Riana Pfefferkorn is the Associate Director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society. Riana’s work focuses on investigating and analyzing the U.S. government’s policy and practices for forcing decryption and/or influencing crypto-related design of online platforms and services, devices, and products, both via technical means and through the courts and legislatures. She also researches the benefits and disadvantages of strong encryption on free expression, political engagement, economic development, and other public interests.
Riana was previously an associate in the Internet Strategy & Litigation group at the law firm of Wilson Sonsini Goodrich & Rosati, where she worked on litigation and counseling matters involving online privacy, Internet intermediary liability, consumer protection, copyright, trademark, and trade secrets and was actively involved in the firm’s pro-bono program.
Let us start the interview.
Question 1: Glad to have you here, Riana. Can you please tell us how an online user should follow legal procedure after being scammed and phished by hackers? Recently, phishers have targeted employees with fake GDPR compliance reminders. How does one tackle such situations?
Riana: Getting legal recourse after getting scammed can be difficult, as the authorities do not have the resources to investigate every such instance and those responsible typically make themselves hard to find. If an employee costs their organization money as a result of a scam, the company should report it to local police and the FBI; if a consumer suffers a loss of money, identity theft, etc. due to an online scam or phishing, they should likewise report it to local police (some police departments now have groups specially dedicated to online scams), as well as file a complaint with the Federal Trade Commission, which can be done online. Also, notify your bank or credit card company (if those financial details were implicated in the scam), and to protect against identity theft, contact the major credit bureaus (Experian, Equifax, TransUnion) and have them put a security freeze and a fraud alert on your credit report. The fraud alert lasts for one year; the security freeze will stay in place until you ask the credit bureau to lift it.
Here are some FTC resources:
Place a fraud alert: https://www.consumer.ftc.gov/articles/0275-place-fraud-alert
Place a security freeze: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
Of course, the best way to deal with the fallout from a scam is to keep it from succeeding in the first place through preventative measures. Be wary of clicking on links from unknown phone numbers or email addresses. Don’t reuse passwords; instead, use a password manager such as LastPass or 1Password, and use it to generate and store strong passwords for all your online accounts. Turn on multi-factor authentication for your accounts wherever you can, especially for your email and bank accounts. If there’s an option to use an MFA means besides SMS, do it, since SMS is a less-secure factor. But if only SMS is offered, that’s still better than nothing.
Question 2: Continuing on the first question from an online user’s perspective, cyberbullying is one of the worst things that exist on the web, and we have seen many people, including some famous personalities, who have had to leave the web because of it. How does one stop cyberbullying, by legal and forced (but ethical) means?
Riana: Cyberbullying is a persistent, pernicious problem and there’s no silver bullet for it. But that doesn’t mean users are totally helpless. There are several layers at which you can take action to defend yourself from cyberbullying.
First is legal authorities. Multiple states now have cyberbullying laws, so if you are a resident of such a state, you could file a police report. There’s even a federal website now that’s devoted to this issue and that suggests resources for getting help: https://www.stopbullying.gov/resources/get-help-now. If the bully is a coworker or fellow student, you can also bring it up to your employer or school. Not everyone will feel comfortable resorting to the police or to their boss or school, however.
A second layer is the platform through which the bullying occurs. Cyberbullying also contravenes most online platforms’ terms of service. That means the first, easiest step is to flag the harassing account to the service provider, and it might be suspended. However, enforcement of terms of service against harassing content is inconsistent, both between platforms and within a single platform.
Finally, if authority figures can’t or won’t help, and neither will the platforms themselves, resources exist for users to protect themselves. I suggest checking out the resources available from Tall Poppy (which was started by an acquaintance of mine): https://tallpoppy.com/resources/
Question 3: Do you think there is much awareness, globally, about data privacy or is there a constant need for the cybersecurity stakeholders to keep telling people about their data privacy? Also, what are your views about the latest California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)?
Riana: I think that awareness about data privacy and security is growing worldwide, but that there can be a disconnect between how private and secure people think their communications and data are online, and how much actual privacy and security they have, as well as what actual legal rights they enjoy. I think there’s also a disconnect between policymakers and those who build actual products and services. It’s been fascinating to see jurisdictions around the globe, such as the EU and Brazil, write laws that reinforce privacy as a fundamental right, not just the transactional, contractual concept it’s often viewed as in the U.S. But those laws don’t always take into account how technology actually works. So the devil has proved to be in the details of implementing those laws in ways that are feasible, work at massive scale, and still let the user use the product or service to do what they came there to do. Beyond that general impression, though, I confess I don’t know enough about the gory details of the CCPA and CPRA to want to comment on them in depth. But for those curious, Prof. Eric Goldman has blogged about both extensively, and his blog posts are always worth reading.
Question 4: There has been a huge debate about the Lawful Access to Encrypted Data Act. Do you think the government should ever be able to access the data?
Riana: One of my core beliefs is that there are spaces in human society that cannot be policed from the outside, and that such spaces should be allowed to, and indeed must, exist. I believe such spaces are a net good for society, and that we need them for privacy, free expression, and human flourishing. Therefore, I believe that people have a right to privacy in their data and communications, and that that right extends to having the right to encrypt them in a way that law enforcement cannot break. If law enforcement can get a warrant or a wiretap for users’ communications, great, they can go ahead and try to decrypt that information (though such efforts raise their own legal and ethical difficulties). But I strongly disagree with any law that forces the provider of a communications service to break encryption and decrypt data for law enforcement.
Question 5: As encryption is one of the most important elements for digital whistleblowing, how can one digitally whistleblow without having to face the drastic consequences that may follow due to the decryption?
Riana: The SecureDrop project and its offspring have tried to address this issue and make it safe for whistleblowers to share important information: https://securedrop.org/
We’ve seen from the Reality Winner case what can go wrong when a journalistic outlet mishandles documents received from a whistleblower. Luckily, there are more and more resources out there now for journalists to help ensure the security of their whistleblower sources, such as these from the Society of Professional Journalists: https://www.journaliststoolbox.org/2020/10/02/security-tools/
Question 6: Do you see a safer online space in 5-10 years, considering that no company or individual currently appears safe from malicious attacks? Will there ever be a completely safe and secure cybersphere?
Riana: Cyberspace, like the real world, will never be totally safe and secure, and we must be very wary of lawmakers trying to take away privacy, free speech, and security rights in the name of increasing safety online. In 5-10 years, I think the challenges in the online space will look different from those we face today. Cybersecurity professionals have their work cut out for them; it’ll always be a cat-and-mouse game to improve security in one or another domain (be it web security, business email compromise, or what have you). But I believe we’ll make advances in online security that will help to achieve incremental progress overall. The goal isn’t to achieve total security; that’s impossible. The goal is to achieve resilience: improve defense, make offense costlier, and decrease the severity of the consequences when an attacker does successfully get past a defense.
Question 7: A number of people are still unaware of the threats and limitations of online privacy policies. Keeping this in mind, what message would you like to convey to the online community?
Riana: Privacy policies are meant to protect those who write them more than to protect you, the user. Keep demanding actual privacy improvements from the products and services you use. Privacy is now a market differentiator, and you can “vote with your pocketbook.”
Question 8: Thank you so much, Riana, for the interview. Last question: what does your perfect weekend look like during the lockdown?
Riana: Going outside for a long walk in nature and not opening my laptop even once.
Thank you for your time, Riana. As for our followers, you can follow her on Twitter at @Riana_Crypto and drop us your questions or feedback in the comments.
Also, our next cybersecurity interview will feature an InfoSec advocate, an activist, and the current Vice President of Strategy at Point3 Security. She strongly believes that information security is a humanitarian issue and has a keen interest in keeping people safe and empowered online and offline. Keep following our blog for all the latest updates related to cybersecurity. Stay safe and take care, everyone!