All sessions will be held in Santa Clara Ballroom unless otherwise noted.
8:45 am–9:00 am
Opening Remarks, Day 1
Program Co-Chairs: Melanie Ensign, Discernible, and Joseph Lorenzo Hall, Internet Society
9:00 am–10:00 am
Panel
The Emperor's New Clothes: Location Data and the Promise of Anonymization
Moderator: Aaron Alva, Federal Trade Commission
Panelists: Brandi M. Bennett; Jennifer King, Stanford University Institute for Human-Centered Artificial Intelligence; Beryl Lipton, Electronic Frontier Foundation
For years, organizations have banked on the promise of "anonymization" techniques and technologies to reduce the risk and liability of collecting or processing geolocation data. But for many technologists, the math just isn't mathing. This session will explore the regulatory and technical advancements driving location data into the privacy spotlight.
Aaron Alva, Federal Trade Commission
Aaron Alva is a technologist and tech advisor at the Federal Trade Commission. At the FTC, he advises the Director of the Bureau of Consumer Protection and case teams on a variety of technology issues including data minimization and deletion, multifactor authentication, health privacy, and ad tech. Before the FTC, Aaron conducted research on a variety of topics ranging from cloud forensics to digital evidence admissibility to surgical robotics security. He is also a recipient of the NSF CyberCorps Scholarship for service for his joint Masters in Information Management and J.D. at the University of Washington.
Brandi Bennett[node:field-speakers-institution]
Brandi is an experienced technology and data privacy attorney who has worked for everything from baby startups to large multinational media and entertainment companies. Her privacy experience covers a wide variety of laws and jurisdictions from the EU to APAC to LATAM and North America. She was the first in-house counsel at a geolocation-based advertising network and analytics company, helping build their privacy program and working with NAI, DAA, and IAB codes and the EU Data Protection Directive. She helped a dating app (the only dating app she has a profile on, thank you very much) through GDPR, launched a Chinese social app globally (not TikTok) that ended up failing to launch, and took Endeavor and UFC through CCPA. She has also been the lead privacy counsel for Legends, which operates stadiums, ecommerce, and brick and mortar retail for major sports and entertainment franchises globally. Brandi is licensed in California and a graduate of the University of Denver Sturm College of Law (2008).
Jennifer King, Stanford University Institute for Human-Centered Artificial Intelligence
Dr. Jennifer King is the Privacy and Data Policy Fellow at the Stanford University Institute for Human-Centered Artificial Intelligence. An information scientist by training, Dr. King is a recognized expert and scholar in information privacy. Sitting at the intersection of human-computer interaction, law, and the social sciences, her research examines the public’s understanding and expectations of online privacy as well as the policy implications of emerging technologies. Most recently, her research explored alternatives to notice and consent (with the World Economic Forum), the impact of California’s new privacy laws, and dark patterns. Her past work includes projects focusing on social media, genetic privacy, mobile application platforms, the Internet of Things (IoT), and digital surveillance. Her scholarship has been recognized for its impact on policymaking by the Future of Privacy Forum, and she has been an invited speaker before the Federal Trade Commission at several Commission workshops. She has been featured in numerous publications and outlets, including The New York Times, the Washington Post, the Los Angeles Times, Wired, Recode, National Public Radio, CNBC, Bloomberg, CNET, Vox, Consumer Reports, NBC News, MIT Technology Review, among others.
Dr. King completed her doctorate in Information Management and Systems at the University of California, Berkeley School of Information. Prior to joining HAI, Dr. King was the Director of Consumer Privacy at the Center for Internet and Society at Stanford Law school from 2018 to 2020. Before coming to Stanford, she was a co-director of the Center for Technology, Society, and Policy, a graduate student-led research center at UC Berkeley, and was a privacy researcher at the Samuelson Law, Technology, and Public Policy Clinic at Berkeley Law. She was a member of the California State Advisory Board on Mobile Privacy Policies and the California State RFID Advisory Board. She received her Master’s in Information Management and Systems also from the University of California, Berkeley’s School of Information, and her undergraduate degree in Political Science and Sociology from the University of California, Irvine. Prior to entering academia, she worked in security and in product management for several Internet companies, most notably Yahoo!.
Beryl Lipton, Electronic Frontier Foundation
Beryl Lipton, Investigative Researcher, focuses her work on government transparency, law enforcement surveillance technology, and other uses of technology by government actors. She has extensive experience using Freedom of Information laws and large-scale public records campaigns in her research.
At EFF, Beryl supports the Atlas of Surveillance, The Foilies, and The Catalog of Carceral Surveillance, among other projects. She enjoys teaching others about the strengths and limitations of public records laws and discussing the potential and real harms of the surveillance state.
Prior to her work with EFF in 2020, she spent seven years as a projects editor at MuckRock, where she focused on prison privatization and other public-private partnerships. She is a board member for Spare Change News, the Boston area street newspaper, and contributes to Gannett New York, where she has spearheaded the collection and release of police misconduct records throughout New York state.
10:00 am–10:30 am
Break with Refreshments
Mezzanine East/West
10:30 am–12:00 pm
Mixed Signals: There Can't Be Only One Threat Model
Session Chair: Stephan Somogyi, Google and Columbia Journalism School
How Geopolitical Change Causes People to Become (More) Vulnerable
Lucy Simko, George Washington University
Computer security and privacy is critical for vulnerable and marginalized populations. Vulnerable populations might face more determined adversaries or higher consequences for security and privacy breaches. Vulnerability can be caused by change, like undergoing life changing events including environmental or manmade crises that can affect all humans at various stages in their lives. It is therefore of critical importance for computer security and privacy to understand the interactions between change and computer security and privacy. In this talk, I will explore this relationship based on four populations that experienced change: (1) refugees who moved to the united states; (2) Sudanese activist in the 2018-2019 Sudanese revolution; (3) those affected by the Covid-19 pandemic; (4) and those experiencing a Hurricane in the mainland United States in 2021. Based on my research with these populations, I describe three major themes that characterize the relationship between change and computer security and privacy: (1) Change creates different elements of one's threat model---actors, threats, assets---as well as different technical needs. (2) During a period of change, people may change how they prioritize computer security and privacy in response to other emergent needs. (3) When technology design is misaligned with the needs and uses of marginalized populations, it causes those populations to have to work harder to maintain security and privacy, exacerbating existing systemic inequalities during times of change. Based on this understanding of how change interacts with computer security and privacy, I recommend how we can design for change: by centering the needs of those affected by change and marginalization, reducing vulnerability for all.
Lucy Simko, George Washington University
Technology Abuse Clinics for Survivors of Intimate Partner Violence
Lana Ramjit, Cornell Tech
Perpetrators of intimate partner violence (IPV) use digital technologies to cause lasting physical, and financial, and psychological harm. Advocates and scholars have established the prevalence of technology abuse, but IPV agencies often lack the capacity, training and resources needed to recognize and respond to technology abuse.
The Clinic to End Tech Abuse (CETA) and the Technology Enabled Coercive Control Initiative (TECCI) are services that partner with IPV agencies to offer free, consultative services to survivors of IPV who are experiencing tech abuse. Collectively, they have served nearly 700 survivors in the New York City and Seattle areas by identifying points of compromise on their devices and developing technology-specific safety plans. However, both clinics have struggled to keep pace with demands for their services.
In this talk, we present a vision for how a network of localized, community-based technology abuse clinics might be able to meet the challenges of scale. We also share our new toolkit, a resource based on our collected experiences which we intend as a guide for other stakeholders interested in creating and sustaining their own technology abuse clinics.
Lana Ramjit, Cornell Tech
Working on the Frontlines: Privacy and Security with Vulnerable Populations
Sarah Aoun
What does it mean to work on the frontlines of privacy and security? Working with vulnerable populations and high-risk individuals on privacy and security is incredibly challenging, and can have real implications for people's safety. More often than not, security and privacy researchers can lack context and understanding of what this looks like in practice. In this talk, we will explore the ways in which journalists and activists around the world are targeted for their work, and what it means to be a public interest technologist working to protect them.
Sarah Aoun
12:00 pm–1:15 pm
Lunch
Terra Courtyard
1:15 pm–2:00 pm
Fireside Chat with Simson Garfinkel on Quantum Technologies
Moderator: Joseph Lorenzo Hall, Internet Society
Speaker: Simson Garfinkel
"Quantum" is all the rage; from post-quantum cryptography, to strange looking computational apparatuses doing quantum computations, to visions of future quantum communications networks sending quantum information around the world. Where classical computation involves bits and bytes, quantum technologies operate on a different level, using both the precision and fuzziness of quantum mechanics. Despite the fanfare, we may be overly focusing on certain aspects of quantum technologies, and potentially missing serious implications that may arrive at our doorstep much sooner than any significant quantum computer or quantum communication network. Join Joseph Lorenzo Hall in a fireside chat with Simson Garfinkel, co-author with Chris Hoofnagle of the 2021 book, Law and Policy for the Quantum Age, from Cambridge University Press.
Simson Garfinkel
Simson Garfinkel has written extensively on computer security, privacy, and digital forensics. A fellow of the AAAS, the ACM and IEEE, Garfinkel holds a Ph.D. in Computer Science from MIT and a Master of Science in Journalism from Columbia University.
2:00 pm–2:10 pm
Short Break
Mezzanine East/West
2:10 pm–3:40 pm
Advancing the Goal Posts
Session Chair: Kyle Tobener, Copado
The Edge of Developed Practice in Searching Encrypted Data
Kenn White, MongoDB
After 20+ years of academic research in cryptography, it is now possible—and practical—to search fully encrypted data. But the demands of high-performance distributed systems present unique challenges unaddressed by most research models of encrypted search, particularly for running rich, expressive queries. This talk will break down the major milestones along the journey from academia to the modern day developer ecosystem. We describe a technique called Structured Encryption which addresses the problem of encrypting structured data in such a way that it can be efficiently and privately queried. We will unpack common misconceptions in the security community around private search, touching briefly on several current approaches, with the balance of the talk focused on an implementation of Structured Encryption and lessons learned from recent work to open source and natively integrate the capability into one of the most widely used databases in the world.
Kenn White, MongoDB
Adventures in Authentication and Authorization
Ian Haken, Netflix
Zero-trust architectures for microservice ecosystems rely on strong authentication between services, but if you’re looking to implement authentication in your environment there’s an overwhelming number of options: OAuth, mutual TLS, JWTs, macaroons, biscuits, HTTP request signatures, and more. And once you’ve picked one, a robust zero-trust ecosystem needs an authorization system on top of it where there are even more options to choose from. In this presentation I’m going to describe our journey through implementing ubiquitous authentication and authorization in our microservice ecosystem: the requirements informing our technology choices, the pain points and hurdles we encountered along the way, and how we accomplished the somewhat surprising solution of using multiple technologies instead of just one.
Ian Haken, Netflix
Navigating the Sandbox Buffet
Maxime Serrano, Figma, Inc.
Buggy software is a fact of life, and preventing all security vulnerabilities is near impossible. Organizations often have no choice but to run potentially risky software, such as parsing, thumbnailing, or compression libraries, within their infrastructure to do even basic work. Such software is frequently implemented in memory-unsafe languages, by third-parties, and is seldom designed to handle hostile user input. It’s no surprise that security news is replete with bug names like “ImageTragick.”
Fortunately, sandboxing can be a powerful defense in these scenarios. In the past, sandbox technologies were often expensive, immature, and operationally fickle, so only well-resourced organizations could leverage them effectively at scale. But today, we live in a democratized era of the sandbox buffet, where there is a surfeit of different ways to virtualize, contain, and jail processing. With so many options, it’s easier than ever to pick the right combination of sandboxing techniques that provide the most appropriate set of tradeoffs for isolating your workloads.
Maxime Serrano, Figma
3:40 pm–4:10 pm
Break with Refreshments
Mezzanine East/West
4:10 pm–5:40 pm
Skeletons in the Closet
Session Chair: Cameron Dixon, Cybersecurity & Infrastructure Security Agency
The Dirty Laundry of the Web PKI
Emily Stark, Google
When you type “https://example.com” in your web browser, how do you know that you’re establishing a secure connection to the real example.com? This question is foundational to the web security model, and the answer rests in the web public key infrastructure (PKI). In the web PKI, trusted certificate authorities (CAs) issue certificates that authenticate websites. Sadly, the web PKI – which is so foundational to the communication, collaboration, commerce, and cat memes that we all use the web for everyday – is shockingly antiquated, overcomplicated, and crufty. In this talk, I’ll describe some icky inner secrets of how the web PKI works, exposing the fragile security infrastructure on which the web is built. I’ll also outline some properties that we should try to achieve in a leaner next-generation server authentication model for the web.
Emily Stark, Google
When Malware Changed Its Mind: How "Split Personalities" Affect Malware Analysis and Detection
Tudor Dumitras, University of Maryland, College Park
We are presenting the first large-scale study of malware samples that change their behavior when executed on different hosts or at different times, using data from 5.6 million hosts from around the world. Researchers and practitioners have been aware of this problem for over a decade, but prior to our work the behavior variability had not been measured at scale. We demonstrate how malware with such "split personalities" may confound the current techniques for malware analysis and detection. More importantly, we illustrate the unique insights that the security industry can gain by monitoring malware behavior ethically and at scale, on real hosts.
Tudor Dumitras, University of Maryland, College Park
Spotting the Differences: Quirks of Machine Learning (in) Security
Fabrício Ceschin, Federal University of Paraná (UFPR), Brazil
Machine Learning (ML) has been widely applied to cybersecurity and is currently considered state-of-the-art for solving many open issues in that field. However, it is challenging to evaluate how good the produced solutions are, since security challenges may not appear in other areas, as security problems could incur infeasible solutions for real-world applications. For instance, a phishing detection model that does not consider a non-stationary distribution would not work given that 68% of phishing emails blocked by Gmail are different daily. In this talk, I will discuss some of the challenges of applying ML to cybersecurity, which include: (i) dataset problems, such as dataset definition, where defining the right size is key to creating a representative model of the task being performed, and class imbalance, where the distribution between classes differs substantially; (ii) adversarial machine learning and concept drift/evolution, where attackers constantly develop adversarial samples to avoid detection leading to changes in the concept in the data, and turning defense solutions obsolete due to the volatility of security data; and (iii) evaluation problems, such as delayed labels, where new data do not have ground-truth labels available right after collection, producing a gap between the data collection, their labeling process, and models training/testing. My goal is to point directions to future cybersecurity researchers and practitioners applying ML to their problems. Finally, for each challenge described, I will show how existing solutions may fail under certain circumstances, and propose possible solutions to fix them when appropriate.
Fabrício Ceschin, Federal University of Paraná (UFPR), Brazil
8:55 am–9:00 am
Opening Remarks, Day 2
Program Co-Chairs: Melanie Ensign, Discernible, and Joseph Lorenzo Hall, Internet Society
9:00 am–10:00 am
Fireside Chat: The State of Memory Safety
Moderator: Amira Dhalla, Consumer Reports
Panelists: Yael Grauer, Consumer Reports; Alex Gaynor, Federal Trade Commission; Josh Aas, Internet Security Research Group and Prossimo
The most ubiquitous kind of vulnerability that plagues modern computing is the memory safety vulnerability—where the underlying programming language doesn't inherently protect data structures in memory. When "memory unsafe" code fails, it can allow attackers access to arbitrary pieces of system memory, and potentially execution of malicious code. Over the years, writing code in memory safe languages, "sandboxing" memory unsafe code, and raising awareness around memory unsafety have been important steps in more generally protecting computerized and networked systems against this class of threats. But where are we at? What is the current state of memory unsafety? Join Yael and Amira from Consumer Reports, who are currently working on a report surveying the landscape of memory safety, in a fireside conversation with Alex Gaynor and Josh Aas, two key informants on the quest to squash this pernicious class of bugs.
Amira Dhalla, Consumer Reports
Amira Dhalla has spent over a decade in technology working on issues related to digital rights, privacy, security, and equity with global organizations and communities. Together, she works with educators and activists to design participatory curriculum and resources to make emerging technology more inclusive, open, and safe. She currently works at Consumer Reports as the Director of Impact Partnerships and Programs with a focus on digital privacy and security. Amira works on projects that improve the cybersecurity and privacy of products and tools in the marketplace, while also tackling topics like discriminatory technologies, deceptive design, and trust and safety.
Yael Grauer, Consumer Reports
Yael Grauer works at Consumer Reports managing Security Planner, a free, easy-to-use guide to staying safer online. Her background is in investigative tech reporting, and she has covered privacy and security for over a decade for various tech publications. She has extensively researched the privacy and security (or lack thereof) of consumer VPNs, teamed up with EFF to research street-level surveillance, broken stories on Zoom misleading users about end-to-encryption, looked into questionable claims about blockchain voting, and investigated surveillance against China’s Uyghur minority. Yael serves on the Board of Directors of the CyberMed Summit, the world’s only clinically-oriented healthcare cybersecurity conference. She also runs a do-it-yourself data broker opt-out list, and is currently writing a book on investigations for No Starch Press.
Alex Gaynor, Federal Trade Commission
Alex Gaynor is a software security engineer. He's a founder and principal at Fish in a Barrel, working on systemic solutions to classes of vulnerabilities. He's previously been Chief Information Security Officer at Alloy and an engineer at Mozilla and the United States Digital Service. Alex has a long history of contribution in open source, from building a JIT'd Ruby VM to serving on the Board of Directors of the Python Software Foundation. Alex lives in Washington, D.C.
Josh Aas, Internet Security Research Group and Prossimo
Josh Aas co-founded and currently runs Internet Security Research Group (ISRG), the nonprofit entity behind Let's Encrypt, the world's largest certificate authority helping to secure more than 290 million websites. He also spearheaded ISRG’s latest projects, one focused on bringing memory-safe code to security-sensitive software, called Prossimo, and Divvi Up, a privacy-respecting metrics service. Josh worked in Mozilla’s platform engineering group for many years, improving the Firefox web browser. He also worked for Mozilla in a senior strategy role, helping to find solutions for some of the Web's most difficult problems. He has deep expertise in software security and ecosystem dynamics, as well as organizational leadership.
10:00 am–10:30 am
Break with Refreshments
Mezzanine East/West
10:30 am–12:00 pm
But ... I Saw It on the Internet
Session Chair: Isedua Oribhabor, Access Now
How the Internet Improves Humanity
Eric Goldman, Santa Clara University School of Law
Given the time and energy we spend worrying about the Internet‘s flaws, it’s easy to forget how the Internet makes our lives better in many ways. This talk will highlight one under appreciated aspect: how the Internet has the capacity to improve the human species by increasing pro-social interactions and reducing anti-social ones. The talk will also show how this scenario probably won’t be realized because of misguided regulatory efforts to “fix” the Internet.
Eric Goldman, Santa Clara University School of Law
Eric Goldman is Associate Dean for Research, Professor of Law, Co-Director of the High Tech Law Institute, and Supervisor of the Privacy Law Certificate, at Santa Clara University School of Law. His research and teaching focuses on Internet law, and he blogs on that topic at the Technology & Marketing Law Blog.
Characterizing and Measuring Misleading and Harmful Online Ad Content at Scale
Eric Zeng, Carnegie Mellon University
Like it or not, online advertising is a core part of the internet, sustaining many free websites and services. However, it is also a potent vector for abuse; malicious actors can use the infrastructure of ad networks to serve scams, malware, and other misleading content to millions of users. Research on online advertising in the computer security and privacy community tends to focus on privacy and web security issues. However, in this talk I argue that additional research and transparency is needed for the content of online ads, where social engineering techniques and dark patterns are regularly used to mislead users, direct them to scams, and achieve other harmful ends.
To illustrate the importance of studying ad content for protecting users, I will present three case studies of problematic ad content that uncover deeper security, privacy and safety issues in the online advertising ecosystem. First, I will present a user study of people’s perceptions of display advertising on the web, characterizing the types of ad content that people like and dislike, and why. Second, I will present a large-scale study of advertising on news and media websites, showing how some news outlets rely on revenue from clickbait and deceptive advertising via native ad networks. Lastly, I will present a longitudinal study of deceptive political advertising during the 2020 U.S. Elections, such as misleading polls and petitions and political clickbait, and how these ads are targeted at partisan news sources.
Eric Zeng, Carnegie Mellon University
A New Process to Tackle Misinformation on Social Media: Prevalence-Based Gradation
Kamesh Shekar, The Dialogue
While misinformation and disinformation is not a new threat, it is accelerated by social media platforms. High-stakes information like election-related information, health-related information, etc., has critical consequences on individuals and communities in real life, but it is muddled with mis/disinformation. Platforms use various technological measures and predictive machine learning tools to detect unlawful content like child sexual images, pornography, dis/misinformation. These technological measures have their merits to an extent, especially where platforms can act faster and at scale. At the same time, we increasingly see content falling through the crack due to false negatives and getting struck or taken down due to false positives.
One of the critical reasons social media posts fall through the cracks is that platforms are presently confined to content-level intervention in the absence of process-level clarity and intervention within the content moderation pipeline. This lack of process-level intervention causes platforms to utilise resources and time inefficiently.
Against this backdrop, in this talk, I discuss/propose a novel process-level intervention that would refine the content moderation pipeline and enable the efficient use of tools and resources across its entirety. I propose a “prevalence-based gradation process” (PBG) – a system that uses prevalence as an integral element for hard moderation to tackle mis/disinformation. The talk will also show how the PBG process would act as a means through which social media platforms can evaluate content using ex-ante measures and exercise optimal corrective action in a calibrated format adjusted according to the exposure level of the information.
Kamesh Shekar, The Dialogue
12:00 pm–1:15 pm
Lunch
Terra Courtyard
1:15 pm–2:00 pm
Panel
Session Chair: Joseph Lorenzo Hall, Internet Society
The Not Fake News Hour
Riana Pfefferkorn, Stanford Internet Observatory
Security and privacy can be kind of a bummer. Take a break and come watch a fake professor from a real university cover current events in tech policy, “SNL Weekend Update”-style. It’s not fake, it’s not an hour, and it’s probably not news to anybody attending Enigma.
Riana Pfefferkorn, Stanford Internet Observatory
Riana Pfefferkorn is a Research Scholar at the Stanford Internet Observatory. She investigates the U.S. and other governments' policies and practices for forcing decryption and/or influencing the security design of online platforms and services, devices, and products, both via technical means and through the courts and legislatures. Riana also studies novel forms of electronic surveillance and data access by U.S. law enforcement and their impact on civil liberties. This is her third time speaking at Enigma.
Invited Talk
Metric Perversity and Bad Decision-Making
Lea Kissner
People keep making terrible decisions. Shockingly often, bad decisions are because of perverse metrics—metrics that are technically correct but drive people to bad decisions. This is an especially bad problem for security, privacy, abuse, and related fields: we have adversaries, we have unknowns, and we have many small risks with incredibly high impacts. In this talk, we'll go through the types of perverse metrics—and how to avoid them.
Lea Kissner[node:field-speakers-institution]
Lea was the CISO at Twitter and has done privacy, security, and abuse-fighting work at companies including consulting at Zoom, being the Global Lead of Privacy Technology at Google, and the CPO of Humu. They hold a Ph.D. in computer science (cryptography) from Carnegie Mellon.
2:00 pm–2:10 pm
Short Break
Mezzanine East/West
2:10 pm–3:40 pm
It Takes a Village
Session Chair: Christina Morillo, Trimarc Security
What Public Interest AI Auditors Can Learn from Security Testing: Legislative and Practical Wins
Justin Brookman, Consumer Reports
Public interest researchers (such as journalists, academics, or even concerned citizens) testing for algorithmic bias and other harms can take much away from security testing practices. The Computer Fraud and Abuse Act, while intended to dissuade hacking, can be a legal barrier for public interest security testing (although recently much of this has been cleared up by the courts). Similarly, researchers trying to test for algorithmic bias and other harm in the AI space run into similar CFAA barriers when tinkering with algorithms. AI researchers can look to legal and practical techniques that security researchers have done in the past. This includes apply for DMCA exemptions for narrowly tailored objectives, promoting the use of bug bounty programs but for AI harm, and more. We provide practical and policy recommendations that stem from security researchers that AI testing experts can advocate for in attempts to remove legal and practical barriers that prevent this kind of research.
Justin Brookman, Consumer Reports
Justin Brookman is the Director of Consumer Privacy and Technology Policy for Consumer Reports. Justin is responsible for helping the organization continue its groundbreaking work to shape the digital marketplace in a way that empowers consumers and puts their data privacy and security needs first. This work includes using CR research to identify critical gaps in consumer privacy, data security, and technology law and policy. Justin also builds strategies to expand the use and influence of the Digital Standard, developed by CR and partner organizations to evaluate the privacy and security of products and services.
Prior to joining CR, Brookman was Policy Director of the Federal Trade Commission’s Office of Technology Research and Investigation. At the FTC, Brookman conducted and published original research on consumer protection concerns raised by emerging technologies such as cross-device tracking, smartphone security, and the internet of things. He also helped to initiate and investigate enforcement actions against deceptive or unfair practices, including actions against online data brokers and digital tracking companies.
He previously served as Director of Consumer Privacy at the Center for Democracy & Technology, a digital rights nonprofit, where he coordinated the organization’s advocacy for stronger protections for personal information in the U.S. and Europe.
Why Is Our Security Research Failing? Five Practices to Change!
Marcus Botacin, Texas A&M University
Everybody complains about the current cybersecurity state. Regardless of the reason, nobody is fully satisfied. I don't think "security is broken". In fact, we have "more" security nowadays than at any time in the past. However, it is true that the field has a lot to progress. Therefore, in this talk, I assume the methodological position that security research is failing and I present my discoveries when trying to understand which aspects of security could have been failing and thus might be enhanced. I support my investigation with results from a published systematic literature review of 400+ papers from the last 20 years of published malware research in the most reputable venues. I identified more than 20 challenges and pitfalls in security research and categorized them into 5 high-level categories that will be discussed in this talk: (i) the lack of diversity in study types; (ii) researchers not looking to the market and industry when needed; (iii) researchers focus too much on the industry and market; (iv) the lack of guidelines in the field; and (v) the reproducibility crisis that cybersecurity and almost all fields face. I close the talk with suggestions that one might adopt to mitigate these problems. My recommendations are divided according to the multiple stakeholders in the field and they range from (i) researchers developing more longitudinal studies with representative populations; to (ii) the field establishing more guidelines for experiment development; and (iii) venues clearly welcoming diversified study types.
Marcus Botacin, UFPR/TAMU
Understanding Trust and Security Processes in the Open Source Software Ecosystem
Dominik Wermke, CISPA Helmholtz Center for Information Security
Open source software has an important role in our everyday-lives: as foundation, glue, or tooling, open source constitutes many important links in the software supply chain. But the openness of this ecosystem brings unique (security) challenges, including code submissions from unknown entities, limited developer-hours & tooling to review commits or dependencies, and the necessity to vet included open source components. Through the results from interview studies with contributors of open source projects, companies that use open source components, maintainers that distribute their packages on open source packages repos, as well as developers that create reproducible software, we examined the security and trust processes and considerations in the open source supply chain, especially those that are not directly visible on a data level and can only be understood through engagement with the open source community.
During this talk, I will introduce the different aspects and challenges of security and trust in the open source ecosystem to a wider audience, highlight interviews as a collaborative, less harmful approach for open source research that positively engages with the community and creates excitement for academic research, and share practical advice on how to improve security in the software supply chain by enabling stakeholders such as maintainers and contributors.
Dominik Wermke, CISPA Helmholtz Center for Information Security
3:40 pm–4:10 pm
Break with Refreshments
Mezzanine East/West
4:10 pm–5:40 pm
Blow the Whistle
Session Chair: Ted Han, Mozilla
Protecting Whistleblower Information
Shanna Devine, Office of Whistleblower Ombuds in the U.S. House of Representatives
From the recent Twitter data privacy breakdowns to the role of Big Brother, whistleblowers are society’s eyes and ears to abuses of power that betray the public trust. Likewise, Congress relies on these courageous individuals to sound the alarm around threats to our civil liberties and conduct effective oversight.
The Office of the Whistleblower Ombuds, an independent and nonpartisan support office for the House of Representatives, will discuss the ways in which it advises Congress on best practices for working with whistleblowers from the public and private sectors – and how whistleblowers can also take precautions to protect their communications.
Shanna Devine, Office of the Whistleblower Ombuds, U.S. House of Representatives
Shanna Devine serves as the inaugural Director of the Office of the Whistleblower Ombuds. In that capacity, she is responsible for advising the House community on best practices for working with whistleblowers from the public and private sectors.
Prior to joining the House, Shanna was already partnering with Congress in a bipartisan capacity to strengthen working relationships with whistleblowers. Her experience began in 2008 with the Government Accountability Project, a nonprofit whistleblower support organization. As legislative director, she led campaigns that resulted in bipartisan passage of landmark whistleblower laws, including Congress’ unanimous passage of the Whistleblower Protection Enhancement Act of 2012. As an investigator, she worked with whistleblowers to safely verify their allegations and channel their knowledge to Congress for effective oversight. She routinely conducted trainings on best practices for working with whistleblowers, and in 2015 and 2016 she played a strategic role in the establishment of the bipartisan Senate and House Whistleblower Protection Caucuses.
Shanna earned her Master of Public Management degree from the University of Maryland’s School of Public Policy. She earned her bachelor’s degree in Critical Theory and Social Justice from Occidental College.
So You're Going to Blow the Whistle? Communications Dos and Don'ts for Whistleblowers.
Emily Schwartz, Bryson Gilette
Deciding to be a whistleblower is not something most people prepare for but it is undoubtedly a life changing experience. This presentation will talk through the communications basics for whistleblowers: what to consider, communications must haves, what not to do, and how to begin to tell your story.
Emily Schwartz, Bryson Gillette
Emily Schwartz is a strategic communications professional who has worked at the intersection of technology, politics, and policy for nearly 15 years. She led the communications rollout for Facebook whistleblower Frances Haugen including preparing her for her public reveal on '60 Minutes' and multiple government testimonies. Prior to joining Bryson Gillette, Emily led global data sharing policy for Uber, advising the company on regulatory issues regarding privacy and geolocation data. Emily has worked with major brands, startups, and nonprofits to advise them on issues ranging from global product rollouts to crisis communication management.
Open Source Software and Journalism: Field Notes from a Global Perspective
Harlo Holmes, Freedom of the Press Foundation
Drawing from the past five years working with public interest and investigative journalists, Harlo Holmes will share a variety of field notes she has gathered regarding the particular challenges journalists face using open source technologies on the job; including the complexities that have arisen before, during, and after COVID-19 lockdown across the globe.
Harlo Holmes, Freedom of the Press Foundation
Harlo Holmes is the Chief Information Security Officer (CISO) and Director of Digital Security at Freedom of the Press Foundation. She strives to help individual journalists in various media organizations become confident and effective in securing their communications within their newsrooms, with their sources, and with the public at large. She is a media scholar, software programmer, and activist; and was a regular contributor to the open source mobile security collective The Guardian Project.
5:40 pm–7:10 pm
Conference Reception
Sponsored by Google
Mezzanine East/West
8:55 am–9:00 am
Opening Remarks, Day 3
Program Co-Chairs: Melanie Ensign, Discernible, and Joseph Lorenzo Hall, Internet Society
9:00 am–10:00 am
Panel
Privacy Policies, by Lawyers, for Lawyers. What about Everyone Else?
Moderator: Hannah Poteat
Panelists: Holly Hogan, Automattic; Miju Han, Google; Emily Jones, Simmons & Simmons; Gabriela Zanfir-Fortuna, Future of Privacy Forum
We still need privacy policies even if nobody reads them, but they fall short as effective communication and education tools. What else can organizations do to ensure customers and users are adequately informed about data use and data rights? Time for privacy to show creative flex.
Hannah Poteat[node:field-speakers-institution]
Holly Hogan, Automattic
Holly is the General Counsel of Automattic Inc. where she leads the legal team in helping Automattic/WordPress.com make the web open and accessible, one website at a time. She navigates novel legal issues for a global internet company as it has grown in revenue, size, and impact. Holly has expertise in designing legal and business solutions that empower teams to scale globally, make good decisions, and get the job done; building and leading teams in and out of the legal department; and un-complicating international laws with legal strategies that keep operations running smoothly. Prior to Automattic, Holly was a partner at K&L Gates LLP and represented companies as a litigator in a diverse range of cases—from patent and contract disputes to First Amendment cases. She started her career as a prosecutor. Holly is a graduate of Harvard Law School, and has a B.A. in Politics (magna cum laude) from the University of San Francisco.
Miju Han, Google
When transitioning from data scientist to product manager, Miju spent a long time thinking about how to leverage data in products. That led to the beginnings of GitHub Advanced Security, which has helped developers and security teams patch over ten million vulnerabilities to date. She then helped HackerOne realize its vulnerability intelligence product suite before moving over to Twitter after the teenager bitcoin hack to start its privacy and security product practice. Miju is currently focused on privacy full-time at Google, where she is responsible for how Google Ads uses data.
Emily Jones, Simmons & Simmons LLP
Emily is a partner at international law firm Simmons & Simmons and leads the firm’s recently launched US office in San Francisco. The new office does not practice US law and Emily is an English-qualified attorney who has worked in Silicon Valley for over five years advising fast-growth technology, fintech, and healthcare companies on data privacy, cyber security, and technology laws as they grow their businesses globally. Emily has been advising on data privacy and security issues for over 16 years and works with companies launching new products and services especially involving emerging technologies. Her experience includes carrying out GDPR compliance health checks, responding to regulatory investigations, data security incidents, and data subject requests and negotiating with customers and vendors. She also helps clients to find commercial solutions to address evolving international data transfer issues. She is CIPP/E certified and regularly speaks at conferences on data privacy and security matters.
Gabriela Zanfir-Fortuna, Future of Privacy Forum
10:00 am–10:30 am
Break with Refreshments
Mezzanine East/West
10:30 am–12:00 pm
Pull Up a Chair for Privacy
Session Chair: Pilar Garcia, Help Scout
Meaningful Hardware Privacy for a Smart and Augmented Future
Marcus Hodges, Meta
Smart home devices are becoming increasingly popular in our living spaces. Wearable devices that let you capture photos and videos in the moment, without taking out your phone, are designed to take with you everywhere you go. In the future, augmented reality (AR) glasses will feature a wide variety of cameras and sensors for capturing and understanding your surroundings. Because these devices transcend the keyboard, many of them feature sensors that are always-on, such as the wake word engines of smart voice assistants. Yet, despite thier many benefits, these emerging computing platforms also present new classes of security and privacy challenges to users and bystanders alike.
As these devices are gaining adoption, there are two evolving hardware privacy features that promise awareness and user control over sensor privacy - the Recording Indicator LED light and the Privacy “Mute” Switch. However, very little has been published on their design and security. How do these features work? Are they trustworthy? What does the LED actually mean?
This talk will describe these hardware privacy mechanisms and explain in detail their design, purpose, and security properties. We'll explore the constraints and trade-offs that influence their function and discuss the importance of hardware security assurance. I’ll clarify what privacy LED indicators mean, don't mean, and why augmented reality poses new challenges to their semantics.
These privacy features are deceptively simple and evolving. To preserve their meaning and potential for trustworthy privacy protection, we need to come together as an industry and align on new security and privacy standards.
Marcus Hodges, Meta
Technical Metamorphosis: The 3 Stages of DSAR Automation
Alon Levy, Uber
Caterpillars do not transform into butterflies overnight. It takes time and a series of steps. In this presentation, we’ll walk through each stage in the journey to automate, standardize, and validate Data Subject Access Request fulfillment engineering operations to address regulatory requirements and provide a good user experience. We’ll share our experience as a technical team building multiple automation tools for Data Subject Access Requests in order to help other engineering teams prepare or refine their own strategies for privacy automation.
Alon Levy, Uber
Building an Automated Machine for Discovering Privacy Violations at Scale
Suchakra Sharma, Privado Inc.
While the most advanced digital watch in 1980 asked us to manually enter and store our phone book on the watch, modern smartwatches are sending our GPS location pings and heartbeat each second to unknown cloud machines which you know nothing about! To tackle this information void of where our data flows, various regulations and privacy frameworks have been developed. While there are multiple stakeholders such as lawyers and privacy officers in privacy conversations, the onus falls on the developers to eventually write code that respects those regulations - or fix issues that got introduced. In this talk we discuss how tried and tested static analysis techniques such as taint tracking and dataflow analysis can be used on large code bases at scale to help fix privacy leaks right at the source itself. What does it take to build such tooling? What challenges would we face and how can you, a developer or a privacy engineer fix privacy bugs in code!
Suchakra Sharma, Privado Inc.
12:00 pm–1:15 pm
Lunch
Terra Courtyard
1:15 pm–2:00 pm
Panel
True Crime Journalism: Cyber
Moderator: Melanie Ensign, Discernible
Panelists: Joseph Menn, Washington Post; Lily Hay Newman, WIRED; Alfred Ng, Politico
The role journalists play in reporting cybercrime is often more complicated than we imagine. What if you're contacted by a source involved in a crime? What obligation, if any, do journalists have to law enforcement, victims, and the general public? This panel of seasoned journalists will share their experiences from real investigations.
Joseph Menn, Washington Post
A leading security journalist for two decades, Joseph Menn is the author of the bestseller "Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World," first published in 2019. It revealed that then-presidential candidate Beto O'Rourke had belonged to the oldest surviving and most influential group of U.S. hackers and explained the origins of hacktivism and ethical security work. The New York Times Book Review called it "a hugely important piece of the puzzle for anyone who wants to understand the forces shaping the internet age." It was named one of the 10 best nonfiction works of the year by Hudson Booksellers as well as one of the five cybersecurity books everyone should read by the Wall Street Journal, and it was inducted into the Cybersecurity Canon project's Hall of Fame.
Menn now covers digital threats for the Washington Post, having joined in early 2022 after working at Reuters, the Financial Times, and Los Angeles Times. Menn also wrote 2010's "Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet," a real-life thriller that brought the modern face of cybercrime to a mainstream audience. Fatal System Error revealed collaboration between major governments and organized crime. It was placed on the official reading list of the US Strategic Command, while the New Yorker magazine compared it to the "Dragan Tattoo" novels of Stieg Larsson. Before that, he wrote the definitive inside account "All the Rave: The Rise and Fall of Shawn Fanning's Napster," named one of the best three books of the year by Investigative Reporters & Editors Inc.
Menn speaks regularly at security conferences including Def Con, Black Hat, and RSA, and tweets as @josephmenn.
Lily Hay Newman, WIRED
Lily Hay Newman is a senior writer at WIRED focused on information security, digital privacy, and hacking. She previously worked as a technology reporter at Slate magazine and was the staff writer for Future Tense, a publication and project of Slate, the New America Foundation, and Arizona State University. Additionally, her work has appeared in Gizmodo, Fast Company, IEEE Spectrum, and Popular Mechanics. She lives in New York City.
Alfred Ng, Politico
Alfred Ng is a privacy reporter at POLITICO and previously covered cybersecurity at CNET. He was also an enterprise reporter on privacy at The Markup. He is known for his short bios and abrupt endings.
2:00 pm–2:30 pm
Break with Refreshments
Mezzanine East/West
2:30 pm–4:00 pm
Questioning the Status Quo
Session Chair: Swathi Joshi, Oracle
Myths and Lies in InfoSec
Adrian Sanabria, Tenchi Security
In InfoSec, many closely held beliefs, commonly accepted best practices, and accepted ‘facts’ are just wrong. These myths and lies spread quickly. Collectively, they can point security teams in the wrong direction. They can give rise to ineffective products. They often make their way into legitimate research, clouding results.
"Sixty percent of small businesses close within 6 months of being hacked."
There's a good chance you've seen this stat before. It has no basis in reality. The available evidence suggests quite the opposite.
"Attackers only need to get it right once, defenders have to get it right every single time."
This idea has been repeated so often in InfoSec that it has become generally accepted as a true statement. It isn't just wrong, it's demotivating and encourages defeatist thinking that can sink the morale of a security team.
Most of the myths and lies in InfoSec take hold because they seem correct, or sound logical. Similar cognitive biases make it possible for even the most preposterous conspiracy theories to become commonly accepted in some groups.
This is a talk about the importance of critical thinking and checking sources in InfoSec. Our industry is relatively new and constantly changing. Too often, we operate more off faith and hope than fact or results. Exhausted and overworked defenders often don't have the time to seek direct evidence for claims, question sources, or test theories for themselves.
This talk compiles some of the most interesting research I’ve done over the past decade. My goal is to convince you to treat vendor claims, commonly accepted industry statistics, and best practices with healthy skepticism. You don't need to be a data scientist or OSINT expert to test theories and discover the truth - you just need to sacrifice a bit of your time now and then. I'll show you how.
Adrian Sanabria, Tenchi Security
The Slippery Slope of Cybersecurity Analogies
Josiah Dykstra
Cybersecurity is rich with analogies, from keys and locks to Trojan horses. We look for the “needle in the haystack” and “evict malware resident on our systems.” We debate “baked-in” versus “bolted-on” security. We do not mean all these things literally, of course. The language and analogies we use in this field are borrowed from many different domains. Analogies can help explain basic cybersecurity concepts, but too often they omit or overgeneralize important details. They can mislead, sometimes deliberately, because the experience they purport to connect might be out of proportion. Despite their shortcoming and imprecision, using an analogy or an abstraction might be helpful in appropriate situations. Using analogies, abstractions, and metaphors shapes technology’s development, practice, and policies. The analogies are more than simple figures of speech. They have a normative dimension; sometimes, they can be used to help the imaginary shape reality. This talk explores the use and misuse of analogies and metaphors across cybersecurity. We consider analogies from the physical world, medicine and biology, war and military, and law before discussing tips for avoiding pitfalls in using analogies and metaphors.
Josiah Dykstra, Independent Security Researcher
The Very Hungry Defender: Metamorphosing Security Decision-Making by Incorporating Opportunity Cost
Kelly Shortridge, Fastly, Inc.
Information security is often seen as a drain on the organization and defenders struggle to prove the value of their decisions to the rest of the organization. Security teams usually consider the narrow benefits of implementing a defensive measure for their own goals while ignoring the variegated costs they impose on the organization, its employees, its users, and even society. Therefore, information security is in continual danger of suboptimal outcomes and missed opportunities.
Opportunity cost can help transform information security programs from an organizational drag to an uplifting force by considering the foregone benefits of alternative options. This talk explores the importance of opportunity cost in security decision making and why defenders must incorporate different forms of cost in every decision. Drawing on cross-disciplinary research on opportunity cost in complex system domains, we will examine the tangible and intangible costs and effects that practitioners must take into account when evaluating defensive options. Through this lens, we’ll discuss negative externalities beget by security investments and how “cost” is far more than just money. To make these concepts more concrete, we’ll close with practical examples from the realm of application security to demonstrate why opportunity cost – and an appreciation of the kaleidoscopic nature of "cost" – is essential when making defensive decisions.
Kelly Shortridge, Fastly, Inc.
4:00 pm–4:15 pm
Closing Remarks
Program Co-Chairs: Melanie Ensign, Discernible, and Joseph Lorenzo Hall, Internet Society