36c3-chaoswest-talk-78 Latest text of pad 36c3-chaoswest-talk-78 Saved Jan 27, 2022

 
Hey you!
Prior to transcribing, please look at our style guide: https://wiki.c3subtitles.de/en:styleguide. If you have any questions, you can either ask us personally or write to us at https://webirc.hackint.org/#irc://hackint.org/#subtitles.
Please don't forget to mark your progress in the progress bar at the talk's website.
Thank you very much for your commitment!
======================================================================
 
 
So I'm very happy to announce, for the second talk of the day, Soloff. Yes. So he's a lead researcher at Possible Security, and he's a bug bounty hunter, an active policy activist and a white hat hacker from Latvia. And he's talking today about "Nothing to hide: go out and fix your privacy". You know, the stage is yours.

"Some citizens complain about being under surveillance, but they are told that if they have nothing to hide, they have nothing to fear. Still, news media regularly cover cases where citizens with unusual behavior are put on suspicion lists, even though they have broken no laws." Now, this is a quote from a news article from European Digital Rights, newspaper ads program number three. So it's news from the future, fictional, but it clearly paints a part of the future we are all headed to.

Now, anyone here took math in college? Mathematical logic? Some. So you could tell me what this means. So basically, what it says here on the screen is: for every person that belongs to a group of criminals, that person also belongs to the group of people who are hiding something. That funky sign in the middle means: from that statement follows that for every person that has something to hide, that person also belongs to the group of criminals. How many of you think this is correct? No one. Great. It's, of course, wrong, but it is a really common fallacy. I hear that a lot.

Now what they want is privacy, though. Privacy, first of all, is the autonomous right to choose who will work with my data. So maybe I am fine with company A working with my data, but I am not OK with company B working with my data. Also, how the information is processed: so maybe I'm OK for Amazon to process my home address to send me a package, but I do not consent to Amazon sending goons to my house to get money out of me. And of course, what information is processed: even though I'm OK with giving my address, maybe I'm not OK with giving my phone number. But it's not only that, it's also the right to decide who I interact with. And that includes the right to be left alone. So in a sense, privacy is also about consent in a lot of ways.

And now, to illustrate this a little, to try to transfer my feeling to you, I created this concept of Schrödinger's video camera. Now you may have heard of Schrödinger's cat. This is a video camera, something like that. Imagine you just bought a new apartment somewhere in Paris. Great view. Nice building. And then one day you notice that a security camera showed up outside your window on the opposite side. It has one of these nontransparent domes, and you cannot see inside it. You cannot see if it's looking at you or not. You can't even tell if there's a camera inside or if it's completely fake. But for me, it doesn't matter. The feeling I get is terrible either way. Even if someone told me that there's no camera in there, even if someone showed me that there's no camera in there, I wouldn't feel at ease. So that's why, for me, privacy is, in many ways, the feeling of privacy.

Now, exactly one year ago, on this stage, I gave a talk, "Toll of personal privacy in 2018". I just want to acknowledge some reactions that I've been getting since the talk. So some of the reactions are funny. Some of them are affirmative. Others are insightful. Of course, others are just plain uninformed because, you know, you do not have to actually use a phone, right? Even though it's hard, you do not have to. Even more so, you don't actually have to use Facebook, right? But these two remaining arguments, I want to talk closer about these two.

So here's a short video, something you may have seen. So it's a video of a lady trying to unlock the man's phone with Face ID. Now it's clear from this that it's fake at least. I mean, it's a sketch, right? It's clearly visible, it's a sketch. But what I want to talk about is the reactions. And I am outraged by the reactions. I mean, all the main topic of the video aside, all these people here assume that since he has something to hide, he did something wrong, which is unacceptable to me.

So what if you really got nothing to hide? Maybe the people in the audience here, even though I doubt that, have nothing to hide. I'm sure we have some people like that watching the stream, not here at the Congress. So, what about data hoarding? What if someone, let's say a government or a large corporation these days, maybe that's more likely, collects data about you? That allows them to more easily blackmail you, that allows them to impersonate you.

Even if that's not the case, think about herd immunity. That's a concept used in vaccinations. You should get vaccinated because some people medically can't, and you will also protect them by providing a human shield, if we can say so. The same applies for privacy: there's herd immunity in privacy. So many people not hiding anything will make it really hard for the few who actually have something to hide, and it doesn't have to be anything criminal or nefarious. Many people have legitimate reasons to hide things. And by accepting that you're OK with not hiding anything, by giving up your right to privacy, you're also helping those people that actually need privacy to give up their right as well.

And, of course, remember that today's authority might become totalitarian or inhumane. We see the transformation process starting in a couple of Western countries right now, and I don't know where it's going to lead us in the next years, but it may be the case. Imagine how much easier it would have been for Adolf to have committed his atrocities here in Germany if he had Facebook, if he had access to all the data. I hope that's not coming back. Never.

Now, what I want to talk about now is the state of privacy. I want to take a look at what's happening around the world. And what's happening in the world, of course, is there are these protests in Hong Kong going on. So this is an article from the middle of this year, and people in Hong Kong, they're really aware of tracking, that their transportation cards can be used to track where they're moving, so they try to avoid that. "We are afraid of having our data tracked" is what they say. So that's good. People are getting more aware.

But it's also happening in the West. Los Angeles decided, passed a law basically, that all the scooter sharing companies have to share real-time scooter location data with the government. And Uber, even though I dislike their methods and, you know, trying to disobey the law whenever possible, I think they took the right stand. All the other companies actually are ready to give the data and are giving the data to the government. Uber is the only one who questioned this and tried to fight against that. I mean, the idea behind that is a good idea. So the government wants to make sure that the communities, the geographical communities where underrepresented people live, or underprivileged, shall I say, that they also get the scooters, that they don't target just the rich neighborhoods. So that's good. But do they really need real-time tracking for that? I doubt that.

Now, my favorite topic of CCTV, of course. This is the only slide from the last year that I include this year. These are actual posters, for those of you who haven't seen them, from the UK, how the government is telling you that CCTV is good. So what's new? Well, this happened the beginning of this year. So in May this year, a man was stopped by the police. All he did, he was walking by and someone warned him that there is facial recognition going on over there. So what he did, he pulled his sweater up over his face and walked by. Police stopped him, forced him to scan his face, found nothing wrong and fined him £90 for trying to avoid the facial recognition. So it's super dystopian and super creepy. But I mean, there are ways around that, right? We could use this cap, for example, and have a face of, I don't know, the General Secretary of a Communist Party somewhere. So then you're not trackable, not attracting attention. Right.

So, there is this law in Hong Kong that doesn't allow you to use masks anymore in the protests. And it's problematic because they track everyone through facial recognition, so that's why the mask was allegedly created. The good news is, it's relatively recent news: in November, it was ruled, well, the political system in Hong Kong is complicated, but Hong Kong courts ruled that it's illegal to ban wearing masks, and the full hearing in the next level of court is still going to happen in January next year. But currently the law is suspended. Currently, you can actually wear masks. I mean, I don't know if police actually are OK with that, but by law, you can now.

Privacy advocates, me included, have always been complaining about not being able to use public Wi-Fi without a phone number. Finally, we have an option: to take a selfie and upload the passport, which is terrible. Oh my god.

Let's get back to facial recognition for a second. So European countries are trying to copy and paste the idea that China is doing. It's not just China, it's not just Russia. But the difference is they are asking for permission. So why are they asking for permission? Well. And now they've got a negative answer. The question is, will they listen? And yes, they will, because the European Data Protection Board fined a school in Sweden because of using facial recognition. I mean, thanks to whoever made it, but we've got GDPR, so we do have some protection in Europe. Unfortunately, not all of us here and not all of us watching the stream are so lucky to have that kind of regulation, but it does actually work. Even though I've been hearing bad things about GDPR already. Yes, there are things to improve, but it does work. It does help us.

Now, as you were told, I come from Latvia, and I want to share something from Latvia. This is a picture I took at a press event in Riga. So police were presenting their new vehicle, this one over here. And this vehicle, the idea is it will automatically fine people for not wearing seatbelts, talking on the phone, not showing turn signals. So it has a bunch of 360 degree cameras in there, doing some fancy stuff. I mean, I'm all for traffic safety. But check this out. I mean, I like that they do have a sense of humor. I guess, I guess Bebe was taken. So, I mean, they decided to go see which is OK, which is the one that police use, but still, Orwell would be proud.

And so, another slide from a previous presentation. So People's Daily, China, was touting how cool it is that in classrooms you can actually now use surveillance cameras to track the progress of students, if they're learning or they're focusing and so on. Well, what's new? What happened in 2019? Anyone knows what happened? Brain scans. So let's take a look at this short video here. That should be out for reasons longer.

Teachers at this primary school in China don't know exactly when someone isn't paying attention. Buy me another one million into these headbands measure each student's level of concentration. The information is then directly sent to the teacher's computer and to parents. China has big plans to become a global leader in artificial intelligence. It has enabled a cashless economy where people make purchases with their faces. A giant network of surveillance cameras with facial recognition helps police monitor citizens. Meanwhile, some schools offer glimpses of what the future of high-tech education in the country might look like. Good job. Classrooms have robots that analyze students' health and engagement levels. Students wear uniforms with chips that track their locations. There are even surveillance cameras that monitor how often students check their phones or yawn during classes. These gadgets have alarmed Chinese netizens.

Right. Now, that's screwed up beyond repair, if you ask me. But luckily, just happening in China right now. US, America. So there's a great article I invite you to read, that The Guardian published on October 22 this year, about how they use digital surveillance for American kids, or against American kids, I shall say. I will read you some of the quotes from the article, and I divided this article into multiple categories as easier for concern.

First of all, the reason. Why is anyone doing that? I mean, it's not China, it's not the little communism. You're not supposed to spy on people, at least unless you're the government, right, in the US. So the reason is that lawsuits by parents of students who committed suicide, or parents of children who have been cyberbullied, are a problem for the school. So they see this as an easy solution. They track everything students do, and then they are off scot-free. I mean, from the perspective of the school's lawyer, even if the kid does commit suicide, their asses are covered because they have a great system and they did everything they could. So it's kind of a lose-lose situation there.

Now what? What reaction time? So as the article says, it's not "I've sent this email two days ago". It's "You've sent this email three minutes ago. Come to my office. Let's talk." That's the speed, the latency, the reaction time of the system. In Weld County, Colorado, a student emailed a teacher that she heard two boys were about to smoke weed in a bathroom. And the school is proud of this: within four minutes of sending the email, troops were deployed to the bathroom.

Scope. So I mean, it's getting worse and worse, so get ready for that, prepare for that. So it's not just about what they do at school. 24 hours a day, whether students are in their classrooms or their bedrooms, the monitoring is going on. Of course, I'm not talking about video cameras here, but the content monitoring. Tech companies are also working with schools to monitor students' web searches and internet usage, and in some cases, track what they are writing in their private social media accounts. Gaggle, which is the name of one of the companies providing the service in the US, also automatically sends students a scolding email every time they use a profanity. How's that for a chilling effect?

Now with all that, what's the justification? Some proponents of school monitoring say that the technology is part of educating today's students in how to be good digital citizens. What does that mean? Well, allegedly it helps train students for constant surveillance after they graduate. That's the actual quote from the justification of this system. And here's another quote from Bill McCulloch, a Gaggle spokesperson: "Take an adult in the workforce. You can't type anything you want in your work email: it's being looked at." So the idea is, you know, let's do this to our kids in schools and then prepare them for that.

What are the effects? Of course, there is a chilling effect. ACLU said the schools don't post on a bulletin board "Here are the words we are going to be searching for." Of course, it forces students to be careful and to self-censor. They might not write about things or talk about things that are not in fact being monitored. "The idea that everything students are searching for and everything that they're writing down is going to be monitored can really inhibit growth and self-discovery." That's the quote from a policy analyst at the Center for Democracy and Technology.

And finally, it's a military technology. In the United Kingdom, school surveillance technology has already been tested for use in counterterrorism efforts. Again, I don't want to get blown up by terrorists, but I mean, I don't like all these safety processes that we have either. I mean, even here at Congress this year, we are starting to have signs "Don't leave your bags unattended". I'm not sure how I feel about that. I mean, I thought it's a safe space here. The ACLU expert that I referred to previously said it's certainly fair to ask to what extent we feel comfortable with technologies first developed for use in war being used against our children.

Now, let's take a moment to talk about the company name Gaggle. According to the Merriam-Webster dictionary, "gag" is a verb that means "to prevent from exercising freedom of speech or expression". And the other definitions for the verb, to me, only emphasize the non-consensual nature of the interaction between the students, the kids, and the school. They don't have a say in that. They're being gagged. It's not only technologically but also psychologically, and that's unacceptable.

OK. Let's talk about something else: the end of end-to-end encryption. Or, as U.S. Attorney General William Barr called it, warrant-proof encryption. GCHQ has suggested that tech firms' communication services should be able to surreptitiously add intelligence agents to conversations or group chats. This is still an ongoing discussion, but this is where this is going. So I've been looking at this problem and I've been trying to predict how secure encrypted communications will look in the future, because the government really has, they have a strong incentive to try and access that kind of communication, because of terrorist content, because of child abuse material. So I think, as a community, we've managed to convince them that backdooring the crypto part is not going to work. I mean, it would work, but it's not all the worst of the ideas. So what I think is, actually, this is where it's going to be going. So public clients, like, I mean, WhatsApp, Facebook and so on, they're going to be able to add the third party to your encrypted communication channel without you knowing. It is going to happen in your client software. So that's what I think is going to happen.
By the way, Jim Baker, the vice general counsel who has been working with William Barr on that proposal, had a change of heart. This is a cool article from October this year. You can take a look at it. And the guy finally understood that what he's trying to do is not the right direction to go to.

OK, let's talk about those client apps. So let's take WhatsApp as an example. If WhatsApp were doing something shady on your phone, you could stop it by rooting your phone, right? That would help, because then you can install background apps that monitor the traffic, that monitor the file interactions, that take a look inside WhatsApp, and amazing. But you cannot do that. They've had that rule for some time. And it also applies, of course, to iPhones, to jailbreaking iPhones as well. But they tend to have these waves where they reinforce the rule. So it's been there for years, but they reinforce it once and again. Right? So OK, I can't root my phone. What about third party apps? Well, no. This is actually a bit newer. It hasn't been there for that long. But if you install a third party WhatsApp app, you're going to get banned, right? So the only question for us, the technological nerds here, is: is it going to be legal to install our beloved secure apps? But I want you to think about the other people. I want you to think about non-technological people. What are they going to do? How are you going to communicate with them? And, not less importantly, how will they communicate between each other?

Let's take a look at another important aspect of everyone's everyday life: watching pornography online. The Australians want to use facial recognition to verify that the people who are watching porn online are the actual people. I mean, how short-sighted have you been to not see how this can go wrong, right? Those fake emails everyone's getting, that "we filmed you watching porn and we filmed your face", those are going to turn real if this is actually enforced.

But another thing, right, is, of course, online dating. It has launched in the US this year and it rolls out in the EU next year. And I actually have a couple of things about Facebook online dating. It actually does provide you more privacy, which is good. So when you opt into Facebook Dating, it not only makes sure that your dating profile is in a way anonymized and it limits access to your actual data. It also does something to your actual Facebook profile, where it tweaks the privacy settings a bit so that you are a bit more private. But there's a catch. In order to opt in for Facebook Dating, you have to enable location on your phone. You have to physically confirm your location. So Facebook isn't going to give us privacy for nothing. They want something in return. So, not good again.

Now, suicide prevention is an important topic, and Facebook is doing their share, and I feel quite OK about that, that they're doing that. That's good. And here is the algorithm from their official spec that's available publicly. So basically, they monitor everything. By the way, people with knowledge on the subject have informed me that even if you do not post the message, even if you do not post the comment, if you decide to write that message and then delete it before clicking submit, Facebook still gets that text, and they still launch it through this process here. So they use a classifier, they use some neural nets to try to understand what's happening. And the last step, well, not the last step, the one step before the last step is: it's reviewed by a human person, which is the part that I dislike about this idea. So I mean, given that the "taking action" over here actually means popping up this. So the user basically gets this message here. I mean, I think it'd be OK to have more false positives and not have it reviewed by a human reviewer. That would be better, even though some people are more creeped out by robots reading their stuff than people reading their stuff. I'm one of those guys actually still on Facebook that reuse.

So, um, there's this article: Facebook lawyer was forced to testify in court. They do that all the time this year, but this is one of these times this year, it's from June 2019. And what they basically said is: "You have no expectation of privacy. There's no privacy interest, because by sharing with the kind of friends you have published, you have shared with everybody." And then they go on to compare it to a birthday party, in the article, where you invite a couple of your close friends, like 20 friends, and you have no expectation of privacy because any of those 20 friends could go ahead and tell your stuff to anyone else. So I'm not OK with that. Remember, privacy is also about consent, and that's not fucking consent.

OK, let's talk about something more down to earth, more technical: web browsing, specifically JavaScript, the technology that fuels the modern web, from dynamic web pages to tracking. This here is an interesting message that I got when trying to search for some parts on Mouser. So it says that you have JavaScript disabled, so you can either enable JavaScript or log in. I mean, if that's not an admission of why the JavaScript is being used, then I don't know what is. We also have this article here, and I'm not good at German, but it's funny, it kind of loads, but then it doesn't, so I don't know what the point of that is. Again, they're just screwing with people like me. I mean, I used to have to browse with JavaScript disabled to have the web not work for me. Now all I get to do is browse from Europe. That's what I get. One of the comics that I read, that is the actual comic that falls on top. Everything else is trash on my screen. And it's not just that. Open any page on your mobile and your screen is full of garbage, not the actual text that you want to take a look at.

So, this is interesting here, if you take a look at The Washington Post a bit closer. So this is what happens when you open it from Europe: you have this nice blah blah blah, and then you can, you know, click "agree and continue". And your only other option, if you don't agree to tracking, to give up your privacy, according to Juniper, is "back to options". And if you click "back to options", what you get is, you know, you can pay to access the content. So that may be legal. I mean, The Washington Post is a relatively large organization, so they probably know what they're doing here, but it's not ethical at all.

Now I'd like to spend the next 10 minutes to talk about why I do all of that. Why do I try to stay private in my everyday life? I mean, I tried to convince you at the beginning. Personally, for me, it's care for others. Even though I don't have that much to hide, I like to provide that shelter, that herd immunity, for the vulnerable people that really do. But it does... So me hiding stuff, me not disclosing as much as the normal person does, tends to create some curious situations.

So I have a bunch of certificates. I'm not this, not the crowd I should either advertise up to. I was kind of forced to give them anyway. So after every time that I take an exam, I have to write them a message, because every time I want to take the exam, I show them my ID, my governmental ID, my secondary ID, and they still take my photo and thought so. Obviously, every time after the exam, I write a polite letter to them saying "Thank you for the exam. Please delete my stuff." And they do. But one time they also said "We did." And then I asked, "Why the hell are my certificates gone? Why can't I verify them?" And this is what they said: "So sorry, we misunderstood what you meant. So we deleted your whole account and all your certifications." And the funny part: when we were trying to resolve that, multiple times they basically asked, "So tell us which certifications those were, because we deleted all of them." Like, I could choose any of them. At one point they said, "OK, we restored them all." I took a look at my list, a look at their list, and one was missing. So I told them, "No, look more closely."

So another thing happened to me. I got an SMS. Anyone who still gets SMS here in the audience? Yeah, about half the people. So I've gotten an SMS. It didn't come from a number. It came from a spoofed source. So it's an ASCII-based credit on Total V, and what it says in Latvian is basically: "Hello. Unfortunately, your credit request has been denied." Credit? And, I'll tell you, I've never, ever applied to any kind of credits or even credit cards in my life, so I was confused. Obviously, a normal person gets the same SMS; what do they do? They try to find the fuckers and they try to understand why the hell they are spamming me, because you cannot reply to that number. So I go to the web page, which is, you know, that. And I ask them, "So what's up?" And they don't pick up. So I phoned them, I was about to ask them, and they don't connect, because my outgoing number doesn't exist. It's set to private. I use caller ID barring, so they don't connect. They don't want to talk to me.

So, OK, the only thing I can do is I hop on my bike and I ride over to their office, and everything is fine. So they're over there. I show them my phone. They ask for my phone number. I write my phone number on a piece of paper. They take it over backstage to some white guys, and the guys come back saying, "No, it's not us. We didn't send it." And I'm OK with that. I mean, I could easily have sent that myself, right? Or you could have done it, huh? But I mean, it's fair. Someone can prove that it happens. So I wave goodbye and I'm out. So that's that.

A week later, same number: "Win a shopping card for fifty euros if you go in your profile and renew your information." So what do I do? Called them up: doesn't connect. I look at their web page again. Take my bike. Go there about one hour before the closing time. It's not open. Apparently, the opening hours on the web page are the opening hours for the phone, which doesn't work, not for the actual office. So 10 p.m. No one was there. People were there, I saw them, but they didn't open the door for me. So on my way back, I go into the petrol station. I fill the bike a bit, for about one euro, and I have the receipt with me.

So in two days, I ride back again. They're open. On my way there, I fill the bike a bit. Take the receipt. Go there. And I show them this again. And you know what they told me? "Yeah, we looked more closely here and we found your number. Sorry, our bad." I told them, "OK, well, it's a bit strange that you do not verify the number. Don't you have, like, requirements by law to verify these things?" And they replied, "Yeah, we do, but only if we approve the credit." So you can apply with a bunch of random guys' numbers and get them spammed. So I sort of thought, OK, that number for you, but I have these two euros that I need you to compensate because, you know, because of you, I was there. You lied to me, and now I had to take these trips here. And so they told me to send an email. So I got the email address. I went home. I sent them an email, attached the scans. And they replied, "Please provide your bank account number to transfer the money." I politely replied, "I do not have a bank account number that I can provide to you at this time." So that was that. They never replied. A couple of weeks later, I look at my bank account, and there's the fucking money. Many people have asked me at this point why haven't I looked deeper into that. I'm too afraid of what I'm going to find out. I don't know how they got my account number. I don't have the slightest clue.

Now, from the privacy perspective, there is one more thing you can do if you still use post, the post office: you can use a post office box. That means if you give someone your address, they cannot abuse it, right? If I consent to them sending me stuff, they can send me stuff, but they cannot break down my door, because that's not my door. That's my P.O. box in the post office. So I don't know the prices here in Germany; in Latvia, it's dirt cheap. I actually have two P.O. boxes this year. One box costs twelve euros per year, so it's super, super cheap. Speaking of Congress, the C3 Post is also quite good. It's anonymous if you want it to be, and it's right behind the stage, so go send a postcard to someone you want to send a postcard to after the talk.

Let's talk briefly about mobile apps. So this is Socratic. It's a mobile app that kids use to talk about homework, to learn. And Apple, and also Google right now, have actually created a good system that allows you granular control of what apps can do and what they cannot do. And in this case, you know, they ask to access your contacts. And the thing that Apple has done is they allowed the developer to actually specify whatever text they want in here. They cannot delete or change anything, but they can add text. So they say "It's only for chatting about homework. Don't worry." So naturally, you press "Don't allow". Then this happens: "I'm sorry, we can't do any of that." So I hope there comes a day when Apple forbids apps like that, that block your experience fully just because you haven't given them a permission that should actually be optional.

Now, I used this taxi app called Taxify. Then they changed the branding to Bolt. And this is how it looks now. I can still use it, but if I want to press on the button, which you don't see on the screen, it's super, super dim over there, where all my settings were, my name, my phone number and my previous rides, I cannot access it unless I can be enabled. So why don't you text my history? I have no idea, but that's how they do it now. But still, at least it was functional, until they deleted my account because I wrote the GDPR... I requested them to, you know, explain what's going on and what context my data. They basically said, "Since you have lost your trust in our service, we will terminate your account starting next month." But I mean, I still got to use it for a while.

So then I switched to this other taxi app. That's Yandex. It may or may not be run by Russian special services. I don't know. I was using that. I took one ride, and coincidentally it was to the airport, to go to Ukraine. Coming back from Ukraine, I enabled my phone connection again. This is what I got. Your next round can happen. 2023 welcome.

Speaking of Yandex, they have a privacy policy. Of course, all companies doing business in the EU need to have that now, and it's quite OK. So they actually have the type of data, like location, they explain why they use it, and they explain how you can change your data or how you can withdraw your consent of them using the data. And it's all fine here. But if you scroll down further, we see those kinds of categories and we see a reason, "to improve app performance quality", and we see that you cannot use the same app without giving the data. And what does that include? I'm out of this place on Android. List of installed apps on Android. Device statistics, like model, manufacturer, operating system. Sensor information. Anyone has a camera sensor on their phone? Cheese.

OK, back to WhatsApp. I was forced to use WhatsApp because my friends use WhatsApp, and I have all the apps. I'm like that guy. But I don't want to be the guy that shares your phone book with the company, because then you betray your friends. So I never do that. I always click Deny. So I was using WhatsApp like that, and I want to show you how I found a way to create new conversations in WhatsApp without giving access to your phone book. So here I use my regular dialer and I di
aled the number I want to dial. I want to chat within WhatsApp. I pressed the green button. I pressed the red button. I go to recent. I press on the I over there, then I hold the message button. Then I choose WhatsApp. The call button is what I call WhatsApp. And red button, what's up? Then I got to calls in WhatsApp. Then I opened up here and then put the chats and I'm in the chat. Yeah, so so that's how that's how you could create a chat in WhatsApp. And it's not because you can't do it anymore, but because they fixed it. I mean, I still don't love WhatsApp, but now they actually fix the button for the people. For those of us who do not have the book, so. So that's something I mean, it doesn't make them perfect, but now I don't have to do that. So that's cool. I also use these things. Do you have them here in Germany, the prepaid anonymous card, you can just buy them in the shop. Yeah. OK. So I use these a lot since I don't have any other kind of banking cards, and if you notice it doesn't have a name. This just says term of use one year maximum. So I decided I have to be fair, and when I buy something online, I have to write as it is. So I tried to do a bunch of stuff by leaving the name on the card blank. That's just a placeholder sounds, I wrote, and it gives a nice Earth like pork bun at the next register here gives a kind of technical letter, so you can you can work from there. But for these cards, of course, you can write any name that you want and it and it just works. Now, if you take a look at this picture here, I took that in Vietnam. Cameras everywhere. I don't like to waste time, sorry. Always on along on longer rides. I try to work out with them her laptop, but they cannot work on a bus. They will see my passport passwords. I don't know what kind of resolution they have. I don't know if it's a theft camera or it's 240 camera. Who the hell knows? So you can't. You can't walk there. And the private information like screen information of my customers, it
's also at risk. So basically, the only the only place you can still work are airplanes. Even though I did see one airplane that has a camera already from the UM, from the cockpit to do the cabin on on the door instead of the usual analog systems that they use. So luckily, airlines want to save weight, so they probably are not going to install cameras on all seats. Even though I've seen news about some low budget carriers installing cameras in the entertainment systems on on every seat, and they actually have been confronted about that and they told everybody that, you know, we want to leave when they evaluate. We basically they use different wording, but have you on track people like we do online. We want to see how they interact is our product. Now, speaking of airports, right, airplanes are mostly good, but they have these things. In some airports, it's actually considered a privilege. I was coming here from Riga through the fast track, and they referred me to secondary and the position of the thing in the airport. And me going there through multiple times a month actually suggests to me that they only use this for fast tracked travelers. It's a it's a feature, not a bug, right? You get magnetic for everyone else and pat down and here you get this, but you can still opt out. Of course, even even in the U.K., you can try to ditch that European courts ruled out. That's not allowed now until Brexit happens for goods, including in the UK around the world. It differs. My main concern is that it's not that I'm going to be seen naked. It's the artificial intelligence, the robots taking decisions in a nontransparent way about me. I mean, it's going to be with it anyway. Just the judge. Just, you know, pat me down. I'm not even talking about transgender people because for these things, the first thing the operator has to do, they have to have to select the I don't know if it's meant to be sex or gender, but they have to select a pictogram of who is going in the system. Yo
u know, boarding passes, boarding passes are cool. Except insecure, then again, except you say they do have a signature part where you can where you can sign it. But you know, it wasn't really secure. But my problem is boarding passes is shopping, especially in Germany. They fixed something two years ago, and now you cannot buy a single thing in the airports without showing the boarding pass after you've gone through security. So I had that, and what I'm going to do is I'm going to spend the Congress to work on an app. I'm going to present it in March in Insomniac in Switzerland. I'm going to have a tall called travel for hackers. I'm going to talk about how to safely travel, what can you take and what you cannot take to different countries. And I'm also going to have this app, but you have to promise to only use it for shopping, not for boarding or accessing airport lounges anyway. You can. Using this app, you'll be able to enter the mice, your boarding pass like point and click, and then you can go, Go, go shop, right? Don't don't use it for bad stuff where I might get. I might get thrown in jail. I don't. We don't want that doing another thing. What is secure? I mean, airports, you have boarding passes. We have these scanners. Fingerprints are secure. I mean, unless you use them as your password, that's no. But fingerprints are good. So back. I think it was 10 years ago when Latvia started to enroll into this ICAO program for for biometric passports. And before that, they just told everybody, we don't need your fingerprints because we had no biometric passports. That's fine. Now that changed, too. We only saw fingerprints in your passwords, passports, and that's an acceptable compromise. I mean, I see how that can improve travel safety as opposed to to the dump limitations we have on the liquids that we can that we can carry. But I haven't told you the story how I tried to carry ice through airport security in Belgium that told me it was a liquid. We argued with 
them for about 30 minutes and then they won because then they became liquid thrusters. It's restored. I gave up. I just I just to throw it away. Yeah, but I mean, they have their own physics. So back to passport a passport passport, right? So we only our fingers in passports. So OK. But then I learned somehow that, you know, they might somehow save that. I talked to some friends in the Ministry of Interior, and that's what they told me. Well, that's what someone came to me. And the thing is, what happened then is there was a rush to create a law that's called on biometric data storage. So they wanted to legalize storing it cash in the database. That's their current. Um. Those are kind of transferred. If you asked them, what do you do with a fingerprint? We store the cash was fingerprint database and cash is safer. Why? Because if I do stuff that annoys my government, they cannot download my fingerprint from database and put it on a dead guy somewhere. Cash, is that right? So what I did is I used the kind of GDP are we had the GDPR since 2001 in Latvia, a similar thing. It was basically the same. Only the fines were up to 1000 euros, but everything else was the same. So I use that to request my data from the government to take a look at the cash. So they sent me the cash. We ask you it's a FBI wavelets squalor contra. Quantas is an algorithm, and it's an algorithm that can be used to compress black and white images. I got these two files left and right finger, and I did manage to find the only resource on the internet and was get them. Actually, that contains an algorithm to open it up. And yeah, my fingerprint isn't there. That's not an actual fingerprint, but you got that right. So my call, then fingerprint is there. That's the that's the wrap I used. Let's summarize. So what's the status quo right now? I want to talk about. Multiple aspects. First of all, user demand, as you see, I mark that was a frowning face users, and I'm talking about people outside this conf
erence do not really care about privacy. They don't need private taps. They're OK with being filmed. They are OK with being with their fingerprints being taken. I think most people would be OK with their palm print being taken, maybe even a blood sample if it only happens once and for four years. So that's problematic. The cookie law, someone remembers that we have that in the. We've had it for a couple of years now. Well, it did nothing. It basically did this that every side had to open one more banner and inform us that, hey, cookies are being used. And we did have D.A. the D.A. Heather, and they should be. It was a great idea. I took a look at what happened. And it's basically just randomly died within some discussion groups. So maybe we should revive that because that's perfect. You inform your browser if you want to be not tracked and the websites should be mandated to not show you the banner, but to actually take care of honoring that heather GDP for big data. That's actually crap. Big companies have ways both legal and technical to get around GDP are currently and GDPR enforcement cannot reach them. I mean, if if something happens, it's going to be proven. Fines are big and those funds are going to be paid. I hope, but the GDPR still can be improved there now. GDP in general, that's great. That actually allows us to stand for our rights, go and ask them about what data our economy and ultimately the data do change your data. They need to be on their toes and to know that we are looking at what they're doing. But the problem is, all these things are EU, I mean, cookie law is but the other things are it's EU only. So we have to make sure that other governments around the world adopt something similar. Surveillance surveillance technology is getting worse and worse. We have different technology being advertised, both as a military tool and a tool to track your kids and a wife. That's not OK. And for encryption, I use average face neutral face here because encryp
tion is good, right? Anyone who knows how to say yes works. Or a beautiful algorithm? You can even take a look at that, and it's great. It's unbreakable if you use if you implement correctly and use Radtke sizes, there are two problems. It's not being applied correctly in some places. And most importantly, as a user, you have no idea if the app is actually using encryption for that part, or it's bypassing the encryption entirely or using something else. So that for a month, would any of you notice that your favorite chatting app sends a copy of your message somewhere, even though the original copy is encrypted? So what do we do? How can you fix it? Now, let's not talk about cookie law, that's uh, that's that's that's not that interesting for the user demand. And GDP are the same thing we have to inform users themselves GDP, PR and firsthand, we have to tell them that it's good you can use it. And privacy is good. This is how it will help you. This is how it'll help your friends. This is how it will help other people online. Japan for big data, lots of work needs to be done if there are any lobbyists in the room. That's where are you going. If you have contacts in the European Parliament, that's where you're going. We need to fix GDPR, so it works better for big data because big data to the nominated and and you cannot do anything with this right, it's safe. But it's not known for surveillance technology and encryption. This needs to be fixed by us here. We are the only ones with the technical expertize to actually try and fix these things. Privacy and indeed human rights are a relatively recent invention. They've been among us for a hundred, maybe 200 years, which is why, at least in my eyes, it's even more deplorable to see corporations and governments alike hastily eating away at how right to privacy for their own benefit. Privacy shouldn't be a luxury that only the rich and powerful can afford privacy for everyone. Privacy is a fundamental right, and likewise all
 fundamental rights and the encroachment on them needs to be aggressively and decisively terminated. Thank you so much. Thank you again for your great talk. Unfortunately, we don't have time for questions, but uh, yeah, I think there was a lot of content and that and if you have any questions, contact him. All the details are. So enjoy all the interaction and enjoy the rest of the Congress. Thanks.