Thank you everybody for coming. Welcome. Welcome to the Ask EFF panel. We're so glad to see so many of you people here today. Uh this is gonna be uh kind of a lightning round. We have about uh 30 minutes in here and with a transition that means about 20 minutes for questions. Uh so we're gonna do very brief introductions and then we'll look forward to answering your questions. Uh brief uh uh word of warning uh as many of you know one of the things we do here is we provide uh some legal advice to people who are in need from this community. This is not the place for those questions. You want to have those in private conversations with the uh privilege attaching. This is the place for more of your general questions about some of our work and policy initiatives. Um and so while you're thinking of the great uh questions to ask I'll begin with the introductions. My name is Kurt Opsahl. I'm the general counsel at the Electronic Frontier Foundation. EFF as you probably all know because you're here. Uh we are a non-profit organization, a non-profit civil liberties organization dedicated to defending your rights online. Uh and with that I will let our esteemed collection of panelists introduce themselves. My name is Jeremy Gillula. I'm on the tech projects team at EFF. So we're the team that develops things like Certbot and Let's Encrypt and HTTPS Everywhere and Privacy Badger and also explains tech to the lawyer people. Hi my name is Katitza Rodriguez. I'm EFF's international rights director. I work on global surveillance issues helping groups fight draconian surveillance laws, in particular in Latin America. Hi I'm Andrew Crocker. I'm a staff attorney. I work on our civil liberties team especially on our national security, privacy, crypto stuff. Hi I'm Eva Galperin. I work on EFF's international team mostly on issues regarding privacy and security of vulnerable populations all over the world. 
I also do our state sponsored malware research. And I'm Nate Cardozo. I'm a senior staff attorney at EFF. Uh I do crypto and security policy as well as free speech and privacy litigation and I will be giving a talk immediately after this one in this same room about crypto law. So yeah save your crypto law questions for that talk because it's going to be great. Uh so we have a mic here in the center aisle. So if you have a question why don't you come on forward and ask on the mic. Hi um my question is do you think crypto is a good way to protect people from net neutrality? I think we can trust Tom Wheeler. Who? Tom Wheeler. Oh. Um. Go for it. Take that one. Uh so I'm probably the only person on this panel who's worked on net neutrality issues so uh I I mean in some sense we don't have to trust him right? Because everything that he would do that would have any consequence ends up being a public thing. Uh but I have been very pleasantly surprised by the direction he's been pushing the FCC. So um I think we can trust Tom I mean I trust him but I also keep an eye on him. So trust but verify? Yeah exactly. Uh so what do you think the privacy and security implications are for Americans following the IANA transition? Um anyone? The person who worked on ICANN is not here so yeah. Ask him. And none of the rest of you does anything with ICANN. Jeremy Malcolm. Oh Jeremy Malcolm. Yeah we have at this point about uh 70 employees and uh we bring a good selection here. This is a great group of folks but unfortunately we can't cover every possible uh issue. And also ICANN staff and the IANA transition is not a topic we give priority in the effort. Alright. Anyone else uh have a question come forward? So we can also uh I'll give a little brief discussion of some of the things that we have been uh working on while you're getting your uh questions ready. Uh let's uh please. 
Hi I just got asked by a friend if the EFF would endorse his campaign for judge and I said I was sort of dubious about that. Can you elucidate whether EFF can or cannot participate in political endorsements of candidates or positions and why or why not? Uh well we actually cannot uh as a nonprofit organization. Uh we don't uh get involved in what's known as electioneering. Uh generally we just do it as a, this means on the plus side if you donate to EFF it is a tax deductible donation and we get some uh advantages as an organization but uh that also comes with us being a non-partisan non-political organization that doesn't uh get involved in elections. Who wants to talk about export controls? I see you trolling. One, thank you for you guys' help with the net neutrality stuff. I think everybody in here greatly appreciates it so thank you. Um is anybody on the panel? Thank you. Uh actually I'm curious is anybody here familiar with the kind of stuff that's going on in Europe right now with the Privacy Shield and GDPR? That's Danny, um I don't know the uh content of the GDPR right now. I know that um the European Union has passed a new regulation for the data protection directive and it's the GDPR. Um due to uh Max Schrems' uh litigation um the safe harbor provision which allows, it's a European provision that compels companies to, if you want to transfer data from the European Union to the United States you have to, or to any country, it has to be an adequate country. So so the question I I you may not know the answer which is fine but I was just curious like I've been looking at it uh pretty heavily and I don't think America's ready and I it it the uh the like right to be forgotten clauses, that even from a technology perspective there's just a lot in there that I think is going to be extremely disruptive and I just didn't know if you had a take on that or not. I gotta. Yeah um ok yeah I also got it. Uh oh the right to be forgotten. 
Um if you want to see people from EFF really squirm uncomfortably ask us about the place where your right to privacy and your right to free speech overlap. Um the right to be forgotten is actually quite reasonably popular. Uh in the United States we tend to sort of err on the side of the First Amendment and uh EFF believes that the right to be forgotten is actually quite problematic. On one hand who among us has not done things that have ended up on the internet that we're not terribly proud of that we would like to see not indexed by Google. Uh on the other hand what we're really worried about is that the right to be forgotten can and will be used by the powerful to cover up their misdeeds and in fact we have a great deal of evidence that this is exactly what is happening. So uh EFF does not support the right to be forgotten. We think it's super extra problematic. Uh but that is just one provision of the GDPR and I want to give an example: in Latin America we copy a lot of uh laws from Europe, from data retention to the right to be forgotten. So we already have bad precedents, for instance right now in Peru there has been um a right to be forgotten case where they put a huge fine on Google but also another case where they're investigating uh an investigative journalist. So we have problems in Mexico and in Colombia, and the sentence in Colombia was favorable to Google but it was not good for the media. The media has to take down the content. Uh de-index the content from their website. Please go ahead. Uh is there anything that the EFF is doing or can do to uh move technologies that are ITAR restricted and uh dual use that are out there and uh essentially is there a way to move them from ITAR to dual use or off of that? Um sure. Thank you for biting on my export control taunt. Um we do a lot of work around export controls. 
Uh most recently uh the State Department proposed listing cyber products on ITAR. Um without doing a lot of work around the export controls uh most recently uh the NAICS team is working on a uh moving the ITAR system to the EAR system but uh in order to define what that is or what it means or what it would be. Uh so we wrote uh, we only caught wind of it a couple of days before it was debated uh and we along with our friends at Access Now uh wrote a uh very strongly worded letter saying don't do this, this is stupid. Um we are also, What? What's an EAR? Oh EAR is the Export Administration Regulations. It's administered by the Commerce Department uh and it covers dual use technologies. Uh it's a lot better than ITAR which is the United States Munitions List. Uh crypto used to be treated the same way as tanks and hand grenades. Now it's treated the same way as MRI machines. Um so we're trying to make sure that things like pen testing tools don't require a license to export. Um so stay tuned, that's the Wassenaar Arrangement uh process. Uh I was on a panel last year in this hall talking about that uh and it's still very much live. So we blog about it from time to time. Eva and I uh are leads on ITAR and EAR stuff at EFF. Hi. Hello. I always leave DEF CON feeling a bit deflated. So I wondered if there's some good things that happened in the last year or some good trends that maybe you could highlight hopefully? What's the good news? Well we won the Apple FBI case. Yeah. So um last year. Do you want to talk about Let's Encrypt, say, for some of these. Oh yeah the launch of Let's Encrypt in the past year. Oh did I steal, I'm sorry I didn't mean to steal it. Yeah free certificates easy to set up. I'd say that's a pretty big win. Well I have uh pretty big wins in small countries too. 
We defeated data retention in Paraguay which is a big issue because the European Union has been um exporting these laws to developing countries and that was the first win in that country. Another big win is, uh, the increasing use of end-to-end encryption. Uh, as you probably know, EFF has a lot of interesting projects to encrypt the web, uh, encrypting data in transit, so we have HTTPS Everywhere, we started Certbot, um, but this year, uh, we saw the implementation of the Signal protocol, uh, for end-to-end encryption in all WhatsApp messages, and WhatsApp is the largest, uh, sort of, uh, messaging, uh, platform in the world. So that brings end-to-end encryption, by default, to hundreds of millions of people, and I think that's kind of, 1.1 billion people, 1 billion dollars, um, so I think that's a pretty big deal, it's a big win. So last year, uh, Let's Encrypt was just in beta, and, uh, this year, it's, you know, it's everywhere. I mean, in the developer community at least, and I'm using it in production now, and, uh, it's, I'm, I was sick of it. So, uh, one thing that, uh, I think it either just happened, or it's about to happen, is that the Let's Encrypt root certificate is going into the Mozilla trust store, which is pretty awesome. Um, and then, uh, let's see, we're working on, uh, new, uh, new challenge techniques, uh, or new challenge protocols, um, and we're just going to keep pushing it out. Um, I mean, it, at some level, it's just, it gets, it'll just keep being adopted, people keep using it, um. Are we the second or third biggest CA in the world? It, I, I think third, but I also think it depends on how you measure. Uh, so, yeah, I mean, just keep telling everyone to use it. That's basically it. Hi, guys. So, I have two questions. You probably know that the EFF is a big player nowadays, and a lot of people use your, you know, extensions and Let's Encrypt. 
So, the first question is, can the EFF be in any way forced to cooperate with your favorite three-letter agencies? That's the first question. And the second is, if that happens, what kind of safeguards and ways do you have to notify users that this is happening, or some kind of kill switch, maybe, for add-ons or something like that? Uh, so, we have not received any, uh, national security letters, uh, nor any orders to modify our code. So, we can put that out there for now, and, you know, if you ask this question again next year, see what happens. Um, but I, I think that, you know, this would be something that, uh, of course, we would fight. We, we believe very strongly, uh, that the government should not be able to force a, a backdoor. That, uh, one of the core issues that the government, uh, has been working on for, you know, most of its existence since the 90s is the notion that, uh, code is speech, that you have, uh, First Amendment rights to publish code, and that if the government is gonna come along and tell us what kind of code we have to publish, that would violate our rights. We also think they don't have the statutory authority to, to tell us what to put in our code, but, uh, even if they, uh, did have a statute, that statute would be, uh, unconstitutional. Uh, and I think the, the second way that there's some, some assurance is that, uh, we put our source code out there. And I think Jeremy, could you? Yeah, I was just gonna say that the other addition is all of our extensions, as well as Let's Encrypt, are all open, or, uh, Certbot, are all open source, so you can check the source, you can compile it yourself if you don't wanna, you know, trust the distribution channel. Uh, and then the other thing is, also, just by default, we don't really collect any data. Uh, HTTPS Everywhere, if you turn off the SSL Observatory, uh, doesn't send anything back to us whatsoever. Uh, Privacy Badger doesn't send anything back to us. 
Uh, I think maybe, like, crash reporting or something like that, if you turn it on. Um, so, we don't have much to give the feds, even if they, you know, came to us. Which is, of course, by design. Also, we're a hard target. Yeah. They would have to have some brass, uh, to, to think that we were going to backdoor anything. Yeah. Uh, similar to what we've heard before, thank you guys so much for everything that you do. It makes us able to, as a pen tester, and I'm sure as many other people here, uh, thank you, uh, makes us able to do what we do. Um, we also, you mentioned earlier the Signal protocol, which has been incredibly successful with its integration in several different apps, including WhatsApp. Is EFF doing anything to help, either from the technical side, uh, help develop it, or from the legal side, make it more available and make it easier for people in maybe other countries to access it? Crypto export plug. Well, I was going to say, so, uh, one thing we are working on, uh, some of you may be familiar, we had this secure messaging scorecard, uh, up for a while. Uh, we're working on a revamp of it, and the, really the main focus of that is to encourage developers to, uh, basically adopt better protocols, better tools, better designs for secure messaging. Um, and so watch, I would say watch this space, uh, that's going to come up again soon, and we'll be rating, not so much rating, but basically, you know, listing, you know, which tools we think are secure, which ones we would say avoid at all costs. Um, and so that's part of it. I don't know if, Katitza, you wanted to, or? Um, just, uh, one quick preview of the revamped secure, uh, messaging scorecard. Yup. Uh, there is no such thing as a completely secure tool. There is nothing that will be in our top tier of this thing is perfect. Uh, sort of, nothing is getting five stars. 
Uh, everybody has room to improve. There's lots of ways to go, and, uh, we're hoping we're going to see a whole lot more, uh, integration of end-to-end encryption in secure messaging tools in the future. Uh, to answer your question, we promote some, uh, tools on our Surveillance Self-Defense. One of those is Signal. Uh, and, uh, that's, uh, a lot of uh, security training, uh, to potential trainers in developing countries and around the world. We just finished a tour in Mexico through all the country, and so we do a lot of that. Our guide is in several languages. Uh, we are also looking to translate it to more. Thank you. I also wanna thank you very much for all your work that you're doing, including, uh, net neutrality. Uh, my question is about net neutrality. It seems, uh, certain mobile carriers are, uh, a little bit different from getting away with uh getting around net neutrality by zero rating certain streaming providers. Uh what are the uh EFF's thoughts on like uh whitelisting only particular websites like uh uh like streaming sites? So uh we definitely have uh, zero rating is complicated right because on the one hand it's very easy to say uh well I mean and there's reasons to say like it can be useful in certain scenarios and make it a lot easier to access the web for people. Uh at the same time it's really easy to make it into a tool that distorts uh uh competition and really makes it hard uh you know it can almost be a form of censorship in some sense. Uh one thing uh that we are I mean so we are keeping an eye on uh uh zero rating uh if you saw our blog post uh at the very beginning of the year that got the T-Mobile CEO uh cursing at me via Twitter uh so and we're continuing to look at that and we're working with that. Um I don't know I mean we don't at the moment have any like big complaints or anything planned. 
Um but we are sort of staying on the topic keeping an eye on things and so it's on our radar. And we're following the FCC enforcement actions pretty closely. Thank you. Let's Encrypt presents an uh obvious threat to the incumbent industry. What does the EFF see as the future of the for-profit certificate authorities and what do you think they should do to stay relevant if anything? Okay uh well so so so one big thing that Let's Encrypt doesn't do is it doesn't do extended validation. It's only domain validation. Um so it is really just authenticating that you control the domain you say you do. Uh it's not saying that you are in fact the organization that you say you are. And so you know there's no way to easily automate that. And because Let's Encrypt wants to be an automated system uh we don't see I mean we're never going to really get into the extended validation business. And so that's an area where uh you know for-profit CAs can still do things. Um I mean I would say just off the top of my head that's the biggest one. Um I mean in some sense you know I mean part of it too is just we wanted to really hit that long low tail. Um you know I don't think you know we can't do it. Bank of America or whoever else is going to switch to a Let's Encrypt certificate just because they really like that extra little green bar in the URL bar so. Thank you. My question is regarding uh the root cause for Canary Watch being abandoned and uh what the best direction forward is for national security letters. Uh well thank you so I worked on the Canary Watch project and I work also on our national security letter uh cases. 
Um so with Canary Watch uh you know we had a lot of uh ambitions for the site, we wanted to have uh something that would uh list out what various canaries were, have uh automated uh checking to see if there were any uh diffs and then um it ended up having a lot of false positives that were just because of like the URL changed or the format changed or something about it changed that wasn't a meaningful one. Uh there were also a couple of instances in which people just didn't update things in a timely manner but then they did and so it was a uh sort of human error false positive. Uh so it was not really being effective at sort of the concept. Um I actually think that for uh uh people who want to be transparent, who want to be able to say that you know they have not received a national security letter, um that regularly issued transparency reports where you list everything. You put the subpoenas, the warrants, whatever it is you might be getting you know and you would say national security letter zero, FISA court order zero. Uh and you issue those uh just as many companies do you know going all the way up to giant telecoms and internet companies regularly issue those. Uh and then every uh you know say six months you know you issue a new one and in each one you say the most that you're allowed to by law. So if it's zero you can say zero. If you receive one you might not be able to say anything at all. But in all cases you just do the most that you can allowed by law. And uh also if you get that NSL in the meantime uh reach out to EFF because we want to work on that. We are already litigating uh on behalf of uh uh two companies that have received national security letters. We're challenging the constitutionality of the letters and their gag orders. Uh that is going up to the uh Ninth Circuit Court of Appeals uh right now and we're uh um well we think that they are on trial. 
This is a tremendous constitutional problem because these letters are going out without court involvement. Having a gag order that only has court involvement on the back end after you complain about it uh doesn't uh comply with uh the First Amendment. So that's what we do about NSLs. We need to get NSLs found unconstitutional and stopped. You can send your email to info at EFF dot org. Alright thank you. And we have two minutes so this may be our uh last question. Alright. Thank you for all the good work you guys do and I've donated to you in the past. Thank you. But uh having said that I don't actually follow you guys that closely. But I do have a question. Uh you guys are rooted in you know the Western uh you know legal systems in Europe and the United States. But what about uh areas of the world in particular China and Russia where the legal systems are you know not as uh the same basically and do you have partners? What kind of work have you done in those areas? And that's pretty important because there are like 300 million people. Alright. In those areas. Using the internet. Uh EFF actually has an extensive international team. Uh the internet is global and so are the problems on it. Uh and some of what we do is uh policy work. Uh obviously we don't do uh impact litigation outside of the United States because this would require us to have a lawyer from every country and that's more staff than we actually have at all of EFF. Um but what we do is um we do trainings. Uh we provide uh all kinds of technical advice. We have a project called Surveillance Self-Defense which you can find at ssd.eff.org. Uh which is translated into eight languages. Uh including Russian if I remember correctly. Uh that uh gives you all kinds of technical advice on how to keep yourself safe especially in situations where you do not trust the government. Basically if you don't trust the government encrypt everything. Alright. Yeah. And we do policy work. Yeah. 
And we do policy work. We usually uh because we cannot have lawyers in each country we work with lawyers in each country. Uh to fight draconian surveillance law. We uh share knowledge on the topics but we also use international human rights law in order to defeat those bills that are in congress because in many countries outside the United States, especially developing countries and the European Union, uh the international court of human rights or the Inter-American Court of Human Rights uh really uh has a little piece and you can uh sue uh that the country's violating international human rights law. It's not as powerful as the other kind of litigation but uh we can testify, we can use those to defeat law. Yes. Alrighty so I uh unfortunately we're out of time now uh but before we finish off I just want to do a little public shaming. Yes. How many of you are EFF members who have renewed in the last year? Okay great so for those of you who don't know uh we are not as big as you might think, we're a group of you know 70 employees who make all the amazing things you know EFF does happen and we are a member supported non-profit so uh please stop by one of the booths, get an awesome DEF CON t-shirt uh so that we can keep doing the awesome work we're doing uh and we're in the vendors room and the contest room, and stick around uh because Nate is going to give an awesome talk about the state of the law with respect to crypto so thanks everybody for coming. Thank you.