"Golden Age of Surveillance," Yoga @ CDT – Talking Tech w/ Joe Hall & Michelle De Mooy
CDT Tech Talks | 2015-07-01 | 20:22
Host Brian Wesolowski first chats with Joe Hall about law enforcement's history with encryption, "the Golden Age of Surveillance," HTTPS, and infrastructural encryption.
Then Michelle De Mooy joins to talk about yoga at CDT, workplace wellness programs and incentives, the Affordable Care Act and the Americans with Disabilities Act, personal health info, and wearables. Did we mention Brian's muscles?
Attribution: sounds used from Psykophobia, Taira Komori, BenKoning, Zabuhailo, bloomypetal, guitarguy1985, bmusic92, and offthesky of freesound.org.
Transcript
Speaker 0
0:10 – 0:13
Welcome to Tech Talk by CDT.
Speaker 1
0:15 – 1:29
Welcome to CDT's Tech Talk where we chat up the smartest people in tech policy to go beyond the headlines and make sense of how developments will actually affect our lives. I'm Brian Wesolowski and it's time to talk tech policy. This week, we'll explore encryption and why commitments from the private sector and parts of the US government to encrypt all the things are welcome developments. We'll also take a look at employee wellness programs and their privacy implications. Should your employer be able to reward you for your healthy habits and at what cost? You've probably heard about online encryption and you probably have a sense that it's a very very good thing for your overall security online. You've also probably heard that some law enforcement agencies don't wanna see technologies encrypted because they believe it will make it impossible for them to do their jobs. Regardless, from web traffic to apps, to emails to online chats, if you want privacy and security online, you're gonna wanna encrypt it. To decode all the encryption talk, we have our esteemed chief technologist, mister Joe Hall here with us. How are you, Joe? Very well. Thank you. Thanks for joining our podcast. I hope you have a great time chatting with us today. We're having fun recording it. I'm glad we're capturing. Yes. Absolutely.
Speaker 2
1:29 – 2:21
So tell me about encryption. CDT talks about it all the time. We advocate for it. You are one of the strongest proponents of it. What does it mean when we're talking encryption and what, you know, why does CDT advocate for it? Sure. Sure. So first, let's take a step back. You know, the Internet, when it was originally designed, was not designed to be a secure place. It was originally a bunch of researchers who were, for the most part, good people and shared similar goals. The Internet of today is a very different place. There's billions of people online, and all those people and their motivations are just as varied as they would be in the real world. There are bad people on the Internet trying to do bad things to you, unfortunately. And encryption itself does three important things. It makes sure that your communications are confidential, that they're secret, that you're talking to the real entity that you intended to talk to, and that no one can change the content of your communication as it traverses the Internet.
Speaker 1
2:22 – 2:50
So why is it that, whether it's law enforcement or intelligence agencies seem to always throw up a flag and say, you know, we shouldn't really I don't know that they say we shouldn't do encryption, but they seem to either want a backdoor into the encryption, the keys, whatever terminology you wanna use. Why is that? Yeah. And so law enforcement for many years, for about, you know, eight years now, has been arguing that they're, quote, going dark. And what they mean by that is that previously when everyone had used telephones, they had ways to wiretap those phone conversations. They would go to a
Speaker 2
2:55 – 4:48
calls. We still use phones, we use them quite a bit, but we also use a ton of other kinds of communications, including most of them online, including chat, email, websites, forums, apps, and all sorts of kinds. They don't have the ability to just turn up with a button, wiretap that kind of stuff. And increasingly, when they do get access to that stuff, it's encrypted or it's garbled or something. It's really sort of saying, hey, we're losing our ability to tap into stuff. We disagree with this on all fronts. And what we disagree with is first, we think law enforcement is actually going bright. It's really a golden age for surveillance. I share way more than I ever share. Definitely. That's the thing. Right? And but, you know, when you're a kid, there are just a bunch there are not many ways you could share things. And now you literally can share your whole life if you want to. Right. And so we call that sort of a golden age of surveillance. There's so many forms of information that didn't exist before. There's things like, you know, precise geolocation information that because we have the constellation of satellites around the planet, we now have the ability to have that information. Social media, all your friends, it's in your phone, it's on your social media accounts. And then data brokers, just vast databases that law enforcement cannot get access to. Their solution is to they say is to they would like to weaken some of these encryption products or introduce backdoors or flaws into these communication products. And we think that that was gonna do way more harm than good. It would sort of trade off making police and FBI jobs more easy, but, unfortunately, that means that you're also making it insecure for everyone else on the Internet. So the bad guys can walk through that door too. Exactly.
The bad guys can walk through that door, plus this isn't gonna work, you know, as a really famous cryptographer, Phil Zimmermann, who created PGP, has said, this is like trying to legislate the weather or tides. This is math. You can't sort of keep people from doing math.
Speaker 1
4:49 – 5:13
So are we seeing a big uptick in encryption now? I mean, certainly, it's in the news, but are people actually starting to use encryption? I saw that, you know, Apple announced that all their apps need to be encrypted. I think that Google encrypts, you know, their email communications. And just today, we saw that Bing and someone else is also Reddit are starting to encrypt more things. Is, you know, is the tide turning or how is turning. I mean, it's
Speaker 2
5:14 – 7:04
ever since the Snowden revelation started two years ago, almost exactly two years ago, there's we've sort of understood that intelligence agencies around the world and others even have the capacity to monitor pretty much everything online. And so a lot of folks who rely on user trust, so social networks like Facebook and Twitter, and government agencies like the entire federal .gov domain is gonna be encrypted and only encrypted. So you cannot reach one of those sites via an insecure method. Is this the HTTPS stuff? This is HTTP. I mean, I see that all the time. Explain that a little bit to us. So it's just five letters, but it basically means the little lock you see in your web browser. This is a form of encryption that's specific to the web. Okay. It's through your web browser. It's designed to work on the web browser. And it's important because, you know, increasingly we do pretty sensitive stuff online. You buy healthcare, you know, at healthcare.gov online. I do all my banking online. All your banking is online. Right? And so when you see that lock, the browser vendors, Google, Facebook wait, not Facebook. Google, Mozilla, Apple, and Microsoft all have designed their browsers to be pretty conservative in the sense that, if you see that lock or if the lock has an x through it or something like that, then you need to be careful about what you're typing into those sites. But if the lock is there in green or yellow or whatever, and it's solid, you should feel pretty confident that your communications are protected from at least people in between you and the other site on the network. That doesn't that may you still may have malware on your device or your laptop and that server may get compromised like we've seen in some of the hacks recently like the OPM hack, which affects all federal employees, past, present, and hopefully not future.
But we don't know because they maybe planted something that allows them to do other stuff later. So the vulnerabilities,
Speaker 1
7:05 – 7:08
you should clearly not feel 100% secure on HTTPS
Speaker 2
7:09 – 7:59
sites. Is that right? So the problem with security is it's a layered approach. And so HTTPS makes it to where the transport, the while your bits are flying from your device to the website, that's protected. And anyone on the between you and them can get access to that stuff or change it, which is really important. The trick is there's plenty of other ways. They can install malware on your device. They can get access to the stuff on the other side. Unfortunately, they could even spoof that website in a way that it looks like it's a secure website. Mhmm. And unfortunately, there's not a lot you can do about that, but luckily people like me are working to make sure that it's very, very hard to spoof secure websites online. And we have a ton of methods to do that that are pretty, pretty technical.
Speaker 1
8:00 – 8:10
Are these methods that are available in the market now? Things that, you know, happen behind the scenes that someone like me wouldn't know about but should feel good that this This is entirely stuff that's happening behind
Speaker 2
8:11 – 8:53
the scenes. And this is a big focus here at CDT of our work on encryption is what we call infrastructural types of encryption. It's things that you that work, and you don't have to worry about it. You don't have to do anything special. It just happens. And you can think of things like iMessage. If you send a text message between two iPhones or an iPhone and an iPad or whatever, that is fully encrypted, end to end. No one can get access to that stuff, and it's one of the most secure communication products that's widely deployed out there. Well, that's good to know. I'll keep texting. And you see, the only thing you know is it's blue instead of green. Yeah. So if you're gonna say something private, save the iMessage, because text messages are totally not secure and not encrypted.
Speaker 1
8:53 – 9:24
Interesting. So as someone that is, I would say, relatively novice on encryption, I certainly get a bit of technology and would put myself in the tech novice space. What are basic things? You know, a lot of times encryption when you hear it, you think, oh my god, that's so hard to do or people start to talk about being safe and secure online and say, well, you need to be using the Tor browser or something. You get a whole lot of mixed messages. What are some things that any person can be doing to feel more secure and taking advantage of the tools out there? Yeah. I would say the top three are
Speaker 2
9:25 – 12:29
two step login, password managers, and what's called VPN, which is a virtual private network software. Two step login. Most services allow you to have a text message sent to you while you're logging in or once every thirty days to confirm that you are who you say you are. Mhmm. And they'll do that in cases where all of a sudden you're logging in from Antarctica, they'll say this doesn't seem like that's Joe. I'm gonna challenge them. And so two factors are important. You should enable it on anything you can. Facebook, Google, they all have pretty easy if you just search two step and the thing that you want to do it on, they'll be directed. So two step basically meaning you have the password plus a code that they sent you or text you to. It's something beyond the interface you're currently on. You type in your username and your password and then it would say, hey, we just sent you a text message, put in the code that we just sent you. And that means that you have to they'd have to steal your phone and your login information to get access. Password managers are pieces of software that allow you to never have to think about anything but one more password for the rest of your life, which unlocks all the other passwords in this piece of software. They create secure passwords for you, they'll store them for you, they can organize them, you can store other things like credit cards. You never have to take your credit cards around anymore if you want to do online transactions. It'll even type this stuff in, which means certain kinds of malware, things called key loggers, will sit on your computer and monitor everything you type in and look for things that look like passwords. And if you're pasting them in, they'll never that kind of software can't do it.
And finally, the VPN software is a little advanced, but, essentially, if you're ever on a WiFi network, you know, a wireless Internet network like at a coffee shop or an airport or a hotel, typically, they will not have the lock next to the name when you select them on your desktop or your phone. That means it's an insecure network. That means anyone else in that facility who's on the network can see everything that you're sending. And if you're not sending it over in an encrypted way like HTTPS, then they can see all that stuff. A VPN creates a really hard and strong you could think of it as a brick walled tunnel through that promiscuous network up to the Internet, and all your traffic goes through there. And so, for example, the Disconnect VPN on the iOS platform on your iPhone or iPad, that's a wonderful way of tunneling through those kinds of networks. It's very easy to use, very cheap. It's available in the app store. For non iOS things, we tend to recommend something called Astral, which is a similar piece of software you download. And you turn it on whenever you're on a network without that little lock, and it makes sure that all your traffic is secured through that network. That's really helpful. So it's more than just about having a really strong password, which unfortunately too many people think. Right? We call this digital hygiene. And it's kind of the thing where, you know, you always are learning a little bit more about how being more hygienic and being more presentable and, you know, that may include a fashionable element, it may include a whole sort of things. And you really have to think of security as not something you do once and then go away from but it's something you're going to be learning about for the rest of your life. Well, Joe, this was really helpful. We may have to have you back soon to talk about digital hygiene. I love the term, it's fascinating.
Speaker 1
12:30 – 13:26
Hope to have you back soon. Thanks. Thank you. Would you take yoga classes for a reduction in your health insurance cost? What information would you be willing to share for that reduced rate? Your blood pressure? Your weight? What about your geolocation as you go for a walk? The Affordable Care Act allows employers to offer incentives for employees who take part in wellness programs, but there are inherent privacy risks with employee health data, and wellness programs are a relatively new area of health care. CDT's Michelle De Mooy recently wrote an article for US News and World Report on this topic, and she joins us now to talk about it. Welcome, Michelle. Thank you, Brian. It's great to have you on Tech Talk. Oh, it's so great to be here. So you are in fact the instigator of yoga at CDT, even though it's not tied to our insurance, so clearly you think there's some benefit to wellness programs. I do and I just want to say namaste,
Speaker 0
13:27 – 13:58
just start things off. I've actually never taken part in it. You haven't? Well, it's been really great and I just don't wanna intimidate people with my muscles, you know, like a tank top. I think that would be awkward for the work environment. We're all grateful that you were not there to intimidate us. You're welcome. Yoga is just one example of something that is actually doable in the workplace. Something that is maybe not it's not a gym per se, but it's sort of geared towards wellness and health. And so the nice thing is that CDT has been subsidizing that. Some employers have been using different versions of subsidizing,
Speaker 1
13:59 – 14:11
in the form of workplace wellness programs. Yeah. So in your article, you note that there are in fact some conflicts and potential challenges with incentives that are offered as part of wellness programs.
Speaker 0
14:11 – 15:50
And some of these are in conflict with provisions of the Americans with Disabilities Act. Can you elaborate on this a little bit for me? Sure. And it's a little bit wonky, so, you know, I'll try to kinda just make it general. But really what's happened is workplace wellness programs have been allowed to use incentives. So they want to get people to join these programs, and the Affordable Care Act was trying to give them a way to do that. And this is good because everybody, you know, sort of has this belief that these programs really improve health and that that lowers health care costs for employers. What's ended up happening, though, and the Equal Opportunity Employment Commission, brought some lawsuits last year against some big companies that they felt were using incentives improperly. So they were using them instead as penalties. So people who refused to participate for various reasons, including not wanting to share their personal health information because many of the programs start off with a health risk assessment or even biometric screenings, they were being penalized for not joining. So if an incentive is 30% off of your insurance premium, well that's 30% that somebody else is paying. And so they were saying that incentives could not be proxies for penalties. Well, in April, the EEOC sort of did an about face, and they did this on a proposed rulemaking around the Americans with Disabilities Act, a law that protects your ability to protect your health information from your employer. So employers can't have that information about you unless they have a very good business related reason. And the ACA said that they could. And so the EEOC felt like there was a conflict here, when really the Affordable Care Act says,
Speaker 1
15:51 – 16:08
okay, yes, there are incentives, yes, people are gonna disclose information, but you still have to comply with laws like the Americans with Disabilities Act. And you can understand why something like that would matter. I mean, if you are, in fact, someone with a disability, you may not be able to participate in these programs. I mean, for example, yoga. If you have a physical disability,
Speaker 0
16:08 – 16:28
there may just be things you cannot do. I mean, I guarantee you muscles. Well, or too big muscles. Your giant muscles won't allow you to do the yoga pill. That's what it is. In all seriousness, yes. And a lot of disability groups are really concerned about this notice for proposed rule making. Because it is sort of saying, well, if you comply with the Affordable Care Act, then you're pretty much in compliance with the Americans with Disabilities Act. Two very different laws. And if
Speaker 1
16:30 – 16:45
you have to give up personal information or health information on you to your employer, your insurer to participate, you know, you're kind of making a trade off here. And certainly, if the trade off you mentioned, the 30% reduction, we'll say that's $2,000
Speaker 0
16:45 – 17:26
a year or something. That's gonna be a lot more to a junior employee than, say, the CEO of a company. So you might be more willing or feel more pressure to actually give up that information. And there actually were cases, I believe, where they were saying there were also burdensome requirements, such as people having to go to their doctors to get something filled out or to a specific place to join the wellness programs, paperwork, having to do things online when they didn't have the access at home. So those sorts of issues were coming into play. And I think in particular, one advocacy community that I've been talking to quite a bit about this is the obesity community. Because it turns out, you know, many of these wellness programs are targeted towards obesity,
Speaker 1
17:26 – 17:54
and there's a lot of discrimination that can occur around that. And so it's obviously a big concern to that community. So let me pivot a little bit, not too much, but you're also doing a lot of work in wearables and looking into the issue of wearables and data that wearables collect. A lot of times wearables may be part of this program in terms of walking or fitness or, you know, kind of tracking who's doing what. Mhmm. You know, what are the issues you're exploring in terms of privacy and health wearables, such as Fitbits or Jawbones?
Speaker 0
17:54 – 19:13
Yeah. Actually, a lot of awareness, or excuse me, workplace wellness programs are including wearables as a way to get people to join and a way to track their own fitness, their own activities. And this is fine to a certain extent. One of the problems is that when the information goes through a wearable, unless it's going to what's called a covered entity like your provider or health insurance company, it's not covered by any federal law in terms of protecting the data. So that becomes sort of fair game to vendors who are often the people who are administering these wellness programs. Wearables, I think, are a great resource for people who wanna track that, but not necessarily a great resource if you want privacy from your employer and you're given one. So a lot of employers have started using them for things like monitoring, you know, where are you going? Are you going where you say you're going? You know, how active are you? What sort of shape are you in? Because, of course, they recorded more than just steps. Well, I know that, you know, my friends that use them, their favorite part of it is the sleep pattern. I don't know what it does. It tells them, you know, when they're sleeping, when they're not. I don't know how you act upon that. But that would be got into a little trouble about that originally. A couple years ago, there was an issue because they had that feature on by default. So it turned out that people were able to extrapolate or sort of make inferences about when people say weren't asleep from two to 02:15.
Speaker 1
19:13 – 19:20
What could happen during those hours? That's very interesting. Well, that's definitely probably not information you'd want your employer to have. Definitely
Speaker 0
19:21 – 19:58
a lot. And there are a lot of, you know, sort of relationships between data that may not seem apparent at first as privacy issues. But, you know, steps is one thing, but steps between here and here is quite another. Well, this is great. Thank you so much for joining, Michelle. Certainly, a lot of issues to explore further. Wellness programs probably aren't going away, neither are the privacy concerns. So figuring out how to address them. I guess that's your job. Right? It is my job. I'm the only person working on it. No. There are lots of groups working on this, and, thankfully, CDT has been able to convene with these groups and work with them to try to make a difference, especially in the EEOC's case. Great. Thank you so much, Michelle. Sure. Thank you.
Speaker 1
20:02 – 20:18
That's it for this week's CDT Tech Talk. You can find more information about encryption and our health privacy work at www.cdt.org. As always, tweet us any questions you have or topics you'd like us to cover to @CenDemTech. Thanks for listening.