LSNTAP Privacy, Encryption, and Anonymity in the Civil Legal Aid Context April 26, 2016
Apr 12, 2017
Using Go To Webinar
• Calling with phone? Select Telephone and enter your audio PIN if you haven’t already.
• Calling through Computer? If you’re using a microphone and headset or speakers (VoIP), please select Mic & Speakers.
• Have questions? Yes! Please help us make this as relevant to you as possible. We’ll reserve the last 10 minutes for questions, but feel free to add any questions in the Go to Meeting Question Box.
• Is this being recorded? Yes. LSNTAP will distribute the information after the training.
Make sure you get your infographic/checklist after the training!
Speakers
Amie Stepanovich
US Policy Manager at ACCESS NOW
Jay Stanley
Senior Policy Analyst, ACLU Speech, Privacy & Technology Project
Joseph Melo
Director of Engineering, Just-Tech
Wilneida Negron
Digital Officer, Florida Justice Technology Center/Fellow at Data and Society Research Institute
Mike Hernandez
Director of Consulting
Agenda
Introduction
Data and Privacy
Security Ecosystem in the Civil Justice Context
Wilneida
Broader Framework
Third party policies and federal context
Amie
Local Framework
Day to day security issues in your office
Joe
Wormhole into the Near Future
The pitfalls of big data analytics
Jay
Questions?
Is cybersecurity the next digital divide?
The first digital divide concerns computing and access:
– who has access and who doesn't.
– how can we increase access.
The second digital divide concerns our understanding and application of these technologies:
– wide ecosystem of stakeholders and responsible parties (i.e. users, developers, elected officials, government, regulators, etc.)
– everyone plays a role in shaping the uses and understanding of these technologies.
The Rise of the “It Depends” View
• Looking across age, household income, education, gender, etc., “…most Americans see privacy issues as contingent and context-dependent.”
• Uncertainty, resignation (powerlessness, part of modern life), and annoyance.
• One of the most unsettling privacy issues noted was how hard it is to get information about what is collected and uncertainty about who is collecting the data.
• Awareness of trend towards surveillance and data capture that to them seemed inevitable.
• Others are hopeful that technological and legal solutions can be found.
– Pew Research Center.
“I think the [chances for achieving privacy] are getting more hopeless as technology advances.”
“In my opinion, there’s a lack of disclosure on how personal information is used by companies. If you read some of the terms of service, you are essentially giving them the right to do almost anything with your personal information.” - January 2016 Pew Research Focus Group
Where do we go next?
• Digital illiteracy affects the elderly, poor, and LEP people.
• Information and experiences of stakeholders are siloed. Need to bridge the multiple gaps in understanding.
• Data security issues creep into our everyday technology issues:
• Mobile phone usage of clients and staff: the device is not the problem, it's the network that it connects to: mobile malware, Android phones, and the network security. Knowing the mobile tools your clients use.
• Website analytics: i.e. Google Analytics
• Third party vendors for technology development (e.g. expert systems, triage portals, apps, SMS text messaging, predictive analytics, etc.).
• Libraries as access to justice partners: referring clients to public computers at the library.
• Mobile phones: if it's connecting to a broader infrastructure that allows for content collection, mobile malware
• Sharing of documents among staff.
• Etc…
What are the challenges?
Privacy and cybersecurity lie at the intersection of legal aid policies; third party policies; local, state, and federal laws; social norms, values, and practices of civil justice community; and technology itself.
– Data & Society Research Institute.
Third party policies: We can pressure third parties about their terms of service to protect clients.
Technology: We can encourage developers and technologists to create or incorporate privacy-protection software and protocols.
Laws: We can all participate in regulatory debates about privacy policies.
Legal Aid Programs: Can create policies, and update existing ones, to address the privacy of all types of data that flows through their servers and technologies.
Clients: Their expectations are affected through education and awareness.
Civil Justice Data Privacy & Security Ecosystem
Technology is cool
• Popular to believe that technology can save us from the big problems
• …But it creates big risks
• Risks are compounded for sensitive populations
Assessing Your Risk
• National Institute of Standards and Technology has great resources:
– Privacy Risk Assessment
– Cybersecurity Risk Assessment
• No federal law
– Federal Trade Commission has asserted jurisdiction over security
Encryption
• Encryptallthethings.net
Problems
• The “who”
• Notification
• Reliance on third parties
Takeaways
• Privacy Assessments
• Cybersecurity Assessments
• Due diligence is key
• Know the laws
Legal Services NTAP
Privacy, Encryption, and Anonymity in the Civil Legal Aid Context
Joseph Melo, Just-Tech
Michael Hernandez, Just-Tech
Sharing Documents/Data Securely
• Email Is A Poor Way To Securely Share Information
• Emailing confidential/sensitive information directly to individuals
• Emailed information lives in your mailbox, the recipient's mailbox and is stored/backed-up in other systems
• Inadvertently sent to the wrong person(s)
• Emails are easily forwarded
• Email accounts get hacked regularly
Sharing Documents/Data Securely
• Does your organization have and use a secure file transfer method?
• File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), Globalscape
• Third-Party Cloud Solutions
• Dropbox Enterprise, Citrix ShareFile, IronBox
• End-to-end security (e.g. “in-transit” and “at-rest”)
Sharing Documents/Data Securely
• Is There A Better Method of Sharing Documents/Data?
• Maybe don't send the documents/data at all OR don't send documents/data that you lose control over
• Use a DMS and give third parties limited access
• SharePoint Online, Box
• Use information rights management to:
• Set read-only permissions, disable copying of text, prevent saving a local copy, prevent printing, set a time limit for access to the file(s)
Staff Member Owned Devices Smartphones, Tablets, Laptops, Desktops
• What are some of the security considerations and implications?
• Are user devices secured, restricted, patched & A/V protected?
• Who else has access to the device/uses the device (child?, friend?, spouse?)
• Can users save work related documents/data to their devices?
• Mobile Device Management
Staff Member Owned Devices Smartphones, Tablets, Laptops, Desktops
• Do staff have a secure method/connection to work remotely?
• Client VPN, Secure RDS, Third-party remote access (LogMeIn, TeamViewer, etc.)
• What happens when a device is lost, stolen or retired?
• Data/drive destruction/shredding services
• If a device is lost or stolen, is IT notified?
• Recommend having a line added to your IT policies about work related data on personal devices
Staff Member Owned Devices Smartphones, Tablets, Laptops, Desktops
• Don’t forget the paper!
• Does staff take home hard copies?
• Is there a policy that outlines the procedure for lost hard copies?
Security Considerations for Your Clients
• Using Third Party (Untrusted) Networks/Wi-Fi
• Coffee Shops, Libraries, Airports, Subways, City-wide Wi-Fi Networks
• Using Third Party Computers & Devices
• Library computers, Schools, Internet Cafes/Shops, Community Tech Centers, Friend's Computer
• What sites are you browsing?
• Does the computer have antivirus software installed?
• Does your client have a secure method to upload files?
• What are the dangers of using public computers?
• Keyloggers
• Real value of two factor authentication
Security Considerations for Your Clients
• Using your smartphone
• Does your smartphone have antivirus software installed?
• Are there unsigned apps installed?
• Apps asking for more permissions
• Is there an opportunity to educate our clients to protect their work with legal services but also more broadly with other organizations, government agencies, e-commerce?
Importance of Policies
• Does your organization have a set of policies in place?
• Acceptable Use Policy
• Type of activity on work devices, such as desktop/laptops, smartphones/tablets
• Data Retention/Destruction
• How long should you keep data for?
• Data storage
• Emailing documents, flash drives, third-party software
• Users opening personal accounts on Dropbox, Evernote, etc.
• Secure computers and connections
• Giving users the proper equipment and connection methods to work remotely
Should We Consider Caller Identity?
• Does your organization have a method to identify your client over the phone?
• How do you know the person you’re talking to is actually your client?
• Elder fraud/benefit fraud (redirecting checks), consumer fraud, releasing confidential information to stalker/ex-boyfriend, etc.
• What type of information could you use to verify their identity?
• PIN, Secret Q & A
• SSN, DOB, home address, case number
Resource Links
• Globalscape - https://www.globalscape.com/
• Dropbox Enterprise - https://www.dropbox.com/enterprise
• Citrix Sharefile - https://www.citrix.com/products/sharefile/overview.html
• Ironbox - http://www.goironbox.com/
• Office 365 - https://products.office.com/en-us/home
• Box - https://www.box.com/
• Mobile Iron - https://www.mobileiron.com/
• Office 365 Mobile Device Management - https://technet.microsoft.com/library/ms.o365.cc.devicepolicysupporteddevice.aspx
• Microsoft Intune - https://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/overview.aspx
• Instant Security Policy - https://www.instantsecuritypolicy.com/
• Joseph Melo
• Office: 929-277-9803
• Email: [email protected]
• Michael Hernandez
• Office: 929-277-9804
• Email: [email protected]
Jay Stanley
Senior Policy Analyst
Speech, Privacy and Technology Program
Editor of ACLU’s Free Future blog
[email protected] @JayCStanley
The Pitfalls of Big Data Analytics
Age of Data
Big Data: Broad & loose definitions
• The “macroscope”
• Predictive analytics
• Machine learning
Target pregnancy example
Not all uses spooky
• Recommendation engines
• Computer vision & other AI techniques
• Health care
• Manufacturing processes
• Deliver government services more efficiently?
Analytics for social services
9 Questions to Ask
Questions:
1. Do the judgments being made lend themselves to analytics and/or machine learning?
2. Is the analytics discriminatory?
“Rooted in their community”
3. Is the analytics fair or does it incorporate guilt-by-association?
Guilt by association
4. How accurate are the analytics?
5. What are the consequences of error?
6. Are the interests of the agency aligned or in conflict with the interests of the subjects?
7. What does the analytics replace?
8. Does the program merely triage within a group already targeted?
9A. Does the program create incentives for ever-increasing data collection or other systematized privacy violations that might hurt many people even if it helps some?
9B. Could the compilation of data be stigmatizing, prejudicial, or otherwise harmful to them in contexts other than the one in which they are helped?
9C. Can the data be repurposed for potentially harmful ends?
A new era
Proceed with caution…
Contact info:
Jay Stanley
Speech, Privacy and Technology Program
Free Future blog: www.aclu.org/freefuture
[email protected]