-
34C3 preroll music
-
Herald angel: Today two people from Privacy
International, one is Eva Blum-Dumontet
-
she's a research officer working on data
exploitation especially in the global
-
south and Millie Wood who's a lawyer and
is fighting against spy agencies and
-
before that she fought seven years against
police cases and they're gonna be talking
-
about policing in the age of data
exploitation. Give them a warm welcome.
-
Applause
-
Millie Wood: Hi, I'm Millie. As was just said, I've been
-
at Privacy International for two years
working as a lawyer before that I spent
-
seven years bringing cases against the
police and what increasingly concerns me
-
based on these experiences is a lack of
understanding of what tactics are being
-
used by the police today and what legal
basis they are doing this on. The lack of
-
transparency undermines the ability of
activists lawyers and technologists to
-
challenge the police tactics and whilst
I'm sure a lot of you have a broad
-
awareness of the technology that the
police can use I don't think this is
-
enough and we need to know what specific
police forces are using against
-
individuals. The reason why is that when
you're arrested you need to know what
-
disclosure to ask for in order to prove
your innocence. Your lawyers need to know
-
what expert evidence to ask for in order
to defend their client. And increasingly
-
as there are invisible ways or seemingly
invisible for the police to monitor at scale
-
we need to know that there are effective
legal safeguards. Now those who are
-
affected are not just the guilty or those
who understand technology they include
-
pensioners such as John Catt, a 90-year-old
man who's a peace protester and he's a
-
law-abiding citizen no criminal record and
yet he is on the UK domestic extremism
-
database and listed here are some of the
entries: He took his sketchpad and made
-
drawings, he's clean shaven, and he was
holding a board with orange people on it.
-
So this is the kind of people that they
are surveilling. John's case exposes
-
unlawful actions by the police but these
actions date back to 2005 to 2009 as far
-
as I'm aware there are no cases
challenging modern police tactics and
-
Privacy International in the UK and with
our partners throughout the world are
-
increasingly concerned at the pace this is
developing unobstructed because people
-
don't know what's going on, and so we've
started in the UK to try and uncover some
-
of the police tactics using Freedom of
Information requests. These laws should be
-
available throughout Europe and we want to
make similar requests in other countries
-
hopefully with some of you. So now I'm
going to hand over to my colleague Eva who
-
will talk a bit about Privacy
International, some of the tactics we know
-
the police are using, and then we'll speak
about some of the things that we found out
-
through our initial research.
-
Applause
-
Eva Blum-Dumontet: Thank you. So, I'm just going to tell you a
little bit more about Privacy
-
International for those of you who don't
know this organization. We are based in
-
London and we fight against surveillance
and defend the right to privacy across the
-
world. Basically, essentially what we're
doing is that we do litigation, we conduct
-
research, and we carry out advocacy
including at the United Nations, we
-
develop policies on issues that are
defining modern rights. Now, our work
-
ranges from litigations against
intelligence services to a wide range of
-
reports on issues such as connected cars,
smart cities, and FinTech. We've recently
-
published an investigation on the role of
companies like Cambridge Analytica and
-
Harris Media and their role in the latest
Kenyan elections. With our network of
-
partner organisations across the world we
advocate for stronger privacy protection
-
in the law and technology and stronger
safeguards against surveillance. Now we
-
talk about data exploitation and it's
actually the title of the talk so what do
-
we mean by that? The concept of data
exploitation emerges from our concerns
-
that the industry and governments are
building a world that prioritizes the
-
exploitation of all data. We observe three
prevailing trends in data exploitation.
-
One is the excessive data that's generated
beyond our control. The second one is the
-
fact that this data is processed in a way
we cannot understand or influence and the
-
lack of transparency around it. The last
one is, that at the moment this data is
-
used to disadvantage us the ones who are
producing this data and it's further
-
empowering the already powerful. We hardly
control the data anymore that's generated
-
from phones or in our computers, but now
in the world we live in, data doesn't
-
come just from our phones or computers. It
comes from the cars we're driving, it
-
comes from our payment systems, from the
cities we live in. This is all generating
-
data and this data is used by other
entities to make assumptions about us and
-
take decisions that eventually influence
our lives. Are we entitled to a loan? Do
-
we qualify for affordable insurance?
Should we be sent to jail or set free? Who
-
should be arrested? This is at the core of
the world that we're building around data
-
exploitation. The question of power
imbalance between those who have the data
-
and who gets to make decisions based on
this data and those who are producing the
-
data and losing control over it. Now what
does policing have to do with data, what
-
does data exploitation have to do with
policing? The police has always been
-
actually using data in the past. To give
you one example in 1980 a transit police
-
officer named Jack Maple, developed a
project called chart of the future, this
-
is how he described it: "I call them the
chart of the future. On 55 feet of wall
-
space, I mapped every train station in New
York City and every train. Then I used
-
crayons to mark every violent crime,
robbery, and grand larceny that occurred.
-
I mapped the solved versus the unsolved".
Now the system was used by the Transit
-
Police and it was credited with reducing
felonies by 27% and robberies by 1/3
-
between 1990 and 1992. So this generated a
lot of interest in his projects and former
-
New York Mayor Rudolph Giuliani asked the
New York police department to essentially
-
take up chart of the future and develop
their own project. It became CompStat.
-
CompStat was again essentially about
mapping crime to try and make assumptions
-
about where crime wars are happening. So
this kind of shows the building of this
-
narrative around this idea that the more
data you have, the more data you generate,
-
the better you will be at reducing crime.
Now it becomes interesting in the world we
-
live in that we describe, where we are
constantly generating data, often without
-
the consent or even the knowledge of those
who are producing this data. So there are
-
new questions to be asked: What data is
the police entitled to access? What can
-
they do with it? Are we all becoming
suspects by default? One of the key
-
elements of the intersection between data
exploitation and policing is the question
-
of smart cities. It's worth bearing in
mind that data-driven policing is often
-
referred to as smart policing, so obviously
the word smart has been used generally in
-
a generic manner by various industries to
kind of describe this trend of using mass
-
data collection in order to provide new
services. But there is actually a real and
-
genuine connection between smart cities
and data-driven policing. The first reason
-
for that is that actually one of the main
reasons for cities to invest in smart city
-
infrastructure is actually the question of
security. This is something we've explored
-
in our latest report on smart cities and
this is emerging also from the work we're
-
doing with other organizations including Coding
Rights in Brazil and DRF in Pakistan. So
-
actually Brazil is an interesting example,
because before the mega events they
-
started organizing like the football
World Cup and the Olympics they invested
-
massively in smart city infrastructure.
Including projects with IBM and precisely
-
the purpose of what they were trying to
achieve with their smart city
-
infrastructure, was making the city safer
so it was extremely strongly connected
-
with the police. So this is a picture for
example of the control room that
-
was built to control CCTV cameras and to
create graphs in order to showcase where
-
crime was happening and also in a way the
likeliness of natural disasters in some
-
areas. In Pakistan there is a whole new
program on investment of smart cities,
-
which is actually referred to as the safe
city project. Now companies understand
-
that very well and this is actually an
image from an IBM presentation describing
-
their vision of smart cities. And as you
see like policing that is very much
-
integrated into their vision, their
heavily centralized vision of what smart
-
cities are. So that's no wonder that
companies that offer smart city
-
infrastructure are actually now also
offering a platform for policing. So those
-
companies include IBM as I mentioned but
also Oracle and Microsoft. We see in many
-
countries including the UK, where we're based,
some pressure on budgets and budget
-
reductions for the police and so there is
a very strong appeal with this narrative,
-
that you can purchase a platform, you can
gather more data that will help you do
-
policing in less time and do it more
efficiently. But little thought is given
-
to the impact on society, or right to
privacy and what happens if someone
-
unexpected takes the reins of power. Now
we're gonna briefly explain what data-
-
driven policing looks like, and eventually
Millie will look at our findings. So
-
the first thing I wanted to discuss is
actually predictive policing, because
-
that's often something we think of and
talk about when we think about data-
-
driven policing. I mentioned CompStat
before and essentially predictive policing
-
works on a similar premise. The idea is
that if you map where crime happens you
-
can eventually guess where the next crime
will happen. So the key player in
-
predictive policing is this company called
PREDPOL, I mean I think they describe
-
pretty much what they do, they use
artificial intelligence to help you
-
prevent crime, right, predicting when and
where crime will most likely occur. Now
-
PREDPOL and other companies are using
something called a Hawkes process that's
-
used normally for the prediction of
earthquake tremors, so what Hawkes
-
originally did is that he was analyzing
how after an earthquake you have after
-
shakes and usually the after shakes tend
to happen where the original earthquake
-
happened and in a short period of time
after that. So the Hawkes process basically
-
is described as when a certain event
happens, other events of the same kind will
-
happen shortly after in the
same location. Now obviously it actually
-
works quite well for earthquakes, whether
it works for crime is a lot more
-
questionable. But that's actually the
premise on which companies that
-
are offering predictive policing services
are relying. So basically applied to
-
predictive policing the mantra is
monitoring data on places where crime is
-
happening you can identify geographic
hotspots where crime will most likely
-
happen again. Now other companies than
PREDPOL are joining in and they are adding
-
more data than just simply location of
past crimes. So this data has included
-
open source intelligence and we'll talk a
little bit more about this later on.
-
Weather report, census data, the location
of key landmarks like bars, churches,
-
schools, data sporting events, and moon
phases. I'm not quite sure what they're
-
doing with moon phases but somehow that's
something they're using. When predictive
-
policing first sort of emerged one of the
key concerns was whether our world was
-
going to be turning into a Minority Report
kind of scenario where people are arrested
-
before a crime is even committed and
companies like PREDPOL were quick to
-
reassure people and say that they are not
concerned about who will commit crime but
-
where crimes are happening. Now that's not
actually true because in fact at the
-
moment we see several programs emerging
especially in the US, where police
-
departments are concerned not so much with
where crimes are happening, but who's
-
committing it. So I'm gonna talk about two
examples of this: One is the Kansas City No
-
Violence Alliance, which is a program led
by the local police to identify who will
-
become the next criminal - basically - and
they're using an algorithm that combines
-
data from traditional policing as well as
social media intelligence and information
-
that they have on drug use, based on this
they create graphics generated using
-
predictive policing to show how certain
people are connected to already convicted
-
criminals and gang members. Once they've
identified these people they request a
-
meeting with them whether they've
committed crimes or not in the past. And
-
they would have a discussion about their
connection to those convicted criminals
-
and gang members and what they tell them
is that they are warned that if a crime
-
next happens within their network of
people every person connected to this
-
network will be arrested whether or not
they were actually involved in the crime
-
being committed. Now there are actually
dozens of police departments that are
-
using similar programs. The Chicago Police
Department has an index of the 400 people
-
most likely to be involved in violent
crimes. That sounds like a BuzzFeed
-
article but actually there is a reality
which is extremely concerning, because
-
those people who are in this list are for
the most part not actual criminals, they
-
are purely seen to be connected to people
who've committed crime. So if your next-
-
door neighbor is a criminal then you may
well find your name on that list. Now
-
predictive policing is deceptive and
problematic for several reasons: First of
-
all there's the question of the
presumption of innocence. In a world where
-
even before you commit a crime you can
find your name on that list or be called
-
by the police - you know - what happens to
this very basis of democracy which is the
-
presumption of innocence. But also
there's the other question of like can we
-
really use the math that was originally
designed for earthquakes and apply it to
-
human beings because human beings don't
work like earthquakes. They have their own
-
set of biases and the biases
start with how we collect the data. For
-
example, if the police is more likely to
police areas where there are minorities,
-
people of color, then obviously the data
they will have will be disproportionately
-
higher on persons of color. Likewise if
they are unlikely to investigate white-
-
collar crime they will be unlikely to have
data that are reflecting a reality where
-
crime also happens in wealthier areas. So
basically we are inputting biased datasets
-
that obviously will lead to biased
results. And what these biased results
-
mean is that it will continue the already
existing trend of over policing
-
communities of color and low-income
communities. I'll leave it to Millie for
-
the next box.
Millie Wood: So, one of the increasingly
popular technologies we're seeing in the
-
UK, and is no doubt used around the world
and probably at border points, although we
-
need more help with the research to prove
this, is mobile phone extraction. The
-
police can extract data from your phone,
your laptop, and other devices which
-
results in a memory dump of the extracted
data taken from your device and now held
-
in an agency database. So for example all
your photos, all your messages, and all
-
those of people who had no idea they would
end up in a police database because
-
they're associated with you retained for
as long as the police wish. Now these
-
devices are pretty user friendly for the
police and if you're interested you can
-
look on YouTube where Cellebrite one of
the big players has lots of videos about
-
how you can use them, and so depending on
the device and the operating system some
-
of the data this is from a police document
but it lists what they can extract using a
-
Cellebrite UFED is what you might expect:
device information, calls, messages,
-
emails, social media, and Wi-Fi networks.
But if you look at their website and here
-
are a few examples they can also collect:
system and deleted data, they can access
-
cloud storage, and inaccessible partitions
of the device. Now this is data that is
-
clearly beyond the average user's control,
and as the volume of data we hold on our
-
phones increases so will this list. And
the companies we know the UK police are
-
using, which includes: Cellebrite, Acceso,
Radio Tactics, MSAB, are all aware of how
-
valuable this is and as one of them has
stated: "if you've got access to a person's
-
SIM card, you've got access to the whole
of a person's life". They also go on to
-
note: "the sheer amount of data stored on
mobile phones is significantly greater
-
today than ever before." There are also no
temporal limits to the extraction of data,
-
this is from another police document we
obtained and it shows that if you choose
-
to extract a certain data type you will
obtain all data of a particular type, not
-
just the data relevant to an
investigation. So all that data on a
-
police database, indefinitely and even if
you were asked whether you were happy for
-
your data to be extracted during an
investigation I think it's highly unlikely
-
you would realize the volume that the
police were going to take. Other targets
-
for the police that we know about are:
infotainment systems in cars, Smart TVs,
-
and connected devices in the home. This is
an extract from a techUK report, where
-
Mark Stokes, head of digital forensics at
the Met Police, which is the police in London,
-
stated in January, that the crime scene of
tomorrow will be the Internet of Things
-
and detectives of the future will carry a
digital forensics toolkit that will help
-
them analyze microchips and download data
at the scene rather than removing devices
-
for testing. Now I can imagine that the
evidence storage room is going to get a
-
bit full if they start dragging in
connected fridges, hair dryers, hair
-
brushes, your Google Home, Amazon Echo and
whatever else you have. However, their
-
plans to walk into your home and download
everything, make no mention of needing a
-
specific warrant and so the only
limitations at the moment are the
-
protections that may exist on the devices.
The law does not protect us and this needs
-
to change.
Eva Blum-Dumontet: So I'm going to be talking a
little bit about open source intelligence
-
and in particular social media
intelligence, because when I talked about
-
predictive policing I identified those two
sources as some of the data that's being
-
used for predictive policing. Now, open
source intelligence is often thought of as,
-
or often assumed to be innocuous, and
there is the understanding that if
-
information is publicly available then it
should be fair for the police to use. Now
-
the problem is that among open source
intelligence there's often social media
-
intelligence that we refer to as
SOCMINT. Now there are many ways to
-
conduct SOCMINT and it can range from
like the single police officer, who is
-
just you know using Facebook or Twitter to
look up the accounts of victims or
-
suspected criminals, but there are also
companies that are scraping the likes of
-
Facebook and Twitter to allow the police
to monitor social media. Now social media
-
have like blurred the lines between public
and private, because obviously we are
-
broadcasting our views on this platform
and at the moment the police has been
-
exploiting this kind of unique space, this
blurred line, they are accessing this
-
content in a completely unregulated
manner, as long as the content is publicly
-
available like for example you don't need
to be friend or to have any already
-
established connection with the suspected
criminal or the police or the victim
-
anything that's available to you it's
completely unregulated there are no rules
-
and I mentioned earlier the question of a
budget restriction and so the police is
-
benefiting hugely from this because it
doesn't really cost anything to use social
-
media so at the moment SOCMINT is kind of
like the first and easy step in a police
-
investigation because there is no cost and
because there is no oversight. Now,
-
SOCMINT actually isn't so innocent in the
sense that it allows the police to
-
identify the locations of people based on
their posts, it allows them to establish
-
people's connection, their relationships,
their association, it allows the
-
monitoring of protest and also to identify
the leaders of various movements, and to
-
measure a person's influence. Now, in the
UK what we know is that the police is
-
largely using marketing products, so this
is an anonymous quote from a report by
-
academics that have been doing research on
SOCMINT and what someone said was that: "A
-
lot of stuff came out of marketing because
marketing were using social media to
-
understand what people were saying about
their product... We wanted to understand
-
what people were saying so it's almost
using it in reverse". Now again, this is
-
not considered like surveillance device
this is purely a marketing project that
-
they're using and for that reason law
enforcement agencies and security agencies
-
are often arguing that SOCMINT has
basically no impact on privacy. But
-
actually when your post reveals your
location or when the content of your post
-
reveals what used to be considered and is
still considered actually as sensitive
-
private information like details about
your sexual life, about your health, about
-
your politics, can we really minimize the
impact of the police accessing this
-
information. Now obviously we may not have
a problem with the average Twitter user or
-
with a friend reading this information but
when the ones who are reading the
-
information and taking actions on this
information have power over us like the
-
police does, you know, what does it
actually mean for our right to privacy?
-
That's not to say that people should stop
using social media but rather what kind of
-
regulation can we put in place so that
it's not so easy for the police to access.
-
The absence of regulations on SOCMINT has
actually already led to abuse in two cases
-
both in the US that we've identified: One
is Raza v. the City of New York which is a
-
case from the ACLU where we knew that we
found out that the city of New York,
-
sorry, the New York Police Department was
systematically gathering intelligence on
-
Muslim communities, and one of the ways
they were gathering this intelligence was
-
essentially by surveilling social media
accounts of Muslims in New York. The
-
second case is a company called ZeroFOX.
So what ZeroFOX does is social media
-
monitoring. Now, during the riots that
followed the funeral of Freddie Gray,
-
Freddie Gray was a 25 year old black man
who had been shot by the police, so after
-
his funeral there had been a series of
riots in the UK and ZeroFOX produced a
-
report that they shared with the Baltimore
Police to essentially advertise for their
-
social media monitoring tool and
what the company was doing was again like
-
browsing social media and trying to
establish who were the threat actors in
-
these riots and among the 19 threat
actors that they identified two of them
-
were actually leaders of the Black Lives
Matter movement. Actually at least one of
-
them was a woman definitely not a physical
threat but this is how they were
-
essentially labeled. So these two examples
actually show that again it's still sort
-
of the same targets, it's people of
color, it's activists, it's people from
-
poor income backgrounds, that are singled
out as likely criminals. And it's very
-
telling when we realize that SOCMINT is
actually one of the sources of data that's
-
eventually used for predictive policing
and then again predictive policing leading
-
to people being more surveilled and
potentially exposed to more police
-
surveillance based on the fact that they
are all singled out as likely criminals. Now
-
social media is a fascinating place
because it's a mix between a private and a
-
public space as I said we are broadcasting
our views publicly but then again it's a
-
privately owned space where we follow the
rules that are set up by private companies.
-
Now, if we want to protect this space and
ensure that like free expression and
-
political organization can still happen on
the spaces we need to fully understand how
-
much the police have been exploiting the
spaces and how we can limit and regulate
-
the use of it. Now, I'll talk to Millie
about what we can do next.
Millie Wood: So I'm going to
-
briefly look at some of our initial
findings we've made using Freedom of
-
Information requests, broadly: the lack of
awareness by the public, weak legal basis,
-
and a lack of oversight. Now, sometimes
the lack of awareness appears intentional
-
- we asked the police about their plans to
extract data from connected devices in the
-
home and they replied neither confirm nor
deny. Now this is kind of a bizarre
-
response given that Mark Stokes who's a
member of the police had already said that
-
they plan to do this, in addition the UK
government Home Office replied to us
-
saying the Home Office plans to develop
skills and capacity to exploit the
-
Internet of Things as part of criminal
investigations. They also said that police
-
officers will receive training in relation
to extracting, obtaining, retrieving, data
-
from or generated by connected devices. So
we wrote back to every police force in the
-
UK that had refused to reply to us and
presented the evidence but they maintained
-
their stance so we will be bringing a
challenge against them under the Freedom
-
of Information Act. Now, Eva has also
identified the huge risks associated with
-
predictive policing yet in the UK we've
found out this is set to increase with
-
forces either using commercial tools or
in-house ones they've developed or
-
planning trials for 2018. There has been
no public consultation, there are no
-
safeguards, and there is no oversight. So
when we ask them more questions about the
-
plans we were told we were 'vexatious' and
they won't respond to more requests so it
-
seems like we have yet another challenge,
and what about mobile phone extraction
-
tools here are some of the stats that have
been found out and I would say these
-
aren't completely accurate because it
depends on how reliable the police force
-
are in responding but roughly I'd say it's
probably more than 93 percent now of UK
-
police forces throughout the country are
extracting data from digital devices. We
-
know they plan to increase, we've seen in
their documents they plan to train more
-
officers, to buy more equipment, and to
see extraction as a standard part of
-
arrest, even if the devices had absolutely
nothing to do with the offense and so
-
these figures are likely to increase
exponentially, but in the UK not only do
-
the police not need a warrant in documents
we've read they do not even need to notify
-
the individual that they have extracted
data, for example, from their mobile phone
-
or that they're storing it. If this is
being done without people's knowledge how
-
on earth can people challenge it, how can
they ask for their data to be removed if
-
they're found innocent? Turning to social
media monitoring which the police refer to
-
as open source research. This is Jenny
Jones she's a member of the House of Lords
-
in the Green Party and next to her photo
is a quote from her entry on the domestic
-
extremism database, and so, if a member of
the House of Lords is being subject to
-
social media monitoring for attending a
bike ride then I think it's highly likely
-
that a large number of people who
legitimately exercise their right to
-
protest are being subject to social media
monitoring. Now, this hasn't gone
-
unnoticed completely although they're
slightly old these are quotes from two
-
officials: the first the UK independent
reviewer of terrorism who notes that the
-
extent of the use of social media
monitoring is not publicly known, and the
-
second is the chief surveillance
commissioner who is and this is a very
-
strong statement for a commissioner is
saying that basically social media should
-
not be treated as fair game by the police.
So now I'll move on to a weak or outdated
-
legal basis. For most of the technologies
we've looked at it's very unclear what
-
legal basis the police are using even when
we've asked them. This relates to mobile
-
phone extraction - so the legislation
they're relying on is over 30 years old
-
and is wholly inappropriate for mobile
phone extraction this law was developed to
-
deal with standard traditional searches,
the search of a phone can in no way be
-
equated to the search of a person, or the
search of a house, and despite the fact
-
that we have repeatedly asked for a
warrant this is not the case and we
-
believe that there should be a warrant in
place not only in the UK but in the rest
-
of the world. So if you think that either
you or your friends have had their data
-
extracted when they're arrested or your
phone has been in the possession of the
-
authorities you should be asking
questions, and very briefly something on
-
lack of oversight, so we reported in
January this year about documents that
-
were obtained by The Bristol Cable's
investigation into Cellebrite and one
-
report said that in half of the cases
sampled the police noted the police had
-
failed to receive authorization internally
for the use of extraction tools. Poor
-
training undermined investigations into
serious offences such as murder, and
-
inadequate security practices meant that
encryption was not taking place even when
-
it was easy to do and they were losing
files containing intimate personal data.
-
So why does this matter? Here are some key
points: In relation to information
-
asymmetry - it's clear as Eva has
explained that the police can now access
-
far more data on our devices than the
average user. In relation to imbalance of
-
power - it's clear they can collect and
analyze sources that are beyond our
-
control whether it's publicly placed
sensors, cameras, and other devices. There
-
is also unequal access and if lawyers
don't know what's being gathered they
-
don't know what to ask for from the
police. All in all this puts the
-
individual at a huge disadvantage. Another
impact is the chilling effect on political
-
expression now I'm sure many of you maybe
think that the police monitor your social
-
media but the average person is unlikely
to, and so if they start to know about
-
this are they going to think twice about
joining in protesting either physically or
-
using a hashtag, and what about who your
friends are? If they know you attend
-
protests do they really want to have
their data on your phone if they know that
-
potentially that could be extracted and
end up on a police database? It's far
-
easier to be an anonymous face among many
people than a single isolated person
-
standing up to power but these new forms
of policing we have been discussing
-
redefine the very act of protesting by
singling out each and every one of us from
-
the crowd. So, what can we do? Many of you
will be familiar with these technologies,
-
but do you know how to find out what the
police are doing? In the UK we've been
-
using Freedom of Information requests, we
want to do this with people throughout
-
Europe and you don't need to be a lawyer
so please get in touch. We also want to
-
dig into the technology a bit more, I want
someone to use a Cellebrite UFED on my
-
phone and show me exactly what can come
out of it, and we want to tell lawyers and
-
activists about these new techniques. Many
lawyers I speak to who are experts in
-
actions against the police do not know the
police are using these tools. This means
-
they don't know the right questions to ask
and so it's fundamental you speak to
-
people who are bringing these cases and
tell them about what they can do or what
-
questions they should be asking, and
finally we want you to also raise the
-
debate, to share our research, and to
critique it, thank you.
-
Herald: So we've got ample enough time for
Q&A are there any questions in the hall,
-
yes, there's one over there.
Question: You mentioned the problem of
-
when they do physical extraction from the
Cellebrite device it's going to get all of
-
the photos, all of the emails, or whatever
maybe rather than just what the
-
investigator needs. What is the solution
to that from your eyes is there a
-
technical one that these companies are
gonna have to implement - which they're
-
not going to - or a legal one, because on
the other side a mobile phone is a crucial
-
part in any criminal investigation in
2017. So what's the workaround or the
-
solution to that?
Answer: I think it's both, I think the
-
fact that there isn't any law looking at
this and no one's discussing can there be
-
a technical solution or does it need to be
one where there's better regulation and
-
oversight so you extract everything, can
you keep it for a certain period to see
-
what's relevant then do you have to delete
it? The trouble is we don't see any
-
deletion practices and the police have
publicly stated in the media that they can
-
just keep everything as long as they like.
They like data you can kind of see why but
-
that doesn't mean they should keep
everyone's data indefinitely just in case
-
it's useful so I think there may be tech
solutions there may be legal ones and I
-
think perhaps both together is one of
the answers.
Herald: The next question
-
from microphone one please.
Q: I'm just wondering how those laws on
-
action and power given to the cops are
being sold to the UK people is it because
-
to fight terrorism as I said or to fight
drugs or this kind of stuff, what's the
-
argument used by the government to sell
that to the people?
-
A: I think actually one thing that's
important is to bear in mind is that I'm
-
not sure most of the public in the
UK is even aware of it, so I think unlike
-
the work of intelligence services and
agencies where terrorism is used as the
-
excuse for ever more power and especially
laws that have become increasingly
-
invasive, actually with policing we don't
even fall in that kind of discourse
-
because it's actually hardly talked about
in UK. Yeah, and the mobile phone
-
extraction stuff we've been looking at is
low-level crimes, so that's like you
-
have, it could be you know a pub fight,
it could be a robbery, which that's more
-
serious, it could be an assault, so they
want to use it in every case. For all the
-
other techniques we have no idea what
they're using for that's one of the
-
problems.
Herald: The next question from the
-
internet please.
Q: When you say that there's a lack of
-
laws and regulations for police concerning
us in extraction and data from devices are
-
you talking just about UK and/or USA or do
you have any examples of other countries
-
who do better or worse?
A: I don't know of any country that has a
-
regulation on publicly available
information on social media.
-
Herald: Microphone number four.
Q: Thank you again for a great talk. In
-
terms of data exploitation an element that
I didn't hear you talk about that I'd like
-
to hear a little bit more is when there
are questions around who is doing the
-
exploitation, I know in the U.S. some FOIA
researchers get around how difficult it is
-
to get data from the feds by going after
local and state police departments, is
-
that something that you're doing or do you
have a way of addressing confusion when
-
people don't know what agency has the
data?
-
A: Yeah, I think actually what one of the
things the data exploitation program at
-
Privacy International is doing is actually
looking into the connection between the
-
private sector and governments because
obviously at the moment there's the whole
-
question of data brokers which is an
industry that's hardly regulated at all,
-
that people don't necessarily know about,
we don't, the companies that are doing it
-
are familiar household name. I'll let
Millie talk a lot more about the
-
government aspects of it. I guess the
question is again a country-by-country
-
basis, we work in many countries that
don't have any data protection regulations
-
at all so there is this first difficulty
as how do we regulate, how do we limit the
-
power of the state when you don't even
have the basic legislation around
-
data protection? One thing to bear in mind
is like the problem with companies is like
-
how do you also hold companies accountable
whereas with the state there is the whole
-
challenge of finding the right legal
framework to limit their power, but maybe
-
I'll let Millie talk a little bit more
about this. Yeah, with our FOIA
-
request we tend to go after everyone so
with the example of the Home Office saying
-
something that the other police didn't
that was because we went to all the
-
different state bodies and I think that
there's a good example in the States
-
where there's far more research done on
what the police are doing, but they're
-
using the same product in the UK I think
it's Axiom and they're a storage device
-
for body-worn camera videos, and a lawyer
in the states said that in order to access
-
the video containing his client he had to
agree to the terms and conditions on Axiom's
-
website which basically gave them full use
of his client's video about a crime scene.
-
So that's a private company having use of
this video so given that we found they're
-
using it in the UK we don't know if those
kind of terms and conditions exist but
-
it's a very real problem as they rely
increasingly on private companies.
-
Herald: Number two please.
Q: Thank you for your work perhaps you've
-
already answered this partially from other
people's questions but it looks like we
-
have a great way to start the process and
kind of taking the power back but you know
-
the state and the system certainly doesn't
want to give up this much power, how do we
-
actually directly, what's kind of the
endgame, what's the strategies for making
-
the police or the governments give up and
restore balance, is it a suit, is it
-
challenging through Parliament and in the
slow process of democracy, or what do you
-
think is the right way of doing it?
A: I never think one works on its own,
-
even though I'm a litigator I often think
litigation is quite a weak tactic,
-
particularly if you don't have the public
on side, and then again if you don't have
-
Parliament. So we need all of them and
they can all come through different means
-
so we wouldn't just focus on one of the
different countries it might be that you
-
go down the legal route or down the
parliamentary route but in the UK we're
-
trying all different routes so for example
on mobile phone extraction in the
-
beginning of next year we're going to be
doing a video we're going to be doing
-
interviewing the public and speaking to
them about it, we're going to be going to
-
Parliament, and I've also been speaking to
a lot of lawyers so I'm hoping some cases
-
will start because those individual cases
brought by local lawyers are where also
-
you see a lot of change like the John Cat
case, that's one lawyer, so I think we
-
need all different things to see what
works and what sticks.
-
Herald: We haven't had number three yet.
Q: Hi, thanks for the talk, so I have a
-
question regarding concerning the solution
side of things because one aspect I was
-
missing in your talk was the economics of
the game actually because like you are
-
from the UK and the private sector has
like stepped in also and another public
-
domain the NHS to help out because funds
are missing and I would like to ask you
-
whether or not you think first of all the
logic is the same within the police
-
departments because it might also be like
cost driven aspect to limit the salaries
-
or because you have the problem with
police force coming in because you have to
-
pay their rents and automated things
especially when I'm given to the private
-
sector which has another whole logic of
thinking about this stuff is cost saving
-
and so maybe it would be a nice thing
whether if you could talk a bit about the,
-
I'm sorry, the attempt to maybe like get
economics a bit more into the picture when
-
it comes to solutions of the whole thing.
A: So I think yeah, you're very right in
-
pointing actually the relation, well that
you compare what's happening with the NHS
-
and what's happening with the police
because in both the economics of
-
companies offering policing services arise
from the same situation there's a need of
-
doing more efficient policing because of
budget cuts, so the same way the NHS is
-
being essentially privatized due to the
budget cuts and due to the needs
-
that arise from being limited in your
finance, again there's a similar thing
-
with the police when you're
understaffed then you're more likely to
-
rely on technologies to help you do
your work more efficiently because
-
essentially with predictive policing the
idea behind this is that if you know where
-
and when crime will happen then you can
focus the limited resources you have there
-
and not sort of look at a more global
larger picture. So I mean I'm not gonna be
-
here on stage advocating for more funds
for the police, I'm not gonna do that, but
-
I think that there is a desperate
need to reframe actually the narrative
-
around how we do policing actually and
then definitely also look at a different
-
perspective and a different approach to
policing because as I've tried to show
-
it's been a really long time since this
narrative has developed of more data leads
-
to crime resolution but actually what I
didn't have the time to get into in this
-
talk is actually all the research that is
showing that those products actually don't
-
work like PREDPOL is actually basically
gaslighting a lot of police officers with
-
their figures, the kind of figures that
are pushing and suggesting are just like
-
plain inaccurate, it's not accurate to
compare a city on the one year to what a
-
city is becoming in another year so it's
not even clear that a lot of these
-
projects are even like properly functioning
and in a sense I don't want them to
-
function I'm not gonna say if we had
better predictive policing then the
-
problem will be solved no that is not the
question, the question is how do we have
-
regulation that forces the police to look
differently into the way they are
-
conducting policing.
Herald: Number four please.
-
Q: So, thank you for your presentation I
have a question about SOCMINT, my opinion
-
SOCMINT might violate the terms of
services of for example Twitter and
-
Facebook have you tried to cooperate with
these companies to make them actually
-
enforce their TOS?
A: So actually there is two things as I
-
said like all companies that are doing
scraping of data and you're right in this
-
case they violate the terms of services of
Facebook and Twitter. Now, the other
-
problem is that there is already a loop to
this and actually the marketing company I
-
was talking about that's being used by the
UK police what they essentially do is that
-
they purchase the data from Facebook and
Twitter, so this is why it's interesting
-
because when Facebook says we don't sell
your data, well essentially actually with
-
marketing tools that are there to monitor
what people say about products essentially
-
what you're doing is selling your data,
they're not selling necessarily like your
-
name or your location or things like that
but whatever you're going to be posting
-
publicly for example in like groups or
public pages is something that they are
-
going to be trying to sell to those
companies. So I think you're right and
-
maybe Millie will have more to say about
this. I think those companies have a role
-
to play but at the moment I think the
challenge we face is actually this loop
-
that we're facing where by purchasing the
data directly from the company they don't
-
face any they don't violate the terms of
services. Yeah, we've spoken a bit to
-
some of the social media companies, we've
been told that one of their big focuses is
-
the problems of the social media
monitoring at the U.S. border and so
-
because there's a lot known about that
they're looking at those issues so I think
-
once we show more and more the problems
say in the UK or in other countries I
-
think it would be very interesting to look
at what's happened over the Catalan
-
independence vote period to see how social
media was used then. I think the companies
-
aren't going to react until we make them
although they probably will meet with us.
-
A slightly different aspect we revealed in
a different part of our work that the
-
intelligence agencies were gathering
social media that's probably not
-
groundbreaking news but it was
there in plain fact and so they all got a
-
bit concerned about how that was
happening, whether some of them knew or
-
some of them didn't, so the better our
research the more people speaking about it
-
I think they will engage, or we'll find
out are the police getting it
-
lawfully or unlawfully.
Herald: Number one please.
-
Q: Thanks for your talk, I have a question
on predictive policing because German
-
authorities in the last two years piloted PRECOBS
PREDPOL projects in three states I think
-
and they claimed that they would never use
these techniques with data on individuals
-
but only aggregate data like the new
repeat stuff you presented and they
-
presented as just an additional tool in
their toolbox and that if used responsibly
-
can lead to more cost effective policing,
do you buy this argument or would you say
-
that there's inevitably a slippery slope or
kind of like a path dependency to more
-
granular data assessment or evaluation
that would inevitably infringe on privacy
-
rights?
A: I think this goes back to the question
-
of like you know are we using predictive
policing to identify where crime is
-
happening or who it is who's committing a
crime but actually I think even if
-
we stick to this even if we stick to
identifying where crime is happening we
-
still run into problems we still run into
the fundamental problem of predictive
-
policing which is we only have data on
crime that have already been reported ever
-
or already been addressed by the police,
and that's by essence already biased data.
-
If we have police in some areas then we're
more likely to, you know, further police
-
because the solution of those companies of
those algorithms will be leading to more
-
suggestions that crime is happening
more predominantly in those areas. So, as
-
we've seen so far is that we fall into
these fundamental problems of just
-
overpolicing communities that are already
overpoliced. So in a sense in terms of
-
well the right to privacy but also the
question of the presumption of innocence I
-
think purely just having trying to
cultivate data on the where crime is
-
happening it's not efficient policing
first of all but it's also causing
-
challenges for fundamental rights as well.
Yeah, I guess it's not a great comparison
-
but what a lot of what they're bringing in
now is a program to assist you with the
-
charging decision, so you've got someone
you've arrested do you charge them or not?
-
The police say oh well of course it's only
advisory you only have to look at how busy
-
a police station is to know how advisory
is that going to be and how much is it
-
going to sway your opinion. So the more
you use these tools the more it makes your
-
job easier because rather than thinking,
where are we going to go, what areas
-
things going to happen, who are we going
to arrest, well the computer told us to do
-
this so let's just do that.
Herald: Thank you and microphone number
-
three please.
Q: Thank you, do you think that there are
-
any credible arguments to be made for
limiting the police's abilities under acts
-
in the UK that incorporate EU level
restrictions on privacy data protection
-
human rights or fundamental rights and if
so do you anticipate that those arguments
-
might change after Brexit?
A: Well they're bringing in GDPR and
-
the Law Enforcement Directive now and
they're not going to scrap those once
-
Brexit comes in. We'll still be part,
hopefully, of the European Court of Human
-
Rights, but not the European Court of
Justice. I think there are going to be
-
implications it's going to be very
interesting how they play it out they're
-
still going to want the data from Europol,
they want to be part of Interpol, policing
-
operates at a different level and I think
if they have to comply with certain laws
-
so that they can play with the big boys
then they probably will, but they may do
-
things behind the scenes, so it depends
where it works for them, but certainly the
-
politicians and definitely the police
wanna be part of those groups. So we'll
-
have to see, but we will still use them
and we'll still rely on European judgments
-
the force they have in a court of law may
be more difficult.
-
Herald: Does the internet have any
questions, nope, well then number two
-
please.
Q: So you've mentioned that they don't
-
have really good operational security and
sometimes some stuff that should not leak
-
leaked now within the last year we had
major data leaks all across the world like
-
Philippines, South Africa, just to mention
a few, now if the, security, OPSEC is so
-
bad in the police in Great Britain it's
not unlikely that something will happen
-
in Europe of a similar kind what kind of
impact do you think such a huge data leak
-
of private information which the police
legally stored has even if it was not
-
leaked by the police and it would be leaked
by a private company that had some way
-
access to it?
A: I guess it depends what it
-
is, if it's a database with serious
criminals and only the bad people, then
-
people will think when it's
good they have that information but they
-
need to make it more secure. If
somehow databases which held all sorts of
-
information say from people's mobile
phones, innocent people's pictures, all
-
that kind of thing then we might see a
much wider public reaction to the tools
-
that are used and the safeguards, the
legal safeguards, will come a lot quicker
-
than probably we will achieve in the way
we're trying to go now because there'll be
-
a bigger public outrage.
Herald: Okay one last and hopefully short
-
question from microphone one.
Q: Hi, thanks for the talk was really
-
interesting, it's actually quite a short
question how much is a Cellebrite, and can
-
we buy one?
A: I did look to buy one, I think there
-
were some on eBay but I'm sure if they
were like the right things but a couple of
-
thousand pounds, but I think you have to
actually be a police force to get those
-
ones, maybe there are other types but
it's expensive but not unobtainable, but
-
I'm trying to find universities that might
have them because I think that a lot of
-
forensic schools I'm hoping that they
will, I know they do extractions of
-
laptops but I haven't found one yet that
does phones but I probably haven't asked
-
enough people.
Herald: So thank you very much.
-
34C3 Music
-
subtitles created by c3subtitles.de
in the year 2020. Join, and help us!