Brian or Ben, if we could start the recording.

Yeah, it's running now.

Oh, you already did. Look at you. Okay. Welcome, everybody, to session seven of Become a Cybersecurity Ninja. Today's session is "A Little Privacy, Please", and we're gonna talk about what our technology already probably knows about us and what we can do to get back a little privacy, if that's something that we care about. And this cartoon that we have up on the front I really love. This is in the New Yorker, I think like six months ago, or at least that's the first time I ever saw it, and this to me really sums up the issue, because I think that the counterargument to people wanting to encrypt their personal emails or use VPNs on their home networks is often along the lines of, well, if you're not doing anything illegal, why are you trying to get privacy for your communications with other people? And for anyone who is posed with that question by someone and wants a more intelligible response than punching them in the face, which is something that I've had to resist doing on occasion, this cartoon, just having a couple of copies of that in your pocket and just handing it to them, I think sums it up really nicely for me.

So yeah, I love this cartoon, and the other thing, when I'm asked that question in particular of why do you care about privacy: laws clearly were not written for the internet age, and there are lots of them, such as copyright, where we're infringing all over the place unintentionally, and it creates this ability for selective enforcement against individuals. And until... Laws will never really catch up to technology. We need to allow people to innovate, do creative things and rewrite those, but that surveillance culture cuts down on the innovation and creativity happening in culture overall.

Gosh, I'm so glad to have you with us today, Brian. The great perspective to bring to this, and I really appreciate that. And with that, so here's our title slide, and with us today is Brian Rowe, and I'm gonna just skip through. We are at session seven, so everything in blue there is what we've gone through already. For those of you who have been here through every session, I love you and thank you so much, and I hope that this has been great for you and continues to be really helpful. And we are coming up on the home stretch here. So in two weeks, we're gonna do the ninja toolkit, and then we're gonna do an incident response, and we're gonna have that quiz and give out some prizes. We are getting there. I'm of course Joshua Peskay with RoundTable Technology. We do all sorts of technology stuff for nonprofits and small businesses around the country, but mostly in New York and Maine. And I'm gonna let Brian... feel free to take quite a bit more time than that to introduce yourself, Brian.

No problem. My name is Brian Rowe. I also go by sart online or sartris on Twitter. I work at Northwest Justice Project helping legal services or organizations implement new technology. I also teach in the areas of privacy law, copyright, remix, fair use, that type of stuff.
So I love technology, and there are so many opportunities here to do great things. Privacy is one of those areas, though, that unless we proactively protect it, it kind of disappears in our modern state, which is why I'm so happy to be part of this presentation.

And I'm so delighted to have you here with us, Brian, and thanks so much for joining us today. So our learning objectives today: we're gonna spend a little bit of time, and hopefully kind of entertaining for folks, talking about what your technology already knows about you, and for those of you who aren't... I would say haven't done a lot of research on this topic, I'm gonna go ahead and suggest that you're gonna be surprised. Then we're gonna go into how to cut back on what you share and limit what your technology will know about you, and then of course some tools and services that can give you some privacy, our usual checklists of best practices, resources for further learning, and that's gonna be it today. And we'll try to keep the content to our usual half hour. My sense is that we'll probably run a bit long today, so for those of you making plans, you might want to plan on sticking around up to 40 to 45, just looking at the content we have, and of course I want to give Brian plenty of time to provide his input here.

So, what your technology already knows about you. Noise to Signal, I want to give huge props to them. He does a lot of great, great cartoons, Rob Cottingham. I was introduced to him through Beth Kanter. He did a lot of cartoons for her Happy Healthy Nonprofit book. Anyway, I love this cartoon, and we're gonna go ahead and launch a poll. So Ben, if you could go ahead and launch that one for everybody. And I just want to know what you think: do you think that Facebook knows your sexual preferences?
And I'm gonna go ahead and give a yes, a no, I don't care, or this question makes me uncomfortable, which is a perfectly reasonable response. And if you for whatever reason don't feel like answering this question at all for reasons of privacy, then by all means just leave it blank. And we'll leave that open for just a couple of seconds and see what people think, and go ahead and close that up, and let's share the results. Overwhelmingly, people seem to think yeah, so that's an interesting thing. Well, we'll go and explore that a little bit and see what we come up with. So go ahead and close that up then, and let's explore.

So we're gonna take a little time looking at this tool called Apply Magic Sauce, produced by University of Cambridge labs. And this is something that is free, and anybody can go ahead and do this. Brian and I, for those of you who are listening, were talking about the different ways it can examine. If you can give it access to your Facebook profile and it will look at really just what you have liked, the things you have liked, and use that to try to predict some things about you. You can also give it your Twitter inputs, and you can also give it writing samples. You can just take an email you've written, a couple of paragraphs of a paper you've written, and you can plug all of those things in, or different things in, and see what it will tell you. And here's what it will tell you. This is my magic sauce. And I should point out that I am going to share everything that it predicts about me, and before everybody worries that I'm giving away all my own privacy too much, I want to say that I've liked, in the entire history of my time on Facebook, three things. I am not a Facebook user. Pretty would dose me. I'm not on social media generally. That's probably a big handicap when it comes to promoting webinars like this one. I'm just not an active online personality, and I don't engage with social media platforms really hardly at all.
So this is based on, I think I joined Facebook like seven years ago, a grand total of three likes. I don't even remember what they were. But there are three things in, and all of those were probably in the first month I was a Facebook person. All right. So I think some... I've been in the conservative and traditional side more than liberal or artistic, a little bit impulsive, a little bit... You know, nothing too serious here. It does predict how neurotic I am. Anyone, then, we can go ahead and test if that one's completely wrong, right? I'm anything but laid back and relaxed, right?

Yeah, yeah, yeah, exactly.

Thank you.

I'm on the opposite end of the social media spectrum. I post two to three things every day on Facebook. I'm on Twitter all the time. It had hundreds if not thousands of likes to look at here, and I also used their text analysis tool, looking at my text writing on different websites, at different social media. It was interesting that they tried to predict my age. On Facebook I come out to be 29. On other sites I'll go down as low as 20 and as high as 50, depending how much I talk about law. The liberal part of this was definitely accurate. Some of the others were a little bit rough, but it was interesting looking through this that over 70% of the predictions were clearly right on, or at least how I see myself.

Wow, okay, so the more data, the more accuracy, which would certainly make sense. And so this is back to me now. Is there anything else you want to say on that, Brian, before I reveal more of myself here?

I write mine kind of scarily in the background, and it's weird. It's creepy. It comes within one year of my actual age and pretty much hits it dead on the head.

So, well, that's only gonna make it hurt that much worse for me as we explore the rest of the things it tells me about me.

And it's only with Twitter, because I don't have a Facebook page.
So yes, that was very scary for me.

All right, so you know how like 70% of people think they're above-average drivers, think they're above average intelligence? Well, this tool will tell me that I am, you know, exactly average. I am more intelligent than only 49% of the population. So I am just slightly on the less intelligent side than the average person, and I am a little bit even more less satisfied with my life currently. So I am less satisfied with life. I like the way that it sort of puts these in a positive spin rather than saying you are less intelligent than 51% of the population. Yeah, nonetheless, hurts a bit. So that's a little painful, I got to be honest. And it guesses that I am single, which my wife of 17 years is probably not delighted... But it was wrong on that one, certainly, but it suggests that I'm single. And then we'll go to political orientation. It thinks that I, for... Weirdly, it lists the conservative as the label there but thinks I have liberal political views. It had not much to go on. Does think I'm Christian. I'm Jewish, in case anybody's wondering. But I am not Catholic, Mormon or Lutheran, which it thought I probably wasn't, and so I guess it was right on that. And then we finally get to sexual preference. So to answer the question: yes, Facebook does certainly have a guess as to whether you have a sexual preference. This is all, by the way, data that Facebook is guessing about you, and there's tens of thousands of different categories of things that they will put you in to try to tell marketers things about you. And sexual, there's, I forget how many, but there's dozens of things around your sexual preference, your sexual likes, you know, the kinds of things that you're attracted to, and so on and so forth. So anyway, I have apparently an average likelihood of being gay. So it is guessing my sexual preference.
And so we have our answer there, and all this information is part of this idea of metadata. And very quickly, metadata, just as a basic definition, is data about data, right? So you have a data point: you know, Ben is 29 years old, right? But then data about that data, all right, is, well, where did we get this number that Ben is 29 years old? It came from, you know, his Android phone, which is 18 months old, which is running on this level of firmware and typically is located around Portland, Maine, and, you know, on and on and on. That is the data about the data that we have. And the more that we, you know, ever since smartphones really became so popular, and people are hearing about this more and more, you know, we all put surveillance devices in our pockets. And I mean, if you look at it from the perspective of, let's say, you know, the NSA or the CIA, or really more to the point marketers, Facebook, Google, etc., who would like to have as much information about us as possible, the fact that we as consumers not only will take a surveillance device and put it willingly in our pockets and carry it around with us and feed it information all day long, not only will we do that, but we will pay various companies, you know, our mobile providers, the place you buy the phone from, all the apps that we pay for, all the services that we use. We will pay for the right to provide all that surveillance data. When you kind of flip it on its head like that, it's kind of shocking how willingly we all do that, and it tells us all the things that you're seeing here in the slide, and more. Brian, I'm gonna pause for a minute.

So to go back just a little bit on how much the services that we know, or that we use, know about us and the type of information that they have: Netflix ran into a bunch of trouble a few years back. They had a contest that tried to improve their suggestion algorithm, and they thought they had anonymized a bunch of data and made it available to the public so they could try to come up with a way to do better suggestions. Some smart people ended up looking at that anonymized data with a few data points and then combining it with publicly available IMDb reviews to pinpoint exact users and find out their sexual preference and their interest in certain films that they were not reviewing, that were of a much more personal nature than the ones that they were publicly reviewing. The amount of data that we give to pretty much anybody that we work with online or that we subscribe to is giant, and they have the ability to even take small amounts of that and find out so much more about us beyond what we give them by correlating other data points.

Yeah, and on that note, actually, there was something in the cybersecurity world that just came out, I think last week, Brian, where a researcher was able to detect with 99% accuracy what Netflix show or movie someone was watching just from watching the TCP stream. So without having to look at the computer, without having to hack anything, just looking at the TCP traffic flowing to the computer, they could predict with 99% accuracy what show or movie they were watching on Netflix. So, interesting stuff that is out there.

All right, so let's take a little bit of a deeper look at metadata, so people understand what it is. So you make a phone call to your mom, and this, I think, was done in Australia, these images, and Brian, we can talk about my violations of copyright. Grab these big off Google.
I've had searches that throw over in my webinars, but... But so, who received the communication. So you call your mom, and immediately we've got the two phone numbers involved, probably an email address that's connected to a phone account, right, because if I have the phone number, that's probably tied to an email account that is listed with that phone number, the IP address the network is coming off of, or of the phone. I have the unique identifying number, of course, of the mom's phone. I have the date, time and duration of the communication. So at this time these two people talked for X amount of time, and now they're linked. So the metadata that puts these two people together is: two people that have talked to each other at this time of day from these two different devices from these networks. That all becomes part of a data set about these two people that I can put together. When you get into surveillance around terrorism or criminal activities or things like that, this idea of your network, who you're connected to, becomes really, really important, because that's a lot of how it gets determined who gets looked at and who gets surveillance on it. Now, the communication type: so was it an SMS? Was it a phone call? Was it an email? Was it a voice over IP call? Was it done over your carrier network? What service we're using, of all these different services? We know all of these things. We know where the communication was sent.
We know the cell tower behind, you know, if it was off a Wi-Fi hotspot, what that was, if it was off a base station somewhere, where that was. All that information is collected every time you make a phone call. All of this stuff is getting tracked. And so that leads us to this next cartoon: you know what level of privacy you have. So that, I think, sets up, you know, what you're giving away. Before we kind of get into the next step here, let's hold up that poll for a second. But Brian, is there anything else that you want to throw in before we start going into the how to get some of this privacy back?

You know, I don't want to harp on it ad infinitum, but I think a lot of those different pieces of information that we're giving away can just be collected in our use of a public Wi-Fi space, of a Wi-Fi connection at work. I mean, you often don't even need an application or a particular consent agreement to give away that information that is easily identifiable to you.

Yep. It's all out there, all being collected all the time. Another poll, and this, by the way, I just want to give credit. I'm now forgetting the name of the person. Let me look through my attendees, see if I recognize the name. I will call a person out by name. Hang on. Who was it? Ah, I forget the name of the person. There was someone this week who emailed me this quiz from Pew Research, and I would highly recommend it to everybody. I will dig out the link and throw it in the chat before I get to end this. But it's a 10-question cybersecurity quiz put together by Pew Research, and I took this question straight from it, and it's a pretty not super easy quiz. So I highly recommend it to folks, and if you're able to get through it and ace it, then kudos, because it is not... it's not a super easy quiz.
This is one of the questions I thought was not a super gimme. Private browsing is a feature in many internet browsers to let users access webpages without any information to... like incognito mode in Chrome, for example. So the question is: can internet service providers see the online activities if you're using private browsing? So then let's go ahead and pop that question up, and interested to know what people think. Can your ISP still see your online activities when you use private browsing mode? Can they still see? And this of course has been much in the news lately, right, of what your... Subscribers and this audience, our cybersecurity ninjas, are very on top of this. So then we can go ahead and show this. Not a single person believes that they cannot, and that is correct. Your ISP of course can still see all of your, you know, searches, all of the websites that you visit. Depending on what you're encrypting or not encrypting, they can even see the information that you're entering into your browser and things like that. So that's, uh, it's what it is.

So before we go into the things you can do to gain back a little privacy, this section is going to become a kind of frequent thing. So, things experienced ninjas have learned already from previous sessions of cybersecurity ninjas.
So first of all, keep your software up to date on your phone, on your computer. Make sure everything's patched and current. That's just going to be very solid advice for the foreseeable future. Using a password manager so that you have strong, unique passwords for all of the services that you use. Obviously using two-factor authentication everywhere that you can. Encrypting your devices, so if your device goes into other hands, all the information on your device is safe and encrypted and no one will be able to get it. Encrypting sensitive communications, using a messaging app like Signal and using something like CryptUp, and just generally encrypting those sensitive communications. And using a virtual private network, or VPN, and one could say, you know, certainly when you're on a public Wi-Fi or on an unfamiliar network that you're concerned might not be secure, and increasingly, given the new law that was just passed, or the restriction that was removed, that now allows our internet service providers to sell all of the information about our internet histories from our homes, you might want to just use a VPN all the time. Although that doesn't 100% solve the problem, it's still at least something. So those are all things that our experienced ninjas hopefully already know.

The next thing we'll suggest is to limit the kind of, the amount of metadata that you share by default when you do things, and the picture that you're looking at here is all of the metadata, it's called EXIF, and it is the default information that is stored with any photograph that you take from a typical smartphone or digital camera. And with a smartphone, you won't have the little GPS information that's there. This does. A smartphone will by default tell where the photo was taken, when it was taken. It will say, you know, what camera make and model it was. It'll give you all this other information about the photo. So if you simply, you're out at the cafe and you have a beautiful meal in front of you and say, hey, I'll take a picture of this and post it up to Twitter, you've just given away all of that information about what phone you use, about where you were, what time you were there, and that is now part of the permanent interactive piece of metadata you have willingly put online so that you could share your meal. Which, by the way, if that's just something you're fine with, that's fine. I'm not in any way suggesting that that's not something that's okay to do. I just want folks to be aware that you're doing that.

Yeah, and I think that's the really important part here, being aware of what you're sharing and then controlling or selectively sharing the things that you want to. This type of education over what information can be data-mined from the things you're doing is something that we have to do with clients whenever we deal with stalking and domestic violence issues, because people just aren't aware that that single photo has so much other rich, deep information, including their location, that a stalker can use against you or your family. So being aware of it and then limiting it is really the best strategy there. The other thing that I really liked about the last slide and some of the other things that have been covered: you really have a series of seven different levels where information is getting shared, and being aware of each of those different levels unfortunately is needed in order to limit your sharing. Devices at this point don't have a single button that says "stop sharing location" that turns off all of those levels. They often have a button that turns off one of those levels, and the other six are still on.

And digging through that stuff to find that, I'll have some specifics for the iPhone users out there. And then if I had better content that was easy, but it's different on all the different Android versions and phones, so I... there was, but so it's hard to provide a single thing for that. And yeah, just as a quick heads up, one of the poll questions that I had in my draft, which I got rid of, was: does Twitter know where your children go to school and what time they get out of school? And that was the one that, you know, for someone who often goes to the playground to pick up their kids, takes photos and posts them, the answer to that is of course then yes, because that information, you're just putting it all online.

Privacy Paradox: it was a project that was run by a podcast, a WNYC podcast called Note to Self, which, for people who want to learn more about this on an ongoing basis, they really do a terrific job of discussing and talking about privacy issues on that podcast on an ongoing basis. And one of the really interesting things that this shows is around location services: how many different apps were looking for access to your location?
And just by toggling it off and not giving those apps access to your location, now your photos don't have your location information on them, and other things as well. And obviously this limits some functionality. If you don't give Google Maps access to your location, then it's going to be a lot less functional for you. And on the iPhone anyway, there's the ability to give something access only when you're using the app, and that's always going to be recommended. There's to never give it access, and I recommend that for any app that doesn't have any reason to need your location, like, you know, Twitter. I don't know why it needs to know where you are other than to give more information to Twitter. And there really is no app that I can think of that needs it all the time. So we're on the ups and ends here. Okay, go ahead.

I'm a power user, and I use geolocation in services where I actively broadcast where I am and then meet up with people, especially when traveling, that I haven't seen for years, because they get pings back and forth. So for example, Facebook knows where I am, tells people when I'm around. I'm going to be in Boston this week. I haven't been there for about two years.
I am sure that I'll run into two or three people because of that. But I'm proactively opting in and aware that I am doing it. There are use cases for these types of technologies, but being aware is the most important part here.

And thank you so much for saying that, Brian, and yeah, I want to repeat what Brian said there, because I think he's doing a much better job than me of kind of giving the general idea, which is not that, you know, you shouldn't share anything online, and I feel that I'm unfortunately coming off that way. I am, you know, clearly a bit more privacy focused, I think, than Brian is, and that's my choice, right? Brian gets a lot of value out of different types of online engagement, and that requires more, but again, he's doing it consciously, knows what he's sharing and is making that choice, and I 100% respect that and would never tell anyone not to do that. I just want people to be aware of it, and I apologize if I'm coming off as sort of, hey, you should lock all this stuff down. That is not at all the intent. So, Brian.
Thank you for dialing that back.

No problem.

And here's just another GIF on how to, you know, take back some of the location services and restrict the different apps to do that, and location history and all of these different things. So the location history is one of the things that I actually found probably the scariest of all the stuff, or frequent locations rather, which is all the places that you go frequently. That is tracked on your phone, which basically provides a history of everywhere that you've been and provides that to lots of different applications that have access to that. That was something that I didn't know that my phone was tracking for me. One other quick thing I just want to mention for those of you who are attending this who are frequenters of protests: if you're, you know, part of, uh, you know, resistance at the moment, if you're doing a lot of protest work, this is, and Brian, you could probably speak to this as well on the police side, but it's pretty clear that the police and law enforcement are pretty comfortable in their legal protection of taking your hand and pressing your thumb down on your phone to unlock it so that they can take a look at the contents of your phone. But they are not comfortable, uh, coercing you into giving them your four-digit or six-digit pass key to unlock the phone, and they're also on much shakier legal ground if they try to coerce you to do that. And for that reason, if you are in a position where you think you may encounter law enforcement and want to have privacy from remote device, I recommend turning off Touch ID. That's just kind of a little safety tip to, again, protect your privacy if you happen to encounter law enforcement.
Just a quick tip there.

This is a really interesting one, and it's one of those that's currently being litigated, but your protection of your password, it's much tougher for them to take that, and you are at least going to get an opportunity to have a day in court and get some representation from people like the Electronic Frontier Foundation that care a lot about issues like this, in order to try to protect that passcode under some type of either self-incrimination or free speech type doctrine, where the biological information is very, very, very, very difficult, and they've often got the information from you before you can even contest it. So, but this is a cutting area where there are a lot of people trying to do cases and litigation on it. It is not settled at all.

Yep. Would you agree with that advice for the time being, Brian?

Yeah. Yeah. Yes, definitely. I think having the passcode is definitely more recognized as legally protectable. Another one of those examples where law school makes you get precise answers that don't actually help people. Put the passcode in, that's helped. Having passcode better than not having passcode, for sure.

All right, and the thing here that is interesting is that, yeah, we give, you know, so much information freely to app developers, you know, at a Pokémon Go or Niantic, and, you know, to Twitter and Facebook and Google and all of the different mobile apps that we have. And so many of these apps, when you install them and you just kind of click, it flashes by that screen of like all the permissions it's going to ask for, and you of course allow because you just want to get to playing the game and using the app or doing whatever, and don't realize that you just gave it access to your entire location history, your photos, your contact list. So pay attention to what you're giving permission to with those apps.

It is going to be things that you did not consider in any way, shape or form. Like there's like a little throw-a-piece-of-paper-into-a-waste-basket app, where you're just playing basketball with a waste basket, and it gets access to your contacts and to your pictures. There is no nexus between what you think the app does and the information it's collecting. I think that there needs to be some type of regulation or other things that look at that, but currently it's the wild west, and lots of apps collect a lot more information than they need to for their legitimate business purpose.

Oh, yeah. And sorry, just to weigh in a little bit here, and that's not to say that every app that asks for those permissions actually collects and, you know, uses that data, which actually makes it worse, because... So those permissions are based on the actual underlying code and what it actually needs to complete that, you know, throw-a-paper-into-a-basket animation and scoring and all that. Sometimes they use code from different parts of the operating system and don't actually need contact data or anything, but they need a specific command that is a part of that section of the operating system. The reason it could be more harmful is because if someone discovers that they don't actually need that, or a way to hack that app, that data could be collected without both the user knowing or the developer knowing in certain cases. So that actually opens it up. So it's another reason to be extra vigilant about the permissions that you give these apps, and on your mobile devices especially.

So, 100% agree, very, very good point there. The more places your information, in a nutshell, and Ben, that was an awesome point, but the more places your information winds up, the more opportunities there are for that information to get into the wrong hands. And be freed in those apps are doing it.
And yeah, the paper app, you know, I can think of one really legitimate reason why it wanted contacts. It's probably got a share button in it, and when you share it, it wants to like, you know, send a promo code to a friend, and you know, if you sign up five friends you get all these extra points in it. Well, it wants to pull those emails from your contact list. So for that function it wants access to your contacts. That's what I asked for it. Do you want to give it that? That's a different question.

All right, last poll question here. We're in the home stretch here, for those of you... Sorry we're running long. I did warn you up front. True or false: turning off the GPS function of your smartphone prevents any tracking of your phone's location. This is also from that Pew cybersecurity thing, and again, I will get that link up. So go ahead and answer that. And our audience is hip to our questions. Oh, no, we got a couple of people who missed this one. So let's go ahead and show the results for that one, Ben. So 92% thought that is false, turning off the GPS prevents any tracking of your phone. It is false, and basically your phone can be tracked very... which are very, I believe, within six meters, something like that, from cell phone towers. So unless you put your phone in airplane mode or turn it off or put it in a Faraday bag, which we'll talk about in a minute, then your phone is connecting with local towers, and those towers can tell where your phone is whether or not your GPS function's enabled. So it still knows.

All right, your DIY Faraday bag. This is put in here.
I would say 30% in jest, 70% unironically. I'm not... I don't know how those percentages work out. But, uh, basically it's a thing you can put your phone in, and if you really are somewhere and you just want to make sure that you're not being tracked, but you have your phone with you, it's something you can flip your phone in, and as far as we know, your phone's not going to be giving away any information to anyone, uh, about what it's doing or where it is or anything like that if it's in the bag. And, uh, I'm encouraging some of my crafty relatives to make me a really stylish Faraday bag that I can carry around with me, and I'm going to sell them on Etsy if that comes to it.
All right, so privacy tools and services. We didn't get into how to use for all of these. Some of these I have come into. I'm just going to run through them very quick. Tor: everybody on this webinar series should know about that by this point, the private web browser that gives you a very, very good degree of privacy. Nothing is 100% perfect, but Tor is pretty great. Signal, which is an encrypted messaging app that gives you privacy for your instant messaging as long as you're communicating with someone else who's also on Signal. Panopticlick, which is...
Let's talk about Signal for just a second. And also just running into apps. There are a lot of apps out there that claim to do private communications or to delete things after you send it, that type of stuff. Snapchat got themselves in a bunch of trouble because their definition of delete was not actually to delete things. It was to stop letting you look at it, and it was still around on your phone. They've since fixed that. Whenever you are choosing one of these apps, Go out.
These are all well vetted, but there's a lot out there in the app store that aren't. You've got to do the research and make sure that what it says that it does has actually been vetted by security professionals, because there's a lot of lazy coding going on in this space. And Signal is a great one. Also, with this type of sharing stuff, I think that there's a second person to think about in any of these instances. I overshare, share huge amounts. But I also deal with client data, and I have some friends that do not share. So I have a different set of standards when interacting with them, the channels that I use for those particular individuals. So you need to consider the privacy choices of the people that you're working with. I have a separate email address that doesn't go to Google that has the ability to do PGP encryption, for people that that really matters to. I've got like three people who email me on that address, but the option is there. And that is essential when dealing with client data or someone else's private data, even if you love to share everything, as I do.
Thank you, Brian. Uh, and I will continue to run through this, and I... yeah. And I have done my best to vet all the things, the links and the things that I provide. Next week, where we go over tools and services, I will... or two weeks, I'm sorry. I will also work to only present resources that we have vetted and that we feel a high degree of confidence in, and, you know, I will constantly be evaluating and looking at these lists and making decisions about what goes on and comes off based on what I'm reading. And it's tough. I mean, I've learned a lot even over the course of this series about new services, or ones that I thought were good that I now think aren't good, especially in the VPN space, by the way, where I've learned a lot over the last couple of months.
A quick note on the fourth one.
I believe that's, uh, HTTPS Everywhere, not Anywhere. It's by Electronic Frontier Foundation. Yeah, so it is an amazing browser plug-in. It's great. Very, very useful.
Yep, I could fix that right now. That's a great catch. Thank you. And it looks like I've got the wrong link to it anyway. So clearly we have some cleanup to do before we, uh, share the deck tomorrow. All right, uh, thank you for that. So Panopticlick is a tool that lets you check on the privacy level of your browser. You can see sort of what your browser is sharing about you, and we can make some suggestions about things you can fix. HTTPS Everywhere forces everything into a secure connection, or encrypted connection, in your browser. That, along with using a VPN on your home network, if you're concerned about the privacy in terms of what you're sharing with your internet service providers, those two things together, using a VPN at home and using HTTPS Everywhere, will help with that. It does break a lot of websites, and that's something that you should... I wouldn't just say a lot, but it does definitely impede the functionality of a fair amount of sites. Privacy Badger. Uh, these are, by the way, Panopticlick, HTTPS Everywhere, Privacy Badger, all from, uh, Electronic Frontier Foundation, which Brian mentioned before. Not crypt up is an encrypted messaging plug-in for Gmail that uses PGP to send encrypted messages to folks. Very, very easy to use. I demonstrated that a couple of sessions ago. DNSCrypt encrypts your DNS queries. That's a product there that OpenDNS distributes. DuckDuckGo is a secure, more anonymous search engine that you can use in place of Google if you want to have a little bit more privacy around your searching. And then of course the Note to Self Privacy Paradox, and then the link to the DIY Faraday bag things.
So, key success factors. Understand what you're sharing.
Uh, Brian has, uh, articulated this so eloquently throughout the session today, but share thoughtfully. Don't stop sharing. That's not the message of this webinar, not to disconnect from all these devices. It's not to stop sharing anything. It's just to share thoughtfully. Think about limiting what metadata you share, and at least being aware of what metadata you're sharing. Use two-factor authentication, encrypt as much as possible, browse with Tor if you want any privacy, use a virtual private network, get active. Certainly legislation changes can make it harder or easier for us to have privacy on our digital communications, and being active around things like net neutrality, and the ability of ISPs to sell our information, and the regulations around what apps need to tell you about what information they're collecting, all of that, you know, certainly makes a big, big difference. So that's another thing you do. And then stay informed, and I can't really emphasize that enough. The stuff changes so fast, and it's so complex, a lot of this, that being informed will really help you on that. Anything you want to add to any of that, Brian?
I guess one thing that I really recommend is that it is impossible for anybody to be an expert on this, but there are people out there who are going to know an amount of information that's well above you for any one of these areas. If you've got any questions, take them to your IT staff, take them to your friends who are interested in information technology. Those of us who understand coding and understand how this foundation works,
we love to talk about this stuff and we're happy to help.
And I would add to that, you know, just like you would vet your resources for things, think about the perspective of the person you're talking to. You know, I'd like to think that I'm a pretty reasonable, you know, not fear-mongering person, but just over the course of the session today I've realized, you know, that I, when I talk about this, can not perhaps be as, kind of, I don't know, an even-handed perspective on issues of privacy and digital security. So whereas Brian, I think, has much more open views about sharing and things like that. To be thoughtful of, you know, before you get all frightened by somebody who says, oh, you got to lock all this stuff down, you know, realize everybody's got a perspective, and it's important to know where the person's coming from. I hope that's helpful.
All right, and with that, I think we have some resources for further reading. I have the link to Apply Magic Sauce, the Privacy Paradox tip sheet, which is from Note to Self. I really like that resource, by the way, on the privacy level, then a few other things that are in there. Next session, Ninja Toolkit, May 2nd, 2 p.m. And that whole session is going to be all the different tools and services and different things that can help you improve your cybersecurity. Uh, and so that's going to be that session. I believe we're going to have a return guest for that one, which will be Keith Burner from, uh, Freedom House, and I will very much look forward to him. He's compiled an incredibly comprehensive list of cybersecurity resources. And with that, we are open to questions if anyone has them. I don't see any in the links, but if anyone has it, now is your time to type them in. I want to give a huge thanks to Brian Roe for joining us today. Uh, thanks as always, of course, to Ben Gardener as well. And thank you all for attending today. It's been terrific. Brian, I really thank you so much, your...
Thank you so much for having me.
I greatly appreciate the topic. It's just so important overall. And I look forward to seeing the rest of the pieces in this series and sharing the videos from it.
Great. We do have a question, which is: can you scrub any data that is already out there? Metadata scrubbing. So Brian, do you want to take a crack at that one?
So, if you have physical control of the device and it hasn't been shared, there are options to do that. Once a third party gets a hold of it, it is virtually impossible, and you have almost no right in the US to do that. When you delete your Facebook account, it doesn't mean it gets deleted. It means you no longer get access to it, and it's probably sitting on a backup server somewhere. There are some areas in the European Union where you have the right to view the information that a company has about you, and you may even have the right to at least have it corrected, if not deleted, but those are not things that we have in the US, and once shared, it's out there and it stays out there forever.
Thank you so much. And yeah, that is 100% true. If you have control over it, then yes, you can delete it or clean it before... It's pretty hard to clean it if it's already got the metadata in it. You just have to not share it, essentially. But, uh, if it's already out there, it's already out there.
Right. For litigation or other things, there are some tools where if you've got a photo and you want to scrub some of the metadata before sharing it with the other party,
there are options to do that.
Oh, yeah, definitely talk to your tech staff about that. And there are tools you can do that. Actually, there are apps you can put there. The EXIF... I was doing some research on it. There's like an EXIF remover thing that just pulls off the EXIF information from photos before you share them, and then you share them up from that.
All right, next question: is there a recommended virtual private networking service? I use Avast at home and they offer a VPN. And Brian, I do have some thoughts on this, because I did some additional research for this session, also for the ones weeks ago, but I'll let you take the first crack at it if you have a thought on it.
Um, this is one that I do not have a good answer to. I'm curious to hear what you say about it. We've set up our own virtual private network through Northwest Justice Project using Cisco tools, but, um, I don't know. I'm curious what you suggest here.
Yeah, I mean, I will have to say this article from Brian Krebs and Krebs on Security was, uh, I would recommend reading. It is in the links, so everybody will get the slide deck tomorrow, but Krebs on Security, should do VPN, that link is there. And he, um, has a link to a massive spreadsheet of VPN... I'm gonna go ahead and find it. There it is: side-by-side comparison of many popular VPN services. So this is a simple VPN comparison chart. So it gives you, on all of these different categories, uh, how this particular VPN service ranks. So you can look at business ethics, pricing, uh, technical availability, technical security, and kind of think about what you care about the most, and sort of pick from here. And if you browse through this massive list, which has, I forget how many entries in it, over a hundred, then you can kind of see which ones rise to the top, and there definitely were a few. You can see, like, Bull H vpn is one that, you know, where you see a lot of green essentially across, but you'd want to decide to
determine which are the most critical categories for you and then choose them. And I would say, ultimately, if your organization provides a VPN, as Brian was talking about, so if you have a network that you control and a VPN service through your firewall provider or something like that, that's probably going to be your best option and your most secure and your most private option, notwithstanding that, you know, your employer or whoever manages that network will still know what you're browsing on that VPN, but no one else will.
All right. What is the difference between Tor and VPN? Oh, good question. Brian, you want to take a crack at that, or you want me to take...
Yeah, um, so VPN, you're basically setting up a connection between two computers or two groups or two networks, where Tor is taking the traffic and routing it through a bunch of different nodes, making it virtually impossible to track how it goes through that process. So there's really kind of different use cases for both of them, and they are compatible. You can use Tor and a VPN. They're not mutually exclusive technologies.
Yeah, and I've been messing around with different, using that. I mean, this will get... for those of you that are not sort of uber nerds, I apologize, but I've been messing around with the Panopticlick tool and other tools, um, the browser fingerprints, just to see what level of anonymity I can produce within my own environment. And so the best thing I've been able to do so far is, running on my MacBook, in something called VirtualBox, I run a virtual Windows 10 computer, run a VPN out of that, and then boot up Tor on that VPN, and that seems to, you know, limit most of the information that they have. It makes the browser fingerprint very, very limited in terms of information to share. But that's obviously a lot more work than anyone's going to want to do just to get some kind of basic privacy, but that, uh... Anyway, these are great questions, by the way.
All right, another question coming in. And Brian, if you have to go, I totally understand.
I can hang out for a few more, no problem.
Okay, sure. "I assume Office 365 collects metadata too. Should we limit sharing clients' information in there?" Uh, this is a good question in terms of client information and things like that. Again, the metadata, you know, is mostly a risk if you're talking about, um, people with, you know, government access, because in order to really get access to a lot of the metadata, right, you'd have to have access to the tools that are giving you that information. So within Office 365, unless you're sharing it publicly, right, the metadata is not available to anyone other than, you know, government enforcement who would subpoena that information. Right, as opposed to if I put a photograph on Twitter, then the entire world has access to all the metadata of that post. They know what time I make that post. They know what type of phone I posted it from. They know the geographic location I posted it from, all that. Brian, go ahead. You're gonna...
No, and this is one of those very, um, practical areas where it depends on who you are really worried about having access to the information directly. I know lots of law firms that use either Google or Office 365 to keep client data, with secure connections to those particular services. But if you're dealing with the government as an adversary party, then I definitely don't recommend using those, and coming up with a way that you have access to the physical servers, and then you are aware when a security letter or something is asked for, because you're not necessarily going to be notified if it's a third party. So... But it is definitely a best practice in law that there are lots of people who use cloud services, and there are some ways to take cloud services and encrypt stuff that is stored with them, but you're going to lose a huge amount of the functionality around search. One of our more popular videos was on using Boxcryptor with Dropbox, so that we could leave stuff encrypted for clients via a Dropbox, somewhere where I normally wouldn't put client data, but I was fine as long as it was encrypted on the way over there and while sitting there.
But then of course it doesn't show up in searches on your Box drive, right? Right, for that document, it doesn't show up in the search, because it's encrypted, so search can't index it.
Exactly, you're going to lose a bunch of functionality that way.
And yeah, so I hope that is a helpful answer for the folks who asked that question, and if not, you of course know to follow up. And, uh, someone has pointed out, of course, that the NSA now knows how I'm trying to anonymize my browser. Yeah. Like I got it back to do a lot more about me. Yeah, yeah, going back to the original, very first slide, right. I have nothing to hide. I'm not doing anything illegal.
Josh?
Yeah, yeah, go ahead.
So the other thing also to consider about that question is, we're also considering the difference between the content of a document or an email message and the metadata. As far as the metadata is concerned, Microsoft absolutely collects your metadata on emails and things like that, because it allows them to, you know, they data mine that stuff, and they can use it, and, you know, commercial means or what have you, and certainly Google does that as well. That's what most of their business is based on. Um, as far as the content of the message itself, or the content of a document, like Brian said, you're limited by the security that you place on that device, or that, um, that document or that email itself. As far as a company like Microsoft being able to read your email,
it's less likely, but it's certainly possible. And if you're trying to protect it from a government entity, like a subpoena or something like that, they're almost certainly going to turn it over, especially if they're in the United States, as we talked about a few weeks ago with blind subpoenas and, you know, gag orders and things like that. But as far as the metadata of the emails, it's certainly gathered, but the content itself is protected much better than the metadata, because the metadata is what really is mined and used to track, and, you know, it goes into that big NSA database, but the content itself, at least in the United States, it's generally not collected, because it's illegal to, or as far as we are...
All right, so just that little piece of clarification there. And I also would say that metadata, I don't know if it's like we say collected, as though... like, metadata is just created, like, all the time. Everything you do digitally generates metadata, essentially, and so how much is collected depends on the organization, but at you for producing metadata all the time. Anyway, uh, all right. I think that that is it for our questions. I actually do have to get going because I have a three o'clock. I can't thank everybody enough. Great questions. Brian, thank you so much.
No problem. Happy to do it, and I look forward to the rest of the series. Take care.
All right. Thank you so much. Bye-bye, everybody.