Thanks for coming out to the EFF panel. Just for the tiny portion of you that don't know what the EFF is, I'm going to introduce you to our fine organization before we all introduce ourselves and talk to you a little bit about the law and then let you ask us questions about the law. EFF is one of the oldest civil liberties organizations that's working at the intersection between the digital world and the world of law and policy. Back in the 90s, we worked with Phil Zimmermann and PGP to make sure that free crypto could be exported to the world. A few years ago, when Dmitry Sklyarov was arrested here at DEF CON, he came to us. We helped find him legal counsel. We worked with Adobe to get their charges against him dropped. And also, more recently, when Avi Rubin and Dan Wallach got that leaked Diebold source code, they came to us about it and helped get us started on a campaign to make sure that e-voting machines are secure and hopefully voter verifiable before this upcoming election. I'm Annalee Newitz. I'm EFF's first ever policy analyst and I'm the newest person at EFF that's here today. I think we're each just going to introduce ourselves briefly and then I'm going to tell you a little bit more and then move on. So Seth, I think you have to go first because you're closest to the microphone.

Okay. I'm Seth Schoen. I'm a staff technologist. I was the first ever staff technologist at EFF. We now have, as of tomorrow, nine staff attorneys and two staff technologists.

Hi. My name is Kevin Bankston. I'm one of the attorneys. I'm actually technically the Bruce J. Ennis fellow, which means the foundation pays my salary. Bruce Ennis was a legendary First Amendment litigator who argued the CDA case, which I think many of you are familiar with. I was doing the internet free speech beat at the ACLU before I came to EFF and I'm still working on free speech issues as well as most particularly online privacy in the face of government surveillance post 9/11.
So Patriot Act is my beat.

Wendy Seltzer. I'm another staff attorney. I focus on intellectual property issues and I run the Chilling Effects Clearinghouse at ChillingEffects.org, helping folks who've received cease and desist letters over online activity, also involved in fighting against DMCA, fighting against bad software patents in our new software patent busting campaign.

And for the one of you who might not know, EFF is the Electronic Frontier Foundation, online at EFF.org. Very important to add that.

I'm Jennifer Granick. I'm the only person here who doesn't work for the EFF. I'm the executive director of the Center for Internet and Society at Stanford Law School. It's an academic program that studies the intersection of civil liberties and technological change and I'm a criminal defense attorney by training.

And Jennifer's worked with us a lot. She's an honorary EFFer. So I just want to remind you, as if you haven't heard already, if you've come by our booth in the vendor area, we're a nonprofit organization, which means it's donations from folks like you and other people that help us survive and help fight for your digital liberties. So we really appreciate the fact that DEF CON is donating the proceeds from the dunk tank to us at DEF CON, which means you can right now, well, after the panel, you can go dunk Dark Tangent in our name. We thank you. And also please come by our booth. We're in the vendor area. We've got lots of interesting goodies. We've got propaganda. We've got the MythTV box that Wendy and Seth will be explaining on their panel at 6 p.m. We've got stickers. We've got t-shirts. We've got everything. So come by, say hi, give us a donation, and we'd really appreciate it. So today's panel is basically sort of an EFF unplugged panel. We have no PowerPoint. We have... Yes. I think that is worth a round of applause. We have no PowerPoint. We have no technical demos. So we're going naked into this talk.
Basically, what we're going to do is each of us is going to talk for about five minutes about a particular legal case that's interested us in the past year, and then we're just going to hand it over to you guys to ask us whatever questions you have. So this is your chance if you have a burning legal question to ask us, a policy question, anything. You can offer us, say, an imaginary scenario in which a friend of yours might be reverse engineering something, and we can talk to you about that. So without further ado, I'm going to hand this over now to the person who's going to speak first, which is Jennifer Granick.

Thanks, Annalee. And I want to thank the EFF for letting me crash their panel here. So this year I worked on a case which was the United States versus Bret McDanel. And this case involved a guy who used to work for a company that did internet messaging where you could get your voicemails, your emails, all sorts of messages in one consolidated place. He worked there, and while he was working there, he realized that the web messaging service had a problem, and the problem was that you could see the session ID in the URL, which meant that the next website, as many of you probably already realized, meant that the next website that somebody went to would reveal the session ID for the person's web mail service, and anybody who had access to the logs for that next website could go back and read the customer's email. Well, Bret McDanel told his company about this problem, and they had a fix for it, but they did not implement the fix. Many months later, he had left the company, and he realized that the company still had not addressed this problem. So he sent an email to the customers of his former employer, telling them about this problem and directing them to a website where they could get more information about how they could protect themselves from it. The company did not like this. They reported him to the FBI, and Mr.
McDanel was charged with a violation of 18 USC 1030. The surprising thing was that he was convicted of that charge and sentenced to 16 months in prison. At that point in time, I became involved in the case and took it up on appeal. Now, my argument on appeal was twofold. First, it was about an interpretation of the statute, and second, it was about the First Amendment. The statute, 18 USC 1030, is the general anti-computer crime statute, and it prohibits unauthorized access to computers which causes damage. And damage is defined as a harm to the availability or the integrity of data on a computer system. And what the government, the Department of Justice, argued in this case is that when Mr. McDanel told people that this system was insecure, he damaged the integrity of the system because now people knew it was insecure and they could come by and they could read people's email. So my argument was, first of all, that the statute does not define damage in that way, that harm to the integrity of a system means something other than the fact that people know that it is already insecure. My second argument was a First Amendment argument that even if this were the interpretation, this were a proper interpretation under the statute, the First Amendment would prohibit it because free speech means that we can tell truthful things without fear of civil or criminal reprisals. Now, the really interesting thing about this case is that after I filed my brief on appeal, the government asked for more time for their brief, which we lawyers, we always ask for more time, delay is what justice is all about. And reluctantly I said yes. Sadly, my client had already spent the full 16 months in prison by the time the appeal was perfected and we were able to file. But when the government came time for the government to file their opposition to the appeal, they did not file the opposition.
Instead, they agreed with me that the conviction was wrong and that it should be overturned and they made a motion for the Ninth Circuit to reverse it and to remand it to the trial court to overturn it. So they did the right thing, but a little too late. What's the important thing about the case to know about the case? Well, in this motion that they filed to overturn or agree, where they agreed that I was right, which I had never expected in a million years, they explained the government's position on when vulnerability disclosure is something that could potentially get you in criminal or civil trouble. And this is the clearest statement I think we have so far of what the government's statement is. So on one hand we have something very good. On one hand the government says telling somebody that a computer system is insecure is not a violation of federal law. So good news there. But they said, but if you tell or disclose information with either the intent that somebody take that information and use it to compromise or break into or gain unauthorized access to a system, then that can be criminal, either as aiding and abetting or as if there's an agreement as conspiracy or something like that. Okay, so intent, disclosure with intent could be criminal. The other thing they said is that disclosure to somebody with knowledge that that person is then going to use that information to commit unauthorized access, that that perhaps also could be something you could be pursued for criminally. So intent means it's what you desire. Knowledge is what you know. It's two different concepts in the law. But the government said with either of these additional factors present, then perhaps the case would be right. But in my case, since none of those facts were there, the conviction was clearly wrong. So I think this is an object lesson for people to realize. First of all, to some extent it's true. The First Amendment is still solid and everything's okay here in the United States. 
But on the other hand, there are circumstances under which that general rule might end up being something different. And you want to be very careful that you are not a person who's harboring that kind of criminal intent or even necessarily acting in a way where you know that information that you're putting out there will certainly be helping someone who you're giving that information to to commit a crime. Okay, so the case is United States v. McDanel. All the papers and the pleadings and the government's motion are up on our website at the school where I work. And our website is cyberlaw.stanford.edu. So that's my case that interested me this year. I think our process, I see a question here, but I think our process is should I take the question or should we?

One question from this gentleman in the red hat.

Well, it may come as a major shock to everybody through, but some actors do read Bugtraq. If I post a vote on only a Bugtraq.

He's asking me about Bugtraq and what's the situation there. So, you know, this is one of those kind of gets, lets me talk a little bit about how the law can be complicated. You know, what's intent and what's knowledge is a question about what's inside somebody's head, right? So how do you prove what's inside somebody's head? Well, you know, we can't, we don't have mind readers yet. So you prove it by circumstantial evidence, the factors and circumstances that surround the transmission of the information. And Bugtraq is a public mailing list, public information to people who are computer security specialists and press and other interested parties. It's very similar to the kind of disclosure that happened in my case where he was telling customers. He wasn't giving the information to a person where he knew that that person was going to misuse the information. Now, the case law on this is not great. There are cases in which people have been prosecuted for giving information to a general group of people at a public gathering.
But those cases are pretty rare. It is kind of, generally, public disclosure of information to a group of similarly interested people. I think akin to Bugtraq is going to be exactly the type of thing that's going to be protected by the First Amendment. As I said, there are a few cases that go a little bit otherwise, and mostly that's in the tax protester context where people were giving information about how to evade taxes to people who were there to listen to a seminar and how to evade taxes. So there's no clear black and white answer in the law, but a thing like Bugtraq probably is and certainly should be perfectly fine. So, thank you.

Thanks, Jennifer. I was here last year talking a little bit about Chilling Effects. One of the things that I said that we do with the Chilling Effects website where we collect cease and desist letters is to use it to look for interesting cases. In all of the cases, we publish the letters that we received to help people understand what the legal jargon really means when a lawyer says it. But we also look through those for cases that would be good cases for EFF to use in its activist litigation. We take on cases where people need help that they're not getting from the rest of the legal system and cases where we can make good law by taking up fact patterns and legal issues that haven't yet been considered. So one of those cases that we saw early last year around October or so as election time was rolling around was a case of some email archives that had leaked out of Diebold, the electronic voting machine company.
These were email archives among their technicians talking about the things that techies talk about on email lists, the bugs that they were finding, the problems they were finding, the security flaws that they saw, the demos that wouldn't work right when they brought these machines out into the field, the insecurities, the system tests that they'd renamed so that it would pass some of the certification requirements, sorts of things that don't make you really comfortable about the way our electronic voting is being counted. So these things leaked out, not quite sure how, that's never come out, and around the internet people found them and reposted them. Mirrors spring up often when there's speech that's being suppressed, and in this case students at schools across the country started posting these, news organizations started posting them and referring to them, reporting on the security problems with electronic voting. And so some students at Swarthmore posted copies of these email messages, the folks at Indymedia linked to some of the email archives and their descriptions of flaws in e-voting, and Diebold's response was to assert copyright. Our employees wrote these memos, therefore we own the copyright, take them down. And they did this because the Digital Millennium Copyright Act, one of its lesser known provisions, everybody here probably knows about the anti-circumvention provisions, it's also got a safe harbor for ISPs. And that's supposed to be a good thing, keeps the ISPs safe from claims of copyright infringement when one of its users wants to make a posting, keeps the ISP out of trouble so they don't have to watch everything that their users are doing every moment but can wait until they get a notice. But the backside of that is that when the ISP does get a notice, DMCA safe harbor says, take it down and you won't be liable, leave it up and you might be liable. So what does an ISP do when it gets one of these complaints?
Takes it down expeditiously, and even though the users can file a counter notification and maybe get it put back up, ISP isn't obliged to do that. So Swarthmore College got a cease and desist letter from Diebold. These emails are intellectual property, take them down or face potential liability. Indymedia got a nasty letter. You're linking to these emails which contain our copyrighted intellectual property, take them down or face potential liability. But wait, it gets better. Online Policy Group, the internet service provider to Indymedia, got a nastygram. You are hosting someone who links to these email archives. You are providing an information location tool and subject to the safe harbor provisions of the DMCA. Please take it down and expeditiously or face potential liability. And when Online Policy Group with EFF's counsel wrote back a response saying, we believe that these do not infringe copyright, they're fair use, Online Policy Group's host, the host of a host of a link to claimed infringement, got a cease and desist letter. You are hosting someone who is hosting material that links to our infringing means of our intellectual property. Take it down or face potential liability. Well, at that point, we'd had it, heard enough, and we went into court and filed suit against Diebold for misuse of copyright, for misuse of this provision of the Digital Millennium Copyright Act, for interference with the hosting contract that these people had with their providers. And we went in first for a temporary restraining order and then converted that to a motion for a preliminary injunction to get Diebold to stop threatening people, to stop interfering with the posting of these important commentaries on the security of our voting systems. As soon as we went into court or shortly after, and there we were privileged to work with Jennifer Granick and the Stanford Cyberlaw Clinic who represented the Swarthmore students whose material was taken offline.
We at EFF represented Online Policy Group, the non-profit ISP who was hosting Indymedia and didn't want to make the DMCA takedown. We went into court. Pretty shortly after we got into court, Diebold started backing away. No, we didn't really mean it. We didn't really mean to sue anybody. We just wanted you to take that material down. And they retracted all of their threats. They said that they wouldn't sue anybody for the non-commercial posting of these email archives discussing their e-voting machines. And that still wasn't enough for us. We continued the case in the courts because we wanted a declaration that you can't just make these idle threats. You can't just go around saying, I'm going to sue you. I'm going to sue you. And then make them hire a lawyer before you say, oh, we didn't really mean it. Sorry, go away. That's not good enough. That's not going to cut it. And we can't let people be chilled that way. We continued to ask the court for a declaratory judgment, which is our way of going in and affirmatively saying, tell them to stop making these legal threats. And we kept up the case for misuse of copyright and misuse of the DMCA. We said that that started out in November. We are still waiting for a decision on that case. We had hearings in the court in February, but we are waiting. And every day we check the court's dockets to see whether that opinion has come down. If it comes down our way, we think a great precedent for protecting free speech online. If copyright threats, you can't just make them willy-nilly. If there's not an actual claim of copyright infringement, somebody is making fair use of a copyrighted work. If somebody is using even copyrighted material, you can use for criticism and commentary and news reporting, as all of these folks were doing. You can use it for political discussion. And it's not fair to send cease and desist and litigation threats in that context.
So we're hoping that we get a victory there to hold out against other people who are making similar threats as a warning. We can't do this. There are limits to what even fancy law firms and fancy letterhead can do to chill the speech of the public online. So that's the Diebold case. We've been involved in electronic voting outside of just this copyright context, as Annalee mentioned, when researchers at Rice and Johns Hopkins got a hold of some Diebold source code and wanted to analyze that to see if our voting machines were secure. The first question they had was, is this a trade secret? Are we going to get in trouble? Is Diebold going to come sue us for having analyzed this code? And again, we at EFF were able to look at that question and to look at the important public interest, which, in Ohio law, factors into the question of trade secret. It's not a trade secret if you haven't taken reasonable measures to keep it secure. It's also not a trade secret in Ohio, and several other states, if there's an important public interest in the publication that gets balanced against the corporation's claim to secrecy. We were able to advise them that they wouldn't face a trade secret lawsuit. They analyzed the code. They thought it was going to take them weeks or months to come up with a report. The weekend after they got it, they called us back and said, our computer science undergraduates have a better code than this. There are so many flaws in this code. We wouldn't trust the undergraduate elections to it, never mind our national elections. And so that's what got EFF involved in the electronic voting fight. As a separate matter, there was saying we shouldn't be trusting our votes to black boxes. We've been calling for a voter verified paper trail, and you may have heard some of the discussion yesterday. I believe there were some talks about that. Basically, we need to be able to audit the record of our votes.
You don't need to remind everybody here that computers are fallible, and a paper trail would allow us to recount and make sure that nothing's screwed with our votes, no computers have crashed when we've voted, and our election process has integrity. That's a little bit of what I've been working on at EFF.

So the Patriot Act is a big bill. The 342 pages made amendments to 10 different statutes. It's really unreadable by normal humans, unfortunately, including your congressmen. The broad problem with Patriot is the range of investigatory techniques, including wiretapping and demands for records, that it allows the DOJ to engage in with minimal or no oversight or accountability. I'm going to talk to you about one of those provisions, and a case that EFF's been helping on that deals with it. Pardon me. There's something called a national security letter, appropriately ominous sounding. It is a letter that can be issued by the local special agent in charge of your FBI office, directly by them without review or oversight by any court. This letter is served on your ISP, web mail provider, or other communication service, and can demand any kinds of stored transactional logs or any other non-content information about what you do online. So as long as it's not the contents of your file, so long as it's not the actual contents of your email, they can get it. IP logs, they can make them grep for who you're sending email to and who's sending email to you. Basic traffic analysis stuff, and whatever the ISP has or can get, they can demand with this letter. And the ISP is forever gagged from ever speaking about this, ever making public that this request was made. They can go to jail for it. Considering the letters are also classified, there's a whole other range of criminal statutes that can be applied if you were to ever reveal that these national security letters were used. Now, some people have wondered, where's EFF's Patriot case? Well, there's a couple of things about that.
First, if we were working on one, we couldn't tell you or we'd go to jail. The other thing is though is that without facts, without someone actually getting served with one of these letters, we don't have standing to bring the case. And of course, because when people receive these letters and they're told you can't tell anyone, they're often afraid to approach anyone, even though it's legal to go to a lawyer to deal with your process that's served on you. So there's a case in New York that we found out about a couple of months ago. The ACLU, my former co-workers at the ACLU, filed a lawsuit, ACLU and Doe versus Ashcroft. Well, who's Doe? We don't know and ACLU can't tell us. The thing is, they filed a complaint under seal, that is, completely secretly to the court, argued with the DOJ for about three weeks about what they could say without going to jail, and then released a heavily redacted complaint. With any and all potential facts that might exist, they can't confirm or deny whether there are any facts redacted out. So again, ACLU can't confirm or deny what is really obvious to any lawyer looking at this complaint. That is, the Doe must be some ISP that actually received one of these letters and went to the ACLU to help them challenge it. But ACLU cannot confirm or deny whether they're representing Doe, much less who Doe is, what Doe is doing, what Doe has dealt with. The level of secrecy, of course, is ridiculous. Again, any educated person, anyone educated in the law looking at the complaint, can tell someone's gotten one of these letters. Yet the government is attempting to keep secret even the fact that these letters are being used. Using FOIA, Freedom of Information Act, ACLU and EPIC, the Electronic Privacy Information Center, were able to get some documents about NSLs. But basically it was just a six-page list of redactions of NSLs that had been authorized since 9/11.
So it's obvious that they are being used, yet DOJ won't let ACLU say, we have a client that got one. Even though it's obvious that they did, it's completely unnecessary government secrecy, trying to protect a process that is very well unconstitutional, very possibly unconstitutional, this is about, does this violate the Fourth Amendment? And they are also challenging the scope of the gag order, which under the First Amendment. Because again, there's no legitimate national security reason for us not to know that this process exists and is actually being used. In fact, we had a little fight with the DOJ when we got their reply brief after we had submitted our friend of the court brief helping ACLU out. There were three words that were mistakenly unredacted. And they called us up and said, hey, could you send that back to us please? We need to fix that. And considering we're ethical lawyers and it is classified information and that the judge is currently considering whether their demands are legitimate and we didn't want to jump the gun on that, we acceded to that request. We sent it back. Because the only fact that those three words revealed were that there were facts. The obvious thing that you could tell by reading the complaint. And it's just another example of overreaching secrecy completely unnecessary, making you less safe, making you less safe because you're unable to exercise public oversight over what your government is doing. So in terms of EFF bringing a case, again, we need the facts. So keep in mind, if you run any kind of electronic communication service or know people who do, and I'm sure all of you do know many, spread the word. If you receive some, if a federal agent comes into your office with this strange piece of paper, it might have the words national security on it, might have the words terrorism investigation, it will certainly have the words don't say anything. I'm paraphrasing. Call EFF. Call EFF. Because we want to help.
We want to bring a case too. We don't want to be stuck just putting in briefs for ACLU's case. They got lucky. Someone apparently they can't confirm or deny and they haven't told me anything, but apparently they had someone come to them with the facts and allow them to bring this challenge. We're looking for those facts too. So whenever the feds come and show you some strange piece of paper and say give us this information now, we want to help. We want to be the 9-1-1 for the internet. We're here. We're waiting. Give us a call. Thank you.

Thanks, Kevin. That totally ruled. Well, I'm going to talk about something that's a little bit less intense than national security letters. I want to talk about an interesting case that EFF has been helping out with involving two of my favorite topics, which are obscenity and anonymity. This is the Barbara Nitke case, and basically in order to understand the case I have to give you a tiny little bit of back story. There's a case back in ye olde 1990s where the ACLU challenged an act called the Communications Decency Act. How many people remember the CDA? Okay. So the CDA was going to limit freedom of speech online, and particularly what the ACLU challenged at that time was a provision of the act relating to indecent speech, and they got that act taken out of the CDA in the late 90s. In fact, it was a newly unanimous Supreme Court that said no, it's not fair to say that you can't publish indecent materials online. The definition of indecency is very capacious. It's very hard to know what counts as indecent or not, and they felt that, the Supreme Court felt that that would hinder free speech. And so a lot of people felt like the story ended there. They thought, oh, the CDA is gone. Yay, the witch is dead. We can say whatever we want online. But actually, unbeknownst to most people, the CDA lives on just like those zombies in Night of the Living Dead.
And there is a little particularly zombie-licious part of the CDA, which is the obscenity provisions of the CDA. And in that provision, basically what the CDA says is if someone puts anything obscene online, that is unlawful and they are liable for criminal penalties, federal criminal penalties, which could include potentially jail time. Now this is where it gets interesting. For those of you who know anything about how the Supreme Court defines obscenity, it doesn't fit in very well with how we think of the internet. Obscenity is defined as anything that is sexual. In fact, anything that arouses the prurient interest, which is to say anything that gets you out of the way. So it's anything that does that which is also offensive, patently offensive, to a person who is evaluating it under contemporary community standards. Now this is, the community standards part is the part to focus on, because typically and historically the way community standards have been defined is through reference to a geographical location. So for example, if you're living in Alabama, which is a state where recently it was determined that it's illegal to sell sex toys, your notion of what counts as obscene or not is going to be very different from my notion of what's obscene in San Francisco, where we have feminist sex toy shops. Yay. So basically the question is, well, how do you enforce these kinds of geographical community standards on the internet, which has typically been a place where people do not have to identify themselves by their geographical location? And in fact, if I put up a website, as the plaintiff in this case, Barbara Nitke, did, which has materials that might be considered obscene in some geographical locations, well, how do I make sure that somebody in Alabama doesn't see my website? How do I protect myself against that kind of liability?
So for a while a lot of lawyers and activists felt like it wasn't a good idea to challenge this provision of the CDA, because they felt that they sort of wanted to take a don't ask, don't tell approach to it. You know, if we challenge this section, what if we get a really bad ruling that says that the internet community is defined by what's often referred to as the lowest common denominator? Which, since I'm picking on Alabama, I'll just say: what would happen if it was determined that Alabama should set the community standards for the internet, because in order to protect the entire community we have to adopt their standards? But indeed, a couple of years ago a plaintiff did come forward. That is Barbara Nitke. She's a New York erotic photographer. She has a website at BarbaraNitke.com that you can go find right now, if you actually want to use the DEF CON network. Actually, I mean, it might be good for erotic websites, I don't know. So she basically said (she was supported by the National Coalition for Sexual Freedom, and EFF has been helping out with the case as well; we filed a friend of the court brief and we've helped them get some expert witnesses), she said, well, how, there's something like 3,000 community standards potentially in the US, how can I, as this small webmaster, possibly ever protect against the possibility that someone would access my site and see some of these pictures that are erotic? So she brought her case, and here's where things get really hairy in terms of anonymity. As both sides are going through the discovery process, Nitke's adversaries of course are coming up with possibilities for how community standards could be enforced on the internet, and one of the things that's come up is the idea that geolocation software could be used by people who are putting up websites in order to determine the geological, sorry, the geographical location, they're placed in geological time, their geographical location. And I'm sure, as many of you know, geolocation software is notoriously crufty,
It doesn't work very well, and also it can be extremely expensive. So what we may see when the outcome of this case comes out, which it will probably be a year or two, is we're facing the possibility that if you want to put sexually themed, you know, speech or any kind of expression online which a community might deem obscene, you're going to have to have tremendous outlay of funds in order to have geolocation software in order to protect yourself against liability for obscenity. And also, of course, you'll have to constantly be updating the software with every possible obscenity law from all over the U.S. to make sure that you know which places need to be blocked. The other part of this is that, as I mentioned, geolocation software doesn't really work particularly well. And what it means is that if you have a geolocation software package, like many of them, that turns away people who use proxies like, say, Tor, they want to be known, they want to maintain their anonymity online, what that means is if you wish to be anonymous online, you may no longer gain access to certain kinds of free speech. And so if the case does not go our way, ideally we want an outcome like with the indecency provisions of the CDA, where a unanimous Supreme Court says no, we have to have free speech online, we can't use community standards to determine how everyone on the internet would prefer to have their entertainment. If it goes the other way, we may see a regime of geolocation software for people who are putting up websites, so, which prohibits free speech, but we'll also have a situation where we can no longer exercise our First Amendment rights to engage in anonymous free speech, either as speakers or as listeners, as people who are trying to get access to that speech online. So this is one way in which an obscenity ruling may actually start to break anonymity online, because either you'll identify yourself, you'll identify where you are, in order to gain access to potentially obscene speech, or if you choose not to, if
you choose to use a proxy, for example, you may find that you're simply turned away. So that's one of the cases that I'm particularly interested in right now.

So I don't think we could have an EFF panel without talking about copyright a little, so I wanted to talk about copyright a little bit. We actually have a lot of copyright lawyers at EFF. I'm not a lawyer, but they're out there, they're everywhere. Fortunately for us, thanks to members supporting everything, we've been able to get up, as I was saying, to nine staff attorneys, which is quite a few. So I wanted to remind all of you that we're going to be back here talking about the broadcast flag in this very room, with Wendy and I, at 6 p.m. That's the television broadcast flag, and we're going to be talking about it for about an hour in full historical detail, and what you can do about it, and so on. Since we have about five minutes here to give our presentations, I thought to speak about the radio broadcast flag, because there's actually another broadcast flag. They've been multiplying. They've been active. The radio broadcast flag is interesting because, like the video broadcast flag that we'll talk about later, it's the embodiment of a bizarre idea that entertainment publishers have talked policymakers into believing, which is the "digital is different" idea: that if they were to publish an entertainment work or distribute an entertainment work through a digital medium, that entertainment work would be more subject to copyright infringement, having been distributed in the digital medium, than it would have been if they had published it in an analog medium. So for example, the theory seems to be that if you publish something on CD or you streamed it online, somehow that causes copyright infringement, whereas if they had just stuck to cassettes or vinyl records or VHS or whatever, then somehow there would be no internet copyright infringement, because that's analog and you can't copy analog. So this theory is ridiculous, but policymakers have been, and
they need to say, brainwashed. There's been a publicity campaign, there's been a campaign to say, well, digital can be copied and it can be copied perfectly, and analog can't. Obviously, in the real world of physics, these are just representations of the same signal, and you can go back and forth between representations, and if you don't like that something is in analog, then you can digitize it and then you have a digital representation. So to give a concrete example of where this argument is currently being advanced that we're working on: the recording industry noted that there's plain old analog radio broadcast, AM and FM, and now there's the introduction of a new digital radio service. The US is not using the standard that the rest of the world uses, which is kind of typical of the US in the broadcasting world. We always have to have our own standard. The US digital radio standard is variously known as IBOC, for in-band on-channel, or DAB, for digital audio broadcasting, or HD Radio, for marketing purposes, because it sounds good. Not the radio, but the name of the radio. So we have this HD Radio thing coming out. The sound quality is not actually better than FM if you have a good FM tuner, but it's digital, so presumably that makes it more subject to copyright infringement, according to the recording industry. So they said, okay, people are going to be able to record this into digital files and then they're going to be able to share those files with each other, something they could not have done had it been an analog radio service. This is not true. We set up a couple of demos. We took analog FM radios, we plugged them into computers, and we recorded, and lo and behold, you can actually record analog media into digital files. It actually works. The extreme technical savvy of the EFF. But I mean, this is the oddity: policy makers are actually impressed by this. You know, we made a demo CD, something we've been working on just this past week. We've made it, prepared to make a demo CD recording analog radio into
digital and digital radio into digital, and they actually sound about the same and you can't tell which is which. And we went to an earlier preliminary FCC meeting on this and people were saying, like, can you really do that? Is that really true? You can't tell them apart? I thought one was digital, so it must be perfect, and analog is noisy and everything. So I don't know what to do about this conceptually, because it's become so ingrained. I mean, the entire rationale for the Digital Millennium Copyright Act was that digital would be copyable, so there needed to be special extra copyright laws for digital media, even though from the point of view of physics or information theory or signal processing in the first place, but it worked well enough to persuade the policy makers. So we've got this radio broadcast flag issue now, where the recording industry is saying, well, we need DRM mandated by law on digital radio. We don't care about analog radio, because no one could infringe, as we've been saying, but on digital radio we need DRM mandated. And it's an unencrypted broadcast. We'll talk a lot about mandating DRM broadcasts in our 6 p.m. talk about the video broadcast flag. We've been arguing against it, saying you could just record off analog and you'd get the same thing, and there'd be just the same risk, and why don't you care about that? The other thing they said is, in digital radio you can actually tell what's playing, and so you might be able to write something or build something that would automatically rip things off air and identify what they were, and then you could have a collection of recorded music. Now, unfortunately for that argument, there are perfectly lawful MP3 streams of radio stations that give metadata identifying what's on, and you can use a program to record those MP3s from the perfectly lawful MP3 streams off the net. Second, there's actually a digital metadata channel in current FM broadcast called RDS, the Radio Data System, where they actually tell you what's online, what's being
broadcast, what's on air. So you actually can get that metadata out of analog FM. So you get the same quality and you get the same metadata to tell you what's on, and you can actually capture things and know what they are and automatically categorize them and have digital files. So there's no difference. But our current task is to persuade policy makers that this is so, and we'll give it a try. I guess that's about it for our introductory remarks.

So I think, do you want to have Bill and then questions, or? Okay. Thanks, everybody. So what we're going to do is we're going to take questions at the mic up here, but because we're being unfair, we're going to let Bill Scannell go to the mic first. And so he's our plant. He actually wanted to talk a little bit about his experience with EFF, but then people can line up behind Bill, and that's always good because everybody likes to line up behind Bill, right?

Yeah, in airports especially. On switch. No, when I heard that the EFF was having this panel, I asked if I could speak, because it's one thing to hear a bunch of lawyers and activists talk about the things that they're doing on behalf of their clients. It's another thing to hear what the clients think about all of it. And the EFF is there for me and has been there for me for well over a year and a half. They've been there for many people in this room, whether you know it or not. The EFF is our insurance policy to allow us to go out and do the work that we do, whether it be with speech, with computers, with activism and whatnot. When any of us have a problem, if we don't think of it because we're too scared, we all have a friend that says, well, have you called the EFF? True?
In March of last year, when I heard that the United States government wanted to start color coding American citizens and giving them permission to fly, I was upset. I got angry, and this program, which some of you may know, it's called the CAPPS II passenger profiling system, made my brain explode. And I was scared and I was alone, but I went and put up a website called Boycott Delta. I had strange cars in front of my house. I continued to be scared. And then, and then the phone rang, and it was the EFF, and they said, this is great, we're here for you, Bill. And they were there for me. They were there when I put up pictures of Homeland Security officials in East German uniforms in front of Checkpoint Charlie. They were there for me when I started getting nastygrams from companies because they didn't like the fact that their data was being splattered all over the internet. They were there for me when I was getting complaints from all manner of people who didn't like the fact that they were being publicly vilified for giving our data, our passenger data, to the government for them to analyze and profile us. Having the EFF at your back and watching your six is truly a sight to behold. These people are not, you know, activists out of central casting. These people come from big law firms, from first-rate universities, who have chosen to give up literally multi-million dollar careers and work in tiny offices in San Francisco for you and for me. They're our insurance policy. And as a result, and as a result of having that kind of insurance policy backing me and other people, as a result of the EFF always being there for me and for you, two weeks ago Tom Ridge announced that CAPPS II was dead. Freedom really isn't free, and talk isn't necessarily cheap. The work that they do isn't out of thin air. It takes our money and our support, and not just buying the t-shirt, not just buying the ticket or the book or whatnot. I'm sorry, not just us buying the t-shirt or the bumper sticker, not just us saying the EFF is cool.
It takes our money. It takes our money to keep these people in business, because they're working for us. I have an insurance policy. I've had one for a year and a half, and I will continue to have one as long as I continue to speak out publicly against evil government programs that are interfering with my right to travel in my country freely without anyone knowing who I am and what I'm being tracked for. And we need you. You can get the money later, sir, it's just a dollar. But they need your support. They need your money. You need the insurance policy. So I want you to buy an insurance policy. I want you to think about what the EFF is worth to you when all of a sudden you get the nastygram and you know the legal letter is crap, but you're going to have to hire a lawyer anyway. What is it worth to you to have someone like Wendy Seltzer go? And I want you to open your wallets and buy an EFF insurance policy. Thank you for your time.

Thank you for that moment of testimonial. That was awesome. You can come by our booth if you have now been roused into giving money to us, and just talk to us or get a sticker or whatever. I saw another EFF client earlier. I won't point him out, because we're a privacy organization, but it's nice to see our clients around. It's nice to see that they appreciate our work. Should we just go to questions now? Questions.

I had a question dealing more with copyright infringement. It was about, I guess I've always assumed that it's okay, if you have a TV show that you like to watch, just to tape it so that you can watch it later. I was wondering if, what the legal implications are downloading this from someone else who has taped it and who has maybe edited out the commercials, that sort of thing, and what the legal implications are if you do that just for your own use.

Sure. As the copyright lawyer up here: the right to time shift, as the taping of a show off broadcast television is called, was enshrined in a Supreme Court decision 20 years ago, the Betamax decision, Sony vs.
Universal, we know, protects the VCR for its substantial non-infringing uses, and one of those non-infringing uses, the Supreme Court said, was the right to time shift: take a show, put it on tape, watch it later, as if that's a fair use. The question asked about downloading that show when maybe you didn't set your VCR but somebody else did, or maybe you didn't subscribe to that cable channel but somebody else did, or maybe you're in the wrong part of the country but somebody else gets the sports show you want to see. The copyright status of those is unclear, but likely to be on the infringing side of the line. Copyright law gives the owner of copyright the exclusive right to copy, distribute, make derivative works, publicly perform, publicly display, and downloading ends up making a copy that you didn't, weren't authorized to make. The broadcast authorizes you to make that temporary time-shifting copy, but if you didn't get to do that, it's probably not going to be clear. There may be cases where it'll be a fair use. There will be cases where it's, courts are likely to see it as an infringement. Collaboratively maintaining a list of commercial cut points, though, so everybody who has taped the show can cut on the same point and skip over the commercials, we think would not be an infringement. Collaboratively annotating the show, giving people metadata so that they can find it on their own hard drives, that's a good thing. That's not infringing.

One of our other copyright lawyers has pointed out, as a kind of interesting general observation about fair uses, that just because something is a fair use if you do it does not necessarily in every case mean that someone else that you got to do it on your behalf would be protected. There was a famous case about a company that helped people access remotely music that they had purchased, and it seems that it might be a fair use, and perhaps is a fair use, if you remotely accessed music that you had purchased, but a company got in a lot of trouble when they, on a
profit-making basis, helped people to do that. So there's that interesting distinction between can I do this, and can I get someone else to do it for me or to help me do it, and it might be that those questions are distinct from one another.

Thank you very much.

A company, by the way, was, they offered, Michael Robertson's MP3.com and the My.MP3.com service. They got fined lots of money. Thank you.

Hi. Can you guys talk a little bit about civil, the role of civil disobedience and technical activism? If the geolocation thing you're talking about actually becomes law, it would seem that a lot of people would suddenly be paying attention where otherwise they're just sitting around hoping everything works out.

Yeah, and since you asked the question, I would say I actually neglected to mention that, for, if the Nitke case does not go as we hope, setting up a Tor node, for example, would be something that would be a great form of civil disobedience, a good way to break geolocation software. In fact, there's other ways you can break geolocation software, by, you know, just filling in the wrong address each time you fill out an online form, or...

I mentioned why that's relevant?

Sure. Yeah, so Seth, why don't you explain, since you're very eager.

This is a digression from the civil disobedience question, but the relevance of filling out the wrong information: through the Nitke case we learned something that is perhaps not widely known, which is that one of the ways that geolocation companies find out which physical location corresponds to a particular IP block is when people go to sites and type in their zip code in a form. The company to which you submitted your zip code through a web form has a certain kind of partnership with certain geolocation companies. They may disclose your IP address and the zip code you entered to the geolocation company to help them refine their database, and the geolocation company will then use statistical techniques, and they'll say, it looks like 8 out of 10 people who are in this
particular IP block entered the same zip code on this form, looks like that IP block is probably in that zip code. So this means that filling out web forms accurately has the unfortunate side effect, in some cases, of helping commercial companies refine the accuracy of their tracking databases with more accurate demographic information about where people are. So now back to the civil disobedience question.

And as I was saying, I think that trying to do things to break the mechanism that Seth was describing could be described as civil disobedience. They're not illegal. You're allowed to fill in an incorrect zip code when you subscribe to something or are going on eBay or whatever. So that is a way that you can mess around with government-mandated solutions to stymying free speech. Does anybody else want to talk about other possible technical civil disobedience?

A brief comment: civil disobedience when it comes to computers isn't just like civil disobedience when you're making a chain at a protest or something. There are serious criminal penalties that could accrue, and you should really consult a lawyer. So give a call to EFF if you have any concerns about the legality of what you're doing. We don't do computer crime defense ourselves, we don't do criminal defense, but we do know many criminal defense lawyers, people like Jennifer, and we can refer you to them.

I won't ask if you recommend it, but I will ask if it's useful to you.

Yes. Yes.

This question is regarding Chilling Effects. From my understanding, making false legal threats, and legal threats without any basis, is against the bar code of ethics. Do you think there'd be any success in pursuing some of the lawyers at these corporations sending out the letters with possible bar sanctions, and do you think that would be a good deterrent?

Well, the tactic that we've been using is more one of shame, by putting these letters online and letting everybody see the silliness in some of these letters. We tend not to go after the individuals, because
oftentimes cease and desist letters are written by the young associates who are at the low end of the law firm totem pole. They get to, they're directed by somebody higher up at the firm, who's directed by somebody at the client. We look at ways of going after that kind of abuse with things like the declaratory judgment complaints. There might be times when an ethical complaint was warranted, but lawyers will tell you also that there are many shades of gray, and they'll argue that in fact there was a legal justification for even letters that seem absurd.

Thank you.

My question regarding the obscenity case...

I'm afraid there's been an intervention. Where else can you really have some fun and have your lawyer here just to get you in trouble? I also want to say a few words on the hacktivism discussion. On a more serious note, DEF CON, the staff of DEF CON, and the people affiliated with DEF CON in no way condone physical violence against individuals, destruction of property, threats, destruction of data, and so on and so forth. Those aren't anarchy. That isn't civil disobedience. That's outright terrorism, murder, violence, mayhem, assault and battery, whatever you have it. So we do encourage you, of course, to always, myself being a strict constitutionalist, you know, make sure that your rights are not taken away from you, but protest in a safe and civil manner. Don't blow shit up. Don't rob banks and say you're civil disobedience, you're bank robbers. Don't kill people, because you're murderers. And yeah, I've heard the old talk: what's the difference between a freedom fighter and a terrorist? What do you do?
Well, we're not at that point yet, guys. And you know what, honestly, if we do come to that point, I'll be the first guy out there with a gun, preachers edition. But we all know that we have a democracy, and we can change via that democracy. Okay? What that means is you guys have to get out there and vote. Okay? When 10%, when 10% of your generation votes, because you ain't got nothing to say. All right? If you don't like George Bush, fine, vote for John Kerry or the green guy, Howard Nader, or whoever. All right, if you like George Bush, vote for George Bush. You want Mickey Mouse, vote for Mickey Mouse. But get out there and vote. The only way you will change the system is to vote. That's what it's there for. That is your God-given right. Anything else, you're no better than Timothy McVeigh or an Osama bin Laden. They're thugs and they're murderers. That being said, let's play Spot the Fed. Yes, sir? Stand up, sir. Sit down, sir. I live in Washington, DC. I'm sorry, you were, Spot the Fed? I'm sorry, go ahead. I live in Washington, DC. That is an excellent question that I don't have an answer to, sir, except a move. That one I leave up to, I don't know what to tell you, but I don't encourage you to blow stuff up. Is that a choice? Fortunately, this kid will probably end up in a lot of trouble for what he said. He committed four or five felonies just up there on stage. Okay? And that made us really unhappy to see that happen. We have talks like that because we want that point of view shown and heard. We'll continue to have talks like that, and we'll continue to make disclaimers like this. But like I said, we want those people heard from, because this is democracy and it's their right to speak. It's not okay to yell movie in a crowded firehouse, or fire in a crowded, crowded movie house. I get those two backwards. I run into my local station and go, movie, movie! Yeah, try that, that's actually kind of funny. And then when the cops come, scream, you'll never take me alive. Or get your friend to do it, because that's even funnier, because that way you don't
get hurt. But don't do any violence. Okay, so we'll try to Spot the Fed. You do, you, sir? Oh, you're encouraging people to do it. You don't have a fed? No? Okay. They're in the room. You know, we actually found a tape recorder in the back of the room, tape recording the whole session. We unplugged it. No one wants to try Spot the Fed? Come on, somebody wants to try. They're in here. Stop what? Because we wanted to do a Spot the Fed during the EFF talk, because that would be, we've got plenty of time for questions, because they have plenty of time for questions, and it would be cool in, like, the Electronic Frontier Foundation, where it's kind of the anti, am I going too fast for you, sir? Where they're really, like, on the left side, where it's really cool, and the freedom fighters, and, like, the law enforcement, the bad guys. You know, do you need pictures, sir? I could draw them for you. You with me? Save it for your LiveJournal, sir. No one wants to try Spot the Fed? Yes, sir. Okay, there we have one. Yes, sir. No, sir. I'm priest. The man is actually at 1600 Pennsylvania Avenue. Yes, sir. Well, come on down. He's got that 300 cc cranium and the sloping forehead and one eyebrow. It could be an FBI. Oh, he could be a foreign fed. Come on down, sir. That's okay, you can come down anyway. We'll make fun of you. Come on, it'll be fun. You have to come too, sir. Nice muscle shirt. Key point out, sir. You'll get there someday. Come up, come up, come up. Yeah, come on, come on. Come to the front. Sir, would you give me a favor, sir? Say "I'll be back." I'll be back. Say "Hasta la vista, baby." Hasta la vista, baby. Kind of a tenor, tenor Terminator, do you think? Where are you from, sir? Where, sir? Ooh, Mossad. Could be Mossad. Could be dead in the pool. Where are you from, sir? I'm actually now from New York, originally from Tel Aviv. What part of Europe are you in, sir? What part of Europe? Where in Europe? In New York. In Chelsea, in New York. I'm sorry, is there nuclear plant out there? Are they still going after that? Where in New York, sir? In Chelsea. What do you do for a living, sir? We teach
law in New York Law School, and we met Jennifer in the conference who organized it. Yeah, we did. So, so Jennifer's working for Mossad now? I'm done with that. You're sure she's working for Mossad? Really, you can tell us, it's okay. We have a scoop here, ladies. There's a press in here. A famous EFF lawyer works for Mossad. Don't submit for defamation, please. Thank you, sir, you can sit down. You're obviously an attorney. Anyone else like to try to Spot the Fed? I know people in here who are feds. Are you guys that blind? Just know the cologne. Okay, in closing, I'm going to share one of the best fed hacks I've ever seen done at DEF CON. This was done, I think, DEF CON 8. This will show you how clever they can actually get. Every once in a while we do get an original thought. They came in with a real high, high-speed, low-drag camera system, bright lights, and a booth babe, and they said, have your crew a picture taken here, complete with the, complete with the height, and they had a little number thing you could hold. They changed the number, and every idiot stood up there like this, and like this, and from DEF CON 8 they collected every single underground guy, with their permission. Oh yeah, we'll send you the picture. Sure we will, about midnight when we kick in the door. So if someone here asks you to take your picture like that, probably feds. Could have worked once and worked again. Thank you very much for being such good sports. Next time we'll hopefully find a fed for you. Next time. Back to the regularly scheduled questions.

My question was regarding the obscenity case. What separates the woman in question from the millions of hardcore pornography sites out there? Is there any distinction, and if not, isn't that selective enforcement?

Isn't that what?
Selective enforcement. I mean, just picking someone at random.

Right. Well, again, back to the, he's asking what separates Barbara Nitke's website from hardcore pornography that would be considered obscene. What was the, she's not being prosecuted or being pursued by the government in any way. She has actually affirmatively challenged the law herself. So she selected herself out, and it's because she's not a hardcore pornster but rather an artist trying to express herself that she decided to bring this case herself. So it's people like that that help make the law not stink. You really do need to stand up, and sometimes you need to be the plaintiff and not wait to be the defendant.

So I had a question about copy protection software. Probably PC games recently, apparently, have been putting in copy protection that denies you installation of the software if you have other programs that could be used to copy it installed on your computer, like Daemon Tools or Alcohol 120%. I was just wondering if there's a provision in the DMCA that allows this, and if there's anything being done about it, just because the programs that it searches for are legal on their own and the software is legally purchased, but it still doesn't allow you to use it.

That's interesting. I haven't seen those software copy controls in action. I'd be very interested in hearing reports on what that is. So the DMCA anti-circumvention provision says you can't circumvent an access control, and you can't make tools to, for the purpose of circumventing access and copy controls. So I'm curious about whether you can listen for other tools and refuse to install. Do these games allow you to return them if they don't install on your computer?

No, because all software vendors don't allow returning, because of copy protection.

I'd be fascinated to hear more about this, because that sounds like a real abuse of the rights of the public as purchasers, and that's in the way that they see fit, and going way overboard to stop copying, to stop people from using
lawful debugger or other programs alongside their programs without noting very, very clearly on the package "this game may not install on your computer" could be a serious violation of rights, and one that might be a copyright misuse, for example.

The DMCA itself, in the DMCA text, with one exception, does not impose any restrictions on the substance of what kind of DRM a publisher may use or what kind of policy the DRM may enforce. In the body of the DMCA there are no restrictions, except for one obscure one about videotapes, on what the DRM can do to you or how it can restrict you. There may be other interesting legal aspects to it.

Another plea, for you are our eyes and ears in the world: please tell us interesting things like this that you're seeing. Email us, call us, let us know. Interested to hear more. Thanks.

One of the problems here, though, is that you have a set of rights that are protected by law, and then you have a set of things that you are maybe not allowed to do that the law says, private ordering or contracts of what, where you kind of negotiate with another entity what's going to happen. The problem with these types of cases, the situation you're talking about, and also, for example, software licenses which say you're not allowed to reverse engineer, you're not allowed to benchmark, or that kind of thing, is that the law tends to look at that as, there's some kind of contract here, and you agreed, in exchange for buying this software and using it, that you were going to abide by these particular terms and conditions. And the law in these situations is really not very good for us. You don't have a lot of choice necessarily as to what software you buy, but nonetheless a lot of these contracts have been, in licenses for software, have been upheld. The thing that's really interesting about the case that you raised is your answer to Wendy's question, which is, can you return it, then, if you aren't allowed to install it? And the answer there is no. And so it could raise a lot of issues in terms of
sort of unfair competition or that sort of thing, breach of contract or that sort of thing. But generally I think we're going to see more and more of these situations where software licenses are constraining by contract what it is that people are allowed to do with the software, and there are no laws that say that we have a right to reverse engineer. It says copyright law doesn't stop you from reverse engineering, for example, trade secret law doesn't stop you from reverse engineering, but there's nothing that says that software licenses can't stop you from running another kind of program on your machine while running this program on your machine, or that kind of thing. And it may end up being true that we need affirmative legislation that protects our rights in these areas.

From what I've seen, it doesn't actually prevent you from running the program. It scans your registry to see if it even exists, so it's preventing you from even owning the software, or if you've uninstalled it, sometimes it'll pick up on dead registry keys.

So that was interesting.

My question is about the recent litigation with individuals that download the music, just these John Doe lawsuits, and then certain ISPs that actually will give up their information. If somebody has an open wireless connection, which is obviously a lot of people if you drive through a neighborhood, and they're specified in this lawsuit, what is the person to do? Is there any protection from them if they're open, and in fact that they didn't do it?

I can answer that. If you're not the person who downloaded the, who infringed copyright, let's say, whatever the thing was that it was infringing, if you're not the person who infringed, and it was simply an infringement that happened through a wireless service that you own, you're not going to be responsible for the copyright infringement. You didn't know about it, you didn't benefit from it, you couldn't control it, it's not your fault. The problem is, and one of the reasons why people like to secure their
wireless access points, exactly what you're saying, is that they're the first point of suspicion. So if the RIAA or the police come to your door because it was your IP address that was associated with whatever the illegal activity was, you're going to have some explaining to do, and it may be that then you have to show how it wasn't you. But then the sort of focus of suspicion will move on. But you're not, you won't be legally responsible, but it could be a hassle.

Right. Well, I mean, I guess that's kind of the whole point, is how can you prove it wasn't you? I mean, you know, from what you say it would be easy to prove it wasn't me, because let's say it said that I was downloading the new Madonna song at this time from this IP address, and then all I would have to do is show I don't have the Madonna song that was downloaded at that time on my hard drive, and so then it's clearly somebody else using the wireless access point, and it's wireless and it's open and they have to move on from there. So it wouldn't necessarily be all that difficult, but it might, I mean, you know, who wants to go through that? Right, because I'd have the Madonna song, I downloaded it the day before.

So if they didn't believe you, you might have to go to court and have a factual dispute in court that would have to be resolved by the court. I mean, courts exist largely to resolve such factual disputes. So you might say "I did this" and they might say "no, you did this other thing," and in some cases it might go to court, which is a difficult process, and you would need lawyers to represent you.

Like the EFF. Well, that's the whole point, is with these lawsuits that, you know, like, okay, we're going to sue for $300,000, but just give us $1,500 and we'll go away. You know, it's cheaper to go to the $1,500 than get a lawyer. I mean, the EFF's not going to support every kid who's downloading music with an open wireless connection.

That's the problem we've been raising in Congress.

Hi there. I really appreciate you guys coming. This is the first time
I've ever heard of the EFF, so this is a new experience for me. But I'm a journalist from San Francisco area, and recently in my newspaper I ran a commentary that described how the federal, the wiretapping laws have been, they don't cover transmissions that go over the internet, namely voice over IP phone calls and, to a greater extent, email. I don't know if this is under dispute or if it's currently, you know, if it's been substantiated that it's not covered in this, but it seems like a great threat to privacy in general.

Yeah, electronic communications are explicitly covered by the Wiretap Act and by the Stored Communications Act, which governs access to messages that aren't in transit, which is what the Wiretap Act deals with. And some of you may have heard there was a recent decision called U.S. v. Councilman in the First Circuit. This case dealt with a gentleman who ran a used and rare online book service and offered email service to his users. And what he was doing was, he configured procmail to look at incoming email for his users, and if anyone was using Amazon, any email from Amazon was also copied to his box so he could spy on what his users were buying in Amazon and use that to his competitive advantage. Now, you may think, well, hey, that sounds like a wiretap to me, that's a message in transit, he was, you know, getting it before you were getting it, he was getting it while it was being transmitted. But the law distinguishes between those and those messages that are in storage. And, you know, a common-sense interpretation of that means a message in storage is one that is reached during boxes waiting for your retrieval. But the court in this case, and the appeals court agreed, was, they said that no, since this had passed through any memory at all at the provider end, that being, you know, through procmail or probably before that through the firewall, it had been in memory at some point, it had been stored at some point. And the reason this is important distinction is that under the Wiretap Act even
providers are prohibited from intercepting your communications unless it fits into a provider exception, where they are protecting their rights and property or doing what's necessary to maintain their network. There's no similar prohibition when it comes to stored communications. So even before this decision it was totally legal for a provider to grep your email for whatever they wanted after it was waiting for you to retrieve it. That was never in dispute. But what this court found was that even if it's just, you know, passed through memory for a few milliseconds on its way to the inbox, even that is covered by the stored rules, not the wiretap rules, which means your provider essentially has carte blanche to do whatever they want to your messages whenever, look at it for any reason, do whatever they like. This is sort of a tempest in a teapot in the sense that they could already do this. If they just waited a few more seconds there wouldn't have been any dispute at all that that was legal. And now, because of this case and because of groups like EFF and other privacy organizations making a big stink out of it, the Hill's paying attention. The Times ran an editorial, the Post ran an editorial, that gets the Hill's attention, and so now we have an email privacy act that's been introduced in the House. There are various other congressmen and senators working on bills to deal with this problem, and not only would they deal with the problem of this should be handled by the Wiretap Act and not the Stored Communications Act, they are also intending to make the Stored Communications Act more like the Wiretap Act by saying no, even when it's stored, providers can't look at it unless it fits the exception. So we're trying to maintain your privacy against email providers who may be not quite so ethical when it comes to looking at your email.

Okay, thank you so much.

You all are my heroes, first of all.

That's very kind, thank you.

I work for a security architect for a very large corporation. I love the company
I work for, I love my job. I found myself in a situation some time ago, a few years ago, where I was working on a project that I was required to sign an undisclosure agreement that would have been a criminal offense to violate, and the project was one that I couldn't sleep with myself for working on. And I want to know what advice you all would have for anybody in this room that would ever find themselves in that situation. Luckily for me, I decided: don't do anything stupid, I love my job, I love my freedom, I'm just going to hope that somebody else working on this project says something, or something happens and it becomes public and it gets known about and eventually dissolved. And that's what happened, so I can sleep again. But I want to know if you all have any advice for anybody in this room who may find themselves in those situations, because it's people who do security for a living and work with other corporations, I'm sure there are lots of people in here who may find themselves in similar situations. By the way, what I did about it was double my membership contribution to you all to make myself feel better.

That's good, because the only real answer to that is to consult an attorney. We can't give some sort of broad advice about how to deal with non-disclosure agreements, particularly ones that may carry criminal penalties. I can only assume that was a government project, because obviously if you sign a Google NDO, non-disclosure, I mean NDA, that's not going to get you thrown in jail. But yeah, the general rule is do what you said you were going to do until a lawyer says it's okay not to, and if you have questions about it you need to talk to a lawyer. We can't just say, oh yeah, sure, it's okay, if you have ethical qualms about it, screw it, it's no big deal. You know, that you really, it's a shame that we live in a society that there are so many missteps you might make where you have to consult a lawyer, but then again, that's why people like us do what we do. You don't have to spend
thousands and thousands of dollars to hopefully get a quick answer on something. You can call us.

Sure. You know, the interesting thing is that so much of what is done in technology can enshrine some kind of value system. You know, the technology can either take no note or no interest whatsoever in the notion of anonymity or privacy, it could enable censorship or filtering or that kind of thing, and we really benefit very much so from having technologists with a sense of civil liberties working on these kinds of projects. And I agree with what Kevin said about the legal side, but from the technology side, you look at the open way that the founders of the internet coded it so that it would be open and nondiscriminatory and that it would route around blockage, and in all of that was a technological design principle, but it also goes along really well with this very fundamental democratic principle that I think kind of underlies democracy, that kind of underlies the way that we look at things here in the United States, and I think it's obviously the reason why the internet's done so well. So I think that when you are, when you're embarking upon some technological project, to bring to that project your sensibilities about civil liberties and about what's right and wrong is critically important.

This project had no redeeming value at all, so, but I appreciate you.

Well, it disappeared, so you did good.

My question's about the Patriot Act, and my limited knowledge of the Patriot Act is condensed into Nancy Chang's Silencing Political Dissent book, which has scared the daylights out of me, to be quite honest. Is there any guidelines or steps by which a, not necessarily, well, I guess a webmaster might be able to take if they have a site that maybe has things like Howard Dean, Chomsky stuff, links to things like that, so that you don't step over that line and end up doing a stint in jail or something like that for the violating Patriot Act?

I'm not certain what, what kind of violation you're talking about.
Most of the new crimes or expanded criminal penalties in Patriot don't deal with internet stuff, deals with things like bioterrorism and money laundering. The greatest impact when it comes to the Patriot Act is the surveillance it enables. There are some provisions specifically regarding surveillance when it comes to hacking, for example, or rather a computer crime, I don't want to equate the two, but there is, for example, a trespasser exception to the Wiretap Act where a provider can say, this person who is not our subscribers on our system, you have our consent to wiretap this person to go to a judge to do so, even though the privacy violation is the same regardless of whether your intent is ethical or not. But I'm afraid, but as far as publishing political speech, Patriot doesn't prohibit you from doing so in any meaningful fashion.

I guess I should clarify, not so much to publishing, but I didn't want to get on a hit list, basically, is what I'm targeting there. Where do you draw the line where you don't step over and all of a sudden now you're under surveillance and you're under freedom of speech?

Well, I mean, they have been given broad powers, but it's not carte blanche, and they can't, say, wiretap you or subpoena your records simply for publishing First Amendment protected speech. In fact, some of the surveillance provisions in Patriot, in particular expansions of the Foreign Intelligence Surveillance Act, surveillance which is authorized by a secret court in DC that only the DOJ appears before and we never see their decisions or other procedural rules or anything, there is a qualifier that says, but if you want to investigate a U.S. citizen, or rather a U.S.
person, you can't do it based solely on First Amendment activities. So I think if anything the key response to this is speaking your mind. Don't be afraid to engage in important political speech for fear of being spied on. The fact is, I don't trust the DOJ a whole lot, but they do have limited resources, and they're not going to fritter those away trying to intimidate a Dean supporter, for example. And I don't think any of us should allow ourselves to be cowed from speaking out because this law exists. If anything, we need to speak up louder.

My question has to do with the email law that you were talking about. My company can come in and look at my email at any time, and also if I'm on my computer they can also look at my Hotmail or my Yahoo because they have a tool that allows them to do that. But then also when I VPN from home they make it that they can look at anything that I'm looking on while I'm VPN in. I also understand that school systems now, if you have any email through any kind of college, university or any high school, that they have that freedom to do that as well. At what point does that, does that stop? Schools, workplace, and if you're doing it from home, at what point is that going to stop?

Well, the provider exception that I was talking about is important, but it is unfortunately a bit broad. It's the language, but it's essentially you can intercept as necessary to protect your rights and property or to provide the service. In those cases you're giving, your employer is the service provider or the school is the service provider, and so if they have acceptable use policies that prohibit certain types of content or behavior, they can monitor to see that you're not doing those things. And also, even if they didn't fit in under the provider exception, in the vast majority of cases like those you're discussing they do get your consent, either when you sign an agreement when you start work or they post some sort of banner when you log on saying you may be monitored. So unfortunately that
there's, there's no clear limit on that other than that broad exception. But as I was saying, when it comes to stored stuff there's no limit at all right now. They can do whatever the hell they want and look at whatever the hell they want for whatever reason they like, and we want to at least fix that problem.

So, okay, what I was looking at is basically, first of all, what you were talking about, the provider exception: what constitutes them being, what constitutes being a subscriber? Because, like, if my packets go from me 15 hops to where they're going, they're all providers, all of those hops, so they're all my provider.

They're all a communications service provider. It doesn't matter whether you necessarily have a subscription agreement with them, they are providing the communications are weird. The answer to this question is use crypto.

Yeah, okay, basically, they're, basically any of them can just say they're that. So in other words, I would be a subscriber of those providers, or would I be a trespasser because my packets are traversing their network as IP does?

No, you would not be considered a trespasser just for basic internet routing. As far as whether, to what extent they can look at your messages, before this Councilman decision it was presumed that those packets as they were moving through those machines were governed by the Wiretap Act, and so it would have to fit in to the provider exception. Now, after Councilman, if the Supreme Court upholds it, if it's even appealed, if the law doesn't change, if Councilman stands, that means they can look at those packets for any reason at any time. And so essentially your internet community, but this is not news to this crowd. You've always known that your emails, unless you encrypt them, everyone can look at them as they pass through the internet. But this is something the public doesn't get, and luckily things like New York Times editorial has helped inform the public, yeah, there's actually a privacy issue here, and you really need to, one, get Congress to pay
attention to it, and two, take self-defense measures, which means crypto.

The other thing I'm looking at is the wiretap versus stored, and what constitutes stored, because, well, my packets go and they go through, say, 15 routers on the way to where they're going. Those packets were stored, even for an infinitesimal part of time. Now what constitutes stored and what constitutes on the wire?

And according to this decision, even if it's just for milliseconds, that was stored, and so the provider can look at it any way it wants, and its disclosure of that would be governed by the Stored Communications Act rather than the Wiretap Act as well. So this isn't just important in so far as providers. The thing is, if this isn't a wiretap, if copying packets out of procmail into some other box is not a wiretap, that means Carnivore is not a wiretap, and instead of having to get a wiretap order, which is like a super warrant, which has lots and lots of additional requirements, they only need to get a regular search warrant, or after a certain period of time has gone by, merely a subpoena, to install a Carnivore box. Again, this isn't definite, this isn't what's happening now, but these are the implications of this decision if it stands.

Well, there's nothing that says, say, a version of Cisco IOS couldn't float that passed certain predefined packets that basically got stored for forwarding, the time that it's deciding where they go, pops them out another interface to disk somewhere.

We need to hurry up because we're running out of time. I just want to say that the person, the brunette who's the last person in line, you are the last person in line, so that we're closing out the mic now so the rest of you can actually ask questions.

I know I'm not the only one who gets amazed at the level of ignorance and trust that people place into the systems, or the amount of abuse of that trust that goes on, and the EFF is defending and highlighting where these congressmen can't do what they're trying to do, where the commercial people
can't do what they're trying to do. From your perspective, do you have any creative suggestions for how you can emphasize the other side of what you can do safely, or how we can better educate people not to trust as much what they're trusting? Because it seems to be something that's missing quite a bit. I hate to, all due respect to everyone here, but a journalist who knows about DEF CON and not the EFF, and making laws now about making it potentially illegal to read email that's not encrypted, these are scary things to me. Do you have any suggestions for helping to raise that awareness?

Certainly there's all different kinds of ways that people can raise that awareness. I mean, largely it's through education. A lot of EFF's work in litigation does result in educating the public. Oftentimes the media does pay attention to what we're doing, and we get a chance to help people understand really complicated technical and legal issues and where they come together. I think really the best way to combat this stuff is to, at least for us, there are places that can really make a great precedent, or engaging in projects like our MythTV project that, just to plug one more time, Seth and Wendy's panel is going to be about at 6 p.m., building pieces of technology that demonstrate problems in the system, problems with copyright law, problems with surveillance law. But beyond that there's no perfect panacea. I mean, it's basically even on an individual level: if you're an engineer and you can help explain to people at your office to use crypto, for example, to go back to that theme, that's terrifically helpful if people can come to understand that. So I mean, but there's no, like I said, there's no perfect way that we can suddenly, we could implant chips in people's minds and control them and say, now you will understand the gravity of your actions if you do this. That'd be great if it were true, and the government would probably take it up and we'd have to fight that.

Yeah, for example, if you control an SMTP server, enable
STARTTLS. It's really easy.

And there is Seth educating the public. But yeah, so, next question.

Well, just one follow-up. It's just that listening to, and like I said, I didn't expect the EFF to do more, but listening to, it comes back to the same thing: demonstrating where you need to pay attention to this often gets branded as illegal hacking, and then we need the EFF to defend us again. I'm looking for the way where webmasters who are not involved in this can be educating, so that when the congressmen go, they're not going just because there was some outlandish event that got raised by the ACLU or EFF and now needs attention. I wanted more of a, that you get educated as you go, and it doesn't seem to be something that's easy to do. Thank you, though.

Yeah, first I just want to say thank you so much for everything you've done, and also I was wondering what are the current legal implications of deep linking to information such as, like, bomb instructions or something like that, just anything that can be deemed as that sort of information, deep linking and also direct linking directly to a different website, like what I believe happened on Raise the Fist.

So you're talking specifically, okay, well, what happened in regards to Raise the Fist: this was a site with a young man who posted bomb-making instructions, and it is illegal to distribute instructions for making bombs with intent that those be used to make bombs and blow up people. Jennifer already talked about the idea of intent and how amorphous and sort of thought-crimey concept it is, and we attempted to offer our services in that case, but there was a settlement reached by the defendant there, and so there hasn't been any precedent on the constitutionality of that law. It's kind of lacking that it only applies to the distribution using the internet of bomb-making instructions with intent that they be used, and I don't see any real meaningful reason for that distinction, but again, it hasn't been litigated yet. As a lawyer as you're dirty I would
recommend thinking very carefully before you post any kind of bomb-making instructions.

Yeah, what other information would be classified in, like, the same category as that?

Like, I would have to look at the statute. You can come get my card and you mail me about it and I'll look at the statute and get back to you.

Also, this wasn't anything about me personally.

Certainly, of course not, of course not.

Hi guys. I know that this has been so far more about law than about lobbying, but I sort of take an idle interest, as a crypto anonymity type guy, in things that might send me to jail in the next five years. Could you talk a little bit about this piece of legislation that's currently before Congress called Induce, why it's bad, and how I can keep it from passing, and if it passes, how I can keep it from sending me to jail? Thank you.

Ah, Induce. Induce was bill proposed by Senator Orrin Hatch, whom you may remember from, ah, last year he proposed that copyright holders should be able to destroy the computers of anyone they suspected of infringing their copyrights. This year he's back, trying to add a new layer to copyright liability for those who aid, abet, or induce infringement of copyright. And we drafted up a mock complaint against Apple saying under the Induce Act it was likely that Apple could be sued for making the iPod, and Toshiba could be sued for making the hard drive that Apple used in the iPod to Apple specs, because all of those things could be used to aid and abet infringement, and Apple makes burn induce infringement. Terrible, terrible law, being pushed strongly by the entertainment companies, MPAA, RIAA. We have got together a coalition with other technology companies, got some of the Intel, Yahoo, Google, lots of strong technology companies have voiced their concerns about it. Hearings took place two weeks ago. Nobody except Mitch Bainwol from the RIAA spoke up in support, except for the Register of Copyrights, who also said, yes, we need stronger copyright, ah, liability. They tell us that this was
targeted at peer-to-peer companies. It's not targeted at peer-to-peer companies. It could make Sony liable for offering the Betamax, it could make Apple liable for the iPod. So what can you do about it? You can write to your congressman, and to make it really easy for you, EFF has an action alert, action.eff.org. Come and add your own text to the letter that's already pre-addressed to your senators. Call them up, talk to them, talk to staffers in your home state, help them to understand why this is such a terrible problem for innovation. If everybody has to ask permission from the entertainment companies before building new technology products, we won't get the new technology products.

As a potential sign of our impact, some proponents of Induce have suggested that Induce was specifically intended to reverse the decision in a case that was won by our EFF colleague Fred von Lohmann. So it's nice when people feel, not nice when they do it, but nice when they feel that they have to pass a law specifically to reverse the case that EFF won.

Thank you. My question is a follow-on to the gentleman who was asking about the MP3 over unsecured wireless. It seems that you could be negligent for an unsecured wireless connection, and it seems to me that we're really close to a lot of negligence problems: you don't have ZoneAlarm loaded on your home computer, so you're negligent for some kind of virus getting loaded.

Interesting question. Because we're short on time, I think I understand you're asking could negligence law be used against these people. Negligence is a specific legal concept that applies when you have a duty to act and you act improperly or you don't act. You don't have any legal duties specifically with regard to your wireless connection or with regard to securing your computer. Now maybe you should, and maybe that's something that Congress should be thinking about, but maybe that duty falls with, say, the provider of the operating system that has so many bugs, and maybe we need products liability
for people making awful software. Maybe we don't. But tough problems. Negligence applies very specifically where there are duties, and at least in the current world we don't have too many duties toward other people on our networks.

Thank you. Back to fair use. It's my understanding that under the Copyright Act it's considered to be fair use to make backup copies of movies that I buy, so it would seem that under the Copyright Act, if I buy, you know, $50 loaded DVD and I want to make a backup copy, that's legal, and under the DMCA it's not legal because it's copyright protected. So what's the deal? I know there's been some loss that's going on and they have an update, they have any more information.

Short answer is DMCA trumps any notions we previously had of fair use. We have made the argument to the courts that when you get an encrypted DVD that blocks you from making fair use, not just the backup copies but taking an excerpt to say this is a terrible movie, don't go see it, that's something that's lawful under previous fair use law. So far the courts have said fair use incompatible with DMCA, too bad. We are continuing to fight that, because we think that fair use is an important part of our free speech guaranteed under the First Amendment. Copyright law isn't supposed to trump the First Amendment. But we are continuing to fight that and continuing to look for, again, to look for examples of the fair uses that are being blocked by overreaching copy controls.

Thanks. Thanks very much for coming, and come see us at our booth in the vendor area.