Friday, April 21, 2017

Privacy and Transparency in 20 years

There is inherent tension between privacy and transparency.  For a democracy to function properly, some argue that transparency (not privacy) is necessary for public institutions, but that privacy (not transparency) is necessary for individuals. And yet, governments and corporations have legitimate needs to keep certain secrets (think national defense and trade secrets), and certain individuals such as terrorists and criminals use privacy as a means of accomplishing their hostile and illegal acts (think encryption and ephemeral messaging).

How will the tensions between privacy and transparency be reconciled over the next 20 years?  Will one value prevail over the other or will they both be harmonized?  Will personal privacy be a thing of the past? Gaze into your crystal ball and describe our nation in 20 years in terms of privacy and transparency.

Thursday, April 20, 2017

Takeaways for Week 15

This week was all about reclaiming one's privacy.

On Monday, a discussion on ephemeral messaging took place, where several benefits of this type of service were brought to attention, which included the following:

  • Gives a sender greater control over who sees a message
  • Increases the level of privacy
  • Increases security of information
  • Greater convenience
  • Provides for spontaneity
However, it was noted that these apps are not created equal in terms of privacy.

Wednesday's class was all about detailing levels of privacy protection.  There were three types of protections:  strong, for normal people; stronger, for geeks; and super strong, for tin foil hat types.
The strong protections included:
  • Password hygiene:  Password-protecting all of one's devices with complex, 8-12-character passwords, using separate passwords for each online account, and not settling for default security questions.
  • Authentication:  Using two-factor authentication and biometric ID for accounts and devices
  • Self-censorship and Restraint:  Using cash to pay for embarrassing items, using the delete button liberally, "liking" fewer things on social media to make one's online profile less complete, and decreasing one's digital footprint
  • Caution with Social Media and Apps:  Turning off geotagging when posting photos and status updates, remembering that some personal details simply should not be shared on Facebook, using sound judgement when posting photos, signing out when through viewing or posting, changing Facebook privacy settings to "friends only," checking permissions when downloading an app, possibly skipping or monitoring automatic replies, and periodically reviewing apps and deleting those that are not used
Stronger included:
  • Encrypting hard drives
  • No use of unencrypted cloud services
  • Keeping malware and virus protection software up-to-date
  • Using a VPN
  • Properly wiping phones and computers when disposing
  • Confidential Communications:  Encrypting phone communications, using ephemeral messaging apps, and avoiding free public networks or wi-fi
  • Web Browsing:  Clearing browser history and cookies on a regular basis, using a browser that does not track, using an IP tracker, installing plugins to avoid tracking, and using a disposable/temporary e-mail address
The Super Strong category consisted of some fairly wacky ideas, including:
  • Keeping one's phone in a Faraday Cage when not making calls
  • Covering all inner-facing cameras on any Internet-connected devices
  • Plugging in headphones when not listening to music
  • Wearing "unhackable" fashion, such as a drone cloak or plane laptop sock
With all of these possible protections, one can therefore come to the conclusion that privacy cannot be completely dead.  It will just take a little bit of extra effort to maintain.

Takeaways for Week No. 15


Recent Developments for 4/17/17
  • Burger King Ad hacked the Google Home Assistant (when the commercial was listened to, it triggered the Home Assistant to read off the ingredients in a Whopper Burger); Helped reinforce the issue that smart devices can be hacked
Ephemeral Messaging
  • Messages that don't persist, kind of like a face-to-face conversation, where no hard copy of communications is kept
  • More and more ephemeral messaging platforms are being developed, like Instagram Direct and Facebook Messenger's Secret Messages.
  • Benefits: sender has greater control over who sees the message, there is an increased level of privacy, there is increased security of information, there is greater control over distribution and life-time of messages, etc.
  • As ephemeral messaging becomes more popular, what are some concerns about people using this technology?
    • Drawbacks of ephemeral messaging: people can be less civil/ethical (in a sense, there is less accountability), there is no backup history of what was messaged/nothing to look back on
    • Concerns from a business perspective: there are often reasons/laws where a company will need a permanent copy of messaging/communications, there are concerns of messaging being used for sexual harassment or discrimination
    • Concerns from a government use perspective: there is a need for transparency/accountability
Ways to Protect Personal Privacy
  • Practice Good Password hygiene, practice self-censorship and restraint, be careful with social networks and apps, use confidential communications, practice good data security, etc.
  • What is the right amount of caution for a person to take?
    • It honestly probably depends on the person, although certain, basic measures should be taken by everyone.

Takeaways for Week 15

1.    Ephemeral messaging apps are becoming increasingly available and easy to use.  The contents of messages sent on these apps are encrypted and vanish from all devices/servers after a certain amount of time.  Many of them also have features that make it more difficult to screenshot the contents of the message.  Confide, for example, is an app that requires the user to decode a message one line at a time by dragging their finger down the screen.
2.  Ephemeral messaging ensures much safer and more secure messaging than other electronic forms of messaging.  This can be helpful for companies conveying private information or individuals involved in a very personal conversation. 
3.  On the down side, ephemeral messaging may enable illegal or inappropriate exchanges, such as child pornography, cyberbullying, or drug transactions.
4.   Users should investigate a few questions before using ephemeral messaging.  These questions might include:
-       Where will the message be stored, and for how long?
-       How easy is it to screenshot or copy the message?
-       How secure is the encryption?
5.  There are three basic levels of privacy protection we can implement: strong (normal person level), stronger (geek level), and super strong (tin foil hat-wearer level).  Some of the simplest but most effective suggestions include using password hygiene, using good judgment on what information and pictures we share on social media, and limiting geolocation.



Monday, April 17, 2017

QUESTION OF THE WEEK NO. 13

Do you agree with the following statement?:

 Privacy as we know it is essentially dead and we must learn to live in a totally transparent world where every aspect of our lives, except for our unexpressed thoughts, are an open book.

Thursday, April 13, 2017

A Less Permanent Internet: Ephemeral Messaging

What is it? Ephemeral messaging, or self-destructive messaging, is a system where messages are deleted after a certain period of time after being read. Messages can be text, images, videos or emails. The process usually involves encryption during transfer and strong password walls to verify users before messages are viewed. A certain period of time after the message is viewed it is deleted on both the sender’s and receiver’s devices, as well as the system servers. Examples of platforms that use ephemeral messaging are Snapchat, Wickr, Mirage, Dust, Confide and Facebook Messenger.

Purpose. Internet users have limited control over their online content; ephemeral messaging offers an increased level of privacy. It provides protection against a widespread distribution of the content you send and keeps conversations private from others. Since no record is maintained, someone with your device is unable to read those messages. Ephemeral messaging helps those who are hiding activities, which could be for privacy in everyday life up to hiding illegal activity or threatening messages that could otherwise be used in court. Generally, ephemeral messaging is for users to communicate without leaving a copy of everything they send to be permanently recorded. See this video (start at 2:45) for more information on benefits of ephemeral messaging.

How secure is it? It is impossible for ephemeral messaging to be perfectly secure. Some platforms have tools to prevent screenshots of messages, or require a finger to be on the screen to make it more difficult. However, this doesn’t prevent a user from having an external camera to take a picture of the content while viewing the message. There is also the possibility that the service provider doesn’t destroy their copy of the message. The apps’ companies may also collect some information for analysis or to sell to advertisers, or be forced to surrender that information when asked by the NSA or through the legal process for an employer or school. For more information see this website discussing potential security issues in ephemeral messaging. Despite the lack of perfect security, ephemeral messaging is more secure than regular messaging. The chances of the message content being released are much lower, providing a more private means of communication.

Apps. The most popular app for ephemeral messaging is Snapchat. It has had some issues, such as getting hacked and potentially not deleting photos off their servers. Confide is another app, which has a feature requiring the user to drag their finger to reveal each line of the message, making it more difficult to copy the message. Facebook Messenger has a new feature, Secret Conversation, which includes encryption. Wickr allows its users to set the duration of auto-destruction on their messages. See this website for more information on popular ephemeral messaging apps.

Use in Business. Ephemeral messaging has begun to spread into business use. These apps could be useful in the communication of private and sensitive information. It can be essentially used as a digital version of in-person meetings or phone calls, in lieu of emails which maintain the information sent. Ephemeral messaging could protect businesses in the case of hacking, where their conversations would be vulnerable if stored. Sensitive information won’t be stored, where it has the potential to be found. Though ephemeral messaging may not be for all communication, it may be used for information the company/entity wishes to keep private. This type of communication could be useful in government, hospitals, senior-citizen care, law enforcement, fire departments and financial institutions. Some regulation may be necessary to incorporate ephemeral messaging in business; this website outlines some possible regulations.

I cannot say if ephemeral messaging will be widely used, but it has benefits which give it the potential to become commonplace. It offers a step towards making information on the Internet less permanent.


Weekly Takeaways #14


  1. Deep and Dark Web: websites which are not able to be indexed, cannot be accessed without a certain browser and URL.
    1. Guarded with encryption
    2. Anonymous use
    3. Also holds databases requiring login to access (restricted access)
  2. Dark Web: same type as Deep Web, but generally associated with ‘dark’ or illegal activities
    1. Deep web is broader, includes all content not accessible to search engines
  3. Tor: allows you to browse anonymously, difficult to track
  4. Virtual Currency: not regulated
    1. Peer-to-peer transactions
    2. Doesn’t protect against fraud or ability to get money back
    3. Subject to taxes
  5. Bitcoin: most popular form of virtual currency
    1. Not linked to identity
    2. Can only be accessed with password and two-factor authentication
    3. Used for illicit purposes as well as by regular businesses or investment
  6. Questions to consider:
    1. Should virtual currency such as Bitcoin be regulated?
      1. How would it be regulated?
    2. Should accessing/using the Dark Web be illegal?
      1. Line between intention and attempt. At what point should Dark Web use be criminalized?

Monday, April 10, 2017

QUESTION OF THE WEEK NO.12

Should accessing and using the Dark Web be criminalized?

Friday, April 7, 2017

Bitcoin: Do virtual currencies need regulation?

Bitcoin was the first decentralized virtual currency, a type of “unregulated, digital money, … used and accepted among members of a specific virtual community” (European Central Bank). Bitcoin was created by Satoshi Nakamoto on October 31, 2008, when Nakamoto published a research paper titled “Bitcoin: A Peer-to-Peer Electronic Cash System.” You can send and receive Bitcoins online, without having to go through a bank or other intermediary like PayPal. That means much lower transaction fees (around 0.0005 Bitcoin, or $0.60). And because there’s no central bank or mint to manage everything, there are no terms, limits, or conditions. Check out this video [1:36] on Bitcoin for more. But how can Bitcoin work without a central authority? If you receive a Bitcoin, how do you know it’s really yours to spend, with no third-party guaranteeing each transaction? Bitcoin’s answer is peer-to-peer data processing, also known as mining. Bitcoin mining is the process of making computer hardware do calculations for the Bitcoin network to confirm transactions. As a reward for their services, Bitcoin miners collect transaction fees.

Each user has a digital wallet, containing your Bitcoins, as well as a private key, like a unique digital fingerprint. When you buy a cup of coffee, you use your Bitcoin wallet to make the transaction, which is digitally signed by your private key. The “signature” is then checked by Bitcoin miners before being published on a transparent public ledger. The miners do mathematical calculations to check that it was really you that signed the transaction, and that you didn’t spend the same Bitcoin twice. If you want to learn more about the cryptography involved, the Bitcoin Wiki has a good explanation. The Bitcoin network works like most peer-to-peer software: users, also called nodes, can join and leave at will, and the “official” record is just the order of transactions that most nodes agree on. This does create the possibility of an attack on the Bitcoin network if a group of nodes made a concentrated effort to log inaccurate transactions. As Nakamoto says in his research paper, “The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes.”

With Bitcoin worth $1190, new potential Bitcoin users might be wary of the peer-to-peer structure. Without a trusted third-party to oversee and mediate, there’s no money-back guarantee. And users have a high degree of anonymity, which provides opportunities for criminal activity, including black markets, money laundering, and tax evasion. Should Bitcoin be regulated? If so, who should step in? New York state created BitLicense, which requires that businesses obtain a license to deal in Bitcoin or other virtual currencies. This and other rules have been heavily criticized for imposing onerous conditions on Bitcoin operators, and making it difficult for small companies or startups to operate. You can read more about BitLicense here.

The IRS treats virtual currencies as property, so every Bitcoin user must track the gains or losses of each transaction to stay in compliance with IRS regulations. Tax Foundation, a tax policy research organization, claims that virtual currency should not be categorized as property. They say that the IRS ignores how virtual currency is used and treats it as something that people hold for an investment. The Federal Reserve does not currently have the jurisdiction to supervise or regulate virtual currency, but said in 2014 that “Bitcoin does not present a threat to economic activity by disrupting traditional channels of commerce; rather, it could serve as a boon. Its global transferability opens new markets to merchants and service providers” (Board of Governors meeting transcript).

I believe that regulating Bitcoin is a fruitless effort. It’s nearly impossible to stop someone downloading a Bitcoin wallet and connecting to the network. That’s because the Bitcoin network is completely decentralized. There’s no server to shut down and no one node that knows all. Even in areas where Bitcoin isn’t considered illegal, any regulations will inevitably restrict innovation. For a great overview of this debate, read this CoinDesk article.
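
As an added illustration of the signature and double-spend checks described in the Bitcoin post above (not code from the post or from the Bitcoin project), here is a toy ledger in Python. Bitcoin itself uses ECDSA signatures and a mined block chain; this sketch swaps in hash-based Lamport one-time signatures so it needs only the standard library, and the names `Ledger`, `tx_message` and `coin-1` are made up for the example.

```python
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport one-time key pair: 256 pairs of secrets; the public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    # Reveal one secret per bit of the message digest. A key should sign one message only.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))


def address(pk) -> str:
    return H(b"".join(a + b for a, b in pk)).hex()


def tx_message(coin_id: str, new_owner_pk) -> bytes:
    # What the current owner signs: "this coin goes to that public key".
    return f"{coin_id}->{address(new_owner_pk)}".encode()


class Ledger:
    """Public record of which key owns each unspent coin (stand-in for the miners' view)."""

    def __init__(self):
        self.unspent = {}   # coin_id -> owner's public key
        self.history = []   # accepted transfers, in order

    def mint(self, coin_id: str, owner_pk):
        self.unspent[coin_id] = owner_pk

    def submit(self, coin_id: str, new_owner_pk, sig) -> str:
        owner_pk = self.unspent.get(coin_id)
        if owner_pk is None:                      # double-spend check
            return "rejected: unknown or already spent"
        msg = tx_message(coin_id, new_owner_pk)
        if not verify(owner_pk, msg, sig):        # "was it really you?" check
            return "rejected: bad signature"
        del self.unspent[coin_id]
        self.unspent[H(msg).hex()] = new_owner_pk  # new coin, owned by the recipient
        self.history.append((coin_id, address(new_owner_pk)))
        return "accepted"


def demo():
    # Constructed scenario: all parties and the coin are invented for this example.
    alice_sk, alice_pk = keygen()
    _, bob_pk = keygen()
    _, carol_pk = keygen()
    mallory_sk, mallory_pk = keygen()
    ledger = Ledger()
    ledger.mint("coin-1", alice_pk)
    results = []
    # Mallory tries to take Alice's coin, signing with her own key.
    forged = sign(mallory_sk, tx_message("coin-1", mallory_pk))
    results.append(ledger.submit("coin-1", mallory_pk, forged))
    # Alice pays Bob.
    to_bob = sign(alice_sk, tx_message("coin-1", bob_pk))
    results.append(ledger.submit("coin-1", bob_pk, to_bob))
    # Alice tries to pay Carol with the coin she already spent.
    to_carol = sign(alice_sk, tx_message("coin-1", carol_pk))
    results.append(ledger.submit("coin-1", carol_pk, to_carol))
    return results


if __name__ == "__main__":
    print(demo())
```
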

Monday, April 3, 2017

QUESTION OF THE WEEK NO. 11

Healthcare providers are moving to a system of electronic health records where an individual’s entire medical history, diagnoses, treatments, medications and other health information are maintained in a digital form.  In order to provide better and more timely health care to individuals, should physicians and other healthcare providers be able to freely access and share this information with each other without a patient’s consent?

Friday, March 31, 2017

DNA Databases and Dragnets

The collection of a national DNA database is an idea that has been circulating for a very long time.  In the United States, Title 42 Chapter 136 of the U.S. Code states that DNA samples can only be collected from individuals in custody, individuals on release, parole or probation, and individuals already in CODIS (Combined DNA Index System).  Only the Attorney General, Director of the Bureau of Prisons, the probation office, or anyone delegated by these people, can collect DNA.   DNA can only be collected from people who are guilty of a class A misdemeanor and punished in accordance with title 18.  This U.S. Code goes more into detail about what is determined a felony and what is described as a DNA sample.  These provisions are very different from those in the UK.
Since 1994, the UK has been collecting DNA from people all around the nation and now holds DNA samples from 2.7 million people (5.2% of the population).  The DNA collected is largely associated with people who have never been charged or convicted of any crimes.  The British Parliament created the Criminal Justice and Public Order Act in 1994.  This act gives the police the right to take anyone’s DNA without consent, as long as they committed a “recordable” offense.  This could mean anywhere from a casual traffic stop or being drunk and disorderly to a robbery or murder.  In 2001, the law was changed to enable permanent retention of the DNA sample profiles for people who were charged but not proceeded against.  The ultimate goal of this Act is to collect DNA from all citizens, to make a society where justice is accurately served to those who are guilty, and providing freedom to those who are innocent.
The use of “DNA Dragnets” has become a popular way to collect citizen DNA.  Dragnets are used to collect a pool of DNA, which is then run through the system to see if they can find a match.  In September of 2004, a student at the University of Oklahoma was raped and murdered on her way home from class.  The investigator, John Maddox, found the DNA of the rapist, and created an arrest warrant for him under the name John Doe.  This was possible because they had the DNA evidence, but they did not know who he was.  So Maddox asked for people to volunteer their DNA.  The article states, “In most cases, where people refused, Kuykendall got the courts to force them to give DNA. But Juli's parents, Mary Jean and Bud Busken, wonder why any innocent person would hesitate. "The bottom line to me is there's only two people that don't want to have DNA taken, and that's a person that has done something wrong, or going to do something wrong," says Bud Busken.”  DNA collection is perfectly legal as long as it is voluntary.  This article was really interesting so if you want to check it out you can do so here.

I find it hard to justify the need for a national DNA database with every single citizen’s DNA and even less the use of dragnets.  I feel like a criminal can just refuse to have his DNA tested, and unless they have any other evidence, they won’t be able to get a warrant to force the suspect to give DNA.  I do not think that the United States should create a national DNA database or allow the use of DNA dragnets because it infringes on the citizens' right to privacy by being excessive and unreasonable.

https://www.law.cornell.edu/uscode/text/42/14135a
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1490298/
http://www.cbsnews.com/news/dna-dragnet/

Wednesday, March 29, 2017

National DNA Database



Should a national DNA database be created, consisting of DNA from every citizen collected through a mandatory collection program?

In the U.S., current law allows DNA to be taken from sex offenders and those convicted or accused of a serious crime.  The information is then stored in a national DNA database.  The database has been used both to prosecute crimes and to exonerate those wrongfully convicted.  With some exceptions, most notably the military, the federal government may not collect DNA from ordinary citizens.  Several states, including Utah, have statutorily allowed the collection of DNA from persons arrested and subsequently charged with felonies.  In Utah, DNA samples of those arrested, but never charged or later exonerated, must be destroyed.  In contrast, Britain more widely collects DNA from ordinary citizens, often in “DNA dragnets” where, for example, DNA samples of all male citizens in a given community are taken to aid in the investigation of a rape.  The samples are maintained in a national database.

How does it work exactly here in the U.S?

How do these DNA databases using CODIS work?

For example, in the case of a sexual assault where an evidence kit is collected from the victim, a DNA profile of the suspected perpetrator is developed from the swabs in the kit. The forensic unknown profile attributed to the suspected perpetrator is searched against their state database of convicted offender and arrestee profiles (contained within the Convicted Offender and Arrestee Indices, if that state is authorized to collect and database DNA samples from arrestees). If there is a candidate match in the Convicted Offender or Arrestee Index, the laboratory will go through procedures to confirm the match and, if confirmed, will obtain the identity of the suspected perpetrator. The DNA profile from the evidence is also searched against the state’s database of crime scene DNA profiles called the Forensic Index. If there is a candidate match in the Forensic Index, the laboratory goes through the confirmation procedures and, if confirmed, the match will have linked two or more crimes together. The law enforcement agencies involved in these cases are then able to share the information obtained on each of the cases and possibly develop additional leads. (FBI.gov)

Why not?
You may ask yourself why it is even a concern that the government stores a little bit of your DNA if you haven't committed a crime.

One argument focuses on the threat to privacy. "Many people are against the idea of extending the DNA database because of the potential threat it has to our privacy. While a DNA profile provides very little information about someone, their DNA sample contains information that can reveal their ethnicity or how susceptible they are to disease. The risk of data abuse is therefore potentially high."

Also, where would we draw the line on who has access to this information? If the individual themselves had questions about their genetic profile, could they request to view the information stored about them? Would we share this data with all other countries or just those that have a similar system in place? Who would be regulating this data to make sure it doesn't get used for commercial purposes? "As genetic databases become increasingly common in other countries (over 60 countries are now operating one) the sharing of data between international police forces is likely to increase. This may increase the vulnerability of databases to abuse and hacking. It also introduces the challenge of differences in the rules for holding data which vary greatly between different countries. Although one standard may apply in the UK, it may not apply elsewhere."

What are the other possibilities of uses for the database? 
Genetic testing: "Currently the database can already be used for some genetic research studies and to identify partial matches, where close genetic relatives can be identified from the DNA profiles of relatives on the database." What new doors could this open up? Being able to find long lost relatives, prove certain familial ties and even uncover your genetic risk to certain disease? What if insurance companies were able to access this data and increase rates for those susceptible to certain conditions?
There are many ethical questions that arise with this possible new law. For example, how long will this data be stored? Maybe past the death of the individual to help rule out DNA in the future? Will certain groups be exempt from this and for what reasons? What measures will be taken to ensure the safety of this information? 

Personally I think that we don't have the means to protect such a large amount of personal information with any expectation of safety. The possible threats this country could face if this information got into the wrong hands outweigh the possible benefits to me. There is certainly valid debate from both sides but I just think it's too high of a security risk. This information could not only jeopardize privacy but also general safety. If someone got all the DNA profiles of a group of people they could target them in a number of ways (ex. biological warfare, discrimination). I do not think it should be mandatory for every citizen to give a DNA sample; that just gives too much control to the government.



Sources:
http://www.yourgenome.org/debates/is-it-ethical-to-have-a-national-dna-database
http://www.pbs.org/wgbh/nova/next/body/dna-databases/ 
https://www.fbi.gov/services/laboratory/biometric-analysis/codis/codis-and-ndis-fact-sheet