privacy, encryption, and anonymity in the civil legal aid context

LSNTAPPrivacy, Encryption, and Anonymity

in the Civil Legal Aid Context

April 26, 2016

Using Go To Webinar Calling with phone? Select Telephone and enter your audio

pin if you haven’t already.

• Calling through Computer? If you’re using a microphone and headset or speakers (VoIP), please select Mic & Speakers.

• Have questions? Yes! Please help us make this as relevant to you as possible. We’ll reserve the last 10 minutes for questions, but, feel free to add any questions in the Go to Meeting Question Box.

• Is this being recorded? Yes. LSNTAP will distribute the information after the training.

Make sure you get your infographic/checklist after the training!

Speakers

Amie Stepanovich

US Policy Manager at ACCESS NOW

Jay Stanley

Senior Policy Analyst,ACLU Speech, Privacy & Technology Project

Joseph Melo

Director of EngineeringJust-Tech

Wilneida Negron

Digital Officer, Florida Justice Technology Center/Fellow at Data and Society Research Institute

Mike Hernandez

Director of Consulting

AgendaIntroduction Data and Privacy

Security Ecosystem in the Civil Justice Context

Wilneida

Broader Framework

Third party policies and federal context

Amie

Local Framework Day to day security issues in your office

Joe

Wormhole into the Near Future

The pitfalls of big data analytics

Jay

Questions?

Is cybersecurity the next digital divide?First digital divide, concerns computing and access:—who has access and who doesn’t. — how can we increase access.

Second digital divide, concerns our understanding and application of these technologies: — wide ecosystem of stakeholders and responsible parties (i.e. users, developers, elected officials, government, regulators, etc.)— everyone plays a role in shaping the uses and understanding of these technologies.

The Rise of the “It Depends” View

• Looking across age, household income, education, gender, etc., “…most Americans see privacy issues as contingent and context-dependent.”

• Uncertainty, resignation (powerlessness, part of modern life), and annoyance.

• One of the most unsettling privacy issues noted was how hard it is to get information about what is collected and uncertainty about who is collecting the data.

• Awareness of trend towards surveillance and data capture that to them seemed inevitable.

• Others are hopeful that technological and legal solutions can be found.

– Pew Research Center.

“I think the [chances for achieving privacy] are getting more hopeless as technology advances.”

“In my opinion, there’s a lack of disclosure on how personal information is used by companies. If you read some of the terms of service, you are essentially giving them the right to do almost anything with your personal information.” - January 2016 Pew Research Focus Group

Where do we go next?

• Digital illiteracy affects the elderly, poor, and LEP people.• Information and experiences of stakeholders is siloed. Need to bridge the multiple gaps in

understanding.• Data security issues creep in our everyday technology issues:

• Mobile phone usage of clients and staff: the device is not the problem, its the network that it connects to mobile malware, Android phones, and the network security. Knowing the mobile tools your clients use.

• Website analytics: i.e. Google Analytics• Third party vendors for technology development (eg. Expert systems, triage portals, apps, SMS

text messaging, predictive analytics, etc).• Libraries as access to justice partners: Referring clients to public computers at the library. • Mobile phones:. If its connecting to a broader infrastructure that allows for content collection,

mobile malware• Sharing of documents: among staff.• Etc…

What are the challenges?

Privacy and cybersecurity lie intersection of legal aid policies; third party policies; local, state, and federal laws; social norms, values, and practices of civil justice community; and technology itself.- Data & Society Research Institute.

Third party policies: We can pressure third parties about their terms of service to protect clients.

Technology: We can encourage developers and technologists to create or incorporate privacy-protection software and protocols.

Laws: We can all participate in regulatory debates about privacy policies.

Legal Aid Programs: Can create policies, and update existing ones, to address the privacy of all types of data that flows through their servers and technologies.

Clients: Their expectations are affected through education and awareness.

Civil Justice Data Privacy & Security Ecosystem

Dealing with Data

Amie StepanovichU.S. Policy Manager

amie@accessnow.org

Technology is cool

• Popular to believe that technology can save us from the big problems

• …But it creates big risks• Risks are compounded for sensitive

populations

Assessing Your Risk

• National Institute for Standards and Technology has great resources—– Privacy Risk Assessment– Cybersecurity Risk Assessment

• No federal law – Federal Trade Commission has asserted

jurisdiction over security

Encryption

• Encryptallthethings.net

Problems

• The “who”• Notification• Reliance on third parties

Takeaways

• Privacy Assessments• Cybersecurity Assessments• Due diligence is key• Know the laws

Legal Services NTAP

Privacy, Encryption, and Anonymity in the Civil Legal Aid Context

Joseph Melo, Just-TechMichael Hernandez, Just-Tech

Sharing Documents/Data Securely

• Email Is A Poor Way To Securely Share Information• Emailing confidential/sensitive information directly to

individuals • Emailed information lives in your mailbox, the recipient's

mailbox and is stored/backed-up in other systems• Inadvertently sent to the wrong person(s)• Emails are easily forwarded• Email accounts get hacked regularly

Sharing Documents/Data Securely

• Does your organization have and use a secure file transfer method?

• File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), Globalscape

• Third-Party Cloud Solutions• Drop-box Enterprise, Citrix ShareFile, IronBox

• End-to-end security (e.g. “in-transit” and “at-rest”)

Sharing Documents/Data Securely

• Is There A Better Method of Sharing Documents/Data? • Maybe don't send the documents/data at all OR don't send

documents/data that you lose control over • Use a DMS and give third parties limited access

• SharePoint Online, Box • Use information rights management to:

• Set read-only permissions, disable copying of text, prevent saving a local copy, prevent printing, set a time limit for access to the file(s)

Staff Member Owned DevicesSmartphones, Tablets, Laptops, Desktops

• What are some of the security considerations and implications?• Are user devices secured, restricted, patched & A/V protected?

• Who else has access to the device/uses the device (child?, friend?, spouse?)

• Can users save work related documents/data to their devices?• Mobile Device Management

Staff Member Owned Devices Smartphones, Tablets, Laptops, Desktops

• Do staff have a secure method/connection to work remotely?

• Client VPN, Secure RDS, Third-party remote access (LogMeIn, TeamViewer, etc.)

• What happens when a device is lost, stolen or retired? • Data/drive destruction/shredding services

• If a device is lost or stolen, is IT notified? • Recommend having a line added to your IT policies about work

related data on personal devices

Staff Member Owned Devices Smartphones, Tablets, Laptops, Desktops

• Don’t forget the paper!• Does staff take home hard copies?

• Is there a policy that outlines the procedure for lost hard copies?

Security Considerations for Your Clients• Using Third Party (Untrusted) Networks/Wi-Fi

• Coffee Shops, Libraries, Airports, Subways, City-wide Wi-Fi Networks

• Using Third Party Computers & Devices• Library computers, Schools, Internet Cafes/Shops, Communities Tech Centers,

Friend's Computer• What sites are you browsing?• Does the computer have antivirus software installed?• Does your client have a secure method to upload files?

• What are the dangers of using public computers?• Keyloggers

• Real value of two factor authentication

Security Considerations for Your Clients

• Using your smartphone • Does your smartphone has antivirus software installed? • Are there unsigned apps installed? • Apps asking for more permissions

• Is there an opportunity to educate our clients to protect their work with legal services but also more broadly with other organizations, government agencies, e-commerce

Importance of Policies• Does your organization have a set of policies in place?

• Acceptable Use Policy• Type of activity on work devices, such as desktop/laptops, smartphones/tablets

• Data Retention/Destruction• How long should you keep data for?

• Data storage• Emailing documents, flash drives, third-party software• Users opening personal accounts on Dropbox, Evernote, etc.

• Secure computers and connections• Giving users the proper equipment and connection methods to work remotely

Should We Consider Caller Identity?

• Does your organization have a method to identify your client over the phone?

• How do you know the person you’re talking to is actually your client?• Elder fraud/benefit fraud (redirecting checks), consumer fraud, releasing confidential

information to stalker/ex-boyfriend, etc.• What type of information could you use to verify their identity?

• Pin, Secret Q & A• SSN, DOB, home address, case number

Resource Links• Globalscape - https://www.globalscape.com/• Dropbox Enterprise - https://www.dropbox.com/enterprise• Citrix Sharefile - https://www.citrix.com/products/sharefile/overview.html• Ironbox - http://www.goironbox.com/• Office 365 - https://products.office.com/en-us/home• Box - https://www.box.com/• Mobile Iron - https://www.mobileiron.com/• Office 365 Mobile Device Management -

https://technet.microsoft.com/library/ms.o365.cc.devicepolicysupporteddevice.aspx

• Microsoft Intune - https://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/overview.aspx

• Instant Security Policy - https://www.instantsecuritypolicy.com/

• Joseph Melo• Office: 929-277-9803• Email: jmelo@just-tech.com

• Michael Hernandez• Office: 929-277-9804• Email: mhernandez@just-tech.com

Jay StanleySenior Policy AnalystSpeech, Privacy and Technology ProgramEditor of ACLU’s Free Future blog jstanley@aclu.org @JayCStanley

The Pitfalls of Big Data Analytics

Age of Data

Big Data: Broad & loose definitions

•The “macroscope”•Predictive analytics•Machine learning

Target pregnancy example

Target pregnancy example

Not all uses spooky

• Recommendation engines• Computer vision & other AI techniques• Health care• Manufacturing processes• Deliver government services more efficiently?

Analytics for social services

9 Questions to Ask

Questions:

1. Do the judgments being made lend themselves to analytics and/or machine learning?

Questions:

2. Is the analytics discriminatory?

asdf

“Rooted in their community”

Questions:

3. Is the analytics fair or does it incorporate guilt-by-association?

asdf

Guilt by association

Questions:

4. How accurate are the analytics?

Questions:

5. What are the consequences of error?

Questions:

6. Are the interests of the agency aligned or in conflict with the interests of the subjects?

Questions:

7. What does the analytics replace?

Questions:

8. Does the program merely triage within a group already targeted?

Questions:

9A. Does the program create incentives for ever-increasing data collection or other systematized privacy violations that might hurt many people even if it helps some?

Questions:

9B. Could the compilation of data be stigmatizing, prejudicial, or otherwise harmful to them in contexts other than the one in which they are helped?

Questions:

9C. Can the data be repurposed for potentially harmful ends?

A new eraProceed with caution…

Jay StanleySpeech, Privacy and Technology ProgramFree Future blog: www.aclu.org/freefuture jstanley@aclu.org202-715-0818

Contact info: