In finance, analysts combine seemingly insignificant pieces of information to build useful information that a company didn’t intend to reveal. This is called mosaic theory. This talk applies the concepts of mosaic theory to a personal privacy audit.
Many details, like those you might post to social media or include on a public resume, can be combined to deduce significant aspects of your private data. Small divergences from your usual patterns can, when combined together, also reveal information that you may not intend to disclose. Often, this information includes your physical location, vacation dates, or current employer.
After this talk, you should be able to apply the concepts of mosaic theory to evaluate the data that is publicly available about you, including combinations of small details that you may have considered insignificant on their own.
3. Disclaimers
I’m not a lawyer, a financial advisor, the SEC, or in any way entitled to decide what is or is not legal or insider trading. I am especially not your lawyer or financial advisor. This whole talk is provided without warranty or guarantee. This is not legal advice. This is not financial advice.
I’m going to talk about how legal and financial concepts work in a general sense based on a layperson’s understanding so we can all have a shared basis from which to discuss their applicability to your personal privacy. Do not make financial or legal decisions based on any information in this talk. Talk to actual experts if you feel inspired to make financial or legal decisions after watching this talk; do not rely on my information here.
I am not an expert on insider trading regulations, but I will discuss them as a useful lens through which to view personal privacy.
5. About Me
● Currently Security Lead at a small startup
● Strong technical communications background
● Hold security certifications including the GSEC, GCIH, and GCIA
10. “Every day, professional investors and research analysts work the phones to ferret out information about companies that can’t be found by simply reading news releases.”
Andrew Ross Sorkin, New York Times Dealbook Column, November 29, 2010: https://dealbook.nytimes.com/2010/11/29/just-tidbits-or-material-facts-for-insider-trading/
Image: “Puzzling” by byzantiumbooks is licensed under CC BY 2.0
11. What counts as insider trading?
Insider Trading (Bad):
● “Material” information direct from a reputable source
● Information comes packaged together
● Information is useful alone
Skilled Financial Analysis (Good):
● “Immaterial” information from multiple sources
● You combine information to create useful packages
● Individual pieces of information are not as useful as the whole
14. Another Example of Alleged Insider Trading
This one still hasn’t been decided, so it may be okay, but it also sounds bad.
https://www.sec.gov/news/press-release/2021-121
18. You also have information.
Material non-public information:
● Bank balance
● Passwords
● Maybe salary
● Maybe legal name
● Maybe home address
Immaterial or public information:
● Your social media profiles
● News articles about you
● Talks you’ve given
● Maybe your company’s website mentions of you
● Maybe school or competition-related information
“Maybe” items: based on your threat model.
19. Material Information
This is bad to release.
https://www.darkreading.com/attacks-breaches/new-phishing-campaign-targets-individuals-of-interest-to-iran/d/d-id/1341525
22. Where is info about you?
Where do you release info about yourself?
• Personal Social Media
• Professional Social Media
• Work or personal blog
• Slack or Discord
• Meetups
• Stickers or patches
• Affinity Fashion
Where do others release information about you?
• Their social media
• Blogs
• Possibly news articles
• Slack or Discord
• Referring you to jobs or talking you up
• Data breaches
• Data sales
23. Is that all?
Is there information you normally consider anonymous that can be easily deanonymized?
Image: “Puzzling” by jhritz is licensed under CC BY 2.0
24. What’s your threat model?
What is the information about yourself that you actually care about protecting?
Image: “The threat ...” by Claudio Gennari ...'Cogli l'attimo ferma il tempo' is licensed under CC BY 2.0
25. “Margaret” or “Maggie Fero”
Risks include:
• Harder to burn than other aliases
• Heavy use of a consistent name makes me easier to track
• Ties talks back to me in the workplace
Benefits include:
• Easier for friends to find
• Lets me leverage my talks professionally
• Lower-effort than developing separate portfolios under multiple names
26. Birthday, but not date of birth
● By sharing my birthday, people tell me happy birthday, which I love!
● I’m also less likely to be assigned projects due on my birthday, and might get cake or cards!
● Sharing my birthday does make it easier to get my date of birth, which can be used in fraud, but for me personally, the small amount by which it’ll be easier for somebody to commit fraud in my name, relative to if they had to get this from a breach, is worth it for those guaranteed benefits.
● Full DOB or age is different for me, because of the prevalence of age discrimination in my field; I still think somebody could get it, but the value to me of revealing it is negligible and the increased risk that more people would subconsciously use it against me at various points is not worth that.
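As an added example, not from the talk: a small Python self-audit that applies the mosaic idea to the birthday-versus-DOB trade-off above, counting how many dates of birth stay consistent as each constructed tidbit (a birthday, an age bracket, a quoted age) is combined in; the tidbits, their dates and the 1940–2010 year range are assumptions.

```python
# Added example, not from the talk: tidbits, dates and year range are constructed.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Tidbit:
    kind: str        # "birthday", "age" or "age_range"
    value: tuple     # (month, day), (age,) or (low_age, high_age)
    observed: date   # date the fact was posted or reported
    source: str      # where it came from, for the audit trail

def age_on(dob: date, when: date) -> int:
    """Completed years between dob and when (one less if the birthday hasn't come yet)."""
    return when.year - dob.year - ((when.month, when.day) < (dob.month, dob.day))

def consistent(tidbit: Tidbit, dob: date) -> bool:
    """Does a candidate date of birth agree with this public tidbit?"""
    if tidbit.kind == "birthday":
        return (dob.month, dob.day) == tidbit.value
    if tidbit.kind == "age":
        return age_on(dob, tidbit.observed) == tidbit.value[0]
    if tidbit.kind == "age_range":
        return tidbit.value[0] <= age_on(dob, tidbit.observed) <= tidbit.value[1]
    raise ValueError(f"unknown tidbit kind: {tidbit.kind}")

def candidate_dobs(tidbits, years=(1940, 2010)):
    """Every date of birth within `years` that fits all tidbits (brute force, ~26k dates)."""
    day, last = date(years[0], 1, 1), date(years[1], 12, 31)
    found = []
    while day <= last:
        if all(consistent(t, day) for t in tidbits):
            found.append(day)
        day += timedelta(days=1)
    return found

def audit(tidbits, years=(1940, 2010)):
    """Candidate-set size before any tidbit and after each one is combined in."""
    return [len(candidate_dobs(tidbits[:i], years)) for i in range(len(tidbits) + 1)]

# Constructed tidbits: each looks immaterial on its own.
SAMPLE_TIDBITS = [
    Tidbit("birthday", (6, 12), date(2020, 6, 12), "birthday wishes on social media"),
    Tidbit("age_range", (30, 39), date(2019, 3, 1), "blog post saying 'in my 30s'"),
    Tidbit("age", (34,), date(2021, 8, 15), "news article quoting an age"),
]

if __name__ == "__main__":
    for t, left in zip([None] + SAMPLE_TIDBITS, audit(SAMPLE_TIDBITS)):
        print(f"{left:6d} candidate DOBs after adding: {t.source if t else 'nothing'}")
    print("exact:", [d.isoformat() for d in candidate_dobs(SAMPLE_TIDBITS)])
```

With the constructed tidbits the candidate set goes from about 26,000 dates to 71 (birthday), then 10 (age bracket), then exactly one (quoted age); the same loop works for any other facts you can express as a consistency check.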
27. Threat model evolution
Risk of bad things decreases:
● Moving from living alone with a door to the street to a group living situation with multiple locks
● Information you were concerned about your employer learning is revealed to them
Benefits or chance thereof increase:
● Access to networks or other resources
● Hitting thresholds where what was a liability is seen as admirable
● Resulting from career evolution
34. Do you still care about protecting that information, now that you’ve found it?
35. Could somebody else make this leap without the context that you have for your own life?
36. Are there things you need to avoid disclosing to keep from making information discernible, if it’s information you still care about protecting and it’s not quite released?