Open Rights Group Conference 2019

I popped my ORGcon cherry on Saturday – lured by the promise of an Edward Snowden keynote, I popped up to the beautiful Friends House in Euston to hear talks on a range of digital privacy issues.

I was impressed by the range of panelists and speakers – from all ends of the privacy spectrum; Big Brother Watch to GCHQ were represented and met not with fire and fury, but a mutual respect and a wish to make our digital lives better.

I’ve noted which speakers were at each talk – their bios can be found on the ORGcon website here.

I’ve jotted down a brief summary of my impressions from each talk – hopefully they’ll give a little glimpse into each session I attended. ORG livestreamed all the main stage talks (including the Snowden keynote) – you can find the recording here. I understand that they’ll have more recordings on their YouTube channel soon.

There were also two amazing artists who were sketching a summary of each talk – here’s a sample of a few of them, incredible talent to do this on the fly all day on a hot Saturday!

Snowden Keynote

Speakers: Edward Snowden & Martin Bright

State surveillance which now targets journalists, political minorities and immigrants protects “state security” rather than “public security”. Mass surveillance is not just a failure of privacy, but a failure of democracy.

When asked if his personal politics had shifted from the right while at NSA to the left as he leaked their data, he replied that he had never been about left or right – he was more concerned with the “up and down” of the powers governments held.

We now think so little of politicians that we expect the worst from them in any situation…

Great question from the audience – how do children deal with corporations predating on their personal data? Snowden noted that most younger users don’t really care about giving up privacy in return for convenience.

We should instead be building towards technology that doesn’t require people to read patch notes, tech advisories and pages of user agreements to engage securely.

He finished on an upbeat note – there is hope for the future – society will shape the regulations, change can be effected!

The Personal is the Political – How your data defines your personal ads

Panel: Reema Patel, Ravi Naik, Rose Acton, Steve Wood

Political ads learning from Facebook etc on how to present ads – A/B testing, scaling etc. Very economical to reach large numbers and tweak adverts based on feedback.

Lots of concern about regulation – ads need to be archived and transparency as to who commissioned them. Big issue around third parties putting forward ads without ties to the parent party. Regulation is fining non-compliance, but third parties will be harder to pin down.

One gentleman asked about mind control – the audience getting a dopamine rush from their laptops and smart devices rather than engaging with the talk going on. How will this be regulated? The panel did not have an answer….

Can tech be truly ethical?

Panel: Paul Dourish, Lillian Edwards, Ann Light, Gina Neff

Is this a matter of design or regulation?

Lots of discussion around process vs people. Concerns about biases in algorithms, e.g. Amazon tech hiring algorithm prioritising men over women due to the bias of the programmers…

Most of the panel felt change will be a mix of regulation and design. One question from the audience was how to deal with the “charging bulls” (e.g. Facebook). More intense regulation definitely required – but other monolithic companies can “be better”; Microsoft as a good example of a company doing the right thing.

Companies should change from “Move fast and break stuff” to “Move slowly and grow stuff”

“Tech isn’t good, isn’t bad, but it’s not neutral either”

Facial Recognition

Panel: Silkie Carlo, Dr. Suzanne Shale, Sian Berry, Madhumita Murgia

General concern that the Metropolitan Police Service had been running LFR (Live Facial Recognition) trials since 2014 and that match rates were extremely low (80%+ mismatch rate). Officers are supposed to be performing QA on matches, but Big Brother Watch noted examples where people had been stopped regardless of the quality of the match.

Also of concern that LFR struggles with BME/female matching – algorithm bias introduced by engineers?

I was impressed to see MPs/Government attending and engaging on this subject (amongst others).

Solving the encryption dilemma

Interesting choice of speakers – Nate Cardozo (Privacy Policy Manager for Facebook) and Mark Daly (NCSC/GCHQ). Neither got booed! Cori Crider was an excellent moderator, with some penetrating questions.

Facebook Messenger is currently not end-to-end encrypted; this is due to change in the next 2 years.

Talked about the “Ghost Proposal” where government agencies would have key escrow on end-to-end encrypted communication. Mark Daly stated that the govt wasn’t interested in this currently…

Nate spoke about his shift from EFF to Facebook, wants to ensure that privacy is at the forefront of FB policies. If he leaves, be concerned about what they’re up to… Hopefully a shift away from harvesting metadata.

A safeguarding dystopia

Panel: Jim Killock, Josianne Galea Baron, Vinous Ali

How do we go about protecting children online?

Thorough summary of UNICEF’s mission to protect children by Josianne. Children have numerous rights enshrined in law to safeguard them (similar to Human Rights Act)

Technology can empower children, but is it being used in the right way to keep them safe?

Are the age verification measures being put in place suitable, workable? – concerns around privacy of data (breaches, who holds the data). Mindgeek are aiming to be the AgeID gatekeepers – they’re also the owners of one of the biggest porn sites on the Web.

Little thought given to educating parents on how to keep children safe online. Definitely a key issue and one given very little weight by the government!

Legislation – issues with sexting in underage but age-appropriate relationships (although Outcome 21 not mentioned)

Vulnerability – many children in vulnerable situations (care homes etc). Harder to protect them.

Thanks to Owen Blacker, who live tweeted this discussion and reminded me of some of the talking points!

Final Thoughts

This was a really interesting convention – I was genuinely surprised with the breadth of speakers attending. Getting representatives from Parliament and the big data companies is essential if we want to enact the changes discussed and they seemed engaged and receptive to criticisms of policy and law within their respective organisations.

I was slightly disappointed not to be able to get into the Action Space, which was looking at the data held on mobile phones and how companies hide their tracking of users and pull that data out. Obviously a popular topic!

I think the conference was just on the verge of needing a second day – I had to choose between two different talks a couple of times, but it would require a few more main stage talks to fill out a second day (which I’m sure they could have arranged).

All in all, I really enjoyed my first ORGcon, see you there next year!

London CryptoParty 2017

Thought I’d put out a short writeup from the London CryptoParty, held last Friday at IDEALondon (https://www.cryptoparty.in/london)

First of all, massive thanks to IDEALondon for making the space available for the event (and the drinks!). Also thanks to Leonie Tanczer (@leotanczt) for organising and leading the evening.

After a brief introduction by Leonie and a run through of a selection of suggested topics that generated some great debate, each table took some time to talk about what they wanted to look at during the evening. What was great to see is that there was a real diversity of knowledge in the room, from cybersecurity experts to people who didn’t know what HTTPS was! It’s very encouraging to see people who don’t have a huge amount of experience coming to these events – it can often be very daunting for the newcomer.

Our table decided to discuss (amongst many other things) VPNs and TOR. A great comparison site was put forward – https://thatoneprivacysite.net/ which looks to be a fairly definite list of VPN providers. I shall definitely be checking some of them out. Ironically, many of the VPN sites were blocked on the local network…..

We also spent some time talking about TOR, why its use is justified, the risks in using it (given that ISPs can see that you’re using TOR unless you take extra steps to mask yourself) and a little rundown on how it works. Check out https://www.torproject.org/about/overview for an overview.

I briefly moved over to one of the other tables, where they had moved onto more advanced discussions… machine learning in IDS was one – a little over my head! But it was interesting to hear about what the guys on the frontline are into in regards to security.

Unfortunately, that was all we had time for – a few moved on for the usual post-meeting beers, while I meandered back to Moorgate.

There were quite a few other topics posted up for discussion which we just didn’t get time for, including:

Disk Encryption (VeraCrypt http://veracrypt.codeplex.com/, FileVault, etc)

Password Managers (KeePass, LastPass, etc) – this was briefly discussed at the start of the meeting, with people in favour and against their use. As someone who doesn’t use one, it was interesting to hear what the other side thinks – it definitely made me consider using one in the future.

HTTPS (Ghostery, HTTPS Everywhere)

Email Encryption (GPG, Thunderbird, etc) – again, this was talked about. The main issue with this is the genuine difficulty in setting up signed email, which limits the amount of other users to send to… Most people seemed to be happier using WhatsApp or Signal!

Overall, I thought it was a great session. I liked the open discussion at the start of the evening – it gave everyone a good idea of what was worth discussing, as well as being able to have a wider discussion about the proposed topics. While I didn’t spend too much time doing anything practical (although I did finally install VeraCrypt), I found it particularly useful to hear about the latest trends in encryption, especially when it comes to VPNs. It can often be more useful to take a few notes, come home and do a bit of research rather than try to install and get a new program running at the event (especially when it’s PGP mail…..)

I’d definitely recommend this to any tech newbies (or even tech oldies!) – there was no judgement about people’s abilities and everyone was more than happy to spend time explaining the fundamentals and help get programs up and running. If you’re considering coming to a CryptoParty in the future, but you’re worried about not knowing what’s going on, don’t worry!
