
B-Sides events are for the community, by the community. And three years ago we started the Mainland Advanced Research Society to encourage the local tech communities to unite and collaborate. Like all B-Sides events, we came from humble beginnings with small free venues, pizza lunches, but yet great conversation. Over the last three years, our community, all of you, have encouraged us to keep making B-Sides bigger and better. And we've taken on this challenge with the largest event we've had yet. It's in the notes to applaud. Over the next few days, I invite you to check out both speakers, or both speaker tracks, take pictures of our elite job board, which will be up here and in the other room. And of course, please
visit our sponsors who have enabled us to have this fine venue, breakfast, lunch, and allowed us to give everyone t-shirts and super cool laser cut badges, and all the prizes. So did I say prizes? So to incentivize some of the people to sign up early, which helps us plan the awesomeness level of the next two days, we offered a raffle prize pack for professional and VIP attendees. So I know we said one raffle worth $300 and we lied. We're going to do three prize packs, two worth over $500. So we're going to be drawing one of those this morning, one at lunch, and one tomorrow morning. You must be present to claim. We're going to do that in a moment. If you did
not buy VIP or professional, there are still opportunities to win some cool stuff. First, these awesome badges that we have. We were able to get these produced from a local guy in Victoria named Todd from Ahead Designs. And he took on this massive project, very last minute, and he really just exceeded our expectations. So we want to give him a shout out. So take pictures of the badges. Tweet at Ahead Designs on Twitter as well as hashtag us or mention us. And we're going to pick winners. And we have four $50 Digital Ocean credits to give away. The other opportunity to win an elite badge, if you have got just a hacker badge, you want to go up to elite status.
In our program book, we have a cipher challenge. Last year, one of our community members cracked our puzzle before lunch, so we've asked him to make a little bit more of a challenge, and it's in our program book. So first person to solve all three, tweet us the third puzzle answer, and we'll upgrade you to an elite badge. Alright, some announcements before we get started here. For the quadcopter workshop, we had to cancel that. Quadcopters are just too popular these days and a piece of the puzzle, very important, the thing we used to control the copter was backordered pretty much since January and we have not been able to get the parts. So we are
going to do that workshop, so just ping us if you are interested in getting involved, but that will be down the road. The venue has been so kind to discount a beer for us, Blue Buck, which is the best beer in British Columbia as far as I'm concerned, and they are not a sponsor. And so good deals at lunch at the bar, so grab that. So there is Wi-Fi. The details of that are in the program book if you are so willing to use Wi-Fi in an environment like this with all you guys. So I would suggest you turn off Wi-Fi, Bluetooth, NFC, anything else leaking out of your phone. But at least if you have to use Wi-Fi, don't connect to Linksys, Starbucks, or your home SSID because
I assure you that's not yours. Safety, we have fire exits that way and that way. If you go that way, that'll be pretty entertaining. It'll be like being on the set of Walking Dead. And let's see here, cell phones, please put them on vibrate. If you still use a ringtone, please put them on vibrate. And we're gonna have Colin talk a little bit about the CTF that's going on right now. Please have a warm applause for Colin.

Thanks, Alex. So for the first time this year we're doing a capture the flag challenge here at B-Sides. The goal of capture the flag is to complete some challenges. There's a variety of challenges including cryptography, reverse engineering, and what have you. If you're interested and wanted more information, there's some information on the website but we're also in the lounge so there's some fellows sitting there with some laptops. They're running the CTF. By all means ask them questions. It's all a points-based system, so whoever can get the most points wins. And that's pretty much about it. And I'll leave this back to Alex.

Thank you, Colin. Thank you, Colin. All right, so we're going to do a raffle, then we're going to get Steve up on stage to scare the hell out of you about this internet technology we keep on using. Marianne is from Bit9. She's going to help me do the raffle.
Alright, so this raffle includes a Hex, which is one of our sponsors, laptop bag, $200 DigitalOcean credit, which is pretty awesome, a ready-to-fly quadcopter, so right out of the box, plug it in, charge it, and you're ready to go, and four Club Mates. So let's draw. We have Andrew Pawson. Is Andrew Pawson here? You need to clap. He is not winning then. One more.
Sean Fitzjames, I did see him here, so I think he's the winner. There he is. Come on up. Yeah, I'm going to put the... Fantastic. Congratulations, Sean. Thank you. I am indeed real. Here you go. All right, so I'm going to introduce our keynote speaker. I'm really excited to actually announce this guy. I've been following him on the internet for quite a while. Not that way. So Steve Rambam is the reason I do not use Android and iPhone devices and severely limit my social media usage. I've shared his talks on YouTube with countless sheeple who overshare and his talks today will truly fascinate you if not cause minor panic attacks. I'm very pleased to welcome Steve Rambam. Please give him a warm round of applause.

Does this work? Does this work? Yeah. Okay, great. I have to say this is the politest, quietest group of hackers I've ever experienced. Very Canadian experience. Yeah, exactly. Exactly. I've got root to your system. Sorry. Let me say that this is normally an eight-hour talk. We reduced it to a three-hour talk for HOPE. We further reduced it to about a two-hour and 15-minute talk for this event, so that there'll be 45 minutes for Q&A. As you'll see later this morning, the Q&A is the best part of this. What I am going to try to do, hopefully, is give you an overview of where privacy and anonymity is today. How, for those of you who don't know, I'm an investigator. I
look into people's lives for a living. I want to know where you live, where you work, what you read, what movies you watch, what books you read, your politics, your sexual orientation, where you go on vacation, who are your friends. I want to know everything about you, what you think, what you believe. And today, I can do that for the most part without leaving my office. I don't have to surveil you, I don't have to go down and look through dusty records. It's all out there. And we're going to look at that for a little bit today. Now, I'm usually in a sort of schizophrenic situation when I give these talks. On one hand, I see everyone out
there, not just the general public, but undoubtedly everyone in this room, putting their entire lives, their entire soul on the internet, and as an investigator, I want to say thank you very much. I appreciate that. As a fellow citizen, I have to tell you, it creeps me out. So hopefully this will focus things a little bit. Strange man has just come up here and put a microphone in my face. Okay. I'll try to use my courtroom voice.
When I first started giving a talk called Privacy Is Dead Get Over It 20 years ago, we would show the way things used to be. You would start with a phone number, which would give you a name and an address, which would give you a date of birth and a social security or social insurance number, which would give you residences, which would give you work, which would give you credit card and bank accounts and corporations and marriages and divorces and birth and death and what have you. Now it's much easier. You can take any one piece of information, a license plate, a telephone number, a MAC address, anything, and the systems that are out there now, including systems that I own, can take that
one data point and expand it and expand it automatically. You can take a phone number and immediately have someone's social security number. You can take a license plate and immediately know what books that person reads. It's really that simple. These are typical data fields that are compiled: name, address, phone, date of birth, place of birth, social security number, social insurance number, driver's license, vehicles, families, friends, religion, politics, habits, hobbies. How many people here think that by virtue of being Canadians and living in Canada, you have some greater level of privacy protection than in America, than in the United States? One person raised their hand. One person is wrong. There is nothing that is gathered on people in the United States
that is not gathered on Canadians. This is not a governmental issue. Marketers target you the same way. Facebook targets you the same way. Google targets you the same way. Everyone who invades privacy in America and gathers personal data and biographical data gathers it in the United States. Every bit of information on your life is gathered. For the most part, it's because you contribute that information yourself. Now even if you don't, it's going to be gathered. One thing that we're going to beat to death today, and I'm going to be going through this very, very quickly, is that nothing beats self-contributed information. It is remarkable what people put up there. They put up their photo, they put up their location,
they put up their beliefs, their habits. Last night I tweeted what I was having for dinner just to get into the swing of things. Frankly, nobody really cares what I had for dinner or what you had for dinner, but people do it routinely. Here is a perfect example, a ridiculous example. Somebody wrote an article about how there's a new system out there that's going to be a challenge to email. So there's a response, typical trolling response. Ha ha, the Luddite mentality continually evolves, blah, blah, blah. So the original poster says, you know what?
Your name is so-and-so and you live in Portland, Oregon. You're pretty shit at triathlons. And last year you humiliated yourself by coming in 152nd out of 183. Something I'm sure your mom, name redacted, wouldn't be proud to talk about in her weekly gossip circle. She prefers to think about the days where she lived in Glendale or Pasadena, wasting her time on her short-sighted son, the loss of her father after a six-month battle with pancreatic cancer. Give my condolences to blank. I like blank's mustache. Can still walk her dog at Harris Beach. This, by the way, is what's known in the investigative community as Google-fu. You go out and you take easily publicly available information and you compile a remarkable dossier on anybody. So basically the
guy went, okay, you win. This is all pervasive. And it's all pervasive because everybody buys into it and allows it to happen and even does it without thinking now. People overshare. Here is the VIP ticket sign up for this event. Alex said, "Hey, we're inviting you to our VIP dinner. Go to this link and sign up so there'll be a ticket available for you." Maybe somebody will explain to me why you need to know if I'm happily employed, if I'm a male my age and my t-shirt size to go to a VIP dinner. I get it. People want to know, can they recruit me? Am I a male? Am I a female? What's my age? The t-shirt is for
obvious reasons. But people routinely just fill out boxes, blindly agree to terms of service. Self-contributed information is the basis for everything that I'm going to be talking about today. People put the stupidest stuff you've seen up on the internet. Now this guy, by the way, is a lawyer. As you might have guessed from the rabbit suit. There are things on the net that are, to me, maybe I'm from a different generation, but are inexplicable. There is an app, I Just Made Love. You enjoy an intimate moment with your significant other, and of course the first thing that you want to do is you want to whip open that app and tell your friends about it. Now, by the way, by the way, if
you go, if you download this app and look at the locations, about a third of them are parking lots. I mean, that's the funniest thing about this. There is an app called PMS Buddy. I couldn't make this up if my life depended on it. This is so that you can alert people you care about, don't talk to me for the next five to seven days, basically. The sickest thing? Now, on Facebook. People, this is not considered wildly outrageous. Alright, why should you care about any of this? There's two reasons. Number one, because things are, to be serious for a moment, rapidly approaching the point where you cannot put the genie back in the bottle. Anything that you put out there
is immediately gone. It's immediately out of your control. I would assume that a computer security conference, everyone here would know that and have internalized that. In fact, not so much. People don't even think about it. You post one data point. Today you post your age. Next week you post your religion. Next week you post who you're voting for in the general election. Next week you post a book that you read or a movie that you went to. Next week you post some inner belief. And a year from now or two years from now, the aggregate total is a window into your soul. And you cannot take that back. You simply can't. Once it's out there, it's indexed and aggregated
and grabbed by guys like me and put into my system. The world is changing also. You need to understand that it's not a nice world anymore. I mean, it was never a particularly wonderful world, but it is really not a nice world anymore. And you do need a certain level of privacy and anonymity. Now, these are American examples. I can assure you that with what's going on in Ottawa and Toronto and the people who are now targeting Canada, in the next six months to a year, there's going to be a lot of similarities between dataveillance in the US and dataveillance in Canada. A lot of it is already shared with NCIC and CPIC and the various law enforcement and intelligence databases. Anything that you put
out there is gone forever. Now, closer to home for you guys, computer security guys, social engineering. The more I know about you, the more vulnerable is your life and your system and whatever you maintain and whatever you're involved in. You can have a door with five locks and cameras and heat sensors and wonderful passwords and if I can social engineer a guy on the other end of the phone into giving me access, that's it. And by the way, that's how it's mostly done. Identity theft. Identity theft is a, I have a TV show and we are doing an entire hour on outrageous examples of identity theft. We have purposely picked people who've been screwed who are highly educated, highly competent people and their lives were shredded.
The more you put out there, the more people can grab. Impersonation, and this is not a joke, especially guys like me. You don't know, six months from now, a year from now, two years from now, if you are going to want to be a more private person, if you are going to want to have a greater degree of personal anonymity. The more stuff you put out there, the less opportunity you have. I don't know what the situation is with whistleblowers in Canada, but I will tell you that if you want to be a whistleblower, if you want to reveal some egregious thing that you have learned in your life, in your career, it is much harder for you to do it
today. You can't get from point A to point B. Person A can't talk to person B without it being observed. So what's changed? What's changed in the past five or ten years that make this such a dramatic situation? First of all, cameras, camera platforms like drones, photos, info capture, facial recognition, massive photo databases, cellular phones. The biggest change is cellular phones. Cellular phones are the little snitch in your pocket. That phone tells me where you are 24/7. Show of hands, how many people here actually turn off their cell phone at any point during the day? I would say 10% of the room raised their hand. 90% of this room keeps their cell phone on 24/7. And I want to tell you that
thing is a locator beacon. It tells me what's important to you, who's important to you, where you go, what you do, are you sleeping, are you in a relationship, have you visited a radical mosque, have you visited an abortion clinic, what your politics are. That phone tells me everything there is to know about you. And that's without me listening to the conversations. People talk about metadata on phones. Metadata is really a big deal. Massive relational databases. When I started, my first computer was a 128K Mac. You had to switch floppy disks to use the computer. When I set up an online database 25 years ago, People Finder, I had a 10 megabyte disk that was considered the state of the art. A 10 megabyte disk. You can
now go into OfficeMax or Office Depot or whatever's up here in Canada and you can buy a 4 terabyte disk for $129. 4 terabytes is more information than the entire United States government had when I became an investigator. Super accurate profiling of persons. We're going to talk about that, but especially effective de-anonymization. You think that if you log on through a pool, you go to the library and log on through a library, use public Wi-Fi, you use a new laptop, you don't log in, you don't authenticate, you're anonymous. Absolutely untrue. All that's needed is three or four data points of any type: location during the day, people that you speak to, things that you buy, where you go at night, where
you go during the day, and I know it's you. When I used to give this talk, I used to say we are not going to cover governmental databases. We are only going to cover what's publicly available. Now for the most part that's still going to be true today, but let me tell you there's no dividing line anymore. Google, Facebook, Microsoft, meaning including Skype, all of the large data companies work hand in glove with every government out there. And governments provide services now to these companies. I can tell you that especially in the United States, that there's almost interchangeability. I can tell you that there is an FBI agent that sits in the Facebook office just for data requests. I can tell you that there is a Google
government services office that interacts with the CIA and the NSA and the FBI. And I know this from first person information, from first person observation.
Everything that we are discussing today is valid for Canada. Everything. There is nothing that's being gathered today that respects borders. How many people here have a Facebook page? Most of the room. How many people here use Google? The whole room. These are American companies. Their penetration into every country is nearly absolute.
There are special programs being developed for all governments, including Canadian governments, that allow data mining of the information that you put up there. I'm going to flip through some of this and get to the good stuff. Facebook purposely analyzes every post not just for keywords like cancer so they can market drugs to you or Aruba so they can market a ticket or a travel agency to you but they can tell from your post your age, your sex, pretty much your sexual orientation. There was something that was done called Project Gaydar. Your politics. I will tell you that one of the primary reasons that Obama won re-election was because of the way that he was able to use Facebook and Google and precision target market potential influencers.
He would get someone who he knew, or rather his team would, would get someone that he knew was a supporter of his position and would leverage that person. Tell your friends, tell your friends to get out and vote. Tell your friends this re-election is important. And it was remarkably successful. 85% successful. For example, phrases that parents use to their adult children. Just using a preponderance of these phrases, they know. Parents writing to their underage children. Facebook literally listens in to what you're doing. Facebook wants to know everything that there is to know about you. And why? The thing that you need to know is this is not because anybody wants to invade your privacy. It's all about money. Your profile, your eyeballs on that screen
are worth billions, literally billions of dollars. 90% of Google's income comes from knowing who you are and connecting you with things that you might be interested in. Facebook, it's now more than 50% of Facebook's information and it's soon going to be as high as Google. People want to know what you care about, what you like, what you're interested in, and they want to push that stuff to you. Partner categories. Facebook is now one of the biggest target marketers. Beverage buyers, cereal buyers, frozen food buyers, lookalike audiences. I can tell you as an investigator, similarities attract. If you are a right-wing Republican, most of the people you hang with are right-wing Republicans. If you are a slightly left-wing computer hacker who's drinking coffee all
the time and wearing a t-shirt, look around you, you're going to see a whole lot of people like you. And not just because you're at a B-Sides conference. That's who you're going to see hanging out with you on a Friday night. That's who you're going to see knocking on the door at your house. That's who you're going to see at your job. Similars attract. And it's even down to the zip code and the postal code. People move to places where they feel that there's people like them. If you live in Berkeley, California, you are not the same person as if you live in Salt Lake City, Utah.
Every device today, and we're going to go into the internet of things in a second, every device today is gathering personal information. Every game box, every interaction that you do on the internet, your thermostat, your trash can, your baby's diaper, believe it or not. There's a database out there called Teleguerilla. Absolutely free to investigators. Teleguerilla for free pulls up all of this information on a person.
Let me speed ahead and let's start getting into specifics. Again, every piece of data that you put out there is there forever. There is no forgetting. This is what's called in the investigative community Hoover's Law. Once you put it out there, you can't get it back. And it's indexed and it's linked to you. Every drunken Cancun photo, every place you've gone, everything you've posted. Let's start with this. This is a typical Twitter post, a typical Twitter feed. From the bottom, roaming the streets with, I can hardly read my own laptop. Let me do it this way. Roaming the streets with Mike, Tyler, Lindy, Sarah, PJ, and Mitch. 23 hours ago, watching out Malibu's Most Wanted, waiting for that
70s show. 21 hours ago, holy effing crap, I got my bumpers to go to the max. 13 hours ago, just woke up. 13 hours ago, listening to XM. 8 hours ago, getting ready for work. 7 hours ago, going to Avicoli's for pizza before work. 6 hours ago, ah well, at work. 30 minutes ago, just got out of work. I don't need to surveil this guy. I know everywhere he is, I know what he's eating, I know who he's hanging out with. Look at your own Twitter feed. This is not unusual. People live cast their whole lives. They do it routinely, they do it without thinking about it. Now multiply this by hundreds and hundreds and hundreds of additional entries and you'll understand that
this person's entire life is out there for the grabbing. Let's talk about Facebook. Facebook, one in five minutes spent online when I compiled this were spent on Facebook. Now it's one in four. One in two minutes spent on social sites are spent on Facebook. Across the board, everybody uses it and they use it all the time. Facebook subscribers put in real information. Real information. It's not like on a dating site where you change a few things. They put in their names, their ages, their email addresses. I've got to tell you that one of the most useful de-anonymizers out there is a search engine called Gorilla Trace that, among other things, plugs your phone number and plugs your
email address into the Facebook search and pulls up, I mean, from your email address, it pulls up your picture instantly. Facebook wants to colonize the web with likes, with links, with tricks that keep you from going off of their infrastructure. They want to keep you on Facebook forever. Why? Not because they're jealous of the other fella, not because they want to invade your privacy, but because they want to watch and see and index and categorize every single thing that you do. By the way, yesterday in the paper, I'm sure you all have heard about these drones and these balloons that Zuckerberg is putting out there to bring internet to the poor, unlinked people in Africa and wherever. Well, it
was revealed yesterday that you can only access 38 specific websites if you use this. And these are the 38 websites that are approved by Zuckerberg. Open Graph, Open Graph pulls in everything you do even when you're not on their site. If you're not a Facebook subscriber, Facebook, which is hugely unlikely these days, Facebook is building shadow profiles of non-subscribers now. If Bob posts a photo of somebody at an event, and Sarah posts a photo of somebody else at an event and another person mentions somebody in a status posting. Sooner or later there's a hundred or two hundred or three hundred or four hundred data points about that person who's not even on Facebook and Facebook is building shadow profiles of these people. By the time that person actually you
know goes over to the dark side and signs up with Facebook, Facebook already knows everything about them. This is what, even if you don't contribute information, this is what Facebook gives up about you. This is what your friends give up about you to Facebook, rather. Your biography, your birthday, your family and relationships, what you're interested in, usually, religious and political views, website if you're online, status updates, photos, videos, links, notes, hometown, where you are today, education and work, activities, interests, things I like, my app activity. I'm really curious. I know, looking in the, in the, in the room, everybody here is, I'm gonna guess, 10 to 15 years younger than me. How many people are okay with this? One guy. As an investigator, thank you. As a normal guy, I don't get it.
Facial recognition. Facial recognition is an enormous deal. It's a huge deal and it lets me know where you are and what you're doing and who you're with without you making a single data entry, a single post. I know when you're walking down the street. I analyze photos that you're in. I have everything. Facebook is at the bleeding edge of this. They started by buying a company called Face.com. They are now literally better than the FBI. The FBI is consulting with Facebook for its, trying to think of what the name, they have a new identification program. Let me show you something. I don't know if you can see this, but see that tiny
little dark blob there? That's all the photos in the US Library of Congress. The next slightly little blob, bigger blob, that's all the photos in Instagram. The next bigger blob there, that's all the photos in Flickr. And proportionately, that's all the photos in Facebook. Every day, there are 4 million photos added to Facebook. Every day. And it is the craziest stuff. Look, this guy, and by the way, he's locked up now, the guy who posted this. This is a guy who his kid, he hit his kid, which he shouldn't have done. His kid hit him back, so he duct taped his kid. This is not the father of the year. But he felt that he had to post that on Facebook.
And he did. And he got locked up. People have no red lines anymore. Nothing. Facebook, Google is employing 600 PhDs. Facebook is employing 280 PhDs. And the products and the projects that they're involved in are truly, truly bleeding edge. And I mean, here's an example. DeepFace, closing the gap to human level of performance and face recognition. I can tell you that Facebook now can have their systems look at a photo and with 97% certainty say, that's Bob. And they closed the other 3% gap by seeing who posted the photo or what the context of the photo was. They know enough about Bob to know no way Bob is going hang gliding. No, Bob doesn't live in China. Ah,
here's the article. This is an actual Wall Street Journal article. Facebook's facial recognition is the best in the world now. And they do it because they want to recognize that photo and they want to sell that person's stuff.
Facebook is a critical cog in the ongoing de-anonymization of everyone because similarities attract. If I know who your friends are, if I know who you hang out with online, if I know who you hang out with in person, I know 90% of what there is to know about you. I mean, unless you're the Unabomber living alone in a cabin in the woods, which by itself would tell me something about you, who you hang out with and what you do on a daily basis as reported on Facebook, I know 90% of what there is to know about you. Project Gaydar. I think this was University of Connecticut. Okay, I don't remember. Sorry. Some university decided to take Facebook pages and determine
sexual orientation if it wasn't declared from the Facebook page. Better than 90% accuracy. Not surprising.
Facebook even monitors your posts now and rats you out if you say something that's troubling to them. There is a procedure now on Facebook, which by the way is, I'm sure you agreed to one time when you clicked on a revised terms of service. Facebook is that good that it can scan everybody's posts and determine from algorithms they've written whether you're writing about something improper. Facebook wants to be a bank. Facebook wants to be a phone company. Facebook wants to be connected to every iota of your life. Every iota. I don't know if you remember the famous lawsuit between Zuckerberg and what he called the Winklevii, the Winklevosses. They subpoenaed all of his chat logs from when he was back when he was back in Yale
or Harvard, rather, Harvard, and at first developed what was then called the Facebook, and he was saying, "I can't believe it, 3,000 people have posted their information on the Facebook," this, this first iteration of Facebook. He said, "I don't know why they trust me. Dumb." And he was right. They're idiots. When I'm doing an investigation of somebody, if I have subpoena power, if I'm working with law enforcement and I have a warrant, the first thing that I do is I hit Google with a subpoena. And I want to tell you what Google knows about you is astounding. Now, if you use the Google infrastructure, they know everything about you. If you use Google Docs, if you use
Gmail, if you use Google Voice, if you belong to a Google group. The more embedded you are in their infrastructure, the more they know about you. I can tell you that when I've worked with a law enforcement agency that had a warrant, we even got drafts of things that you wrote. You know, you wake up in the morning, you think your boss is an idiot. Dear moron, I can't believe I'm coming to work for the crap that you pay me. And then you don't click send. You just delete the draft. That draft is saved for 18 months. It's a fact. I've gotten that as a result of subpoenas and warrants. Now, I'm putting this photo up here because I want you to look at these guys and understand
these are the two guys that you have surrendered your entire life, your entire soul to. These two guys know everything about everyone now. This is old information, but during 2009, Google at one point had more cash on hand than the U.S. government. They were making more money every day than General Motors. They have 600 PhDs on staff. That 500 servers statistic is long surpassed. Long surpassed. They are adding server farms at the rate of one a week. They use more electricity than all of Salt Lake City. They are Skynet, basically. Google is capable of keeping the entire internet in RAM. I mean, just stunning. Just stunning. Most people think of Google as a public utility almost. Oh, this is really convenient. I don't
have to worry about finding things on the internet. I'm just going to go Google it. Google is now a verb. Go Google that. Web, translation, blogs, Google+, which died a painful death more or less, but there's still tens of millions of profiles. News groups, Reader, images, Gmail, every book, every single book they've scanned. Google News, Maps, Street View, Google Music, Finance, Video, meaning YouTube, Google Voice, Froogle, every single person in here uses Google two, three, four, five, ten times a day. You check your Gmail, you use your free Google Voice phone number, you Google something. And every time you do that, I learn something about you. You use Google Translate, I know the specifics of
your communication in a foreign language. You talk to somebody on Google Voice, I can tell you that that call is being monitored. It's not being monitored by somebody listening in, but keywords are being extracted. Same with Google Mail. Try an experiment. Get together with one of your friends, try an experiment. Start emailing back and forth about you've been diagnosed with cancer. Tell your friend you just came back from the oncologist. This is the report. Oh, that's terrible. Do that for a week. Within a week, ads for medical products will suddenly appear in your Gmail. Ads will appear on search pages. Every time that you log in and authenticate yourself to Google, Google will be pitching something to you
related to that. Google identifies you and tracks you every time you log on, even if you don't authenticate. Now, most people do. They log in. Their Google infrastructure is set up for them. They want to take advantage of that. They want to check their Gmail. They want to see if they got any Google Voice calls. They want to see if they got any instant messages. All of this stuff takes place when you log into Google. How many people here use Android phones? Half the room. How many people here clicked yes on that? Good part of the room. I'm delighted to see some of you didn't. Every app that you use on a Google phone tells me something about you. Are you looking for
an apartment? Are you eating Chinese food? Are you inputting an address for a demonstration? Are you exercising your religious belief? Are you interested in particular politics? Every time that you use an app, it tells me something about you. Now, by the way, Apple's even better at this, and we're going to get to Apple. Google Goggles. How many people here have used Google Goggles? Decent amount of the room. The minute that you use that, I know that you are in front of a location or in front of an item that you cared enough to inquire about. And that tells me something about you. Tracking. The holy grail for every investigator, every detective, every law enforcement officer, and every target marketer is your location. I want
to know where you are so I can sell you stuff there. If I learn from my analysis of your profile that you like Chinese food and that you usually eat Chinese food at least once a week and you haven't eaten Chinese food for two weeks, so AI tells me maybe you're jonesing for Chinese food, and you're walking down the street with your Android phone or with a Google app open so I know your location and you pass Big Wong's restaurant. Bing, bing, bing. A little coupon pops up on your phone. Hey, it's lunchtime. You hungry? Look to your left. It's Big Wong's. 20% off coupon. That is less than a year away. That's what both Google and Apple are developing.
And let's say your GPS isn't working. Let's say Skyhook, which we're going to talk about, isn't effectively reporting your location, which by the way is highly unlikely. One of those two things are going to report your location. Skyhook reports your location from nearby Wi-Fi nodes, GPS you all know about, but Google wants to be absolutely positively sure. So they now have something called peer-to-peer location reporting. If I don't know where Bob is, but I know that Bob is near Joe's cell phone, and I know where Joe's cell phone is, now I know where Bob is. This is an actual patent that Google has filed. Peer-to-peer location reporting. If your cell phone isn't snitching you out, the closest nearby cell phone will. How many
people here, and you guys are the elite, the elite computer folks, how many people here actually read a terms of service? Okay, way higher than an average audience, but still only about 25%. After you read the terms of service, those of you that raised your hand, how many of you don't click on it? Counting, it has happened. Okay, rarely. Even that makes you remarkable, honestly. "Consent to the collection, use, sharing and onward transfer of your data, including but not limited to voice and location data, as outlined in the mobile privacy policy. Mobile.google.com/privacy. Location data may be from mixed sources and may not be accurate. Use at your own risk." This is what you clicked on
when you used Google on your cell phone. Now, how many of you remember Google 411? 800-GOOG-411. Back when 411 on cell phones was $1.95, you could dial an 800 number at Google and voice recognition, "I'm looking for Bob's Big Burger," and it would go back and forth with you until it actually understood you and then it would give you the address and phone number of Bob's Big Burger. Everybody says, "Man, Google is so great. Google loves us. Google wants to keep us from spending unnecessarily $1.95 on directory assistance." Wrong. Google wanted to perfect a world-class speech recognition system and it used you. Tens of millions of guinea pigs. Everybody calling in with every type of accent.
A Brooklyn accent, a southern accent, a British Columbia accent, an Asian accent, an African accent. Google now understands all of those accents. And Google has one of the premier, premier speech-to-text, speech recognition systems in the world. And believe me, it's not being used for your benefit.
It analyzes YouTube videos, it analyzes telephone calls, it's provided to government departments through Google government services. Google with a 99% accuracy rate, especially if it does two runs on the same voice, 99% accuracy rate can transcribe your conversations and can look for keywords. And for those of you that use Google Voice, you see this all the time when it transcribes a voice message to you and sends it to you as text. Siri also, this is a recent post on Reddit that had me really laughing. Here's a guy who started a new job. Started a job today with walk and talk technologies. I get to listen to sound bites and rate how the text matches up with
what's said in an audio clip. He's perfecting a voice recognition system. He says, "At first I thought these sound bites were completely random. Then I began to notice a pattern. Soon I realized that I was hearing people's commands given to their mobile devices." I love the end of this. "You've never heard something sexy until you've heard a guy with a slight Indian accent slowly enunciate, 'I want to have sex with you' to his texting app." Alright, so that's kind of sad, but the point is, everything that you do on your cell phone is not processed on board. It's sent to the mothership. When you go, "Siri, find me a machete so I can chop my girlfriend's head off," that goes to
the mothership. "Siri, find me the closest bookstore," goes to the mothership. There is not enough processing power, obviously, on the average cell phone, and there isn't enough of a database on board the average cell phone. It has to go to the big computer. This is very, very important because it's worth money. It allows them to glean more information about you from your conversations that can be used to sell you stuff, but governments also want it. There's a Babel program in the US. There's the Bolt program. Broad operational language translation. I don't know how many of you remember the tricorders on Star Trek. You know, some alien, the Gorn, would appear and the Gorn would go "blah,
blah, blah, blah." And it would go, "Why are you on my planet?" on the translator. It would translate it live. We are not far from this and this type of product is being beta tested right now in Afghanistan, in Iraq, in every type of war zone. This is a critical thing. I mean, you are going to have a boot soldier with a device in his hand that's going to be able to speak to anybody anywhere in the world within a few years. Voice analysis. From your tone, from the words that you're using, from the cadence of your speech, it is now possible to tell your emotions. Now, we'll get into the whole thing about voice stress analysis and lie detection
from voice, which is actually a thing, but with a ridiculously high level of accuracy, a machine can listen to your voice and determine, are you happy? Are you annoyed? Are you upset? Are you really upset? Computers can now determine that. Computers can now determine when you're on hold for customer service, if you're a really ticked off person and route you to the right person who can handle that sort of thing. Jihadi John, the Brit that has been chopping everybody's head off for ISIL or ISIS or whatever you want to call them, was identified. And he was identified, whether you know it or not, substantially due to voice recognition. Now, it was a lot easier for him than it might
be for you or me. It's a lot harder to take one person's voice and run it against 350 million North Americans. But there are ways to winnow things down. For example, if the system knows that I'm speaking with a Brooklyn accent, which I am, they compare me to people from that area. If the system knows that I'm speaking with a Canadian accent, well, we've now reduced it by 90%. There are things that you can do. Jihadi John was clearly a Brit. He was clearly somebody who was involved in ISIL. They had, I'm going to say, at the most, a pool of about 3,000 people that had a check. They ran his voice against snippets of the 3,000 people, and they
effectively ID'd him. Accurate, useful, immediate voice recognition is a thing. Google wants to keep you on their systems just like Facebook does. And they even put apps out there so you can customize your experience and never leave Google. There's a great example of this. There was a guy who used to take the train home every day, and he would have to wake up two stops or three stops before his stop, text his wife, and gather all his stuff together and then get off the train. So he wrote with the Google app, which is drop and drag, I mean you just connect lines, it's all visual interface pretty much, very little coding. He wrote an app that when the GPS on
his phone indicated that he was two stops from his house, it would ring his phone, wake him up, text his wife. I mean, personally, I think that's very cool. But when you look at all the things that are being done of a nefarious nature with this type of programming, it's not that fun. I mean, Google gives you direct access when you're programming for them through their APIs, geolocation API. Ah, here's the guy. Every product that Google offers has some backdoor intent. Why are they offering a URL shortener? goo.gl. Why are they offering that? Because they want to know what you're interested in. If you are posting a URL, it's a website, it's an item, it's a product, it's a thought, it's an issue that you
are personally interested in. Google Glasses. Everybody thinks, "Oh, they call people who are wearing them glass holes." And they're correct. And they're correct. I mean, it is a moronic thing to walk around, essentially, with a video camera on the bridge of your nose. But you know what? This is part of a greater sharing trend. People walking around with GoPro cameras. People walking around with body-worn video. This is the trend. And I have to tell you that as you walk around and you're sharing this information, you are sharing it, first of all, with Google. Google has dozens and dozens and dozens of patents related to video identification, video to text. You play a video and it's Bob is walking
down the street, then he gets into his car, then he drives off in a westerly direction. Google can analyze video like that now.
By the way, Google encrypted search, if you think that Google is encrypting search and encrypting their whole infrastructure so that you can log in with an HTTPS connection because they love you, because they want to protect your privacy, that's just ridiculous. What they want to do is make sure that what you do on their infrastructure is only shared with them. It's encrypted to everybody else. Google, by the way, even has satellites now. It has its own satellites. And I'm just going to throw this up there. This is a new thing now. There are homebrew satellite kits out there. So if you can build your own satellite for about $6,000, imagine what Google's putting out there. This is what I call Rambam's second law. Rambam's
first law, by the way, is all information is used for unintended purposes. Rambam's second law is you are what you Google. How many people in here have Googled their own name? The whole room. How many people in here have Googled their own address? About half the room. How many people in here have Googled their own phone number? About half the room. Just out of curiosity, how many people in here have Googled their own social insurance number? No, no, keep your hands up. One, two. One guy in the back. A few of you. The point is, everything that is important to you, everything that makes you, you, sooner or later you Google. If you Google an address for
Google Maps, it's because you're interested in that location. If you Google a book or a topic or a religion or a political issue or a country or a job board or anything, it's because that is important to you. You don't Google something because you wake up in the morning and say, gee, I think I'll Google unicorns. To the point of ridiculousness. There's a couple in Florida wanted to kill a young girl. They didn't know for sure, how do you strangle somebody exactly? Where do you put your hands? So they Googled it. And they're now charged with their murder. People Google everything. It is a psychological default. I can't, what's that word? I can't think of it. I'll Google it. It is a
default response now. Now, yeah, no problem. Google's a big help. We can trust them with our information. Their corporate motto is do no evil, right? Wrong. In every possible way, Google has shown that they have absolutely contempt, have absolute contempt for individual rights and privacy. Street View, Book Scans, YouTube, misuse of trademarks. Let me tell you about that misuse of trademarks. If you are Pepsi-Cola and you want to bid the highest for the ad word Coke, regardless of trademarks, regardless of just common sense and ethical conduct, you can buy that trademark. If I'm XYZ-ed, computer services company, and my biggest competitor is ABC computer services company, I can buy the ad word of their name, so every time
somebody Googles them, my link, my company, is the top link. I don't think that's particularly ethical conduct. Busting Safari protections. Safari, Apple's browser, had a do not track feature. No problem, Google went around it. You don't want to be tracked? Tough, we're Google. Promoting their own products. The all-mail folder, which we'll talk about. The thing that everyone needs to understand is Google is not a public utility. It is not the electric company. It is not the water company. It is not the phone company. It's not regulated. It is a private company. First of all, whatever you give them consensually, after you've clicked their terms of service, they own. You can never get it back. It
is a Google business record. You don't like that they have it? Tough. Too late. They can do whatever they want with it. Whatever they want with it. If a neo-Nazi group wants a list of every Jewish person in British Columbia, maybe Google will sell it to them. Probably not, but it's not impossible. Street View. Street View takes pictures of everybody, but in New York, those pictures are, the faces are digitized out. Why? Well, a guy by the name of Kevin Bankston decided to check his address on Google Street View and saw himself. And he wrote to Google and he said, hey, wait a second, you don't have my permission for that. Google basically said, Mr. Bankston, you're
in a public place, you have no expectation of privacy, bite me. Big mistake. Kevin Bankston was the head of legal services for the Electronic Freedom Foundation. So they started a jihad against Google. And Google finally settled with them and said, "Okay, we will digitize everyone's face in the area where Mr. Bankston lives and works." So if you're in New York City, your face is digitized, and if you're in Vancouver, Canada, not so much.
Google Street View, private roads, private businesses, they don't care. Inside jobs, books. Copyright law has been established for 100 years. You slave, you sweat, you write a book. I'm an editor of a publishing company on the side, publish investigation and intelligence books. I can tell you what people do to write a book is like giving birth to a child. These people sweat and slave and put their heart and soul into it. They put it out there, they copyright it, and Google says, "Thank you," and scans it into their system in violation of every accepted law and norm. Newspapers are dying. Newspapers are dying. It's a fact. People aren't buying newspapers. People aren't reading newspapers. They get their news for free on a tablet, which is
a whole different discussion, a different five-hour discussion about restriction of information. Newspapers live and die based on whether you subscribe to them digitally or with a physical version. Google doesn't care. They grab all of this and they give you news.google.com. You don't have to read the New York Times. You don't have to subscribe to AP. Google Street View, I love this picture. Apparently they can photograph you, you can't photograph them. Data harvesting, ignoring do not track, ignoring do not track and merging it with marketing data. How many people here, this is really a good one for me, how many people here know about the all mail folder? Okay, now this is a, no, no, keep your hands up, please, please, please. Okay, so this is a computer
security conference and less than half the room raised their hands. When you delete email on Gmail, it does not get deleted. It goes to the all mail folder. Now, by the way, you have to actually expand your mailbox to see the spam, the starred, the trash, and the all mail folder. You have to actually see more mailboxes. Here's what you have to actually do to delete a message on Gmail. You have to delete the email, then you have to go to the all mail folder, physically go in there and delete all mail, then you have to navigate to the trash folder and you have to empty the trash folder and then, I don't know how many of you have seen that, when you
delete it, you get a message from Google saying, "Why delete? You have five gigabytes of storage space. You can leave it there." This is the ethos of Google and you share all your information with them. I'll end on Google with this. A reporter for the Wall Street Journal was doing an article on Google and privacy. So they went and they met with Eric Schmidt, who is the big mucky muck at Google. And he pooh-poohed the whole privacy issue. He says, oh, people put it out there knowingly. So the reporter, she pulled out a 50-page printout on information about Eric Schmidt that she had gleaned via Google. And he looked through it, blew his top, threw her out of the office, and banned the
Wall Street Journal for one year from any interviews with Google. So apparently, what's good for the goose is not good for the gander. And the reason, again, is they want to be the biggest advertising, the biggest target marketing company in the world. Out of curiosity, how many people here use Google products like Google Docs, Google Voice, Gmail? The entire room, pretty much. How hard would it be for you guys to change now? To tell all your contacts a new email address? To do things differently? You're used to that infrastructure. You can click on those boxes and send an email with your eyes closed now. Change your Google Voice number. Remove everything from Docs. They suck you in and suck you in until you're
trapped in the digital swamp. If you... Alright, let me kill that. This is what Eric Schmidt says. We can suggest what you should do next, what you care about. Imagine, we know where you are, we know what you like. Not only are you never lonely, you're never bored. We suggest what you should be watching because we know what you care about. A near-term future in which you don't forget anything because the computer remembers. And you're never lost because they know where you are. If I look at enough of your messaging and your location and use AI, we can predict where you're going to go. And by the way, that's absolutely true. Every one of us are creatures of narrow habit. I know where you
likely will be on Tuesday at 3 o'clock. Show us 14 photos of yourself and we can identify who you are. You think you don't have 14 photos of yourself on the internet? This is straight from the horse's ass. Mouth. And again. Now, there are people who gather information on you shamelessly. This is what they do for a living. Amazon is one of them. What you read, what music you like, where you travel, what you buy, permanently logged history. If you want to delete your purchases from Amazon, there's only one way to do that. Only one way. You have to close and delete the entire account. And even then, they still keep it and they still market to you by email. Whatever you buy, whatever
you look at on Amazon tells me something about you. If you buy a book on kidney cancer, it's because you or somebody you care about has kidney cancer. If you buy a guidebook to Aruba, you're going to Aruba. If you start buying Judaism for Dummies, either you're Jewish and you're getting back into your religion, or you're about to convert. I mean, whatever you do on Amazon tells me something critical about you. And they suck information every way that they can. How many of you, well, it doesn't matter. Some of you read on multiple devices books that you've purchased from Amazon. You have a Kindle, you have an iPhone, sometimes you read it on the computer,
and sooner or later you're going to realize, hey, wait a second. I stopped reading on the Kindle at page 286, and I opened my phone, and it automatically opened to page 286. Everything that you do when you are logged into their infrastructure, which you are when you use the Kindle or one of their apps, is watched. If you highlight a passage, if you highlight and email a passage, what you're reading, what page you read again and again by length of time that you're on that page, this is all done, and it's in their terms of service. This is all done to gather information about you. And by the way, Apple does the same thing to the
max. To the max. Every single connection that you have to a financial institution, every single credit card, every single bank, every single wire transfer, everything that you do with Western Union, it's recorded internally for financial purposes because governments require it, but it's also spun off for marketing purposes. When you go into a bank and you open a bank account, who do you think is checking your social insurance and your social security number to make sure it's you? Do you think they're contacting the Canadian government or the U.S. government? Absolutely not. Absolutely not. Equifax has a banking service and it's all going to a credit bureau now. Everything. All databases will eventually be used for unintended purposes. Number one, tracking. Every time that
you log in, every time that you hit a cookie, a pre-established cookie, every time that you have a piece of software that has to authenticate activation, Apple Store, iTunes, Windows Media Player, Internet Explorer, and by the way, this now applies to every browser, whether it auto-completes or auto-corrects or whatever, it is communicating with the mothership to do that. Every time you use activated software, every time you open an app on a phone, even we, by the way, TV, TiVo, cable, smart TVs now. Smart TVs know if you're in the room and some smart TVs, some Samsung smart TVs even know if you're in the room and what you're looking at on the screen because it has an onboard
camera. OnStar, every time you use a toll road, MetroCards, passenger list, car chips, digital license plate readers, which we're going to talk about, every time that you use a digital product, every time that you take a photo or print something out of a digital printer or burn a disc, that activity is being logged. Every disc that you burn has a unique serial number embedded in it. Every laser printer, unique serial number. Every check-in, every time that you use an app like Foursquare or any other check-in app, your location is logged. Now let's talk about cell phones. Cell phones are the biggest issue today. Cell phones report who you talk to, who you associate with, what you check on a browser, where you go, who's
important to you, what your interests are, where you spend your time in a day. If you go to an extreme demonstration, if you go to a radical mosque, if you are at a known crime location like a crack house, whatever you do, I know you're doing it if you have your cell phone with you. We closed the case in Louisiana two weeks ago. Woman decided to kill her husband. Her ex-husband got out of jail. She decided to kill her current husband. She got him to borrow some money for her. He turns over the money. Her and her ex-husband kill the guy, and they dump his pickup truck to make it look like he ran off. We proved who the killers were because we did
what's called a tower dump. We found out that every cell phone that was at that location when the car was dumped. And sure enough, the wife and the ex-husband. And we got them. Your cell phone is reporting your location 24/7. And it does it through a variety of means. If you have a smartphone, which most people do today, an iPhone, a better Android phone, a really good Samsung phone, it is reporting your location from onboard GPS, which is now accurate depending where you are. I mean, it can be as accurate as what corner you're standing on in a wide intersection. Skyhook. Skyhook is a company that drove around North America for five years, gathering up the location of every node by MAC address. This Wi-Fi signal is here.
This router is here. When the iPhone 3 came out, it did not have GPS, but it reported your location pretty darn accurately, and it did it exclusively with Skyhook. It triangulated from Wi-Fi. You're 200 from this router. You're 300 from this Wi-Fi signal. There's another Wi-Fi signal 100 meters behind you. You're pretty much right there. Skyhook and other services now similar to Skyhook report your location by Wi-Fi. And by the way, there's now in the new iPhones something that even tells what floor you're on in a building. Pinging, tower triangulation. This is how law enforcement does it. It doesn't do GPS. It knows that you are 400 yards from this tower, 500 yards from this tower, and it triangulates in where you are.
Apps on your phone. Apps on your phone, right at your location, 24/7. Everywhere that you go with your cell phone, it's reporting. And a lot of these systems are self-healing. A lot of these systems, if somebody's living in Boston, and they're moving to Vancouver and they pack up and they take their Linksys router with them and they connect that router in Vancouver, the system will figure out through proximity and through IP addresses eventually, okay, that router that we used to use for a Boston location, it's now a Vancouver location. And, and thanks to the wonders of GPS, not only can I tell where you are thanks to your GPS signal and your cell phone, but I
can tell what's there. Every single location is now geomapped, geocoded. If you're in your car and you tell your GPS, "Find me the nearest gas station," it's able to do that because it knows the GPS location of every gas station and every liquor store and every street address and everything. I know that you are standing in front of 123 Main Street and 123 Main Street is Bob's Liquor Store. There are versions of this that are available to the public. I mean, if you use Wiggle, if you grab an IP address or grab a MAC address or grab a router address, you can feed this into Wiggle. I don't know if this is still working. I've last used this about three months ago. But when I've used it,
it's been pretty darn accurate about half the time. Navtech. Navtech sells a complete GPS database. I don't know if you can read this. Alert, express mail drop box within a block. Alert, your friend John is two blocks away. Meet for lunch. Alert, game in progress, want to join. 20 box seats available. Shay Paul has three tables available. This is the current, by the way, this is two years old. This is, at the very least, the current state of GPS. It tells the location and activities of a subject, behavior patterns, and associates. There is a product that I saw, I've actually seen this in Israel, called Rabi. It's called Rabi because the guy had a sense of
humor. It stands for, previous slide? Thank you. Thank you. Relationship and activity analysis and behavior informant. It is what's called data valence. This is the new term. This is what law enforcement and marketing companies and other people who want to watch you do. It's called data valence, surveillance of you 24/7 just from your data and your digital activities. The little digital breadcrumbs that you leave, the signals that your cell phone sends out, when you log onto your terminal, when you use an iPad, data valence. And it is about 95% as good as me following you around with a team of eight people. Here's an example. At 3 p.m. By the way, I asked the guy, why
are you using all these Italian names? He says, because the mafia doesn't have a lobbying group. He says, at 3 p.m., Vinnie and Cheech separately arrive at Don Vito Lasagna Social Club. Fifteen minutes later, Don Vito arrives. No problem. from cell phones. Following Don Vito's arrival, Eddie DeHook, Tommy One-Eye, and Bobby the Butcher depart the social club and are shown within 100 feet of the router in Spanky's Boom Boom Lounge for the next 45 minutes. Don Vito told them, "Hey, youse guys, get out of here." So they go down the block to the strip club. At 4:00 p.m., Eddie, Tommy, and Bobby return to the club and Vinnie and Cheech leave, meeting over. At 2:25 a.m. that evening, Vinny and Cheech are shown visiting Pier 99 for
one hour. Also present at Pier 99 is Eduardo "The Mule" Ruiz, Colombian coke dealer. Another stereotype, sorry, but there it is. Two days later, undercover narcotics officers begin to notice the availability of a new type of Colombian cocaine in the territory controlled by Don Lasagna, all from data valence. It really works like this these days. Here is an actual subpoenaed cell phone tower report, pinging report. It tells me this guy is at this location with a 4,900 foot accuracy. This guy at this date, this time is at this location with an 80 foot accuracy location. This time, this date, this location, back to a big distance. Down to about 25 feet. This is what a typical tower report looks like. Connection of your phone to that tower. I
can follow you day and night. Day and night. And this is just one of four or five methods that can be used. Here's the peer-to-peer pinging again. Now, not just people, but places. If I wanted to, I could find out with reasonable accuracy 99% of the people who are attending B-Sides Vancouver. How? All the cell phones at this address. It's that simple. It's being used against terrorists. It's being used against the Occupy movement. I can tell you that the NYPD rolled out something called a Stingray, which is a cell tower spoofer that determines every single cell phone in an area. They rolled us out at every Occupy Wall Street demonstration. And they had the names and the identities of every single person there.
And they went and visited those people at night, a lot of them. And if you don't believe me, hey, Google it. Instantly capture social data also. View pics and comments. This is an actual advertisement for a secure product that's being sold to the US government. You know, this is FOB Geronimo, Forward Operating Base Geronimo, right there. And these are the tweets and the photos and everything posted from that location. Whoops, apparently the government didn't like me showing that. Tracking mode. Isolate one target, track all posts. There are systems that I can go, okay, Hasan is a problem to me. Watch this guy. Massive 24/7 dataveillance and the system does it automatically. Location, location, location,
posts, photos. Not too sure what he's smoking there. I have a system that I rolled out. I own peoplefinder.net among the things I do as an investigator. And we rolled out something called GeoTwit. The geographic locations of your tweets. And I speak every couple of years at 2600. I've bumped into some of you guys there actually. And I wanted to make a point. So I pulled up every single person that went to 2600 and I took about five of them and I showed their exact route from when they got on the train, who it was, their tweet talking about it, their geolocation. I guarantee you that at least five or ten of you have tweeted during this event, and it gives me your exact location through
the day. Here's a guy, Mark Silverberg, he was one of the speakers, he tweeted that he was going to 2600, tweeted from his house, pulled up a picture of his house. This is the new norm. By the way, every single tweet is turned over to the Library of Congress and it's a public record. Remembered Wi-Fi. I have access to your phone. I know every Wi-Fi that it connected to or tried to connect to. I believe it saves 1,000 connections before it starts overriding it. I know the last 1,000 places that your cell phone pinged Wi-Fi, whether it connected or not. This is off of my cell phone when I was traveling. I was in the Admiral Club in the Zurich
Airport. This is my cell phone. 45% of apps track location. How many people here have the Flashlight app on their phone? Okay. Did you know, just out of curiosity, did you know that the Flashlight app reports your location? You raised your hand, right? Okay. Well, no reason for an app that does nothing more than make your screen glow white to have your location, access to your camera, and access to your phone calls. But it does. 45% of all apps report your location. And people do that so they can sell it. And governmental agencies buy software that gathers all of this together. No human involvement needed. Here's Nomad. It pulls in email, it pulls in location tracking data, it pulls
in SIMs, hand phones, MAC addresses, emails, even landline stuff. We can track a specific target through all his electronic communications. This is actually an old ad. Every single thing that you do, every location, sucked in. And now, because as I mentioned before with Facebook, similars attract, they have what's called a community of interest. If you are friends with Bob the terrorist and Fred the terrorist and Layla the terrorist, you're a problem probably. It's that simple. If you are friends with this anarchist and that anarchist and this anarchist, depending on the open-mindedness of the local government, they may want to suppress you or not. And it's now, this is actually the technical term in the US, they call it
a community of interest. And here's a graph, an actual bona fide link analysis graph, which shamelessly is now called guilt by association. Now when I first became an investigator, I was told there's no such thing as guilt by association. You are innocent until you're proven guilty, except in cyberspace. If you associate with a bunch of bad people, you're a bad person. Here's link analysis. This guy right here, that's the guy I want. I'm not really sure why that one is red. I guess that's like the guy you want to flip to get that guy. But these are actual legitimate screenshots. Why are people tracking your location 24/7? It's not because Big Brother is out there. It's not because they want to invade your privacy. It's because
they want to sell you stuff. Chinese restaurant around the corner. You're in a foreign country. They want to market you travel stuff. Where do you spend your time? What's your activities? And very, very soon, and this is being rolled out now, even as we speak, this is actually a good use for this. If Bob's credit card is being used in Milwaukee, but Bob's cell phone is in Vancouver, there's probably a clone cell phone. They are now going to, there are companies where there's pervasive fraud issues on an account where they will be authenticating that you are actually using your cell phone, excuse me, that you are actually using your credit card based on the location of
your cell phone. Which I gotta tell you, I think it's pretty brilliant. Location as a service. Mobile location information is worth money. Where are you? What's at this location? What's near this location? Your location is being tracked 24/7 as a result. Assisted GPS, cell ID, the ability to access precise GPS, no device dependency, no device or interaction required, no user ID required. This is now being used to track people who are bailed out. The bondsman tracks their cell phone. And this, by the way, is an actual trace that I did on somebody. This was a girl. The girl went to an ATM. She was sent by her job to go pick up some pizza. She went to the
pizza store. They wouldn't take her credit card. She went to an ATM. She was last seen at the ATM taking out $100. Nobody saw her for the next two days. And we were asked to try to locate her and thank God her cell phone had been plugged in in her car so it didn't run out. She was in Dallas. It was 106 degrees. She had bought a six pack of beer. She figured, well, I might as well have some beer. She sat in the car, drank beer, fell asleep. The car ran out of gas. The AC stopped and she cooked to death. She died and we found her in her car as a result of
this. This is an actual private cell phone pinging that I did.
All you all know about Uber, Uber's God view, how they were tracking executives, they were tracking people who were criticizing their service. Every service that you use is now tracking your activities. Every app tells me something about you. If you use barista, you're a coffee guy and I know where you're going. Coupons, I know what coupons you get. Compare me, I know what items you're interested in. Loan shark, you're looking for a loan. Mint, banking. Gas cubby, I know you own a car and where you're going for gas. Spottasaurus is parking garages. I still know you own a car. Repair pal, good guide is food. Woot watch, forget about that. RnDining, Find an Apartment. This is an actual ad.
I didn't compile the most intrusive things, but if you have these apps on your iPhone, I know an enormous amount of personal information about you. Print and Share, Analytics, Log Me In, Quick Sheet. All of these things tell me something about you. And it's because Apple has something called iAd. Apple wants to market to you. Your information is worth money. And again, just so you know, Apple saves all of your communications with Siri. All of it. New privacy policy lets Apple collect, share iPhone users precise locations. You know, I'm amazed that Snowden was such a big deal. What was Snowden's big revelation that first got him in the paper? The government is recording your location. Who didn't suspect that? And
who doesn't already know that the phone companies, the telcos, the phone manufacturers, the phone service providers, the phone add-on providers are doing that also. But you have to think about it. And the phone is now becoming the critical device for your life. It's a loyalty card, it's a payment device, it's a barcode reader, store guide, eBay or Amazon you probably have an app, manufacturer syncing, retail object, locator beacon. 71% of people never turn off their cell phones. 95% of the people in this room, cell phones, by the way, whether you know it or not, can be turned into a roving bug. The microphone can be activated. I just put that up there to add to your paranoia. I'm
gonna, I'm gonna go through this very, very quickly, but this is a great example. The CIA decided that this guy, whose name was Hassan Omar Abu Bakr Hassan Mustafa Osama Nasser, sorry, they decided that he was a bad man, that he was a terrorist. He was wandering around Milan. They wanted to snatch him and take him to a foreign country. Americans are wonderful people. We don't torture. We outsource it like we outsource everything else. We snatch you up. We take you to Egypt. We put you in Egyptian jail. They torture you for us, but we can say we didn't torture. But we got to get the guy from point A to point B. If he's unfortunately in Milan, we got
to snatch him up and get him to Egypt. So the CIA locates this guy, surveils him, and brings him to Egypt, where he is in fact tortured. And oops, sorry, not a terrorist. Egypt returns him to Italy, where he proceeds to file criminal charges against the CIA. Italy had a very aggressive investigator. He was their main drug guy. His life had been threatened. He was their main drug investigator, mafia investigator, and he was on this like white on rice. Now, everyone here knows that the cell phone reports your location constantly. Everything you do reports your location. Everything. Here's an example. So here's what the investigator did. He checked the location of Osama's house. He checked the
location of where Osama was picked up. And he found cell phone patterns. He found people who were hanging around in that area, who didn't have stores, who didn't stay in the local hotels, who had no good reason to be there. And every once in a while the cell phone signal was good enough that he could tell that they were in cars. And then he grabbed the cell phone activity, the metadata, and he saw who was talking to who and who was the big boss, who was the coordinator, who was everybody checking in with. And he ran that number and uh-oh, it belongs to a guy at the U.S. Embassy who's a CIA guy. So just from digital data, just from
calls back and forth, just from GPS, he was able to track people which were the cell phones of the abductors. And then he followed these cell phones locations until they worked their way in a caravan on the highway to the Aviano Air Force Base where they went out on the tarmac, some of them flew away, some of them drove back, but Osama was never seen again. He was able to track the entire abduction and identify 23 CIA agents, CIA agents, and issue arrest warrants for them, including Bob Lady, who was the CIA chief, just strictly through digital data. He then went, and every time that the cell phone was at a hotel or someplace that it spent the night, they investigated there.
And they found a whole bunch of credit cards. And these credit cards, great trade craft, were all consecutive numbers and were all billed to a billing address at a P.O. box in McLean, Virginia. So not the most brilliant thing. At any rate, identified the second secretary at the embassy, identified a technician at the consulate, identified the chief of security for the U.S. Air Base at Aviano. And by the way, the interesting thing is profiling cell phones. Let's say you decide you want to be a master criminal, so you take out the SIM on your phone, you put another SIM in. First of all, your phone has an onboard serial number, it won't work, you can tell it's the same phone.
Second of all, within a day or two, you know, this cell phone goes to Bob's house, goes to Bob's job, drives in Bob's car, visits Bob's girlfriend, it's Bob's cell phone. Three or four data points, your phone can be re-identified.
They went to the hotels, they got the legitimate passports when people checked in, they got IDs that had been provided, and they identified all these people and issued arrest warrants. And here, by the way, is the actual exhibit from the Milan court that somebody emailed me showing how they linked everybody with phone calls and email and GPS address and car rentals and staying in the Western Europa and so on and so forth, all from digital data. Even CIA agents can be hit with this. And here is the indictment and the arrest warrant from the Milan court. They screwed up. And again, you visit the wrong mosque, you attend a demonstration, you call a person already under investigation, or somebody wants to profile you. If you call an OB/GYN, two
days later you call a divorce lawyer, three days later GPS shows you at an abortion clinic, you went, you told your boyfriend you're pregnant, he said, "I don't want it," or your husband rather, "You're pregnant, I don't want it," you get divorced, you have an abortion. From cell phone data. It's really that simple. Now, by the way, I love this. The Simpsons did a spoof on the iPhone called the eyePhone, where you actually had a phone embedded in your eye. And Futurama did the same thing. Well, we now have the Apple Watch out last week. This thing is going to be strapped to your wrist. Watches are never turned off. Apple has solved the problem of that 29% of people
who leave their cell phone at home when they go jogging or go to the gym or turn it off. Let me put this in Canadian terms. If you have this watch, you are tagged like a moose. Okay? That's something you can all understand. You have been tagged like a moose if you have the Apple watch. Your cell phone tells me everything there is to know about you, especially, especially if it's partnered with all the other stuff I know about you. You are constantly reporting your data. There's apps out there like Girls Around Me, GPS tracking. Now, I just want to go through some other stuff very, very quick to raise your paranoia level, and then we'll go to
Q&A. Let's say you say, okay, you know what? I'm going to be really, really careful. I'm going to mail a letter. Just letting you know, every letter that you mail in the U.S., in Canada, in Western Europe, the front is scanned. The to address, the from address, and it's saved for five years.
Anything that you do digitally, you take a photo, there's an EXIF code embedded in it. You print something out on a digital printer, there's a microscopic serial number embedded, especially in color printers because they originally started doing that to stop counterfeiting. You burn a disc, you burn a CD, that burner's unique ID is embedded in the disc. Everything that you do. Everything that you do. Now, let's talk about marketing. There are people who do nothing but try to get inside your head. They want to know everything about you. Every magazine subscription, every 800 number call, every product survey, every registration, every time you use your credit card, that information is sold to marketers. He bought a book. He went on a trip. He bought a car. He visited a
gas station. Everything, every login, every website visit, every friend, every group, everything, everything is purchased by data aggregators. And I know because I've seen this firsthand. I've subpoenaed it. I've bought it. I use it in my own system. I've seen it grabbed with warrants. This is not fantasy, this is not Cassandra, this is not Chicken Little, this really happens. Everything that you do digitally, the knowledge of that event is worth money to marketers and they pay dearly for it. Billions and billions of dollars. Your likes, your dislikes, your habits, your religion, your politics, your sexual orientation, everything. When I first started giving this talk, I said, look at what I can tell about you by your magazine subscriptions. This is like when the
internet wasn't a thing. If you subscribe to Inc, you're interested in business. GamePro, games. Ecologist, you have a certain point of view. Wine Spectator, Bark, Cat Fancy, or Horse Animal Fair, I know what you buy. Skateboarding, ski, golf, I know what your sports interests are. Gun Digest, football, HEEB, psychotherapy, Paranoia Magazine, there's really such a thing. POZ, there's even a magazine for HIV positive people. If you subscribe to that, either you or somebody very close to you is HIV positive. And they take this stuff and they define you down to the granular level. Caught in a pickle means you need money. Credit amigos, Hispanic people badly needing money. Desperately seeking products, people working from home. Five star investors, which by the way are knuckleheads that'll invest in anything.
I'll buy that, it's your lucky day, outdoorsman products, and really, really obnoxious stuff. There's a marketing, if you contact CPC Associates, there's something called Astrology Success. These are various mailing lists they'll sell you. Astrology Success customers have responded to a direct mail solicitation offering angelic information, intervention, angelic intervention, sorry, as a means of achieving financial and personal success. Send me money and I'll have an angel pray for you to be successful in your business. 60,000 people. This is basically the moron list. I'm sorry, but it is. 60,000 people who have responded to a direct mail solicitation selling angelic intervention. Wrap your brain around that. That's how much it goes down. U.S. and Canadian businesses, consumers, bankruptcy and tax lien data, doctors, dentists, everything,
everything. Things like suffering seniors, elderly people with cancer. Oldies but goodies. Half a million gamblers over the age of 55. This is stuff they know about you. People want this. People want this. And you can extrapolate out the 21st century funnel. They take email. They take posts. They take blogs. Look, direct mail, call center, in-store networks, website, email, display, mobile, text, mobile apps, in-store, social media, everything. This is a company that gathers all of this together and builds a marketing profile on you. Number of friends, number of sites, Facebook, LinkedIn, MySpace, yeah, MySpace. Credit card use, you know, American Express, Discover, gambling, investments, all of these things. What's your ethnicity? What's your religion? How big is
your household? I mean, are you interested in aviation? Are you a chip head? Christian families, etc., etc., etc., etc. All of these things. Are you gay? Are you Hispanic? Are you Asian? All part of marketing. Site personalization. They want to link your on-site and your off-site. If you are reading a magazine online, a targeted ad from your offline activity may pop up. All of this stuff is put together. Now, the previous example that I gave about what magazines you subscribe to, now, imagine you subscribe to Soldier of Fortune magazine, American Rifleman, Washington Times, you purchase The Force of Reason, you're a registered Republican, and you're listed in Focus USA Christian Donors List. You are a right-wing, gun-owning Republican. Subscriber to the Village
Voice, High Times, Cat Fancier. You purchased Noam Chomsky's latest obnoxious book. You're a Green Party member. You've contributed to the UJA, the Gay Men's Health Crisis, and American Friends of Peace Now. You are a left-wing Jewish New Yorker homosexual. Now I know, by the way, just so you know, little investigative tip, I know that this person is a homosexual not because of the Gay Men's Health Crisis, but because he owns a cat. Sorry, sorry, sorry, sorry. The point is you can extrapolate out the information to the point where they now have psychographics. They figure out what's in your brain. Micro-targeting, the big sword. It gets down to the ridiculous level. When the Volkswagen company decided to
reintroduce the Beetle, it had been out of production for almost 20 years, and they couldn't figure out who to market it to. So the first year that they sold the Beetle in the stores, they, with Germanic precision, profiled every single buyer. Hundreds and hundreds of questions for the people that would answer them. You know, where do you live? What do you do? What are your interests? What pets do you own? What food do you eat? Everything. They wanted to know who is the typical Volkswagen buyer. And they found out that the typical Volkswagen buyer, among other things, likes chunky peanut butter and owns a cat. Likes chunky peanut butter and owns a cat. So they bought up all the chunky peanut butter coupon
cash-or-inner lists and all the cat owner lists, however you do that, I don't know. And they saw who was on both lists, and they marketed like mad to those people. And those people bought 500% more Beetles than the people that they just marketed to through some other method. You can extrapolate out. When Obama was first running, it was Obama and Hillary and John McCain. For example, bourbon drinkers are disproportionately Republican. Gin drinkers are overwhelmingly American. If you drink a clear liquid, for some reason, white wine, vodka, that sort of thing, you are more likely a Democrat. Don't know why, but that happens to be the case. The average American has nine friends, drinks milk from the cereal bowl, eats 25 pounds of candy a year, has lost
12 teeth by age 50 because of the 25 pounds of candy, prefers smooth peanut butter over chunky. During the 2008 election, if you liked olive oil, bare naked granola, lattes to go, the Cheesecake Factory restaurant, Panera and Starbucks, you were disproportionately likely to vote for Barack Obama. Bourbon, stuffed crust pizza, Fiber One, Hardee's, Fuddruckers, BMW, and you own a gun? My man McCain. But that's actually true. That's how they do things today. There are weird-ass correlations. The people who believe in alien abductions are more likely than non-believers to drink Pepsi. Okay. If you eat fresh fruit every day, you're more likely to buy a pricey Canon DSLR. The people who, I have no idea how they
got this, people who cut their sandwiches diagonally rather than vertically are more likely to prefer men's Ray-Ban sunglasses. This is honest to God. I mean, this is a Wired article, a ridiculously well-researched Wired article. I can extrapolate out to who you are from widely, widely disparate things. Oh, here's a Canadian thing by accident. The riskiest drinking establishment in Canada. Shark's Pool Bar in Montreal, where 47% of the patrons who use their Canadian Tire card there missed four payments over the next 12 months. This is the sort of data they gathered. Uh-oh, this guy goes to Shark's Bar? No more credit for him. Database milestones. Who you are, what you do, what you buy. Here's a typical profile.
This guy... Thomas so and so, North Tonawanda, New York, mid 40s, Caucasian, married, tradesman, hobbies, residence, home value, gender, zodiac, whether he has children, some college, homeowner, 17 years, the neighborhood is below average. Plays sports, plays football, enjoys NASCAR, loves to travel, likes music, R&B music, soft rock music, reads cooking books, reads about interior decoration, sports, magazines, owns pets, likes cars, rides a motorcycle, enjoys cooking, researches musical funds, he enjoys knitting, which I find weird, fitness, hockey, okay, that redeems him from the knitting, cruises, rock and roll music. This is the guy's whole frickin' life from a marketing company. Everything. Everything. Narrowcasting. Facebook is now feeding you only the news it thinks you want to read. I mean, that's how well it knows
you. Now, this is the good stuff, and we're going to do 15 minutes of this, and then we have the Q&A. De-anonymizing data. You think that you're anonymous, and in fact, you are absolutely not. Just a few data points, a couple of places you go during the day, a couple of check-ins a day. I know you. I own you. You cannot be anonymous today. You cannot. Researchers at the University of Texas de-anonymized Netflix purchases by comparing film names and the purchase dates in IMDB comments. Laura Sweeney de-anonymized 87% of 1990 census data just with a combination of five-digit zip code, gender, and DOB. If I know your age, whether you're male or female, and your postal code, I have a huge, huge possibility of already knowing
who you are and where you live. And that's a fact. Carnegie Mellon researchers accurately guessed SSNs. That doesn't apply anymore. They used to be geographically issued. The more unique data in hand, the more I know about who's Bob, who's Laura, the more likely I can identify you, even if you're trying to be anonymous. Perfect example, 6'8", Chinese tap dancer in Ames, Iowa. There's only one. Perfect example. Congress, about nine years ago, said, "Hey, what's all this internet stuff and search engines? Let's do an investigation." So they contacted Google and Yahoo and Hotbot, which was a thing back then, and AOL, all the search companies, and said, "We want all of your searchers' searches for a month." And some entities said no. Some
entities said here you go, unredacted. AOL took the middle road. They turned over all the searches, but they anonymized the searches. They gave them numbers. They stripped out the name and email address and address and all of that. So because this was turned over to Congress, this was a public record. And the New York Times, bless their pointy little heads, grabbed the database and said, "Let's see how anonymous people really are." So they looked at searcher number... Where's my pointer? Whoop, not what I wanted to do. They looked at searcher number 4417749, and they determined that it was Ms. Thelma Arnold in Georgia. How? Well, she googled 60-year-old single men, landscapers in Lilburn, Georgia, Arnold, Shadow Lake subdivision, and dog that urinates on
everything. So they went to the Shadow Lake subdivision in Lilburn, Georgia, and found somebody named Arnold with a dog that urinates on everything. And sure enough, it was Miss Thelma Arnold, the anonymized searcher. Everything that you do points directly to who you are. Now, by the way, browser fingerprinting. Your browser is unique. You don't log in, you connect from a public Wi-Fi, you do everything you can, you scrub your computer, doesn't matter. By the time you've set up your browser, the type of browser you use, the unique operating system it's running on, in fact, the version of the type of browser you use, unique operating system, fonts installed, add-ons, plug-ins, everything. Browsers are absolutely unique
or nearly so. And if it's not unique across the spectrum of the Internet, it's unique for the area of the IP address that you log in. That browser with those characteristics at this particular area of IP British Columbia, there's only one guy that uses that browser and we have previously identified that fingerprinted browser to Bob. It really is that simple. Remote physical device fingerprinting is a thing. You can remotely fingerprint a terminal, a laptop, a cell phone, not just from the UUID or the MAC address or the persistent IP address of a cable modem or something like that. Those are guaranteed things, of course, but unique device fingerprinting. Every device, after you've had it for a week or a month or a year, is set up in a certain
way that's unique to you. That device is identifiable. There are companies that are already making hundreds of millions of dollars off device fingerprinting. They want that when you log in anonymously, they know it's Bob so they can still sell stuff to you. This guy is gathering hundreds of millions of devices. As far as anonymity, some obvious things. Cookies, browsing history, downloaded history, embedded graphics, micro pages, passwords, all of these things you know about. But ISP data grabbing like form, ISP URL collection, every time that you, if you've set up your browser to use, I'm sorry, if you've set up your router to use a browser, anything other than open ISP translation, your provider, whether it's Verizon or Bell Canada or
a cable company or whatever, is watching every single URL that you type into the browser. And that tells a lot about you. DNS correction. Not just cookies, not just normal cookies, but flash cookies, respawning cookies, super cookies that track you every minute of your life. Forensic linguistics. Show of hands, how many people know what forensic linguistics is? One, two, about ten people in the room. Let me tell you what it is. You are unique. You use the same words, the same structure of sentences, the same punctuation. If I have three or four or five samples of your writing, significant samples, I can go out on the internet with programs that exist and I can find every anonymous post you've made, every anonymous blog that you
make, every phony Facebook profile because you will keep writing in the same manner. This is Sal Perricone, a federal prosecutor in the US. He was working a case and he was so disgusted with the guy that he was prosecuting, he started putting out blog posts under the name H.L. Mencken, 1951. So the guy that he was talking about was losing his criminal case. He figures, well, if I can't attack the message, let me attack the messenger. I believe that the prosecutor is this guy saying mean things about me. He's not objective. This shouldn't be allowed. Maybe I can get my case thrown out of court or at least get a new trial on the basis of that. So he brings a court action and he
gets a subpoena for the guy to reveal whether he's really making these anonymous posts. And the basis for it is forensic linguistics. The guy used words, for example, like "dubity." I'm looking at this with real dubity. It's the state of being dubious. It's a made-up word. But the prosecutor was known to use this word "dubity," and the blogger was known to use it. Repeated use of the phrase "on the altar of." Punctuation. The guy would put a period, a space, and then the parentheses, where most people would put period, parentheses. These small factors allowed them, with a professional, to identify that this was the prosecutor. And you know what? He came in, he had to admit it.
I can tell you that forensic linguistics is used every day, multiple times a day, for criminal cases. Soon it's going to be used for de-anonymizing posts. J.K. Rowling. J.K. Rowling, after the Harry Potter series died, she started writing these Harry Silk novels, these murder mystery novels. People could not identify who this writer was. But because the books were selling so well and the books were getting the attention of publishers who were paying them more attention than they would pay normally a new mystery writer. It's a bitch trying to sell a book these days. And all of a sudden this person came out of nowhere is getting all kinds of love from a couple of big publishers. So the
people who care about this sort of thing said we are going to de-anonymize who this publisher is. And they ran the book, and they ran it against, because they suspected, they ran it against J.K. Rowling, and the linguistic fingerprint showed that it was her, and she fessed up. It's really that simple. De-anonymizing. You post photos. I hope everybody here raises their hands, but they won't. How many people here know what an EXIF tag is? Good enough. Perfect example: I go to your webpage, I go to your blog, if you're not posting via a system that strips out EXIF tags and I can compare it to something else you've posted, I know it's you. Facial recognition: I speak
at a variety of federal agencies' undercover schools. Basically, I talk about how to keep me from busting your cover if you're undercover. It's sad to say, but a lot of major criminal organizations hire good private investigators. A guy is all of a sudden looking to do business with them, looking to join their criminal organization. They actually background them the same way somebody would a job applicant. And I talk about how to maintain your cover, how to defeat a private investigator. This guy is Jack Garcia, Joaquin Garcia. He spent 24 of his 26 years as an FBI agent undercover. He is the only federal agent known to have so successfully infiltrated a mafia family that they gave him an offer of being a made man, a full-fledged mafia guy.
He infiltrated the Gambino family. I did a course on undercover investigations in which he was on a panel with me. And I used him as the dummy. I said, you know what, Jack? You were able to do this 15 years ago because there was no internet. If you were going undercover now, the first thing I would do is I would take your picture and I would run just even publicly available facial recognition, TinEye or Google image search. And I took his photo. I got his photo off the net from a New York Daily News article. That photo you see right there. I grabbed it and I ran it through Google image search and it came up with everything. And Joaquin Jack Garcia, FBI agent, born
'52, all from just facial recognition. The crap that's available to the world is that good now. I can't begin to tell you how good facial recognition being used by passport agencies and immigration agencies and customs agencies and driver's license bureaus... There's a reason why you're not allowed to smile in your driver's license photo. It's because they want the same data points for every face. And they can see that the guy who took that driver's license out in the name of Bob Jones, did he take out another driver's license under the name of Fred Smith? And every day, people are arrested in every state and in every province because of facial recognition of driver's licenses. TinEye. TinEye is another good one. Camera
noise signatures. It's not just enough facial recognition and EXIF tags. Every camera sensor has a unique fingerprint. Even if it strips out EXIF tags, if you are a governmental agency or Facebook or somebody like that, you can identify that photo as belonging to this other batch of photos just from the camera noise signature. You can't, you can't strip out camera noise signatures, even when the EXIF tag gets pulled out. Cameras. Cameras are everywhere now. This is Bryant Park in New York. In 1998 there were 129 cameras per square inch. 2003, 2008, that's what it looked like. Now, I can tell you it's just one blob. You can't even see the individual dots. This is the average big city.
Everybody has their own security camera. The local law enforcement, the local municipality is putting out their own cameras. Let me show you how good cameras are today. This is a photo of something taken. This is Barack Obama's first inauguration. This is back in 2008. Cameras are exponentially better now. This was taken by this camera here called Gigapan. Multi, multi megapixel shot. It's a 1474 megapixel shot. That is the distance. And then you zoom in and you zoom in and you zoom in. Every single face can be identified. I can take a Super Bowl photo, one shot, and everybody that's in that frame, one photo, the whole stadium, I can identify each person's face individually now from one photo. Let me show you this. From that
to that. From that to that to that to that. That is the new norm for cameras. And by the way, this is an eight-year-old camera. Again, cameras are increasing exponentially. If there's no camera, send a drone. I can tell you as an investigator, I use drones right now. If I want to know if somebody's home, if their car is parked there, they've got a big hedged driveway, I just stand by in the public space. I put the drone up into the air. I put it up high enough so it can see over the hedges. I don't have to fly into the guy's private space, although legally I can above a certain altitude. I just put it all the way up. It's
as if I have a 500-foot stepladder. I look in. I see his car is still there. I zoom in on the license plate. I identify it's the car. I lower the drone back down, get back in my car. Everybody's using drones today. You can buy a phenomenal drone for $1,000, $1,200, a Parrot drone. Helicopters, persistent drones that stay in the air for years, hand-launchable drones. This is the L.A. County Sheriff's Office. Drones, tiny, tiny, tiny drones, even cyborg drones. This is a moth that DARPA has put a controller in that they can go with a little stick and show the moth where to fly. Cyborg fly. This is something called Devil Ray. The big problem is
keeping the drone in the air. This thing can let out two cables, hover above a power transmission line, an electric line, recharge, pull in the cables, fly off for another 20 hours. It's a vampire drone. This thing here pops right out of a briefcase. It's configured perfectly for a briefcase. There it is. You put it down, and off it goes. That butterfly there, that is a drone with a high-def camera developed in Israel. There it is. Looks exactly like a butterfly. By the way, if you come and visit Texas, the police drones now have grenade launchers. I mean, remarkably effective homebrew drones. These are private hobbyists. Drones following skiers down the road. That is an actual surveillance drone with a chip camera in it.
That's another one. That's another one. That is the Harvard RoboBee. The tail is an antenna. It's got a tiny, tiny little chip camera. It's powered with lights. That is a quarter. This is legit. You can go to Harvard's website and suck that right off. That's the Parrot drone for a thousand bucks. High def, zoomable camera, viewable on your iPhone or iPad. Now, I just had to put that up there. The guy's cat died. He missed his cat. He had a new drone. So he made a cat drone. Everywhere, everywhere. Helicopters. There's an actual case. Guy took a hostage, released the hostage, stayed in the car with the gun. The police cordoned off the street. They heard a noise. They weren't sure what the noise was. The NYPD helicopter
from a ballistically safe distance, two miles, was able to zoom right into the car and see that the guy's head was blown off and blood and all of that, that he had shot and killed himself and that it was safe for the ground team to the ESU, the SWAT team to go over and open the car, the door and extract them. I mean, that's how good they are. By the way, Google is putting up multiple satellites. Multiple satellites. Google will be able to zoom in now. No privacy, no nothing, do whatever the heck it wants. Now it's not just the cameras. The cameras are really, really impressive. Facial recognition is really impressive. But if you match cameras with activity recognition, smart surveillance,
smart cameras, analytics, cameras can tell what you're doing on board. They were originally designed for prisons, so this ad for a schoolyard kind of looks like a prison. This kid's making a break for it right there. But it can report, whoop, go back. It can report this kid is eating, this kid is playing, these people are chatting, they don't look like they're chatting to me, but never mind. This kid is studying, I'm not sure what he's studying, and this kid's alert, suspicious behavior. That's all from the camera before anybody even looks at it. Cameras can follow you around. It can lock in on a particular target. This, by the way, is a five-year-old technology.
Facial recognition is good enough. Somebody smokes pot on a campus, they compare it to the base file of student IDs, they catch them, they eject them. They did that at University of Colorado in Boulder before pot was legal there. Starting in 2006, every motor vehicle department has been comparing. Every single... password entity, every single law enforcement entity, is... sizable law enforcement is now using facial recognition. Let me show you how good it is. Two years ago Russia invaded the Crimea. Putin says, we don't know anything about it, not our soldiers, these are just, you know, crazy hairy guys with beards who are going in there and shooting up the place. France said, you know what, liar pants on fire. They took
the photos of the special forces that went into Georgia, the Russian special forces that went into Georgia in 2008, and they compared them to the people who went into the Crimea and into the Ukraine in 2014. And lo and behold, same guys, busted Putin. That to that, that to that, it's that good now. You can't hide. Even with the mask, they were able to compare the mask. The particular weapon, that's a unique weapon. That's an M4, M16 platform, which they don't use in the communist countries. So that was a big giveaway. The uniform, the pouches, how everything was set up, they were able to identify just from that. Now, I showed you the CIA getting screwed. I showed you the KGB getting
screwed. Here's the Mossad getting screwed. Mossad decided to assassinate an Islamic Jihad financier. I believe it was Dubai. So they sent in an assassination team. They had the people check into the hotel. They're walking around looking like normal guys with tennis rackets and smiling face checking in. Guy gets killed. It was supposed to look like an accident, like a heart attack. For some reason, they figured out that it was an assassination, and they were able to go back from the cameras, identify the people, and pull up even their passport photos. Twenty Mossad operatives outed. Now, it happened too late for them to be caught, but facial recognition, nobody is immune now. I would hate to be
James Bond trying to sneak into a foreign country. And they know me the minute I come in, not just governmental departments, me. I was working with the Illinois Attorney General's office identifying deadbeat dads. I took their wanted photos. I ran them against MySpace and Facebook, and I found them, no problem. I did the same thing with the Texas AG's office for sex offenders. Sex offenders that had their computer rights taken away because they had solicited minors online. And I went and I found their current Facebook and MySpace profiles. One of these is hilarious. This one was really, really easy. He used his booking photo as his MySpace photo. Honest to God. Not a joke. That was not... Professor Moriarty.
He was not a criminal mastermind. So, huh? So imagine you wear a disguise like the guy with the mask. Not only can your environment identify you, but 95% of your face can be concealed and you can still be identified by small portions. If you're the elephant man, you have that hood with the little eye, they'll identify you as the elephant man. Not only that, photo enhancement, that can be cleared to that. This is an actual DARPA enhancement. Okay, you wear an even better disguise, doesn't matter. That's enough. That's enough. That's enough. Any one of those areas, if it shows, whatever. They now have nose recognition, which is the death of me personally, but the nose is enough. They can basically take a nose print
of you. Okay, you travel by car. This is whoop, whoop, whoop, whoop. Go back, go back. Let's see if the sound works. I found the Canadian ALPR example. This is a Canadian trooper demonstrating ALPR, automatic license plate readers. Everywhere your car goes, its location is recorded and buffered. 60,000 plates per hour per police car. You see those forward-facing cameras? They can drive at speed through an entire airport parking lot, come out the other side, they've recorded every car that's parked in that parking lot. They drive down a street at night, every car that's parked there. If there's a murder, a dead body that's found three days later, they find out the body's been dead for three days, they can go back, check
the ALPR database, see what cars were parked there, which by the way is how Son of Sam was caught. This particular system is capable of capturing up to 3,000 license plates in an hour. We have two forward-facing cameras and one side-facing camera. The side-facing camera is out at a 90-degree angle, and it's basically for doing parking lot applications. I can go into a parking lot of a shopping center and drive down the lanes of the parking lot, and as I'm doing that, I'm running every single license plate in that parking lot. The forward facing cameras, one is forward facing to the lane to the left and one is forward facing to the lane to the right. And what I'm getting there is typically oncoming cars and the camera to
the right would be either cars in the... Anyway, you get the point. The new units get 60,000 plates an hour. Most of them are not law enforcement. Most of them are people like this outfit, Vigilant Video, that sells information to repo companies. You didn't pay on your car. There's no GPS tracker on the car. There's no disabler on the car. They need to find your car so they can hook it up and take it away. 1 billion records a month by private companies. These companies are gathering so much more data than law enforcement that even CBP, Customs and Border Patrol in the US, is doing data swaps with them. In return for some of their data, they're giving the border crossings to the private companies.
In London, it's so good that if you haven't renewed the insurance on your car, the gas pump will not go on to gas up your car. If you don't have valid insurance on your car, you can't gas up and drive the car in certain areas in the UK now. It's that good. And again, it's not just for repo guys in law enforcement and privacy invasion. It's because they want to sell you stuff. This guy's a Home Depot preferred customer, owns two Ford trucks. He likes Whoppers with cheese. People want to identify you even when you're in your damn car. By the way, these are the new glasses. This is DARPA glasses. These are so a guy can walk
into a village situation or a POW situation and look at everybody and do live onboard facial recognition. And it'll alert if somebody's a high value target or is wanted for something. These are called DARPA glasses. Digital contact lenses coming up soon. Your contact lenses will be able to receive information. If you have a program, you're in a party. You can never remember somebody's name. Somebody comes up to you, oh, Bob, what a great conversation we had. And you're going, who the, who is this guy? Your glasses will go beep, beep, beep. And his whole dossier will come up. Hey, Fred, how's Susie? How are the kids? Right in your eye. That iPhone may not be a joke. I'm going to zip through some of
this. By the way, here's a good example of video to text talking about there's an accident in the actual video. And it shows that. This is an API that allows you to put it into your own programs. 36 million matches a minute. I like this one. Keeps telling me Superman and Clark Kent are the same person. I'm sorry, 36 million faces a second. My mistake. That's some of the matching. There's commercial applications. Knuckleheads, it's so good now, knuckleheads can do commercial applications that will allow them to find a bar with a disproportionate number of women from the app. They'll check each bar. It says 90% full, 58% women. Hey, I got a chance there. Covert cameras. Cameras as lie detectors. This is current. This is
absolutely current. Can look at the face, can tell from the demeanor, can tell from the conduct, can tell whether there's flushing of the face, the likelihood that the person's lying. It can tell the same way voice recognition can tell if somebody's angry. It can do emotion recognition, surprise, disgust. This is an actual article from the Wall Street Journal a couple of months ago. The U.S. CBP, Customs and Border Patrol, has already rolled out a program called Elvis. I guess they thought this guy looked a little like Elvis because of the hair. If you have global entry, meaning they're already pretty sure you're an okay guy, you go to Elvis, and Elvis asks you a question. Are you a citizen? Yes. Okay, it believes you. Have
you ever been arrested? No. It's starting to think you're a liar. Have you been employed in the past five years? Yes. Not too sure. Have you ever used illegal drugs? Eyebrows elevated, delayed verbal response, tonal rise at the end of response, pupils dilated, send them to a live inspector. It's that good already. The U.S. government is using this. Now, gait recognition. People, Ministry of Silly Walks, Monty Python's Ministry of Silly Walks, people are going to be able to identify you wearing a ski mask, they can tell who you are by the way you're walking. Biometric database, FBI biometric database, is going to be everything from iris scans, remote iris scans, voice scans, everything. Everything is being fed in. Everything is being
fed in. And you can already do this on the move. There's already iris scans on the move and remote iris scans. You can do fingerprint reading from six meters away. I can sneak up behind you and go zzz and fingerprint you from a distance. This is a lie detector through IR. This is a normal picture. This is with IR and it's showing the flushing. You can tell, not perfectly, but it's an extra indicator when you're questioning somebody. You can look down at your screen and see if there's any vascular indication that the person's having a response to your questions. Eye tracking technology. This is no lie. This is a real thing. Not only can it look at a picture, and tell
me who you are, and tell what your facial condition indicates, but it is now possible to zoom in on your iris and see who and what you are looking at in that picture. Imagine you get a good picture of Osama bin Laden, and you enhance his iris, and you see he's standing in the Mall of the Americas. I don't know. At any rate, it's getting that good. Analysis of photos is going into places where it's never gone before. Antibody tracing. Interpretation of activity. They have things like NORA, non-observational related activity. Other things. Here's examples. You check flights to Iran right before a bombing. You buy a book on fighting cancer. If you rent a gay porno movie, you're probably
gay. You put an address into MapQuest. My favorite one is a man is sitting next to a woman four times on airplane flights who is not his wife by checking all of the manifests on all the flights. You fill a prescription for some, you're on a plane four times this year sitting next to the same woman who isn't your wife. There are programs to analyze your activity down to the granular level. You may think you're not giving anything up, but by the time you've given up 500 or 600 or 1,000 data points, you've given up your whole life. And there's programs like NORA, was developed originally in Las Vegas casinos. For example, the blackjack dealer once shared a telephone number
with the sister of the guy winning big at his table. An actual example. Advise, busting credit card anonymity, money now all being electronic, people using Square and PayPal and all the various iPhone methods, correlation data. If you have an anonymized credit card history today... This is the article in, I believe it was, I'm sorry, Science and Defense magazine. They determined that the vast majority of the time, just knowing an individual's location on four occasions was enough to fingerprint 90% of the spenders. We are creatures of narrow habit. Once I have your profile, I have your profile. This is stuff that we sell now to investigators: locations, historical locations of people, profiles, associates. I know that the person is associated with this person through a
residence address. Man, this thing is going nuts on me.
I know that this is an associate because of residence addresses, co-owner of a company, son, wife, attorney. All of that just by pressing a button, I can find out who your associates are. Financial relationships, Wells Fargo Bank because you opened the checking account there and it was run through that private system. American Express, Delta Airlines co-brand. Nationwide financial, UCC1 filing. All of this. Activity and personality profile. A dog owner, a liberal, Democratic Party, chess player, and goes to Brazil. All through stuff that I can get in about two seconds flat. Relationship activity. This is the Enron relationship chart that the government did. If I was investigating, boy, I'd find out who Kay Allen is and go and speak to that person. I'm going to... Two new technologies you
have to watch as security people, and I'm going to wrap this up in like five minutes so we have at least some Q&A. HTML5, HTML5 is going to allow people to tail you on the internet, surveil you on the internet like never before. Learn about HTML5 as opposed to normal HTML. And IP going from four to six, IP version six. Every single device is going to be able to get its own IP address. Phones will have their own IP address. Terminals will have their own IP address. People are going to be able to identify things the way they never did before. These are two technologies that are going to massively increase what we've been talking about today.
Super cookies, persistent respawning super cookies that you can't get away from. We're going to end with the Internet of Things. This is terminology that was coined by David Petraeus, who at that time was the director of the CIA. He talked about how every device coming online and every device being developed is now being networked. I urge you, it's publicly available on the CIA website. Go to CIA.gov, download his entire talk on the Internet of Things. It's really, really good, even though it's a few years old. He says, "Data is created constantly, often unknowingly and without permission. Every byte left behind reveals information about location, habits, and by extrapolation, intent and probable behavior." I mean, that's an amazing statement, and
it's a frightening statement when the head of the CIA makes it, because if he's saying this publicly, that means they've been working on this for a decade. Let me give you some examples here. Smart homes, smart cars, smart watches, health monitoring, everything is linked. Here is a jug of milk that will tweet you or email you when the milk has spoiled. Here is an oven that you can preheat from your car or from the train on the way home. An ethernet connected oven. Here is, all of you know about Nest Labs, the smoke detectors. When Nest Labs were discovered to have a flaw that allowed people to reset it when they shouldn't, Nest went in to every single Nest smoke detector remotely
and deactivated the feature, revealing, of course, that every single Nest smoke detector was connected to the mothership. There's a chair that's being developed for high-end restaurants that will immediately pop up on a screen and tell you if somebody is in that seat or if the table is available in the restaurant. And it will also make it available to websites like Open Table. You will be able to see real time how many people are seated in a restaurant and whether there's tables available. And also, one of the options for it is going to be doctor's offices and HMOs where you sit in the chair, you put your fat ass in the chair, and it tells how much you weigh. Network trash cans. So you know
if the trash can is full and you have to come and empty it. For me, as an investigator, this is going to allow me to know when a target's thrown out his trash and I can go do garbology and grab his trash. It'll pop up right on my, oh, that's Bob's house, let's go get his trash. How bad a parent do you have to be to have to have a diaper that tweets you when it's wet? But Huggies has an internet connected diaper. It tweets you when you gotta change your kid. Everything. This guy put an electronic use meter that you could look at remotely in his home and he went on vacation and he told his 16 year old daughter, "No parties in
the house. No parties." And he was a sneaky guy, sneaky dad. He monitored the activity meter and when it went through the roof, he said, "Are you having a party?" Busted his daughter. It was in Australia. Here we have a Wi-Fi connected Barbie. I take it back. This is the worst parent. Your kid is so lonely and has nobody to talk to that the kid has conversations with Barbie. Talks to Barbie, the speech goes to the mothership, Barbie responds. Interactive with Mattel. So basically, you know, isn't this cute? Baby's first wiretap. You know, this is a Wi-Fi connected Barbie. Now, some of this stuff, all information will eventually be used for unintended purposes. Fitbit. People
were reporting their physical activity. Unknowingly, they were reporting their sexual activity, and you were able to look up Fitbit activity on Google for a while. So here's sexual activity, general. Sexual activity, general, moderate effort. Sexual activity, activity, active, vigorous effort. Attaboy. Passive, light effort, kissing and hugging. How it knows this, I don't know. This is an honest-to-God screenshot. You can't make this stuff up. It's not just that this stuff is being reported unknowingly. You have, and folks, if you are a religious person or easily offended, cover your ears right now. I mean, they describe it as a pedometer for your penis. I would describe, I mean, basically this is a Wi-Fi connected cock ring, is what it is.
That's precisely what it is. Why this is desirable, I'm not really sure. But everything is being connected. Everything. And by the way, smart device manufacturers have an association group and they have universally decided and told CBS News that you are too damn stupid to opt out of privacy issues. Which they're right. So here's the final recap. 15 minutes behind schedule, but we'll have time. Every significant factor related to data gathering has changed and not for the better regarding privacy or anonymity. More storage space, more processing speed, artificial intelligence, targeting individuals, cross-referencing offline and online, archival with current, real-time gathering of data. Whatever you do is in the database from the moment you do it. You make a phone call, it's in the phone call
database. You swipe your credit card to buy gas, instantly report to the mothership. Everything you do is instantly in the database. Nobody has to key it in now. Personal and business data is worth billions of dollars. You, your likes, your dislikes, your habits, your hobbies, your activities, your geographic location, are worth billions of dollars. And because of the profit motive, people are going to be gathering this information incessantly, obsessively, effectively on everybody. Most information that's out there about you is information that you put out there or allowed to be put out there. You are in control of this. You can go dark or reasonably dark. If somebody asks you for information that you think is ridiculous, like am I happy with my job
to get a dinner ticket, just say no. Rambam's first law, Rambam's second law. You are what you Google. All information will eventually be used for an unintended purpose. You eat chunky peanut butter, you own a cat, you want to buy a Volkswagen. It really works like that. It's always about money. Tattoo that on your arm somewhere. Now, well, I'm not even going to, yeah, I will, just to be a fair guy. Just to let you know, when the government is gathering this data, it's not just because they are privacy invading big brother jerks. It's a bad world now. People really need this. Had this been done prior to 9/11, there's a real argument that can be made
that 9/11 wouldn't have happened. The CIA knew about two of the 9/11 terrorists, al-Hazmi and al-Mihdhar. They were on the CIA watch lists, America being not as observant as it should have, let them into America, but they immediately made it up with all the other 9/11 terrorists. They already knew about these guys and they could have had these guys. These two shared an address. The ringleader shared an address with him. Another terrorist on the watch list shared a frequent flyer number with him. Five of them shared telephone numbers with Mohammed Atta. All of these people could have been identified if anybody was watching and anybody knew what to look for. There's an argument that can be made. The problem is they're hoovering up information
on all of us. We're going to go into Q&A now. I just want to tell you a couple of things. Anybody in here who's an investigator, a security specialist, a law enforcement officer, there's an educational foundation that instructs on these issues, provides white papers, makes training far, far, far beyond what we've covered here today available to appropriate persons. It's called the Fraternal Order of Investigators. New website, fraternalinvestigators.org. If you are a security director, you have a legitimate need, take a look at that. Second thing I want to tell you is I got a TV show, watch it. Say nice things about it to Discovery Channel. Maybe they'll actually pay me money. That's my company website. Anybody who contacts me will get a response. Those of
you that I've met at prior talks and who have contacted me will definitely confirm. I respond to emails. I don't ignore calls. I really want to hear from you. If you have a tip that you want to give me on a new technology or a new data source or something that may be of interest to me, hey, I'm an investigator. No such thing as too much information. Flood me with whatever you got. Q&A. Any questions or have I stunned you all into silence? Yeah, you. Oh, okay. Do we have a mobile app? Okay, you are the, no, you're the designated mic guy. You got to go around like Jerry Springer and stick it in their nose.

Definitely didn't sign up for this. All right, so I think it's pretty clear. We're being watched. We're being monitored. Right at the end you said, you know, you can make it a little bit harder to put your information out there. But realistically, to live in a modern life, you got to use some of these services. So everyone here probably has a cell phone. Your cell phone lets you get tracked. There's no real way around that. You're going to need to call people. You're going to have to have a cell phone. Some services, like, say, Google, you're going to have to use that. You're going to have to use Bing or some alternative if you want
to be able to search the internet, which pretty much everyone who has an IT job is going to need to do. Even things like Google Maps. I mean, you could choose not to use that, but it's an extremely valuable source of information. Do you have any tips as to, I guess, how you can use services without putting your information out there?

Yes. Big Brother's on you. But you don't have to be a sucker about it. Don't download apps. Don't activate apps that you don't really need. Flashlight being a perfect example. It's ridiculous. Don't blindly agree to terms of service. Read it. Find out if you're being screwed to the point where this is not a desirable service for you. Use DuckDuckGo
or some interface that goes to all these same methods of gathering data and providing search services. Use an anonymizer. Use the Onion Browser. You can put the Onion Browser on your iPhone. You can use Google in a way that will frustrate them to a certain point. Always click "Do Not Track." Some people actually pay attention to that. Don't blindly give out information. It is astounding to me that if you want a dish on your roof to get cable TV, you have to give your social insurance a social security number. That's insane. Say no. I did and guess what? They were happy to take my money anyway and put the dish on the roof. Just, you have
to constantly be alert to the fact that you're dribbling information out there and make an informed decision, do you want to put it out there? And I'll tell you, most of you guys work in computer security. The more I know about you, the more I know about the people around you, the more I know about what you do and who you do it with, the more likely I'm going to social engineer my way into your system. If for no other reason than ethically you need to be good at your job, stop giving that stuff out. I will tell you that Kevin Mitnick, who's a buddy of mine, is a miserable programmer. He sucks on computers.
But he is a brilliant social engineering guy. He can talk his way into anywhere on the phone, in person. I mean, he could get into Fort Knox and walk out with the gold and they'd help him carry it to his car. Because he's so good at that. He sucks on computer. This sort of information will bite you in the behind as a security specialist sooner or later. It absolutely will. Next question? Where's the microphone guy?

I already got it. Thank you for the talk, Steven. I have a question. As you clearly demonstrated with so much information available and so voluntarily provided, with so much capability to analyze it and harvest it practically every way possible, what's your
interpretation why the governments across, you know, on both sides of the Atlantic still want increased surveillance capabilities when it comes to digital data?

Because they're terrified and they don't know what they don't know. I mean, it sounds like a Rumsfeld line, but it's really true. You don't know what you don't know. If Fred goes berserk, takes hostages, yells "Allah Akbar" or "Aloha Snack Bar" or whatever it is, and chops somebody's head off, you want to be able to go back in time and see where did Fred get this from? Identify his point of radicalization and see who else was at that point. It's a legitimate concern. I mean, you have people being killed in Canada right now. So far you've been lucky, so far America's been incredibly lucky.
I personally, I'm psychologically, I find it psychologically difficult to walk into Grand Central Station. You see a thousand people in there just clueless walking around. Nobody checking you, nobody doing anything. A guy can walk in with a backpack, wearing a coat and tie, people with a coat and tie never get stopped. Walk in with a coat and tie and a big backpack with 40 pounds of explosives, kill 200 people. There's nothing stopping it. I mean, I've lived overseas. I've lived and worked in the Middle East. I've lived and worked in places where every restaurant you went into, they would check your bag, where every movie theater. I mean, I've experienced these situations. I've got to tell you, it's coming to North America, especially with ISIS,
ISIL. These people are going to come back radicalized and trained. And some of them will do stuff. So you don't know what you don't know until sometimes it's too late and they want to at least be able to have a plan B. Also some of these guys actually get caught. Some of them. The knuckleheads, the idiots. They go on the internet and say, "Gee, how can I build a bomb?" And they're talking to a government employee and they don't know it. I don't think that anybody, not me, not the government, not privacy advocates, not extreme right-wingers on the other side, nobody knows where the appropriate balancing point is. And the problem is if you go too far towards not gathering data and
something happens, you're screwed. And if you go too far towards gathering data and it's not needed, you've unnecessarily screwed everybody. So it's a tough one. It's a really tough one. My personal preference, grab all the data, put it in a lockbox, a real lockbox, that you can't pull it out until you really need it. I don't know if that's possible, though. I personally don't, having worked with intelligence agencies and being a guy who goes and lectures at Quantico and goes and speaks to federal agents and works with federal law enforcement all the time, I got to tell you, they can't be trusted, I can't be trusted, we can't be trusted. I mean if the data's there and it makes your life easier, you want to use it.
You really, really want to use it. So it's a problem. Next. Hi Steve, over here. To your left. I hear a voice. I'm waving at you. I see that waving hand. Okay. I'm blinded by this light here. Okay. Go ahead. There's no spotlight here. I'll make one comment and I have one question. So the question is, how successful do you think it would be for all of us to pollute the data streams that we're providing to people by faking those surveys? If I say I'm a student and I'm not a student or I'm unemployed and I'm employed, why don't I just do that all the time and make it not worth their effort to try
and call everything? Because the machines are smarter than you. I get this question all the time, and I don't even bring it up during my talks because I want to see if I get the question all the time. You're welcome. Yes, exactly. Thank you. The profile that exists of you before you decide to do that is so good and so bulletproof that you can't turn around and pretend to be somebody else. You're going to say, "Debbie is living in Fred's house. Debbie is going to Fred's job. Debbie is driving Fred's car. Debbie is using Fred's cell phone." I don't think so. We know it's Fred pretending to be Debbie. Now that might get you an entry as a potential cross-dresser in the database, but it's not going
to fool anybody into not knowing it's Fred. There's just so many data points out there. It can't be done. By the way, you would have to start with a brand new persona and a brand new online identity, and that in itself... That in itself is a giant red flag. This guy's 30 years old and he's never had a Facebook page, never tweeted. This is his first email address. I don't think so. This is an alias. Let's check deeper. Let's see. Oh, he's logging in from Fred's house. He's using a cell phone with Fred's UUID. Gotcha, Fred. No, it's horrendously hard to do if you have capable opposition. Thank you, Steve. Next time you're in New York, when you go home, when you walk into
Grand Central Station, face away from the Apple Store, look towards the clock, look up towards the Hudson Line signboard, tell me what you see in the top corner there next time you're there. I'll email you. Okay. You'll notice it. I know exactly what you're talking about, and it's not a big help. It's a giant facial recognition system the government's using. Okay, great. And you know what? So they'll know who set off the bomb. But there's no way the guy with the bomb's not going there for one first time. He'll go ten times and scout the place. It's Grand Central. If I go through there every day, I'm a commuter. Anyway, uh, next. Hi there. Hi, Steve. I'm over here by the bar. Hey. Where am I looking?
The bar's here. Yeah, yeah. I just followed the poor big arms. So if the phone is the snitch in your pocket, I just wonder how optimistic you are about dark phones or black phones. There's quite a few different ones being developed. You're shaking your head. Okay. Yeah. Yeah, my friend Stefan in Germany bought phone number five from them and we played with it. In fact, he was at the Hacker Conference with me, the Hope Conference in 2014. So not only did we play with it, we beat it to death. Everybody beat it to death. It's harder, but it still bleeds enough information that sooner or later you're screwed. Just not immediately. Thanks. That's it. Oh, one more. What are your thoughts about trying to track somebody
down if they're using a... Tor browser and say like Astral VPN, that kind of stuff. I didn't hear this. I heard, what are your thoughts about tracking somebody down and then your voice went... Sorry about that. Like Tor browser or like AirVPN or Astral VPN, that kind of stuff. Listen, first of all, it's already been determined that X number of Tor nodes are actually run by governmental agencies. So you see some of the traffic. Second of all, Tor transmissions are not necessarily encrypted. They're just bounced all over the world. All that Tor is supposed to do, in theory, is anonymize your identity and your location. And there's so many ways to get through that. I
mean, you can send a tracking bot through, and if the guy's a moron and opens it on the other end, that's it. That's his location. It's not going to transmit it back out over Tor.
I mean, it's a tool, it's not a real good tool. If you don't believe me, go visit Dread Pirate Roberts in jail. I mean, it didn't help him at all. And that's a perfect example, by the way, Dread Pirate Roberts, how they nailed this guy. He wasn't able to establish a completely new persona. The guy who ran the dark web. They were able to compare similar postings, similar job issues, a similar email address. I mean, you've got to, it's like the witness, you know, cyber witness protection program. You've got to burn your entire life and then burn the ashes. It's very, very hard to do, nearly impossible. And Tor, my belief on Tor is that it lulls
you into a false sense of security and then you end up screwing yourself twice as bad as if you were being cautious about everything. Thanks. Over by the wall. Which wall? There's two walls. Yeah, you'll see me. Just an example, because Chris was winding down, of something I did that was kind of interesting and weird. When Tinder, does anyone here use Tinder? New dating service? It's horrible. Nobody's going to admit to it. Nobody's going to admit to it. I do, screw it. When Tinder first came out, you can hit their API directly, which is terrible by itself, but you could ask it for the user and it would give you the GPS coordinates of that
user that you're asking about down to like six decimal places of the GPS coordinates. So you could right away you could just hit people directly. And they fixed that. But I just want to give an example of how terrible these newer services are. And they fixed it by now only providing you with the location or with the distance to that person because when you're looking for people you want to find out how far away they are. So I was talking to a girl and she said, oh guess where I am? So I said, "Okay." And I got her location and the distance it was and I drew a little circle on a map and then
I faked my GPS to three other locations on the Earth and had her exact city in Thailand. So it's just another horrible service that they try to anonymize it, but it's super easy to crack all these things. The bigger, I agree with you, by the way, but the bigger takeaway from all of that is Tinder has your exact location down to the street corner. Tinder is buffering and gathering all of this data. So... Just an example of how easy it is to pull that stuff. What's your guarantee this will never be sold or used for marketing or used to enhance other products? A, you have no guarantee of that. And B, I guarantee you it will. So that's the real takeaway. Nobody
else? I'll repeat what you say. Okay. Oh, that's a bad analogy for so many reasons. He said... Interesting question. Let me repeat it. If I didn't get it right, correct me. He said when DNA first came out, there were the same privacy fears that it could be used to track people down and whatnot. First of all, those fears have been realized. DNA can be used to track you down. And they even use familial DNA right now. If they don't have your DNA, but you come from a family of knuckleheads, and dad has been arrested, they run it through CODIS, through the DNA database. They say, this is not the guy, but boy, there's a whole lot of similars,
and they know it's a member of that family. So, so, so, and there's a whole bunch of other stuff happening with DNA. So, first of all, I think that fears about DNA have been realized. What the gentleman quite correctly says is it's gotten a huge number of innocent people out of jail. Yes, it's gotten a few thousand innocent people out of jail. It's gotten, I believe, 150 people off of death row, mostly through the Innocence Project. It's probably kept... I would say a million people from being arrested, right? But it is tracking a hundred million people and it's not entirely a happy story. But let's assume that DNA is correct. Let's assume that you're right about DNA. When
your DNA is taken, 99% of the time you know it or there's a warrant to take it covertly. And you're actually suspected of something and you're actually doing something. Chances are good that you're guilty because despite all this stuff about bad cops and evil cops, I got to tell you, 97% or whatever it is, 90 plus percent of the people who are arrested and suspected are really the bad guys. Cops usually get it right. So by the time somebody gets to you with DNA, it's a fair thing to do. This is not a fair thing to do. Your data is being gathered. It's absolutely unknowing for most people. Even in this room, which are the elite people in British Columbia who know what's
going on digitally and in cyberspace and online and with databases, and they understand the system. Some of them possibly run these systems. Even they don't think about it. You have no idea what's going on until you suddenly get hit in the head with an anvil and you realize it. For me, it's not a good analogy. I get the point you're trying to make, but what's the positive benefit to society? I understand it's an engine of capitalism. If people make a widget, they don't have to spend a zillion dollars marketing it to the world. They can use their ad budget effectively and only sell it to the people who really want to buy it. I get
that it's an engine of capitalism, but in the meantime, I gotta tell you, you know, maybe I'm from a different generation, but privacy is a big deal to me. Anonymity is a big deal. Ah, I wish he would have actually said that before I went off on a long rant. Sorry. What he was getting to is have I seen organizations like the Innocence Project use this to get innocent people off? Rarely. Only after the fact. A guy's in jail, he's on death row. They go, hey, what happened to this guy's phone logs? And then they show he was in Milwaukee. In terms of this data being used to get people off, to clear people, not so much, not so much. It's usually used
to lock people up. And I got to tell you, I work both sides of the street. I've literally put a guy on death row and I've literally gotten a guy off a death row. Not the same guy, by the way. And I've used these technologies for both. Okay, you know what? That's a whole 'nother three hour talk. He's talking about prosecutors' use. I want to tell you, I don't know what, I don't know as much as I could or should about the criminal justice system in Canada, but I will tell you that the criminal justice system, and I'm a right wing, lock 'em up, throw 'em in jail, throw away the key, put 'em on death row type
of guy, and I gotta tell you, I'm horrified by the criminal justice system in the US. I can tell you, a perfect example of that is DNA. You've got a guy on death row. You tell the prosecutor, we know he's innocent, we have all this other evidence, run his DNA. And they fight you for 15 years. What's the harm? Literally 15 years. What is the harm in running a guy's DNA? What's the harm? If he's guilty, that puts him deeper in the cell. If he's innocent, you've really done something connected to justice. Problem is it's not a justice system, it's a legal system. And it's who's winning, who's ahead on points. Why would a prosecutor fight for 10, 15 years to compare DNA? It's unjust. And then
when they run it, they argue it shouldn't be introduced. I mean, there are people who could be cleared in a week and there's 20 years of interference. So, prosecutors are not always the best guys. And it's because they have absolutely unbreakable immunity. No prosecutor can be prosecuted for anything he did while he's a prosecutor, even if it's shown later to be outrageous. You know, submarining exculpatory evidence, refusing to analyze evidence, hiding potential defense witnesses, shredding the whole Brady rule, if you know what that is. I mean, buy me a beer later and I'll tell you some great stories. I mean, no, no, prosecutors are not using this. Good cops are using it and good defense investigators and defense attorneys are using it. But the prosecutors are
really... They're the monkey wrench. They really are. They don't like to lose. They don't like to give up. Once they've got somebody, they have tunnel vision. And once they've convicted somebody, he's guilty. He's convicted. Listen, I'm on the other side of the aisle. I'm on the prosecution side. And even I'm saying this. So imagine how bad it really must be. Like one or two more questions? No, let's cut it. Oh, come on. It's 15 minutes after lunch. God bless. Thank you.
I don't want people to miss out on lunch. You know, I did this like a speed freak. We missed so much stuff. All right, everyone. We have lunch in both the bar and the sponsor room, so get at her. The bar is also open now, and we have Blue Buck on special. So if you're thirsty, enjoy. Oh, it's just the best beer in the British Columbia. Well, it's called Blue. I hope it's not like what that's called, which is horrible.