1 00:00:00,000 --> 00:00:02,999 KURT OPSAHL: All right, thank you, everybody, for coming 2 00:00:02,999 --> 00:00:05,167 to the Ask The EFF Panel. 3 00:00:05,167 --> 00:00:06,542 It's so great to see so many people here filling 4 00:00:06,542 --> 00:00:08,042 up this room. 5 00:00:08,542 --> 00:00:11,999 We are the Electronic Frontier Foundation. 6 00:00:14,792 --> 00:00:16,999 (Cheers and applause.) KURT OPSAHL: 7 00:00:16,999 --> 00:00:18,626 Thank you. 8 00:00:21,375 --> 00:00:24,626 And so it's a pleasure to come here to DEF CON. 9 00:00:24,626 --> 00:00:26,999 There's so many people who have been great supporters of us here 10 00:00:26,999 --> 00:00:30,959 and so many people doing interesting things that lead to interesting issues, 11 00:00:30,959 --> 00:00:34,417 trying to help make the world a better place and we really also enjoy 12 00:00:34,417 --> 00:00:37,751 helping defend the people in this community. 13 00:00:37,999 --> 00:00:39,375 No arrests so far. 14 00:00:39,375 --> 00:00:42,167 We're going to hope for that for the rest of the weekend. 15 00:00:42,250 --> 00:00:46,834 I'm Kurt Opsahl, one of the attorneys at the Electronic Frontier Foundation. 16 00:00:46,876 --> 00:00:49,125 I do work on the coders' rights project, designed to try 17 00:00:49,125 --> 00:00:52,999 to make sure that people understand what their legal risks are when doing 18 00:00:52,999 --> 00:00:55,999 security research and talking about it. 19 00:00:56,250 --> 00:00:58,999 I also work on some of our other stuff. 20 00:00:58,999 --> 00:01:01,999 What I will be talking about a bit is the NSA surveillance and some 21 00:01:01,999 --> 00:01:06,542 of the recent revelations and what the EFF is doing about it. 22 00:01:06,542 --> 00:01:09,667 What we are going to do is go down the line here where each of us 23 00:01:09,667 --> 00:01:13,918 will talk a little bit about some of the projects that we are doing 24 00:01:13,918 --> 00:01:16,417 and introduce themselves. 
25 00:01:16,834 --> 00:01:20,083 Then after we have that sort of brief introduction we are going 26 00:01:20,083 --> 00:01:24,083 to turn it over to you to bring up your questions. 27 00:01:24,167 --> 00:01:26,999 There is a microphone over on this side. 28 00:01:27,125 --> 00:01:30,999 So if you have questions you can just line-up in front of that microphone 29 00:01:30,999 --> 00:01:32,751 and ask them. 30 00:01:32,834 --> 00:01:36,083 A couple of things I want to say about the kind of questions. 31 00:01:36,083 --> 00:01:38,999 We are happy to talk about a lot of the legal and policy issues, 32 00:01:38,999 --> 00:01:42,792 the technology products and such, but this is not the forum to ask 33 00:01:42,792 --> 00:01:44,751 for legal advice. 34 00:01:44,751 --> 00:01:47,334 (Laughter.) KURT OPSAHL: We do provide legal advice to people 35 00:01:47,334 --> 00:01:50,876 but that's best done in a confidential setting. 36 00:01:51,083 --> 00:01:54,250 This is not only not confidential because of all you fine people here, 37 00:01:54,250 --> 00:01:57,292 it's also being recorded for posterity. 38 00:01:57,417 --> 00:02:01,876 It is not the right place for asking, here, I did this thing last night. 39 00:02:01,876 --> 00:02:02,876 Was that legal? 40 00:02:05,292 --> 00:02:07,250 (Laughter.) KURT OPSAHL: All right. 41 00:02:07,250 --> 00:02:10,501 So let me just begin with just one of the things that EFF is working 42 00:02:10,501 --> 00:02:13,375 on that I have been part of. 43 00:02:13,542 --> 00:02:18,542 And that is about the NSA warrantless surveillance program. 44 00:02:18,542 --> 00:02:18,999 It has been in the news lately and some 45 00:02:18,999 --> 00:02:20,999 of you may have read about it. 46 00:02:21,709 --> 00:02:26,375 And we have actually been working on these issues for quite a long time. 
47 00:02:26,375 --> 00:02:28,999 In 2005 the New York Times published some reports 48 00:02:28,999 --> 00:02:33,459 about a warrantless surveillance program that was re-branded 49 00:02:33,459 --> 00:02:38,209 by the Bush administration as the Terrorist Surveillance Program, 50 00:02:38,209 --> 00:02:40,959 at least part of that. 51 00:02:40,999 --> 00:02:43,959 The following year the USA Today published reports 52 00:02:43,959 --> 00:02:46,999 about a program to get the call detail records 53 00:02:46,999 --> 00:02:50,709 from various telecommunications companies. 54 00:02:51,083 --> 00:02:54,751 We have actually from based on the information that we learned 55 00:02:54,751 --> 00:02:57,918 at that time a case that we brought representing 56 00:02:57,918 --> 00:03:01,959 some people against the NSA and the government to try and stop 57 00:03:01,959 --> 00:03:05,584 the surveillance called Jewel versus NSA. 58 00:03:05,584 --> 00:03:08,209 That has been going on in the courts for years now. 59 00:03:08,999 --> 00:03:12,459 But we have recently had a little bit of good news there which I will get 60 00:03:12,459 --> 00:03:14,125 to in a second. 61 00:03:14,125 --> 00:03:16,584 I want to say the second case that was brought 62 00:03:16,584 --> 00:03:21,876 about last month, and that was First Unitarian versus NSA. 63 00:03:22,083 --> 00:03:25,209 So in the Jewel case the government put forward 64 00:03:25,209 --> 00:03:27,999 the State secret privilege. 65 00:03:27,999 --> 00:03:29,834 They said hey, this has got some secrets 66 00:03:29,834 --> 00:03:33,709 to it that prevent it from being litigated. 67 00:03:33,999 --> 00:03:37,999 And so we can't allow this case to go forward. 68 00:03:37,999 --> 00:03:41,125 They brought up a number of other defenses. 
69 00:03:41,125 --> 00:03:43,999 What we have said is that under the Foreign Intelligence 70 00:03:43,999 --> 00:03:46,542 Surveillance Act there is a procedure set 71 00:03:46,542 --> 00:03:49,501 out by Congress after the Church Commission found 72 00:03:49,501 --> 00:03:52,999 a whole bunch of misuse of surveillance powers to determine 73 00:03:52,999 --> 00:03:56,999 the legality, have a court rule about whether what they are doing 74 00:03:56,999 --> 00:03:59,083 is or is not legal. 75 00:03:59,083 --> 00:04:03,918 That's the procedure that trumps the State secret privilege. 76 00:04:03,918 --> 00:04:07,125 So this case has gone up and down in the courts. 77 00:04:07,125 --> 00:04:10,626 It went, we lost an initial round. 78 00:04:10,626 --> 00:04:11,999 Went up to the appeals court. 79 00:04:11,999 --> 00:04:12,999 Won the appeal. 80 00:04:12,999 --> 00:04:14,999 Went back down to the District Court. 81 00:04:14,999 --> 00:04:19,834 Last month the District Court said the case can go forward. 82 00:04:19,999 --> 00:04:23,999 Go through this under the Foreign Intelligence 83 00:04:23,999 --> 00:04:26,542 Surveillance Act. 84 00:04:26,999 --> 00:04:28,999 So that case is ongoing. 85 00:04:29,125 --> 00:04:31,083 We are going to see whether the next move 86 00:04:31,083 --> 00:04:34,334 from the government is to appeal that or to move forward 87 00:04:34,334 --> 00:04:36,709 in the District Court. 88 00:04:36,709 --> 00:04:39,417 After some of the more recent revelations that have 89 00:04:39,417 --> 00:04:43,083 confirmed a lot of the stuff that we had seen before, 90 00:04:43,083 --> 00:04:46,209 but provided something special. 91 00:04:46,250 --> 00:04:48,501 I assume that most people here have been paying a fair amount 92 00:04:48,501 --> 00:04:50,626 of attention to some of the stuff that has come 93 00:04:50,626 --> 00:04:52,501 out in the Guardian. 
94 00:04:52,667 --> 00:04:57,083 One of the things that came out was a copy of an order that was 95 00:04:57,083 --> 00:05:01,542 for Verizon to hand over all of the records. 96 00:05:01,667 --> 00:05:04,125 This was the call detail record. 97 00:05:04,125 --> 00:05:09,250 This is who you called, how long you spoke, and so the time 98 00:05:09,250 --> 00:05:11,542 of the call. 99 00:05:11,834 --> 00:05:14,083 And it was for all of them. 100 00:05:14,083 --> 00:05:17,999 Not just, you know, one and foreign and not purely foreign but also 101 00:05:17,999 --> 00:05:20,501 down to local calls. 102 00:05:20,501 --> 00:05:23,999 On a daily basis they were to turn over to the FBI to hand 103 00:05:23,999 --> 00:05:28,999 over to the NSA or more or less directly to the NSA this database, 104 00:05:28,999 --> 00:05:32,709 the previous day's calls and then it would be added 105 00:05:32,709 --> 00:05:36,999 into the pool for analysis of contact chains. 106 00:05:36,999 --> 00:05:39,501 Basically this is kind of taking the metadata -- the government 107 00:05:39,501 --> 00:05:42,709 will say it's just metadata, not a big deal. 108 00:05:42,876 --> 00:05:44,542 But metadata is a big deal. 109 00:05:44,542 --> 00:05:47,792 It says who you call and that can reveal a tremendous amount 110 00:05:47,792 --> 00:05:50,999 about your relationship, reveal a tremendous amount 111 00:05:50,999 --> 00:05:55,375 about you if you are, you know, all of a sudden you're making a lot 112 00:05:55,375 --> 00:05:57,834 of calls to a doctor. 113 00:05:57,834 --> 00:06:00,334 That says something about your health situation. 114 00:06:00,334 --> 00:06:03,292 If you are calling certain representatives or political groups, 115 00:06:03,292 --> 00:06:07,959 it may say something about your political affiliation. 116 00:06:07,959 --> 00:06:10,834 There is a lot that it says about you that doesn't require them 117 00:06:10,834 --> 00:06:13,999 to listen to the content of the call. 
118 00:06:14,667 --> 00:06:17,834 So this is very important information, very sensitive. 119 00:06:18,083 --> 00:06:21,959 The new case we filed last month, First Unitarian versus NSA was 120 00:06:21,959 --> 00:06:24,999 a collection of 18 different political advocacy 121 00:06:24,999 --> 00:06:29,501 organizations, church groups, people who have a right of association, 122 00:06:29,501 --> 00:06:33,501 a right to get together with other people who are like-minded 123 00:06:33,501 --> 00:06:36,083 and try to act together. 124 00:06:36,083 --> 00:06:37,292 This comes under the First Amendment, where 125 00:06:37,292 --> 00:06:39,999 a lot of the other litigation about the NSA has been 126 00:06:39,999 --> 00:06:42,459 under the Fourth Amendment. 127 00:06:43,209 --> 00:06:46,999 Because that's exactly what the call detail record program is about, 128 00:06:46,999 --> 00:06:49,999 trying to find out what the associations are and cases have 129 00:06:49,999 --> 00:06:53,792 found that indeed that is a First Amendment right. 130 00:06:53,792 --> 00:06:55,999 You can organize, get together with like-minded people, try 131 00:06:55,999 --> 00:06:58,999 to do collective action without the government knowing 132 00:06:58,999 --> 00:07:01,999 everybody you are connecting with. 133 00:07:02,083 --> 00:07:05,417 That case was filed last month, just in the beginning phases. 134 00:07:05,417 --> 00:07:07,792 We are moving forward on a new angle. 135 00:07:07,792 --> 00:07:09,959 That's a very brief summary on some of what we are doing 136 00:07:09,959 --> 00:07:13,459 on the NSA front and with that I'll turn it over to Eva. 137 00:07:13,459 --> 00:07:16,626 EVA GALPERIN: Hi, my name is Eva Galperin, 138 00:07:16,626 --> 00:07:23,334 a global policy analyst for the Electronic Frontier Foundation. 139 00:07:23,334 --> 00:07:27,083 I understand that those are three words that can mean just about anything. 140 00:07:27,083 --> 00:07:29,834 I work on EFF's international team. 
141 00:07:29,834 --> 00:07:31,834 There are five of us. 142 00:07:32,542 --> 00:07:35,501 EFF is a relatively small organization. 143 00:07:35,501 --> 00:07:39,125 We have a reasonably large number of lawyers who specialize 144 00:07:39,125 --> 00:07:43,167 in litigation within the United States. 145 00:07:43,167 --> 00:07:45,667 But in the meantime, the Internet is global. 146 00:07:45,751 --> 00:07:46,918 So are we. 147 00:07:46,918 --> 00:07:50,292 So it's up to the international team to cover the rest of the world. 148 00:07:50,375 --> 00:07:52,334 So that's a little exhausting. 149 00:07:52,334 --> 00:07:55,083 (Laughter.) EVA GALPERIN: In some of these places rule of law 150 00:07:55,083 --> 00:07:57,209 is relatively strong. 151 00:07:57,209 --> 00:08:02,626 So we can pursue our protection of the Internet through policy venues. 152 00:08:02,999 --> 00:08:05,542 We can fight bad laws. 153 00:08:05,542 --> 00:08:07,999 We can go to the European parliament. 154 00:08:07,999 --> 00:08:12,999 We can fight secret trade treaties like TPP and ACTA in a policy space, 155 00:08:12,999 --> 00:08:17,999 but a lot of my favorite work happens in countries or working 156 00:08:17,999 --> 00:08:22,667 with people who are located in people where the rule of law 157 00:08:22,667 --> 00:08:27,876 is even less strong than it is in the United States. 158 00:08:27,999 --> 00:08:32,375 You really cannot pursue the goal of Internet freedom 159 00:08:32,375 --> 00:08:35,167 through policy venues. 160 00:08:35,167 --> 00:08:38,292 Instead you have to go through a sort of process 161 00:08:38,292 --> 00:08:44,626 of helping users to protect themselves, often using technical tools. 162 00:08:44,626 --> 00:08:46,999 I spend a lot of time talking to journalists, 163 00:08:46,999 --> 00:08:51,501 especially independent journalists in countries where the act 164 00:08:51,501 --> 00:08:54,584 of journalism is almost indistinguishable 165 00:08:54,584 --> 00:08:56,626 from activism. 
166 00:08:56,999 --> 00:09:02,999 Having your opinion and publishing it about the news is an act of activism 167 00:09:02,999 --> 00:09:05,626 in many countries. 168 00:09:05,959 --> 00:09:12,834 I talk to a lot of terrified journalists and a lot of terrified activists. 169 00:09:12,876 --> 00:09:15,125 Sometimes difficult to tell the difference. 170 00:09:15,167 --> 00:09:16,834 I spend a lot of time advising them 171 00:09:16,834 --> 00:09:19,751 about best practices for protecting their security 172 00:09:19,751 --> 00:09:22,999 and privacy and talking about their rights as they travel 173 00:09:22,999 --> 00:09:27,334 around and try to publish the information that they have. 174 00:09:27,834 --> 00:09:30,751 So in a lot of ways I rely on you guys because the only way 175 00:09:30,751 --> 00:09:34,999 to really understand best practices is to understand what the threats are 176 00:09:34,999 --> 00:09:39,292 on the Internet right now and what kind of threat models people are looking 177 00:09:39,292 --> 00:09:42,626 at and what both governments and individuals are capable 178 00:09:42,626 --> 00:09:45,876 of doing when it comes to compromising people's privacy 179 00:09:45,876 --> 00:09:47,584 and security. 180 00:09:47,709 --> 00:09:51,709 I follow the hacker community very, very closely. 181 00:09:51,834 --> 00:09:54,999 This is my seventh DEF CON. 182 00:09:55,334 --> 00:09:56,417 Not in a row. 183 00:09:56,417 --> 00:09:59,125 The first one I attended was 1998. 184 00:09:59,375 --> 00:10:01,334 It was a much smaller room. 185 00:10:01,334 --> 00:10:03,999 (Chuckles.) EVA GALPERIN: So one of the things I wanted to talk 186 00:10:03,999 --> 00:10:06,876 about really quick was while most of the people here are going 187 00:10:06,876 --> 00:10:10,000 to be talking about what they can do for you, I will talk a little bit 188 00:10:10,000 --> 00:10:12,459 about what you can do for me. 
189 00:10:13,250 --> 00:10:19,751 The biggest project that I was working on last year was the project 190 00:10:19,751 --> 00:10:26,834 in which we were finding, documenting, reverse engineering and then writing 191 00:10:26,834 --> 00:10:33,334 up the reports on Syrian malware, forces against President Assad were 192 00:10:33,334 --> 00:10:37,999 spying on activists throughout Syria. 193 00:10:39,918 --> 00:10:44,292 Even if you're using encryption, they would surreptitiously install 194 00:10:44,292 --> 00:10:47,542 a rootkit on your machine, therefore bypassing 195 00:10:47,542 --> 00:10:52,459 all of your precious encryption and all of the good advice I can possibly 196 00:10:52,459 --> 00:10:55,042 give to Syrian activists. 197 00:10:55,250 --> 00:10:58,584 We tracked down the malware, reverse engineering it and writing 198 00:10:58,584 --> 00:11:00,292 up the reports. 199 00:11:00,292 --> 00:11:03,209 We had the reports translated into Arabic. 200 00:11:03,209 --> 00:11:04,709 There's no point in writing them if they can't be read 201 00:11:04,709 --> 00:11:06,999 by the people who are targeted. 202 00:11:09,083 --> 00:11:12,751 This was actually very successful. 203 00:11:12,751 --> 00:11:15,250 And as a result, I have terrified activists coming 204 00:11:15,250 --> 00:11:18,999 to me with more malware from all over the world, places 205 00:11:18,999 --> 00:11:23,375 like Ethiopia and Vietnam and occasionally China. 206 00:11:23,375 --> 00:11:25,667 There are a lot of reverse Chinese malware. 207 00:11:26,083 --> 00:11:29,417 I need a show of hands. 208 00:11:29,417 --> 00:11:30,999 Anybody here reverse malware? 209 00:11:31,125 --> 00:11:32,125 Anybody? 210 00:11:32,125 --> 00:11:33,125 Anybody? 211 00:11:33,125 --> 00:11:34,125 I see some hands. 212 00:11:34,250 --> 00:11:35,459 I need you all. 213 00:11:35,834 --> 00:11:36,999 And over there. 
214 00:11:37,999 --> 00:11:41,999 I need you all to come talk to me after this talk 215 00:11:41,999 --> 00:11:48,083 because I have more terrifying malware than I have reversers. 216 00:11:48,584 --> 00:11:51,918 This is where I go to pick up more reversers. 217 00:11:51,999 --> 00:11:55,709 (Laughter.) EVA GALPERIN: I desperately need your help. 218 00:11:56,417 --> 00:12:00,209 I am here to answer questions about anything involving the rest 219 00:12:00,209 --> 00:12:01,999 of the world. 220 00:12:03,334 --> 00:12:05,459 Julian Assange. 221 00:12:07,959 --> 00:12:13,417 EVA GALPERIN: Including Julian Assange, Edward Snowden, ACTA, 222 00:12:13,417 --> 00:12:18,501 TPP, China, Iran, all kinds of terrible malware, Gamma 223 00:12:18,501 --> 00:12:24,584 FinFisher, United States selling to regimes in Turkmenistan. 224 00:12:24,959 --> 00:12:27,250 That's what I do and if you have questions I'm happy 225 00:12:27,250 --> 00:12:29,209 to answer them later. 226 00:12:29,501 --> 00:12:32,876 MARCIA HOFMANN: Hi, there. 227 00:12:32,876 --> 00:12:34,542 My name is Marcia Hofmann. 228 00:12:34,667 --> 00:12:39,709 I was a senior staff attorney at Electronic Frontier Foundation 229 00:12:39,709 --> 00:12:41,999 for a long time. 230 00:12:41,999 --> 00:12:43,292 I was there for seven years. 231 00:12:43,292 --> 00:12:47,125 I left just a couple months ago to start my own little private practice 232 00:12:47,125 --> 00:12:51,083 focused on technology law, very specifically privacy issues, 233 00:12:51,083 --> 00:12:54,667 copyright issues, hacking and security related things, 234 00:12:54,667 --> 00:12:56,375 free speech. 235 00:12:56,375 --> 00:12:59,792 And I remain involved with the EFF as a fellow. 236 00:12:59,792 --> 00:13:03,125 That's why I'm on the panel today, I'm still an EFF fellow. 
237 00:13:03,167 --> 00:13:05,999 And I also became an EFF member last night 238 00:13:05,999 --> 00:13:09,083 for the sole selfish purpose of getting 239 00:13:09,083 --> 00:13:13,999 the totally amazing rocking EFF DEF CON T-shirt. 240 00:13:13,999 --> 00:13:15,999 I don't know if you've seen the new one. 241 00:13:15,999 --> 00:13:17,542 Visit the booth and check it out. 242 00:13:17,542 --> 00:13:19,417 It's amazing, fantastic and I love it. 243 00:13:19,999 --> 00:13:23,626 I wanted to talk to you today about a case I became involved 244 00:13:23,626 --> 00:13:28,834 in while I was still at EFF, but when I left I remained involved in it. 245 00:13:28,834 --> 00:13:30,167 EFF is also involved in it. 246 00:13:30,167 --> 00:13:31,417 We are partnering on it. 247 00:13:31,417 --> 00:13:32,918 It's a case some of you may have heard about, 248 00:13:32,918 --> 00:13:35,209 United States versus Auernheimer. 249 00:13:36,751 --> 00:13:39,125 Show of hands, how many people heard of this? 250 00:13:39,334 --> 00:13:43,999 You may know it as the Weev case or iPad hacker case. 251 00:13:43,999 --> 00:13:45,292 Does that ring any bells? 252 00:13:45,959 --> 00:13:49,083 So let me tell you what happened in this case. 253 00:13:49,334 --> 00:13:52,209 There is this guy named Daniel Spitler. 254 00:13:52,999 --> 00:13:59,751 And he notices something interesting about iPads a few years ago. 255 00:13:59,876 --> 00:14:05,918 Specifically what he notices is that if a person has an iPad and wants 256 00:14:05,918 --> 00:14:11,334 to go set up a data plan on that iPad, the person goes and visits 257 00:14:11,334 --> 00:14:16,375 the AT&T website using the browser on the iPad. 
258 00:14:16,375 --> 00:14:18,083 And when they visit the browser, they see 259 00:14:18,083 --> 00:14:21,999 a pop-up window that has pre-populated in the pop-up window 260 00:14:21,999 --> 00:14:26,083 the account holder's e-mail address and then the account holder 261 00:14:26,083 --> 00:14:30,999 is supposed to type in the password to get into the account. 262 00:14:31,125 --> 00:14:35,959 He notices that when you see this pop-up window in the browser, 263 00:14:35,959 --> 00:14:39,167 in the URL there is a number. 264 00:14:39,167 --> 00:14:41,999 And he recognizes that this is an ICCID which 265 00:14:41,999 --> 00:14:47,751 is a unique identifier associated with the SIM card of the iPad. 266 00:14:47,751 --> 00:14:51,417 Basically what was happening, AT&T servers were recognizing that 267 00:14:51,417 --> 00:14:55,999 this is this particular iPad, AT&T knows that this is, this iPad 268 00:14:55,999 --> 00:14:59,918 is associated with this account holder. 269 00:14:59,918 --> 00:15:01,876 They pre-populate the e-mail address. 270 00:15:01,876 --> 00:15:03,709 He says oh, well, I wonder what happens 271 00:15:03,709 --> 00:15:06,083 if I change that number? 272 00:15:06,083 --> 00:15:07,459 What if I change one digit? 273 00:15:07,751 --> 00:15:09,999 Boom, there's a different e-mail address. 274 00:15:10,083 --> 00:15:14,167 And so he wrote a script that basically just iterated 275 00:15:14,167 --> 00:15:18,918 through the ICCIDs in the URL and managed to harvest 276 00:15:18,918 --> 00:15:23,250 about 140,000 e-mail addresses this way. 277 00:15:23,834 --> 00:15:26,999 And then he, while he's in the process of doing this 278 00:15:26,999 --> 00:15:31,501 he goes online and he tells some of his friends there: Oh, my God, 279 00:15:31,501 --> 00:15:34,584 I just figured out that AT&T does this thing 280 00:15:34,584 --> 00:15:39,334 and I wrote this script and I'm harvesting this stuff. 
281 00:15:39,999 --> 00:15:42,083 One of the people that he was speaking to about this 282 00:15:42,083 --> 00:15:45,459 is a guy named Andrew Auernheimer who is also known as Weev. 283 00:15:46,334 --> 00:15:48,501 Weev says we should see if in that list 284 00:15:48,501 --> 00:15:51,999 of e-mail addresses there are any reporters and we can tell them 285 00:15:51,999 --> 00:15:55,375 about this and maybe they'll write about it. 286 00:15:55,709 --> 00:15:59,083 They identify several reporters, including a Gawker reporter. 287 00:15:59,542 --> 00:16:03,417 Weev sends them an e-mail and explains the situation, frankly 288 00:16:03,417 --> 00:16:07,542 in rather provocative terms to attract attention. 289 00:16:07,834 --> 00:16:11,083 Then Gawker published a story about it. 290 00:16:11,542 --> 00:16:17,584 As opposed Spitler and Weev were then indicted on two felony counts each, 291 00:16:17,584 --> 00:16:21,918 conspiracy to violate the federal Computer Fraud 292 00:16:21,918 --> 00:16:25,876 and Abuse Act and identity theft. 293 00:16:26,626 --> 00:16:29,292 Basically the government's argument 294 00:16:29,292 --> 00:16:34,167 for the violation, the conspiracy to violate the Computer Fraud 295 00:16:34,167 --> 00:16:38,083 and Abuse Act is that Spitler's script, his access 296 00:16:38,083 --> 00:16:41,834 to AT&T servers amounted to unauthorized access 297 00:16:41,834 --> 00:16:44,584 to protected computers. 298 00:16:44,999 --> 00:16:49,250 And I think that this is a really concerning interpretation 299 00:16:49,250 --> 00:16:53,999 of the law because this is information that AT&T published 300 00:16:53,999 --> 00:16:56,209 on the Internet. 301 00:16:56,209 --> 00:16:58,999 It was hidden, but there was no barrier in place 302 00:16:58,999 --> 00:17:01,999 to protect that information. 303 00:17:01,999 --> 00:17:03,083 There was no password. 304 00:17:03,083 --> 00:17:04,083 There was nothing. 
305 00:17:04,083 --> 00:17:07,834 AT&T basically just hoped that people would never notice it was there. 306 00:17:08,334 --> 00:17:12,501 And so what ended up happening was, Spitler cooperated 307 00:17:12,501 --> 00:17:16,083 with the government, testified against Weev and 308 00:17:16,083 --> 00:17:20,209 in November -- Weev and in November Weev was convicted 309 00:17:20,209 --> 00:17:25,375 on two felony counts, sentenced to three and a half years in prison 310 00:17:25,375 --> 00:17:29,250 and to pay AT&T $73,000 to compensate them for what 311 00:17:29,250 --> 00:17:33,626 they needed to do to rectify the situation. 312 00:17:34,459 --> 00:17:37,334 We are in the midst of appealing this case. 313 00:17:37,999 --> 00:17:40,167 EFF is on it. 314 00:17:40,167 --> 00:17:42,125 I'm continuing to work on it pro bono. 315 00:17:42,334 --> 00:17:47,959 We are joined by Orin Kerr, a respected crime counsel. 316 00:17:50,999 --> 00:17:56,292 And we are partnering to appeal this to the Third Circuit Court of Appeals. 317 00:17:56,292 --> 00:17:59,167 We filed our opening brief in July, July 1st and 318 00:17:59,167 --> 00:18:05,250 the government's opposition will be filed in just a couple of weeks. 319 00:18:05,250 --> 00:18:08,918 And so that's kind of the deal with that case. 320 00:18:09,083 --> 00:18:11,999 If you have questions about it, of course I will be happy to discuss 321 00:18:11,999 --> 00:18:14,083 or any number of other things that you want 322 00:18:14,083 --> 00:18:15,959 to talk about. 323 00:18:15,959 --> 00:18:16,959 Thank you. 324 00:18:22,999 --> 00:18:26,667 (Applause.) MITCH STOLTZ: Hi, I'm Mitch Stoltz, an attorney at EFF 325 00:18:26,667 --> 00:18:29,375 in the intellectual property team. 326 00:18:29,375 --> 00:18:33,501 I apologize in advance of the effect of a very old kind of malware known 327 00:18:33,501 --> 00:18:35,459 as a head cold. 328 00:18:35,999 --> 00:18:36,999 Bear with me. 
329 00:18:36,999 --> 00:18:38,083 I'll keep this brief. 330 00:18:38,542 --> 00:18:41,876 I work on cases where intellectual property 331 00:18:41,876 --> 00:18:47,626 laws like copyright, patent, although I'm less of a patent expert, 332 00:18:47,626 --> 00:18:53,626 and some other random laws interfere with freedom of speech, freedom 333 00:18:53,626 --> 00:18:56,999 to build, freedom to tinker. 334 00:18:57,167 --> 00:19:00,751 And I'll just quickly mention two things that are, you know, 335 00:19:00,751 --> 00:19:04,918 probably really current issues and probably of interest to some 336 00:19:04,918 --> 00:19:07,083 of the people here. 337 00:19:07,751 --> 00:19:10,999 One is the Digital Millennium Copyright Act. 338 00:19:11,083 --> 00:19:13,459 This was a law passed 15 years ago. 339 00:19:13,876 --> 00:19:21,250 Part of it is a federal civil and criminal ban on breaking what 340 00:19:21,250 --> 00:19:27,083 is commonly known as DRM, digital access controls 341 00:19:27,083 --> 00:19:30,667 on copyrighted works. 342 00:19:33,250 --> 00:19:37,417 For the start, we think it was a bad premise 343 00:19:37,417 --> 00:19:43,999 because with a few generally not that useful exceptions it is illegal 344 00:19:43,999 --> 00:19:47,751 to break DRM even if you are breaking it 345 00:19:47,751 --> 00:19:51,626 for an otherwise legal purpose. 346 00:19:51,999 --> 00:19:55,999 Now, there are some exceptions, but those exceptions are hard to use, 347 00:19:55,999 --> 00:19:57,999 for the most part. 348 00:19:57,999 --> 00:20:00,999 They protect certain people and not others. 349 00:20:00,999 --> 00:20:03,334 And there is a process where the Library 350 00:20:03,334 --> 00:20:08,918 of Congress can pass new exceptions every three years. 351 00:20:08,918 --> 00:20:11,751 The problem with those is they are generally very narrow 352 00:20:11,751 --> 00:20:14,876 and they only last three years. 
353 00:20:15,042 --> 00:20:19,375 What happened this year, a couple of things that were interesting. 354 00:20:19,375 --> 00:20:28,999 In the last three-year cycle which was 2009 to -- beginning of 2009, 355 00:20:28,999 --> 00:20:40,167 EFF asked for and got an exemption for jailbreaking smart phones. 356 00:20:40,167 --> 00:20:45,751 A declaration of shield against lawsuits for people who want 357 00:20:45,751 --> 00:20:51,999 to install unapproved apps on a mobile phone device. 358 00:20:55,584 --> 00:21:00,083 At the time there was another group, actually this was EFF 359 00:21:00,083 --> 00:21:04,667 at the time who also got an exemption for unlocking, that 360 00:21:04,667 --> 00:21:10,375 is for modifying a smart phone to use it on a different wireless network, 361 00:21:10,375 --> 00:21:13,542 different cellular network. 362 00:21:14,792 --> 00:21:17,918 What happened this year, we successfully renewed 363 00:21:17,918 --> 00:21:21,542 the exemption, I'm sorry, in 2012 we successfully renewed 364 00:21:21,542 --> 00:21:24,667 the exemption for jailbreaking, but the Library 365 00:21:24,667 --> 00:21:29,626 of Congress decided not to renew the exemption for unlocking. 366 00:21:29,626 --> 00:21:33,792 This was really strange to a lot of people and the way it was reported 367 00:21:33,792 --> 00:21:36,999 in the press mostly accurately was the Librarian 368 00:21:36,999 --> 00:21:43,083 of Congress says that unlocking your phone to switch carriers is now illegal. 369 00:21:44,250 --> 00:21:46,250 Maybe not true exactly. 370 00:21:46,250 --> 00:21:48,083 A couple of courts have gone one way. 371 00:21:48,083 --> 00:21:50,209 A couple of courts have gone the other way. 372 00:21:50,209 --> 00:21:52,125 There is no connection to protecting copyrighted works here, 373 00:21:52,125 --> 00:21:56,334 which is arguably what this law was supposed to do. 
374 00:21:57,083 --> 00:22:00,125 But some of the major cellular networks, 375 00:22:00,125 --> 00:22:04,626 cellular carriers have claimed and continue to claim that 376 00:22:04,626 --> 00:22:08,125 if you unlock your phone or if you hire someone 377 00:22:08,125 --> 00:22:12,083 to unlock your phone without their permission, that 378 00:22:12,083 --> 00:22:17,999 they can sue you and that there may even be criminal penalties. 379 00:22:17,999 --> 00:22:21,459 This is separate and apart from your contract. 380 00:22:23,626 --> 00:22:25,999 Obviously you break a contract, usually you have to pay 381 00:22:25,999 --> 00:22:28,292 an early termination penalty. 382 00:22:28,292 --> 00:22:30,709 This is something everybody understands. 383 00:22:30,709 --> 00:22:34,999 It's a bargain that you make when you sign up for mobile phone service. 384 00:22:34,999 --> 00:22:36,999 This is on top of that. 385 00:22:37,292 --> 00:22:41,334 The claim that because of this law that was supposed 386 00:22:41,334 --> 00:22:46,083 to protect and restrict, for example, the encryption on DVDs, 387 00:22:46,083 --> 00:22:49,667 because of that law you can't change carriers 388 00:22:49,667 --> 00:22:53,876 without the current carrier's permission. 389 00:22:54,792 --> 00:22:57,209 All really fairly ridiculous. 390 00:22:57,751 --> 00:23:02,292 There's a bill going through Congress just passed 391 00:23:02,292 --> 00:23:06,999 out of a House committee last week, that would fix 392 00:23:06,999 --> 00:23:13,083 in a very narrow way this specific problem about phone unlocking, 393 00:23:13,083 --> 00:23:17,999 but only for the next two years and without getting 394 00:23:17,999 --> 00:23:24,125 at the deeper problem, which is this law is used as a club to stop 395 00:23:24,125 --> 00:23:28,542 and punish lots of things that could be called 396 00:23:28,542 --> 00:23:33,125 circumventing a digital access control. 
397 00:23:34,250 --> 00:23:39,999 Going beyond, just protection of copyrighted material, movies, 398 00:23:39,999 --> 00:23:45,459 music and so on, books, to really being a yet another kind 399 00:23:45,459 --> 00:23:48,292 of anti-hacking law. 400 00:23:48,417 --> 00:23:52,999 It gets used as a club. 401 00:23:54,999 --> 00:23:59,083 You know, we are looking for ways to hopefully get Congress 402 00:23:59,083 --> 00:24:03,709 to fix this law in a more really comprehensive way. 403 00:24:03,709 --> 00:24:07,999 In the meantime we continue to ask the Library of Congress for exemptions. 404 00:24:09,083 --> 00:24:13,250 We are interested in hearing people's stories 405 00:24:13,250 --> 00:24:18,083 about how they, and under what circumstances do you need 406 00:24:18,083 --> 00:24:23,876 to circumvent or undo or avoid digital access controls? 407 00:24:25,292 --> 00:24:28,083 If you've ever been legally threatened for those things, 408 00:24:28,083 --> 00:24:30,584 those are things we would be interested in hearing 409 00:24:30,584 --> 00:24:33,292 about in private and confidentially. 410 00:24:34,709 --> 00:24:38,375 Or if you have thoughts about that law. 411 00:24:39,334 --> 00:24:43,209 The other area that I'll mention briefly is patent trolls, which has been 412 00:24:43,209 --> 00:24:47,125 a really big area for us this year and for the country. 413 00:24:47,334 --> 00:24:51,167 We've seen really strong statements out of the White House, a lot 414 00:24:51,167 --> 00:24:54,250 of sectors of the digital technology economies 415 00:24:54,250 --> 00:24:56,667 about patent trolls. 416 00:24:56,667 --> 00:24:57,918 What are patent trolls? 417 00:24:57,959 --> 00:25:00,999 There is not a really widely accepted definition, 418 00:25:00,999 --> 00:25:06,083 but generally speaking we are talking about companies that don't build 419 00:25:06,083 --> 00:25:08,999 or produce or sell things. 420 00:25:08,999 --> 00:25:10,876 They simply own patents. 
421 00:25:18,250 --> 00:25:20,999 They simply own patents and sue over them. 422 00:25:21,626 --> 00:25:25,334 The really damaging ones are in the information technology space, 423 00:25:25,334 --> 00:25:27,709 in the Internet space. 424 00:25:27,876 --> 00:25:29,125 For example, recently there's 425 00:25:29,125 --> 00:25:32,083 a company that has been threatening bloggers 426 00:25:32,083 --> 00:25:35,999 with patent infringement lawsuits because they claim to own 427 00:25:35,999 --> 00:25:41,334 a patent that covers some really basic aspects of Web publishing. 428 00:25:41,334 --> 00:25:44,792 Things that have really been done for over a decade. 429 00:25:49,751 --> 00:25:55,999 The other one recently -- it will come to me. 430 00:25:55,999 --> 00:25:59,876 There's a number of things being done, a number of things that EFF is doing. 431 00:25:59,876 --> 00:26:02,083 We launched a site called trolleffects.org. 432 00:26:02,083 --> 00:26:05,584 We are collecting threat letters that people have received 433 00:26:05,584 --> 00:26:11,167 from patent trolls or likely patent trolls and see if we can develop a picture 434 00:26:11,167 --> 00:26:16,250 of who is doing this, what patents do they actually own. 435 00:26:16,250 --> 00:26:18,709 It's hard to tell who owns what because they tend 436 00:26:18,709 --> 00:26:22,334 to use shell companies and false identities when they send 437 00:26:22,334 --> 00:26:24,999 the threatening letters. 438 00:26:25,999 --> 00:26:31,167 If people send them to trolleffects.org we can hopefully get 439 00:26:31,167 --> 00:26:34,999 a picture of who is doing what. 440 00:26:34,999 --> 00:26:38,459 And it can be a resource for people who get a threat letter, 441 00:26:38,459 --> 00:26:43,667 to figure out how legitimate it is, whether this is a company that 442 00:26:43,667 --> 00:26:47,501 is likely to sue, so on and so forth. 
443 00:26:48,751 --> 00:26:53,999 So we would be interested in hearing from you how patents 444 00:26:53,999 --> 00:26:57,918 on software, patents on protocols, patents 445 00:26:57,918 --> 00:27:04,459 on communications technologies, et cetera, have affected you. 446 00:27:04,834 --> 00:27:06,542 I'll leave it at that. 447 00:27:06,542 --> 00:27:11,209 DAN AUERBACH: Hi, everyone. 448 00:27:11,209 --> 00:27:14,626 My name is Dan Auerbach, staff technologist at EFF. 449 00:27:14,626 --> 00:27:16,626 We have a staff of four technologists. 450 00:27:16,999 --> 00:27:19,125 Part of my job is to provide technical support 451 00:27:19,125 --> 00:27:22,876 for the organization in terms of if someone wants to know what 452 00:27:22,876 --> 00:27:27,417 is an IP address or how does network address translations work? 453 00:27:27,417 --> 00:27:31,292 Those sorts of questions, I give that information 454 00:27:31,292 --> 00:27:37,334 to our legal team and activism team and to journalists. 455 00:27:37,375 --> 00:27:42,792 But today I want to give an overview of the other aspect of what we work on. 456 00:27:42,792 --> 00:27:45,167 We have a bunch of tech projects. 457 00:27:46,459 --> 00:27:52,751 Kind of a theme of our tech projects is encrypting the Web. 458 00:27:52,834 --> 00:27:56,083 So this is kind of a mission that we have at EFF 459 00:27:56,083 --> 00:28:00,501 to try to encourage the adoption of https and the use of https 460 00:28:00,501 --> 00:28:02,999 as much as possible. 461 00:28:02,999 --> 00:28:07,918 We have been encouraged with recent news based on the leaks, 462 00:28:07,918 --> 00:28:13,209 the NSA leaks that encryption does seem to work. 463 00:28:13,209 --> 00:28:17,083 The NSA doesn't have some sort of magic ability to decrypt things. 464 00:28:17,292 --> 00:28:19,125 Which is great news. 465 00:28:19,417 --> 00:28:23,250 It means that we really need to deprecate http. 
466 00:28:23,250 --> 00:28:29,417 We need http to become like Telnet, to what SSH is now. 467 00:28:33,667 --> 00:28:37,501 (Applause.) DAN AUERBACH: So towards that end we have 468 00:28:37,501 --> 00:28:40,167 a project that we launched in 2010 which 469 00:28:40,167 --> 00:28:43,375 is called HTTPS Everywhere, a browser extension 470 00:28:43,375 --> 00:28:45,999 for Chrome and Firefox. 471 00:28:45,999 --> 00:28:47,999 This is the most visible project. 472 00:28:47,999 --> 00:28:51,167 The way this works, there's a giant list 473 00:28:51,167 --> 00:28:57,292 of rules and your browser understands that some websites offer 474 00:28:57,292 --> 00:29:02,999 an https connection but don't do it by default. 475 00:29:02,999 --> 00:29:07,751 So HTTPS Everywhere encrypts those connections. 476 00:29:10,999 --> 00:29:15,459 It recognizes this is, by default Wikipedia was over http, 477 00:29:15,459 --> 00:29:20,375 but with our add-on it would encrypt that traffic. 478 00:29:20,959 --> 00:29:25,083 That was kind of our first foray into this area. 479 00:29:25,334 --> 00:29:29,417 But then we started noticing, well, https is great, but PKI, 480 00:29:29,417 --> 00:29:34,834 public key infrastructure, the certificate authority system is really, 481 00:29:34,834 --> 00:29:37,709 seems really problematic. 482 00:29:37,834 --> 00:29:41,999 So what we did next was this project called the observatory, 483 00:29:41,999 --> 00:29:47,667 where we did a scan on port 443 of the entire IPv4 Internet and collected 484 00:29:47,667 --> 00:29:50,999 all the security certificates. 485 00:29:51,999 --> 00:29:56,709 And with that, we made a map of the existing certificate authorities 486 00:29:56,709 --> 00:30:00,042 and the relationships between them. 487 00:30:00,250 --> 00:30:05,083 Some certificate authorities are root and they are trusted in your browser. 488 00:30:05,083 --> 00:30:06,751 Others are intermediate. 
489 00:30:06,751 --> 00:30:09,375 Some certificates can be cached by the browser even though 490 00:30:09,375 --> 00:30:12,083 they are not implicitly trusted. 491 00:30:12,626 --> 00:30:16,999 It's a messy world of how certificates are handled. 492 00:30:16,999 --> 00:30:19,876 For people who kind of follow this issue, it 493 00:30:19,876 --> 00:30:23,292 is well-known that PKI is pretty broken. 494 00:30:23,292 --> 00:30:25,000 That we need to fix it. 495 00:30:25,584 --> 00:30:27,959 But the observatory was kind of a tool that we tried to use 496 00:30:27,959 --> 00:30:29,999 to study this problem. 497 00:30:29,999 --> 00:30:33,999 We also have something called the decentralized observatory which 498 00:30:33,999 --> 00:30:37,542 for users on Firefox you can opt into sending us 499 00:30:37,542 --> 00:30:42,918 the certificates that you see as you browse around the Web. 500 00:30:43,250 --> 00:30:47,584 And so this is a way for us to detect attacks. 501 00:30:47,584 --> 00:30:50,042 So, for example, if your browser thinks that it 502 00:30:50,042 --> 00:30:54,751 is seeing a valid certificate for Google.com, but we notice, whoa, 503 00:30:54,751 --> 00:31:00,792 this is very different than a lot of the other certificates we're seeing. 504 00:31:00,792 --> 00:31:04,626 We will be able to warn the user about that. 505 00:31:04,626 --> 00:31:08,999 And we also will be able to kind of get some more information 506 00:31:08,999 --> 00:31:12,083 about how certificates vary from region 507 00:31:12,083 --> 00:31:18,834 to region and how Web servers generally deploy their SSL certificates. 508 00:31:19,250 --> 00:31:23,876 That's kind of some of our projects in the vein of encrypting the Web, 509 00:31:23,876 --> 00:31:27,792 but we also have other stuff we work on, too. 510 00:31:28,083 --> 00:31:32,999 Another area that we've been kind of investigating lately is the issue 511 00:31:32,999 --> 00:31:36,999 of nonconsensual tracking on the Web. 
512 00:31:37,292 --> 00:31:39,999 So ten years ago when you visited a site like the New York Times, 513 00:31:39,999 --> 00:31:44,292 your browser loaded resources mostly just from the New York Times. 514 00:31:44,292 --> 00:31:48,083 Now if you inspect, when you load the New York Times 515 00:31:48,083 --> 00:31:53,709 and you open a debugger to see all the resources you're loading, 516 00:31:53,709 --> 00:31:58,999 it's from maybe dozens or hundreds of different companies, many 517 00:31:58,999 --> 00:32:03,542 of which are kind of invisible third-party trackers, 518 00:32:03,542 --> 00:32:08,626 which are amassing browsing histories of users. 519 00:32:08,999 --> 00:32:11,209 We think this is really bad. 520 00:32:11,209 --> 00:32:12,918 People don't know about it and it's happening more 521 00:32:12,918 --> 00:32:14,209 and more. 522 00:32:14,834 --> 00:32:18,542 There is an effort called Do Not Track which was supposed 523 00:32:18,542 --> 00:32:21,709 to help mitigate this problem, but unfortunately 524 00:32:21,709 --> 00:32:25,250 the W3C tracking protection working group which I'm on, 525 00:32:25,250 --> 00:32:27,959 has stalled quite a bit. 526 00:32:28,459 --> 00:32:32,375 And so users are left with a few different options. 527 00:32:32,375 --> 00:32:33,999 They can install an ad blocker which I'm sure many 528 00:32:33,999 --> 00:32:37,667 of the savvier people in this room have already done. 529 00:32:37,709 --> 00:32:41,959 But advertising does form a significant portion of revenue 530 00:32:41,959 --> 00:32:47,292 on the Web and we don't think that you should have to block all ads in order 531 00:32:47,292 --> 00:32:49,584 to stop tracking. 532 00:32:49,792 --> 00:32:53,918 So what we did is we are building a tool which is actually 533 00:32:53,918 --> 00:32:58,292 an experimental Chrome extension which you can download now called 534 00:32:58,292 --> 00:33:01,959 the EFF tracker blocking laboratory. 
535 00:33:01,999 --> 00:33:05,999 So we thought we would add to the ecosystem of blockers by, 536 00:33:05,999 --> 00:33:10,292 instead of having a list based blocker -- most blockers 537 00:33:10,292 --> 00:33:14,584 today, if you use Adblock Plus or Ghostery, there's 538 00:33:14,584 --> 00:33:18,834 a manual list created in a central crawl. 539 00:33:18,834 --> 00:33:22,959 What we are doing is a heuristic based blocker. 540 00:33:22,999 --> 00:33:25,709 From within the browser as you browse around, 541 00:33:25,709 --> 00:33:29,501 we notice this domain seems like it's tracking you and we block it 542 00:33:29,501 --> 00:33:31,250 based on that. 543 00:33:31,250 --> 00:33:34,918 This is very experimental but it's a direction we are going to try 544 00:33:34,918 --> 00:33:39,584 to add to the ecosystem so that we can hopefully eventually land a feature 545 00:33:39,584 --> 00:33:42,626 like this in browsers, so we can fight back more 546 00:33:42,626 --> 00:33:45,918 against the nonconsensual tracking. 547 00:33:47,083 --> 00:33:53,083 Finally we have a project to promote open wireless access. 548 00:33:53,999 --> 00:33:57,459 We are trying to make it easier for people 549 00:33:57,459 --> 00:34:03,501 to provide open wireless guest access with a deprioritized, it would start 550 00:34:03,501 --> 00:34:08,999 with the second wireless LAN that is deprioritized so your bandwidth 551 00:34:08,999 --> 00:34:11,292 is not affected. 552 00:34:11,292 --> 00:34:15,542 We are trying to figure out how to build security properties 553 00:34:15,542 --> 00:34:19,125 into that open wireless solution. 554 00:34:19,417 --> 00:34:21,709 It is actually the case that WPA2 doesn't provide 555 00:34:21,709 --> 00:34:25,542 much security, especially at a conference like this. 556 00:34:25,542 --> 00:34:26,083 It is essentially an open network 557 00:34:26,083 --> 00:34:28,709 because everyone has the password. 
558 00:34:28,709 --> 00:34:31,959 We are looking at ways to get WPA2 kind of security 559 00:34:31,959 --> 00:34:34,083 for open networks. 560 00:34:34,334 --> 00:34:36,834 That's an overview of our tech projects. 561 00:34:36,834 --> 00:34:40,501 If you have questions about any of those I'm the guy to ask. 562 00:34:40,501 --> 00:34:41,501 Thank you. 563 00:34:47,918 --> 00:34:50,334 (Applause.) MARC JAYCOX: Hi, everyone. 564 00:34:50,334 --> 00:34:51,999 I'm Marc Jaycox, a legislative assistant for EFF, 565 00:34:51,999 --> 00:34:54,999 working for the legal and activism teams. 566 00:34:55,501 --> 00:34:59,334 That involves working with, dealing with Congress and legislation 567 00:34:59,334 --> 00:35:04,375 and also blogging, helping run coalitions, things like that. 568 00:35:04,626 --> 00:35:06,834 I'm going to give probably a quick overview of my year 569 00:35:06,834 --> 00:35:10,876 with what we have been doing and what we have been working on. 570 00:35:10,999 --> 00:35:13,792 And so the year kind of started off with CISPA, 571 00:35:13,792 --> 00:35:17,959 Cyber Intelligence Sharing and Protection Act. 572 00:35:17,999 --> 00:35:22,999 Before the leaks, this was a law that granted broad legal immunity 573 00:35:22,999 --> 00:35:26,999 for companies to bypass the privacy laws and to share 574 00:35:26,999 --> 00:35:29,751 a lot more information. 575 00:35:31,167 --> 00:35:33,999 So we started off the year with that. 576 00:35:33,999 --> 00:35:36,542 Congress year after year has consistently pushed 577 00:35:36,542 --> 00:35:40,584 cyber security, really online security, network security bills, 578 00:35:40,584 --> 00:35:44,542 all cyber talk has taken over Washington, D.C. 579 00:35:44,876 --> 00:35:49,083 They often at least the language they offer is not very technical. 580 00:35:49,083 --> 00:35:50,876 The terms are always pretty bad. 
581 00:35:51,083 --> 00:35:55,667 So we started off this year with the House debating this issue 582 00:35:55,667 --> 00:36:00,667 and kind of arguing for these massive exemptions. 583 00:36:00,876 --> 00:36:03,250 And we over the course of a few months we had 584 00:36:03,250 --> 00:36:07,083 a very large campaign to combat this bill. 585 00:36:07,083 --> 00:36:08,501 It was one of many bills that comes back 586 00:36:08,501 --> 00:36:09,999 every year. 587 00:36:10,083 --> 00:36:12,999 And so this was in the House. 588 00:36:12,999 --> 00:36:19,209 We created a CISPA is bad bill; a zombie bill that comes back. 589 00:36:19,209 --> 00:36:21,667 Last year we defeated it. 590 00:36:21,667 --> 00:36:22,999 This year in the House it had passed 591 00:36:22,999 --> 00:36:25,459 but we ran a pretty successful campaign 592 00:36:25,459 --> 00:36:29,918 with numbers we hadn't seen since the SOPA campaign. 593 00:36:29,918 --> 00:36:33,959 We had over 100,000 signatures against this bill. 594 00:36:33,999 --> 00:36:35,167 Very show out of Congressmen coming 595 00:36:35,167 --> 00:36:37,334 out against this bill. 596 00:36:37,584 --> 00:36:39,999 It was such a good showing that we were able 597 00:36:39,999 --> 00:36:43,083 to do such a good job with the help of the community that 598 00:36:43,083 --> 00:36:46,999 the Senate saw the bill, looked at a lot of our critiques and agreed 599 00:36:46,999 --> 00:36:50,876 with the massive privacy invasion that the bill had. 600 00:36:51,083 --> 00:36:53,667 They agreed it wasn't the right way to deal with online security 601 00:36:53,667 --> 00:36:56,375 or network security when it comes in the federal government 602 00:36:56,375 --> 00:36:58,459 and private companies. 603 00:36:58,792 --> 00:37:01,501 So the year kind of started out with that. 604 00:37:01,667 --> 00:37:05,542 Fortunately, they have kind of stopped pushing that, 605 00:37:05,542 --> 00:37:08,083 these types of bills. 
606 00:37:08,250 --> 00:37:10,542 So far we'll see with the recent leaks. 607 00:37:10,959 --> 00:37:14,834 And it session segued, we moved on and segued 608 00:37:14,834 --> 00:37:18,751 into Computer Fraud and Abuse Act. 609 00:37:19,375 --> 00:37:22,999 And for the past, from probably January 610 00:37:22,999 --> 00:37:26,999 until June EFF along with Stanford and CDT 611 00:37:26,999 --> 00:37:32,751 and Demand Progress has been pushing for CFAA reform especially 612 00:37:32,751 --> 00:37:35,250 in light of Aaron. 613 00:37:35,250 --> 00:37:37,999 It was a really big issue and really important to us 614 00:37:37,999 --> 00:37:40,083 and the community. 615 00:37:40,334 --> 00:37:43,999 So we have this coalition of broad left to right coalition 616 00:37:43,999 --> 00:37:47,999 and we spent many months putting the pressure on Congress, 617 00:37:47,999 --> 00:37:52,375 creating a campaign from a wide and diverse set of individuals 618 00:37:52,375 --> 00:37:56,209 to change the Computer Fraud and Abuse Act, to decrease 619 00:37:56,209 --> 00:38:00,584 the penalties in it, to clarify the law so it can't be abused 620 00:38:00,584 --> 00:38:04,626 and it's harder to be abused by the Department of Justice 621 00:38:04,626 --> 00:38:06,834 and by companies. 622 00:38:07,083 --> 00:38:11,417 To make sure that it's actually used for its original intents. 623 00:38:11,417 --> 00:38:12,999 Right now CFAA on the civil side tends 624 00:38:12,999 --> 00:38:17,792 to be used against trade secrets instead of hacking and that shouldn't 625 00:38:17,792 --> 00:38:19,542 be the case. 
626 00:38:20,501 --> 00:38:25,209 After many months, about a few weeks ago, four weeks ago, 627 00:38:25,209 --> 00:38:29,999 three or four weeks ago, Senators Lofgren, Sensenbrenner, 628 00:38:29,999 --> 00:38:34,667 Wyden introduced Aaron's Law, a law that decreases some 629 00:38:34,667 --> 00:38:40,375 of the penalties, doesn't allow the government to bootstrap multiple 630 00:38:40,375 --> 00:38:44,626 penalties to jump up the prison time and clarifies 631 00:38:44,626 --> 00:38:48,834 and incorporates the two better judicial decisions 632 00:38:48,834 --> 00:38:53,375 out there in the Ninth and Fourth Circuits. 633 00:38:54,417 --> 00:38:57,999 This is one of the major campaigns going 634 00:38:57,999 --> 00:39:02,999 on and we actually have a phone booth that we brought that 635 00:39:02,999 --> 00:39:06,834 is in the contest area that is a direct line 636 00:39:06,834 --> 00:39:11,999 to Congress so you can call up the Congressional switchboard, 637 00:39:11,999 --> 00:39:18,999 ask for your rep and give them your mind and speak to them about it. 638 00:39:18,999 --> 00:39:21,334 (Applause.) MARC JAYCOX: If anything, with the bills every year 639 00:39:21,334 --> 00:39:25,250 and how DC has been for a while but it's starting to get right in our faces, 640 00:39:25,250 --> 00:39:28,417 that it's time for the community to really push back and time 641 00:39:28,417 --> 00:39:32,667 for the community to engage with them and tell them what's up. 642 00:39:32,709 --> 00:39:35,584 And so that is one of our bigger campaigns. 643 00:39:35,584 --> 00:39:39,292 We have a pretty cool '80s phone booth that we have. 644 00:39:39,292 --> 00:39:42,999 And so I encourage you to go to the area and check it out. 645 00:39:43,083 --> 00:39:46,584 We have another thing that is part of CFAA reform 646 00:39:46,584 --> 00:39:51,083 is the security researchers letter and letter to Congress 647 00:39:51,083 --> 00:39:55,083 from the community, from DEF CON also. 
648 00:39:55,626 --> 00:40:00,250 The letter demands Congress to take up CFAA reform which increasingly 649 00:40:00,250 --> 00:40:06,584 looks like a possibility and that they are going to do it and move it. 650 00:40:06,999 --> 00:40:08,459 And it's a letter from the community and 651 00:40:08,459 --> 00:40:11,501 from security researchers pretty much pushing for Aaron's Law 652 00:40:11,501 --> 00:40:13,999 and pushing for CFAA reform. 653 00:40:15,042 --> 00:40:18,999 That's kind of what has been going on with CFAA reform and you know, 654 00:40:18,999 --> 00:40:23,042 it does look like they are listening and the campaigns have been pretty 655 00:40:23,042 --> 00:40:27,125 fantastic so far and the response from the community has been fantastic 656 00:40:27,125 --> 00:40:28,626 so far. 657 00:40:28,999 --> 00:40:30,999 It looks like they will pick it up. 658 00:40:30,999 --> 00:40:32,751 They are going to discuss it. 659 00:40:32,751 --> 00:40:35,209 There will be hearings and we'll see where it goes. 660 00:40:35,209 --> 00:40:37,250 It's something that EFF will push on for and Demand Progress 661 00:40:37,250 --> 00:40:39,999 and pushing for it in Congress. 662 00:40:40,709 --> 00:40:48,209 Coming off of that, what happened next, that was probably until June, mid June. 663 00:40:48,834 --> 00:40:52,000 What happened next was the NSA spying leaks. 664 00:40:52,209 --> 00:40:56,542 And focused around that we just have had -- there 665 00:40:56,542 --> 00:41:00,167 are over ten bills to fix this. 
666 00:41:00,584 --> 00:41:04,250 We had overnight campaigns launched, especially with the most recent, 667 00:41:04,250 --> 00:41:07,501 the first time since the leaks that Congress has had 668 00:41:07,501 --> 00:41:10,125 to speak out on this is the Amash Amendment, 669 00:41:10,125 --> 00:41:13,999 which I don't know how many people know about it, but it was 670 00:41:13,999 --> 00:41:17,959 an amendment that would defund and curtail one part of the spying, 671 00:41:17,959 --> 00:41:21,959 the use of the Patriot Act and culling that information that Kurt 672 00:41:21,959 --> 00:41:23,999 was talking about. 673 00:41:24,999 --> 00:41:29,375 And so since the leaks, pretty much what I have been doing 674 00:41:29,375 --> 00:41:32,792 is focusing on the legislation. 675 00:41:32,792 --> 00:41:37,501 The legislation deals with a variety of things from fixing section 215 so that 676 00:41:37,501 --> 00:41:39,999 this kind of bulk spying can't happen 677 00:41:39,999 --> 00:41:44,083 and doesn't happen; to fixing the -- the spying is overseen 678 00:41:44,083 --> 00:41:48,999 by the secret surveillance court called the FISA court. 679 00:41:50,959 --> 00:41:52,709 That's my preferred term. 680 00:41:52,999 --> 00:41:58,083 Some of the bills, you know, half of these ten bills deal with exposing 681 00:41:58,083 --> 00:42:02,999 the legal opinions and legal rationales that the government proposes 682 00:42:02,999 --> 00:42:07,292 to the secret court and remain top-secret. 683 00:42:07,292 --> 00:42:10,626 We don't -- this is secret law that none of us get to see. 684 00:42:10,626 --> 00:42:12,626 It's interpretations of the Fourth Amendment, 685 00:42:12,626 --> 00:42:16,751 interpretations of the statute that we haven't seen. 
686 00:42:16,751 --> 00:42:18,542 So these bills push for the transparency 687 00:42:18,542 --> 00:42:22,250 around those opinions and pure structural reform of the court, 688 00:42:22,250 --> 00:42:25,999 making sure the court right now is composed of people selected 689 00:42:25,999 --> 00:42:29,626 by the Chief Justice of the Supreme Court. 690 00:42:29,999 --> 00:42:33,959 He nominates them and confirms them. 691 00:42:33,999 --> 00:42:36,918 We have a couple of bills that push for, we are not pushing for, 692 00:42:36,918 --> 00:42:40,417 but the Senators have a couple of structural reform bills that were 693 00:42:40,417 --> 00:42:43,459 released this week and we will be blogging about shortly, 694 00:42:43,459 --> 00:42:45,751 once I get out of here. 695 00:42:46,999 --> 00:42:49,209 That's part of the NSA spying. 696 00:42:49,459 --> 00:42:52,417 Then there's the Amash Amendment that was going 697 00:42:52,417 --> 00:42:55,999 to curtail part of section 215's program. 698 00:42:56,334 --> 00:42:58,209 It's a blunt instrument. 699 00:42:58,209 --> 00:43:00,792 An amendment to the defense budget bill. 700 00:43:00,792 --> 00:43:05,083 The House has the right, they have the power of the purse. 701 00:43:05,209 --> 00:43:07,999 And so we found out -- this was an amendment that, you know, 702 00:43:07,999 --> 00:43:10,626 we had known about for a week or so. 703 00:43:10,999 --> 00:43:12,417 It was unclear. 704 00:43:12,417 --> 00:43:14,459 The House, the way the House works, the leadership decides which 705 00:43:14,459 --> 00:43:16,999 amendment gets thrown to the floor. 706 00:43:16,999 --> 00:43:19,584 We didn't know this was going to come to the floor. 707 00:43:19,999 --> 00:43:21,999 We found out about 7:00 o'clock the night 708 00:43:21,999 --> 00:43:25,209 before and overnight we had a pretty ... 709 00:43:30,125 --> 00:43:34,918 (Lost audio.) MARC JAYCOX: Impressed a whole bunch of people. 
710 00:43:36,334 --> 00:43:40,918 Overnight we pretty much created an activism campaign. 711 00:43:40,918 --> 00:43:41,999 Form a lot of support. 712 00:43:42,626 --> 00:43:45,501 The community reacted brilliantly. 713 00:43:45,918 --> 00:43:52,792 We got the best vote that we've gotten since the reauthorization of these laws. 714 00:43:52,792 --> 00:43:54,501 And it's a tremendous, a clear signal 715 00:43:54,501 --> 00:43:58,417 from Congress that we are, in my opinion it's a clear signal 716 00:43:58,417 --> 00:44:00,999 from Congress that they are very dubious 717 00:44:00,999 --> 00:44:05,999 of how section 215 is being used and they want to change it. 718 00:44:05,999 --> 00:44:10,999 That's kind of been my first, or the first six months of this year. 719 00:44:10,999 --> 00:44:13,083 It has been really fun, intense. 720 00:44:13,083 --> 00:44:15,334 That's kind of what I have been focusing on. 721 00:44:22,542 --> 00:44:25,125 (Applause.) KURT OPSAHL: All right. 722 00:44:25,125 --> 00:44:26,417 Now it's time to get your questions asked 723 00:44:26,417 --> 00:44:28,083 and answered. 724 00:44:28,584 --> 00:44:32,167 So anybody who has questions about anything we just discussed 725 00:44:32,167 --> 00:44:35,292 or other aspects of EFF's work? 726 00:44:35,292 --> 00:44:38,584 Please come to the microphone here and we 727 00:44:38,584 --> 00:44:43,375 will do our best to answer your questions. 728 00:44:43,375 --> 00:44:48,792 AUDIENCE: The FISA court seems to my mind to be a secret court, 729 00:44:48,792 --> 00:44:51,999 a tool of a police state. 730 00:44:52,584 --> 00:45:01,083 I mean, it seems like it probably has a thin justification. 731 00:45:01,083 --> 00:45:07,083 What is the justification and why can't that court be abolished in total? 732 00:45:07,083 --> 00:45:10,083 KURT OPSAHL: The question is what is the justification 733 00:45:10,083 --> 00:45:14,584 for the foreign intelligence surveillance court? 
734 00:45:15,999 --> 00:45:20,125 It was created by the Foreign Intelligence Surveillance 735 00:45:20,125 --> 00:45:24,999 Act which, oddly enough, was an attempt at reform. 736 00:45:24,999 --> 00:45:28,959 Previously there were no courts that were being involved and so 737 00:45:28,959 --> 00:45:32,292 they created the foreign intelligence surveillance 738 00:45:32,292 --> 00:45:36,209 court in order to have judges be involved. 739 00:45:36,209 --> 00:45:38,959 So in that sense it was an attempt to bring some aspects 740 00:45:38,959 --> 00:45:41,167 of the judiciary into it. 741 00:45:41,167 --> 00:45:43,125 What has happened is, as a secret court, it 742 00:45:43,125 --> 00:45:46,918 is doing secret reinterpretations of the law. 743 00:45:46,959 --> 00:45:50,876 These have gone into some very strange directions. 744 00:45:50,876 --> 00:45:53,167 I'll just give one sort of example of where this has gone 745 00:45:53,167 --> 00:45:55,999 in some very weird directions. 746 00:45:55,999 --> 00:45:59,584 So the law that allows the government or, you know, 747 00:45:59,584 --> 00:46:03,999 the government says it allows to get your phone records 748 00:46:03,999 --> 00:46:07,918 is section 215 of the Patriot Act. 749 00:46:07,918 --> 00:46:11,918 And Section 215 says amongst other things that it can get business records 750 00:46:11,918 --> 00:46:15,999 that are relevant to an authorized investigation. 751 00:46:16,459 --> 00:46:20,999 And under that secret interpretation of the law, all of the records 752 00:46:20,999 --> 00:46:24,375 of all of the people for all of the time are relevant 753 00:46:24,375 --> 00:46:27,459 to an authorized investigation. 754 00:46:27,459 --> 00:46:29,584 (Chuckles.) MARC JAYCOX: We haven't seen what that interpretation is, 755 00:46:29,584 --> 00:46:31,959 but I'm really curious to see it. 756 00:46:32,167 --> 00:46:35,959 It's going to be an amazing piece of BS, right? 
757 00:46:35,959 --> 00:46:37,918 How can you make it so that everything is -- I mean, 758 00:46:37,918 --> 00:46:41,501 relevant becomes essentially a meaningless word. 759 00:46:41,792 --> 00:46:43,334 There's no difference in that statute 760 00:46:43,334 --> 00:46:46,834 with the word relevant and without the word relevant. 761 00:46:51,375 --> 00:46:55,667 And Sensenbrenner, actually the author of that part 762 00:46:55,667 --> 00:47:01,959 of the Patriot Act agrees that is not what it was meant to say. 763 00:47:01,959 --> 00:47:04,250 That's the problem with the secret FISA court. 764 00:47:04,250 --> 00:47:09,542 AUDIENCE: Wouldn't that require 310 minimum search warrants, 765 00:47:09,542 --> 00:47:13,999 the Katz case, that can't be legal. 766 00:47:15,999 --> 00:47:18,999 The Fourth Amendment says you need a search warrant. 767 00:47:20,083 --> 00:47:22,209 310 million. 768 00:47:22,209 --> 00:47:24,083 AUDIENCE: (Speaker away from microphone.) It is true, 769 00:47:24,083 --> 00:47:27,209 illegal and unconstitutional are not the same thing, but we think 770 00:47:27,209 --> 00:47:30,751 the amendment is both illegal and unconstitutional. 771 00:47:30,751 --> 00:47:39,667 (Applause.) AUDIENCE: You talked about EFF's add-on 772 00:47:39,667 --> 00:47:45,959 for blocking tracking cookies. 773 00:47:46,999 --> 00:47:49,626 How does your approach compare to Firefox's approach 774 00:47:49,626 --> 00:47:52,459 of blocking third-party cookies by default and then having 775 00:47:52,459 --> 00:47:55,542 the cookie clearinghouse to create white lists and black lists 776 00:47:55,542 --> 00:47:57,918 based on privacy policies? 777 00:47:57,999 --> 00:47:59,417 Sure. 778 00:47:59,417 --> 00:48:06,375 So ours is not a third-party cookie blocking in general. 779 00:48:06,375 --> 00:48:08,918 How it works is, it's more like an ad blocker. 
780 00:48:08,918 --> 00:48:13,125 First of all it's not just blocking cookies, it black holes resources similar 781 00:48:13,125 --> 00:48:16,918 to the way many ad blockers work today. 782 00:48:17,083 --> 00:48:21,959 So if you look at kind of the spectrum there's blocking based 783 00:48:21,959 --> 00:48:26,999 on very general metrics, like block all third-party cookies. 784 00:48:26,999 --> 00:48:29,083 Then there's, here is a list of particular resources you 785 00:48:29,083 --> 00:48:30,792 should block. 786 00:48:30,792 --> 00:48:32,999 We are trying to find somewhere in the middle. 787 00:48:33,542 --> 00:48:35,292 We think both of those approaches are valuable 788 00:48:35,292 --> 00:48:38,459 and users should install an ad blocker and disable third-party 789 00:48:38,459 --> 00:48:40,792 cookies in their browser. 790 00:48:41,083 --> 00:48:44,375 But in addition we wanted to add to that by having 791 00:48:44,375 --> 00:48:48,667 in middle area where it is sort of functioning like an ad blocker 792 00:48:48,667 --> 00:48:52,834 except as you browse around it is dynamically updating the list 793 00:48:52,834 --> 00:48:56,334 of resources that should be black holed. 794 00:48:56,334 --> 00:48:58,250 So I hope that answers the question. 795 00:48:58,250 --> 00:49:00,125 AUDIENCE: Yes, thank you. 796 00:49:00,501 --> 00:49:03,501 AUDIENCE: Hi. 797 00:49:03,876 --> 00:49:06,292 I also wanted to ask about the marketing firms, 798 00:49:06,292 --> 00:49:12,334 like private sector marketing firms and nonconsensual tracking piece of it. 799 00:49:12,542 --> 00:49:14,999 You hear stories about people browsing 800 00:49:14,999 --> 00:49:19,542 for baby stuff and getting catalog for maternity things two weeks later 801 00:49:19,542 --> 00:49:24,125 or marketing that looks where your mouse goes, and so on. 
802 00:49:24,334 --> 00:49:26,876 My question is: How bad are the capabilities 803 00:49:26,876 --> 00:49:31,959 of these private sector marketing firms in the first place and secondarily are 804 00:49:31,959 --> 00:49:36,083 they subscribed to by governments in order to turn that metadata 805 00:49:36,083 --> 00:49:39,209 into uniquely identifiable data? 806 00:49:39,459 --> 00:49:41,751 Those are great questions and the short answer is, 807 00:49:41,751 --> 00:49:43,834 we don't really know. 808 00:49:43,999 --> 00:49:47,959 We don't know too much about whether the government has 809 00:49:47,959 --> 00:49:50,250 gone to these firms to request data 810 00:49:50,250 --> 00:49:53,709 because those requests are secret. 811 00:49:53,999 --> 00:49:57,250 Some companies are starting to publish transparency reports. 812 00:49:57,334 --> 00:50:00,999 These are generally the larger tech companies that have 813 00:50:00,999 --> 00:50:04,918 first party presence like Google and Facebook and Microsoft 814 00:50:04,918 --> 00:50:06,626 and Twitter. 815 00:50:06,709 --> 00:50:12,999 But not the invisible third-party ad companies that you've never heard of. 816 00:50:12,999 --> 00:50:16,417 So we don't really know what data is being requested of them. 817 00:50:16,417 --> 00:50:21,542 As far as what abilities they have, also it's hard to know. 818 00:50:21,542 --> 00:50:22,334 I think there's a lot of data that gets passed 819 00:50:22,334 --> 00:50:24,250 around in the background. 820 00:50:24,250 --> 00:50:26,334 Right now it's the wild west. 821 00:50:26,334 --> 00:50:28,834 There's just no rules about what you can do or can't do 822 00:50:28,834 --> 00:50:30,709 with user data. 823 00:50:31,292 --> 00:50:34,250 So it is probably safe to assume that 824 00:50:34,250 --> 00:50:37,999 a browsing history associated with a pseudonym 825 00:50:37,999 --> 00:50:41,918 is in the hands of many companies. 
826 00:50:41,999 --> 00:50:45,999 If you -- corresponding to you if you're browsing around the Web. 827 00:50:45,999 --> 00:50:48,167 That's kind of a half answer. 828 00:50:48,167 --> 00:50:51,125 That's the closest we get to really knowing. 829 00:50:51,125 --> 00:50:53,375 I want to add on to that, one of the aspects of this 830 00:50:53,375 --> 00:50:56,709 is data broker companies, commercial companies that collect 831 00:50:56,709 --> 00:50:59,792 information from a variety of sources and repackage that 832 00:50:59,792 --> 00:51:02,999 and make it available for commercial sale. 833 00:51:03,501 --> 00:51:06,083 I think that you should basically rest assured that 834 00:51:06,083 --> 00:51:10,999 the government has purchased subscriptions to these services. 835 00:51:10,999 --> 00:51:14,292 I can say that there has been some FOIA work done 836 00:51:14,292 --> 00:51:20,375 by the EPIC that confirms that, confirmed that several years ago. 837 00:51:20,375 --> 00:51:21,834 AUDIENCE: Thank you. 838 00:51:22,792 --> 00:51:24,876 AUDIENCE: Kind of a two part question 839 00:51:24,876 --> 00:51:28,375 about Computer Assistance for Law Enforcement Act? 840 00:51:30,584 --> 00:51:34,999 Yeah, I wrote an article earlier this year, foolishly, which 841 00:51:34,999 --> 00:51:38,083 the title inferred that the FBI was planning 842 00:51:38,083 --> 00:51:42,792 on surveilling our realtime online communications. 843 00:51:42,999 --> 00:51:47,209 That was before the NSA revelations. 844 00:51:47,501 --> 00:51:53,083 So the two-part question is: One, is CALEA receiving enough, I guess, 845 00:51:53,083 --> 00:51:56,167 awareness from the public? 846 00:51:56,167 --> 00:51:57,334 Is that still a threat? 847 00:51:57,334 --> 00:52:01,375 And I know that the FBI made some statements 848 00:52:01,375 --> 00:52:03,999 several times. 
849 00:52:03,999 --> 00:52:07,999 One of their previous legal counsels in a course earlier this year 850 00:52:07,999 --> 00:52:12,209 to expand CALEA to allow for online surveillance as well 851 00:52:12,209 --> 00:52:17,250 as extending the privileges to local law enforcement. 852 00:52:17,834 --> 00:52:21,626 And then the second part of the question is, 853 00:52:21,626 --> 00:52:25,083 concerning jurisdiction, if for instance 854 00:52:25,083 --> 00:52:31,334 a local law enforcement agency had permission to do surveillance online, 855 00:52:31,334 --> 00:52:35,999 how exactly do you think that would work? 856 00:52:35,999 --> 00:52:39,334 Obviously it's difficult for them to identify where the person 857 00:52:39,334 --> 00:52:43,334 is when they are doing online surveillance. 858 00:52:43,334 --> 00:52:46,792 I see that kind of as the equivalent of someone 859 00:52:46,792 --> 00:52:51,167 from Las Vegas police department coming to my home and 860 00:52:51,167 --> 00:52:55,999 in a different state and performing a search. 861 00:52:55,999 --> 00:52:59,999 So I'll just answer as to if CALEA is still a threat. 862 00:53:00,459 --> 00:53:05,459 And then Kurt and Marcia and Eva can tackle the other part. 863 00:53:05,459 --> 00:53:06,459 Perfect. 864 00:53:06,459 --> 00:53:09,999 So the answer is yes, definitely. 865 00:53:09,999 --> 00:53:13,792 But what we've seen is the government become very reticent 866 00:53:13,792 --> 00:53:17,125 and nervous about discussing CALEA or discussing 867 00:53:17,125 --> 00:53:20,999 even -- I'll jump back to the online security bills, 868 00:53:20,999 --> 00:53:23,834 the cyber security bills. 869 00:53:23,834 --> 00:53:26,542 They have been nervous because it's completely outlandish 870 00:53:26,542 --> 00:53:29,083 for them to push such bills when we sometime 871 00:53:29,083 --> 00:53:32,999 don't know what is going on with the surveillance. 
872 00:53:32,999 --> 00:53:34,626 We sometime don't know what is going on with how they use 873 00:53:34,626 --> 00:53:36,792 the FISA, Foreign Intelligence Security Act Court 874 00:53:36,792 --> 00:53:38,667 and things like that. 875 00:53:38,999 --> 00:53:42,626 It is very much a threat and it's something that we 876 00:53:42,626 --> 00:53:47,083 as a community, we as EFF have to keep our toes on. 877 00:53:47,209 --> 00:53:50,375 The second we fall asleep or the second we miss something, 878 00:53:50,375 --> 00:53:54,999 they may try to slip it in or try to continue to push it. 879 00:53:54,999 --> 00:53:57,999 For now I don't think -- for now, at least for short-term, next month 880 00:53:57,999 --> 00:54:00,999 or two, I don't think it is a threat. 881 00:54:00,999 --> 00:54:02,667 Definitely medium to long-term it is something that 882 00:54:02,667 --> 00:54:06,542 they have been very vocal about and something to watch for. 883 00:54:06,542 --> 00:54:12,999 And I really hope that we don't have to go through another Crypto war. 884 00:54:12,999 --> 00:54:15,501 I want to add in terms of like extending those abilities 885 00:54:15,501 --> 00:54:19,334 down to local law enforcement, the first time that was discussed 886 00:54:19,334 --> 00:54:23,375 with their legal counsel in front of the subcommittee and Congress, 887 00:54:23,375 --> 00:54:27,083 the two examples they brought up were the importation of drugs 888 00:54:27,083 --> 00:54:32,083 and like child pornography which are not national security issues. 889 00:54:32,292 --> 00:54:38,375 MARCIA HOFFMANN: To be clear for everybody here, CALEA does not 890 00:54:38,375 --> 00:54:45,083 at this time include the ability to wiretap the Internet. 
891 00:54:45,083 --> 00:54:47,542 And there has actually been a lot of questions 892 00:54:47,542 --> 00:54:50,709 about whether or not this includes Skype, which 893 00:54:50,709 --> 00:54:54,999 is a Voice over IP service and it is used by hundreds of millions 894 00:54:54,999 --> 00:54:57,876 of people all over the world. 895 00:54:58,083 --> 00:55:02,250 Until fairly recently, until a couple of years ago Skype was 896 00:55:02,250 --> 00:55:05,209 a European-based company. 897 00:55:05,250 --> 00:55:09,083 Therefore, it was not even potentially coming under CALEA 898 00:55:09,083 --> 00:55:13,417 because it was out of CALEA's jurisdiction. 899 00:55:13,417 --> 00:55:15,999 But when Skype was purchased by Microsoft, 900 00:55:15,999 --> 00:55:20,667 suddenly there were questions about whether or not Skype would be 901 00:55:20,667 --> 00:55:25,083 required to include sort of back door wiretapping capabilities 902 00:55:25,083 --> 00:55:29,834 in order to comply with law enforcement requests. 903 00:55:30,083 --> 00:55:34,792 In order to clarify this, EFF was part of a coalition of individuals 904 00:55:34,792 --> 00:55:38,709 and NGOs that wrote a letter to Microsoft requesting 905 00:55:38,709 --> 00:55:41,999 a transparency report on Skype, saying: Hey, 906 00:55:41,999 --> 00:55:46,125 if you could just clarify whether or not you are tapping 907 00:55:46,125 --> 00:55:49,959 hundreds of millions of users' Voice over IP phone 908 00:55:49,959 --> 00:55:54,501 communications, we would really appreciate that. 909 00:55:54,751 --> 00:55:57,792 So in a very gratifying moment Microsoft 910 00:55:57,792 --> 00:56:00,250 did us one better. 911 00:56:00,250 --> 00:56:02,626 A few months later they came out with a transparency report 912 00:56:02,626 --> 00:56:05,999 for all of their products, including Skype. 
913 00:56:05,999 --> 00:56:08,918 If you take a look at Microsoft's transparency report 914 00:56:08,918 --> 00:56:13,999 for Skype it says we have never given up any phone calls, any content data, 915 00:56:13,999 --> 00:56:17,792 anything to the governments in response to a request, 916 00:56:17,792 --> 00:56:19,999 to any government. 917 00:56:21,209 --> 00:56:26,083 Then the Snowden revelations came around and we started looking 918 00:56:26,083 --> 00:56:31,999 at the Prism slides which included Skype as a source of content. 919 00:56:31,999 --> 00:56:34,999 And a lot of the other Snowden revelations have 920 00:56:34,999 --> 00:56:39,459 seriously implied or outright stated at one point or another 921 00:56:39,459 --> 00:56:44,584 the NSA has had the ability to tap Skype communications. 922 00:56:44,584 --> 00:56:46,375 So I think that Microsoft and Skype have a great deal 923 00:56:46,375 --> 00:56:48,292 of explaining to do. 924 00:56:48,292 --> 00:56:50,751 It's unclear the extent to which the NSA is capable 925 00:56:50,751 --> 00:56:54,083 of eavesdropping on Skype communications. 926 00:56:54,626 --> 00:56:57,083 One of the things that does appear to be clear, 927 00:56:57,083 --> 00:57:01,999 they are probably not doing it under the auspices of CALEA. 928 00:57:02,375 --> 00:57:05,626 They have a different legal justification for doing this. 929 00:57:05,834 --> 00:57:09,751 But it could very well be happening and we are very interested 930 00:57:09,751 --> 00:57:14,292 in learning just what the extent of that eavesdropping is. 931 00:57:14,292 --> 00:57:17,459 And whether or not Microsoft or Skype were really capable 932 00:57:17,459 --> 00:57:20,918 of telling us that it was going on. 933 00:57:21,209 --> 00:57:26,250 I want to briefly address the jurisdictional questions. 
934 00:57:26,250 --> 00:57:28,834 CALEA is mostly about requiring service providers 935 00:57:28,834 --> 00:57:33,501 to have tap-ability, like the ability for law enforcement to be able 936 00:57:33,501 --> 00:57:37,751 to get telecommunications that went over them. 937 00:57:37,751 --> 00:57:40,792 But where are they getting the authority to do 938 00:57:40,792 --> 00:57:44,709 the wiretap comes from other sources. 939 00:57:44,709 --> 00:57:48,334 You have like the wiretap, some kind of information would be attained 940 00:57:48,334 --> 00:57:53,250 through a warrant that is obtained through the Wiretap Act. 941 00:57:53,709 --> 00:57:56,375 If they are going through foreign intelligence 942 00:57:56,375 --> 00:58:00,083 surveillance court there are processes there. 943 00:58:00,083 --> 00:58:02,999 I guess the jurisdictional question was sort 944 00:58:02,999 --> 00:58:06,999 of about their desire to sort of extend these realtime surveillance 945 00:58:06,999 --> 00:58:10,125 powers down to local law enforcement. 946 00:58:10,125 --> 00:58:11,292 Well, local law enforcement has 947 00:58:11,292 --> 00:58:13,167 wiretap powers. 948 00:58:13,292 --> 00:58:16,792 If they go to court and get an appropriate court order, 949 00:58:16,792 --> 00:58:20,292 local law enforcement can do tapping. 950 00:58:20,292 --> 00:58:21,292 AUDIENCE: Okay. 951 00:58:21,292 --> 00:58:23,751 MARCIA HOFFMANN: Just not on the Internet. 952 00:58:23,751 --> 00:58:25,334 Is not under CALEA. 953 00:58:25,334 --> 00:58:26,334 Also. 954 00:58:26,334 --> 00:58:28,626 And thank you for Weev and bringing that up. 955 00:58:28,626 --> 00:58:33,167 AUDIENCE: So my question is, we all get to go home at the end 956 00:58:33,167 --> 00:58:37,125 of this and go back to our families. 957 00:58:37,334 --> 00:58:40,083 But the guy who started this whole conversation is locked 958 00:58:40,083 --> 00:58:42,501 in an airport terminal. 959 00:58:42,501 --> 00:58:43,834 He's out now. 
960 00:58:43,834 --> 00:58:44,667 AUDIENCE: Okay, I haven't seen a newspaper 961 00:58:44,667 --> 00:58:46,751 in Vegas since I got here. 962 00:58:48,083 --> 00:58:49,999 How can we help him? 963 00:58:49,999 --> 00:58:55,417 He is stuck in Russia where the food is notoriously bad. 964 00:58:57,083 --> 00:58:58,667 Borscht? 965 00:58:58,667 --> 00:59:02,959 In terms of the news, the Russians granted him 966 00:59:02,959 --> 00:59:05,626 one-year asylum. 967 00:59:05,918 --> 00:59:08,999 He is no longer in the airport. 968 00:59:11,999 --> 00:59:14,999 (Applause.) We just applauded the Russians. 969 00:59:16,876 --> 00:59:18,459 Don't be fooled. 970 00:59:18,459 --> 00:59:21,250 The Putin government is not a wonderful government. 971 00:59:21,250 --> 00:59:24,083 They are authoritarian and done terrible things. 972 00:59:24,083 --> 00:59:25,999 Especially with the Internet. 973 00:59:26,083 --> 00:59:28,209 This is part of a global power play 974 00:59:28,209 --> 00:59:31,292 between the United States and Russia. 975 00:59:31,792 --> 00:59:35,501 It just sort of happened, how it happened to play out here. 976 00:59:35,501 --> 00:59:37,959 One of the things that is very important about this, 977 00:59:37,959 --> 00:59:42,167 what we are trying to do especially with some of the work that we are doing 978 00:59:42,167 --> 00:59:45,709 with filing a new lawsuit, pushing forward with that, going 979 00:59:45,709 --> 00:59:48,250 to Congress, trying to get better legislation 980 00:59:48,250 --> 00:59:52,250 is take advantage of what Snowden has put out there. 981 00:59:52,792 --> 00:59:54,792 He put this information out there. 982 00:59:55,125 --> 00:59:58,250 Not for himself but for all of you so people could find 983 00:59:58,250 --> 01:00:02,459 out what was going on and what we can do with it. 984 01:00:02,459 --> 01:00:04,167 So we have all this information. 985 01:00:04,167 --> 01:00:05,167 Study it. 986 01:00:05,167 --> 01:00:06,167 Figure it out. 
987 01:00:06,167 --> 01:00:07,542 Figure out what is going on and see what we can do 988 01:00:07,542 --> 01:00:10,999 to stop illegal and unconstitutional surveillance. 989 01:00:16,375 --> 01:00:19,792 (Applause.) AUDIENCE: So on the topic of Snowden and Weev 990 01:00:19,792 --> 01:00:22,083 and others, what are the federal definitions 991 01:00:22,083 --> 01:00:24,125 of whistle blowers. 992 01:00:24,125 --> 01:00:25,709 How does the government get around that in order 993 01:00:25,709 --> 01:00:28,999 to prosecute someone in a civil or criminal case. 994 01:00:28,999 --> 01:00:31,083 What protections do we have? 995 01:00:31,209 --> 01:00:35,876 (Some applause.) So whistle blower law is primarily, 996 01:00:35,876 --> 01:00:41,334 the whistle blower laws are designed to protect people who go 997 01:00:41,334 --> 01:00:45,501 to the government to whistle blow. 998 01:00:45,626 --> 01:00:47,999 (Laughter.) : So what the government's position on this 999 01:00:47,999 --> 01:00:49,999 is actually, yeah, you should have gone 1000 01:00:49,999 --> 01:00:52,999 to your supervisor at the NSA and told them all about it and 1001 01:00:52,999 --> 01:00:56,292 they will take it up the appropriate channels. 1002 01:00:56,918 --> 01:00:58,751 (Chuckles.) And some people have tried 1003 01:00:58,751 --> 01:01:02,083 to do this and have not gotten responses. 1004 01:01:02,083 --> 01:01:04,167 There actually may be a lot of people who are part 1005 01:01:04,167 --> 01:01:08,083 of the system who have gone through the existing whistle blowers, 1006 01:01:08,083 --> 01:01:12,999 talked to the inspectors general, talked to appropriate people. 1007 01:01:12,999 --> 01:01:14,083 Of course, we never found out about it 1008 01:01:14,083 --> 01:01:17,709 because the people upstream just ended the inquiry. 
1009 01:01:18,083 --> 01:01:21,999 So unfortunately, the protections for whistle blowers who are whistle 1010 01:01:21,999 --> 01:01:25,751 blowing to the press and to the public are not very robust 1011 01:01:25,751 --> 01:01:28,999 in the laws because a lot of the times the government 1012 01:01:28,999 --> 01:01:32,999 is not that keen on things coming out that way. 1013 01:01:33,083 --> 01:01:35,667 There are a number of good organizations that focus 1014 01:01:35,667 --> 01:01:38,083 on whistle blowers, whistleblowers.org and 1015 01:01:38,083 --> 01:01:42,250 the government accountability project focus on people who are interested 1016 01:01:42,250 --> 01:01:44,667 in blowing the whistle. 1017 01:01:44,999 --> 01:01:47,709 If you know someone who has information and wants to blow 1018 01:01:47,709 --> 01:01:49,999 the whistle on it, those are really good resources 1019 01:01:49,999 --> 01:01:51,501 for them. 1020 01:01:51,501 --> 01:01:55,667 AUDIENCE: Then on the topic of CFAA and Booz Allen and other very 1021 01:01:55,667 --> 01:01:59,667 interesting curious government contractors. 1022 01:01:59,667 --> 01:02:02,542 So when you would end up like breaking into something that 1023 01:02:02,542 --> 01:02:06,584 is owned publicly and that's clearly in violation of intended access, 1024 01:02:06,584 --> 01:02:09,667 does that mean that the people that would be working 1025 01:02:09,667 --> 01:02:12,999 for the government to build stuff like that are actually 1026 01:02:12,999 --> 01:02:15,083 committing felonies? 1027 01:02:15,375 --> 01:02:18,999 Are they at risk to get prosecuted by that if, for example, they blow 1028 01:02:18,999 --> 01:02:21,459 the whistle on something? 1029 01:02:21,459 --> 01:02:25,999 If you install a root killing device and intended to go to China 1030 01:02:25,999 --> 01:02:31,918 but are jail breaking a device to add different firmware -- Let me 1031 01:02:31,918 --> 01:02:34,751 see if I can try this. 
1032 01:02:34,751 --> 01:02:37,584 I'm not sure about your question but see if I can rephrase it or see 1033 01:02:37,584 --> 01:02:39,918 if I can understand it. 1034 01:02:39,918 --> 01:02:42,667 Talking about somebody working for the government and in the course 1035 01:02:42,667 --> 01:02:45,959 of their work for the government they get access to a device 1036 01:02:45,959 --> 01:02:48,375 or exceed authorized access? 1037 01:02:48,375 --> 01:02:49,375 AUDIENCE: Yes. 1038 01:02:49,876 --> 01:02:52,999 : So if they are doing so lawfully, that is to say pursuant 1039 01:02:52,999 --> 01:02:57,584 to a warrant that authorizes the access, that's one story. 1040 01:02:57,584 --> 01:03:00,626 And if they are doing it unlawfully which is to say because it 1041 01:03:00,626 --> 01:03:04,792 is exceeding what they are allowed to do under the constitution, it 1042 01:03:04,792 --> 01:03:06,999 is a different story. 1043 01:03:07,334 --> 01:03:08,999 It would be illegal. 1044 01:03:08,999 --> 01:03:12,999 In some circumstances you can prosecute government officials who 1045 01:03:12,999 --> 01:03:15,626 exceed their authority. 1046 01:03:15,626 --> 01:03:19,667 But the law is actually fairly friendly to law enforcement officials who 1047 01:03:19,667 --> 01:03:22,709 overstep bounds and it is sort of, it comes 1048 01:03:22,709 --> 01:03:26,417 down to whether you are exceeding a clearly established 1049 01:03:26,417 --> 01:03:28,959 constitutional right. 1050 01:03:28,959 --> 01:03:29,999 If it's the first time the courts are dealing 1051 01:03:29,999 --> 01:03:32,751 with a question there's a bit of a pass. 1052 01:03:32,751 --> 01:03:36,999 There's a question of whether it was intentional misuse. 1053 01:03:37,999 --> 01:03:41,417 It is fairly rare for a government official who exceeds 1054 01:03:41,417 --> 01:03:45,751 their authority in a manner that the government wanted them to do 1055 01:03:45,751 --> 01:03:47,959 to get prosecuted. 
1056 01:03:47,959 --> 01:03:49,125 If someone exceeds their authority in a way that 1057 01:03:49,125 --> 01:03:53,167 the government didn't want them to do, they are at risk of being prosecuted. 1058 01:03:53,167 --> 01:03:54,999 AUDIENCE: I'm thinking of government contractors, 1059 01:03:54,999 --> 01:03:58,250 people who are not government officials but still deal with stuff that 1060 01:03:58,250 --> 01:04:00,417 the government purchases. 1061 01:04:00,999 --> 01:04:09,999 I think there are less protections. 1062 01:04:09,999 --> 01:04:13,999 But if they are doing it pursuant to lawfully authorized warrant, 1063 01:04:13,999 --> 01:04:17,709 then that should provide protection. 1064 01:04:17,709 --> 01:04:19,751 There's a lot of things in the law where it says good faith 1065 01:04:19,751 --> 01:04:22,125 compliance with a lawfully authorized warrant can 1066 01:04:22,125 --> 01:04:23,999 be protected. 1067 01:04:23,999 --> 01:04:26,584 If someone is not acting in good faith, if they are doing something 1068 01:04:26,584 --> 01:04:28,999 they know is illegal, it may be something that 1069 01:04:28,999 --> 01:04:30,999 they can go forward. 1070 01:04:31,083 --> 01:04:36,542 It's unlikely that Booz Allen find itself indicted or prosecuted for that. 1071 01:04:36,542 --> 01:04:39,167 I will say that the CFAA has an exception 1072 01:04:39,167 --> 01:04:44,959 for any lawfully authorized investigative protective or intelligence activity 1073 01:04:44,959 --> 01:04:48,626 of a law enforcement agency of the United States or 1074 01:04:48,626 --> 01:04:53,083 of any intelligence agency of the United States. 1075 01:04:53,167 --> 01:04:56,250 So particularly to the extent that a private contractor 1076 01:04:56,250 --> 01:05:00,459 is doing work on behalf of the government in that vein, I think, 1077 01:05:00,459 --> 01:05:03,876 you know, the statute pretty clearly wouldn't apply 1078 01:05:03,876 --> 01:05:05,250 to them. 
1079 01:05:05,250 --> 01:05:06,250 AUDIENCE: Okay. 1080 01:05:06,375 --> 01:05:07,375 Thank you very much. 1081 01:05:08,999 --> 01:05:11,083 AUDIENCE: First I want to say thanks. 1082 01:05:11,083 --> 01:05:12,999 I appreciate everything the EFF is doing to protect our rights, 1083 01:05:12,999 --> 01:05:15,292 that we supposedly already have. 1084 01:05:20,999 --> 01:05:23,167 (Applause.) AUDIENCE: I want to continue in the vein 1085 01:05:23,167 --> 01:05:24,999 of whistle blowers. 1086 01:05:25,083 --> 01:05:28,999 How can grassroots or legislative reform help to protect leakers 1087 01:05:28,999 --> 01:05:31,167 and whistle blowers. 1088 01:05:31,792 --> 01:05:35,375 If you study history you see that governments are always prone 1089 01:05:35,375 --> 01:05:37,459 to abuse and to becoming oppressive 1090 01:05:37,459 --> 01:05:39,542 at various points. 1091 01:05:39,709 --> 01:05:42,334 We need leakers and whistle blowers like Snowden. 1092 01:05:42,834 --> 01:05:46,999 How can we as an Internet savvy community solve 1093 01:05:46,999 --> 01:05:54,542 that bigger problem of protecting, like with the Pentagon Papers. 1094 01:05:54,542 --> 01:05:56,542 You know, restoring some of those protections to leakers 1095 01:05:56,542 --> 01:05:58,501 and whistle blowers. 1096 01:06:03,292 --> 01:06:05,209 On the legislative stuff? 1097 01:06:06,584 --> 01:06:09,999 In general there are a couple of things out there. 1098 01:06:09,999 --> 01:06:14,584 I mean, there's an attempt to get a federal reporter shield law. 1099 01:06:14,959 --> 01:06:19,250 Now, this gets at the problem in a little bit of a different direction, 1100 01:06:19,250 --> 01:06:22,918 which is to say it protects journalists from having 1101 01:06:22,918 --> 01:06:26,209 to disclose who their sources were. 1102 01:06:26,209 --> 01:06:30,083 So that if somebody goes in confidence to a journalist and says, 1103 01:06:30,083 --> 01:06:34,292 you know, here is the evidence of wrongdoing. 
1104 01:06:34,626 --> 01:06:37,584 The government says okay, who gave that to you? 1105 01:06:37,584 --> 01:06:39,584 If there were a federal shield law they would say I'm protected 1106 01:06:39,584 --> 01:06:41,334 by the shield law. 1107 01:06:41,334 --> 01:06:44,334 I don't have to disclose who my source is. 1108 01:06:44,334 --> 01:06:47,375 A lot of states have shield laws. 1109 01:06:47,501 --> 01:06:49,999 Some of them are very protective. 1110 01:06:49,999 --> 01:06:51,999 Some of them are modestly protective. 1111 01:06:52,083 --> 01:06:54,999 There is no federal shield law. 1112 01:06:55,125 --> 01:06:57,250 Then also there's the First Amendment 1113 01:06:57,250 --> 01:07:01,999 and its protections for freedom of speech and freedom of the press 1114 01:07:01,999 --> 01:07:05,334 and how that has shaken out in the courts is that 1115 01:07:05,334 --> 01:07:10,250 on the whole there are protections for having reporters having to give 1116 01:07:10,250 --> 01:07:13,083 up their sources but they can be overcome 1117 01:07:13,083 --> 01:07:17,751 by a sufficient showing of need by the government. 1118 01:07:17,751 --> 01:07:18,417 The government has tried to get this information 1119 01:07:18,417 --> 01:07:20,501 from other sources and failed. 1120 01:07:20,876 --> 01:07:25,999 And so the only thing to do would be to use impact litigation in a court 1121 01:07:25,999 --> 01:07:30,417 and try to show a court that the First Amendment does apply and 1122 01:07:30,417 --> 01:07:35,542 to give greater protections because, you know, there's a quote from one 1123 01:07:35,542 --> 01:07:40,250 of the founders of this country, and I'm going to badly paraphrase, 1124 01:07:40,250 --> 01:07:43,083 but a popular government without access 1125 01:07:43,083 --> 01:07:47,459 to popular information is but a prelude to a farce or tragedy 1126 01:07:47,459 --> 01:07:49,459 or maybe both. 
1127 01:07:49,792 --> 01:07:51,999 What it is meant by that, if you are going to have 1128 01:07:51,999 --> 01:07:55,542 a democracy where people are voting about the representatives and 1129 01:07:55,542 --> 01:07:59,083 the representatives are voting on the laws, but we don't know what 1130 01:07:59,083 --> 01:08:01,209 is really going on or don't have access 1131 01:08:01,209 --> 01:08:04,083 to full information, it is a farce. 1132 01:08:04,459 --> 01:08:06,167 We are not able to have a functioning democracy 1133 01:08:06,167 --> 01:08:09,918 without a good amount of information and transparency. 1134 01:08:10,209 --> 01:08:14,209 I just wanted to add one quick thing, which is that one 1135 01:08:14,209 --> 01:08:18,999 of the reasons why EFF is made up of activists, technologists 1136 01:08:18,999 --> 01:08:24,542 and lawyers is that sometimes the answer is not litigation. 1137 01:08:24,542 --> 01:08:26,584 Or legislation. 1138 01:08:26,584 --> 01:08:28,667 Sometimes the answer is technology. 1139 01:08:28,667 --> 01:08:31,334 And one of the strongest protections that we can offer to whistle blowers 1140 01:08:31,334 --> 01:08:33,375 is strong encryption. 1141 01:08:39,542 --> 01:08:42,709 (Applause.) If I could add a most basic level, something 1142 01:08:42,709 --> 01:08:46,083 all of us can do is get in touch with our elected representatives 1143 01:08:46,083 --> 01:08:50,209 and tell them that this is something we consider important. 1144 01:08:50,209 --> 01:08:53,834 This is an area where unfortunately for those of us who care 1145 01:08:53,834 --> 01:08:57,250 about technology, phone calls are better than e-mail 1146 01:08:57,250 --> 01:09:01,209 and personal visits to a member's office are better still, 1147 01:09:01,209 --> 01:09:03,292 but they listen. 1148 01:09:03,292 --> 01:09:06,751 And on some level that one constituent took the time to come 1149 01:09:06,751 --> 01:09:11,292 in and tell them how important this issue is to them. 
1150 01:09:11,292 --> 01:09:14,999 They see that as representative of thousands of constituents. 1151 01:09:16,292 --> 01:09:18,125 AUDIENCE: Hi. 1152 01:09:18,250 --> 01:09:21,999 Regarding technology patent trolls, a much less important issue than 1153 01:09:21,999 --> 01:09:25,626 a lot of the civil liberties discussions, but can you discuss 1154 01:09:25,626 --> 01:09:28,876 the current situation with the trolls owning the idea 1155 01:09:28,876 --> 01:09:32,751 of podcasting and podcast protocols and where that stands legally 1156 01:09:32,751 --> 01:09:34,250 right now? 1157 01:09:37,999 --> 01:09:42,125 I am not the staff patent expert. 1158 01:09:42,125 --> 01:09:45,999 We have two of them, but this was 1159 01:09:45,999 --> 01:09:51,876 a person who created a pre-Internet audio 1160 01:09:51,876 --> 01:09:55,918 distribution company. 1161 01:09:55,999 --> 01:09:57,417 The idea was it had something to do 1162 01:09:57,417 --> 01:10:00,999 with sending -- AUDIENCE: Audio programs. 1163 01:10:00,999 --> 01:10:05,459 Recording programs on cassette tape to subscribers 1164 01:10:05,459 --> 01:10:12,501 in sort of a, an early version of Netflix mailing DVDs and this was 1165 01:10:12,501 --> 01:10:18,000 in the mid '90s before there was podcasting. 1166 01:10:19,167 --> 01:10:25,501 My understanding is that there may be some examples. 1167 01:10:25,501 --> 01:10:27,459 In patent law this is known as prior art. 1168 01:10:27,459 --> 01:10:30,375 This is evidence that something was invented 1169 01:10:30,375 --> 01:10:35,876 before the patent owner claims to have invented it. 1170 01:10:35,918 --> 01:10:38,751 In other words, their invention was not in fact new. 1171 01:10:38,999 --> 01:10:42,999 My understanding is there may be some prior art 1172 01:10:42,999 --> 01:10:47,751 for podcasting for the ideas that this gentleman 1173 01:10:47,751 --> 01:10:49,959 is claiming. 
1174 01:10:49,999 --> 01:10:54,626 And if that's so, we may be able to get the patent office 1175 01:10:54,626 --> 01:10:58,999 to nullify that patent, which would probably end 1176 01:10:58,999 --> 01:11:02,667 the lawsuits and the threats. 1177 01:11:02,999 --> 01:11:04,417 That's what we are pursuing. 1178 01:11:04,417 --> 01:11:06,083 AUDIENCE: Good luck with that. 1179 01:11:06,083 --> 01:11:07,999 Do you have a list of prior arts ... 1180 01:11:07,999 --> 01:11:10,459 (Speaker away from microphone.) Well, 1181 01:11:10,459 --> 01:11:14,459 there's Trolling Effects, which is on the particular thing, 1182 01:11:14,459 --> 01:11:17,083 the podcasting patent. 1183 01:11:17,459 --> 01:11:20,834 There is a method we are trying to gather information 1184 01:11:20,834 --> 01:11:23,918 about prior art that's out there. 1185 01:11:23,918 --> 01:11:26,999 I don't remember, but basically if you look through our blog posts 1186 01:11:26,999 --> 01:11:30,999 and see the ones about this, it will give you how you can submit prior 1187 01:11:30,999 --> 01:11:33,375 art that you're aware of. 1188 01:11:33,417 --> 01:11:39,083 Basically things from the early to mid '90s would be particularly useful. 1189 01:11:39,083 --> 01:11:40,501 It was like the patent was issued slightly 1190 01:11:40,501 --> 01:11:43,167 before the Internet Archive started gathering things, 1191 01:11:43,167 --> 01:11:46,083 which has made it a little bit more difficult to look back 1192 01:11:46,083 --> 01:11:48,334 at some of the history. 1193 01:11:48,417 --> 01:11:52,167 We still have found some so far and are gathering more. 1194 01:11:52,417 --> 01:11:54,834 The other site that we maintain on that subject, 1195 01:11:54,834 --> 01:11:59,250 and I think it might be obvious, is called defendinnovation.org. 1196 01:11:59,417 --> 01:12:03,999 AUDIENCE: I have two questions. 
1197 01:12:03,999 --> 01:12:06,083 One is if you guys might be able to talk 1198 01:12:06,083 --> 01:12:11,292 about a recent court ruling talking about local law enforcement not being 1199 01:12:11,292 --> 01:12:16,209 required to have a warrant to track cell phone location. 1200 01:12:16,334 --> 01:12:19,709 That's just recently come up. 1201 01:12:19,709 --> 01:12:21,292 Maybe the reasoning behind that. 1202 01:12:23,083 --> 01:12:27,459 And then the second part, the second question I've got 1203 01:12:27,459 --> 01:12:30,125 is anything on drones. 1204 01:12:30,125 --> 01:12:31,709 You guys published any list? 1205 01:12:31,918 --> 01:12:34,999 I hadn't heard anything about it and I was kind of surprised. 1206 01:12:34,999 --> 01:12:36,959 All right. 1207 01:12:36,959 --> 01:12:39,459 So let me hit the first of those questions 1208 01:12:39,459 --> 01:12:42,501 about cell phone tracking. 1209 01:12:42,709 --> 01:12:45,292 And so yeah, unfortunately there was 1210 01:12:45,292 --> 01:12:49,876 a recent case that warrants were not necessary. 1211 01:12:49,876 --> 01:12:51,667 It was an appellate court decision, two 1212 01:12:51,667 --> 01:12:55,292 out of three said you need a warrant. 1213 01:12:55,292 --> 01:12:56,542 One dissented. 1214 01:12:56,626 --> 01:13:00,083 It has actually been a mixed bag out there in the courts. 1215 01:13:00,083 --> 01:13:04,125 We've gotten some courts that have agreed that a warrant is necessary 1216 01:13:04,125 --> 01:13:07,083 to do cell phone tracking. 1217 01:13:07,375 --> 01:13:10,999 Actually, if you look at the recent Supreme Court case 1218 01:13:10,999 --> 01:13:13,334 from last year, U.S. 1219 01:13:13,334 --> 01:13:15,959 versus Jones talking about a GPS tracker being used 1220 01:13:15,959 --> 01:13:17,999 to track someone. 1221 01:13:17,999 --> 01:13:20,083 They said a warrant was required for that. 
1222 01:13:20,083 --> 01:13:23,250 I think if that case is properly extended to the cell phones, 1223 01:13:23,250 --> 01:13:26,083 it should come to a similar conclusion that 1224 01:13:26,083 --> 01:13:28,584 a warrant is required. 1225 01:13:28,918 --> 01:13:31,083 Unfortunately there was that decision. 1226 01:13:31,083 --> 01:13:35,292 We are continuing to work on this and try to find cases that are going 1227 01:13:35,292 --> 01:13:37,999 to be good opportunities to show that 1228 01:13:37,999 --> 01:13:42,918 the Fourth Amendment applies to cell phone information. 1229 01:13:42,918 --> 01:13:43,999 Can I add? 1230 01:13:43,999 --> 01:13:44,999 Please. 1231 01:13:44,999 --> 01:13:46,584 Because I have been here and I have been crazy busy 1232 01:13:46,584 --> 01:13:49,167 and this case just came out earlier this week, I haven't read 1233 01:13:49,167 --> 01:13:50,999 the opinion yet. 1234 01:13:50,999 --> 01:13:54,375 What I understand from the reporting is that the rationale that 1235 01:13:54,375 --> 01:13:58,876 the court adopted was based on the third-party doctrine. 1236 01:13:58,876 --> 01:14:01,876 And this is something that you guys all ought to know about. 1237 01:14:01,876 --> 01:14:05,167 And really have on your radars. 1238 01:14:05,167 --> 01:14:07,626 So the deal is, the Fourth Amendment 1239 01:14:07,626 --> 01:14:10,167 as a general matter, right, protects you 1240 01:14:10,167 --> 01:14:14,834 against unreasonable government searches and seizures. 1241 01:14:14,834 --> 01:14:17,417 So the government is supposed to have a warrant 1242 01:14:17,417 --> 01:14:19,999 to search something in which you have 1243 01:14:19,999 --> 01:14:23,999 a reasonable expectation of privacy unless some exception 1244 01:14:23,999 --> 01:14:25,999 applies, okay? 1245 01:14:26,209 --> 01:14:27,792 That's the general rule. 1246 01:14:27,999 --> 01:14:30,999 So back in the '70s the Supreme Court decided 1247 01:14:30,999 --> 01:14:33,250 a couple of cases.
1248 01:14:34,834 --> 01:14:38,542 One involving bank records and one involving 1249 01:14:38,542 --> 01:14:42,918 the numbers that a telephone company collects when 1250 01:14:42,918 --> 01:14:45,125 you dial a call. 1251 01:14:45,292 --> 01:14:48,334 And in those cases the Supreme Court basically said you 1252 01:14:48,334 --> 01:14:50,999 don't have a reasonable expectation of privacy 1253 01:14:50,999 --> 01:14:55,083 in information that you convey to a third-party like that. 1254 01:14:55,083 --> 01:14:56,167 Like a company, right? 1255 01:14:56,626 --> 01:14:58,876 Your bank records, your financial information that you 1256 01:14:58,876 --> 01:15:01,083 convey to a bank, they create records from, and 1257 01:15:01,083 --> 01:15:03,999 the numbers you dial that you convey to a phone company, 1258 01:15:03,999 --> 01:15:07,292 you don't have any reasonable expectation of privacy in a situation 1259 01:15:07,292 --> 01:15:11,459 like that, and the reason is you know that you're giving it up. 1260 01:15:11,459 --> 01:15:15,083 You are voluntarily giving this information over to them. 1261 01:15:15,083 --> 01:15:16,083 How can you have a reasonable expectation 1262 01:15:16,083 --> 01:15:17,999 of privacy in that? 1263 01:15:18,125 --> 01:15:20,999 That has developed into this concept that we call 1264 01:15:20,999 --> 01:15:23,501 the third-party doctrine, which broadly seems 1265 01:15:23,501 --> 01:15:27,292 to suggest that you don't have any reasonable expectation of privacy 1266 01:15:27,292 --> 01:15:30,834 in anything that you give to a third-party. 1267 01:15:31,125 --> 01:15:35,584 In this day and age where we store so much information with companies 1268 01:15:35,584 --> 01:15:40,167 like Google, Facebook, Microsoft, et cetera, et cetera, et cetera, 1269 01:15:40,167 --> 01:15:43,667 that's a very dangerous precedent. 1270 01:15:43,751 --> 01:15:48,083 And that is something that we need to make go away. 
1271 01:15:48,083 --> 01:15:50,959 It just doesn't translate to the world we live in now. 1272 01:15:50,959 --> 01:15:55,999 And in the case that Kurt spoke about, the Supreme Court Justice Sotomayor 1273 01:15:55,999 --> 01:16:02,125 called this out and said this is something that we've got to look at. 1274 01:16:02,334 --> 01:16:06,083 So I think you are going to see a lot of cases in the future dealing with this. 1275 01:16:06,083 --> 01:16:07,876 I think the fifth circuit, from what I've read, has really gone 1276 01:16:07,876 --> 01:16:10,417 the wrong way because they said they are cell phone records and 1277 01:16:10,417 --> 01:16:12,918 they are stored with your company. 1278 01:16:13,999 --> 01:16:15,999 That's very problematic. 1279 01:16:15,999 --> 01:16:19,083 I think you're going to hear a lot about this in the coming years. 1280 01:16:19,501 --> 01:16:20,501 Yeah. 1281 01:16:20,501 --> 01:16:22,542 So speaking of reasonable expectations of privacy, 1282 01:16:22,542 --> 01:16:25,999 and the next question was about drones. 1283 01:16:25,999 --> 01:16:29,709 So recently the FBI responded to, I believe it was Senator Leahy 1284 01:16:29,709 --> 01:16:33,626 explaining what the standard is for drones. 1285 01:16:33,626 --> 01:16:38,834 They took the position that you did not have a reasonable expectation 1286 01:16:38,834 --> 01:16:41,999 of privacy against drones. 1287 01:16:41,999 --> 01:16:44,375 That is to say it was not reasonable to expect that you would be private 1288 01:16:44,375 --> 01:16:47,083 from a drone circling over your house and taking pictures 1289 01:16:47,083 --> 01:16:49,999 of what you're doing in your backyard. 1290 01:16:49,999 --> 01:16:52,542 They based on some cases that were involved 1291 01:16:52,542 --> 01:16:56,167 like man playing surveillance that had been done in the course 1292 01:16:56,167 --> 01:16:58,125 of the drug war. 
1293 01:16:58,626 --> 01:17:03,999 And this is a sort of illustrative of how things have been going 1294 01:17:03,999 --> 01:17:07,999 in terms of government surveillance. 1295 01:17:07,999 --> 01:17:11,125 They are looking for cases in which there have been statements 1296 01:17:11,125 --> 01:17:15,209 about what reasonable expectation of privacy is. 1297 01:17:15,459 --> 01:17:18,292 That have stemmed from some particular circumstances. 1298 01:17:18,292 --> 01:17:21,125 And then seeing how far they can be applied. 1299 01:17:21,125 --> 01:17:22,834 So they find a court that says at some point 1300 01:17:22,834 --> 01:17:24,667 a plane flew somewhere and looked 1301 01:17:24,667 --> 01:17:27,250 down and there was not a reasonable expectation 1302 01:17:27,250 --> 01:17:29,375 of privacy on that. 1303 01:17:29,375 --> 01:17:33,751 That also means there could be a drone 24/7 hanging over your house. 1304 01:17:34,083 --> 01:17:37,417 Once they establish that there is not a reasonable expectation 1305 01:17:37,417 --> 01:17:42,083 of privacy they can take it to the Nth degree and it doesn't matter. 1306 01:17:42,083 --> 01:17:43,542 It really does matter. 1307 01:17:43,751 --> 01:17:47,709 It is entirely possible that a police officer would follow you 1308 01:17:47,709 --> 01:17:50,959 around where you go, A, and make handwritten notes 1309 01:17:50,959 --> 01:17:54,999 about where you are going and what you are doing. 1310 01:17:55,834 --> 01:17:58,999 This does not mean that it is a good society. 1311 01:17:58,999 --> 01:18:00,584 A society that, a future that we would want to live 1312 01:18:00,584 --> 01:18:04,334 in where everybody's movements are tracked all of the time. 1313 01:18:04,792 --> 01:18:08,999 (Applause.)
And so this is made the third-party doctrine, 1314 01:18:08,999 --> 01:18:14,584 the reasonable expectation of privacy is outdated and becoming misused 1315 01:18:14,584 --> 01:18:19,083 to take things which, beware occasional things where there 1316 01:18:19,083 --> 01:18:22,626 was a natural limit of resource-based limit 1317 01:18:22,626 --> 01:18:27,417 to how much the government can do, when things become cheaper 1318 01:18:27,417 --> 01:18:30,709 they can do it all the time. 1319 01:18:30,751 --> 01:18:34,501 We are very much working on trying to stop that. 1320 01:18:34,501 --> 01:18:37,999 To wrap up on drones so the people on this panel right now are not our 1321 01:18:37,999 --> 01:18:42,083 drones experts, but one of them actually is here. 1322 01:18:42,083 --> 01:18:45,667 Our colleague Parker Higgins, who is going to be in the contest area, 1323 01:18:45,667 --> 01:18:48,209 working the CFAA phone booth. 1324 01:18:48,209 --> 01:18:52,626 If you have questions about drones, he knows a lot about them. 1325 01:18:52,999 --> 01:18:54,709 AUDIENCE: At the same time that 1326 01:18:54,709 --> 01:18:58,999 the NSA panopticon was discussed it also seemed to be apparent that 1327 01:18:58,999 --> 01:19:02,959 the government was going to top tier providers and asking them 1328 01:19:02,959 --> 01:19:05,999 to give up their encryption keys. 1329 01:19:05,999 --> 01:19:10,709 I don't think the subject has gotten to this extent yesterday, 1330 01:19:10,709 --> 01:19:15,999 but what does that do to the concept of non-repudiation and contract law 1331 01:19:15,999 --> 01:19:20,999 or even chain of evidence, digital evidence where our digital 1332 01:19:20,999 --> 01:19:25,292 identities are now no longer solely our own. 1333 01:19:25,501 --> 01:19:28,999 Or to put it another way, if the whole ... 1334 01:19:33,792 --> 01:19:35,083 if the ... 1335 01:19:38,501 --> 01:19:40,375 Let me help.
1336 01:19:40,375 --> 01:19:42,626 The question is raising the possibility that 1337 01:19:42,626 --> 01:19:46,083 as you may be communicating in what you believe to be 1338 01:19:46,083 --> 01:19:49,959 an encrypted channel, that nevertheless someone might be 1339 01:19:49,959 --> 01:19:52,542 forced to give up the key such that your 1340 01:19:52,542 --> 01:19:56,959 communications could be decrypted and you wouldn't have the level 1341 01:19:56,959 --> 01:20:00,999 of security that you are -- AUDIENCE: The phrase I'm looking 1342 01:20:00,999 --> 01:20:03,999 for is back door key escrow. 1343 01:20:04,209 --> 01:20:09,167 That's my digital entity, my uniqueness and non-repudiation 1344 01:20:09,167 --> 01:20:12,876 suddenly evaporates and becomes negligible 1345 01:20:12,876 --> 01:20:15,250 as a point of law. 1346 01:20:15,250 --> 01:20:16,751 Hmm. 1347 01:20:16,751 --> 01:20:19,667 Well, I have not thought of it in terms of the digital identity 1348 01:20:19,667 --> 01:20:22,709 because usually what we have been hearing about is more 1349 01:20:22,709 --> 01:20:26,459 on the encrypting communications channel not as an encryption method, 1350 01:20:26,459 --> 01:20:29,292 not as a digital signature method. 1351 01:20:30,834 --> 01:20:33,999 But nevertheless it is quite troubling that we have 1352 01:20:33,999 --> 01:20:37,125 a number of systems that are designed to be able 1353 01:20:37,125 --> 01:20:40,999 to encrypt communications using a public key infrastructure 1354 01:20:40,999 --> 01:20:43,042 and certificates. 1355 01:20:43,584 --> 01:20:46,584 These systems have a lot of problems. 1356 01:20:46,584 --> 01:20:48,667 I think what Dan was talking about earlier, some of our attempts 1357 01:20:48,667 --> 01:20:52,584 to try to at least investigate and understand those problems. 1358 01:20:52,584 --> 01:20:54,959 I guess we can put it this way. 
1359 01:20:54,959 --> 01:20:56,709 The more that is known and revealed 1360 01:20:56,709 --> 01:21:01,209 about government access to encryption keys, the more likely it 1361 01:21:01,209 --> 01:21:04,417 is that a good lawyer in a contract dispute 1362 01:21:04,417 --> 01:21:08,959 or anything involving chain of digital evidence will be able 1363 01:21:08,959 --> 01:21:12,999 to convince a jury that the contract was forged or that 1364 01:21:12,999 --> 01:21:16,083 the evidence was manufactured. 1365 01:21:16,083 --> 01:21:17,999 So that's, that risking increase. 1366 01:21:17,999 --> 01:21:19,083 AUDIENCE: Thank you. 1367 01:21:19,083 --> 01:21:22,792 Just quickly to add one last point to that, I think that it's 1368 01:21:22,792 --> 01:21:25,209 a really good question. 1369 01:21:25,209 --> 01:21:27,709 I understand you as saying providers having to give 1370 01:21:27,709 --> 01:21:31,999 over their private encryption keys to law enforcement. 1371 01:21:32,459 --> 01:21:36,125 I think that this, there's kind of a hole right now in terms 1372 01:21:36,125 --> 01:21:38,918 of statutes about this. 1373 01:21:38,918 --> 01:21:40,999 So law tends to focus on user data. 1374 01:21:40,999 --> 01:21:43,667 But there's a big question mark about well, yeah, 1375 01:21:43,667 --> 01:21:46,667 you can get user data if you have these keys 1376 01:21:46,667 --> 01:21:51,167 and are companies forced to hand over the keys under various warrant 1377 01:21:51,167 --> 01:21:53,999 or subpoena circumstances? 1378 01:21:53,999 --> 01:21:56,999 I think there's just a lot of unclarity about that right now. 1379 01:21:56,999 --> 01:21:59,083 It's something that is really alarming. 1380 01:21:59,083 --> 01:22:04,125 I want to adjust one sort of general point on this. 1381 01:22:04,209 --> 01:22:05,209 You know, companies may be required 1382 01:22:05,209 --> 01:22:07,834 to provide some technical assistance to the government when 1383 01:22:07,834 --> 01:22:09,709 they want to wiretap. 
1384 01:22:09,709 --> 01:22:12,834 But there's also a notion that they shouldn't be required 1385 01:22:12,834 --> 01:22:15,417 to break their services. 1386 01:22:15,584 --> 01:22:18,999 And I think if your service is involved providing encrypted 1387 01:22:18,999 --> 01:22:22,751 communications and you are not actually providing it, that breaks 1388 01:22:22,751 --> 01:22:26,626 the service and that may be an available argument. 1389 01:22:30,999 --> 01:22:33,459 AUDIENCE: Thank you. 1390 01:22:33,459 --> 01:22:34,459 AUDIENCE: Hi. 1391 01:22:34,459 --> 01:22:37,459 So since this Snowden revelation, I have been trying to think about, 1392 01:22:37,459 --> 01:22:41,709 there's three different contexts for data retention. 1393 01:22:41,709 --> 01:22:43,167 There's the NSA program we just learned 1394 01:22:43,167 --> 01:22:45,999 about and the data retention that my service 1395 01:22:45,999 --> 01:22:49,876 provider is doing of my metadata of their own volition and this 1396 01:22:49,876 --> 01:22:52,209 is in the United States. 1397 01:22:52,209 --> 01:22:55,083 There is internationally how the data retention works. 1398 01:22:55,083 --> 01:22:56,083 My understanding is that in Europe it's more regulated than it 1399 01:22:56,083 --> 01:22:57,501 is here. 1400 01:22:57,918 --> 01:23:00,667 I ask you if you wouldn't mind characterizing 1401 01:23:00,667 --> 01:23:03,751 the difference between the three contexts, 1402 01:23:03,751 --> 01:23:07,834 how long my data is retained and how much it is exposed 1403 01:23:07,834 --> 01:23:11,999 to access by the government with an eye to what you think 1404 01:23:11,999 --> 01:23:14,584 the right answers are. 1405 01:23:17,834 --> 01:23:20,209 So I can talk a little bit. 1406 01:23:20,459 --> 01:23:22,792 If you want to add ... 1407 01:23:22,918 --> 01:23:26,459 To Europe, I understand, is kind of a mixed bag. 1408 01:23:26,626 --> 01:23:33,459 There is greater protection in terms of user data and how it is handled. 
1409 01:23:33,459 --> 01:23:35,167 On the other hand, there are also mandatory data retention 1410 01:23:35,167 --> 01:23:38,292 laws which we do not have in the United States. 1411 01:23:38,292 --> 01:23:39,999 It's a double edged sword. 1412 01:23:40,876 --> 01:23:42,999 But beyond those mandatory data retention 1413 01:23:42,999 --> 01:23:48,125 laws, I think as I said earlier it's the wild west and the private sector. 1414 01:23:48,417 --> 01:23:51,501 It's up to the company how long they want to retain your data. 1415 01:23:51,667 --> 01:23:55,999 They can have private policies right now which disclose that. 1416 01:23:55,999 --> 01:23:59,083 If they break those privacy policies they open themselves 1417 01:23:59,083 --> 01:24:03,834 up to FTC complaints or possible other lawsuits, class action lawsuits, 1418 01:24:03,834 --> 01:24:06,375 this sort of thing. 1419 01:24:06,792 --> 01:24:08,999 Basically there's no information. 1420 01:24:08,999 --> 01:24:14,751 In terms of -- there's no limit to what data they can retain. 1421 01:24:16,167 --> 01:24:20,459 On that front, I think the right answer is a lot of transparency 1422 01:24:20,459 --> 01:24:23,959 from companies and also ensuring that we don't pass 1423 01:24:23,959 --> 01:24:26,999 a mandatory data retention law. 1424 01:24:26,999 --> 01:24:31,125 If a VPN doesn't want to keep data, they shouldn't have to. 1425 01:24:31,125 --> 01:24:33,209 So I think that's the way that we should be going 1426 01:24:33,209 --> 01:24:35,626 for the private sector. 1427 01:24:35,626 --> 01:24:38,751 With respect to government data, I don't know if someone else wants 1428 01:24:38,751 --> 01:24:43,626 to take that, but I also think that there's no clear rules about it.
1429 01:24:43,626 --> 01:24:46,083 I think there's one more important point to make 1430 01:24:46,083 --> 01:24:49,501 about the private sector in the United States, especially 1431 01:24:49,501 --> 01:24:53,918 in Silicon Valley where you have a lot of startups and people are sitting 1432 01:24:53,918 --> 01:24:56,083 on a lot of user data. 1433 01:24:56,083 --> 01:25:01,167 There is a tendency among engineers to want to save everything. 1434 01:25:01,751 --> 01:25:04,417 Because you never know when it's going to be useful. 1435 01:25:04,417 --> 01:25:05,626 (Laughter.) Yeah. 1436 01:25:05,626 --> 01:25:06,834 In fact, your company might go completely 1437 01:25:06,834 --> 01:25:10,125 under and that might be the only thing that you can sell. 1438 01:25:10,250 --> 01:25:15,501 So there's a very strong push to retain as much data as possible 1439 01:25:15,501 --> 01:25:18,459 for as long as possible. 1440 01:25:18,542 --> 01:25:20,709 Saving data is cheap, backups are cheap, 1441 01:25:20,709 --> 01:25:25,999 the consequences of not having the data when you need it are dire. 1442 01:25:25,999 --> 01:25:28,375 And deletion is computationally expensive. 1443 01:25:28,375 --> 01:25:31,209 So usually when sort of Silicon Valley companies have 1444 01:25:31,209 --> 01:25:34,334 a choice between storing everything indefinitely 1445 01:25:34,334 --> 01:25:38,292 and finding some way to regularly delete it, they will choose 1446 01:25:38,292 --> 01:25:42,918 to just store it all indefinitely because it's easier. 1447 01:25:42,918 --> 01:25:45,626 It is not a conspiracy against user data. 1448 01:25:45,626 --> 01:25:47,375 It is not a conspiracy to make things more convenient 1449 01:25:47,375 --> 01:25:49,375 for the government. 
1450 01:25:49,999 --> 01:25:53,334 If you've ever walked into an engineer's office and saw piles 1451 01:25:53,334 --> 01:25:56,167 of paper and notice they never throw anything away, 1452 01:25:56,167 --> 01:25:59,167 it's sort of an outgrowth of that. 1453 01:25:59,209 --> 01:26:01,542 And in some ways that is potentially very, 1454 01:26:01,542 --> 01:26:05,375 very worrying because even if you don't have mandatory data 1455 01:26:05,375 --> 01:26:08,250 retention in this manner, sometimes you wind 1456 01:26:08,250 --> 01:26:11,542 up having de facto data retention. 1457 01:26:12,999 --> 01:26:17,375 So to address the government storing end of it, 1458 01:26:17,375 --> 01:26:23,999 the question is are they supposed to have it in the first place? 1459 01:26:23,999 --> 01:26:26,459 And the problem with some of these sort 1460 01:26:26,459 --> 01:26:31,999 of mass storage things that have been confirmed recently with reports 1461 01:26:31,999 --> 01:26:37,167 about the NSA getting just gigantic piles -- five years, that's what 1462 01:26:37,167 --> 01:26:40,083 they say they are doing. 1463 01:26:40,209 --> 01:26:44,918 Actually if your information is encrypted it's until it's decrypted. 1464 01:26:45,209 --> 01:26:47,542 They will keep it around forever. 1465 01:26:48,999 --> 01:26:51,999 Or at least until they figure out how to decrypt it. 1466 01:26:51,999 --> 01:26:55,834 So the problem is really, that they get it in the first place. 1467 01:26:55,999 --> 01:26:59,125 They should only be able to get the information when 1468 01:26:59,125 --> 01:27:03,709 they meet legal standards and then only keep it so long as it is needed 1469 01:27:03,709 --> 01:27:06,083 for that valid purpose. 1470 01:27:06,083 --> 01:27:09,083 If that helps answer the question. 1471 01:27:09,083 --> 01:27:16,626 AUDIENCE: With regard to the development of the U.S.
1472 01:27:16,626 --> 01:27:19,083 cyber warfare, the architecture -- I don't know 1473 01:27:19,083 --> 01:27:24,209 if that's a correct word, but it seems like our government has been 1474 01:27:24,209 --> 01:27:27,999 penetrated multiple times by groups like LulzSec, 1475 01:27:27,999 --> 01:27:31,876 while statement we developed advanced cyber weapons 1476 01:27:31,876 --> 01:27:37,375 like Stuxnet and regularly are tapping into other countries. 1477 01:27:38,999 --> 01:27:41,209 Could you speculate on that? 1478 01:27:41,375 --> 01:27:43,709 Yes, yes. 1479 01:27:43,834 --> 01:27:46,918 (Laughter.) EVA GALPERIN: Sure, I can speculate on that. 1480 01:27:46,918 --> 01:27:47,417 We actually don't have to speculate 1481 01:27:47,417 --> 01:27:50,125 because the White House released this thing called 1482 01:27:50,125 --> 01:27:52,999 the Presidential Policy Directive. 1483 01:27:52,999 --> 01:27:56,542 It is a document that the president creates that instructs 1484 01:27:56,542 --> 01:28:00,167 the divisions and the cabinet agencies about what 1485 01:28:00,167 --> 01:28:03,999 the policy is for the administration. 1486 01:28:03,999 --> 01:28:09,834 And so the document actually is part of the Snowden leaks. 1487 01:28:09,834 --> 01:28:10,209 What came out was that it was 1488 01:28:10,209 --> 01:28:13,501 a classified Presidential policy directive. 1489 01:28:13,876 --> 01:28:16,125 The Presidential Policy Directive Number 20.
1490 01:28:16,501 --> 01:28:20,959 What it did was it kind of confirmed what a lot of academics, 1491 01:28:20,959 --> 01:28:25,334 people in the security research, people who were watching where 1492 01:28:25,334 --> 01:28:28,834 the government is going with this online warfare 1493 01:28:28,834 --> 01:28:33,751 and virus making, malware making and what it did is, it revealed that 1494 01:28:33,751 --> 01:28:38,209 they have pretty much routinized the processes and are beginning 1495 01:28:38,209 --> 01:28:41,751 to study and look into and create working groups 1496 01:28:41,751 --> 01:28:45,959 for how the government is going to deal with this and what 1497 01:28:45,959 --> 01:28:48,999 the government is going to do. 1498 01:28:49,584 --> 01:28:53,751 Before this document we saw very vague outlines, right? 1499 01:28:53,751 --> 01:28:55,083 Like the U.S. 1500 01:28:55,083 --> 01:28:57,959 government will follow the laws of war. 1501 01:28:57,959 --> 01:28:58,959 The U.S. 1502 01:28:58,959 --> 01:29:02,501 government will, we will follow the U.N. 1503 01:29:02,501 --> 01:29:03,501 conventions. 1504 01:29:03,501 --> 01:29:04,959 And international law. 1505 01:29:04,999 --> 01:29:09,584 What this document revealed was that a, it got into much greater detail 1506 01:29:09,584 --> 01:29:13,999 on what the government is doing, how they will act in defense 1507 01:29:13,999 --> 01:29:18,959 if they support any sort of exfiltration of data or if they suppose 1508 01:29:18,959 --> 01:29:22,292 they are under any type of attack. 1509 01:29:22,751 --> 01:29:26,999 And the document provided a pretty good foundation for how 1510 01:29:26,999 --> 01:29:29,792 they justify Stuxnet. 1511 01:29:30,125 --> 01:29:36,292 We know now within the past couple of weeks that one of the generals 1512 01:29:36,292 --> 01:29:43,375 is being investigated over leaking the fact that Stuxnet was a U.S. 1513 01:29:43,375 --> 01:29:44,751 Israeli project.
1514 01:29:44,751 --> 01:29:48,542 And so what we are seeing right now and what we are paying a lot 1515 01:29:48,542 --> 01:29:53,751 of attention to and fighting against is the increased militarization 1516 01:29:53,751 --> 01:29:55,999 of the Internet. 1517 01:29:56,167 --> 01:29:58,751 It was something that was always in the background, 1518 01:29:58,751 --> 01:30:02,667 something that we were always hesitant in watching and thought what 1519 01:30:02,667 --> 01:30:04,459 was happening. 1520 01:30:04,459 --> 01:30:06,876 What we are seeing now is yes, it's happening. 1521 01:30:06,959 --> 01:30:09,959 The government is creating these things 1522 01:30:09,959 --> 01:30:15,999 and there's hardly anything to be regulating it or figuring out how 1523 01:30:15,999 --> 01:30:19,999 to stop it and what to do about it. 1524 01:30:19,999 --> 01:30:22,125 Because we don't know what they are doing. 1525 01:30:22,125 --> 01:30:24,042 So I think what is going to happen and especially part 1526 01:30:24,042 --> 01:30:27,375 of the transparency efforts we're fighting for is to talk 1527 01:30:27,375 --> 01:30:31,209 with the government and issue these policy papers and what we think, 1528 01:30:31,209 --> 01:30:34,792 you know, should happen in this area and what we think really 1529 01:30:34,792 --> 01:30:37,709 shouldn't happen with the increasing militarization 1530 01:30:37,709 --> 01:30:39,584 of the Internet. 1531 01:30:40,542 --> 01:30:45,250 With Stuxnet -- Flame is another good example -- now when 1532 01:30:45,250 --> 01:30:49,667 you use an online virus it is different. 1533 01:30:49,999 --> 01:30:53,709 You are no longer -- you can try as hard as you may to target 1534 01:30:53,709 --> 01:30:58,999 a foreign nation state or something you want to exfiltrate from a government, 1535 01:30:58,999 --> 01:31:02,375 but it's hopping the Internet, right? 
1536 01:31:02,375 --> 01:31:03,999 It's hopping the Internet into the public sphere 1537 01:31:03,999 --> 01:31:07,083 and causing citizens and causing individuals not associated 1538 01:31:07,083 --> 01:31:11,542 with the government and who aren't supposed to be your targets. 1539 01:31:11,999 --> 01:31:15,999 And it's something that is very dangerous that is happening. 1540 01:31:15,999 --> 01:31:18,999 I just wanted to interrupt for a second rudely and talk 1541 01:31:18,999 --> 01:31:23,125 a little bit about the rhetoric of cyber warfare. 1542 01:31:23,125 --> 01:31:27,667 One of the very interesting things that came out of the Presidential directive 1543 01:31:27,667 --> 01:31:30,999 was the sort of declaration that cyber space had 1544 01:31:30,999 --> 01:31:34,999 been sort of declared to be a theater of war. 1545 01:31:35,250 --> 01:31:38,125 And I think that one of the biggest problems when it comes 1546 01:31:38,125 --> 01:31:41,626 to talking about this stuff with the U.S. 1547 01:31:41,626 --> 01:31:43,292 government is that there is an entire culture 1548 01:31:43,292 --> 01:31:45,876 of people who say cyber. 1549 01:31:45,959 --> 01:31:47,792 (Laughter.) EVA GALPERIN: Which is generally 1550 01:31:47,792 --> 01:31:50,999 a good sign that you are talking to someone who has very little 1551 01:31:50,999 --> 01:31:54,501 in common with the Electronic Frontier Foundation. 1552 01:31:54,999 --> 01:31:58,083 The biggest problem with the term cyber warfare 1553 01:31:58,083 --> 01:32:01,209 is that packets are not bullets. 1554 01:32:01,209 --> 01:32:04,083 As a general rule they do not kill people. 1555 01:32:04,083 --> 01:32:07,918 Once you start using the rhetoric of warfare and guns and bullets 1556 01:32:07,918 --> 01:32:12,375 and cyber bombs and cyber shields and cyber tanks or whatever it 1557 01:32:12,375 --> 01:32:14,709 is they are using. 1558 01:32:14,792 --> 01:32:16,999 Cyber Pearl Harbor. 
1559 01:32:16,999 --> 01:32:18,999 EVA GALPERIN: I would really like to know what this cyber Pearl 1560 01:32:18,999 --> 01:32:22,501 Harbor is that we have been promised for so many years. 1561 01:32:22,792 --> 01:32:26,999 Once you use this rhetoric it leads you to all kind 1562 01:32:26,999 --> 01:32:30,167 of erroneous conclusions about what kind 1563 01:32:30,167 --> 01:32:34,584 of protections we need and what the U.S. 1564 01:32:34,584 --> 01:32:35,999 can do and what the U.S. 1565 01:32:35,999 --> 01:32:41,959 is justified in doing in protecting sort of the American Internet as much 1566 01:32:41,959 --> 01:32:45,999 as there is an American Internet. 1567 01:32:46,083 --> 01:32:49,334 So I'm generally very wary of the term cyber warfare 1568 01:32:49,334 --> 01:32:52,125 and anything that begins with cyber and 1569 01:32:52,125 --> 01:32:56,167 the entire war rhetoric because I think it really frames 1570 01:32:56,167 --> 01:32:59,999 the problem in a highly misleading way. 1571 01:33:01,792 --> 01:33:05,375 I'll just add, it's also seriously blurring 1572 01:33:05,375 --> 01:33:10,167 the distinction between a civilian and military when it comes 1573 01:33:10,167 --> 01:33:12,501 to the Internet. 1574 01:33:13,918 --> 01:33:17,209 EVA GALPERIN: A lot of the things that we have been reading 1575 01:33:17,209 --> 01:33:21,501 about, sort of proposed protections for the U.S., for U.S. 1576 01:33:21,501 --> 01:33:24,751 cyber space have to do with protecting U.S. 1577 01:33:24,751 --> 01:33:26,250 companies' trade secrets. 1578 01:33:26,250 --> 01:33:31,918 And honestly, as far as I can tell, that's not a valid military objective. 1579 01:33:31,999 --> 01:33:35,125 You know who protects companies' trade secrets? 1580 01:33:35,125 --> 01:33:38,083 Companies who have hopefully many people employed 1581 01:33:38,083 --> 01:33:41,417 to protect their own security.
1582 01:33:41,417 --> 01:33:43,209 This should not be something that American tax dollars pay 1583 01:33:43,209 --> 01:33:46,417 for and should not be something that the U.S. 1584 01:33:46,417 --> 01:33:47,417 military does. 1585 01:33:53,125 --> 01:33:59,417 (Applause.) AUDIENCE: My question is regarding the EFF's thoughts 1586 01:33:59,417 --> 01:34:04,542 about the Web filtering happening in the U.K. 1587 01:34:04,918 --> 01:34:07,999 originally slated as being for pornography blocking 1588 01:34:07,999 --> 01:34:13,918 but since has been revealed to spread to other subject matter. 1589 01:34:13,918 --> 01:34:18,375 And what if any actions are being taken in regards to that? 1590 01:34:22,375 --> 01:34:25,999 (Sighing.) Oh, British Internet, we can't take you anywhere. 1591 01:34:27,584 --> 01:34:30,999 What is particularly interesting about the U.K. 1592 01:34:31,083 --> 01:34:36,167 pornography filters is, to begin with, these are not mandatory filters 1593 01:34:36,167 --> 01:34:38,083 in any way. 1594 01:34:38,083 --> 01:34:44,667 But what is happening is that every household in the U.K. 1595 01:34:44,999 --> 01:34:51,959 will have porn filtering turned on by default by the major ISP 1596 01:34:51,959 --> 01:34:54,083 in the U.K. 1597 01:34:54,083 --> 01:34:58,834 And if you want porn, you have to make an affirmative decision 1598 01:34:58,834 --> 01:35:02,918 to contact your ISP and ask for porn. 1599 01:35:02,918 --> 01:35:05,083 (Chuckles.) EVA GALPERIN: And they really don't see what 1600 01:35:05,083 --> 01:35:08,709 the possible chilling effect of such a thing might be. 1601 01:35:08,751 --> 01:35:12,375 Really the chilling effect shouldn't matter because children ... 1602 01:35:17,417 --> 01:35:18,125 (Some laughter and applause.) EVA GALPERIN: 1603 01:35:18,125 --> 01:35:20,125 Needless to say this is a terrible idea. 1604 01:35:20,125 --> 01:35:24,542 EFF frequently comes out against porn filtering.
1605 01:35:24,542 --> 01:35:27,083 We think it's fine if you decide to put it on your computer, 1606 01:35:27,083 --> 01:35:28,999 on your network. 1607 01:35:28,999 --> 01:35:32,501 But having this sort of tyranny of defaults in which you have 1608 01:35:32,501 --> 01:35:37,250 to make a rather public disclosure to someone else that you want porn 1609 01:35:37,250 --> 01:35:42,209 is highly, highly problematic and poses a potential chilling effect not 1610 01:35:42,209 --> 01:35:46,999 to mention that it looks like the filters are blocking things other 1611 01:35:46,999 --> 01:35:48,999 than just porn. 1612 01:35:49,334 --> 01:35:53,083 And that this really gives the power to censor the Internet to these ISPs 1613 01:35:53,083 --> 01:35:56,709 and to the people building the black lists. 1614 01:35:56,709 --> 01:35:59,626 We think that black lists in general are a terrible idea. 1615 01:35:59,626 --> 01:36:02,626 They don't work and they block all the wrong stuff. 1616 01:36:02,709 --> 01:36:05,876 AUDIENCE: So I'm actually from the U.K. 1617 01:36:07,667 --> 01:36:10,459 (Laughter.) EVA GALPERIN: Would you like porn? 1618 01:36:10,459 --> 01:36:13,292 AUDIENCE: So I'm really looking forward to moving back 1619 01:36:13,292 --> 01:36:17,083 into my parents' new house and finding one of two situations, 1620 01:36:17,083 --> 01:36:21,584 either the porn filter is off and I'm hung out to dry. 1621 01:36:22,209 --> 01:36:25,584 Sorry, the porn filter is on and I'm hung out to dry or 1622 01:36:25,584 --> 01:36:28,209 the porn filter is off and I know something 1623 01:36:28,209 --> 01:36:31,751 about my dad that I didn't need to know. 1624 01:36:31,751 --> 01:36:35,459 EVA GALPERIN: Or something about your mom that you didn't need 1625 01:36:35,459 --> 01:36:36,999 to know. 1626 01:36:37,334 --> 01:36:39,834 AUDIENCE: My bad. 1627 01:36:40,083 --> 01:36:42,375 She doesn't know anything about computers. 
1628 01:36:42,375 --> 01:36:44,999 Back to data retention, you said that with a lot 1629 01:36:44,999 --> 01:36:49,999 of these startup companies, you know, data can be, if a company goes 1630 01:36:49,999 --> 01:36:53,834 under the only thing they have left. 1631 01:36:54,250 --> 01:36:56,501 I was actually, to add to that I would say that data 1632 01:36:56,501 --> 01:36:59,667 is the only commodity they have in the first place. 1633 01:36:59,667 --> 01:37:00,167 The best way to make sure it doesn't get 1634 01:37:00,167 --> 01:37:02,999 in the wrong hands is just not to give it to them. 1635 01:37:04,083 --> 01:37:07,626 My real question was about Prism. 1636 01:37:07,667 --> 01:37:10,999 So being from Europe, you guys actually have nothing 1637 01:37:10,999 --> 01:37:13,083 to worry about as American citizens 1638 01:37:13,083 --> 01:37:17,999 because the president doesn't actually target you guys, if what the NSA says 1639 01:37:17,999 --> 01:37:19,999 is to be believed. 1640 01:37:19,999 --> 01:37:22,999 EVA GALPERIN: If they believe that you have 1641 01:37:22,999 --> 01:37:29,501 a 51 percent chance of being foreign, then you are a legitimate target. 1642 01:37:29,501 --> 01:37:31,999 AUDIENCE: So as a foreigner -- EVA GALPERIN: 1643 01:37:31,999 --> 01:37:34,375 More than 51 percent? 1644 01:37:34,959 --> 01:37:36,751 AUDIENCE: This is really strange 1645 01:37:36,751 --> 01:37:39,626 because there are more than a billion people 1646 01:37:39,626 --> 01:37:42,792 around the world using Facebook. 1647 01:37:43,125 --> 01:37:47,459 The United States has -- I hate to use this word because it's kind 1648 01:37:47,459 --> 01:37:51,709 of inappropriate, but they have kind of declared war on the world 1649 01:37:51,709 --> 01:37:55,083 by having all of this data stored in private companies 1650 01:37:55,083 --> 01:37:59,959 within your borders and yet you have access to all of it. 
1651 01:37:59,959 --> 01:38:03,250 So what can we -- well, firstly, as the European government, do 1652 01:38:03,250 --> 01:38:06,834 they have a leg to stand on at all? 1653 01:38:06,918 --> 01:38:09,751 And is there anything we can do to support them? 1654 01:38:09,751 --> 01:38:12,834 EVA GALPERIN: Let me talk about Prism real quick. 1655 01:38:12,918 --> 01:38:18,334 A lot of the time when American NGOs and civil liberties organizations talk 1656 01:38:18,334 --> 01:38:21,334 about Prism, it's very focused on outrage 1657 01:38:21,334 --> 01:38:24,834 over the NSA spying on Americans. 1658 01:38:24,834 --> 01:38:29,083 And the reason why this outrage is so focused is because spying 1659 01:38:29,083 --> 01:38:32,626 on Americans is very clearly outside of what 1660 01:38:32,626 --> 01:38:36,626 the NSA was originally entitled to do. 1661 01:38:36,626 --> 01:38:38,834 It is outside of its purpose. 1662 01:38:38,834 --> 01:38:41,125 And so it is very, very clearly illegal. 1663 01:38:42,083 --> 01:38:45,417 Now, what about the rest of the world? 1664 01:38:45,709 --> 01:38:47,375 A lot of these NGOs will simply leave the rest 1665 01:38:47,375 --> 01:38:49,542 of the world out to dry. 1666 01:38:49,542 --> 01:38:52,999 They'll say the NSA exists to spy on the rest of the world and we can't get 1667 01:38:52,999 --> 01:38:56,751 all upset when it goes around spying on non-U.S. 1668 01:38:56,751 --> 01:38:57,751 persons. 1669 01:38:57,834 --> 01:39:00,250 On this particular point I disagree. 1670 01:39:00,459 --> 01:39:02,999 Just because you are a non-U.S. 1671 01:39:02,999 --> 01:39:05,999 person doesn't mean that you suddenly don't have rights. 1672 01:39:05,999 --> 01:39:10,584 And not just -- it is not like the Bill of Rights and the U.S. 1673 01:39:10,584 --> 01:39:11,834 Constitution and U.S. 1674 01:39:11,834 --> 01:39:14,167 law are the only law on earth. 
1675 01:39:14,250 --> 01:39:20,083 And in fact, it seems very likely that the NSA's wiretapping has, or 1676 01:39:20,083 --> 01:39:24,999 the NSA's sort of dragnet surveillance does infringe 1677 01:39:24,999 --> 01:39:30,918 on the privacy rights of hundreds of millions of Internet users 1678 01:39:30,918 --> 01:39:33,626 all over the world. 1679 01:39:33,918 --> 01:39:37,459 The problem is that it's very unlikely that we are 1680 01:39:37,459 --> 01:39:42,375 going to get any kind of legal recourse for it. 1681 01:39:42,375 --> 01:39:47,584 There's simply nowhere for us to go to appeal having our basic human 1682 01:39:47,584 --> 01:39:50,959 rights violated as non-U.S. 1683 01:39:50,959 --> 01:39:51,959 persons. 1684 01:39:51,999 --> 01:39:56,584 What we can do is use strong encryption and also there 1685 01:39:56,584 --> 01:40:01,792 has been a great deal of talk within governmental bodies 1686 01:40:01,792 --> 01:40:08,459 all over the world looking into the state of NSA surveillance. 1687 01:40:08,459 --> 01:40:12,167 There was a bill proposed, I think a bill actually made it 1688 01:40:12,167 --> 01:40:16,250 to the floor earlier this week in Mexico. 1689 01:40:16,250 --> 01:40:19,876 There have been a number of proposals in the EU. 1690 01:40:19,876 --> 01:40:21,834 People are really riled up about this. 1691 01:40:21,999 --> 01:40:24,334 It's possible we will see some legislation 1692 01:40:24,334 --> 01:40:27,918 in other parts of the world, especially because one 1693 01:40:27,918 --> 01:40:31,584 of the key parts of the NSA revelations that we've seen 1694 01:40:31,584 --> 01:40:34,876 about NSA spying is that we are not just running 1695 01:40:34,876 --> 01:40:37,501 around spying on non-U.S. 1696 01:40:37,918 --> 01:40:39,999 persons who are a threat to the U.S. 1697 01:40:39,999 --> 01:40:41,709 We are also spying on our allies. 
1698 01:40:41,999 --> 01:40:47,999 Needless to say this makes our allies including the Five Eyes, including the U.K., 1699 01:40:47,999 --> 01:40:50,167 somewhat outraged. 1700 01:40:51,584 --> 01:40:54,375 The question line is back ... 1701 01:40:54,626 --> 01:41:00,209 AUDIENCE: (Speaker away from microphone.) Sir? 1702 01:41:00,209 --> 01:41:02,083 AUDIENCE: Am I good to go? 1703 01:41:02,375 --> 01:41:03,876 Please. 1704 01:41:03,876 --> 01:41:04,626 We are going to keep some order here 1705 01:41:04,626 --> 01:41:07,083 and sometimes we may return to a follow up question 1706 01:41:07,083 --> 01:41:09,999 but people waiting should get a turn. 1707 01:41:10,083 --> 01:41:12,584 AUDIENCE: In terms of the privacy movement I have 1708 01:41:12,584 --> 01:41:14,751 a two-part question. 1709 01:41:14,999 --> 01:41:19,626 I think in information security we are very aware of all the implications, 1710 01:41:19,626 --> 01:41:24,209 however you say it, of what can happen with all this data. 1711 01:41:24,250 --> 01:41:27,417 But how do you get someone who just goes on Facebook and looks 1712 01:41:27,417 --> 01:41:30,834 at pictures of cats all day to understand what this means 1713 01:41:30,834 --> 01:41:34,792 and what is the next step for the privacy movement? 1714 01:41:34,792 --> 01:41:37,167 Like project mesh net or something. 1715 01:41:37,167 --> 01:41:39,542 What should we be working on in the meantime? 1716 01:41:39,542 --> 01:41:41,959 EVA GALPERIN: All right. 1717 01:41:41,959 --> 01:41:44,999 I guess before we get to the legal aspects of this, 1718 01:41:44,999 --> 01:41:50,999 which Kurt will address shortly, I think that it's a misnomer. 
1719 01:41:50,999 --> 01:41:53,834 It is a misunderstanding to say that people these days either 1720 01:41:53,834 --> 01:41:57,459 don't understand the privacy that they are giving up or don't care 1721 01:41:57,459 --> 01:41:59,999 about the privacy that they are giving up when 1722 01:41:59,999 --> 01:42:03,167 they use social networks like Facebook. 1723 01:42:03,167 --> 01:42:06,167 I can say this because I talk to people all over the world 1724 01:42:06,167 --> 01:42:10,792 all the time about their concerns about this very issue. 1725 01:42:11,083 --> 01:42:13,626 If you want to see somebody who has a deep 1726 01:42:13,626 --> 01:42:16,999 and intrinsic understanding of every single one 1727 01:42:16,999 --> 01:42:20,999 of Facebook's privacy protections and how they work, look 1728 01:42:20,999 --> 01:42:26,459 at a teenager whose parents have just friended them on Facebook. 1729 01:42:27,999 --> 01:42:30,876 They know how that stuff works backwards and forwards and 1730 01:42:30,876 --> 01:42:32,542 they keep up with every last update 1731 01:42:32,542 --> 01:42:35,083 because they are very interested in making sure that 1732 01:42:35,083 --> 01:42:37,626 they maintain their privacy from people who, well, 1733 01:42:37,626 --> 01:42:41,959 really shouldn't know what they are doing out on a Saturday night. 1734 01:42:41,999 --> 01:42:46,999 And I think that this is also true for other people who have things 1735 01:42:46,999 --> 01:42:50,626 to lose by losing their privacy. 1736 01:42:50,834 --> 01:42:52,834 People are very aware. 1737 01:42:52,834 --> 01:42:55,083 They are smarter than we give them credit for. 1738 01:42:55,083 --> 01:42:59,334 Really, the task that we have as privacy trainers is just 1739 01:42:59,334 --> 01:43:04,999 to give them the right tools to use in order to protect themselves 1740 01:43:04,999 --> 01:43:10,334 and also to help them understand their threat model. 
1741 01:43:10,334 --> 01:43:13,292 Help them understand what information it is that they are trying to protect 1742 01:43:13,292 --> 01:43:16,501 and who they are trying to protect it from. 1743 01:43:16,501 --> 01:43:19,667 If you give users that information they can usually make smart decisions 1744 01:43:19,667 --> 01:43:22,417 about what to do with their privacy. 1745 01:43:22,417 --> 01:43:24,876 I want to add on, how do we make them care, 1746 01:43:24,876 --> 01:43:28,667 considering the NSA thing, spying, right? 1747 01:43:28,667 --> 01:43:31,459 How do we make them care, because in other countries 1748 01:43:31,459 --> 01:43:36,417 they protested, but we didn't put forth an effort as much. 1749 01:43:37,375 --> 01:43:40,999 I'll address this. 1750 01:43:40,999 --> 01:43:43,584 We only have a few minutes remaining in the session. 1751 01:43:43,584 --> 01:43:46,959 Actually, I think we have to cut off the question line. 1752 01:43:47,584 --> 01:43:51,626 One of the things that I think has helped resonate this issue when I talked 1753 01:43:51,626 --> 01:43:54,999 to people about it is talking about privacy in terms of control 1754 01:43:54,999 --> 01:43:56,999 of your information. 1755 01:43:56,999 --> 01:43:59,167 To get away from, whether it's something that you have 1756 01:43:59,167 --> 01:44:01,292 to hide in particular, but don't you want 1757 01:44:01,292 --> 01:44:06,501 to have it so your information only goes to the people that you want it to go to? 1758 01:44:06,501 --> 01:44:08,125 And not to the ones that you don't? 1759 01:44:08,125 --> 01:44:09,999 You have a sense of autonomy and control 1760 01:44:09,999 --> 01:44:14,167 on where your information goes and what the spying is doing 1761 01:44:14,167 --> 01:44:17,999 is taking away that autonomy and giving control away 1762 01:44:17,999 --> 01:44:20,083 to somebody else. 1763 01:44:20,083 --> 01:44:21,626 I found that has been helpful. 1764 01:44:21,626 --> 01:44:22,709 AUDIENCE: I would. 
1765 01:44:22,709 --> 01:44:26,250 I would also add that I think people, just to reiterate what Eva said, 1766 01:44:26,250 --> 01:44:30,083 but add on that, at least I don't know how much people 1767 01:44:30,083 --> 01:44:33,667 trust polls, but there has been a slew of polls 1768 01:44:33,667 --> 01:44:38,209 in the past few weeks that have been released that by Pew, Gallup 1769 01:44:38,209 --> 01:44:42,250 and Washington Post and others, that shows a clear change 1770 01:44:42,250 --> 01:44:46,667 in people's attitudes, the larger American public's attitudes 1771 01:44:46,667 --> 01:44:51,083 towards privacy and the NSA spying in particular. 1772 01:44:51,083 --> 01:44:54,375 I think the job is to continue to hammer home what we have been 1773 01:44:54,375 --> 01:44:56,751 saying and talking about. 1774 01:44:56,751 --> 01:44:59,292 You know, talking about the lawsuits and what exactly 1775 01:44:59,292 --> 01:45:02,292 is metadata and things like that because at least 1776 01:45:02,292 --> 01:45:06,083 from these recent polls we are seeing -- I think we are seeing 1777 01:45:06,083 --> 01:45:08,709 for the first time since maybe 9/11 where 1778 01:45:08,709 --> 01:45:12,918 the larger public shift towards privacy and shift towards government 1779 01:45:12,918 --> 01:45:15,876 surveillance regime is changing. 1780 01:45:16,209 --> 01:45:20,375 AUDIENCE: There is an active ongoing petition 1781 01:45:20,375 --> 01:45:26,876 on the WhiteHouse.gov website to pardon Edward Snowden. 1782 01:45:26,876 --> 01:45:29,999 Last time I checked it had 132,000 signatures. 1783 01:45:29,999 --> 01:45:32,501 Is that just an empty gesture? 1784 01:45:32,501 --> 01:45:34,999 Is that a valuable tool? 1785 01:45:35,792 --> 01:45:39,292 Or does that come up with a free Internal Revenue Service 1786 01:45:39,292 --> 01:45:42,167 audit for all the signatories? 1787 01:45:42,167 --> 01:45:47,250 (Laughter.) AUDIENCE: -- of the petition? 
1788 01:45:47,250 --> 01:45:49,999 I wanted to know about what if anything the government has to do 1789 01:45:49,999 --> 01:45:52,459 to respond to that petition. 1790 01:45:52,459 --> 01:45:53,709 I just want to take a chance to talk 1791 01:45:53,709 --> 01:45:56,083 about the White House petitioning system because it 1792 01:45:56,083 --> 01:45:59,999 is something that I don't think a lot of people know about. 1793 01:45:59,999 --> 01:46:01,292 But the We the People site -- KURT OPSAHL: We 1794 01:46:01,292 --> 01:46:03,334 have one minute remaining. 1795 01:46:03,334 --> 01:46:04,999 MARC JAYCOX: The White House petition site 1796 01:46:04,999 --> 01:46:09,501 is a massive campaign tool for the Barack Obama campaign. 1797 01:46:09,501 --> 01:46:12,999 You give them your information and they harvest your data. 1798 01:46:13,417 --> 01:46:15,083 That's my quick ten seconds. 1799 01:46:15,417 --> 01:46:19,667 Be careful when you sign those; it's a campaign tool 1800 01:46:19,667 --> 01:46:23,209 for the president's election. 1801 01:46:25,999 --> 01:46:31,626 KURT OPSAHL: We will talk to you afterwards, but we have to move. 1802 01:46:31,626 --> 01:46:32,918 Sir? 1803 01:46:32,918 --> 01:46:34,876 AUDIENCE: Question and a comment. 1804 01:46:34,876 --> 01:46:38,250 So Congressman Rick Holt of New Jersey has introduced 1805 01:46:38,250 --> 01:46:42,792 legislation to roll back the surveillance state which asks 1806 01:46:42,792 --> 01:46:47,292 for repealing the Patriot Act, refiling FISA Amendments Act, 1807 01:46:47,292 --> 01:46:50,501 not having requirement to have back doors 1808 01:46:50,501 --> 01:46:55,751 in telecommunications equipment and then one more item. 1809 01:46:55,999 --> 01:46:59,292 What do you see as the prospects for that bill? 1810 01:46:59,292 --> 01:47:01,334 MARC JAYCOX: Representative Holt's bill is one 1811 01:47:01,334 --> 01:47:05,375 of the strongest bills presented in Congress thus far. 
1812 01:47:05,792 --> 01:47:10,083 The only kind of nuance with the bill is that it completely -- 1813 01:47:10,083 --> 01:47:14,999 the government has some sort of need for a grand jury subpoena 1814 01:47:14,999 --> 01:47:18,459 to get some sort of information. 1815 01:47:18,751 --> 01:47:21,375 Representative Holt's bill doesn't have that in it. 1816 01:47:21,417 --> 01:47:23,959 There should be a process by which that happens, but it's 1817 01:47:23,959 --> 01:47:27,501 the strongest bill thus far and it is another indication that Congress 1818 01:47:27,501 --> 01:47:29,751 will tackle this issue and knock on wood it 1819 01:47:29,751 --> 01:47:33,292 will -- One quick comment because it's relevant. 1820 01:47:33,501 --> 01:47:35,501 He is standing for election in the Democratic primary 1821 01:47:35,501 --> 01:47:39,209 on August 15 -- KURT OPSAHL: We are actually out of time. 1822 01:47:39,209 --> 01:47:40,876 But thank you all for coming. 1823 01:47:40,876 --> 01:47:42,918 It's wonderful to see you here. 1824 01:47:42,999 --> 01:47:46,999 (Applause.) KURT OPSAHL: Thank you. 1825 01:47:46,999 --> 01:47:48,083 It's great to be here.