Data Privacy Day 2016 - Data Privacy in Social Media

Nick: My name’s Nick Vance, this is Robert Murphy, I work for Technology Services. Rob: I’m a detective with the UofI police department. Nick: And we’re going to talk a little about data privacy and social media, so, oh I thought I had my little into slide in here, it was originally supposed to be Rob and I and my coworker Joe who is sick, but we’ll try and wing it on our own without him. So I am a social media specialist at the university, I work in social media analytics and I’m also a graduate student in the School of Library and Information Science studying Information Science, and let’s just jump right in. Audience: Who is your professor? Nick: My professor? Who do I have right now... I just started my new classes last week and I have no idea who my professor’s names are. Audience: No I just meant your major research professor. Nick: I don’t have... I’m not going into the doctoral field so I don’t have a research professor just a regular professional. So in the work that Joe and I do we’ve found a lot of gaps in knowledge on the campus about just what people are doing with social media data especially, but other data in general, and we found this presentation to be helpful, especially to students, giving them an idea of what they’re data is actually being used for. So the first thing we like to go over is just that your data is being stored. All the social media data, anything you tweet, anything you put out is being stored by companies in big, much larger server areas than this, this is a tiny server storage area compared to what is actually happening out there. And it’s not just companies, even the library of Congress right here is storing all Twitter data back through 2008. There’s been a lot of controversy about that, for the Library of Congress, but they say this is a study of humanity, it’s a study of what people are actually doing, so they’re keeping it. So you can go to the library of Congress and they have all Twitter data back through 2008. And it’s not just what you post, obviously these things they’re out there on the Internet you can type it in and you can find the information around them. But it’s also your purchases. All these companies, they know all the things you buy. You search on Amazon and all of a sudden, we were talking and ads are popping up next to you like “are you sure you don’t want to buy that bike we looked again at that bike at this store”. It’s what you watch, Netflix, Hulu, your satellite provider they know what you’re watching they have that data stored. Your surroundings MyNest in my apartment knows when I come and when I go and what temperatures I like. Security systems your GPS, they store all the data of where you’re going. Even your physical attributes My Apple Watch, people’s fit‐bits they know when they’re moving they know pretty much where they’re at. WedMD has an idea about your sicknesses, MyFitnessPal knows all the food that I eat everyday. Even if I’m getting it from restaurants what restaurants I’m going to. And companies, specifically, I think you’re going to talk a little bit more

about the danger of specific people, I’m going to talk a little bit about companies. Companies are building profiles of everyone. So they use, I keep forgetting I have this right here and I don’t have to turn around, this is great. They use, these profiles, they can identify and connect your different profiles. So they have algorithms to be able to look through, this person has this thing they’re talking about these things, it’s probably the same as this Facebook profile the same as this Twitter Profile, it’s probably the same as this commenter on CNN.com it seems like they’re saying the exact same things, and they can bring all these together. They can track your life events, you go on Twitter and say my car breaks down there’s an alert in Ford that they’re like this guy needs a new car we gotta go tell him! They track your needs the same thing the car breaks down you’re talking about I’m hungry and Mcdonald’s gets an alert in their headquarters and says tweet something about food to this guy. They track brand sentiments, so if you’ve said things in the past about any company, these companies know what you’ve said about them and they know how you feel about them. So they can pop up this user profile when someone talks about them and say what have they said about us in the past what do they think about us. They know your influencer networks, so this is something that would be much more helpful if I had Joe here who does research in Social Media networks but I can kind of do his elevator pitch. The influencer network is just the people who most influence you, so they’re looking at who do you tweet at who do you follow, whose tweets do you re‐tweet all the time, who seems to drive decisions in what you’re doing. If they say something and all of sudden you say Oh I’m doing that too, these companies can track and analyze who influences you and leverage those things, pay people to put out ads on their social media that will influence you more, and they have your photo, so they tie all those profiles together, that profile comes up in whatever company we’re talking about and it’s got a picture of you it’s not just a number they’re like that’s the name that’s the person. This is a little bit more about Joe’s social media profiling. Joe has taken it a step further he’s doing research into social media personalities. So what he’s looking at is brands, the personality they have. So there’s personality characteristics around everything you do on social media, whether you’re rugged, whether you’re cool, whether you want to move fast. And he’s doing research into whether those brand personalities actually will tie back into the people who follow them the people those brands influence, are you more likely to follow Nike if you have a similar personality to how Nike acts on social media. So they’re even profiling these personality characteristics about you, whether you like to move fast, whether you like to be tough and rugged, or whether you like to be sleek and cool and trendy. And all that data’s for sale. It’s not just companies that are bringing it in and they’re just using it for them, companies are selling it to other people. In fact, we here at the University do it. Joe and I work in social media analytics and we pay a company called Crimson Hexagon which I’ll tell you a about little more in just a second, to use their data. To be able to mine through the data that they have and we’re trying to use it hopefully for less, hopefully to take less advantage of people than some of these marketing companies are and help our campus. So we want to do it to improve our campus, we

want to do it to understand the community, staff, faculty, and students. And we want to do it to research our world, so we’re leveraging this to give to researchers in the humanities and other areas so that they can study people on broader scale than they ever been able to do with surveys and with interviews. So like I said the company we use in Crimson Hexagon, they get in social media, Twitter, Facebook, Instagram, Tumblr, we get in some Reddit stuff and a few other social media sources they get in blogs, they get in reviews for some websites like Amazon and travel websites, they get in website comments, the things you post on anonymous websites comment places CNN, ESPN used to be anonymous it’s not anymore, they get all those in, news, just general news stories these things pull in, and even forum posts that’s where Reddit comes in that’s where lots of other forums come in, where you can go through and you can search all this data and see where are people talking about these specific things. I ran for this presentation a quick little search back in November. Over three days we found 1,656 people that said something about hating their job. This is just on twitter 1,656 people said I hate my job. So these are the people, “I hate working at Subway for Maggie”, Matt Diesel says “Apparently I was scheduled today but I hate my job so I’m going to pretend like I wasn’t scheduled”, Birthday? says “I hate my job, my manager, and like 90% of my co‐workers”, all of these things, DQ Probs, all these things can be tied back to all of these people, and when they interview for not a Dairy Queen job 10 years from now their managers are going to bring this up and say hey we saw that you hated your job and your manager, hey Matt Diesel we saw that you didn’t come to work because you hated your job. And we do it for University Services too, so this is Illinois net, one of the first things we found when we started using these services to track first around technology services then around the campus as a whole is that people don’t like our wireless. It’s harder to join Illinois Net then it is to join a sorority, update: UofI wifi still sucks, if Illinois Net could be murdered, I would murder it, Illinois Net it would be greatly appreciated if you could move faster than a drunken snail’s pace. So we’ve used this to leverage and se we need to make a change, we need to improve our wireless in some of these areas, but‐ while this has helped us it could hurt people in the future to see if Illinois Net could be murdered I would murder it, when they bring up their social media and say hey you’re interviewing for this job Illinois graduate, you seem like you were a little bit feisty on social media do you want to talk to us about that? We also use it track a few other things. So this is the affinities of people on twitter who talk about the University of Illinois, so this isn’t just technology services they say Illinois, University of Illinois, Fighting Illini, all these things and I know you can’t read it right now we’re going to zoom in so you can see it a little better in a second, but over to the left things that these people like more than the average of twitter, so this is the average twitter people talking about these things, so this takes your whole feed, you say something about Illinois, this program goes in, looks at your whole social media feed, collates it and says what are the things that you talk about the most, what are the things you talk about the least, and then it averages out for any search that you look at. So if I’m a marketing company and I’m looking at this, we’ll look at the green

side, people will talk about Illinois, for some reason talk about the pharmaceutical industry, Snorthcode, Snapchat, the Affordable Care Act, and Benghazi. I did this a little while ago it’s probably not Benghazi anymore. When was this...8/26/2015‐9/25/2015, so they’ll see, these people talk about these things a lot, and some of the other ones soccer, ESPN, NBA, you can target these people based on hey, this person said something about my company and they also talk about these things, or, maybe not my company this person said something about auto insurance how do I find a specific group of people that I want to market to, I should tie with this company I should tie with this sport and I’ll get this targeted area a little bit more. We can also track geolocation, so this is the creepiest one I save it for the end of my things that we can track. These are geolocated posts on campus, as you can see we can get really close within a half block range of where people these people are at. So Green Streets up here, Greg Drive, there’s two people tweeting on the quad, there’s some posts down green street over here, here’s some posts around the armory right there, down into the dorms over here, we can see where these posts came from and it’s not just these red dots, in the system if I click on the dot I can see the tweet. it’s not just hey these tweets came from this area, but I can tie it back and say this person tweeted from this are, this thing. Audience: What’s the difference between the red and orange colors? Nick: The red and the orange I think they were colored on recency but I don’t remember for sure...I can look back into that and let you know. We can not only do this but these companies actually have algorithms as well to take a look and guess where you’re at. So if you don’t have geolocation on you’re protecting where you’re at, your profile might say it, but if your profile doesn’t say it they go through your whole feed, and have algorithms to run to say these people were talking about these things, they said they were here they said they were going here, it seems like they’re in this location. So even if you hide all that geolocated information and take all the location information about your profile, if you were putting tweets out there that aren’t the most generic thing in the entire world, we can get a general idea of where you’re at. So this one’s back to Joe. Joe and I had opposite reactions to working in this field. Joe has deleted all of his social media. He didn’t like that companies could figure these things out about him, I think I’m 5‐6 years younger and I’m just kind of used to to it. I grew up with social media, with computers and I’ve always assumed that these companies were using these things nefariously to follow me around. Joe deleted all of his social media, but this is about a year to a year and a half later he did a search on himself. So some of these companies will tell you you take it out, we have deals with these other companies we’ll pull the data back out all your data will be gone. That’s not really true. So this is a year and a half later Joe searched himself. This is a pretty good description of his life, I know this Edwin? Lee here is one of his good friends, I know he loves to play golf, he loves coffee, apparently he was sick at one point here, I know his wife’s names up in here somewhere.. I don’t see it right now, but years later, deleted all of his accounts we can still find out all of this

information about Joe and this is just a goofy little word cloud visualization, digging into this more would give you so much more information about who Joe is. Oh amex awards are my favorite Joe is very into getting credit card points and would tweet about getting Amex rewards all the time #, and then they would give him extra points. There’s Lemi. You don’t have to stop tweeting. Bring this whole thing to a boil and say this is terrifying, but I told you I haven’t stopped. What we want people to do is understand and be able to make informed decisions about what they tweet. So you don’t need to stop using social media just because these companies get the data from you. In some ways I really like it, when I want to get back to that website, I was shopping for a bike one day and I saw a good deal on it and I left the website and I’m going somewhere else and all of a sudden on the other side of my page I was like ah I should go back and buy that bike what site was that on oh there’s the ad for the bike, I was like oh thank you! So this isn’t all bad, but we need people to know and you need to be able to think am I ok with this existing forever if I tweet it out. Am I ok with this being read by people aside from my friends, because even the private data you have doesn’t always stay private. Am I ok with this being used to profile who I am in the future whether it’s a job interview, or whether it’s some company deciding whether they want to market to me or not. You need to be able to understand is this ok. And if you are ok with all of that, press send. But we have to make informed decisions about these things before we press end, before you blast something out that no matter how quickly you delete it, is going to be there and be stored and be searched about you for the rest of your life. Questions? Ok you can come back up and give some of your...I didn’t go the 45 minutes I told you I would I talk fast. Rob: Alright, like I said I’m a detective for the UofI police department, I’ve been in law enforcement for a long time since around ‘91, so hopefully in a couple of more years if they haven’t taken our retirement away I’ll be walking out the door. That being said, I started out in investigations, and we didn’t have anybody that really did computers investigations, we had a few we solved a few internet crimes it was pretty cool, so they sent me to the University of Tennessee to the cyber crimes academy, learned a lot of cool stuff came back, they were like meh we’re not really going to do all that stuff, so I had to figure out how to do computer forensics without all the fancy, cool stuff that we had, which we did we did a lot of it we pawned a lot of it out to other agencies CITES helped us out tremendously with that. So we learned a lot about social media. When I first started in investigations we made some of the best marijuana buys off of Facebook. Because when Facebook was brand new you had to be a University Student because that was how University students communicated amongst themselves, and there weren’t any police officers on Facebook, there weren’t any professors on Facebook, there weren’t any staff members on Facebook. All you had to have was a UofI address, and I had it. Parkland gave us addresses, I had one for SIU I had one for all kinds of stuff, and you know what we did we swapped them. Oh here use my profile and we bought marijuana we bought all kinds of stuff we’d knock on the dorm room door hey I’m

here to buy that marijuana you got here oh and by the way here’s the cuffs. And it was funny because we did this for years and you’d think it would spread like wildfire but it never really did. You know you’d get a message every so often the cops are on Facebook, nobody cares. and he said he’s a little bit younger than most of us in here, except for you, the generation that’s coming up now they’re used to be tracked on social media.. And we have a hard time educating students when they come in not to post their entire life on social media. It’s a stalkers dream for their intended victim to post their life on Facebook or Twitter, and I know Facebook’s kind of dying away and there’s new stuff that’s coming up and we know what it is, we’re on it, we look at it, and so do the stalkers. We had a young lady, I believe she was a communications student, and she posted her entire schedule on Facebook. She would say hey I just got out of class 101 something or other, and I’m heading to the illini 22 over here, and she would post this every time she got out of class. And there was this little shy individual in the class that really liked her, but he just couldn’t bring up the courage to ask her out, so you know what he did, I’m going to follow her around. And he would follow her around everywhere she went, and she was like this guy’s kind of creeping me out. I know he’s in this class with me at 8am, but then I see him at the bus stop when I get on the bus at this time or I see him here, and then she would go to the gym and work out, it would be like 10:00 at night, he’s at the gym working out too. So she started getting creeped out a little bit, and we have a generation issue that we can’t tell that person hey you’re creeping me out go away, we’re going to post it on Facebook. Well this just made matters a little worse because now what’s he doing he’s getting attention, so this builds up. And finally she calls us, and she’s like well I don’t understand how he knows my schedule, see I look at her open Facebook because there’s no privacy on there at all, and I said well I know your schedule you have class at 9:00 at Gregory Hall you have this you have that, and she’s like how do you know that and well you post it all on Facebook your entire life’s here, you got a diary on here I know that you like chocolate chip cookies every night at 10. And it’s an education thing, so we have to educate people to lock their profiles down, but we’ve created a generation who loves to, I think the psychologists and psychiatrists are losing money, because they don’t need them anymore because they post all their worries on Facebook and it makes them feel better or on Twitter and all those things, so it’s an interesting generation that we’re bringing up but it also makes it difficult for us to keep people safe when they’re posting all their stuff out there. A lot of the social media sites have done a pretty good job at taking GPS locations out, like Facebook. I remember, who’s the reporter that just died of cancer? Well you remember the channel three? Dave Betten, Dave Betten called me a few years ago and said hey I want to do this story about people posting pictures on Facebook. And we’re going to take one of my friends that I’m facebook friends with and he posts pictures of his kids in the backyard all the time playing. And what we’re going to do is I want you to run one of those cool programs you got, and we’re going to geolocate it and we’re going to knock on his door on TV, live TV and say hey we’re here because we’ve tracked you on Facebook. And I’m like i don’t think that’s a really good idea, I mean the stalkers already know this but do we really need to tell everybody? But do we need to

educate people to lock their data down and turn their GPS off. Now Facebook scrubbed that off there for the most part, Twitter scrubbed that off there for the most part, but you have programs like CITES is using, we have programs that we use off and on, especially during events like Unofficial. We monitor Twitter, we have what’s called a Tweet Deck going up in the command post with all the Tweets going on, we know where all the house parties are at so we can go over and knock and say hey guys how’s it going? We monitor those things because we want to know where things are going on. So yeah you can turn the GPS off but guess what, they still know where you’re at. We found something‐ anybody turn your wifi off on your smartphone and then you use your GPS to find an address, what does it tell you to do? Turn your wifi back on because it better locates you. So even if you turn your GPS on on your phone and you’re using wifi they know where you’re at. When we get a computer stolen or lost on campus, we encourage students, staff, everybody to register their MAC addresses, their machine application codes, whatever it is, the MAC address it’s like this electronic serial number of the laptop with CITES, do it with CITES. Because if that laptops stolen or something like that we can actually track it through the network, creepy huh? In fact we had an individual who had his laptop stolen. We report it to CITES he didn’t register his MAC address so we had to, well we don’t, the people that are very intelligent with the computers, actually take his user name and they associate it with all the electronic devices he’s logged onto the network with, and this is just at the University and they can track electronic serial numbers on the network. So they’re like this has got to be the device it’s an Apple device it was an Apple laptop that was stolen this is device we know this is it, so the CITES guys enter it into their script that runs across the network searching for this lost item, and it finds it right away. We’re like oh yes we got this, so we all scurry out there, I’ve got the CITES technician on the line, and we’re tracking it through the network we’re going through the Illini Union I’m like we’re getting close we know, and they can put in right in into a location they can tell us in this room right here that this person is on the Northeast section of the room, I mean they can get it down pretty, you know pretty nice little location. So we’re following this person, we’re like all excited and he gets out of the Illini Union of course we’re a couple minutes behind, and he goes to, I think we end up stopping in Lincoln Hall of all places because he had hit the network in a couple of other places, guess what it was our victim because he was on his iPhone and they had put the wrong MAC address in, a little embarrassing for us yeah but we blamed it on the CITES guys. But that being said isn’t that scary? I mean it’s scary how we can track people like that just off of their computers. Now we don’t do that unless it’s reported stolen trust me we’re not looking at all your stuff and tracking you wherever you go, but that being said it’s a great way to find where things go, we used to keep that top secret and not tell anybody, but it’s out there now we’ve been doing it for 10‐15 years now, and the bad guys know so what do they do? They turn the computers off so we can’t track them as well. But eventually they’ll come back to campus and turn that laptop on they can re‐format it, do whatever but it’ll still have that electronic serial number that’ll pop up. So a lot of times we can get some back, it might be year or two later the longest I think was four years we had some laptops stolen from the English

Building. And we recovered a couple that had popped up back on campus so statue of limitations is way over and I gave the laptop back to them and guess what the technology is already been updated so it went to surplus. But so those things stay in the network for a long time. So those are some of the cases that we do, and we also do a lot of investigations when it comes to social networks. If we’re looking at a bad guy, what do you think we do? First thing I do is I do a Google search on him, I mean Google knows everything, and Google stores everything. If you do a search, if you have a Gmail account, I think it’s called circles, or whatever their social media that they do that nobody really does but you’re all a member of, Google Plus? Google plus I’m sorry‐ Audience: You can get circles on Google Plus. Rob: Oh there you go I knew there was something with circles. But in Gmails they all interact. How many people have gotten onto their computer and it automatically has your name up there when you do a Google thing? I know right they’re tracking you. Google has associated your work IP address, with your home IP address, and other, your phone IP address they’ve associated that all together and plus they collect the MAC addresses too so they know what kind of devices you use they know you’re using an Apple phone or a Droid phone they collect all of that. It’s amazing what Google does collect. The only thing about Google is they don’t like law enforcement. They collect all this information for their own, for their own evil stuff their marketing stuff but they don’t law enforcement so they’re really hard for us to work with. But that’s ok. And guess what our student accounts are now. They’re gmail. And I warned CITES when we did this I said you realize if we need a student’s email it’s no longer a simple process, it’s actually a court order that has to be served on Google headquarters in California and all of this craziness that has to go though I can’t just go to legal counsel here’s my court order, I need this for whatever it be. Even if we have a student that, heaven forbid commits suicide, and we have to investigate everything just to make sure there’s no foul play and we rebuild their life you go back a month or so and rebuild their life to make sure that’s what it was. But we can’t get their email, and where’s all their information? On their email and stuff like that so it really hurts us in some investigations, and we’re really trying not to get faculty email to go there, or staff email because we’re, I’m concerned about the security of it all, we know where the data’s at, it’s at CITES. Now Gmail where’s it at? It could be anywhere in the world they have headquarters everywhere. So it’s kind of a, my long thing another issue we have with students too is pictures. And that’s one thing we really push in freshman orientations and we do presentations with students throughout the university, one of my big investigations that I used to do, I’m still kind of on the attorney generals task force for child pornography, it’s a big thing, and pornography’s a huge thing. Students like to send pictures to their significant other, where do those pictures end up? When the breakup happens they end up everywhere. Trust me, and they’re almost impossible, well they are impossible, to get back. We’ve had a couple of students where this has happened, and they’ll call us, from time to time, hey my pictures just showed up on this site,

and we’ll contact the site and most sites are good when they get the email from law enforcement that they’ll take the picture down, most sites are, but the problem is what, what just happened, it’s there. How many people saw it, can you save it to your computer? Yeah. So we really push this so if you have kids, if you have students you talk to if you’re students yourselves just remember everything you put out there can be seen by everybody. When you’re at a party drinking it’s a good idea to “hey we got beer woohoo!” What’s an employer going to do? They’re going to mine your social data, it doesn’t matter if you’ve got your Facebook account locked down to where nobody can see it. I’m not friends with my daughter on Facebook, but you know what I check her Facebook account all the time. She’s gotten to the point where she doesn’t really post a lot on there, she does Twitter and Instagram and all that kind of stuff, I still see it. But why? Should we do that to our kids? Hell yeah we should to do that to our kids, yes we should do that to our kids we need to know what’s going on we need to know what’s out there. But that in itself is all bring stuff to her, hey you just posted something on Instagram or, one of the other things they’re using now, but do you think this is really a good idea? You’re 17 now, hopefully when you’re 18 you’ll be getting a job or going to college one of the two, do you think an employer would appreciate seeing this? Well it’s private! Well I’m not friends with you and I’ve got it right here. So it’s something to think about employers love this stuff, we love this stuff when we do backgrounds. Another police detective that teaches a lot of social media mining classes and stuff, he actually has branched off now he doesn’t even do police work anymore he has a private company where he just does backgrounds. So an employer can come to him and do a background, he can find things out like nobody’s business. One of the latest things he did, a police department, he still does backgrounds for his old police department, and they said this candidate looks perfect he is the coolest person ever his education is perfect, it’s amazing I mean this guy is awesome I mean we can’t find anything wrong we’ve done all those social media background checks you told us to do. He sits down at his computer in five minutes on an IRC chats, anybody know what an IRC chat is? The students probably have no clue but you’re shaking your head you know what IRC is! Do you even know what an IRC is? Nick: I’ve heard of it. Rob: Oh I know you’ve heard of it. It’s still there! But the thing about it on IRC chat he was posting all of this Nazi stuff, like white supremacists and all this other stuff, had pictures of him in his little outfits with his Klan stuff. The police department didn’t find that, this guy who had retired and moved onto other things within five minutes on an old IRC chat that was ten years old found this, nobody ever uses IRC anymore, but it’s out there, it’s still there, you can still find this stuff, do you want him as a police officer? No we don’t! But if we can’t find it, he didn’t disclaim it, we don’t know. And that goes across to everything whatever you do, whatever you post is on social media, so we’ve got to think about those kind of things. So I’ve kind of dribbled on for a long time, do you guys have questions and stuff? Yes Ma’am.

Audience: So you mentioned it a little bit, so you know in lieu of parental...guidance‐ Rob: Stalking, I call it parental stalking, it’s illegal. Audience: That’s an issue across the board, right with students with anything, but, ok so you come to your educational institution and you have concerns and you have the knowledge, so is there a regular requirement that students have regular social media skills that are given to them, or a lecture or something? Rob: We do education stuff throughout the University, these guys do educational stuff throughout the University, but we can’t touch every student. Nick: We’re working on some programs, we’re working on a video that we’re trying to get out to students we’ve considered some of the...like FYCARE and the alcoholic classes that they have but honestly we just don’t think they would be very effective. Audience: I mean whether they are or not‐ Nick: Yeah well we’re trying to figure out other ways we can get this to them, that is maybe more effective than a required seminar, but yes we’re trying to figure out‐ Audience: It’s just really hard to get the youngsters to understand what it’s going to be like when they’re 40, you know they don’t‐ Rob: And you’re right but students have so much stuff thrown at them in the first month of school, FYCARE I work with FYCARE I do, when they do the initial training with the FYCARE, there’s this college class you have to take and I’m their guest lecturer a couple of times, and we talk about it, I want them to talk about it, they have 2 1/2 hours to get all this sexual education out there, they have the drinking class that Mckinley does, they have a short time. We do a bystander class now which is kind of like the booster shot for FYCARE, so your junior year maybe you’ll take it, and it’s like a bystander intervention class, we talk about social media, but the problem is are they listening? The parents are, they’re in freshman orientation they get to hear me talk during freshman orientation, mostly I’m talking to parents and they all go back and tell their students hey this is what the cops said, and I want people to know we bought marijuana on Facebook, I want people to know that cops are looking at your Facebook, I want them to know we’re looking at Twitter, now other cops hate me for this because they’re using it for intel, but I want you to know this, because if nothing else to scare them into stop putting this stuff on Facebook. Yes Ma’am. Audience: I just wanted to add that Illinois has a law that between grades 3‐12 kids have to get digital citizenship? instruction, and part of that is to include all of the issues that you’re talking about. Some are doing it very well, some would have trouble and were audited but by law they’re to have digital citizenship for grades 3‐12.

Rob: They also passed another law, and i can’t remember the name of it about sexual abuse that they have to get this education to. And it’s the same thing that’s my passion I want all the kids to know, I’m a kids instructor for that kind of stuff, but they’re not getting it either. It’s kind of the same thing, it’s there’s a law, here’s what you guys have to do, so they read from a script and they move on, and tell you actually it happens when that naked picture gets passed around the high school students, and then we can come in and say you know what you’re the victim, but you’re also the offender, this is what can happen to you. And until they actually get that shock value it doesn’t affect them. Audience: Can you speak about the companies that sell this information? How much do they make from it? Google did this and Amazon... Nick: I don’t think Google sells that much data, there’s a lot of, especially the social media data companies there’s a lot of them out there, Crimson Hexagon the one that we get I think costs us around $50,000 a year, we have a good amount of searches with them and that’s with an education discount and a bunch of other things and they sell to a lot of people. So the bigger companies there’s a company called Gradien Six? some other large..Oracle does one‐ Rob: Lifeboat. Nick: Yeah there’s a bunch of other companies that do it, and they make a lot of money doing it. But the biggest thing is those data streams so some of these companies don’t even do the data collection themselves there’s another backend company that does all of this mining and pushes the data to them. And the hard thing is, one of the reasons we chose Crimson Hexagon was they were a lot more ethical we felt like than some of the other companies were, I told you some of those rules about if you delete the post you have to pull it out of the data, they work harder to follow those rules they’re only pulling in data from companies that they’ve reached agreements with. But there’s a lot of companies out there, especially non‐U.S companies that do illegal web scrapings so they’re just going across everything and pulling all the data, they’re getting into any private data they can find and pulling that out because they don’t have to worry about these, like Facebook and their relationship with them breaking down. So there’s a lot of companies out there that do it ethically and there’s a lot that don’t, Google I don’t think shares it but those are the companies that have so much data...but my worry would be if Google ever turns downhill at some point they’re either going close and have all that data in servers somewhere or they’re might start selling all that data that they have, and I’m sure it’s in the 100 agreements that we’ve signed with them that they have some right to do something with your data if they want. Audience: Do they have social security numbers in there too?

Rob: I’m sure.
Nick: I don’t know, probably. With social security numbers, I’ve been typing it in I’ve been applying for an apartment somewhere so my social security number for sure is somewhere on the internet so that’s somewhere where people can find it. Audience: One instructor expressed that in the world of credit they have credit reporting laws now where you have to require to have access to your credit score and that report, and there are no parallel rules so companies are free to amass information and make inferences and decisions without you ever knowing that happened. One example I heard about was a company that was advertising its services insurance companies and if you ever buy life insurance traditionally a nurse might come and visit you, collect blood samples, get biometrics data and so forth because they’re evaluating your health before they decide if you’re insurable, but this company was saying this is cheaper we don’t even need to do that, we’re going to scrape the data out of social media and see if you have a gym membership do you buy fast food do you purchase certain kinds of things, and they even have scenarios like prospective customers A and B, who one has a little more income so she has a gym membership, eats at nice restaurants and does stuff, the other one is on a budget so she works out at home and sometimes eats fast food, well person A will get an insurance offer and person B won’t and will never even know why she didn’t or will be offered a much worse rate, so those kinds of things which really seem contrary to what... Nick: Yeah and I don’t remember what conference we were at I was talking to a guy from Cisco and we were talking about that same thing, but there really isn’t anything out there that does that, the social media karma.com for credit card commercials. Audience: So you’re just kind of at the mercy of whatever genius comes up with some algorithm and decides to package it and sell it. Nick: Yeah go for it. Audience: I have a question about it’s really interesting topic it’s been really helpful, but what kind of technical challenges do you have trying to analyze these kind of data stats (now unable to understand properly but begins talking about forensics of some sort)...so we’re really interested in what kind of technical challenges you have. Rob: The challenges we have? Are you talking about challenges like forensic‐wise? Audience: Yes. Rob: The biggest challenges we had with that is certifications. Like ncase and FTK, which is forensic tool kit, they’re expensive, they’re real expensive that’s one of the reasons why our department didn’t pursue it because we can go to CITES and have them do our forensics for us, but the problem, the problem is, to go back to child

pornography again we do cases with child pornography, in the university we’ve had university students, we’ve had faculty with cases going around. There’s no protection for them because they’re not law enforcement officers so they can’t be in possession of it because guess what they just violated federal law. So there’s a, are they protected if they’re doing it for us, yes, kind of, but the law doesn’t really, like she was talking back there the law hasn’t, or over here the law hasn’t really caught up with all of the technology. So that’s the things that are the costs, it’s expensive to do forensics, and it’s time consuming, I mean there’s a lot of data if you get a terabite machine, that’s a lot of data to parcel through to find what we need, we just need a few things, but then the jury’s going to say well what did you miss, and it puts that doubt in the jury and if you put doubt in a jury can you convict somebody if there’s doubt? No you can’t, so that’s what we’re running into, same thing with video taping. Now they want all cops to carry body cams at all times, that’s awesome, that’s great, and you know what it’s saved us a lot because now people can see hey this is actually a cool officer he’s trying to work out get things going, but is there data issues there? Where do you store all this data? I mean it’s a lot of information, it’s just kind of a long about thing, and people will really put it on there can you prove that that person, how can you line it all up to know that they downloaded it. Audience: I don’t have so much as a question but I just wanted to share I teach a class, my names Mike Pullman, I teach a class on more advanced security and privacy, it’s a second eight week class it runs in the spring semester, it’s mostly targeted at media professionals, so people like journalists who might be going across international borders with maybe they’ve been out shooting a documentary or they’ve been collecting some data they’re nervous about, maybe more oppressive governments getting a hold of their data or communicating with a whistleblower and they don’t want the whistleblower to get caught, what we do in this class is we talk about the daily best practices in the beginning, and then we very quickly move into some of the more advanced things like how send an encrypted email, how to browse the web anonymously and safely, how to protect your data in those cases where there are, you’re not doing criminal activity, you’re out there trying to do positive things but you’re concerned about the protection of the data. But it’s MDIA 199 I’ve got flyers here if anybody wants one on their way out I can give them to you. Nick: Cool. Any other questions? Audience: And I should actually say to we also talk about the societal question of how much government and private collection of data is appropriate, what kind of laws should go around those things, so it’s not just a technical class but it’s also a discussion of the broader societal questions. Nick: Cool.
Audience: Do any of the privacy settings on facebook offer any protection at all?

Rob: No.
Nick: For some of these companies, for some of the mining companies they help somewhat, so a company like Crimson Hexagon that we use generally tries to avoid bringing in that private facebook data, but the problem you’re going to run into is sometimes they have a hard time, even the companies that are trying not to do it, have a hard time telling what’s private. So for me, it’s very dangerous to be Facebook friends with me, because I log into this system all the time, and to get even public facebook data you have to have an account, so their deal with facebook says you have to log in with your account, you log in, they use it to authenticate so you can pull data out. But..there was a study done in Harvard they were studying hARVARD students, and when people went back through the study they realized these are private profiles you have in here, because one of the people that had logged in was friend with these people, so when it pulls the data out it doesn’t see it as oh this is private data I get to keep that, it just goes in through your account, sees these people pulls that data in, and then it’s not only in whatever search you did it goes back and dumps into their data warehouses. So friends of mine on Facebook probably have had, if their accounts are private, have probably had some of their data pulled and dumped in that warehouse and some other company can now pull it out. But that’s just for resellers, so companies like we were talking about Google, companies that do this screen scraping and aren’t going to resell it they don’t have to worry as much about these privacy laws about the deals they’re making with these companies because it’s just theirs, they are not probably going to get caught having private data or having gathered some data in some kind of nefarious way, so that data is for sure in a lot of these companies that aren’t reselling, so the resellers have to watch a little bit more on the private data but it still gets in there a lot of the time. Audience: Do your emails, are they all known also like your social media can they sell the data, can they pick up emails too? Nick: They’re at least known to Google. We haven’t had anything where we’ve been able to buy email data that’s probably a lot more regulated but they’re at least known to companies that have them warehoused somewhere like we’ve been saying. Rob: We use TLO, which is a pay service. And TLO used to be really, really good you have to be law enforcement or an attorney, I don’t know why I put attorneys in there you can be one of those bad attorneys or you can be one of those good attorneys, so they both can both join TLO, and there’s also Acronat (not sure if that’s how it’s spelled) I think it’s called, it brings up cell phone numbers, email addresses, I mean all kinds of addresses, I ran myself through there apparently I have a hotmail account that I haven’t used in years but they know it’s there, but I haven’t used it in ten years but it’s in there, I had a Juno account, there I’m updating myself a little bit,

Juno! It’s in there. I don’t even remember what it was, I can find it, so it’s there you can get emails. Alright, cool, thank you guys.