
Trying to roll with... what was that? I've just been, keep like this, trying to roll. Okay, we've got such a huge audience here at 7 o'clock in the evening. I thank you for holding out with me. This is going to be a short presentation, because I know it's late and we're all looking forward to moving on to other things in our evening.

Okay. Strange interactions and personal... First of all, who am I? Blah blah blah blah, whatever. My standard disclaimer: I'm not a lawyer, don't look to me for legal advice. I like to talk about the law, but I'm not a lawyer. Yet? Yeah. And then I have five
practice. Okay, my extra double safe disclaimer: I'm going to be talking about things that are illegal and how wonderful they are. Don't try this at home; don't come crying to me if they find something to stick on you and make your life really hard. Hopefully this will make a difference in the fight against the current incarnation of the Computer Fraud and Abuse Act. I've been actively campaigning against it, or for change rather, and this is my little contribution, because I do privacy and I'm for change of the computer legislation.

So what this is about, it has a weird title: a new way of looking at legal
structures. When you go to law school they teach you a really staid, traditional Socratic method: looking at cases, interesting cases, but everything you look at has already happened. They don't talk about potentials, they don't talk about what could be, because that's irrelevant in the practice of law. But I'm kind of a hacker at heart, so I like to think of things in the way that they break down and the interesting ways that happens.

Okay, so this is a point I raise with people who are hackers, and they have a lot of trouble wrapping their head around it: you can't own data. They're talking a lot about copyright and intellectual property protections and all this, but
you can't own data. "It's just, my company owns a lot of data." Your company does not own data, I guarantee you that. Your company might have trade secrets, your company might have specific arrangements of data, but you can't get legal protections for that data if, say, somebody stole it. If somebody stole it, the only... I'm actually getting a little bit ahead of myself here. Copyright doesn't mean anything with personal data. Trade secrets are probably what your company would claim: your company owns a lot of data, but it's because it's valuable business information, and the trade secret law is written so that if it's not valuable business information then you don't own
it; it can't be owned. There are a few patchwork laws that define privacy, but legally there's no law that attaches to data for ownership. So you can say, like, we can possess data, but not like land rights? We can own land because the government says that we have that right. That's precisely it: the government will not supply protection for the right to hold that data. You can still possess it; you just can't say, like, it is mine and no one else can have it. Exactly. And the government will go, like, do things for you on your gra... they won't, right.

The idea behind not owning data is that the
data intellectual property protections are not meant to limit human knowledge, and that's something that the framers of all this really had in mind: they did not want to limit the knowledge that's available to humanity. That's why mathematical equations can't be patented or copyrighted. And they're going back and forth about the gene information; they recently struck down protections for genes, because that's knowledge, that's not information that can be protected legally. So what does this mean? It kind of gets complicated when you start talking about personal data and ownership. So the next topic I'll bring up is data brokers, which is kind of the bulk of this.
The idea that the data broker... that's the business: buying and selling data. Some of them sell personal data, some of them sell property information. There's a data broker I researched that sells information on rights of way, which is a hugely complicated process: if you want to run lines anywhere you have to find each little property owner along the route that you plan to take, and it's very difficult, but they provide a service that does that. Most data brokers buy data from other brokers, and going back to the whole statement that it can't be owned, they buy data as a service; they buy data in a specific
arrangement in connection with other data. They go through a lot of manipulations to try and explain how this data is connected to each other and that they have the right to buy and sell it. So data brokers don't particularly care where the information that they collect and sell comes from. As far as the quality of the information, it's very important that they get good quality information, but it's not important what the source of that information is.

And let's not underestimate what data brokers are and can do. There are some really huge companies out there that you probably have never heard of. Well, you might, if you traffic in data. Yeah, I could say
that I know one of those companies very well. I know all of the companies very well. So some of them are kind of surprising: Reed Elsevier, the people that keep all the academic journals behind the paywalls, also collect personal data, and they primarily sell it to lawyers. And then Equifax and Experian; these are two of the three major credit report agencies. Acxiom is actually the largest company on this list, and they've been around for a very long time, and unless you're in the industry you've never heard of them. I've spoken to people who are hackers, and they're dealing with a
lot of questionable people, and so they investigate people on a regular basis and they connect with a lot of databases, and they've never heard of Acxiom. They were glad I mentioned them, so they're looking them up, since Acxiom really does a lot of wholesale data sales.

So few of those are regulated. The specific uses are loans, credit reports, housing and employment. These are protected categories where you have a right to access the data they have and correct it if it's wrong. I frequently have to, because I have a common name and people like to stick things on it. I'm still fighting an MRI that showed up on my credit report; I don't know where it is.
But the Acxioms of the world avoid this regulation by avoiding those specific uses of the data; they tend to focus on marketing a lot. I was looking at some others: valuations, they work with insurance companies for their actuarial information, they work with universities. I had somebody, apparently they'd seen I'd been doing research on data brokers, and they tried to sell me information from India that I'd never heard of. So they're out there, they buy under the radar, and they're totally unregulated. In fact, it's even very hard to define them.

So what's the big deal? Data provenance, where the data comes from. There are consistent industry-wide practices:
competitive advantage. If you tell everybody where your data comes from, they'll just go to your source; they'll bypass you. Even if you have advanced data analysis techniques, it still puts you at a competitive disadvantage if you've revealed all the sources of your data. What's really interesting is Congress held a hearing about three years ago on data broker practices, as a result of a murder-suicide based on a rather unfortunate stalking event, and the data brokers came in, and every single one of them, there were nine of them, every single one of them pleaded the Fifth. Congress can't do anything about that, because that's a fundamental right, but
they're not telling. The only data... even if, well, "we get our data from Facebook" and these others, you never hear that. Only the data that comes straight from the source is identified as coming from the source. So the point is that the provenance, where the data comes from, is not important; what's important is the quality. If you have good quality data then you have a good quality product, and if you collect data from many, many sources... I'm getting it now. If you collect data from many, many sources, then just attaching the source to the data, that's another data field in
your database, and that things... I can tell you from personal experience that provenance is extremely important to data brokers, because how much they have to pay to use that data in their data products is directly related to where they got that data from. So the things that you're talking about them not tracking, they are absolutely tracking, in a very finite way. Okay, so they pay based on the source of their data? Yes. So they're not... the implications of where the data came from, I mean, other than very little regulation, but yeah, I mean, it's all about revenue, right? Right. So if they have the same data from two different sources, they are going to
claim the least expensive source as the source of that data so that they pay less for it. And there's actually a significant portion of the business, in fact that's where that business grew from, was providing you the data that you want from whatever source I can get it for the cheapest price possible. So they take all the data sources, they deduplicate that, and then they find the cheapest way to get you, as the customer, the data that you are looking for. Great, great. So provenance is definitely important, but provenance associated with the price. So you're not tracking where that third party that got the cheaper rate got the data? Right, so we are not tracking it
back to its source. Exactly, and that's my point: you're not tracking it back to your source, you're just... the incoming vendor, whichever source of data you get, that's what's important.

So what if somebody stole data? What if somebody figured out a way to break into a system? Because personal data is low man on the totem pole when you talk about securing data. Recently it's been recognized; a lot of startups recognize this as their revenue source. But I've spoken to many, many, many startup people who don't recognize the need to protect the personal data. They recognize the need to
protect the credit card data, PCI compliance, Social Security numbers, all the financial information that's attached to their customers. They recognize the need and importance to protect that, but they don't have the force of law behind the protections for personal data, so it's the low-hanging fruit of the break-in scenarios. Many companies, I've worked for companies, are not very good at protecting this, because it's expensive. It's expensive to hire all of us technical hackers to make sure that everything is secure; we don't always come cheap. So the risk is much lower for someone seeking personal data, but it's obviously worth less than the
financial data. But data brokers are buying. Maybe you won't be able to approach Acxiom, because they're very good at knowing their source and knowing who they're dealing with. They've managed to avoid the Spokeo problem. Spokeo is one of the data brokerages who got in trouble with the Federal Trade Commission because they weren't careful who they sold their data to. The FTC had their mystery shoppers go out and buy Spokeo data for employment, and they got some really ugly fines, because Spokeo, unlike the three major credit agencies, does not give you the opportunity to review the data that they have on you free of charge
and contest any errors that they might have.

There are certain types of data that are more... a little like, there was an article a while ago about Target stores identifying a pregnant teenager before the father that she lived with did, and the reason they targeted that particular life event is because you make a lot more decisions about what your future life is going to be when you make major changes: when you're moving, when you buy a house, when you buy a car. You buy a lot of things and you're great target material for advertisers, also life insurance companies and other organizations, or any ad company for that
matter. All these organizations want this information so that they can make decisions further. They like to have neighborhood information when they start talking about expanding their business: where should they expand next? So it's very valuable. This is a huge industry, and the more of it you can get, the more money you can make.

And what's interesting is, unlike stolen financial information, you don't need to scrub it, you don't need to launder it, you don't need to go through third parties. If you set up an organization that looked legitimate on paper, you could set up your own data brokerage based on stolen information. There's a little bit of gray
area, legal gray area, there, where you know and don't know; maybe you just find a gullible friend. And there's no risk to the buyers, because data cannot be owned; the buyers are not buying stolen property. Unlike any other property that gets filtered through the system, where that property once it's stolen remains stolen and is recoverable and all the people who buy and sell it are liable, data doesn't fall under that, because data is not property. You can set up a totally legitimate business, get real paychecks, you don't have to worry about money laundering at all. The only legal concern is with the Computer Fraud and Abuse Act: getting caught. And getting caught, if they're not
protecting it, if you're smart about it you might be able to avoid that. So the hacker value equation: low difficulty, low risk, moderate payoff, clean money. Seems like a great idea to me.

And so what also comes up: there's no way to independently test this. If you give somebody your personal details, you don't know what they know about you or what they're giving away. Even the financial industry, the PCI compliance game, that's pretty easy to evaluate, because the banks are in control of that and they're the ones who have to pay if things get stolen. But nobody pays if somebody's selling your personal data, and
there's a lot of argument about what is the value loss if an insurance company finds out about you, whether it's true or not. So consumer protection organizations, I like Consumer Reports; they're neutral, they don't work with them, and they do independent testing. There's no such thing as independent testing for data security. You either contract with the company or you don't test it. And so the FTC can come in, and has come in, with consent decrees against organizations who poorly protect or ignore privacy protections, but it's a really big hammer. They're not going to go after the little startups that have been collecting a few people's data, a few thousand, a few million people's data.
They're also based on a complaint system. Unless you can independently test, you can't bring the Federal Trade Commission in. So the only hope is really somebody who is actually leaking the data... is that it's leaking, and does something about it.

So maybe you're concerned about this. What would a hacker do if you suspected that maybe somebody was not treating it responsibly? (You may want to speak a little louder, because unfortunately the air conditioning is going to overwhelm you.) Oh, okay. Okay, so what would a hacker do? What would a hacker do if you wanted to know that your data was safe? You would test it. I would, I
want to, but the Computer Fraud and Abuse Act says no thanks, you can't do that, you don't have the authority. In fact, a recent prosecution, Andrew Auernheimer, also known as weev: he wasn't testing his own data, but it was privacy information that was being leaked by AT&T that he got convicted for, three years. So the Computer Fraud and Abuse Act actively prevents people from testing and validating that the systems that they trust, that they have every reason to trust, are safe, are secure. But what's interesting is even the DMCA, the Digital Millennium Copyright Act, considered this really oppressive: anti-circumvention provisions where you can't break into something if it might protect a little bit of copyright, and
they go way overboard with that sometimes, but even the DMCA has exceptions for personal information and protecting your own personal information.

So what is the CFAA? It's the law used to prosecute hackers. Everybody here should know about this; if you're here, you should know about the CFAA. And sometimes it is a good thing. Sometimes people do malicious, destructive things for bad reasons and they should be prosecuted. I remember reading about the very first insider CFAA prosecution: a fellow, he was promoted from sheet metal, and he took all the backups home and left a dead man script, and so when they fired him he blew away the systems. So sometimes it's a good thing to
have that hammer to prosecute a few people, but it's indiscriminate. The way the law is written, it's completely indiscriminate. It doesn't evaluate whether this is something for the public good or something for personal vengeance or personal enrichment. There is some provision in the law for personal enrichment that's supposed to elevate it to a felony; however, the way the law is written, what also elevates it to a felony is a conviction in conjunction with any other law, and almost every state has a law that's almost identical to the CFAA, if not completely identical. And so because we have these identical laws, every instance where the Justice Department starts to
investigate, they can bring felony charges because of the state/federal duality.

But the last line, to me, is the biggest issue. Congress wants to make the world a safer place; Congress wants to make our computer systems safer. Great: give the security researchers the tools they need to make the systems safer, not tie the hands of the security researchers, which is what the CFAA currently does. You can't write a law to protect a computer system; it just doesn't work. But that's the only tool that Congress has in their toolbox, so everything looks like a nail. So yes, defensive or offensive security: when budgets are considered,
"Well, we can get somebody if they break in, so it's not as important to have as good security." That's kind of a scary argument to me, but I've heard it. Yeah, Congress.

So that's pretty much the bulk of my talk. I said I'd be brief, so if there are any questions, here's my contact information if you'd like to speak with me further. I'll be around; I'm headed over to the EFF fundraiser party at the summit and I'll be working the door for a while later tonight, so hope to see you
there.