CRYPTO AND PRIVACY VILLAGE - “Probably”: an Irreverent Overview of the GDPR

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Up next is “Probably”: an Irreverent Overview of the GDPR by Brendan O'Connor. Give it up, have a great time.

Whitney Merrill tweeted out in early June, just before the CFP closed: you know what I really want? I really want somebody to submit a history of the GDPR, totally throw memes. And I'm lucky: at work I work in security, but I don't have to do GDPR in day-to-day work. I do do a lot of GDPR, but the overall responsibility isn't mine, which means I'm less burned-out and bitter than, say, most of your lawyers. But Whitney said she wanted this, and I'm like, I immediately volunteer as tribute. The intent of this talk is to be content-full but not to let content get in the way of having a good time. Audience participation is mandatory. I need all of you to volunteer to laugh at at least 3% of the jokes. You can all choose your own 3%; don't all choose the same one. If you don't, we're gonna have a very sad time. If it helps, please feel free to have a drink; it is five o'clock on the East Coast.

We're gonna cover in this presentation why the GDPR exists, why some people are freaked out about it, why to be concerned and/or unconcerned, and whether kittens or puppies make the better reference animal for GDPR compliance memes. Three takeaways from this talk. First, the GDPR establishes a new overarching umbrella privacy law that protects personal information from exploitation without your effective and affirmative consent, and it has no holes, except for the holes that occasionally let it tail out. Secondly, the GDPR is rooted in an understanding that human rights, including privacy, are centered around actually being a human being, which is an issue we've had in the United States recently; they're not negotiable based on who has the data, again unlike the United States; and they cannot be waived in a way that prevents you from unwaiving them in the future. Finally, the GDPR provides a valuable opportunity for businesses, both in the European Union and here in the United States, to clean up their acts, to fix insane levels of technical debt, and to prove to their customers that they're worth doing business with. Ignoring the GDPR is not an option, and US businesses who do so will be punished severely. And as I stated in my abstract: relax, it's all going to be fine, probably. Just remember not to put the fidget spinner in your mouth. This is an actual government agency. This is real. I don't know why this is real, but this is 2018, so I guess that's why.

So hi, I'm Brendan O'Connor. Depending on who you ask, I'm either a shitty hacker, a really shitty lawyer, or a worthless person who doesn't do real security (thank you, red teamers), or just the guy who wears black t-shirts every single day at the office. My favorite description of my job by a former coworker was: he's not the lawyer we need, he's the lawyer we deserved, which I thought was super cool until I realized he did not mean that as a compliment. My day job in the past has been as a security and privacy consultant, but these days I'm in-house. Oh, speaking of that, a note: none of the following is me speaking on behalf of my employer, nor is it representative of the extremely serious approach we have at [insert name of employer] to protecting the privacy and security rights of all of our users. As a side note, we're currently hiring a metric ton of web developers, dev managers and PMs, so if that sounds like something you'd like to do, if you'd like to work in a fun, dynamic web company that is growing like gangbusters in Seattle, come talk to me after the talk. Also a disclaimer: I am a lawyer, I am NOT your lawyer, I am also not a European lawyer, and none of the following is legal advice. It may not even be a good idea, let alone right. If you go to Vegas and do shots and then sit in the conference facility and get legal advice, you clearly have more fun lawyers than me and you deserve exactly the advice you get. Finally, a content warning: the following talk may contain references to international law, intemperate language, and an implication that at least the president of one country sucks a whole lot.

So let's talk about the prologue to the GDPR: harbors of safety and/or evil. I want to start by taking you back to the beginning of time. Unfortunately, the last time I, as a computer science major, took a history class was 1999, so there are slight gaps in my knowledge of Europe. There used to be two great powers in the world. First there is the United States, defender of freedom and bastion of democracy. There was also the Soviet Union, builder of curtains made of iron. I don't quite understand why their curtains were made of iron; I don't know if they didn't like tulle or what the hell the deal was, but it was a different time in the 80s. So then a Republican went to Germany and yelled at a wall, and apparently that just solved everything, which is super cool. The wall was torn down, the Soviet Union collapsed and embraced capitalism and election tampering, just like the United States has always done. So we won. America is awesome, freedom wins the day, right? The story is over, our laws are the laws all over, and we never have to worry about anyone again. Unfortunately, out of the shadow of the Soviet Union another union began to take shape, one in which each year countries would come together and have a dance party, and I don't know why, and if you've watched Eurovision you know that it is completely inexplicable. The singing part was fine, but they also in the European Union got this weird idea that they could have their own thoughts about what their rights should be. So even though we wrote half their constitutions for them, too, like maybe, maybe having a constitution written by the Rockefellers is weird and we shouldn't do that. They wanted to have their own laws that embrace fancy European concepts like human rights or privacy. The United States, of course, only embraced privacy as part of a penumbra, and a penumbra is a very fancy legal term, it's like a lot of legal Latin, and in this case penumbra of privacy means lol, no privacy for you, according to the US Supreme Court.

Fast forward to 1995 (I said this was a somewhat gap-filled history of Europe), when Europe created a law, sort of, called the Data Protection Directive. Now it's a law, sort of, because Europe does some things that are laws and they do some things that are kind of like extremely stringent guidelines written by the Germans. This is one of the latter, so it's technically not a law. The Data Protection Directive is a directive by the European Council, which is the heads of state of Europe, to all of the Member States of Europe saying: you will write a law with the following clauses in it. I don't know why they do that; it's boring European internal politics. But TL;DR, there's this thing which everyone refers to called the Data Protection Directive that's kind of like a law, but it's a law to make a law. It's like a Java factory factory factory. So this is weird to Americans. Still, admittedly, we do this weirdly for drunk driving laws: we don't say you have to have a drunk driving law at this level, we just say we're gonna take away all of your highway funding until your drunk driving law drops to this level. So that's the only way we do it in the United States; other than that, we just have laws. But the gist of it was this: we're gonna have some rules around data privacy for Europeans, and if you have data on Europeans, you have to follow European laws, including human rights laws like the right to privacy. Critically, if you take data out of the European Union, for instance if you send it to the cloud, you have to handle it according to European laws anyway. And some countries like Canada were determined to have laws with protections equivalent to EU laws, because I definitely think that reliable Canadian privacy laws are a good thing, so you can send European data to Canada under this Data Protection Directive, no problem. But for other countries the EU sets up new treaties called Safe Harbor, and it's funny, because you'd think that because the treaty is concluded in English, both sides of the Atlantic would spell it the same way, but seriously, never. They never one time agreed, for the 23 years this law existed, on how to spell Safe Harbor on either side; both sides always fought with each other. It was kind of weird.

And then in the United States, Safe Harbor was very simple. It let companies self-certify that they absolutely promised they would uphold EU laws. It requires an annual self-certification that takes about three minutes; you just say I solemnly swear I'm up to no good and then you're done. Unfortunately, there's a reason IOActive is on this slide. The Federal Trade Commission a couple years ago had to sue IOActive, because IOActive had been lying for years about having actually filled out the one-page form to do this, and it was just embarrassing. You know the FTC's critical enforcement methodology, how they figured this out? They did a Google reverse image search on the Safe Harbor logo, and then got a list of companies, and then they just sued all the ones that were lying. So, good security, IOActive, I really trust you on your compliance metrics. The other problem with Safe Harbor: it turns out that there's some secret government agency, I think it was NASA or something close to that, that was using Safe Harbor certified companies to spy on the whole world. So then an angry young Austrian came up with a plan to bend Europe to his will. Wait, not that angry young Austrian, a different angry... this angry young Austrian is not the one you're all thinking of. His name is Max Schrems. He was an Austrian law student when he decided to go have a beer in Ireland and sue Facebook. Close: what he actually did is he went, he had a beer in Ireland, and then sued the Irish Data Protection Commissioner, because remember how all those Member States had to have their own laws? That meant that you didn't ask Europe to fix something, you'd ask whatever country was holding the data, and as everybody knows, all the cool American companies have data centers in Ireland. And so Max Schrems was like, hey, so Facebook is habitually lying to us about Safe Harbor, maybe y'all should do something about that. Ireland is like, 40% of our GDP is basically dank memes at this point, so I think we should probably not do that. And he said, yeah, that's not on the list of options. Like, I realize this is Ireland, but even here, like, it's not like optional to have laws. So Ireland is like, cool story, we're not going to decide this. So Ireland never actually ruled on this; they just kicked it up to the European Court of Justice, which promptly blew up Safe Harbor in this like hundred-page opinion that could be summarized as: yeah, fuck the NSA. The judge ruled that Facebook was obviously in league with the NSA, that was obviously therefore lying on Safe Harbor, and that therefore the United States was negotiating in bad faith as a matter of international law, and therefore Safe Harbor was worthless, the treaty is invalid and could not continue. Neato. That was totally fine. That was 2015, at which point every US company said simultaneously: oh shit. Now what happens? Well, this thing happened: it's the interregnum period, it's called Privacy Shield, after the fall of Safe Harbor. The United... yeah, yeah, no, this is like, this is not even a joke. This is the actual logo off the State Department's website, and it's just like, it describes it perfectly, right? It practically describes the sanity, composition and coherence of the program itself.

Under Privacy Shield, now stop me if you've heard this one before, United States businesses fill in an annual self-certification by which they promise to respect European laws, right? And it's like, it's straight up, the pitch was: we won't fuck you again. And Germany just straight-up went apeshit. So Germany is slightly weird; like, besides the whole being German thing, they're weird in that instead of having one information privacy commissioner for Germany they have one for each German Land, which is the rough equivalent of a state. So 27 Germans went to the European Council and said, oh, we're not doing this shit again. And then there was a whole fight, and the fight is important and it's interesting, and there's details around how Privacy Shield works, and none of this is relevant, because the European Court of Justice is about to invalidate Privacy Shield, because Facebook. So like, we could go into this, but straight up, unless you already know about Privacy Shield and its implications, it's no longer worth your time to learn about Privacy Shield and its implications. Let's just move straight on.

While I'm pointing out the dumb shit the United States is doing, which is our thing, as you can see, you can get in a drunken fight with a buffalo in Yellowstone National Park. I grew up near Yellowstone National Park; this is not an uncommon story. So I'd be remiss if, among other stupid shit we do, I didn't mention US v. Microsoft. Now the older nerds in the room are going, I remember this one, Billy G had to testify. This is not that case. So the new US v. Microsoft was where the Federal Bureau of Investigation, you know, the feds we all like to spot, tried to obtain data held by Microsoft in Europe while violating European law, because I guess America, freedom, Brawndo, eagles. The European Commission straight-up said if Microsoft turns over this data in violation of our law, we're banning Microsoft from Europe. Like, we're not even gonna have Windows anymore; all windows are gonna be papered over. It's not even... okay, you can no longer see out of buildings. And the FBI said, well, terrorism, and it turned out the FBI lied. Who knew, right? This was a drug case; this was related to a Silk Road drug case. We know what they were trying to subpoena, and yes, the FBI lied, I'm so amazed. The FBI said straight up, we're gonna hold Satya Nadella in contempt, and I don't think he's gonna do well in jail. And the entire thing was fought to the US Supreme Court as a full-court press to overturn the concept of separate countries having equal sovereignty, and that's important under international law, because the way that we came up with this was because we were tired of the Thirty Years' War and the Eighty Years' War simultaneously raging over Europe for, you know, I mean, you know, for thirty years of that anyway. And so the way that we fixed this was we said, okay, within your country the king is the king; outside the king's country the king is just some dude with a fancy hat. This is called the Peace of Westphalia, 1548, and like, if we're gonna restart the Peace of Westphalia, I for one am on Team Habsburg, because I think, like, being able to be the Holy Roman Emperor would be kind of cool. And so straight up, yeah, it's like, yeah, international law is bullshit, 'cause 'Murica. So this case was originally called the name that rolls right off the tongue, In re a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corporation, because calling it A Warrant to Fuck the Irish was apparently not on the list of Supreme Court dockets, and what followed with the US Supreme Court was called US v. Microsoft 2. And then unfortunately it all came crashing down really, really badly. Ooh, that's exactly it. Before we had to learn that the Notorious RBG was gonna vote to go to war against the Holy Roman Empire, the United States Congress passed a thing. Unfortunately it wasn't like health care or sanity or anything; it was called the US CLOUD Act, which just straight-up says the United States is going to ignore everyone else's laws with regard to electronic data storage forever. The CLOUD Act is so obviously and wantonly a violation of international law and the core concept of separate sovereignty that it's just boring to hear me rant on this, so we're gonna move quickly along. I'm gonna summarize this entirely as: when Canada invades us to bring an end to our rogue state, this will be one of the charges levied.

So let's talk about the GDPR at long last. This is the standard model in most US companies of how the GDPR works: oh my god, it's coming out of nowhere, it's a dog in the air, hide your lawyers and hide your children. This is like, we're bad at stuff. Like, the general US business approach to regulation, like any regulation, is just to ignore it until all hell breaks loose, and like, that was part of the problem; it's just our thing. But also, like, it's Europe, right? Like, they're like America's dorky younger brother. They have weird stuff; they're like blue cheese and human rights and not having child soldiers. Like, why would we even care? Don't think, no, this is America, where even our diplomats can't find the Geneva Conventions on a map, and even if they do, they assume it's part of a trade show. But like, you know what, the EU is straight up post-Trump, post-NSA revelations from Chelsea Manning, post having to fight with Microsoft all the way to the US Supreme Court to say that we're a big boy country and get to have our own laws; the EU is not up for our shit. So the US screamed in diplomatic negotiations saying we absolutely can't do this, horrible things will happen, and like that cat over there, the EU was just like, yeah, I'ma just walk away. And in reality, even without Chelsea Manning, Max Schrems and Orange Julius Caesar in the White House, this has been a long time in coming. Like, we like to think of this as the thing that just happened, like, and it's a part of a post-Trump reality, partially because among other things Angela Merkel's still really pissed about how we tapped her cell phone, and so she's been very much on, like, yeah, we're not giving this shit to rancid Velveeta man. But it's actually been happening since 1995, the original work to start building a stronger version of the Data Protection Directive. The original GDPR draft was passed as a European Commission proposal in 2012, January of 2012, so we've had that much notice that this was gonna happen. So if your company first mentioned the GDPR internally in April 2018, fire your lawyers. If your company first actually did something about the GDPR and had previously known about it but ignored it, fire your management chain; they had every warning about this. Now, those of you who've been working on this shit for the last six months continuously, well, go, no, we didn't have enough time. Again, you had two years; that's enough. It's like, the law, follow the law.

So let's talk about what the GDPR actually does, right? Because for Americans it's like, it kills our freedoms. That's not entirely true; it just kills like a couple freedoms, and they're unimportant freedoms. So we're gonna go through the articles. I'm not gonna go through every article; there's like 92 in the GDPR, it's not that important. I am going to give you the numbers of the important articles, because you're gonna hear these numbers repeatedly, kind of like how Americans just say the First Amendment when what we mean is, I don't understand what Twitter is. Like, we just say an Article 17 notice when what we mean is give me all your shit and then delete it. So I'll give you the numbers.

Article 15 is called the right of access, and it's very simple: give me all the information you have on me. And as part of that, as part of the request for all the information that a company is storing on you, you also have to give them how long you're going to keep it, for every single individual piece of data, what your justification is to hold on to the data and your justification for having collected it in the first place, and where you've got all of it. So if you're Facebook, for instance, and you're collecting data from like the Facebook website and you're also collecting data from like a ton of people just sending you data because Facebook is super cool, now you have to actually put out exactly which person gave you exactly which piece of data that's tied or identifiable to an individual. And it's not just like identifying information, which is an American concept; this is much more like the HIPAA concept: if it could be linked to a human, then you have to link it and you have to disclose it. This is actually not that hard, unless you're one of those "data is the new oil" companies, in which case it feels a lot more like this, right?

Let's talk about Article 16. Article 16 is the right of rectification, and in 'Murica, like, that sounds naughty, but it's not. This is pretty straightforward: if your data is wrong or your data is incomplete, you have to fix it. It's easier to think of why this would matter... like, I don't care if Rapid7 has the wrong data about me; I probably gave it to them to get into a party. But it makes more sense when you think of private corporations providing government services, or just for government services directly. And like, for instance, in the United Kingdom right now, they've basically hollowed out their government because they live in an Ayn Randian fantasy, and so now major corporations provide like the equivalent of welfare or Social Security. And so if they're saying, well, you obviously can't have Social Security because you're clearly a 12-year-old boy, and you're not a twelve-year-old boy, then they have to fix it, and then they have to actually address the, like, give you back the services they took away. That's all Article 16 says. For Rapid7, like, I could demand that Rapid7 have my real email address, but that would be a dumb thing to demand.

Article 17 is the right to be forgotten, and now there's a lot of harsh reactions to the right to be forgotten in the United States, and so before y'all start yelling freedom, 'Murica, eagle, First Amendment, guns, Brawndo, I want you all to understand what this really is. In most cases the right to be forgotten really means: hey, company, I don't want to do business with you anymore, delete the data you have on me and stop emailing me for ten years. So for those of you who once signed up for a party at Black Hat, this will be your friend. But it applies to a lot of things. It's true that there's also a right to deletion in public databases; the process is the same, but there are a list of balancing effects. There's actually a lot of interesting case law, because this is not new to the GDPR; that has been around for a while, and to be honest, most of the time this is not a controversial decision. So let's say someone uploads an embarrassing photo of you to a public forum, or a newspaper takes a photo of you and uses it with a funny caption. This actually happened. It wasn't HOPE, it was a conference less fraught than HOPE, but a couple months ago a newspaper took a photo, just a normal stock photo in like the chill-out lounge equivalent, of four or five hackers that happened to be men, and then used them as the headline and caption, you know, security conference repeatedly harasses women. And these five hackers had not harassed anyone and were like, excuse me, what the hell, we know who the harassers are, take a photo of them, don't use me as their image. This is a good example of when you'd actually want a right to be forgotten. Or this woman: this woman is now not 12, and she's a nurse in Phoenix, and she was tired of random people stopping her in the street to say, oh my god, you're the Ermahgerd girl. So she could file a request to have it removed. Unfortunately it's really hard to get it removed from like 4chan, but she could have a right to be forgotten request remove every photo; it serves no purpose of legitimate public interest anymore, and this meme would still be funny, it would just look like this now, and like, it would no longer serve to annoy a nurse in Phoenix who has a right to privacy and a right to having a quiet life.

So free speech absolutists will undoubtedly first try to sell you Bitcoin, and then say freedom requires that I be able to say anything about anyone forever, and then they'll say something about the Holocaust on a chain, because it seems to be one group these days. Like, I'm familiar with the free speech argument; I'm familiar with the argument that, like, this data is of public interest forever. Did you hear about the one German doctor who killed people? And like, yeah, I know the German doctor story. But here's how this actually works in practice: in Wisconsin, a system allows any person, for any reason, to access any court record that has not been specifically sealed. Like, a child custody case will always be specifically sealed. This means that arrest records, charges, convictions, lawsuits, most of a divorce, all of that is there, and when you log into the system it has a note warning you that it's illegal to discriminate against someone for anything other than an actual criminal conviction related to the purpose for which you're screening them. And what actually happens is that anyone who's ever had a messy divorce, every landlord, every co-worker, everyone knows about it, even if it was 40 years ago, because there's a right of access; there's no way to get this removed. So sure, can it serve a public interest? Absolutely. Is it good? Well, no, it's not. It's not good that you can't get an apartment if you were once arrested for having weed in the 1960s, when as far as I can tell everyone had weed, and it's illegal but it's extremely hard to prove; there's no logs of this. And Wisconsin has done this as a government service, but there are hundreds of websites like Florida Man Mugshots dot com where you can go to get mug shots of people who were arrested, and even if they were arrested illegally, you have to pay them ten thousand dollars to remove it. It's just another extortion scam. So it's not unreasonable to say, hey, maybe we shouldn't do this. Europe didn't make a crazy decision here to say that spent criminal convictions, people who are out of probation I think, and salacious rumors from 20 years ago were things that had to be removed. They took two rights (the United States also has free speech and privacy; the United States, of course, is always free speech and then privacy, right, always the way it works, which is not great) and they said, you know what, privacy, and not incidentally criminal rehabilitation, which is what we always say we want, comes first, then free speech, also very important, just not the very tippy-top thing. The United States has decided the other way around, with of course guns way up there, not least because we do love our Puritanism, so it's always good to say, well, one time in the past you sinned, so forever you shall be marked with the mark of Cain, which for some reason also comes with an ad to reduce your belly fat. Europe's not necessarily wrong; they just came to a different conclusion, and back when we still had conversations with people, this would be an interesting thing on which two cultures could dialogue.

Moving on, Article 18, the right to restriction of processing. This is a weird one, but it simply comes down to either when someone has contested the accuracy of data, which like we talked about before, or just contested the holding of data: they said delete my data and you said lol no and then they're about to sue you. You don't get to delete it in the meantime; you also don't get to process on it. So basically, while there's a court case ongoing or about to be a court case, you don't get to use this to build your ML models, Facebook; you don't get to use it to send emails to spam people, Rapid7; you just have to hang on to it, inert. There's also Article 19, which says the same thing as Article 18 but for all of your trusted marketing partners. Those of you who are working in the client space, who have recently done vendor onboarding at any company of more than about 10 people, might have heard of a thing called a GDPR DPA or data processing addendum. The biggest part of a DPA, it's very... those of you who work in the HIPAA compliance space, it's very similar to a BAA but not as broad. The DPA mostly says this: it says if we tell you delete the data, delete the damn data, which is really interesting for data brokers, which become essentially legal under this.

Article 20 is the right to data portability. This is very simple: it says give me the data in a format that I can actually work with. If you're one of those companies that says no, our memes are too dank, we can't allow anyone to leave, and so your response to this is saying we'll give you all your tweets, but like as a huge PDF and not in a machine-readable format, that's just illegal now. It was always a shitty thing to do, but now it's illegal. Article 21 is awesome, though: it's the right to object. So if you tell companies to stop using your data to send you direct marketing, Rapid7, they have to actually stop. If you tell them to stop using your data to build look-alike audiences, Facebook, and then send those look-alikes direct messages, they have to stop. It's almost like Europe decided, well, fine, if corporations are people, then corporations need to stop bad-touching you in the data, and no means no, Facebook. Finally, Article 22, the twilight of the algorithms. This is this hilariously liberal-seeming rule that'll be familiar to those of you who do machine learning. It says you get to object to fully automated decision-making based upon your data, and a good example of this in the United States is the COMPAS system. How many of you have heard of COMPAS in the criminal justice context? One or two people, okay. For the rest of you, COMPAS is an amazing system. They took court records from like a hundred thousand people, and, you know, rehabilitation outcomes and demographic data, and then they made a huge big-data machine learning model and they sold it to the courts saying, hey, we're gonna make your sentencing data-driven. So if you have a low-risk offender, then they'll get a low sentence, and you don't have to do all that calculation yourself; you can just feed it into the COMPAS system. This is not inherently a terrible idea. However, what they actually did is they made a system that says if you're black, you go to jail forever, straight up. Like, there's like nothing that can test this in the world. Wisconsin, Georgia, Florida, a bunch of states use this system, and it's the most racist thing in the world. So the right to objection to automated decision-making says, not that we have to not be racist, unfortunately, but it says that we can't blame the computer. So it means two things: one, you have a right to a human in the loop for the decision-making, so you can't just say, oh, it's just the computer, a
human has to actually be an involved part of it, running on established criteria. But secondly, and this is the part that will annoy ML people, you have to be able to provide an actual explanation for what inputs and what outputs the machine learning model actually used, and how it weights those and how it calculates those. You can't just say, well, I don't know what it does, we put in your photo and it said fifty years, isn't that amazing, which is the traditional machine learning "we don't understand how it works". So under the GDPR, if you don't understand how it works, cut it out.

So now let's talk about corporate responsibilities under the GDPR. There's a lot of corporate responsibilities, but many of them have been summarized as: you have to actually take care with data. It's not good enough to go, nobody's going to notice, or nobody's ever going to find that hole that I just found with Nessus, no one's ever going to do that. You don't have to create the greatest security ever given to data, but you do actually have to do the work.

Article 30 is records of processing, which is super cool. It says that when you send data to people, you have to write down that you sent the data to people. Like, oh my god, we have 348 advertising networks, how will we ever do this? Stop. Stop having 348 advertising networks. Seriously, it's okay, you can do it, just use Facebook, I guess. And yeah, why do you have to do this? It's so that people can sue you. We don't want to be sued. Yeah, well, the fines if you don't do this are much worse than people suing you, so you just have to do this. You write down: this is the data we sent, this is who we sent it to, and this is why we think that's legal. Ideally the answer to number three should be: because we had actual affirmative consent from the users, who double opted in to share our data with our trusted marketing partners. If that's not your answer, you're in a lot of trouble, so good luck. And yeah, is this really hard? I mean, like, it could be, but in fact we've been doing the same thing in other spaces for a really long time. We call it supply chain security, and if you want to have a really good overview of supply chain security, go tomorrow to Shafaat khan and talk to the shabak khan leaders at their no-fire talks about how the Orthodox Union has been doing kosher supervision for like six hundred years. It's not that complicated. We know if you killed the cow correctly; we can also figure out if you sent the data to a marketer.

The next article is security of processing, which means you have to have an actual security program, and if you'll indulge me I will rant for a moment about our dear brethren on the red team. In the security community we hear an awful lot about technical security, in both attack and defense: things like Rowhammer, and Meltdown and Spectre, incredible, brilliant proofs that our assumptions are open to challenge; Travis Goodspeed's packet-in-packet work proves that when you live with a metaphor like the OSI model, you die by the OSI model. And on the defense side we have sexy defense, attack right, like Leviathan's Lotan crash top analysis, the brother sins TLS hugs, which is an amazing talk that's all in technicolor for some reason, and the Cyber ITL security property labeling. This is all wonderful work and it provides a lot of hope for the future. But sexy offense and sexy technical defense are one part of the puzzle, and the compliance people, how many compliance people in the room? There's like eight compliance people in the room, and you're all crunchy, and that's fine, we're them. Like, I don't want to say we're the only actual security people, but here's the deal. In medicine, you know what saves like a bunch of lives? Things like brain surgeons, or things like cool new gene therapies; they take untreatable things and make them treatable things. You know what saves billions of lives? Sewers and hand washing and mosquito nets, the big public health things, not the sexy things. Working on sewers is not thought of as a way to save millions of lives, but it does. You know what's the sewers and hand washing stuff? Information security management programs. Do you have a firewall? Is it on your shelf or is it plugged in? Because I've seen that happen. Do you have an explanation for why you have inbound ports open? Because if you have a firewall and it's set to an any-any rule, then it doesn't help so much. Do you have backups? True story: when I worked as an information security management program consultant, which basically means that I come in and say, show me the backups, I once talked to a client that said yes, we have backups of this incredibly expensive thing. Am I cool? He showed me the logs. No. Why? Well, it hasn't run for a while. How long would that be? Since we installed it. Why is that? We're waiting for the software to allow us to do the backup. How long have you been waiting? Two and a half years. Okay, so you realize that your entire company ceases to exist if this data center floor falls in, right? And below us there's a gym, so if somebody hits the ceiling with a barbell your company ceases to exist. Like, that's not in our threat model. I'm like, okay, your threat model sucks too. So you don't have firewalls and backups until you know that you have them, and that you've checked them, and then collect the proof that you do these things repeatedly and every time. Otherwise it's a pointless waste of money to buy things like Cylance. It's actually a pointless waste of money to buy Cylance anyway, but it's especially a pointless waste of money to spend a hundred thousand dollars a year on tech you don't understand until you know that you have business rules around your firewall, for god's sake. So doing your job the right way every day and taking pride in it is the sexy defense thing. So all of you who work on blue team and occasionally have to do boring backup log tracking, you are the actual heroes, and to hell with the red teamers who say that compliance kills companies: your ego does not help security and your bigotry is just annoying. So
back to Article 32. If you build an information security management program, you have to actually test it, if the straps are holding your Humvee to your parachute. That's a real video, by the way; we bombed Germany with Humvees about three years ago, accidentally. So GDPR isn't HIPAA, so GDPR data security requirements aren't as specific as saying do X and Y and Z, but it does say you should look at things like encryption, pseudonymization, confidentiality, integrity, availability, testing, testing your control frameworks, and the specific risks that you, yes you, Mr. Corporation, pose to the human rights of the people whose data you're testing and whose data you're holding. Excuse me, because let's face it, if you screw up and I get doxxed, I don't care whether this was from, like, a car wash or whether this was Equifax again or what it is. All data storage is considered an actual risk which you have to actually account for. Data is the new oil, and your companies are hazmat sites, so clean them up.

Articles 33 and 34 are very simple: if you get breached you have to actually tell someone. You cannot just backfill it with a Master Lock. So you have to tell the government and you have to tell the person whose rights you've just violated, kind of, see before, if it's violating somebody's rights. You have to tell the government, which usually means your responsible Information Commissioner's Office, within 72 hours of first becoming aware of the data breach. It's not a lot of time. This provides a useful incentive to you to make sure that you have an incident response team, and then fund them, because if your incident response team doesn't have Splunk or ELK or something they can search a lot of logs with in a real big hurry, you're going to get fined for not responding within 72 hours. Also, here's your incentive to finally put full disk encryption on stuff: if you have effective security controls, which means encryption on data you've lost, and you know that the key was not breached, you don't have to do a report... you have to do a report to the government, but not to the individual people. So put full disk encryption on your laptops. This is 2018; it's been built into every operating system for a decade, just turn it on. You also have to tell people whose data you've lost, quote, "without undue delay", which means fast, and again you don't have to tell them if it was encrypted, but it has to be real encryption. It cannot be base64-encoded "for security". Seriously,
so it has to be real, and you will be audited on whether it's real, and you will be sued if it was not real, and you'll be sued by both governments and people.

Article 37: a data protection officer. How many of you have worked in the HIPAA space? Like a handful of you. So in the HIPAA space you have a thing called a designated security official, which is sometimes a designated security officer, that just says we need to have a neck we can choke if you get a HIPAA breach. Same exact thing for the GDPR: an actual human being, not a function, not a consultancy, but an actual person in charge of GDPR-type privacy protection. Interestingly, they have to report to the C-suite; they can't report to, like, you know, the third executive assistant in charge of hand-washing, and you can't fire them because they tell you to work harder. This is also a thing straight out of HIPAA: you're not allowed to shoot the messenger, and you're not allowed to prevent whistleblowing, and all the same things there should sound really familiar to people in compliance spaces. You can still fire them if they grope the intern, to be clear; this does not give them any special protections other than saying you cannot shoot the messenger.

And now the cool part, the part you've all been waiting for. Why do we care about Europe? Like, we're not even in Europe, does it matter? Well, yeah, it does matter. First of all, the GDPR applies to all companies who hold data on European citizens, regardless of whether or not they have a European subsidiary. So Europe will straight-up penalize you, as we'll talk about in a second, even if you're an American-only company, because you don't provide GDPR protections to European nationals. Okay, so even if you sell forklifts, and you only sell them in the United States, you have to actually put GDPR compliance in place. It might be, but probably isn't, good enough to do the whole "we're gonna turn off our European game servers" thing that a couple of game companies have tried; like, that's embarrassing, and it's not super helpful, because you actually have to do this and it's not, like, optional, and they will fine you. B: as it turns out, Europe's banks are connected to our banks, so they will find your money. First big thing of the penalty section: how many of you have been forced to sign an arbitration clause? Everyone raise your hand. Everyone has had to do this; it's in the PlayStation contract, for God's sake, everyone has to do this. Articles 77, 78 and 79 say nope, we're done with that shit. No more binding arbitration that waives your fundamental right to sue, no binding arbitration that waives your fundamental right to report to an actual government and have an actual judge give an actual order to fix stuff. There's no more of this "well, you waived it, so you're screwed" thing that is very popular in the United States. But you all want to hear about money, so here's the money: two percent of worldwide turnover, which means global gross annual revenue, not just profit, or ten million euros, whichever is higher. If you breach certain sections it's actually double that: four percent of worldwide gross annual revenue or 20 million euros, whichever is higher. That's an amount of money that makes even Google notice, because Google cannot take 4% of its worldwide annual gross revenue from every single one of these lawsuits, and the reason for this is really simple: the pie isn't that huge, because Facebook was just paying the penalties under the Data Protection Directive because it was cheaper than doing the compliance work. So now it's not, so now they'll actually do it, and that's exactly what it's designed for; it's designed to be a Google, Facebook and Microsoft killer, and it should be pretty effective. I know Google's pretty worried about those lawsuits they were already defending. Also though, and this is particularly grating to American companies, you have to actually pay damages to the people whose rights you violate; real damages, not another crappy click-through contract that says
your maximum damages are limited to the amount you pay in one month for our service, which is like three dollars, so haha, sorry we stole everything. You also don't get to say, well, Equifax didn't have a contract with you, so Equifax can't be sued by you. That's not a thing anymore either, not for European nationals.

So finally, what comes next? Well, this is already in effect; GDPR day was May 25th. It's amazing: the GDPR is in effect to protect all of us, because most companies, not Facebook, are applying all these same rights to everyone in the world, because it's easier than trying to ask for passports when you get a deletion request. Max Schrems, our angry Austrian from earlier, has already sued Facebook, as I mentioned, and how that case turns out will shape a lot of how the United States and the European Union react to each other in the next couple of decades. Luckily we have strong and stable leadership in the White House, so I'm sure that regardless of the decision coming from the European Court of Justice we will continue to respect our neighbors across the Atlantic and work together in a productive and meaningful... no, we're all screwed. Like, I get it, even like, we're so screwed, like Trump is just gonna go there and, like, oh boy, you're not even a real court, like, what is this? Also there have been proposals from some US states to enhance their own privacy laws, but none of them have gone anywhere. That was a weird sound; it sounded like there was one crazy state who might have done something. Oh shit, it's California, oh my god, everyone responding to California. Oh yeah, California passed a GDPR-style privacy law in about 72 hours, because a rich man threatened to hold a referendum, and they were pretty sure, like the polling said, like, GDPR is gonna pass in California, and it was seriously gonna have an effective date of the next day after the election, so it was just gonna be like, surprise, GDPR. And so rather than doing that, the California Legislature rushed through a mishmash bill that provides more or less GDPR-style, slightly watered-down protections to Californians, which means America. This is how this works. So this is kind of amazing: they did the full Leroy Jenkins, so hopefully it works out for them. We'll find out in 2020. You could read the law now, but we're not sure what most of it's gonna mean, and like half of the planet is gonna sue, so we'll figure out what it means in a couple of years.

Outside California, though, what comes next? Well, for one thing, people are going to learn what goes into their code, or they're gonna have to learn what goes into their code. They're not gonna be able to say, well, it's serverless, so I guess I'm outside of your jurisdiction. They're gonna say, well, it's serverless, which means it runs on someone else's servers; and like, I always get annoyed at the "the cloud is just other people's computers" meme, but I do love that calling it serverless architecture is like calling takeout kitchenless architecture; like, it still got made on a computer, right? And finally, people in the United States are starting to treat privacy like a first-class principle instead of the punchline to a joke, which is traditionally how we've done this. So everything is awesome, except that of course now we have to be GDPR compliant forever, or as I Will Leave Now on Twitter put it: didst thou know that GDPR compliance did not end on the 25th of May? We actually have to set up an effective security program? Yeah, you do. Remember that Ceiling Cat is watching your data processing activities and will be doing so for the foreseeable future. Thank you. [Applause] [Music]
We are taking all questions on the microphone so everybody can hear the questions. We've actually got about ten minutes for questions, and if we have to shut down the mic hopefully there's time outside of the venue. So thanks, questions?

All right, so my question is, given the fact that, you know, Angela Merkel flipped her shit because the US was like, we don't give a fuck about your laws, America, guns, bronto, eagles, blah blah blah, in US v. Microsoft, isn't it somewhat hypocritical for them to turn around and say, with the GDPR, we don't give a shit, even if you only sell to Americans and never deal with Europeans you still have to deal with GDPR?

They don't quite say that. So the difference is, if you only sell to Americans and hold no data on Europeans... it's entirely done by the nationality of the people whose data you hold. So if you're, like, a Kwik-E-Mart type thing, you don't have to worry about GDPR, because you're only selling to people, like, there, and like, you might incidentally pick up a European national's, like, you know, sticker bar receipts; realistically I don't think the enforcement potential is particularly high. So the thing is that most US businesses do in fact sell overseas, and have always relied on not being in Europe to protect them from European laws, and that's the difference, that's what doesn't happen anymore. And the US does do exactly that, and has done that for a long time. The difference of the US v. Microsoft issue was that it was on a non-American citizen with a non-American data center, and it reached out and took something, so that's the difference.

Okay, and also, why is it no longer the case that you can say, you know, all our servers are on American soil, and, like, your user agent went from Europe to America, so you're no longer in Europe, you're in America, you're dealing with American rules and stuff like that?

Because Europe said that that was dumb. So, diving into this, it's a whole long story, right? It deals partially with the fact that Europe for various reasons didn't create the big internet companies that hold everybody's data, but it's also because there are lots of situations in which the nationality of someone actually affects the laws they're under regardless of what country they're in. This is less uncommon than it kind of seems. It seems like it's uncommon because the United States traditionally does this to everybody all the time, and in, like, a thousand different forms, everything from the treatment of our armed forces to banking regulations, all sorts of things. It's just that nobody else has ever done it to us before. So I will summarize as: because there's a ton of law saying they get to do that with respect to their own citizens.

All right, thank you. Hi, if someone asks to be forgotten, and I have backups of that data, do I need to then go through those backups and erase them from my backups?

Yes. Holy crap. Yeah, it's not like... so I only have an hour and not, like, an entire career to walk you through all this, right? So there are rules about how instantaneous this has to be, and like, you can say, for instance, okay, we've deleted it, we've deleted you from our live things, we're no longer recording you; our backups, we have a six-month rotation, we do it with Iron Mountain, trying to go out to Iron Mountain and pull those individual backup tapes outside of the rotation is unrealistic, so we're gonna let it time out instead. You can do things like that. You have to actually justify that; you can't just say, LOL no. But yeah, the answer is you can't keep permanent backups at the expense of the rights of European citizens, and if you look at data breaches, it's perfectly obvious why we do that, right?

Thank you. I have kind of a two-part question. First of all, so I get a lot of requests to forget me from people who apparently are, you know, European nationals, and part of me thinks that these are all coming from an automated system, because the emails are all exactly the same: "I withdraw my consent, Article 17, for the process...", you know.

Yeah, I know them, yeah.

Yeah, so what is expected for due diligence for verifying that those people are actually the people that they say they are? And the second part is, do you have any good ideas for attacks where you might, like, send out requests on someone else's behalf to have them forgotten from important things?

So the answer to your first question is: just delete their data. Okay? Don't be that guy. Like, just don't, like, don't be the edgelord; this is a weird thing to have to explain to, like, the large American businesses, but like, don't be the "I'm just asking a reasonable question, I want you to show me your password". No, just delete the damn data, it's okay, there's plenty of data. But so, like, don't be that guy. Honestly, this is not legal advice; your lawyer will tell you you can get away with it, but then you have to actually do verification. It's easier just to delete their data, you know. For part two, that is an interesting and intriguing question. The way I have seen it done is that basically you have to validate that the person has the authority to act on behalf of the thing they're claiming, because yeah, if you can just DDoS, send emails... so like, if you think of it like MySpace, because MySpace is easy and everyone likes to make fun of them, MySpace could say, hey, oh hey, yes, I got your request to delete data associated with this email address; that email address is associated with an account; we've sent an internal MySpace message to that account; reply to it to prove that you're in control of the account, and then we don't have to verify your true identity, we just verify that you're a person who is authorized to access the account. So I've seen that get through lawyers before, so I think that's cool. It doesn't require collecting passports, which nobody wants to deal with. So that's how I would approach it, and that allows you... it's still very human-intensive. I haven't seen a good automated way of doing this. I have heard that Google has a good automated way of doing it, but I actually don't know what their solution is. But for companies that are not at, you know, billion-users scale, put a human in the loop and send a DM, and it's not that hard. There are situations where that won't work, but that's a pretty good start.

Yeah, and that is actually what we're doing, because that's... yeah, thank you. Hi there, two non-contiguous questions. First one: I thought I knew pain reading the GDPR, and then I read the CCPA. Any idea why there's no clear right to be forgotten in that mess?

Because the First Amendment, just straight up, the First Amendment. The reason that we can't do a right to be forgotten is because the First Amendment, current interpretation, says that we can't. That's not a thing that we would necessarily have to do; this goes into kind of lawyer constitutional nerdery, so like, talk to, like, marker and aza, or talk to other, like, First Amendment attorneys who are big deals, but it would not be impossible to construct a Supreme Court jurisprudence going forward that would allow us to see that a right to privacy entwined in the Fourth Amendment would enable us to say you can't do that with immaterial facts. That would be a pretty massive change though, so I'm not saying it's likely at all. Anyway, that's why, that's what we can't do.

Cool. Second question is, on the horizon, other states attempting to California on privacy? I was listening to Allison Bender speak earlier in the week at Black Hat; she talked about an attempt in Massachusetts to require breached companies to give at least some suggestion to consumers of attribution, which seems like a minefield.

Yeah.

The governor shot that one down, but do you see anything else weird on the horizon that privacy folks should be watching for?

I mean, that sounds like a handout to Mandiant, not to put too fine a point on it; like, that's awesome, you could just always say it's China, it makes it easy. Yeah, there's lots of weird stuff. Like, it's common to say the states are the laboratories of democracy; I'm increasingly convinced that in our hilariously polarized times the states are, no, the meth labs of democracy, because like, I'm from Montana, and you should see the shit that came out of Montana when we had a supermajority of one particular political party, like more than 75%. Like, we just did away with democracy. Luckily none of it mattered, but like, holy crap, it was bad. So yeah, no, I mean, almost nothing compares to my current state's thing that says that if you're PCI compliant you're not liable for data breaches, regardless of whether you process credit cards. It's just a whole thing. States always do crazy stuff; we'll see how it shakes out.

All right, let's give it up for Brendan. [Applause]
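The two audience questions above, whether erasure has to reach backups and how to verify an erasure request without collecting passports, describe one pattern: prove control of the account through a channel only the account owner can read, delete live data only after that proof, and keep a record of what was erased so a later restore does not bring the person back. The following is an added example of that flow, written for this page; it is not the speaker's code and not any real company's process. The `ErasureService` class, the in-app inbox, the ledger, the `restore_backup` helper and the sample accounts are all hypothetical and constructed for illustration.

```python
"""Hypothetical erasure-request handler (added example, not the speaker's code).

Flow: an unauthenticated e-mail asks for erasure -> we look up the account for
that address -> we drop a one-time token into that account's own in-app inbox ->
only a caller who can read that inbox (i.e. controls the account) can confirm ->
then we delete live data and record the erasure in a ledger that is re-applied
whenever a backup taken before the erasure is restored.
"""
import hashlib
import hmac
import secrets
import time

# Same reply whether or not the address maps to an account, so bulk or forged
# requests cannot enumerate users.
GENERIC_REPLY = "If an account exists for this address, a confirmation was sent to it."


class ErasureService:
    def __init__(self, accounts, token_ttl=24 * 3600, clock=time.time):
        # accounts: constructed sample store, account_id -> {"email": ..., "data": ...}
        self.accounts = accounts
        self.token_ttl = token_ttl
        self.clock = clock          # injectable so expiry can be tested offline
        self.pending = {}           # account_id -> (sha256(token), expires_at)
        self.inbox = {}             # account_id -> [token]; the in-app message channel
        self.ledger = []            # erasure ledger: (account_id, erased_at)

    def _by_email(self, email):
        wanted = email.strip().lower()
        for acct_id, rec in self.accounts.items():
            if rec["email"].lower() == wanted:
                return acct_id
        return None

    def request_erasure(self, requester_email):
        """Unauthenticated entry point. Never deletes anything; it only stages a
        challenge that is delivered inside the account, not back to the sender."""
        acct_id = self._by_email(requester_email)
        if acct_id is not None:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).digest()
            # a newer request replaces the older pending token for this account
            self.pending[acct_id] = (digest, self.clock() + self.token_ttl)
            self.inbox.setdefault(acct_id, []).append(token)
        return GENERIC_REPLY

    def confirm_erasure(self, session_account_id, token):
        """Authenticated entry point: the account id comes from the logged-in
        session, the token from the message we placed in that account's inbox.
        Returns True only when a valid, unexpired, single-use token is presented
        by the account it was issued to; the live record is deleted on success."""
        entry = self.pending.get(session_account_id)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.clock() > expires_at:
            del self.pending[session_account_id]
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest()):
            return False
        del self.pending[session_account_id]
        del self.accounts[session_account_id]          # live data gone
        self.ledger.append((session_account_id, self.clock()))
        return True


def restore_backup(backup_records, ledger):
    """Re-apply the erasure ledger to records coming back from a backup, so a
    restore does not resurrect someone already erased from the live system."""
    erased = {acct_id for acct_id, _ in ledger}
    return {acct_id: rec for acct_id, rec in backup_records.items() if acct_id not in erased}


if __name__ == "__main__":
    # constructed sample data
    store = {"u1": {"email": "alice@example.test", "data": "profile"},
             "u2": {"email": "bob@example.test", "data": "profile"}}
    svc = ErasureService(dict(store))
    print(svc.request_erasure("alice@example.test"))
    token = svc.inbox["u1"][-1]                  # only Alice's session can read this
    print("forged confirm:", svc.confirm_erasure("u1", "not-the-token"))
    print("real confirm:  ", svc.confirm_erasure("u1", token))
    print("after restore: ", sorted(restore_backup(store, svc.ledger)))
```

The point of the design is that the e-mail address in the request is never trusted by itself: an attacker who sends "forget Alice" from their own mailbox gets the generic reply and nothing else, because the token lands in Alice's account, not in the attacker's inbox. The ledger covers the backup question in the same spirit as the speaker's "let it time out" answer: tapes you cannot pull are filtered on restore instead.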