Presented at DEF CON 18 (2010), July 30, 2010, noon (50 minutes).
Your Internet, phone and web application providers are all, for the most part, in bed with the government. They all routinely disclose their customers' communications and other private data to law enforcement and intelligence agencies. Worse, firms like Google and Microsoft specifically log data in order to assist the government, while AT&T and Verizon are paid $1.8 million per year in order to provide real time access to customer communications records to the FBI. How many government requests does your ISP get for its customers' communications each year? How many do they comply with? How many do they fight? How much do they charge for the surveillance assistance they provide? Who knows. Most companies have a strict policy of not discussing such topics.
You might assume that the law gives companies very little wiggle room - when they are required to provide data, they must do so. This is true. However, companies have a huge amount of flexibility in the way they design their networks, in the amount of data they retain by default, the emergency circumstances in which they share data without a court order, and the degree to which they fight unreasonable requests.
The differences in the privacy practices of the major players in the telecommunications and Internet applications market are significant: Some firms retain identifying data for years, while others retain no data at all; some voluntarily provide the government access to user data - Verizon even argued in court that it has a 1st amendment right to give the NSA access to calling records, while other companies refuse to voluntarily disclose data without a court order; some companies charge the government when it requests user data, while others disclose it for free. For an individual later investigated by the government, the data retention practices adopted by their phone company or email provider can significantly impact their freedom.
Unfortunately, although many companies claim to care about end-user privacy, and some even that they compete on their privacy features, none seem to be willing to compete on the extent to which they assist or resist the government in its surveillance activities. Because information about each firm's practices is not publicly known, consumers cannot vote with their dollars, and pick service providers that best protect their privacy.
This talk will pierce the veil of secrecy surrounding these practices. Based upon a combination of Freedom of Information Act requests, off the record conversations with industry lawyers, and investigative journalism, the practices of many of these firms will be revealed.
Presenters:
- Christopher Soghoian, Security & Privacy Researcher
Christopher Soghoian is a Ph.D. Candidate in the School of Informatics and Computing at Indiana University. His research is focused on the intersection of applied computer security, privacy, law and policy. His work has resulted in the successful passage of an amendment to Indiana's data breach laws, a congressional investigation of web security flaws at the Transportation Security Administration as well as several media firestorms.