# Privacy
## CS 3710

===

## Privacy and surveillance

---

## Privacy and surveillance

<div class="container container-center">
<div class="col">

Privacy is not by any means a _new_ issue. But changes in the way we use technology, and structure our lives around it, have given bad actors many additional tools to work with.

</div>
<div class="col">
<figure>
<img src="../../img/privacy/nsa-eagle.webp">
<figcaption>
</figcaption>
</figure>
</div>
</div>

---

## "But I have nothing to hide!"

<div class="fragment semi-fade-out" data-fragment-index=0>

A common refrain from people who want to downplay privacy issues is

<div class="text-center">

### *"if you have nothing to hide, you have nothing to worry about."*

</div>
</div>

<div class="fragment text-center" data-fragment-index=0 style="margin-top: 10px;">

### This argument is bulls\*\*t.

</div>

---

## Common things that are at risk

On a day-to-day basis, there are plenty of different types of information that you try to keep secret:

<div class="fragment semi-fade-out" data-fragment-index=0>

- Usernames and passwords

</div>
<div class="fragment fade-in-then-semi-out" data-fragment-index=0>

- Credit cards, financial information

</div>
<div class="fragment fade-in" data-fragment-index=1>

- Social Security Number, driver's license, passport information and so on.

</div>

---

## Risks in privacy

<div class="container container-center">
<div class="col">

But there are many other, more insidious threats out there.
_**Example:**_ stalkerware

</div>
<div class="col">
<figure>
<img src="../../img/intro/stalkerware_article_censored.webp" style="max-height: 30vh;">
<figcaption>
</figcaption>
</figure>
</div>
</div>

---

## Risks in privacy

_**Example:**_ student spyware

<figure>
<img src="../../img/privacy/gaggle_privacy.webp" style="max-height: 30vh;">
<figcaption>

*Credit: [The Southerner](https://www.shsoutherner.net/features/2021/03/14/gaggle-mpss-new-student-surveillance-software-brings-possible-protection-and-danger/)*

</figcaption>
</figure>

notes:

https://www.eff.org/deeplinks/2022/06/mandatory-student-spyware-creating-perfect-storm-human-rights-abuses

https://www.shsoutherner.net/features/2021/03/14/gaggle-mpss-new-student-surveillance-software-brings-possible-protection-and-danger/

Some quotes from the article:

Gaggle monitors activity on school accounts as well as provides a 24/7 tip line so that students can report concerns about the well-being of peers or school safety. The MPS version scans all Google Workspace (G Suite) products including Google Drive, Gmail, Hangout chats, and downloaded photos or files on all MPS accounts. It does not view live meetings such as Google Meets or social media unless directly connected to the account. Although Gaggle is most definitely not a keystroke logger, students should expect that most of their account is being monitored.

...

While there are many trigger words, only a limited sample is easily available to the public. One problem with some of these trigger words is that they associate certain identities with being in danger. Some examples include LGBTQ+ related words including "queer", "gay", and "lesbian". These are flagged in an attempt to identify potential bullying. However, whether or not it is intentional this inadvertently targets and discriminates against LGBTQ+ youth who are more likely to use these words.
Moderators do review marked words for context and to assess the situation, but according to [sources] this has already raised issues. In one such instance, a student was outed without their knowledge to their parents.

---

## Risks in privacy

_**Example:**_ parental monitoring apps

<figure>
<img src="../../img/privacy/iphone-thumb.jpg" style="max-height: 30vh;">
<figcaption>

*Credit: [The Southerner](https://www.shsoutherner.net/features/2021/03/14/gaggle-mpss-new-student-surveillance-software-brings-possible-protection-and-danger/)*

</figcaption>
</figure>

notes:

https://www.malwarebytes.com/blog/news/2019/07/parental-monitoring-apps-how-do-they-differ-from-stalkerware

https://nautil.us/parents-shouldnt-spy-on-their-kids-235888/

https://www.zdnet.com/article/teen-phone-monitoring-app-leaks-thousands-of-users-data/

"TeenSafe" is a mobile app that purports to be a "secure" monitoring app for mobile devices, letting parents view their children's text messages, see their web browsing history, and find out what apps are installed. In this particular case, researchers found that the app's database was completely exposed, containing parents' email addresses as well as children's Apple ID email addresses. It also stored Apple ID passwords in plaintext. Because the app requires that Apple 2FA is disabled, somebody with this data could break into a child's account to access their personal data.

https://www.vice.com/en/article/ywk8gy/spyware-family-orbit-children-photos-data-breach

Another parental monitoring app, FamilyOrbit, left 281 GB of pictures and videos from children's phones exposed.

---

## Threat modeling

When considering these threats, it's important to perform appropriate threat modeling to assess your level of risk.
<figure>
<img src="../../img/privacy/atlas_of_surveillance.webp">
<figcaption>
</figcaption>
</figure>

notes:

At a government level, the most common impacts that people face on a day-to-day basis from privacy violations typically stem from overt uses of law enforcement against marginalized populations.

- Homeless populations -- acts that are only allowed in private are effectively banned in totality for the homeless (sexual activity, personal hygiene, etc.)
  - The government has total ability to search and destroy the residence of homeless people who are living on public grounds.
- Racial minorities -- surveillance of racial minorities (e.g. black activists and intellectuals) isn't new, although its means have changed.
  - FBI surveillance of MLK: https://kinginstitute.stanford.edu/encyclopedia/federal-bureau-investigation-fbi
  - https://www.oah.org/tah/issues/2020/history-for-black-lives/tracking-activists-the-fbis-surveillance-of-black-women-activists-then-and-now/
  - More recent examples of FBI/police surveillance:
    - https://rightsanddissent.org/fbi-spying
    - https://www.cnn.com/2019/01/18/us/nypd-black-lives-matter-surveillance/index.html
  - Stop and frisk -- largely leveraged against racial minorities, e.g. by the NYPD
- A new trend is the use of "crime prediction" tools to try and justify over-policing in certain parts of the country.
  - Good quote from Privacy at the Margins: "the more you put police in public areas, the more crime you'll find because of that surveillance, justifying further surveillance."
  - https://web.archive.org/web/20220718184440/http://blog.totallynotmalware.net/?p=53

===

## Secure and anonymous communication

---

## Factors to consider

<div class="fragment semi-fade-out" data-fragment-index=0>

Cryptography is our most useful tool in ensuring secure communications.
An authenticated cipher provides guarantees of

<div class="text-center">

### *confidentiality, and integrity.*

</div>
</div>

<div class="fragment" data-fragment-index=0>

Against a more powerful adversary, however, it isn't good enough to just use HTTPS and store messages on a secure central server.

</div>

---

## End-to-end encryption

<div class="fragment semi-fade-out" data-fragment-index=0>

An _**end-to-end encrypted (E2EE)**_ message is one that remains encrypted at every step of the journey between sender and recipient.

</div>
<div class="fragment" data-fragment-index=0>

This entails having clients generate and store their own asymmetric key pairs in order to communicate with other users.

</div>

<figure>
<img src="../../img/privacy/Signal-logo.png" class="image-background" style="padding: 20px;">
<figcaption>
</figcaption>
</figure>

---

## End-to-end encryption

The _**Signal protocol**_ is the current standard for E2EE messaging. In addition to confidentiality and integrity, it provides forward secrecy and plausible deniability.

<figure>
<img src="../../img/privacy/doubleratchet.png" class="image-background" style="padding: 20px; max-height: 30vh;">
<figcaption>
</figcaption>
</figure>

---

## What makes E2EE difficult?

<div style="font-style: italic;">
<div class="fragment semi-fade-out" data-fragment-index=0>

"Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations.

</div>
<div class="fragment fade-in" data-fragment-index=0>

(They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed.
But they are sufficiently pervasive that we must design our protocols around their limitations.)"

<div style="font-style: normal;">

- Kaufman, Perlman, and Speciner quoted in Ross Anderson's "Security Engineering"

</div>
</div>
</div>

---

## What makes E2EE difficult?

The UX ("user experience") of cryptography is challenging. In E2EE, users have to manage their own keys, which adds some unique challenges.

<div class="container">
<div class="col">
<figure>
<img src="../../img/privacy/confused_person_with_phone_1.webp" style="max-height: 30vh;">
<figcaption>
</figcaption>
</figure>
</div>
<div class="col">
<figure>
<img src="../../img/privacy/confused_person_with_phone_2.webp" style="max-height: 30vh;">
<figcaption>
</figcaption>
</figure>
</div>
</div>

---

## What makes E2EE difficult?

Here are some UX challenges you have to consider when designing cryptographic systems:

<div class="container container-center">
<div class="col">
<div class="r-stack">
<div class="fragment fade-out" data-fragment-index=0>

_**Q:**_ what do you do if a user loses access to their keys? E.g. if they forget a password, lose a phone, etc.

</div>
<div class="fragment fade-in-then-out" data-fragment-index=0>

_**Q:**_ what happens if a user's encryption keys are temporarily leaked? What if an attacker gets temporary access to a user's device?

</div>
<div class="fragment fade-in" data-fragment-index=1>

_**Q:**_ how do users share keys with one another? What kind of public key infrastructure (PKI) exists?

</div>
</div>
</div>
<div class="col">
<svg class="bi" width="100" height="100" fill="white">
<use xlink:href="../../img/icons/bootstrap-icons.svg#key"/>
</svg>
</div>
</div>

===

## Metadata

---

## Metadata: data about your data

<div class="fragment semi-fade-out" data-fragment-index=0>

_**Metadata**_ is "side information" that comes with certain pieces of data.

</div>
<div class="fragment fade-in-then-semi-out" data-fragment-index=0>

For instance, consider a text message.
The following would be considered metadata:

- The time the message was sent
- Who it was sent to
- What device it was sent on

</div>
<div class="fragment fade-in" data-fragment-index=1>

The message itself _would not_ be considered metadata.

</div>

---

## Metadata: data about your data

Encryption is _**really good**_ at protecting data. However, there are fundamental cryptographic challenges and physical phenomena that make completely protecting all metadata challenging.

<figure>
<img src="../../img/privacy/phone_metadata.drawio.svg" class="image-background" style="padding: 20px;">
<figcaption>
</figcaption>
</figure>

---

## Metadata: data about your data

"So what?", you might ask. What can metadata actually tell us? Think about the following hypothetical scenarios (*credit: EFF*). Consider an adversary who...

<div class="r-stack text-center" style="font-style: italic;">
<div class="fragment fade-in-then-out" data-fragment-index=0>

... Knows you rang a phone sex line at 2:24 am and spoke for 18 minutes. But they don't know what you talked about.

</div>
<div class="fragment fade-in-then-out" data-fragment-index=1>

... Knows you got an email from an HIV testing service, then called your doctor, then visited an HIV support group website in the same hour. But they don't know what was in the email or what you talked about on the phone.

</div>
<div class="fragment fade-in-then-out" data-fragment-index=2>

... Knows you called a gynecologist, spoke for a half hour, and then called the local abortion clinic’s number later that day.

</div>
</div>

---

## Tor: The Onion Router

_**Tor**_ is one attempt at solving many problems around metadata privacy. It is an overlay network (i.e., built on top of the existing internet) that protects the identity of the client and server involved in an HTTP request.
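As an added example (not from these slides or from the Tor project), here is a minimal model of onion routing in Go: the client wraps a message in one AES-GCM layer per relay, and each relay can strip only its own layer, learning the next hop and nothing about the payload or the rest of the path. The relay names, the three-hop path, and the per-relay keys derived from relay names are constructed stand-ins for the keys a real Tor client negotiates per circuit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// relayGCM stands in for the cipher a Tor client negotiated with relay `name`.
func relayGCM(name string) cipher.AEAD {
	key := sha256.Sum256([]byte("demo-relay-key:" + name)) // constructed, not negotiated
	block, _ := aes.NewCipher(key[:])                         // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal adds one layer: [len(nextHop)][nextHop][payload], random nonce prefixed.
func seal(relay, nextHop string, payload []byte) []byte {
	gcm := relayGCM(relay)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to fail
	plain := append(append([]byte{byte(len(nextHop))}, nextHop...), payload...)
	return gcm.Seal(nonce, nonce, plain, nil)
}

// BuildOnion wraps innermost first, so relay path[i] learns only path[i+1].
func BuildOnion(path []string, dest string, msg []byte) []byte {
	onion := seal(path[len(path)-1], dest, msg)
	for i := len(path) - 2; i >= 0; i-- {
		onion = seal(path[i], path[i+1], onion)
	}
	return onion
}

// Peel is all a relay can do: strip its own layer and read the next hop.
func Peel(relay string, onion []byte) (string, []byte, error) {
	gcm := relayGCM(relay)
	ns := gcm.NonceSize()
	if len(onion) < ns+1 {
		return "", nil, fmt.Errorf("%s: layer too short", relay)
	}
	plain, err := gcm.Open(nil, onion[:ns], onion[ns:], nil)
	if err != nil { // wrong key: GCM tag check fails, no garbage plaintext
		return "", nil, fmt.Errorf("%s cannot open this layer: %w", relay, err)
	}
	n := int(plain[0])
	return string(plain[1 : 1+n]), plain[1+n:], nil
}
```

A relay's network connection still reveals its previous hop, which is why the exit relay knows the destination but not the client, and the guard knows the client but not the destination.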
<figure>
<img src="../../img/networking/tor_logo.svg" class="image-background" style="max-height: 30vh; padding: 20px;">
<figcaption>
</figcaption>
</figure>

---

## Tor: The Onion Router

<figure>
<img src="../../img/networking/onion_routing.webp" style="max-height: 40vh;">
<figcaption>

*Source: Article19*

</figcaption>
</figure>

notes:

Ref: https://catnip.article19.org/data/ARTICLE19-Catnip-Tor-Network-2021-web.pdf

---

## Cwtch: encryption with metadata privacy?

<div class="container container-center">
<div class="col">
<figure>
<img src="../../img/privacy/cwtch.png" style="max-height: 30vh;">
<figcaption>
</figcaption>
</figure>
</div>
<div class="col">

_**Cwtch**_ (a Welsh word roughly meaning a hug that creates a feeling of safety) is an end-to-end encrypted messaging app that runs over Tor.

</div>
</div>

===

## New and emerging threats

---

## Mobile devices

The rise of always-on, always-connected mobile devices introduces a wide range of new privacy risks.

<div class="container container-center">
<div class="col r-stack">
<div class="fragment fade-out" data-fragment-index=0>

Many apps and advertising services collect tracking information to sell to various buyers.

</div>
<div class="fragment fade-in-then-out" data-fragment-index=0>

Cell service providers will also sell client analytics, which can then get sold on to ~anyone.

</div>
<div class="fragment fade-in" data-fragment-index=1>

There are also various ways to capture traffic directly from mobile devices. _**Ex:**_ *cell-site simulators* (aka Stingrays or IMSI catchers) are devices that masquerade as cellular service towers and intercept the communications of the phones that connect to them.
</div>
</div>
<div class="col r-stack">
<div class="fragment fade-out" data-fragment-index=0>
<figure>
<img src="../../img/privacy/mudge_complaint.webp" style="max-height: 40vh;">
<figcaption>

*Mudge's whistleblower complaint against Twitter*

</figcaption>
</figure>
</div>
<div class="fragment fade-in-then-out" data-fragment-index=0>
<figure>
<img src="../../img/privacy/cell_location_data_motherboard.jpeg" style="max-height: 40vh;">
<figcaption>

*Source: [Joseph Cox / Motherboard](https://www.vice.com/en/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile)*

</figcaption>
</figure>
</div>
<div class="fragment fade-in" data-fragment-index=1>
<figure>
<img src="../../img/privacy/css-2b.png" style="max-height: 40vh;">
<figcaption>

*Source: [EFF](https://www.eff.org/pages/cell-site-simulatorsimsi-catchers)*

</figcaption>
</figure>
</div>
</div>
</div>

notes:

Mudge's complaint: https://dy1ywzohuuzsd.cloudfront.net/technology/2022/twitter-whistleblower-sec-spam/whistleblower_disclosure.pdf?itid=lk_interstitial_enhanced-template - see point 72

---

## ML-driven surveillance

A primary challenge for large-scale intelligence services, advertising, and related industries is turning the sheer quantity of data available into actionable insights.

<figure>
<img src="../../img/privacy/nsa_collection_stats.webp" style="max-height: 30vh;">
<figcaption>

*Source: [Office of the Director of National Intelligence](https://www.dni.gov/files/documents/icotr/2018-ASTR----CY2017----FINAL-for-Release-5.4.18.pdf)*

</figcaption>
</figure>

---

## ML-driven surveillance

<div class="container container-center">
<div class="col">

Recent advances in machine learning, however, have helped drive a boom in these industries and in surveillance-friendly tooling.
</div>
<div class="col">
<figure>
<img src="../../img/privacy/facial_recognition_mistakes.webp" style="max-height: 45vh;">
<figcaption>

*Source: [New York Times](https://www.nytimes.com/2020/12/29/technology/facial-recognition-misidentify-jail.html)*

</figcaption>
</figure>
</div>
</div>

notes:

Notably, Virginia has recently (June 2022) authorized the use of facial recognition by law enforcement:

https://lis.virginia.gov/cgi-bin/legp604.exe?221+sum+SB741

https://www.wtvr.com/news/local-news/virginia-lifts-ban-on-police-facial-recognition-technology-june-30-2022

===

## Summary of privacy and surveillance

<div class="fragment semi-fade-out" data-fragment-index=0>

We've seen a high-level overview of some of the reasons why privacy is important and how it can be a challenging problem.

</div>
<div class="fragment" data-fragment-index=0>

If I had to summarize the most important things to know about privacy in three bullet points, they would be:

</div>
<div class="fragment fade-in-then-semi-out" data-fragment-index=0>

- Build a (reasonable) threat model.

</div>
<div class="fragment fade-in-then-semi-out" data-fragment-index=1>

- Use encryption.

</div>
<div class="fragment fade-in" data-fragment-index=2>

- Create a mindset of thinking about what kinds of data and metadata you might be exposing in sensitive contexts.

</div>