The Internet of Shit Goes to Court - When Smart Devices Betray Their Owners

Video in TIB AV-Portal: The Internet of Shit Goes to Court - When Smart Devices Betray Their Owners

Formal Metadata

Title: The Internet of Shit Goes to Court - When Smart Devices Betray Their Owners
License: CC Attribution - ShareAlike 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.

Content Metadata

Subject Area
Can smart devices solve crimes - or is IoT the new CCTV? An all-female introduction to IoT privacy, security and the use of smart devices as evidence in criminal investigations.
law and the types that we
Frege's determine your innocence will you have brush prove you're guilty all will use
master uh where your smartphone contains data that you weren't even aware of in the first place. The technology is embedded into the fabric of society, on devices, networks and platforms, and generating massive amounts of data about each and every one of us. But we're not just talking about phones and laptops anymore. Ever more of our devices are connected to the internet 24/7, anything from fridges, toys, toasters or even and this is a smart guy consensus the
Internet of Shit is of course not a name we came up with; this is a hilarious Twitter account that collects the most of these are examples of attempts to put into that and
sensors on various devices. This is another
example of this is the smart my also an
example that is the all-time favorite example is the smart hairbrush, which, as you might not be aware, has not just built-in Wi-Fi and a motion sensor but also a microphone to measure and analyze the quality of your hair. The question we would like to ask is: do we really fully understand the consequences of the Internet of Things we're building,
it the implications for privacy and almost particularly when people gain access to our data and devices that weren't supposed to? But we're not just talking about hacking or interception. In this talk we want to zoom in and focus on one particular scenario: the case where devices and their data are used in criminal proceedings. Given the consequences whether
police when you have whenever you public criminal investigation the consequences are quite severe: you could be fined, you could get a criminal record, worst case you could lose your liberty, reputation and so on. Given the severity of these consequences, we need to ask ourselves: can and are our devices betraying us? The problem is, aside from a few headline-grabbing cases, the implications of the Internet of Shit going to court have received very little consideration. There's little information on the value of this evidence once the case proceeds, the role it played
if any at all to produce a guilty verdict, and the complex issues that arise when smart devices and their data are used as evidence. Another question is what does trust even mean when we have smart devices in rented accommodation is when we have not addressed in the workplace or even public space. In
this talk we would like to make a simple case: we argue that the desire to obtain data from smart devices and the tools that are used to extract them far outstrip the comprehension of the average person who uses these devices. We will present a few very well
known cases and discuss some of the fundamental areas that we think deserve further discussion: that is, the fundamental informational asymmetry about what kind of data is generated and collected in the first place, unequal access to that data, and finally the accuracy and reliability of data. And as we bring sensors into our bodies, into our homes and offices, with very little understanding and oftentimes very little access about what kinds of data these devices generate, collect,
process or share, in a way this could be the next level chilling effect: anything you ever do can and will be used against you. So how does the Internet of Shit end up in court? A widely
reported case involves the Amazon Echo. If you look
at the court documents you will see that the accused actually had a wide range of connected devices, including a smart meter, a Nest thermometer, a Honeywell alarm system, door monitoring, motion sensors and remains activated by things the weight is going effects on method. So what happened in this case?
In November 2015 a man in Arkansas had some friends over to his house to watch a football match. The next morning one friend was found dead in the hot tub in the back yard. Police charged the man with murder; he pleaded not guilty. As the police were investigating the crime scene, detectives learned that music had been streamed onto the back patio at the time of death, which could have been activated and controlled by the Echo. A preservation request was served on
Amazon and they retained the data. Two further search warrants were served by the
police, who believed that Amazon was in possession
of records related to the homicide. These were specifically audio recordings and transcriptions, text records and other related communications of the device the accused pain. They believe these long
servers and other computer hardware maintained by Amazon. They also sought a long list of what can be cast as subscriber information and billing records. A further search warrant was served, which Frédérique will touch on later, which was a set daunomycin but was directed at the device
itself. So, the Amazon Echo, and show how many of you are familiar, this is about a 9 inch voice-controlled
speaker with 7 microphones and beamforming technology to pick up sound from anywhere in a room, even when music is playing. The always-on Echo speaker makes recordings of audio that it hears from a fraction of a second before it hits the activation words, either Alexa Anderson and tailored judges the command the over. When it detects the wake word, the applet connects remotely to the Alexa Voice Service, Amazon's intelligent personal assistant, and transmits the audio to the Alexa Voice Service in the cloud to process and respond. Although no recordings are meant to be made at other times, the device is often activated by accident if it misinterprets a wake command. As was widely publicized in February this year, Amazon sought to quash the warrant, resisting the request for audio recordings and the transcripts. They argued that the user's speech and transcript were protected under the First Amendment. Given the privacy implications at stake, the warrant, Amazon argued, was not specific enough. Referring to the fear of government tracking and censoring one's reading, listening and viewing choices, a heightened showing of relevance and compelling need, as well as a sufficient nexus between the information and the subject of the criminal investigation, was required. As part of its submissions, Amazon claims no audio recording of the user's request is stored on the device. What had the potential to be a fascinating fiber so in the case however was short-lived when the defendant agreed to hand over the information retained from his Amazon Echo. We don't know, as far as I'm aware, what the police extracted, what data they have and how it's being used. However, what this case does raise is the importance of data on internet devices, of which the police seem very enlightening. that's a good another case: this is about
the fitness tracker Fitbit. A man is accused of killing his wife in massacres America. He told the police that a masked
assailant came into the couple's suburban home at 9 and after she being the gym
the husband was subdued using pressure points. His gun was then taken
by the assailant and his wife shot immediately after she walked into the house. However, the Fitbit tells a different
story. The data show the odometer, which tracks the wearer's steps, shows the victim moving around the house an hour after the husband said the murder took place. It also shows she traveled
1,200 feet after arriving home, contrary to the accused's story that she was murdered as soon as she walked in the door. It is not clear how the Fitbit data was obtained, whether by warrant, the company or the accused, but this case clearly was presented in the media as a seductive view of the magic of the Internet of Things in solving crimes. If you look at these cases, it is not a
surprise to see why law enforcement is interested in data from connected devices. In a way that the missus for trade of the fantasy that we're creating a
world in which not just speech becomes traceable but also our actions and movements. This in the background is an actual slide
from a Microsoft presentation on the connected officer, and this is sort of the world we're creating: you're surrounded by connected things. In fact,
the digital forensics chief of
Scotland Yard, Mark Stokes, argued in January this year that IoT will revolutionize criminal investigations. Police officers in the UK are trained to identify digital footprints, and the police are also developing a tool that would allow police to go into homes and automatically extract data from a variety of devices, so that the police don't have to take a fridge or other devices into custody. As a matter of a surprise,
also the NSA is interested in the Internet of Things, not just the toaster but also biomedical devices. If government
access to your pacemaker sounds futuristic, here is an actual example of the police using data from a suspect's pacemaker. A man in Ohio faces charges of aggravated arson
and insurance through the fire contain when I ask questions he said that he managed to grab a holiday stuff serve as
window follow-up 3 taken on the front lawn and that's how his prize possessions saying the police found a bit suspicious as well as the fact that as
gasoline on his play. They decided to seize the data from his cardiac device. A cardiologist found it
highly improbable that the accused would have
been able to collect, pack and remove a number of items, exit his window and carry numerous heavy items to the front of his house during the short time indicated. You think the
fact that police can access data from devices that we put in the intimacy of our home or even our bodies sounds privacy-invasive, and this is exactly how all
of these cases were reported by the media: headlines like your fridge just fine when you for uh 2nd a snitch. What is fascinating, though, is that all the cases mentioned so far, and those are the ones that are predominantly reported by the media, are ones where electronic evidence is used to charge somebody with a crime. The data from smart devices is used as evidence to become a for the case made by the prosecution. However, wouldn't it be interesting, for the sake of the argument, to think that this might actually be useful? Wouldn't it be amazing if you could use Internet of Things data to prove that the guilty are guilty and to free the innocent? The
we're creating a world of sense of this idea that the Internet of Things will have your back, that everything is traceable, that we're surrounded by impartial electronic witnesses from which each of us can benefit, actually has an unlikely historical precedent. This is the projects that
Steve Mann research and others conducted throughout the eighties and nineties and other devices that continuously track all of his behavior. So in a sense you could say that the father of wearables, how he's called, has made a device that could continuously create evidence: when he got into an argument he could go back in time and say, actually that's not what I said.
Steve Mann is also the person who coined the term sousveillance, which means surveillance from
below: the scenario where you're not just being surveilled from the top, but you yourself have devices that also record evidence that you can use whenever you're accused or whenever you need to defend yourself. yeah the 12 this paralogous tempting the I think it is important to notice that there is a decisive difference. The sensors we are surrounding ourselves with
uh another not not project in our research project at the afterlife fundamentally beyond our control. Our speech and behavior is being datafied by a commercial ecosystem in which we are often the product, not the customer. We are not always the owner of the data that we generate, and in the following we'd like to look at 3 problems that are a
consequence of this fundamentally commercial ecosystem: on the one hand informational asymmetry, unequal access, as well as accuracy and reliability of these data. So let's
go back to the Amazon Echo case. The way in which this case was reported was mostly about the very fact that the Amazon Echo is listening. You could say in a parody, some articles quoted a parody saying probably the murderer went to the Amazon Echo and said, Amazon or Alexa, how can I bury a body. This is of course not how this evidence is being used. The entire rationale behind the search warrant on the Amazon Echo is that any devices that are constantly on are constantly generating data. The Amazon Echo has 7 microphones; whenever the device is on, these devices are generating data. The idea is that it only gets recorded whenever you say the activation word. The case of the police was that in the midst of the action maybe potentially the Echo got turned on by accident. We think this in itself is problematic because it means that the devices you're surrounded with might or might not record whatever you're doing and that this evidence might or might not be used against you. However, there's a fascinating second dimension to this case, which is that there is a fundamental disagreement about what kind of data is stored where. If you look at the court document, this is from Amazon's request to quash the warrant, Amazon claims that there is no data on the device itself. In fact the police issued two search warrants: the first search warrant was for data that is on Amazon's servers, and since Amazon didn't comply with it, the police issued a second warrant to search the actual device that was already in the police's possession. his approach the police we have learned that the device is capable of storing data including voice recordings. Amazon thinks this is wrong
and says the police were able to extract the data, and in the footnote it says that would not have included any voice recordings from Alexa because such data is stored remotely. If you look at the
Amazon Echo itself, any connected smart devices are obviously not built to store
massive amounts of data. The entire idea behind smart intelligent devices is that the data is processed and stored remotely. However, we don't know what the police's rationale was, but it would be reasonable to assume that any device has sort of like a sliding window in which voice data is recorded and stored on the device, in the case of an Internet outage or other kinds of problems in the moment of transmission. So it's not really clear what kind of data is on the device, also because the device has no interface: it's connected to a smartphone, but you as a user can't access the data that's on the device. But regardless of what is actually there, we here have a murder investigation where a suspect is on trial, and he does not know whether or not his device stores data that may or may not incriminate him. This is the
second example that proves the point that there might be data on devices that we don't know about. A couple of years ago our colleague Richard Tynan was present when GCHQ, the British signals intelligence service, instructed journalists from the Guardian to destroy the
laptops that contained the Snowden documents. He gave a fascinating talk about this at the CCC
camp, if you want to look at it, but the point here is that everybody who was present in the
room was extremely surprised by how precise the GCHQ instructions were. The journalists were not just instructed to destroy the hard drive; they were instructed to destroy all sorts of part of the a metal in that case, which means that in the case of very sensitive information, it's, one,
extremely difficult to actually delete and destroy
data, and secondly data is stored all over the device at places that GCHQ knows about; however, the people who are actually owning and using the laptop don't know. So even at the level of the device there is an information asymmetry about what kinds of data are on the device. This continues to the level of the platform. This was in the
news recently, I assume many of you have those
The scandal was that Uber is collecting location data even after the app was deleted, which is worth repeating: you delete the app and the app is still recording location data, which means that it is stored somewhere and it can be subpoenaed potentially. But I think this informational asymmetry about the kinds of data that exist about us goes to a more abstract level as well, which is when you combine data, we get a picture of a self that is even more ourselves than
we are but then we know about ourselves. Every single one of us is creating a much more detailed data shadow of our thoughts, feelings and behavior than we are aware of. In a way your phone is, that's a quote somebody recently posted on Twitter, if you follow the history of everything you've ever done, everything you've ever searched for and everything you've ever said to anyone. Of course not true, but that's an exaggeration. So in a way your phone is more you than you are yourself, and technology is not just recording; technology is increasingly becoming a conversation partner. This here in the background: a couple of years ago AOL was hacked or
there was a leak of the search history of millions of users, and I encourage you to watch this fascinating documentary, which sort of like constructs a narrative from the search history of a single user who at some point searched I Love Alaska. So the bottom line is we don't know what data is
generated, collected, processed and stored about us, and I'd like to stress that this is not always malicious. There can be a discrepancy between the way a program or a product is specified to work and how it actually works in its implementation. We call this excessiveness of generation beyond our knowledge and control data exploitation. There is another important argument why the Internet of Things may not help us establish our innocence: we have
unequal access to the data that is collected about each and every one of us.
We already know there is unequal access to digital evidence, whether it is police body-worn
cameras, CCTV or on the are. Individuals non-lawyers can spend years arguing over disclosure and what they can or can't see in relation to evidence against them. Throw into this mix the Internet of Things and you're adding another layer of complexity, which will not only result in unequal access to the raw data but also to the ability to understand it and to interpret it. If the government can access a wide range of data on you from your own or
publicly placed Internet of Things devices, all those tiny bits indicate your political views, your sexual preferences, your health. Individually they may have little meaning, but pieced together they could turn into the living, breathing real you, into what we call your digital doppelgänger, without your
consent or control. Perhaps this could be used to determine whether you're guilty or not. And what happens when the doppelgänger is inaccurate, for example when your sentencing decisions are made on dodgy data? When
considering unequal access, let's recap on some of the examples about how and where smart devices connect to, store and process data: first, on the smart devices and sensors themselves; second, the hardware and software; and thirdly, for example, in the cloud. So, data on the device: as we've argued, the users of smart devices don't know what kinds of data these devices actually store. There's also the technical problem: the actual core data on devices is often in a proprietary format; you need some level of analysis to understand what it means. The next place where smart devices can leave traces is on the hardware and software that provides communication between smart devices and the external world. This is most probably on your
phone. Most smart devices are
connected throughout the entire and collect and process data. Amazon, for example, offers a cache of recordings that have been made by the device on your phone. One of the most reported cases about access to data on things was the Apple and FBI case in America. Following the San Bernardino shooting, Apple famously rejected the government's search warrant to build a new operating system that would allow the FBI access to it and it 2 unencrypted file. However, it's highly likely that in the vast majority of cases throughout the world the police are able to extract the data, and not just that:
they are able to extract data that we don't even know is there. Let's look at one of the tools they use. What we can see here is police agents using digital forensics services offered by companies like Cellebrite, the FBI's going to happens for mobile forensics. Cellebrite's forensics tools include the Universal Forensic Extraction Device, which is hardware bundled together with proprietary software that acquires, decodes and analyzes data from smartphones, tablets and portable GPS devices. What we perhaps don't know, or don't know enough about, is that tools like Cellebrite can collect data that the user does not know was on the device.
This can include deleted SMS messages as well as call histories and data collected by the phone apps. And then we got a training manual for Cellebrite technology that the Denver police provided to journalists in the US, which clearly shows the sophisticated tools can access to the data. And so unless the user buys these tools and knows how to use them, she has no way to access the
data on her device, but the police do.
This imbalance of power relating to our devices should concern the not a circuit data in the cloud May society days will be upgraded the clouds a amounts Amazon challenged the request for data and
services to services to bought the data was obtained from the defendant, so we don't know where the line is to be drawn; the battle is yet to come. However, it is likely that some of the companies do comply with these requests without resistance, and only a few companies produce transparency reports, such as Nest or Fitbit, but what about other manufacturers and companies? A further aspect is more data is provided to the individual: how easy is it for you to get your own data from the company or from the authorities? And finally let's have a think about quality. The final
aspect is the premise that your device to betray you, and this relates to the quality of all
data from IoT devices and involves issues around accuracy and authenticity and admissibility.
using evidence can be technically challenging and expensive we know for example the DNA the evidence was initially seen as proof but now it's value is highly contested and what about your fitness
tracker what my that say about your emotional states walking your smart appliance say about the number of people in a room that all requires interpretation but the familiar expression in the UK it just is is open for all just like the Ritz Hotel the rate is an extremely expensive and exclusive hotel in theory yes anyone can go in but in practice only if you have real access the same is true of the legal system when the poorest and most vulnerable in
our society charged with serious offences how are they to afford an expert they might be able to attain the raw
data but more users fast if any the prosecution can presented digital evidenced by the expert if that that was to the implications Will the defendant even understand if the data is wrong and will they know what's challenge let's have a think about the fit case what if the accused is telling the
truth would anyone believe him if he said that he sold the dog took the fit run around the house and his evidence was real without expert analysis
I sincerely doubt it. It's still early days CMU wait to see how evidence
from IoT devices is used, analyzed and perhaps found to be flawed or manipulated or unreliable. It's also fascinating to see that there are
tools coming out that make it insanely easy to fake data on IoT devices, such as this: a Photoshop for
audio sounds. If you can fabricate what somebody said and then this is being recorded by the device, should this be evidence or not? I would just
like to stress that we are not against technology, and technological innovation in the past has been used to, sort of like, to bring in, to re-examine existing cases, to uncover uh some
evidence that was lost, and to charge people or to free people who were unjustly charged with crimes. However, and this is important to notice, not all the in 8 cases uh
well actually cases where there was a lack of evidence. For example, sometimes evidence was missing, or police just simply fact of an investigation, or police failed to disclose certain evidence. Currently in Massachusetts and 21 thousand drug cases could be dismissed because a former police chemist falsified tests. The
2nd problem: in the UK a 24-year-old somehow served 7 years in prison following a flawed investigation that failed to follow basic lines of inquiry. What we're saying is that technology and
more data are not going to solve existing problems in the criminal justice system. Instead they will add an additional level of complexity, and they come with their own problems and challenges. It simply won't be the case that
we will be surrounded by technological witnesses that will have our back. The
idea that we're surrounded by objective, unemotional electronic witnesses that are freeing the innocent and incriminating the guilty is clearly an exaggeration. We believe that the study is fundamentally thought. However, all positions is nods that we should use technologies to help fight crime, but we need to understand the full consequences, including the limitations that these technologies have. We also don't think that we should cooperate with law enforcement, quite the opposite. However, in order to cooperate we need to know what kind of evidence
exists about us. You have a right to protect yourself from self-incrimination. If you don't know what kind of data might or might not be on a device, you might potentially incriminate yourself. The data on the device might be inaccurate or misleading and you wouldn't even know. So what we want is transparency around data. Right now data is being generated, collected, processed, analyzed the chance excessively and to an extent that we don't fully understand, and this is a serious problem. In this talk we addressed a very specific threat model: the case in which police want access to your data. This is of course one of the many scenarios where your data on your IoT device you don't know about from a trading. It is important to remember that we're generating even more data about this at a time when our technological infrastructure is fundamentally insecure. Just a few weeks ago the company FlexiSPY was hacked. Under the
pretext of offering legal spy tools to parents and employers, FlexiSPY has become a leading vendor of commercial surveillance tools. The company offers anything from call interception and SMS tracking to remotely activated microphones and location tracking. Could similar services emerge for IoT devices? Will IoT be a security nightmare or a signals intelligence bonanza? It is probably
both, and this has implications for its value as evidence, which we need to discuss before the pre race too far ahead. While the Internet of Things is
relatively new, this approach by the authorities is not a game changer but part of a gradual creep of new technology into our lives, society and legal systems. What is new, or at least not discussed enough, is that our devices and devices around us may be completely beyond our control. We have no guarantee or knowledge what devices are collecting and storing. We do not have total access to the data on our own devices and we can always delete sets. This may be seen as an advantage, for example in a criminal case in the US or Germany, but what if you're a gay activist in Uganda stopped at border control? The consequences for you, or for your activism, if they discover your sexuality are serious. We need to know what the authorities can access
on our devices. We need awareness
of smart devices in public places and what they connect with, all the data being collected by your authorities. We need to know that today using strong encryption. We need to think about privacy by design and product liability. And finally we need
to understand the limitations, the risks, the potential for electronic evidence being misleading or false. Thank you.
Thank you very much. I think there's some time for questions, so maybe we can have some light on the audience. I can see hands rising, and at the back there is a question. I'm coming to you.
OK, so thank you for your talk. I was wondering, when we're talking about different devices and maybe different manufacturers and other intermediaries the process book in the global power supply chain of these
products we can create governments and regulation domestically mean best practices globally but is forced the enforcement mechanisms in order to keep people
know to keep people secure and communications private during not songs kernel framework for 4 of best practices were the actual enforcement of how we can make sure the devices using will have
oversight and tools like classes In consumers is error of the best kind of governing a regulatory body in which you feel would best suited for emerging IoT space and national dimension to this question?
There's the burning question of the entire security of the ICT infrastructure, and there are several solutions that we're working on. One thing we think is important is product liability. Currently manufacturers are not liable the moment software to devise, and that is design has sort of like a strange incentive model. And another dimension is our right to access data on a device. There are mechanisms in, for example, European data protection law to get access to your data, but a lot of the time this stops the moment you approach the speed of the divide, and we think it would be quite interesting to test how far this goes. Yeah, we'll see on where I 1 now said we are practicing what we preach
in looking to find out what what data is in the wings and on the various things we we merely civilization to so basically so that it will be interesting that there is a
need for more research, sort of like to establish what kind of data is on rise, as well as legal proceedings where you find out: manufacturer, please tell me what is on the device. Yeah.
OK, are there any more questions? OK,
I see 2 hands. Good, I'm coming.
Hi, thank you for a presentation that was really interesting. Just one very short question: do you have any cases where around the Internet of Things devices were involved in press freedom or human rights related cases some up as a
sort of criminal investigations like the human rights and you remove rooted cases?
And I think that's something that our research is the that we produced an country-specific reports, we did take investigations in certain places, and if we beat people in human rights defenders in those countries you're raising laser issues then it would be a major cause. I'm not sure of any particular ones that these various things to do with the with mobile phone extraction which we had intended actually be day people having a Nest in their hair and whether to take the human rights abuses we haven't effort at maybe they don't have that have a rollout of each of them. And this sending on a lot of cases out get all of these cases is seed these cover crimes that happened in 2015. That was the time when all of these devices hit the mass consumer market, mostly in the last hour, and I think these cases might be coming up in the future.
There was another question here.
Do you think that
apart from data protection law there should be other mechanisms, provisions made, especially in criminal
procedure law so long to prevent some authorities from accessing the
data?
Yes, I think that in data protection auditing GDPR different visions they have around the world a going to be able to deal with these specific issues, which may be interpreted very different nationally depending on your legal system. And I think that he's been very specific laws anything the police the very specific guidance I think that is a very specific oversight, because we see the authorities push the boundaries. And if we're going back to say the GDPR, that's just not hiding that's going to be sufficient to clear and criminal investigations they have attention doesn't protect you. This is not applicable in the case where you have a search warrant from the police. But the question is: under which conditions can the police have a search warrant for your device, and when such a Y intersect acceptable and when is it not?
OK, I see another question and found out to it that's great, I'm coming.
Thank you for the interesting talk,
and with regards to transparency I was wondering what role do you see for open source software, open source software impeccable hardware in this respect? Of course, if you build it yourself you have a much larger control of what the connected device is doing.
So yes, I think is the fact that a lot of connected
devices are outsourcing the entire processing to servers. This is the entire privacy nightmare of the Internet of Things, that your data is flowing around the world, which means that when it comes down to this, people can subpoena the state and various places. Absolutely, in an open source product that's less of a problem. However, then you also still have security issues, right? And we focused on the police, yeah, but it's interesting to see in the FlexiSPY case the customers are not just regular creepy people wanna spinous both of the customers also, for example, banks. A lot of times we have investigations going on in companies where there's certain complaints and you have to investigate what actually happened, and this is sort of like the spectrum of legal proceedings that we were talking about in
Thank you for your talk, first of all. You mentioned quite a few times the GDPR. I don't know if all of you know what it is: the European data protection law which comes into force in May 2018, and this law contains a lot of the transparency the through you just asked for, like that they need to be clear which data someone is collecting, where is it stored, to whom is given and so on. And so I don't know how deep you're into that law, but if your 8 bit
do you think this will have an impact? Because if companies do not comply with these laws they will be fined with millions and millions of light years. So do you think there might be an impact, or is it just that you say, well, I don't know because I don't know enough about that?
Without putting an on we have an expert in the audience on the GDPR.
So thank you. All these cases are from the US, and it is interesting to
see how these things pan out in the legal system that does protect privacy but according to very different logic. If you have a system where you need no legal grounds for processing, and the processing addition doesn't have to be also fair, not excessive, you have a scenario where data is extremely key. That is the US case. Data is being shared, sold, in a way that is fundamentally different from the way that it is happening in the European Union. It is also a different criminal justice system, so the comparison is sort of difficult to make. But in the US case you see that, like, insurances, whenever you have a criminal proceedings, insurances can subpoena data from all sorts of places. The thing that Internet of Things security if it is not just about this is addressed also in the Privacy Directive, and there are lots of important changes that are happening, but I think the particular case where the police has the warrants, that's a different scenario.
And if you want to get
something like the GDPR in the US, would you from your own perspective say, oh yeah, that would
halt all possible which each is from your perspective say only got no all the transparency roots and so on?
Our organizational position is that data protection is important and data protection law is very important, because it regulates the processing of data, how it can be obtained and how it can be shared. So in that sense it limits the entire excessiveness to a certain extent. But I think 1 the interesting thing to do but if you look and see how far companies again a compliance just to get some of their seminars and conferences that a lot of lawyers that represent these companies putting on a beach if you're in London and very much about how to cite the minimum with GDPR if you wanna really make any sense at Apple they get it that's a good tip.
Any more questions? We still have another 5 minutes or so. OK, I'm seeing one.
Hi, I wonder what you buy an on or do you have fitness of are most to use that that tools are you
afraid of what tools presently?
I've got they I've got a mass but I do my intentions are to be at the since the subject access requests in practice if I they express system but if I have idea people you use speech people privacy exemptions they only terrified of everything you do your and add again that the kind of basement who took about was the threat model but I did the GCHQ 2 half my fave I am worried about other surveillance measures there. I think it's good to be wary devices. I think we need to challenge the companies read at proceeds afterward said encourage people to, for example, do subject access across. It's great when we people that people challenging for example verb finding out what data that we can't do is up to people who buy these devices and to challenge them. Obviously there are a lot of people out there but it's family member is your grandparents you have no idea and about the data collection even if you bring application the financial can say and I would say I trust them and maybe I punditry emissions in and the number is actually quite a lot about that. Nest has a transparency report. It will be interesting to see more transparency reports for more manufacturers of smart devices, to see what kind, how many
warrants they get and how many requests from law enforcement they comply with. the containing more questions the man who thing even at the United the thoughtful and yet these don't round of applause to uh and uh there's
also a lot of people around the world and this