0:00:00.000,0:00:14.488
34C3 preroll music
0:00:14.488,0:00:19.939
Herald angel: Today two people from Privacy[br]International, one is Eva Blum-Dumontet
0:00:19.939,0:00:25.349
she's a research officer working on data[br]exploitation especially in the global
0:00:25.349,0:00:34.750
south and Millie Wood who's a lawyer and[br]is fighting against spy agencies and
0:00:34.750,0:00:41.070
before that she fought seven years against[br]police cases and they're gonna be talking
0:00:41.070,0:00:46.340
about policing in the age of data[br]exploitation. Give them a warm welcome.
0:00:46.340,0:00:55.242
Applause
0:00:55.242,0:00:58.440
Millie Wood: Hi, I'm Millie. As was just said, I've been
0:00:58.440,0:01:02.440
at Privacy International for two years[br]working as a lawyer before that I spent
0:01:02.440,0:01:08.320
seven years bringing cases against the[br]police and what increasingly concerns me
0:01:08.320,0:01:14.130
based on these experiences is a lack of[br]understanding of what tactics are being
0:01:14.130,0:01:21.000
used by the police today and what legal[br]basis they are doing this on. The lack of
0:01:21.000,0:01:26.780
transparency undermines the ability of[br]activists lawyers and technologists to
0:01:26.780,0:01:31.479
challenge the police tactics and whilst[br]I'm sure a lot of you have a broad
0:01:31.479,0:01:36.990
awareness of the technology that the[br]police can use I don't think this is
0:01:36.990,0:01:43.390
enough and we need to know what specific[br]police forces are using against
0:01:43.390,0:01:50.479
individuals. The reason why is that when[br]you're arrested you need to know what
0:01:50.479,0:01:56.810
disclosure to ask for in order to prove[br]your innocence. Your lawyers need to know
0:01:56.810,0:02:03.010
what expert evidence to ask for in order[br]to defend their client. And increasingly
0:02:03.010,0:02:08.949
as there are invisible ways or seemingly[br]invisible for the police to monitor at scale
0:02:08.949,0:02:14.010
we need to know that there are effective[br]legal safeguards. Now those who are
0:02:14.010,0:02:20.720
affected are not just the guilty or those[br]who understand technology they include
0:02:20.720,0:02:29.730
pensioners such as John Catt, a 90-year-old[br]man who's a peace protester and he's a
0:02:29.730,0:02:36.260
law-abiding citizen no criminal record and[br]yet he is on the UK domestic extremism
0:02:36.260,0:02:42.980
database and listed here are some of the[br]entries: He took his sketchpad and made
0:02:42.980,0:02:50.220
drawings, he's clean shaven, and he was[br]holding a board with orange people on it.
0:02:50.220,0:02:56.020
So this is the kind of people that they[br]are surveilling. John's case exposes
0:02:56.020,0:03:03.800
unlawful actions by the police but these[br]actions date back to 2005 to 2009 as far
0:03:03.800,0:03:10.170
as I'm aware there are no cases[br]challenging modern police tactics and
0:03:10.170,0:03:14.879
Privacy International in the UK and with[br]our partners throughout the world are
0:03:14.879,0:03:20.520
increasingly concerned at the pace this is[br]developing unobstructed because people
0:03:20.520,0:03:28.480
don't know what's going on, and so we've[br]started in the UK to try and uncover some
0:03:28.480,0:03:34.180
of the police tactics using Freedom of[br]Information requests. These laws should be
0:03:34.180,0:03:39.480
available throughout Europe and we want to[br]make similar requests in other countries
0:03:39.480,0:03:44.450
hopefully with some of you. So now I'm[br]going to hand over to my colleague Eva who
0:03:44.450,0:03:47.860
will talk a bit about Privacy[br]International, some of the tactics we know
0:03:47.860,0:03:52.030
the police are using, and then we'll speak[br]about some of the things that we found out
0:03:52.030,0:03:54.570
through our initial research.
0:03:54.570,0:03:59.530
Applause
0:03:59.530,0:04:02.919
Eva Blum-Dumontet: Thank you. So, I'm just going to tell you a[br]little bit more about Privacy
0:04:02.919,0:04:07.150
International for those of you who don't[br]know this organization. We are based in
0:04:07.150,0:04:11.470
London and we fight against surveillance[br]and defend the right to privacy across the
0:04:11.470,0:04:15.519
world. Basically, essentially what we're[br]doing is that we do litigation, we conduct
0:04:15.519,0:04:21.350
research, and we carry out advocacy[br]including at the United Nations, we
0:04:21.350,0:04:26.830
develop policies on issues that are[br]defining modern rights. Now, our work
0:04:26.830,0:04:30.900
ranges from litigations against[br]intelligence services to a wide range of
0:04:30.900,0:04:36.880
reports on issues such as connected cars,[br]smart cities, and FinTech. We've recently
0:04:36.880,0:04:41.610
published an investigation on the role of[br]companies like Cambridge Analytica and
0:04:41.610,0:04:47.990
Harris Media and their role in the latest[br]Kenyan elections. With our network of
0:04:47.990,0:04:52.471
partner organisations across the world we[br]advocate for stronger privacy protection
0:04:52.471,0:04:59.161
in the law and technology and stronger[br]safeguards against surveillance. Now we
0:04:59.161,0:05:04.080
talk about data exploitation and it's[br]actually the title of the talk so what do
0:05:04.080,0:05:10.380
we mean by that? The concept of data[br]exploitation emerges from our concerns
0:05:10.380,0:05:15.720
that the industry and governments are[br]building a world that prioritizes the
0:05:15.720,0:05:22.650
exploitation of all data. We observe three[br]prevailing trends in data exploitation.
0:05:22.650,0:05:28.000
One is the excessive data that's generated[br]beyond our control. The second one is the
0:05:28.000,0:05:34.139
fact that this data is processed in a way[br]we cannot understand or influence and the
0:05:34.139,0:05:39.530
lack of transparency around it. The last[br]one is, that at the moment this data is
0:05:39.530,0:05:44.690
used to disadvantage us the ones who are[br]producing this data and it's further
0:05:44.690,0:05:51.270
empowering the already powerful. We hardly[br]control the data anymore that's generated
0:05:51.270,0:05:55.290
from phones or in our computers, but now[br]in the world we live in data just don't
0:05:55.290,0:06:00.130
come just from our phones or computers. It[br]comes from the cars we're driving, it
0:06:00.130,0:06:05.970
comes from our payment systems, from the[br]cities we live in. This is all generating
0:06:05.970,0:06:12.770
data and this data is used by other[br]entities to make assumptions about us and
0:06:12.770,0:06:18.450
take decisions that eventually influence[br]our lives. Are we entitled to a loan? Do
0:06:18.450,0:06:25.060
we qualify for affordable insurance?[br]Should we be sent to jail or set free? Who
0:06:25.060,0:06:31.130
should be arrested? This is at the core of[br]the world that we're building around data
0:06:31.130,0:06:37.630
exploitation. The question of power[br]imbalance between those who have the data
0:06:37.630,0:06:42.490
and who gets to make decisions based on[br]this data and those who are producing the
0:06:42.490,0:06:50.180
data and losing control over it. Now what[br]does policing have to do with data, what
0:06:50.180,0:06:57.020
does data exploitation have to do with[br]policing? The police has always been
0:06:57.020,0:07:04.620
actually using data in the past. To give[br]you one example in 1980 a transit police
0:07:04.620,0:07:10.530
officer named Jack Maple, developed a[br]project called chart of the future, this
0:07:10.530,0:07:16.479
is how he described it: "I call them the[br]chart of the future. On 55 feet of wall
0:07:16.479,0:07:20.740
space, I mapped every train station in New[br]York City and every train. Then I used
0:07:20.740,0:07:25.340
crayons to mark every violent crime,[br]robbery, and grand larceny that occurred.
0:07:25.340,0:07:33.250
I mapped the solved versus the unsolved".[br]Now the system was used by the Transit
0:07:33.250,0:07:41.110
Police and it was credited with reducing[br]felonies by 27% and robberies by 1/3
0:07:41.110,0:07:50.280
between 1990 and 1992. So this generated a[br]lot of interest in his projects and former
0:07:50.280,0:07:56.039
New York Mayor Rudolph Giuliani asked the[br]New York police department to essentially
0:07:56.039,0:08:02.479
take up chart of the future and develop[br]their own project. It became CompStat.
0:08:02.479,0:08:10.360
CompStat was again essentially about[br]mapping crime to try and make assumptions
0:08:10.360,0:08:19.360
about where crime wars are happening. So[br]this kind of shows the building of this
0:08:19.360,0:08:25.570
narrative around this idea that the more[br]data you have, the more data you generate,
0:08:25.570,0:08:31.780
the better you will be at reducing crime.[br]Now it becomes interesting in the world we
0:08:31.780,0:08:36.379
live in that we describe, where we are[br]constantly generating data, often without
0:08:36.379,0:08:42.059
the consent or even the knowledge of those[br]who are producing this data. So there are
0:08:42.059,0:08:48.339
new questions to be asked: What data is[br]the police entitled to access? What can
0:08:48.339,0:08:54.490
they do with it? Are we all becoming[br]suspects by default? One of the key
0:08:54.490,0:09:00.449
elements of the intersection between data[br]exploitation and policing is the question
0:09:00.449,0:09:06.119
of smart cities. It's worth bearing in[br]mind that data-driven policing is often
0:09:06.119,0:09:12.029
referred to as smart policing, so obviously[br]the word smart has been used generally in
0:09:12.029,0:09:17.699
a generic manner by various industry to[br]kind of describe this trend of using mass
0:09:17.699,0:09:26.689
data collection in order to provide new[br]services. But there is actually a real and
0:09:26.689,0:09:34.670
genuine connection between smart cities[br]and data-driven policing. The first reason
0:09:34.670,0:09:43.709
for that is that actually one of the main[br]reasons for cities to invest in smart city
0:09:43.709,0:09:48.910
infrastructure is actually the question of[br]security. This is something we've explored
0:09:48.910,0:09:54.320
in our latest report on smart cities and[br]this is emerging also from the work we're
0:09:54.320,0:10:00.890
doing with other organizations including Coding[br]Rights in Brazil and DRF in Pakistan. So
0:10:00.890,0:10:06.009
actually Brazil is an interesting example,[br]because before the mega events they
0:10:06.009,0:10:10.350
started organizing like the football[br]World Cup and the Olympics they invested
0:10:10.350,0:10:16.850
massively in smart city infrastructure.[br]Including projects with IBM and precisely
0:10:16.850,0:10:20.250
the purpose of what they were trying to[br]achieve with their smart city
0:10:20.250,0:10:25.850
infrastructure, was making the city safer[br]so it was extremely strongly connected
0:10:25.850,0:10:32.420
with the police. So this is a picture for[br]example of the control room that
0:10:32.420,0:10:39.109
was built to control CCTV cameras and to[br]create graphs in order to showcase where
0:10:39.109,0:10:45.860
crime was happening and also in a way the[br]likeliness of natural disasters in some
0:10:45.860,0:10:51.649
areas. In Pakistan there is a whole new[br]program on investment of smart cities,
0:10:51.649,0:10:58.799
which is actually referred to as the safe[br]city project. Now companies understand
0:10:58.799,0:11:05.249
that very well and this is actually an[br]image from an IBM presentation describing
0:11:05.249,0:11:11.189
their vision of smart cities. And as you[br]see like policing that is very much
0:11:11.189,0:11:16.790
integrated into their vision, their[br]heavily centralized vision of what smart
0:11:16.790,0:11:22.829
cities are. So that's no wonder that[br]companies that offer smart city
0:11:22.829,0:11:28.379
infrastructure are actually now also[br]offering a platform for policing. So those
0:11:28.379,0:11:34.820
companies include IBM as I mentioned but[br]also Oracle and Microsoft. We see in many
0:11:34.820,0:11:39.600
countries including the UK where we're based[br]some pressure on budgets and budget
0:11:39.600,0:11:44.379
reductions for the police and so there is[br]a very strong appeal with this narrative,
0:11:44.379,0:11:51.120
that you can purchase platform you can[br]gather more data that will help you do
0:11:51.120,0:11:58.109
policing in less time and do it more[br]efficiently. But little thought is given
0:11:58.109,0:12:03.230
to the impact on society, or right to[br]privacy and what happens if someone
0:12:03.230,0:12:13.439
unexpected takes the reins of power. Now[br]we're gonna briefly explain what data-
0:12:13.439,0:12:20.499
driven policing looks like, and eventually[br]Millie will look at our findings. So
0:12:20.499,0:12:26.339
the first thing I wanted to discuss is[br]actually predictive policing, because
0:12:26.339,0:12:30.740
that's often something we think of and[br]talked about when we think about data-
0:12:30.740,0:12:37.759
driven policing. I mentioned CompStat[br]before and essentially predictive policing
0:12:37.759,0:12:43.319
works on a similar premise. The idea is[br]that if you map where crime happens you
0:12:43.319,0:12:50.859
can eventually guess where the next crime[br]will happen. So the key player in
0:12:50.859,0:12:54.989
predictive policing is this company called[br]PREDPOL, I mean I think they describe
0:12:54.989,0:12:58.230
pretty much what they do, they use[br]artificial intelligence to help you
0:12:58.230,0:13:06.249
prevent crime, right, predicting when and[br]where crime will most likely occur. Now
0:13:06.249,0:13:10.929
PREDPOL and other companies are using[br]something called a Hawkes process that's
0:13:10.929,0:13:17.019
used normally for the prediction of[br]earthquake tremors, so what Hawkes
0:13:17.019,0:13:23.269
originally did is that he was analyzing[br]how after an earthquake you have after
0:13:23.269,0:13:28.660
shakes and usually the after shakes tend[br]to happen where the original earthquake
0:13:28.660,0:13:35.940
happened and in a short period of time[br]after that. So the Hawkes process basically
0:13:35.940,0:13:40.910
is described as when a certain event[br]happens, other events of the same kind will
0:13:40.910,0:13:45.470
happen shortly after in the[br]same location. Now obviously it actually
0:13:45.470,0:13:50.790
works quite well for earthquakes, whether[br]it works for crime is a lot more
0:13:50.790,0:13:56.290
questionable. But that's actually the[br]premise on which companies that
0:13:56.290,0:14:02.119
are offering predictive policing services[br]are relying. So basically applied to
0:14:02.119,0:14:08.730
predictive policing the mantra is[br]monitoring data on places where crime is
0:14:08.730,0:14:13.309
happening you can identify geographic[br]hotspots where crime will most likely
0:14:13.309,0:14:20.819
happen again. Now other companies than[br]PREDPOL are joining in and they are adding
0:14:20.819,0:14:26.259
more data than just simply location of[br]past crimes. So this data has included
0:14:26.259,0:14:30.629
open source intelligence and we'll talk a[br]little bit more about this later on.
0:14:30.629,0:14:35.699
Weather report, census data, the location[br]of key landmarks like bars, churches,
0:14:35.699,0:14:40.089
schools, data sporting events, and moon[br]phases. I'm not quite sure what they're
0:14:40.089,0:14:50.209
doing with moon phases but somehow that's[br]something they're using. When predictive
0:14:50.209,0:14:56.179
policing first sort of emerged one of[br]the key concerns was whether our world was
0:14:56.179,0:15:00.999
going to be turning into a Minority Report[br]kind of scenario where people are arrested
0:15:00.999,0:15:05.490
before a crime is even committed and[br]companies like PREDPOL were quick to
0:15:05.490,0:15:10.199
reassure people and say that they are not[br]concerned about who will commit crime but
0:15:10.199,0:15:15.800
where crimes are happening. Now that's not[br]actually true because in fact at the
0:15:15.800,0:15:21.100
moment we see several programs emerging[br]especially in the US, where police
0:15:21.100,0:15:25.509
departments are concerned not so much with[br]where crimes are happening, but who's
0:15:25.509,0:15:30.920
committing it. So I'm gonna talk about two[br]examples of this: One is the Kansas City No
0:15:30.920,0:15:37.850
Violence Alliance, which is a program led[br]by the local police to identify who will
0:15:37.850,0:15:42.579
become the next criminal - basically - and[br]they're using an algorithm that combines
0:15:42.579,0:15:48.189
data from traditional policing as well as[br]social media intelligence and information
0:15:48.189,0:15:53.569
that they have on drug use, based on this[br]they create graphics generated using
0:15:53.569,0:16:01.609
predictive policing to show how certain[br]people are connected to already convicted
0:16:01.609,0:16:06.169
criminals and gang members. Once they've[br]identified these people they request
0:16:06.169,0:16:11.479
meeting with them whether they've[br]committed crimes or not in the past. And
0:16:11.479,0:16:16.420
they would have a discussion about their[br]connection to those convicted criminals
0:16:16.420,0:16:21.910
and gang members and what they tell them[br]is that they are warned that if a crime
0:16:21.910,0:16:27.109
next happened within their network of[br]people every person connected to this
0:16:27.109,0:16:33.319
network will be arrested whether or not[br]they were actually involved in the crime
0:16:33.319,0:16:38.379
being committed. Now there are actually[br]dozens of police departments that are
0:16:38.379,0:16:46.100
using similar programs. The Chicago Police[br]Department has an index of the 400 people
0:16:46.100,0:16:50.359
most likely to be involved in violent[br]crimes. That sounds like a BuzzFeed
0:16:50.359,0:16:56.389
article but actually there is a reality[br]which is extremely concerning, because
0:16:56.389,0:17:02.069
those people who are in this list are for[br]the most part not actual criminals, they
0:17:02.069,0:17:08.019
are purely seen to be connected to people[br]who've committed crime. So if your next-
0:17:08.019,0:17:16.679
door neighbor is a criminal then you may[br]well find your name on that list. Now
0:17:16.679,0:17:21.480
predictive policing is deceptive and[br]problematic for several reasons: First of
0:17:21.480,0:17:26.519
all there's the question of the[br]presumption of innocence. In a world where
0:17:26.519,0:17:32.519
even before you commit a crime you can[br]find your name on that list or be called
0:17:32.519,0:17:37.899
by the police - you know - what happens to[br]this very basis of democracy which is the
0:17:37.899,0:17:42.529
presumption of innocence. But also[br]there's the other question of like can we
0:17:42.529,0:17:47.720
really use the math that was originally[br]designed for earthquakes and apply to
0:17:47.720,0:17:53.049
human beings because human beings don't[br]work like earthquakes. They have their own
0:17:53.049,0:17:59.870
set of biases and the biases[br]start with how we collect the data. For
0:17:59.870,0:18:07.640
example, if the police is more likely to[br]police areas where there is minorities,
0:18:07.640,0:18:11.769
people of color, then obviously the data[br]they will have will be disproportionately
0:18:11.769,0:18:18.490
higher on persons of color. Likewise if[br]they are unlikely to investigate white-
0:18:18.490,0:18:24.200
collar crime they will be unlikely to have[br]data that are reflecting a reality where
0:18:24.200,0:18:29.040
crime also happens in wealthier areas. So[br]basically we are inputting biased datasets
0:18:29.040,0:18:35.030
that obviously will lead to biased[br]results. And what these biased results
0:18:35.030,0:18:41.600
mean is that it will continue the already[br]existing trend of over policing
0:18:41.600,0:18:48.440
communities of color and low-income[br]communities. I'll leave it to Millie for
0:18:48.440,0:18:55.667
the next box. Millie Wood: So, one of the increasingly[br]popular technologies we're seeing in the
0:18:55.667,0:19:00.586
UK, and is no doubt used around the world[br]and probably at border points, although we
0:19:00.586,0:19:06.450
need more help with the research to prove[br]this, is mobile phone extraction. The
0:19:06.450,0:19:10.680
police can extract data from your phone,[br]your laptop, and other devices which
0:19:10.680,0:19:16.431
results in a memory dump of the extracted[br]data taken from your device and now held
0:19:16.431,0:19:23.331
in an agency database. So for example all[br]your photos, all your messages, and all
0:19:23.331,0:19:28.330
those of people who had no idea they would[br]end up in a police database because
0:19:28.330,0:19:34.549
they're associated with you retained for[br]as long as the police wish. Now these
0:19:34.549,0:19:38.600
devices are pretty user friendly for the[br]police and if you're interested you can
0:19:38.600,0:19:42.559
look on YouTube where Cellebrite one of[br]the big players has lots of videos about
0:19:42.559,0:19:48.929
how you can use them, and so depending on[br]the device and the operating system some
0:19:48.929,0:19:54.419
of the data this is from a police document[br]but it lists what they can extract using a
0:19:54.419,0:20:01.820
Cellebrite UFED is what you might expect:[br]device information, calls, messages,
0:20:01.820,0:20:08.970
emails, social media, and Wi-Fi networks.[br]But if you look at their website and here
0:20:08.970,0:20:14.750
are a few examples they can also collect:[br]system and deleted data, they can access
0:20:14.750,0:20:20.580
cloud storage, and inaccessible partitions[br]of the device. Now this is data that is
0:20:20.580,0:20:26.490
clearly beyond the average user's control,[br]and as the volume of data we hold on our
0:20:26.490,0:20:31.749
phones increases so will this list. And [br]the companies we know the UK police are
0:20:31.749,0:20:39.059
using, which includes: Cellebrite, Acceso,[br]Radio Tactics, MSAB, are all aware of how
0:20:39.059,0:20:44.750
valuable this is and as one of them have[br]stated: "if you've got access to a person's
0:20:44.750,0:20:50.500
SIM card, you've got access to the whole[br]of a person's life". They also go on to
0:20:50.500,0:20:56.070
note: "the sheer amount of data stored on[br]mobile phones is significantly greater
0:20:56.070,0:21:04.149
today than ever before." There are also no[br]temporal limits to the extraction of data,
0:21:04.149,0:21:09.149
this is from another police document we[br]obtained and it shows that if you choose
0:21:09.149,0:21:16.159
to extract a certain data type you will[br]obtain all data of a particular type, not
0:21:16.159,0:21:21.280
just the data relevant to an[br]investigation. So all that data on a
0:21:21.280,0:21:28.429
police database, indefinitely and even if[br]you were asked whether you were happy for
0:21:28.429,0:21:32.789
your data to be extracted during an[br]investigation I think it's highly unlikely
0:21:32.789,0:21:37.630
you would realize the volume that the[br]police were going to take. Other targets
0:21:37.630,0:21:44.179
for the police that we know about are:[br]infotainment systems in cars, Smart TVs,
0:21:44.179,0:21:51.230
and connected devices in the home. This is[br]an extract from a techUK report, where
0:21:51.230,0:21:56.700
Mark Stokes, head of digital forensics at[br]the Met Police, which is the police in London,
0:21:56.700,0:22:03.200
stated in January, that the crime scene of[br]tomorrow will be the Internet of Things
0:22:03.200,0:22:08.450
and detectives of the future will carry a[br]digital forensics toolkit that will help
0:22:08.450,0:22:15.020
them analyze microchips and download data[br]at the scene rather than removing devices
0:22:15.020,0:22:20.081
for testing. Now I can imagine that the[br]evidence storage room is going to get a
0:22:20.081,0:22:24.840
bit full if they start dragging in[br]connected fridges, hair dryers, hair
0:22:24.840,0:22:32.570
brushes, your Google home, Amazon echo and[br]whatever else you have. However, their
0:22:32.570,0:22:38.240
plans to walk into your home and download[br]everything, make no mention of needing a
0:22:38.240,0:22:43.509
specific warrant and so the only[br]limitations at the moment are the
0:22:43.509,0:22:50.220
protections that may exist on the devices.[br]The law does not protect us and this needs
0:22:50.220,0:22:59.409
to change. Eva Blum-Dumontet: So I'm going to be talking a[br]little bit about open source intelligence
0:22:59.409,0:23:05.470
and in particular social media[br]intelligence, because when I talked about
0:23:05.470,0:23:10.830
predictive policing I identified those two[br]sources as some of the data that's being
0:23:10.830,0:23:17.470
used for predictive policing. Now, open[br]source intelligence is often thought as,
0:23:17.470,0:23:23.409
or often assumed to be innocuous, and[br]there is the understanding that if
0:23:23.409,0:23:29.440
information is publicly available then it[br]should be fair for the police to use. Now
0:23:29.440,0:23:34.270
the problem is that among open source[br]intelligence there's often social media
0:23:34.270,0:23:40.509
intelligence that we refer to as[br]SOCMINT. Now there are many ways to
0:23:40.509,0:23:45.900
conduct SOCMINT and it can range from[br]like the single police officer, who is
0:23:45.900,0:23:54.009
just you know using Facebook or Twitter to[br]look up the accounts of victims or
0:23:54.009,0:23:58.620
suspected criminals, but there are also[br]companies that are scraping the likes of
0:23:58.620,0:24:04.580
Facebook and Twitter to allow the police[br]to monitor social media. Now social medias
0:24:04.580,0:24:10.580
have like blurred the lines between public[br]and private, because obviously we are
0:24:10.580,0:24:17.909
broadcasting our views on this platform[br]and at the moment the police has been
0:24:17.909,0:24:25.059
exploiting this kind of unique space, this[br]blurred line, they are accessing this
0:24:25.059,0:24:30.809
content in a completely unregulated[br]manner, as long as the content is publicly
0:24:30.809,0:24:37.620
available like for example you don't need[br]to be friend or to have any already
0:24:37.620,0:24:43.470
established connection with the suspected[br]criminal or the police or the victim
0:24:43.470,0:24:48.610
anything that's available to you it's[br]completely unregulated there are no rules
0:24:48.610,0:24:56.700
and I mentioned earlier the question of a[br]budget restriction and so the police is
0:24:56.700,0:25:01.749
benefiting hugely from this because it[br]doesn't really cost anything to use social
0:25:01.749,0:25:07.019
media so at the moment SOCMINT is kind of[br]like the first and easy step in a police
0:25:07.019,0:25:14.470
investigation because there is no cost and[br]because there is no oversight. Now,
0:25:14.470,0:25:19.420
SOCMINT actually isn't so innocent in the[br]sense that it allows the police to
0:25:19.420,0:25:25.519
identify the locations of people based on[br]their post, it allows them to establish
0:25:25.519,0:25:30.669
people's connection, their relationships,[br]their association, it allows the
0:25:30.669,0:25:37.380
monitoring of protest and also to identify[br]the leaders of various movement, and to
0:25:37.380,0:25:45.880
measure a person's influence. Now, in the[br]UK what we know is that the police is
0:25:45.880,0:25:52.019
largely using marketing products, so this[br]is an anonymous quote from a report by
0:25:52.019,0:25:58.029
academics that have been doing research on[br]SOCMINT and what someone said was that: "A
0:25:58.029,0:26:01.620
lot of stuff came out of marketing because[br]marketing were using social media to
0:26:01.620,0:26:05.190
understand what people were saying about[br]their product... We wanted to understand
0:26:05.190,0:26:11.549
what people were saying so it's almost[br]using it in reverse". Now again, this is
0:26:11.549,0:26:16.350
not considered like surveillance device[br]this is purely a marketing project that
0:26:16.350,0:26:23.309
they're using and for that reason law[br]enforcement agencies and security agencies
0:26:23.309,0:26:30.140
are often arguing that SOCMINT has[br]basically no impact on privacy. But
0:26:30.140,0:26:36.640
actually when your post reveals your[br]location or when the content of your post
0:26:36.640,0:26:40.080
reveal what used to be considered and is[br]still considered actually as sensitive
0:26:40.080,0:26:45.090
private information like details about[br]your sexual life, about your health, about
0:26:45.090,0:26:50.120
your politics, can we really minimize the[br]impact of the police accessing this
0:26:50.120,0:26:56.190
information. Now obviously we may not have[br]a problem with the average twitter user or
0:26:56.190,0:27:00.880
with a friend reading this information but[br]when the ones who are reading the
0:27:00.880,0:27:06.460
information and taking actions on this[br]information have power over us like the
0:27:06.460,0:27:17.717
police does, you know, what does it[br]actually mean for our right to privacy?
0:27:17.717,0:27:26.610
That's not to say that people should stop[br]using social media but rather what kind of
0:27:26.610,0:27:32.960
regulation can we put in place so that[br]it's not so easy for the police to access.
0:27:32.960,0:27:41.720
The absence of regulations on SOCMINT has[br]actually already led to abuse in two cases
0:27:41.720,0:27:48.159
both in the US that we've identified: One[br]is Raza v. the City of New York which is a
0:27:48.159,0:27:55.840
case from the ACLU where we knew that we[br]found out that the city of New York,
0:27:55.840,0:28:00.179
sorry, the New York Police Department was[br]systematically gathering intelligence on
0:28:00.179,0:28:04.799
Muslim communities, and one of the ways[br]they were gathering this intelligence was
0:28:04.799,0:28:11.509
essentially by surveilling social media[br]accounts of Muslims in New York. The
0:28:11.509,0:28:17.320
second case is a company called ZeroFOX.[br]So what ZeroFOX does is social media
0:28:17.320,0:28:23.150
monitoring. Now, during the riots that[br]followed the funeral of Freddie Gray,
0:28:23.150,0:28:30.500
Freddie Gray was a 25 year old black man[br]who had been shot by the police, so after
0:28:30.500,0:28:36.549
his funeral there had been a series of[br]riots in the UK and ZeroFOX produced a
0:28:36.549,0:28:41.360
report that they shared with the Baltimore[br]Police to essentially advertise for their
0:28:41.360,0:28:47.929
social media monitoring tool and[br]what the company was doing was again like
0:28:47.929,0:28:52.970
browsing social media and trying to[br]establish who were the threat actors in
0:28:52.970,0:28:58.659
these riots and among the 19 threat[br]actors that they identified two of them
0:28:58.659,0:29:04.499
were actually leaders of the Black Lives[br]Matter movement. Actually at least one of
0:29:04.499,0:29:09.550
them was a woman definitely not a physical[br]threat but this is how they were
0:29:09.550,0:29:17.570
essentially labeled. So these two examples[br]actually show that again it's still sort
0:29:17.570,0:29:24.240
of the same targets, it's people of[br]colors, it's activists, it's people from
0:29:24.240,0:29:30.179
poor income backgrounds, that are singled[br]out as likely criminals. And it's very
0:29:30.179,0:29:34.029
telling when we realize that SOCMINT is[br]actually one of the sources of data that's
0:29:34.029,0:29:38.740
eventually used for predictive policing[br]and then again predictive policing leading
0:29:38.740,0:29:45.409
to people being more surveilled and[br]potentially exposed to more police
0:29:45.409,0:29:51.169
surveillance based on the fact that they[br]are all singled out as likely criminals. Now
0:29:51.169,0:29:56.890
social media is a fascinating place[br]because it's a mix between a private and a
0:29:56.890,0:30:02.210
public space as I said we are broadcasting[br]our views publicly but then again it's a
0:30:02.210,0:30:07.679
privately owned space where we follow the[br]rules that is set up by private companies.
0:30:07.679,0:30:13.779
Now, if we want to protect this space and[br]ensure that like free expression and
0:30:13.779,0:30:18.619
political organization can still happen on[br]the spaces we need to fully understand how
0:30:18.619,0:30:23.460
much the police have been exploiting the[br]spaces and how we can limit and regulate
0:30:23.460,0:30:29.879
the use of it. Now, I'll talk to Millie[br]about what we can do next. So I'm going to
0:30:29.879,0:30:33.460
briefly look at some of our initial[br]findings we've made using Freedom of
0:30:33.460,0:30:39.539
Information requests, broadly: the lack of[br]awareness by the public, weak legal basis,
0:30:39.539,0:30:45.429
and a lack of oversight. Now, sometimes[br]the lack of awareness appears intentional
0:30:45.429,0:30:54.740
- we asked the police about their plans to[br]extract data from connected devices in the
0:30:54.740,0:31:01.679
home and they replied neither confirm nor[br]deny. Now this is kind of a bizarre
0:31:01.679,0:31:06.659
response given that Mark Stokes who's a[br]member of the police had already said that
0:31:06.659,0:31:13.509
they plan to do this, in addition the UK[br]government Home Office replied to us
0:31:13.509,0:31:18.269
saying the Home Office plans to develop[br]skills and capacity to exploit the
0:31:18.269,0:31:23.929
Internet of Things as part of criminal[br]investigations. They also said that police
0:31:23.929,0:31:29.920
officers will receive training in relation[br]to extracting, obtaining, retrieving, data
0:31:29.920,0:31:35.399
from or generated by connected devices. So[br]we wrote back to every police force in the
0:31:35.399,0:31:40.970
UK that had refused to reply to us and[br]presented the evidence but they maintained
0:31:40.970,0:31:45.679
their stance so we will be bringing a[br]challenge against them under the Freedom
0:31:45.679,0:31:51.929
of Information Act. Now, Eva has also[br]identified the huge risks associated with
0:31:51.929,0:31:57.769
predictive policing yet in the UK we've[br]found out this is set to increase with
0:31:57.769,0:32:02.070
forces either using commercial tools or[br]in-house ones they've developed or
0:32:02.070,0:32:09.049
planning trials for 2018. There has been[br]no public consultation, there are no
0:32:09.049,0:32:14.279
safeguards, and there is no oversight. So[br]when we ask them more questions about the
0:32:14.279,0:32:21.370
plans we were told we were 'vexatious' and[br]they won't respond to more requests so it
0:32:21.370,0:32:27.299
seems like we have yet another challenge,[br]and what about mobile phone extraction
0:32:27.299,0:32:32.570
tools here are some of the stats that have[br]been found out and I would say these
0:32:32.570,0:32:36.821
aren't completely accurate because it[br]depends on how reliable the police force
0:32:36.821,0:32:42.940
are in responding but roughly I'd say it's[br]probably more than 93 percent now of UK
0:32:42.940,0:32:48.379
police forces throughout the country are[br]extracting data from digital devices. We
0:32:48.379,0:32:53.080
know they plan to increase, we've seen in[br]their documents they plan to train more
0:32:53.080,0:32:58.690
officers, to buy more equipment, and to[br]see extraction as a standard part of
0:32:58.690,0:33:04.009
arrest, even if the devices had absolutely[br]nothing to do with the offense and so
0:33:04.009,0:33:09.769
these figures are likely to increase[br]exponentially, but in the UK not only do
0:33:09.769,0:33:15.610
the police not need a warrant, in documents[br]we've read they do not even need to notify
0:33:15.610,0:33:21.139
the individual that they have extracted[br]data, for example, from their mobile phone
0:33:21.139,0:33:27.590
or that they're storing it. If this is[br]being done without people's knowledge how
0:33:27.590,0:33:32.220
on earth can people challenge it, how can[br]they ask for their data to be removed if
0:33:32.220,0:33:39.590
they're found innocent? Turning to social[br]media monitoring which the police refer to
0:33:39.590,0:33:44.330
as open source research. This is Jenny[br]Jones she's a member of the House of Lords
0:33:44.330,0:33:50.730
in the Green Party and next to her photo[br]is a quote from her entry on the domestic
0:33:50.730,0:33:57.249
extremism database, and so, if a member of[br]the House of Lords is being subject to
0:33:57.249,0:34:04.659
social media monitoring for attending a[br]bike ride then I think it's highly likely
0:34:04.659,0:34:08.830
that a large number of people who[br]legitimately exercise their right to
0:34:08.830,0:34:14.429
protest are being subject to social media[br]monitoring. Now, this hasn't gone
0:34:14.429,0:34:20.399
unnoticed completely although they're[br]slightly old these are quotes from two
0:34:20.399,0:34:24.899
officials: the first the UK independent[br]reviewer of terrorism who notes that the
0:34:24.899,0:34:29.690
extent of the use of social media[br]monitoring is not publicly known, and the
0:34:29.690,0:34:33.679
second is the chief surveillance[br]commissioner who is and this is a very
0:34:33.679,0:34:38.949
strong statement for a commissioner is[br]saying that basically social media should
0:34:38.949,0:34:47.649
not be treated as fair game by the police.[br]So now I'll move on to a weak or outdated
0:34:47.649,0:34:52.649
legal basis. For most of the technologies[br]we've looked at it's very unclear what
0:34:52.649,0:34:58.359
legal basis the police are using even when[br]we've asked them. This relates to mobile
0:34:58.359,0:35:03.940
phone extraction - so the legislation[br]they're relying on is over 30 years old
0:35:03.940,0:35:11.310
and is wholly inappropriate for mobile[br]phone extraction this law was developed to
0:35:11.310,0:35:16.680
deal with standard traditional searches,[br]the search of a phone can in no way be
0:35:16.680,0:35:22.300
equated to the search of a person, or the[br]search of a house, and despite the fact
0:35:22.300,0:35:26.901
that we have repeatedly asked for a[br]warrant this is not the case and we
0:35:26.901,0:35:31.270
believe that there should be a warrant in[br]place not only in the UK but in the rest
0:35:31.270,0:35:35.550
of the world. So if you think that either[br]you or your friends have had their data
0:35:35.550,0:35:39.369
extracted when they're arrested or your[br]phone has been in the possession of the
0:35:39.369,0:35:45.650
authorities you should be asking[br]questions, and very briefly something on
0:35:45.650,0:35:52.420
lack of oversight, so we reported in[br]January this year about documents that
0:35:52.420,0:35:58.000
were obtained by The Bristol Cable's[br]investigation into Cellebrite and one
0:35:58.000,0:36:04.020
report said that in half of the cases[br]sampled the police noted the police had
0:36:04.020,0:36:10.320
failed to receive authorization internally[br]for the use of extraction tools. Poor
0:36:10.320,0:36:15.809
training undermined investigations into[br]serious offences such as murder, and
0:36:15.809,0:36:20.940
inadequate security practices meant that[br]encryption was not taking place even when
0:36:20.940,0:36:26.849
it was easy to do and they were losing[br]files containing intimate personal data.
0:36:26.849,0:36:33.490
So why does this matter? Here are some key[br]points: In relation to information
0:36:33.490,0:36:37.760
asymmetry - it's clear as Eva has[br]explained that the police can now access
0:36:37.760,0:36:43.670
far more data on our devices than the[br]average user. In relation to imbalance of
0:36:43.670,0:36:47.420
power - it's clear they can collect and[br]analyze sources that are beyond our
0:36:47.420,0:36:54.320
control whether it's publicly placed[br]sensors, cameras, and other devices. There
0:36:54.320,0:36:58.890
is also unequal access and if lawyers[br]don't know what's being gathered they
0:36:58.890,0:37:03.660
don't know what to ask for from the[br]police. All in all this puts the
0:37:03.660,0:37:10.410
individual at a huge disadvantage. Another[br]impact is the chilling effect on political
0:37:10.410,0:37:16.850
expression now I'm sure many of you maybe[br]think that the police monitor your social
0:37:16.850,0:37:21.859
media but the average person is unlikely[br]to, and so if they start to know about
0:37:21.859,0:37:27.110
this are they going to think twice about[br]joining in protesting either physically or
0:37:27.110,0:37:32.380
using a hashtag, and what about who your[br]friends are? If they know you attend
0:37:32.380,0:37:38.540
protests are they really want to have[br]their data on your phone if they know that
0:37:38.540,0:37:44.460
potentially that could be extracted and[br]end up on a police database? It's far
0:37:44.460,0:37:49.380
easier to be an anonymous face among many[br]people than a single isolated person
0:37:49.380,0:37:55.119
standing up to power but these new forms[br]of policing we have been discussing
0:37:55.119,0:38:00.339
redefine the very act of protesting by[br]singling out each and every one of us from
0:38:00.339,0:38:08.309
the crowd. So, what can we do? Many of you[br]will be familiar with these technologies,
0:38:08.309,0:38:12.720
but do you know how to find out what the[br]police are doing? In the UK we've been
0:38:12.720,0:38:16.610
using Freedom of Information requests, we[br]want to do this with people throughout
0:38:16.610,0:38:21.910
Europe and you don't need to be a lawyer[br]so please get in touch. We also want to
0:38:21.910,0:38:26.660
dig into the technology a bit more, I want[br]someone to use a Cellebrite UFED on my
0:38:26.660,0:38:31.809
phone and show me exactly what can come[br]out of it, and we want to tell lawyers and
0:38:31.809,0:38:37.329
activists about these new techniques. Many[br]lawyers I speak to who are experts in
0:38:37.329,0:38:42.210
actions against the police do not know the[br]police are using these tools. This means
0:38:42.210,0:38:46.700
they don't know the right questions to ask[br]and so it's fundamental you speak to
0:38:46.700,0:38:50.920
people who are bringing these cases and[br]tell them about what they can do or what
0:38:50.920,0:38:56.640
questions they should be asking, and[br]finally we want you to also raise the
0:38:56.640,0:39:18.034
debate, to share our research, and to[br]critique it, thank you.
0:39:18.034,0:39:24.220
Herald: So we've got ample enough time for[br]Q&A are there any questions in the hall,
0:39:24.220,0:39:28.670
yes, there's one over there.[br]Question: You mentioned the problem of
0:39:28.670,0:39:33.110
when they do physical extraction from the[br]Cellebrite device it's going to get all of
0:39:33.110,0:39:37.710
the photos, all of the emails, or whatever[br]maybe rather than just what the
0:39:37.710,0:39:42.059
investigator needs. What is the solution[br]to that from your eyes is there a
0:39:42.059,0:39:45.740
technical one that these companies are[br]gonna have to implement - which they're
0:39:45.740,0:39:51.140
not going to - or a legal one, because on[br]the other side a mobile phone is a crucial
0:39:51.140,0:39:56.890
part in any criminal investigation in[br]2017. So what's the workaround or the
0:39:56.890,0:40:00.020
solution to that?[br]Answer: I think it's both, I think the
0:40:00.020,0:40:04.000
fact that there isn't any law looking at[br]this and no one's discussing can there be
0:40:04.000,0:40:08.520
a technical solution or does it need to be[br]one where there's better regulation and
0:40:08.520,0:40:12.660
oversight so you extract everything, can[br]you keep it for a certain period to see
0:40:12.660,0:40:16.859
what's relevant then do you have to delete[br]it? The trouble is we don't see any
0:40:16.859,0:40:22.290
deletion practices and the police have[br]publicly stated in the media that they can
0:40:22.290,0:40:27.280
just keep everything as long as they like.[br]They like data you can kind of see why but
0:40:27.280,0:40:31.240
that doesn't mean they should keep[br]everyone's data indefinitely just in case
0:40:31.240,0:40:35.062
it's useful so I think there may be tech[br]solutions there may be legal ones and I
0:40:35.062,0:40:40.510
think perhaps both together as is one of[br]the answers. Herald: The next question
0:40:40.510,0:40:45.349
from microphone one please.[br]Q: I'm just wondering how those laws on
0:40:45.349,0:40:50.280
action and power given to the cops are[br]being sold to the UK people is it because
0:40:50.280,0:40:56.510
to fight terrorism as I said or to fight[br]drugs or this kind of stuff, what's the
0:40:56.510,0:41:00.490
argument used by the government to sell[br]that to the people.
0:41:00.490,0:41:05.170
A: I think actually one thing that's[br]important is to bear in mind is that I'm
0:41:05.170,0:41:10.630
not sure most of the public in the[br]UK is even aware of it, so I think unlike
0:41:10.630,0:41:15.330
the work of intelligence services an[br]agency where terrorism is used as the
0:41:15.330,0:41:22.450
excuse for ever more power and especially[br]laws that have become increasingly
0:41:22.450,0:41:26.130
invasive, actually with policing we don't[br]even fall in that kind of discourse
0:41:26.130,0:41:30.980
because it's actually hardly talked about[br]in UK. Yeah, and the mobile phone
0:41:30.980,0:41:34.880
extraction stuff we've been looking at is[br]low-level crimes, so that's like you
0:41:34.880,0:41:40.750
have, it could be you know a pub fight,[br]it could be a robbery, which that's more
0:41:40.750,0:41:45.550
serious, it could be an assault, so they[br]want to use it in every case. For all the
0:41:45.550,0:41:48.170
other techniques we have no idea what[br]they're using for that's one of the
0:41:48.170,0:41:53.599
problems.[br]Herald: The next question from the
0:41:53.599,0:41:57.400
internet please.[br]Q: When you say that there's a lack of
0:41:57.400,0:42:04.460
laws and regulations for police concerning[br]us in extraction and data from devices are
0:42:04.460,0:42:09.790
you talking just about UK and/or USA or do[br]you have any examples of other countries
0:42:09.790,0:42:13.500
who do better or worse?[br]A: I don't know of any country that has a
0:42:13.500,0:42:18.520
regulation on publicly available[br]information on social media.
0:42:18.520,0:42:25.849
Herald: Microphone number four.[br]Q: Thank you again for a great talk. In
0:42:25.849,0:42:31.920
terms of data exploitation an element that[br]I didn't hear you talk about that I'd like
0:42:31.920,0:42:35.940
to hear a little bit more is when there[br]are questions around who is doing the
0:42:35.940,0:42:40.410
exploitation, I know in the U.S. some FOIA[br]researchers get around how difficult it is
0:42:40.410,0:42:44.640
to get data from the feds by going after[br]local and state police departments, is
0:42:44.640,0:42:48.450
that something that you're doing or do you[br]have a way of addressing confusion when
0:42:48.450,0:42:50.880
people don't know what agency has the[br]data?
0:42:50.880,0:42:56.580
A: Yeah, I think actually what one of the[br]things the data exploitation program at
0:42:56.580,0:43:00.330
Privacy International is doing is actually[br]looking into the connection between the
0:43:00.330,0:43:06.050
private sector and governments because[br]obviously at the moment there's the whole
0:43:06.050,0:43:09.950
question of data brokers which is an[br]industry that's hardly regulated at all,
0:43:09.950,0:43:14.130
that people don't necessarily know about,[br]we don't, the companies that are doing it
0:43:14.130,0:43:19.900
are familiar household name. I'll let[br]Millie talk a lot more about the
0:43:19.900,0:43:24.920
government aspects of it. I guess the[br]question is again a country-by-country
0:43:24.920,0:43:29.470
basis, we work in many countries that[br]don't have any data protection regulations
0:43:29.470,0:43:36.609
at all so there is this first difficulty[br]as how do we regulate, how do we limit the
0:43:36.609,0:43:40.920
power of the state when you don't even[br]have the basic legislation around
0:43:40.920,0:43:45.710
data protection? One thing to bear in mind[br]is like the problem with companies is like
0:43:45.710,0:43:53.220
how do you also hold companies accountable[br]whereas with the state there is the whole
0:43:53.220,0:43:58.119
challenge of finding the right legal[br]framework to limit their power, but maybe
0:43:58.119,0:44:02.069
I'll let Millie talk a little bit more[br]about this. Yeah, with our FOIA
0:44:02.069,0:44:06.270
request we tend to go after everyone so[br]with the example of the Home Office saying
0:44:06.270,0:44:08.990
something that the other police didn't[br]that was because we went to all the
0:44:08.990,0:44:14.680
different state bodies and I think that[br]there's a good example in the states
0:44:14.680,0:44:17.690
where there's far more research done on[br]what the police are doing, but they're
0:44:17.690,0:44:22.600
using the same product in the UK I think[br]it's axiom and they're a storage device
0:44:22.600,0:44:29.119
for body-worn camera videos, and a lawyer[br]in the states said that in order to access
0:44:29.119,0:44:32.799
the video containing his client he had to[br]agree to the terms and condition on Axioms
0:44:32.799,0:44:38.140
website which basically gave them full use[br]of his clients video about a crime scene.
0:44:38.140,0:44:42.750
So that's a private company having use of[br]this video so given that we found they're
0:44:42.750,0:44:47.120
using it in the UK we don't know if those[br]kind of terms and conditions exist but
0:44:47.120,0:44:54.673
it's a very real problem as they rely[br]increasingly on private companies.
0:44:54.673,0:44:58.370
Herald: Number two please.[br]Q: Thank you for your work perhaps you've
0:44:58.370,0:45:03.450
already answered this partially from other[br]people's questions but it looks like we
0:45:03.450,0:45:08.539
have a great way to start the process and[br]kind of taking the power back but you know
0:45:08.539,0:45:13.250
the state and the system certainly doesn't[br]want to give up this much power, how do we
0:45:13.250,0:45:18.190
actually directly, what's kind of the[br]endgame, what's the strategies for making
0:45:18.190,0:45:24.770
the police or the governments give up and[br]restore balance, is it a suit, is it
0:45:24.770,0:45:27.859
challenging through Parliament and in the[br]slow process of democracy, or what do you
0:45:27.859,0:45:32.170
think is the right way of doing it?[br]A: I never think one works on its own,
0:45:32.170,0:45:36.670
even though I'm a litigator I often think[br]litigation is quite a weak tactic,
0:45:36.670,0:45:40.920
particularly if you don't have the public[br]on side, and then again if you don't have
0:45:40.920,0:45:44.220
Parliament. So we need all of them and[br]they can all come through different means
0:45:44.220,0:45:49.090
so we wouldn't just focus on one of the[br]different countries it might be that you
0:45:49.090,0:45:53.540
go down the legal route or the down the[br]parliamentary route but in the UK we're
0:45:53.540,0:45:57.460
trying all different routes so for example[br]on mobile phone extraction in the
0:45:57.460,0:46:00.900
beginning of next year we're going to be[br]doing a video we're going to be doing
0:46:00.900,0:46:04.120
interviewing the public and speaking to[br]them about it, we're going to be going to
0:46:04.120,0:46:08.960
Parliament, and I've also been speaking to[br]a lot of lawyers so I'm hoping some cases
0:46:08.960,0:46:15.280
will start because those individual cases[br]brought by local lawyers are where also
0:46:15.280,0:46:19.859
you see a lot of change like the John Catt[br]case, that's one lawyer, so I think we
0:46:19.859,0:46:25.901
need all different things to see what[br]works and what sticks.
0:46:25.901,0:46:31.150
Herald: We haven't had number three yet.[br]Q: Hi, thanks for the talk, so I have a
0:46:31.150,0:46:39.020
question regarding concerning the solution[br]side of things because one aspect I was
0:46:39.020,0:46:45.569
missing in your talk was the economics of[br]the game actually because like you are
0:46:45.569,0:46:51.510
from the UK and the private sector has[br]like stepped in also and another public
0:46:51.510,0:46:58.799
domain the NHS to help out because funds[br]are missing and I would like to ask you
0:46:58.799,0:47:03.299
whether or not you think first of all the[br]logic is the same within the police
0:47:03.299,0:47:12.720
departments because it might also be like[br]cost driven aspect to limit the salaries
0:47:12.720,0:47:18.589
or because you have the problem with[br]police force coming in because you have to
0:47:18.589,0:47:24.099
pay their rents and automated things[br]especially when I'm given to the private
0:47:24.099,0:47:30.779
sector which has another whole logic of[br]thinking about this stuff is cost saving
0:47:30.779,0:47:43.930
and so maybe it would be a nice thing[br]whether if you could talk a bit about the,
0:47:43.930,0:47:49.359
I'm sorry, the attempt to maybe like get[br]economics a bit more into the picture when
0:47:49.359,0:47:56.130
it comes to solutions of the whole thing.[br]A: So I think yeah, you're very right in
0:47:56.130,0:48:02.309
pointing actually the relation, well that[br]you compare what's happening with the NHS
0:48:02.309,0:48:07.799
and what's happening with the police[br]because in both the economics of
0:48:07.799,0:48:14.940
companies offering policing services arise[br]from the same situation there's a need of
0:48:14.940,0:48:23.380
doing more efficient policing because of[br]budget cuts, so the same way the NHS is
0:48:23.380,0:48:30.079
being essentially privatized due to the[br]budget cuts and due to the needs
0:48:30.079,0:48:34.799
that arise from being limited in your[br]finance, again there's a similar thing
0:48:34.799,0:48:38.880
with the police when you're[br]understaffed then you're more likely to
0:48:38.880,0:48:44.329
rely on technologies to help you do[br]your work more efficiently because
0:48:44.329,0:48:51.210
essentially with predictive policing the[br]idea behind this is that if you know where
0:48:51.210,0:48:56.380
and when crime will happen then you can[br]focus the limited resources you have there
0:48:56.380,0:49:02.640
and not sort of look at a more global[br]larger picture. So I mean I'm not gonna be
0:49:02.640,0:49:06.599
here on stage advocating for more funds[br]for the police, I'm not gonna do that, but
0:49:06.599,0:49:11.660
I think that there is a desperate[br]need to reframe actually the narrative
0:49:11.660,0:49:19.170
around how we do policing actually and[br]then definitely also look at a different
0:49:19.170,0:49:22.680
perspective and a different approach to[br]policing because as I've tried to show
0:49:22.680,0:49:28.010
it's been a really long time since this[br]narrative has developed of more data leads
0:49:28.010,0:49:32.789
to crime resolution but actually what I[br]didn't have the time to get into in this
0:49:32.789,0:49:37.490
talk is actually all the research that are[br]showing that those products actually don't
0:49:37.490,0:49:42.770
work like PREDPOL is actually basically[br]gaslighting a lot of police officers with
0:49:42.770,0:49:47.650
their figures, the kind of figures that[br]are pushing and suggesting are just like
0:49:47.650,0:49:53.671
plain inaccurate, it's not accurate to[br]compare a city on the one year to what a
0:49:53.671,0:49:59.230
city is becoming in another year so it's[br]not even clear that a lot of these
0:49:59.230,0:50:05.460
projects are even like properly functioning[br]and in a sense I don't want them to
0:50:05.460,0:50:09.250
function I'm not gonna say if we had[br]better predictive policing then the
0:50:09.250,0:50:14.869
problem will be solved no that is not the[br]question, the question is how do we have
0:50:14.869,0:50:20.820
regulation that force the police to look[br]differently into the way they are
0:50:20.820,0:50:25.597
conducting policing.[br]Herald: Number four please.
0:50:25.597,0:50:31.980
Q: So, thank you for your presentation I[br]have a question about SOCMINT, my opinion
0:50:31.980,0:50:37.359
SOCMINT might violate the terms of[br]services of for example Twitter and
0:50:37.359,0:50:41.000
Facebook have you tried to cooperate with[br]these companies to make them actually
0:50:41.000,0:50:46.360
enforce their TOS?[br]A: So actually there is two things as I
0:50:46.360,0:50:51.270
said like all companies that are doing[br]scraping of data and you're right in this
0:50:51.270,0:50:58.700
case they violate the terms of services of[br]Facebook and Twitter. Now, the other
0:50:58.700,0:51:03.049
problem is that there is already a loop to[br]this and actually the marketing company I
0:51:03.049,0:51:08.289
was talking about that's being used by the[br]UK police what they essentially do is that
0:51:08.289,0:51:13.559
they purchase the data from Facebook and[br]Twitter, so this is why it's interesting
0:51:13.559,0:51:19.900
because when Facebook says we don't sell[br]your data, well essentially actually with
0:51:19.900,0:51:25.970
marketing tools that are there to monitor[br]what people say about products essentially
0:51:25.970,0:51:29.599
what you're doing is selling your data,[br]they're not selling necessarily like your
0:51:29.599,0:51:34.400
name or your location or things like that[br]but whatever you're going to be posting
0:51:34.400,0:51:41.109
publicly for example in like groups or[br]public pages is something that they are
0:51:41.109,0:51:45.329
going to be trying to sell to those[br]companies. So I think you're right and
0:51:45.329,0:51:50.839
maybe Millie will have more to say about[br]this. I think those companies have a role
0:51:50.839,0:51:56.260
to play but at the moment I think the[br]challenge we face is actually this loop
0:51:56.260,0:52:00.960
that we're facing where by purchasing the[br]data directly from the company they don't
0:52:00.960,0:52:07.420
face any they don't violate the terms of[br]services. Yeah, we've spoken a bit to the
0:52:07.420,0:52:12.840
some of the social media companies, we've[br]been told that one of their big focuses is
0:52:12.840,0:52:17.710
the problems of the social media[br]monitoring at the U.S. border and so
0:52:17.710,0:52:22.609
because there's a lot known about that[br]they're looking at those issues so I think
0:52:22.609,0:52:27.000
once we show more and more the problems[br]say in the UK or in other countries I
0:52:27.000,0:52:31.869
think it would be very interesting to look[br]at what's happened over the Catalan
0:52:31.869,0:52:37.410
independence vote period to see how social[br]media was used then. I think the companies
0:52:37.410,0:52:42.380
aren't going to react until we make them[br]although they probably will meet with us.
0:52:42.380,0:52:49.990
A slightly different aspect we revealed in[br]a different part of our work that the
0:52:49.990,0:52:53.190
intelligence agencies were gathering[br]social media that's probably not
0:52:53.190,0:52:57.779
groundbreaking news but it was[br]there in plain fact and so they all got a
0:52:57.779,0:53:01.480
bit concerned about how that was[br]happening, whether some of them knew or
0:53:01.480,0:53:05.950
some of them didn't, so the better our[br]research the more people speaking about it
0:53:05.950,0:53:11.030
I think they will engage, or we'll find[br]out are the police getting it
0:53:11.030,0:53:17.350
lawfully or unlawfully.[br]Herald: Number one please.
0:53:17.350,0:53:21.200
Q: Thanks for your talk, I have a question[br]on predictive policing because German
0:53:21.200,0:53:28.700
authorities in the last two years piloted pre-cops[br]PREDPOL projects in three states I think
0:53:28.700,0:53:33.630
and they claimed that they would never use[br]these techniques with data on individuals
0:53:33.630,0:53:38.870
but only aggregate data like the new[br]repeat stuff you presented and they
0:53:38.870,0:53:42.940
presented as just an additional tool in[br]their toolbox and that if used responsibly
0:53:42.940,0:53:48.240
can lead to more cost effective policing,[br]do you buy this argument or would you say
0:53:48.240,0:53:55.020
that there's inevitably slippery slope or[br]kind of like a path dependency to more
0:53:55.020,0:54:01.010
granular data assessment or evaluation[br]that would inevitably infringe on privacy
0:54:01.010,0:54:05.319
rights?[br]A: I think this goes back to the question
0:54:05.319,0:54:08.740
of like you know are we using predictive[br]policing to identify where crime is
0:54:08.740,0:54:14.369
happening or who it is who's committing a[br]crime but actually I think even if we if
0:54:14.369,0:54:18.910
we stick to this even if we stick to[br]identifying where crime is happening we
0:54:18.910,0:54:23.650
still run into problems we still run into[br]the fundamental problem of predictive
0:54:23.650,0:54:28.599
policing which is we only have data on[br]crime that have already been reported ever
0:54:28.599,0:54:35.809
or already been addressed by the police,[br]and that's by essence already biased data.
0:54:35.809,0:54:41.430
If we have police in some areas then we're[br]more likely to, you know, further police
0:54:41.430,0:54:51.579
because the solution of those companies of[br]those algorithms will be leading to more
0:54:51.579,0:54:57.880
suggestions that crime is happening[br]more predominantly in those areas. So, as
0:54:57.880,0:55:04.459
we've seen so far is that we fall into[br]these fundamental problems of just
0:55:04.459,0:55:11.329
overpolicing communities that are already[br]overpoliced. So in a sense in terms of
0:55:11.329,0:55:18.069
well the right to privacy but also the[br]question of the presumption of innocence I
0:55:18.069,0:55:23.040
think purely just having trying to[br]cultivate data on the where crime is
0:55:23.040,0:55:29.660
happening it's not efficient policing[br]first of all but it's also causing
0:55:29.660,0:55:35.020
challenges for fundamental rights as well.[br]Yeah, I guess it's not a great comparison
0:55:35.020,0:55:39.481
but what a lot of what they're bringing in[br]now is a program to assist you with the
0:55:39.481,0:55:43.910
charging decision, so you've got someone[br]you've arrested do you charge them or not?
0:55:43.910,0:55:48.319
The police say oh well of course it's only[br]advisory you only have to look at how busy
0:55:48.319,0:55:52.660
a police station is to know how advisory[br]is that going to be and how much is it
0:55:52.660,0:55:56.740
going to sway your opinion. So the more[br]you use these tools the more it makes your
0:55:56.740,0:56:01.260
job easier because rather than thinking,[br]where are we going to go, what areas
0:56:01.260,0:56:04.250
things going to happen, who are we going[br]to arrest, well the computer told us to do
0:56:04.250,0:56:08.700
this so let's just do that.[br]Herald: Thank you and microphone number
0:56:08.700,0:56:13.111
three please.[br]Q: Thank you, do you think that there are
0:56:13.111,0:56:19.940
any credible arguments to be made for[br]limiting the police's abilities under acts
0:56:19.940,0:56:25.130
in the UK that incorporate EU level[br]restrictions on privacy data protection
0:56:25.130,0:56:29.650
human rights or fundamental rights and if[br]so do you anticipate that those arguments
0:56:29.650,0:56:35.140
might change after Brexit?[br]A: Well they're bringing in GDPR and
0:56:35.140,0:56:39.670
the Law Enforcement Directive now and[br]they're not going to scrap those once
0:56:39.670,0:56:44.299
Brexit comes in. We'll still be part,[br]hopefully, of the European Court of Human
0:56:44.299,0:56:49.130
Rights, but not the European Court of[br]Justice. I think there are going to be
0:56:49.130,0:56:51.960
implications it's going to be very[br]interesting how they play it out they're
0:56:51.960,0:56:57.420
still going to want the data from Europol,[br]they want to be part of Interpol, policing
0:56:57.420,0:57:02.309
operates at a different level and I think[br]if they have to comply with certain laws
0:57:02.309,0:57:06.029
so that they can play with the big boys[br]then they probably will, but they may do
0:57:06.029,0:57:12.160
things behind the scenes, so it depends[br]where it works for them, but certainly the
0:57:12.160,0:57:16.019
politicians and definitely the police[br]wanna be part of those groups. So we'll
0:57:16.019,0:57:20.809
have to see, but we will still use them[br]and we'll still rely on European judgments
0:57:20.809,0:57:26.865
the force they have in a court of law may[br]be more difficult.
0:57:26.865,0:57:32.319
Herald: Does the internet have any[br]questions, nope, well then number two
0:57:32.319,0:57:35.839
please.[br]Q: So you've mentioned that they don't
0:57:35.839,0:57:41.609
have really good operational security and[br]sometimes some stuff that should not leak
0:57:41.609,0:57:47.869
leaked now within the last year we had[br]major data leaks all across the world like
0:57:47.869,0:57:54.710
Philippines, South Africa, just to mention[br]a few, now if the, security, OPSEC is so
0:57:54.710,0:58:00.160
bad in the police in Great Britain it's[br]not unlikely that something will happen
0:58:00.160,0:58:05.299
in Europe of a similar kind what kind of[br]impact do you think such a huge data leak
0:58:05.299,0:58:11.750
of private information which the police[br]legally stored has even if it was not
0:58:11.750,0:58:16.539
leaked by the police and it would be leaked[br]by a private company that had some way
0:58:16.539,0:58:19.329
access to it?[br]A: I guess it depends what it
0:58:19.329,0:58:25.340
is, if it's a database with serious[br]criminals and only the bad people, then
0:58:25.340,0:58:29.480
people will think when it's[br]good they have that information but they
0:58:29.480,0:58:35.920
need to make it more secure. If[br]somehow databases which held all sorts of
0:58:35.920,0:58:39.589
information say from people's mobile[br]phones, innocent people's pictures, all
0:58:39.589,0:58:44.820
that kind of thing then we might see a[br]much wider public reaction to the tools
0:58:44.820,0:58:51.039
that are used and the safeguards, the[br]legal safeguards, will come a lot quicker
0:58:51.039,0:58:55.599
than probably we will achieve in the way[br]we're trying to go now because there'll be
0:58:55.599,0:59:02.030
a bigger public outrage.[br]Herald: Okay one last and hopefully short
0:59:02.030,0:59:06.619
question from microphone one.[br]Q: Hi, thanks for the talk was really
0:59:06.619,0:59:10.320
interesting, it's actually quite a short[br]question how much is a Cellebrite, and can
0:59:10.320,0:59:14.760
we buy one?[br]A: I did look to buy one, I think there
0:59:14.760,0:59:21.319
were some on eBay but I'm sure if they[br]were like the right things but a couple of
0:59:21.319,0:59:24.319
thousand pounds, but I think you have to[br]actually be a police force to get those
0:59:24.319,0:59:30.529
ones, maybe there are other types but[br]it's expensive but not unobtainable, but
0:59:30.529,0:59:34.779
I'm trying to find universities that might[br]have them because I think that a lot of
0:59:34.779,0:59:38.369
forensic schools I'm hoping that they[br]will, I know they do extractions of
0:59:38.369,0:59:41.725
laptops but I haven't found one yet that[br]does phones but I probably haven't asked
0:59:41.725,0:59:45.808
enough people. [br]Herald: So thank you very much.
0:59:45.808,0:59:50.990
34C3 Music
0:59:50.990,1:00:07.000
subtitles created by c3subtitles.de[br]in the year 2020. Join, and help us!