Hello, DEF CON. I've been wanting to say that for about seven years. This talk's called Socially Owned in the Cloud. My name is DigiVigil. If you were expecting somebody else, that's bad. Since you're all here, I figured you were expecting someone else, but it's OK. So let's go on.
What was my motivation for this talk? Obviously to come up here and say, welcome, DEF CON. But not entirely. Not all of it, at least. The talk is about intellectual property, but from a somewhat different angle than we usually think about it. At least as usually, I think about it. The big corporations have proven to us all over and over again that intellectual property is very valuable and that the laws that govern it are enforceable, at least if you are a large enough entity. And a lot of the data that should be really important to us and mean a lot to us is not governed by any rules that we can set.
People these days, myself included, post data, personal data, in relatively public forums without any real way of controlling what happens to that data afterwards. We kind of started off storing valuable information in bank boxes, vaults, our homes, whatever else. Then the computer came along and it was a great thing for storing data in. We started backing it up to CDs, USB, external hard drives, whatever. But the point is, up until that point, most of the data was either stored in a secure location that we controlled, as in the bank vault, or at our home in this computer. As the internet became more prevalent, we had the opportunity to move our storage away from not just our private house or the control that we have, but onto public sites. A lot of those public sites we rent in order to store data. So technically they should be safe, except we don't really know what they do with the data. At least I'm paranoid, so I don't know. And the last step is that we have the ability to store personal data in a public forum, like MySpace or Orkut or one of the different social sites.
Our private sphere has also evolved away from just being the people that we are close to in our daily lives. Through the people we could telephone, telegraph. Then we had BBSs. I love the BBSs when they came out. That's how I made friends. It was weird. Let's not talk about that. I just said it, didn't I? And then it evolved into these tubes that we can now communicate with a lot of people a lot of the time. I tried to find the other drawing of it, but I failed.
So in those two evolutions that we saw, we have gone from in-person communication, that was when we were standing together, to in-person communication over wider spans with telegraphs, telephones, letters, to email, which could be sent to more IM one-to-one immediately. But we seem to be moving more towards the communication between ourselves and a group of people, so one-to-many instead of one-to-one or one-to-a-little group. I guess with Twitter, it is one to however many are interested in what you're tweeting about, which in my case is nobody, but there could be a lot of people following me if I was famous.
For some reason, there has been a lot more control over the rules that govern our data. When it comes to snail mail, who could read your mail was so much regulated by law. With a telephone, though recent administrations have done their best to subvert those laws, there were rules about who could listen to your conversations, at least if they were domestic. If they were international, then there were much less rules governing that. And with the new ones, like social security, no, social sites, not social security. I'm not going to talk about my social security number up here. And those EULAs that we get that we can read from all the different sites that we go to and the different software we get, I don't know anybody who reads that, except the very brilliant people from the EFF, and they can even understand what it says. I tried reading it, and I really can't.
And I even have a little background in law, but I don't get it. So when we put our data out there, how do we know what the provider is doing with it behind the scenes? How do they store it? What's your distinction? Can you remove it? Can you delete it? What can we do? We give our data to them, and we update it frequently, at least some people do. But at the same time, we don't seem to have the set of rules that governs what we can do with it.
And this was the core of my presentation when I started it, getting an answer to these questions from the biggest providers out there. And it was meant to be a survey of, OK, here are the questions that I think are in a lot of people's minds, and how are you addressing it in your business, and what is your plan regarding it? Do you care about these issues? And they definitely do care about the issues. And they do spend a lot of time researching it and making policies on it.
I don't know how many people here. I saw a couple of people with a Kindle. And I believe that recently there was a bit of a tiff when Amazon removed some books from the online libraries because of rules. And they have also said that, well, they've proven that they can remove the books. You buy a book and you expect to be able to download it to your Kindle for the rest of the lifetime of that device. And actually, new Kindle devices after that know the Kindle platform devices. Apparently, that's not the case.
So I wanted some answers. And I wanted answers from the big players. And I wrote a survey, a long survey. And I sent it out to some players that you might have heard about, of course, of being online. These are the prominent players in various segments of our online life. I tried to find, I found the direct contacts that were on the website. I went online. I found people who'd posted in various forums, in various industrial magazines and such, and sent it to them. These were emails. I filled out online forms. I sent a snail mail.
I actually went out and bought postage, wrote things, and sent it off to a lot of different people at each company. And the result, yeah. They didn't really want to respond to me. And they didn't want to respond to any of the other people that I could get to write the letters to either. I did receive one terse comment from Amazon that claimed that due to the competitive nature of the industry, they could not divulge any data, presumably for fear that their competitors would use this data for nefarious purposes.
In other words, our data has become the corporate asset way out of our control. Not only can you not control, but you're not allowed to query about its contents, the existence, or in a lot of cases, with some exceptions, you can't really get it removed. One of the things that you would need in order to get it removed is the ability to query what they have.
Some European countries and Europeans in the audience? Hey, hi. I have read that in some European countries, the rules governing what countries can store about you is actually governed by laws of that nation. And I have no idea how sites like Amazon actually deal with those laws, or if they do at all, since they do operate in some of those countries like the UK and Germany. But I'm no expert in international law.
Some of the sites do have a little click box. You can do this as remove my data. If any of you have been on dating sites, I, of course, wouldn't need them, but I did. You can deactivate your profile. But for me, it seems they keep it for forever anyway, because you keep getting the emails, well, somebody winked at you. Guess what? Well, my profile is not active, so could that happen? I don't know. But my expectation is that they do store this data forever. I was recently attending a workshop on data mining, NEL Security. And one of the speakers there made this point that storage is cheap, even if we don't know what to do with it, meaning the data, we will figure out a use for it later.
And they build more and more complex models in order to try to sell us more and more things, or do whatever is the goal of the corporation that has that data. And most of them will sell the data, not directly connected to our person, but in aggregates and trends and so on and so forth. So your data that you have given up, fed them through, what's it called? User-contributed site search, become intellectual assets with big corporations that are governed under their laws.
So my hope, after I found out that I couldn't get these answers, I changed the track of my talk a little bit, because I can't really give you the results of the survey, since the respondents were not able to do it, or willing to do it. Maybe if I had been from a large institution which had lawyers and everything to help me write it, I would have been more successful. But as a print. So sorry, thank you.
Some of the earlier slides tried to refer to that. How do you store data? What jurisdiction is it under? What happens to the data when the main person owns it and dies? This is a specific interest of mine. Well, so if I had a lot of content that I had on Kindle, or if I had a lot of content in iTunes, or any of the other sites that actually lease you media in these days, usually if you think about having a book collection, when you die, your heirs will get to split that book collection and it lives on, as with the record CDs, whatever else you might own in a physical sense. As more and more of our commerce moves over to be buying content online and some of that data being DRM. I know iTunes now is switched off from DRM at least for their music, but for their movies and for their TV shows it's still the same.
Sorry? Are you concerned with the Kindle? The Kindle as well, yes. Because it burns? Yes. And also for iTunes or for other providers in the same space, the central tenet there is that we don't really own the data anymore. We lease it.
And the period that we lease it over is set by the corporation that depending on when their DRM walls go down or whatever like that, we cannot access it anymore. In the old world, we owned it wholly. If you want to go down, you mentioned Fahrenheit 911, 451, sorry. 1984 is not an interesting book in that since we don't have physical copies anymore, they can actually change the content of the books, the music, the videos, the video, and anything else at their leisure and they might actually do. Yes? Yes.
I recently went to a few presentations by Microsoft. We all love Microsoft. They give us Kool-Aid and other scary things. But they have something that they call the identity meta-system, which is meant for single sign-on across multiple sites. But it has some interesting side effects in that you can actually grant permissions to specific entities for a specific period of time. So my hope, going forward, that the DRM that we all loathe today, at least I do, and we try to get rid of, could actually be used by us in order to control the data that we wish to disseminate out to various sites so that we would grant them a non-exclusive license that we could terminate when we no longer felt that that site was serving our needs for our content.
Sorry? I have not. Sorry. No? Excellent. I know that there have been a couple of efforts. I hadn't heard about that one. Do you know if Facebook or MySpace are actually behind that? Excellent. Well, Facebook is currently the big kahuna, right? And MySpace is losing people left and right. Let's see.
So I would say that social sites make their money off of us and our content, our sweat, and our work, and our life. We should take our control back, and we shouldn't let them play with our data without having protection surrounding it. And that's the end of my presentation. I spoke too fast.