“What corporations have been turning your privacy on”, Artur Khachuyan (Tazeros Global)

Personal Data Protection Day, Minsk, 2019. Organizer: human rights organization Human Constanta.

Host (hereinafter B): Artur Khachuyan is engaged in… Can we say “on the dark side” in the context of our conference?

Artur Khachuyan (hereinafter - AH): On the corporate side, yes.

B: He collects your data, sells it to corporations.

AH: Not really…

B: And he will tell you exactly how corporations can use your data, what happens to the data when it gets online. He probably won't tell you what to do with it. We will think further...

AH: I'll tell you, I'll tell you. In fact, I won’t tell you for a long time, but at the previous event, I was introduced to a person to whom Facebook even blocked the dog’s account.
Hi all! My name is Artur. I really do process and collect data. Of course, I do not sell any personal data to anyone in the public domain. Kidding. My field of activity is the extraction of knowledge from data that is in open sources. That is, when something is not legally personal data, but knowledge can be extracted from it that is the same in importance as if it had been obtained from personal data. I won't say anything really terrible. Here, however, it is about Russia, but I also have figures about Belarus.

What is the real scale?

Just the day before yesterday, I was in Moscow in one of the leading, ruling parties (I won’t say which one), and we discussed the implementation of some project. And that means that the IT director of this party gets up and says: “You said, numbers and so on, you know, the 2nd Directorate of the FSB prepared a note for me here, which says that there are 24 million Russians in social networks. And you say - 120 with something. In fact, we have more than thirty [million] people who do not use the Internet.” I say: “Yes? OK.”

People don't really understand scale. These are not necessarily government agencies, which probably do not fully understand how the Internet works, but in fact my mother, for example. She is only now beginning to understand that she is given a card at Perekrestok for a reason, not for the miserable discounts that this Perekrestok offers, but for the fact that later her data is used in OFD, purchases, predictive models, and so on.

In general, there are so many residents, and there is information about so many in open sources. Only the last name is known about someone, everything is known about someone, right down to the porn that he likes (I always joke about this, but this is true); and all sorts of information: how often people travel, who they meet, what purchases they make, who they live with, how they move around - a lot of all kinds of information that bad, not-so-bad and good guys can use (I don’t even know what scale to come up with right now, but nonetheless).

There are social networks, which, of course, are a giant set of open data, playing on the weaknesses of people who kind of scream about privacy. But in reality, if you imagine a graph over the past 5 years, the level of hysteria about personal data is growing, but at the same time, the number of closed social media accounts is decreasing year by year. It may not be entirely correct to draw conclusions from this, but: the first thing that stops any company that collects data is a stupidly closed account on social networks, because the opinion of a person inside his closed account, if he does not have 100 thousand subscribers, is not really very interesting for some kind of analysis; but there are also such cases.

Where do they get information about us?

Have you ever been knocked on by your old school friends, with whom you have not communicated for a long time, and then this account disappeared? There is such a thing among the bad guys who collect phones: they analyze friends (and the list of friends is almost always open, even if a person closes his profile, or the list of friends can be restored “in the opposite direction” by collecting all other users), they take some inactive friend of yours, make a copy of his page, knock on your friend, you add him and after two seconds the account is deleted; but at the same time a copy of your page remained. So, in fact, the guys did recently, when 68 million profiles from Facebook flew away somewhere - they added about the same to everyone as friends, copied this information, even wrote to someone in personal messages, did something ...

Social networks are a huge source of information, in almost 80% of cases information is taken about a particular person not directly, but from the immediate environment - this is all sorts of indirect knowledge, signs (we call it the "Evil ex" algorithm), because one of my friends pushed me to this absolutely brilliant idea. She never followed her boyfriend - she always followed his five friends and always knew where he was. This is actually a reason to write an entire scientific article.

There are a huge number of bots that also do all sorts of good and bad things. There are harmless ones who stupidly subscribe to you in order to advertise cosmetics to you later; but there are serious grids that are trying to impose their opinion, especially before the elections. I don’t know how it is in Belarus, but in Moscow before the municipal elections, for some reason, I had a huge number of friends of some incomprehensible ones, and each campaigns for a different candidate, that is, they absolutely do not analyze the content that I consume - they just try to impose some incomprehensible reform, taking into account the fact that I am not registered in Moscow at all and will not go to vote.

Garbage - a source of dangerous information

Plus, there is Tor, which is not exactly underestimated - everyone thinks that you only need to go there to buy drugs or find out how weapons are made. But in fact, there are a lot of data sources out there. Almost all of them are illegal (such, near-legal), because someone could hack into the database of air carriers on some hacker site and throw them there. Legally, you cannot use this data, but if you get some knowledge from there (as in an American court), for example, a recording of an audio conversation made without a warrant, you cannot use it, but the knowledge that you received from this audio recording, you won't forget, and here it's about the same.

This is actually a very dangerous thing, so I always joke, but it's true. I always order food next door, because the Delivery Club breaks down very often, and it really has such problems. And recently I was very surprised: I ordered groceries, and on the box, which I took to the trash, a sticker was pasted on which it says “Artur Khachuyan”, phone number, apartment address, intercom code and e-mail. In fact, we even tried to negotiate with the Moscow municipality to give access to the garbage dump: in general, to come to the waste dump and try, purely for the sake of interest, try to find some mention of personal data - to do something like a mini-research. But we were refused when they found out that we wanted to come with Roskomnadzor employees.

But this is actually the case. Have you seen the awesome movie "Hackers"? They were poking around in the garbage in order to find some part of the virus. This is also a popular thing - when people threw something into open sources, they forgot about it. It could be some school site where they wrote their dissertation on white supremacy, and then they went to the State Duma and forgot about it. Such cases actually happened.

What do United Russia people like?

If you go to the “topchik” on the Lifenews website ... Students did a study for me two years ago: they took all the participants in the United Russia primaries (they all officially submitted their social media accounts to the All-Russian Central Executive Committee), looked at what they like in general - porn childish, trash, obscure ads from strange adult women ... In general, people kind of forgot about it.

Then they wrote a letter stating that twenty people had their accounts stolen. But their accounts were stolen two weeks ago, they submitted them to the election commission 8 months ago, and the likes were two years ago ... In general, you understand, right? There is a really huge amount of information that can always be used even for research purposes.

A mini off-topic: yesterday I saw the news that Roskomnadzor blocked the studies of students of the "tower" two years ago. Maybe someone saw this news, no? It was my students who did the research: they were from Tor, from the Hydra website where drugs are sold (sorry, from Rampa), they collected information about how much, what, in which region of Russia it costs, and they did the research. It was called "Consumer's basket of a party-goer". This, of course, is a funny thing, but from the point of view of data analysis, the data set is actually interesting - then for another two years I went to all sorts of "hackathons". This is a real thing - there are a lot of interesting things there.

How Get Contact "bought the souls" of curious users and why you need to read the user agreement

Usually, when you ask a person what kind of data leakage you are afraid of (especially if a person has a webcam taped), he always puts the priority structure like this: hackers, the state, corporations.

This is, of course, a joke. But in fact, active data analysts, all kinds of data scientists have stolen much more than, it seems to me, scary Russians, Americans or some other hackers (substitute any, depending on your political beliefs). In general, usually everyone is afraid of this - do you all have your webcam taped up? You can't even raise your hands.

But if the hackers are doing something illegal, and the state needs a court order to get the data, then the last guys [corporations] don't need anything at all, because they have such a thing as a user agreement that no one ever reads. And I really hope that such events will still force people to read the agreements. I don’t know how it was in Belarus, but in Moscow in the middle of that year there was a wave of the GetContact application (you were probably aware), when an application appeared out of nowhere that says: give the application access to all your contacts, and we'll show you how funny you were recorded.

It didn’t surface in the media, but a lot of high-ranking employees complained to me that everyone started calling them all the time. Apparently, the administrators decided to find Shoigu's phone in this database, someone else ... Volochkova ... A harmless thing. But those who read the GetContact license agreement - it says: spam in unlimited quantities for unlimited time, uncontrolled sales of your data to third parties, without restriction of rights, statute of limitations, and in general everything that is possible. And it's actually not such a super-rare story. Here’s Facebook for me, while I was there, 15 times a day showed notifications: “And synchronize your contacts, and I’ll find you all your friends that you have!”.

Corporations don't care. Federal Law 152 and GDPR

But in fact, the priorities are in the opposite direction, because corporations are protected by private law and therefore in almost all cases it is impossible to prove that they are wrong. And given the fact that it is big, scary and very expensive, it is almost impossible. And if you are also in Russia, with outdated legislation, then somehow everything is completely sad.

Do you know how the Russian law (and it is practically Belarusian) differs from, for example, the GDPR? The Russian 152nd Federal Law protects data (this is a relic of the Soviet past) - a document that protects data from being leaked somewhere. And the GDPR protects the rights of users - the right that they will lose some freedoms, privileges, or something else, because their data will leak somewhere (they introduced such a concept directly into the “data-li”). And we have everything that they can charge you with - a fine for not having a certified "open" - "Excel" for processing personal data. I hope this will change someday, but I don't think it will anytime soon.

What are the real targeting opportunities today?

The first, probably scary story that everyone constantly thought about was reading private messages. Surely there is a person among you who has ever said something out loud, and then received targeted advertising. Yes, were there? Raise your hands.

I really don’t believe in the story that the conditional Yandex Navigator recognizes direct audio in the stream for all users, because those who have encountered voice recognition a little understand that: firstly, the Yandex data center would have to be five times bigger; but most importantly, the cost of attracting such a person would cost a lot of money (in order to recognize audio in the stream and understand what the person is talking about). But! In reality, there are algorithms that tag you for certain keywords in order to then make some kind of advertising communication.

There were a lot of such studies, and I made clean accounts 100 times, wrote something to someone in messages, and then suddenly received an advertisement that seemed to have nothing to do with it. There are actually two conclusions here. Against such a story - it is believed that a person simply falls into some kind of statistical sample; let's say you are a 25 year old male who at this very moment should have encountered English courses just at the moment you wrote to someone. At least Facebook always says this in court: that there is a certain behavior model that we won’t show you, which was built on data that we won’t show you, we have internal research that we definitely won’t show you (because everything is a trade secret); in general, you fell into a certain statistical sample, so we showed it to you.

How Facebook pissed off users' privacy

Unfortunately, this is generally impossible to prove if you do not have a person within the company who will somehow confirm these actions. But in American law, in this case, the non-disclosure agreement of this employee is higher than his desire to help you, so no one will do it. It’s also interesting - it was about a year or a year and a half ago - a trend began to develop in America, when people installed a browser extension to encrypt Facebook messages: you write something to a person, he encrypts it with a key on the device and sends it to rubbish in open access.

For example, Facebook has been suing this company for a year and a half, and it’s not clear on what grounds (because I’m not well versed in American law) forced them to remove this application and then made an amendment to the user agreement: if you look, there is such a clause, that you cannot transmit messages in encrypted form - it is somehow so cunningly described there that you cannot use cryptographic algorithms to modify messages - well, there is such a thing. That is, they said: either you use our platform, write in the public domain, or you don’t write. And this raises the question: what for do they need private messages at all?

Private messages are a source of 100% reliable information

Here is a very simple thing. Everyone who analyzes the digital footprint, human activity, tries to somehow use this data for marketing or something else - they have such a metric as reliability. That is, a certain image of a person - you understand perfectly well, this is not a person himself - this image is always a little more successful, a little better. Private messages are real knowledge that can be obtained about a person, they are almost always 100% reliable. Well, because rarely someone will write something to someone in private messages, deceive, and this is all very easy to check - respectively, according to other messages (you understand what I'm talking about). The bottom line is that knowledge extracted in this way is almost 100% reliable, so everyone is always trying to get their hands on it.

But nevertheless, this is all, again, a very difficult story to prove. And those who believe that the conditional "Vkontakte" has such access from law enforcement agencies for personal messages - this is not entirely true. If you just look at the history of court requests for disclosure of information, how Vkontakte very cleverly (in this case, Mail.ru) fights off these requests.
They always have the main argument: according to the law, law enforcement agencies must argue why access to personal messages is needed. As a rule, if this is a murder, the investigator always says that most likely the person said where he hid the weapon (in private messages). But you and I understand that not a single sane criminal will ever write to his accomplices on Vkontakte about where he hid the firearms. But this is one of the most common options that officials report.

And here is another such terrible example (I was asked to give terrible examples today) - about Russia (I hope this will not happen in Belarus): according to the law, the investigator must have sufficiently good reasons for the operator to disclose this information. Naturally, these reliable parameters are not described anywhere (what, in what form they should be), but in Russia there are now an increasing number of precedents when such a basis appears for the court if there is a certain model that predicted a certain, good or bad, behavior.

That is, in our country no one can be imprisoned (and this is good) for being included in some statistical sample of purebred murderers - and this is good, because it violates the presumption of innocence; but there are precedents where the results of such forecasts have been used to obtain judicial clearance for data. Not only in Russia, by the way. In America, there is also such a thing. There, the Palantir has also beaten everyone for a long time, such things are used. Scary tale.

This is my research. We did this: we walked around St. Petersburg, in places of green dots we wrote some key points to friends from “clean” accounts - like “I want to drink coffee”, “where can I buy washing powder?” and so on. And then, accordingly, they received geo-referenced advertising. In some magical way ... Or as they said: “Coincidence? Don't think!" These are personal messages on Vkontakte. Forgive me Mail.ru, but it's true. Anyone can repeat this experiment.

By the way, when they wrote a statement in support, Mail said that there were Wi-Fi points that captured your MAC address. There is such a thing too.

Methods for obtaining and common options for "draining" personal data

The next story is the extraction of additional knowledge, a piece of which I actually touched. In fact, a completed person's profile in social networks really carries 15–20% of the real knowledge that the data operator stores about him. The rest of the story comes from very interesting things. Why do you think Google is developing libraries for computer vision so much? In particular, they were among the first to develop libraries for actually analyzing and categorizing objects - in the background, in the foreground, no matter where. Because this is a huge source of additional information about what kind of apartment a person has, a car, where he lives, luxury goods ...

There was a bunch of “hacker” stuffing when trained Google neural networks merged (I don’t know whose they were, but nonetheless). There were a lot of interesting things about the size of the chest, waist circumference - that only people did not try to find out about other people based on the analysis of photographs. Because when a person takes a photo, he doesn’t always think about how many interesting things you can learn from it? And how many passports for newborns are laid out in Russia? .. Or: “Hurrah, my baby got a visa”! This is generally the pain of modern society.

Such an off-topic (today I will share facts with you): in Moscow, the most frequent leak of personal data is housing and communal services, when a list of debtors is hung on the door, and these debtors then sue because their personal data got into open access without their permission. What if this happens to you ... The bottom line is that when a person does something, he does not know what was in that photo, what was not. There are a lot of car numbers now.

We once conducted a study - we tried to understand how many people with open pictures of cars (they have, respectively, offenses and so on) - this, unfortunately, could only be done using the merged traffic police databases, where there is only a number (not very reliable information), but it was also interesting.

Your next ad depends on how you "consumed" the previous one.

This is the first story. The second story is behavior patterns, the content that a person consumes, because one of the most important metrics that social networks are trying to build about you is how you interact with ads. No matter how accurate, “awesome” algorithms are, no matter how wonderful artificial intelligences and everything else works, the real priority of a social network is always to make money. Therefore, if the conditional “Coca-Cola” comes and says - “I want all the inhabitants of Belarus to see my post”, they will see it, regardless of what the algorithms think about this person, how to target him there. You probably received ads, in addition to super-super-targeted, nonsense completely unrelated. Because a lot of money was paid for this unrelated nonsense.

But one of the main metrics is to understand what content you interact with the best, namely, how you react to it in order to show you a similar advertising story. And accordingly, this is a metric of how you interact with advertising: who bans it, who doesn’t, how a person clicks, whether he reads only headlines or completely falls into the material; and then based on that, continue to keep you in this, as it is now called, "filter bubble", so that you continue to interact with this content.

If suddenly you are ever interested, you try for a long time, within a week, maybe a month, just ban all ads from social networks in a row: you are shown some kind of ad - you close it. If you analyze this and put it on a graph, there will be an interesting story: if you ban ads for a week, the next week it will show you in an enhanced version and generally from different categories; that is, conditionally, you love dogs, and ads with dogs are shown to you - you banned all dogs, and then they will start showing you all kinds of versatile nonsense from different options in order to try to understand what you need.

And then, in the end, they will spit, mark you as a person who does not interact with advertising, put a conditional cross on you, and at that moment they will start showing you ads of exclusively rich brands. That is, at this moment you will see ads only for Coca-Cola, Kit Kat, Unilever and all the people who are making huge money, because you need to get views. Within a month, conduct an experiment: ban all ads for one or two weeks, then you see everything in a row, and ban it - in the end, you will only see ads, as it turns out (and advertising agencies say), only customers who pay for views, because it is impossible to understand how you interact with this ad.

Porn is more often watched by those who tend to dive deep into the content

Accordingly, here is a story about all kinds of behavior tracking. I have such an interesting example - visitors to a government website. The funny thing is, the more depth of viewing people have, the more of those people prefer porn viewing to traditional relationships. “Sorry” that I talk about this topic all the time, but I actually have a very good relationship with Pornhub, and these are always very interesting studies, because this is a topic that is kind of taboo, but it tells a lot about a person. And the following points about the return of traffic that follow from here ... We will also remember about Pornhub!

What is considered personal data and can an iPhone be unlocked with a 3D face model?

My favorite is circumvention of the law on personal data. If you read the technical documentation of the same Facebook that provided some internal documents (for example, to the court), you will not find any mention of either face recognition or voice analysis. There will be very complex language that no qualified lawyer will find inside the legislation. We work in much the same way in Russia - I'll show you such a thing now.

What do you see here? Any normal person would say that face. This is Sasha Grey, by the way. And legally, this is a matrix of some three-dimensional points, of which there are 300 thousand pieces. For better or worse, this is not considered personal data by law. In general, the Russian RKN does not consider one photo to be personal data - it considers it personal data if there is something else nearby (for example, a full name or a phone number), and this photo itself is nothing at all. As soon as the law on biometrics was introduced, and biometric data was equated with personal data (so, very rudely), everyone immediately began to say: this is not biometric data, this is an array of points! Especially if you take a direct or inverse Fourier transform from this array of points, it seems like you cannot deanonymize a person back from this transformation, but you can identify him. Purely theoretically, this thing does not violate the law.
I also did another study: this is an algorithm that builds a three-dimensional reconstruction of a face from open sources - we take an account on Instagram and then we can print the face on a 3D printer. Who, by the way, is interested, I have a link in the public domain; if suddenly someone wants to unlock someone's "iPhone" ... It's a joke - "iPhone" cannot be unlocked, the quality is reduced there.

Private profile is a plus for security

This is the first thing, and the second ... I have already touched on the fact that information is mainly obtained from the user's environment. I drew this picture in 17: the average user of Russian social networks is inside, he has an average of 200-300 friends, his friends of friends and his friends of friends of friends.

Thanks to social networks for introducing smart e-feed algorithms, integral years, ostensibly to increase the likelihood of you encountering some interesting content. This is the number of people who can at any random moment see the content that you produce, even if your account is limited only by the upper levels of privacy (only for friends of friends and so on). Here are the friends of friends:

If someone thinks that when he chooses to see “friends of friends” in “My posts” on VK, then three handshakes is about 800 thousand people, which in principle is not so small, but depends on your content. Maybe you are doing some indecent streams, and all these friends of friends can interact with this content. One of them can repost something somewhere, all people have a like feed, which in fact is most likely to be canceled, because this is not a very personal thing. Therefore, at any time, the content can get somewhere.

VK that year also launched super-closed profiles, but so far a very small number of people have used them (I won’t say which one, but a small one!). Perhaps someday people will think of this - I really sincerely hope so. All research is constantly aimed at making people understand the scale of the problems. Because until someone in particular is touched by some terrible things, they will never think about it. Go ahead.

Government agencies do not know what personal data is and are in no hurry to define it

Any specialist in the field of personal data law always says the following: you never need to combine different data sources, because here you have e-mails (this is just personal data with some kind of anonymized identifiers), here - full name ... If you combine all this, it seems like they will become personal data. In general, it would be right to touch on this topic first, but I think that you are already immersed in it and are aware, maybe, how the law works.

In fact, no one knows what personal data is. Important concept! When I come to government agencies, I say: “A bottle of cognac to someone who says what personal data is.” And no one can say. Why? Not because they are stupid, but because no one wants to take responsibility for themselves. Because if Roskomnadzor says that this is personal data, tomorrow someone will do something, and they will be to blame; and they are executive authorities and generally should not be responsible for anything.

The bottom line is that the law clearly states that personal data is the data by which a person can be identified. And there an example is given: full name, home address, phone number. But you and I know that a person can be identified both because of how he presses the buttons, and because of how he interacts with the interface, and by other indirect parameters. If anyone is wondering, there are a huge number of loopholes in almost every area.

Identifiers that reveal us

For example, everyone started to put points to capture MAC addresses (you have come across this for sure?) - smart (or I don’t know, greedy) manufacturers of mobile equipment, like Apple and Google, quickly introduced algorithms that give out a random MAC address so that you cannot be identified when you walk around the city and send everyone your MAC address. But the smart guys thought of the next story even further.

For example, you can get a mobile operator license; having received a license from a mobile operator, you will get access to such a thing - the SS7 protocol is called, according to which you will see a certain broadcast of mobile operators; there are a bunch of all kinds of identifiers that are not personal data. Before that, it was IMEI, and now - literally someone took it off the tongue and decided to maintain in Russia (such an initiative) a single database of these "IMEIs". It kind of is, but still.

There are, for example, a bunch of identifiers - for example, IMCI (Mobile Equipment Identifier), which is neither personal data nor tied to some other things and, accordingly, it can be stored without any legal prosecution, and then these identifiers can be exchanged with someone in order to communicate with the person later.

The culture of working with personal data is at a low level

In general, the bottom line is that everyone is now very much concerned about merging data from one to another, and most companies that do this merging sometimes do not even think about it. For example, a bank came, entered into a non-disclosure agreement with a company that does scoring, dumped 100 thousand of its customers ...

And this bank does not always have a clause in its agreement on the transfer of data to third parties. These clients were scored somehow, and it’s not clear where this database went afterwards, or didn’t go - in most companies in Russia there is no culture of deleting data ... - this “excel” is sure to hang around somewhere on the secretary’s computer later.

Our data can be sold with every in-store purchase

There are a lot of schemes that seem to be near-legal (that is, legal). For example, the story is as follows: of the 15 largest Russian banks, only two act as their own SMS gateway - Tinkoff and Alfa, that is, they themselves send their own SMS. Other banks use SMS gateways to send SMS to end customers. These SMS gateways almost always have the right to analyze content (for example, for security and some conclusions of their own) in order to then sell aggregated statistics. These SMS gateways are "friends" with fiscal data operators that handle receipts.

And the following happens: you came to the checkout, the fiscal data operator (whether you gave your phone number or not - somehow it is tied there) ... you receive an SMS on your phone number, and the SMS gateway sees the last 4 digits of the card and the phone number. From the fiscal data operator we know at what moment you made a transaction, and from the SMS we know (by now) which number received the message about the debiting of such and such a sum of money from a card with such and such last four digits. The last four digits of the card are not your identifier, they do not violate the law, because you cannot be deanonymized using them, and neither is the transaction amount.

But if you have an agreement with the fiscal data operator, you know in what time window (plus or minus 5 minutes) this SMS should arrive. Thus, you were quickly tied to your phone number in the OFD, and your phone number is tied to advertising identifiers, in general, to everything-everything-everything. Therefore, you can then be followed up: you came to the store, and then they send you some more nonsense without permission. I think there is hardly anyone in this room who has ever filed a complaint with the FAS about spam. Hardly anyone ... Except for me, I guess.

Papers are an archaic but effective way to fight for your rights

It works very cool. True, you will have to wait a year and a half, but the FAS will actually conduct an audit: who, how, to whom transferred the data, why where, and so on.

Question from the audience (hereinafter - W): - There is no FAS in Belarus. This is a different country.

OH: - Yes, I understand. Surely there is something similar...

Objections come from the floor

OH: - Okay, bad example, sorry. It doesn't matter. Among my friends, I don’t know anyone who, in principle, knows about the existence of such a story - that you can go write, and then they will work for another year.

The second story, which is also developing very much in Russia, but I think that you will find an analogue in your country. I really like to do this, when a government agency does not communicate well with you, some bank or something else - you say: "Give me a piece of paper." And you write on a piece of paper: “According to clause 14 of the 152nd Federal Law, I ask you to process personal data in paper form.” I do not know exactly how this is done in Belarus, but it is certainly being done. According to Russian laws, they do not have the right to refuse you a service based on this.

I even know many people who sent similar messages to Mail.ru and asked to keep a record of their personal data in paper form. Mail.ru fought this off for a very long time. I even know one Yandex developer who got trolled: they deleted his VK account and sent him a bunch of printed screenshots and said that they would send him screenshots every time he wanted to update his page.

It’s funny, but nevertheless, this is a real alternative if someone really cares about the data, on the one hand ... And on the other hand, the same RKN told me that this agreement on the processing of personal data is a formality, and the law provides for several more ways to give this consent. For example, I was invited here to an event, and Human Constanta may not have to enter into an agreement with me on the processing of personal data within the framework of Russian laws (because the very fact that I arrived and agreed to speak is consent to the processing of personal data), yet they still take these paper permits. But the RKN told me a similar thing, that it’s not a fact at all that most likely they will someday disappear.

I hope that in Russia they will never create a single operator, God forgive me, of personal data, because the only thing worse than putting all personal data in one basket is putting it in the state’s basket. Because who knows what will happen with all this.

Companies share personal data, and laws do not regulate it well

Most companies exchange some kind of data and identifiers among themselves. It can be a store with a bank, and then a bank with a social network, a social network with something else ... And in the end, these people have a certain critical mass of knowledge that can be used in some way, and, true, they are all now trying to keep this knowledge on their side. But nevertheless, it then still gets into some kind of advertising traffic or somewhere else.

The transfer of data to third parties is the most fun there can be, because the laws do not describe what kind of third parties they are, or in relation to whom they should be considered “third parties” at all. By the way, this is a very common phrase of American lawyers - they have "third parties" there - whom do you consider third parties: a grandmother, a great-grandmother?.. There was even such a precedent in America when someone's data was disclosed, a person sued, and they proved that this person knows the owner of the data through several friends - a certain number of handshakes; they cited some strange sociological studies - thus proving that these people cannot be considered third parties to each other. Funny. But the fact of transmission of such data is very common.

Even if you go to a site that has an identification counter, this counter has the right to transfer the data of this traffic somewhere (“Clickstream”, owners of advertising platforms of any kind, Pornhub, for example). As for Pornhub, if one of you is a web developer, you can go and see how many tracking pixels are on the Pornhub website. You just go in - and a huge amount of JavaScript is loaded, supposedly to improve the site. In fact, cross-domain cookies are also set there, and what not, because this information is always highly valued in the clickstream market.

"Facebook" dodges and is not going to take off the mask

Naturally, none of the major players ever tells anyone to whom and how they sell data. Because of this, for example, Europe is now trying to sue Facebook. Just after the introduction of the GDPR, the European Union is trying to shake out of Facebook a disclosure of its algorithms for reselling data to third parties.

Facebook doesn't do this and says publicly that it doesn't because they are a "corporation of the world" (I'm quoting this from an email they sent me), they are "against the misuse of technology" (especially if you are selling facial recognition to the Kremlin). In general, the bottom line is that Facebook is not being quite honest here: its main concern, and the main thing that will happen as soon as such a mechanism is revealed, is that it will be possible to realistically calculate the margin on advertising, it will be possible to understand the real cost of advertisements.

Roughly speaking, Facebook tells you now that the cost of an advertising display is 5 rubles, and we sell it to you for 3 (and, like, two rubles remain for us), and they, supposedly, receive 5% of the profit from these advertising impressions. In fact, this is not 5%, but 505, because if this algorithm comes out (to whom and how Facebook sent “clickstream”, visit data, pixel data to all kinds of advertising networks), it turns out that they earn much more money than they say. And the point here is not the money itself, but the fact that the cost of a click is a ruble, but in fact - hundredths of a cent.

In general, the bottom line is that everyone is trying to hide such a transfer, it doesn’t matter - advertising, non-advertising traffic, but it is there. Unfortunately, there is no way to legally know this, because the companies are private, and everything they have inside is their private law and their trade secret. But stories like this come up all the time.

Drug dealers are predictable and get "burned" on "Avito"

The last picture from this presentation. It is funny, and its essence is that there are certain categories of people who are very worried about their personal data. And it's good, actually! This example is about such a category of people as drug dealers. It would seem that people who should be very worried about their personal data ...

This is a study that was carried out at the beginning of that year under the supervision of the competent authorities. Yes, this is a script that was given money to buy drugs in Telegram, in Tor, but only from those people who could be identified.

In fact, almost all drug dealers in Moscow get burned by the fact that their phone number is not in any open sources at all, but sooner or later they will sell something on Avito, by which it will be possible to understand the approximate location of these people. The bottom line is that the red dots are where people live, and the green dots are where they go to leave you know what. It was one of the parts of the algorithm that predicted the deployment of patrol services, but these Moscow guys always try to somehow go diagonally, away.

They believe that if they live from the top left, then they should go from the top right and they will definitely never be found there. What I'm telling you is that if you're trying to hide from the ubiquitous algorithms, the real coolest option is to change the behavior model: install some sort of "Guest" to randomize visits, possessions, and so on. Yes, Lord, there are even algorithms, plug-ins that change the size of the browser by a couple of pixels so that it is impossible to calculate the signature, the “fingerprint” of the browser and somehow identify you.

That's all I wanted to say. If you have questions - let's go. Here is a link to the presentation.

Question from the audience (B): – Tell me, please, in terms of using Tor, in terms of traffic tracking… Do you recommend it?

It's hard to hide, but it's possible

OH: - "Tor"? No to "Tor", in general, in any form. True, I don’t know how it is in Belarus - in Russia, in no case should you go there, because almost the majority of verified “gracenodes” suddenly add some packets to your traffic. I don’t know which ones, but if you look: there are “nodes” that mark traffic, it’s not clear who does it or for what purposes, but someone marks it in the header so that you can understand it later. In Russia, all traffic is now stored, even if it is stored in encrypted form, and everyone trolls the Yarovaya Package about the fact that encrypted traffic is stored, but it remains marked, that is, it cannot be used, it cannot be decrypted ...

W: - In Europe, it has been stored for a long time, probably ten years.

OH: - Yes, I understand. Everyone laughs at this - like, you store https that cannot be read. The content cannot be read, but it is possible to understand where the packets came from with certain algorithms - by the weight of the packets, by the length, and so on. And when you have all the providers under the hood, there are, accordingly, all the backbone equipment and all the passports ... In general, do you understand what I'm talking about?

W: What browser do you recommend using?

OH: For Tor?

W: - Not at all.

OH: - Well, I do not know. I actually use Chrome, but only because the developer panel is the most convenient there. If suddenly I need to go somewhere, I will go to some cafe. True, there you should not log in with a real SIM card.

W: You were talking about some students. Do you teach or run any courses?

OH: – Yes, we have masters in data journalism. We train journalists to collect data, analyze - they periodically do such studies.

There are no secure apps

W: - It is not safe to communicate with friends on Facebook, Vkontakte, so as not to receive contextual advertising later. How to improve security?

OH: – The question is what do you consider an acceptable level of security. In principle, the word "safe" does not exist. The question is what do you think is acceptable. Some consider it acceptable to share intimate photos through Facebook, and some intelligence officers believe that everything that was said through the mouth, even to the closest person, is in fact unsafe. If you don't want the social network to know something about it, then yes - it's better not to write about it. I don't know about secure applications. I'm afraid they don't. And this is normal in terms of the fact that any owner of any application needs to somehow monetize it, even if this application is free or it is some kind of media. It's kind of free, but it still needs to live on something. Therefore, nothing is safe. You should only decide for yourself, so to speak, what suits you.

W: – What do you use?

OH: – Social networks?

W: - From messengers.

OH: - Of the messengers, I use the main state messenger of the Russian Federation - Telegram.

W: - Viber. Is it safe?

OH: - Listen, I'm not very good at instant messengers. To be honest, I'm not in security, I don't believe in anything, because that would probably be very strange. Although Telegram is kind of like open source, and its encryption algorithms have been disclosed. But this is also such a tricky thing, because the “open-source” client is there, and no one has seen the servers. I think not: Viber has a lot of spam, bots, and so on. Who knows. I don't think this works very well.

Who is more dangerous - corporations or the state?

Host (B): - And I have a question for you. Look, you mentioned this a couple of times in passing – that the state… Too much data is not very good… A corporation has too much data. Well, that's just life, right? So who should one be more afraid of - corporations or the state? Where are the pitfalls?

OH: - That's a very difficult question. It is borderline. A difficult ethical barrier. A person, if he has nothing to fear, if he did not break the law, in principle, why does he need privacy? Although I don’t think so – it is the state that thinks so. Maybe there is some grain of truth in this. Listen, I'm most afraid of hackers - some kind of horror like that. In fact, the most horrible thing that I have seen in my life (out of this entire topic): about a year and a half to two years ago, a pedophile was caught in the Moscow region, and during investigative actions several tutorials on Python and scripts for the VK API were found on his computer. He collected the girls' accounts, analyzed which of them was nearby, collected the content that they ... In short, you understand. That is the most horrible thing I have ever seen. And I'm really afraid of this, that at one fine moment someone will do something like that.

Another little “offtopic”: the European Organization for State Security made a report that year that the number of thefts from bank accounts increased by about 20 percent, by 25 or something, when the secret question was hacked. Just think about your secret question at the bank right now, and see if I can find out the answer to it from open sources. If you have your mother’s maiden name or favorite dish there ... In general, people analyzed accounts, based on this they understood the nickname of their beloved pet - something like this ...

W: - You said that companies, corporations collect the necessary information using algorithms? Are you sure you know how?

OH: - There was a movement of people who at one time ran photographs through a special filter so that this filter would break the analysis of images, so that it would be impossible to somehow identify these people later. Here I gave you an example that Facebook was struggling with the cryptography of messages. And if this thing appears and becomes widespread, social networks will surely fight it. Plus, image recognition now works very well, and it comes down to the fact that at the level sufficient to "break" this photo (in order to "break" the algorithm that recognizes these images), most likely nothing in it will be discernible.

All sorts of glitch filters work well if it's a strong direct shift in half of the photo. Your account will then acquire all the colors of LSD. Purely theoretically, I don’t think it’s very scary if Facebook, for example, finds out what kind of car I have - probably if I don’t log in to the car through Facebook.

The law of oblivion works, but not on the Internet

W: - Have you encountered a user who would force you to respect him, delete him, gain access. You operate with large arrays of data, you probably notify about it. People can contact you. How many percent?

OH: - I'll tell you now. Now this is where it gets really interesting. Now I’ll count how many people will come, because after the event, always 15-20% come in, fill out a form for deleting data - there is such a thing. In reality, this is somewhere around 7-8% of closed accounts that we do not analyze, and about 5 out of a thousand people who ask to delete their data. This is very small, even in my humble opinion.

The problem here is this: there is such a thing as the law of oblivion. But the oblivion law, at least in Russia, legally only applies to search engines. It says right there: search engines. And that is the removal of only links to materials, and not the materials themselves. In reality, in order to remove something from the Internet, you will have to bypass all these sources, so I don’t believe in it in principle. We try to warn users that they need to think first before publishing.

While this percentage is very small - 5-7 people out of thousands. By the way, about the law of oblivion: everyone knows such a cool case “Sechin vs. RBC”. The Law of Oblivion worked, the article was removed, but it is everywhere. You understand that if something once got on the Internet, then it will never disappear from there.

Users are deleted, but they are identified by typical behavior

W: - Don't you think that people who delete their accounts and try to become a "black hole" will be at a greater disadvantage relative to other economic agents?

OH: - Most likely, yes - this position will be unprofitable for them. There are a bunch of discounts and offers that depend on them. But, purely theoretically, if a person deletes an account now ... It is popular with all extremists to delete an account and make a fake, but continue to interact with the same content - this person, again, can be identified (especially if it is within the same social network, from one computer - this is generally a question); simply by the content consumption model it will be possible to find this person, if there is such a task.

I hope that in the next 5 years there will be some kind of technology for monetizing this data, when it will really be possible to pay money to a person - you yourself will pay and we will not use my data. And I think that if a paid subscription is introduced on some Instagram, no one will use it, so the alternative is to pay users for their data. But it's not very soon, because the lobby of scary corporate guys will not allow such a law to be passed, although it would be cool. But here the point is that it is impossible to estimate the real value of the data of one person at any particular point in time.

Facebook is a bunch of guys

W: - Good afternoon. More recently, there was news that Facebook intends to integrate all of its projects, including Instagram and Facebook, WhatsApp, and so on. How, in your opinion, from the point of view of personal data, when now these programs hang separately on my smartphone, but they still belong to Facebook? .. What will happen next?

OH: - I understand. Legally, they already belong to Facebook, and it can unite them uncontrollably within itself, so I think that nothing will change. The only thing is that now it is enough to hack one application in order to get everything at once. And Facebook... I hope they're watching. In general, these guys are terribly full of holes in all places.

Recently, a lot of information has appeared about this - about data leaks from Facebook. This is not because Facebook suddenly began to lose this data, but because the GDPR now forces the company to warn in advance. And the biggest penalty is if there was a leak, and the company kept silent about it, and therefore Facebook is now talking about it. This does not mean that these data leaks did not exist before.

W: - Hello. I have a question about data storage. Now each state introduces a law on the fact that the data of citizens are stored on the territory of this state. What condition is enough to meet in order to comply with this law, for some international application?.. For example, Facebook: there is only one database...

How to comply with these conditions?

OH: – Listen, legally you just need to rent a server in this country and put something on it. The problem is that there is no competent regulatory body. Facebook data does not lie in Russia. Roskomnadzor is fighting them, fighting, fighting, fighting... Facebook has a part of the servers where the interface of this very Facebook is located, and it is impossible to check where the data is in fact, how they are synchronized.

W: – Check traffic?

OH: – Check traffic? Yes. But the traffic can then go to some backbone point. Plus, between the servers there can be something like a VPN or something else. Purely theoretically, it is impossible to control in any way that, say, a system administrator at one fine moment will not go to this server and will not take something from there. That is, this law was made not for the sake of data protection, but for companies to open representative offices, pay taxes and keep hardware in the country. But in my opinion, this is some very strange initiative, to be honest.

W: - That is, it is enough to actually check the interface?

OH: Someone can come to you and check that you have data there. But you can show some "excel", and no one can check it, hardly anyone will check it. Now they simply look at IP addresses: that the IP address associated with the domain is located on the territory of the country - they do not check further. Now, probably, they will come to me to check.

There are no services that you can trust 100%, but decent people have nothing to fear

W: - There was such news, reprinted in many places: a dude from Microsoft posted it, made a service to check his ...

OH: - Something like: have your passwords been leaked? In fact, after the same leaks on Facebook, the same Facebook always launches some kind of backup sites where you can check that it is not included in this database - again, this is required by the GDPR. That is, if you do not do such a thing, then you will not be very good. Therefore, everyone now presents these projects as “this is our initiative”; in fact the law requires it. This is actually a very cool thing, but I would not really trust such verification services if you need to send something more complicated than your password there, because many people have the same passwords.

W: - You just enter your e-mail there, and they already say how many times it was compromised ...

OH: – I really don’t trust such things, because later it’s very easy to link you to this browser, to a real account. Especially if you use the services of the same people who launched this site. It's like it was the year Facebook sent it in: if your intimate photos are leaked to Facebook, you send them to us, and we'll check where they were mentioned.

I don’t know what kind of PR nightmare this is and who at Facebook came up with it, but it really happened. They wanted to check whether anyone had sent your nudes in private messages. In principle, this pursues good goals, but it is as strange as possible. I wouldn't trust it.

W: - And one more question. For the average user, how high are the risks of a leak? Risk of damage from leaks.

OH: - I understood you. It depends on what kind of data is stored. I think not very high. The worst thing is if e-mails and passwords leak somewhere, and you have this password everywhere, then yes. In general, I think that users have little to be afraid of. Unless, of course, they store some kind of dismemberment in Google mail. There were a lot of examples.

The most famous story is in Google, when a girl was kidnapped in Utah, they could not find her, and at one fine moment the kidnappers sent her pictures in an archived attachment. And Google, scanning this attachment, found signs of child pornography. Everyone was found. And they still managed to sue Google for violating the secrecy of correspondence. This trial has been going on for quite some time. But nevertheless, I believe that an ordinary user has nothing to be afraid of if he does not post, say, his passport in the public domain. This is a double story - depending on what kind of data and what kind of user. Maybe now it's okay, but in 15 years, when he becomes some kind of official, then some of his materials will surface.

How is it working with the state?

W: - Thank you. You spoke a little about the fact that you are doing research for the state, state bodies, services, and working with them. Maybe you can tell us a little more about some current projects. Even more, if you can, about ... Two questions: the first is current projects, and the second is whether there were any such proposals from public services ...

OH: - Indecent!

W: - Yes. When you thought maybe you shouldn't do this.

OH: - I'll tell you. I tell everyone this. This man and I had a long fight on Twitter. From the Milonov team on Twitter, I somehow received a question about finding teachers who watch gay porn. We immediately said no. But there are some, letters often come, and very often it is connected with some kind of oppositionists, rallies. We do not deal with such nonsense, and so everyone pours shit over us. I am not ashamed of it.

We have the following policy regarding the “states”: we develop software, software for three-dimensional reconstruction, face recognition, data analysis. What exactly they do is very difficult to say, but from the models it is crime prediction, what is connected with state security inside the city, the movement of people, geomarketing, and so on. From the placement of objects in the inner city environment to the identification of pedophiles, rapists, maniacs and all sorts of bad guys.

Honestly, we did not deal with any oppositionists. Maybe they don't tell us about it to our faces. In fact, this is a very big problem - cooperation with the "states", because they do not always explain what the task is. They tell you: make software for identifying housewives, but they are actually going to do something else with it - everything breaks down there.

Plus, the state is a very interesting and strange client that is constantly trying to put some three pennies into your research, and often their approaches and understanding of machine learning are very superficial. For example, I have a separate lecture on machine learning errors. I always cite there as an example, when we were making a crime forecasting system in the Moscow region, the customer said: where they sell watermelons, please increase the coefficient four times. And then it actually turned out that the places where watermelons are sold are not criminal. These are simply errors of the fact that a person contributes his thoughts.

In short, the state is a cool client, there are a lot of interesting tasks there. Most come down to similar models of predicting something. Most often it is some kind of urban infrastructure.

W: – Are there any sources where you can follow your research? A lot of information. As I understand it, a lot of it is still left overboard. Your pages, something else...

OH: I don't have personal pages.

W: - Probably, Facebook has already been closed?

OH: - About four months ago there was a story: they sent us all such large letters that “you are freaks, you sell everything to the Kremlin, you violate all the rules of Facebook”. They even sent a letter to my dog: “Hello, Mars Blue Corgi, you are collecting data!” and so on. Look, we're rebranding now. In two or three weeks we will have a website and everything will be updated. You can watch this. But we are very lazy just in this regard.

How can you determine the reliability of a VPN?

W: - You said that you would go to a cafe without identifying yourself there by your phone number. Under what, then?

OH: - You can’t say - under someone else’s, because this is a call to violate the identification regulations. No no no. I'm kidding. Now almost all cafes identify everything in a row - there is not only a phone number, there are a bunch of pixels, there is device identification, a MAC address, and what not, in order to use it later - from advertising purposes to operational search activities. So you have to be very careful with things like this. Not only can you write something, but they can write from your device, and then something will happen.

You may have seen the story that they are now investigating how (in Belarus, by the way, too) they rent out Facebook accounts, such as for casino advertisements. But in fact, it is not known for what, they also give access to a computer. These are the things you should be most careful with. If you decide to write something anonymously from somewhere ... I would come to a cafe and turn on some cool VPN. But in fact (again, I'm not pointing fingers at anyone), when you have an account in a VPN, you check who owns this VPN, which company, who owns this company, and so on. Because most players in the VPN market are not exactly good guys.
Well, it doesn't matter in Belarus. In Russia, a good VPN is checked by whether azino777 is blocked there or not. Because if not, then there is a good chance that this VPN service will be closed within a week. Basically, check everything.

About auto-delete messages

W: - You talked so much about private messages that their social networks are read ... But, for example, Facebook has secret private messages that can be put (besides that they are also encrypted) for destruction. How can you comment on this?

OH: - No way. Firstly, I am not a super professional in cryptography, and secondly, the problem here is that no one has seen the Facebook server, no one knows how it all works there. Conventionally, in some specification it is written that this is end-to-end encryption, but it may not be like that, or it is end-to-end, but with some kind of errors or something else. It makes sense to use such a thing if you are afraid that the person to whom you sent it will at some point try to do something.

Telegram has a handy feature for sending intimate photos that are self-deleting: when you try to take a screenshot, it is automatically deleted. The iPhone has a screen recording function, and you can record screen video and so on ... I just get sent materials with this function very often (auto-delete) - I never understand why. I can download right now! It's all up to you.

Social rating in China: myths, reality, prospects

В: - I actually abuse a little, although I don’t need a VPN (by the way, we have a verified VPN). A question about ethics. We have a wonderful friend from Kazakhstan, we also brought him with a lecture. Somehow they sat with him at some conference where they talked about different things, and he says (and he is engaged in cybersecurity, that is, in its purest form, engineering security, a person who is interested in technical solutions): “Here, he returned from China. They do such a cool thing there - social rating.” By the way, have you researched anything on this issue, how does it work for them?

OH: – We sell scoring in Russia, I know a lot about it.

В: - So I have a question, what would you say more about this - about what, perhaps, all of us are waiting for in the future. But another question about ethics. He said so happily: “An interesting engineering solution!” Do you have your own code of ethics?

OH: - Yes, by the way, there is. Two years ago we introduced it - just after the story with Milonov, we decided to somehow rank these projects. Returning to the rating: this is one of the super popular questions, because the media very strongly demonize this whole story - that people are not allowed to go abroad, they are killed by a laser from the moon. I bring you, again, engineering pieces ...

If you start digging into this story, look at what parameters are included in this social rating, you will understand: it includes closed alimony, criminal record, credit history, that is, from an engineering point of view, a really awesome thing. You live without breaking the law, you live well - they give you a low interest rate on a loan. You have an important social work (for example, a teacher) - they give you suitable housing. At first, this confused everyone, because at first the story was leaked that if you write badly about the president, then your rating will be lowered. Although there was no evidence. In defense of the rating, I will say, against the rating, I will say that no one has seen the algorithm, what parameters are actually used there.

Then a story appeared that more than a million people were not allowed to go abroad, they were forbidden to leave. In fact, this is not quite the exact wording. When you receive a visa (for example, to Europe), you are given a visa at the rate of “70 euros per day” (something like that); If you don't provide proof of income, you won't get a visa. In China, the local Foreign Ministry decided to go a little further: it simply immediately warned people who did not have enough money that if you wanted to go abroad, you would not have enough money. Accordingly, all this was then sent to the concept that the poor are not allowed to go abroad. This is a complex ethical thing, it borders on a certain presumption of guilt or innocence, but in fact I cannot give an assessment.

People kill, not guns

The main thing to understand is that all these algorithms that society condemns are not the problem with the algorithms. Algorithms simply made it possible to analyze a large “volume” of people very quickly, and this social problem was raised to the top. That is, the Microsoft bot that learned from the tweets and became a racist is not the bot's fault, but the tweets it read. Or a company that decides to build a model of an ideal employee by analyzing the current ones, and it turns out that this is a white, gender-male with a higher education.

This is not a model - racist, sexist or something else; these are the people who hired these people (they were right, they were wrong - it doesn’t matter). Everything just borders on the fact that artificial intelligence is evil, bad, and it will destroy the world, but in fact ... If conditionally now, for example, the Russian government passes a law stating that oppositionists are not given free education, and they write software there that identifies and deprives them of this free education - it's not the algorithm's fault. Although no one supports this concept of mine, because - when I say that it is not weapons that kill people, but people - "you are a fascist" and so on.

In general, this is really a very cool engineering solution. It is necessary to understand why this, for example, will not happen in Russia. You [in Belarus] will not have this, because you are a European state, everything is fine with you. This will not happen in Russia for many reasons: firstly, we do not have the same level of trust in the law enforcement system as in China; we don't have that level of digitalization. Why did it work out in China? Because the government: they have digital medicine, digital insurance, digital police. And someone smart thought: let's put it all together and do it - in fact, this is a loyalty program. There are more goodies than "not goodies".

Therefore, yes - I think that this will not be introduced in Russia. We must first digitize the entire Ministry of Health (and this is a task for 50 years) - someone has to lay down their lives to do this, but no one, of course, will do this. On the other hand, Russian banks are the best in the world in terms of scoring people, they don’t do anything: “Yeah, man? Do you like young girls? Here's a credit card for your mistress.” It's very advanced there. For example, in America, such scoring is prohibited almost everywhere, because there are laws according to which the bank is obliged to explain to you why: “Aha! Because the Social Data Hub company keeps history for 10 years, and now - this and that gave out about you! And let's sue both one and the other!” We don't have stories like that.

Why are the statistics suppressed?

In principle, I support scoring, if it's not some kind of "totalitarian" story. But the whole point is that it is impossible to predict, evaluate. This is the hardest story in big data ethics to predict the social impact that will be there in 15 years. For example, I beg the prosecutor's office for a very long time to open information about crime. Crime statistics are one of the cornerstones of any statistics; everyone really wants this. But, for example, in Russia, criminal statistics are not opened for a very simple reason: they are afraid to disrupt the demographics within cities. They believe that people will stop living in some cities, even inside the city everything will somehow be redistributed. For the same reason, the USE statistics are not disclosed - you yourself understand that people will go to some schools, and not to some.

Perhaps this is correct, perhaps not, but there were many projects ... For example, Yandex at one time (again, according to the “yellow” rumors, I didn’t see it, I don’t know) decided to add the number of attacks on taxi drivers to the real estate forecasting model, that is, some kind of approach to the level of crime, counting the number of taxi drivers' complaints that someone harassed them, threatened them, and so on. They quickly turned back inside the company so as not to do such things.

W: – You communicate with students, communicate with the audience in your country, in our country. You noticed from the number of questions from the audience that we are still at that stage of development when we think that we need confidentiality, that we can hide from someone, protect our data without providing it, hiding it, encrypting it. If the European Union has already moved to the next stage, the stage of privacy, which implies control over data - to force everyone who collects your data to give you effective control over them ... By samples by region, by social strata - which of the categories of citizens, people, has already moved more to the second stage, and who is still mostly sitting on the first one?

Who is most concerned about the security of personal data?

OH: - The total majority ... I would say: everyone does not care! It excites now top-managers. The cities in Russia are Moscow and St. Petersburg. The active center is IT specialists, designers, creative professions, everyone who knows how to filter content, gain new knowledge, with a high level of interest in international issues. Basically, these are top managers; yes, IT specialists (not counting security specialists); bankers - that is, all the people who can somehow be affected by a data leak.

If, for example, the data of some householder from some Kaluga is stolen: it is unlikely that something will seriously change in his life if someone steals from him, for example, access to gmail, where he keeps access to serials. The question is that the law protects everyone equally, and rightly so, because ... from the point of view of the law, everyone is equal - ha ha ... but the most important thing is that it is impossible to understand whose data will cost how much until this data is lost - unfortunately, it is very difficult to predict. But mostly this category of citizens.

Phone - in foil!

For the only time in my life I saw total storage of everything and everything in two companies. One is the largest information security integrator: everything, up to USB, is glued inside the office with glue; and people go there the same way - I met a man there who has a phone in a foil bag. I found out that there are companies that sell special bags like this. And the second time I saw a similar story in Bloomberg among employees: we were standing in a smoking room, and someone was taking pictures somewhere, and one of them - “So that we were not visible there in the background!” I'm like, "Oh wow!"

“We are better than the FSB”

I would not like to say that this is less than one percent of the population, but, unfortunately, in the general mass, almost everyone does not care. But on the other hand, I have a scandalous service for monitoring the actions of minors (we launched it a long time ago under the slogan “We are better than the FSB”) to warn a parent that a minor is doing trash, before our own algorithm, installed where - something there, someone will send to him.

When verifying a child, you need to send a scan of the passport (this is basically a normal practice), but we wrote that you can cut off the passport number, because we are not interested in it; we are only interested in your photo, hologram and first name. And almost 100% of people - well, about 95 out of 100 passports - people in Photoshop carefully cut out these numbers and sent only the right part. That is, they understood - yeah, if they don’t need it, then they don’t need to send it. In my opinion, this is some kind of real progress, to which they were prompted by distrust of us.

W: - The selection is such a definite one. There are people who apply, they are already advanced.

People don't want to be followed, but they don't read agreements.

OH: - Yes. And the second is the same thing: we launched a dating application at the end of that year (we will restart it soon). There was a control group of 100 people. And there, according to the GDPR approaches, there were 15 checkboxes in my account - I give permission to analyze interaction with the interface, to access my demographics, to access 98D facial reconstruction, to access my personal messages, and so on. We have maximally painted all kinds of access. Even somewhere there are statistics on who ticked what. 2% left all the checkboxes checked by default (despite the fact that they went to this page and saw it all, but they didn’t give a damn), but these XNUMX% were interesting to analyze what was a priority for people.

Everyone removed the permission to access private messages and almost everyone removed the permission to access sex test data (what they like there, what they filled out there, their perversions - just kidding). But people were kicked into this one, poked: the interface tells them - carefully read this, makes it possible to scroll through this agreement to the end. But it was done solely because it was a research project and everyone was warned. No company, including us, when they release this application to the public, will force a person to read this message to the end, because ... well, sorry, that's how it works.

Provided that they came to us knowing what the company does, knowing that they went to a service that will suggest candidates to you based on what kind of porn you like - even on the basis of this, only 2% read these checkboxes and in general have done something. And then almost none of them unchecked the box "Access to traffic and data about visiting other web pages." Basically, everyone was worried about private messages.

Nudity and jail terms for likes - interesting laws of the fraternal republics

W: – I have a data protection question. You can wear a phone in foil, pretend that they don’t exist ... Then it turns out that you kind of save, save, but then you have to give your data to the state, because it demands from you, and you just can’t ... And then it turns out that government contractors are all full of holes. And in Belarus there is still such a rule: if I check the security of my personal data (I correct something and get access to it), then I immediately become a criminal. The same article was used to accuse journalists in the “BelTa case” of having obtained unauthorized access to data (you can read it yourself). So, actually, the question: are such restrictions an effective measure for privacy, and for the security of private data in general?

OH: - I understand. There are many very interesting laws in Belarus. I just recently found out ... I'm joking about the transfer of nudity, but you, it turns out, is prohibited.

W: - Demonstration prohibited!

OH: - It's kind of weird.

W: - You can watch, you can’t transmit, you can’t like. You can't watch together!

OH: - I will answer your question. I will return to the topic of “jail terms for likes” in Moscow. In Russia, this is the number one topic. I don’t know how it is in Belarus, but, to be honest, the state… If you analyze the statistics, in Moscow 95 jail terms for likes out of 100 are cases where people complained about people, where someone writes to the prosecutor’s office about another person. The state very rarely initiates such cases. It seems to me that this law is absolutely absurd. I do not know a single real criminal who was imprisoned for this. But this measure is used to impute at least something to a person. It seems to me that this is the most strange. I think someday it will be cancelled.

W: - This is called keeping under the hood.

OH: - Well, uh, okay ... I can’t say. I'm not exactly a pro-state monster, but my perception is slightly changed, you know, by people who come to us and say: "My child is missing, help me find it." I say, "I can't do anything without the permission of the court." You look at these parents who would give everything in their lives, they would give any access to any data - just to solve their problem. Therefore, it is very difficult for me to conduct such a discussion: on the one hand, I believe that the state does the right thing when it catches some real people, and on the other hand, giving uncontrolled access is generally a terrible story.

I'm going back to your thing, "sorry" for being distracted. I don't believe in foil bags at all. Having a mobile phone and wrapping it in foil is kind of stupid. Why do it? For the sake of not connecting the phone to Wi-Fi? It's easier to turn it off. So that the mobile operator does not identify you? So they can still trilaterate the signal, somehow calculate it. For me, the only effective security measures are storage, protected, like a local network - maybe in an apartment where you can store something.

W: - It's a question of law. Is the legislation punitive towards a person who wants to verify their data?

OH: - I understand, yes. I didn't even know about this thing, so I can't tell you for sure. There is no such thing in Russia, although everything is very difficult there. Probably, you can consult with qualified lawyers and, perhaps, there is some kind of loophole - maybe file it with some European Court ... No? I can't tell you about it. My knowledge of law is superficial, at the level of the head of the company. I know what not to do without anyone telling you anything. This, of course, is very sad.

W: - I mean, in other countries (for example, in the States) it is normal practice that you can test some kind of vulnerability, and then declare it, but not disclose it.

OH: Yes, bug bounty. I understand there is.

W: - And companies don't have a mechanism to take you out because it's cheaper.

OH: - This thing also borders on the level of the law. It depends on how you find this vulnerability. It seems to me that a large amount of the money paid for this vulnerability in America was paid under a non-disclosure agreement and under threats to sue this person. It's like holding a candle too. We're always risking this kind of thing. My employees have found similar vulnerabilities a couple of times in all sorts of government applications - I always say: "Sending an anonymous letter is better than telling them that the hole is there." And then some research institute will come, which delivered this service ... In general, I will not continue further.

Checking a business for honesty will not work: if you don’t like it, don’t use it

W: - A question. You said that you conducted an experiment - 15 checkboxes had to be ticked ... Let's say the user cancels all the checkboxes. Who will control it and how? How to check it at all?

OH: - Honestly, I'll tell you: no one and nothing. Seriously. The fact that you ticked and unchecked the "Prohibition of advertising tracking" box at Google does not mean anything at all. Unfortunately, even when you put a ban on indexing search engines on Vkontakte, search engines still index it, and then simply do not give these results to certain people. This is all at the level of the lack of competent authorities that cannot verify this. Plus, the companies that do it are private. Facebook has a right or wrong position, they have only one: if you don't like it, don't use it.

About regulation

W: I have only one simple question. And how do you feel about the issue of regulation in data processing, self-regulation?

OH: - I, as a representative of the company, believe that the market, business needs self-regulation. I believe that the big data association can regulate everything itself, without the state. I really distrust government regulation and really distrust all the stories when the state wants to keep something, because every case showed that this is very bad. Surely someone will stick the login and password on the yellow sticker on the monitor, and so on.

In general, I believe in self-regulation. Plus, I believe that in the next 5 years we will come to a certain openness. Even now, you can already see it in the news, that it is very difficult for the state to lie to users, it is very difficult for users to lie to the system. And this, in principle, is probably good. Since our intelligence officers are calculated from public photos
All this leads to a decrease in the level of crime. Well, purely mathematically. If someone is interested in talking about reducing the level of crime, there are a lot of all kinds of conclusions that can be drawn. In general, I am for self-regulation of the market. Thank you!


Source: habr.com