The last thing I'd like to do is introduce Andrea. Andrea is a BRCA community data organizer and a co-founder of the Light Collective. Along with Fred Schroeder, Andrea discovered a security vulnerability in Facebook's group product that affected all closed groups on Facebook, which is significant, especially if you don't understand what privacy is really about. Without further ado, Andrea, please.

Thank you. It's nice to see some friendly faces here, and for those of you I haven't met, thanks for coming today. I'm really honored and excited to be at my first DEF CON. I'll start with this: I went to a cancer research symposium a few months ago at this college where I got rejected. They were super fancy. I walked into the room where I was practicing with all of the other speakers, who were all big-name cancer researchers talking about data sharing, and the board, these really rich people, walked in while I was practicing my talk. The blood ran out of their faces, and they were like, oh, you're the hacker. I was like, what, me? In every way, what I'm going to tell you in this talk is a lot about me and my own perspective as a patient advocate who fell into one of the scariest years of my life, discovering a security vulnerability in Facebook's group architecture. Not only did it affect my group, but I came to find out that it scaled to all closed groups on Facebook and was very dangerous. So I will take you through the backdrop of my work as an advocate before this happened. I will share a little bit about the timeline and the experience of somebody who was essentially a civilian layperson who didn't know anything about cybersecurity, how I scaled that learning curve, and how I used my experience in advocacy and genetics to do that. And then I'm also going to talk about what the process was, because this eventually landed in filing FTC complaints.
It started a congressional investigation, the FTC settlement was just announced, and we're thinking about a path forward. So that's what I'm going to talk about. I hope that's interesting.

All right, so who am I? Again, a little bit about my role and background as a patient advocate, and all the places that my genome could have gone right and could have gone wrong. My future changed 14 years ago when I learned that I had a T and a G that somehow got switched at position 181 of my BRCA1 gene. What that meant, and I used to say I have the breast cancer gene, but everybody has a BRCA1 and a BRCA2 gene; what I have is a mutation. I have a bug in my code. I'm a mutant. When I was going through my experience in the early days, back when I tested positive in 2005, there were not a lot of resources or support for women like me, and I really struggled. I was alone, and it was an incredibly isolating experience where I was basically in the closet. Eventually, I came to the point where I faced my fear. Imagine being told that at some point in your future you have up to an 87% chance of getting breast cancer and up to a 60% chance of getting ovarian cancer in your lifetime, but that those statistics and numbers are changing because we need better data, and we don't know when you should have your surgeries or remove your body parts. That's a really hard path to take, but I've gone through facing some pretty incredible fear and come out on the other side of it, and I continue on this path. And there's a reason I've done it. I've found over the past seven years as an advocate a shared identity with other women who carry these genetic mutations. There's a really great article in the LA Times that actually references our situation. Again, we call ourselves previvors because we have these genetic mutations. We're being told our futures, and we know that data sharing is a really important part of better options and better solutions, and we try to support each other.
Well, in the beginning I didn't have any support, and what ended up happening was I went to social media, like many people do. Many patients go to social media seeking support in a shared identity. And what I found was an incredible group of women. Amazing, wonderful, brave previvors and survivors who carry these mutations, who understood what it was like to feel alone, to make these agonizing decisions, and to navigate a healthcare system that wasn't evolving as quickly as we were evolving. Well, where did we find ourselves? We found ourselves on Facebook. Back in 2012, these groups were kind of under the radar. We just kind of emerged. I was a founder of the group that I now co-moderate, which is called the BRCA Sisterhood, and they're an incredible group. But as it evolved over time, we started seeing the need to think about governance and privacy and all of the things a growing community needs to make sure that the people who are there for the right reasons are in a safe space and protected.

In every way, I think this fits into a much bigger picture. So I'm going to talk a little bit about how my genetic mutation fits into this broader picture. I don't know all of the technologies in cybersecurity. I don't know everything about all the genes. But what I do is look through a lens, and I think about my own mutation and all the data that affects how I can move that genetic mutation forward, so my children have better options to screen for, treat and prevent cancer than I have. That's why I got on this path. In the bigger picture, back in 2013 when I started advocating, it was all about "free the data" and open science. I started writing about a case that was then in federal court, and I started this blog called Brave Bosom. It was all about a company that had patented our genes. The genetic testing or diagnostic testing company in question was the one that had done my genetic testing.
And I hadn't realized, oh my gosh, there's a patent on our genes. Well, this case went all the way to the federal court, I mean to the Supreme Court. This is me co-organizing a rally at the Supreme Court. After that, I was literally the poster child for "free the data" from about 2013 to 2015. The reason for that was that we know in this community there's life-saving data: when it comes to genetic testing and variant classification, all of those data sets are locked away in silos, and we as patients need them in order to have an accurate test result. This is a map of different public genomic data sets and all of the different variants. Let me just show you: over on the left is something called BRCA Share, and up here is ClinVar. All of those have different variants that are classified. What happens in genetics is that scientists, researchers and clinicians get together, look at the health outcomes of people in our community, and then say, oh, these families got a lot of cancer and these didn't, so that means this one is pathogenic and that one is benign. But a large share of the variants in genetic testing have to do with what's called a variant of uncertain significance, and that's one of the big data sharing problems in genomics right now that I think is really important to think about as we look at life-saving data sharing. This is just a path forward. I just wanted to give this backdrop of good data sharing in this community, and this is a really great resource called BRCA Exchange.

But as we know, and as this community knows, and as I awakened to this problem last year, our data is valuable as a community. If I had a dime for every Silicon Valley entrepreneur who really wants to partner with patients and comes to me wanting to pick my brain and talk about our community and how they can offer solutions. I'm done with that. I'm sorry.
I am thinking about a path forward, because I've decided that the things we design have to be designed from within, from the ground up, not for us but with us. And when we look at the privacy or cybersecurity problems and what the community can offer, I look at a problem like this, where our data is more valuable and the incidence of health data breaches continues to increase, and I know that I need to effect change. I need to figure out what the solution is, not only for the life-saving data sharing but for the life-threatening data sharing, where data can be used against us.

One last point on the broader picture. In healthcare, we have a lot of rights under HIPAA. But when you go to consumer health tech and the broader policy landscape, there are really not a lot of rights or protections for health data today. We live in user land, as I like to call it. As a lot of people know, policies can change on you, and you can't really move; our group is literally trapped. This is a really great paper called Privacy in the Age of Medical Big Data, and it talks about the gap in policy that we need to start addressing. We need to get to these deeper places where users are engaging and where we are going organically to grow these communities or find other solutions for ourselves.

So that's the backdrop. Now I'm going to tell you the story of the scariest year of my life. It was about a week after Cambridge Analytica hit, and I had read all the news on it. I asked myself a simple question: what are the privacy implications of having a patient support group on Facebook?
Now, I started my career in Silicon Valley and have a background in tech. I know just enough to be dangerous in terms of coding and things like that, but I understood data flows, from beating my head against this data sharing problem and thinking about the value of genetic data and our community's mutations for seven years, and also from the way we think about privacy and protections. What I found as I started researching, learning more about these developer tools and looking at the APIs, was incredibly scary to me. I found a way to scrape, from outside of the group that I was in, the list of my group's members, and to attach it to employers, physical location, and other non-public information about my group that the users didn't think would be available to other people. So we named the vulnerability, and I'll get into that. Well, actually, let me take a step back and say, wait, this isn't the full story.

Okay, so there was this guy on Twitter, and I knew him because he had been at a health conference and he wrote this book called Hacking Healthcare, and it seemed to me he had advised Congress on cybersecurity. So I set up a meeting with him and I shared all this research, and he was like, do you understand cybersecurity or responsible disclosure? I was like, no. He came back to me three days later and basically said, I need to speak to everybody who you talked to about this, because if exploited at scale, this can cause a loss of life. I gave him all my research and the tools that I had used, and what he found was that in a single attack we could scrape hundreds of thousands of groups programmatically. And when we say strict inclusion criteria, what we mean is that we attach the scraped list to a part of their identity that is a strict inclusion requirement to be in the group. For me, that strict inclusion requirement is that we strictly require people in our community to be BRCA carriers; we're a BRCA community.
So we are people with hereditary cancer, and that is how we let people into the group, because we want to support people who are there for the right reasons.

So here's the timeline. That was when I started this crash course in cybersecurity. I didn't believe Fred at the beginning. I was like, oh my God, who's this crazy person? I'm terrified. I don't believe him. And he said, you know, please, you've got to trust me. I'm dead serious about this. A council otherwise will help. He started bringing in other people to help. A couple of them are in the audience today, and I just want to say thank you for being along this path: people who have been asking, rolling up their sleeves, realizing this is an incredibly dangerous situation and saying, how can I help? What can I do? I'm from the South, so it's kind of like when you're in a hurricane and there's a Cajun Navy. Who knows what a Cajun Navy is? Oh good, okay. So let me explain to the other people: a Cajun Navy is everybody in their monster trucks and their little lifeboats going around after a flood, picking people up off their roofs and helping. What we started to assemble was this small Cajun Navy helping us, in an interdisciplinary way, to write up a vulnerability report on sick roll and submit it to Facebook's White Hat portal through the responsible disclosure process. It took a couple of months, and we submitted it after writing all of this up. We gave them screenshots, we gave them very specific actions that they could take to protect us, and then they said, okay, we'll take a look at this, and we gave them a timeline. Come July, they gave us a response basically saying: the system is working as designed. We may kick this over to our product team in the future to think about new features. Thank you for your product feedback. So essentially we were like, what? That's crazy.
This is really dangerous, you guys. I didn't believe it in the beginning, but then I went out and found groups where, if their members were outed, there could be a loss of life. They could be harmed with this information. And I was scared. So we wrote a letter to Facebook, and we co-signed it with the women in our community, the admins and moderators representing about 30,000 people in this small ecosystem of support groups around the world. Three days later, they closed the most dangerous permutation of the vulnerability, quietly changed some of their privacy settings, and then, I think the same week, there was that 700-page congressional report on all of their stuff. And so we went public. What happened then was a huge barrage of news headlines that were really not the accurate story, but kind of portrayed us as a bunch of RLR women just, you know, thinking about this, not from a security research perspective, even though we had the experts. I just felt like it could have been portrayed with the scale and danger that it had, and it never was.

So let's fast forward to December. We submitted an FTC complaint, and then in February we made it public. As soon as we made it public, a couple of reporters reached out, they did an interview, and then immediately lawmakers and some people on the Energy and Commerce Committee started an investigation, and that led to this letter to Mark Zuckerberg from the Energy and Commerce Committee. I just want solutions. I keep feeling like we talk and we issue reports, and I want my group to get to safety. And here we are now, a couple of weeks after the FTC settlement, and of course we've read the settlement very carefully. We agreed with the dissenting opinion from the commissioners at the FTC that this didn't adequately protect our rights, nor did it address the scale and harm that was being caused and swept under the rug.
So what is the harm? I think maybe some of the people in the audience know these things better than I did in the beginning, but if you don't know what the harm is, I want to share some examples of what can happen in a group hack. After finding this, and as I quietly sit like an unarmed village and see this vulnerability exploited, I am very scared. So I want to warn anybody who is a sexual assault survivor that some of the things I'm about to share are a little bit triggering.

There was a Facebook group of 15,000 women, in about the same month that we went public, that got infiltrated and scraped, and the women were threatened. The response from Facebook was that they quietly deleted the group. I'm going to show you the screenshots. I have to show the harm while protecting the identities of the women involved, so the profiles shown are fake: anybody who's not covered up is a fake profile. They switched the group from a support group for women to making fun of and threatening these women, taking pictures of children that were on their Facebook profiles and threatening to contact them. The way we knew that sick roll was used in this was that we had accounts from the women who said the attackers had told them they were scraping the list of the group, and that they were sharing, in private messages, examples of the women's employers. To us that was a sign, because you don't share your employer in a Facebook group; you get that by doing this reverse lookup and connecting all the lists. They also told these women that they had lists and could contact them off Facebook, and for one of them they did. For one of these women, the woman who I knew, sorry. For one of these women, she attempted suicide, and as she made that suicide attempt, she posted a public picture on Twitter.
I could see that somebody was following her, and I took some screenshots, and I took it to the FBI. I never heard back. I still want answers for these women who were hacked, scraped and deleted. 15,000 of them deserve answers. They deserve some accountability. And what did they get? Nothing. It's like being re-traumatized. It's like the same thing happening to you again, and then pretending like nothing happened because it's not convenient to talk about. So I need to talk about the harm.

How many of you in this room are familiar with ILMAB? There are a couple of people. ILMAB I saw happen a couple of months ago, I think around February. I was pretty scared, because I saw the ILMAB hashtag and I started following what was happening. Essentially there was a group. I'm going to take a step back here and say that a lot of people have responded over the last year, as they think about their reactions to this story, with: well, I never would have used Facebook to share my information. I know everything on the internet is not safe. Why would you do this? Well, this was a group of long-standing, I think, cybersecurity professionals. I'm new to this community, so I don't know much about it. But what I did see is that they scraped the list of the group, and then they started contacting people's employers. So if you think of the last story versus this story, you can imagine the conflict I am feeling, having learned about responsible disclosure and having found something that can be weaponized, and knowing that there are bad ways to use this vulnerability and there are, I wouldn't say good ways. I would say this just needs to stop, because what it's doing is radicalizing people and tearing communities apart. That is one of the things that I have no good answers for, but I am seeing it in real time, and I'm just observing.
The other one that I think was described with very chilling precision for sickle was To Protect and Slur. This was a study done by a nonprofit group that had scraped the groups and then compared hate groups with police officers. So again, it's a weapon, right? It was a weapon where what they did was out the group members who were police officers and also members of hate groups.

I wish I had all of the answers. I wish I did. All I want is a path forward. I want my group to be safe. I think we can say to ourselves that privacy is dead or there's no point, and yet I am hopeful. I want to leave this and start a conversation about why I'm hopeful. Even as we keep waiting for people to do the right thing and fix these problems, I'm hopeful because of the community that has organized around us and the experts who have supported us. I'm hopeful because I think there are solutions beyond what limits us today in policy and in what we know about rapidly emerging tech. I am hopeful that we as a community are going to have a set of rights that we don't have today. And I'm going to keep banging this drum until we get it. I'm not going to stop. I'm not going to stop because I can't. I don't know exactly what all the solutions are to have a safe space for people and the right model to sustain peer support. But I know that it was a lifeline for me. There's evidence around the efficacy and importance of that lifeline for other patients on social media and for vulnerable groups going through grief, going through fear: mothers with children who have autism, mothers going through postpartum depression, parents who are going through divorces. The implications of needing peer support are endless and important, and we must protect them. For me, this is about protecting shared identity when a community is worth protecting. And I've been really humbled learning about DEF CON. I think DEF CON is another community that we really have to protect.
It's really incredible. So we started a nonprofit called the Light Collective, and we had a small grant through the Robert Wood Johnson Foundation to give some resources to the admins and moderators who need them. But again, we're still in Cajun Navy mode, and we need FEMA. I think the people in this room are the FEMA we need. After all of the conversations I've had, I'm just really humbled and inspired by so many incredible minds here. So we're focusing on collective governance. We're thinking about fair partnerships. We're thinking about good moderation practices and how we build things from the ground up instead of from the top down, not only for policies and the way we make decisions, but for the way we design features. How do we do that from the ground up? I was really nervous to be giving this talk, and I don't know if anybody knows Brené Brown, but I'm in this place where, after facing fear and after thinking about a path forward, I want other people to be hopeful and fearless, because what it's going to take to get out of this is a lot of courage and stepping outside the lines of business as usual, or the jobs that we have today, or the problems that we think are the ones we have to solve. I think we need to start thinking differently. Thank you, and I'm open to whatever you think the solution might be.