Mark D. Rasch

Nov 17, 2013

Mark D. Rasch

Director, Privacy and Security Consulting

CSC

MRasch2@csc.com

#bridgeconf


“Half the money I spend on advertising is wasted. The trouble is, I don’t know which half.”



Obtain comprehensive, accurate and timely data about possible customers that includes:

Purchasing habits and predictions

Profile (race, age, orientation, income) that might influence purchasing

Information about readiness to buy

Location information


NOT to sell to customer


BUT


To get customer to sell to others!

Thus, social marketing, Google, Facebook, etc.


Google’s new privacy policy effective March 1, 2012

“if you’re signed in, we may combine information you’ve provided from one service with information from other services”


Free directory assistance


1-800-GOOG411

Business listings AND connection and direction

What does Google collect?


The Holy Grail of Marketing

Knowing WHO wants to buy

WHAT they want to buy

WHEN they are ready to buy and

WHERE they are going to buy


From apps


From IP address


From databases


Public Databases


Social Networking


From technology


Cell phone


EZ Pass


OnStar


From Surveillance



Government put GPS transmitter on car

No warrant (actually exceeded scope of warrant)

Monitored all activities for 28 days

No expectation of privacy?


Majority (Scalia)

Placing device on car is trespass, and a “search and seizure” under 4th Amendment; warrant likely required.

Concur

Sotomayor: agrees that there was trespass but would go much further, even reexamine Smith v. Maryland

Alito (w/Ginsburg, Breyer & Kagan): no trespass, harm was in monitoring


Spoof cell tower


Obtain ESN and signal strength


Learn location


No warrant, no subpoena

In use now US v. David Rigmaiden


Monitors cell phone of customers

Determines location of customers as they travel through the mall

“ping” cell phone for location data

In use in UK

claim that data is publicly disclosed


“pen register” records or decodes dialing, routing, addressing, or signaling information (not content)

“trap and trace device” captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication, provided, however, that such information shall not include the contents of any communication;


OnStar


AT&T/Verizon/Sprint (as cell provider)

AT&T/Verizon/Sprint (as data provider)

Google (for maps, etc.)

EZ Pass

Red Light/Speeding/License Recognition

Parking Meters

Video Surveillance/Facial Recognition


Location aware applications


Intermediaries


Data Collectors


ISPs

Other third parties


Surfing activity?


Purchasing Activity?


Social Networks?


Interactions with others?


Stores


Hospitals


Insurance


Others?


Source: The Future of Privacy Forum - http://www.futureofprivacy.org/2008/11/26/where-does-your-data-go-before-you-even-click/


Browser is “cloud optimized”

Means ALL data travels through Amazon cloud services unencrypted

So, Amazon knows everything you look at, purchase, etc.

No limit on use/sale of that data

Source: TRUSTe Whitepaper: Online Behavioral Advertising: A Checklist of Practices That Impact Consumer Trust


Facial Recognition for targeting

Target ads based on identity or attributes

Coke Zero Facial Profiler

why are they doing this?

Source: TRUSTe/TNS 2009 Study: Consumer Attitudes About Behavioral Targeting



August 2011


Prof. Alessandro Acquisti, Ralph Gross, Fred Stutzman

Collected images of people walking around on campus

Used public databases

Image of Subject

Process Image (digital)

Compare Image to ALL images online (Facebook, campus, etc.)

Publicly available with off the shelf facial recognition

Identify Subject

Identify Subjects’ Interests

Obtain Detailed Information

Publicly available with off the shelf facial recognition

With JUST the image of the passer-by, could obtain subjects’

Name, address, telephone number

Photos of friends, house, neighbors, associates

Court records, license info., mortgage and assessment

Social Security Number!


Harmonizes data


Looks for patterns


Links databases


Finds non-obvious patterns

Acts on patterns


Facts


Drug companies use “detailing”


Vermont statute regulates “prescriber-identifying information.” Without consent:

Pharmacy can’t sell it (for marketing?)

Pharmacy can’t allow it to be used for marketing

Drug company can’t use it in marketing

Drug companies and data miners both sue

Similar Maine and N.H. statutes upheld

Second Circuit strikes down Vermont’s

Heightened scrutiny

The creation and dissemination of information are speech

This content-based restriction is like a ban on selling cookbooks, lab results, train schedules

Detailers can’t do their job (speech) without this commodity (information); like banning a trade magazine from buying ink



Respect Privacy


Data Subjects have a right to know what is being collected

Opt in/Opt Out

Protect Data

Data Accuracy

Don’t be creepy…

Personal data should not be processed at all,
except when certain conditions are met.
These conditions fall into three categories:
transparency, legitimate purpose and
proportionality.

The data subject has the right to be informed when his personal data is
being processed. The controller must provide his name and address, the
purpose of processing, the recipients of the data and all other
information required to ensure the processing is fair.


when the data subject has given his consent

when the processing is necessary for the performance of or the entering into a contract

when processing is necessary for compliance with a legal obligation

when processing is necessary in order to protect the vital interests of the data subject

processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed

processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.

The data subject has the right to access all data processed about him. The data subject even has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or isn't being processed in compliance with the data protection rules. (art. 12)

Personal data can only be processed for
specified explicit and legitimate purposes and
may not be processed further in a way
incompatible with those purposes.




Personal data may be processed only insofar as it is adequate, relevant and
not excessive in relation to the purposes for which
they are collected and/or further processed. The data must be
accurate and, where necessary, kept up to date; every reasonable
step must be taken to ensure that data which are inaccurate or
incomplete, having regard to the purposes for which they were
collected or for which they are further processed, are erased or
rectified; The data shouldn't be kept in a form which permits
identification of data subjects for longer than is necessary for the
purposes for which the data were collected or for which they are
further processed. Member States shall lay down appropriate
safeguards for personal data stored for longer periods for
historical, statistical or scientific use.

When sensitive personal data (can be: religious beliefs, political
opinions, health, sexual orientation, race, membership of past
organizations) are being processed, extra restrictions apply.

The data subject may object at any time to the processing of
personal data for the purpose of direct marketing.


Don’t be evil


Transparency is good


Privacy can be your friend (and respect for privacy can be too)

In the end, MOST people don’t care that much…

A soldier will fight long and hard for a bit of colored ribbon.

Napoleon Bonaparte






Mark D. Rasch

Director, CyberSecurity and Privacy Consulting, CSC

3160 Fairview Park Drive, Room 305

Falls Church, Virginia 22042

Tel: +1 301 547-6925

Fax +1 240 209-5344

mrasch2@csc.com


Don’t forget to visit the Solutions Showcase!

Many of the ideas discussed today are on display at the Solutions Showcase!

#bridgeconf