All right. For anybody who is in this back corner over here, if you want to hear clear audio I suggest you go to this side of the room. We just have a problem with the air wall there; if you want to hear clear audio, come on over to this side. That being said, welcome to the talk. This is general purpose computing, computers, sorry, and without further ado, Cory Doctorow.

>> Thank you. Thanks for coming. Thank you. So, you know, two years ago I came to DEF CON and I gave a talk where I predicted that things were going to get really ugly in the Internet of Things. After all, we live in a world made out of computers, and not just in that kind of metaphorical sense where, like, if you download those glossy videos promoting the Internet of Things, where it all looks like it's been set-dressed by someone involved in the Tron production and everything is white and linear and jumpsuity, people walk into these houses, they wave their hands and the lights come on. I had someone the other day: "Yeah, I've had those awesome computer-controlled lights for months now, and I went to a hotel and I was like, you have to touch a light switch like an animal." Then they walk into the kitchen and they wave their hand again and the lights come on. They say, like, "Tea, black, hot, Earl Grey." Right? And it feels futuristic, like tomorrow we'll live in a world made of computers. One of the implications that may occur to you as you watch this person walk through their gesture- and voice-controlled house is that a house that you can gesture and talk to no matter where you are is a house with a microphone listening to you and a camera watching you wherever you are. And this is where things start to get ugly with the Internet of Things. Now, we don't have to wait for the Tron future to live in a world made out of computers.
We already inhabit a world where the most salient fact about many of the things that we put our bodies into, and that we put inside of our bodies, the most important thing about them, is their internal logic. It's the computers that they run on. They are in effect special-purpose computers that do things like let you live inside of them, or drive around in them, or keep your heart rolling. And so, when you hear about, for example, subprime car lending, which is the newest way to, like, monetize poor people, right? You give them a car loan, and then you turn that car loan, the return on that car loan, into a bond and you float that on the street, and the way that you securitize a car loan is you fit the ignition system on that car with a networked, location-aware ignition override that makes sure that you're adhering to the lease terms or the loan terms, or disables your ignition system, so if you drive outside the tri-county area, if that's a term of your loan, they can remotely shut down your car. And when you hear about that, you realize that the most important fact about that car is the computer inside of it. It doesn't have to be one of those Jeeps that just got recalled because over the Internet you can disable the steering and the brakes; these things are designed to be disabled over the Internet. And people have broken into those systems and used them to shut down cars in the middle of the highway or immobilize every car ever sold. And it's not just cars that are computers that we put our bodies into; a 747 is a flying fancy aluminum case connected to tragically badly secured SCADA controllers. The thing about the Internet of Things, the thing about a world made out of computers, is that it's inheriting the worst fact about the early years of computer commerce: the inkjet printer business model.
Where the things are sold in a way that they are intended to act as a platform, where the manufacturer controls that platform and gets to monetize it, and at high margins, by controlling who can sell add-ons for it and who can sell consumables for it and who can add features to it. This is very useful if you're the manufacturer. For example, you can charge a lot of money for the extra stuff that plugs into it, or whatever you use up in it, like the chargers, or the gasoline, or the windshield wiper fluid. It's also great if you're the manufacturer because you can make covenants to third parties who might subsidize the purchase. If you make smart thermostats, you might be able to get a power company to subsidize buying millions for everybody who lives in a district by being able to warrant that you'll never sell software for it, or allow software, that allows the user who has that thermostat to adjust it when the power company turns it down or up. If the power company says, we're running out of headroom in the power infrastructure, we're going to turn down everyone's air conditioning by two degrees, they want to be able to make sure that you don't just walk over to it and turn the air conditioning back to where you had it before. That's a great way to subsidize the hardware. So everybody wants this inkjet printer business model where you get to control the software, the consumables and every other piece of that ecosystem. And we have given a gift to people who want to design these inkjet printer business models, a legislative gift in this country, in the form of a section of the Digital Millennium Copyright Act called Section 1201, the anti-circumvention component of the Digital Millennium Copyright Act. If you break a lock that is used to secure access to a copyrighted work, then even if accessing that copyrighted work is lawful, breaking the lock is not.
And so all you need to do to make sure that nobody can plug stuff in that you don't want plugged in, or run software that you don't want run, or add consumables that you don't want added to your platform, is put the thinnest credible lock that you can imagine around the system, and then the government will spend an unlimited number of tax dollars prosecuting people who remove that lock to add otherwise lawful functionality. You'd be crazy not to take Uncle Sam up on this offer to defend your dumb business model with every tax dollar at their disposal. And with the DMCA, you don't even have to get action taken against you under the DMCA for the DMCA to work, to stop people from getting involved in breaking these inkjet printer business model tools, because it has such incredibly horrific penalties that all you need to do is ask yourself, am I willing to go to jail for five years on a first offense and spend $500,000 in fines on my first offense to see whether or not I can unlock some functionality in this device? The answer is usually no. You don't even need a lot of prosecutions to get everybody who is capable of doing that unlocking step to kind of say, actually, there's something better somewhere else out there with fewer penalties; my risk calculus says I'd rather not do this. Now, the interesting thing about DMCA 1201 is there is almost no litigation history. We don't really know whether or not the courts would find $500,000 and five years in jail for listening to music the wrong way, or watching TV the wrong way, or plugging some additional functionality or an unauthorized charger into your device, as proportionate. Because the other side gets to decide when to prosecute people for violating 1201. And they, generally speaking, only go after people who they think they can win against, who have really bad facts and don't look like the kind of people you want to stand up in front of a judge.
So one of the only cases where 1201 has ever been litigated was when "2600" magazine, which, don't get me wrong, "2600" is an amazing magazine, I've written for it, Manny does God's work, but "2600" magazine published DeCSS for decrypting DVDs, and the film industry said, we're going to fight this one all the way to the end. Because "2600" magazine is in New York, where the Second Circuit and its judges don't really understand technology, not like out in California where they're really clued in on this stuff, and "2600" calls itself the hacker quarterly. And we can be reliably assured that the magazine and all of its supporters are going to show up in court wearing black T-shirts that say things that judges don't understand and find vaguely disturbing. These are the people we want to fight in court. We got our butts handed to us in "2600". The courts said there's no free speech interest in magazines being allowed to publish math. And they said that this is about whether or not people should be allowed to defend their investments, or whether or not anyone who can figure out how to steal their stuff should be able to because they know how to remove a lock. A terrible judgment. A couple of years later we had a great chance to stand up the right kind, because Ed Felten, who was principal deputy CTO of the White House, led a team, or worked with a team, that broke SDMI, which was this really crazy dumb idea to watermark digital music so that when you converted it to analog and back to digital again, somehow that watermark would survive, even against an adversary who wanted to remove it, and that watermark would be detectable by digital-to-analog converters that would just say, I'm sorry, I refuse to convert that analog music back to digital because it has been marked as non-convertible and we won't do it.
The SDMI consortium spent a lot of money, hundreds of millions of dollars; they spent years on it, with the smartest people going working on it. They offered a big bounty to anyone who could break it, on condition that you signed a non-disclosure. Of course, Ed and his team didn't want the bounty; they wanted tenure and publication. They wrote a paper on it and submitted it to the USENIX symposium. The record industry went bananas. They threatened Ed and USENIX: if he gives this paper about stats at a technical conference, we're going to sue him and the technical conference. We were like, oh, yeah, this is the one we want. Because we really want a judge to decide whether or not record executives should be in charge of what kind of math Princeton professors can talk about at learned conferences. That is the question I want to stand up in front of a judge with all day long, right? If we get the right answer, well, then "2600" can publish all the DeCSS that they want. As soon as we stepped up at the Electronic Frontier Foundation to represent Ed, the record industry dropped the threat. They not only dropped the threat, they offered us a covenant saying they would never pursue Ed for SDMI ever, just to stop us from going to the judge asking for what's called a declaratory judgment, which is when you say, I've got this threat in writing, they put it in writing, I've got this threat in writing from the record industry against my client, and my client has the right to know, even though they have withdrawn the threat, he has the right to know how it would turn out. Because they had given us a covenant saying we're never going to go after Ed, well, the judge said, you don't have any standing to ask that question, because you know the answer. The answer is they're never going after Ed. So there's almost no litigation history on 1201, which works great if your hope is that 1201 will intimidate people who don't know how a lawsuit might turn out because there's no case law on it.
And if you want to just have them stay the hell away from anything that interferes with your dumb inkjet cartridge business model, it's a great situation to be in. Now, we do have a little bit more case law, and this is actually kind of interesting. It's kind of an interesting example of how the Internet of Things has changed the calculus here. In 2004 there were two companies that sued over the DMCA. One was called Lexmark, a division of IBM, which sued a competitor that was refilling inkjet cartridges and changing the software in them: it had a bit that was set that said, I have been discharged. That bit was not supposed to be settable back to "I am now full again." And they were resetting that bit to say, I am full and I have never been discharged; they were refilling the cartridges. Another one, called Skylink, made garage door openers, and there was a third-party company that was making replacement handsets to open the garage door. And in both cases, so one was consumables and the other one was add-ons, they went to the court, to the Federal Circuit, who are not known for their technological wherewithal, where all the dumb patent cases are heard, where we get the worst judgments out of. But they went to the Federal Circuit and they said, we think that 1201 protects us from people refilling inkjet cartridges; these are copyrighted inkjet cartridges. I've been looking for your copyrighted work in this and I can only find one: the DRM. Like, the only code running in this thing is the DRM. It's supposed to be against the law to remove DRM that controls access to a copyrighted work, but if the copyrighted work that the DRM is protecting is the DRM, it just feels a bit circular. So the judge, he bounced both of those. Now, things have changed since 2004. Here we are in 2015 and every single computerized system has real, substantial copyrighted works inside of it.
Because these days you don't build, like, PLC- or FPGA- or special-purpose-based controllers for most of our little things; controllers are so cheap now that for 60 cents you can buy a TCP/IP stack in an embedded controller that you can stick in your light bulb. And so, why would you build something that was small and lightweight and didn't have a substantial copyrighted work in it when you can get some lightweight version of Linux all on a chip for pennies? Everybody from light bulbs on up now has a copyrighted work inside it. So, as soon as you add a lock to it, it's against the law to remove that lock, because now it's protecting access to a real, bona fide copyrighted work beyond the DRM itself. That means that we now have this restriction on jailbreaking HVAC systems and insulin pumps and jailbreaking 747s and jailbreaking implanted pacemakers and implanted defibrillators. And it just keeps going, right? We just keep getting more and more things that are protected by digital locks, and where it's against the law to remove those locks because someone has used them to protect a business model. So those tall, willowy office towers that you see going up in the finance districts of the great cities of the world, where you look at them and you're like, how the hell does something that tall and skinny stay up? Well, they use computer-controlled dynamic load adjustment to dynamically readjust themselves against seismic and wind stresses from moment to moment. That building is a case mod that bankers hang out in. And it's protected under the DMCA. You just saw 1.4 million Jeeps recalled because they could be accessed over the Internet and have their steering and brakes disabled. A client of EFF, Chris Roberts, has claimed that there are ways to get into the control systems of United's planes through its in-flight Wi-Fi system.
And the thing about this is that it's not only crazy for business purposes; not only is it a way for companies to rip you off by charging you a lot of money for consumables or locking you out of features that you might otherwise want to have. There's a lot of that, make no mistake. It's also deadly for security, because we have exactly one methodology for determining whether or not a security system works, and that's disclosure and adversarial peer review, right? It's when your friends tell you about the dumb mistakes you made and your enemies make fun of you for having made them, right? And if that methodology sounds familiar, it's because it's the methodology that we used to go from the Dark Ages to the Enlightenment. Before the Enlightenment we had one kind of science; it was called alchemy. Alchemists never submitted. They fell prey to the most frail of human frailties: our ability to deceive ourselves about what we think we know. So they would conduct experiments, and they would go, I think it came out the way I predicted it would. I'm not going to tell anyone else about it because I've discovered something awesome. This is why every alchemist discovered in the hardest way possible that drinking mercury was a bad idea. And it wasn't until alchemists started publishing and submitting to peer review that we found out about the dumb mistakes. The Enlightenment: we call what came out of it science. It's what we use to determine whether anything works. It's why our bridges stand up and it's why our security stands up, when it does. It's because we allow third parties who don't like us to look at the stuff that we've done and figure out the dumb mistakes that we've made in order to humiliate us in the public sphere. That's the only methodology we have for knowing whether security works. But under 1201, it's against the law to reveal information that could be used to remove a lock. E.g., like, where was the key hidden? Or, there is a buffer overrun.
Or there is -- something that makes it insecure and would allow an adversary to gain access to it and override the access controls built into the system that the manufacturer was hoping would be intact through its entire duty cycle. And what that means is not that vulnerabilities don't exist; they do. And not that vulnerabilities don't get discovered by hostile parties; they do. One of the things we saw when the NSA's Tailored Access manual leaked, their manual of, like, premade hacks that field agents can request from their I.T. people to use in the field, is that the NSA routinely discovers and weaponizes zero-days that they use against other people, and that in particular those zero-days are longer-lived when they're in systems where it's against the law for independent security researchers to disclose those zero-days. They last longer. So, making it illegal to disclose doesn't stop those vulns from being discovered or exploited. It just makes it harder for those vulns to be discovered by normal people, who don't anticipate vulns in the systems that they rely on for life and limb. Because after all, your phone is more than a supercomputer in your pocket that you use to throw pigs at birds, right? Your phone is a supercomputer in your pocket that knows who all your friends are, and knows what you talk about, where you are, where you go, and it knows how your banker and you talk to each other and authenticate your conversations, how your lawyer and you talk to each other and authenticate your conversation. It is maybe the auth token to your house's front door lock and your car. It has a microphone, and the only way you can know whether those are on or off is if the phone's security model is intact.
Otherwise, the camera and microphone could be covertly operated, and making it against the law to tell you about vulns in that phone, to make sure that you don't run software that didn't come from the manufacturer's app store, is grotesque, not just because it rips off independent software vendors and limits innovation; it's grotesque because it puts you at risk in every conceivable way, from asshole to appetite, of vulnerabilities being discovered and festering and being used to exploit you. Every three years the Copyright Office holds these hearings on 1201 where they ask, are there any ways that 1201 is, like, getting in people's way, and should we grant an exemption up till the next hearing? They just concluded one; you probably heard a couple of examples from it. For example, John Deere tractors: a farmer put forward a petition to allow him to jailbreak his John Deere tractor. The story went that he was getting out there to till the fields with his John Deere tractor and it wouldn't run. He called tech support, and they said, yeah, looks like the inflation sensor on one of your tires has gone south; we can dispatch a part in a couple of days. He said, the tire is fine, can I just go into the firmware and disable that sensor? No, you can't. He said, well, I really want to be able to tweak that. John Deere doesn't really care whether or not you tweak it; what they do care about is the fact that they send meter-accurate soil density surveys through the torque sensors in the wheels while you're tilling your fields, and they sell that information to seed companies like Monsanto, but not to the farmer. The only way for the farmer to know about her fields' soil density is to pay the seed company and covenant only to use that seed company's seeds.
They went to the Copyright Office and said, we want to jailbreak our Monsanto tractors -- our John Deere tractors -- and John Deere came back and said, no, that's not your tractor, it's our tractor; you've only been licensed the tractor, it's a copyrighted work. In case there was any doubt, G.M. uses this to lock mechanics out of their cars, because they want to make sure that only mechanics who sign a contract that says, I buy original G.M. parts, that we charge major markups on, and not third-party parts, that only those people can get diagnostics off the motor. And so G.M. filed a petition whose basic summary was: you remember that ad where we said that's not your father's Oldsmobile? We weren't speaking metaphorically, right? So, if you want to read stuff that will make the hair on the back of your neck stand up, look up the 2015 Copyright Office 1201 triennial proceedings and read what the security researchers wrote about how this stuff is getting in their way. A guy named Jay Radcliffe, who is a security researcher at Rapid7 and also a type 1 diabetic. If you're a type 1 diabetic, you get an insulin pump instead of relying on human beings, who are, after all, the shittiest lab techs, to figure out when you need more. You get an insulin pump; it means that your insulin dose is titrated very carefully and very tightly through the day, and in really good lockstep with your blood sugar, and you live many more years. But Jay Radcliffe has audited the insulin pumps and he won't get one. He is prepared to sacrifice years off his life to not get one, because he knows what the wireless interface in this thing can get access to. And after all, insulin can be fatally overdosed on pretty trivially. He won't get one, and he reports on this. He also said he's audited a bunch of other medical devices, and he estimates that 40% of the code in implanted medical devices has never been audited.
We also heard from security researchers who work on voting machines. They say that voting machines are horrifically insecure, but because they have a lock that protects access to a copyrighted work, they can't tell the people who are procuring them for their local elections about the vulnerabilities in them. The most hair-raising thing in it was there's a security researcher, we don't know which one; there's a filing from about half a dozen super-eminent, Ivy League, Big Ten security researchers, and in their filing they said, one of us, not naming any names, has been advised by counsel not to tell you what area she or he works in, because merely disclosing that, counsel believes, will bring a 1201 action against him or her, right? This is the first rule of 1201 club: you don't talk about 1201 club. Internet of Things investors are really big on this 1201 stuff. They all want these devices to ship with ecosystems, lock-in, lock-in for add-ons, lock-in for consumables. And in a real market, where that lock-in can be broken, this stuff doesn't work, right? Keurig put a lock on the 2.0 coffee pod machines so you can only buy coffee pods from Keurig, not from competitors. They lost 25% of their market share in the first year. They did an investor call where the CEO had to eat his hat and say, we made a really dumb mistake. Because, like, nobody woke up this morning and said, gosh, I wish there were fewer vendors who could supply software for my cochlear implant, or fewer ways that I can read my e-books, or fewer people who would sell me coffee for my coffee pod machine. In the absence of one of these locks there's no way that you can make it work. But in 2015 we now have a system whereby this competition is harder and harder to come by. The future looks pretty grim in terms of 1201 and how it interacts with the Internet of Things.
Like, I'm working on a catalog of design fiction, ideas about what kind of devices we don't have and should have, or might see in the future as a result of 1201, called the Catalog of Missing Devices. One of the ideas that our UX futurist types came up with is a product that unlocks your fridge so it can chill third-party butter. But you know, I told you about those subprime cars; there's another really interesting example of where the Internet of Things is headed. There's a guy named Hugh Herr who runs the prosthetics lab at the MIT Media Lab. I'm a words guy; he's got pictures, awesome slides. I'm, like, PowerPoint-corrupt; I never use pictures. He's got awesome slides of all of the ways the computers have been woven tightly into -- to improve their lives in immeasurable ways: hands and feet and neural prostheses that use very powerful magnets to suppress activity in parts of the brain that cause otherwise untreatable depression. And so Herr, I saw him do this talk, amazing, he shows us slides, and the last slide is him. He's clinging to the side of a mountain like a gecko, he's all in Gore-Tex, super ripped. You can see from the knees down he's just got stumps. His stumps are in these great robotic mountain-climbing prostheses. He's been standing there like this the whole time. He says, didn't I mention? Right? Like "one more thing" in Steve Jobs: didn't I mention? He rolls up his pants leg: he's a robot from the leg down. He starts running up and down the stage like a mountain goat. Leaping into the air. It's incredible, the best demo I've seen. The first question anyone asks was, how much did your legs cost? He names a price; you could buy, like, a house in Mayfair or a brownstone on the Lower East Side. The second question anyone asks: who can afford those legs? He said, of course anyone can afford those legs. If it's a choice between a 60-year mortgage to get your house and a 60-year mortgage to have legs, everyone is going to pick the legs all day long, which I think is probably true.
When you combine subprime immobilizers and legs, you get somewhere very ugly, right? When you miss the payment, the legs walk you back to the repo depot to take them back. Anyone who pwns those legs, because it's against the law, can make your legs take you anywhere they want. So, EFF loves litigating stupid tech laws. This is one of our secret superpowers that I think a lot of people don't appreciate. America has this amazing back door to its legislative system. In other countries, without strong constitutional traditions, the way that it works is lawmakers make an incredibly stupid law, then you have to wait until there are new lawmakers, and enough of them, to make that law go away. You have to bring pressure against them. You have to get a majority of those lawmakers to change that law. But because America has an independent judiciary and a strong constitutional tradition, in America if you can just convince enough federal judges, sometimes only one, that a law violates the Constitution, they can make the law go away. This has downsides, because lawmakers can make dumb laws knowing it's good red meat for the base, and the judges will make them go away before they cause too much harm. On balance, it means that we get a legislative second resort in the courts. And that means that when you have ideological blindness in Congress to bad technology ideas, if we can get the right defendant in front of a judge, we can make the fact that Congress is full of people who don't understand technology irrelevant to the legislative landscape. So our best example of this was Bernstein. Some of you probably know about Bernstein. In the early '90s the government had this weird idea, and it's hard to imagine that anyone had this idea, that civilians couldn't have access to crypto. Kind of a crazy idea. Amazing that anyone could have ever had that really dumb idea back in the early '90s. For those of you who don't know, this has come back in 2015: the FBI wants to ban civilian access to crypto.
The NSA had this idea that civilians shouldn't be able to use crypto. They classed it as a munition and made it illegal to traffic in strong crypto. And people made lots of arguments in front of Congress about why this was dumb. John Gilmore, one of the EFF's founders and employee number six, one of the principal authors of GCC and Solaris, made a computer that was optimized for brute-forcing DES 50, the cipher that the NSA said. For a quarter million dollars he made a computer that could exhaust DES 50 in two hours. He said, this is like the entire American banking system can be beaten for 250 grand with this thing the size of a bar fridge by a guy who looks like a hippie, right? Congress said, yeah, that's very nice. Why don't you leave now. We made arguments about international competitiveness; economists joined on; nobody cared. Then we found Daniel J. Bernstein, whom you may know today as DJB, an eminent cryptographer and professor, at UC Berkeley a grad student, who was publishing strong ciphers on Usenet. Remember Usenet? We argued that his source code was a form of speech, that programmers had a First Amendment right to publish source. The Ninth Circuit appellate court said, you're absolutely right. Congress is wrong. Whether or not this should be classed as a munition, classing it as a munition violates the First Amendment, and we can have strong crypto. That's how we got crypto. That's how we got here today. We love -- [ applause ] We love litigating bad laws with good clients. Watching this stuff happen, I left EFF about ten years ago to go be a novelist, to make up stories to help you pass along the boring hours between the cradle and the grave. And after about ten years of that, I looked around at this stuff and said, like, this is dire. Like, as much as I'm interested in making sure that, you know, I can live the cushy, glamorous life of a science fiction writer, I also don't want my daughter growing up in a world that makes dystopian science fiction books look like a My Little Pony episode.
I came back to EFF to work on a project that we call Apollo 1201. It's a mission to kill all the DRM in the world within a decade. [Applause] We're going to do it with your help. Because we know that people in this room, people who come to this conference, people who work in this field, violate 1201 all day long. It's impossible to do security research without doing it. But it's the love that dare not speak its name. We have a pact, effectively, with the people who want to defend 1201 and keep it intact. It's that security researchers just don't make a big deal out of the 1201. Like, they research mobile malware, and the paper starts with, I got some apps. They don't say, I took a jailbroken phone and decrypted a bunch of apps in memory; they just say, I got apps. Then I discovered this interesting thing. So long as nobody talks about it too loudly, the other side doesn't come back and everybody kind of trundles along. But meanwhile, devices that we rely on every day become reservoirs of long-lived digital pathogens that threaten you, me and everybody we love. So, we want to talk to you about this stuff. As they said in "Ocean's 11", we're putting together a team. We want to know about the work that you're doing. We want to know in particular when you're scared about 1201; we want to help you figure out how to structure that research so that it's as litigation-hardened as possible. So that if you decide that a critical piece of your research is describing the 1201 elements, or someone on the other side decides they want to make an example of you and put your head on a pike, the way that your research is structured is optimized for making sure that the judgment that comes out of it is a shining beacon on a hill for everyone else who is thinking about 1201, not a terrifying icon of how bad it is when you go up against the machine. We want to make this structured in such a way that 1201 eventually goes away altogether, because with 1201 gone, DRM goes, too. Right?
And once it's not illegal to eliminate DRM, people will eliminate DRM, because DRM is only used to protect high margins, and as Jeff Bezos said, in alarming candor, to book publishers, your margin is my opportunity. Every one of those stores that's taking 30% out of the hide of software vendors is ripe to be disrupted by someone who makes another store that takes 20% out of their hides, or 10%, or monetizes it differently with some kind of platform strategy. Every device that has high-priced consumables. Every John Deere tractor selling information back to farmers that they're generating by driving their own tractors around the field. Every one is a market opportunity. And every one of those will be taken advantage of, and the DRM will disappear, as soon as the status of DRM is legally ambiguous or positive for people who break it. It's not hard to break DRM. Hiding keys in devices that are owned by -- that you leave in the bank robber's house is a bad idea. Right? Those keys will always be subject to interrogation. Remember, in DRM crypto you don't have Alice and Bob and Carol. You have Alice and Bob. Bob gives Alice a ciphered message, she has the key, then Bob crosses his fingers and hopes that Alice never figures out where the key is and puts it in another device that does things Bob doesn't like. That is the wishful thinking business model; it is the -- of crypto. It doesn't work. [Applause] So, here is my pitch to you. If you're a hacker, if you're doing security research, come and talk to us. I'm real easy to find: the first Cory in Google. I'm Cory, the first result is my homepage, one e-mail address on it, the same e-mail address my mom and my wife use to get in touch with me. E-mail me, tell me about your 1201 stuff; we want to talk to you and figure out how we can help you, or if we can help you, talk about the contours of the law and give you good advice. It's a thing we've been doing for 25 years now; we're awesome at it.
But if you're a designer, if you are a UX person -- get in touch with me about the Catalog of Missing Devices, because we're putting together a design intervention as part of the 1201 project to help people start to realize what's missing because of 1201. This is an under-appreciated fact about 1201: there are all these devices missing from the field, and it's hard to notice what's not there. With a patent fight, there's a device everybody loves, some patent troll has a dumb patent, they make that device disappear, and everybody gets angry. But with DMCA 1201 the device just never shows up in the field, and people don't even notice it's not there; they assume that maybe it's, like, physics. It's the reason that when you stick a CD in your computer, the computer wakes up and runs some manufacturer-supplied software that mixes and burns your CD to put on your mobile device, but when you stick a DVD in, all it lets you do is the same thing that you could do with it in 1996: watch it. People are like, I guess there must be something technically impossible about doing more stuff with DVDs. We're making this catalog of all the stuff that was stolen from your future. If you're into this stuff, if you're a UX or UI designer or product designer, get in touch with me, talk to me about contributing to the Catalog of Missing Devices. We can also offer you tax receipts for the consulting that you do on this stuff, for the value of your consulting, because we're a 501(c)(3). Lots of ways to make this good for people who want to work on it with us; we'll also make sure that you get credit, and you'll be helping out in an important way. Then my last plea to all of you is, if you're at the W3C, the World Wide Web Consortium, or work for a company that is a member of the consortium, get in touch with me, because it took the dangerous and awful step of adding DRM to the realm of technologies that they're willing to standardize for the web.
Which means that our web-based front ends, which are supposed to replace plug-in-based or app-based front ends for everything from our pacemakers to our thermostats, will all have components that are unlawful to report vulnerabilities in, and will thus be subject to having those vulnerabilities fester in them. We have a project to reform the way that the W3C deals with it; if you're involved with the W3C, I want to hear from you. So the DMCA has been festering since 1998. It's an unsightly boil on the American legal system, and it's spread all over the world thanks to the U.S. Trade Representative. And as it stops being enforced in America, every one of the countries that has adopted their own version of 1201, at the behest of this government, will be poised to remove their own 1201 laws, because after all, if you're in a suicide pact -- we won't make these products -- and the other guy backs out, it's natural for you to want to back out, too. With your help we're going to squeeze this zit forever and everywhere in the world. Thank you. [Applause] I have about ten minutes for Q&A? Ten minutes for Q&A? I don't know if we have mics; I can repeat the questions. I remind you that a long rambling statement followed by "what do you think of that?" is a question, but not a good one. I will alternate between people who identify as women or non-binary and men, because otherwise the Q&A is a sausage fest. So, go! Yes. [inaudible] Right. So the question is, are there still cases where DRM works, like, for example, subsidy consoles, right, where they sell the console below cost and then they use games and money from the games to realize a recoupment on those costs. Or other models where I take a picture, I send it to you, but I want to make sure you don't share it on. How do I do that without DRM? And I think that those are two separate cases, and I'm going to take them separately.
In the second case, the Snapchat case, that only works -- what Snapchat is good for, or all those other disappearing-ink tools are good for, is a system in which you trust the other party but you don't trust their opsec. You say, we're going to share a document, we're both going to delete it after we've looked at it, but sometimes you forget, because human beings are crappy computers, right? That works really well, right? Auto-enforcing opsec, great. Totally terrible at stopping people you don't trust from sharing information that you shared with them and asked them not to share on. Because if you send a photo to my device, at bare minimum I can take a picture of it. But also, it's my device; if you've hidden some keys in it and then expect I'm not going to find them, again we're back to wishful thinking, right? So, like, would the world be a better place if we could figure out how to turn off gravity for someone with chronic back pain? Yes. But, like, are we going to defend things that don't have any nexus with turning off gravity but let people pretend that we do, and have all these horrible side effects? No. As to, like, protecting subsidy hardware by allowing the state to spend an unlimited number of tax dollars to prosecute people who do otherwise lawful things to that subsidy hardware, I guess the answer is whether or not you think the state should be deciding which business models work. And I think that we have lots of hardware that works without subsidy; like, nobody came down off of a mountain with two stone tablets that said the only way a console shall ever be monetized is through discount hardware. And in the games world it's especially interesting, because the games world has got a long history of not being protected by law. So back in the days of floppy -- floppies and CDs, the games industry was one of the first major constituencies to go to the lawmaking bodies and say, we're being pirated into the ground.
Of course, lawmakers hated the games industry, so their response was, that's awesome. So the games industry invented network-based play, like Warcraft, which became larger than all of the other games ever invented. So they will adapt or die. We had video games before we had subsidy hardware; we'll have video games after subsidy hardware. If the question is, do we get to know about vulnerabilities in the consoles in our living rooms with cameras, or subsidy hardware for Mario reboots, I'll take knowing about the vulns and cameras. Any people who identify as women or non-binary like to ask the next question? Anyone? Any dudes who would like to ask a question? >> There's been discussion of applying DRM to allow people to protect their private information when they share it with a website or some sort of a service. Can you comment on how -- what you think about that? >> What about IRM, which is what this was called when Microsoft first launched it: information rights management. The idea is I encrypt the data, I send it to you, you have a client that has the keys to decrypt it, the client looks for business rules that come along with the encrypted document, like no print, no forward, no view after six hours. And then it either obeys those rules or -- obeys those rules, enforces those rules against you. So, again, this is a great tool inside a firm if you want to make sure that opsec happens automatically. Like, if the thing is that you and I have agreed that after we've both looked at this document and dispensed with it we're not going to retain it, like a seven-year document retention window where we want to dispose of everything after seven years, so if there's ever a lawsuit against us the discovery process won't involve old documents we forgot to get rid of that we have to pay counsel $400 an hour to review, great tool.
The idea that, like, I'm a giant company based in either Mountain View or Redmond or Cupertino and you are going to send me a bunch of personally identifying, compromising information, but you're going to lock it up with DRM, and I will run the client that you trust, and that software will make sure that I never do anything untoward with it -- that seems really, like, technologically implausible. We're back to, like, it would be awesome if gravity didn't work sometimes. If you don't trust your adversary and you send them both the keys to decrypt the document and the document, then you ask them nicely not to do bad things with that information, it seems really unlikely that that will work, right? Like, we have attacks on DRM-encrypted e-books that are totally non-encryption-breaking, like screen scraping, where you just run a screen-scraping toolkit that advances the page once a second, screenshots the predictable rectangle where it shows up, runs it through OCR. You send me a million-line spreadsheet, it's just not that hard for me to convert that back to machine-readable data with no restrictions. So the fact that it would be awesome if that did work doesn't mean that it does work. It needs to be technologically plausible as well as a good idea. And the problem is that the way that we defend that today is by saying, well, you go to jail if you report a vulnerability that would allow you to do that kind of thing. As we've seen, it doesn't stop bad guys, whatever your definition of bad guy is, whether that is state-level actors that sit in your own government's capital or state-level actors that sit in other governments' capitals or script kiddies or identity thieves or voyeurs; it doesn't stop them from violating the law. It's a bit like the rule against extracting keys to rip DVDs: if you're already prepared to share a DVD and break the law, the fact that extracting keys to rip the DVD is against the law is not much of a deterrent.
It's like, I was going to break this law, then I found out I'd be breaking another law, so I stopped breaking the law. It doesn't seem likely that that is going to happen. I am all for having things that make companies better about their document handling and retention, especially in respect to personal information. And I love ideas like going to insurance underwriters and saying, you know, you're allowing the companies that you write policies for to treat personal information as though the only cost associated with it is hard drives. And really what you should be doing is factoring in the full cost of the eventual breach of that information, because we have exactly one gold standard for not having information breaches, and that's not collecting and retaining information. So, companies that are able to subsidize themselves by getting insurers to write them cheap policies, because for some reason insurers are acting like there's no risk to retaining PII, that's crazily dumb. I think that -- like, not passing laws that require deep document retention, like we have in the EU and are being proposed in the U.S., that is also a really good way to get away from this stuff. Right now a lot of firms are bound through compliance to gather and retain tons of PII. And that's just asking for trouble. David Cameron, the prime minister of the United Kingdom, a country I just emigrated from -- those two facts are not coincidences -- has just announced that everyone who operates a porn site that is accessible within the United Kingdom is going to have to gather and retain proof of age, which in practice means credit card numbers, for everyone who visits the website, to make sure that they're over 18. Or they will be blocked at the national firewall of the U.K., which was instituted in the last parliament.
And given that porn sites are not better than the Office of Personnel Management at protecting themselves from breaches, what he just said is, we are going to gather and then release a financial-net-worth-indexed record of the pornography tastes of everyone in the United Kingdom. Right? This is a crazily bad idea that we don't need DRM to fix in terms of privacy. We just need to, like, stop mandating that companies retain PII, because we should assume that the breach will always occur. How are we for time? Two minutes. Anyone have a really quick question, preferably someone female or non-binary? Just shout. [inaudible] A list of companies that are friendly towards 1201 versus not friendly. There is a bit of one. If you look at the 1201 docket at the Copyright Office, the 1201 exemption docket, you'll see the companies that insisted that 1201 is a requirement. Apple is one of them. Although Steve Jobs wrote that letter saying DRM sucks, and although one of the jailbreaking exemptions has been granted at the last couple of triennials -- though not for tablets; the Copyright Office can't tell the difference between a tablet and a laptop, which suggests that they probably shouldn't be regulating either of them -- Apple every year when this comes up says the sky will fall if you are allowed to decide what software runs on your iPhone. There are a bunch of these companies. You can also see the companies that insisted that DRM should be W3C work product; those are the big ones. On the other side, there are companies that play both sides of the fence. When Amazon was hoping to open a music store to rival Apple's DRM-locked music store, they launched the MP3 store with the slogan "DRM: Don't Restrict Me." Then they bought Audible, which -- sells digital audiobooks. They said, by the way, if you make audiobooks and sell them through our platform, which is -- responsible for 90% of the audiobook sales in the world and is the sole supplier of spoken word to the iTunes store, you must have DRM.
A lot of those companies play both sides of the fence. We're out of time. I'm going to sign books with the press people over in the champagne room. There are books in the champagne room. There are books there. I will see you there. Thank you. Support EFF! [Applause]