Digital privacy
doesn't always make headline news
unless celebrity nudes are leaked
or compromising corporate emails
are made public.
But our relationship to the internet
has reached
an unprecedented level
of connectedness.
In this new environment, the state
of privacy deserves a closer look.
In this film I'm going to travel
the world to undergo challenges
that will explore our digital life
in the 21st century.
I'll be stalked, I'll be hacked, I'll fight to get leaked documents back.
I'll dive into open data and then I'll live in a futuristic home that will monitor my every move.
All to examine 21st century privacy.
But how did we get here?
Before the 1600s
most people's homes were communal.
Life orientated
around a central fireplace.
There was very little privacy
or personal space.
And then a revolutionary
new technology, the chimney.
People could lock themselves
and their things in personal spaces.
They began
to appreciate their privacy
and expect that what happened
behind closed doors stayed there.
The rich have always had
better control over their privacy.
In 1890s Boston, Warren and Brandeis
were attorneys for the high society.
So, the next tech innovation
came along.
Their clients had grown accustomed
to letting their hair down
behind closed doors.
When photos of their parties landed
on the front-pages of gossip rags,
they were suitably outraged
and sued them.
They won
and the right to privacy was born.
Now, that was fine until the next big
tech innovation came along
and put a device
into our homes and our pockets
that lets us air our dirty laundry
to the world.
Our attitudes and the law
haven't caught up yet.
I'm in Los Angeles to meet Max,
a professional digital detective,
who works with businesses and celebrities to protect their online reputations.
I gave him just my name
and then challenged him
to gather
as much information about me
from what I'd willingly
shared online.
- You ready to go through the box?
- I'm a bit nervous, to be fair.
Let's walk you through it.
This is scratching the surface.
This is essentially a couple of hours of work.
That's pretty deep.
You have
a pretty sizeable digital footprint
and most of this represents media
that you put out yourself.
You might say to me, "Well, my life is an open book, I'm not worried about you revealing any information."
But if I'm looking to get you to do
something you might not want to do,
I'm going to use anything
at my disposal
to create
some sort of psychological leverage.
- All right. What is that?
- No we get into your social media footprint.
Right. OK.
These are all terrible pictures
that I took with silly hair and...
Lots and lots of selfies.
And places that you go
that you yelp about.
Did I yelp?
So your physical location starts to reveal itself, documenting yourself
and capturing clues that you might not have intended.
All of this I've intended.
Absolutely all of this I've intended.
You've got a grin on your face.
That says we're about to dive into...
Yes. OK. So now we're getting...
How did you find all of my addresses?
Because you did a registration.
Because you signed a document.
Your previous addresses,
pieces of ownership.
- Yes.
- And photographs from the inside.
Wow. Oh, my gosh.
- Because now that's on Airbnb.
- A walk-through of your spaces.
Yes. My assets.
I'm gaining more and more
personal information, including...
That's my business addresses,
tax exemptions,
all of my company business.
Yes. Your worth. Your finances.
This goes into a larger question
of how companies are treating
their technology and their policy
if they even have a policy.
In many cases
I've seen it's an afterthought.
In start-up mode, many companies,
they hire their developers
and then the information policy
comes much, much later.
But doing it from the beginning, as you can see
when you register that domain,
when you start creating these corporations,
you're starting that footprint.
You need to control that
from the beginning
And so what we're looking at here is a pile of things that have been indexed
Then, over time, as software gets more sophisticated, they'll get more searchable and obtainable.
We cast long digital shadows
imagine the footprint left by a business with hundreds of employees all with the company email address
all contributing to the online reputation.
And this is just data willingly put in the public domain.
But what happens when data that isn't for public consumption ends up in the wrong hands?
Information we assume is secure: like financial details,
credit card numbers, health records, business correspondence,
When a business falls victim to a sensitive data breach the consequences can be particularly devastating.
In order to get a better idea of this threat, I'm going to face it head on.
I'm going to get my Guardian computer hacked.
The first hacker struck
at a live telegraph event in 1903.
John Fleming was not at all pleased that prankster and magician Nevil Maskelyne
chose to insert insulting Morse code
into his fancy demo.
Modern-day hacking
started with a phone line.
Freakers, as they were known, spent the 1970s making free international phone calls.
In 1981, however, the first freaker
was convicted in the US for hacking,
but this hack helped to expose
the holes in the phone system.
In 1988 the Morris worm
hit an early version of the internet,
exposing vulnerabilities
in this technology.
In 2000 the Love Letter worm infected 10% of the world's internet-connected computers,
causing almost $9 billion
in damages worldwide.
It was a casually created joke
by two friends in the Philippines.
In recent years the new breed of geeks are being hired by governments, financial systems and corporations
to both attack and defend.
In order to get a better idea of this threat, I'm travelling to Las Vegas.
Here, annually, for the past 20 years
international hackers have been gathering
to show off their skills
and to exchange techniques.
We already know what can be learned
about me through a legal search,
but what can be uncovered
with specialist skills?
With my Guardian computer I'm visiting two hackers,
can they hack my  laptop?
What is the security situation like in the Middle East, say, compared with Europe or the US?
I think the whole region is somewhere
between 5 to 10 years behind,
as far as awareness of the importance
of information security.
Mainly because the media
doesn't really talk about it.
In the States,
you turn on any TV channel
and there's a story about a big hack
because these things happen and are publicised.
Yes, I've just got an email
from my director.
He says there's a good article
on the front-page of the Guardian.
So... Oh, Lord, there's nothing
but bad news down here, is there?
- That's the world for you.
- It is, isn't it?
Except there's a cool picture
from NASA.
As you're browsing
through the Guardian,
I just stole your credentials,
so I have your email address... .com
and the password is...
- which is a nice Guns N' Roses song.
- Thank you very much!
I'm actually compromising your whole machine.
I could have downloaded files.
I could do a rickroll,
which is redirecting your browser.
- Never Gonna Give You Up.
- I just sent you to Rick Astley.
You did.
How did you crack my computer?
The website you're on is not actually the Guardian.
It looks like the Guardian.
No it is, but if you look at it carefully, which
people don't really do, on the URL,
it actually says "theguardlian",
so I added an "L" in there.
- Yes, I...
- Yes, you did. It was added?
No, I actually registered the website,
the guardlian.com.
- That's available?
- It was. Not any more.
And so I cloned a live version
of the actual Guardian website,
so you wouldn't know
you're not there.
No, it looks exactly, I mean, it looks
like the Guardian.
It's enough to take control
of your whole computer
because you actually gave me access,
just clicking on the link.
I clicked through to the link
from a person
who sent me an email whom I trust.
Well, your Facebook, your LinkedIn
is out there
and we can find out
who you're associated with.
Then we can get their email
out of their LinkedIn or Facebook.
It's a very easy fake.
Is it as easy to do this
to company computers?
It's probably easier
because out of 100 or 1,000 people,
you know, it's more than probable 
that at least some of them will click the link.
Every year, international hackers
converge in Las Vegas
to attend a series of conferences -
Def Con, BSides and Black Hat.
Over a few weeks they exchange the latest hacking and security tricks and techniques.
We're here in Vegas,
kind of in the belly of the beast.
Are there any examples of this kind of exploitation happening in the wild?
Sure, in the old days,
and by old days I mean five years ago,
we used to do
a lot of USB-based attacks
where we would drop them around parking lots
and that was really common.
So what I want you to do
is plug that in.
For one, you don't ever want
to stick anything into your computer
that you don't actually know
what it is.
At this point I can do anything
I want to your computer.
I can do a key logger.
I can download and upload files.
You can see here that we're here
in the C:/Users/Aleksdirectory.
We noticed you have some business
files and some personal files.
- I do, yes.
- We're going to go ahead and download those
to our computer.
I don't want you to have that.
Now we can do a lot of things.
I could take screen shots
from your camera.
- Of me?
- Of you.
We can record the sound.
And then we're able
to download a file to your computer.
It's moving.
And set it
to your desktop background.
That's a fantastic picture, guys.
- I've been hacked.
- Correct.
What about for corporations?
How are they vulnerable with this kind of thing?
We've done a number of penetration tests where we've gone to our local computer store.
We've bought 10 or 20 keyboards
and slotted one of these devices in
in every single keyboard and packed them up in a box
and just sent them to the company.
And what we've done is
put a fake letter in there that says,
"Hey, we're from HP. We want you
to check out our new keyboard.
"We're hoping if we give you
these 20 free models
"you'll buy 10,000 of them down the road
because they're so great.
"Please try these out."
Nobody resists free stuff.
If you make it expensive enough
and nice enough, people will use it.
But humans are humans.
Is there anything companies can do?
I would say basically it's awareness training.
You can have
all the firewalls you want
and all the password policies.
If they're just going to get online and click on any link, then it renders all that moot.
Sometimes we have to sacrifice
some convenience for safety.
If it's too good to be true,
either in an email format
or something you found
or something somebody sent you, it probably is.
Wow! It was quite unsettling
to see how easy it was to get hacked.
But the consequences of getting
hacked aren't always destructive.
Sometimes it ends up exposing
corporate vulnerabilities or flaws
that a business can address
and improve upon.
Certainly from this hack the Guardian will be more astute with its domain registration.
Thankfully none of my personal or the Guardian's business data was subsequently leaked online.
But what if it had been?
How can we start to take control?
And what can we do to get information we never wanted to be on the internet removed?
There are clearly examples where taking action to remove content from the internet
can have negative consequences.
So, there's an example where Barbara Streisland had some photos
of her beachfront property published online 
in a public archive.
She tried to sue the photographer to take the images down
and the result of that was a much larger public outcry.
And the image went effectively viral online as a result of the action she'd taken.
So the very first thing is just to be conscious that if you've put something on the internet
there's no guarantee that it stays
secure and under your control.
I think companies need to have
some sort of incident-handling plan
to know when something does occur,
and it will,
how they are going to respond to that
so it isn't a panic in the business at that time.
I guess what we see in many companies is that they've moved to adopt the new technologies
because they bring business benefit,
but they've not thought through - necessarily - the risks.
How do you ensure that information
doesn't make you vulnerable?
It really depends where the data is, so if it's linked through somewhere like Google, Twitter, Facebook,
there are removal procedures
you can go through.
But if your data is
on a Russian hacker site somewhere,
they're unlikely to respond
to a take-down request.
The best you can do is try
to mitigate the consequences.
So, for businesses and individuals,
once the information is out,
it seems nearly impossible
to take back control of it.
Since the earliest days of human communication, we quickly learn the importance of confidentiality.
It's been good business.
3,000 years ago in the Middle East
potters used cryptography
to keep their glaze formula
secret from competitors.
Particularly during conflict.
Protecting correspondence has
always been of the utmost importance.
But it wasn't just military and business
information we sought to protect.
In 400 BC the writers of the Kama Sutra recommended that lovers encrypt their messages
to keep them from prying eyes.
Now in the 21st century we're exchanging more business and personal information than ever before,
though we've relinquished control of this data to governments and corporations.
Often instead of safekeeping this material, 
we've found that they're exploiting it.
To learn about preventative techniques my next stop is Berlin where I'm meeting Stephanie Hankey.
Her organisation provides tips, tools and techniques to individuals, such as journalists and activists
whose lives depend upon retaining
control of their digital privacy.
If you're interviewing people, it may be just as important for you as a journalist that somebody from the outside
can't see who you're talking to.
Let's say about a phone call that we might have, 
we might think it needs to be encrypted,
so people don't know what we're talking about.
And sometimes that's true but very often what's more important is that we're having a conversation,
but also we talked last week
and that today we talked for an hour.
That's metadata.
What other forms of data
might be collected about me?
You know, for expample, if you're walking around a city, in order for the phone to know where you are,
to look at a map, you have to have location data on.
If you look on your iPhone,
in the System Services section...
Lo and behold, down,
somewhere buried in the menu.
There's a frequent locations. Most people are quite surprised when they look at it
because it gives a kind of overview of something. For example, it even It guesses what your home is.
When you start
to look at the patterns,
then you can start to see things like probably when
you come into the house after work,
when you leave in the morning. Those kind of things.
You can't stop that but what you can do sometimes is switch location services off, for example.
So what are companies
doing with this metadata?
These companies are not yet very transparent about what they're doing with the data.
Some of that is profiling and advertising and so on 
but some of it has gone much further.
For example, LinkedIn is also using their
large-scale analysis of the data
to advise governments
and that becomes very complicated
because people are not thinking
they're contributing to that sample.
In the modern world, a huge amount of a information is collected about each of us
as we go about our daily lives.
Whether we disclose it willingly or unwittingly,
this valuable data is now a commodity
that is traded
amongst a handful of companies.
Trading data is hardly a new thing.
We've always benefitted
from sharing information.
It's helped to advance civilisation.
The internet is the latest
in a long line of technologies
that have ushered in
great innovations and social change.
Trade routes introduced mathematics
and astronomy from Arabia,
weapons and vaccinations from China
and spices and philosophies
from the subcontinent.
The printing press
blew apart traditional hierarchies,
letting the people interpret and proclaim, 
rather than those in power.
The telegraph brought the world 
infinitely closer together,
totally disrupting business,
governance and the judicial system.
And every step of the way the powers
that be tried to claw back control.
Today there are three-billion people
communicating through the internet.
This latest network has given
each of us the empowering ability
to collaborate, share and exchange
information rapidly and efficiently.
What if there was a way to harness it 
for the collective good?
I'm headed to Japan where I'm going
to volunteer to test radiation levels
using a community-built
Geiger counter.
I'll use my data to help map the fallout 
of the Fukushima nuclear disaster.
After the disaster in March 2011,
information about radiation hazards
that was being released
by the government
was at best incomplete,
often contradictory
and ultimately not really reliable.
So we felt it was one thing to say,
"My government tells me radiation
level is X. I guess I'll believe it."
Or to go and measure it yourself.
I mean, if you measure it yourself, then you really can
have confidence in that data.
So, SafeCast was really formed
to allow citizens
themselves to gather the information they needed 
and to disseminate it in a very free way.
SafeCast Geiger kits are open-source.
Through building the devices themselves,
people learn how the technology works
and as a consequence many have offered 
both hardware and software improvements.
This has helped
to rapidly evolve the design.
People from all sorts of walks of life participate: anti-nuclear, pro-nuclear, teachers, housewives
anyone can build it and submit data.
How can organisations wisely protect
the data that they're collecting?
I think the most important thing that we found
the need to protect is privacy.
For instance, the privacy of volunteers. We allow
them to participate anonymously.
In Fukushima Prefecture
there was concern that people
would have radiation levels
in their front yard publicised
and that this could somehow
affect them negatively
and because of that, we decided
to use a hardware hack
to allow them to put the data
in a grid of 100 metres
that doesn't identify that data spot
with a particular person's property.
How much of Japan has been mapped?
We argue that we have been able
to provide a wider coverage
of radiation surveys
than the government has
and this isbecause of the activities
of very active volunteers.
Certainly, Fukushima has been repeatedly mapped 
for three years or more.
But there still are a few corners
no volunteers have been to,
so today we can go
to a park in Koto Ward,
called Kiyosumi Park,
and we can check that out.
We're looking
at 0.1 microsieverts per hour.
This is about normal.
Pretty average for Tokyo.
How does that compare though with,
say, somewhere like the epicentre of the accident?
This is a piece of a deck that
one of our volunteers was building
when the disaster happened
in the town of Koriyama,
which is one of the fairly
radioactive places in Fukushima.
- Woo! Listen to that!
- Yes.
You can hear it.
It's like a scary noise.
It's already now 10 times
what it was...
- This is a very radioactive sample.
- That is significantly higher.
And this is the degree of fallout
that was everywhere in that area.
Inside the highly radioactive places
in Fukushima Daiichi reactor itself,
it's 1,000 times higher, or more.
We're getting to a point where technically, because of the hardware and software tools,
things that were
previously only possible
if you were a government or a large research institution,
now a highschool kid can do.
This is going to get better,
quicker, easier and cheaper.
We are trying to show the potential of that.
This is an example of the agile
development organisations can use
when they open up
and engage their contributors.
By introducing privacy measures, SafeCast has built confidence in their project
and trust amongst
their collaborators.
This is an increasingly important consideration, as by 2020 it's estimated that there will be 30-billion things
connected to the internet.
I'll explore
the privacy and data implications
by spending 24 hours
in a technology-laden smarthome.
Technology liberates us to pursue
things we would rather be doing.
It always has done.
Back in Iran, agriculture technologies let us domesticate barley, wheat and lentils,
so we didn't have to constantly
travel to put food in our stomachs.
We've spent our lives since then
looking to reduce the heavy lifting.
The Industrial Revolution
meant hand-production methods
were given over to machines.
People could move to the city where the new middle class could find other pursuits.
When automation hit the scene we also gave the heavy thinking to these machines
and they've become twice as smart
every two years.
We've travelled to space and 20 years later we have the same smarts in our pockets.
We are now freer to want.
Want cheaper and faster.
We allow machines
to do more of our work for us.
70% of all trades made
on the US stock market in 2011
were made by algorithms,
not people.
We autofill, we store in the cloud,
we find love with a swipe right.
Algorithms and artificial intelligences process this information for us.
However, today it seems
we serve computers.
Most of us spend more time
gazing into our four-inch screens
than into the eyes of our loved ones.
Smartphones are setting us an endless
stream of to-dos and check lists.
In an attempte to alleviate this, companies are creating new connected products
to sense, learn and ultimately
predict our every need.
Collectively, these products are known as IOT 
or the Internet Of Things.
You may have heard
of domestic applications of IOT -
curtains that raise with you
in the morning,
fridges that restock themselves, but what about the toilets that check your health
and notify you if you're pregnant?
IOT is expanding across industries,
from manufacturing to gardening,
from energy to mobility.
It's estimated that presently 1% of everything that could be connected to the internet is.
Imagine a world where the other 99%
are also constantly sensing,
storing and communicating data
about every aspect of our lives.
What kind of hardware systems
does the smarthome use?
There are three kinds. 
First is the sensor to collect personal data.
Second the data of the internal network of the house
This is the tate of the network connectoin inside and outside of the house.
How do you see smart homes 
changing people's lives in the future?
We believe the keyword is health
Now the technology of sensor has developed so we can collect data of each individual.
We can research the causes 
of illness and accidents at home.
By utilising the data we can develop the technology for safety and health.
So in Japan a primary motivation
for this technology
is to provide a safer
and more efficient environment,
particularly for their ageing population.
But are there any drawbacks?
I just had the experience
of being in a smarthome.
Are there any potential privacy implications 
that I should be worried about?
I think that there are already
a number of privacy implications,
just because it's possible
to use various sensors
to track your activities,
to track your habits.
In some cases, I have heard of
incidences where you have a smarthome
where there will be a camera
built into a device
to allow for various metrics
to be measured.
But unwittingly allowing hackers
to, say, peer into your living room
and so everything is a two-sided coin
where there are pros,
but if the security isn't addressed,
they could easily be used for a con
and people fail to realise that.
Would you live in a smarthome
or work in a smartoffice?
Me, personally, I would love to because then I can get
my hands dirty on all the devices -
test them, find out issues.
- Hack them.
- Yes!
But as a normal user,
I would still be a little sceptical
of what kind of devices I deploy.
Because the vendors
want to reach to the market quickly,
they're not giving as much attention
to the security.
They just want to quickly build it up
and ship it.
So that's where
the major problem lies.
And then there are three major
attacks that we are going to see.
One is the controlling app,
the mobile, the client side.
One is the device itself.
And one is the cloud where the
whole user data is going to be saved.
So we have to be very careful
on what kind of data is being saved
and how it is being saved.
As soon as this gets mass adoption
at the levels it will
and as soon as more data gets online,
how that's protected,
how that could be erased,
how that could be forgotten -
these issues, at least from a
Japan context, has not been debated.
Around the world
they're being addressed,
but I think we're still in the infancy stage
of what that really means.
What should businesses be aware of when they're implementing IOT strategies?
When you deal with IOT
it's not an IT issue,
it is a management and risk issue,
it involves the entire company.
With that said,
it's very, very important
that you do cyber security
at the design level,
like the automobile or the airplane.
If you think about it,
these are designed security first
in a transparent, background manner,
and that's where we need to get to.
There's little doubt that
the Internet Of Things is the future
because we've sought out and embraced
ways to make our lives easier.
But it's clear
developers and consumers
need to think about privacy
and not just as an afterthought.
It might be useful for navigation
for my car to know my location,
but does it need access
to my social media accounts?
Does the information that is
collected by these devices
need to be stored forever?
If most of us strive
to live in the moment,
then perhaps so too should our data.
With these devices
entering our homes and offices,
building trust through ethical use
of our personal and professional data
will become crucial for
these technologies to truly succeed.
So as we adopt digital systems and products to make our lives easier
we each produce exponential amounts of data about ourselves and our businesses.
Some we willingly share but much of it 
we unwittingly contribute.
We are incresingly placing our trust in third parties
- does the data that's already out there 
need to be stored permanently?
Do we need regulation to ensure 
encryption and data decay?
How can we protect our legacy 
from being exposed and used against us?
The responsibility for our security starts with us.
It's the domain of personal 
and professional management.
Today we are at a crossroad:
adopting these systems give us a huge advantage,
but we must take stock in how we manage and regulate them to protect us as individuals and as businesses.
