Our next speaker here, Trey Forgety, is here to talk about the challenges of user privacy in a location-sensitive system like 911. Uh, he's part of the 911 association. Uh, this talk is being recorded to show it online later on. So if anyone has any questions, please walk down, uh, to the microphone at the center aisle and we can record the questions too. So without further ado, Trey.

Thank you so much, and thank all of you for being here this afternoon. I know your time at DEF CON is precious. Um, and I will say for my part, I very much want to make this talk, uh, a lot less formal and a lot more, um, interactive than some of the talks that you'll see in the other tracks. So if you have at some point a question about anything that I'm saying, please don't wait till the end to come up to the microphone. And as soon as I get to, like, a convenient pausing point, I will, uh, take your question because, uh, this is a really, um, interesting area that I'm very passionate about. I've been told I can't be heard, so let me, I'm just gonna hold this. How about that? Everybody hear me now? Good.

So, um, where we start is, I get a question all the time: "So you guys at 911, you're just tracking everybody all the time, right? That's how you know where I am." And the answer couldn't be further from the truth. Um, we are not tracking you at any time. In fact, you would almost be appalled at how little location data we do get when we want to find you, which is when you call 911. So my talk is gonna go over a little bit about what we do get, when we get it, um, how we are actually part of the privacy solution by virtue of keeping people who want access to location data away from it when they shouldn't have it, and how we, uh, acquire and store and use location data when you make it available by calling 911.

So, um, at the outset, I think I want to start with just a quick thing about how location works. Are folks here familiar with how GPS works? Like, generally?
Okay, I'm gonna go into it just kind of at a very high level. So basically, a few thousand miles up, we have a constellation of 30-odd satellites orbiting the earth, uh, roughly every 90 minutes. And each one of them is singing a unique song, but they're singing it on the same frequency. And by singing the same song inside a receiver, essentially, you can find out how far off in time your song is from the one being sung by the satellite. And that tells you a time offset. So we multiply that by the speed of light, correct for things like the, uh, diffraction of the ionosphere that delays these signals. And then once we have ranging from multiple satellites, then your device can calculate its location in, uh, 3D space.

Now, it's pretty good horizontally. GPS in the best of cases can give us, you know, 5 to 10 meter fixes most of the time. If you have a really good device with a great antenna and, you know, a multi-band receiver, and you leave it stationary for a very long time, you can get that down to, like, a tenth of a meter reliably or better. But for this typical case of something that's cheap enough to put in a smartphone and for us to carry around with us every day and, you know, doesn't have a gigantic antenna sticking out the end of it, that's not really the reality. You're not going to get anything nearly that close.

So historically we've had this problem of, we need to find people when they call 911. So how are we going to do that? Well, in the wireline world, it was easy. We knew where the telephone company's wires went. They kept a billing database that said, you know, here's where our wires go. And when you established phone service, we could go to them and say, look, for every address that you put in your database, you have to validate that with somebody.
It's something called the Master Street Address Guide for your locality, which is a table that contains all of the valid street names and all of the valid number ranges within those street names. And so they could submit that address, make sure that it was valid. If it wasn't, they had to go back to you and say, "Hey, it looks like your street doesn't exist, or potentially your number's out of the range. Like, what happened? Did somebody build something new?" And if that's the case, okay, we got to go fix the database. But there was a process. We knew where everything was.

Smartphones aren't like that. They move around. Cell phones generally move around. And so we had to come up with ways to figure out where mobile devices were. In the early days, there were two very general ways of doing this. They were called the network-based model and the handset-based model. In the network-based model, devices in the network either transmitted or received signals to or from a device and used information like angle of arrival, time difference of arrival, or absolute timing offsets to calculate ranging and bearing data and figure out where the device was. And that worked. It's actually very fast. It's one of the fastest ways to find someone, generally. The problem is it's not terribly precise. With those sorts of methods, you can get within two to 300 meters very quickly, but you'll never get down to some tens of meters. It just doesn't work that way.

So that was the typical technology in CDMA, or excuse me, in GSM networks, because in GSM networks, that was what was convenient. They had the right sort of signal structure to do that kind of ranging. CDMA had at the time a really cool advantage, which is, when I talked about the way GPS satellites sing little songs, they're actually doing that in kind of a version of CDMA. All the satellites transmit on the same frequency, but they do it with different pseudorandom number sequences imposed over that.
And you can pick individual satellites out by knowing which one of those are, looking up in an almanac, okay, what satellites should I be able to see? Getting that from the constellation itself, even, and using that data to figure out, okay, what should I listen for? Since CDMA handsets already had correlators inside that could do that for the networks they were attached to, someone had the bright idea, well, let's just reuse that as a GPS receiver. And it worked. It worked brilliantly.

Now the trouble was, early on there was only one, because they only expected you to be carrying on one voice conversation at a time. So when in the early days they wanted to figure out where you were for 911 purposes, they actually had to say, "Hold on a second, you're gonna hear silence while I determine your location." And then the 911 center would trigger something in the carrier network to actually start that process with your device. The device would listen for the satellites, collect the data, correlate it, ship it off to the network, the network would calculate your position and relay it via a database to the 911 center. Really kludgy, and you don't want to tell somebody in the midst of an emergency, "Please hold," right? That's not a great thing to tell someone when they're, like, screaming to death.

So over time, we got better, we got better chips with more correlators, we got to the point that we could actually put GPS chips in almost every phone. And these days, that's what everybody does. We have GPS chips. Most of the network technologies have sort of gone away. We still have two out there: one called advanced forward link trilateration, which is a ranging technology used mostly in CDMA networks, and then OTDOA, which stands for observed time difference of arrival. How many navigation nerds are there in the room who have heard of Loran? Okay, we got a few people. Good. So this is the really cool thing.
OTDOA is just Loran with cell towers instead of Loran chains. You just listen for the time differences between transmissions of synchronized towers. And then you can use that to do hyperbolic ranging, which is really fun. It's kind of a cool sort of thing. Again, it's one of these network technologies that are fast, but not necessarily super precise.

All well and good. Okay, fine. You've got a measurement system. What do we do with that now? In the 911 case, and I said this before, we're not tracking you. We don't want that stuff running all the time, because frankly, we don't have anything to do with the data, and it's really not of any interest to us. We need to know where you are when you have an emergency. You don't want that going on, obviously, for privacy reasons, otherwise you wouldn't be in the Crypto Privacy Village. And you also don't want it going on because it's a very battery-intensive activity to keep track of yourself precisely all the time.

In fact, most of the things that you see, you know, this question, "Why is it that Uber can find me but 911 can't?" that we hear so often. I really hate this question, because, like, most of the time, Uber hasn't measured where you are to any degree of certainty. They have software in your device platform and in their platform that's making a very educated guess. People tend to focus on the little blue dot that tells you where the thing thinks you are. What they often don't realize is that there's also a blue circle around that. There's some uncertainty associated with that location fix. And often in the case of commercial apps on smartphones, that uncertainty is actually relatively large. It can be on the order of hundreds or even thousands of meters. That's calculated at about a 90% confidence level most of the time, which, we want only about a 10% margin that we'll find you outside the circle.
But if you think about a place like Caesar's Palace, an uncertainty of 100 meters or 200 meters makes it really difficult to find someone, makes it really difficult to go search for them. 200 meters might put me in any one of three different hotel towers, the casino, the conference center, and a bunch of restaurants. So you really have to deal with constraining that uncertainty somehow before you can use that for emergency response. Uber can make those guesses because it has that ability to then ask you, "Okay, where are you? In fact, does this match up? And if not, drag the map and pick the little dot." We don't have that luxury in 911.

So I've said that we're not tracking you. Well, what are we doing? When you call 911, a few things happen. And I've talked about some of the different methods that we've used. We're starting to add things from the handset now. Historically, only stuff that was baked into the baseband or the network was really available for 911. But these days, we're actually doing a lot more than that. This is bleeding-edge stuff that's just starting to come into the devices. But we're starting to be able to use Wi-Fi and Bluetooth, both to do sort of associative location, to say, look, we know that Trey's Wi-Fi access point is at this particular address in this town, because he's there all the time and he's associated with that and so on. So if the phone can see Trey's Wi-Fi access point, that's probably a location of association that we can use as a starting point for a search.

It's kind of a probabilistic sort of thing. That's a very uncomfortable proposition for 911. We want things to be deterministic. We want to be able to say to the cops and firefighters in the field, who really couldn't find their way out of the building without our help, that this is exactly where to go. But that's not realistic. That's just not the way the physics of measurement work.
And that's why the other thing that we're looking at is Bluetooth beacons. You put Bluetooth Low Energy in a light bulb for lots of really great reasons. One of the things you can do with that is associate that UUID, that Bluetooth beacon ID, with that location in a database. We're working on something called the National Emergency Address Database, which will actually associate Wi-Fi MACs and Bluetooth UUIDs with physical locations in the world. So that if, for example, there's a beacon in this particular ballroom, if I'm within 10 to 30 meters of that, I can be localized very, very precisely with that. But of course, that takes getting a lot of beacons out in the world. Thank you, Internet of Things. That's going to be easy. But then it also means we've got to track those things and make sure that if they move, we find out about it, that, you know, there's some aging in the database to make sure as things get older, we trust them less to provide location, and so on.

So at call time, when you make a 911 call, a couple of things happen. First off, your phone platform, whether it's Android, iOS, BlackBerry, whatever, completely overrides your location privacy settings. It says, look, you've made a 911 call, this is really important, turn everything on, we need to find you. Historically, that's only meant, like, the GPS chip, and, you know, not some of the other cool things that you have in there, like the accelerometers, gyroscopes, magnetometers, barometers, Wi-Fi, Bluetooth, etc. But we're working to change that. We're actually working to get to the point where we can ingest data from all of those different things to create something called device-based hybrid. And this is where we, you know, use things opportunistically where they make sense.
So GNSS: GPS, Galileo, GLONASS, Compass/BeiDou, all of those things work phenomenally well outdoors in urban and suburban environments, and even to some extent in sort of urban clusters. Not necessarily in Manhattan and San Francisco and downtown Atlanta and Chicago; in those places GPS is really, really awful. But Wi-Fi and Bluetooth things have much higher densities in those environments, and consequently they are of more use. And so the concept behind device-based hybrid is, we're going to opportunistically use what is best in the environment that it's in. So if you're in Manhattan, and the best thing we have to, like, figure out where you are is Wi-Fi and Bluetooth, we use that. And if not, if you're out someplace where GPS is working great, we'll use that.

All of this is just sort of starting to happen. We've had one company called RapidSOS that built some really cool stuff to kind of get location data around the database limitations of the legacy 911 network. And in doing that, they've kind of proven out that you can get a lot more calls clustered down in that, you know, zero to 20 meter range with device-based hybrid. And I don't mean to, like, endorse Rapid or something like that. There are tons of folks working on this. Google just announced a few months back that they're going to be doing a lot more in their fused location provider for emergency services purposes over the next three or four years, including, and I thought this was really cool, they're putting dual-frequency GPS receivers in their devices, which allows you to directly measure and cancel the ionospheric diffraction delay. And that is the primary source of error in a GPS fix. So in three to four years, your handset GPS locations indoors and out are going to be phenomenally better. They really will just get meaningfully better.

We're also seeing barometers go into devices, which is really cool. These allow us to implicitly pull out a vertical location.
If you have, oops, I've gone dead. If you happen to have, I think so, there we go, we're back. If you happen to have a barometer and you have a good external reference for what sea level pressure is, you can use those measurements, you can compare them and say, okay, I must be this much up or down from that reference datum. Now, in order to do this, you've got to have measurements that are fairly localized. And so, you know, another example, this company, NextNav, their idea is to put sort of pseudolites, or fake GPS satellites, on cell towers and buildings and broadcast basically their own GPS signal down at 900 megahertz, where it penetrates deep into buildings. And to broadcast as part of that hyper-local barometric pressure corrections that let them pull up exactly the height that you are at with a great deal of reliability.

Now, what do we know about 900? 900 is the junk band, right? Everything awful is in there. It's completely useless other than wireless meter readers who just sit on top of everything. Except that the one thing that is actually privileged in 900 megahertz is multilateration and location monitoring services. And there are licenses, and these guys happen to have a lot of them. There are other folks who have them for other markets, but this is, like, a cool thing that you can do in the 900 megahertz band, and you actually get interference protection if you do this. So, another cool thing.

When you make that 911 call, all of this stuff kicks on and starts saying, okay, now where are you? Initially, when your 911 call arrives at a 911 center, most likely we will not have good location data at the start of the call. What typically happens, and this is something called phase one and phase two: phase one location is what we get at the beginning of basically every wireless call. And it just tells us the street address of the cell tower that you're attached to. And it's the GPS coordinates of the tower.
Again, this is not you, this is the tower. And it tells us the central bearing of the cell sector that's serving you. So if you look up at a cell tower, it's usually kind of triangular. It's got antennas on the vertices of the triangle. Each of those has a particular central bearing. It's serving about, you know, 60 to 120 degrees. And so by knowing that kind of general bearing and then asking you questions, hopefully we can figure out, if you don't know, where you are.

The way all of that works is super kludgy. It actually happens because of a database process that got started in the 1980s, built for the wireline world. And that's why before we can get your more precise location, we have to wait a period of time for a couple of processes to happen. So first of all, the device has to actually calculate a fix that is better than whatever it had from, you know, the tower and so forth. And then it has to communicate that back to the carrier network. The carrier network has to pass that to a database management system provider. They have to further process it and implant it into the database that ultimately your local telephone company typically maintains, because it was the one that they maintained for that wireline process oh so long ago. Then at that point, the 911 center system, either automatically or manually, can re-query the database and say, okay, is there anything better? And typically by the 15 to 25 second mark is when we'll start to see an improvement. Something like a GPS fix that's within the allowable error range.

The carriers have location targets that they have to hit. Ultimately those are going to get down to 50 meters horizontally and some number vertically that we don't know exactly what it'll be yet, but we're working on that. Or a dispatchable address. Dispatchable address is the process I talked about before with the database piece of it.
Now the one sort of worrisome part about this is those values, those location values, we know they're very sensitive; those are actually transmitted in the clear. But they're transmitted in the clear only within sort of trusted carrier networks, and then only on the network's control plane. So the location information never touches the user data plane until it actually gets down to the 9-1-1 center and it is received at the start or, you know, some number of seconds into your call. And then at that point, we kind of look at this as, like, a hot potato. We'll keep that stored as long as we have to to provide you with service and to keep the sort of records that 9-1-1 centers are legally obliged to keep, whether it's for investigatory purposes or just because the legislature said we want everything to be kept for 90 days or 120 days. Some things may get archived if they look like they're going to be important down the line, but not necessarily everything. I mean, we typically want to get rid of non-critical 9-1-1 data that's not subject to a litigation hold as quickly as possible. We really just want to get that out of the system.

This is where it gets a little interesting, because obviously, being in public safety, 9-1-1 is part of a lot of law enforcement responses. A lot of law enforcement responses start as a result of a 9-1-1 call. In fact, almost all of them do. And 9-1-1 is known for having location data. People in the law enforcement and fire and EMS communities know that when you call 9-1-1 we get your location data. And so people, not unreasonably, often make the assumption that, well, if I need that for some other purpose, the way I should be able to get that is by just going to my friendly neighborhood 9-1-1 outfit and saying, "Hey, help me out with some of that good, good location data," right? And we get those requests all the time. Our members actually get location data requests from law enforcement and fire and EMS, often when there's no actual 9-1-1 call going.
So I said earlier, 9-1-1 really is on the front line of protecting user privacy, because often the thing we have to do is tell sometimes even the boss "no," because we get 9-1-1 data for a purpose, we use it for a purpose, and that's part of user trust in the 9-1-1 system, is that we're not going to misuse that 9-1-1 location data.

The other reason that these things happen from time to time is we also have access to a process for exigent circumstances. So if you've ever seen the movie The Call with Halle Berry... So, small aside: I got to meet Halle Berry. She is amazing in person. She is even more beautiful and, like, even more friendly and awesome and wonderful, and she really, like, took a lot of time and effort to get in the trenches with real 9-1-1 call takers and learn how they do what they do, which was really awesome and cool. Hopefully there will be a sequel. But in that movie there was this occasion where a young woman was kidnapped and thrown in a trunk, and she was only able to make, like, a quick discreet 9-1-1 call to say, you know, "Help, I'm in the trunk," right? When that happens, we've got to have some process to get some location data when you're not on a 9-1-1 call.

Now the challenge for us is, as I talked about before, all of the location privacy settings and all of those sensors and measurement systems are not on unless you're in a 9-1-1 call. So the moment you hang up, we lose the ability to query for updated location information. And at that point the best we can do, and I realize this sounds insane in 2017, is fax. Yes, fax a form to the carrier that was serving that 9-1-1 call to say, we need the best location data you've got for this particular phone number. The turnaround time for that can be 15 to 45 minutes. They generally do take it very seriously. They try to get the exigent circumstances request process as quickly as possible, but it is still a process. Like, it's not an automated kind of thing. It is a very manual process. And then what happens
once the carrier's lawyers and engineers have looked at the form and said, okay, yes, this is a valid exigent circumstances request, there really is an ongoing emergency with a threat to life or property, then and only then can they start to do a little bit to help us. But again, you're not in a 9-1-1 call. They can't turn on all the sensors. Typically the best we can do is we fall back to that sort of phase one information. We can typically get, okay, what tower and sector is serving the device. So we get, you know, kind of a point and a bearing, and if we're really, really lucky, in some cases they will also be able to give us a range estimate.

So I talked before about, you know, GPS and the way the ranges kind of cross over and you can get a location out of that. Another way you can develop a location fix is with a bearing and a range. So that's a line and an arc, and wherever they cross, that's sort of generally where you are. Because, again, our measurements are kind of fuzzy, that arc can be really wide, that line can be really thick. You get kind of an annular sector. But hey, that's still useful data. But again, it's not data that we're getting easily. It's something that's very, very protected. And in the 9-1-1 case, when we do get that, again, that's a manual process. So there's no database to put that in. That's actually something that's done on a, you know, we're on the phone with AT&T, Verizon, Sprint, T-Mobile, somebody, saying, "Okay, where are they now? Okay, has the location changed? Where are they now?" And it's this very sort of iterative manual thing, and eventually, hopefully, you can work out, okay, it's a car that's going down, you know, I-40 or something like that, and say, let's go try to intercept whatever that is and find somebody.

And then of course, immediately after that exigent circumstance passes, that location data that was used for that purpose basically has to go away, because it wasn't necessarily obtained with an investigative purpose, for law enforcement purpose. So then you've got to start
thinking about, okay, do we get a subpoena? Do we get a warrant? How do we actually acquire that location data in a way that can be used for some criminal prosecutorial purpose that's not, you know, related to an immediate emergency response?

So that's kind of the multiple-phasic approach that you have within the 9-1-1 center. We have the sort of baseline case. Weirdly, I often hear people say 1-1-2, which is the European emergency number, is really part of the global emergency calling standard and you should use that. And in a lot of places, using 1-1-2 might actually get you to a 9-1-1 center. Like, it might. It won't always, but it might. And if it does, the challenge, though, is it won't turn on, usually, any of that cool location stuff. So don't dial 1-1-2 unless you're in Europe.

Once that location process is over with, there is sort of a residual question of, what do we do with the data? And I don't think we have a good answer right now, because your average 9-1-1 center is not technically sophisticated enough to be encrypting or hashing or doing things like that with those sorts of data. They kind of have to rely on whatever their system vendor makes available, and oftentimes that doesn't include robust confidentiality and integrity mechanisms. But that is something we're working on.

So the next piece of this that I want to talk about is how we will acquire and use location information in a next generation 9-1-1 environment. And basically the process still stays heavily dependent on what the device and the network knows, but now, instead of dealing with legacy wireline databases from the late 70s, early 80s, we're going to take this into a more IP-based realm. So in next generation 9-1-1, when you dial 9-1-1 from a phone, whether that's a voice call to 9-1-1 or a video call or even a text session (we're going to have real-time text very soon), or total conversation, if you have, you know, different accessibility needs, you'll have the ability to communicate in all of
those different ways simultaneously, which is really awesome if you have a hearing or speech disability. At that point you've got a couple of things that have to happen. First, the device needs to figure out what 9-1-1 system its call should go to. So it's going to query something in the access network provider's network.

And here I want to stop and define a couple of terms, because historically, when you bought phone service from the phone company, you were really buying two very different things, but it looked like the same thing because it was all you knew. When you bought voice service from the phone company, you were buying, first off, a transport network. So that's an access network that is capable of moving things around. But you were also buying an originating service: the ability to connect from one end point to another end point using some, you know, particular address. Today networks don't have to do all of those things in an integrated way. I can buy my access network service from, for example, AT&T, and I can buy my voice originating service from Vonage, for example. We have to accommodate that in the 9-1-1 system. We have to be able to deal with the fact that your carrier is no longer just the phone company. It may be somebody else. Historically we have not done a good job of that, because we've just bolted stuff on to the 9-1-1 systems over the years and we haven't really integrated a lot of these new technologies into the way the system works.

So your device goes to the access network provider, and, well, okay, why? Well, the infrastructure provider, they know where their wires go, they know where their cell towers are. They're the ones who have the sort of intimate, real-world physical connection with you that can be used to start that process of localizing the call. So your device goes and queries their location information server. It gets back, currently, actually, location by value. It gets sort of "you're here," generally, although we're trying to be very careful about giving that to devices
because, you know, we can see a state where you might have malware on the device and you don't necessarily want to disclose location to that. So we're working on some cryptographic stuff to try and keep that private as well, to basically tokenize it, so that then the device can pass either that location value or that token to something called an emergency services routing proxy. And the purpose there is for the proxy to say to a big thing called a forest guide, which is basically a hierarchical database structure that tells you, here are where all the countries in the world, what are their boundaries; within those, what are the states; within those, what are the counties; within those, what are the 911 center service areas; and oh, by the way, you're there. Great, you go to this 911 center. That's where your call should go.

So this involves a lot of GIS processing. That's geospatial information system. I think I have a slide here that actually shows some of that. So we actually have a standard for geospatial information systems. Remember I talked about that old-school way of doing the database of addresses, where you have a table of street names and a table of valid number ranges? That's all well and good if you only need to locate people in, like, row houses. But what if you have an apartment building? How do we know that a floor number is valid? How do we know that a room number is valid? And moreover, how do we decide where do all of those 911 calls within that thing go? For example, if I'm Caesar's Palace, I might be a limited municipality. I might have my own response center that can get you help faster. We might want to route all of the calls within Caesar's Palace to them instead. Disney World's a great example of that. They actually have the Reedy Creek Improvement District. There are, like, six Disney executives that have houses, like, on the property. They're the entire voting bloc for the whole city of Reedy Creek, and they actually have their own
911 center. It's like a best-practice place. Everybody loves to hold it up as, like, shiny and new, good place to go. But you have to be able to track those things so that you can do change management, so that you can know, when somebody puts up a new building, how do we add that to our addressing system.

And then once you've consulted the forest guide, it'll give you an IP address for something called the border control function of the NG911 system, next-generation 911 system, that actually serves that particular location. At that point the routing proxy, whether it's in your access network provider's network or, if it's disaggregated, in the originating service provider's network, will actually send signaling and media to that border control function. And then, to me, the coolest part of all this is, if at some point during the call things change and there's some reason your location changes or whatnot, and there's some reason to redirect the call, either before the setup is complete or during the call, there's actually an intelligent mechanism to say, "Hey, there's this other 911 center that might need to be involved in this response. Do you, telecommunicator handling the call, want to loop them in, even if it's on, like, a listen-only basis?" And you can do that.

And you also get another kind of cool capability, is you can have now specialized 911 centers that deal just with particular populations that have very specific needs. So for example, in Washington, DC, we have one of the largest universities for the deaf and hard of hearing, Gallaudet. Great school. They actually do a lot of cool engineering work related to 911 stuff. But if you have a 911 call that's coming from just the area of the Gallaudet campus, you might want to put that into a different queue for someone who has a hot connection with an ASL interpreter, or knows ASL themselves and can handle that video call that way, or who's trained especially to handle real-time text calls. And that's something in today's environment we absolutely can't do
because, remember back, we're routing everything based on that cell tower and the sector at the beginning of the call. That's all we know. In the future, the idea is we're going to route based on the actual X, Y, and hopefully Z someday from the device, and that makes it a lot easier to do much more granular things like that that can really help. It has a huge impact. If you're in a population that has a specific need like that, it's a really big deal to be able to get to the, get to something like that on the first try, because today one of the, one of the terrible things that happens is, if you need to connect with somebody like a video interpreter, that can delay your 911 call on the order of 15 to 30 minutes, and that is not an amount of time you want to be waiting in an emergency.
I've used about 40 minutes here. I haven't had anybody volunteer questions, so I just want to level set: are there things that I've covered in insufficient depth, or not covered, or other things you want to hear about, so that I can kind of tune the, the rest of the talk? Yep.
Oh, it's funny you think there's IP switching involved in this. That's, that's very quaint. Yeah, no. So the question was, when I said that location data is transmitted in the clear, what part of the sort of transactional structure was I talking about? So from the device to the network, it is encrypted at the level of whatever the, the bearer established for that. So in LTE it would be encrypted; in GSM it would be encrypted, probably weakly; same thing in CDMA. Within the carrier network, it will be segregated but not necessarily encrypted. And then the way it's, and I know this is why I laughed about the whole IP switching thing, the way it's actually transmitted within the telephone company networks is as a series of either medium frequency tones or maybe DTMF in some cases. Like, it's really kind of hilarious how some of this stuff still actually works. The data block we get with a 911 call, I think I said this in my talk the other day, but it bears repeating,
is 512, maximum 512, non-extended ASCII character set letters and digits, and that's all. So when you want to represent something like a physical location, it, that's all you've got to work with. And so we really had to, like, figure out, okay, how do we dumb this stuff down? One of the big things that we're looking forward to is, once we have these next-gen systems where we can protect it properly, encrypted, and it is an IP system, is actually starting to be able to represent things graphically. I think I showed, here's an example of, like, an uncertainty around a floor, for example. Today we couldn't do that. We couldn't pull up a visualization of a building and put circles or ellipsoids or spheres or other things in there and say, look in this general area, because we have no way of representing that in the 911 systems that we have now. The cool thing is the carrier standard that makes all of this work at kind of the numerical level is something called J-Standard 036. I think it's an ATIS/TIA standard. It actually defines the ability to send different geometric shapes. So I can send an ellipsoid point with uncertainty, I can send a point with spherical uncertainty, I can start to do, you know, annual or segment things like that. Nobody does that because, again, we don't have any way to represent it today.
So the question was, what percentage, when it comes to dispatch, is sent in the clear versus encrypted, or perhaps digital, I assume you mean, and I assume you mean the radio part? Okay. So the radio part of dispatch, how much of it is encrypted, how much is in the clear? Overwhelmingly, it's in the clear. There are places that are starting to do more encrypted communications, badly in most cases. If you look, Matt Blaze, Travis Goodspeed, and some folks did an analysis a few years back of one, like, the dominant public safety radio standard in the US and found that it was basically hopelessly insecure. They used a really weak, kind of even more broken version of RC4 as the, as the stream cipher in some
commercial implementations that were very cheap, and so everybody used those, even though they weren't terribly interoperable and they're not at all secure. So we're in the process of trying to fix that. Earlier this year, the Department of Homeland Security and NIST worked together to get a requirement into the standard so that, I think starting in 2018, going forward, all radios built to that standard will now have to have AES-256 as a mandatory part of their cipher suite. They can still have broken versions of RC4, but AES-256 has to be in there as well. And part of the reason for that is, in the public safety community, interoperability is a huge deal. Disasters may start local, but they usually don't stay local, and when they go beyond the, you know, disasters don't obey jurisdictional lines no matter how much we admonish them. And so eventually you've got to have help from your neighbor, and when that happens, being able to talk with them is a big deal.
The other thing, I appreciate that question about encryption, the other thing that I want to raise a serious point about, though, is authentication and integrity checking, because even though we are fixing the encryption problem, sort of, we're getting to a standard, we are still not doing anything about protecting networks from, radio networks from bad devices, so devices that aren't, that don't belong there. So most of the radio networks today, if you know, like, an eight-digit code that is really easy to pull off the air, you can get a radio attached to that network and start receiving traffic from it. It's not authenticated in any way. And then there are also vulnerabilities to replay attacks in these networks, so you don't have good integrity mechanisms either. So we, we know that's a problem. It's something we're working on. The trouble is these are tens-of-million-dollar networks that turn over once every 15 to 20 years, and the next iteration may just not happen, because they're actually building an LTE network right now for, for first responders
that's going to be nationwide. So there's a big debate about, well, do we even, like, keep working on these standards, because at some point we're just going to use that because it'll be better? Not necessarily soon, but someday. Other questions?
So the question was, when you make a 911 call, location stuff turns on. Does the data that's developed as a result of that get stored on the phone in a way that it could be recovered by forensic analysis, the cops down the line, or something? I don't know a really good answer to that question. The challenge is there are so many parties involved, because there are legal obligations and interests that the carriers have, there are very different legal obligations and interests that the handset manufacturer has, and even the chipset manufacturer, the folks who are putting those measurement devices, how those interface with the 911 aspect of the device can vary. So I don't know the answer to that, unfortunately. I, my hope would be that once the 911 call goes away, that that location data goes away as well, in part because in, in the 911 business, one of our big concerns is always, well, can we adequately protect the safety of someone who calls 911 but doesn't want a third party to know that they have?
One tactic that we see, particularly, like, in an abused spouse situation, all the time is somebody calling 911 and pretending to order pizza. And when they do that, most clever telecommunicators and dispatchers will say, "You're telling me that you need to order a pizza because you wanted to call 911 and you don't want someone else to know, is that right?" "Yes, pepperoni." Which is, you know, so, and that's the kind of thing where we don't want somebody to be able to look at the device and say, oh, you called 911 from the house where, you know, you're not supposed to call anybody like that. That would be a potential information disclosure that would not be good. There's a question right there. Yeah, could you come up to the mic so that we can get this on the recording? Yeah. Okay. Okay.
The question was, can the location information that is collected be used to prevent things like, for example, swatting? I promise I did not pay him to answer that, to ask that question, but that is, like, the best possible question you could ask. It is something that we have been looking at for a very long time. The answer is yes, absolutely, it should be used that way every time. It, it, I go through no end of amazement that people don't, don't always check mismatches like that when there is a call. I do think it, one of the benefits of, frankly, having humans in the loop for 911 calls is that, rather cleverly, a lot of the time they do say that, and, you know, they'll, they'll say to somebody, look, before you go full SWAT on Brian Krebs again, maybe let's make sure that this call is actually coming from there.
And the other thing that we've been able to train on is, when you get a call from a non-service-initialized device, so a cell phone that doesn't have service, which is required to still be able to make a 911 call, treat that as suspect until you have really, really good information linking it to, to that person's thing. Now, part of the challenge is, if you're too far away from the target of, like, a swatting attack in the first place, your call's not going to go to the right 911 center anyway, and then you're going to raise a whole host of other questions, like, well, if you're in, but if your call ended up in Boca Raton but you're calling from Denver, then there's something, clearly something has happened that we, we don't expect and that we ought to be asking more questions about. So great, great question, really appreciate that.
And in NG911, one of the things we're going to do is a lot more data analytics capabilities to make sure we're authenticating things like that. In fact, as I talked about, like, the device-based hybrid in the National Emergency Address Database and all that, when we were negotiating those new rules with the wireless carriers in the FCC, that was one of our key concerns, was if they get a
Wi-Fi hotspot, for example, out of the database, and it says this hotspot is here, let's say Caesars Palace in Las Vegas, but the call came in from a cell tower that was in Knoxville, Tennessee, okay, you know, Houston, we have a problem. Don't use that location data. Fall back. Use the tower, use the GPS, whatever else you've got. So location data that comes from the, at the database process has to be corroborated going forward. That, that was a big deal for us, for, like, from an integrity standpoint, to make sure that we, we had corroboration. Yep, in the back.
The question was, is there a 911 app? Let me be really clear: no, there is not a 911 app. If I could get Apple and Google to do one thing, it would be to just grep the entire App Store, the entire Play Store, and delete anything that involves the words 911. They don't work. They're totally bogus. There's all kinds of things, and I, I hate to be this, like, passionate and upset about it, because I love that there are developers out there trying to do helpful things for people in an emergency. But the thing that, like, none of the developers, with maybe one exception, who have ever attacked this problem have understood is just how much legacy cruft there is that stands between anything you can do with an app and the 911 system. It just doesn't work. The only, there's been one startup that sort of kind of halfway cracked the problem, and they literally had to go and build millions of dollars of infrastructure. They built their own NG911 system to just do an end run around the whole thing and then ultimately find some carrier partner to trunk the calls out to PSAPs. It, no, there is no app that works with 911, and there won't be. There, there are very good reasons that you should not do that. Again, I appreciate people's passion, but, like, it just, it doesn't work. Don't. As, unfortunately, there are dozens of apps on both of, both of the major platforms that purport to do something like connect you directly to the nearest police officer. Well, okay, A, the app provider
doesn't know where the nearest police officer is, and B, the only way to connect to that nearest police officer is over a radio platform that I guarantee you that app developer knows nothing about. And moreover, that police officer does not want your 911 call. Like, that's not the process. You know, they've got other stuff going on. You know, for the third of 911 calls that are, like, cat up a tree, or McDonald's got my order wrong, or, or, you know, what, at, whatever the thing was that went wrong, the nearest cop, the nearest firefighter doesn't want that. We have these things centralized for a very good reason. The people that take these calls are an important part of the process, and you can't circumvent that. So sorry to be passionate about it, but yeah, no, no app, and won't be.
Different. Clearly you missed my talk yesterday, so that actually happened. It was, so the question was, if we have all this legacy stuff that's very susceptible and, you know, minimum traffic-carrying capacity, what if somebody has some malware that gets on a major platform and then starts calling 911 repeatedly? What I will do is point you to the DEF CON media server, because once, once that talk goes up, you can get 45 minutes of a great answer to that question. Yeah, in the back. Yep.
The question is, what about the integration with SS7? The regrettable reality is SS7 is going to be with us for some period of time. For most 911 systems, SS7 would be an upgrade, because they're still using MF and CAMA. Yes. Yes, you can, hey, that is exactly the look you should have when I say they're still using MF and CAMA. But they are. That's it. That's how they're signaling things. They're not using SS7. The ultimate goal is to bypass that completely. We'll still have to have SS7 interfaces for carrier networks that hang around, because Signaling System 7 is going to be with us for some period of time, but next-generation 911 is designed to start getting rid of that, get it out of the system as quickly as we can. I think we've got time for maybe one or two
more questions. Okay, I'll be hanging around in the hallway then. Thank you all very much for coming to the talk, and great, great getting to chat. You take care.