I'd like to introduce the EFF panel. This is the ask the EFF panel. You get to ask some of the premier legal minds devoted to making your sure your ass doesn't end up in jail, questions. So I'm going to hand it off to Kurt Opsahl. And let him introduce his panelists. >> Welcome everybody. So great to see so many people here today. How many of you are already familiar. With EFF? All right. I have a good number of hands. Thank you for following our issues. So I'll make only the briefest descriptions for those who haven't. Electronic Frontier Foundation. We are a nonprofit civil liberties organization, dedicated to defending your rights online. For fair use, for privacy, for innovation. And we want to make sure the future is one we want to live in. One of the things that we do a lot here is we provide free legal advice to speakers and security researchers, who need that. And we're here today to answer your questions. We'll start out by giving brief introductions to my co-panelists here. So you can see what sort of work we do. Give you some ideas about questions to ask. One ground rule very important as we do provide legal advice, and we often have had members of this community become our clients, but this is not the place to ask legal advice. You want to have a attorney client privilege conversation which is confidential. When you're explaining the things that you might have done and you're worried about. When you're doing it in front of several hundred people, that is not the right place for it. So if you have those sorts of questions, save them for later. Come find us after. Write to info@EFF.org. Our intake coordinator can help you get in touch with the right people. But, umm, for these questions, any other topics about what we do? We'd love to hear them. So let's start out and have our panel introduce themselves. >> Hi there. My name is Eva Galperin. I'm a global policy analyst with the Electronic Frontier Foundation. I work on EFF's international team. Meaning that while we have many employees of EFF who's job it is to worry about U.S. law and U.S. surveillance and sort of U.S. persons, my team worries about the rest of the world. We're a little busy and we don't sleep much. Primarily, I work on -- my work is focused on vulnerable populations. Which means usually journalists and dissidents and activists. I work on privacy surveillance security and free speech issues. You can ask me about sort of the security and privacy advice that EFF is giving, the kind of training that we're doing with people in Ethiopia and Vietnam. I'm also particularly interested in the post Soviet states. There's a lot of really interesting stuff going on with surveillance right now in the U.K. and Australia. I am also available to answer various questions about sort of how EFF views security research because I have published a great deal of security research with EFF and also in cooperation with citizen lab. So having said that, here's Yan. >> Hay, I'm YAN, I'm a staff technologist at EFF which is a really vague title. But I maintain a browser extension called HTTPS everywhere with the tore project. Wow, thank you. [Applause] Cool. Yeah. Making a new release when I get back on Monday, I also make a browser extension called privacy badger. That's an ad -- You guys really like browser extensions. Ok I'm not done yet. We'll get this. And what else do I do? We have a new mail encryption project called star TLS everywhere which I've spoken about here for a little bit. In general my work is on -- focus on how do we protect people's privacy from advertisers and governments and so forth. And also how do we get people who run servers to turn on encryption as much as they can. So you can ask me anything. >> Hey guys, I'm Mark Jaycox. I'm a legislative analyst with EFF where I hope to get our message to congress and talk to lawmakers and work -- depending on the congressmen or congresswoman, argue what their staffers about what they're doing. What they're trying to do. And how their legislation will impact tech. My main issues, issues I work on deal a lot with national security issues, surveillance law, the CFAA the Computer Fraud and Abuse Act. And kind of a lot of the surveillance privacy laws. >> I'm Nate Cardozo, I'm a staff attorney with the Electronic Frontier Foundation. I'm on the civil liberties team. I do free speech and privacy and I work with Curt on the coders writes project. We represent hackers and security researchers and academics to try to keep them out of trouble and get them out of trouble. We do in fact counsel people who present at conferences just like this to make sure they don't say anything that they will regret in front of a room full of Feds. I work on, I don't really work on the national security cases that we do. Right now I'm suing the government of Ethiopia for wiretapping an American citizen on American soil using a targeted malware program called FinFisher. If the FinFisher guys are here, tell them I say hi. I work on some automotive privacy issues because I like cars. I do freedom of information act litigation as well and right now along with our legal fellow Andrew Crocker, who is not here, I am suing the NSA and the office of the director of national intelligence to get them to court over documents about the so called vulnerabilities equities process. This is the balancing test the government uses to decide whether or not to sit on zero days. And we want to know what that process is because they haven't told anybody. And so we foyed it and of course they didn't respond so we sued. That's what I do. [Applause] >> As I said, I'm Kurt Opsahl another one of the attorneys at EFF. Let me tell you about a couple other pieces of litigation that we work on that you guys might have questions about. We have a couple of active suits against the National Security Agency for the war against wiretapping program trying to put a halt to the unconstitutional legal telephone records program and the upstream wiretapping program. I also am working on the case against national security letters. These are letters that the FBI can issue to serve providers without a court, without any process. To obtain information about their customers and if they get one, the service providers aren't allowed to tell anybody, even the fact that they have received one, we got a court to declare it was unconstitutional last year. Thank you. [Applause] The government has appealed. We are defending that appeal so argument will be in early October and we will go explain to the appeals court, why that's not right and shouldn't be allowed. We also work on some intellectual property issues. Probably answer some of your copyright questions if they come up. And I guess with that, let's start this up with the questions. Sir. >> Thank you. Can you hear me okay? >> Yes >> My name is Don Nindell. I'm CEO of a Nevada corporation. I have two patents on security. They deal with encryption. Because of that, about three years ago, I got a card from one of the ACLU panelists. And I want to ask, do you compliment? Do you work with ACLU? What I'm thinking about is, maybe I need a card from one of you also because if I'm in encryption, you know exactly who's looking at it and why I'm a person of interest. Is it possible to be able to edit -- to get a card like this after -- in a private session? Because I think some day they're going to be right here standing besides me and yanking me off. Do you understand my question? >> I think the question is -- how do we work together with our friends at the ACLU. >> Yeah, you complement each other? Do you coordinate? Do you work side by side. And which one of you would be the best one for me to consult with in the event that no such agency -- I'm not supposed to mention it. >> The second part of the question was how do you get assistance from EFF when you find yourself in legal hot water. >> Something like that yeah. >> Let me address, I guess, the first question, the first and we work together very closely with the ACLU. For example, one case that we're working on about the 215 records program. We are co-counseling with the ACLU. So that's a pretty tight relationship. We have been Amicus which is -- in court cases, in addition to the parties, you can come in as an Amicus like a friend of the court to provide some additional views to the court from your community. So we've often done this in ACLU cases. They've often done that in our cases. So I think we have actually a very good relationship with them. And do complement each other. And I think the second part of the question was how to, how to get assistance from EFF. So actually on this panel, we have two former intake coordinators. They have now gone onto other jobs with EFF. One of you guys want to talk about that process a little bit? >> I can do it. So if you would like EFF to help you in some way, if you are looking for legal assistance, the thing to do is to e-mail info@EFF.org. At the other end of that e-mail address, is a very nice man named Amule whose job it is to patiently talk to everybody who wants EFF's help. Figure out whether or not this is the sort of case that that EFF would like to take on. And if that's the case, put them in touch with an EFF attorney. If it is not an EFF case, his job does not end there. The next step is to put this person either in touch with other resources, especially if this is sort of not an EFF like issue. Or to put them in touch with our list of cooperating attorneys we maintain a list of several hundred attorneys across the country all of whom are interested in doing pro bono cases and sometimes you know, sort of semipro bono discount cases that come EFF's way. And who can also provide you with legal assistance. What we do is send an e-mail out to that list. And if somebody responds, we go ahead and put you in touch with them. >> So YAN, I was wondering if you could describe HTTP Nowhere for the folks in the room and where the implications of billing that entails and stuff like that. And another question is, could you guys talk about the Riley case and implications for hackers in the room and how things might have changes. >> The implications from which case? >> Riley. >> Hacking -- Cell phone searches. >> Absolutely yeah. >> Okay. I guess since you asked the first part of the question to me, I should answer it. How many people here use HTTPS everywhere? So real quickly what it is, it's a browser extension that will automatically make the HTTPS connection to a website when you visit it if we know that that server supports HTTPS and things are unlikely to break if we switch you over to SSL. So this prevents SSL strip attacks which Moxi has presented on in the past, and also, sometimes Redit for instance, doesn't really, until recently, you had to go to pay.redit.com to get the SSL version. So we would have that automatically in a browser extension so -- it's pretty good. We have like 10,000 sites or so in the development version right now. Maybe 4,000 stable. So lately a lot of people have been saying with all these NSA attacks and privacy concerns, HTTPS Everywhere is not good enough. What you want is a harden Browser mode where you don't have any clear text traffic. So what if you could just only use HTTP -- sorry, only use HTTPS, never go to HTTP. So it's actually pretty easy to do from HTTPS Everywhere. So now if you use the development version of HTTPS Everywhere, you could experiment with this mode called HTTP Nowhere mode where it blocks all HTTP traffic. I have to do some weird things like turns off OCSP for a little bit, otherwise, you'll get SSL errors all the time. I love feedback on that and stuff like that. >> All right. And a second part of the question was asking about the Riley case, which is a recent decision by the United States Supreme Court dealing with the search of a smart phone. And of course found nine-zero that you needed to have a warrant to get this information. This is a really good decision. Not only is it a good decision because this means that the government needs to get a warrant on a cell phone if you're arrested. That's good enough in itself, but it helps establish precedent for other cases. The discussion in that case has a lot of really good language that is going to end up in briefs. For years to come where the court was saying your whole life is in your phone. It matters to protect this information and that they -- the governments argument that well, you know, basically as technology made things easier to have on your person. We should sort of treat this like -- just whatever happened to be in your pockets -- ordinarily they can look in your pockets and search to arrest. So they wanted to have the effect of new technology be an expansion of police power to search. So they would be able to get anything that happened to be in your pocket, all the way into the phone and potentially into any server side information that was accessible to the phone. And the supreme court rejected that theory. Rejected their theory that because these phones were connected to servers elsewhere, that the, you had given up your privacy rights to them because you had communicated that information to a third party. The government said therefore you didn't care about this information -- should be free rain. No warrant needed. The court rejected that. The government said, well we put forth some regulations and rules that will make sure this happens in a very orderly and nice manner And the courts said our founders didn't fight a revolution to have government regulations and rules. This is 9-0. Right? [Applause] So if you guys read in our briefs and the years to come, I think you're going to see a lot of quotes from the Riley decision and we're going to try to make that precedent stick all over on fourth amendment issues. [Applause] >> Hi, I'm Andrew Conway. I'm a researcher for Cloud Mark. I'd actually be interested in a a comment from each member of the panel on this one. What do you think the best and worst things that have happened in the past year from the point of view of your particular work for the year ahead? >> Awesome question. >> Great question. >> All right well, we're hitting the whole panel. Let's keep it very brief. I think I'll start out with some of the best and the worst things. It's the same thing which is the revelations that we have learned about -- the additional information we have learned about NSA surveillance. The best thing because we now have much more information about it, it helps us fight our law suits against the NSA and it helps make people aware of what's going on and the need to stop it. It's the worst thing because oh my God, they're doing an amazing amount of surveillance on us in contravention of our constitutional rights. >> I'm going to take a very similar approach which is the, I'm going to talk about a different leak which happened just last week and earlier this week. There was a hacker who goes by the name of Finius Fisher who broke into Gamma. >> Huh? >> So the hacker who broke into Gamma, which is a company which makes a product called Vinture and Vinspy. They went ahead and pulled a bunch of their brochures and also a whole lot of other documentation. And some of their source code. And put it all online. One of the most interesting revelations that have come about as a result of this particular hack is conformation of a lot of the work that Citizen Lab has been doing over the last couple of years about the fact that this company which is based in the UK and Germany is selling its surveillance equipment to governments that are using it for very shady purposes. Using it to spy on activists and journalists and possibly committing human rights abuses. So it's really great to get sort of conformation about this stuff that we have been suspecting for several years. Umm, the bad news, I think the worst thing that I've really seen this year is a lot of security and privacy burn out. I talk to journalists and activists all over the world and I watch them sub come to the privacy anihilism. They read things like the FinFisher hack or they look at the NSA documents and they say well the government knows how to get to everything all the time anyway. So why should I bother protecting my privacy and security at all. And this is really one of those -- one of the most important fights that we need to fight on the world stage, which is getting people the technical information they need to understand that when you simply give up on protecting your privacy and security, you are letting the bad guys win. Governments want you to think that they are all powerful and that they see everything all the time. Because if you don't do anything, you make that work trivial. And there are a couple things that you can do that will make their job hard. [Applause] >> That is a difficult answer to follow up. So I'm just going to say something really boring which is that SSL usage is actually up quite significantly. So there's a report that stated in some parts of the world, like Latin America, peak traffic percentage of that that's encrypted has gone from about one or two percent to about ten percent. It's amazing. And it's largely because major service providers have been turning on SSL. And there's more about to come. So Cloud Core has said if we SSL for all customers -- but very soon -- and word process said, we're turning on SSL for everyone in the next year. That's a lot of sites. So we're doing okay on that front. The bad things that happened this year was Heart Bleed. And it was really demoralizing to other people and we -- as a maintainer of HTTPS Everywhere I actually noticed some sites starting to break after Heart Bleed because their operators said we're just not going to use SSL now. We're going to turn it off. And that's really sad. >> So you know what? It is very rough out there but you know what's a little comfort to everybody? A little bit of tradition. But what we could all use right now is something that we all know and love. Which is welcoming new speakers. I know not everybody that's up here is new. Some of you have spoken before. Please raise your hand if you are a new speaker at Def Con. >> Alright! [Applause] >> I'll also take a drink cheers. Congratulations. [Applause] >> That's good too. >> I'm awake now. >> Now back to your regularly scheduled mayhem. Thanks guys. >> Thanks guys. I will have to take a similar approach to Curt I think the worse things are -- is really the information we've had from Snowden, from the leakers. I think the best thing though I will take is part of the educational aspects. The public, larger public non-tech people are becoming a lot more aware of what they share -- who they share with. Their behavior's changing. They're learning what a third party is. And where their information is potentially going. To data brokers and other third parties. And at least in -- particularly in my area, especially working on the legislative side and with congress, members of congress actually are getting educated on these things. We've seen members of congress outraged that they were not properly briefed on this stuff. And completely outraged that they have a right to know, they should have been informed and they weren't in some instances. So that has a huge impact on where congress is moving with this stuff, gaining a base understanding of the complexity of these systems. Complexity of what the NSA and government and intelligence agencies are collecting. So those are really the two most important aspects on my book. You have a clear response which was, increase education from the public and from members of congress. And that provides a base level, right, it provides a foundation to understanding the systems and it provides the foundation to reorienting your actions towards more privacy friendly, towards a more tech friendly environment and in particular when it comes to lawmakers, legislation, and smart legislation. And actually thoughtful legislation. >> So, one of the projects that I work on at EFF is our, who has your back report. This is the report where we give gold stars to companies that have good practices in protecting user data. Companies are little children and they respond very well to being offered gold stars. This year was our fourth year, fourth? Fourth year of who has your back. And the best thing that we saw this year, far and away, is companies almost down the line with the big Internet Service Providers. Google, Microsoft, Facebook, Apple, are promising to give notice to users when the government comes seeking their data unless they're gagged. That is just extraordinarily important if a company gives notice to the user when the government comes seeking their data, that means the user can fight back they can contact info@EFF.org. We can move to quash the process. And if the company doesn't give notice, no one can fight because the company's not going to do it. We've seen in the last year that column on our who has your back report just filled with stars and it's awesome. That frankly is a direct result of the Snowden leaks. The companies had egg on their face with that beautiful prison slide that we saw on August 6th of last year. So they needed to do something -- or June 6th -- they needed to do something. And they are. And that's great. I think the worst thing that I've seen this year is CFAA reform is stalled in congress. It's not moving and it needs to move. After our friend Aaron Schwartz's tragic death, there was some momentum behind it, and now it's not moving. And that sucks and it needs to change. >> Alright. So when I receive an email with a GPG signature, it's really reassuring that I know that the e-mail comes from the person I want it from. Is a GPG signature generally considered evidence in court that an email came from a place, and ultimately a lack of a GPG signature can that be used as evidence that an e-mail didn't come from someone -- asking for a friend. >> As to the second part of the question, I don't think anyone's ever tried that. As to the first part of the question, you would need an expert testimony to support that. Umm, but sure. I mean it helps establish train of custody. It helps establish authentication. It's not forged. My GPG fingerprint is on my business card and I encourage all of you to do the same thing. So I know it's actually your GPG signature. Anyway, yeah. >> Can I ask a quick follow up which is weird because I'm on the panel. But that was a great question. Conversely. >> Get in line. >> What's that? >> Get in line. [Laughing] >> So conversely, people say OPR's great. Because that's plausible deniability. Do you think that will hold up in court as evidence that someone didn't say something if the other party turns over their chat logs. >> Maybe. >> I don't know. Okay. >> I'm a lawyer. The answer is it depends. >> Well it's complicated. [Laughing] >> Well plausible deniability and non-repudiation are two different things. So, sorry, did that make sense >> Thank you guys for what you do. What kind of expectation of privacy do employees have from next generation firewalls that are doing HTTPS inspection. And as an administer. >> Could you speak up? >> Could you please? >> And slow down a little bit. >> Sorry, what kind of expectation of privacy do employees have from next generation firewalls that are doing HTTPS inspection in their workplace. And as an administrator of one of those firewalls, is there anything legal that an admin would need to know about running one of those? >> I'll take the first part of his question. Most of you when you come to work for a company, among the very large piles of documents that you sign, one of them essentially says that anything they do to you on their net work is nice and legal and you say it's okay. And that includes intercepting your encrypted chats on their network. Man in the middling them and reading them. Networks such as apple have been doing this for years on the theory that this will help them catch leakers. If you have given up your rights you have given up your rights. That answers the first part of the question. Whether or not there is any culpability on the part of the network of administrators, I'm not a lawyer, and this is not legal advice. But again, if the employee has already signed a document saying that anything you do to me on the net work is nice and legal, I don't think that you have any culpability. >> I would add a little bit to that as a lawyer. I would add it depends. There are circumstance sometimes where they don't put the things in the employee manual -- what it says in the manual and how detailed it is. There are cases from time to time in which somebody has been able to say what they have done with actually not part of what I gave consent to in the employee manual. And under some circumstances where government employers if you're trying to -- you may have some additional rights. So under particular circumstances, it could happen. So if there's something where it's a concrete example and there's a real question. That would be the sort of thing to get specific advice about that particular situation. >> With your encrypted e-mail initiative, what is your technical goals and are you working with anyone else's also working on the same sort of problem like dark mail? >> What was the last word you said? >> Are you working with other people who are also trying to solve encrypted e-mail like dark mail or anything like that. >> So the question was, what's our encrypted e-mail initiative. Which makes me -- the way you ask that makes me think that I was kind of misleading in my introduction. Oh so, our encrypted e-mail project is for server to server transit encryption, not end to end like you encrypting an e-mail to another person. Which is what a lot of people use PGP for. So our encrypted e-mail project Start TLS Everywhere, is to make TLS connections between SMTP servers more robust. I'm not sure if that's actually what you wanted to hear about. So I'm going to stop talking. But if you do, then ask someone else will ask me that question. Yeah. >> Hi, my name's Ethan, I'm a 3L at UCLA. I really appreciate your work. Historically when you look at lot of the civil rights battles they've been done very strategically. An organization will have a very clearly defined goal, be it gay marriage or desegregation and they go about achieving that goal very strategically through test cases and being very selective. Do you have any macro goal like that with corresponding strategy or are you a more of an attack everywhere mentality. >> We absolutely cannot attack everywhere. We have about 50 people in the organization. And that -- our band width is constantly filled with being able to work on -- a small percentage of the cases. We definitely try to be strategic about it. One of the things that happens with our intake coordinator -- we're talking about that process before -- is try to determine whether to take the case to see if it can be done within our band width and also accomplish the goal. Try to set precedent, try to do something which is going to have a greater effect then just on the parties involved and try to push things forward. I know there are things which are over arching our goals. We want to support fair use. So we take some cases which will help solidify the fair use doctrine. We want to determine that a -- third party doctrine is book. Third party doctrine is this notion that you lose your fourth amendment rights if you store information with a third party and then this was brought about in the late seventies, nowadays with more and more information going online. It's very dangerous doctrine. We're trying to find the right cases to undermine that. To come up with a better doctrine for dealing with information in the digital age. So yeah, we do operate very strategically. >> I'll also add that we also have annual meetings where we think about hard and seriously what we have done in the past year. At least -- I'm speaking for the legal team now, precedence wise -- and each team does this. But thinking about, for the year, what have we done in the past and what really do we want to do in the next few years? You know, three, five, seven years. So there's a lot of long-term thinking. There's a lot of you know, figuring out where our resources are best served. And that long-term thinking, I think, you know, is very important to figuring out where we spend our resources. What we want to do, what we need to do. And a lot of it, you know, we get from talking to you guys. >> I'll give a concrete example, the Ethiopia case that I'm working on that I actually should be writing an opposition to a motion to dismiss right now but instead I'm talking to you. We took that case so -- our client is an Ethiopian American. He's a US citizen, he lives in Silver Spring Maryland, charming man. We took that case not just because what the Ethiopian government did to him sucks, we took the case because we want to establish the precedent that governments can't just spy on people willy nilly without going through the legal process. Which is exactly what the Ethiopian government did to our guy. And if we can get an American court to say illegal spying is illegal and you can't do it, that's valuable. Not just for our client, but for everybody. So I mean, that's a window into the type of thinking that we do before we take a case. >> So my question's more about turning to the offensive. I'm a malware researcher. And I've come across many times where a botnet or a ransomeware coming out of a control server, is vulnerable itself. If I was to say attack that server with the end goal to shut down the botnet or disable the malware network, what legal ramifications are there and is it even an option? I don't want to take it, I want to dish some back. >> It depends. [Laughing] >> For a question about your particular situation, that's probably one in which we should be taking offline and having a -- >> Ill advised! >> I'll spin on that question a little bit. Microsoft did something interesting a couple of weeks ago. They discovered a botnet that they didn't like at all. That was using noIP.org. The dynamic DNS services. For its command and control structure. Which I think is a pretty clever idea. But that's neither here nor there. And they decided they wanted to take it out, and they were going to take it out by suing noIP. And they did, and they got the registries to turn over control of the name servers to Microsoft. And as a result, they put five million innocent dynamic DNS subscribers out of service for like four days. That's not the way to do it buddy. So thank you. [Applause] >> My name's Shawn. With the Supreme Court of the United States weighing in a lot of these issues where we have crash course in technology for the justices. Obviously there's different ways that they can get things wrong depending on your perspective with regard to legal and philosophical matters. But it seems to me that'll be really bad if they get things wrong because of technical matters. It seems to me that their lack of technological savvy represents a threat to them getting it right. I'd like to know if you guys agree. If so, to what magnitude do you think that risk is. And do you think there is any way to mitigate that risk. >> This is actually something that has been involved with EFF for many years. Which is explaining to judges about technology. In order to be a judge, you have to practice law for 20 or 30 years. So you tend to be of the generation or two beyond what the current technologies are. And this has been one of the challenges. And we try to do this by explaining it well. We have our staff technologists who will help us out. We're writing our briefs, trying to explain it in clear plain English terms, what these technology -- use metaphors so the judges will understand and try to improve it. Now you may have seen for some of the decisions the last couple years by the Supreme Court where they ask some questions which indicated that perhaps they weren't fully understanding the technology. Things like, if a pager got two pages at the same time would they get a busy signal and this is about pager technology which is already a generation behind. They had -- and in a recent decision, they talked a lot about the cloud. Some of them seemed to understand what that meant. Some of them maybe not, not so much. But, nevertheless, this is something which is very important. And one -- a very important sort of, saving grace which I think that's help come up with some good decisions out of judges in recent eras, is they all worked with clerks. And the clerks are recent law school grads who are much more familiar with modern technology than the judges they work for and can help explain it to the judges and understand the briefs about it. >> Thank you. >> I have another Riley question. I'm a graduate student. I deal with human subjects data. I also have to go travel internationally a lot. Does Riley just protect my cell phone, or does it also protect my laptop and tablet and does it protect me at the border. >> Let me hit that, the first question is does Riley protect you beyond cell phone? Just a little digression about how sort of the the precedent system works. So when you have a case decided, what it means is just specific to the facts that are there. The case is about cell phones. But when you later have a case about a tablet or laptop, you can say to the court, look this is similar to a cell phone. This is something that is so similar to a cell phone because it operates, because like a smart phone, it can do these functions, it can -- communicate just like cell phone can. That you should come to the same conclusions for this new technology as you did with the old technology. And so the cell phone decision forms a precedent. And that we were to be using that precedent case by case to expand its scope so it hits these other areas. And then as far as international borders, your rights are much lessened at international borders. Coming in, they are able to do -- instead of needing a warrant based on probable cause, they need reasonable suspicions which is a lower standard -- >> Your suspicious. >> What? >> I just said your suspicious. >> Very suspicious. >> Thank you we're all suspicious. >> Umm does that answer your question? >> Yes. Thanks. >> One more thing. EFF has written a white paper about your rights at the border. This is referred to as our border search white paper. It was written by my colleagues Seth Showen and Marsha Hofmann who's now in private practice. So if you would like more details about your rights at the border just go ahead and take a look at them. >> Thank you. >> There's recently a technological innovation that IC is expanding the scope of what can be accomplished through speech. It's called bit coin. And it allows a person to memorize a phrase and there by travel, go here go there, and keep secret with an arbitrarily large amount of money. To communicate that phrase to another person through speech alone. And that person can then, if they were to so choose, go use a computer to get access to that money and give it to somebody else in the same way. So now that transmitting money and storing money is a form of speech, that wasn't true until four or five years ago really. The EFF has done cases where people have encrypted tax records and things like that. There -- haven't there been some EFF cases already that look at the intersection between a person's right to privacy and free speech and finance. But now that the scope of that relationship is just being blown wide open, why is EFF just staying out of that fight and why is it -- you know. Why do they refuse bit coin donations. Why are they -- >> We take bit coin donations. >> Where does that play out? Like the current regulatory guidance's from the IRS and Bensin, and New York department of financial services. Does EFF even do regulatory law? Are they going to start doing regulatory law because of this intersection? >> Let me clear up a little bit of confusion. There was a brief period of time during which EFF stopped taking bit coin donations. And the reason why we did that was because we were not sure that it was legal for us to do so. And we needed the time to consult. >> Modification on that. It's that there was some question about the legality and what we'd like to do is be counsel for people, and not be the defendants of such. So we provide legal services to others who are in situations and so, this sometimes means that we are not the first actor on things because we want to be in a position to defend it. We didn't want to have a situation in which we're representing somebody who is using bit coin and the other side to say, well you use bit coin yourself. You're not a serious player here. You're just trying to defend your donation stream. And then after it came to what -- I'll let you finish the rest of the story. But I wanted to interject there. >> All right. We consulted with some trained legal professionals that spent a lot of looking at the law of banking regulation. And once we felt the chances of us ending up being the defendant in a lawsuit rather than somebody's lawyer, we made another public announcement saying yes we would in fact take bit coin. I actually think that bit coin is a very important technology. Primarily because it is a very powerful tool in the fight against sort of limiting free speech by attacking its weakest link. Which you definitely saw in the sort of U.S. attacks against papal payments to wiki leaks. So this is one of the reasons why we're excited about bit coin technology and EFF. >> Thank you for answering the question. >> No problem. >> My question is kind of threefold. And it all pertains to the blimp campaign at the Utah data center. >> Well, try to limit it to two, sort of twofold questions. >> Ok, alright. >> Fold folds two and three together. [Laughter] >> All right. How about one and two? Do you believe that you achieved your goals with add campaign and what sort of backlash or repercussions have you had or challenges in launching that campaign? >> Which campaign? >> The Blimp campaign above the Utah Davis center. >> Oh the blimp campaign. >> The weather was a challenge. [Laughing] >> I think I -- I think I can speak on that for a little bit and anyone can jump in to. One of the major goals of that campaign -- well actually gets back to the Beth Schwartz question. A big aspect of that came was increasing education around that. We know that a lot of you guys know about the NSA, it's really reaching out to the next step and reaching out to the general public. To the people who sometimes don't know what HTTPS is. So that campaign was a pretty huge educational campaign around that issue. We saw massive hits around it, we saw massive sharing around it. That is one of the main campaigns to increase education awareness about NSA spying and especially around the bills in congress too. We released a score card. Score card is -- methodology around where senators and congressman and congresswomen lawmakers rank. And that stopped the spying.org. And so that blimp campaign was part of that larger roll out to make sure that we pass strong reform that we fix at the minimum one of these programs in the short-term. And making sure that things get done. We've seen just crazy things over the past year. And we need to fix a lot of them. So it's pushing that envelope further and getting people to act. Getting congress to act. And increasing awareness around that. >> Thank you. >> You guys are great. Thank you for your courage. >> Thanks. >> The question I have is we've seen a lot of mob enthusiasm for net neutrality. And while I think that's great, I have a concern when congress makes bills about the internet. And I wanted to run a couple of lines from these bills by you. In the most recent bill, it says that fixed broadband providers may not block lawful content. Application services or non-harmful devices. And then in the unreasonable discrimination, it also says fixed broad band providers may not unreasonably discriminate in transmitting lawful network traffic. It seems like by making those statements, they're also implying that they will have someone at these broad band providers watching to make sure everything is lawful in order to block unlawful content. I was just curious, what is your opinion on some of the recent net neutrality bills? And do you guys have a congressmen or two that maybe has a little more technical chops than some of the people in there that can have a voice in amending some of these bills and all of this? >> Yeah sure, I guess the kind of my initial response is it's very hard to do a spot on legislative analysis right up on stage. I do do that at some times but it's probably a little bit hard. That language sounds actually more like from some of the computer security and cyber security bills than an actual net neutrality bill. For the second part of your question, I'd like to take a step back a little bit because right now, we hear a lot of rumblings that congress is going to do something on net neutrality -- or not even do something, but there are bills in congress about net neutrality. And that does not equate to congress doing something on net neutrality. We have a lot of PR bills released. We have a lot of bills that are there for press release splash and to make news. Right now net neutrality is really in the regulatory phase and they're trying to figure that out. We had over a million comments filed on the net neutrality and where it's going on -- net neutrality reclassification and where the public is at and where the FCC is at. Congress right now I think is watching. But congress is -- I don't really think congress is going to be passing anything straight up on net neutrality. I think the important aspect -- especially what you seen the EFF focus on and our resources is, around the FCC, the comment system and community wi-fi and getting those things out there. We'll see, congress, as there want to sometimes they react quickly and will throw something on the floor and try and move something. But right now net neutrality is really in the regulatory aspect and we're trying to hammer it down there and get our opinions and our thoughts out there. >> All right umm, what is the -- I guess current state of case law around IMSI catchers or stingrays. And what can we do to change that case law so that it's not as god awfully scary as it was last I looked? >> I'm actually not sure of the answer of that question. >> One of the things we're doing around IMSI catchers is we're filing a bunch of FOIA law suits to try and get municipalities and agencies to fork over the records of when they use IMSI catchers. We think they use them a whole lot more than they admit to. So we are trying to do that. Hanee Facurey our criminal law attorney is not on the panel. >> In general on IMSI catchers I guess, some of the question is how can you safely do research on IMSI catchers? I guess point back to when Christian Pagent demoed a IMSI catcher at Def Con a couple years ago. We were able to get to a circumstance where it could be researched within a comfortable -- within the bounds of the law. There are many laws about using these kinds of devices. So if you're doing research on them, it is definitely a good time to get some legal advice to make sure you're doing it in a safe way. >> I would also add that the current state is unknown. The stuff that's actively being litigated, I think just in the past couple months. Our point criminal defense guy has filed amicus briefs on this. There's a large question as to the breadth of information and the breadth of call detail records and information that they're collecting on innocent people or on non-suspects. So I think the current state is cloudy. That's why we're here. We're here to file those amicus briefs and to make it less cloudy and clear for the judges. >> I'll spin on that a little bit. This is going to get legal geeky for just a sec. In the American legal justice system, when law enforcement come seeking a warrant, they usually go to magistrate judges, which are the lowest level of federal judges in the United States. They are not appointed for life. They are not full article three judges. But they sign warrant applications. We've seen in the last year what's being referred to as a magistrate revolution. We've seen magistrates rejecting search warrant applications a lot. And it's great and they are actively seeking amicus participation from groups like EFF and ACLU. And I think we need to see a lot more of that. >> Okay. I've got a pair of questions. One on the international side and one on the judicial side. So I'm both a U.S. and UK citizen. Does that make me more or less protected from U.S. and EU surveillance? So maybe I am -- [Laughing] >> So yeah, it's serious. Maybe one can say awe he's EU. Nah we can just take his stuff anyways. What happens there? And then secondly on the judicial side -- so for Riley, just as an example whenever we see the government pushing very strange interpretations of what constituted reasonable searches, is that consistent across the entire judicial department or are there any particular instances where they say no, that's entirely reasonable were going to abandon trying to push some strange interpretation of what is a legal search. Thanks. >> Should I take the first half? >> Response to that. The first question is who do you trust more? The NSA or DCHQ? [Laughing] >> But Eva has a proper answer I asume. >> Meanwhile back in proper answer land. [Laughing] >> So very often when you hear activism around opposing illegal NSA surveillance, you hear very sort of American centric language. Which is the NSA is spying on Americans. On American citizens on, you know, blue blooded whatever the hell. And this is not okay. And the implication is, that if you are not an American citizen -- if you are not an American you have no rights. You're left out in the cold. Screw you. The NSA can spy on you all you want. This is not true. This is not even remotely true. One of the reasons why you hear so much rhetoric around how terrible it is that the NSA is spying on Americans is because Americans are specifically outside of the NSA's remit. So it is the most clear cut case of the NSA breaking the law. But, just because you are a non U.S. person, does not mean that you don't have rights. And there are a couple of points, a very important points that EFF has been making in this area. One of them is in fact our Ethiopia lawsuit. Where we are making the point that if you are a government and you want to spy on somebody in another country, you are still subject to the laws of that country. And this applies in the United States and it applies when the U.S. government wants to spy in other countries as well. So we're trying to set that precedent. EFF was also instrumental in putting together a set of principles. The 13 principles on the application of human rights to mass surveillance. And hundreds of organizations all over the world have signed on to the principles. Which you can find at www.necessaryandproportionate.org. Which is a very long and awkward URL. >> And I can't spell it. >> And one of the points that we make there is essentially that you are still protected by international law if you are a non U.S. person. You still have privacy rights. And the governments should only be using mass surveillance in a way that is necessary and proportionate to the task at hand. And what the NSA is doing right now we're arguing is well outside of these guidelines. >> Thank you. >> Hello again. How does the privacy law scale to space and other worlds? >> That's a great question. >> There is a an international treaty on space. It has some rules about weaponization of space and so on. But I have not really examined it for how the privacy laws -- but I would sure hope that if we are going to other worlds -- to going to outside of this one, that we maintain a society of the future that respects civil liberties wherever we go. [Applause] >> Hi, in the last five years, there's been a proliferation of on officer video systems throughout the country -- >> On one what? >> On off surveillance video systems. Cameras the police officers wear on their person. So then when they go into somebody's home or into a business, by contrast let's say a dash cam that's limited to the field of view in front of a vehicle, or a CCTV on the inside or outside of a business, now law enforcement has the capacity to enter into a private residence or at least some sort of a private domicile. Does the EFF have a stance on law enforcement wearing on officer video. And also what are kind of the restrictions about chain of custody. And now we have storage medias or mediums that can basically store evidence indefinitely, are there any concerns applied to that as well? >> I'll hit on the first question. No matter what technology the government is using, they need to use it within the bounds of the constitution. So if they have a camera on them inside of your house, they still need to have a warrant to go inside the house. And where this is actually come up most in the law has been places like using heat imagers to look through walls. Getting that difference between something that you're doing outside of a house and being able to see information that's inside that protected place. We want to make sure all of these technologies are being used within the bounds of the constitution and where they are seeing into a protected area, in a place where you have a reasonable expectation of privacy that you are able to protect that reasonable expectation. And the, sort of the other, I guess tension that comes in there a lot as new technologies are being used, where previously there were things that were very difficult for the police to do by just a sheer like challenge of having the number of officers necessary to do it. So this has come up in the cases of GPS location vs. --well we could have an officer drive around and follow after somebody but now we have this new technology that enables us to do that. In that case, the Supreme Court said that the fact that you might be able to do it by having somebody go around. You couldn't practically do that. So this doesn't mean it's always okay to use the technology to replicate that. So likewise they might say that the difference you see the camera on and off service. They couldn't remember everything that they saw. But now we have the camera to be sure. But on the whole, the real question is whether they can go into a place that require a warrant if they come to your door, come back with a warrant, whether they have a camera or not. >> Thank you. >> Hi. I've got a two parter on the practical implications of a technology lawsuit. So, when you work with tech all day, a lot of things could seem common sense there's just simple facts of how the system works. But to a laymen and the court, it seems like complete -- like impenetrable to them. And I wondered if there was any way to think about when expert testimony would be required in a lawsuit. >> Expert testimony is almost never required in a lawsuit. There are some very obscure areas where it is. It is required that -- those are rare. And especially in criminal law, expert testimony is almost never required. That said, it's often extremely helpful. And the more the better. If you are a technical expert and you're willing to testify for free in EFF cases, e-mail us. Info@EFF.org. >> So then is it just a matter of having a lawyer that's willing to understand the technology deep enough to make the argument? >> Yup. >> And then my second part was what are the implications on winning a case if you do need a technical expert? And also on bankrupting a person that has to hire the technical expert? >> What was that last part? Bankruptcy? >> So like, yeah, if you -- would it just be an incredibly expensive ordeal that not an average person could hope to do. >> That's one of the things that we try to resolve. By providing free legal services to people who otherwise could not afford to do a defense. If you have to pay for high quality lawyers who understand these technologies, there are a number of them out there. They'll charge five or $600 an hour. They're great. But most people can't afford them. And there are a number of circumstances where it's been really satisfying to get into a case where the other side really thought they could come in there and brow beat somebody, just blow them away because they have so much money and resources and then be on their side and we're working for free and we get experts to come in to work for free and are able to match them toe to toe where they are trying to drive somebody under the ground with the sheer weight of money. It's very satisfying when that doesn't work. [Applause] >> Again, concrete example from the Ethiopia case, we have a whole stable of computer science Ph.D.s from citizen lab, from the University of California at Berkeley, the University of Toronto Monk school who are doing top notch computer forensics for us for free. Thanks guys. >> First of all, I'd like to thank the EFF for all the good work that you guys do. And secondly, I have a big question for you, in regards to Lavabit, and the talks that have occurred here at Def Con, from the founder of Lavabit. Has EFF done anything, or do you plan to do anything to try to address the legal issues that constitutional issues, really that the founder of Lavabit face where he wasn't able to tell people his ordeal except the attorney that he was engaging. And the fact that the government was aware of the fact he was engaging certain people for legal advice and all the issues surrounding it? >> So we of course have been following the Lavabit case very closely. We helped refer Ladar to a former EFFer Marsha Hofmann who was able to help him out. Umm, on the broader issues, one of the things we have been trying to do with our national security letter case is to try and establish that silence enforced by these lawyers where you can't tell somebody that you received a national security letter is a violation of the first amendment. We're trying to get it so people can talk about the process that they received and can be able to fight back against it more effectively. We umm, we're very concerned about the case. We ended up filing an Amicus brief because of the implications that were coming out from the notion that they could get the key to everybody. That, you know, in order to go after a particular target, you get the key that decrypts everybody's e-mail, and that's far too raw. It is not targeted and you have to trust the government that they're not going to misuse that key. Unfortunately that case did not go the way that I thought it should have. Or the way I would have hoped. Or you know, we're there for the next fight as well. >> Thank you. >> Hello. So a while ago Europe decided that we had a right to be forgotten. And I think it was recently declared technically infeasible. I was just wondering if the EFF was involved in that and what's your opinions, if you can disclose them? >> Oh yeah. So recently the European court of justice made a terrible ruling regarding a gentleman in Spain who wanted to have some information about his previous legal dealings. I think the sale of the home of his in a bankruptcy case removed from Google search as part of an implementation of the right to be forgotten. And the European court of justice moved this. Not only could they require Google to do so, but that they would start requiring Google to comply with a variety of requests. From people all over the European union to simply have things removed from search if they simply didn't want them there anymore. Google is actually not a big fan of this ruling. Because as you can imagine, having to hire a whole bunch of people to process all of these requests is an enormous pain in the ass. It may seem easier to simply, grant them all, but then you're engaged in this sort of mass censorship, which we think is extremely problematic. So one of the things that we've been working with Google and other search engines on, is we've been talking about -- talking with them about what they can say about the things that they have removed from their search engines in response to the right to be forgotten. And we're going to see if we can do some sort of analysis about what is being taken down, how it's being taken down. And why it is being taken down. Because we have a theory that when you grant people the right to censor content about themselves, you're really only creating a tool for the powerful to groom their own image. But this is not really an argument that we can make without facts. And the European court of justice is actually struggling very hard to keep the search engines from being able to publish anything about what they're taking down, not just how many things they're taking down, but who they are taking down -- them down in response to and why. Because they feel that this will simply create a Streisand effect. Where you have essentially done everything but tell them, hey, here's where you find the information. So there's that sort of struggle between these two forces right now. It is my hope that the European court of justice will come to understand that this is simply not a feasible ruling that it doesn't really protect anyone. But people who are already powerful. And I hope that they backtrack on it entirely. And this is something that the EFF has really been working on in its international activism. >> One of the important things to remember about the right to be forgotten ruling, is that the Spanish gentleman at issue sued both Google and the publisher of the newspaper to get the article itself taken down. And the newspaper won. So the article still exists but Google lost and it was de-indexed. So it's not as bad as it could be. >> I'm not sure that I would characterize it as not as bad as it could be. I think one of the -- >> It's aweful. >> One of the lines from the ruling is essentially we could not get the paper to take this down because that would clearly be illegal, and so we're going after the search engine because we think it would be easier to implement censorship in this way. And I think creating a new centralized form of censorship that is entirely up to very large search engines is a terrible idea. >> Yes. >> Just in case my thoughts were not clear on this subject. >> One of the best benefits of the ideal of electronic freedom that I can imagine as an American citizen would be to be able to go online on some government web site and authenticate my self-appropriately and see every database the government has that has my name in it. Not the contents in particular, because that would -- my understanding would be more likely -- freedom of information act where you can request the contents of a document once you know that the document exists. But there are situations where you don't even know that the government is tracking you, for instance, like on the no fly lists. Which my understanding is, you don't have the right to even know that you're on it until you get the hand in your face at the airport saying you can't get on the plane. And more recently, the secret lists that the veteran's administration had about, cooking the books on how soon they were actually getting to patients and stuff like that. Is there anything like that being tracked as a form of electronic freedom and do you know of any other secret lists that the government has that the average, you know, that are being tracked as an issue that the average conscientious citizen might not have furloughed? >> I guess -- no. [Laughing] >> I could answer a little bit about the list of lists. Actually a while back, we did a freedom of information act request to get from the FBI at least more information about some of their databases. We were looking at the investigative data warehouse. Which was there attempt to combine a bunch of these lists together in one place. But, it probably is going to be very difficult to get the full list of lists because they will often in the freedom of information act litigation say that this information is secret. And therefore cannot be revealed. You can go and foray yourself and try to get the records that the government has about you. But the most interesting ones probably will -- they will not give you or even indicate that they have. >> Yeah just expand a little bit on that. And then Nate if you want to talk -- I think when we're talking about lists and lists of lists, it depends on who you're asking. The domestic non-intelligent side, they at least published, they being DHS -- and this is not for criminal investigations. We know about the no fly list because they have to publish the list they keep when they're keeping a system of records. They have to put out this notice. The notice does not go into precise detail. It does tell you the data they aim to collect, often retention periods, who they're going to share it with. And more information like that. So kind of the crazy list at the DHS we know about. It's really just the intelligence list. Because it goes beyond the privacy act, which mandates DHS do those lists. It goes beyond the FOIA, the freedom of information act to request where they have a lot of the -- the information we found out right from Snowden and from the leaks. So that's kind of my answer. You have to separate it out. We are going to know probably a lot of these civilian agency lists. We will probably not know a lot about the intelligence agency lists unless courage becomes contagious and there are more lists of lists out there. Umm, and the criminal investigatory list. We may know some of them, but there is always going to be some hidden lists. And I think that sums up the nuance of how we approach these things and how we approach what information the government is collecting. >> My question dove tails on what you were just saying. Given what is apparently an increasing trend of aggressively prosecuting federal leakers is the process of protecting federal whistle blowers broken, can it be fixed and what are the implications for all of our -- for the next potential Snowden. >> It is totally broken. >> It is totally broken. >> Agreed. >> And it's broken in particular -- I'll answer what I can and you guys can jump in. It is particularly broken on the intelligence side. You know, we have seen all of the leakers, to be honest with you Rick, Thomas Drake. You can't go -- you are forced to go up through a system that at least from the history and the evidence we have, is intended to and does neglect warnings from lower individuals. People have warned their managers. You know, we have Thomas Drake saying and Snowden saying we warned these manager and what happens is they don't listen. That is a huge problem. Then on the other side of that, you have the congressional intelligence committees, who are supposed to be over seeing these things and who are supposed to be insuring that whistle blowers and leakers can go to them. But again, we see that not happening and that doesn't happen because the system is broken. There are few, if any, protections. I believe there are even no protections. >> There are protections for whistle blowers on the books. They're just not strong enough. That they are basically designed to allow people to speak to the government inspector general about problems that they are seeing or to a make a complaint to the government. And sometimes there's a concern that those complaints will not be acted upon and so sometimes the whistle blowers are not satisfied with internally whistle blowing. There is a really great site, whistleblowers.org that actually discusses what protections are out there. So there are some, but it's just not enough to give a real assurance to somebody that wants to blow the whistle that they will be able to do so both with protections and effectively. >> Unfortunately, a lot of the protections to whistle blowers apply only to federal government employees and do not extend to contractors. Snowden obviously was a contractor. Not a federal government employee. So a lot of the whistle blower protections that are on the books for employees didn't even apply to him. >> And last of all, if you think things look grim for whistle blowing and reporting on whistle blowing in the United States, try Australia, our partner in the five Is which is currently considering legislation that would essentially make it illegal to report on documents which have come to light on the subject of national security in Australia if they are made public by leakers. And that's an attack not just on leakers but on journalism itself. >> Is there anything we can do to fix it? >> Certainly there are things to try. One of the things is, there is one on -- the journalism front here in the United States, there's a really good case called Bartnickey which is addressing a circumstance in which a radio station got some information that was unlawfully obtained. They published it on the radio, peole went after them and that -- for publishing that and went up to the Supreme Court and the Supreme Court said because that information came to them through no fault of their own, they had a first amendment right to put that news out there. So we haven't seen a lot of cases in which after the information has been received by a -- newspapers or reporters where they brought cases against the newspapers and reporters. So that's been helpful. And then for some of the suggestions that have been made, the espionage act could be used against whistle blowers. I think that if that actually was brought before a court, it would be a hard case for the government to win. The threat of it out there may discourage people. But this is a 1918 law that was passed during World War I. It's fairly a draconian. And it hasn't really been used. But it's threat is there. I'm hopeful if it ever does get through, they'll pull the trigger on that. And that ourselves or someone else whose fighting on that case, can establish that that is above the law and take that threat away. >> Thank you. >> The other -- so there's another side to this of course which is there are technical protection measures that whistle blowers can use to protect themselves. The one that I'm going to plug is secure drop. Secure drop is maintained by the freedom of the press foundation which is a friend and client of the Electronic Frontier Foundation. And allows what we think is probably a secure way for whistle blowers to talk to journalists in a way that they will not be able to be identify later. So yay, secure drop. >> So I actually work on secure drop and have since the last major re-release of it. So secure drop is based on a Tor Browser window currently. So all the caveats of browser attack surface, all the caveats of attacks against Tor -- services and so forth, apply to secure drop. So make of that what you will. But there are people who are, there are more people now thinking about how to protect whistle blowers internalists because they realize this is a really important problem. We heard of this thing called invisible.IM that some people just came up with. So yeah, there is more technology out there. But, you know, like given an adversary like the NSA, you have to be really careful about the claims you make about security. >> You mentioned earlier about community wi-fi. My question in regards to that is how does community wi-fi and municipal fiber affect net neutrality. And how can one like myself combat the vast amounts of misinformation surrounding those subjects. >> Little hard for me to hear you. You're asking about municipal wi-fi. >> Yeah community wi-fi and municipal fiber and how do they effect net neutrality and what can I do to combat the misinformation or any of us do? >> So on municipal wi-fi, we have an open wireless project that we are promoting. Part of it is actually, here we have recently released some software for router based on open WRT. We're trying to make it both more secure and also have it easier to have a segregated guest network, so people could open their wireless and help -- basically be a good neighbor and allow people to get on the internet through their connection while not compromising ourselves. Another aspect of this is -- in order -- municipalities are either making unity wi-fi where they're harboring free wi-fi for all the citizens of their community, or in some cases they'll have municipal fiber which they will make available to people who want to use it. So it's like, let a thousand flowers bloom using this municipal wi-fi. And this means that people will have alternative ways of getting on to the internet where they can just go through their city or through a neighbor who's running open wireless. Then this can help bring them out -- you don't have to go through a major provider who have been talking a lot about being un-neutral and throttling different types of -- or making a fast lane depending on how you look at it for various types of access to web sites. So by providing an alternative path for people to get on the web, that maybe helpful in making sure that folks can get to the stuff they want to see without having to go through a major ISP. >> Thanks. >> I know we briefly talked about gag orders, I was curious to get your opinion on warrent Canaries. That being a canary that dies in the mine to say that it's now unsafe to be there. Along the lines of, you know, Google or someone hosting a page that they update manually every week or so saying no we haven't received a warrant or a gag order. And then you know, can the government actually tell them to not take this down and to lie to -- with hold this gag order. >> So warrant canaries are fascinating. And I actually wrote a FAQ about warrant canaries so you can look at that on our blog for a really deep drill down. Sort of go over briefly, that this has not been litigated, we don't have a court that has said one way or the other about how it would work with warrant canaries -- and you were exactly right about what the issues and things --compelled speech. Courts have dealt with compelled speech before. And in a few instances, you can compel someone to speak, like warning labels are a form of compelled speech. So that's why they, the cigarette companies don't want to have warnings on their packs. But nevertheless, they're compelled to do so. Most compelled speech circumstances have been in commercial speech. And a warrant canary would be a circumstance where it is put there for political reasons. And by and large when it is compelled political speech, courts have not been friendly to us. I think there's some pretty good argument that the government shouldn't be able to compel you to lie. Never the less, these haven't been tested. And one of the things that we'll see if one of these cases come up, please do get in touch with us. Because we'll be very interested in that type of case. Ideally it would be a circumstance in which the canary, the event will not occur for some time so that we can have a full briefing schedule with the court. And the court can look at it in a calm and measured manner which is sort of -- courts if they're going to do something bold and radical, they need to do it in a calm and measured way. So if you know this is going to go live tomorrow and the government is saying there'll be blood on your hands, we have a giant emergency here, most likely the court is going to say okay, I'm not -- I don't understand this well enough to do something bold and to disagree with the government who's telling me the world will end. But if we're able to go through it and explain these -- write a good brief that explains the compelled speech law and how it applies here, we're hopful for the best. >> Hi, thank you for your work first of all. My question is regarding the topic of privacy and identities. And I wanted to get -- >> Privacy and? >> Identity, online identities. >> Online events. >> Identities. Just want to get your opinion on government programs that deal with these issues such as the national strategy for trust identities in cyber space nstic? >> Can you repeat the last half of the question? >> Which -- is this better? >> Yes. Much better. >> Sorry. First time on a mic. Your opinion on programs that deal with trusted identities in cyber space such as nstic, which I just use the acronym. >> It suggests what? >> nstic national strategy for trusted identities in cyber space. I just wanted to get your opinion on programs like that. >> I know that some of my colleagues have been looking into that. But I don't know if anyone is on this panel. Lee was looking into that. >> Lee Chin will be able to answer your question another time. >> He's really great. So he's probably doing wonderful things about it, but I just don't happen to know what they are. >> Hi, so, it's been an interesting year already for supreme court cases. You've already talked about a couple of them. There was also the one having to do with retransmission of over the air television broadcasts. >> Aereo. >> Aereo, yeah. >> Yeah, I was wondering if you could comment on that and if you could comment on any upcoming Supreme Court cases that you're involved with or tracking. >> I'll answer the Aereo question. So Aereo, as many of you may know was a company that was selling a service where you could basically have an antenna -- individual antenna, so they have thousands of these dimed sized antenna. Each customer would have one. It would get broadcast from initially New York and eventually some other areas. And for residents of those areas, they could watch over the internet, a stream that was generated from that antenna. And we looked at that case, and looked at the law, and it really seemed like that was a circumstance in which they were not doing a public performance of the copyright act. They were doing something that was basically an extended antenna, it was an innovative way of doing something. That was not prohibited by the copyright act under the language of the act as drafted. And so we wrote an Amicus brief in that case and tried to explain to the court that some people were saying basically, this is taking advantage of a loophole, this is not what we want to have here and then it's not the court's place to make these sorts of decisions. So in order to preserve innovation, people have to innovate within the law that exists. As I look at the law that exists, they find that there is an area where the copyright act is not prohibiting it they should be able to do that unless congress comes in and changes the law to make those changes. But nevertheless, unfortunately, the Supreme Court that did come out against Aereo's business model, they said they were kind of more or less like a cable company and so therefore they should be treated like a cable company and well, Aereo ended up losing on that argument. >> Do you think that has any other implications for other companies outside of that decision? >> So the court in writing this decision took some pains to say we are not doing anything that's going to be bad for the cloud. They were very worried about the effect of this case on the cloud. The word cloud came up a lot. In our argument there. And so I hope that when other judges are looking at this decision and they have the content industry saying this decision means that something else that is innovative is also bad. That those courts will look at that language that limiting language and say okay, we should limit this really to these specific facts. But certainly the reporting industry is going to try and expand it as best they can. And so, we're going to try to limit it as best we can. >> Thank you very much. >> If you want a little piece of legal decree, our colleague Parker Higgens did a cut of all of the uses of the word cloud in that oral argument. And he put it on sound cloud. So if you Google Parker Higgens supreme court cloud, it's masterful. >> Have you or any of your associates suffered any of the theoretical consequences of your affiliations be it increased surveillance, selective prosecution or anything that would be considered heat. And if not, do you at least feel like you're walking on egg shells. Harvey Silverglate's book talks about the average American breaking three federal laws a day. Umm, I guess that wouldn't really be an option for you guys I would think. And also, I'm not limiting the scope to just governmental type heat, but any organizations that would consider you adversarial? >> So -- to add to this, I feel like we are within three hops of people that they're interested in. So under the terms of the program that probably means they are looking at our phone records and such. But we're all under surveillance under the program. Whether it has been directed heat. I don't think any of us have been selectively prosecuted. And you know, I would hope that even if they are looking deeply at us, that's -- I would think that if they actually decided to do something discriminatory, that they realize that'd be a bit of news and that they wouldn't want to create martyrs. But I guess we'll find out if they do. >> For the U.S. government detaining employees of the electronic frontier foundation is incredibly media pathic. That provides us with a tiny bit of protection. My threat model on the other hand, because I do international work and I spend a lot of time working with journalists and activists who are under threat in other countries, my threat model is mostly non U.S. government. And probably the funniest sort of heat that I have ever seen come my way was the time that the Vietnamese government sent me malware. [Laughing] >> I do all of EFF's malware analysis reports. [Laughing] >> Free advertisement. >> So they couldn't have sent it to a more appropriate person. If it had come to somewhere else, our intake coordinator would have just wound up sending it to me. So I got together with Morgan Marquis-Boire from citizen lab and we wrote up the contents of the malware, but what was particularly interesting about this malware, besides the fact that it would not have worked on my machine in the first place, was the targeting. The malware was made to look like an e-mail from a gentleman at oxfam offering me an invitation to a conference in Asia. This showed a tremendous understanding of what interests activists. Which is free conferences. [Laughing] >> If they had really wanted me to open the document, they should have offered free flights and hotels. [Laughing] >> Business class travel would have done it I think. >> Oh man, I would have been owned. >> I wanted to add to what Curt said about canaries and say that the courts are much more liberal when it comes to restraining action. >> Can you get closer to the mic. >> Sorry, I was going to add to what you were saying about canaries. That the courts tend to be much more liberal about restraining action then compelling it. So if the canary is automated or already up, they can restrain you from modifying it much more willing to do that than it would be to compel you to continue to take a manual action. But my question really goes to what you said earlier about infrared cameras peeking inside home using heat sensitivity. And it goes to technology and the reasonable expectation of privacy. And the question is, does encryption create a reasonable expectation of privacy? Particularly vis-a-vis Smith V Maryland? >> So talking about Smith V Maryland. For those who are not familiar with it. That is the origin case of the third party doctrine this notion, that if you put your information online that you are no longer having an expectation of privacy in it. So it's open season on that information which is one of the things that we're trying to undercut that doctorate and make it make sense in a modern age. On encryption, one of the areas where this has come up has been on forced decryption. There's a little bit of a different question. Because if your encryption is good. Then the question of whether you have a reasonable expectation of privacy isn't going to come up so much as, can they get at it. And they'll need to get a password and the question is can they require you to give up that password? So it usually comes up in a 5th amendment context. >> Or a key. >> Or a key. >> So umm, while you do have a fifth amendment right, to not give up your password. Sometimes this could be undercut by the inevitable disclosure doctrine. So what this means is that if they are able to convince the court that that information would have come up any way because they know what's in there, then they could require you to decrypt it. They can't tell you to give up your password. They will require you to decrypt the information, which is the same. But if decrypting the information would show that this is your information, it would be a testimonial act, it would give them new data that you actually had control over this, then that starts to be more strongly protected by the fifth amendment. There have only been a handful of cases on this so while we're going to continue to work on those fights and push against forced decryption. And we really have not had one which has put decryption or encryption into, directly in the third party doctrine. So we'll look forward for when that case comes up before the courts. >> I think an important -- another important point here though is -- I would argue very strongly and I have, that you have a reasonable expectation of privacy in your communications even if they're not encrypted. >> Absolutely the fact that's a case that we were successful with in the sixth circuit where the court found that there was a reasonable expectation of privacy in e-mail, even if it wasn't encrypted regardless of whether it was encrypted and required a warrant to get that e-mail. And one of the things we did with the who has your back report, that they were talking about earlier, is we asked all these service providers, do they insist upon a warrant before they give up content. And you can look at that report and see where the gold stars are. We're basically asking them to say that they agreed with that six circuit decision and would apply it regardless of what circuit they were in. >> I was concerned that my question may have actually just been pulled out from under me by the previous questioner. But it looks like it veered in a different direction. So, my question was, can you speak to third party doctrine in the context of data that is encrypted before leaving your system and being stored in cloud. In other words, true crypt file stored on drop box. That sort of thing. Without veering into the fifth amendment side of it which I know is a separate discussion. By doing those two actions together, are you automatically going to fall under third party doctrine, even though the data was encrypted before it left your system? >> I guess you echo a little bit of what Nate was just saying. What we've been pushing for is to require warrants before you get that information regardless of whether it's encrypted. That this notion that you've given up your privacy rights by taking advantage of online services where you're storing your information elsewhere is an antiquated and out dated notion. You should be able to take full advantage of modern technologies without giving up your civil liberties. So. [Applause] >> Now you can add to that by giving yourself some technical protection. By using encryption both in the communication and storing it there. And this can be helpful to add an extra layer of technical protection against that principle. And to -- what gives me a lot of hope on this front is the Riley decision. The Riley decision we talked about earlier, this was the cell phone decision. And one of the things they talked about was why you needed a warrant there was in part because if you got onto somebody's phone you might be able to access information they held elsewhere. And if you think about that, if they believed that the third party doctrine made all of that pointless, you didn't a warrant, once you put it on the server, it doesn't matter there's no need to say that in the opinion. It's suggested that when they were looking at the phone, looking at the capabilities of the phone to be able to get that information off of a drop box or wherever, that this was something that brought a warrant to their mind. So hopefully we will get a good case on this. More good cases to establish that a warrant is needed for any of this information whether it's encrypted or not. But sure, you might as well also add that extra layer of protection by putting encryption on any materials your storing elsewhere. >> Thanks for everything. >> The files that allowed for the 3D printing of firearms were taken down, can you discuss the law around that. >> The question was about the 3D printer and the firearms. I don't know if anybody on this panel has worked on that. >> That case is in progress. That's the best answer I can give. >> I'm curious about if in your international work you've run into situations where a foreign government is using the U.S. court to suppress free speech from bloggers and online newspapers from dissidents from their government. There's a recent pattern recently, the Haitian government has been using defamation laws in the U.S. to silence, by opening multiple lawsuits against bloggers and online newspapers. I'm wondering if you've encountered that strategy from other governments or -- and is that something that you guys would be interested in looking into? >> Well it turns out that there's an incredible variety of tactics that governments use to silence speech all over the world. Especially speech which is taking part on platforms that they do not directly control. So third party platforms like Facebook and Twitter and Tumbler and Blogger are tremendously dangerous to governments that want to maintain strict control over their media. And frequently these platforms become one place where you can get independent media in certain countries. Probably the best example of that that I can think of off the top of my head is Ethiopia. Because I spent a lot of time working with Ethiopian activists. We've seen a couple of different tactics for shutting down speech. Probably the most common one that involves the U.S. law is to simply file DMCA takedowns against speech the government doesn't like. And this is a very common abuse of the DMCA. This is sort of the basis of one of our main protests against the DMCA. Because the way the DMCA works is that a person who is complaining can actually get content taken down merely by alleging that the content is theirs. And that it is an abuse of their copyright. And it is up to the person who has put the content up in the first place to file a counter notice if they want the content to be put back up. And in doing so, they both have to reveal information about themselves and also open themselves up to the possibility of a lawsuit. And so often they are -- even if they know they can do this, they're scared to do so. Sometimes the content is also time sensitive. So by the time they have filed the counter notice and put the content back up, it's already too late. We've seen this approach. We have also seen the abuses of the abuse reporting system. For example, I worked with activists at Viet Tan which is sort of prodemocracy opposition group mostly located in Vietnam that was having a bunch of their Facebook sites taken down. So many members of the Viet Tan were losing access to their Facebook accounts. And this is where they were doing most of their activism. And it turned out that supporters of the Vietnamese government had figured out that one way you can shut down somebody's Facebook account very quickly is simply by reporting that the user is underage. This is another abuse of the abuse system rather than abuse of the court system. And one of the things that EFF finds extremely worrying is that these third party platforms like Facebook and Tumbler and Twitter have become sort of the semipublic comments. And umm, often you don't have to go through the courts anymore and you don't have to go through any kind of legal rig ma role if you want to suppress speech. All you need to do is gain the system that these platforms put up in order to decide what content stays up and what stays down. And in order to sort of fight this, EFF has just received a grant from the night foundation to run a site that we're calling onlinesensorship.org. I think the first version of it is already up. It's a place where people can report things that have been taken down from -- on these sites usually for TOS violations and this gives us some insight into how these services are taking content down and whether or not there is bias in the kind of content their taking down and whether or not there are campaigns to get certain kinds of content taken down. Which is something that we really don't know anything about right now. >> Thank you. >> We only have a couple minutes left for questions. Only about two minutes left for questions. >> Two minutes? We'll take these last two questions. >> Jump into it. As we use technology more in our civilization and I assume technology related questions like the DMCA and -- maybe a keylogger in Divorce or something, those are all penetrating the courts across the country and just boring non- precedence setting cases. And I wondered if you guys had any insight into how much or how often these technology issues are coming up just in random cases that don't make the news and if you think our courts and the random lawyers across the country are up to it. What's the situation with all that? >> We get a little bit of insight into that because our intake system receives a lot of requests where they may not be precedence setting that we end up referring them to other people. But at least it gives us a sense of what's out there, we try to refer people to qualified council so they can fight those issues. There's probably a lot more people out there who don't know about the EFF who might be in the situation that don't know to contact us. So, if you hear about people who are in a situation where they should contact us. Pass down the good word. But yeah, I think the technology is coming into many many cases. A number of years ago it was -- it would go to the courts for the subpoena to try to identify an online speaker. And we were called to a lot of litigation around that to try to establish what the test is for revealing the identity of an online speaker. Now we will occasionally get involved in those cases where it's going to be a chance to approve that test or find that test in a new jurisdiction. But in many many cases all across the country, people are using that and applying those tests to either identify or not identify somebody. >> Cool, alright, last question. >> So if people want to use software, they have to click something that says yes I have read this document and I have agree to the all the terms so although people technically have agreed to it, they probably aren't aware that every single thing they type into the address bar of chrome is going back to Google and they probably haven't begun to think about how nest is going to affect what Google now knows about them. You guys have the who has your back report for encryption. Are any plans to put up a similar report for who isn't asking you to give out copious amounts of your privacy or calling out the ones who do? >> That's a good question. We don't have any plans to do that right now. We are pretty slammed bandwidth wise. But it's great. You should do it. [Laughing] [Applause] >> Alright, thanks. >> Thank you. Thank you all for coming and thank you so much. The support from this community has always been very important to us, we love you all. It's so great to be here once again to answer your questions. So thank you guys. [Applause]