Dan Geer: Privacy as We Know It Is Dead (Forbes)

In his closing keynote at SOURCE Boston last Friday, Dan Geer, CISO for In-Q-Tel and a security researcher, said “amongst the classic triad of confidentiality, integrity, and availability, we have heretofore prioritized confidentiality.” He said that in the future we will prioritize integrity instead, arguing that current privacy laws (confidentiality) are based around the concept that the technology used to capture information about us requires a warrant if it is not in general public use. The problem is that, with the Internet of Things, just about every personally invasive technology is now available to almost anyone, and if not today, then certainly tomorrow.

Geer grounded his arguments in the sixteen-year-old Supreme Court case of Danny Lee Kyllo vs US. The case alleged that Kyllo grew marijuana inside one of his properties. From the street you couldn’t tell. But using a thermal imager, law enforcement found that Kyllo had high-intensity lights in his garage, lights used to grow marijuana. The court sided with Kyllo, agreeing that law enforcement needed a warrant to use the thermal imager.

The court wrote: “Where, as here, the Government uses a device that is not in general public use, to explore details of a private home that would previously have been unknowable without physical intrusion, the surveillance is a Fourth Amendment ‘search,’ and is presumptively unreasonable without a warrant.”

Geer singled out the phrase “not in general public use,” and said, “as anyone knows, what the government and only the government has today, the rich will have tomorrow. What the rich have tomorrow the lumpen digitariat will have it the day after tomorrow – and that is within a now established precedent that general public use removes any prohibitions on use by government or other institutions.” In other words, the idea that such scanning and collection technology is not in general public use today is naive.

For example, if someone takes your picture with their camera on the street, you should have no expectation of privacy, Geer said. Cameras have been around for more than a century but up until the 1800s photography was serious and expensive business, requiring subjects to sit in studios, immobile, while the image was cast onto silver oxide-coated glass panes. Then along came Eastman Kodak and his camera, which sold for about $24, and allowed one to take another’s photo – even outdoors. The Brownie camera sold back around the turn of the century for a mere $1, meaning the masses now had general use of photography.

All this wanton photography did not go unchecked. Indeed, Samuel Warren and Louis Brandeis (who later served on the US Supreme Court) wrote “instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life.” The two seriously suggested that US law should stem the tide of surreptitious photography, and impose liability for any personal intrusions. No federal laws were passed, but some states did agree to pass their own.

Today we should have no expectation of privacy, Geer suggested. He cited common IoT devices that exist among the general public: cars that broadcast Bluetooth signals as a matter of public safety, home motion sensors that use infrared, and heart monitors that use microwave sensors to measure the unique electromagnetic frequencies of the human heart. If that is not enough evidence, he cited the server set instruction signal from your home router, which anyone with a 2.4GHz scanner can pick up. Our cars, our homes, and even our bodies emit wavelengths that can be collected and used against us.

Geer’s point is that “I have every power to capture what you emanate. Even just in visible light, the technology is readily available today to capture and recognize your iris from a distance of 50 yards. Facial recognition is feasible at 500 yards. The unique pattern of your gait can be detected in no more than 10 paces. Being concrete, does my right to look at you — and capture your identity and identifiers — depend on what I’m looking for? Hardly.”

Source: SANS ISC SecNewsFeed @ May 2, 2017 at 08:39AM
