 Hi, thanks for coming to our Ask EFF Meet EFF panel. I'm Jennifer Granick. I'm the Civil Liberties Director at EFF. And what we're going to do tonight, it's nice we have kind of a manageable crowd here. So what we're going to do tonight is we're going to, I'm going to introduce everybody. I'm going to talk a little bit about some of the cases we've been working on over the past year, just to give you guys some highlights and at a kind of high level. And then what we're going to do is we're going to open it up for questions from you guys and try to answer your questions. So there's a microphone that's over there and you'll be able to line up there and ask your question and we'll do our best to answer it up until about 6.50 at which point I think we're all just going to call it quits. So just a couple of things. I'm going to talk with my colleague here, Matt Zimmerman, more in depth about hardware hacking and at a very geeky level about the DMCA exemptions we recently won for unlocking and jailbreaking and non-versal videos, waiting for that rulemaking since November. And honestly, I was wondering what was taking them so long and I'm so excited that they issued it right before DEF CON. So it's great. So for people who are really interested in that, we're going to have a whole talk about that sort of stuff tomorrow at 10, I think. And then later on tonight, for people who are interested in movies or interested in surveillance or interested in surveillance in movies, my colleague Kevin Bankston there towards the end is going to be doing Big Brother on the Big Screen with Nicky Ozer from the ACLU. And that is at 8 o'clock looking at surveillance in the movies. So that should be really fun also. OK. You guys are here, I imagine, because you know what the Electronic Frontier Foundation is. But for those of you who don't, we are a civil liberties organization dedicated to protecting privacy and free speech online. We are a membership-funded organization, which means that what keeps me off the streets and fed are people like you who give us money. So we appreciate everybody who is a member. Now at DEF CON is a great time to become a member because we have a super cool shirt that has a black light kind of secret message in it. And you get access to our newsletter and all of that stuff. So if you are not now a member, then perhaps you might consider doing it here at the con. We focus on a whole variety of issues having to do with privacy, free speech, and consumer rights in the digital realm. And I'm going to just go through a few of these things today to kind of give people who are not that familiar with our work and idea and also to evoke questions in your mind and then we'll go forward and kind of turn the floor over some to you guys and I will moderate. The first thing I want to talk about, of course, is something seems like a lot of people here have already heard about, which are the DMCA rulemaking. And this is a triennial thing where Congress having vaguely recognized that there's something deeply broken about the Digital Millennium Copyright Act allows for rulemaking for exemptions to the anti-circumvention provisions of that law that allow people to do certain kinds of hacking. And in 2006, back when I was at Stanford, I got an exemption for phone unlocking to take your handset and put it onto a different network. And this year we kind of tried to press forward on some of the ideas that had engaged the Copyright Office in that rulemaking and tried to go a little farther. So we asked for three exemptions and we got three exemptions. We asked for the unlocking exemption to be renewed and then we asked for an exemption for jailbreaking, in other words, to take your mobile handset and reconfigure it so that it can accept applications of your choosing. So what does this really mean? It's about mobile handsets and sort of invention for using interoperability of apps. And we can talk a little bit more about that. And then finally, the third one for non-commercial video. You know, if anybody knows anything about the DMCA, it's really mind-blowing that Copyright Office decided to do anything nice for people who like to make fair uses and free speech uses of video. And so we're really proud of that one. In the privacy realm, we work both on issues having to do with the government and issues having to do with privacy versus companies. On the government side, my colleague Kevin Bankston, at the end, works very hard on issues having to do with statutory privacy rights under the Electronic Communications Privacy Act and how to make that law better. And his project of digital due process puts us together with other civil liberties groups and companies trying to update and improve and strengthen the statutory rights that we have for communications privacy online. We do work with various companies, Facebook, Twitter, other companies, trying to figure out how to help people be more safe about their information with those companies. And to that end, we have worked on a social network Bill of Rights that addresses both privacy and free speech issues and everybody at EFF works on that sort of stuff. But I think Kurt Opsol, who's my colleague right here, will be the person who will answer your questions if you have any issues about that sort of thing. Those of you who know me know that I do a lot of computer crime work, that I love and hate the computer crime statutes at the same time. And we've been doing a lot of work looking at how computer crime statutes have been used to kind of lock people in to various services. So this year we have two cases actually involving the scope of the computer crime statutes and how they regulate what users do. One is our Facebook versus Power case involving Facebook's lawsuit against a data aggregator in which one of the claims is that violating terms of service in order to do data aggregation breaks California's computer crime law. And another case, which is a criminal prosecution in New Jersey, United States versus Lawson or I call it the Wise Guys case, where a group of people who called themselves the Wise Guys were purchasing tickets through automated fashion off of the Ticketmaster website and then reselling those tickets on the secondary market. So my colleague, Marcia Hoffman, who's here sitting next to Kevin, if you have questions about those sorts of things, she'll probably be the one to answer those. We do a ton of work, as you guys all know, on intellectual property rights and free speech and innovation. One of the big things that we've been working on recently is this problem with these kind of copyright troll mass lawsuits against people where the rights holder of some or another sort, US copyright group or some other files a lawsuit against 5,000 unnamed doze and then goes to subpoena from a provider like Comcast or Time Warner, the identities of people with particular IP addresses who they think have been using BitTorrent or other peer-to-peer file sharing type software to download stuff. Yeah, well, are you booing the mass litigation or are you booing the downloading? To have a lawsuit against, I wasn't sure, it was the timing was unclear to me. We have a lawsuit against 5,000 people as seeking their identifying information. It's like, how can you do that fairly so that people are notified, so that they're not wrapped up in a lawsuit that's improper with a bunch of other people who they have absolutely nothing to do with. And Eva Galperin, who is our intake coordinator who's sitting there on the end, helps us manage all of that stuff with all five or six or 10,000 of people out there who call us saying, I think that my IP address is being subpoenaed and I need to know what to do and I need your help. So, yeah. If any of you ever call EFF and you're looking for help, then you know about how great Eva is at trying to find people help and how grateful we are for Eva to help us figure out how to give people assistance without talking to 5,000 people on the phone in a single day. Along the same lines of intellectual property and how it impacts privacy and speech, we have cases where we deal with claims of intellectual property infringement that impact on parody and other sorts of jokes like that. So I don't know how many people here know with who the yes men are. So some people know, we have a case with a group that was doing a fake press conference parody of the United States Chamber of Commerce and the United States Chamber of Commerce didn't think it was funny. So they sued this group, the yes men, saying that it was a violation of their, it infringed their trademark rights. And so you couldn't do this spoof parody thing of the Chamber of Commerce, so they're too precious. And sort of along similar lines, we have another case just involving anonymity and the right to free speech where a gentleman claimed me that he is the world's number one hacker got some comments from people on the internet suggesting that perhaps not everyone agreed with that assessment of his skills. And there was something of a flame war over it, so he filed a lawsuit against a number of anonymous people and has not yet, but seems to be poised to try to serve subpoenas to find out who it might be who disagreed with that contention. And so this is another example of how litigation is used to try to intimidate people through finding out who they are and then subjecting them to lawsuits and that sort of thing. And it's very hard for people without any kind of organized resistance to protect yourself under these circumstances. How do you fight back? And that's one of the things that we think of as being an important thing that we can do is not only to provide these sort of direct services people to also to find a way to kind of disincentivize this misuse or abuse of the legal system. And to that end, not only in trying to get the court to do the right thing and the mass bit torrent litigation stuff, like actually make them file separate lawsuits because these are separate incidents and that sort of thing, we have pushed for courts to award attorneys fees to the winning defendants if it turns out that the case was illegitimate. And that is one way that people can kind of push back even though you can't afford lawyers or that sort of thing, it gives a real disincentive to plaintiffs who might otherwise abuse the legal process. So those are just some of the things that we've been working on this year. We have a bunch of other stuff we've worked on too. So if you have questions, let me just go through and actually make sure I've said everybody's name. And then we're gonna ask you to just line up at that microphone over there if you have questions and we'll go through and just talk about the stuff that EFF does. So here I have Kurt Opsall right here sitting next to me and then Matt Zimmerman and Marcia Hoffman and Kevin Bankston and Eva Galperin. So you guys, no questions? We're all gonna go home early today. There we go. Is that on? Okay, say your question loud and I'll rephrase it for the audience. In your work, do you find that one political party does a better job of representing our interests than the other or do we need to look at each political candidate individually? Do any of you guys wanna handle this question about the political parties? Sure..(audience laughing and laughing loudly.) Democrats talk a good game on privacy issues. Particularly candidate Senator Obama made a lot of promises about reforming the Patriot Act, reigning in surveillance authority, greater transparency and accountability. I'm speaking on privacy issues. I'll leave it to others to talk about copyright or anything else. But it seems that those in power have pretty much the same opinions of the last people in power. And typically, regardless of who's been elected, the DOJ is the DOJ is the DOJ and they will want the same things now that they wanted under President Bush and that they will want under the next president. And so for example, just this week, there was news that broke the Obama administration is pushing Congress to expand one of the most dangerous and worrisome surveillance powers that the Patriot Act expanded. These are national security letters, which are letters that are issued by individual FBI agents to get records about your communications, who you're communicating with and how and when and how much without any court oversight and with a gag order that disallows the provider from ever telling anyone that they were snooping in your records. They want to expand this power to go beyond just basic subscriber information like your name and address and billing information and such and beyond phone records, which they've been allowed to get to extend to any undefined electronic communication transactional records. This is the sort of thing we expected in the prior administration. It's the sort of thing we had hoped we would not see under the Obama administration and yet there it is. And so I would say that, disappointingly, we've found less of a difference than we'd like between the parties when it comes to surveillance issues. You want to say anything about that with regards to copyright or? I don't know. Okay, next question. On the recent iPhone ruling, what exactly does it say that you can and can't do regarding jailbreaking? Okay, great. So your question just gives me the occasion to say the disclaimer that I just wanted to say before, which is that we can't give you legal advice here in this forum and you don't get attorney-client privilege with us in this forum. In other words, what you ask us, like if you're like, well, what if somebody had a bunch of cocaine in their car and it was parked outside the RIV and don't do that, okay? So don't reveal stuff like that. And what we'll tell you is general legal information, but you can't consider it to be legal advice. That having been said, I can answer your question. The jailbreaking exemption says that you may circumvent technological protection measures in your mobile handset for the purpose of putting applications on the phone to make the phone interoperate with different applications. So the ruling is not specifically about the iPhone, it's about any handset, but under the current what's out there on the market, I think that the most popular phone to jailbreak is the iPhone and the apps restrictions are really about the iPhone app store and so that's gonna be the platform that people are gonna be interested in jailbreaking. So one question people ask me is like, well, what about the iPad? It's built basically the same way. Does that thing work, does the exemption work for that? And the answer to that's gonna unfortunately be no. What the way the rulemaking works, it's very arcane and weird. But the way the rulemaking works is you have to identify a class of works that you think that people should be able to have access to and demonstrate that during the three years prior to the rulemaking, people's ability to make legitimate, non-infringing uses of that class of works was adversely impacted by the DMCA. So the iPad didn't exist back when we filed for the DMCA exemptions and the class of works that we identified was the firmware on the mobile handset. So just to, that's basically what it allows you to do. Okay, there may be more specific things you're kind of thinking of, but that's basically what allows you to do mobile handset. I actually have a question related to that. Sure. I didn't work on this project and I'm confused. Which of the exemptions is limited to used cell phones and a little softball here? What exactly does that have to do with protecting copyright? Thank you, Kevin, for that insightful question. So we asked for three exemptions. One was for the jailbreaking, which we just discussed and the other was for phone unlocking. And that one was phrased to allow people to access the class of works which you have to access in order to make the phone go onto a different network. So not for apps to be installed and run on the phone, but for the phone to be reconfigured and run on a different network. So the jailbroken iPhone on T-Mobile or if I wanted to do this for my Verizon phone so it could run on any other CDMA network, that kind of thing. So there are two separate ones and one is about the class of works for going on a different network and one is about the works for using different apps. So in the course of the rulemaking, it was opposed by Virgin Mobile and also by CTIA. And one of the things that they were most concerned about is that some people go out and buy handsets, prepaid sort of handsets from the big box stores in bulk and unlock them and resell them on the secondary market. And they do that because these companies sell the handset at a loss. They sell it at less than it's worth in order to inspire people to buy it so that then they purchase services from the virgins or track phones of the world for many more months. So it's a razor razor blade model. They kind of sell the razor cheap so you keep buying the razor blades and they don't get the benefit of that subsidy if people unlock the phones and then ship them overseas and sell them. And it turns out the subsidy is big enough that they actually can kind of pay everybody all the way down the line, a dollar or so on the handset and people overseas or wherever still are getting kind of a discount on it. So it's just sort of the way they structured the business model and what I said, they were like, how can you allow people to do this to us and what we argued was there's all sorts of people with used handsets who want to resell them for legitimate reasons or they need to be recycled or repurposed, they're perfectly fine phones. I'm sorry that's your business model but and you may have other recourses but you don't have the recourse of the DMCA. And so as a nod really to these concerns, I think the copyright office recommended and the librarian adopted a rule that said that the unlocking exemption only applied to used phones. Now what's a used phone? I think I know what's not used, what's new and I'm pretty sure I know what's used but there's gonna be a gray area. I don't know what exactly that means. Maybe it will be litigated, I don't know. The second question I think is the more important one is what is the DMCA copyright rationale for limiting my exemption to used phones and I think the answer to that is none. It's clearly just a craven throwing of a bone to some industry groups that objected to the rulemaking and there's no copyright reason or infringement reason for them to have done that. So I feel like they took my 2006 exemption and they put its hand on the table and they chopped a couple of pinkies off so I'm kind of upset about it but on the other hand it's good for the rest of us and for our clients in the rulemaking who are phone recyclers so I can't complain too much but I definitely don't like it. My question references the Boucher case with regard to encrypted hard drives. At least as far as the last I heard in regards to the case as the prosecutors weren't able to compel Mr. Boucher to produce the password, he was compelled to produce the unencrypted contents of the hard drive or at least that's as far as I had heard. A ruling where rather than hand over the password so that investigators could unencrypt the hard drives contents, he was ordered I suppose by the judge or instructed to produce the contents, the unencrypted contents of the drive. So rather than give up the information, he, or rather than give up his password, he had to give up the information they wanted. I just wanted to know if that was something that you guys were aware of or something you might consider as being something that should be altered or that ideally wouldn't stand as a precedent? Marcia, do you want to take that or do you want me to? I can take it, but do you? Go ahead. You may want to supplement. I don't have a really good answer for it. Mr. Boucher was not ultimately required to turn over his password. The government, I think initially appealed it but then dropped the appeal. And so that's a situation that just stands. As for the fact that he was compelled to give over his encrypted hard drive. Unencrypted, pardon? You think unencrypted? Unencrypted hard drive or unencrypted hard drive? Well, my understanding from what I'd read, and I don't know if it was what they were intending to ask for since they weren't allowed to compel him to give up the password, was that they were gonna compel him to give up the contents of the hard drive that he had encrypted. So in other words, they wanted him to unencrypt the hard drive so that he wouldn't have to give up the password but the investigators would still have access to the data on the drive in an unencrypted format. Actually, I'm not familiar with that. Are you, Jennifer, or? A little bit, yeah. I don't remember exactly in the facts of this particular case but it makes a lot of sense under the law, right? So there's two issues here. One is the Fifth Amendment right against self-incrimination and the other is the Fourth Amendment right against unreasonable searches and seizures. And the Fifth Amendment problem with the password is this compelled disclosure of the password and what that tells you about the case which is that this person has control over this data. And so the courts, because of our Fifth Amendment, are grappling with how to deal with that problem and the Boucher case, they said, well, we're not gonna force them to turn it over because we think it implicates the Fifth Amendment. So then the question is, okay, work around what can we do to get access to this data without having this Fifth Amendment problem? Now, government has all sorts of ability to get access to information then the Fourth Amendment is one of them and there's also other kinds of things like discovery and subpoenas and those sorts of things. So what it seems here is to say, okay, instead of forcing you to turn over this piece of information, we're gonna force you to turn over the actual underlying data. We could do this by getting a search warrant to search your house, right? We could get a search warrant and go in your house and seize the unencrypted data if we wanted to or if you're a defendant in the case, we can serve discovery subpoenas on you and we can make you as the defendant turn over stuff that you have in your custody and control just like you would have to do in any other kind of civil case. So does that violate the Fourth Amendment? If the process complies with the Fourth Amendment, you're cool, you got a search warrant or there's a subpoena to you for you to disclose it and there's no privilege or anything there, there's not a lot that the defendant really necessarily can do at that point because neither of those things apply. One nice feature of getting a subpoena for the information is that you can raise objections, you can move to quash the subpoena, you can raise say, oh well some of this information is attorney client privilege or some of this is doctor patient privilege and such. So you can assert objections to discovery in a manner that you can't really warrant context because they're just seizing it and they're just doing it. And so this creates the possibility for a court to rule, okay these particular items are off limits because they're attorney client privilege or such. So in that sense it gives you a little bit more of an opportunity to assert your rights. A trade secret or whatever, so it is a more privacy friendly way to go about it exactly because you have a notice and opportunity to be heard prior to the deprivation of your privacy right. So I guess that kind of answers your question about whether we're planning to do anything about it, it fits well within the traditional Fourth Amendment way that you can get information from a criminal defendant. So thanks for your question. Hi. What would you consider the ratio of cases you're able to accept to cases you're not able to accept due to resources? Eva? I probably see a dozen cases a day. And of those dozen cases I probably send eight or nine of them to other organizations or they're not real issues or they're people who think that they have microchips implanted in their job by the government. In which case we can't help them. We have surgeons that we send them to for that. We have not yet started the cooperating surgeons mailing list. I talk to the attorneys here and I usually dig up maybe two or three cases a quarter that we take on ourselves that wind up in litigation. And then probably about six or seven cases a week that go out to our list of cooperating attorneys for a referral. And two or three that get private referrals. So a very, very small number of cases are actually taken on by the EFF. But a reasonably large number of people are helped that don't have chips embedded in their jaws. One of the things I think people don't necessarily realize about the EFF is we really have like nine or 10 lawyers. I think people think of us as being a lot, lot bigger than we really are. But we're really, you know, we're not in terms of our U.S. lawyers, not our international team. We're not that big. So. Most of us are here. I don't know what they're doing back at home. Actually all of last week we were almost entirely out of lawyers and I was forced to tell some people who had reasonably interesting cases. But no, we can't comment. We can't help you. All of our attorneys are out of the office. What happened? Legal team retreat. My name's Randolph Morris. I'm one of the defendants in the high tech hustler case. The number one hacker. I just wanted to, this is more of a testimonial than a question. I just wanted to thank all of you for the article you did and Eva especially for communicating. It took me to meet you guys in order to become a member and I hope that it doesn't take more from people to have to be affected in order to become members as well. Thank you very much. That's kind of you. So much for his privacy though, huh? So I went to your earlier panel about laptops searching and I was wondering, there were several sort of protections that you guys enumerated and I was wondering, do they apply also to non-US citizens, especially around border crossing and so on? I won't speak to the border issue, which is more Marsha's domain, but in terms of the fourth amendment applies if you are in the United States. You have fourth amendment rights, whether or not you are a citizen. Similarly, when it comes to statutory protections for the data you store in the cloud, I always have to put scare quotes around that. But the Electronic Communications Privacy Act, that also does not turn on your citizenry and applies to any person who is storing data with a communication service or remote computing service provider in the United States. And as for the border issue, you know the sad fact is that you really don't have fourth amendment protections at the border and it doesn't matter whether you are a US citizen or not. You know the, and when I say you don't have fourth amendment protections, what I mean is that the government generally does not need any suspicion whatsoever to search your stuff at the border. You know as I mentioned earlier today, the only situation in which they need any shred of suspicion is if they want to search the interior of your body for contraband, because they think you're smuggling it over the border. So again, unfortunately even for US citizens, there's not much protection there. One difference however for non-US citizens at the border is that if you say just decline to allow your laptop search or won't turn over your password or such, for they can turn you away. Customs and border patrol has a tremendous amount of latitude in deciding whether to allow somebody into the country. And so that gives them a additional tool to try and put the pressure on somebody at the border to cooperate with them or on pain of being forced to turn around and go back to where they came from. Did that answer your question? Okay, next question. I also have a follow on to the laptop conversation and somebody made mention of forensic software not honoring user boundaries. And I'm wondering if there's any litigation, action or other motions in place to try and convince or compel forensic software vendors and or manufacturers and or investigators to be put in a position where they must honor user boundaries? Yeah, I mean to me it seems shocking. For those who weren't in the talk, I was mentioning how in this one case about somebody who gave consent for a search, they didn't actually have consent to do and the FBI was technologically able to do it because NCASE doesn't respect accounts on the computer, not encryption but just accounts. And I was saying how that made me mad. And the question is, is there any pressure on vendors to do it differently? And I think the pressure on vendors to do it differently would be if the law required you to do it differently. So the biggest case out there that's pushing to require law enforcement to do computer searches differently is United States versus comprehensive drug testing, which is a case in the Ninth Circuit. And that case arises out of these very egregious facts surrounding the Balkos steroids investigation. The investigators had some reason to suspect and investigate some number of ball players. You know, maybe does anybody here watch sports? You know, Barry Bonds and that whole thing. And they had some reason to investigate some of those people but what they did was they used a multitude of efforts of using search warrants and subpoenas to get whole directories, spreadsheets of thousands of athletes and all of their drug tests from a company that did the blood work on these things. And the courts were understandably annoyed that the government had turned an investigation of 10 or 14 people into a phishing expedition that got private data about thousands of individuals. And so what the Ninth Circuit did as the case kind of wound up its way up, the Ninth Circuit tried to issue some rules to prevent this kind of abuse from happening again. And one of the rules was that you can only search for things you have probable cause to search for. Duh, you know, and it's like, okay, that seems like what the Fourth Amendment's about. But they said, you know, you have to have a search protocol that's designed to get you the things for which you have probable cause and not designed to get you the other stuff and that you should have the forensics done by either an internal team or by external forensic, you know, third party and that where they're gonna look for the right stuff and then all the other stuff that they might happen to turn up, they're gonna just throw that away and not give that over to the investigative team. Some rules to try to like deal with the fact that computer data is always going to be intermingled with private stuff, more than, you know, in any other kinds of searches or seizures that we've had before and how do we keep the private stuff still private while allowing law enforcement access to the stuff that they're entitled to have access to when they have good cause for it. And comprehensive drug testing is anathema to the government. They hate it. Other jurisdictions have considered whether or not to adopt it and generally not so far, although, you know, it's kind of wending its way through the courts. And I think what we're gonna see though is as those rules sort of get pushed forward and as we try to make case law that says that you have to do these things, the vendors are gonna not wanna sell software that violates the Fourth Amendment because the investigators don't wanna get their cases kicked out for suppression reasons and that's gonna inspire there to be better, you know, better search tools and more and better forensic tools that adhere more closely to what I think our reasonable expectation of privacy is with regards to these vast repositories of intermingled data. Yes. So I know that the EFF is about affecting change through legal action and not really getting into the lobbying side of legislation. And I certainly support to financially and I hope that most of the audience here will support you financially. Thank you. What I'm asking is how else can we affect change in policy and government and legislation? Do you have any kind of recommendations for other actions we can take other than online petitions or writing to your Senator or Congressman which really doesn't seem to get any kind of results? Is there any advice you can give to the audience to how we can affect policy and change in the government? Well, I'd first like to take issue with, I mean, thank you for the question but it actually does make a difference when your Senators and Congress people hear from you. We ultimately failed to stop Congress from passing an immunity for the phone companies that assist in the NSA's warrantless surveillance program for example, but we held it off for nearly two years and that is almost solely due to the fact that ordinary Americans were pissed off about it and thought that it was wrong and wanted their Congress people and their Senators to maintain the rule of law. So I don't ever want to minimize the importance of your leaders hearing what you, the people actually think because it makes a huge difference. In terms of what else you can do? Along these lines, we have something called the Action Center, action.eff.org and this is where we ask our members to take action on various issues. And yes, sometimes it is saying please write to your Senator or Congress Critter and express some views or some such but that is our best way of trying to organize the power of our membership where thousands and thousands of people are part of the Action Center and by making concerted action, that can help some. Otherwise, keep keeping aware of the issues and following it so that you can tell your friends about these issues and spread the word, blog about issues and use online tools to keep people informed about it and that can help more people take action and hopefully we can get good changes result. I also wanted to add, some of y'all already heard this from Chris Connelly of the ACLU at his Facebook talk but there are certainly opportunities for you guys to build things that help educate and agitate. He was talking about people coding Facebook applications or bookmarklets or other things that educated people about how Facebook was using their data or helped them evaluate whether their privacy settings were good or helped them scrape out their private data so they could move it somewhere else that better respected privacy. So certainly you guys should be thinking about what are things we can build to effect change? I'm just a lawyer, I can't build things, I can go and talk but you guys can build stuff and that is a great power. Thanks for the question. Other questions or that's it? Do you guys have anything that we didn't talk about today that you'd like to talk about a little bit? I figure since this is an audience that definitely cares about it considering how well our NSA t-shirts sell here. I did wanna give you guys an update on the NSA lawsuits. It's been a rough year in terms of holding the NSA and AT&T accountable. As I mentioned earlier, there was a law passed back in the summer of 2008, the FISA Amendments Act and that included purported immunity for companies that had helped with this warrantless wiretapping program, the full scope of which the government still has not admitted. And it basically gave the attorney general the power to file a secret certification with the court in those cases saying either I think the program was legal or even if it wasn't the president authorized it or it didn't happen. And the court has to dismiss under this statute. We've argued and we did argue at the district court when the attorney general filed this certification that this was unconstitutional for a variety of reasons but mostly because Congress was unconstitutionally delegating to the attorney general the power to decide what the law is in these cases. But our case against AT&T and all the other carrier cases were dismissed. We are continuing to fight that. We are on appeal at the Ninth Circuit right now, just finished the briefing and we're awaiting a scheduling of oral argument in those cases. As for our second NSA case brought directly against the government, that's Joule v. NSA. Our judge zigged when we thought he was gonna zag. We had done really well in the AT&T case when it came to the government's argument that sorry, judges can't litigate whether this was legal because everything about it is a state secret. And any discussion of it would harm national security. We had won on that issue and the court had allowed us to proceed in the AT&T case before this immunity passed. The government made the same arguments in the government case and we were hoping for a similar opinion. Instead, our judge dismissed our case on a rationale that the government never argued, that never came up in oral argument or in the briefing that came after argument. And it's a pretty, with all due respect to the court, pretty crazy idea, which is, you may have heard of something called taxpayer suits where people try to challenge government conduct based on their standing as taxpayers. So if you thought the Iraq war was illegal and you brought a case in court saying, well, my money is being spent on that war and therefore I have standing to challenge it in court, the courts disfavor those. And those are called in the law generalized grievances. You don't have any special interest in stopping the war as a taxpayer differentiated from anyone else. And so the law is, as far as generalized grievances though, those are better left to the political process and aren't really the domain of the courts. Our judge in the NSA case said, well, you know, you have alleged that this wiretapping program essentially reaches everyone who uses the domestic networks. And so I think that's a generalized grievance and I'm dismissing your case. And what that means is, so long as the government wiretaps everybody, the courts can never judge whether that's legal or not. We think this is very clearly wrongly decided. Every single one of our plaintiffs has a concrete and individual injury, which is their own communications and their own records were ensnared by this dragnet. And so we are appealing that decision as well. There was a little rejiggering of the schedule such that our opening brief to the Ninth Circuit is gonna be filed next week. So we are continuing our fight in terms of the NSA warrantless wiretapping program and both of the cases are before the Ninth Circuit right now. So for those who were wondering. Question? I'd like some commentary on the EFF initiative in Australia looking at the blocking list, the black list that the Australian government's considering and if you've got awareness of the EFF, they're the major spokesman that is arguing against it and pointing out the technical and ethical issues with that particular initiative and also any other large international initiatives that the EFF has been involved with around the world. So unfortunately we have three people on our international team, but none of whom are actually at DEF CON this year. So we are active on international issues and are this three person team. The rest of EFF is mostly focused on the United States and we have a small team there but they are working all the time flying around the world to try and promote digital freedom. I believe that I have heard through talking to them that about this block list, but I don't have enough information not to give a really intelligible answer. I mean, one of the things that we do try and do internationally is work to promote good policies and talk to the appropriate policymaking groups like the EU and the Organization for Security and Cooperation in Europe in the Internet Governance Forum, and this group is very active. They're also very active on intellectual property issues through UN-chartered organizations like WIPO, but unfortunately I don't have specific information about that particular block list. Are you talking about the ACTA Three Strikes thing? No. Okay. I can briefly describe it. The current government in Australia is considering a secret blacklist of URLs. The major rationale is child pornography and obviously, and the problem is beta tests of it had legitimate websites and its technical actual ability to achieve its stated goal has been seriously questioned and it raises ethical issues. Colin Jacobs, the EFF Spokesman, is the major person fighting the government in Australia over this issue. I mean, that raises a point worth clarifying that there are a variety of electronic frontiers organizations including Electronic Frontiers Australia that are not officially affiliated with the Electronic Frontier Foundation. They are our friends and our fellow travelers but they are not actually officially connected to our organization. So Electronic Frontiers Sweden or? There's Electronic Frontiers Italy, Electronic Frontiers Finland, Electronic Frontiers Australia, there's a number of these organizations. Just to address some of the larger point, this actually is, this has come up in the United States the notion of having a block list. Sometimes it has been done in the form of URLs which have not been very efficient in making sure the URLs are all correctly put on there. There was another proposal that we dealt with a number of years ago but it was interesting because it was trying to say well, the URLs keep on changing so we're gonna do it based on IP numbers but they didn't seem to realize that a number of these IP numbers actually resolved to a wide variety of domains and so if any one of the domains that was resolving there was on the blacklist then everything else that was associated with that IP was also being taken down and here in the States that was a big First Amendment problem because if you are going to try and have a law that takes down speech that is very disfavored here and needs to be narrowly tailored not to take any more speech than is necessary. I want to make a little bit of a plug for our technologists in addition to lawyers at EFF, we have a technologist team and they've been doing a lot of good work and actually our technologists who's here, Peter Eckersley, he's doing a Q and A related to his own talk right now otherwise he would be on stage with us but one of the cool things that we've come up with lately I wanted to draw your attention to is a project called HTTPS Everywhere which is a plugin for Firefox that makes it so that a set of sites which do support HTTPS if you use the plugin it will make sure that any time you go to those sites it goes to the HTTPS version of those sites and the sites include things like the New York Times, the Washington Post, Facebook, a lot of sort of high traffic Google search, Wikipedia. So it's a nice tool to ensure that in case you forget to be using end-to-end encryption and don't put a, you know, don't manually put an S in there or some of these things, I have a different URL like Google search encrypted.google.com for searching there. So this is a nice tool to help out a little bit with having your end-to-end encryptions while you surf around the web and hopefully make it a little bit more difficult for someone to warrantlessly eavesdrap on your communications. Yeah, more than nice, it's freaking awesome and you should download it. Oh, another technology project that we have been working on is a project called Panopticlic and Panopticlic was designed to look at the, what you can tell about a browser sort of other than cookies are the differentiations between various browsers unique enough that you can uniquely identify a particular browser based on other factors and so as it turned out, the answer is you really can do a pretty good job of uniquely identifying a browser by looking at things like the number of fonts installed, which fonts are installed, what extensions they have, what versions of the software, how big the screen size is and once you add enough of these different things together you come out with a pretty unique signature and if you wanna check it out for yourself you can go to Panopticlic, a website we put together, you can find it on our website or by searching for it directly and check how unique your browser is and perhaps see some of the things that, well, it's actually a very difficult problem because if you try and make your browser less unique that may be helpful and you can set some settings so that you are having the same as a group of other people but that will probably then identify you at least as part of a group that is trying to get around this system but nevertheless I encourage you to check it out, it's a very interesting project show where cookies are not the end of identifying people online. Well, as you guys can see from this panel, we're sort of a small shop, we have three international lawyers, we have nine or 10, I can't remember exactly, United States lawyers, we have a lot of people who help us with membership and development and intake and referrals and all of that stuff but all in all we're like 25 or 30 people really operating out of a kind of sketchy neighborhood in San Francisco, California but we really- It's sketchy. It's sketchy. It actually was one of the top five dirtiest blocks last year, so you know we, but we, yeah. This year number one, yeah. We really care. I mean we try to affect, change and work on these issues that we care about at the international level. We try to put forth cool technology that's fun to use that helps people secure their privacy. We try to come to conferences like this and hear from you guys what you're interested in and tell you what we're up to in addition to our litigation and the few things that we do lobbying on and our activism and all of that stuff. This is Peter actually right here. Now, thank you for coming here. You're an author of an awesome plugin. We were just talking about HTTPS everywhere but we're wrapping up now unless you have something you'd like to say to the audience. No, I guess if we're doing a breakout session I'm just here to answer questions later. Okay, so we appreciate all of your support and as you guys know, for those of you who've seen me here before, I love coming to DEF CON and talking to people. We try to get everybody we can some kind of help one way or the other get them information one way or the other. So thanks for coming and listening to us and thanks for all your support and interest in the EFF. And we look forward to many more years of long and fruitful collaboration with this community. So thanks, guys. Thank you all. We'll see you at...