Tech at FTC

I’m currently serving as the Chief Technologist of the Federal Trade Commission.

For the past few years, my work has focused primarily on consumer privacy, security, and surveillance. I had the pleasure of working with Julia Angwin and the team at the Wall Street Journal on the multi-year What They Know series. I then teamed up with David Campbell and Aldo Cortesi to create a pretty fantastic mobile privacy company, MobileScope. Jer Thorp and the team at OCR invited me to collaborate on the development of the Floodwatch Chrome browser extension, which was released in mid-October. And most recently, I worked with the Washington Post’s national security and technology reporters, spearheaded by Barton Gellman, on an array of ground-breaking stories about surveillance and the NSA.

With this announcement, I am moving back to the regulatory side of these issues, extending the work that was started by my predecessors at the FTC: Dr. Latanya Sweeney, Dr. Steven Bellovin, and Dr. Edward Felten.

I’m extremely excited to return to the FTC in a new role as Chief Technologist and help move forward the agency’s work in protecting consumers’ privacy and security. I hope to leverage my experience and expertise in emerging technologies to help advance Chairwoman Ramirez’s goal of safeguarding consumers’ privacy, while ensuring they can reap the benefits of new innovations. [Read more…]

Announcing Floodwatch

Most web users are now pretty aware that their browsing and searching habits are constantly tracked. This tracking data is captured by advertising companies that then feed our information into ever-growing profiles that presume to know our age, gender, income strata, as well as our preferences and shopping habits. It’s exactly these profiles that generate the ads that follow you from website to website, to remind you that, “Hey, you were shopping for sneakers, right?”

But you are not your browser history. Far too often, your browsing patterns can lead to inaccurate assumptions about your preferences and personal characteristics. These inaccuracies are melded into your internet persona, which then influences what ads you see or how much you’re charged for an item. [Read more…]

The Washington Post’s Surveillance Coverage Won a Pulitzer!

The Washington Post was just awarded a Pulitzer for, “its revelation of widespread secret surveillance by the National Security Agency, marked by authoritative and insightful reports that helped the public understand how the disclosures fit into the larger framework of national security.”

I am very proud to work with Barton Gellman and to be identified as part of this reporting team!

Read more here.

Security at the Mercy of Advertising

Yahoo’s latest move is yet another example of the tension between end-user security and the online advertising ecosystem.

Last year, Yahoo announced plans to enable encryption by default as a direct response to a story that Barton Gellman and I wrote about the NSA’s collection of millions of address books globally.  One of the slides we referenced in that story indicated that the NSA was collecting substantially more addresses from Yahoo than the other providers (444,743 from Yahoo vs. 105,068 from Hotmail or 33,697 from Gmail). These figures make sense given that, at the time, Yahoo was still not using default encryption for their front-end webmail users, let alone their back end email delivery (something I’ve written about previously).

Today, Yahoo announced they’ve made progress on their encryption plans with the help of former iSEC Partners cofounder and information security guru Alex Stamos. As Alex’s first post as Yahoo CISO indicates: [Read more…]

Talks and Events

I frequently speak at conferences and public events on matters relating to consumer privacy, security, and technology policy.

Upcoming events

February 08-09, 2015
Digital Broadband Migration: After the Internet Protocol Revolution
Silicon Flatirons, Boulder, CO

Read about past events below.

Bloomberg Interview on Apple #gotofail

I did an interview with Bloomberg news on a major security vulnerability in Apple’s operating system (mobile and otherwise). We discussed what this vulnerability means for users, how it happened, and whether or not the NSA might be involved.

Apple’s #gotofail weekend

In case you spent your weekend watching closing ceremonies and not reading tech news, there was a lot of buzz around a security problem in Apple products. On Friday, Apple released an emergency update for iOS7 that fixed a severe vulnerability in their SSL/TLS implementation on the iPhone.

For those who are not technically inclined, SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are the encryption protocols underlying, among many things, the little lock icon you see in the upper right corner of your browser. This encryption protects you from eavesdroppers when logging into any secure site, like your bank account. It also protects you from actors like the NSA (and other governments) scooping up your emails in bulk when you’re … well … anywhere. After Apple released the emergency update for iPhone, security firm CrowdStrike examined the patch and reverse engineered the vulnerabilities it was addressing, only to find out that it repaired some pretty significant parts of the iPhone operating system. They also found that the same vulnerability exists in Apple’s OS X operating system, meaning that the problem extends to Mac OS X laptops/desktops, not just iPhones. [Read more…]

PEN America Essay: Understanding the Threat

I wrote this essay for a conference hosted by PEN America on the chilling effects of surveillance. I was asked to address what questions researchers should focus on and I discussed the threat posed by stored data and the opportunity for researchers to create new transparency tools. It was originally published here, but you can also read it below!


How do we protect something we can barely see?

As much time as we spend discussing privacy, you would think it’d be easy to define. Yet the more we discuss it, the more it becomes apparent that our definitions of privacy vary widely. For some it means keeping only their deepest secrets safe, while for others any information collected about them without their consent is perceived as a violation. Despite these inconsistencies, most definitions of privacy depend on knowing and controlling what information is collected about us.

Most of the time users don’t realize how much information they are sharing, how it’s stored, or who has access to it. In the analog world, controlling one’s own information was relatively straightforward. Obvious physical and cost barriers limit how quickly and how far information about an individual can be shared. Its reach was our personal circle of friends or maybe a wider community if there were a diligent town gossip. But technology has expanded the reach of information significantly. Now, there are vast quantities of data collected about individual users daily, often stored indefinitely in data centers operated by private companies, and available to anyone that is granted (or can forcefully obtain) access. [Read more…]

Presentation on Mobile Device Tracking at the FTC

I presented a quick overview of mobile tracking technology at the FTC Spring Privacy Series on Mobile Device Tracking. My presentation covered the different types of signals your phone emits and the technology that can use these signals to track you as you move around a retail location. You can watch the video here, but my slides are not on camera, so follow along with the slides here.

My talk preceded a panel discussion with representatives of the marketing industry (National Retail Federation, iInside, Mexia Interactive, and Create with Context) and Seth from the Electronic Frontier Foundation. They explained the various uses of this technology in retail marketing, and several of the points I made about the technology, specifically about hashing, came up throughout their discussion.

The Cost of Surveillance

Graph showing the difference in hourly cost between various location tracking techniques.

The Yale Law Journal Online (YLJO) just published an article that I co-authored with Kevin Bankston (first workshopped at the Privacy Law Scholars Conference last year) entitled “Tiny Constables and the Cost of Surveillance: Making Cents Out of United States v. Jones.” In it, we discuss the drastic reduction in the cost of tracking an individual’s location and show how technology has greatly reduced the barriers to performing surveillance. We estimate the hourly cost of location tracking techniques used in landmark Supreme Court cases Jones, Karo, and Knotts and use the opinions issued in those cases to propose an objective metric: if the cost of the surveillance using the new technique is an order of magnitude (ten times) less than the cost of the surveillance without using the new technique, then the new technique violates a reasonable expectation of privacy. For example, the graph above shows that tracking a suspect using a GPS device is 28 times cheaper than assigning officers to follow him. [Read more…]

PostTV: Webcams can record secretly

In this video I demonstrate how the built-in MacBook camera may be turned on, even when the light is off, allowing someone to spy on users without being detected.  You can read more about this story here.

PostTV: For NSA, Google cookies allow ‘laser-guided’ targeting

Intelligence agencies use cookies installed by Google, typically used to track users for commercial advertising purposes, to follow suspects online and target them with malware. You can read more about this story here.

PostTV: Reporter explains NSA collection of cellphone data

In this video I discuss the NSA’s ability to use massive numbers of cell location records to determine if anyone, including US citizens, is co-traveling with targets of surveillance. You can read more about this story here.

The Limits of Harvesting Users Online

The state of New Jersey recently announced a $1 million settlement with E-Sports Entertainment, LLC over allegations that the company installed malware on its customers’ computers. The Attorney General claimed that E-Sports’ software allowed the company to use its customers’ computers to mine for Bitcoins without the users’ knowledge, generating thousands of dollars in Bitcoin value for E-Sports (and no value for the users) after numerous reports of unusually high CPU usage by their customers. E-Sports released a statement apologizing and clarifying that this was the behavior of a rogue programmer. They also announced that they are donating the value of the bitcoins ($3,713) to the American Cancer Society plus doubling the donation from their own funds.

There were multiple components to the New Jersey case, including a privacy count regarding monitoring of users’ computers even when they were offline. However, the Bitcoin aspect of the complaint is extremely prescient, as there seems to be a burgeoning trend of government regulators looking more seriously at Bitcoin.

[Read more…]

TLS – A simple step to improve cloud email security

The Washington Post published a new piece by Barton Gellman and myself on Wednesday that revealed new insights into how the NSA conducts surveillance on US technology companies. Specifically, we described how the NSA captures data flowing between the private data centers of companies like Google and Yahoo. Google announced last month that it’s beginning to encrypt these links (possibly based on some prescient paranoia) and the WSJ reports that other firms are “racing to encrypt data.” This is a great development, in my opinion, as even if the NSA weren’t monitoring these links, it’s safe to assume that other foreign governments are.

However, as the firms begin to beef up their own internal security, it’s also important to note that links BETWEEN companies are still unencrypted. For example, when Google users send email to Yahoo users, that communication is still entirely “cleartext” and accessible in bulk to anyone listening. I had researched this question a few months ago and found that, of the four US webmail providers (Google, Hotmail, Yahoo, and AOL), only Gmail supports encrypted email transport (see the graphic above).

[Read more…]

Why Apple’s claim that it can’t intercept iMessages is largely semantics

This op-ed originally appeared in the Washington Post last Saturday in response to Apple’s claims about the security of iMessage.


A lively debate is brewing over the security of Apple’s iMessages. I was recently quoted on this issue, but Apple has since responded, and it seems important to clarify that the argument now seems to be largely a matter of semantics.

In case you missed it, a group of researchers at Quarkslab recently analyzed the iMessage protocol, including the trust model and key exchange, and found some mistakes that leave iMessages open to attacks. I had also previously demonstrated that iCloud backups, including backed-up iMessages, could easily be accessed by Apple. This news is important because previous reports suggested that iMessage encryption was a major impediment to law enforcement, and Apple specifically described iMessage data as “protected by end-to-end encryption so no one but the sender and receiver can see or read them” in response to their reported participation in the NSA’s PRISM program.

Apple stands by its claim that its software can’t be intercepted and that it is not reading iMessages. In that article, Apple spokeswoman Trudy Muller said: “iMessage is not architected to allow Apple to read messages. The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so.”

But Apple’s response that it cannot intercept messages is a bit misleading.

Apple controls the entire stack: the phone operating system (iOS), iMessage application, the SSL certificates, and key exchange. Quarkslab’s researchers demonstrated that if they could obtain (or fake) a trusted Apple SSL certificate AND man-in-the-middle the iMessage key exchange, they would be in a position to intercept or tamper with iMessage. Basically, that means iMessage could be vulnerable if an actor is able to convince the application that they are authorized to carry the data and to insert themselves between the users.
[Read more…]

A Group of Geeks Submitted Questions on NSA Activities

I recently submitted comments to the President’s Review Group on Intelligence and Communications Technologies along with 46 other leading technologists.  The mission of this Review Group is to assess whether technological advances, specifically technical data collection capabilities, have undermined the public trust.  (Spoiler alert: they have.)

Our comments focused on the need for a technical expert to advise the panel on how online systems work and what the implications are of tapping into them.  We also expressed our concern that the NSA’s efforts to subvert encryption and to plant backdoors undermine security for everyone online.  Most importantly, our comments include a number of technical questions that we feel this panel should focus on and, when possible, ask that the intelligence community provide answers.  You can read the full comments here.

The panel’s work was affected by last week’s government shutdown.  It’s not clear how this delay will impact their timeline for a final report, if at all, but I don’t expect to hear answers to our questions soon.

CIR/NPR Collaboration – Your Data and Who Has Access to It

I collaborated with NPR and the Center for Investigative Reporting to develop this script describing who is tracking you throughout your day. The video shows how your digital trail can be assembled into a pretty complete picture of who you are. Some of the script may seem pretty far-fetched, but every example was vetted by yours truly and occurs every day (in the US).

You can read the corresponding CIR story here.
NPR’s 4-part series on “All Tech Considered,” called “Your Digital Trail,” is below:

Part 1: How It Can Be Used Against You
Part 2: Privacy Company Access
Part 3: Does The Fourth Amendment Protect Us?
Part 4: Data Fuels Political And Legal Agendas

Questions on the Google AdID

I’ve received a few inquiries about the recent announcement of Google AdID. Because Google hasn’t released many details about the implementation, I am a bit reluctant to speculate too broadly. However, I thought it would be useful to present some thoughts on the potential reasons for this shift and its impact on consumer privacy.

Google’s proposed advertising ID seems to be motivated by the following factors:

  1. The increasing number of consumers blocking 3rd party cookies. Recent studies indicate that consumers are increasingly concerned about their privacy online and as many as 20% have blocked browser cookies.  I suspect this figure will rise as privacy issues continue to capture public attention.
  2. The trend of advertisers moving to non-cookie based identifiers (e.g. browser fingerprinting).
  3. To avoid missteps along the same lines as Apple/Safari.
  4. The increased pressure to offer advertisers ‘enhanced’ cross-device tracking capabilities like they already do with Google Analytics.
  5. The tension (and lack of progress) in the Do-Not-Track negotiations–specifically, the Digital Advertising Alliance’s (DAA) recent abandonment of the process. (Google is a member of the DAA.)

[Read more…]

Bits of Freedom: The Dutch Perspective

The Bits of Freedom Crew

I was recently invited to be a visiting fellow at Bits of Freedom in Amsterdam. This was a great opportunity to gain insight into the European privacy debate, not to mention escape the DC summer and visit an amazing city full of bicycles.

Bits of Freedom is a digital rights organization, not unlike the EFF in the United States. They are a mix of lawyers, activists, and tech folk who work at the intersection of technology and human rights. BoF focuses on issues such as transparency, active hacking, net neutrality, and the Transatlantic Trade and Investment Partnership. The staff employ a variety of tools to meet their goals including FOIA, government transparency reports, advocacy campaigns, and direct lobbying to, “influence legislation and self-regulation” both in the Netherlands and across the EU.

My visit focused on learning from the experts here as well as providing some of my own perspective. [Read more…]

How Protecting Your Privacy Could Make You the Bad Guy

There’s a funny catch-22 when it comes to privacy best practices. The very techniques that experts recommend to protect your privacy from government and commercial tracking could be at odds with the antiquated, vague Computer Fraud and Abuse Act (CFAA).

A number of researchers (including me) recently joined an amicus brief (filed by Stanford’s Center for Internet and Society in the “Weev” case), arguing how security and privacy researchers are put at risk by this law.

However, I’d also like to make the case here that the CFAA is bad privacy policy for consumers, too. [Read more…]

Is Electronic Surveillance Out of Control? KCRW’s To The Point

KCRW | July 10, 2013

On July 10, I was a guest on KCRW’s daily show, To The Point. Reacting to recent revelations of NSA surveillance issues and comments made by witnesses at the Privacy and Civil Liberties Oversight Board (PCLOB) meeting on Tuesday, I talked about the need for more oversight and transparency of NSA programs by technically minded individuals that can understand the underlying technology and its implications.

Listen to the show. My comments start at about 32 minutes.

Privacy and Civil Liberties Oversight Board

Washington DC | July 9, 2013

On July 9, I joined a few technical experts on a panel to field questions from the Privacy and Civil Liberties Oversight Board.

The panel footage is available from CSPAN here, with a clip of my remarks here. A draft of my written comments is posted here.

Comments for the Privacy and Civil Liberties Oversight Board

I am speaking today at the PCLOB meeting on Sections 215 and 702 of the PATRIOT Act.  My panel begins at 12:30 and you can watch it live here.

I will be commenting on the role of technology in these programs, focused on how the limits of technology suggest that claims that surveillance programs can avoid targeting Americans are probably overstated. [Read more…]

As Technology Changes, So Should Law

Improved technology enabled the NSA’s mass surveillance programs and future improvements will make collecting data on citizens easier and easier.

Recent revelations about the extent of surveillance by the U.S. National Security Agency come as no surprise to those with a technical background in the workings of digital communications. The leaked documents show how the NSA has taken advantage of the increased use of digital communications and cloud services, coupled with outdated privacy laws, to expand and streamline their surveillance programs. This is a predictable response to the shrinking cost and growing efficiency of surveillance brought about by new technology. The extent to which technology has reduced the time and cost necessary to conduct surveillance should play an important role in our national discussion of this issue.

The American public previously, maybe unknowingly, relied on technical and financial barriers to protect them from large-scale surveillance by the government. These implicit protections have quickly eroded in recent years as technology industry advances have reached intelligence agencies, and digital communications technology has spread through society. As a result, we now have to replace these “naturally occurring” boundaries and refactor the law to protect our privacy.
[Read more…]

The Stream

I was on Al Jazeera’s “The Stream” today discussing online privacy, the problems with notice, and the type of harms we experience with our data out there. This is probably one of the longer live TV appearances I’ve done but fortunately it turned out OK.

(And yes, the irony of being on a talk show about privacy when the host repeatedly encourages the audience to ‘Like’ her Facebook page is not lost on me 🙂 )

Computers Freedom and Privacy Conference

Washington DC | June 25, 2013

My panel focused on PRISM. We discussed what the program might look like based on publicly available information as well as whether the intelligence gained through the program is worth the risk to Americans’ privacy.

You can watch the day’s events here. PRISM Panel begins around 2:10:00.

Intercepting Skype?

I recently came across what looks to be a ‘pitch deck’ by a company claiming it can provide (and has patents on) the Legal Interception of Skype communications.  They claim they’re currently ‘Deployed within US government and overseas in telecom infrastructure supporting 30+ million people’.

I tried looking for the two patents they reference but came up empty although I’m told JCJ is a pseudonym for this Canadian/American company and that it’s possible that they’ve opted to hide their patents.

Anyone have thoughts on whether this is real/vaporware and which ‘8 person company’ this could be? [Read more…]

PRISM: Solving for X

Figure 1: PRISM

I thought it would be a fun exercise to describe PRISM  based on information publicly available through the press, private companies, and the DNI. Specifically, how would this system look if we took all the statements made at face value?  This might be a stretch, but it seems like a worthwhile exercise  — not unlike a multivariate equation when one or more of the variables are unknown.

While PRISM is potentially the least troubling with respect to its legality and the type/volume of information of the 4 programs we’ve learned about, it is also the most technically puzzling. There have been many theories on the architecture of PRISM and I’ve been inundated with requests to help press/advocates understand it — so here goes. [Read more…]

Privacy Law Scholars Conference

Berkeley, CA | June 6 – 7, 2013

I presented a paper I co-authored with Kevin Bankston on the cost of surveillance. Our research provides data on the decreasing cost to the government of surveilling its citizens as a result of new technology. We looked at the hourly cost of various methods of location surveillance to provide a mathematical foundation for a discussion on fourth amendment rights.

MobileScope’s Been Acquired

I am excited to announce that MobileScope has been acquired by Evidon.

I co-developed MobileScope with David Campbell and Aldo Cortesi so that individuals could see and control the data their smartphones were sharing. It was a labor of love, and this sale will make MobileScope available to a broader audience. You can follow the developments here at http://www.evidon.com/mobilescope or read more about the sale here.

I’ll still be continuing my life as an independent researcher/consultant but am super excited that there’s a developing market for privacy technologies.

Security and Human Behavior

Los Angeles, CA | June 3-4, 2013

I was a participant in Bruce Schneier’s annual Security and Human Behavior conference. I was part of a privacy  discussion with Alessandro Acquisti, Chris Palow of Facebook, Esther Dyson and Chris Soghoian from ACLU and talked about information asymmetries, the use of personal information and price discrimination.  There are live blogging notes from the conference here and here.

Congressional Internet Caucus: Enabling Do Not Track Privacy- Is It Dead or Alive?

Washington DC | May 24, 2013

A panel of experts discussed the current state of “Do Not Track” efforts.  I focused on the technical difficulty of blocking tracking and ways to ensure consumers have a choice.  You can read more about my thoughts on DNT here.

I was on a similar panel two years ago where we discussed whether Congressional action was necessary to ensure consumers opt-out of tracking.

Watch the panel here. My remarks start at 14:30.

Why We Still Need DNT

Earlier this month, the World Wide Web Consortium (W3C) met face-to-face in California to discuss Do Not Track standards, and there’s a lot of concern about whether the group will meet their self-imposed July deadline. Do Not Track has been getting attention from the media again after the recent re-introduction of the legislation, mostly focused on the controversy it provokes, whether it’s necessary given the upcoming browser modifications, or how unlikely it is to pass Congress. In fact, I will be participating in a panel hosted by the Congressional Internet Caucus titled “Enabling Do Not Track Privacy: Is It Dead or Alive?”, which will be broadcast on CSPAN today. (Watch it here.)

The conversation about tracking isn’t new. Exactly thirteen years ago the very same set of stakeholders were debating the very same set of issues: privacy, 3rd party cookies, and what tracking defaults should be. In fact, if you didn’t notice the date of the article (07/21/2000), you might confuse it for breaking news. Many of the players cited in that article are the same you’d see quoted today (here’s looking at you Microsoft, Doubleclick, Mozilla (Netscape), National Advertising Initiative, and EPIC), and we seem no closer to developing comprehensive standards for online tracking than we were 13 years ago. It can get discouraging. [Read more…]

Circumvention Tech Summit

Hong Kong | April 26-28, 2013

I participated in the third annual Circumvention Tech Summit.  This meeting of developers and activists is focused on increasing dialogue among circumvention tech developers and providing them with the knowledge and resources they need to create and develop better tools.

ACM Conference on Security and Privacy in Wireless and Mobile Networks

Budapest, Hungary | April 17-19, 2013

WiSec presents high quality research papers exploring security and privacy aspects of wireless communications, mobile networks, and their applications.

I gave a plenary talk about mobile threats to privacy. My presentation covered common threats to mobile privacy and security, focusing on what information is stored on your smartphone and what information is shared – intentionally and unintentionally – with cloud providers and third parties. I reviewed common security problems and pitfalls, as well as the privacy risks consumers assume by operating smartphones powered by a burgeoning advertising industry.

FinCapDev: Privacy, Security and Mobile App Development

I hosted a webinar with Manas Mohapatra, the Director of Mobile Policy for the Federal Trade Commission’s Mobile Technology Unit, for the FinCapDev Finalists.  We discussed security and privacy issues related to mobile app development.

Webinar is archived here.

KALW’s Your Call: What do data brokers know about you?

KALW Radio | April 8, 2013

I discussed data brokering with host Rose Aguilar on “Your Call,” a public radio program from KALW San Francisco.  The program was part of Your Call’s “Agenda for a New Economy” series and focused on  companies that gather and sell  personal information to marketing firms. We discussed some of the surprising ways data has been used  and methods you can use to control what is shared about you.  

Listen to show

The Technology of Privacy Conference

Silicon Flatirons, Center for Law, Technology, and Entrepreneurship
at the University of Colorado
Boulder, CO | January 11, 2013

I joined a discussion about the Threats and Benefits of New Technologies at the Fifth Annual Silicon Flatirons conference on privacy. Academics, policymakers, privacy advocates, and practitioners came together to discuss the changes in the state of the art of privacy and technology, and focus on what it means for policymaking and legal practice in particular. My presentation discussed the need for both technical and policy solutions to privacy problems.  (Our panel starts at 57:00)

View video archives here.

The Big Picture: Comprehensive Online Data Collection

Federal Trade Commission Workshop
Washington, DC | December 6, 2012

I participated in a workshop, organized by the Federal Trade Commission, designed to examine the practices and privacy implications of “comprehensive” data collection about consumers’ online activities.

This discussion highlighted the need for a comprehensive policy governing tracking behavior.

Video from session 2

For Your Eyes Only: Privacy, Empowerment and Technology in the Context of Social Networks

User Empowerment in Social Media Culture Conference
Brussels, Belgium | November 30, 2012

Privacy in social networks is typically associated with the difficulty of configuring the settings so that the uploaded information does not become available to unintended audiences. There is however a wide range of security and privacy issues in these systems, as well as a diversity of technologies that have been proposed to improve the protection of their users. This panel tackled the question of what it means to protect security and privacy in social networks. Panelists discussed the different types of threats, assumptions, adversarial models, security and privacy objectives, available technologies to achieve these objectives, as well as the limitations of these technologies.

I was a panelist.

Security in Social Networks

For Your Eyes Only International Conference
Brussels, Belgium | November 30, 2012

The panelists presented and discussed proposals for mitigating select privacy problems in OSNs through technology itself. They looked at ways of concealing data from service providers, as well as third party trackers, and discussed mechanisms to improve the tedious task of managing disclosures through privacy settings. The panelists proposed ways in which they assess the limitations of these technologies and discussed ways in which technical measures need to be complemented with legal and organizational measures.

I was one of the presenters.

For Your Eyes Only – Security in Social Networks (Day2, Panel 4) from spion on Vimeo.

W3C Workshop: Do Not Track and Beyond

UC Berkeley | November 26 – 27, 2012

This workshop served as a forum for the W3C membership and the public to discuss the Consortium’s next steps in the area of tracking protection and Web privacy. What have we learned from Do Not Track standardization and real-world implementations? Furthermore, undoubtedly support for privacy on the Web platform cannot end with Do Not Track: what should we look at next and beyond DNT?

I was a participant.

The End of Privacy?

Ford Foundation’s Wired for Change Conference
New York, NY | October 23, 2012

As part of Ford Foundation’s Wired for Change conference, noted consumer privacy experts and technologists Harvey Anderson, Brad Burnham, Kamala D. Harris, Jon Leibowitz and I considered how mining Big Data and safeguarding privacy can reasonably coexist, moderated by John Palfrey.

View complete video archive

Hidden in Plain Sight

How online privacy tools are changing Internet security and driving the (probably quixotic) quest for anonymity in the digital age.
By Chris Clayton, Delta Sky Magazine | October 22, 2012

[…] “Most people have a difficult time with far-off risk,” says Ashkan Soltani, a former technologist with the Federal Trade Commission’s privacy division who’s currently a privacy/security researcher and consultant. “That’s why we passed seat belt laws. The likelihood of you getting in a car accident is low, but the harm that you might experience in that accident is potentially high. It’s the same online. We’re bad at figuring out how our data could be used against us in the future, so we don’t care.” […]

Soltani is more optimistic. He sees a future where governments pass stronger digital privacy laws and geeks build easier-to-use privacy controls that work seamlessly with the slobbering puppy version of the Internet we all love. In the meantime, he’s doing his best to educate as many people as possible on the virtues of proper digital hygiene, whether that means using anonymity tools or simply being more aware of the fact that you leave a data trail wherever you go these days. […]

PDF of article

Amsterdam Privacy Conference: Behavioural Targeting and Privacy

Amsterdam Privacy Conference
Amsterdam, The Netherlands | October 7-10, 2012

This interdisciplinary panel brought together leading scholars from Europe and the United States to present and discuss recent research on various aspects of behavioural targeting and privacy. Behavioural targeting is the monitoring of people’s online behaviour over time to use the collected information to target people with advertising matching their inferred interests. Using cookies or other tracking technologies, companies compile detailed profiles based on what internet users read, what videos they watch, what they search for etc. Profiles are enriched with up to date location data of users of mobile devices, data that people submit to websites themselves and other data that are gathered on and off line. As the internet plays an ever-larger role in our lives, the profiles will become ever more detailed. The constant stream of articles in the academic literature and popular press on behavioural targeting illustrates the relevance of the subject, which is high on the agenda of regulators in Europe and the United States.

I was a discussant at this event.

Data Days: Data Conference and Pioneers

Berlin, Germany | October 1 and 2, 2012

I was a keynote speaker and panelist at an advertising technology conference in Berlin speaking generally about the problems and opportunities in “big data”.

User data is essentially the raw resource in this industry. Yet this information doesn’t simply magically appear but is typically collected from users. These raw materials can essentially be broken up into:

  1. Information knowingly shared publicly with a site or service.
  2. Information shared via a site/service but intended for another recipient (i.e., webmail).
  3. Information collected without the user even being aware.

I highlight how this third category seems to be where most of the privacy tensions stem from, how this data is actually not that useful, and how there’s a huge opportunity in trying to engage the user into providing higher quality ‘consensual’ data (which I dubbed ‘fair trade data’). Thoughts?

Keynote

The Kojo Nnamdi Show: Using Facial Recognition Software

The Kojo Nnamdi Show at WAMU
Washington, DC | August 22, 2012

I discussed facial recognition software with Laura Donohue, a law professor at Georgetown University, on The Kojo Nnamdi Show. We discussed how the technology works and the implications of its increasing quality and availability.

Defcon: Can You Track Me Now? Government and Corporate Surveillance of Mobile Geo-Location Data

Defcon 20 Hacking Conference
Las Vegas, NV | July 26 – 29, 2012

In July 2012, I took part in a panel at the 20th annual Defcon Conference. I joined tech experts Christopher Soghoian from the Open Society Institute and Catherine Crump, staff attorney with the ACLU’s Project on Speech, Privacy, and Technology, for a briefing on the current technological and legal landscape of location data tracking. The panelists explored how consumer location tracking efforts weave a story about the systemic privacy vulnerabilities of smart phones and the legal ways in which law enforcement has been able to hitch a ride. The panel was moderated by the Director of the ACLU’s Project on Speech, Privacy, and Technology, Ben Wizner.

View video archive

Facepalm

There’s been a lot of attention around the Israeli facial recognition startup Face.com. They, amongst other things, make a mobile app called “KLIK” which lets users tag their friends’ faces in real-time, as they walk down the street. Just today, they announced that they’re being acquired by Facebook for $100M.

A few weeks ago, I noticed a different kind of excitement surrounding the startup. I found an extremely basic vulnerability in which the app allows access to other users’ KLIK information, including private ‘authentication tokens’ (i.e., keys) for users’ Facebook & Twitter accounts (KLIK relies on Facebook to use the app).

Face.com essentially allowed anyone to hijack a KLIK user’s Facebook and Twitter accounts to get access to photos and social graph (which enables ‘face prints’), even if that information isn’t public.

[Read more…]