34C3 preroll music Herald angel: Today two people from privacy international, one is Eva Blum--Dumontet she's a research officer working on data exploitation especially in the global south and Millie Wood who's a lawyer and is fighting against spy agencies and before that she fought seven years against police cases and they're gonna be talking about policing in the the age of data exploitation. Give them a warm welcome. Applause Millie Wood: Hi I'm Millie as was just said I've been at privacy international for two years working as a lawyer before that I spent seven years bringing cases against the police and what increasingly concerns me based on these experiences is a lack of understanding of what tactics are being used by the police today and what legal basis they are doing this on. The lack of transparency undermines the ability of activists lawyers and technologists to challenge the police tactics and whilst I'm sure a lot of you have a broad awareness of the technology that the police can use I don't think this is enough and we need to know what specific police forces are using against individuals. The reason why is that when you're arrested you need to know what disclosure to ask for in order to prove your innocence. Your lawyers need to know what expert evidence to ask for in order to defend their client. And increasingly as there are invisible ways or seemingly invisible for the police to monitor a scale we need to know that there are effective legal safeguards. Now those who are affected are not just the guilty or those who understand technology they include pensioners such as John Cat a 90 year old man who's a peace protester and he's a law-abiding citizen no criminal record and yet he is on the UK domestic extremism database and listed here are some of the entries: He took his sketchpad and made drawings, he's clean shaven, and he was holding a board with orange people on it. So this is the kind of people that they are surveilling. John's case exposes unlawful actions by the police but these actions date back to 2005 to 2009 as far as I'm aware there are no cases challenging modern police tactics and privacy international in the UK and with our partners throughout the world are increasingly concerned at the pace this is developing unobstructed because people don't know what's going on, and so we've started in the UK to try and uncover some of the police tactics using Freedom of Information requests. These laws should be available throughout Europe and we want to make similar requests in other countries hopefully with some of you. So now I'm going to hand over to my colleague Eva who will talk a bit about privacy international, some of the tactics we know the police are using, and then we'll speak about some of the things that we found out through our initial research. Applause Thank you so, I'm just going to tell you a little bit more about Privacy International for those of you who don't know this organization. We are based in London and we fight against surveillance and defend the right to privacy across the world. Basically, essentially what we're doing is that we do litigation, we conduct research, and we carry out advocacy including at the United Nations, we develop policies on issues that are defining modern rights. Now, our work ranges from litigations against intelligence services to a wide range of reports on issues such as connected cars, smart cities, and FinTech. We've recently published an investigation on the role of companies like Cambridge Analytica and Harris Media and their role in the latest Kenyan elections. With our network of partner organisations across the world we advocate for stronger privacy protection in the law and technology and stronger safeguards against surveillance. Now we talk about data exploitation and it's actually the title of the talk so what do we mean by that? The concept of data exploitation emerges from our concerns that the industry and governments are building a world that prioritize the exploitation of all data. We observe three prevailing trends in data exploitation. One is the excessive data that's generated beyond our control. The second one is the fact that this data is processed in a way we cannot understand or influence and the lack of transparency around it. The last one is, that at the moment this data is used to disadvantage us the ones who are producing this data and it's further empowering the already powerful. We hardly control the data anymore that's generated from phones or in our computers, but now in the world we live in data just don't come just from our phones or computers. It comes from the cars we're driving, it comes from our payment systems, from the cities we live in. This is all generating data and this data is used by other entities to make assumptions about us and take decisions that eventually influence our lives. Are we entitled to a loan? Do we qualify for affordable insurance? Should we be sent to jail or set free? Who should be arrested? This is at the core of the world that we're building around data exploitation. The question of power imbalance between those who have the data and who gets to make decisions based on this data and those who are producing the data and losing control over it. Now what is policing have to do with data, what does data exploitation have to do with policing? The police has always been actually using data in the past. To give you one example in 1980 a transit police officer named Jack Maple, developed a project called chart of the future, this is how he described it: "I call them the chart of the future. On 55 feet of wall space, I mapped every train station in New York City and every train. Then I used crayons to mark every violent crime, robbery, and grand larceny that occurred. I mapped the solved versus the unsolved". Now the system was used by the Transit Police and it was credited with reducing felonies by 27% and robberies by 1/3 between 1990 and 1992. So this generated a lot of interest in his projects and former New York Mayor Rudolph Giuliani asked the New York police department to essentially take up chart of the future and develop their own project. It became CompStat. CompStat was again essentially about mapping crime to try and make assumptions about where crime wars are happening. So this kind of shows the building of this narrative around this idea that the more data you have, the more data you generate, the better you will be at reducing crime. Now it becomes interesting in the world we live in that we describe, where we are constantly generating data, often without the consent or even the knowledge of those who are producing this data. So there are new questions to be asked: What data is the police entitled to access? What can they do with it? Are we all becoming suspects by default? One of the key elements of the intersection between data exploitation and policing is the question of smart cities. It's worth bearing in mind that data-driven policing is often referred to as smart policing, so obviously the word smart has been used generally in a generic manner by various industry to kind of describe this trend of using mass data collection in order to provide new services. But there is actually a real and genuine connection between smart cities and data-driven policing. The first reason for that is that actually one of the main reasons for cities to invest in smart city infrastructure is actually the question of security. This is something we've explored in our latest report on smart cities and this is emerging also from the work we're doing other organizations including coding rights in Brazil and DRF in Pakistan. So actually Brazil is an interesting example, because before the mega events they started organizing like the football World Cup and the Olympics they invested massively in smart city infrastructure. Including projects with IBM and precisely the purpose of what they were trying to achieve with their smart city infrastructure, was making the city safer so it was extremely strongly connected with the police. So this is a picture for example of the control room that was built to control CCTV cameras and to create graphs in order to showcase where crime was happening and also in a way the likeliness of natural disasters in some areas. In Pakistan there is a whole new program on investment of smart cities, which is actually referred to as the safe city project. Now companies understand that very well and this is actually an image from an IBM presentation describing their vision of smart cities. And as you see like policing that is very much integrated into their vision, their heavily centralized vision of what smart cities are. So that's no wonder that companies that offer smart city infrastructure are actually now also offering a platform for policing. So those companies include IBM as I mentioned but also Oracle and Microsoft. We see in many countries including the UK where we based some pressure on budgets and budget reductions for the police and so there is a very strong appeal with this narrative, that you can purchase platform you can gather more data that will help you do policing in less time and do it more efficiently. But little thought is given to the impact on society, or right to privacy and what happens if someone unexpected take the reins of power. Now we're gonna briefly explain what data- driven policing looks like, and eventually Millie will look at our findings. So the first thing I wanted to discuss is actually predictive policing, because that's often something we think of and talked about when we think about data- driven policing. I mentioned CompStat before and essentially predictive policing works on a similar premise. The idea is that if you map where crime happens you can eventually guess where the next crime will happen. So the key player in predictive policing is this company called PREDPOL, I mean I think they describe pretty much what they do, they use artificial intelligence to help you prevent crime, right, predicting when and where crime will most likely occur. Now PREDPOL and other companies using something called a Hawkes process that's used normally for the prediction of earthquake tremors, so what Hawkes originally did is that he was analyzing how after an earthquake you have after shakes and usually the after shakes tend to happen where the original earthquake happened and in a short period of time after that. So the Hawkes process basically is described as when a certain event happens, other events of the same kind will happen shortly after in the same in the same location. Now obviously it actually works quite well for earthquakes, whether it works for crime is a lot more questionable. But that's actually the premise on which companies that are offering predictive policing services are relying. So basically applied to predictive policing the mantra is monitoring data on places where crime is happening you can identify geographic hotspots where crime will most likely happen again. Now other companies than PREDPOL are joining in and they are adding more data than just simply location of past crimes. So this data has included open source intelligence and we talked a little bit more about this later on. Weather report, census data, the location of key landmarks like bars, churches, schools, data sporting events, and moon phases. I'm not quite sure what they're doing with moon phases but somehow that's something they're using. When predictive policing first sort of emerged one of the the key concerns was whether our world was going to be turning into a Minority Report kind of scenario where people are arrested before a crime is even committed and companies like PREDPOL were quick to reassure people and say that do not concern about who will commit crime but where crimes are happening. Now that's not actually true because in fact at the moment we see several programs emerging especially in the US, where police departments are concerned not so much with where crimes are happening, but who's committing it.,So I'm gonna talk about two example of this: One is the Kansas City No Violence Alliance, which is a program laid by the local police to identify who will become the next criminal - basically - and they're using an algorithm that combines data from traditional policing as well as social media intelligence and information that they have on drug use, based on this they create graphics generated using predictive policing to show how certain people are connected to already convicted criminals and gang members. Once they've identified these people they request meeting with them whether they've committed crimes or not in the past. And they would have a discussion about their connection to those convicted criminals and gang members and what they tell them is that they are warned that if a crime next happened within their network of people every person connected to this network will be arrested whether or not they were actually involved in the crime being committed. Now there are actually dozens of police departments that are using similar programs. The Chicago Police Department has an index of the 400 people most likely to be involved in violent crimes. That sounds like a BuzzFeed article but actually there is a reality which is extremely concerning, because those people who are in this list are for the most part not actual criminals, they are purely seen to be connected to people who've committed crime. So if your next- door neighbor is a criminal then you may well find your name on that list. Now predictive policing is deceptive and problematic for several reasons: First of all there's the question of the presumption of innocence. In a world where even before you commit a crime you can find your name on that list or be called by the police - you know - what happens to this very basis of democracy which is the presumption of the of innocence. But also there's the other question of like can we really use the math that was originally designed for earthquakes and apply to human beings because human beings don't work like earthquakes. They have their own set of biases and the biases start with how we collect the data. For example, if the police is more likely to police areas where there is minorities, people of color, then obviously the data they will have will be disproportionately higher on persons of color. Likewise if they are unlikely to investigate white- collar crime they will be unlikely to have data that are reflecting a reality where crime also happens in wealthier areas. So basically we are inputting biased datasets that obviously will lead to biased results. And what these biased results mean is that it will continue the already existing trend of over policing communities of color and low-income communities. I'll leave it to Millie for the next box. So, one of the increasingly popular technologies we're seeing in the UK, and is no doubt used around the world and probably at border points, although we need more help with the reasearch to prove this, is mobile phone extraction. The police can extract data from your phone, your laptop, and other devices which results in a memory dump of the extracted data taken from your device and now held in an agency database. So for example all your photos, all your messages, and all those of people who had no idea they would end up in a police database because they're associated with you retained for as long as the police wish. Now these devices are pretty user friendly for the police and if you're interested you can look on YouTube where Cellebrite one of the big players has lots of videos about how you can use them, and so depending on the device and the operating system some of the data this is from a police document but it lists what they can extract using a Cellebrite UFED is what you might expect: device information, calls, messages, emails, social media, and Wi-Fi networks. But if you look at their website and here are a few examples they can also collect: system and deleted data, they can access cloud storage, and inaccessible partitions of the device. Now this is data that is clearly beyond the average users control, and as the volume of data we hold on our phones increases so will this list. And the companies we know the UK police are using, which includes: Cellebrite, Acceso, Radio Tactics, MSAB, are all aware of how valuable this is and as one of them have stated: "if you've got access to a person SIM card, you've got access to the whole of a person's life". They also go on to note: "the sheer amount of data stored on mobile phones is significantly greater today than ever before." There are also no temporal limits to the extraction of data, this is from another police document we obtained and it shows that if you choose to extract to certain data type you will obtain all data of a particular type, not just the data relevant to an investigation. So all that data on a police database, indefinitely and even if you were asked whether you were happy for your data to be extracted during an investigation I think it's highly unlikely you would realize the volume that the police were going to take. Other targets for the police that we know about are: infotainment systems in cars, Smart TVs, and connected devices in the home. This is an extract from a tech UK report, where Mark Stokes head of digital forensics at the Met Police which the police in London stated in January, that the crime scene of tomorrow will be the Internet of Things and detectors of the future will carry a digital forensics toolkit that will help them analyze microchips and download data at the scene rather than removing devices for testing. Now I can imagine that the evidence storage room is going to get a bit full if they start dragging in connected fridges, hair dryers, hair brushes, your Google home, Amazon echo and whatever else you have. However, their plans to walk into your home and download everything, make no mention of needing a specific warrant and so the only limitations at the moment are the protections that may exist on the devices. The law does not protect us and this needs to change. So I'm going to be talking a little bit about open source intelligence and in particular social media intelligence, because when I talked about predictive policing I identified those two sources as some of the data that's being used for predictive policing. Now, open source intelligence is often thought as, or often assumed to be innocuous, and there is the understanding that if information is publicly available then it should be fair for the police to use. Now the problem is that among open source intelligence there's often social media intelligence that we refer to as documents. Now there are many ways to conduct document and it can range from like the single police officer, who is just you know using Facebook or Twitter to look up the accounts of victims or suspected criminals, but there was also companies that are scrapping the likes of Facebook and Twitter to allow the police to monitor social media. Now social medias have like blurred the lines between public and private, because obviously we are broadcasting our views on this platform and at the moment the police has been exploiting this kind of unique space, this blured line, ithey are accessing this content in a completely unregulated manner, as long as the content is publicly available like for example you don't need to be friend or to have any already established connection with the suspected criminal or the police or the victim anything that's available to you it's completely unregulated there are no rules and I mentioned earlier the question of a budget restriction and so the police is benefiting hugely from this because it doesn't really cost anything to use social media so at the moment SOCMINT is kind of like the first and easy step in a police investigation because there is no cost and because there is no oversight. Now, SOCMINT actually isn't so innocent in the sense that it allows the police to identify the locations of people based on their post, it allows them to establish people's connection, their relationships, their association, it allows the monitoring of protest and also to identify the leaders of various movement, and to measure a person's influence. Now, in the UK what we know is that the police is largely using marketing products, so this is an anonymous quote from a report by academics that have been doing research on SOCMINT and what someone said was that: "A lot of stuff came out of marketing because marketing were using social media to understand what people were saying about their product... We wanted to understand what people were saying so it's almost using it in reverse". Now again, this is not considered like surveillance device this is purely a marketing project that they're using and for that reason law enforcement agencies and security agencies are often arguing that SOCMINT has basically no impact on privacy. But actually when your post reveals your location or when the content of your post reveal what used to be considered and is still considered actually as sensitive private information like details about your sexual life, about your health, about your politics, can we really minimize the impact of the police accessing this information. Now obviously we may not have a problem with the average twitter user or with a friend reading this information but when the ones who are reading the information and taking actions on this information have power over us like the police does, you know, what does it actually mean for our right to privacy? That's not to say that people should stop using social media but rather what kind of regulation can we put in place so that it's not so easy for the police to access. The absence of regulations on SOCMINT has actually already led to abuse in two cases both in the US that we've identified: One is Raza v. the City of New York which is a case from the ACLU where we knew that we found out that the city of New York, sorry, the New York Police Department was systematically gathering intelligence on Muslim communities, and one of the ways they were gathering this intelligence was essentially by surveilling social media accounts of Muslims in New York. The second case is a company called ZeroFOX. So what ZeroFox does is social media monitoring. Now, during the the riots that followed the funeral of Freddie Gray, Freddie Gray was a 25 year old black man who had been shot by the police, so after his funeral there had been a series of riots in the UK and ZeroFOX produced a report that they shared with the Baltimore Police to essentially advertise for their social social media monitoring tool and what the company was doing was again like browsing social media and trying to establish who were the threat actors in these riots and among the 19 threat actors that they identified two of them were actually leaders of the black lives matter movement. Actually at least one of them was a woman definitely not a physical threat but this is how they were essentially labeled. So these two examples actually show that again it's still sort of the same targets, it's people of colors, it's activists, it's people from poor income backgrounds, that are singled out as likely criminals. And it's very telling when we realize that SOCMINT is actually one of the sources of data that's eventually used for predictive policing and then again predictive policing leading to people being more surveiled and potentially exposed to more police surveillance based on the fact that they all singled out as as likely criminal. Now social media is a fascinating place because it's a mix between a private and a public space as I said we are broadcasting our views publicly but then again it's a privately owned space where we follow the rules that is set up by private companies. Now, if we want to protect this space and ensure that like free expression and political organization can still happen on the spaces we need to fully understand how much the police have been exploiting the spaces and how we can limit and regulate the use of it. Now, I'll talk to Millie about what we can do next. So I'm going to briefly look at some of our initial findings we've made using Freedom of Information requests, broadly: the lack of awareness by the public, weak legal basis, and a lack of oversight. Now, sometimes the lack of awareness appears intentional - we asked the police about their plans to extract data from connected devices in the home and they replied neither confirm nor deny. Now this is kind of a bizarre response given that Mark Stokes who's a member of the police had already said that they plan to do this, in addition the UK government Home Office replied to us saying the Home Office plans to develop skills and capacity to exploit the Internet of Things as part of criminal investigations. They also said that police officers will receive training in relation to extracting, obtaining, retrieving, data from or generated by connected devices. So we wrote back to every police force in the UK had refused to reply to us and presented the evidence but they maintained their stance so we will be bringing a challenge against them under the Freedom of Information Act. Now, Eva has also identified the huge risks associated with predictive policing yet in the UK we've found out this is set to increase with forces either using commercial tools or in-house ones they've developed or planning trials for 2018. There has been no public consultation, there are no safeguards, and there is no oversight. So when we ask them more questions about the plans we were told we were 'vexatious' and they won't respond to more requests so it seems like we have yet another challenge, and what about mobile phone extraction tools here are some of the stats that have been found out and I would say these aren't completely accurate because it depends on how reliable the police force are in responding but roughly I'd say it's probably more than 93 percent now of UK police forces throughout the country are extracting data from digital devices. We know they plan to increase, we've seen in their documents they plan to train more officers, to buy more equipment, and to see extraction as a standard part of arrest, even if the devices had absolutely nothing to do with the offense and so these figures are likely to increase exponentially, but in the UK not only to the police not need a warrant in documents we've read they do not even need to notify the individual that they have extracted data, for example, from their mobile phone or that they're storing it. If this is being done without people's knowledge how on earth can people challenge it, how can they ask for their data to be removed if they're found innocent? Turning to social media monitoring which the police refer to as open source research. This is Jenny Jones she's a member of the House of Lords in the Green Party and next to her photo is a quote from her entry on the domestic extremism database, and so, if a member of the House of Lords is being subject to social media monitoring for attending a bike ride then I think it's highly likely that a large number of people who legitimately exercise their right to protest are being subject to social media monitoring. Now, this hasn't gone unnoticed completely although they're slightly old these are quotes from two officials: the first the UK independent reviewer of terrorism who notes that the extent of the use of social media monitoring is not public known, and the second is the chief surveillance commissioner who is and this is a very strong statement for a commissioner is saying that basically social media should not be treated as fair game by the police. So now I'll move on to a weak or outdated legal basis. For most of the technologies we've looked at it's very unclear what legal basis the police are using even when we've asked them. This relates to mobile phone extraction - so the legislation they're relying on is over 30 years old and is wholly inappropriate for mobile phone extraction this law was developed to deal with standard traditional searches, the search of a phone can in no way be equated to the search of a person, or the search of a house, and despite the fact that we have repeatedly asked for a warrant this is not the case and we believe that there should be a warrant in place not only in the UK but in the rest of the world. So if you think that either you or your friends have had their data extracted when they're arrested or your phone has been in the possession of the authorities you should be asking questions, and very briefly something on lack of oversight, so we reported in January this year about documents that were obtained by The Bristol Cable's investigation into Cellebrite and one report said that in half of the cases sampled the police noted the police had failed to receive authorization internally for the use of extraction tools. Poor training undermined investigations into serious offences such as murder, and inadequate security practices meant that encryption was not taking place even when it was easy to do and they were losing files containing intimate personal data. So why does this matter? Here are some key points: In relation to information asymmetry - it's clear as Eva has explained that the police can now access far more data on our devices than the average user. In relation to imbalance of power - it's clear they can collect and analyze sources that are beyond our control whether it's publicly placed sensors, cameras, and other devices. There is also unequal access and if lawyers don't know what's being gathered they don't know what to ask for from the police. All in all this puts the individual at a huge disadvantage. Another impact is the chilling effect on political expression now I'm sure many of you maybe think that the police monitor your social media but the average person is unlikely to, and so if they start to know about this are they going to think twice about joining in protesting either physically or using a hashtag, and what about who your friends are? If they know you attend protests are they really want to have their data on your phone if they know that potentially that could be extracted and end up on a police database? It's far easier to be anonymous face among many people than a single isolated person standing up to power but these new forms of policing we have been discussing redefine the very act of protesting by singling out each and every one of us from the crowd. So, what can we do? Many of you will be familiar with these technologies, but do you know how to find out what the police are doing? In the UK we've been using Freedom of Information requests, we want to do this with people throughout Europe and you don't need to be a lawyer so please get in touch. We also want to dig into the technology a bit more, I want someone to use a Cellebrite UFED on my phone and show me exactly what can come out of it, and we want to tell lawyers and activists about these new techniques. Many lawyers I speak to who are experts in actions against the police do not know the police are using these tools. This means they don't know the right questions to ask and so it's fundamental you speak to people who are bringing these cases and tell them about what they can do or what questions they should be asking, and finally we want you to also raise the debate, to share our research, and to critique it, thank you. Herald: So we've got ample enough time for Q&A are there any questions in the hall, yes, there's one over there. Question: You mentioned the problem of when they do physical extraction from the Celebrite device it's going to get all of the photos, all of the emails, or whatever maybe rather than just what the investigator needs. What is the solution to that from your eyes is there a technical one that these companies are gonna have to implement - which they're not going to - or a legal one, because on the other side a mobile phone is a crucial part in a any criminal investigation in 2017. So what's the workaround or the solution to that? Answer: I think it's both, I think the fact that there isn't any law looking at this and no one's discussing can there be a technical solution or does it need to be one where there's better regulation and oversight so you extract everything, can you keep it for a certain period to see what's relevant then do you have to delete it? The trouble is we don't see any deletion practices and the police have publicly stated in the media that they can just keep everything as long as they like. They like data you can kind of see why but that doesn't mean they should keep everyone's data indefinitely just in case it's useful so I think there may be tech solutions there may be legal ones and I think perhaps both together as is one of the answers. Herald: The next question from microphone one please. Q: I'm just wondering how those laws on action and power given to the cops are being sold to the UK people is it because to fight terrorism as I said or to fight drugs or this kind of stuff, what's the argument used by the government to sold that to the people. A: I think actually one thing that's important is to bear in mind is that I'm not sure most of the of the public in the UK is even aware of it, so I think unlike the work of intelligence services an agency where terrorism is used as the excuse for ever more power and especially laws that have become increasingly invasive, actually with policing we don't even fall in that kind of discourse because it's actually hardly talked about in UK. Yeah, and the mobile phone extraction stuff we've been looking at is low-level crimes, so that's like you have, it could be you know a pub fight, it could be a robbery, which that's more serious, it could be an assault, so they want to use it in every case. For all the other techniques we have no idea what they're using for that's one of the problems. Herald: The next question from the internet please. Q: When you say that there's a lack of laws and regulations for police concerning us in extraction and data from devices are you talking just about UK and/or USA or do you have any examples of other countries who do better or worse? A: I don't know of any country that has a regulation on publicly available information on social media. Herald: Microphone number four. Q: Thank you again for a great talk. In terms of data exploitation an element that I didn't hear you talk about that I'd like to hear a little bit more is when there are questions around who is doing the exploitation, I know in the U.S. some FOIA researchers get around how difficult it is to get data from the feds by going after local and state police departments, is that something that you're doing or do you have a way of addressing confusion when people don't know what agency has the data? A: Yeah, I think actually what one of the things the data exploitation program at Privacy International is doing is actually looking into the connection between the private sector and governments because obviously at the moment there's the whole question of data brokers which is an industry that's hardly regulated at all, that people don't necessarily know about, we don't, the companies that are doing it are familiar household name. I'll let Millie talk a lot more about the government aspects of it. I guess the question is again a country-by-country basis, we work in many countries that don't have any data protection regulations at all so there is this first difficulty as how do we regulate, how do we limit the power of the state when you don't even have the basic legislation around data protection? One thing to bear in mind is like the problem with companies is like how do you also hold companies accountable whereas with the state there is the whole challenge of finding the right legal framework to limit their power, but maybe I'll let Millie talk a little bit more about this. Yeah, with our with our FOIA request we tend to go after everyone so with the example of the Home Office saying something that the other police didn't that was because we went to all the different state bodies and I think that there's a good example in in the states where there's far more research done on what the police are doing, but they're using the same product in the UK I think it's axiom and they're a storage device for body-worn camera videos, and a lawyer in the states said that in order to access the video containing his client he had to agree to the terms and condition on Axioms website which basically gave them full use of his clients video about a crime scene. So that's a private company having use of this video so given that we found they're using it in the UK we don't know if those kind of terms and conditions exist but it's a very real problem as they rely increasingly on private companies. Herald: Number two please. Q: Thank you for your work perhaps you've already answered this partially from other people's questions but it looks like we have a great way to start the process and kind of taking the power back but you know the state and the system certainly doesn't want to give up this much power, how do we actually directly, what's kind of the endgame, what's the strategies for making the police or the government's give up and restore balance, is it a suit, is it challenging through Parliament and in the slow process of democracy, or what do you think is the right way of doing it? A: I never think one works on its own, even though I'm a litigator I often think litigation is quite a weak tactic, particularly if you don't have the public on side, and then again if you don't have Parliament. So we need all of them and they can all come through different means so we wouldn't just focus on one of the different countries it might be that you go down the legal route or the down the parliamentary route but in the UK we're trying all different routes so for example on mobile phone extraction in the beginning of next year we're going to be doing a video we're going to be doing interviewing the public and speaking to them about it, we're going to be going to Parliament, and I've also been speaking to a lot of lawyers so I'm hoping some cases will start because those individual cases brought by local lawyers are where also you see a lot of change like the John Cat case, that's one lawyer, so I think we need all different things to see what works and what sticks. Herald: We haven't had number three yet. Q: Hi, thanks for the talk, so I have a question regarding concerning the solution side of things because one aspect I was missing in your talk was the economics of the game actually because like you are from the UK and the private sector has like stepped in also and another public domain the NHS to help out because funds are missing and I would like to ask you whether or not you think first of all the logic is the same within the police departments because it might also be like cost driven aspect to limit the salaries or because you have the problem with police force coming in because you have to pay their rents and automated things especially when I'm given to the private sector which has another whole logic of thinking about this stuff is cost saving and so maybe it would be a nice thing whether if you could talk a bit about the, I'm sorry, the attempt to maybe like get economics a bit more into the picture when it comes to solutions of the whole thing. A: So I think yeah, your very right in pointing actually the relation, well that you compare what's happening with the NHS and what's happening with the police because in both the economics of companies offering policing services arise from the same situation there's a need of doing more efficient policing because of budget cuts, so the same way the NHS is being essentially privatized due to the budget cuts and due to the to the needs that arise from being limited in your finance, again there's a similar thing with the police when you when you're understaffed then you're more likely to rely on on technologies to help you do your work more efficiently because essentially with predictive policing the idea behind this is that if you know where and when crime will happen then you can focus the limited resources you have there and not sort of look at a more global larger picture. So I mean I'm not gonna be here on stage advocating for more funds for the police, I'm not gonna do that, but I think that there is there is a desperate need to reframe actually the narrative around how we do policing actually and then definitely also look at a different perspective and a different approach to policing because as I've tried to show it's been a really long time since this narrative has developed of more data leads to crime resolution but actually what I didn't have the time to get into in this talk is actually all the research that are showing that those product actually don't work like PREDPOL is actually basically gaslighting a lot of police officers with their figures, the kind of figures that are pushing and suggesting are just like plain inaccurate, it's not accurate to compare a city on the one year to what a city is becoming in another year so it's not even clear that a lot of this project are even like properly functioning and in a sense I don't want them to function I'm not gonna say if we had better predictive policing then the problem will be solved no that is not the question, the question is how do we have regulation that force the police to look differently into the way they are conducting policing. Herald: Number four please. Q: So, thank you for your presentation I have a question about SOCMINT, my opinion SOCMINT might violate the terms of services of for example Twitter and Facebook have you tried to cooperate with these companies to make them actually enforce their TOS? A: So actually there is two things as I said like all companies that are doing scraping of data and you're right in this case they violate the terms of services of Facebook and Twitter. Now, the other problem is that there is already a loop to this and actually the marketing company I was talking about that's being used by the UK police what they essentially do is that they purchase the data from Facebook and Twitter, so this is why it's interesting because when Facebook's say we don't sell your data, well essentially actually with marketing tools that are there to monitor what people say about products essentially what you're doing is selling your data, they're not selling necessarily like your name or your location or things like that but whatever you're going to be posting publicly for example in like groups or public pages is something that they are going to be trying to sell to those companies. So I think you're right and maybe Millie will have more to say about this. I think those companies have a role to play but at the moment I think the challenge we face is actually this loop that we're facing where by purchasing the data directly from the company they don't face any they don't violate the terms of services. Yeah, we've spoken a bit to the some of the social media companies, we've been told that one of their big focuses is the problems of the social media monitoring at the U.S. border and so because there's a lot known about that they're looking at those issues so I think once we show more and more the problems say in the UK or in other countries I think it would be very interesting to look at what's happened over the Catalan independence vote period to see how social media was used then. I think the companies aren't going to react until we make them although they probably will meet with us. A slightly different aspect we revealed in a different part of our work that the intelligence agencies were gathering social media that's probably not groundbreaking news but it was it was there in plain fact and so they all got a bit concerned about how that was happening, whether some of them knew or some of them didn't, so the better our research the more people speaking about it I think they will engage, or we'll find out are they are the police getting it lawfully or unlawfully. Herald: Number one please. Q: Thanks for your talk, I have a question on predictive policing because German authorities in the last two years piloted pre-cops PREDPOL projects in three states I think and they claimed that they would never use these techniques with data on individuals but only aggregate data like the new repeat stuff you presented and they presented as just an additional tool in their toolbox and that if use responsibly can lead to more cost effective policing, do you buy this argument or would you say that there's inevitably slippery slope or kind of like a path dependency to more granular data assessment or evaluation that would inevitably infringe on privacy rights? A: I think this goes back to the question of like you know are we using per listening to identify where crime is happening or who it is who's committing a crime but actually I think even if we if we stick to this even if we stick to identifying where crime is happening we still run into problems we still run into the fundamental problem of predictive policing which is we only have data on crime that have already been reported ever or already been addressed by the police, and that's by essence already biased data. If we have police in some areas then we're more likely to, you know, further police because the solution of those companies of those algorithm will be leading to more suggestions that crime is is happening more predominantly in those areas. So, as we've seen so far is that we fall into these fundamental problems of just overpolicing communities that are already overpoliced. So in a sense in terms of well the right to privacy but also the question of the presumption of innocence I think purely just having trying to cultivate data on the where crime is happening it's not efficient policing first of all but it's also causing challenges for fundamental rights as well. Yeah, I guess it's not a great comparison but what a lot of what they're bringing in now is a program to assist you with the charging decision, so you've got someone you've arrested do you charge them or not? The police say oh well of course it's only advisory you only have to look at how busy a police station is to know how advisory is that going to be and how much is it going to sway your opinion. So the more you use these tools the more it makes your job easier because rather than thinking, where are we going to go, what areas things going to happen, who are we going to arrest, well the computer told us to do this so let's just do that. Herald: Thank you and microphone number three please. Q: Thank you, do you think that there are any credible arguments to be made for limiting the police's abilities under acts in the UK that incorporate EU level restrictions on privacy data protection human rights or fundamental rights and if so do you anticipate that those arguments might change after brexit? A: Well they they're bringing in GDPR and the Law Enforcement Directive now and they're not going to scrap those once brexit comes in. We'll still be part, hopefully, of the European Court of Human Rights, but not the European Court of Justice. I think there are going to be implications it's going to be very interesting how they play it out they're still going to want the data from Europol, they want to be part of Interpol, policing operates at a different level and I think if they have to comply with certain laws so that they can play with the big boys then they probably will, but they may do things behind the scenes, so it depends where it works for them, but certainly the politicians and definitely the police wanna be part of those groups. So we'll have to see, but we will still use them and we'll still rely on European judgments the force they have in a court of law may be more difficult. Herald: Does the internet have any questions, nope, well then number two please. Q: So you've mentioned that they don't have really good operational security and sometimes some stuff that should not leak leaked now within the last year we had major data leaks all across the world like Philippines, South Africa, just to mention a few, now if the, security, OPSEC is so bad in the police in Great Britain it's not unlikely that something will happen in Europe of a similar kind what kind of impact do you think such a huge data leak of private information which the police legally stored has even if it was not leaked by the police and it would be leaked by a private company that had some way access to it? A: I I guess it depends what it what it is, if it's a database with serious criminals and only the bad people, then people will think when it's good they have that information but they need to make it more secure. If somehow databases which held all sorts of information say from people's mobile phones, innocent people's pictures, all that kind of thing then we might see a much wider public reaction to the tools that are used and the safeguards, the legal safeguards, will come a lot quicker than probably we will achieve in the way we're trying to go now because there'll be a bigger public outrage. Herald: Okay one last and hopefully short question from microphone one. Q: Hi, thanks for the talk was really interesting, it's actually quite a short question how much is a Cellebrite, and can we buy one? A: I did look to buy one, I think there were some on eBay but I'm sure if they were like the right things but a couple of thousand pounds, but I think you have to actually be a police force to get those ones, maybe there are other types but it's expensive but not unobtainable, but I'm trying to find universities that might have them because I think that a lot of forensic schools I'm hoping that they will, I know they do extractions of laptops but I haven't found one yet that does phones but I probably haven't asked enough people. Herald: So thank you very much. 34C3 Music subtitles created by c3subtitles.de in the year 2020. Join, and help us!