In the wake of the mass shooting in Las Vegas in October of 2017, hotels in the city started drafting more aggressive policies regarding security. Just as Caesars Entertainment was rolling out its new security policies, the company ran head on into DEF CON—an event with privacy tightly linked to its culture.
The resulting clash of worlds—especially at Caesars Palace, the hotel where much of DEF CON was held—left some attendees feeling violated, harassed, or abused, and that exploded onto Twitter this past weekend.
Caesars began rolling out a new security policy in February that mandated room searches when staff had not had access to rooms for over 24 hours. Caesars has been mostly tolerant of the idiosyncratic behavior of the DEF CON community, but it’s not clear that the company prepared security staff for dealing with the sorts of things they would find in the rooms of DEF CON attendees. Soldering irons and other gear were seized, and some attendees reported being intimidated by security staff.
🚨 WARNING HACKERS 🚨
Ceasars staff are performing “random” security checks of rooms. If you opt out of room cleaning and used defcon discount they will check your room and WILL confiscate soldering irons + more!
— Andrew Wolf (@really_awolf) August 10, 2018
And since the searches came without any warning other than a knock, they led, in some cases, to frightening encounters for attendees who were in those rooms. Katie Moussouris—a bug bounty and vulnerability disclosure program pioneer at Microsoft, an advocate for security researchers, and now the founder and CEO of Luta Security—was confronted by two male members of hotel security as she returned to her room. When she went into the room to call the desk to verify who they were, they banged on the door and screamed at her to immediately open it.
Current status: two members of hotel security banging on my door after I asked to go into my room and verify them with hotel security. I’m on speaker phone with hotel security, asking for a supervisor to come verify. I’m terrified. What the hell is this @CaesarsPalace #DEFCON
— Katie Moussouris (@k8em0) August 11, 2018
In another case, a hotel employee—likely hotel security—entered the room of a woman attending DEF CON without knocking:
This evening, a man in a light blue collared shirt with a walkie talkie, entered my room with a key without knocking while I was getting dressed. He left when I started screaming. @CaesarsPalace is investigating whether it was a hotel employee. @defcon has also been alerted.
— Maddie Stone (@maddiestone) August 12, 2018
Beau Woods, cyber policy activist and co-founder of I Am The Cavalry, hacked the “Do Not Disturb” sign in an attempt to stave off searches:
For those trying to figure out how to avoid the hotel room (in)security checks, I’ve used this setup and so far no intrusions in two days. pic.twitter.com/oVaucxajGK
— Beau Woods (@beauwoods) August 11, 2018
Ars attempted to reach Caesars for comment but received no response. After Ars reached out to DEFCON, the organizers posted this statement:
We understand that attendees want a statement from DEF CON about the Caesars room search policy. We are actively engaged with the hotel, seeking answers and a clear policy document we can share with you. Please know that we hear your concerns and we’ve shared them with Caesars. We expect a venue where our attendees are secure in their persons and effects and a security policy that is codified, predictable, and verifiable. Thank you for your patience while we work this out.
There is a long history of legal precedent surrounding the expectation of privacy in hotel rooms—overnight hotel guests are recognized to have an expectation of privacy under the Fourth Amendment. But things become murkier when the search is conducted by the property owner. Still, Moussouris’ concern was for her physical safety more than her privacy; despite the new security policies, Caesars doesn’t control access to its elevators by room key, and there is largely uncontrolled public access to the hotel’s towers.
Last view of the crime scene that was my invaded hotel room and violated space, courtesy of @CaesarsPalace who still have not told me anything, offered me anything (except to move my room – like that really would prevent their security team screaming at me again). My last #DEFCON pic.twitter.com/OG19Dfx3El
— Katie Moussouris (@k8em0) August 13, 2018
DEF CON won’t be at Caesar’s Palace next year—but not because of these incidents. The conference has a multi-year contract with Caesars Entertainment to host DEF CON, and Caesars’ convention center will be undergoing renovations in 2019. Moussouris said this was her last DEF CON.
Update, 7:45 PM: Caesars Entertainment issued a statement today claiming that the room search policy had been implemented in January—and that DEF CON organizers had been briefed on the searches, which “involve only a visual review of the bedroom, bathroom and additional seating area, if any.” Marc Rogers, a well-known security researcher who leads DEF CON’s security team and initiated the conference’s transparency report on incidents, contradicted this in an open letter he posted to his blog today:
If I had received this, in the interest of transparency, I would have informed you all. After all, that’s EXACTLY why I started the DEF CON transparency report. The timing of it looks odd.
I do not support or endorse these room searches or how they are executed. I sympathize with the challenge these hotels are facing but believe they need to take a harder look at the efficiency, impact and long term cost of this strategy.
We MUST NOT let our hotels become like our airports. If we do, then the terrorists win.
Rogers also tendered his resignation from the DEF CON team.