00:00:00.534,00:00:05.439 > Uhh next up is Nate Cardozo, he's gonna go over some history up to the current state of 00:00:05.439,00:00:10.444 Cryptography and the law. So let's re welcome Nate Cardozo. [Cheering] [Clapping]. >>Thanks. 00:00:16.216,00:00:22.489 Thanks for coming. Thanks for, uhhh, almost filling this room. It's pretty full. Uhh I am 00:00:22.489,00:00:26.293 Nate Cardozo, I am a senior staff attorney at the Electronic Frontier Foundation in San 00:00:26.293,00:00:31.932 Francisco. I was on the EFF panel just now, and I answered a couple of questions, but there 00:00:31.932,00:00:38.839 might be some more time at the end of this one. I am a lawyer, I am not your lawyer. [Laughter] 00:00:38.839,00:00:43.210 Unless you know that to be false, because I am probably some of yours lawyer in this 00:00:43.210,00:00:48.215 room. I have been at the EFF for the last couple of years and it's been an extraordinarily 00:00:52.219,00:00:57.324 busy time. In this talk I'm gonna talk a little bit about the past, where we have come 00:00:57.324,00:01:03.864 from in terms of crypto law, uhhh and of course what is old is new again and where we are 00:01:03.864,00:01:09.903 going. I am going to talk about the legal challenges that face people who design, implement and 00:01:09.903,00:01:15.309 use crypto around the world. I am a US lawyer, my focus will be on the US, but I'm gonna touch 00:01:15.309,00:01:21.014 on some dumb things countries are doing besides the United States. I mean we are doing dumb 00:01:21.014,00:01:25.652 things here, but there are other countries doing dumb things as well. And I am going to talk 00:01:25.652,00:01:30.657 about the future, what we are likely to see. So on Wednesday, ummm or maybe Thursday I forget, 00:01:33.694,00:01:40.033 at Black Hat Jennifer Granick said: End to End Encryption is legal, period. Okay so that's 00:01:40.033,00:01:45.038 the state of the law. Questions? [Laughter] [Clapping] [Cheering]. I mean she's right. 
00:01:48.275,00:01:55.048 End to end Encryption in the United States is legal, period. Ummm but there is still some 00:01:55.048,00:02:01.955 places to go and some things to talk about. The story I am about to tell you isn't really 00:02:01.955,00:02:08.929 particularly true, but I'm gonna tell it anyway. [Laughter]. From around 1784, when Joseph Bramah 00:02:08.929,00:02:14.067 invented a particularly good lever lock, until the second half of the 19th century, there 00:02:14.067,00:02:18.038 was such a thing like perfect security. You are looking at it, that was it. Uhhh the..that safe 00:02:18.038,00:02:20.040 was unbreakable. The lock could not be defeated and with the advent of overlapping cast 00:02:20.040,00:02:22.042 steel, rather than forged steel, overlaps obviously hiding the rivets, uhh you couldn't just um 00:02:22.042,00:02:26.880 break it open. You couldn't pick the lock, couldn't break it open, couldn't be drilled, 00:02:26.880,00:02:30.083 couldn't be bashed. You could drop it from a very tall building, umm so the solution of 00:02:30.083,00:02:32.085 course is to build one big enough that you actually can't lift, and that's exactly what 00:02:32.085,00:02:34.087 they did. Of course lock pickers have been around as long as locks and in 1851 a locksmith 00:02:34.087,00:02:36.089 called Hobbs picked Bramah's unpickable lock. Took him 51 hours but he did it. At the same 00:02:36.089,00:02:38.091 time, right around the same time Hobbs figured out how to pick this thing, uhhh TNT was 00:02:38.091,00:02:43.630 invented and that, uhh, made it much much easier to break into this thing. Like I said none of 00:02:43.630,00:02:48.635 this is true, safes were picked all the time, in that intervening 67 years between 00:02:59.112,00:03:04.051 Bramah and Hobbs, but not by picking them and not by blasting them open. But as you all know 00:03:31.745,00:03:37.350 even with a perfect spec there is no such thing as perfect security. 
Vulns are in 00:03:37.350,00:03:41.121 implementation, they are not in the sp...well sometimes they are also in the spec, but more 00:03:41.121,00:03:47.894 commonly they are in implementation. Uhh so you overlapped your cast plates, but 00:03:47.894,00:03:52.899 you had the hinges exposed and you just knocked the hinges off the door. The...one of the 00:03:55.502,00:04:01.074 co-founders of the Electronic Frontier Foundation John Gilmore in something like 1993, I cannot 00:04:01.074,00:04:06.246 get an exact date for this statement, said: "The internet interprets censorship as damage 00:04:06.246,00:04:11.251 and routes around it". That statement is more true now than it was 20 something years ago. 00:04:13.253,00:04:18.892 In 93 there was no Tor, there were no VPNs, no anonymizing proxies, at least none to speak 00:04:18.892,00:04:24.865 of. We barely even had the first inklings of transport layer security when Gilmore 00:04:24.865,00:04:29.870 said this. But there were words, there were lots of them and images and code, politics. You 00:04:32.706,00:04:37.677 name it, it was online. And for more than 2 decades the internet has provided us with a truly 00:04:37.677,00:04:43.083 global platform for expression. Today anyone can write an opposition party blog, post 00:04:43.083,00:04:48.388 photographs of their cats, which if you follow me on Twitter, you see. You can organize a street 00:04:48.388,00:04:53.894 protest, contribute to open source crypto on GitHub, send 419 spam, search for 00:04:53.894,00:04:58.899 extraterrestrial life, mine for bitcoin, swap selfies, use PGP. But in the 90s we had the first 00:05:03.570,00:05:05.572 crypto wars, this is actually an anachronism what I put on the screen, this is a Perl 00:05:05.572,00:05:10.577 implementation of RSA so it's not exactly the right time, but you get the picture. This first 00:05:10.577,00:05:15.582 crypto wars was an attempt by the US government to regulate that. 
That you couldn't put that 00:05:19.853,00:05:24.858 on the internet. If you were here for the last panel there was a question about ITAR or 00:05:28.628,00:05:33.633 EAR, this was considered a munition, in the same category as hand grenades or tanks. And 00:05:36.069,00:05:41.074 you had to get the same permit to put that online as you did to export a tank. The fear was that 00:05:44.911,00:05:49.916 this, would become this. This is of course the Enigma machine, or rather a set of its code wheels, 00:05:52.619,00:05:58.458 uhh the Enigma machine...uhhh...who here..uhh...raise your hand if 00:05:58.458,00:06:04.064 you are familiar with Enigma. Okay most people. Enigma was not invented as a military 00:06:04.064,00:06:09.069 technology. Enigma was invented to protect the European banking system. Uhh and became famous 00:06:11.238,00:06:18.011 after some modifications by the Nazis, uuhhh when it went into effect in World War 2. And for a 00:06:18.011,00:06:23.016 time it defeated all allied cryptanalytic attacks. And for a time provided perfect security. 00:06:26.686,00:06:32.158 It took a set of stolen code wheels, the invention of the computer and the most brilliant 00:06:32.158,00:06:38.265 cryptographic minds of their time, both in Poland and the United Kingdom to crack this 00:06:38.265,00:06:43.270 thing. But getting back to RSA, that. The US government's fear was that if we did not regulate 00:06:46.573,00:06:51.578 this, it would allow our adversaries this, perfect security. Uhh and we end up in a 00:06:54.080,00:07:00.520 situation where a cipher designed to facilitate banking, both RSA and Enigma, would 00:07:00.520,00:07:04.858 instead be used by the Soviets for their nefarious plans on world domination, because that's 00:07:04.858,00:07:09.863 what they did. Umm who here is old enough to remember this? Okay. A case in point, I am 00:07:13.667,00:07:19.973 certainly old enough to remember this befuddling option. 
Do you want Netscape Navigator for the 00:07:19.973,00:07:25.078 US, or do you want it for the rest of the world. Do you want the version that only supports 00:07:25.078,00:07:30.083 40-bit RC4 or the full 128-bit capable version. The strong version of course was only 00:07:32.986,00:07:39.192 available if you live in the United States or Canada, because of the inclusion of encryption in 00:07:39.192,00:07:44.197 ITAR. Umm but this was the 90s, there was geoip blocks, there were no verifying mechanisms, 00:07:47.267,00:07:51.871 and all you had to do was check the box that said you were in the United States to get the 00:07:51.871,00:07:56.876 strong version. That was it. The US implementation was that bad and it was completely 00:08:00.547,00:08:06.820 ineffectual, it didn't keep strong crypto out of anybody's hands. And it led to things like 00:08:06.820,00:08:13.660 this. People put algorithms on t-shirts. You couldn't publish this on the internet, but you 00:08:13.660,00:08:19.566 could print it on a shirt and wear it through the airport. [Laughter]. It led to this. Theo 00:08:19.566,00:08:24.571 de Raadt lives in Canada, so he wasn't subject to any of it. It led to this. Who here recognizes 00:08:27.974,00:08:32.979 this? Awesome. Uhh crypto literally moved offshore for a time. This is Sealand, the 00:08:35.982,00:08:42.789 principality of....umm and it led to this. This is the Clipper chip. I'll talk a little about 00:08:42.789,00:08:47.794 this later. Of course I'm a lawyer, umm and my colleagues are lawyers and my boss is a 00:08:52.432,00:08:58.705 lawyer. And if all you have is a hammer, everything looks like a nail. And if all you have is a 00:08:58.705,00:09:03.643 JD everything looks like a lawwww...a lawsuit. [Laughter]. 
In the late 90s a grad student 00:09:05.845,00:09:10.316 at the University of California Berkeley, walked into the EFF office, I don't think literally 00:09:10.316,00:09:17.190 but we can picture that, and his, his deal was he invented something and he wanted to 00:09:17.190,00:09:23.463 publish a paper about it. His name was Dan Bernstein, he is now a professor at Chicago and 00:09:23.463,00:09:28.468 Eindhoven, and one of the best cryptographic minds of our generation. He wanted to publish 00:09:30.537,00:09:35.475 a paper about Snuffle, he didn't even want to publish the algorithm, although he also 00:09:35.475,00:09:41.080 wanted to do that. Uhh so we went to court for him, my boss Cindy Cohn who is now the 00:09:41.080,00:09:45.785 executive director of the Electronic Frontier Foundation and at the time was a partner at 00:09:45.785,00:09:52.592 a small firm down the peninsula in the San Francisco Bay Area represented Dan, and got crypto 00:09:52.592,00:09:57.597 not declared a munition. Uhh code is speech and we won. And crypto is now legal and 00:10:01.034,00:10:06.039 exportable. [Clapping]. The 9th Circuit in Bernstein said: "the availability and use of secure 00:10:12.645,00:10:19.285 encryption may reclaim some portion of the privacy we have lost". And that's still true. Um 00:10:19.285,00:10:24.757 the UN Special Rapporteur for freedom of expression just last year agreed, and stated in his 00:10:24.757,00:10:30.163 report: "Encryption not only protects security and privacy, not only free speech, 00:10:30.163,00:10:36.002 but the right to hold opinions without interference". And that's exactly right. We depend 00:10:36.002,00:10:42.408 on crypto in order to read, in order to write, in order to speak; all around the world and 00:10:42.408,00:10:47.413 in the United States. 
This was a button produced back in the..umm in the first crypto wars, 00:10:53.520,00:10:59.125 against the Clipper chip, which was that really terrible little chip I showed you a minute or 00:10:59.125,00:11:04.797 two ago. The Clipper chip was an NSA developed chipset developed for secure voice communications. 00:11:04.797,00:11:10.003 The thought was it was going to be installed in all our regular old telephone handsets, and we 00:11:10.003,00:11:15.708 would be able to make secure calls using it. It used something called the Skipjack 00:11:15.708,00:11:20.880 encryption algorithm and it included a back door with key escrow, in something called the 00:11:20.880,00:11:25.885 LEAF. The Law Enforcement Access Field. Umm Matt Blaze at Penn, amongst others, showed that the 00:11:28.121,00:11:33.126 algorithm was broken and umm thankfully the Clipper chip was defeated, and key escrow 00:11:36.629,00:11:41.634 appeared to be dead. Or at least requirements for key escrow seemed to be dead. And the 00:11:43.703,00:11:48.708 internet was a safer place for it. This is the cute little golden key, which the EFF 00:11:51.678,00:11:56.683 was..we had a campaign around the golden key to ask webmasters to put on their homepages, 00:11:59.285,00:12:05.758 because that's what we had back then, in support of strong crypto without key escrow. This 00:12:05.758,00:12:10.763 was from 1996, I was 15 at the time, and my homepage had this key on it. The Clipper chip 00:12:14.767,00:12:21.674 failed, mostly because it sucked, but also because of the actions of cryptographers like 00:12:21.674,00:12:26.679 Matt Blaze and his partners, who were able to show policymakers just how insecure it was. And 00:12:30.617,00:12:35.622 thank your lucky PKIs for ECCN 5D002, this is encryption exception to the export 00:12:41.861,00:12:47.233 controls. 
This giant block of text which I'm sure you can all read and have already entirely 00:12:47.233,00:12:52.238 digested, is what makes strong crypto legal and exportable today. And we thought we had 00:12:56.309,00:13:02.582 solved the field, we won. Our friends at Mountain View and Cupertino are free to ship 00:13:02.582,00:13:08.054 products that actually protect their users' security to the best of their ability. People 00:13:08.054,00:13:14.227 like Moxie Marlinspike and Adam Langley are free to publish, free and open source tools for 00:13:14.227,00:13:20.400 all of us to use. Umm as Jennifer Granick said, end to end encryption is legal, period. 00:13:20.400,00:13:25.405 But thanks to Comey, more work remains. And we are back to where we started, everything 00:13:29.342,00:13:34.347 that is old is new again. In 1997 the director of the FBI at the time, Louis Freeh said: "We 00:13:36.916,00:13:41.587 are in favour of strong encryption, robust encryption, the country needs it, the 00:13:41.587,00:13:45.925 industry needs it, we just want to make sure we have a backdoor and key so we can get into 00:13:45.925,00:13:50.930 anything you look at". That sounds shockingly familiar to what the FBI director today, 00:13:54.033,00:13:59.038 James Comey is saying. Almost 20 years later. 2015 and 2016 brought us a new set of 00:14:01.040,00:14:06.045 challenges. iOS 8 and Android M brought us full disk encryption by default. Uhhh WhatsApp joined 00:14:09.115,00:14:15.888 iMessage in actual end-to-end encryption for more than a billion people around the world, 00:14:15.888,00:14:22.762 that's to say nothing of, uhhh, Signal, or GPG, or Tor, or Pond if you are crazy enough to use 00:14:22.762,00:14:29.302 Pond. And we are back into the Crypto wars, we are calling it the next Crypto Wars or Crypto 00:14:29.302,00:14:34.307 Wars 2.0. 
Uhhh gg..you heard what I said uhh what Louis Freeh said about Crypto in 1997, in 00:14:39.579,00:14:44.584 2015, James Comey, the director..the current director of the FBI called crypto only a 00:14:47.553,00:14:53.626 business model. The government has of course been downplaying companies' support, uhh calling 00:14:53.626,00:15:00.066 it just a marketing pitch and not a technical feature. This of course completely disregards the 00:15:00.066,00:15:05.071 facts of strong crypto. IDG and Lookout did a survey in 2013 before iOS 8 and Android M, that 00:15:08.474,00:15:14.313 found that of the something like 4 million phones that were lost and stolen in the United States, 00:15:14.313,00:15:19.318 fully a quarter of those lost or stolen devices resulted in identity theft. 1 million 00:15:21.854,00:15:26.859 Americans were victims of identity theft because we didn't have full disk encryption on our 00:15:29.295,00:15:34.300 phones. And uhhh that's where Director Comey wants us to go back to, and I think that's 00:15:37.336,00:15:42.341 crazy. Because what could possibly go wrong with backdooring our crypto? 00:15:47.513,00:15:52.518 [Clapping]. To this day, most uhh actually proposals, ooh, uhh actual technical proposals uhh 00:15:54.954,00:15:59.959 for weakening of encryption are something like this: they are something like key escrow. Or 00:16:02.795,00:16:08.334 maybe double key escrow where you escrow the key once to a private key held by the 00:16:08.334,00:16:13.172 manufacturer and again to a private key held by the government so they need both to 00:16:13.172,00:16:18.177 unlock it. Something like that. That's not really a good idea. Luckily a whole bunch of 00:16:22.882,00:16:27.653 academics wrote a really good paper telling us why it's not a good idea. Uhhh this is Keys 00:16:27.653,00:16:32.658 Under Doormats, published last year, ummm the year before, it's either 2014 or 2015. 
Y'all should 00:16:34.961,00:16:40.499 read it, at least...uhh for the technical people read the whole thing, for lawyers like me read 00:16:40.499,00:16:47.206 the executive summary, it's very good. The people who wrote this paper are some of the best 00:16:47.206,00:16:53.012 cryptographic, computer security, and security engineering minds alive today 00:16:53.012,00:16:58.217 and they write: "that we find it would pose far more grave security risks, imperil 00:16:58.217,00:17:04.423 innovation, raise thorny issues for human rights and international relations if we are to give Jim 00:17:04.423,00:17:09.428 Comey what he is asking for". Keys Under Doormats identifies 3 major classes of problems uhhhh 00:17:11.430,00:17:16.435 with lawful intercept or lawful access capability. First lawful access would necessarily abandon 00:17:19.605,00:17:26.546 advances in crypto like perfect forward secrecy. That's crazy, we barely know how to build secure 00:17:26.546,00:17:32.285 devices and secure systems, we're bad at it, we don't know what we are doing. And to abandon the 00:17:32.285,00:17:38.824 state of the art and roll back to the bad old days when a lost or stolen phone had a 25% chance 00:17:38.824,00:17:44.564 of resulting in identity theft, strikes me as a really bad idea. Strikes them as a very bad idea 00:17:44.564,00:17:51.304 too and they are smarter than I am. Second it would necessarily increase system complexity. Uhhh 00:17:51.304,00:17:56.175 the keys under doormats metaphor kinda breaks down here but you kinda get what they are 00:17:56.175,00:17:59.812 getting at. Uhhh there is no such thing as a backdoor that only the good guys can walk 00:17:59.812,00:18:06.519 through. Remember back with the safe: you had an unpickable lock, you had cast plates that 00:18:06.519,00:18:11.223 overlapped, but you left the damn hinges exposed for someone to knock off so they could open 00:18:11.223,00:18:16.429 the door. That's the problem. 
The problem here isn't necessarily in the protocol, but 00:18:16.429,00:18:21.133 the massive increase in complexity, that any sort of lawful access system is going to 00:18:21.133,00:18:26.839 necessarily result in. Also doing something like this is going to concentrate the 00:18:26.839,00:18:33.346 attacker's focus on one or two incredible points of failure, and by definition the 00:18:33.346,00:18:40.086 matter...the key material is going to...have to be kept online. Because as Jim Comey or 00:18:40.086,00:18:45.358 the District Attorney of Manhattan Cyrus Vance, umm have repeated over and over, they are 00:18:45.358,00:18:51.063 going to use these capabilities a lot. They are not going to be okay with having the keys kept 00:18:51.063,00:18:58.004 in secure offline storage, they want push button access to our communications. So Comey has 00:18:58.004,00:19:04.310 actually heard us, he's he's heard us and he's come around, and umm he's not pushing for backdoors 00:19:04.310,00:19:10.116 anymore. Uhhh he said last year: "we are not seeking a back-door approach, we want to use the 00:19:10.116,00:19:15.121 front door". Which of course is the same damn thing. Uhhh the Washington Post put it a little 00:19:19.558,00:19:25.664 bit more uhhhh weirdly, I'll say, and they said, and this is a quote: "a backdoor can and 00:19:25.664,00:19:31.170 will be exploited by bad guys too, however with all their wizardry perhaps Apple and 00:19:31.170,00:19:37.276 Google, could invent some sort of secure golden key". That's what the Washington Post called 00:19:37.276,00:19:41.080 it. Of course you know...technol...sufficiently advanced technology is 00:19:41.080,00:19:46.919 indistinguishable from magic. This thing is magic to people like Jim Comey. To people like 00:19:46.919,00:19:51.657 the editorial board of the Washington Post. They don't know how it works, it's well it's 00:19:51.657,00:19:56.662 obviously magic. 
So if the wizards at Mountain View or Cupertino can design this, then 00:19:59.165,00:20:05.604 just nerd harder and invent [laughter] the golden key, or they will beat us up and take 00:20:05.604,00:20:10.609 our lunch money. [Laughter] [Clapping]. Like, come on. [Clapping]. Well that's not the 00:20:13.579,00:20:18.584 way the world works. Okay the slide you are about to see is false. [Laughter]. NSLs are not 00:20:24.423,00:20:29.428 magic, only friendship is magic. [Laughter]. There is no legal tool in place, at least in the 00:20:31.664,00:20:37.803 United States, uhh that is currently sufficient to require a provider or developer to 00:20:37.803,00:20:42.808 maintain or create the ability to provide plain-text on demand. That is a much more verbose way 00:20:46.112,00:20:51.250 to say what Jennifer Granick said at Black Hat earlier this week, end to end encryption is 00:20:51.250,00:20:56.255 legal period. There is a perception in this community that NSLs are magic. Umm I am 00:20:58.324,00:21:04.630 here to hopefully rid yourself of that perception. National Security Letters and other types 00:21:04.630,00:21:09.735 of National Security process are terrifying, they are scary, they operate with almost no 00:21:09.735,00:21:11.737 oversight, National Security Letters get issued without even a judge's signature, but they are 00:21:11.737,00:21:16.742 not magic. With an NSL you can get subscriber information and maybe a little bit of 00:21:18.978,00:21:23.983 transaction information, you can't get content, you can't get a backdoor, you can't force 00:21:29.021,00:21:34.026 someone to build code. Umm Jennifer and Riana at Black Hat the other day on technical 00:21:36.662,00:21:41.667 assistance order. Technical assistance orders might be a little more magic, but we don't 00:21:43.936,00:21:48.941 know. I'll talk a little bit about that later, later today. But there are things that might 00:21:52.912,00:21:59.018 be magic around the world. 
Many countries are looking at or considering legislation that 00:21:59.018,00:22:03.956 would mandate backdoors, or have already mandated access to plain-text or otherwise endanger 00:22:06.025,00:22:11.030 encryption. The Intel...Investigatory Powers Bill has just passed the House of 00:22:13.532,00:22:18.537 Commons and is up in the House of Lords, in the United Kingdom. Section 189 4c of the IPB says 00:22:22.608,00:22:28.280 that operators might be obligated to remove electronic protection at the sole 00:22:28.280,00:22:34.720 discretion of the Home Secretary. What does that mean to you? Well to Theresa May who 00:22:34.720,00:22:39.959 was Home Secretary at the time that the IPB was introduced and is now the Prime Minister of the 00:22:39.959,00:22:45.631 United Kingdom, it meant that the Home Secretary....or it will mean that the Home Secretary 00:22:45.631,00:22:51.070 will have the capability to order providers to strip end-to-end encryption in the UK. 00:22:51.070,00:22:56.075 Ummm if at the Home Security's discretion it's practicable, note the Home Secretary is not a 00:22:58.777,00:23:05.050 cryptographer. [Laughter]. The second major problem with this, this statute is it 00:23:05.050,00:23:09.788 would....grants the UK power to issue a National Security notice. Another secret 00:23:09.788,00:23:15.828 instrument even more vaguely drawn than removing electronic protection, that would require 00:23:15.828,00:23:21.333 operators, and operators are construed very broadly to include things that are not UK 00:23:21.333,00:23:26.438 entities like Google and Facebook and Apple, uhh to carry out conduct, including the 00:23:26.438,00:23:31.410 provision of services or facilities which the British Government deems necessary in 00:23:31.410,00:23:35.681 the interest of National Security. They don't have a 1st amendment in the UK, they don't 00:23:35.681,00:23:40.686 have the arguments that won the day in Apple v FBI litigation. 
And this scares the living hell 00:23:42.855,00:23:49.495 out of us. In Australia, the Australian Department of Defence, that's not a typo 00:23:49.495,00:23:54.500 that's just how they spell it down there, has already passed a regulation: The DSGL, which I 00:23:59.571,00:24:06.145 don't remember what that stands for. Uhhh that prohibits intangible supply of encryption 00:24:06.145,00:24:11.150 technology. Ummm this is terrifying to us. Many ordinary teaching and research activities 00:24:14.420,00:24:20.025 may well be subject to unclear export controls under this statute. We don't know how 00:24:20.025,00:24:24.663 Australian courts are going to interpret it, but it is certainly plausible given just 00:24:24.663,00:24:30.669 the plain reading of the law in Australia, that it is now illegal to teach encryption to 00:24:30.669,00:24:37.176 students that are not Australian citizens in Australia. That's horrifying. Um other countries 00:24:37.176,00:24:42.181 are doing crazy things as well. Umm China, umm passed an anti-terror law last year. The 00:24:45.551,00:24:51.657 final version of which says, and this is the best translation I could find, that companies shall 00:24:51.657,00:24:58.030 provide technical interfaces, decryption and other technical support. End to end encryption 00:24:58.030,00:25:02.968 is not legal in China period, to mangle Jennifer Granick's phrase from earlier. Um okay now I will 00:25:06.438,00:25:11.443 turn back to the US, thanks Obama. Uhhh in October last year the president said: "we will not 00:25:14.046,00:25:20.386 for now call for regulation requiring companies to decode messages for law enforcement". 00:25:20.386,00:25:25.391 Okay there's a problem there, can you spot it? I bolded it for you. [Laughter]. 
A month later, 00:25:28.994,00:25:33.999 the National Security Council issued a secret decision memo, which was thankfully leaked to 00:25:36.435,00:25:42.541 Bloomberg, who published it, that said: they were going to identify laws that needed to be 00:25:42.541,00:25:47.546 changed to deal with going dark. So for now, lasted a month. Ummm also around the same time, we 00:25:55.154,00:26:01.994 saw people like the Director of National Intelligence start thinking about what's necessary 00:26:01.994,00:26:06.999 to change the political climate in the United States, in order to get those laws, laws changed. 00:26:09.601,00:26:14.873 And of course in March 2016, South by Southwest, the president sat down to talk about 00:26:14.873,00:26:19.878 crypto, umm and that's what we got. We went from, not now, to if we don't we are fetishizing 00:26:26.752,00:26:32.724 our phone. Bob Litt who's the general counsel at the office of the Director of National 00:26:32.724,00:26:38.630 Intelligence, one of the chief lawyers in the security apparatus of the United States, 00:26:38.630,00:26:44.770 said that: the encryption debate could turn in the event of a terrorist attack or criminal 00:26:44.770,00:26:49.775 event where strong encryption can be shown to have hindered law enforcement. And that's what 00:26:52.411,00:26:59.251 we got in San Bernardino in December. Umm of course, uhhh I'm not even gonna ask for a 00:26:59.251,00:27:05.257 show of hands, I hope you are all familiar what happened in San Bernardino and its aftermath. 00:27:05.257,00:27:10.262 What was this case really about? The FBI wants the ability, and I'm not...um..uhh I'm I'm I'm 00:27:13.732,00:27:19.505 literally parahras....I'm not literally, I'm actually paraphrasing what Jim Comey said 00:27:19.505,00:27:25.577 before a hearing in the United States House of Representatives under oath: the FBI wants the 00:27:25.577,00:27:31.183 ability to mandate that companies turn our devices into tools of surveillance. 
It wasn't 00:27:31.183,00:27:37.256 about this one phone. If the question in San Bernardino had been limited to, should the FBI 00:27:37.256,00:27:42.861 be able to unlock a single terrorist's phone, I'm comfortable with saying yes. 00:27:42.861,00:27:45.898 That the answer to that question is yeah, the FBI should. But that's not what the 00:27:45.898,00:27:52.704 case was about. We saw from the leaked National Security memo, and people like Bob Litt's 00:27:52.704,00:27:58.176 statements, that they were just waiting for a terrorist attack or criminal event, um to turn 00:27:58.176,00:28:04.516 the public tide. That's what the Apple v FBI case was about. It was about whether or not the 00:28:04.516,00:28:10.188 FBI, or the Department of Justice, or the government can compel a company to change its 00:28:10.188,00:28:15.193 practices. The only reason I would submit to you, that the FBI pursued the case and the way 00:28:17.229,00:28:23.435 they did, was to set a legal precedent ummm that would give them the ability to demand US 00:28:23.435,00:28:29.274 tech companies stop providing end-to-end encryption or secure device storage. And they saw it 00:28:29.274,00:28:36.148 as a win-win. They thought, the FBI thought that even if they lost the court fight in San 00:28:36.148,00:28:41.954 Bernardino, they would be able to take that loss to Congress and ask for a fix. There was 00:28:41.954,00:28:46.391 also a case in Brooklyn, umm that was very similar in front of a magistrate judge named 00:28:46.391,00:28:51.396 Judge Orenstein, ummm that case was about an iOS 7 device, and it was probably unlockable, and 00:28:54.600,00:28:59.938 they got into it as well. But the FBI's ask in both of those cases, in both San Bernardino 00:28:59.938,00:29:05.177 and in Brooklyn was ill considered for three reasons. First legally. 
What the 00:29:05.177,00:29:11.016 act...FBI was asking for represented a fundamental shift in the way the All Writs Act was 00:29:11.016,00:29:16.755 interpreted. Umm I have in other contexts gone much deeper into the All Writs Act and what that 00:29:16.755,00:29:22.527 is, I'm not going to...uhh for this audience, you find it super boring. But in any case it's 00:29:22.527,00:29:28.634 never been used to compel an American company to sabotage its own products. The All Writs Act 00:29:28.634,00:29:33.639 was passed in 1789 and definitely available to police back in the Joseph Bramah days, 00:29:36.441,00:29:42.547 in the days of that first safe, that I...the first unbreakable safe. Brinks...West...uhh Wells 00:29:42.547,00:29:47.552 Fargo were never compelled to create a master key to their devices. Umm that is something 00:29:49.688,00:29:54.693 American courts have never done. Technically the ask was flawed. As I said earlier we don't know 00:29:57.663,00:30:01.733 how to build secure systems and the fact that the FBI was considering mandating Apple 00:30:01.733,00:30:06.738 undermine the security of an already not perfectly secure device, was crazy. Was not just 00:30:08.974,00:30:13.979 crazy to the...our left wing radicals at the EFF, ummm but to the several dozen companies that 00:30:16.048,00:30:22.087 submitted amicus briefs in support of Apple's position in San Bernardino. And finally the 00:30:22.087,00:30:27.092 FBI's ask was flawed for policy reasons. There's no way that an FBI backdoor would stay an FBI 00:30:29.461,00:30:34.166 backdoor. The Russian, the Chinese, the Brazilians, The Turks, the French, the Germans, 00:30:34.166,00:30:39.938 you name it, are gonna want the same access. And the only reason that Apple has been able to say 00:30:39.938,00:30:45.243 no to the Chinese, to the Russian, to the Brazilians is because they don't give it to 00:30:45.243,00:30:51.149 the FBI. And once that changes the calculus all around the world changes very quickly. 
And 00:30:51.149,00:30:57.756 that would be very crippling to not just tech, but also American business. Umm there are other 00:30:57.756,00:31:03.862 litigations happening around the country, at least we think there are. Umm wiretap acts litigation 00:31:03.862,00:31:08.867 might be ongoing. In March Mario Puzo wrote a story in the New York Times about an order 00:31:11.670,00:31:16.374 directed at WhatsApp, ah federal...a United States Federal court order directing 00:31:16.374,00:31:21.346 WhatsApp to do something, we are not exactly sure what, we don't know which court it's in front 00:31:21.346,00:31:26.651 of, we don't know if the litigation is ongoing. If I had to guess, I'm gonna say it's 00:31:26.651,00:31:31.656 probably not ongoing right now, but who knows. There may be a FISA court order, the FISA court, 00:31:35.060,00:31:39.564 United States Foreign Intelligence Surveillance Court, sits in the basement in the 00:31:39.564,00:31:45.303 basement of a federal courthouse in Washington DC, and meets literally in a Faraday Cage to 00:31:45.303,00:31:50.242 do its secret orders. Umm litigation in front of the FISA court generally speaking is one 00:31:50.242,00:31:55.247 sided. The government stands in front of the judge alone and is unchallenged. That is changing a 00:31:57.516,00:32:01.953 little bit, there is now an Amicus provision, an order directed at a company might be 00:32:01.953,00:32:08.927 contested. So far as we know only one provider has ever contested a FISA court opinion, 00:32:08.927,00:32:14.299 or a FISA court order and that was Yahoo in 2007/2008. We of course didn't learn of that 00:32:14.299,00:32:19.304 until 2013 or 2014, 2014 I think. Umm but we are in the middle of a FOIA case to get 00:32:22.641,00:32:27.045 access to get any decryption orders that might exist, at the FISA court. One of the nice 00:32:27.045,00:32:33.018 things that happened last year, this is a minor win for us. 
The USA Freedom Act was passed 00:32:33.018,00:32:38.290 in...was passed by Congress and signed into law by the president. In one section in USA 00:32:38.290,00:32:44.930 Freedom says that the government has to declassify significant FISA court opinions. Ummm of 00:32:44.930,00:32:50.836 course it doesn't define what significant is, it's not clear if it's retroactive so we sued. And 00:32:50.836,00:32:52.838 we are suing to get a hold of that. Um...oh...remember...okay...okay 00:32:52.838,00:32:57.843 I will go here. You remember when I said they are just waiting for a big, terrorist or 00:33:00.312,00:33:06.218 criminal thing to update the law. That happened in San Bernardino and we got the Burr 00:33:06.218,00:33:12.824 Feinstein bill. Luckily the Burr Feinstein bill seems to be dead right now, but it would have 00:33:12.824,00:33:17.829 required providers of just about everything, to decrypt on demand. Uhhhh carried civil and 00:33:20.365,00:33:26.504 criminal penalties, would apply to not just communications, not just to storage, but also to 00:33:26.504,00:33:32.878 licensing. Which means it would have included app stores. If Burr Feinstein had been passed 00:33:32.878,00:33:38.083 in its original form, it would have required Apple and Google to censor the App store and the 00:33:38.083,00:33:43.088 Play Store to make sure nothing had crypto in it. And of course not just end-to-end encryption 00:33:45.423,00:33:50.762 but also full disk encryption, would have been included. And actually if you read the Burr 00:33:50.762,00:33:57.569 Feinstein legislation literally, if you take it to its extreme, it would have outlawed general 00:33:57.569,00:34:03.141 purpose computing. That's just a hint of how out of touch the dur....the drafters of this 00:34:03.141,00:34:08.146 legislation are. Okay 2016 what are we looking at? There could be a key escrow mandate, 00:34:12.050,00:34:17.522 certainly China and India feels comfortable with. 
I don't think it's going to happen in the 00:34:17.522,00:34:21.760 States. I don't think it's going to happen in the States for a couple of reasons. Ummm all of 00:34:21.760,00:34:27.999 which are enumerated in the Keys Under Doormats paper. Uhhh the Burr Feinstein bill, may be 00:34:27.999,00:34:34.873 redrafted and re-introduced. It definitely won't pass in its current form, because as I said 00:34:34.873,00:34:40.245 read literally it outlaws general purpose computing; and even Congress isn't that dumb. I 00:34:40.245,00:34:45.917 mean maybe, they might be. [Coughing]. Uhhh but a law that says we don't care how you do it 00:34:45.917,00:34:50.922 just make plain-text available, uhhhh is certainly plausible. That's the route the UK seems to 00:34:53.992,00:35:00.265 be taking. The Investigatory Powers Bill is as I said in front of the House of Lords. Uhh 00:35:00.265,00:35:05.437 if the House of Lords passes it, it will become the Investigatory Powers Act and that will be the 00:35:05.437,00:35:10.442 end of end-to-end encryption in the UK. Uhhh I gave a talk at Real World Crypto in January and 00:35:13.712,00:35:18.683 I made a lot of predictions, very few that became true. I did not anticipate the All Writs Act 00:35:18.683,00:35:23.955 litigation at all. But I made a prediction that said the government is going to focus on 00:35:23.955,00:35:28.326 defaults not primitives. And I think that's right, I think that's still right. The 00:35:28.326,00:35:34.032 government knows, they are not stupid. They know there is no way to keep strong crypto out of 00:35:34.032,00:35:39.437 the hands of people who are really determined to get it. But there is a way to keep strong 00:35:39.437,00:35:43.675 crypto out of the hands of everyone who just walks into the Apple store and buys an iPhone. 00:35:43.675,00:35:48.680 Umm they can force companies to change the defaults. We have seen a couple of states try it. 
00:35:52.384,00:35:56.921 In California and New York, a pair of bills that were almost identical were introduced at the 00:35:56.921,00:36:01.826 beginning of the year, that would have made it a crime to: sell a smartphone that had 00:36:01.826,00:36:06.831 secure device storage by default. They did not nece..they didn't need, they didn't even 00:36:08.900,00:36:13.972 really try, California tried a little bit but didn't try very hard to make it impossible to 00:36:13.972,00:36:19.644 install full disk encryption. They really just care about the defaults. They 00:36:19.644,00:36:23.081 don't...they know they aren't going to get the terrorist, they know they aren't going to get 00:36:23.081,00:36:27.385 organized crime, they know they aren't gonna get the paedophiles. They are gonna get 00:36:27.385,00:36:32.390 us, ordinary Americans. Uhhh and that's what these two bills were about. What's likely in 2016. 00:36:36.761,00:36:42.200 Informal pressure. One of the things I do along with my colleagues at EFF is we 00:36:42.200,00:36:48.273 represent developers, sometimes in small companies, who get a visit from their three letter 00:36:48.273,00:36:53.278 agency friends. So I kinda know what this looks like a little bit. The FBI will request a 00:36:56.214,00:37:01.619 meeting, they will come down and sit in your office and say: it will be really great if you put 00:37:01.619,00:37:06.791 a backdoor into your stuff and if you don't blood will be on your hands. And they will show 00:37:06.791,00:37:11.129 you pictures of terrorists with your products in their hands, that happens. So they don't 00:37:11.129,00:37:16.134 necessarily have need to force you, they can just pressure you real hard. I don't think any ban 00:37:18.770,00:37:23.541 we could possibly see in the United States can hit free or open source software. I don't 00:37:23.541,00:37:29.447 think it's possible. We have the First Amendment here. 
They're not dumb enough to try, well Dianne 00:37:29.447,00:37:36.387 Feinstein is dumb enough to try, but I don't think that's actually gonna pass. [Laughter] 00:37:36.387,00:37:41.392 [Clapping]. Two slides ago I said it's about defaults not primitives. For any ban 00:37:44.028,00:37:46.431 on...uhhh....I don't se...I don't think we are gonna see bans on primitives, I don't 00:37:46.431,00:37:50.668 think we are gonna see algorithms targeted. I think we are gonna see defaults targeted. 00:37:54.372,00:37:58.176 We might see a CALEA like mandate. CALEA is the Communications Assistance for 00:37:58.176,00:38:04.983 Law Enforcement Act, passed in 1994, that requires telephone, plain landline and mobile 00:38:04.983,00:38:11.289 telephone companies to have wiretap capabilities. This is a relatively decent possibility. A 00:38:11.289,00:38:15.660 mandate like this would apply to providers operating in the United States and something like 00:38:15.660,00:38:20.331 a condition for selling something they must turn...um maintain the ability to turn over 00:38:20.331,00:38:25.336 plain-text. This is only going to be tough on Apple and Google, maybe even the App store and 00:38:27.672,00:38:32.677 it's not gonna touch GitHub or your pet free and open source crypto project. Uhhhh and of 00:38:36.281,00:38:41.286 course countries around the world might continue to do dumb things. Kazakhstan uhhh, appears 00:38:43.354,00:38:47.826 to want everyone to install their certificate into your trust store, so they can 00:38:47.826,00:38:53.398 man-in-the-middle all of your SSL. They de-published that requirement, so it's not clear 00:38:53.398,00:38:58.403 how serious they were, but they were certainly thinking about it. Uhhh China already has. But 00:39:01.673,00:39:07.145 it's not gonna work any better this time than it did the last. Last time all you had to do is 00:39:07.145,00:39:12.150 put it on a t-shirt and walk through an airport. 
Information does not give a crap about 00:39:12.150,00:39:16.855 borders. These are not centrifuges, these aren't SCUD missiles, these aren't nerve gas 00:39:16.855,00:39:22.627 precursors. You can't stop crypto at the border. We live in a world with strong 00:39:22.627,00:39:26.698 cryptography, and there is nothing the US government or any other government around the 00:39:26.698,00:39:31.703 world can do possibly do to change that fact. We have Tor, we have GPG, we have Signal. And 00:39:36.641,00:39:42.313 we are beginning to have real available tools to evade censorship. WhatsApp is used 00:39:42.313,00:39:47.318 everyday, or every month by 1.1 billion people around the world, with strong crypto. That's 00:39:49.554,00:39:55.193 amazing. So what's to be done? What if you are a developer staring down the barrel of an 00:39:55.193,00:40:01.032 order, or a request, or a demand, or an NSL, or if the NSA comes and sits in your office 00:40:01.032,00:40:06.037 and says blood will be on your hands? Email info@eff.org and we will help. [Clapping]. What if 00:40:09.641,00:40:14.646 you are just a regular person wanting to fight back a little against the surveillance state? 00:40:18.283,00:40:23.288 Oh we have a site for that, in 7 languages, we will show you how to install Signal or WhatsApp on 00:40:26.024,00:40:30.728 your phone. We will show you how to turn on full disk encryption on any device you might have 00:40:30.728,00:40:35.733 that supports it. We will help you with threat modelling. SSD is awesome and you should 00:40:35.733,00:40:40.738 definitely go there. Uhhh and what if you just have some questions? Will ask them. That's 00:40:44.208,00:40:49.213 it. [Whistling] [Clapping]. I think, do we have a couple of minutes? >>Yes >>Yes. We have a 00:40:57.555,00:41:01.793 couple of minutes. There is a mic at the front. Line up if you want to ask a question or two. 00:41:01.793,00:41:06.397 >> Question: Hello. How do you feel about the Democratic platform? 
Did you read the tiny 00:41:06.397,00:41:12.070 little section, and I mean tiny, on cyber security [Laughing]. >>So unfortunately EFF is a 501c 00:41:12.070,00:41:16.140 non-profit and we can't get involved in Election politics. >>Yeah cause they use that weird 00:41:16.140,00:41:21.079 language about the false notion about privacy and security. >> Well I can tell you what I think 00:41:21.079,00:41:26.384 about privacy and security. You can't have one without the other. You need both. There is 00:41:26.384,00:41:31.389 no tension between privacy and security. We need them both. >> Question: Hello how you doing? 00:41:34.192,00:41:39.163 >> Hey pretty good. >> ...Question: Alright I keep hearing there is no such thing 00:41:39.163,00:41:44.402 as perfect security, would you say bitcoin has perfect security barring the unlikely quantum 00:41:44.402,00:41:49.841 thing? >> Uhhh I have no idea. Luckily EFF is at this point is big enough that..uhh..I can 00:41:49.841,00:41:54.846 trust other people to think about crypto currency, and I can think about crypto without 00:41:57.115,00:42:02.053 currency so uhhh, ask. Send an email at info@eff.org. >> Yeah thank you. >> Question: So the 00:42:06.057,00:42:11.329 normal political argument for weakening crypto, is we need to catch the terrorist, plus if you 00:42:11.329,00:42:16.334 have nothing to hide why should you care. But we have a sort of increasing, uhhh number of 00:42:18.669,00:42:24.042 terrorist events at least hitting western media, so how uhhh how do you think that puts 00:42:24.042,00:42:29.447 us if every time there is a terrorist event that convinces a certain portion to not or 00:42:29.447,00:42:34.452 care less about privacy. Are we doomed or? >> I sure hope not. If I were a pessimist there 00:42:40.058,00:42:44.662 would be no reason for me to get up everyday and go into work at EFF. I have to be an optimist on 00:42:44.662,00:42:49.767 this. 
As I said there is nothing anyone can do to keep strong crypto out of the hands of 00:42:49.767,00:42:55.606 someone determined to use it. In terms of the I have nothing to hide why should I care argument. 00:42:55.606,00:43:00.678 That's something we hear a lot at EFF. We hear that from policy makers, from regular people. And 00:43:00.678,00:43:06.250 my response about that is, it's not about you. Right? It's literally not about you. It's 00:43:06.250,00:43:11.255 about everyone else. I don't have anything to say, but yet I benefit from freedom of speech, 00:43:14.192,00:43:19.197 because other people's speech benefits me. The robust exchange of ideas benefits me. Privacy is 00:43:21.499,00:43:26.504 the same. I benefit from you having privacy, because privacy is a prerequisite for change. 00:43:29.040,00:43:33.878 Privacy is a prerequisite for democracy. We couldn't have had a civil rights movement or a gay 00:43:33.878,00:43:40.751 rights movement in the United States without privacy, you can organize in public. If you are a 00:43:40.751,00:43:45.756 LGBT teen in Saudi Arabia, you need privacy. And I benefit from privacy being available around 00:43:48.459,00:43:53.464 the world. [Clapping]. > We have no more time. I'm sorry, that's all the time we have. If you want to 00:44:00.204,00:44:06.344 point somewhere else where you can take more questions if you have the time? >>I'm going to be 00:44:06.344,00:44:11.282 going to the contest area, I have a two and a half hour booth shift. If you want to meet me at 00:44:11.282,00:44:16.521 the EFF booth [laughter] uhhh in like 5 minutes, that's where I'm headed and I can continue 00:44:16.521,00:44:21.425 answering your questions there. > And while you go over to the contest to talk to him, you can 00:44:21.425,00:44:26.931 at the same time get a Mohawk and donate to the EFF, and I haven't seen enough Mohawks this 00:44:26.931,00:44:31.936 year. >> Thanks everybody. [Clapping].