 This is abortion access in the age of digital surveillance with folks from the Electronic Frontier Foundation and the Digital Defense Fund. I am Karim McSherry, I'm the legal director at EFF. With me I have India McKinney, who's director of federal affairs. We have Daley Barnett, a staff technologist and all around awesome smart tech person who also works with hacking, hustling, who you may also be familiar with. And then we have Daley Barnett from the Digital Defense Fund. Kate Bertosh. Oh, what did I say? Just in my name? Oh, please. Sorry, Kate Bertosh. Don't worry, I'll catch up. So, and what we're gonna do this is that we're gonna sort of just take turns talking a little bit about some of what's going on in the year since the DOB's decision that if you're here, I'm assuming you're familiar with and some of what we are all respectively trying to do about it and especially what you can do and it is not just the decision as such, that is what it is, but the DOB's decision, one of the things that it's made many, many people aware of is that their privacy and their security is not where it needs to be if they want to protect themselves and their communities because we know this is a team sport. And so that's something that EFF and DDF have been working on for years, the privacy and security part of it, but we have a whole new and a particularly dangerous and fraught context within which to do our work. So that is the place that we're gonna be focusing here. The beginning premise is that, first of all, there are lots of different ways in which your digital security might be able to be compromised if you don't protect yourself, but also that there's many, many companies, third parties that are collecting data about you all the time, often without your knowledge, though nominally with your consent and that data becomes a treasure trove of information for law enforcement and so far many companies are not doing enough to have better practices around that. So and in a current context where that can ultimately be evidence that could be used against you or your friends or your family or your provider, this has become a very, very pressing issue for many, many people. And especially, and we've been very involved in trying to do something about it at EFF. So I'm gonna talk a little bit about what we've done from the sort of legal team perspective and then we're gonna talk a little bit about what some of the technologists have been doing, which is really, really crucial work and then to close this out, India is gonna talk a little bit about what's happening at the federal level and there's some really, really important work that's happening right now that all of you should be paying attention to, some of which doesn't seem obviously relevant to abortion access, but in fact, completely is. So I'll be as brief as possible. At EFF, there's a few different things that we've been doing from a litigation perspective. One thing we've been doing is we're using the Freedom of Information Act to find out, at least in California, where we have some decent privacy and data sanctuary laws, to find out where and how law enforcement is, despite those laws, collecting automated license plate reader data about people and then sharing it with law enforcement agencies in states that actively restrict abortion in a much more serious way than California does. That's unlawful under California law and we are holding them accountable for it. And then there's sort of some things that are in process. There's a lot of work that we've been doing around what's called dragnet surveillance and that is where law enforcement gets what are called geofence warrants or keyword warrants and that's seeking information within a given area or related to searches with a particular, using a particular keyword. And this has been a long-standing practice. It doesn't just apply to seeking information about abortion but this practice is a natural one to apply in the abortion context. And so what we sort of view is like when you protect privacy and security for everyone, you're protecting, particularly in this moment, the use of those kinds of warrants to against women and people who are providing access and also their communities. So there's challenges in multiple states to those warrants and so far they're reasonably successful because courts are understanding that these are too broad to comply with the Fourth Amendment. So that's, so progress is being made so far. Then finally, just from a litigation perspective, we're looking at challenges to social media laws that target teenagers. So this is at the state level. There are already multiple states that have passed those kinds of laws and they're supposed to protect the children but they include things like, well, if you're under a certain age, you can't access social media without your parents' consent. And we know that precisely the people who are gonna most need to be able to access those resources without their parents' consent, right? Are gonna be the ones who are gonna get stuck in the middle. So we worry a lot about the effect of that for people who are seeking reproductive healthcare and gender affirming care. We're also doing a bunch on the legislative side. Most of that I'm gonna leave to India to discuss but we have been working in multiple states to get data sanctuary laws passed and laws that also just generally limit, again, that drag net surveillance that I was talking about. It can be that this is an area where we still have big fights to do at the federal level but at the state level, especially in blue states, there's a lot of very freaked out, upset people and rightly so and so we are able to sort of galvanize some energy around this issue and to get some laws in place at the state level. It's not a complete solution but progress is being made really fast in just a year. Okay, so I can give lots of details later in the Q and A but another thing that EFF has been doing is we've been doing a ton of activism around things that companies and nonprofits even should be doing around collecting and retaining data about people who reach out to them. There's a lot of practices that really are just creating treasure troves of data and people don't always realize that that is what they're doing until the cops come knocking. So that's a small sample of what we're doing. The last thing I would point to is we, our technologists have been just going flat out from day one and even before building and building on tools that you can use to protect your privacy and your security and we've also been doing a ton of work around education and I will hand it off to Daley to talk about that. Sure, thanks. So on the tech angle, I'm most interested in disarming surveillance technologies that are endangering the movement and otherwise empowering and educating people involved in the abortion access work with the ability to keep good opsec while maintaining community trust because it's a little bit different than most InfoSec things. So at EFF we jumped on this only a few months before the Dove's decision really passed like when the memo leak dropped. And we have this project called Surveillance Self-Defense which is at ssd.eff.org. It's a bunch of instructional guides on tactics and technologies for thwarting surveillance and boosting privacy. So we have these sort of pre-baked personas in there where we curate different guides from within the SSD into an intentional list with the threat models that are likely associated with that persona in mind. So it seemed like a good place to start, right? And I've worked with Kate for long before all the stuff came to pass. So I knew that she was the expert to reach out to because she's the founder of Digital Defense Fund. I'll let her speak more about that but they're fucking awesome. And so after some conversation we honed in on three personas or threat models that we wanted to tailor our advice to. Activists, healthcare workers, and patients in the healthcare system who are seeking abortion or other reproductive care. So for the activist, the inherent tension there is this between privacy and publicity that needs to be reckoned with, right? That needs to be really kind of juggled carefully. So we lean towards advising use of compartmentalization techniques to keep strong separation between what needs to be broadcast really loudly and what needs to be kept really private. And then for healthcare workers, it's tricky because there's this huge regulatory standard HIPAA which is widely misunderstood and it's supposed to provide a cloak of protection for the data that's being passed around in this space. So there's a bit of compartmentalization techniques but I think what was most useful for us is the compartmentalization between the professional and the private for these people. And also being able to effectively communicate a bit of know your rights info to the patients that are coming into their spaces. And then of course for the third persona, the people that are seeking an abortion or just the allies that are taking them to and from clinics, there's a focus of not just doing basic things like good internet privacy and secure communications but also considering the street level surveillance that they may face along the way because it's not unreasonable to expect the ALPRs that will be planted outside of clinics will be facing them, surveillance cams and the like. So honing in on these three personas helped us not just to deliver some really solid advice but it helped us be really intentional with our language moving forward in blog post and the one-on-one sort of consultations we were giving individuals throughout the space. Some of the TTPs that we recommend, either in the blog post or through the abortion access playlist again on the surveillance self-defense project are secure comms, safely attending protests, mobile device security, compartmentalization, assigning team roles for trusted community members, especially when setting up incident response plans. That's a little bit irregular for most like infosec advice you find. It's a little more activist oriented. And of course, threat modeling. So although some folks organizing in the abortion access space or the movement have been operating under the assumption of criminal liability for a while now before DOBS, that aspect is still really quite new for a lot of people and it's really scary. So I think we've only seen the tip of digital evidence being used in courts, right? At least in the post DOBS context. I should say that last year, the FBI reported a tenfold increase in designating abortion activist groups as terrorist organizations. So it's been time for us to regard our threat models in that way, right? What's making things worse is the role that tech companies are playing in this space, I think. Yeah, like data retention policies need to be reevaluated. The data collection, aggregation and brokering industries are these vampiric awful scourges that need to be banished like yesterday. But when tech companies themselves are misunderstanding their own liabilities under HIPAA, extended through these business associate agreements, we get these special third-party SaaS apps that are positioned to be these messaging services between healthcare providers and patients, these necessary components and they're running willy-nilly with behavioral tracking and selling that data and HIPAA regulation or not, this is just illustrative of how the tracking industry at large run amok in dangers everyone, especially when the lens of criminality extends or shifts to encompass new people. So I mean, take my analysis there with a grain of salt because I'm not a lawyer, but I can tell when something sucks and when it's hurting people. So we can't just be forming our digital security advice for activists who are pushing for normalization of abortion as healthcare. There are also those who are organizing on behalf of communities. There are those that are handling vast amounts of data for many others across state lines. Unlike typical Infosack paradigms that are pushing this sort of zero trust as a core ethos, I think it's really critical that we re-humanize the privacy and security recommendations and make them for people that are living among people. We're protecting human networks, right? Not corporate ones. So in that process, we must realize that everyone's security is imbricated with one another. Like Corinne said, it's a team sport. And I should say that one glimmer of hope that I see, especially in the work that I'm doing with Kate, is cross-movement organizing with similar goals of bodily autonomy. So there's sex worker rights, trans rights, disability justice, harm reduction activists. These people are kind of recognizing the shared threat models and goals of each other and therefore sharing resources and upskilling each other for that sort of collective liberation. So finally, I just wanna say that my call of action to you guys, the hackers and security researchers and fellow technologists, we need to be doing our part to better educate each other about good OPSEC procedures, but we need to normalize the use of techniques, normalize the use of privacy technologies so that less tech savvy folks can use them better, use them well and not feel weird for using them. Any way that we can use our skills to protect these vulnerable networks of people rather than companies is good. And I should say if you're working at a company, if you're working at a tech company with bad privacy policies or a bad reputation of handing over data to law enforcement or just like weird creepy tracking stuff, do your part, like change it from the inside and I'll hand it over to Kate. I always think I do a little better holding it. I love that we kind of exited a little bit on feeling weird, because I think it's like good to kind of put back in context sort of why you're listening to a talk today about abortion access at a place like DEF CON. I just actually wanted to start with a little question for the audience, so please don't be shy. How many people here, this is your first DEF CON? Give me a little bit of a hand. I love it, yay. So six years ago, it was my first DEF CON and I had just two weeks prior got a job at the Digital Defense Fund where I had to set up this fund where our job is to basically provide digital security and technology resources to the abortion access movement that includes organizations working on behalf of patients who providers and then now more recently kind of interfacing directly with those groups that support patients themselves. So I think one of the really strange things about being at DEF CON was like, do I belong here? What am I here to learn? And then no sooner do I do that than the very first year I was here, I walked into a panel with EFF Wonder Cooper Quinton and journalist Kashmir Hill talking about the pregnancy panopticon and all of the different types of places that pregnancy and related data is kept and the leaks and applications and things like that. And it was just such a really wonderful eye-opening moment in the years since. I think I've really enjoyed getting to work more with the cryptography and privacy village. I'm now one of the core organizers, so come visit us out there as well. But I think it was kind of through being in this space that I absorbed a lot of what I think makes DEF CON a really great place to figure out like sort of what's next for this kind of very big existential crisis, which like, DEF CON is, I took back from these different years with me, that sort of like spirit of irreverence that like anyone can learn anything that all of us don't have to accept the structures and hierarchies of technologies as they are handed to us. You have the right to rip the do not remove sticker off. And I think that's something that I think I've tried to take back with us so we and our team can kind of better understand not just the threats in our space but how we can be flexible and creative and brave and adapt to them. So these days our work mostly centers on ensuring that organizations that work directly with people who are seeking abortions are prepared that they can utilize their own creativity and tools to build the ones they do not have to reuse tools for unintended but very amazing values forward purposes. I think in this way sort of DEF CON really embodies that same spirit of what autonomy actually means. And it's why I'm really excited to come back and bring back to you this session sort of like how we together can continue to take that entitlement that we all have to sort of make technology and spaces and our digital selves our own. I think if you take kind of nothing back with you today except for a couple of key points it's that over these last few years as we've worked directly with these organizations we've kind of figured out out of all of these threats because certainly here at DEF CON we love a good threat model. What is it like right now for somebody seeking abortion? What are the issues that people are really kind of facing off with? And we know these things actually because unfortunately even before the Dobs decision overturning Roe v. Wade people have been getting prosecuted for being suspected of ending their own pregnancies for many decades. And so there are organizations like Legal Organization if went how who've compiled reports of every single time that this is so far happened in the United States that we can tell it can be sometimes very difficult to find and they found these sort of very key disturbing results which is that as we kind of look through these cases the sort of entry point where the case of somebody who is suspected of ending their own pregnancy comes to the attention of law enforcement it is usually primarily through either A people who are responsible for their care be it doctors, nurses, social workers someone else who's supposed to be providing them with personal healthcare or other support or someone that the patient knows. So friends, exes, neighbors and that is a vast majority of the cases. So that is extremely disturbing. I think very notable also that cases don't tend to come to the attention of law enforcement via these like drag net methods. We know that like data is generated all throughout a person's experience of being pregnant and deciding whether or not they want to continue to be pregnant but that tip of the spear is unfortunately an interpersonal violation somebody turning you in and then all of the data that's generated about that experience becomes relevant and is often requested by law enforcement or as we unfortunately see quite a lot there is something called a consent search that is a disproportionate factor in many of these cases that is where someone is typically pressured into disclosing a device or agreeing to the search of a device. Then we know a lot of those same forensic digital technologies that the folks on this stage are all experts in come into play they plug your phone into a device that clones the drive and then they search for everything that's on it. They use keywords, they're looking for everything from text messages, email receipts, your search information. Often it's not even necessary then to go to the company and question because that search history copies right on your phone. So I think with this in mind it's very tempting sometimes to be like, oh well if I had to get an abortion I would do all of these things I would like use Signal, use Tor, use Bitcoin I don't know. It's very tempting for us to each construct in our minds sort of like what I've come to call sort of the ghost abortion like the abortion that has no data. You know, I've literally had a reply guy kind of tell me that like in order to get your legally sensitive abortion first you have to jailbreak your Kia Sorento to not collect that GPS data along your route to a clinic. As I think from, you seem like a sensible crowd with that laugh. So you can kind of see how like as many good intentioned things as we may want to put out there to help folks to learn about how to better protect themselves and the people they're supporting there is only so far that we can ask of people. Like it's really not reasonable to ask someone who's probably going to have to search across many states, often great distances make a lot of travel plans now and spend way more money than they've ever had to spend on getting an abortion. I mean like we forget all the time right that like we talk about all these various pieces of data that are collected through search engines or through our experience of interacting with a mobile device but banking institutions and telecoms companies have a long history as you've heard in this building before of unfortunately sharing data with law enforcement. So I think one of the things that's very critical for us to do then is to look at cases that we see in the news like you may have seen that one where unfortunately Facebook messages were sort of front and center in a very sensitive case of a parent and child trying to work out how to obtain an abortion allegedly. I think what's very unfortunate about that is that those messages are things that were a source of support. There were people in the same household trying to give each other the sort of attention and care that that kind of situation deserves and that that is used against you in a court of law is a huge violation. So I think what was really, really great to see from communities like this one was the outrage that companies like Metta have a standard practice of not maintaining encryption for those communications. I think we all have an idea here of why we sort of have the ability to use other things like we do as part of our work try to encourage folks to use encrypted chat to understand the value of it but that encryption should be by default and that's why I'm so grateful for the work of the other folks on this stage is because it should not be on one person to not make human mistakes in the course of something so extremely normal and needed and part of the human experience as getting an abortion. So I think that is something I really want you to take with me just because I love the vibe in DEF CON where it's like technology works this way but I think it should work this way and I'm gonna roll up my sleeves and do it myself and I just absolutely love that. I think I've really taken from this that we all have this sort of digital body that law enforcement has chosen to go after those messages on Metta were really critical for the case because physical bodies especially of pregnant ones do not cooperate with criminal forensic standards. It is a very non-compliant experience. There is no drug test for an abortion medication. So generally speaking in order to form a case based on around an experience that many people have which is that pregnancies begin and pregnancies end they have to use this digital body and the corpus of data that it's created and try to construct sort of your intention with the inside of your own head. All of that is a tremendous violation and they're going to keep utilizing as other folks have described. Pregnancy is sort of the good enough reason to violate your fourth and fifth amendment rights and break down encryption, privacy and other technology rights across the board. So I'm really, really grateful to work in community with all these folks and pass it back because I know that was just a whole lot to absorb but I know that I'm really, really grateful as well for this community and your collective continued enthusiasm to make sure that we have the right not only to support our own communities ourselves and learn those skills but also to change the environment that they operate in and yeah, with that I wanted to pass it back to the FF crew and to India, thank you. Yeah, so you've heard from both Kate and Daly some of the things that you can do individually to protect your own individual privacy and to shore up your own individual security and the thing is that's a lot and that's a lot of a burden to put on you right now and it's particularly a big burden to put on somebody who is pregnant when they don't want to be or pregnant and something is going wrong or just pregnant. I am currently pregnant. There's a lot that goes on with just being pregnant when you don't have to think about is my search history going to turn me over to the cops and that's not a thing that should happen and so that's when we start talking about systemic change. We need to be making systemic change. So the thing is, laws can change and that cuts both ways. What we saw before, a lot of times you hear like when we do this privacy work we hear a lot of people say things like well I have nothing to hide so I'm not really concerned all that much about my privacy. Well, all of a sudden the dobs decision happened and people who previously had nothing to hide because abortion was legal, all of a sudden they have something to hide. If you are a person who is able to bear children you probably have something to hide now and there's a lot of things that are in your phone and are in your computer that can tell on you. Sometimes to law enforcement with a warrant or a subpoena. Sometimes just because law enforcement asks nicely. Sometimes because companies voluntarily turn that information over because they think you are trafficking children or something like that. And so all of a sudden we all need to start carrying both about a comprehensive consumer data privacy law which does not exist in the United States. We also need to start thinking more about attacks on encryption and other ways to have private communications. So my name is India McKinney. I'm the director of federal affairs for the Electronic Frontier Foundation and so that's a fancy way of saying I'm a lobbyist. And so I will tell you that even though there's been a lot of conversation in the last couple of years in Congress about a comprehensive consumer data privacy law, there is not currently introduced legislation that would protect the privacy of all Americans. It currently does not exist. And so if you think that's a problem, there's a phone number there. You need to call that phone number. You need to ask to speak to your senator. When they pick up the phone, you tell them your name, you tell them your address and you tell them you want to see a comprehensive consumer data privacy law and you would like a response. Then you call that phone number and you talk to your other senator. Then you call that phone number and you talk to that representative. You have three, you make three phone calls. If you don't want to do that, there's a website up there act.eff.org. We don't currently have an action about a consumer data privacy law because again, the law doesn't exist. What we do have is several different actions that are targeted against several active big, big bills that are not directly targeted at either abortion access or privacy, but they are targeted at encryption or giving law enforcement more access to all of your communications. Carvats and ECPA, direct attacks on encryption, age-gating parts of the internet. All of these things are actively being discussed in Congress as a way to protect children. And if you look at the language that Congress is using to talk about child exploitation, child endangerment, child trafficking, and you look at the way pro-life people talk about abortion, it's actually the same language. And so you need to be really careful when you're hearing them talk about these bills that are gonna save the children from the terrible things that happen on the internet. Of course there are terrible things that happen on the internet. We've all been on the internet. There are terrible things that happen on the internet. There are terrible things that happen in real life. Encryption is not the problem. But law enforcement has been extremely clear that they want to be able to access all of your messages and they don't wanna have to go through your phone to do it, they want to be able to just get it from the companies. Because again, right now in the status quo, they can both subpoena the information, they can just ask nicely for the information, and in some cases they purchase the information from a data broker because that's legal. They're using your taxpayer dollars to buy information on you that has been collected by data brokers. So if you think this is utter nonsense, there's a phone number where you can call and you can tell your senators that this is utter nonsense. So it works best if you have a specific thing that you want them to do. I want you to oppose the Earn It Act. I want you to oppose COSA. I want you to oppose the Stop See Sam Act. I want you to oppose the Cooper Davis Act. Those are all the ones on act.eff.org. If you don't wanna talk on the phone, just push some buttons. You can do it on your phone right now. And so the thing is, those are the things that really actually matter to change the discussion about making systemic changes. Right now, the reason there is no comprehensive consumer data privacy law is because they tried that last Congress and it turns out it's really, really hard to get right. The law that was proposed, the ADPPA, and I don't remember what that stands for anymore. It was a good starting point, but there were a lot of holes in it that were not strong enough. And the biggest one is it was gonna preempt any state laws for providing additional protections for their consumers in the individual states. So it was gonna be a lower threshold and states weren't allowed to build on top of that, which again, if you think that's utter nonsense, I have a phone number for you. So, but then Congress, we had elections. There's a new majority in the House of Representatives. The Senate has decided, has openly said in multiple meetings, they are not interested in taking up consumer privacy for everyone. They're really more focused on helping the children. And the House of Representatives, they've had hearings about a consumer data privacy law for everyone, but no text has been introduced because it's really hard. They got a lot of bad press. They got a lot of bad emails and they just haven't done anything about that. And so until there's the political will, until there's political consequences because people like you create it, that's actually not gonna change. So it's a little bit like, again, I am a political person, not a computer person, so I'm gonna totally bridge you to this analogy, but bear with me. We basically wanna DDoS this issue. One person going to make a phone call on this, yes, it doesn't move the needle. If everyone here at DEF CON makes the phone call, clicks the button, sends the email, goes to a town hall meeting, and convinces other people to do that as well, that is going to have a massive overwhelming impact on how the Congress as a body perceives this issue. Right now, privacy pulls extremely well. Are you in favor of privacy? 97% of people say yes, we don't know what the other 3% of people are thinking, maybe they're law enforcement, I don't know. But it's an overwhelmingly popular issue. But what does that mean? What does that look like? Does it mean a private right of action so that the lovely Feisty lawyers at EFF can bring a class action lawsuit and actually make change? What does it mean? So we really wanna take your questions and get more into the heart of what this issue is, but I do wanna make sure that I leave you with the call to action. There are things that you can do right now. There are also things that you can do when you get home. Paying attention to these issues, becoming a member of EFF and signing up for our emails, and then taking all of the action alerts. Like this is our day job. We want to share this with you and we actually really do need your help. And I do actually believe that if we all do this together, we can make a difference. Thank you. All right, so there you have it. It's the trifecta of strategies and we're gonna have to do them all at the same time. So now we have 15 minutes and we would love to take questions from the audience. If you have questions for the technologists, the lobbyists, the litigator, please go up to, there's a mic right there in the middle and we also, if you would rather ask a question more anonymously, we have some paper and pens that you could come grab. It's like ninth grade health class. You have a question or two I'm embarrassed to ask in front of everybody. Here, I'll hand these down and we can kind of like leave them someplace. Okay, please go ahead. Thank you. I think you're first. Is there more than one? Hello. Hi, thank you very much. Congratulations on your pregnancy. I feel very grateful to live in California where I feel like my rights are more or less intact. What do you all think about period trackers? Am I being extremely paranoid to not want my daughter to track her period online? All right, can I grab? Yes, please do. All right. All right, I just want to- We have a lot of thoughts about this. Oh, I'm sorry. Okay, I think these are really great protective instincts. I always love the question about period trackers because when they kind of blew through the news it was a wonderful opportunity for us to talk again about threat models. Basically, like we discussed a little bit before, some of that, again, that really first way that cases come to the attention of law enforcement tends to be like an interpersonal piece, either a healthcare worker or someone who is close to you violating your privacy. So period trackers are very patently useful. When I need to get an abortion, especially if it's very sensitive, I need to know how pregnant I am. That's gonna let me know whether I can use medication abortion, which can be done very discreetly. It helps me to know if I'm calling to go out of state where I need to go and which clinics can help me with my procedure. So this is a patently normal, useful thing that we all benefit from. So how do I do it safely? As of right now, period tracking apps are not tending to be like the way that that sort of surveillance is again coming to attention of law enforcement. Lots of period trackers have responded to a lot of that concern, rightly so, and have disclosed a little bit more about how their different applications work. So there are some that are like Yuki app, E-U-K-I, which are local only to the phone, so they can have that kind of ability to track your period. It also has a lot of great other sexual health information in there that is only then not connected to the internet, all that wonderful stuff. Other companies like Clue have like posted way more comprehensive disclosures about how they would respond to should they receive an illegal request. And I think these are all the ideal. Like I think the sort of questions from the community and from consumers were excellent and I want us to keep doing that because what happens is that companies come out of the woodwork who are like, actually I think I feel pretty confident in the way that we handle this particular problem and I am excited to share with you that same entitlement and expectation you should have to it being end to end encrypted or working only on my phone or a combination of the above. So I would say that there are safe options to use for your personal threat model and that it's a great opportunity to explore them with your daughter and learn together kind of like what's most important to each of you and get to practice it together which is really cool. So thank you for your question. Hello. So first of all I just want to say thank you so much for what you're doing for the community. It means a lot to me. I don't have a question, I just have a comment that I wanted to make with the end to end encryption applications that you guys are recommending folks to use. Especially with the point that you brought up with the cloning of the mobile devices and that being able to be leveraged against folks trying to get abortions or have. So highlighting the point that end to end encryption only happens in transit. So once it's actually on that device, if that's cloned, the whole end to end encryption kind of goes out the window. So I just wanted to highlight that for you ladies, especially if you're advocating for our community. So thank you. Yeah, that's absolutely true. And so that's actually one of the things that we bring up. Like I don't want to tell law enforcement how to do their job, but when the January 6th event happened in the capital, a lot of those activities were organized over signal in WhatsApp and other encrypted platforms. And law enforcement still got access to those messages because they did old fashioned policing where they turned some of the witnesses and participations and people voluntarily opened their phones and sent them screenshots. And sometimes they got things from family members, girlfriends, again the personal connection. So they still got access to the messages without having to break encryption. So that's definitely, again, that's the thing that cuts both ways. But when law enforcement rings their hands and says, we just can't get any of it, that's actually not true. Absolutely. Great, thank you. Hi, I really appreciate what you've done here. The problem that I can see is that there are a lot of folks that are not in this room. So my request is could you put together not best practices because best practices generally don't stay that way or aren't in the beginning. Can you put together some really good practices for now and make those available in some way that the folks who need this information, whether it's from a technology, a legislative or a practice basis, can learn what's the best way that they can approach this issue that they're trying to deal with. Make it ubiquitous and make it simple. Cool, yeah, that's it, Steve. Yeah, so we, at least at EFF, we've actually tried to put together a whole bunch of resources in different forms, so we do the surveillance self-defense work that Daley was talking about and then there's also, we've written a lot for other audiences on the blog, like what companies can do now and should be doing right now if they don't want to be honeypots for law enforcement. That wasn't the title, but that was the meaning. And so we have tried to do the, to put those resources together and but they always have to be updated. There's an issue tag on EFF for reproductive justice. So you can go there to find all of the blogs associated with this topic and then over on ssd.eff.org, you can find that playlist for the specific tech advice and general information security advice we give. Cool, yeah, great question. Thanks. Yeah, and I just threw our URL for our guide in case at digitaldependsphone.org, you can just go right there. Next, thank you. Yeah, my question is kind of along the same avenue. I'm from Washington state and I was actually one of the people that worked really hard to get my health, my data bill passed, which gives us in Washington state, not just women, but men, all of our health data actually needs to stay private and not trackable. And of course, when I was advocating for this, so many legislators do not understand the internet. One person from my own district actually had an amendment to exclude small businesses from this law. And I was like, so Apple health tracker can now just spin off and be an LLC. Now it is a small business and it can continue to track your data and trade and sell it. So I'm wondering if the EFF has a way to help simplify what we're asking for, but to also help educate the legislators who are like, oh, that computer stuff, I just don't understand it. And I'm like, well, that computer stuff, you are making laws about it. So you should understand it. So there's actually a federal bill in both the house and the Senate called my body, my data, which is a law that would provide privacy protections at the federal level for reproductive and sexual health data. So again, you can call that phone number and you can tell your representative to support my body, my data in whatever chamber they're in. And you can also, that since the bill exists, you can share it with your local state people and say, this is the law, start here. Don't give us less than this. Right, and I do know one thing, a lot of people in Washington state, the legislators were saying, oh, they can't just do this for Washington state and not the other 49 states. And my husband's like, well, we do it for the European Union. So already, even though we have this bill, my health, my data, it is not equal to the privacy the EU has and it's not even perfect there. But that's good to know. I just want you to know legislators are like, explain. What exactly does this mean? Yeah. So we have seen that before, and there's a lot of education that always has to be done, but two things I would say is that, one things I actually think it is powerful to have protection for health data for everybody. So we bring it in, right? It's not like men don't also want that or people who can't get pregnant don't also want data privacy protections. But the other thing I would say is you should never hesitate to start in your state. The only reason there is any discussion right now about, or there was last year of an actual federal, a real federal bill is because California passed a really strong privacy bill. It wasn't perfect, but it was very strong. And all of a sudden, a lot of tech companies are like, wait, what? No, no, we don't want to have to comply with 50 different state bills. And then you can say, okay, fine, good. Let's have a federal bill, but let's have it be strong and not weaker than California's. Great. I believe Washington state bill is actually stronger than California. Real quick, did we have any sheets to come back? The little, anybody had any anonymous questions? Anonymous questions. No? All right, that's okay. Next question. Thanks. Thanks for sharing your ideas on this space. I feel like I just- Can you please louder? Sorry. I feel like I just opened my eyes to this topic. I couldn't quite understand your definition of autonomy. Yeah. Can you repeat that? And secondly, you said DEF CON nurtures autonomy, like the culture. Can you connect the idea again for me? I'd love to come back to that, yeah. I think honestly, one of the things that, and this is very personal, like this is not like a dictionary definition of autonomy, but I really enjoyed how when I came to DEF CON, there was sort of this idea that like, a piece of technology is given to you. We have these materials, computers. We have systems. We have how we interact with other people. And you sort of have the right to kind of like, make them your own, like a prism through which you get to act out what you will in your perspective on the world. And I just really felt very inspired by that. I think it's really wonderful to get to walk into any village and try something for yourself and to direct your own learning and to just have that sort of spirit that all of this is for you. And for you to express yourself here. So I think like, you know, I don't know, I think my ideas about autonomy are like, changing all the time. I think all of us who like work in this space, you sort of have these aha moments where you're like, wow, I see parts of how the world fits together. And it's really, really remarkable. So I think this is one of the many places that happens for me. I don't know if anybody else on this table wants to speak to what autonomy means to you as a technologist now, all right. I couldn't say it better. Hi there. I'm, excuse me, I'm trans. So thank you for acknowledging the intersectionality between trans rights and abortion rights and all of the other things. One thing I just wanted to ask, what would you advise people who say they're in the middle of having an abortion or getting their kid gender affirming healthcare, something like that. And they may suspect that they've started to become a target of an investigation or something. Or if their state has changed their rules, how would you advise those people to handle that? Because of course it's not the crime, it's the cover up. And how do they deal with the potential evidence that might be within their devices and their information? Can I start with that? Oh please, go right ahead, Carrie. I would start with the non-technical stuff first because it's the easiest to approach for people. It's a lot less scary. Pen and paper exercises are great. Device mapping and network mapping, I mean like social network mapping, is usually a really accessible point for people because they can identify the people that they have already given trust to and then they will begin to formulate how to speak with those people about this new concern they have and loop them in in the process and make it again a team sport. That's huge, right? I would also then from there begin to develop some secure communications methods with those people they've identified that already have that trust. And I mean secure communications in the non-technical way first, right? And you could maybe come up with some careful language or some rules, some community standards about how to broach the topic and how to broach it in different contexts, when in different contexts, if that makes sense. You can get really tricky with it if you wanna do like linguistic steganography or if you're like a history nerd, Polari type code switching of language. But that's usually really accessible for folks and it also introduces some really fundamental infosack or privacy concepts that translate quite nicely to the technologies they'll eventually want to start incorporating like encryption technologies or good backup games or et cetera. Thank you. Thanks for the question. I think we have time for one or two more. Hello, hello. My question is more about civic engagement. I live in a really strong- It could be louder. The speakers all face that way. Yeah, that's a problem. Oh, okay. My question is more about civic engagement. I live in a really majority strong district where I have unresponsive congressional representatives. And so my question is, is it a framing issue? How do you approach people whose viewpoints just are way different than what can I do as a constituent in those like areas to make it more effective? Because I've called and I get form responses and they don't really seem to want to engage with a voter who's a minority in their district with regards to like political affiliations and so on. Yeah, so the thing is, abortion is obviously a super polarizing political issue but a lot of the things that go into protecting abortion rights are not. There's a lot of reasons that you are interested in protecting individual privacy that have nothing to do with abortion. There's a lot of reasons that you want to protect the ability to have a private conversation digitally that have nothing to do with abortion. And so this is really a nonpartisan issue. Encryption is supported by members of both parties in Congress. Encryption is also being attacked by members of both parties in Congress. It's really nonpartisan. So there is a little bit of code switching depending on which office you're going to talk to but giving the government the ability to read all of your messages just because they feel like it or for funsies like that rightly terrifies a whole lot of people across the political spectrum. So it doesn't really matter if you're talking to a progressive caucus member or a freedom caucus member. That's something that is scary. And so if you protect some of the tools you end up protecting the rights of people who need it for different reasons. Thank you. Great question. So I went to both of the websites and this is a challenge I put to both groups. And I've been involved in political action before. So I talked from some area of expertise is that's what's missing from both websites is a pamphlet, a set of directions Q&A about how to talk to the Uncle Bob who does not understand the word encryption. And his version of privacy is drawing the blinds on the window and that's privacy to him. So the thing is is that on both of your websites it is call to action to go call a Congress critter which is fine or a state representative which is fine. But there's nothing there on either one of your websites as far as I can tell and I looked at both of your house that say how to persuade members of your family. And I can tell you that I've worked on local issues and gotten local issues passed is that was the way that we got our issues passed when we were going up against big big dollars the California Realtor Association. So the thing is, is if you can't give somebody how to talk to the Uncle Bob and they can't persuade Uncle Bob I found that the people who are budding activists pull back into the shell they lose confidence to make that phone call to their Congress critter. So that's when I'm calling out both groups son is that you were worried about talking to Uncle Bob the Congress critter but not Uncle Bob please do the Uncle Bob persuasion. Thank you. Thank you. Okay, thanks so much. Do we have time for a little bit more? Yeah, we'll make this our last one. Thank you. I just a question and a comment related to some of what's being said. So I currently live in the political health scape and abortion health scape that is Texas. And so I'm worried about my daughter, her friends, et cetera. And I think a lot of it comes down to just simple narrative, simple stories the ability to hand over some again pamphlet was used as a term but use this technology don't use that technology use this method of travel what is the simple guides that you can hand to somebody that is here's the 10 things to think about I think that's critical in my opinion. I totally agree with you and I think this is a wonderful note to close out on because I get to connect you to some other amazing resources. All of the groups that have operated in Texas in other states that are now banned states to date have taken on this work. I mean, frankly how we learn how to do it at digital defense fund is by seeing how they connect directly with patients and we work together to translate some of this advice into something that's reasonable for someone who is going through the experience right now. So I would say that organizations like Jane's Due Process have amazing content directed at teens that is absolutely there to not only help you know what your rights are to help with accurate information but also each of them is their own amazing digital security expert in the field knowing what folks deal with. So I'm so glad that you are there supporting your daughter and all of her peers because now there are all these amazing organizations that can support all of you as a family and community. So thank you so much for sharing that. I really appreciate it. Thank you for what you're doing, it's critical. All right, thank you all so much for coming. I just want to flag that a very kind person gave us a few boxes of plan B and informational information, informational packets. They're right here, there's just a few but perhaps you or a friend would like to have one on hand. So come and grab it. Yeah, come grab some. Plan B, these are real like, I give these out at every event we're at and if there's always a huge hit, pack them with some sour gummy candies and people will really go nuts. So. All right, thanks for being here. I have to stick around. Thanks for coming.