ThinkTech Hawaii: civic engagement lives here. Welcome back to the Cyber Underground. I'm Dave the Cyber Guy, Dave Stevens, and I'm an instructor over at Kapiolani Community College, and I have brought one of my colleagues here today to talk about GDPR. GDPR. GDPR. You're the resident expert, so I'm going to be asking you questions. Oh, that's not fair. Ladies and gentlemen, Tom Moore. Hi, faculty, Kapiolani Community College, which is part of the University of Hawaii system. I just want to keep emphasizing that: the system. This is our University of Hawaii system, and Kapiolani Community College. We're pioneering some of these efforts, and we're the campus with a view. Are we the only campus with... No, no, Windward has a campus view, but we have the best. Yeah, that's Waikiki. Well, you could see Waikiki from my campus. That's our only claim to fame. No, no, no, it's just one of the many, one of the many. Well, okay. Let's talk about GDPR. First of all, what is it? It's a thing from Europe that causes a lot of email, and we've been getting a lot of email. Everybody, not just the two of us; some of them, all of them, most of them have been getting them, and they've been going, what the hell is this and why did it come all at once, right? It came all at once because it just kicked in on the 25th of May, and so we've been getting emails up until the 25th. Yeah, it's coming. It's coming. Yeah, it's coming. Yeah. Yeah, well, the companies that have been sending us those emails were getting those warnings that, oh, by the way, if you don't send out these emails you're gonna get major fines, and so that's why all of a sudden they started sending us all of those messages, and we're all going, does it matter, or we're supposed to... What are we supposed to do with this? Can we... Well, if you read the size 8 font at the bottom of the email, it says click here to redo your subscription preferences. So most of these have to do with: can we send you email?
Because the GDPR, which is the General Data Protection Regulation for the eurozone, that's all the countries that are still in the EU, including England right now. That's right, 28 of them, plus a half. And it's big ol'. Yeah, 27 and a half, but whatever, be almost. Yeah, yeah, because it is not done yet. Yeah, so we get these emails, and because of these rules you have to explicitly opt in, and we've all been on those web pages where you fill something out, you join a contest or something, and sign up for a newsletter, and lo and behold, somewhere on the page there are checkboxes that say we can market to you, and those checkboxes are pre-checked. Oh. You have to uncheck them if you don't want that. It's very clever. It was a neat marketing trick, started in the late 80s, with AOL pioneering it. So now they... Well, so now they make you opt in, but they opt in for you just in case you didn't want to. Well, you know, they're really looking out for you. Yeah, of course. This is for your... I wouldn't want to be cut off. Wait, come on, if you didn't have your recipe of the day... And for some reason someone signed me up, I think this was a joke, somebody signed me up for a Bible verse of the day, and I can't get them to stop no matter how many times I've sent them email. They just won't stop. I think they think it's funny that I get a Bible verse every day. Painfully relevant sometimes, but, you know, I get one every day. But you're supposed to opt in. Also, you get some of these because they're supposed to have increased transparency. Oh, yes, transparency and accountability. What's that word, accountability? I'm an American, sorry. Well, yes, I might add, I'm from the government, I'm here to help you. Yeah. Accountability, well, that's why they have to have a compliance officer. So it's a data protection officer requirement, right?
But they don't have to have it if they're a smaller company. Well, they have to have one up the chain somewhere, somewhere, so the fault, it gets to be... What a great job. It's my fault. Well, that's any project manager. Your fault, you have no power to change it. Yes. Well, the job. Yeah, but hence the accountability. It's built in; that accountability is built in whether it does anything or not. It's built in. Transparency, likewise, built in whether it does anything or not. It's in the rules. Do you think it'd be like the airline CEOs, that when something bad happens they resign, but then they pop up at another airline two weeks later? So the data protection officers will just rotate around the companies as they get blamed for stuff. If they were really as smart as they seem, they would have that all sort of planned out. Okay, Jerry, tomorrow you're over here and I'm over there. Yeah. Yeah. Yeah, I think that's the way a lot of companies do that, and that's the only way you get to be CEO. The CEO, it's kind of a career option. So now we have the DPO, data protection officer. Now let's talk about: does this affect the United States? Yeah, well, to the extent that you have data, that company X, Y or Z in Kansas has data on residents in the EU, it affects them. So if we're tracking anything about residents, or somebody who belongs in the EU, the eurozone, we have to abide by these regulations. So that's why Google, Facebook, Twitter, all the global companies, Amazon, everybody has to update their policies. Uber sent me one. I was surprised they kept my email, actually, but apparently they do. I'm being tracked by everybody, but I actually appreciate this now. This was, as far as I know, not really an extension but a change-out and an increase of policy from the Data Protection Directive of 1995. In 1995, yeah, right.
So they took a long time to come about to this, and they took four years to create the GDPR. Well, a little bird told me that they actually voted this in in 2016. It was 1995, and they thought about it, sort of meditated on it, till 2016, and then decided, oh, damn, maybe we should actually set a deadline, since, you know, deadlines apparently work, and in 2016, probably around May, it's just a wild guess, they set the 2018 deadline, and of course everybody that had to be compliant, or needed to be compliant with these rules, waited until April of this year to do anything about it. That's why we got this massive email spamming campaign from everybody, and now it's gone oddly dark, which I find relieving. Everyone's vacation kicked in. Yeah, they couldn't sign it... They couldn't hook up for vacation until then. Oh, it's wonderful. It's kind of a zen thing for me. I'm like, oh, no email. Oh, loving this. This is great. Well, what inquiring minds want to know is whether the fines, which are Gigantor, whether they kick in for the Kansas companies, for the... how you sending lists... Google and AOL and all your favorite companies, whether those fines apply, because they're gigantic: 4% of gross revenue for a year or 20 million euro. That's for the serious crimes. For the minor crimes, those are the venial sins anyway. Mortal sins are 20 million; the venial sins are only 10 million and 2% of gross revenue, and it's not profit, it's revenue, and it's global revenue. Hmm. So that's how the rules work, theoretically, in Europe. Whether that applies to companies outside Europe, I don't know. Maybe only the rules apply, maybe not the enforcement, if there's no enforcement.
I don't know. Yeah, well, in the past, if you have a company that has a central base in, like, the United States and you put an office in another country, and you don't comply with the rules and they fine you and you don't pay, they just say, well, okay, you can't do business here anymore and you're out. So I would imagine companies like Amazon would take this very seriously, because if the eurozone says you're out, that's 28 countries' worth of people you no longer get to do business with, and I would imagine the competition would take over immediately, because Amazon set the standard; all you have to do is do what Amazon does. That's right. And I'm starting to scratch anymore. Just great. You just complete the business model. Wow, they're out, cool, I'm in. Yeah, yeah. That's... so it's even... hire all the guys they fired, you know, so it's even easier. You get the buildings, the equipment, the staff and the model. Sure, why not? So I hope that works in Kauai with the last day. Amazon, don't take this seriously, because I'm gonna move out to the eurozone and I'll take over for you. Yeah. Actually, I like Amazon. AOL, don't take this seriously, I'll take over for you and it will become like a good thing again. K sold his house in, around Maryland for like 47 million dollars. So AOL worked for a while. Wow, so GDPR really hit him. Had to sell his house. No, I just... there's a basis in the AOL reference. 47 billion dollars? What do you... not billion, million. Million, how, what, that house? Yeah, for a house. Yeah, well, that's probably a two-bedroom apartment in San Fran. I didn't write... Yeah, something, heart of the city. Well, yeah, I wish I'd gone to put, Van Eyes Boulevard right before the bridge. Yeah, let's talk about, well, some other stuff. Why would I have to be compliant?
There are certain things I do in my business that would make me have to be compliant, and I'm carrying data in a database somewhere, I'm tracking people from the eurozone, and it just doesn't have to be name, IP address, geolocation references, pictures or whatever. This could also be behavioral statistics, which have been around for decades upon decades. We're trying to track behavior because we want to know how people move around the internet: how long they stay on a page, stickiness; how many times they click on things that we put in front of them, click-through rate; and how long they actually stay on a website, which is very difficult to do, actually, because if someone closes their browser before they log off, or if they just leave the page without logging off, you don't know when they actually left; that timer just keeps on ticking. So if you have multiple websites, like Facebook and Twitter were hooked up and you went from Facebook to Twitter in the same browser, you could, if you own both companies, know when you left Facebook and when you arrived on Twitter, so you'd have those statistics, right? You're tracking behavior, and that's part of the statistics GDPR covers. Yeah, I'm a little confused, because I understand what you've said. What I read in my notes is that these companies are only allowed to keep statistics that are essential to current business, and that's a tricky one. Yeah, so make an argument about a lot of stuff. Yeah, I mean Amazon, everything about you matters because they're selling you things. Yeah. One other thing: you don't have to be selling your goods or services in the EU for this to apply. No, it only applies where they live. Well, if you've got the data, no matter what, even if you're not selling it, that's right, you are owning it and you're the curator of that data; therefore you're responsible for it.
You're also responsible for telling people the data you have on those people. You have to tell those people, be transparent, what you're doing with the data and what data you're collecting, and you have to do it, again, not in size eight font in light gray at the bottom of the website on the 13th click-through in your website on an inaccessible link that's no longer there. And this is a trick that's been done many times, you know, that one page that still exists, but unless you type it manually into the URL, you know, into the address bar, it's not going to work, because there's no links to it. So you can't do that anymore. So those emails we've been getting are quite complete: here's what we're doing with your data, here's our new privacy policy, with a link to the privacy policy, you know, no one ever goes to. You know, I went to a couple, and I'm kind of glad I did. They're not the legalese I'm used to. Yeah, well, yeah, you're right, right? They're writing to maybe an eighth grade reading level, which means our current administration would be completely lost, but for me, I was actually able to make it through, because, you know, we teach college. Sure, we can read at an eighth grade level. Of course, almost. If you don't believe it, just ask us and we'll tell you in writing. Yes, simple sentences. Yeah, exactly. And a handwritten note. What else do you know about GDPR? Well, when things go wrong, and surely they will, they've got 72 hours to let you know, and that's you, that's it.
Well, that's what it says in the, not so fine, print. So that's much better than some of the recent things that have happened locally, that we weren't notified about in 72 hours. So, you know, 24 would be nicer, but I think it's 72 hours after they know. So if the breach happens at X and they find out three weeks later, then after they become aware they've got 72 hours to publicize that information, at least to those that were affected, if not to the community at large. You're right, those rules are wonderful rules and they need to be in place in the United States. In the United States we have a different set of standards here. Equifax got away with not telling us about their first breach, which was in March of that year, just last year, and they got away with it because in the first breach that they detected, no data left the network. But from a hacking point of view, and I teach cybersecurity, that was the breach that probably got them in the back door so they could plant the malware with the back doors and come back later and start rooting around for the data that they wanted, and right about June they found it and took it. So had it been stopped in March of that year, instead of, I believe they did it in late April of that year, they wouldn't have had that problem. Well, the whole point of giving people notice that their security has been breached, or a company's security has been breached and my data's been put at risk, the whole point is to advise me so that I can take protective measures, and, you know, if we're in a Yahoo kind of a situation and I find out, oh, don't go down that road, so many years. Okay, let's talk about this right after the break. We're gonna take one minute, come right back and discuss these rules and Ernst, and we'll discuss. Yeah. Yes. Until then, stay safe.

Hello everyone, I'm DeSoto Brown, the co-host of Humane Architecture, which is seen on ThinkTech Hawaii every other Tuesday at 4 p.m.
And with the show's host, Martin Despang, we discuss architecture here in the Hawaiian Islands and how it not only affects the way we live but other aspects of our life, not only here in Hawaii but internationally as well. So join us for Humane Architecture every other Tuesday at 4 p.m. on ThinkTech Hawaii.

Aloha, I'm Marcia Joiner, and I'm Beatrice can tell them, and we have come, in this series, young and old alike, to take a look at our past, your past, and the past as not seen in history books. History books are his story, and what we refer to as mirrors of the past. But we, as colonized people, indigenous peoples and people of color, look into the mirror and do not see ourselves there. On The Ties That Bind we will examine those underlying causes. Please join us with The Ties That Bind on Wednesdays at noon, twice a month. We look for you there. Aloha. Aloha.

Thanks for coming back. Appreciate you watching the end of the show, and then we haven't bored you to death already. Tom and I are just discussing some of the GDPR regulations. We're gonna do it like a tech minute now, though. You bet. We're gonna start off, we're gonna follow up with what we discussed last week: the VPNFilter malware that's been going all over the world. What do you hear? What do you know? I think it's the Russians, but I just... Do you just always assume it's the Russians? That's an easy one. Yeah, fallback, or North Korea. Well, that's what... we have a Russian on staff, just so we have the inside information. We love you, Boris. We love you, man. Yeah, well, inquiring minds want to know, if I reboot my router will I lose all the settings? Yeah, okay, no, no, I won't. No, you know, supposed to say yeah, you're supposed to question, you're supposed to do this, right? So if you're gonna read, read, okay. Rebooting the router. Unplug it, yeah, and this is just reboot. You unplug it. You got to wait 30 seconds, because there are electronic components inside of it.
They're called capacitors. Capacitors. Capacitors. Yeah, they have electrolytic material that can hold a charge like a battery, like a battery, but very, very light, so they go about 30 seconds to a minute. So if you leave your router unplugged for about 30 seconds to a minute, count Mississippis or hippopotamus or whatever, chimpanzees, okay, and then you plug it back in and you let it reboot. That does not protect you from the virus. However, if you do have this malware on your router, it will go out and try to reach the mother ship. It'll phone home, and all these sites are under observation by the FBI and the NSA, and they can tell if your model router is now affected. So we went through TP-Link and a couple others. Netgear probably was one of them. Linksys, which is the Cisco consumer grade product, right? But there's a few others. I didn't see Belkin out there yet. I didn't see ASUS. But if you reboot and you've got a Belkin or an ASUS and it phones home now, they can add that to the list as the warning. Now, if you want to do it the right way, you need to save your settings. So somewhere in the interface, you always have a web interface, you can go in there, manage the device, and you save all your settings to, like, a text file or an XML file. They have both formats, and you save that to a place where they won't get erased on your hard drive. You laugh, but it happens a lot; more than one, more than one. You save it, do, okay, duplicate, and then there's always a hole on the back somewhere, a little pin-sized hole, so you can stick a paper clip in your router and press down in that hole while it's powered on. That resets all the device settings. What's a paper clip? Oh, yeah, we don't use those much anymore. A paper clip, that's a little metal thing with spirals on it that holds paper together. A little thicker than a staple. Okay. Staples hold things together, like this thing. There's a staple here. Sorry, we're preaching to Millennials.
We have to say that. So we have this. Once we save this thing, then even if we, say, change the firmware, right, we can still recover all those settings, so we don't have to worry. There should be backward compatibility for all the major settings, say that you're redoing, you said MAC whitelisting, your port forwarding, your network SSID, most likely your password, but you should reset it anyway. So I guess I didn't finish. We're keeping that paper clip in there for about 30 seconds, 45 seconds, maybe a minute for some models. You should refer to the manufacturer's specifications for that. Then, powered off, let it completely erase, and then power it back on. I'm powered back on now. You're going to go back to manufacturer settings, so you're going to have to physically plug your computer into your router. Otherwise, you know that you can't get on anymore. Most people think, oh, I just log back in on Wi-Fi. No, Wi-Fi is not there anymore, right? You just wiped it. So then you have to reload your settings. You can't just rub the floppy disk on top of the router and have the settings jump back in. That hasn't worked since, like, the 80s. Yeah, and those floppies were a little bigger back then; they had the velcro bottom, like... We're totally kidding. Oh, yeah, Tom, Tom, so if your notebook computer doesn't have an Ethernet jack? Yes, so that's gonna need an adapter. Yeah, so it takes a little... The big point is it takes a little planning. I mean, like, laying out what you're going to do in what order is real helpful before you start, and we're talking to Millennials. It's a series of instructions made for yourself that you can follow once you've made these plans. Yeah, it should include timing, equipment, order, sequence of events, sequence of events. It should include your labor, who needs to help you. Yeah, and by all means tell everybody else in the house what you're doing before you do it. Otherwise someone's gonna run in and say, I was just watching, did Jon Snow live? Yeah.
Yeah, and you know, I almost got my taxes filed on time. I was just about to click submit. Yeah, or that email was really important. I wonder if I'm gonna get it back. Yeah. Yeah. No, speaking of that, by the way, I was trawling, I do this every once in a while, a trawl of the dark web to see if any of my information actually is in the hands of nefarious people, and unfortunately it is, and I only knew this because during my security clearance check a couple of years ago with the Department of Defense, OPM, the Office of Personnel Management. Oh, I remember this story. So they took my social security card and photocopied it right there and scanned it into digital, and I saw them upload it and put it into my file. Yes. What I found on the dark web: a picture of your social security card. Yeah, I was tempted to take a selfie with it. Yeah, here, I found it. But, you know, it wasn't even for sale. It's out there for free. I found it with a Tor browser, and, depressing, I'm not even worth the price of admission, but yeah, it's out there with all the other OPM data. Are you gonna sue OPM for this, about this? No, because they offered me data monitoring service for a year. You each did that. Yeah, because everybody gets breached. It's not a matter of if, yeah, it's when. Absolutely, a lot of people don't realize that. VPNFilter, by the way, this malware we're talking about in all these consumer grade routers, it's small and home office stuff, that has three stages, and each attack can perform different things, but it can be used for monitoring you and extracting your data on your network, or it can be used as a relay, or what we call a proxy, so you can be the one held liable for attacking another computer, because it's your system. But I didn't know. But I didn't know, yeah, it doesn't care. No, no one cares in the government. What is so... Ignorance of the law is no excuse. Ignorance of a hack is no excuse either.
You just get fined, especially if you have no lawyers, and I don't have a lawyer anymore. That's good. No, that's kind of... Vicki, can you be my lawyer? There's a log inside. Oh, damn it. Yeah, okay. That's how much I know, at least that much about lawyering. Well, let's talk about the difference between these general protection, data protection rules, regulation in the EU, versus things like compliance over here in the United States, where we use things like NIST, the National Institute of Standards and Technology. They work with the DoD and the NSA to come up with a list of rules that you should apply to your network and your infrastructure and your employees and your security in general, so that you will keep yourself to a reasonable level of security, safe data and security, while you're interacting with the federal government. Recently they just enacted a subset of those major rules called NIST 800-171, which is for small and medium businesses: 109 checks to do on your business, which could entail over 600 different control checks, things like how to set up your router, password length, your security systems, where's the perimeter of your data, how to encrypt and separate your data, access controls, and it goes on and on. This is not the same as GDPR. Correct. GDPR is all about how we're handling data and telling people we're handling their data. It's mostly about transparency and responsibility. However, I read 88 pages of the GDPR. I know it was hard. I had to take a nap and come back, but because it's written just like every other document... You demand GDPR because I almost read 23 pages. The same thing happened to you. You start drinking and go to sleep. Yeah, this is so boring. Oh my god. Where's my scotch?
So I read this and I didn't see any of those rules, like you have to encrypt data, but it just says you have to keep it safe, in a safe place, and you can't let it out outside of your bounds. So I'd imagine there's other regulations that apply in the EU, just like we have over here. Well, for military stuff. No, for small and medium businesses. Now the 800-171 applies to anybody doing business with the DoD, the Department of Defense, or any of the uniformed armed services, FBI, NSA, all that. But it's not just if I'm... like, if you're the DoD, it's not just if I'm doing business with you. Okay, I could be doing business with this person, who does business with that person, who does business with you. I still have to comply. Right, because you're in the chain. So here's the question. I didn't see in the GDPR, if you're collecting the data and I do business with him and he does business with her and she does business with you, and you have the data, do I have to comply? Seems like that would be the preference; whether they can enforce it, I don't know. But you have the data, I don't have the data. It's the curator of the data. Where's the data stored, right? However, consequentially, I could have access to your data, and so I'm wondering about that regulation. I still haven't gone deep enough to find out. Did you actually read all those 88 pages? Oh, I can't remember any of them. So I skimmed them. I put them under my pillow. Well, you know, one of the questions is, what about GDPR 2.0? Maybe that's the thing that's gonna come in there. Have you heard any sort of... I've heard whispers. I've heard whispers, yeah, but only from, you know, the tech magazines out there saying, you know, now that we've done this, we don't see any hardcore regulations like you have to apply cryptography and lock down your routers and use a firewall and all that stuff. So maybe that's the second part. Hey, we had a good talk. We got to wrap this up. Anything? You're kidding.
Is it... we've gone through a whole 30 minutes? This keeps happening. I know, I can't help it, but this is the length of show that we have. I hope to have you back very soon and we'll discuss. I hope you come back. Well, I hope very soon. Yeah, you can stay here. No, there's gonna be someone else who wants the room for something. Yes. Thanks for joining us, everybody. I love to have you here, and we're gonna be back next week with another great show. Until then, stay safe.