The Front Row Episode 05: Future of Digital Privacy Transcript

Host: Welcome to The Front Row. A podcast from 2U about what it takes to solve the problems of the future. Like losing control of your online life.

Jordan Reid: The morning of one of, what turned into the most dramatic days of my entire life, I got an email from my Dad and he was forwarding me an email from his business partner who said, “Hey, is Jordan selling her site?”

Host: Jordan Reid, author and lifestyle blogger at Ramshackle Glam dot com. The site gets a lot of traffic and back in 2014, when this happened, Jordan was about to launch her first book. So when her Dad’s business partner, Anthony, he’ll play a big role in this story, happened to see Ramshackle Glam posted on an online auction site for thirty thousand dollars, he was surprised.

Jordan Reid: Even when my friends saw that my site had been hacked and was up for sale, I didn’t worry. I really didn’t. I thought, “Oh that’s weird.”

And I, “This is going to be annoying, I’m going to have to spend a few hours on the phone with Go Daddy.” And within a couple of hours I realized I had a very, very serious problem on my hands.

Host: During a call to Go Daddy, Jordan learned the hacker had transferred her account into his name. Even showing documentation proving the site was hers got her nowhere.

Jordan Reid: Nobody said go away, this clearly isn’t yours. They just said, sorry can’t help you. And that was what pissed me off.

I was pregnant, I had a two year old son. My husband was in business school. I was the only person making money for our family. We had a house, it is for me, enormously more valuable than that because it’s my entire livelihood.

Host: The hacker was holding Jordan’s life ransom. Today on The Front Row, the future of digital privacy.

News Anchor: Cyber attack that is happening right now, tens of thousands of computer systems in nearly 100 countries have been victimized. Hackers demanding ransom.

Nick Merrill: This attack [inaudible 00:02:11]

Host: Massive cyber attacks like this one. From May 2017 and the small time hacker who had invaded Jordan Reid’s life, they’re only going to get more common in the future.

In this episode, we’ll explore how much havoc they create and what experts are doing to safeguard us. From rethinking passwords to training the next generation of digital security experts. This podcast is brought to you by 2U, a company working with top-tier universities to create digital education programs, like cyber security at Berkeley.

Back to Jordan Reid and the hacker who was holding her website and her life for ransom.

After hours of useless calls to her web hosting company, she decided to call the police who referred her to the FBI. Yeah, the FBI.

Jordan Reid: Do you want me to call the FBI about my website? And they were like, “That’s their jurisdiction, yeah.” And I was like, “Okay.”

Host: Within a few hours there were two FBI agents sitting in her living room setting up camp. The FBI was interested because hacks like these are common but 99 percent of the time, the site has already been sold a few times over. By the time the original owner realizes what’s happened, there’s no way to trace it and no legal recourse.

But Jordan’s site was still in play. And thanks to her Dad’s friend Anthony, she had a third party way to stay in contact with the seller, guided by the advice from the FBI. If the seller thought that Jordan was aware her site had been hacked, he would’ve yanked it from the auction site or raised the price. It took about two days, but Anthony, working on Jordan’s behalf, negotiated the price down to thirty five hundred dollars.

Jordan Reid: There was a moment when he just stopped responding and Anthony was like, “Oh my God, he knows.” And he was like, “He just got really weird and all of a sudden was like, eh I’m not going to sell it to you and he just disappeared.” But we couldn’t seem too eager, it was like this grand stressful sting operation. But then eventually he did come back said, “Okay I’ll sell it to you for thirty five hundred dollars.”

Host: Earlier that day, Jordan had set up dummy accounts for Anthony to use. She transferred money from the dummy bank account to the seller’s Escrow account, hoping he wouldn’t just take the cash before transferring her website back.

Jordan Reid: And I sat there watching this dummy Go Daddy account just like, dying. And praying and all of a sudden it popped up and I had my site back and I immediately, like immediately, just went and changed like every single password and locked down like crazy and then I called Escrow dot com and I placed a stop on the payment.

Host: Success. But three years later, Jordan is still haunted by the experience. In the months after she got angry emails from the seller who figured out she retrieved her site and was trying to fish the money back. The FBI were able to find out her seller was operating out of Morocco and her site had originally been stolen by an operation in the Philippines.

Jordan Reid: They could read all about how we had tricked them. So they were pissed. And I was very, very anxious. I don’t feel safe. And I’m also not perfect and I don’t change my password as often as I probably should ’cause I’m a human who gets distracted. But I definitely live under the spectrum of awareness that this can happen again.

Host: Nick Merrill, one hundred percent agrees.

Nick Merrill: Secure passwords are hard to remember. Don’t want to use a password manager. People write down their passwords when they are strong. They’re easy to steal.

Host: Nick is a PhD student at the School of Information at UC Berkeley. He’s part of a team in the bio sense lab working on a new approach to security and authentication. That’s the process of confirming that you are who you say you are.

Nick Merrill: You know, let me ask you this question and you can see what your intuition is. What makes you, you? For me I think it’s the way we think, it’s who we are kind of in our heads. So when we think about what the ultimate authentication paradigm might look like, I think the pass thoughts is pretty close.

Host: Pass thoughts? Simply put.

Nick Merrill: So to highlight the ideas that you think your password, and we use signals that are collected from the brain to uniquely authenticate you. And in this case, your password is really a secret thought. We call it a pass thought.

Host: It could be thinking of a song, or emotion. Like a golf swing or your favorite dance move or even a memory. Your first day of school, the best barbecue you ever ate. Even if someone else has the exact same pass thought, your mind will create a unique electrical signal when you’re thinking it.

And we can measure and plot these signals through EEG, electroencephalography. Usually it’s done via an electrode on your scalp but Nick and his team are working on a set of earbuds that would do the same thing. You could use them to log into your computer and accounts. Maybe even your home or your car.

And pass thoughts are extra secure because …

Nick Merrill: The dynamics of how these activity patterns change over time are very unique from individual to individual and even within individuals they kind of change over time so my brainwaves today are going to be much different to my brainwaves tomorrow. So kind of automatically enforces this password changing. You know you’re always supposed to change your password every [en 00:07:34] months but with EEG it kind of happens by itself. Your brain changes.

Host: Plus.

Nick Merrill: When you’re thinking your secret thought, someone who is looking at you can’t tell what you’re thinking about. This is a big advantage over something like passwords where they’re always susceptible to the shoulder surfing attack where you can look someone’s shoulder, if you have a video camera in the room.

Host: The pass thoughts sensing earbuds are still in development but Nick is certain they’ll be part of a more secure digital future.

Nick Merrill: I have no reservations that we’re looking to come up with truly the ultimate authentication method.

When I think about what authentication is ideal, I think that it happens across a broad range of things. Passwords aren’t one of them but all kind of data from sensors and badges, all these different factors can come together and pass thoughts I definitely think is a weapon in that arsenal.

Host: You’re listening to The Front Row. A podcast brought to you by 2U. Imagining a world with no back row.

Syracuse University’s College of Engineering and Computer Science prepares students to identify, prevent and counteract cyber crime.

Jules P.: Our goal was to try to create real [sentrest 00:08:50] place in the world of privacy.

Host: Jules Polonetsky, co-founder, the Future of Privacy Forum in 2008.

Jules recognized digital privacy issues were going to be a big deal earlier than most people. He’d been a New York State legislator and in 1999 he was the consumer affairs commissioner for the City of New York.

That year, a big dot com controversy erupted over an internet advertising company called Double Click. They were getting flack for using cookies to track browsing so they could target banner ads. But the flack hit the fan when Double Click bought a big database marketing firm. Now they could find out what you were actually buying in real life and then match that with your web activity.

Jules P.: Well that news didn’t go over well with the Federal Trade Commission, with many attorneys general, with class action lawyers who brought cases. Double Click stock was frozen on the NASDAQ. They were sued by everybody, they were criticized and they were looking for help and so I was thinking about what to do next and I was thinking, “You know what, what’s this whole dot com thing? Let me learn more about it.” So I became the chief privacy officer at Double Click when that title was still a pretty new title.

Host: At the time, a business magazine made fun of Jules’s new gig. Mocking the job titles dot com companies were creating. The Chief Yahoo, the Chief Ninja, the Chief People Person. But the joke’s on them.

Today a privacy officer is a must have for any company dealing with data. The field is growing exponentially as data becomes a currency across industries.

Jules went on to work with AOL and a number of other high profile companies. Over the years he’s seen ideas that were just possibilities come to life, like Fitbits and drones. He can tell you about any number of terrifying, potentially helpful developments. For example, a 2016 study done by Microsoft scientists who found that analyzing search engine queries could identify users with pancreatic cancer. Even before a diagnosis.

Jules P.: I mean, can you imagine surfing the web and you get a notice, “Mm, hello, this is Microsoft or Google, based on your last thirty searches, we believe you may have a higher risk for a very serious disease. We urge you to seek medical treatment.” I’m like, “Whoa, what’s going on here? Who’s the …” On the other hand, if lives can be saved with early detection, is there some responsibility to do something about it? Fitbit may know, or other wearables. It’s on your wrist. Are you getting Parkinson’s? Did you just fall down? Are you being abused?

Host: Jules has a good reason to be concerned about the possibility of early detection.

Jules P.: My father passed away just a few months ago of pancreatic cancer, we don’t have a cure for that. But data and studying his information, studying other information, personalized genetics are I think going to give us cures to some of the diseases that have been challenging.

Host: So with the right oversight and guidance, this technology could be a force for good.

Jules P.: But if you could get in at the ground floor when cities, companies, researchers are really thinking though, “Listen, this is what we’re going to do.” And you can say, “Well, do you really need to keep that? That’s higher risk data.” Or, “Can you kind of [deidentify 00:12:22] that and still do your analysis?” Or, “Hey, how about an opt out switch so that the people who do get creeped out or are worried about this have an easy way to turn it off.”

That’s all easy often if you do it at the outset.

Host: And that’s what future for privacy forum aims to do. But for existing platforms, apps and smart appliances, Jules has some simple advice. You cannot remember a lot of complicated passwords. But complicated passwords are strong passwords so until pass thoughts or other innovations are commonplace, use a password manager. Just do it. Really. If you work over wifi in a café or public space, subscribe to a VPN. A virtual tunnel that secures your data.

If you’re doing something really sensitive, use apps that encrypt your information. Finally, get to know the services you interact with the most.

Jules P.: As the saying goes right, if you’re not paying for the product, you are the product. Free usually means, maybe there’s more information I need to actually understand.

Host: For example, Facebook. Between your posts, likes, comments, browsed articles and messages, the company has a goldmine of information about you but you may be surprised to find out, they don’t sell it. They keep it to themselves to better sell highly customized ads.

Jules P.: It’s surprising sometimes how well they get you. You can look, when you get a Facebook ad, it will let you see why did I get this ad? People don’t always pay attention but it’s really fascinating and I urge people to do so.

Host: Give it a shot, for the next ad you get on Facebook, click on why am I seeing this in the drop down menu in the top right corner. It’s fascinating and I can almost guarantee you’ll see some stuff that surprises you in its accuracy. There will also be a few errors. But here’s another surprise. Despite how much we claim to want privacy, research shows we don’t clear out all that info on Facebook. Even though we can.

Jules P.: Most people it turns out, want to edit it. They don’t like we’ve assumed you’re male because they’ve gone to tech sites. They don’t like it being wrong. They want the system to get them right.

Host: Digital privacy is a very personal thing. Each of us has a different tolerance for how much information we’re sharing online. Some of us want our apps to know us better. If we’re going to get ads, they might as well be useful ads. When others see how much an app knows, they may delete it entirely. But knowing how much of you is out there is critical.

With his deep knowledge of what’s out there, Jules is very optimistic about the future benefits of technology applied wisely.

Jules P.: And I do think that if the people that we work with, who are again very often the chief privacy officers at companies. If they are empowered to shape responsible decisions, we’ll help make sure that we have a world that is not Orwellian but that uses technology so that we have better health, more free time, more time to do important things like spend it with our family and be healthy and achieve great things.

Host: Today on The Front Row, we’ve been talking about the future of digital privacy and cyber security and if you’re looking for a career, there is definitely a future in this field.

Right now, over two hundred thousand cyber security jobs are unfilled. The demand for educated information security experts is expected to grow by 53 percent through 2018. Here’s one of the people training the next generation.

Attilio B.: My name is Attilio Bonaccorso and I am a professor of cyber security risk management for American University in Washington DC.

I really like being able to talk to people about this topic. Not just because I have a level of familiarity with it but I find a lot of people are intimidated by cyber and just by computers in general.

Host: As a kid growing up in the 90’s, Attilio was fascinated by computers but his parents weren’t so thrilled about his habit of taking them apart to see how they worked.

Attilio B.: I didn’t go to school originally for computers. I went to school for political science because I wanted to understand people. I put myself through school working in the IT department at [Rikers 00:16:42] University. From there I went into the private sector and just took an IT support job. I was a network administrator, network engineer for a company. Did that for a little while and then ended up working for the Department of Defense after that.

Host: Attilio’s approach to teaching cyber security through his online course is to help the students who come from all areas, not just IT, understand and think critically about the digital environment.

Attilio B.: As an educator, there are plenty things we can say about what’s happening now and by tomorrow that will be obsolete anyway right, because there’ll be something yet more painful and paranoia and, “My God, why am I touching a computer?” Right?

I’ve tried to design the material in such a way that the core concepts, the ideas and the mechanics that you need to worry about probably are not going to change overnight. The software that you use and the technology that you use or the things that will be exploited will. But the mindset of the people that are dealing with the problems is likely to not evolve as fast.

Host: And so for half of his classwork, Attilio sorted students into teams and has them play an online, live war game.

War Game SFX: You know what Barry, why don’t we try both ways. Why don’t we move our corporation to China. We become an insider threat and report everything back to the White House.

Attilio B.: There are five teams in the War Game. Couple of nation state actors, countries, a couple that take on the role of businesses and one that takes on the role of a hacker group.

Now, in all of those cases, the students need to have no technical background whatsoever.

Host: The students have to stay in character and respond to new information or challenges. What Attilio calls [injex 00:18:30].

Attilio B.: Which includes press releases, continuity of operations plans. Decisions, funding, partnerships. All this stuff that we actually deal with in the real world. As decision makers. There are multiple injex that I submit to the students over the course of just a single class period and the students actually have to interact with the other groups in such a way that may change the direction of the war game. Everybody’s like, “What are we doing? I don’t understand this. I don’t … Why are we doing this? I thought we were going to learn cyber.” They are very confused.

War Game SFX: I know it’s just so hard, you really have to do your research. [inaudible 00:19:17]DDOS. What does that mean? DDOS.

I don’t know, they said that earlier and they didn’t know what it meant. Distributed denial of service, attack occurs …[inaudible 00:19:28]

Host: But once they get past the confusion, things start to gel.

Attilio B.: One group was writing up a plan to interact with another group and then the following [inject 00:19:37] basically killed their plan. Because they took too long to react to what was happening in the environment. And you can see that was, “Oh, all that work for nothing.” They were upset about it but they weren’t like, “Well I didn’t, I didn’t learn from that.” They actually took away that we have to be faster with our response.

Host: If all of this sounds very untechnical. You’re right. And that’s by design too.

Attilio B.: I don’t mean that to sound trite, but cyber is not just about the person who is going to be clicking the keyboard for ones and zeros to be a defender. That is a role and it is an extremely important one but so is the person who is going to make the purchasing of the equipment for the person that’s going to use that.

So is the person who has to make sure that the audits are done properly. Or that the budget is on time. So I think that anyone in any field could actually be supportive of cyber security.

Host: Especially when you consider this scary reality.

Attilio B.: If I gave you the instructions today. Whatever your level of expertise is, I could send you to a website, have you download open source free and legal tools and you could actually start on a career of cyber crime with very little experience.

Now, whether or not you would be caught depends on how well you do right? But you could just fundamentally start to do that with little to no training.

Think about what that would mean for people that have learned in their parents’ basements from the time they were 10 years old and know how to code and know the backend of the computer. Think about the damage that they can do with no formal training whatsoever. Based on simply what’s available on the internet.

Host: Unfortunately, most of us don’t even bother with the most basic security precautions. Strong complex passwords changed frequently or even better, a password manager. Even when we hear about a Jordan Reid or a global ransomware attack.

Attilio thinks it will take something bigger to shake us out of our digital laziness.

Attilio B.: And I think that governments are really trying to wrangle with, “How do we as a nation state, do what is in the best interest of the people that entrust power to us and how do we protect those people both at the systems that we use to run the government but also critical infrastructure?”

If the power goes out, it doesn’t just affect computers, it affects hospitals and insulin pumps and respirators and emergency management systems and water treatment and just everything right? So if a cyber attack happens on critical infrastructure, people die. That’s the real possibility.

Host: It is easy to get paranoid about something like this happening. But the good news is that governments and corporations are preparing for this possibility, plus people like Attilio are training cyber security students to be critical thinking problem preventers and solvers.

War Game SFX: We’re thinking that umbrella’s chosen between the other states and China. Or they’re not even sure which one they’re going to sign with yet. We want to jump on China before they do ’cause the US doesn’t want to work with us so we kind of got steered in that direction.

So why do you think the US doesn’t want to work with you guys?

Host: This brave new digital world we’re living in is full of promise and pitfalls but with vigilance, education and determination, we can tip the balance in favor of the promising.

Jordan Reid didn’t back down when hackers stole her website and her livelihood. She fought back and outsmarted the cyber thieves.

Nick Merrill is getting closer to making the super secure pass thoughts a reality.

Jules Polonetsky believes a new generation of privacy officers and cyber security experts will be able to harness the good in technology and mitigate the risks.

And Attilio Bonaccorso is training that next generation.

We have tremendous power at our fingertips. The barriers to understanding and using technology have fallen. Just look at a toddler with a tablet.

But when we open the modern Pandora’s box we have to be prepared for what may fly out.

Next time on The Front Row, we’ll look at the cities of tomorrow.

This podcast is brought to you by 2U. 2U is a company that partners with great colleges and universities to build the world’s best digital education.

To find out more or to get in touch, visit us. We’re at 2U dot com slash podcast. That’s the number two and the letter U. Or tweet us at 2U inc. Listen on Apple podcast or wherever you get your podcasts. Thanks for listening.
