All right, we are going to get started here. So up next we have US Senator Ron Wyden. He is the foremost, thank you. So Senator Wyden is the foremost defender of America's civil liberties in the US Senate and a tireless advocate of smart tech policies. Years before Edward Snowden blew the whistle on the dragnet surveillance of Americans, Wyden warned that the Patriot Act was being used in ways that would leave Americans shocked and angry. And his questioning of NSA Director James Clapper in 2013 served as a turning point in the secret surveillance of Americans' communications. Since then, Wyden has fought to protect Americans' privacy and security against unwanted intrusion from the government, criminals and foreign hackers alike. He has opposed the government's efforts to undermine strong encryption, proposed legislation to hold companies accountable for protecting their users' data, and authored legislation with Rand Paul to protect Americans' Fourth Amendment rights at the border. Wyden is a senior member of the Senate Select Committee on Intelligence and the top Democrat of the Senate Finance Committee, and he lives in Portland, Oregon. So without further ado, please welcome Senator Wyden.

Thank you very much for that unquestionably inflationary introduction. And I believe I'm the only United States Senator here at DEF CON. So I am so honored to extend a greeting from 1% of the United States Senate to all of you. We're going to get these numbers up in the years ahead, folks. Count on it. And I especially want to start with a thank you to the whole DEF CON community. And my sense is that you don't hear people with election certificates say this very often, if at all. But my view is that white hat hackers are absolutely irreplaceable in the technological age. 
And what I'm going to go back and tell my colleagues is white hat hackers do our country an enormous service by finding security lapses and often shaming the government and companies and fellow coders into fixing them. Hackers also make it harder for the government to hide when it spies on Americans or collects their information. So my view is the strength of white hat hackers is that they are hackers, makes America stronger and Americans safer. And I want to begin tonight by making sure you know this United States Senator appreciates that. And I do have a history of working with security researchers. I've opposed over the years expansions of the Computer Fraud and Abuse Act, wrote Aaron's Law to try and roll it back, and fought against efforts from the Clinton administration to William Barr today to require back doors for encryption. Back doors will leave America less safe, folks. Encryption is not a debate between strong security and liberty. It's a debate between stronger security or less strong security. And if you want the strongest security in America, you have to be for strong encryption and no back doors. So one of the challenges, as you know also well, is that so often people in politics basically drive a kind of knee-jerk response to something that will be in the news. And I understand that because when there are events, people who get election certificates feel that they have to, quote, say something. But we've got to make sure that there is a greater awareness of technology, and in particular what you all at DEF CON have done is made a concerted, understandable effort to increase people's awareness of technology, and particularly it is useful in holding off bad ideas that are the knee-jerk reaction, for example, when a tragedy hits our country. Speaking of really awful ideas, I think I want to talk about the phone companies' storied history of violating the privacy of law-abiding Americans. 
For more than a century, the phone companies have been willing partners of government and corporate surveillance. I've sounded the alarm about phone surveillance in the past, but only in the past few months has the public learned some of the most troubling details about how these telecom giants sell out their customers. And a lot of the worst has flown under the radar. So I am going to describe this kind of contemptuous phone company conduct with respect to your private information. And I'm going to tell you how to finally hold these surveillance state enablers accountable. Now this is, as I mentioned, my first time at DEF CON. But I do have a little bit of interesting history with this conference. As many of you may know, DEF CON played a key role in the public learning that the NSA had been vacuuming up their phone records. Seven years ago, then-NSA director Keith Alexander, remember him? He had a lot of fans here, didn't he? Seven years ago, Keith Alexander, then-NSA director, spoke at DEF CON. He told the audience, looked at you straight in the eye, and said that allegations that the NSA had, quote, millions or hundreds of millions of dossiers on people is absolutely false, unquote. That statement came only a few weeks after General Alexander gave a speech in Washington, D.C., and said, and I quote, we don't hold data on U.S. citizens. Now I remember him saying that at this speech, and I said to myself, that is one of the most untruthful statements ever made in the history of the United States about government surveillance. General Alexander was lying, and as a member of the Senate Intelligence Committee, I knew he was lying. For years, along with Senator Feingold, Udall, and Durbin, I've been fighting to warn the American people that the government had secretly interpreted Section 215 of the Patriot Act. I warned that when Americans came to understand how the Patriot Act was being used, they would be stunned, and they would be angry. 
Secret interpretations of the law run contrary to everything the Founding Fathers believed in. Secret interpretations of the law corrode democracy, and secret interpretations of the law must be stopped. Now because this program was classified, my Intelligence Committee colleagues and I couldn't reveal it to the American people. But thanks to Keith Alexander's public claims at DEF CON and all these fabricated statements that he was making, I finally had a hook to ask a public question about NSA mass surveillance. So at the next public intelligence oversight hearing, in March 2013, I asked James Clapper, the Director of National Intelligence, if General Alexander was telling the truth. I bet some of you might remember the answer. Director Clapper said that the NSA did, quote, not wittingly collect data on U.S. citizens. That was also a lie. As everybody knows, NSA was out there scooping up millions of innocent Americans' phone records. A few months later, in the summer of 2013, Edward Snowden revealed to the world that the government had in fact been vacuuming up vast numbers of Americans' domestic phone records, and you might be interested to know he noted that he had been watching Mr. Clapper's false testimony to the Senate and to the country. Americans were in fact stunned and angry. Section 215 will be expiring later this year, and Congress is going to be asked to reauthorize it. It is extraordinarily important that the Patriot Act phone record surveillance program be one in which checks are put in place so as to protect law-abiding Americans in their checks that are not in place now. Section 215 was not a one-off. Telephone companies had been partnering with the government to spy on Americans for as long as they've ever been around. Even before the phone companies existed, phone companies spied on their customers. Starting in 1919, the U.S. 
government's first code-breaking agency, known as the American Black Chamber, illegally intercepted international telegrams through the willing participation of telegraph companies like Western Union. In 1929, President Hoover's Secretary of State, Henry Stimson, shut down the program as soon as he learned about it. He said, gentlemen, do not read other gentlemen's mail. Now that might be an old-fashioned way to put it, but he sure was a Patriot who understood the dangers of indiscriminate domestic spying. But the problems continued. Beginning in 1945, the U.S. Army and later the National Security Agency were given copies of all telegrams, domestic and international, carried by the three major phone companies. The companies only agreed to help after they were personally assured by the Secretary of Defense they wouldn't be prosecuted. They wouldn't be prosecuted and their involvement would be kept secret. That surveillance program was known as Operation Shamrock and it was around for 30 years until Frank Church shut it down. Later, shortly after 9/11, George W. Bush authorized the NSA to conduct a dragnet surveillance program sweeping up both metadata and content of emails and phone calls. This was a massive illegal spying program and it could take place only because major telecommunications carriers gave the NSA direct access to their networks. Once this program became public, the phone companies got sued by the ACLU, by the Electronic Frontier Foundation, they got sued by everybody in sight. In response, Verizon argued in court that it had a First Amendment right to share its customers' private data with the NSA. When that didn't work, the phone companies got Congress to give them a get-out-of-jail-free card. Thirty-one senators said no sweetheart immunity deal for the phone companies and I'm proud of one of those senators being me because it was outrageous that the phone companies got that deal. 
Now, dragnet surveillance basically can't do it without the private sector being willing, which by the way Dick Cheney, who I don't quote all the time, admitted in a 2008 speech. So that brings me to another spying program that needs some attention and this is the Drug Enforcement Administration's phone spying program. Earlier this year, the Justice Department Inspector General revealed that the Drug Enforcement Administration had occupied and operated an illegal spying program for more than 20 years. Now, I've sat on the Senate Intelligence Committee for about as long as anyone in the Senate and in my view, this was one of the most illegal dragnet surveillance programs in the history of the country. Take a guess who signed off on the program. Anybody want to throw out a name? The person who signed off on the program was none other than the current Attorney General Bill Barr. Back when he was Attorney General for the first time in 1992, he said it was just fine for the DEA to subpoena bulk records of calls between the United States and certain foreign countries. While the total number of countries the program targeted has been hidden from the American people, the Inspector General said publicly this year that the surveillance program, and I quote, involved the collection of phone call records for billions of phone calls from the United States to many different countries. Folks, I don't think there's any question what you call that. You call it mass surveillance. And Mr. Barr was right in the center of the whole thing. In the 20 years that the DEA illegally collected Americans' phone records, the government never once went to court. The program relied on a twisted interpretation of the government's subpoena power. As the Inspector General made clear, the government only served these subpoenas on phone companies that it knew would be willing partners. 
Through the two decades that the DEA spied on Americans using this program, not a single phone company ever pushed back, ever asked if the subpoenas were legal. One reason the phone companies were such willing participants, the Inspector General said, is they all got paid to fork over your personal information. I'm not done with this particular program or Mr. Barr's various activities and we can talk about that as well. The phone companies recently have been in the news and you've seen a fair amount about it with respect to their sale of location data to brokers. And last summer I conducted an investigation into the wireless carriers and location data. Essentially I found that the wireless carriers were treating their customers' phones like tracking tags and selling real-time location data without customers' knowledge or consent. They were selling it to sleazy middlemen who then sold it again to just about anybody who showed up with a credit card. Now I discovered that all four major wireless carriers, AT&T, Verizon, Sprint, and T-Mobile, were doing this, were selling location data via data brokers to a company called Securus. Their business is essentially gouging the families of prisoners by charging them huge fees to call relatives who are serving time. I discovered this company had built a web portal to let prison guards track any phone in the country without a court order. Once I exposed this program the phone companies immediately said we're shutting down Securus' access and pledged to clean up their sale of location data. But as we kept digging it turned out this was much bigger than just this one company gouging the families of prisoners. In the months that followed, Mr. Joseph Cox at Motherboard revealed, and he deserves much credit for this, how the carriers and their shady data broker partners were selling location data to bounty hunters, used car salesmen and, get this, even stalkers! 
Phone companies going along with something that allows for stalking of people they're doing business with. It became clear the practice was totally out of control. Americans' location data was available to anybody, as I say, who could pay. And by the way, phone companies promised once again to shut it down after Mr. Cox's story, and you know a lot of them said, well, Ron Wyden didn't exactly get the date right that we were talking about when we were going to shut it down and all of this, you know, rat razzmatazz. I think the point really is it is clear that they were doing business as usual with these bounty hunters, invading the rights of law-abiding Americans after they started to say they stopped, and I'll just tell you, given their track record breaking their pledge to me, I'm not giving them any benefit of the doubt and neither should you. Now I want to just go a little bit further on why the wireless carriers are so unbelievably bad on privacy. One thing that frequently comes up in the debate about privacy, particularly after Cambridge Analytica, is saying, quote, if you aren't paying for the product you are the product. This pretty much explains the privacy invasions we've seen from Facebook. But the phone companies aren't offering a free product. Americans pay a lot for our cell phone plans and they still get their privacy violated. Here's my sense of what is happening. The wireless carriers depend on government-licensed spectrum to operate. So that gives the government just by virtue of that a lot of power over the companies. The Federal Communications Commission has historically been at the beck and call of law enforcement and intelligence interests and has used its authority to approve or deny licenses as a means to ensure that other government agencies get what they want. For example, in the early 2000s when a few companies started to offer satellite phone service, the FCC sat on the license application from the satellite phone company at the FBI's request. 
It didn't okay the license until the company agreed to put its downlink station in the United States instead of Canada so that the government could force the company to wiretap calls. Forced the government to wiretap calls. Americans need a regulator to manage the public spectrum but the FCC wields its power not in the public interest but in the government's interest. It's no surprise the phone companies choose to get paid by the government when they can get it instead of fighting with the government. Well, tech companies like Apple, Cloudflare and Yahoo have fought the government over problematic surveillance requests. The government doesn't have nearly as much power over them as it does over the phone companies. That explains the phone companies' willingness to put the government's needs over their customers. But what about the sale of location data to data brokers? There is a big problem here and it's really two words. Ajit Pai. He's the Federal Communications chairman and he doesn't believe the agency ought to be in the business of regulating the wireless carriers or privacy and cyber security. Whether it involves the sale of location data, shady middlemen or the carriers' shoddy track record in securing networks from hackers and foreign spies exploiting flaws in SS7, Chairman Pai has made it clear he is just going to sit it out on the sidelines. When you have the industry's primary regulator basically saying he just doesn't have any interest in accountability when it comes to these industry violations, what you have is a situation where the carriers say, hey look, let's just rake in a little bit of extra money by going even further. Let's go further. And in this case, sell their customers' location data to even more people. So the status quo isn't working so well. 
The Federal Communications Commission is an ineffective regulator run by an ex-Verizon lawyer who basically doesn't believe in what the job is all about, which is accountability and oversight and if appropriate regulation. The Department of Justice is run by Bill Barr, as I mentioned, an ex-Verizon lawyer who personally authorized a massive illegal surveillance program and is an enthusiastic advocate for unchecked presidential power. If any of you are having trouble sleeping, I gave a long speech about Mr. Barr specifically on the floor of the Senate and talking about his entire privacy record, basically which also is supplemented by the proposition that he believes the president is just above the law, that there are no laws that really are relevant to the president. This issue fundamentally is about a lot more than just privacy. The total absence of any effective privacy regulation combined with the carriers' repeated willing participation in illegal surveillance programs is basically serving as the building blocks for Donald Trump and future administrations to expand the surveillance state and use it against their political enemies. Sadly, I have to tell you that sometimes you look at this and you say, really, it doesn't even matter which party is in control. Government agencies will fight any effort to limit their power and most politicians just aren't willing to spend the political capital and the time and the energy to take them on. But I want you to know that as long as I have the honor to represent Oregon in the United States Senate, I gather we've got some Oregonians in the house. I don't want to make some of you feel bad, but all the Oregonians in the house get to participate in the most logical, sane system of voting in the United States. We vote by mail and one day everybody in America is going to vote by mail because I'm going to make sure it happens, it's time. So we Oregonians will be schmoozing on the side when we're done. 
But suffice it to say, I'm just not willing to accept business as usual in this government overreach, surveillance state that I have just described. And here's my playbook for how to fight back. First, Congress must pass comprehensive privacy legislation that finally gives the Federal Trade Commission the tools it needs to hold companies accountable for privacy violations. It is my view that CEOs should face jail when they lie to the government about their privacy policies. And we have had one instance, you know, after another of these kinds of enormous things that we have seen in the past. We have had this enormous, enormously damaging cases where whether it's Facebook customers or somebody else get hurt by these privacy violations. And my privacy bill would give Americans an effective, easy way to stop companies from sharing their private information with data brokers and all of these other bottom feeders, these shady middlemen. Second, phone companies and really all companies that hold private customer data must reduce the length of time that they keep that data on hand. I proposed that yesterday. And the reason I did is after the big hacks of OPM, Equifax and Capital One, it's clear that the only sure-fire way to stop data from being stolen is to not have it lying around for ages and ages in the first place. The wireless carriers keep information about Americans' calls and texts and location history for far too long. In AT&T's case, the company apparently has call records going back to 1987. This kind of sort of data retention is a huge, huge gift to hostile foreign governments that want to hack our citizens. So I did, as I said, this week, in effect, write to the wireless carriers, told them they ought to delete records once they no longer serve a legitimate purpose. And if they don't do it, I'm going to make sure that the Congress gets serious about stepping in and doing it for them. It's a safety and security measure. 
And third, the Supreme Court last year held that the government needs a warrant to collect location data. There are still unresolved questions, including whether or not the court's decision in the Carpenter case even applies to the intelligence community. So I will be introducing an updated version of my GPS Act in the coming months to ensure that the government cannot track Americans without a warrant. In each of these efforts, I certainly have appreciated many of you and DEF CON giving us technical help. I want to close by talking about the debate that you're going to see later this year and why it's so important that those who care about the real need for liberty and security and understand that the two are not mutually exclusive, good policies get you both, bad policies get you neither, is that Section 215 of the Patriot Act expires in December of this year, December of 2019. Now, as sure as the night follows the day in the United States Senate, the Senate will wait until the very last minute when you all have your Christmas trees up and the wrapping paper is flying every which way and Americans are debating who will cook the Christmas turkey. Because that's always what happens. It comes up at the end of the year and the Office of National Intelligence says, oh my God, if we don't just extend this bill, western civilization is going to end. The following bad guys will be striking us. They will practically be arriving under our holiday trees to take your children and all kinds of other things. And I exaggerate but barely because that's what they do and as sure as the night follows the day. So you will see me as we get into Halloween and the like constantly come back to, hey folks, we need to have the debate about Section 215 of the Patriot Act. We got to have it before Christmas Eve. The American people should know that we can come up with policies that protect both their liberty and their security. 
And I really would hope that some of you in DEF CON and all the good work that you're doing will help us as usual in it. So as I said, last minute, there's always some kind of claim. In fact, one year I was actually able to get the Office of National Intelligence to make what was an admission against interest. Where they basically said, when everybody said it's all going to expire, they really said no, it's not going to expire. There's authority to have it for a longer period. I don't know what happened to that lawyer who wrote that. But suffice it to say this is an incredibly important law with respect to surveillance, Section 215 of the Patriot Act. Most of the debate will focus on the call detail record program, program in which the government collects metadata about people and who they call. And I am going to push very hard to see if we can put a stake in this program and close it once and for all. It has not been used to stop a single terrorist attack. And it's even less useful now when the bad guys have so many other ways to communicate. The reason I want to finish it off now is that if you leave spying authority on the books, nobody knows which administration is going to do it, but I don't want to say trust us to any administration to have the power to abuse it. So the phone records dragnet, that is important, but there are other sections of 2015 of 215 that are important as well. In 2014, the FBI and Director of National Intelligence confirmed in unclassified letters to me that the intelligence community used Section 215 to obtain historical records of Americans' location data. I made one of those letters public a few weeks ago. Earlier this year the Director of National Intelligence also revealed the intelligence agencies still haven't been told how they should interpret the Carpenter decision holding that location data is protected by the Fourth Amendment. So here we are, Section 215, one of the most powerful surveillance laws on the books. 
A law that has been abused by the government before, and the person who is now in charge of the Department of Justice, Bill Barr. Mr. Barr has shown an eager willingness to perform legal gymnastics to let the government spy on Americans. So before Congress reauthorizes Section 215, I think it's critically important that the public be told whether or not the government believes it still may use this law to track Americans' phones without a warrant. If you want to break the classic cycle of Congress rubber stamping, Congress needs to hear from the American people that this is something they care about. And I'll just close by way of saying there is no question in my mind that white hat hackers, the DEF CON community, really gets it. The number of stickers and EFF t-shirts and hoodies and everything I've seen walking around today is a clear signal that everybody here on a Friday night in Las Vegas, for Pete's sake, there are a lot of fun things to do in Las Vegas on Friday night. And this is a community that understands the importance of privacy and oversight of the intelligence community and the need for strong backdoor-free encryption. And the fact that you're all here on a Friday night is an indication to me that we can work together to make sure the rest of the country understands how important this stuff is. And in a lot of ways whistleblowers and white hat hackers in particular in my view are our last line of defense against government and corporate surveillance. Americans should never have to trust in just goodwill of government or phone companies or social media. We need black letter laws that keep our private information safe. And I want you to know that Congress only acts when the American people speak out. I know that this is a community that cares. 
Please, let's join together and make sure that we mobilize from sea to shining sea concerned citizens that share our views, share our values, share our priorities about pushing back against unfair surveillance and thank you for having me. I would like to say that I think by order of the federal government I should give you the rest of the night off. And before I do that, let's just together keep up fighting the good fight. Thanks everybody.