>> All right. Anyways, this is going to be Nicole, Kevin and Tim and they're going to be speaking about surveillance on the silver screen. I know the hour's kind of like - let's give them a big hand.
>> [Applause].
>> Come on. Louder! Awesome. Thank you!
>> Fabulous introduction. Thank you. Sorry about that. So thank you all for coming, particularly Saturday night at 6:00 PM. This is going to be a super fun panel, a great night to talk about surveillance on the silver screen with two of my favorite folks to talk about these issues with. On the end is Kevin Bankston, who is at the New America Foundation. You may have known him from previous starring roles at CDT working on creative expression and EFF for almost a decade. Working on privacy, free speech and new technology and Kevin was also the lead counsel in NSA's AFS cases against the NSA, post 2005 revelations. And Tim Edgar who is currently at Brown and as an adjunct Professor at Georgetown University. Tim is going to bring a great perspective to tonight's panel because he actually worked in the belly of the beast for a couple of years. Both with Obama on national security issues and the first Deputy for Civil Liberties for the Director of National Intelligence from 2006 to 2009. So you can pause for a moment and think about a couple of things that may have happened related to surveillance between 2006 and 2009. So we have supplied him with beer and hopefully he will be loose-lipped during the panel.
>> [Laughter].
>> There are no more secrets, unfortunately, to spill.
>> Or maybe later on at parties. And I'm Nicole Lizzer, I'm the technology and Civil Liberties Director for the ACLU in California. I actually first developed this presentation almost a decade ago when some of the first revelations were coming out about the NSA and Kevin and I did this presentation at DEF CON about 5 years ago where several of the issues in here we thought were still fiction.
But post-Snowden, we have realized even more of it is fact. So we're going to have a fun time tonight sort of going through some of these clips and talking about what's fact, what's fiction, what's legal and hopefully having some nice conversation and debate about the issues. And we have a pretty short timeframe tonight, but we do hope to be able to take a few questions at the end or come up afterwards and we'll be happy to talk. So we're going to start it off with our first clip. You may recognize the people in this movie.
>> VIDEO: I don't know if you guys should be talking so loud.
>> Oh Lisa, it's not like anybody's listening to everybody's conversations. [Music]
>> Hi, I'm calling about your meat lovers' pizza. I like it but don't know if I'm really ready to love it yet.
>> You hang up first.
>> No, you hang up first.
>> Okay.
>> She hung up on me.
>> But we're [indiscernible]. We should just wait until we get to Seattle.
>> Hey, everybody, I found one. The Government actually found someone we're looking for. Yeah, baby, yeah!
>> I do love that clip.
>> [Applause]
>> So this clip is a fun way to start things because it illustrates where we were just a few years ago, I think this was 2008-2009 maybe. Post revelations of the Bush era warrantless wiretapping program by Snowden. But even then I think in pop culture and real culture there was concern and anxiety about the breadth of the NSA's abilities and also questions about its effectiveness. Like you're collecting all of this hay, how many needles are you actually finding in the hay? And that's actually been a really critical question because Snowden as well. To pimp the work of my own organization, The New America Foundation, we recently released a couple of papers. One at the beginning of the year about the effectiveness, or lack thereof, of the programs.
Especially the bulk records collection of phone records where basically the Government, it started with a big inflated number of how many cases the phone collection had helped. It's basically been narrowed down to one case where they convicted a cab driver in San Diego for donating less than $10,000 to a Somali terror group. So the question is, like is it worth collecting all of our phone records for that conviction? But also last week we released a paper, you know if you're going to talk about the purported benefits of the programs, what about the cost of the programs, not just the privacy and civil liberties? And so we just released a paper at our Open Technology Institute at New America all about the costs of the NSA programs.
>> Whoa! [Applause].
>> Thank you. Not only like the direct impact on the U.S. Internet industry but --.
>> [Off mic].
>> Goodness. Goodness gracious. I thought you all were applauding my paper.
>> [Off mic].
>> Thank you.
>> Wait, am I really doing this many? Is the audience having them?
>> Drink if you've got them.
>> This is very sweet.
>> I'm now spilling shit on your paper.
>> See how many more relations there will be tonight.
>> Yeah.
>> We didn't even do the HTTPS by default.
>> Who is the new speaker in this room right now?
>> Tim Edgar. First time speaker.
>> Whoa! [Applause].
>> Okay, now I'm ready.
>> All right. Cheers!
>> Cheers!
>> [Applause].
>> Anyway we had our paper -- oh, goodness -- so not just the cost to American Internet industry and trust industry, but also cost to our foreign relations, cost to the security of the internet itself, which I think is really important and not being talked enough about. But let's look at the next clip.
>> Oh, and I wanted to say one other important piece in that clip is that it's not just at the NSA, but we see in that clip local surveillance being rolled out in the buses and we have seen billions of dollars come down into local and state surveillance. So you sort of see that confliction of issues. All right, next for those who are familiar with this film The Bourne Supremacy.
>> VIDEO: [Indiscernible].
>> It looks like it's coming from a European signal and [indiscernible].
>> Sir.
>> What you got?
>> We intercepted a call in London. Key word black prime.
>> Okay, send it to New York right away.
>> We have the phone registered to London [indiscernible].
>> You're tracking him?
>> Yes.
>> Thanks, Mike.
>> We have a survey team covering work and they're sneaking peeks on a way to the quadrant.
>> How did you find out about that?
>> I pulled his background and ran a cross check on any known anomalies but I come up with nothing. I think if we follow all [indiscernible].
>> The Bourne Supremacy. Third in the Bourne trilogy. As a civil libertarian, this movie was like cinematic crack to me because within the space of a couple minutes, this minute included, they mentioned rendition or otherwise state sponsored kidnapping and torture, sneak and peek searches under the USA Patriot Act, tracking cell phones and Echelon. How many people in this room know what Echelon is? And that's why I love DEF CON. Echelon is the program, part of a partnership of the U.S. and the U.K. and Australia and New Zealand and Canada where basically their intelligence services suck up every radio signal on the planet. It's been going on basically for decades. What's changed in the past 15 years or so is much of our international communications, and therefore, these intelligence communities' capabilities have transitioned to the wire, to the fiber network. And so that means here in the U.S., the NSA is sitting on our domestic backbone network.
Prior to 2008, primarily under the President's own authority, that's what we talked about as the wiretapping program, since then under a law called the FISA Amendments Act and primarily section 702. PRISM is what you have heard of as 702 surveillance of cloud companies and sending them targets and getting stuff back from the companies. But there's also - and that's called downstream collection. But there's also the upstream which is them sitting on the network, which we really have known about since 2005-2006 based on news reports and whistleblower Mark Klein from AT&T, the secret room in San Francisco that was part of the basis of EFF's lawsuits in this area. But we've learned so much more post Snowden including about how the Government picks these things called selectors which are things that identify their targets and those get tasked to the machines that are sitting on the network and they get fed back the data that they want. So here the selector was Black Briar, the code name for a program that trains assassins like Matt Bourne? Jason Bourne. Jason Bourne. It's been a while. And so this is not fiction. This is a capability that they have. Right now they are saying that the selectors that they use for upstream are just addresses and phone numbers. So they'll pull everything that is to or from a target or that mentions a target selector, but they say they are not using key words in the country under 702. There's also surveillance outside of the country that's done only under the President's authority without oversight by Congress, without oversight by the FISA Court under something called EO 12333, Executive Order 12333. So if you heard about them cracking into Google and Yahoo's data links or sniffing a bunch of address books and sniffing a bunch of webcam photos outside the country, that's when and how they're doing it.
We don't know if they are doing this kind of key word based searching outside of the country, they very well might, but they say they are not doing it inside the country under 702, and of course the Director of National Intelligence never lies.
>> And just a fun little fact and fiction, I don't know how many people caught it, but it's picking information from a Guardian reporter which is pretty prescient with the Snowden issues. So with all the vast powers that the NSA has been gobbling up and the data they have been pulling together, what could happen? I'm sure they wouldn't do anything wrong in those issues. Here we've got an oldie, but goody from the movie "Brazil."
>> I need some information on a woman named [indiscernible].
>> [Indiscernible].
>> Yes. I know her age and distinguishing marks, but I need an address or place of work.
>> [Indiscernible].
>> When there's a woman involved there's no stopping me.
>> So I'm sure that the NSA wouldn't be using its powers to look for love interests and I'm sure there would also never be mistakes -.
>> [Music].
>> Release the information. [Indiscernible]. Good evening, David. What do you believe is behind this recent increase of terrorist bombings? Bad sportsmanship. A ruthless minority of people seems to have forgotten some good old-fashioned virtue. They just can't stand seeing the other fellow win. If these people were just playing a game, they would get a lot more out of life.
>> Nevertheless Mr Helper, there are those that believe the administrative information could become too large. Free information and society is the name of the game you can't win the game if you're a match short and the cost of it all, Deputy Minister, 7% of the gross national profit.
>> That's not of our concern, it's the taxpayers. People want value for buck. That's why we always insist on the principles of information retrieval charge.
>> You're absolutely right.
Those who want it should pay for their queries and detection and for the information [indiscernible]. Do you believe that the Government is willing to go to bat against terrorists? [Indiscernible].
>> Pretty consistently [Indiscernible] the critical system [indiscernible].
>> They are certainly not out of the game.
>> Mr Helper, the bombing campaign is now in its 13th year.
>> Beginner's luck. [Laughter].
>> So, Tim, with all of the billions of dollars, there's no misuse ever happening within the system or any mistakes, right?
>> Right. So actually this brings me back to my days inside the belly of the beast doing oversight on compliance issues at the NSA. This is a very realistic depiction of the kind of compliance issues that we had to address. The technology was only slightly more obsolete than this technology.
>> [Laughter].
>> No, so there were two types of compliance issues depicted in these two clips and we encountered both of them. The first one was what we call an intentional violation. This is when you used the surveillance apparatus for purposes that would not be considered foreign intelligence. Like, I'm interested in this woman. It turns out it's not a requirement under the National Intelligence priorities framework and, therefore, is not a valid foreign intelligence target and can get you in trouble if you are discovered through our compliance system. There were a relative handful of intentional compliance violations that were uncovered over about ten years. About 12 of them. And all of them, I believe, involved love interests, which perhaps isn't that surprising given human nature. The term was LOVEINT. Like SIGINT or HUMINT, this was LOVEINT and it's not authorized. The second one is a screw up. This happened relatively more often. When you put in the wrong IP address or the wrong phone number or the wrong e-mail address and you collect information on somebody who is completely innocent because you just put in the wrong numbers.
And those were also captured and reported. There's a third type that's not depicted in these clips which are systemic violations, that's when you screw up the entire way in which you collect the surveillance and then you collect a lot of information beyond just the fly landing in your computer. No, you actually set the computer system up, which is the one I was actually most concerned about. The one thing I would say in defense of the Government here is that if you have a system that is detecting these violations and reporting them to Congress and the FISA Court and it is in fact, detecting violations and you are reporting them, that is far better than a system in which you say, we don't have any violations. I was always much more suspicious of any program where the compliance record was 100% than I was of a program that said, hey, we had some pretty big problems setting it up and then there were violations and we reported them and there were a couple of intentional misuses. That means you're actually measuring your violations and that's a good thing.
>> So then that really sets up our next clip. When you have immense power, what kinds -
>> Before you start, I just want to flag for those who have not seen "Brazil" what happened to Mr. Buttle. Mr. Buttle was rendered and tortured into death, so that's what happened as a result of that typo. An innocent man was kidnapped by his government and tortured to death.
>> So I am not going to say that sort of thing never happens because I think there have been very serious mistakes, but all I would say is that there's an important reason to be careful about what you do with intelligence information because if it's screwed up, then you're going to have a big problem on your hands. And I think that one of the things the NSA doesn't do is they don't do things. They don't render people. They don't, you know, they pass information along and it's very important that the other agencies understand that it's not perfect.
>> But when you have technology that can provide immense power, one of the big questions that has been sort of raging since the Snowden revelations is, is there proper oversight? Are there proper channels to make sure that laws are being followed and do we actually have laws in place to address issues that need to be addressed? And this next clip does a good job of teeing up some of that from "The Dark Knight."
>> VIDEO: Beautiful. Unethical. Dangerous. We've turned every cell phone in Gotham into a microphone.
>> A frequency generator receiver.
>> You took my sonar concept and applied it to every phone in the city. And after [indiscernible] sonar you can image all of Gotham.
>> [Indiscernible].
>> This is wrong.
>> I've got to find this man.
>> At what cost?
>> The database is encrypted. It can be only accessed by one person.
>> This is too much power for one person.
>> That's why I gave it to you. Only you can use it.
>> Spying on 30 million people isn't part of my job description.
>> [Indiscernible] you can triangulate his position.
>> [Indiscernible]. But consider this my resignation. As long as there are these things at Wayne Enterprises I won't be.
>> God bless Morgan Freeman. Really.
>> [Applause].
>> If only he existed in real life, right? I mean, you know he does exist in real life, but you know what I mean. The screen Morgan Freeman who is infallible, if only he existed, but he doesn't. Instead we have Dianne Feinstein and the FISA Court. So, I love this clip because it is one of the most potent and widely seen metaphors for the moral conundrums that our intelligence community has been put into post 9/11. And it illustrates the need for, well first, the questioning of, should anyone have the ability to spy on 30 million or 300 million or 6 billion people? And if so, under what checks and balances? I also think it's a lot of fun because it's a great mixture of actually plausible technology and really stupid technology.
>> [Laughter]
>> Because like owning your phone and turning on the mic is possible. In fact we have seen this, we've seen this in law enforcement investigations of the mafia. Like they get a warrant and turn on the mic with the provider's assistance. We've seen, you guys are well aware of malware you can inject into a phone or a computer to turn on a mic or a camera. And, you know, there is voice printing for the Joker. This capability does exist. The NSA does have that capability. But I don't think the phone network would actually deal really well with this. I think if you opened every mic on the phone network, it would probably fall over and at the very least the company would know that it's happening.
>> [Laughter].
>> I don't think Bruce would actually get away with this one, which actually brings up a fun bit of trivia.
>> [Off mic].
>> It's a [indiscernible] violation. This brings up a great bit of trivia which is assuming that this is a Wiretap Act violation, and it is, I think that you open a mic on somebody in a place where, in a private space, that's an interception of their oral communication, and if by doing so you also hear their phone conversation, that's an interception of an electronic communication. If they actually caught, if a class action lawyer actually found out about this and sued Bruce Wayne, how much money do you think he would be on the hook for?
>> [Off mic].
>> 20 bucks. If you assume 30 million plaintiffs, that's 300 billion dollars because the Wiretap Act has really huge statutory damages which is why at EFF we brought a case that would have cost the phone companies an enormous amount.
>> Or they would be liable for nothing because they would hire really expensive lobbyists and get immunity. Right? Boo!
>> Right. Boo! Which is exactly what happened.
>> I'd like to point out that it is Batman and maybe they should have immunity just for this one time.
>> I mean, it is Batman, it's not like he's an emotionally crippled sociopath or anything.
>> [Laughter].
>> But anyway, I think this clip really raises -
>> It's still Batman.
>> - an issue that we're going to talk more about, which is, if this system, even though it's spying on 30 million people is only going to hit when it hears the Joker? Has it really violated all those people's privacy or is that targeted enough that it doesn't violate their privacy?
>> It's critically important there are all these screens because that indicates that each individual phone has some kind of strange thing going on. That maybe if they got rid of the screens, it wouldn't violate privacy.
>> Yes. And then the crazy technology is this sonar thing. Maybe there's some weird milspec stuff that's starting to do stuff like that, but anyway.
>> And then the next clip we're going to go into is both surveillance is happening on national security stage, but also surveillance that's happening increasingly in local law enforcement to surveil many, many people and that is cell tracking. This is from the company WeKeep which was the 2012 [indiscernible].
>> VIDEO: Where are you?
>> You don't need to know that right now.
>> But why can't you just tell me?
>> You see, all I want to know is -
>> Are you ok?
>> Everyone is mad at you.
>> How about you? Are you mad at me?
>> Where are you?
>> I'll try to get back to you as soon as I can.
>> Got him. He's just off I94 near Gurney, Illinois.
>> Send the coordinates here.
>> Done.
>> You have a faulty light.
>> Still tracking?
>> Yep.
>> [Sirens].
>> He's just so handsome.
>> [Laughter]
>> So this is a pretty straightforward depiction of cell phone tracking which can be done in a variety of ways and is routinely done by local law enforcement as well as the Feds as well as the intelligence community. Often done with some level of precision by triangulating your position using cell towers.
Or working with the provider to turn on your GPS and track you with your GPS. Or using IMSI catchers, which are basically fake base stations pretending to be your local cell towers that follow you around in vans and triangulate your position that way. It's still very unsettled even though we've been fighting about it in the courts for a decade whether the Government needs warrants to do this or can do it under a much easier to get type of court order. We have probably 3 dozen plus lower court decisions on the issue. The majority of them require a warrant. But what we hear is that most courts will still grant permission to do this without a warrant. And in the meantime, when the Government loses in these cases, it chooses not to appeal so it can avoid higher court opinions that would disagree with its current practice. We have seen higher court opinions on another issue which is access to stored cell site location information, information about which tower your phone is pinging, that the phone company has in its logs. There's a circuit split at this point. There was a 4th Circuit case, well first there was a 3rd Circuit case we litigated at EFF where the court held that courts can require warrants, if they choose to, under the statute that applies here. A 4th Circuit case said that the Fourth Amendment does not protect this data. And most recently an 11th Circuit case that included the ACLU holding that the Fourth Amendment did protect this data. So it's still kind of the Wild West and very unclear when and how the statutes and the Fourth Amendment protect your location against Government tracking.
>> So I will venture a prediction here that much like gay marriage, the trend here is very clear, that I believe that within just a few years it will be very clear to everyone that, in fact, you do need a warrant for this kind of location tracking. That is the best opinion inside the Government and certainly inside the intelligence community.
It's one reason that there was an attempt to limit the kind of data that NSA got to exclude cell phone tracking data because of the Fourth Amendment implications of that kind of domestic data. But it really goes to this whole problem of the courts catching up with technology. I mean the older technology was less precise and so some of those older cases may have made a little bit more sense in terms of having the looser standard. But as that technology gets more and more precise, it becomes increasingly clear. And I think it's just -- you know, it's unalterably clear right now that you can't, should not be able to do this without a warrant. And, you know, but it takes a while for the courts to catch up.
>> I wish [indiscernible] Intellectual property section would take that on as the official position, but I agree that that's the trend. I'll just flag that the other problem here is simply that the level of secrecy in regard to this type of legal process has been a real hurdle. I mean we didn't even know the Government was doing this without warrants until 2005 and they had been doing it for a long time. And so it's very hard to, you know, you have to shadowbox trying to fight these things and it's quite frustrating. But the fight continues, including in Congress where there are some proposals to clearly require in statute that you get a warrant when you track a cell phone. Those are not moving as quickly as the proposals to make sure the Government gets a warrant before seizing your e-mail. That's a much simpler and easier to message issue, and easier to draft.
>> And for a long time of course the Government and the telephone companies were very happy to keep it a secret how often location information was being sought and obtained and Senator Markey, now Senator Markey, two years ago actually sent letters to all the mobile companies urging them, requiring them to respond about how many demands they were getting. That opened up some of the floodgates.
And then the ACLU actually did only our second shareholder action ever last year. We did a shareholder proposal against Verizon and AT&T to pressure them to release their first transparency reports which came out in January and of course it revealed what we had long suspected, that these companies were getting hundreds of thousands of demands for location information every year. Like one in ten of them were with a warrant. That helps to support not just the legislative efforts to update the law, but also policy efforts and creates pressure to create change. Because obviously this is incredibly sensitive information. Where you are, what you are doing, who you know and that kind of thing really needs to be well protected.
>> One thing, one additional technique or tactic that is worth noting that is actually reflected in AT&T's transparency report, you know, like I don't agree with AT&T on everything, but this is something they did good and that they did better than Verizon and the other companies that were transparency reporting at this point, is that they specifically reported on the number of requests they received for cell dumps. A cell dump is when the Government asks for records of every phone that pinged a particular tower in a particular period. And the first really prevalent case we heard of this was in the case of the scarecrow bandit, a bank robbery gang. And what the Government had done is gotten cell phones in all the towers near the banks when they were being robbed and then mined them to see if there were any in the location of the banks at the time of all the robberies. And it turns out that this is actually a very routine technique that is typically done without a warrant, but that necessarily results in the Government collecting an enormous amount of information about people who are not, for example, scarecrow bandits. But we haven't yet had a really, you know, intense policy discussion about what the standards should be for that.
What say, the minimization practices should be for the Government when that happens? Like, when and how should they get rid of the data they don't need after the case is done?
>> And we have also seen cell tower dumps tried to be used in situations that are clearly not bank robbers. There was an effort made to obtain all the cell phones of a planned labor protest. Those are the kind of things that really get us very concerned about the use of cell tower dumps particularly without proper and adequate legal process. So we will move on to -- uh-huh?
>> [Off mic].
>> It would certainly change my legal analysis, but one of the problems in this area is that the law is just so inadequate in describing what's allowed. If you're going to use a standard subpoena, for example, if you're going to say to the company, these are business records that you have created. Please give me your business records. That's a fairly straightforward legal tool. To do the much more privacy protective technique that you are describing, would obviously be much better from a privacy standpoint, but that requires the legislature, Congress, you know, ACLU, the police, to get together and have a debate and craft a statute that says, okay, so cell tower dumps, maybe for bank robbers, maybe with particular standards, maybe with particular technology will be okay, otherwise they are banned. And this is the kind of debate we simply aren't having in this country, and we need to have it.
>> And as Tim said, technology far outpaced a lot of the privacy laws about electronic information have not been meaningfully updated since the 1980s. Before the web, before social networking, far before when we were all carrying cell phones.
That's part of the real legislative fight that we're having both on the Federal level to update laws like the Electronic Communications Privacy Act, about laws that are regarding particular location information, and states as well trying to pass laws to update privacy protections for location information. We've had laws passed in Montana, in Texas, in Maine. We had a law that passed with strong bipartisan support in California, but was vetoed by the Governor. But we'll be back at it. All right, so next clip, because we're going to try to move along, Minority Report. Tom Cruise in his heyday.
>> Also handsome.
>> We can just watch the whole movie.
>> VIDEO: [Sirens].
>> We are now in position and ready to begin thermal scan on all of [indiscernible].
>> That's why you asked to partner with me on this little [indiscernible].
>> It's not that you don't trust me to be along with [indiscernible]. You think I might [indiscernible]. If I had the chance --.
>> I just let them use your body [indiscernible]
>> So 27 warm bodies.
>> Roger that, confirmed 27 warm bodies. What do you think [indiscernible]?
>> Let's do [indiscernible].
>> [Indiscernible]
>> [Music].
>> [Indiscernible] authority 2264 [indiscernible]
>> Scanning [indiscernible].
>> All right. Totally creepy. So those of us up here would, you know, clearly believe this is unconstitutional. It would be unconstitutional.
>> And I think Leo would believe it's unconstitutional.
>> Yes, trespass on the home, and even Scalia would think this was unconstitutional. When the issue of thermal imaging came up in the [indiscernible] case, it was found to be unconstitutional trespass of the homes. Scalia was particularly concerned about the fact that it would intrude upon the privacy of the lady of the house taking a bath, so he has sort of very strong feelings about home and privacy within the home.
But one can imagine that in this future world that the police may be making the argument, look, we are not intruding upon anyone's privacy, these are devices, we as ourselves, as human beings didn't actually conduct a search of these people and it wasn't until these bots found Tom Cruise the perpetrator, that that was indeed a search and he had no reasonable expectation of privacy because he was the perpetrator, therefore, no Fourth Amendment violation. And it seems like kind of a crazy argument that all these people whose privacy was invaded that were searched, their Fourth Amendment rights were not violated, we are actually seeing this kind of argument come up in the electronic surveillance context.
>> Right. Yeah, so I would agree that even General Alexander would say it's unconstitutional, but it's only unconstitutional because of the invasion of the home. And what's interesting to me, and we had a long discussion about this before the panel, is when you acquire data, there's a view inside the Government, it's been the view for decades now, that that is not collected until a person actually looks at it. It's certainly not a popular view in this room or with civil libertarians, but it is, in fact, the standard view of the Government. And the reason for it is essentially the NSA goes around, they vacuum up all sorts of signals all over the world. They don't exactly know what they've got in many cases. They have to take it back to NSA and process it, and they say, hey, we can't be considered to have collected it until we have actually done something to it to make it available to our analysts to look at. And when I was applying these kind of rules inside the intelligence community and at the White House, that was the rule, that was the internal rules that we had to deal with. Just because those are the internal policies though, doesn't mean that it is consistent with the Fourth Amendment. And so you have to analyze that question a little bit differently.
One question for all of you, is to ask yourself the question, "What is the most creepy thing about this clip?". Is it the fact that they could find Tom Cruise by extracting this data from the people in the apartment? Or is it the fact they did it in a creepy way? >> [Off mic]. >> Because, you know, what if we didn't need these creepy spiders to be looking at little girls and making them cry? What if we could just extract the data from the Internet of things that were already in your house, that you voluntarily put there in order to save energy, and we just did it by typing a few keystrokes, you know, on a computer and extracted it from a server somewhere far away from this apartment building? Well, then we're dealing with a much more murky question in which whether it's Constitutional or not is not really clear to a lot of people. >> I think this raises a couple of issues because there are two threads of thought. Legal arguments that one can imagine that basically count for the proposition that it doesn't count until actually a person looks. First and this would be if I were trying to figure out how they thought this was legal in the future considering our current case law, is one, the case law would have had to have changed, but two, there is case law about dog sniffs where a court has held that when a dog sniffs your bag, even though the contents in your bag is private and protected by the Fourth Amendment, that is Constitutional because the dog is only going to alert on contraband and you have no legitimate privacy interest in your possession of contraband, and, therefore, dog sniffs are Constitutional even if not warranted. I think that's a particularly weird conclusion, particularly considering that it is legislatures that decide what counts as contraband. So to have legislatures have the ability to decide what is a Constitutional search is kind of weird. 
If I had to guess the legal rationale for this was, that well this is only going to detect a fugitive, Tom Cruise, and otherwise won't reveal any particulars of the home, therefore, it's Constitutional. But then there is also this thread of this isn't so much in the case of legal case law, but it is apparent in the way the Government talks about it. Is that in terms of privacy violation, in terms of, you know, how we define what an intrusion is on your expectation of privacy, what counts as an interception of your communication, they seem to be following rules that imply, well, it doesn't really count until a person looks at it or at the very least, until we store it. But what we are looking at and what we have been looking at since we first found out about it in December of 2005 is a network of machines that are sitting on top of our domestic network that the NSA is directly querying specific targets, and all of our bits are going into the boxes and they are able to pull what they want from those boxes. And I would say that EFF's position, when I worked there, and now is reflected in the motion they just filed against the NSA, one of their cases against the NSA, is that as soon as your bits go into a box that is packed by the Government, that's a search of those bits, that's a seizure, of those bits. And that's a violation of the statute of limitation in electronic surveillance. This is also the same position that I've been working on in an academic paper on with another lawyer, Amie Stepanovich at the organization of AccessNow.org, and you can Google for that and look at it. I think if you read that and EFF's new brief, you will get a good idea of what the argument is in terms of, whether it counts if the robot looks at it. And actually the title of the paper is, "When robot eyes are watching". And so I think this question of, at what point do we draw the line on the privacy invasion? Is it when the bits go into the box? Is it when the box stores the bits? 
Is it when the box sends the bits to the NSA? Is it when those bits are rendered into human intelligible form? Is it when a human actually reads them? Is it when a human reads them and prepares them for an analyst to pay attention to them? And how you draw that line is really important. I would say that, think back to that Simpsons clip and you have all of these NSA functionaries listening to all these really intimate things. And you know what they look like? They look bored because if you were actually doing this with human beings, and trying to pay attention to all the stuff, you would just be listening to communication after communication. You wouldn't get titillated about it, just like your doctor who has seen everybody's bits. Other bits, not digital bits. >> [Laughter] You're going to hear so much stuff through the day you will have forgotten most of the time when you leave for the day. Yet everyone would say, looking at a human being, that would be a search, that would be a seizure, that would be an interception or electronic surveillance, so the question becomes, how is it different, how is it less worse if we automate that? And I would actually say that, if you are automating it, you are making it that much worse because that army of people that you could never afford to listen to everybody, you now have it, except it's an army of robots. >> [Off mic]. >> Oh! That's a good question. >> Can you repeat the question? >> No, no, the question was, what about the hash of the bits? So there is one theory, actually there's a person who wrote a good article, [indiscernible] Yahoo and now chief Law Enforcement dude at Google, which takes, in general, very strong positions on this stuff. He wrote a paper analogizing the searching of the data stream or a computer for hashes of known child porn. 
He analogizes that to dog sniffs, and suggested that a search of a data stream or a drive for hashes of child porn would be analogous to a dog sniff because similarly, it would only detect that contraband. And, in fact, we just saw this in the news just this past week when it was revealed, not revealed, I mean we knew this was happening, that Google does in fact use as do other cloud companies and I fear some of the ISPs, use a database of hashes of images that the NCMEC, or National Center for Missing and Exploited Children has concluded are child porn. I expect most of those images are child porn, however, it is of concern, speaking generally, that a quasi-Governmental entity is providing the private actors a list of expression, photos that they believe are illegal and not protected by the First Amendment, but that no court has adjudicated to be illegal and unprotected by the First Amendment and that means providers of our communication services are voluntarily scanning for that and reporting that. >> So I think there's a legally significant difference between searching the streams of communications for selectors that apply to particular people that you have determined through some process lawfully under surveillance and looking for hashes of images or content of communications because this is an area where Tim and I would agree, because I actually think that that is a search because you are, in fact, trying to find out if every one of those communications contains this particular content, as opposed to trying to pick out which communication belongs to this individual that I have decided I'm going to surveil. But it's a fascinating question because one difference between the hash search and dog sniff is that actually, the hash search is probably a lot more accurate than the dog sniff. That was one of the big problems of the dog sniff case, is that it assumes the dog is always 100% accurate and only alerted when there is contraband. Which is not true. 
>> I'm sorry, we're going to run out of time. I just want to say we'll take questions at the end, but this issue is just incredibly essential because if all of our lives are now digital, are we going to have this service collective reality of both local law enforcement and national security and then the Fourth Amendment doesn't apply, so at the very end when there's probable cause to do something so it completely circumvents the Fourth Amendment potentially. So, this is a really essential question, not just with physical surveillance, but in terms of everything from dog sniffs to Stingrays and electronic surveillance. So this is something we should have a whole panel on at another DEF CON. >> Would there be interest in that? >> We were going to show one more clip for "Enemy of the State." Do you think we have time to show the last one? >> We do. Yeah, one more clip. >> One more clip for "Enemy of the State." And then we will move on to talking about change and solutions. This is "Enemy of the State" pre-9/11. Sorry about that. >> Oh. What is going on? >> I'm going to say there is a little bit of a problem. >> Okay, here we go. >> I'll save it. >> VIDEO: Come on. Come on, all right. Get that [indiscernible]. [Dog barking]. There's no problem with that. Oh, God damn it. What the hell are you doing here? This is not the office. This is my private time. >> 5 minutes. >> No! I said no Tuesday, I said no last week, I'm going to keep saying no until you hear me >> This is Jim. All I ask is 5 minutes. Do you want some coffee? >> No, I don't want coffee. I want to play with my dog. >> I'm not asking you to vote for it. I know you can't. Just release your people. Let them go the way they want >> Telecommunication Security and Privacy Act. Did you see the post? This bill is not the first step for the surveillance society, it is the surveillance society. >> [Indiscernible] 
>> Listen, I'm not going to sit in Congress and pass a law that lets the Government point a camera and microphone at anything they damn well please. >> So, look, I don't care who bangs who, what type of officers get stoned, but this is the richest most powerful nation on Earth and therefore, the most hated and you and I know what the average citizen does not that we are at war 24 hours of every day. >> Yeah, yeah, yeah. >> Do I have to itemize the number of American lives we've saved in the past 12 months along with judicious use and surveillance intelligence? >> Let's cut the crap. I have three major employers in the Syracuse area alone who are going to just get killed by this bill >> I promise to get you funds equal to or greater than whatever those companies gave your last [Indiscernible]. >> I'm not talking about campaign contributions damn it. What about my constituents being out of work. Jesus, man, wake up. National security isn't the only thing going on in this country. This conversation is over. >> [Indiscernible]. >> Don't you honestly doubt the efforts [indiscernible]. >> You're about a bark and a half from being homeless. >> Baby listen to this Fascist gas bag. >> Freedom always existed in a very precarious balance of when buildings stopped going up, people's priorities tend to change. >> You've got a point there, sweetie. >> I mean, who is this idiot? >> He is talking about ending personal privacy. Do you want your phone tapped? >> I'm not planning on blowing up the country. >> Well how do we know until we have heard all your dirty little secrets? >> You are just going to have to trust me >> Oh, I know, we'll just tap the criminals, we won't suspend the civil rights of the good people. >> Right. >> Then who decides which is which? >> I think you should. >> Bobby, I think you should take this more seriously. >> Honey, I think you are taking it seriously enough for both of us, and half the people on the block. 
>> Tens of millions of nationals live within our borders and many of these people consider the United States their enemy. And they see acts of terrorism. >> So, I love this clip because the wife plays an ACLU lawyer in this movie, so it's particularly close to my heart. But some similar phrases going on in this movie, that we have heard since 9/11. >> One bit of context, that first scene, that is the NSA Director trying to convince, the Chairman of the Senate intelligence committee to support their bill. It's the first scene of the movie and what happens at the end of it is the NSA assassinates the Chairman of the Senate intelligence committee. I don't think the NSA would do that. You know, it's a bit out there, but I don't know. >> So the NSA doesn't engage in those kinds of operations. That would be other parts of the Government that do that. They would object very strongly to the NSA turf grabbing, if the NSA planned the assassination. >> [Laughter]. >> But obviously the similarities to the Patriot Act and the [Indiscernible] Act, and now we see post Snowden some moving back from that, some real movement in DC to reinsert some important safeguards, and so we want to end sort of on a note of what we see moving and optimism, about what we see potentially happening and address what has occurred since 9/11. The concerns that many civil libertarians and many members of the public have had about over-reach, about over-abuse, lack of safeguards, lack of checks and balances. >> Yeah, so there is this bill, the USA Freedom Act that was really great and then it was really awful and now it's better, but not awesome, but still good enough to actually change the laws in some really good ways. And we're hoping that we can try and move it before the election when Congress comes back in September. 
But I just wanted to flag another thing that, you know, I think of when I watch this clip which is going back to the paper we wrote last week, but also [indiscernible] talk, if you saw it yesterday. Which is too often the debate here has boiled down to a pretty simplistic argument about security or purported security benefit, and cost to privacy and liberties when really we're not interrogating the benefits nearly enough, and we are not actually looking broadly enough at all of the various costs, not just to privacy and civil liberties, but the literal cost - - how much money is spent on this stuff? Which the budget is huge. But, you know, the cost industry now that it's known the cost to Internet security forpolations, the cost to the agenda around the world, the cost to our credibility, we need to have a more nuanced conversation of pros and cons here. >> And some of those costs I think are the reasons why President Obama issued this PPD28 which makes some pretty modest reforms, but conceptually was a lead for the intelligence community, for the first time pretty much ever, this Presidential directive acknowledges the rights and interests beyond the United States citizens to include foreign citizens as well and part of the reason for that, I'd like to think it's just because it's the right thing to do, but I think part of the reason for that is because of pressure from the technology industry that says, hey, when you guys go out there and say we have got these protections for U.S. citizens, that doesn't really help us very much in the global marketplace. You know, these revelations are extremely damaging to the U.S. position as a technology leader. And so it's in my strong view that one consequence of the recent controversy will be and should be is the increased understanding that we need to have privacy protections for everyone and not just for Americans. 
>> And also seeing members of Congress directly challenging the intelligence community, as we saw in this clip, you know, the Director of the NSA saying, do I need to recount all the ways that this has been useful to us and addressing terrorism? And we see now, real challenges by members of Congress saying, no, like Senator Wyden saying, I don't see any evidence that has led to information that we couldn't have obtained in far less intrusive constitutional ways. So not just taking at face value, you know, the issues that this is necessary or it's necessary to be done in these invasive and unconstitutional ways. I think that that's a huge shift in thinking in something that is really important for the debate going forward. I want to be mindful of our time, of all of you in the audience, of my fellow panelists. I want to thank you guys for coming on Saturday night. And please follow us. Get engaged in the work that each of our organizations are doing. And thank you very much. We hope to see you next year at DEF CON. >> [Applause]. >> Thank you.