My name is Greg Conti, I'm a computer security researcher and faculty member at West Point, that's the United States Military Academy. I hope to do several things during the talk today, convince you that the information that we're all giving, both as individuals and companies, to other online companies is massive and it's dangerous and it's going to get worse before it gets better. And that by the process of relying on third parties for critical infrastructure and giving them possession of our data is a clear and present danger and it's a risk because that information is coveted and often accessible by a variety of parties, both legitimate and illegitimate. And that the compelling tools and services that we're passing information that cause us to pass information on the network is often visible to networking providers as well and the whole ISP scenario. I am here as a free citizen and this is my disclaimer and the background of the slide is where they send people who don't put up their disclaimer. So who's familiar with the AOL data set disclosure of two years ago? So what would you say, about a third of the audience, third of the audience, something like that? Who's seen the data? Okay, so maybe five percent of the audience. So for those of you, I've been studying this problem for about four years pretty heavily and I always tried to make the case to tell people you're giving away a lot of sensitive information via search, and what website, when you're using mapping software, where you're looking, basically any online tool and service, you're disclosing some information, and the larger the company, the more services, the more information you're disclosing, and it was hard kind of to make the case. So I gave a talk, kind of an early talk of this in August 2006 and three days later AOL released a very large data set containing the search queries for over 600,000 people and about 24 million queries and I think that makes the best case.
In a way it was sad because what they were trying to do was facilitate an open research community, but they were nominally anonymized, basically just switched out user IDs with basically handles with usernames with an anonymous number, and it didn't take much to take a set of queries and work back, and that was soon picked up by sites like AOL Stalker and AOL Psycho that went out there. I mean this was in the public domain so they just added a web front end and people could go out there and search to their heart's content. So let's just, as we move forward I want to convince you that we're giving away a lot of sensitive information and think of this as just one vector across many vectors. Any online tool or service you're giving something away. Whether it's a free email service, whether it's mapping, whether it's, I mean just any conceivable and I have examples in here. So this is just one of many, of hundreds of potential different paths. And again this is in the public domain and this is AOL user 2708. Okay and the deletions are my deletions. Let's see where that one's going. I'm sure this guy got a lot of CDs and free porn mpegs from an anonymous address. So I didn't edit this down significantly so that you can kind of see this mixture of mundane and with this kind of ongoing theme of revenge. So again it's difficult with context. This person could have been writing a story or this could have been part of someone's life. But as we move forward with this talk I think just this and there's other examples. I mean they're all out there. They're for the world to see which is a bad thing. And they're not being anonymized necessarily. I mean the raw data set's out there. And when you look at the, this is just search. And this was just search over 90 days. So I did a survey of college students, 352 college students about five months after the fact. And they're surprisingly, I thought it was surprisingly because to me this was big news.
If it's on Slashdot you can almost assume that it's common knowledge in the tech community. But for the average college student 84% hadn't heard of it at all, 7% vaguely. And this was shortly after the event and only 2% were familiar with it. So you've got this context. Even something like that which was picked up by mainstream media and was about as loud a bang as we've had still didn't get people's attention. So in this talk today I'm dividing up into several main sections. The first is covering the types of information disclosure. And I think it's useful to take a step back is just the generic idea of information. How information flows out of your computer and then how it goes across the network and the impact of websites and ISPs on that chain. The different vectors that we're using both some current ones and where things are going. And the idea of cross-site tracking because that's an integral part of this. The idea that if you think you're going from one website to another and no one's detecting that, you're probably mistaken. So I may use the term Googling. I'm using the dictionary sense with the little g. And I'm using it broadly to refer to the wide range of free online tools and services. And when I say web-based information disclosure, that's things that users, you and I type into or share with third parties and it's often stored on someone else's servers. And this is a key tenet that I argued that the free web tools and services that are out there, they're not free. We're paying for them with micropayments of our personal information. And a result of that study, and I have a link to it at the end where I had the statistics from, the takeaway we had there or the conclusion we came to is that users aren't entirely oblivious to the fact that the information's being collected, but they're doing a cost-benefit analysis. But it's one of those short-time cost-benefit analysis like, I'll give you a free candy bar in return for your password.
And they're not thinking long-term years and decades. Sensitive information, and I thought this is very ironic because this is Eliot Spitzer, the former governor of New York who resigned under a prostitution scandal. And he was just pointing out the sensitivity of electronic trails people leave behind. And he, as well as Mark Foley, a former U.S. congressman who was brought down by the electronic trail he left behind. I don't want to read this, but you can get the idea. It was the classic chatting using instant messaging with an intern kind of thing, a male intern. But more importantly, it's the end users. I mean, people in this room, you're savvy folks and you know how to defend yourselves. The broader populace doesn't. So part of the reason of being here today is to kind of get engendered some discussion and move forward and seek solutions. Because largely the population out there is defenseless. And I'll just read the top one. Can anyone help me please? The stalking thing, and she's referring to the AOL Stalker site, so she saw her stuff out there. This thing is not funny at all. When I type in my name, it gives lists of places that show where I've been on AOL on the net. This is nobody's business. And I have not done anything wrong at all. And I've contacted AOL about this matter. And they keep saying they will do something about it, but never do. And what she doesn't get is it's in the public domain and there's really, it's game over at that point. Sally at the bottom said, how do I get stuff removed from AOL Stalker? Can anyone tell me? AOL won't respond even though they claim willingness to remove data when requested. Someone, anyone, please help. And it's a shame because AOL was, on one hand, trying to facilitate an open research community and they just missed the mark on what they were sharing. So there's ongoing research on better ways to anonymize data.
And it's hurt the research community, but at the same time, I mean, this thing hurt a lot of people. And this is all in a very complex environment where governments worldwide, oftentimes the cost of doing business, is, well, the cost of doing business is complying with local rules and regulations and laws. And that makes for, and laws and governments and environments vary in each country you go to. And there's been examples here. There's a far-reaching request for search query data from the Department of Justice. There is an incident where an Indian man had posted disparaging comments and the local governments pushed on Google hard to share information. Another man posted a fake Facebook profile about one of the country's leaders and was jailed. I mean, the list goes on and on. And most recently was the request when Google was ordered to give over, like, all the YouTube user data to Viacom. Now that's since been, I think, brought within the realm of reason. But just the fact that this stuff exists, it's like a personal diary. Your personal diary of yourself, groups that you belong to, and your companies and other organizations, they're all out there on someone else's servers. And the law, and I'm not a lawyer, but my understanding is the law is different. Information on your computer has a certain degree of protection. Information on someone else's computer that you've already shared has a lessened degree of protection. And like I said, the situation is going to get worse before it gets better. This is an example, and I debated putting it in there because it's kind of hard. It's New York Times statistics based on comScore data. And it was kind of hard to backtrack and be able to defend each individual number. But this is a chart of the number of times data is collected on each visitor in a month by a number of online companies. And from one end of the spectrum was Yahoo, where they claimed 2,500 pieces of information were collected on each visitor in a month.
And you see all the major players out there are collecting data. I was at the point here. And at the same time, there are millions of visitors. The scale on the left tops out at 180 million. And sites like Yahoo, AOL, Google, they're all approaching 160 million. And getting hard numbers out of companies is difficult. So I'm not saying these are the exact numbers, but I think they're a reasonable estimate for discussion today. That there are millions, perhaps hundreds of millions of visitors to these sites and large amounts of information is being collected. And this is an environment where there's only 20% internet penetration. So in Asia, which has 518 million users, and you can see Europe, North America. Globally, it's only 20% penetration, so it's going to get worse. And another driving factor behind that is the number, is the ubiquity of computing devices. It's not just desktops and laptops anymore. The world population is 6.6 billion. In this past year, the number of cell phone accounts crossed half the world's population. So 3.3 billion cell phones. And what's the trend with those? There's more and more power, embedded location-aware technologies and web browsing capabilities. They're becoming small computers unto themselves. There has been some progress that came out of the AOL incident. And kind of there's this flurry of activity. And then after a period of time, there was some movement specifically on data retention of search queries. So Ask.com took a very strong leap forward. They have an AskEraser service where their policy states that they'll just retain the data for hours before it's discarded. And Google, Microsoft, and Yahoo also came out with policies at which point they would anonymize their data. And please, as I'm walking around the con, I've been researching this hard and I want to continue doing so. If you have more current information, please let me know. Same thing with logs.
I found this, all these public statements, all the news just surrounded search queries and some about cookies. But as far as all the other range of products and services offered by these companies, I couldn't really find anything. And the absence makes me wonder if there is anything, any anonymization built into a policy there. As well as, I mean, other companies, these are just the big ones in the spotlight. What are the second-tier players doing? And also the idea of the cookie fallacy. And that's what I call it. And there's this, Google cookies would expire in 2038 or something like that, 2038. And they moved it back to two years. But in general, the idea of changing expiration time down to two years still really doesn't make that much difference because it's typical in an online company, they just update your cookie when you visit. So you'd have to not go there for two years. I think your computer would blow up and you'd get a new cookie that way before an expired cookie would matter. And also ISPs. And if you have some good sources or links on the data retention, public data retention slash anonymization policies. I mean, I've done some reading and there's a little bit out there. But if you've got some nice sources, please send them my way. Because I do wonder about ISPs as well. And I said the situation is complex because on one hand you've got user data and companies, it helps. It provides a competitive advantage. And you see, but it's important to realize, and this is I think another conclusion that I came to, is that you just are seeing the tip of the iceberg when you're using a search engine to pull out information. Say you're using Johnny Long's Google hacking techniques or something like that. You're only seeing a small fraction of the entire database. So there's this publicly available portion and then there's the private portion. And presumably it's well protected, but just the fact that it exists is significant and a major concern.
And you see little things like eBay. You can click and see what a given user has bought. And that's probably 0.001% of what they actually have on folks. And the same thing with Amazon. You see it manifests itself when they make recommendations to you on what to purchase. And you get insights into the other data monitoring. So this information is valuable, but there's this tension where you're... What I'd like to see is almost no data retention, but that's a personal opinion. On the other hand, the business case is, this stuff makes for a competitive advantage. And that's the environment that we're working in. At the same time, this information, companies are working very hard to profile people so as to better target advertising. And the two examples on the left are Tacoda, where they have examples of a career watcher and an active gamer and they have all sorts of happy examples. But I think there's much more realistic and scary ones that are entirely possible that would concern you. How hard would it be to profile someone as a Google hacker? How hard would it be to profile someone as a security researcher, a political activist for a given party, as a person with AIDS or a cancer survivor, a corporate leader, a spouse of a corporate leader perhaps, a law enforcement officer, a government official, and the whole spectrum of profiling is possible. I debated putting this in there because what we're doing is talking about information flows on the internet, but I think it's useful to consider just information flows into and out of your computer. And I try to be comprehensive and think through the entire range of possibilities information can flow into and out of. And really the primary way is the wired network or your internet connection. That's how information flows in and out. But as security professionals it's just useful to take, your information can leave your premises in a variety of ways.
So if you've got your personal computer and imagine you drew a circle around it in chalk or something like that or actually this would be more like a sphere but you can't draw spheres with chalk. The power line. So when you have physical wires connecting your computer to something else, information could very well flow and there's a wide range of side-channel attacks that show that information can flow in a variety of ways and there's often value in it. And we know that there's networking across power lines. So we know information can flow in the presence of power. Personally I don't think there's much there because, and I've talked to some electrical engineers who say there's a great deal of filtering by power supply. So the idea of information leaking out of your power line is unlikely. But it's useful just to kind of think broadly on the subject. And clearly phone lines, modems and the like. Electromagnetic emissions. TEMPEST is the government standard for reducing electromagnetic emissions. Some are deliberate as in wireless connectivity. Others, I mean it's the bane of computer engineers worldwide that electronic emanations can screw up computation or communication on a variety of undesirable paths. Sound, researchers have found that just by hearing the typing of someone they can identify keystrokes to a high degree of accuracy. So it's useful to think about that. Things, things go move in and out across that boundary when your connections to peripherals. And then of course people, both what they carry and what's in their head. And back to the wired network. Now those threats, that emanation of information occurs on your PC but it also can occur across any pair of, any node on the network. I mean it's a computing device and actually the link between the two before it actually gets to the server of the online company. And we have, we'll have some examples down the road in the talk where we'll talk about the capabilities of ISPs. Here we go.
So it's useful to consider the vantage point of a large online company versus the vantage point of a large ISP. An online company receives traffic globally. But they're not seeing, it's for many customers but it's dispersed. They may be part of an advertising network that brings additional information so they can see activities off their computer itself. And they have limited knowledge of user identity. In some cases it's clear, if you have a registered account or you purchase something. And usually the business model includes the capability to do extensive data mining. Contrast that with an ISP. Well an ISP sees traffic from all of its customers. Except, except encrypted traffic, usually, although there are capabilities of business products to do SSL man-in-the-middle. And it doesn't have visibility of obviously, it only knows its customers, not everyone else's, where the online company sees a global swath. But what they do know, and this is important, they know the identity and location of accounts. So they know who signed up for what, where it is. They typically have a wire run to the computer or to the wireless access point and they have that critical piece of information. Historically ISPs have been essentially a utility. Like water, providing you electronic, like networking to your home. That's changed of late. And I have a couple of examples later on. But what they do is they have the power to manipulate the flow of information into and out of their computer, out of your computer, and they're using it. Here's an example. This is Road Runner. And what Road Runner does is if you mistype a URL, they redirect you. And so they're able to know, they redirect you to an ad-laden page. So they're able to control your information flow. And Google, I'm sorry, this is out of the Canadian ISP Rogers, screenshot from Lauren Weinstein's website. And what they did is they added advertisements.
As the web browsing occurred, they added an advertisement as a header on, they were testing that out. And we can't rely on just the integrity of the flows into and out of online companies. So it's the cool new or compelling tools that are out there that we use that would encourage us to disclose information. And counterintuitively, the easier they are, the more we're compelled to release sensitive information. So there's traditional ones such as search, communications and the like. Getting into advertising networks. But there's also, take a close look at what the Web 2.0 innovations are bringing on and what there's some fundamental shifts taking place. So think the trend away from the desktop. The idea of moving your office suite software off to someone else's servers. And there's been some movement. But in general, the tool resides with someone else, and your data is stored somewhere else. Generally that's a bad idea, even if you maintain a local copy. Mashups, location-based services, social networking, it's useful to think at each of those in regard to the information you're disclosing. And finally, with cloud computing looming on the horizon, I think it's important for all of us to think about the privacy implications and threats coming from that as well. So just to flip through a few different examples of things we were disclosing information through, this is Simply Google, which is a consolidation of, and basically it's just useful to, it shows all Googles the variety of different search facets that it provides. So that's just one example. Mapping systems, if you imagine your corporate headquarters and your administrative staff, what are they doing MapQuest results for? What does that look like when aggregated over time? What if you're looking at a particular region of the world to do some, you're flying a VIP out to a particular region. Chances are they're doing MapQuest or some mapping type search to provide a nice little packet to hand to the boss.
Then there's the idea of, I mean, and this is actually a two-edged sword, it's kind of like an extension of mapping. Where are you looking at in, say, these 3D world street view type products? But it's also the contents of the images themselves. So it's a double-edged sword. It's what you're disclosing, and the fact that they're actively collecting the information. The fact that the, perhaps there's movement afoot to anonymize tools like Street View. But my understanding is that's just anonymizing the public view. You have to wonder what about the original source data? Is that being anonymized as well? Tools like LinkedIn, which a lot of people around this place use. And sites like that know your contact and your contacts' contacts. But sometimes, particularly when I have an old friend that sends a note and contacts me through LinkedIn, I feel like a bit of my privacy has died. Because now a third party knows that I know this person. Sites like Craigslist, browser behavior. Say, for example, you went to it and you're searching for personal ads. You visit Las Vegas and you're searching for personal ads. YouSendIt, FTP replacement service. Very cool. You upload a file. They send you a URL, and you can send that URL to others. So you can send very large files. But, and again, this is an example of you should consider the information disclosed through each of these services. You're uploading a file, a big file, perhaps an important file, to someone else's servers. What happens to it there? What happens to it there depends on their privacy policy and luck. Even the most innocuous site, and one I think personally it's a great time to be alive, that there's a rot13.com. But, and I mean I think it's cool, but the idea is that any site you're pushing information into could very well be collecting it and retaining it, and particularly the ones that have business models dependent on it.
And just another example, the fact that you as an individual listed a, this is Google's page where you type in a link, like this should be indexed by Google. When you do that you're going back to data mining and linking between individuals. But what you're doing is creating a strong link between you and your cookie or your registered user account and a given website. And this is something I'm not sure how much, I mean I know people are aware in general, but I'm not sure how much we're moving forward. I have a suggestion I think on how to make this better. But it's no longer just being logged by an individual website. It's been, I mean obviously there's been cookies and web bugs and things like that for a while. But it's usually, I think it's getting worse. And let's take a look. So referer values, tell you where you've come, tell the site where you've come from. Click-through tracking tells the site, if they do so it's using JavaScript, it tells you where you're going next. Obviously there's cookies. And sometimes it's interesting that sites are using like AJAX technology. So what you see the first time isn't showing you that if you do view source you're not seeing the actual source. The source can be updated as you go along. There's information sharing agreements, advertising networks are consolidating, web bugs, and then probably the most concerning is the idea of third-party content because I don't think a lot of people realize. If you embed third-party content on your web page that's pulling say a YouTube video from a server. So you visit that page, they can track that person. Any time you go to a site with an embedded video from a common source they can track you as you hit one of those sites. Web analytics services and like the same. And just an example. I know Amazon's affiliate network, they have, when you do text links they have basically web bugs that are pulled from their servers, at least last time I checked.
And then also you're seeing relationships between large parties. This is an example of eBay pulling ads from a Yahoo server. So you're seeing relationships where, say you have a company you don't want anything to do with, you may be surprised. This is an example. I did create a tool called RUMINT which is a security visualization tool that shows network traffic. And on this left on that white line it plots locations on a scale from 0.0.0.0 at the bottom all the way up to 255.255, etc. So that's like a scale you can plot a point on there and show an IP address. So that was my computer. And I turned it on when I visited MSNBC's website. And you can see the green lines. So there's a cluster of files at the top and just zooming in. Each dot represents a packet that went off. And then another cluster, another set of packets. And another cluster and another set of packets. And I wasn't sure if you'd be able to see them. So that kind of highlights the major regions. So it turns out when you visit, and that's the site on the left, you're not just visiting one site. You visited 16 third-party sites. And I went out and looked each of them up. 10 of them are from different companies. And this is a common practice. And right now we can detect it because they're going to third-party sites. I mean, the company itself could manage this internally and it would be invisible. But for now, we can see it. And because you're visiting so many sites, and a friend suggested this idea to me, the idea of the least common denominator. And this is a big deal. One site may have a strong policy, but really dealing with the lowest common denominator, privacy policy, when many sites are involved, which is significant. So is there a browser plugin that easily shows third-party contact? So what I'm thinking is like in Firefox and the status bar at the bottom, you visit a site and it'll just show you a number, like 12. And you click the drop-down, it shows you everywhere else you visited.
Has anyone seen anything like that? NoScript? And is it pretty seamlessly integrated into the interface? Okay, cool, thanks. And you may be familiar with... I mean, people have been aware of the problem and even the Black Hat keynote speaker suggested something along these lines. If you're familiar with TrackMeNot, the idea is that it inserts spurious search queries and the idea is to mask your real queries from the fake queries. I think there are many issues with it and I don't know if we'll ultimately be successful and you'll probably anger a lot of online companies by just continually sending streams. But I found it interesting that the Black Hat speaker suggested not just for search, but because of profiling and the like, we need to do this across as many different avenues as many different websites as possible. I don't know if we'll go there. The idea is to break up profiles to spoil profiles. Which again, there's this balance. The business models are built on them. That's why these services are free. On the other hand, there's this tension. So, interesting. And as we walk around the con, I'd be interested in your thoughts on that. So there has been some progress. There have been attempts at raising user awareness. The business world is looking at data leak prevention. There's been the search query anonymization I've mentioned. And then this is a little off topic, but what Google did with the malware warnings when a site was suspicious, it would give you a warning in the search results. And even the I'm Feeling Lucky button you click, it wouldn't automatically take you to a malicious site. It would take you to another page. So this, see there's users and then there's DEF CON attendees. So you're savvy computer folks and two different animals. But this is an example that would probably throw you into anaphylactic shock. If you watched the video, it nearly killed me when I watched it. But it's kind of like this happy version of how cookies work.
But it's a step forward. It's a step forward raising user awareness. And there's a change here that's been positive. Can anyone tell me what it is? What's that? Yeah, good. So this is a recent change where they've added the privacy policy to the front page. But there's also many challenges. Electronic discovery is an ongoing battlefield. And the idea of the information you've provided is out there and our courts are trying to get a hold of it, among many others. A great deal of software phones home. There's dependency. When you outsource critical infrastructure, such as your email to a third party, that could be a problem. It could be service and it could go away at any point in time. New products and services will, as they come out, you have to evaluate them for what you're giving away and what you're getting back in return. Companies consolidate, as you saw with Google and DoubleClick. But also companies die. And this is heresy, but one day Google will die. And it may be 250 years from now or maybe seven years from now. But what happens to the data when companies die is a big question. Web 2.0 provides a greater resolution. Before you type things into a form and click, before you click submit, you're safe. But now, this increased ability to track what people are pointing to, what people are doing with a finer resolution is a major concern. And this is the general trend away from the desktop out into the cloud. So I think it's a useful way to analyze this to look at, kind of create a spectrum from likely to less likely things, all of which are possible. Some are more likely, some are ongoing, and some are not. Your placement of these may vary a little, so please don't pick me on the locations, but I think you'll get the idea. So likely things. Cross-site tracking. I showed an example, a large number of sites by visiting Microsoft or MSNBC. User profiling is ongoing, targeting advertising is ongoing. We've seen redirection when you mistype a URL.
Sharing with third parties in government collaboration I think is an ongoing thing, certainly in certain parts of the world. Then less likely, it's almost like most frequent and less frequent. The idea of ISPs manipulating traffic, a service being eliminated that you depend on. Search results theoretically could be modified, and I know search engine optimization tries to do that, but the company itself could do that, and some of them do for pay. I mean, it's a business model. And of course, data spills. One of the things I think is most interesting is the idea of digital assassination. When you cede so much information to a third party, or a number of third parties, you've given up control, you've given up power. And what could they do with that power? Right now, it might not be a big deal, but as we move forward, you wonder, could they take down a president? Could they alter the course of an election? Could they ruin their life if they were so inclined? That's a lot of power to place in someone else's hands. So lots of people I'd like to thank, and let me explain the first one. I have a friend who decided it would be a neat idea to turn his name slash handle into a hash. So I thought it was a neat idea. So lots of people provided feedback. And here's a number, this is like I said, I've been doing this for years and what I've tried to do today is just draw, kind of synthesize it. I'll give you the highlights of what's been occurring and where it could very well be going and why you should care. I'd like to make a plug for DAVIX, which is a security visualization live CD. The hard part with security visualization tools is that they're often a pain in the butt to configure and install. And Jan Monsch and Raffael Marty have done it. So there's a workshop two to four p.m. on Sunday at a DEF CON breakout room. So if you're interested in that and you also have the image if they want to get a hold of it. So they've got like 25 on one, they've done 25 on the CD.
Also, I started off saying that free web tools and services aren't free, but there's also something else. We are also paying for them by tolerating evil interfaces, right? You've probably all encountered evil interfaces on the web, things that trick you, why do you send you in the wrong direction, bounce up and down over top of the contents and the like. So I'm trying to dig into that a little bit and doing a survey. So I have a little bit of West Point swag. If anyone would fill out one piece of paper, circle some numbers, we'll give you some swag and your name is not on it, it would be greatly appreciated. Because it's looking at countermeasures people employ and I think you're the best folks out there for employing countermeasures. Are there any questions? Is there a mic for questions or is there not a mic? Oh, I'm sorry, yes. The question was, is the information on the DEF CON CD, the PowerPoint presentation, it's an early version. I mean, we had to submit it 30 days ago and I've been working on it since. I'll put it up on my website, which is rumint.org. If you may have heard, SIGINT stands for Signals Intelligence, IMINT stands for Image Intelligence and RUMINT is intelligence community slang for Rumor Intelligence. So R-U-M-I-N-T.org. Just search my name, it'll come up and I'll have them up there when I get back. Other questions? Okay, back there? Ah, I think what we're seeing are piecemeal solutions, right? And I think that's a step forward. I think the best part is collaborative solutions. I think the large online companies have to be part of the solution itself. It'd be nice to see Summer of Code-type tools and one thing I feel is self-awareness. The idea, if you allow people to easily monitor themselves what they're doing, that will allow them to make more informed decisions. But I think it's on the policy front. It's on individual companies have to take steps forward. End users have to be made aware. It's an ongoing direction forward. 
So what part of it is to come out here and jointly seek solutions? Yes, absolutely. What he mentioned was GPS-based systems. Just listening to business news this past week and I think it was the Oracle CEO was just very excited about the idea of location-based systems and GPS is being embedded in many devices. So what you have is this whole other concern of information we give and another piece of that is where you are at any given point in time and that can be scary. Oh yeah, absolutely, absolutely. He said the cell phone already does that. So I'll take questions and there's a question and answer room. I'm happy to sit down and talk with anybody and I thank you for your time.