1
00:00:00,000 --> 00:00:02,999
CHRIS SOGHOIAN: Good morning or good afternoon.

2
00:00:02,999 --> 00:00:04,334
My name is Chris Soghoian.

3
00:00:08,959 --> 00:00:12,250
I started last September, I'm the first technologist that

4
00:00:12,250 --> 00:00:17,792
the ACLU has had who has focused specifically on surveillance and privacy.

5
00:00:17,792 --> 00:00:18,792
I finished the Ph.D.

6
00:00:18,792 --> 00:00:20,918
last year specifically focused on the role the internet

7
00:00:20,918 --> 00:00:25,876
and phone companies play in spying on the customers for the government.

8
00:00:25,876 --> 00:00:27,999
It's an extremely timely topic.

9
00:00:28,334 --> 00:00:30,709
I started last September.

10
00:00:30,834 --> 00:00:35,876
The ACLU has been very busy in the last year on surveillance issues.

11
00:00:35,999 --> 00:00:40,417
Shortly after the revelations, we were the first organizations

12
00:00:40,417 --> 00:00:44,417
to file suit against the National Security Agency,

13
00:00:44,417 --> 00:00:50,209
although we were thank you very much for the applause although we are not

14
00:00:50,209 --> 00:00:51,999
the last.

15
00:00:51,999 --> 00:00:55,709
Several other great organizations have sued the NSA and hopefully those

16
00:00:55,709 --> 00:00:57,792
will keep coming.

17
00:00:58,167 --> 00:01:02,999
Today I will be talking, I will be telling a story.

18
00:01:02,999 --> 00:01:05,125
I will be telling a story of how law enforcement and

19
00:01:05,125 --> 00:01:09,083
the government have responded to technical change.

20
00:01:09,542 --> 00:01:11,999
This will be a story, and I guess three acts,

21
00:01:11,999 --> 00:01:14,167
and really delves into the relationship

22
00:01:14,167 --> 00:01:16,792
between the companies and the governments and

23
00:01:16,792 --> 00:01:18,999
the different relationships because not

24
00:01:18,999 --> 00:01:22,667
all of the companies are the same, some are friendlier than others

25
00:01:22,667 --> 00:01:24,667
to the government.

26
00:03:04,834 --> 00:03:08,999
(Technical Difficulties) It wasn't even good at protecting people

27
00:03:08,999 --> 00:03:11,626
from anyone other than the NSA ultimately

28
00:03:11,626 --> 00:03:15,334
the crypto wave ultimately, companies like PGP were allowed

29
00:03:15,334 --> 00:03:18,876
to export technology around the world.

30
00:03:37,626 --> 00:03:43,209
Web browser vendors were able to export full 128 bit crypto

31
00:03:43,209 --> 00:03:50,375
to anyone except to people in Cuba and Iran and other countries.

32
00:03:51,834 --> 00:03:55,125
The F.B.I.'s initial attempts and the F.B.I.

33
00:03:58,334 --> 00:04:01,167
and the NSA the previous strategy was let's stop

34
00:04:01,167 --> 00:04:05,417
everyone other than Americans from getting this stuff.

35
00:04:05,999 --> 00:04:08,959
If we make it difficult for them to get the technology, they won't use it

36
00:04:08,959 --> 00:04:11,083
and we will easily be able to monitor their communications

37
00:04:11,083 --> 00:04:12,999
and get their data.

38
00:04:13,876 --> 00:04:18,292
But even after the crypto export control rules were weakened,

39
00:04:18,292 --> 00:04:22,999
and you could download PGP no matter in which company you were,

40
00:04:22,999 --> 00:04:27,999
it didn't actually lead to the widespread use of PGP.

41
00:04:28,083 --> 00:04:31,751
Hands up, everyone who uses PGP on a daily basis?

42
00:04:33,751 --> 00:04:36,999
For this audience that's not really that good.

43
00:04:36,999 --> 00:04:38,417
I will confess, I only use it with a handful

44
00:04:38,417 --> 00:04:41,083
of colleagues and journalists.

45
00:04:41,083 --> 00:04:44,292
Most people who contact me don't know how to use it.

46
00:04:44,751 --> 00:04:48,751
And the reason is PGP is really difficult to use.

47
00:04:48,999 --> 00:04:52,959
There is a major important study by Alma Whitton who

48
00:04:52,959 --> 00:04:59,918
is at Google ten years ago pointing out the usability failure at PGP.

49
00:04:59,999 --> 00:05:03,626
When a tool is difficult to understand how to use,

50
00:05:03,626 --> 00:05:07,626
people don't use it or they use it wrong.

51
00:05:08,167 --> 00:05:10,083
They think they are encrypting when not

52
00:05:10,083 --> 00:05:13,083
encrypting which is worse because then they will say things

53
00:05:13,083 --> 00:05:15,626
they may not have said if they thought emails were

54
00:05:15,626 --> 00:05:17,250
going through.

55
00:05:18,501 --> 00:05:23,459
And so the widespread availability of encryption really didn't frustrate

56
00:05:23,459 --> 00:05:25,083
the F.B.I.

57
00:05:25,083 --> 00:05:26,999
in the way that they thought it would.

58
00:05:26,999 --> 00:05:29,834
Terrorists and pedophiles and drug dealers didn't rush

59
00:05:29,834 --> 00:05:32,999
out and start using PGP because it turns out terrorists

60
00:05:32,999 --> 00:05:37,334
and pedophiles and drug dealers are like the rest of us.

61
00:05:37,334 --> 00:05:39,667
They are lazy and they are not experts at difficult

62
00:05:39,667 --> 00:05:41,834
to use technology.

63
00:05:42,876 --> 00:05:46,667
So PGP wasn't the threat they thought it would be.

64
00:05:48,834 --> 00:05:51,918
HTTPS, the icon we see in the browsers, is easier

65
00:05:51,918 --> 00:05:56,083
to use because it doesn't really involve anything from the user side,

66
00:05:56,083 --> 00:05:59,501
but even that wasn't widely deployed.

67
00:05:59,501 --> 00:06:04,250
Where SSL was widely used was in eCommerce, online banking.

68
00:06:04,250 --> 00:06:06,918
If you were sending your credit card over the web,

69
00:06:06,918 --> 00:06:09,292
your communications would be encrypted,

70
00:06:09,292 --> 00:06:13,083
but if you were sending emails, social networking messages,

71
00:06:13,083 --> 00:06:15,959
private photos, backing up files, very few

72
00:06:15,959 --> 00:06:19,792
of these things would be protected with SSL.

73
00:06:20,334 --> 00:06:25,292
And so, again, the government had, they had a good time.

74
00:06:25,292 --> 00:06:26,876
They didn't have to worry too hard although

75
00:06:26,876 --> 00:06:29,584
the technologies existed, no one was using them or

76
00:06:29,584 --> 00:06:33,209
they weren't using them for the things the F.B.I.

77
00:06:33,209 --> 00:06:34,209
cared about.

78
00:06:34,792 --> 00:06:37,999
This is a slide that the Guardian published this week.

79
00:06:37,999 --> 00:06:41,751
It's from the latest deck that Snowden provided them.

80
00:06:42,083 --> 00:06:45,584
This is a deck from X Key Score, which is the program they have or

81
00:06:45,584 --> 00:06:49,501
the intelligence platform that allows them to monitor vast amounts

82
00:06:49,501 --> 00:06:52,999
of communications and search for it later.

83
00:06:53,417 --> 00:06:57,083
Now, this deck is from 2008, 2007, so it's a few years old,

84
00:06:57,083 --> 00:06:59,999
but what you can see clearly, also those of you

85
00:06:59,999 --> 00:07:03,083
in law enforcement and in the intelligence space,

86
00:07:03,083 --> 00:07:06,459
these folks appreciated the communications were going

87
00:07:06,459 --> 00:07:09,292
over the network in the clear.

88
00:07:09,292 --> 00:07:13,125
Whether it was Yahoo or Facebook or Twitter or your eMails,

89
00:07:13,125 --> 00:07:16,667
they are easily available for the government to grab

90
00:07:16,667 --> 00:07:22,459
with the assistance of their friends at the background internet providers.

91
00:07:24,083 --> 00:07:26,459
And so things were good for a while.

92
00:07:26,667 --> 00:07:30,542
It didn't really matter that your browser could do strong crypto.

93
00:07:30,542 --> 00:07:33,334
It doesn't matter that you could download tools from a website

94
00:07:33,334 --> 00:07:35,999
and configure them and have a key signing party

95
00:07:35,999 --> 00:07:38,918
because nobody was doing that.

96
00:07:38,918 --> 00:07:41,083
But that didn't stop the F.B.I.

97
00:07:41,083 --> 00:07:41,999
from worrying because down the road

98
00:07:41,999 --> 00:07:44,959
they saw that things were going to get bad.

99
00:07:44,999 --> 00:07:48,209
And it wasn't going to be because people could download tools.

100
00:07:48,417 --> 00:07:50,167
It was going to be because companies were going

101
00:07:50,167 --> 00:07:53,999
to start building crypto into their products by default.

102
00:07:54,751 --> 00:07:58,709
This is Valerie Caproni, she was until about a year ago

103
00:07:58,709 --> 00:08:02,999
the general counsel for F.B.I., the top F.B.I.

104
00:08:02,999 --> 00:08:03,999
lawyer.

105
00:08:03,999 --> 00:08:08,999
She has testified before Congress on various occasions and in 2011

106
00:08:08,999 --> 00:08:13,584
she warned Congress about what the F.B.I.

107
00:08:13,584 --> 00:08:15,417
was calling the going dark problem.

108
00:08:15,501 --> 00:08:19,125
Going dark is the F.B.I.'s term for what happens when everyone uses

109
00:08:19,125 --> 00:08:21,834
encrypted communications.

110
00:08:22,167 --> 00:08:23,751
The F.B.I.

111
00:08:23,751 --> 00:08:26,626
has coined this term and spent lots of money researching this issue

112
00:08:26,626 --> 00:08:30,876
because they are worried about a day in which all of the communications that

113
00:08:30,876 --> 00:08:34,999
users are sending are going to be off limits to the F.B.I.

114
00:08:35,292 --> 00:08:40,751
This is in 2001 or 2011, quote, "The F.B.I.

115
00:08:40,751 --> 00:08:41,999
and other government agencies are facing

116
00:08:41,999 --> 00:08:44,999
a potentially widening gap between our legal authority

117
00:08:44,999 --> 00:08:49,167
to intercept communications pursuant to a court order and our practical ability

118
00:08:49,167 --> 00:08:52,250
to actually intercept communications.

119
00:08:52,584 --> 00:08:53,709
The F.B.I.

120
00:08:53,709 --> 00:08:56,626
says they can get a court order, but when they actually try and get

121
00:08:56,626 --> 00:08:59,626
the communications, either the company doesn't have

122
00:08:59,626 --> 00:09:02,792
the capability because they haven't built wiretapping

123
00:09:02,792 --> 00:09:07,542
systems into their networks, or the company cannot provide data."

124
00:09:08,292 --> 00:09:11,667
She added, "Encryption is a problem.

125
00:09:11,918 --> 00:09:14,626
It is a problem we see for certain providers."

126
00:09:14,792 --> 00:09:20,542
So what she was describing there was the fact that over a couple of years,

127
00:09:20,542 --> 00:09:25,292
starting in 2010, companies in Silicon Valley started rolling

128
00:09:25,292 --> 00:09:28,751
out SSL encryption by default.

129
00:09:29,999 --> 00:09:36,709
In a "Washington Post" story last year, a former F.B.I.

130
00:09:36,709 --> 00:09:38,542
official described in the post, Officials say that

131
00:09:38,542 --> 00:09:41,999
the challenge was exacerbated in 2010 when Google began end

132
00:09:41,999 --> 00:09:43,999
to end encryption.

133
00:09:44,250 --> 00:09:46,584
That made it more difficult for the F.B.I.

134
00:09:46,584 --> 00:09:47,999
to intercept email by serving a court order

135
00:09:47,999 --> 00:09:51,999
on the ISP whose pipes would carry the encrypted traffic.

136
00:09:52,876 --> 00:09:58,999
In 2010 Google was the first, first of the big free web mail providers

137
00:09:58,999 --> 00:10:02,125
to turn on SSL by default.

138
00:10:02,125 --> 00:10:06,375
Google had offered SSL as an option, but it was an option deep

139
00:10:06,375 --> 00:10:10,834
in several layers of configuration screens.

140
00:10:10,834 --> 00:10:15,709
I think it was the last of 13 options after the vacation auto away message,

141
00:10:15,709 --> 00:10:17,876
after unicode.

142
00:10:17,876 --> 00:10:21,709
There was nothing less important in the Google configuration screen

143
00:10:21,709 --> 00:10:23,292
than SSL.

144
00:10:23,834 --> 00:10:25,584
And so, of course, no one used it.

145
00:10:25,709 --> 00:10:28,709
When the option was hidden, and disabled by default,

146
00:10:28,709 --> 00:10:31,792
no one was having, no one's emails were secure

147
00:10:31,792 --> 00:10:34,626
between the user and Google.

148
00:10:34,999 --> 00:10:39,959
But in January 2010, Google flipped the switch and enabled SSL by default,

149
00:10:39,959 --> 00:10:44,501
and in the years that followed, several other Silicon Valley companies

150
00:10:44,501 --> 00:10:46,334
did the same.

151
00:10:46,626 --> 00:10:49,042
It was Twitter, then Microsoft with their renamed or

152
00:10:49,042 --> 00:10:52,292
they renamed Hot Mail to Outlook and they turned on SSL

153
00:10:52,292 --> 00:10:54,250
at the same time.

154
00:10:54,834 --> 00:10:57,999
Facebook started doing it last year, started rolling it out,

155
00:10:57,999 --> 00:11:02,209
and I think just this week announced that all Facebook communications

156
00:11:02,209 --> 00:11:06,834
will be SSL encrypted from the user to Facebook servers.

157
00:11:06,834 --> 00:11:09,459
In addition to that companies have started rolling

158
00:11:09,459 --> 00:11:13,459
out an improved algorithm that makes it much more difficult

159
00:11:13,459 --> 00:11:18,999
for government agencies to go to companies and demand private keys.

160
00:11:19,250 --> 00:11:21,083
They are upping their key sizes.

161
00:11:21,083 --> 00:11:25,083
These Silicon Valley companies are making passive interception much

162
00:11:25,083 --> 00:11:27,250
more difficult.

163
00:11:29,876 --> 00:11:31,083
(Applause).

164
00:11:33,751 --> 00:11:36,709
Now, of course, that doesn't mean the government can't get things

165
00:11:36,709 --> 00:11:38,125
from Google.

166
00:11:39,417 --> 00:11:43,834
Your communications between you and Google servers are encrypted,

167
00:11:43,834 --> 00:11:48,999
but once the files arrive at Google, whether it's your emails or your private

168
00:11:48,999 --> 00:11:54,584
photographs or instant messages, they are sitting there in plain text.

169
00:11:54,999 --> 00:11:57,083
This is Vince Cerf.

170
00:11:57,083 --> 00:12:00,999
He is the chief internet evangelist.

171
00:12:03,375 --> 00:12:08,292
I was on a panel with him in 2011 in Nairobi, and we started talking

172
00:12:08,292 --> 00:12:12,250
about Google's lack of stored encryption.

173
00:12:12,250 --> 00:12:14,083
He said, quote, "We couldn't run our system

174
00:12:14,083 --> 00:12:15,999
if everything in it were encrypted

175
00:12:15,999 --> 00:12:19,999
because then we wouldn't know which ads to show you.

176
00:12:19,999 --> 00:12:23,876
This is a system designed around a particular business model."

177
00:12:24,083 --> 00:12:28,334
So this is a very honest statement from a Google executive,

178
00:12:28,334 --> 00:12:32,083
and I don't begrudge Google, right.

179
00:12:32,083 --> 00:12:34,375
They offer a fantastic easy to use service, and

180
00:12:34,375 --> 00:12:38,083
they don't charge people for it, and neither does Twitter,

181
00:12:38,083 --> 00:12:40,501
neither did Facebook.

182
00:12:40,501 --> 00:12:44,542
These companies all offer one and only one product.

183
00:12:44,542 --> 00:12:46,584
There is no way to pay for Facebook.

184
00:12:46,584 --> 00:12:48,417
There is no way to pay for Twitter.

185
00:12:48,417 --> 00:12:50,584
There is no way to upgrade your G Mail account

186
00:12:50,584 --> 00:12:54,167
to a corporate account, a Google apps account.

187
00:12:54,167 --> 00:12:57,918
They have the accounts for users and then the accounts for businesses.

188
00:12:58,083 --> 00:13:01,083
And when the only accounts they offer are free ones that are

189
00:13:01,083 --> 00:13:03,626
supported by ads, then it makes sense why

190
00:13:03,626 --> 00:13:06,209
they are not encrypting the data in the Cloud

191
00:13:06,209 --> 00:13:09,459
with a key only you have because it would be difficult

192
00:13:09,459 --> 00:13:11,501
to monetize that.

193
00:13:11,918 --> 00:13:15,167
Now, the companies could and maybe will at some point switch

194
00:13:15,167 --> 00:13:19,292
to a business model where you give them money and they give you

195
00:13:19,292 --> 00:13:24,834
a secure service, but that isn't the business they are in right now.

196
00:13:24,834 --> 00:13:27,834
So what this means then is that the companies can and do receive

197
00:13:27,834 --> 00:13:30,083
requests from law enforcement agencies

198
00:13:30,083 --> 00:13:33,999
and intelligence agencies, even before the prism revelations,

199
00:13:33,999 --> 00:13:37,709
we have known that Google gets thousands of requests a year

200
00:13:37,709 --> 00:13:41,626
from law enforcement and intelligence agencies.

201
00:13:41,626 --> 00:13:42,834
This isn't a surprise.

202
00:13:44,999 --> 00:13:49,334
But what we have seen in the last few years is a transition.

203
00:13:49,459 --> 00:13:53,999
We have seen a migration away from telecommunications companies

204
00:13:53,999 --> 00:13:57,125
to Silicon Valley companies.

205
00:13:57,125 --> 00:14:02,292
In years past your private messages, your meta data would be accessible

206
00:14:02,292 --> 00:14:06,999
through a backbone provider, through a telephone company,

207
00:14:06,999 --> 00:14:10,999
through one of the Ma Bells, and like it or not,

208
00:14:10,999 --> 00:14:16,250
the telephone companies have been providing wiretapping assistance

209
00:14:16,250 --> 00:14:18,125
to the U.S.

210
00:14:18,125 --> 00:14:19,999
government for more than 100 years.

211
00:14:19,999 --> 00:14:24,626
The first wire taps were around 1895 in New York City.

212
00:14:24,626 --> 00:14:28,959
For a hundred years these companies have been providing interception

213
00:14:28,959 --> 00:14:31,417
assistance to the U.S.

214
00:14:31,417 --> 00:14:32,417
government.

215
00:14:32,417 --> 00:14:34,999
And it's a relationship that everyone is sort of comfortable with, everyone,

216
00:14:34,999 --> 00:14:38,417
and by that I mean the companies and the government.

217
00:14:40,959 --> 00:14:45,083
And so these companies don't just provide targeted access.

218
00:14:45,083 --> 00:14:48,999
They don't just provide access to an individual user's data.

219
00:14:49,083 --> 00:14:52,459
They provide, when the government asks, access

220
00:14:52,459 --> 00:14:54,999
to all users' data.

221
00:14:55,250 --> 00:14:57,125
The assistance of the phone companies

222
00:14:57,125 --> 00:15:00,626
is what enables dragnet surveillance.

223
00:15:00,751 --> 00:15:03,542
When the government wants to search through every email

224
00:15:03,542 --> 00:15:07,083
or search through every phone record, that is only possible

225
00:15:07,083 --> 00:15:11,667
because the phone companies provided access to everything.

226
00:15:11,709 --> 00:15:13,834
If you take the internet companies at their word,

227
00:15:13,834 --> 00:15:18,125
the Silicon Valley companies, they only provide targeted access.

228
00:15:18,125 --> 00:15:20,792
If they have a court order with my name on it, Google

229
00:15:20,792 --> 00:15:23,209
will hand over my data.

230
00:15:23,834 --> 00:15:28,584
But they will not provide access to everyone's information.

231
00:15:28,999 --> 00:15:31,626
So what's happened over the last few years

232
00:15:31,626 --> 00:15:35,459
is that consumers have started to migrate their data

233
00:15:35,459 --> 00:15:41,667
from the old telecommunications carriers to Silicon Valley companies.

234
00:15:42,501 --> 00:15:46,083
I mean, in many ways the telcos haven't had people's email

235
00:15:46,083 --> 00:15:47,918
for a while.

236
00:15:47,918 --> 00:15:51,292
No one is using Verizon or Comcast email really, but when

237
00:15:51,292 --> 00:15:55,876
the email messages were going over the network in the clear,

238
00:15:55,876 --> 00:16:00,083
it meant the government could go to the backbone providers,

239
00:16:00,083 --> 00:16:02,999
the AT&Ts or Verizons of the world even

240
00:16:02,999 --> 00:16:06,918
if you were using Google or Hot Mail.

241
00:16:07,083 --> 00:16:10,751
As these Silicon Valley companies have enabled encryption,

242
00:16:10,751 --> 00:16:14,709
you can no longer spy on someone's emails.

243
00:16:14,709 --> 00:16:17,334
You can no longer capture bulk information with the assistance

244
00:16:17,334 --> 00:16:19,459
of Verizon or AT&T.

245
00:16:19,918 --> 00:16:24,999
And a great example is what Apple did with AIS Version 5.

246
00:16:24,999 --> 00:16:28,626
In one day they flipped a switch and suddenly a new version

247
00:16:28,626 --> 00:16:32,459
of iMessage was rolled out to users and if you were an IOS user

248
00:16:32,459 --> 00:16:34,709
and you were sending a text messages

249
00:16:34,709 --> 00:16:37,999
to IOA user your message would go through Apple servers

250
00:16:37,999 --> 00:16:40,999
instead of the phone companies.

251
00:16:41,999 --> 00:16:45,999
Overnight, millions and then billions of messages started flowing

252
00:16:45,999 --> 00:16:48,459
through Apple servers.

253
00:16:48,709 --> 00:16:51,999
And those were messages that the government cannot get

254
00:16:51,999 --> 00:16:56,584
with the assistance of Verizon or AT&T and Sprint.

255
00:16:56,751 --> 00:16:58,999
Now, again, this was a leap this was

256
00:16:58,999 --> 00:17:04,667
a document that was leaked suggesting that the government can never get

257
00:17:04,667 --> 00:17:07,751
messages sent through IMS.

258
00:17:07,751 --> 00:17:09,709
I don't think that's actually the case.

259
00:17:09,709 --> 00:17:12,125
I think that Apple provides access on a targeted basis,

260
00:17:12,125 --> 00:17:15,918
but I don't think they are providing wholesale access

261
00:17:15,918 --> 00:17:19,501
in the way that the phone companies do.

262
00:17:20,083 --> 00:17:23,999
And I think what's happened here is that there is a difference

263
00:17:23,999 --> 00:17:27,083
in culture between the companies.

264
00:17:27,083 --> 00:17:30,125
It's not that Google is trying to make the government go dark.

265
00:17:30,125 --> 00:17:33,959
It's that Google has 350 people doing nothing doing security

266
00:17:33,959 --> 00:17:36,083
and only security.

267
00:17:36,083 --> 00:17:38,709
It's that Apple has a dedicated security team.

268
00:17:38,709 --> 00:17:41,209
It's that Facebook has a dedicated security team.

269
00:17:41,209 --> 00:17:44,292
And before you can launch a product at one of these Silicon Valley firms,

270
00:17:44,292 --> 00:17:49,459
particularly if it's storing sensitive user data, you have to have crypto.

271
00:17:49,626 --> 00:17:51,751
There is no way to secure your users' data

272
00:17:51,751 --> 00:17:54,626
against hackers without crypto.

273
00:17:54,999 --> 00:17:58,542
So these companies have, you know, it's a corporate policy

274
00:17:58,542 --> 00:18:02,167
to encrypt data not because they want the government

275
00:18:02,167 --> 00:18:05,999
to go dark, but because that's what the security teams

276
00:18:05,999 --> 00:18:09,626
of the companies demand of them, and realistically

277
00:18:09,626 --> 00:18:14,501
the phone companies don't have a tradition of security.

278
00:18:14,501 --> 00:18:16,667
Your voice mail isn't secure.

279
00:18:16,667 --> 00:18:18,125
You are not getting OS updates to your Smart Phone

280
00:18:18,125 --> 00:18:20,292
if you are using Android, which is, by the way,

281
00:18:20,292 --> 00:18:23,209
something we filed a complaint with the Federal Trade Commission

282
00:18:23,209 --> 00:18:25,334
about earlier this year.

283
00:18:26,959 --> 00:18:28,167
(Applause).

284
00:18:29,834 --> 00:18:33,209
The phone companies just aren't interested in security.

285
00:18:33,209 --> 00:18:35,999
And so what's happening is consumers are giving their data

286
00:18:35,999 --> 00:18:39,375
to companies that finally invest some resources in security,

287
00:18:39,375 --> 00:18:43,125
and that's making it tougher for the government.

288
00:18:43,751 --> 00:18:45,999
So what is the solution?

289
00:18:45,999 --> 00:18:49,167
How does the government respond to a world in which they can only,

290
00:18:49,167 --> 00:18:52,542
they can only get selective data from companies and

291
00:18:52,542 --> 00:18:57,125
in some cases they cannot get data at all if the companies are using end

292
00:18:57,125 --> 00:18:59,083
to end crypto?

293
00:18:59,417 --> 00:19:02,542
The answer is back doors.

294
00:19:02,542 --> 00:19:05,167
The answer is compelled access, forcing companies

295
00:19:05,167 --> 00:19:08,792
to modify their products and provide the government

296
00:19:08,792 --> 00:19:11,584
with a way of getting data.

297
00:19:12,292 --> 00:19:16,209
Starting in sort of 2010, we started seeing leaks

298
00:19:16,209 --> 00:19:20,334
to the press suggesting that the F.B.I.

299
00:19:20,334 --> 00:19:22,584
and others in the law enforcement community were

300
00:19:22,584 --> 00:19:26,751
floating these ideas, they were floating legislative proposals,

301
00:19:26,751 --> 00:19:30,292
expanding a CALEA, which is a law mandating back doors,

302
00:19:30,292 --> 00:19:33,834
and expanding that to internet companies to websites

303
00:19:33,834 --> 00:19:36,709
and apps and other providers.

304
00:19:36,999 --> 00:19:39,292
We saw these trial balloons floated in 2010,

305
00:19:39,292 --> 00:19:43,083
and ultimately there was congressional hearing in the Spring

306
00:19:43,083 --> 00:19:46,667
of 2011 where our friend Valerie Caproni, said, quote,

307
00:19:46,667 --> 00:19:49,751
"No one should be promising their customers that

308
00:19:49,751 --> 00:19:52,999
they will thumb their nose at a U.S.

309
00:19:52,999 --> 00:19:53,999
court order.

310
00:19:53,999 --> 00:19:55,959
They can promise strong encryption.

311
00:19:55,959 --> 00:19:58,999
They just have to figure out how to provide us plain text too."

312
00:20:01,042 --> 00:20:03,999
This is what the F.B.I.

313
00:20:03,999 --> 00:20:04,999
wants.

314
00:20:05,209 --> 00:20:09,042
They want the power to go to a company secretly and force

315
00:20:09,042 --> 00:20:14,999
the company to quietly insert a back door in their own product.

316
00:20:15,876 --> 00:20:20,999
As recent as this year, as recent as April of this year, it looked

317
00:20:20,999 --> 00:20:24,042
like proposals were coming.

318
00:20:24,042 --> 00:20:26,542
It looked like there was a multi agency working group

319
00:20:26,542 --> 00:20:29,375
in Washington and they were getting ready to drop

320
00:20:29,375 --> 00:20:32,417
a bill that would empower the Department of Justice

321
00:20:32,417 --> 00:20:35,792
to fine Silicon Valley companies that refused to provide

322
00:20:35,792 --> 00:20:40,292
the assistance demanded of them, and then something happened.

323
00:20:49,751 --> 00:20:50,999
(Applause).

324
00:20:50,999 --> 00:20:55,292
CALEA, which is the DC nickname for this back door proposal that now

325
00:20:55,292 --> 00:20:56,959
is dead.

326
00:20:57,209 --> 00:20:59,459
It is dead in the water.

327
00:20:59,459 --> 00:21:03,125
No politician wants to touch that kind of surveillance for now.

328
00:21:03,334 --> 00:21:06,167
So thank you very much Edward Snowden.

329
00:21:09,876 --> 00:21:11,083
(Applause).

330
00:21:14,751 --> 00:21:18,876
So if they can't force Google to put a back door in Android OS, and

331
00:21:18,876 --> 00:21:22,709
if they can't force Apple to put a back door in their software,

332
00:21:22,709 --> 00:21:25,209
what are they going to do?

333
00:21:25,667 --> 00:21:29,334
How is the government going to get your communications?

334
00:21:29,417 --> 00:21:32,584
What about when they want to listen in to a conversation you are having

335
00:21:32,584 --> 00:21:36,709
in your living room where you are not even using your device?

336
00:21:37,083 --> 00:21:38,542
Are they supposed to break in in the middle

337
00:21:38,542 --> 00:21:40,834
of the night and install a Microphone like they did

338
00:21:40,834 --> 00:21:42,292
in the 1970s?

339
00:21:42,459 --> 00:21:43,626
No.

340
00:21:43,751 --> 00:21:46,999
They want other ways to access data, particularly

341
00:21:46,999 --> 00:21:51,375
as consumers have started using services like Skype, and we

342
00:21:51,375 --> 00:21:54,501
will talk about Skype later, but services

343
00:21:54,501 --> 00:21:59,501
like Skype that have some form of encryption governments have been

344
00:21:59,501 --> 00:22:01,792
having problems.

345
00:22:01,792 --> 00:22:04,334
And, remember, the government isn't one big beast.

346
00:22:04,334 --> 00:22:05,334
The F.B.I.

347
00:22:05,334 --> 00:22:07,959
or NSA may have tools to access certain applications,

348
00:22:07,959 --> 00:22:10,792
but that doesn't mean they share those toys

349
00:22:10,792 --> 00:22:14,083
with local law enforcement agencies.

350
00:22:14,083 --> 00:22:19,999
NSA doesn't share their secret back doors with the likes of local cops

351
00:22:19,999 --> 00:22:22,999
in Arizona or Nevada.

352
00:22:23,083 --> 00:22:25,999
Those folks have to do things the hard way.

353
00:22:25,999 --> 00:22:29,999
It's also important to note that not all governments are the same.

354
00:22:29,999 --> 00:22:32,999
So Google has an office, in fact its main office in California

355
00:22:32,999 --> 00:22:36,751
and Microsoft's headquarters is in Seattle.

356
00:22:37,125 --> 00:22:40,626
Google and Microsoft have to take orders from the U.S.

357
00:22:40,626 --> 00:22:41,626
government.

358
00:22:41,626 --> 00:22:42,292
When there is a valid court order, the companies have

359
00:22:42,292 --> 00:22:44,667
to provide access to the U.S.

360
00:22:44,667 --> 00:22:45,667
government.

361
00:22:45,667 --> 00:22:47,876
But Google doesn't have an office in Iran.

362
00:22:47,876 --> 00:22:50,626
Microsoft doesn't have an office in Libya.

363
00:22:50,626 --> 00:22:53,999
So if those governments want to get their citizens' communications,

364
00:22:53,999 --> 00:22:58,125
now that Google and Microsoft and others are starting to use SSL,

365
00:22:58,125 --> 00:23:02,083
those other governments are really going dark.

366
00:23:02,083 --> 00:23:05,999
In the countries where Google and Facebook and Microsoft don't have

367
00:23:05,999 --> 00:23:10,417
offices and don't respond to requests, those governments are having

368
00:23:10,417 --> 00:23:13,751
a really tough time because of the use of services

369
00:23:13,751 --> 00:23:17,250
like Skype, like Twitter, like Facebook.

370
00:23:17,250 --> 00:23:20,709
They used to be able to get access through their local

371
00:23:20,709 --> 00:23:26,292
in many cases nationalized telephone company, and now they are going dark.

372
00:23:26,292 --> 00:23:28,999
So those governments are turning to hacking tools.

373
00:23:30,083 --> 00:23:33,792
What we are seeing is an emergence of the private sector helping

374
00:23:33,792 --> 00:23:36,459
companies, helping governments.

375
00:23:36,876 --> 00:23:39,375
The ones that have gotten the most press, the first

376
00:23:39,375 --> 00:23:41,999
is a company called Gama.

377
00:23:41,999 --> 00:23:44,209
They make a software suite called FinFisher.

378
00:23:44,209 --> 00:23:47,999
FinFisher has gotten a lot of press in the last couple of years starting

379
00:23:47,999 --> 00:23:51,584
with a dump documented like WikiLeaks and the excellent work

380
00:23:51,584 --> 00:23:55,959
of the Citizen Lab in Canada has exposed the software.

381
00:23:56,999 --> 00:23:59,709
They have a cheesy sales video online

382
00:23:59,709 --> 00:24:02,334
I recommend you look at.

383
00:24:07,542 --> 00:24:11,999
And then the police officer sitting at the remote operating center can spy

384
00:24:11,999 --> 00:24:16,375
on the calls and text messages and emails of the user.

385
00:24:16,999 --> 00:24:22,292
This is the president or I think CEO of Gama.

386
00:24:22,292 --> 00:24:24,167
His name is Martin Munch.

387
00:24:25,959 --> 00:24:30,375
You may not know Martin's name, but you probably know Martin's work.

388
00:24:30,375 --> 00:24:31,999
Before he was in the government surveillance

389
00:24:31,999 --> 00:24:34,709
business, Martin created a Linux distribution

390
00:24:34,709 --> 00:24:37,834
with BackTrack which was popular with this community,

391
00:24:37,834 --> 00:24:40,959
so Martin pivoted from providing open source security

392
00:24:40,959 --> 00:24:43,334
tools to providing closed source government

393
00:24:43,334 --> 00:24:45,542
and reception tools.

394
00:24:45,959 --> 00:24:48,417
This is my favorite photo of Martin.

395
00:24:48,792 --> 00:24:52,999
So he is a German guy who without any shame sells this software

396
00:24:52,999 --> 00:24:57,751
to governments around the world, and one of the things his software can

397
00:24:57,751 --> 00:25:03,083
do is to remotely activate webcams without the target's knowledge.

398
00:25:03,083 --> 00:25:05,876
And you can see that he is concerned about this capability,

399
00:25:05,876 --> 00:25:11,167
because if you zoom in on his laptop, he has a Post It note over his webcam.

400
00:25:11,959 --> 00:25:14,999
He clearly knows what his own software can do.

401
00:25:16,501 --> 00:25:20,459
So because of the work of the folks at Citizen Lab,

402
00:25:20,459 --> 00:25:26,709
we know that Gama's software has been exported to Mexico, Ethiopia.

403
00:25:26,709 --> 00:25:29,417
It's been used by seriously oppressive regimes

404
00:25:29,417 --> 00:25:33,459
in the Middle East, and in Southeast Asia.

405
00:25:33,459 --> 00:25:36,959
Now, the company says that it's used for lawful interception and targeting

406
00:25:36,959 --> 00:25:39,125
of terrorists and pedophiles and criminals,

407
00:25:39,125 --> 00:25:42,999
but from what we know it's been frequently used to target journalists,

408
00:25:42,999 --> 00:25:45,999
human rights activists and dissidents.

409
00:25:47,792 --> 00:25:50,834
So Gama is one of these companies providing these

410
00:25:50,834 --> 00:25:53,999
off the shelf tools to governments.

411
00:25:53,999 --> 00:25:57,999
The police don't have the resources to develop this stuff in house, so

412
00:25:57,999 --> 00:26:00,250
they just buy this off the shelf spyware

413
00:26:00,250 --> 00:26:02,792
from companies like Gama.

414
00:26:03,125 --> 00:26:06,959
Through the last couple of years the newspapers have covered this.

415
00:26:06,959 --> 00:26:10,876
The "Times" and Bloomberg have described this stuff.

416
00:26:10,999 --> 00:26:14,999
The sale of this technology is unregulated.

417
00:26:14,999 --> 00:26:16,999
Basically any government except for the ones

418
00:26:16,999 --> 00:26:20,209
on international black lists can buy it.

419
00:26:20,501 --> 00:26:23,999
The other big company is a company called Hacking Team.

420
00:26:23,999 --> 00:26:25,375
They are an Italian company.

421
00:26:25,375 --> 00:26:27,209
They make something called the remote control system otherwise

422
00:26:27,209 --> 00:26:29,083
known as DaVinci.

423
00:26:29,459 --> 00:26:31,209
They have a sales video too that appears

424
00:26:31,209 --> 00:26:34,250
to be targeted to 13 year old boys.

425
00:26:35,584 --> 00:26:39,250
Their marketing stuff says, Defeat encryption, total control

426
00:26:39,250 --> 00:26:41,375
over your targets.

427
00:26:41,375 --> 00:26:45,542
Log everything you need, thousands of encrypted communications a day.

428
00:26:45,542 --> 00:26:46,542
Get them here.

429
00:26:46,626 --> 00:26:50,626
And this software really is sold to law enforcement agencies who are

430
00:26:50,626 --> 00:26:53,918
trying to deal with things like Skype.

431
00:26:53,999 --> 00:26:56,999
If you are the government of Turkmenistan and there are

432
00:26:56,999 --> 00:26:59,999
journalists using Skype to communicate, how do you get

433
00:26:59,999 --> 00:27:03,501
the contents of their calls when you need them?

434
00:27:03,709 --> 00:27:05,999
The phone company in town can't help you.

435
00:27:05,999 --> 00:27:10,083
You go to Gama or Hacking Team and they provide you these tools.

436
00:27:10,876 --> 00:27:13,626
This is, again, from Hacking Team's literature,

437
00:27:13,626 --> 00:27:17,626
they say they can get into voice, location, audio and video spying,

438
00:27:17,626 --> 00:27:20,999
web browsing activities, relationships.

439
00:27:20,999 --> 00:27:22,167
They get anything that is on a computer

440
00:27:22,167 --> 00:27:25,209
without the knowledge of the target.

441
00:27:25,999 --> 00:27:29,375
Hacking Team in recent years has expanded

442
00:27:29,375 --> 00:27:31,459
into the U.S.

443
00:27:31,459 --> 00:27:32,999
market, I believe.

444
00:27:32,999 --> 00:27:36,209
In the spring of this year, they hired this man.

445
00:27:36,209 --> 00:27:37,501
His name is Eric.

446
00:27:37,501 --> 00:27:42,751
He used to be a spokesperson for Verizon, and now he is the U.S.

447
00:27:42,751 --> 00:27:44,792
counsel for Hacking Team.

448
00:27:44,959 --> 00:27:50,167
They have an office in Annapolis, Maryland, an hour outside of D.C.

449
00:27:50,626 --> 00:27:52,709
We don't know whether Hacking Team has

450
00:27:52,709 --> 00:27:57,083
successfully sold any products to the domestic U.S.

451
00:27:57,083 --> 00:27:58,999
law enforcement market, but they are showing

452
00:27:58,999 --> 00:28:03,876
up at conferences that are only open to law enforcement and intelligence

453
00:28:03,876 --> 00:28:06,709
agencies in Washington, D.C.

454
00:28:06,999 --> 00:28:10,542
They also went to a conference in Chicago this April,

455
00:28:10,542 --> 00:28:14,999
the Law Enforcement Intelligence Units Association.

456
00:28:15,375 --> 00:28:17,999
Not only did Hacking Team give a talk at this conference, this

457
00:28:17,999 --> 00:28:21,334
is a conference targeting local cops around the country, not only did

458
00:28:21,334 --> 00:28:24,250
they give a talk at the conference, but they also sponsored

459
00:28:24,250 --> 00:28:26,999
the coffee break in the afternoon.

460
00:28:27,999 --> 00:28:29,999
And so if Hacking Team hasn't sold

461
00:28:29,999 --> 00:28:32,792
a product to a local law enforcement agency yet,

462
00:28:32,792 --> 00:28:36,125
it's not because they haven't been trying.

463
00:28:36,292 --> 00:28:39,792
They have been showing up at these conferences

464
00:28:39,792 --> 00:28:41,999
for several years.

465
00:28:41,999 --> 00:28:45,083
They are actively targeting the law enforcement market,

466
00:28:45,083 --> 00:28:48,375
and I think if they haven't succeeded already,

467
00:28:48,375 --> 00:28:53,167
they will succeed soon and get a sale in a small town.

468
00:28:53,999 --> 00:28:57,999
Now, Hacking Team and Gama software is the kind of stuff that local cops

469
00:28:57,999 --> 00:29:01,459
and governments without too much money use.

470
00:29:01,459 --> 00:29:04,999
This is a couple hundred thousand dollars or maybe a million dollars.

471
00:29:04,999 --> 00:29:07,250
It's the kind of thing you buy with a DHS rack.

472
00:29:07,250 --> 00:29:08,999
This is not what you use if you are

473
00:29:08,999 --> 00:29:13,459
a sophisticated law enforcement agency with big bucks.

474
00:29:14,292 --> 00:29:17,125
And the feds have the big bucks.

475
00:29:17,125 --> 00:29:20,542
Federal law enforcement agencies in the United States have enough

476
00:29:20,542 --> 00:29:24,083
money to use the specific custom malware.

477
00:29:24,083 --> 00:29:26,125
They don't need to use the same stuff that the Egyptians

478
00:29:26,125 --> 00:29:29,209
and the Turkmenistan governments are using.

479
00:29:29,209 --> 00:29:32,751
They can use their own custom spyware and they can spy zero days

480
00:29:32,751 --> 00:29:34,959
if they need them.

481
00:29:35,292 --> 00:29:39,999
Again, our friend Valerie Caproni, there will always be very sophisticated

482
00:29:39,999 --> 00:29:45,626
criminals that are virtually impossible to intercept through targeted means.

483
00:29:45,626 --> 00:29:48,999
The government understands that it must develop individually tailored

484
00:29:48,999 --> 00:29:52,083
solutions for those sorts of targets.

485
00:29:52,459 --> 00:29:55,999
And what Valerie says individually tailored solutions.

486
00:29:55,999 --> 00:29:57,751
Which what she means is hacking.

487
00:29:57,792 --> 00:30:00,459
She didn't use the word hacking when she spoke

488
00:30:00,459 --> 00:30:05,250
to Congress, but what she means is hacking and malware.

489
00:30:06,167 --> 00:30:10,751
In 2009 or so, I think EFF filed one of their Freedom

490
00:30:10,751 --> 00:30:16,042
of Information Act requests to look into the F.B.I.'s claims that

491
00:30:16,042 --> 00:30:18,999
they were going dark.

492
00:30:19,125 --> 00:30:23,626
And after a couple of years later, they got hundreds of pages

493
00:30:23,626 --> 00:30:27,792
of documents, most of them heavily redacted.

494
00:30:27,999 --> 00:30:32,999
This is one that I found, so I read a lot of the documents that groups

495
00:30:32,999 --> 00:30:36,959
like EFF produce, and documents that the ACLU obtains,

496
00:30:36,959 --> 00:30:40,083
and this was one in several hundred pages that

497
00:30:40,083 --> 00:30:42,375
the EFF obtained.

498
00:30:42,751 --> 00:30:45,501
And most of it was redacted, as you can see,

499
00:30:45,501 --> 00:30:48,751
but there was one line that stuck out to me, this,

500
00:30:48,751 --> 00:30:51,417
the remote operations unit.

501
00:30:51,751 --> 00:30:54,083
So that sounded really interesting.

502
00:30:54,626 --> 00:30:56,999
I didn't really know what the remote operations unit was,

503
00:30:56,999 --> 00:30:59,999
but it was in a document about going dark.

504
00:30:59,999 --> 00:31:02,999
It was a document that was sort of describing each unit checking

505
00:31:02,999 --> 00:31:07,292
in and checking what their progress was, so I thought let me see what else

506
00:31:07,292 --> 00:31:10,999
I can find about the remote operations unit.

507
00:31:10,999 --> 00:31:13,417
So I spent the last six months researching this

508
00:31:13,417 --> 00:31:17,876
unit, mainly using open source intelligence, basically Googling

509
00:31:17,876 --> 00:31:22,834
and using linked in, and what I found was that the F.B.I.

510
00:31:22,834 --> 00:31:24,250
is in the hacking business too.

511
00:31:24,876 --> 00:31:26,918
So I found a conference, the materials

512
00:31:26,918 --> 00:31:31,542
for a law enforcement conference that happened in April of this year.

513
00:31:31,542 --> 00:31:35,501
This was a training seminar for prosecutors around the country.

514
00:31:35,501 --> 00:31:37,959
And in the list of attendees and speakers at this conference,

515
00:31:37,959 --> 00:31:41,626
I found information for this guy, Eric Chung, who is the unit chief

516
00:31:41,626 --> 00:31:44,209
of the remote operations unit.

517
00:31:44,209 --> 00:31:47,792
So I searched a bit more and I found the zoom info page.

518
00:31:47,792 --> 00:31:51,125
This is a data mining company that collects information from elsewhere

519
00:31:51,125 --> 00:31:52,999
in the world.

520
00:31:52,999 --> 00:31:55,959
Eric Chung's zoom info page mentioned he was the chief

521
00:31:55,959 --> 00:31:59,999
of the operations unit and the unit provides lawful collection

522
00:31:59,999 --> 00:32:03,083
capabilities in support of F.B.I.

523
00:32:03,083 --> 00:32:04,083
investigations.

524
00:32:04,292 --> 00:32:07,834
Well, that sounded interesting, so then I turned to Linked

525
00:32:07,834 --> 00:32:12,584
in and I started researching the remote operations unit.

526
00:32:12,999 --> 00:32:15,999
What I found is that there are a couple of contracting companies,

527
00:32:15,999 --> 00:32:18,209
a couple of contractors who supply people

528
00:32:18,209 --> 00:32:21,292
to the ROU, and contractors like everyone else, you know,

529
00:32:21,292 --> 00:32:25,999
they want to keep their resume up to date in case they get a new job.

530
00:32:26,083 --> 00:32:28,209
So they list things in their resume, maybe things

531
00:32:28,209 --> 00:32:32,999
they shouldn't be listing revealing what they did at their old job.

532
00:32:33,083 --> 00:32:36,459
So I have not included the names of the line item or

533
00:32:36,459 --> 00:32:39,584
the low level contractors, but I will be quoting

534
00:32:39,584 --> 00:32:43,209
from the Linked In pages of several of these contractors,

535
00:32:43,209 --> 00:32:47,501
because I think what they describe is fascinating.

536
00:32:47,501 --> 00:32:49,125
So this is a deployment operations analyst

537
00:32:49,125 --> 00:32:52,876
at a company called James Bimen Associates.

538
00:32:52,876 --> 00:32:56,876
They are a small boutique contracting company in Northern Virginia.

539
00:32:56,999 --> 00:32:58,999
So this person performed testing on software used

540
00:32:58,999 --> 00:33:01,250
as a critical function for counter terrorism

541
00:33:01,250 --> 00:33:03,999
and counter intelligence cases.

542
00:33:05,501 --> 00:33:07,501
He worked with F.B.I.

543
00:33:07,501 --> 00:33:09,334
case agents with surveillance imagery software that

544
00:33:09,334 --> 00:33:13,501
is currently installed on criminal machines in the field.

545
00:33:15,792 --> 00:33:17,751
That's even more interesting.

546
00:33:18,876 --> 00:33:24,876
They test case specific implants against various OSs and platforms.

547
00:33:25,083 --> 00:33:26,083
Good to know.

548
00:33:26,375 --> 00:33:30,918
So if you are using Windows or Mac or whatever, they have a tool for you.

549
00:33:31,334 --> 00:33:34,375
And then they create documentation for the various technologies

550
00:33:34,375 --> 00:33:38,334
and methods that were used to gain access to subject machines.

551
00:33:38,918 --> 00:33:41,999
So it's clear, it's clear from this profile what

552
00:33:41,999 --> 00:33:45,334
the remote operations unit is doing.

553
00:33:45,751 --> 00:33:49,584
I also found another person, this is a remote operations deployment

554
00:33:49,584 --> 00:33:53,375
analyst, also at James Bimen and Associates.

555
00:33:53,999 --> 00:33:56,792
Her profile was fascinating.

556
00:33:56,792 --> 00:33:58,209
I thought it was good.

557
00:33:58,209 --> 00:34:00,834
She created policies, guidance and training materials to protect

558
00:34:00,834 --> 00:34:05,083
the deployment operations tools from being discovered by adversaries.

559
00:34:05,167 --> 00:34:06,918
Those are us.

560
00:34:06,918 --> 00:34:07,999
We are the adversaries.

561
00:34:11,334 --> 00:34:16,209
So Bimen Associates is one of two companies that provides hackers

562
00:34:16,209 --> 00:34:18,209
to the F.B.I.

563
00:34:18,209 --> 00:34:20,834
And it's my belief and understanding that the companies,

564
00:34:20,834 --> 00:34:23,999
the contracting companies actually supply the people who sit

565
00:34:23,999 --> 00:34:27,334
at the keyboard and are launching the tools.

566
00:34:28,501 --> 00:34:33,125
There hasn't been a debate in Congress about the F.B.I.

567
00:34:33,125 --> 00:34:34,999
getting into the hacking business.

568
00:34:34,999 --> 00:34:37,999
There hasn't been any legislation giving them this power.

569
00:34:37,999 --> 00:34:40,626
This just sort of happened out of nowhere, and had it not been

570
00:34:40,626 --> 00:34:44,501
for the sloppy actions of a few contractors eagerly updating

571
00:34:44,501 --> 00:34:49,626
their Linked In profiles, we would have never known about this.

572
00:34:49,999 --> 00:34:52,209
So the president of James Bimen Associates

573
00:34:52,209 --> 00:34:54,709
is a guy named Joey Minshaw, he used to work

574
00:34:54,709 --> 00:34:57,999
at (inaudible) Hamilton which is the same place Edward Snowden

575
00:34:57,999 --> 00:34:59,834
used to work.

576
00:35:01,709 --> 00:35:04,375
This is the President of the company and his Linked In

577
00:35:04,375 --> 00:35:06,626
profile was bare, though it did describe one

578
00:35:06,626 --> 00:35:08,459
of his interests.

579
00:35:08,542 --> 00:35:10,083
He is a member of the Metasploit Framework

580
00:35:10,083 --> 00:35:11,751
Users Group.

581
00:35:13,125 --> 00:35:16,250
I thought you would get a chuckle out of that.

582
00:35:16,999 --> 00:35:21,999
So I gave Joey a phone call a few weeks ago and asked him

583
00:35:21,999 --> 00:35:24,334
some questions.

584
00:35:24,334 --> 00:35:27,375
I, of course, told him who I was, and I told him I work for ACLU, and

585
00:35:27,375 --> 00:35:29,501
he wasn't very nice.

586
00:35:30,167 --> 00:35:33,209
He didn't want to answer any of my questions.

587
00:35:33,999 --> 00:35:37,834
So I gave some of the information to "The Wall Street Journal"

588
00:35:37,834 --> 00:35:41,876
and last night they published a story on this unit.

589
00:35:41,876 --> 00:35:42,834
The nice part of giving these documents

590
00:35:42,834 --> 00:35:45,751
to a newspaper is once they have a bit of information, then

591
00:35:45,751 --> 00:35:49,125
they can go and report it and get other stuff too.

592
00:35:49,125 --> 00:35:50,999
So "The Wall Street Journal" reporter was able

593
00:35:50,999 --> 00:35:54,999
to find former law enforcement officials who would be willing to stop

594
00:35:54,999 --> 00:35:57,999
on background about this practice.

595
00:35:57,999 --> 00:36:01,083
One former law enforcement official she spoke to said that, quote,

596
00:36:01,083 --> 00:36:04,792
"The bureau can remotely activate the Microphones in phones,

597
00:36:04,792 --> 00:36:08,999
Android phones and laptops without the user knowing."

598
00:36:10,501 --> 00:36:12,999
She also added, "The F.B.I.

599
00:36:12,999 --> 00:36:14,375
is loath to use these tools when investigating

600
00:36:14,375 --> 00:36:17,876
hackers out of fear that the suspect will discover and publicize

601
00:36:17,876 --> 00:36:19,626
the technique."

602
00:36:22,584 --> 00:36:23,999
(Applause).

603
00:36:26,959 --> 00:36:30,209
So I guess that means you are all safe from F.B.I.

604
00:36:30,209 --> 00:36:31,209
malware.

605
00:36:32,959 --> 00:36:35,999
So the F.B.I.

606
00:36:35,999 --> 00:36:37,334
has this team of agents who are doing nothing

607
00:36:37,334 --> 00:36:39,542
but delivering malware to the computers

608
00:36:39,542 --> 00:36:41,959
of surveillance targets.

609
00:36:42,167 --> 00:36:47,667
We only have a couple of cases where these tools have come

610
00:36:47,667 --> 00:36:49,459
to light.

611
00:36:49,459 --> 00:36:52,709
There was a case in Texas this summer where the F.B.I.

612
00:36:52,709 --> 00:36:54,834
sought a search warrant allowing them to target

613
00:36:54,834 --> 00:36:58,999
a computer and remotely enable the webcam, collect location data,

614
00:36:58,999 --> 00:37:00,999
collect emails.

615
00:37:00,999 --> 00:37:04,292
In this case, they went to what you could probably say

616
00:37:04,292 --> 00:37:10,417
is the most pro privacy Judge in the country in Texas, and he said no.

617
00:37:11,083 --> 00:37:13,709
Sort of on a technicality, he said they should get a wiretap and

618
00:37:13,709 --> 00:37:15,999
they only wanted to get a warrant.

619
00:37:16,250 --> 00:37:18,250
What is clear is if you have this capability,

620
00:37:18,250 --> 00:37:21,918
if you build this team that does nothing but developing malware,

621
00:37:21,918 --> 00:37:24,999
the first time you attempt to use the team, you don't go

622
00:37:24,999 --> 00:37:28,417
to the most pro privacy Judge in the country.

623
00:37:28,626 --> 00:37:30,999
So presumably they have had this team for a while

624
00:37:30,999 --> 00:37:34,584
and they regularly use it to deploy malware.

625
00:37:34,667 --> 00:37:37,125
So on one hand we have the F.B.I.

626
00:37:37,501 --> 00:37:41,083
basically being in the hacking business, and then yesterday I noticed that

627
00:37:41,083 --> 00:37:43,584
the F.B.I.'s official Twitter account issued

628
00:37:43,584 --> 00:37:48,083
a warning saying pirated software may contain malware, be aware.

629
00:37:48,999 --> 00:37:51,959
And so I guess we only have to worry about the malware made

630
00:37:51,959 --> 00:37:54,999
by other people, not the F.B.I.'s malware.

631
00:37:56,999 --> 00:38:00,167
So the government is using hacking tools.

632
00:38:00,209 --> 00:38:03,250
The government is trying to penetrate people's computers.

633
00:38:03,250 --> 00:38:04,999
They have tried and up until now been unsuccessful

634
00:38:04,999 --> 00:38:07,999
in their attempts to obtain legislation allowing them

635
00:38:07,999 --> 00:38:12,751
to force tech companies to put back doors in their products.

636
00:38:12,999 --> 00:38:15,751
What are they going to do in the future?

637
00:38:15,751 --> 00:38:18,250
Because hacking doesn't scale.

638
00:38:18,709 --> 00:38:20,375
You can break into one person's computer,

639
00:38:20,375 --> 00:38:22,999
you can break into a thousand people's computers,

640
00:38:22,999 --> 00:38:25,542
but you cannot break into a billion computers

641
00:38:25,542 --> 00:38:27,876
without getting caught.

642
00:38:27,876 --> 00:38:29,918
You can do it temporarily, but you will get caught, and

643
00:38:29,918 --> 00:38:33,584
the government doesn't want their tools to get out.

644
00:38:33,999 --> 00:38:36,083
So what are they going to do in the future?

645
00:38:36,083 --> 00:38:38,709
What are they going to do when Silicon Valley companies

646
00:38:38,709 --> 00:38:42,083
actually start delivering end to end crypto, not Google,

647
00:38:42,083 --> 00:38:44,999
not Facebook, but companies who actually sell

648
00:38:44,999 --> 00:38:46,999
services to users?

649
00:38:47,792 --> 00:38:51,209
Well, Microsoft, you know, owned one of those companies

650
00:38:51,209 --> 00:38:53,083
for some time.

651
00:38:53,083 --> 00:38:57,083
Skype was advertising itself as a service that didn't have

652
00:38:57,083 --> 00:38:58,999
back doors.

653
00:38:58,999 --> 00:39:01,501
They were advertising it as a service that couldn't provide

654
00:39:01,501 --> 00:39:05,334
access to law enforcement agencies, but we learned last month that

655
00:39:05,334 --> 00:39:09,250
the government was able to go to Skype before Microsoft bought them

656
00:39:09,250 --> 00:39:11,792
and convince them to modify their products

657
00:39:11,792 --> 00:39:14,999
and provide access to the government.

658
00:39:15,542 --> 00:39:18,792
Quote, from the Guardian story, "Skype was served with a directive

659
00:39:18,792 --> 00:39:21,417
to comply by the attorney general."

660
00:39:21,999 --> 00:39:24,417
We don't know what kind of directive this was.

661
00:39:24,417 --> 00:39:28,209
We don't know if they went to court, if Skype said no and they fought it or

662
00:39:28,209 --> 00:39:31,292
if they did this because they could negotiate some

663
00:39:31,292 --> 00:39:32,999
better deal.

664
00:39:32,999 --> 00:39:35,709
We know very little about the ins and outs

665
00:39:35,709 --> 00:39:40,999
of how companies can be compelled under existing law.

666
00:39:41,209 --> 00:39:43,792
But even so, Skype stopped bragging

667
00:39:43,792 --> 00:39:47,459
about their security several years ago.

668
00:39:47,459 --> 00:39:50,083
And by the time Microsoft bought them, all of their claims

669
00:39:50,083 --> 00:39:53,292
of being wiretap proof disappeared.

670
00:39:53,292 --> 00:39:56,375
Skype was no longer a service, even if it ever was, it was never,

671
00:39:56,375 --> 00:39:59,209
it was no longer a service that advertised itself

672
00:39:59,209 --> 00:40:03,501
as the way to securely talk to your friends and family.

673
00:40:03,501 --> 00:40:05,375
Instead, Skype was a service that you used to talk

674
00:40:05,375 --> 00:40:08,000
to your friends and family for free.

675
00:40:08,626 --> 00:40:11,167
Skype is not the only company offering VOIP

676
00:40:11,167 --> 00:40:13,292
services or video.

677
00:40:13,999 --> 00:40:18,083
There are now companies that are selling services to users.

678
00:40:18,083 --> 00:40:20,501
So one of them is a company called sound circle,

679
00:40:20,501 --> 00:40:23,999
co founded by Phil Zimmerman, the guy behind PGP and

680
00:40:23,999 --> 00:40:28,751
they charge $10 or $20 a month for encrypted VOIP and text messages

681
00:40:28,751 --> 00:40:30,375
and video.

682
00:40:30,375 --> 00:40:33,334
Now, I'm not telling you to go out and use this company's services,

683
00:40:33,334 --> 00:40:36,542
but they have clearly said in their marketing materials,

684
00:40:36,542 --> 00:40:39,999
we have no government mandated back doors.

685
00:40:39,999 --> 00:40:41,792
And I have spoken to the CEO of the company and he said

686
00:40:41,792 --> 00:40:44,417
if the government comes to us and tries to force us to put

687
00:40:44,417 --> 00:40:46,999
a back door in the product, we will close up and move

688
00:40:46,999 --> 00:40:48,999
to a different country.

689
00:40:49,125 --> 00:40:51,792
This is a company the only reason you use their product

690
00:40:51,792 --> 00:40:53,918
is for the security.

691
00:40:53,918 --> 00:40:55,918
You are not using Silent Circle because it's crystal clear audio

692
00:40:55,918 --> 00:40:58,626
or because it's cheap and easy to use.

693
00:40:58,626 --> 00:41:01,083
You are using them because they are secure.

694
00:41:01,250 --> 00:41:04,209
Likewise Spider Oak which is a competitor to Drop Box,

695
00:41:04,209 --> 00:41:07,542
you only use Spider Oak and you may for the service

696
00:41:07,542 --> 00:41:11,334
because they provide encrypted backups with a key only known

697
00:41:11,334 --> 00:41:13,083
to the user.

698
00:41:13,083 --> 00:41:15,999
And this, again, Spider Oak makes clear statements

699
00:41:15,999 --> 00:41:19,999
to users, we have created a system that makes it impossible

700
00:41:19,999 --> 00:41:25,209
to reveal, impossible for us to reveal your data to anyone.

701
00:41:26,834 --> 00:41:28,083
That's it.

702
00:41:28,083 --> 00:41:31,375
The only reason you use these companies is to protect your data.

703
00:41:31,375 --> 00:41:33,709
This is the only reason they are in business.

704
00:41:33,709 --> 00:41:37,999
And so the question right now is, and I don't have the answer to this.

705
00:41:38,083 --> 00:41:41,167
The question is, can the government force these companies

706
00:41:41,167 --> 00:41:43,626
to modify their products?

707
00:41:43,709 --> 00:41:45,459
Because if Spider Oak were forced to have

708
00:41:45,459 --> 00:41:49,709
a back door and it became unknown, they would go bankrupt.

709
00:41:49,709 --> 00:41:52,417
The only reason you are using them is for the security.

710
00:41:53,626 --> 00:41:55,542
So there is this law, I mentioned it

711
00:41:55,542 --> 00:41:58,876
before in passing called CALEA, and it it's normally thought

712
00:41:58,876 --> 00:42:01,125
of it's called the Communications Assistance

713
00:42:01,125 --> 00:42:03,542
for Law Enforcement Act.

714
00:42:03,792 --> 00:42:06,125
It's the law that forces telecommunications

715
00:42:06,125 --> 00:42:09,083
companies to put law enforcement interfaces

716
00:42:09,083 --> 00:42:11,209
in the networks.

717
00:42:11,209 --> 00:42:16,959
The reason that AT&T has very easy to use fast wiretapping capabilities

718
00:42:16,959 --> 00:42:21,167
is CALEA forces them to buy equipment.

719
00:42:21,334 --> 00:42:25,167
It has a provision most folks don't know about.

720
00:42:27,375 --> 00:42:31,292
A telecommunications carrier shall not be responsible for the crypting

721
00:42:31,292 --> 00:42:34,999
or insuring a government's ability to decrypt any communication

722
00:42:34,999 --> 00:42:37,999
encrypted by a subscriber if the encryption was provided

723
00:42:37,999 --> 00:42:41,709
by the carrier and the carrier carries the information necessary

724
00:42:41,709 --> 00:42:44,292
to encrypt the communications.

725
00:42:44,584 --> 00:42:48,709
This feature in CALEA, I think, and I'm not a lawyer,

726
00:42:48,709 --> 00:42:52,083
is the thing standing between these companies

727
00:42:52,083 --> 00:42:54,667
and the government.

728
00:42:54,667 --> 00:42:58,083
This section of CALEA, protects the right of companies that want

729
00:42:58,083 --> 00:43:00,542
to offer encrypted end to end services

730
00:43:00,542 --> 00:43:04,999
with a key only known to the user to the general public.

731
00:43:05,083 --> 00:43:08,501
It is my belief that when the next crypto wars come,

732
00:43:08,501 --> 00:43:13,209
if they do come, and when they come, that this section of the law will be

733
00:43:13,209 --> 00:43:16,792
the thing that the government targets.

734
00:43:18,999 --> 00:43:21,375
I think that down the road, we are going

735
00:43:21,375 --> 00:43:26,083
to see consumers using services that offer end to end crypto.

736
00:43:26,083 --> 00:43:29,542
I think we will see people paying for these services and I do think

737
00:43:29,542 --> 00:43:33,083
the government is going to target these because without it

738
00:43:33,083 --> 00:43:36,999
they cannot engage in dragnet surveillance.

739
00:43:36,999 --> 00:43:38,709
Thank you very much.

740
00:43:38,709 --> 00:43:39,709
(Applause).