CIR/NPR Collaboration – Your Data and Who Has Access to It

I collaborated with NPR and the Center for Investigative Reporting to develop this script describing who is tracking you throughout your day. The video shows how your digital trail can be assembled into a pretty complete picture of who you are. Some of the script may seem pretty far-fetched, but every example was vetted by yours truly and occurs every day (in the US).

You can read the corresponding CIR story here.
NPR’s 4-part series on “All Tech Considered”, called “Your Digital Trail”, is below:

Part 1: How It Can Be Used Against You
Part 2: Privacy Company Access
Part 3: Does The Fourth Amendment Protect Us?
Part 4: Data Fuels Political And Legal Agendas

PRISM: Solving for X

Figure 1: PRISM

I thought it would be a fun exercise to describe PRISM  based on information publicly available through the press, private companies, and the DNI. Specifically, how would this system look if we took all the statements made at face value?  This might be a stretch, but it seems like a worthwhile exercise  — not unlike a multivariate equation when one or more of the variables are unknown.

While PRISM is potentially the least troubling with respect to its legality and the type/volume of information of the 4 programs we’ve learned about, it is also the most technically puzzling. There have been many theories on the architecture of PRISM and I’ve been inundated with requests to help press/advocates understand it — so here goes. [Read more…]

ACM Conference on Security and Privacy in Wireless and Mobile Networks

Budapest, Hungary | April 17-19, 2013

WiSec presents high quality research papers exploring security and privacy aspects of wireless communications, mobile networks, and their applications.

I gave a plenary talk about mobile threats to privacy. My presentation covered common threats to mobile privacy and security, focusing on what information is stored on your smartphone and what information is shared – intentionally and unintentionally – with cloud providers and third parties. I reviewed common security problems and pitfalls, as well as the privacy risks consumers assume by operating smartphones powered by a burgeoning advertising industry.

FinCapDev: Privacy, Security and Mobile App Development

I hosted a webinar with Manas Mohapatra, the Director of Mobile Policy for the Federal Trade Commission’s Mobile Technology Unit, for the FinCapDev Finalists.  We discussed security and privacy issues related to mobile app development.

Webinar is archived here.

The End of Privacy?

Ford Foundation’s Wired for Change Conference
New York, NY | October 23, 2012

As part of Ford Foundation’s Wired for Change conference, noted consumer privacy experts and technologists Harvey Anderson, Brad Burnham, Kamala D. Harris, Jon Leibowitz and I considered how mining Big Data and safeguarding privacy can reasonably coexist, moderated by John Palfrey.

View complete video archive

Defcon: Can You Track Me Now? Government and Corporate Surveillance of Mobile Geo-Location Data

Defcon 20 Hacking Conference
Las Vegas, NV | July 26 – 29, 2012

In July 2012, I took part in a panel at the 20th annual Defcon Conference. I joined tech experts Christopher Soghoian from the Open Society Institute and Catherine Crump, staff attorney with the ACLU’s Project on Speech, Privacy, and Technology, for a briefing on the current technological and legal landscape of location data tracking. The panelists explored how consumer location tracking efforts weave a story about the systemic privacy vulnerabilities of smart phones and the legal ways in which law enforcement has been able to hitch a ride. The panel was moderated by the Director of the ACLU’s Project on Speech, Privacy, and Technology, Ben Wizner.

View video archive

Facepalm

There’s been a lot of attention around the Israeli facial recognition startup Face.com. They, amongst other things, make a mobile app called “KLIK” which lets users tag their friends’ faces in real-time, as they walk down the street. Just today, they announced that they’re being acquired by Facebook for $100M.

A few weeks ago, I noticed a different kind of excitement surrounding the startup. I found an extremely basic vulnerability in which the app allows access to other users’ KLIK information, including private ‘authentication tokens’ (i.e. keys) for users’ Facebook & Twitter accounts (KLIK relies on Facebook to use the app).

Face.com essentially allowed anyone to hijack a KLIK user’s Facebook and Twitter accounts to get access to photos and social graph (which enables ‘face prints’), even if that information isn’t public.

[Read more…]

Berkeley Law: Conference on Web Privacy Measurement

Berkeley Center for Law and Technology
Berkeley, CA | May 31 – June 1, 2012

As the Web continues to transition from a static collection of documents to an application platform, websites are learning more and more about users. Many forms of Web information sharing pose little privacy risk and provide tremendous benefit to both consumers and businesses. But some Web information practices pose significant privacy problems and have caused concern among consumers, policymakers, advocates, researchers, and others. Data collection is now far more complex than HTTP cookies, and the information available to websites can include a user’s name, contact details, sensitive personal information, and even real-time location. At present there are few restrictions on and scant transparency in Web information practices. There is a growing chasm between what society needs to know about Web tracking and what the privacy measurement community has been able to bring to light.

A number of practitioners, researchers, and advocates have begun to more formally study how websites collect, use, and share information about their users. The goal of the Conference on Web Privacy Measurement (WPM) is to advance the state of the art and foster a community on how to detect, quantify, and analyze Web information vectors across the desktop and mobile landscapes. Such vectors include browser tracking, such as cookies, flash cookies, the geolocation API, microphone API, and camera API; and server-side tracking, such as browser fingerprinting. We are also interested in the deployment of privacy-preserving technologies, such as HTTPS and proper deployment of P3P.

I served on the programming committee for this event, and led a discussion about tools for web privacy measurement.

TechCrunch TV: Ashkan Soltani On Mobile App Security

TechCrunch TV | May 3, 2012

TechCrunch TV had me on to discuss Path, Apple’s collection of location information, and the various other privacy issues with mobile devices.

Ashkan Soltani On Mobile App Security by 5minTech

Why You Should Treat Your iPhone Like a Toddler: The State of Mobile App Security, TechCrunch, May 3, 2012

2012 State of the Mobile Net Conference

Advisory Committee to the Congressional Internet Caucus
Washington, DC | May 3, 2012

The 4th Annual State of the Mobile Net Conference featured debates about the most pressing issues facing the exploding mobile net. While App developers frenetically code away, Washington policymakers are looking more and more closely at the mobile net ecosystem. Indeed, Washington policymakers are eager to help the mobile net achieve its potential by freeing up spectrum, implementing consumer protections and considering privacy rules for the burgeoning app market. With the speed at which the mobile net is evolving, how can Washington policymakers provide the appropriate level of assistance?

I took part in a panel called Complex Devices / Complex Privacy Questions: Grappling With Privacy In the Mobile Space

View video archive

App Developer Privacy Summit

Palo Alto, CA | April 25, 2012

Mobile apps and the services they provide have been one of the most exciting areas of innovation in recent years. Many of these new services have been successful because they enable consumers to use data to connect, discover and accomplish in new ways, but the collection and use of consumer data in the complex mobile environment has caused a rise in privacy concerns. To maintain the consumer trust necessary to continue the pace of innovation, the key participants in the app ecosystem need to work together.

To better understand their respective roles in this new ecosystem, platforms, app developers, carriers, consumers and policymakers are gathering to address current and pressing consumer privacy issues. The Application Developers Alliance and the Future of Privacy Forum, along with the Stanford Law School Center for Internet and Society, hosted the App Developer Privacy Summit on April 25, 2012.

I was one of the panelists/presenters.

http://blip.tv/future-of-privacy/app-developer-privacy-summit-6153058

Go to 2 hours, 32 minutes for details.

MobileScope Takes WSJ Data-Transparency Prize

Wall Street Journal Live/Digits | April 17, 2012

Ashkan Soltani, the programmer who designed the MobileScope app and the technical adviser for WSJ’s What They Know series, discusses his privacy app, which won WSJ’s Transparency Weekend “Ready for Primetime” award.

MobileScope Takes WSJ Data-Transparency Prize by 5minTech

Learn more about Mobilescope.

NYU/Princeton Conference on Mobile and Location Privacy: A Technology and Policy Dialog

NYU Law School, New York, NY | April 13, 2013

People routinely carry smartphones and other devices capable of recording and transmitting immense quantities of personal information and tracking their every move. Privacy has suffered in this new environment, with new reports every week of vulnerabilities and unintended disclosures of private information. New York University’s Information Law Institute and Princeton’s Center for Information Technology Policy hosted a technology and policy dialogue about the new world of mobile and location privacy.  They brought together the policy and technology communities to discuss the substantial privacy issues arising from the growth of mobile and location technologies.

I gave a technical demonstration.

NYU/Princeton Conference on Mobile and Location Privacy — Technology Demonstration: Askhan Soltani from NYU Information Law Institute on Vimeo.

NYU/Princeton Conference on Mobile and Location Privacy: A Technology and Policy Dialog

New York University School of Law
New York, NY | April 13, 2012

The age of ubiquitous computing is here. People routinely carry smartphones and other devices capable of recording and transmitting immense quantities of personal information and tracking their every move. Privacy has suffered in this new environment, with new reports every week of vulnerabilities and unintended disclosures of private information. On Friday, April 13, 2012, New York University’s Information Law Institute and Princeton’s Center for Information Technology Policy hosted a technology and policy dialogue about the new world of mobile and location privacy. The gathering aimed to bring together the policy and technology communities to discuss the substantial privacy issues arising from the growth of mobile and location technologies.

I did a technology demonstration.

NYU/Princeton Conference on Mobile and Location Privacy — Technology Demonstration: Askhan Soltani from NYU Information Law Institute on Vimeo.

Analysis of Carrier IQ Software

Log Pile by Lars Hammer on Flickr http://flic.kr/p/a4XR3b

There has been some confusion and multiple conflicting statements about the Carrier IQ issues that were highlighted in Trevor Eckhart’s initial video some weeks ago. I will attempt to hopefully clarify some of that confusion and show that, despite statements to the contrary, there is capture and transmission of sensitive information to 3rd parties resulting from misconfigured Carrier IQ software. [Read more…]

Mobile, Telcos and the Future of Freedom of Speech

Silicon Valley Human Rights Conference
San Francisco, CA | October 25-26, 2011

I was a panelist at the first annual Human Rights Conference – or RightsCon.

Panelists on Mobile, Telcos and the Future of Freedom of Speech talked about the nascent connection between commerce, politics, human rights and information, especially with burgeoning uprisings in the Middle East and beyond. With the reality of competitive pressures within the industry and the network monopoly of many governments, we looked at some of the industry practices and approaches that are needed to ensure telecoms are not hijacked for repression and abuse. The panelists discussed the realities of operating with infrastructure in-country, the business models available to ensure control of the network, and the privacy and mobile security needs of human rights advocates.

The event was livestreamed but there is no video archive.

When Zombies Attack – a Tracking Love Story

OWASP AppSec USA 2011 Conference
Minneapolis, MN | September 20 – 23, 2011

In this talk, Gerrit Padgham and I talked about the current state of online tracking and highlighted current practices such as “cookie respawning” and non-cookie based tracking that popular websites and mobile applications engage in. We discussed theories on why the platforms we use do not adequately protect users from these threats and highlighted the proposed solutions, such as additional transparency tools and Do-Not-Track, that are intended to help mitigate these issues. We also demonstrated MobileScope, a technical solution we have been developing to give the end user ultimate visibility into the traffic their device is sending. Finally, we discussed open questions surrounding the ability to adequately assess risk, drawing from behavioral economics and risk management theories for cues as to potential outcomes in this space.

When Zombies Attack: A Tracking Love Story with Ashkan Soltani & Gerrit Padgham from OWASP on Vimeo.

Additional video archives on YouTube.

PDF of slides

Pii2011: Privacy Identity Information Conference

Santa Clara, CA | May 19-20, 2011

Privacy Identity Innovation is the only tech conference focused on exploring how to protect sensitive information while enabling new technologies and business models. Over 250 attendees from around the world participated in the second Privacy Identity Innovation conference, which took place May 19-20, 2011 at the Santa Clara Marriott hotel in Silicon Valley.

On May 19, I participated in a roundtable discussion called Pii and Location: Can You Find Me Now?

pii2011: pii and Location: Can You Find Me Now? from Marc Licciardi on Vimeo.

Listen to audio archive

On May 20, I was part of a panel discussion on Simplifying Privacy Notice.

pii2011: Simplifying Privacy Notice from Marc Licciardi on Vimeo.

Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy

Senate Committee on the Judiciary, Subcommittee on Privacy, Technology and the Law
Washington, DC | May 10, 2011

On May 10, 2011, I testified in front of the Senate Judiciary Committee on Privacy Technology and the Law regarding mobile privacy. The other witnesses included representatives from Apple, Google, Center for Democracy and Technology, and the Association for Competitive Technology.

Read prepared testimony.

USA Today live blogged the hearing.

Video archives on CSPAN include my delivered testimony, answers to questions about what “location” means, and a question from Senator Franken about the most serious threat regarding mobile devices and privacy. View CSPAN footage of entire hearing

[Read more…]