Is our online future worth sacrificing our privacy and security?
Formal Metadata
Part Number | 2
Number of Parts | 177
License | CC Attribution - ShareAlike 3.0 Germany: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this
Identifiers | 10.5446/31907 (DOI)
Production Place | Berlin
Transcript: English (auto-generated)
00:24
Thank you, and good morning everybody. My name is Mikko Hyppönen, and I am older than the internet. And this is actually true. I was thinking about this two weeks ago when I was traveling in California
00:42
and I was visiting this building. This is the William Gates building at the campus of the University of Stanford. And in the lobby of the William Gates building there is this sign about the birth of the internet. The early days, the design of these early protocols, TCP/IP, UDP, which then later became the internet.
01:11
And I actually went looking online for the first dates. And it turns out that the first packet sent in ARPANET was in 1969.
01:20
In October 1969, and I'm born in 1969. Turns out I was born two weeks before the first packet was sent online. Oh yeah, thank you. 1969, what a great year. We went to the moon, we invented the internet, and I was born. So yeah, not bad.
01:41
However, the internet of course didn't really take off in 1969. It took quite a while until it finally became commonplace. In fact, it took another great innovation, which this time was done in Europe. And that innovation was the web. Here's actually a photo of the famous NeXTcube server that Sir Tim Berners-Lee
02:05
was using to write the HTML and HTTP specification, and was using to run the very first web server on the planet. And I actually find it interesting that it was done on a NeXTcube. Because NeXTcube is the computer which was designed by Steve Jobs,
02:21
while he wasn't working at Apple. So Steve Jobs also had his role in the creation of the web. Now the web really became commonplace pretty much exactly 20 years ago. If you think back, the first time you went to the web, the first time you opened up a web browser and visited a website,
02:42
that was most likely 20 years ago. And you were using a browser like this. And I was setting up the first website that I was involved with in April 1994. In fact, the website I set up is right here.
03:01
That's what web used to look like for those of you who weren't around in 1994. That's the first website I built. It's for a company called Data Fellows, which later renamed itself to F-Secure, which is where I still work today. And in April 1994, there were very, very few websites around.
03:21
Just a handful. Typically universities had websites, and that's pretty much it. Very few companies had a website. But I remember discussing this with my colleagues, that this web thing is going to become big. This web is going to change things. It's so easy to use.
03:41
Of course, we had been using the internet. We, the geeks, had been using the internet already for years. For email, for FTP file transmissions, for Gopher. But then the web came around. And you could just click and point. You had pictures. And you could just get data. I mean, it's going to become something that people will be using.
04:02
And we had this discussion about content. And if indeed the web is going to become big, we will be needing a lot of content online. Content like, you know, entertainment. Maybe news. Maybe one day there will be magazines online. And newspapers will publish news online.
04:21
And there will be even videos. Maybe even movies online. That's what we were discussing in 1994. But then we had a problem, which is that, you know, if we're going to have all this content online, how are people going to pay for it? Like, if we want to have all this content, somebody has to pay for the content.
04:40
It can't be online for free. So how will these payment systems work online? And we had no idea, of course. But we were sort of assuming that it's going to be most likely something like, you know, that these browsers will have a button, you know, through which you would pay for the content that you're using. That all the browsers would implement some kind of a built-in payment system.
05:04
And you could just click a button to read a piece of news. Of course, it would be very cheap. Otherwise, you wouldn't pay for it. But let's say you pay two cents to read this editorial in New York Times. Or I pay half a cent to read today's Dilbert cartoon. That's what we were assuming.
05:22
And oh boy, we were wrong. Twenty years later, we still don't have that. Twenty years later, there's still no way for you to easily pay for content as you consume content online. Which, frankly, is quite surprising.
05:41
Instead, there's been this totally different model that has come up for paying for content. Which is profiling the users. Creating profiles of the end users as they use different services. And then selling those profiles to advertisers. And that has become the number one mechanism of paying for content.
06:03
And it didn't have to be like that. It could have worked another way. But it didn't. We ended up to this scenario where we are today in 2015. And I do still have hope that maybe this will change. Maybe we will be seeing alternative systems.
06:23
That's why I like virtual currencies like bitcoins and altcoins. They maybe one day will provide us with an easy way for making microscopic payments for content easily and directly from within our browsers. But obviously, we're not there yet. And there has been some attempts to do this.
06:41
For example, Flattr, created by Peter Sunde and his friends. Peter is actually speaking here at re:publica tomorrow. That's an easy way to pay for content. But it's still not built into our systems. And it still has a very, very small part of users actually using this. Quite interestingly, I actually noticed two months ago
07:00
that Google is prototyping something around this. They call it the Google Contributor, where people could actually pay money for goods and products they use online and for the content that they consume, like news. Unfortunately, Contributor isn't still open. It's still invite only. So, I actually don't know how it works.
07:23
But indeed, Google, Google which has built their business model around privacy. And Google is a great company. They have great products, great services. I think everybody loves their services. They're excellent. But I suppose many people wish they could pay for those services in some other way than with our privacy.
07:45
And don't get me wrong. Google does great work in security and in privacy. However, the work they do around privacy is focused on protecting the user's data and the user's privacy against anyone else except Google themselves.
08:02
Because it's their business model to see what we do. That's what they sell. That's where Google makes all of their money from. And the money that's floating around in this business is massive. I was looking at Google's latest financial reports.
08:20
And it's astonishing just looking at things like their data centers. Like how much money does Google invest into their data centers, which they have around the world. Well, it turns out Google invests more than $2 billion every quarter in their data centers.
08:40
Over $2,000 million four times a year. There's no other company which would invest this much money into their data centers. In fact, Google turns out to be the fourth largest server manufacturer in the world. And Google doesn't even sell servers. They build so many servers to be put into their data centers
09:01
that they're actually the fourth largest manufacturer, which is just astonishing. So obviously when a company invests this much money into their operations and they're giving away the product for free, nobody pays for Google search or Gmail or YouTube or Google Maps, well, of course you would think that a company like this would be going bankrupt.
09:23
But they're not going bankrupt. They're making $12 billion in profit every year. Well, that's what they did last year. And if there's a billion Google users, that means every single Google user made them $12 of profit with their data, with their information.
09:43
Frankly, I would much rather pay in money. In fact, I'd pay twice that. I'd be happy to pay 20 euros a month, 30 euros a month for the services if they then wouldn't be collecting my data. But we have no such option.
10:00
One thing that I've learned about these goods and services is that it really is eye-opening to look at them not as the user, but as the customer of these systems. And this all has to do with the fact that these companies aren't breaking any laws. Google, Facebook, Twitter, when they collect our data, it's perfectly legal.
10:21
It's perfectly legal because we allow them to. Because, as you know, the biggest lie on the Internet is that I have read and I agree to the license agreement, because we never read these things. Of course we don't. I mean, who would want to read 30 pages of legalese? We know this. We've even tested this.
10:41
We did this Wi-Fi experiment in London last year where we set up a Wi-Fi hotspot. We've got free Internet access over our Wi-Fi. Unfortunately, our license conditions included this thing where you had to give your firstborn child to us. And you know what? Everybody clicked okay.
11:01
Now, of course, we didn't go and pick up the kids, but you know, it's clear that there's nothing here that people actually read. I was also told by a friend of mine who was actually German, who lives here in Germany, that he was doing his tax filings online. And the official form that he was filling in with his tax returns,
11:23
at the very end, he had to accept the terms and conditions. And this Web page actually asked him that, you know, do you want to read the terms and conditions before you agree that you have read the terms and conditions? And the default was no.
11:44
But that's how bad it is. This is quite sad, actually. So a good way of looking at these free products and services is by going to these services not as a regular user, but as a customer.
12:00
And of course, a customer here means an advertiser. For example, I've gone to Facebook and, you know, buy ads, and then just see how well you can target a single ad. And it's really eye-opening when you can, like, say, like, okay, location, this city in this country, I want to target females who are between 35 to 40 years old
12:23
who are interested in these and these things. And Facebook will actually tell you that, okay, there's 2011 people like that, and we will show your ad to those 2011 people. So it really opens your eyes how well they can target these. But I was still quite surprised when I went looking at Twitter.
12:43
Because on Twitter, you don't actually buy ads. You actually promote a tweet. So you pay money to Twitter, and Twitter will then show your tweet to persons who otherwise would not have seen your tweet. So they have an interface for this. They call them promoted tweets. You run campaigns, and you can target, you know, by gender,
13:01
or by location, or by which device they're using. And this isn't actually surprising. Of course, Twitter knows quite a bit about the users based on their tweets and who they follow and what kind of devices they use and where they are. So it's not surprising that they would know, for example, that somebody's interested in cars. If somebody, you know, tweets about cars, follows car companies,
13:20
or maybe racing teams, of course they're interested in that. However, it gets a little bit more surprising when you look at this behavior targeting. Because then you can, for example, target people who are interested in bakery or beverages or cereal. And you can actually look at people or show your tweet to people who are buying Rice Krispies or Galox Special K,
13:45
or maybe, I don't know, Frosties. So how the hell does Twitter know who's eating which kind of cereals? But they do. And you can actually see the numbers here. They actually mention that they have 1.6 million people who eat Kellogg's Raisin Bran and 1.65 million people who eat, you know,
14:01
Honey Bunches, which is weird. Or you can target based on what kind of alcohol people buy. Are you into vodka or maybe beer or maybe wine? Or you can target based on your income, like how much money are you making? And they once again show the amount of people in each income bracket. Or look at your life events, including how many kids you have.
14:26
Are you expecting a new child in your family in the next six months? Twitter knows if you're expecting a new child into your family in the next six months. And you can, as a Twitter customer, as an advertiser,
14:43
you can use this to target your ads accordingly. So this indeed poses the question, how the hell do they know? So it's quite clear that this information is no longer coming from the tweets or from who I'm following on Twitter.
15:01
And it turns out that this information is actually being bought by Twitter and it's being bought from large data warehousing companies, from companies that you've never heard of. Companies like CPG or Acxiom or Datalogix. And they collect this information not from the Twitter sphere at all. They collect it from the real world.
15:22
They buy this information from real world shops, from credit card companies, and from frequent buyer clubs. They collect this into databases and then they sell this information to companies like Twitter. And then Twitter takes that information from the real world and it connects it with your Twitter account.
15:41
So how do they do this connection? How do they know who are you? Well, it's based on your phone number. Because when you register for Twitter, you will be giving in your mobile phone number and that's the key to the databases which are collected from the real world. That's the reason why they're asking for your phone number. That's the reason how they can connect your real world persona
16:04
with your online persona. So they know that this guy who's mostly tweeting about football and is mostly following supermodels on Twitter is actually this guy who's eating Rice Krispies and buys quite a lot of vodka and is expecting a kid in the next six months.
16:24
That's how they know. And by the way, it probably also explains a little bit about this deal between Facebook and WhatsApp. As we all remember, Facebook paid a historically large amount of money for WhatsApp. They paid $22 billion for WhatsApp.
16:43
What did they actually buy? Well, they bought the mobile phone numbers of hundreds of millions of Facebook users, which makes it easier to do exactly what we just saw. And this is, as far as we can tell, completely legal.
17:01
These companies are not criminals. Quite the contrary. They are businesses who are in it to make a profit. And we allow this to happen because we always click yes. Yes, I agree. Yes, I have read the terms and conditions. Yes, I think this is a great idea. You probably think differently if you would really understand what's happening here.
17:24
And it is sad to think that the world's top scientists are working in companies like Google and Facebook and Twitter and all the other companies who produce free goods and services for us. Because what they really are doing is that they're putting all their expertise
17:43
into pushing ads and figuring out how to better profile the users and how to better deliver us users to their real customers, the advertisers. And that, I think, is quite sad. But that's where we are.
18:01
And if you really want to be able to take the free and open Internet that we all received during our lifetimes, because the Internet is new. It wasn't there for the last generation. We're the first generation which is living its lives online. If you really want to be able to keep it free and open also for our children, we really only have two problems to solve.
18:22
The problem of privacy, right here. And then the problem of security. And privacy is mostly being eroded by companies like this. Our security is mostly being eroded by criminals. Criminal gangs who write malware with ransom Trojans and banking Trojans
18:43
and who want to steal our money with criminal attacks. But it's also being eroded by governments. Governments which are interested in breaching our security for surveillance purposes as well as intelligence gathering purposes.
19:02
And the biggest surprise of my 24-year career in computer security has been the fact that suddenly we are facing attacks coming from governments themselves. This would have been science fiction 15 years ago. Nobody would have believed that. But eventually, you know, governments, militaries, intelligence agencies
19:21
are writing malware, backdoors and Trojans and actually deploying them against other countries, using them for intelligence gathering, using them for spying, one day using them to wage war. This is going to happen. So governmental activity has been surprisingly quick to take on.
19:46
We saw the very first governmental attacks a little over 10 years ago. The very first ones were all coming from China. But quite quickly other countries started following. So we have seen almost certainly confirmed cases
20:02
that have been coming from Russia, China, the United States, North Korea, Iran, India, Pakistan. Even the government of Germany has used malware. Here it's mostly being used by law enforcement to infect computers of German citizens
20:21
while they have been investigated for criminal activity. But nevertheless, that is governments infecting their own citizens with governmental malware. Just over the last year, we've seen a range of malware, for example, from the Russian government. What's interesting here is that the so-called Dukes families,
20:44
which we believe are coming from the Russian government, have been especially active in Ukraine. Which makes perfect sense. In the middle of this real-world crisis between Russia and Ukraine, of course, the Russian government is interested in spying against Ukrainian targets,
21:01
including Ukrainian government, Ukrainian military, and Ukrainian military contractors. However, some of the Duke members, especially CozyDuke, which is the latest of these that we have analyzed, has also been used to target other kinds of targets. CozyDuke is the malware which was found from the systems of the White House.
21:26
So the Russian government, directly or indirectly, is trying to breach the security of the White House, to gain access to their computers. I actually looked around a little bit about the computer systems of the White House, just based on open source information,
21:41
like photos of computers that Obama is using, and he's using Windows 7. That's a Dell laptop right there. So it's not that hard to target a system if you know how they work, if you know where the information is. Let me give you another example, this time from China.
22:01
Medre is a Chinese governmental malware, or we believe governmental malware, which is written in an unusual language, because this malware is written in Lisp. And we never see malware written in Lisp. Nobody writes viruses in Lisp, but this one is written in Lisp. And the reason why it's in Lisp,
22:22
is that Lisp is the macro language used inside AutoCAD engineering programs. And AutoCAD is the de facto standard program all over the world, that engineering houses use to make drawings of constructions, and buildings, and bridges, or even devices, or even electronics.
22:42
And Medre infects these drawings. And then when these engineers give their drawings to their customers, or exchange them with other engineering houses, the malware replicates into new systems. And in addition of replicating, it takes copies of these engineering drawings,
23:01
and sends them to mainland China. So this is intellectual theft at a global scale. There are tens of thousands of infected engineering houses right now, which are, without understanding it, leaking their private documents to a foreign government.
23:23
This is what we're talking about. Now if you want to be able to solve these problems, we need security. But one problem we have is that all the major security products around the world are coming from one of the countries that are involved in these attacks.
23:43
Of course, USA is the biggest producer of security software, and we know that the US government is involved in governmental malware writing. There are several Russian antivirus products, and of course Russia is involved as well. There are lots of Chinese products. And that's why I personally like working for a Finnish company, because I don't think anybody is really worried about
24:01
Finnish governmental malware infecting their systems. So I like to be in a position where we are a neutral company coming from a neutral country. We're not Russia, we're not China, we're not Americans, we're not even in NATO. And it's also interesting to note that Finland is one of the least
24:22
corrupted countries in the world, which is especially surprising when you realize that we have 1,500 kilometers of border with the Russians, which is one of the most corrupted countries in the world. So I don't actually know what happens when you cross the border, but something clearly happens. And we just got the latest statistics from the Reporters Without Borders
24:46
three days ago with the index of the press freedom around the world. Freedom is important to us in Finland. We are number one in press freedom. We believe in neutrality. And that's why I believe that the solutions for the problems
25:03
that are involved with governmental malware writing will be coming from neutral countries who will be able to provide solutions which are seen as neutral and independent. And I do believe that to solve the two problems we have, to solve the problem of privacy and to solve the problem of security,
25:23
we are in such a bad place right now that we might actually fail in doing that. In fact, I believe that we've only seen the very beginning of these problems, and it's likely to get worse before it gets better.
25:43
But what gives me hope? What gives me hope are events like these and people like you, people who care, people who think about privacy, people who are willing to stand up and do something.
26:02
Thank you for coming. Thank you very much.