MLTalks: A bit about computer crime and digital evidence with Jan Fuller

MLTalks: A bit about computer crime and digital evidence with Jan Fuller


Hi everybody, welcome to another MLTalks. I’m the Director, Joi Ito of the Media Lab. And, for all of you watching this on either Facebook or Twitter, not Twitter, or, I guess we’re streaming it on our own site. You can use the hashtag MLTalks, and towards the second part of this conversation, we’ll be doing Q and A. And we will try to integrate your questions. Today’s guest is Jan Fuller, and she is a forensics expert. She has a really amazing story and a really amazing perspective. And I’m really looking forward to her conversation. But we will have her come up. And we’ll start with a conversation between the two of us, where I’ll be asking her questions and we’ll pivot to dialogue with all of you. But Jan, you wanna come on up? (audience applauds) So thank you for coming all this way. You’re in from Seattle, right. Right, thank you for having me. Is your mic, is her mic up? Even though my voice is slow, is. Is it, I think it’s. Hello. There we go. Hello.
Okay. There we are, got it. So, first of all, I think, what might be helpful for everyone is to, first, explain what a forensics expert is or additional forensics expert. Okay, so digital evidence forensics has to do with in my job was to do anything with a chip that came into the Redmond Police Department, which is where I worked for 28 years was mine to take care of. So, I would go on scene with a search warrant, bring back the evidence or it would come in and it was my job to process it, analyze it according to whatever the search warrant allowed me to do and produce reports, go to courts, that sort of thing. So, that’s kinda the bottom line. And, maybe can you tell us a little bit about how you started in this and where you came from? Where I came from. Sort of both socially and kind of literally. Right. So, getting into this field was really a unique opportunity because, a, I knew nothing about police work to start with, and, b, never saw myself doing this. But, I started with police department basically as the Chief secretary. And he at some point said, you’re good at that, you do that. He kept saying that. So first one was doing budgets and grants. And I did that. And then one day the team that was running the CAD system left for a more lucrative job at a big company in Redmond, maybe starts with an m for Microsoft. And so, he said you’re good with computers. You run, you can do that, go do that. So, with a week’s notice, I crammed on Unix and somehow managed to only take the system down one time in a year and a half. And that was pretty successful. And I enjoyed doing that. And then very, right after that, one of the officers had an opening at IACIS which is the computer investigative school that’s really, really great out of Florida. And he promoted, so couldn’t go. So I was told, hey, you’re good with computers, you go learn computer forensics. And I literally did not know what I was getting into. I didn’t know what it would mean. When someone mentioned that there were child porn cases, I thought, no, I’ll just do fraud. I won’t do anything else, just totally naive about it. And I went to the school. And, there were 300 people there. One of the first assignments, you gotta, well then it was a box on the table in front of you. And we were told to take it apart and put it back together and prove we knew what we were doing. I’d never taken the side off of a computer. So that’s how far I had to come. But people were wonderful. I got tutored. I passed the test, the exams. I passed all the certifications. I’ve passed all the re-certifications, and I’ve been through tons of training since then. And that’s how this happened, so. And, now what are you working on? Well, I retired in April from the police department, and I’m working diligently on a project to address some of the needs in local law enforcement, particularly regarding digital forensics, because there are, let’s see what’s the figure, 18,000 plus police agencies in the United States. Right now, I don’t know, it’s might be closer to 20,000. And of those, 73% are agencies of 25 members or less. And you can bet that those agencies don’t have their own digital capabilities and yet every single crime that’s committed or observed has some sort of digital component anymore. There’s a video of it. There’s the actual crime. There’s so much, so I want to put together teams that will go out and address, and according to what a community wants their police department to be doing maybe just image devices and get them on to someone else or actually do the analysis in order to catch some of the crimes that are affecting the local as well as broader sense of community. And so I see those teams as being comprised of a prosecutor. There’s a lot of different people who have their, have a big role to play in computer forensics. And the community is part of it. A victim’s advocate would need to be part of the teams so that they could talk to and help find resources for any victims that are located. A community member may be, the certainly forensics experts, possibly students or people who’ve recently certified in computer forensics, so they get some actual bench time and some experience in what it’s like to go out and do this kind of thing. State and local, whoever the partners are that makes sense for that agency and that location. I wanna bring ’em together and actually do a boots on the ground. I wanna drive a van with equipment in it and take care of some issues that right now I think are going, they’re languishing. So, I’ve been sort of leading up to this part. I mean, I think most students when they think of police, they think of people who come and bust their parties. I think lately we think about police brutality. And I think police kinda get, have a negative image on the minds of many people these days. And I think when I talk to you was really kind of interesting for me is I kinda forgot that police also catch some really bad people too. And I think that’s, to me, I think was kind of a important first step in me understanding your work. And so, I thought maybe the, a really good place to start would be to talk about one of the cases and then describe both how you did it. And we can sorta see what the category of crime is that you go after. So, we start with the David Delay case which is kind of, one of your big cases. And I think we have a video of one of the, is it one of the victims? It is the victim. She’s the one that broke this, the whole case open. Okay, so we’ll start with that, and then we’ll get you to explain the case. He said that I would make $20 million from the documentary and that it was, if porn was legal, then escorting and prostitution should be legal too. And that once it aired, or whatever, it, that I would and all of the other girls would get $20 million each. (creepy music) When I met them, I was a senior. I was a gymnast and I was doing gymnastics. I wouldn’t say I was a shy person in high school. But I didn’t really talk about relationships or anything. And so I kind of just went on there to meet people and possibly find a relationship. Who knows? (creepy music) I can’t remember what she really like said exactly, but I know she was just friendly and kind of, I don’t, pursuing in some way. But she was a nice person and you know actually genuinely cared and wanted to get to know me. (creepy music) At first they treated me very well. David bought me things and bought coffee and just treated me like a friend, I should say, like a good friend who you would think was a nice person. Then took me to, I mean, hotels and stuff just for fun at the beginning. I just thought that oh I have, I’ll have a lot of money, and I’ll be around people that care about me. I just thought that sounded great. And maybe a month after meeting them, it kinda got to the point where they slowly introduced the whole escorting or prostitution phase, whatever you wanna call it. (creepy music) I think I was kinda just in shock, and I didn’t really know what to think of it. And I just wanted to be cared about. And I wanted a person to care about me and to be loved. So, at that point, I would, I just didn’t really know what to do. (creepy music) I think it was about five or six months after living with them in November of 2014, I called my mom. She obviously jumped on it of like, oh, you wanna come home, great. And, she knew that I needed to get out of the situation. But they were not there at the time, so that’s how I got out. They had scheduled someone, some man to come over that night. But, I had decided before they, before the person comes over that I was gonna get on it and actually leave. So, that’s what I did. (creepy music) So.
So. So yeah, so tell us a little bit more about this case and. Well first of all, it’s this case that got part of the project to go to local agencies kind of started, because the parents went to three if not four agencies before they came to Redmond. And it, the other agencies didn’t have the capacity, didn’t actually maybe know that there was something that could be done about this, the type of crime. Her Facebook had been hacked into and they were posting things on it. And, so it really helps show the gap that there is, because the parents were frantic to try to get this to stop and to help their daughter. So it came to Redmond, and luckily we had an officer who recognized that maybe there was something that could be done. Turned it over to an investigator and then we were off and running with it. The case was, it took a long time. It was several years at the working. So at this point you didn’t know that how many victims and things. You just had her story. We just had her story, and we were getting her Facebook page and kind of figuring out. And then with the interviews and then with, I think it was first a phone, maybe, that came in. And I’d have to verify, but I think that was the first device that. More and more evidence kept coming in of how big this was. And they were all, I’m gonna stipulate, their warrants were not just looking at things, but were looking for things. And pretty quickly, I think I did maybe 29 different p types of evidence. There were tons of CDs. There was all kinds of cameras and computers and cell phones. And it pretty quickly emerged that there was this pattern. And I believe I’m safe in saying that I probably recognized 500 or more individual victims of which we identified 19. And seven were used as part of that case that went Federal. So, that’s a lot of people. In addition to that piece of it, I think it was probably six months into it, I was looking at the evidence on a hard drive. And I found an image that I had seen four years earlier in a case that we got that was a. We hadn’t been able to solve, because the child in that picture, there was no face shot and nothing in the room to indicate who she was. And that picture was on this computer. And, once in a while, it’s not that you can remember all of the pictures, ’cause there’s millions of ’em. But, some of them just stick with you because of a particular. You’re haunted by it or it just, I don’t know what it, what it was, but. So and there it was. So, the investigator, whose name is Natalie D’Amico who did a fabulous job on this case. She and I became kind of obsessed about figuring out who this little girl was. And we looked at all the Facebook posts. Tried to figure out, okay, does that text go with who this little girl could be. And it wasn’t, none of it was working until maybe eight months after we found that picture. I had a new device to look at, and I found a picture of the girl as an older child, ’cause it was more current. And she had a school sweat shirt on. And so we were able to identify her. And one of the things David did was, he encouraged or sometimes coerced women to abuse their children for his benefit and film it. And that had been the case with this child. And so, out of this case came several other arrests for people who were abusing their children and other children and filming it for his, at his request. So, that was a particularly satisfying moment to identify her and remove her and her siblings from this situation and hopefully helped. And how long did this whole investigation take? We got it in 2014 and the sentencing was in 2018 of this year. There were a lot of continuances with the case. It went Federal. There were a lot of reasons. His defense team quit. And he fired some, and, I mean, it took a long time. And so, were hundreds of victims. There’s this one guy or this couple. How common is this? I mean, how many of these David types do you think there are? Oh I couldn’t give a number, but there, there’s a lot. There are. And are these people who were doing it some other way before we had social media and dating sites? I mean, is this a category of an old category or is this a new category? Well, it’s easier to do now. The social media certainly gives a platform, so. And is it easier or harder to find them? I think it’s both. I think you can, sometimes you’re lucky when you find some, the person comes and reports, then you have someone who knows what to do with it. So that part makes it a little bit easier. But sometimes you’re thwarted by investigating certain aspects or you come across, in this case there were a couple of cell phones that held some really incriminating evidence that were encrypted. And so we had that issue to look at. So, harder, easier, some of it feels like luck, but it’s, it takes hours to investigate what you can do and what you can try to get and. Yeah, I mean it’s interesting for me, ’cause I’m usually the digital liberties, privacy, encryption person, and here’s a great example of a case where you want law enforcement to have access. And I think that’s sort of the interesting and tricky thing. I mean, we have a, Madaris back there who works with us. And he’s working on cryptography that allows certain people to have access to some of the stuff, so that maybe you don’t have to have the absolute privacy or access to everything. But I think when one thing that’s really important as we think about sort of technology and the future and surveillance is this process of what rights and what warrants and process you have to go through in order to get this. And do you feel like you, first of all maybe talk about the process, but do you feel like you have sufficient access to do your job? And do you think that what, I mean, what would you, if you could have what you want?
A little magic wand. No I don’t think that there’s sufficient access. Sometimes, I don’t think anyone should make my job easy. I think I should have to work for it and that’s great. But, if you can articulate that you know you’re going to find a piece of evidence on that device and you can say why you know it because of an exchange of a, during a chat that they’ve said that their going to do something, then I think a judge should be able to sign a warrant and that it should be decrypted so that you could find the information only related to that. Encryption is a problem. That’s 500 some plus, and that’s not even a big case. So, I think it’s crucial that we do something about the encryption, because no one wants their daughter or niece or anybody or, it’s not just daughters. It’s girls and boys. No one wants to see that. And if we have a good way to both prevent and to stop, I, to me it’s baffling that we can’t do that. I do think it has to be within limits. I don’t think it should be wide open. I don’t think it should be that it’s best practice if the a person with my job, which is the forensics investigator does and finds what’s there according to what the judge has ordered. And I turn that only over to the investigator, so there’s no fishing. There’s no looking for extra things. To me, it’s a good model. And how much of your job is, I know, I mean, it’s amazing story that you started as a administrative assistant. You ended up as an investigator. How much of this is sort of nature versus nurture? How much of this is technology? How much of it is your intuition and your passion and your or and how much of this is something that people should, that we need more training for, for example? So how much, as my investigation part of it. Yeah, the ability to close these very complicated cases. Well I do have a passion for it, and I do like a good problem. And I do like to work towards a solution, so there’s that piece of it. It’s, not every case worked out very satisfactorily and sometimes there’s a lot of really boring times when you’re waiting for something to process or you think oh, if I see another zero and one I’m just gonna scream or what is that. But, there’s so much satisfaction in going down and actually making a difference by finding a victim or, and providing services. It’s kind of addictive to do that, to help. And it’s a unique way to help. And, so, there’s another case that you’ve mentioned, this Barry McCohen case, ’cause you can’t talk about all of your cases obviously, but you can talk about the ones that are have sufficiently been public, right. Can you tell us a little bit about another case? Sure, so Barry McCohen came about there was a Redmond case of a child sex abuse and child porn. And, Thompson I believe was the name of the suspect in that case. And I finished the Thompson case, finished all my work, but again had one of those images that just wouldn’t go, get out of my head about who is that girl. And the suspect and McCohen had been conversing through chats. And it was the most vile, horrific chat content as well as maybe fantasy, but talk about stealing a child from a playground and using, it was Barry McCohen’s grandchildren that he was abusing. And he was planning to use possibly one of the grandchildren to lure another child (mumbles). I was obsessed with figuring out who that child was. And there wasn’t much way to figure it out, because the pictures were, the initial pictures were of a little girl looking out a window. But, eventually when I, I found a picture that turned out to be McCohen taking a photo of his granddaughter in the backseat of the car. And he had it in the rear view mirror. And, because I’ve been fortunate to be trained in video forensics as well, I was able to clarify that image and get, I think I just got nine digits of the phone number. And it, but it was easy to figure out who he was, because it was a simple real actually a Google search. And then a Google Map search. And in the Google Map search with the crime analyst was working with me to do that. And we were watching as we came around, and it was the house you could see from the first picture. And then it was the car that he was taking it from. And then there was a wall. It was the most CSI moment I’ve ever had in the real, in doing this. And he did not plea. He wanted to go to court. So I went back and testified. And he did, I think he got 55 years, maybe three sets of 55. I mean, it’s basically a life sentence in Pennsylvania. So that was a very satisfying case. And I think a good outcome. And are most of these people pretty sophisticated in trying to confound investigations or? Sometimes, yes. And so again, encryption is a good way that that happens or using the dark web or… Sometimes I have a theory that the ones that we catch are people who don’t feel good about themselves for what they’re doing. And may, I don’t know, that’s just, but there are a lot who mess up. And there’s some that we just never get. And we know that they’re out there. Interesting. And you mentioned earlier about sort of use of the term community. I think, maybe you could talk a little more about this, but I feel like one of the things that, at the Media Lab and others. And we’re involved with the ACLU. We’re involved with a lot of national level organizations that are fighting against policy level things. And it feels like a lot of the rules that we have around what police can and can’t do, what surveillance can and can’t do, is a result of some sort of big policy argument at a political level and that community that doesn’t seem to have a whole lot of relevance to those people. But, you often mention the word community. I mean, how does community, do you think relate with police? Well, yeah, well I think you can’t get to decrypting phones or get to solving the crimes if you don’t gain the trust of the community that you’re working out. They have to know that you’re not collecting things just for a person, just a massive… And I believe that most agencies are not. There, this is is my perspective and from where I’ve worked. So if you get the trust and they’re working with you, then you’re working together to solve the problems. I think I was maybe mentioning that last week I was at the IACP conference which is International Association of Chiefs of Police in Orlando. And both the outgoing President whose name is Lou Dekmar and the incoming whose Paul Cell mentioned a trust initiative that IACP is doing in, because we recognize it’s a problem. The community knows it’s a problem. So they have this initiative. And what was more significant to me, from my interest, is that they both mentioned the digital component to the trust initiative. And it’s, we have to work together. We shouldn’t be doing something that is against what the community wants. We need to do what the law says. But we can certainly do more.
Yeah. We had a speaker named Claude Steele who was a provost at Berkeley, but he’s well known for thinking about diversity on campuses and things like that. And one of the things that he said, which is sort of interestingly relevant is that with the increasing diversity, and there’s traditionally faculty are tough on students. And if you’re all kind of from the same community, that that people interpret that toughness in the right way as kind of like tough love. But when you have a very diverse population and you haven’t built up the trust, and there is reason for mistrust, because of sort of societal things, that you really need to invest in building trust before you can have a, even a functioning academic system. And so, so he was really urging us as well as sort of campuses to focus on this trust building. And the trust building had a lot to do, he said, with actually talking about race, talking about identity, talking about the issues, rather than just kind of pretending that it’s okay. And I feel like right now society we have a lot of mistrust right now. We’re very polarized and connecting to community, ’cause I think it’s easy to say, okay, well, let’s build trust in the community. But what, how do you do that? Well, personally, I think you have to meet people. I think you don’t just need to talk about it. I think you actually actively have to go out there and know your neighbors and empathize with them, just to get to know ’em, and know them as human beings. You don’t have to agree with them, but share your ideas that way. But just talking doesn’t do it. Yeah, yeah, yeah. Yeah, we I mean, and I think functioning neighborhoods I think have that. And I think the, I think for, I was just last, I guess it was last or a week before last, we were, I was in Chicago where I’m on the board of the MacArthur Foundation. We’re trying to help different towns. And there’s some towns that we’ve seen really turn around on exactly this thing. And it’s often somebody from the local community who’s taken on this task of creating a community center and building that conversation. But, do you, I mean, you can say, I’ve never been to a conference with chiefs of police before. But do you sense that they’re all equipped and able to start this process? I absolutely think that they are. And, I hear more and more talk at those conferences about the need to, I don’t know anyone that doesn’t want this to happen, and doesn’t want to serve their community. Sometimes, maybe they’re bound by a law or whatever, but I believe they truly want that. And the other thing I want to say about building trust is that you really first have to look at yourself and make sure that what you’re doing inside yourself is respectful to anyone before you require anyone else to do it. It really does start with the you. And so getting back to sort of your initiative and also kind of… What are practical things that, so we’re, not everyone here, but most of us are technologists. We’re, we work with some of the platforms. We kind of take them to task sometimes on things. And we have a lot of opinions. What do you think for the technical communities, how can we help? Yeah, I think there’s a lot of ways to be, to integrate with law enforcement and what they’re trying to do, so because there’s improvement to be made with programs out there. There’s, and to do research so that, because a lot of law enforcement is not technical. Don’t tell anybody that. So, they need help with the research. They need help developing what is actually good product. Otherwise, they rely on what they buy off the shelf, for example, versus a really thoughtful. And not that some off the shelf isn’t good. But there needs to be more interaction that way. And you can definitely make a difference with adding what you can do with the gaps in what law enforcement is able to do. Yeah actually, I, one of the companies that we are sometimes critical of that does the risks scores for the criminal justice system. We recently found out that they go to, actually that conference of chiefs of police. And they have a booth. And they sell this thing. And I was talking to actually a chief of police who had bought the software, and they had signed some agreement that said that they didn’t have to disclose the data. They didn’t have to disclose their algorithm. And it was basically a confidentiality agreement which they signed without really thinking about what the out, what the second order effect is, which is if the risk score does something and contributes to an unfair sentence or an unfair parole or bail that you can’t subpoena that in court. And I think the, just to, and it’s interesting, because the types of people who kind of think about these things don’t go to the conferences where these guys are handing out their flyers and so on. And so, interestingly I got one of the chiefs of police magazines the other day. Just was flipping through, looking at the ads. It’s kind of scary. And I think, I feel like we can sit here in our armchair and kind of point fingers at jurisdictions for buying software or signing agreements that I think aren’t great for justice. But, we need to sort of meet where that’s happening. And this police chief said well, you guys need to show up at these conferences if you have an opinion, because that’s where the deals are being made. And is that, is that. I think you should show up at the conferences and talk about what you can do or how to work together. Listen to the presentations and listen to the opinions and understand where each is coming from. Something I’ll send Andy. (Joi laughs) But, and then the, I think, ’cause I think that’s my concern is that, and we’re, we have a faculty member here at MIT named Ron Rivest who’s very anti-electronic voting. And I think the problem is once you start to get companies who build these voting machines, it’s very hard to fight against them, because they’ve now become a business. And I think that a lot of the software that I see that I think are, I have concerns with, they’re starting to build businesses. And I think that one of the things as researchers that want to figure out tools that both protect privacy but also enable law enforcement to do what they want, I think that’s maybe really important. But, this ties to one of the questions that I, pushback that I get from the local law enforcement and local government is well we, they don’t have the resources. They don’t, you tell them, they better, they can write their own software or they should understand what’s going on. And you just happen to be so-called good with computers. But, I mean, how much, what’s the right way to fix that? Is it a money issue? Is it skills? I mean, is that an area we can help? Well, skills definitely, money, of course. But it’s resources not just, it’s resources and understanding the issues as well. There’s a lot of ways to make a shift there and get people to understand, get people to then know what can be written and working collaboratively right. It’s, so with that 73% of agencies 25 and under, do you think they have resources to do their own software (mumbles)? I mean, they’re lucky to get a piece of software sometimes. It’s hard. And they’re working on really small budgets. And they may want to, it’s, life has changed. Policing has changed and trying to integrate technology, it’s hard. And I asked a version of this question earlier, and you gave me it kind of it depends answer. But a lot of the digital privacy people argue that police have more tools than ever before. And they just want more, but they have plenty of tools to do what they need. Would you disagree with that, or do you think that maybe at the federal level they do, but at the local level they don’t? I can’t really exactly answer that, because I don’t know what tools they’re talking about. But even if you have a lot of tools, like let’s say you’ve tried four things, and none of them, it just means they didn’t work. It doesn’t mean that you’re collecting more and more. It just means it didn’t get you the outcome that you were expecting, so. And so I don’t know what tools they’re meaning, but. So, I can keep going as well, but I don’t know if anybody here has questions. I’m happy to start opening it up to question. Agnes, and we have a microphone nerf box that we’ll send you. Can you? Wow. Can you revisit the wish list question? Given your understanding of what you find difficult to do, what kinds of tools do you wish you had to make your job easier, better, faster? I wish I had more tools that could weed out, you can weed out some known images, the hash values and that sort of thing. I wish I had tools to go through video even faster. I know a lot of companies are working on that, but that’s one. I wish I had a tool that would automatically validate my equipment, because it’s time consuming to go through and valid, so every time you do an exam, you test your equipment to make sure that there’s, everything’s operating correctly and that the software’s updated. It’s very time consuming. I’d love to have a tool that would automate that process. And, those are a couple just off the top of my head. Hi, Jan, I’m really interested to know what you think about kind of open sourced and crowd sourced investigations, particularly online investigations. So a famous example really recently is the Bellen Cat investigation into the Sergei Scropaul case. I can’t quite hear her. Can you say that again? Oh sorry. I’m interested to know what you think about open sourced and crowd sourced investigations. So famously recently the Bellen Cat case which was investigating the Scropaul’s poisoning Mishatrace, one of the suspects being a military doctor in Russia. Yeah, what do you think about kind of citizen governed tools for investigation forensics? Go for it, it’s open source. If it’s available and legal, great. I use open source tools for validation, et cetera, yeah. Do you actively engage communities in your work though? Have I ever asked someone to help me, you mean? I guess that’s a version of that. I guess the question is maybe, and I don’t even know the answer to this, but are there communities of people who do this somewhat as a hobby that connect with you. Or maybe they’re even, they maybe, I don’t know, I can imagine, like mothers against xyz or something like that as well. But are there citizen efforts that are organized in a way? I don’t know exactly about digital. I don’t know that a request has come out. But we do request if you know anything about this case. So it could come about that way. It’s possible it could come out that way, but I don’t know that anyone ever provided me with actual tips that. So it could be that we could design something that looked like a way for people to participate in helping something. And I think that the trick and there’s recently right now there’s the, what’s it, the shitty men in media list, I think is the. I don’t know if you’ve been tracking that. But there was a list, a Google spreadsheet that a woman shared with other women to anonymously share and create a list of media men in New York who were sort of shitty in whatever ways. And it described their sort of their pattern. And it was to help the other women on the list protect themselves from getting caught in a situation where they were being taken advantage of the men. So the initial, I think the initial idea was actually probably very well intended and really to support the women. But what happened is you can imagine is because of its anonymous nature it was, it started to leak out. And then it got bigger and then the people who were on the list, now one of the people is suing the woman who started the list. And it’s also become so-called weaponized, because now people are going after all the men on the list. But it’s this kind of interesting thing, where I think that… Again it depends on the category of crime. Right now with #MeToo I think that’s an interesting, it’s, it has a likelihood to turn into something that was unintended. But I guess one question would be is there a way to sort of figure out how you might crowd source evidence or other things and to keep it from turning into something that grows into something you can’t control. I didn’t think of an example that, I think it was two months ago a young woman went missing in the mountains near Seattle. And the family has been looking. Search and rescue was out, the dog and everything and nothing was located. And they did a really cool thing, because they put up drones and then they put all that data in the Cloud for anyone who was interested and had time to go through, because there was such a huge amount of data. So that’s an excellent resource for saying, yes, there’s nothing here and that would point the searchers towards what they thought was a code. They, as far as I know, they haven’t located her. But it’s a perfect way for technology to be used for. And I suppose searching for missing people is pretty unpolitical and something that you could probably get people to do without hopefully not turning it into some weird thing. But, is there anybody actively thinking about this or, and if there isn’t, what would be the appropriate group to do that or should we just do it, I guess? Well, I think it’s a great project. And I think it would be something good to put out and ask anyone at IACP or. I don’t know if there’s anyone working on anything like that there, but it wouldn’t surprise me. And, putting together a. I mean, I think the other thing, this reminds me of, at, we have this Title IX process which is this process, as you know, but for the people who don’t even at MIT, if somebody tells me an issue that involves a sexual harassment, I’m required to report it to the central Title IX officer. And the reason for that which is kind of an obvious one in retrospect is that sometimes it’s one person doing multiple crimes, and so if there’s no central point, you can’t actually see the whole picture. So it may look like one incident, and you kind of cover it up, but it turns out that if everybody reports it, you can see the pattern. And, but people don’t like to talk about these things. And you have to keep confidentiality. So one kind of interesting way, and again you have to prevent it somehow from being gamed, but if there was a way to confidentially and securely provide signals so that you could see, and again, I think you’d have to figure out that, a way to not have that become an attack on a person that could be orchestrated, but one of the problems that you said was these jurisdictions make it so difficult to even get a case started. Well, there’s that piece and there’s also if you have, if everyone is going to look for evidence, let’s say, if it, if there’s any possibility that they alter the evidence inadvertently, I mean, you have to be really careful that what you collect you’re able to document, that is true and accurate. So you would have to build into your system something that if you were having a group, try to look for something that they’re not actually spoiling the evidence. Right, right, right. Yeah, and I guess, the last thing you want is people running around and, like they show in the movies, and just. Yes, stepping across the crime scene. The blood’s tracked all over. Although recently, I mean, I think it’s interesting seeing Icarus is a case, I know there’s another film that I’m (mumbles) peripherally involved in that involves doing a documentary that. So Icarus is really interesting, because there’s this documentary just on doping and riding in general. They stumble on this Russian guy. They contact the New York Times. Great paper by the way, New York Times. And then they involve law enforcement, and it turns into a big, big deal. And it was a interesting case where you go from media to law enforcement. And I think that the thing is, and this is why it’s little different than pure amateur that I think people who do documentaries in this space. They have slightly different interests than law enforcement, but they’re a single source and relatively sophisticated. So you kind of have a negotiation with them. Whereas, kind of a big crowd is probably harder, right. Right, right. Any other, okay, we’ve got a couple. Go head. Hi, is there a certain kind of record or piece of data that you’d really like to be useful to you, but you don’t have a tool or there’s no precedence? Sorry, i didn’t, my ears maybe. Is it not loud enough? Is that better? Yeah, the sound quality’s a little bit echoey so re-say it. Okay, sorry. Is there a particular type of record or data that you would really like to be useful to you, but you don’t have a tool or there’s no precedence in using? And would you tell people if you had. (Joi and audience laugh) I think that would be case by case basis, really. Sometimes it’s not, I’ll use meta-data for example, wouldn’t be relevant to this case, might be to another. And that you would want a tool that would extract more of that or be able to read more of that, that’s. I’m not sure exactly if that’s what you’re asking, but it would be case specific for me right now. And this one back there. You wanna or you’ve got the. Go head, if you have. Do you think de-centralized platforms could be a solution for further engaging citizens in the community through crowd sourcing and possibly incentivizing contributions to investigations? I’m sorry, but again, it kind of comes garbled and I can’t distinguish what you’re. Okay, do you think de-centralized platforms could be a solution for further engaging citizens in the community through crowd sourcing and incentivizing contributions to investigations? Possible, yeah. Do you wanna describe a de-centralized platform as an example? Blockchain, for example. Blockchain. I still don’t have a good feel for how to answer that question, ’cause I’m not sure that I understand it, so. I think, I mean, one of the things, for example that, and we’re working on it in our digital currency initiative is de-centralized markets or places where. I, my guess is that they probably overall increase crime more than they help solve crimes, at least in the short run. But, I think and you were talking about providing incentives as well, right, so I think part of this would be, and I have talked to some law enforcement about how they’re using de-centralized platforms and things like digital currencies to contact and interact with people in ways that they couldn’t do before. But, you’re, it’s not something that you’ve. It’s not something that I personally worked on, but I love the idea. Yeah, and I’ll say this for the digital currency initiative perspective. I’ve talked to one Compliance Officer of a major exchange who used to be the Compliance Officer of a major bank, and she says that it’s now easier to find bad guys, because you can look at the blockchain and see everything everybody is doing. And so, so one of the things I think that’s, and again, people like Madaris are working on more private blockchain technology to try to inhibit this. But right now the blockchain is actually feels private, because you don’t necessarily know who the account holders are, but isn’t very private in that you can actually analyze the patterns of most of the transactions and kind of identify who the fraudsters are. And I think that’s gonna be a constant battle that we’re doing. Again, this sort of, does end up into where you go, which is how much privacy do we need to provide versus how much access do we need to provide. And one of the fears that I have is that a lot of countries are talking about blockchain for the poor people as a way to un-bank the, the bank the un-bank. And the worst thing that could possibly happen is that only poor people are completely visible to everybody and rich people have other ways of sending their money. And so, the (mumbles) of completely visible I think is dangerous. On the other hand, the completely private one has its own obvious challenges. But I think that’s something that we’re gonna be seeing in real time soon. Yeah, my think if you worked with, talked to people in law enforcement about how they would, what they would need to investigate specifically and see the whys of it then you would know what to, how to develop maybe differently that could still serve the social good as well as protect privacy. Who’s got, go head. Sort of following on that public, private tension, there seems to be a really big disconnect between what you’re talking about, the need for public buy in and community trust on one hand and sort of what you’re talking about in term of the extreme privacy of black box algorithms, like a risk scores, predictive policing. So I was wondering, a, have you had a sort of successful examples of getting community buy in to some of these very private technologies and, b, are there more sort of open source or other types of some of the technological software work that you’re looking for that don’t follow that sort of private company black (mumbles) bottle that’s facilitates that sort of community buy in? Well, we, the local law enforcement, we don’t use anything we can’t validate or get ourselves. So we’re not gonna get data from, if I heard you correctly, we’re not, we’re getting data through sources that we’re approved to get it through pretty much and validating it. So, it’s, did that answer the question or speak to it enough or maybe there’s more to it? Yeah, I think there’s a couple of pieces. I do think what’s interesting is how you have that conversation, oh this is useful, how you have that conversation in the community, because I think one of the problems is, and I know Madaris wants to speak, so maybe he can address this as well, is that you can do a lot more with the technology than the vendors tell you. And so, for instance, you can have privacy that’s only available, for instance, if these three institutions, including your church, say okay. So for instance you could have a category of warrant that only unlocks this particular data set if these three other groups say okay. I mean, so I think if the community sorta designed what kind of privacy they wanted and said we wanna build this, and they could work with an academic institution like MIT or they could work with some other philanthropist or something. But you could probably design something that was much more nuanced to do exactly what you want rather than here’s a package, here’s a vendor, take it or leave it, which is kind of what the problem that we have. And there’s actually a great, there’s a Wired article about this recently, but one of our, my colleagues, Ray Ozzie, who’s one of the founders of Lotus, he made a very controversial set of statements saying that he thought that we should rethink the end to end encryption problem and that we should think about whether there was a way to technically make it possible to decrypt things. And that he wasn’t, he thought that we were being too absolutist on end to end encryption. And he got flamed like crazy, as you can imagine, because it’s almost like, it’s almost a religious dogma right now among my community that end to end encryption shall not be breached. But, I talked to him about this and he remembers way back during the Clipper chip days. And I was also fighting for encryption back then. What happened was when we were able to show that we could do digital encryption, what the US government did is they cut a deal with the telcos and said okay fine, you can do digital encrypt all you want. We’ll just pass CALEA, which is a law that basically built a backdoor into all the telephone companies and said we can’t put alligator clips on anymore. And so every telephone company has to give a, an ability for digital wiretaps. And so what they did by making the middle secure, they forced the government to do an end run, which actually is what led to more of these sweeping surveillance things. So I think it’s an interesting other meta point, which is I think as a community, we tend to not want to even have the conversation of having a conversation with law enforcement. And I think that, I think that it might be actually very fruitful. And I see the question written out here now. So, there are successful examples of getting community buy in and really it has to do with license plate readers, for example. Some communities hated the idea, said, no, no, no. Some of them love it and so they have them. So that’s one piece of technology that was pretty community centric for. I didn’t know we had them here. And so, I had my, the tags on my license plate were expired, and my wife wanted to go to the store to get something important. I said oh, we’ll get them replaced when you get back. And then I ended up spending a day in remedial. So I learned the hard way. (Joi laughs) One of the frustrating things about this is that there are private companies driving around doing with license plate readers doing the parking enforcement and everything. But law enforcement can’t get the data from them. So even if we have a homicide or we have someone we know is there, we can’t get the data to know that that person was really there. It is not possible. It’s done. So it’s a little bit of an encryption, and it’s probably not what the community intended, but it is the truth of it.
That’s really interesting. Same with bridges that capture your license plate to go over for the tolls and everything. So you’re looking for someone or you’re looking for someone who’s stolen a child or something, you aren’t gonna get it.
How interesting. I’m a cryptographer, so I’m gonna ask a not cryptographic question which is can you speak a little bit about the human component of doing those investigations? It must be really emotionally taxing to just look at child abuse images all day long, and obviously people get paid more in industry. So, where do people in law enforcement find meaning and purpose to keep doing this? Well, I can’t speak generally about law enforcement, but I can speak about myself. And I definitely have been traumatized by looking at millions and millions of images and not just, sometimes it was the things adults did to each other that was just as traumatic. It’s not all about child sex crimes that’s hard to see. And I believe that I, if I’m going to do a good job doing what I am drawn to do which is try to find the victims, try to make things better, then I need to keep myself healthy. So I meditate. I go to a psychologist when I need to, to take care of myself, because there is definitely a toll. Anybody else. Shouldn’t admit that in public. Too late, I just admitted it in public. (Joi laughs) Teasing. You mentioned the dark web. I imagine that makes your job much more difficult and now, so what has the police enforcement done to deal with that, with the dark web? How do we deal with it, how do we deal with the dark web? Well, there are some tools out there that, and if you have a dark web case you’re not entirely cut off from getting information, if you’re allowed to look for it. But it’s incredibly limiting and pretty much most of the time you say not gonna get you anything here. But you still try, you might find a few little fragments or something or. And again do you ever find? That’s from the local perspective that other people might. This gets back a little bit to the crowd sourcing. But I remember when Anonymous would actually take action against what, who they thought were bad guys. But do you ever have hacker groups or others come and try to help you with things? I have not. And in some of the cases, where in the dark web is I can’t quote the statistic, but it’s big, the number of cases related to child pornography and child abuse hosted on the dark web. In order to view the information and view the pictures, you actually have to provide new content. So it’s creating this new world of ugliness. I wish that someone could do something about it. Law enforcement can’t, because you could never, you could investigate but you could never actually create a new victim in order to get into the club. So you would never wanna do that. I mean, it’s, the whole thing’s wrong. Interesting. We’ve got one here. (mumbles) I love that little box. That’s a cool little box. Hi, I’m a lawyer interested in privacy issues. What are some of the techniques you use to decrypt things where you don’t have a warrant for decryption? And do you think that the so-called back doors for encryption is the right way or would you suggest another way? Well, first of all, I don’t think of it as a back door. I don’t, I think there needs to be an avenue that through a valid warrant, a phone can be unlocked. Let’s just say phone and not anything else. It’s not really a back door, because you know that the probably it can already be done. So it’s not like people are creating something for law enforcement to get in. Law enforcement doesn’t have to hold the key. We just need to be able to go somewhere that can say that this and decrypt that phone for us. It’s nothing about I wanna hold the data. I wanna see it all. So, it’s not leaving a back door for law enforcement. And what are some of the technical ways, I mean, I know you can’t get too much into it, but what are some of the techniques that a law enforcement agency who doesn’t have a warrant for the suspect to say, for example, the San Bernardino Apple case, what are some of the ways the law enforcement agency would go about trying to decrypt that device? Well, you can talk to the suspect and see if they’ll give it you. You might be able to, there’s not much choice you have. You’re pretty much stuck if, depending on the model of phone. I mean the earlier phones you can, you might have access to. But you’re just done. And I think if you look at the market for services that you can get somebody to do unlocking of phones. Again, this is just a rough number, but I was talking to somebody who’s in this field. And he said, the previous generations of iPhones you could pay somebody $30,000 to basically break into it. And now it’s gone up to probably close to a million dollars to break into a locked phone, if you can. And there’s, there are RFPs at that level out there. So it, I think one of the things that’s happened is that the new encryption has just made it more, very much more expensive. If you go onto the internet, you can see videos of some Chinese hardware hackers who just shave off the back of the CPU and can get access to a phone. So it’s not impossible. It just costs a lot more money. And so at the federal level, you could probably afford a million dollars to get into a phone. At the FBI level, it’ll be very hard to do that. And so there, it’s still vendors out there who do this. And when I think about operational security for people like at the New York Times or some of our non-profits, one of the things that happens when you start to increase the cost of getting into these things is you just push the attack vector to a different place. So now it’s cheaper to kidnap somebody and torture them than it is to steal a phone and crack it. We don’t do that. We do not do that. I’m talking about bad actors and overseas. I don’t think they would do that in Redmond. But I do think that that’s one of the other problems that it does is it just pushes things around. And also, I will say, and again this gets back to some of the encryption work. I mean, there are ways to, for instance, ask a system a question that it can validate as true or false or you can get ways for machines to give certain types of information to certain people but protect other types of information. And so, so I think if we start to break down privacy and say okay law enforcement, what exactly do you need and when would you need it, and in what form. And, for instance, if you could validate whether is this phone number in the contact list of this phone. That could be possibly tremendously valuable. And if you needed a warrant and you need a key and you could verifiably check this number against this number or check two lists, this is I think a common (mumbles) thing. You take two lists, two phones, and see how many numbers are shared in the contacts lists between these two phones. That reveals very little usable privacy information. And you can’t really go fishing that easily, but you might be able to then connect to a suspect. So there might be, again, this gets to the community thing. What is it that you need? What, and there might be some sort of middle ground in the technology, I think. And technology is changing and evolving. You have to have a plan to keep moving and keep the middle ground as it evolves. So on that note, I think we’re out of time, and thank you very much Jan. And I hope to, we thank you for coming. (audience applauds)

Author:

Leave a Reply

Your email address will not be published. Required fields are marked *