 Hello, Sunday DEF CON attendees. Thank you for coming out this afternoon, and James and I are going to be talking about your mind, about are your thoughts really protected. There's new technology we're going to be talking about that's going to put into question some Fourth Amendment search and seizure procedures. Can everyone hear me or I'm going to speak louder? All right. We're going to make your brain hurt, but it's good. You'll like it. Please note, neither of us are speaking for our employers. We promise we won't break the world, but don't blame them. My name is Tiffany Rad. I'm a college professor and adjunct professor at the University of Southern Maine. I teach in the computer science department and soon I'll be also teaching cybercrimes classes at the law school. I teach technology and law classes because I think it's important that the lawyers talk with people in tech and tech talk with the lawyers because that's how better policy is going to be made. I'm also the founder of Hack Me, Maine's only hacker space, which is still virtual at the moment, but we're working on it. Hi. I'm James Arlen, better known as Mercurial and I promise I won't use the game show voice today. I'm a part-time security consultant. I'm a part-time CISO. I'm a part-time stringer for Liquid Matrix. I'm a full-time awesome dude. I need you to understand that I am just the security guy here, not the lawyer. Also, I happened to found a hacker space. Hacker space people kind of glom up together. We need you to understand for a minute, for purposes of this talk, data and documents are sometimes, but not always used interchangeably. In some cases, they each have different legal meanings but not always. For the purposes of this talk, data is the lowest level of abstraction. It looks like ones and zeros. Document is a bounded representation, a tokenization of a physical document held in data form. The other thing we need you to understand is that there's more than one kind of legal person. 
There's the kind of legal persons that are made of meat and there are the kinds of legal persons that are made of documents, people and corporate persons. They each have rights. In some cases, they're similar. It's really hard to put a corporation in jail, so generally the agents of the corporation will do that. Agents can speak on behalf of a corporation that has no voice of its own. We're talking about data and documents either in transit or as they have stopped where they are going and are stored on a server. So stored communications, we're talking about the ECPA for that one and within transit, they have different warrant requirements for accessing data, if it's stopped or if it's still moving. The Fourth Amendment is, I think one of my favorites of the Constitution because it's search and seizure. I know next door they're talking about search and seizure for laptops. We're talking also about that subject, not exclusively at laptops coming through customs or crossing borders. But we're talking about when Fourth Amendment rights should be challenged and changes in legislation that are going to I believe need to take place as technology is changing. I'm not suggesting we change the Fourth Amendment, but there should be some legislation. We'll discuss later in the presentation that with some new cameras, we're going to be discussing their FAST cameras that the Homeland Security Department's putting out in the next couple of years. You need to understand that the sanctity of your person is not absolute. The Fourth Amendment has exceptions. A few of them are the Transportation Security Administration, which writes a blanket exception for what it pleases. There are also Terry stops, warrants and third party permission to search. We're talking about Fourth Amendment rights. There where your stuff is, it changes the way the Fourth Amendment acts. The Fourth Amendment doesn't protect your stuff, it protects you, the person. 
So when we talk about plain sight, for instance, that's if you have a computer or for instance a weapon lying in the backseat of your car. If you're pulled over for a traffic light violation, a light out and the officer happens to see that laying in your backseat, that's in plain sight, that is something that you can't say that that is private. Things are a little bit different if you have things locked in your glove compartment, it requires a little bit more of a belief that there could be some contraband or some illegal activities going on that relate to those storage facilities in the car. When we talk about computers, we'll be talking a little bit more about where the data is, different types of devices and how that applies. All right, we're talking about, I gave a presentation yesterday about car computers and of all these things, this is something that I find interesting is that when you purchase a car and for that matter when you purchase a computer, you don't own that completely outright. You license it. See, we all work with computers. We know we have licenses with software, but do you know that the software in your car is also something that you license? You don't have a right to open it up to take it out, change it, the way that it's protected presently with the way the car and computers and software set up. You don't have a right to do that. That belongs to the car manufacturer who may have licensed that from a third party who wrote the software. But there are devices on cars that are post 1999 that store what they call near events such as if an airbag deploys, the computer knows that. But it doesn't just know that, it knows how fast you're going with that airbag deployed and it also knows how hard you brake or perhaps more telling if you did not brake at all. A warrant is required for police officers if they want to get that information to walk up with a small PDA and they download that from your car's computer. 
You yourself are not permitted under the, actually it's copyright law. You're not permitted to take that off your computer because there's a little bit of encryption that is keeping you from doing that. But this is, when we're talking about medical devices like implantable blood glucose, insulin pumps, heart monitors, I mean these types of things also require a warrant to remove information that is stored about your biometrics, your body. That is personal information. You do have a reasonable right to privacy for those devices. But as some of the devices do transmit data, some of the, especially some of the companies I've looked at with medical devices, sometimes that connection's secure, sometimes it is not. So we need to think about privacy and also security for those connections because it is personally identifying information. The Fifth Amendment is you can't be forced to incriminate yourself. I was working on a case recently about, let's just say there was someone who wrote an interesting piece of software that that software proved that an IP or MAC address may not be exactly who it looks like it could be. That is going to possibly affect a cybercrimes case that's ongoing in Maine right now. And what can't be done is that if you're on the stand and if you're not, if you're just, for instance, in this case it's someone who would have information that could affect the case. You cannot be forced to incriminate yourself. Unless there's a few exceptions like if you have a grand jury, if you're in front of a grand jury, it's a thing that's a little bit different with that. But we're just talking generally for cases you, your thoughts and your ideas as it relates to this talk are private short of something like grand jury or court order. So we need to think about the different ways the law treats data. For now, as we walk you through a series of interesting ideas, I need you to keep in mind that we're talking about data that is stored. 
It is not moving, it's staying still. That really, really matters. It's a very, very big distinction in law. So in the first case, it's 2009, I'm feeling kind of cloud-tastic. I'm going to store some documents in Google Docs. All right, I'm the prosecutor in this case. Jamie, I'm Marcus Sachs. Do you think that you're going to prevent me from finding that data that you're hiding in the cloud? It's in the cloud. If you are technically trying to hide that information, I will find that. But I have appropriate warrants that I can get to get that information out of the cloud. It may be more difficult, and especially if the pieces of information are stored over countries' borders. As if the U.S. has shares information, such as like I don't think Afghanistan or Iraq would be very friendly with some of our requests. But that is information that we can find. So if you think you are hiding your stuff from me, I will find that. Do you mean the cloud failed me? Yeah. Are you going to tell that to Chris Hoff? I'm scared of Chris Hoff. Okay, fine. It's not a document stored in Google Docs. It's data, and I've backed it up with Amazon S3 because that'll keep it safe. So you think the difference between data and document means that I'm not going to be able to piece together that information that you've split into ones and zeros. Technically, I'm going to find that stuff. I don't trust the cloud. I'm going to put the data on a rented server that I'm keeping on an ISP in the United States of America. So just because you're moving that data outside of your house, do you actually think it's going to be more difficult for me to go to that place where you've rented space and you have your server for me to get access to it properly with a warrant? Actually, they might turn it over more quickly than you would if it was in your house. You're not helping. I'm going to own the server because then they have no rights over it. It's mine. That doesn't change my answer. 
I'm going to put it back in my house. I'm going to come to your house with a warrant and I'm going to take those servers, but you may give me a little bit more challenge on the warrants to make sure that they're appropriate. You may not turn them over as quickly as a third party would, but I'm still going to get those servers, Jamie. I'm going to carry it around with me everywhere I go and I'm going to hug it and pet it and keep it safe. So you're putting it on your body. Let's say if you have it in your pocket, you have a cell phone and I want to get that. If I have a reasonable expectation or a reasonable belief that I need to stop you, stop and frisk, if there is something in your pocket that I think might be worthy of investigation relating to the reason why I stopped you, I'm still going to ask you for that. I'm getting an uncomfortable feeling. I'm going to keep it on a phone because telecommunications devices are different from computers under US law. Telecommunication devices, that smartphone you have is a computer. If it's stored there, it's the same warrant. I'm just going to keep it on a microSD card. I'm going to keep it really close and safe. Then I'm not going to have fun going looking for that one. I'm going to use encryption. That's a great one right there. I'm going to use ROT 13 because it always works. I think that might only work if you claim that's your anti-circumvention measure under the Digital Millennium Copyright Act. Then if that is broken, then it triggers DMCA and that's the weak security that you're talking about. You think that the DMCA is going to create better security for your products or can it protect you from me, the Fed? Yes. I might have a little bit more challenge having you turn over the key. But recent cases in Vermont, for instance, the Chow porn case, it took a while to litigate this case but a defendant was required actually by the court to turn over his key. 
However, there are other cases where they've requested and required the key such as with the World Trade Center bombs accused of bombing the World Trade Center during the first attack when they bombed the parking garage. He never turned over the key and they're still trying to break the encryption on that laptop. As far as I know from people working on that, it hasn't been broken yet. OK, I'll use real encryption this time because apparently the DMCA isn't going to help me out. Well, recent cases suggest that I'm still going to be able to get you to turn over that key. I am Bruce Schneier. You know what? I'm sorry, Jamie, but you are not Bruce Schneier. Bruce Schneier gets a get out of jail free card because he does security research. I do security research. I present it at Black Hat and DEF CON. You try some of the research he's done through TSA. I'm sorry, but that's not going to work for you. Fine. I'm going to keep my data moving. I am going to spin it around the world in a never ending circle of data goodness. It will be a halo over our heads. What some people have done. And it is, it can be legal if it's done properly, but you can do what's called a jurisdiction hopping. As long as you're not trying to obstruct justice, if you do want to store different parts of your data in different countries, once was HavenCo, but now that's unfortunately folded. If you want to put in offshore platforms, it is going to be more difficult for people to get for the feds if they do a proper warrant and all that to get that data, especially when you're dealing with other jurisdictions. But it's still as possible. And I remember having some discussions when HavenCo, just to let you know that I'm sorry, I'll explain that, there was an offshore platform that claimed that they had jurisdiction that were off the coast of the UK. They claimed that they were an entity of separate country and that if they ever were served with a subpoena warrant, they would totally disregard that. 
The jurisdiction question for HavenCo and Sealand was, in my opinion, has never quite been settled. But it is possible. It's complicated to get that data because they also had an internet connection that went just right under the ocean to the UK. There are a lot of ways that with a proper warrant that that information that's being transmitted through there could have been intercepted and illegally intercepted. I don't feel better. Here's the thing, though. We've been talking about data, and the name of the talk is your mind. It's important that you understand data constructs because, in large part, your brain is just a data storage and manipulation device. We need to sort of tease apart how you store and manipulate data that's related to your mind. I just want you to think, though, briefly about the idea of personal notes and effects. The question is that we're addressing also is if you take your pertinent ideas, which you're thinking right now, and either because you have short-term memory and you can't remember them, if you put them on any type of external computer or data device, what would it take for proper warrants to get access to that data? And that's one of the things we're considering. And we'll go a little further at the end of the presentation and talk about some new technology that they actually claim is a pre-crime detector. And it reads your pre-crime thoughts. It's true. So 200 and something years ago, your personal effects or those notes that you wrote yourself could fit into a briefcase. And it was maybe a couple of hundred sheets of paper. You can fit the Library of Congress in a briefcase now. Keep that in mind. So it's the 1990s. Everything is awesome. And we've got our first PDAs. We're keeping names, addresses, phone numbers, relationships, aspirations, stuff that is definitely PII. Is this thoughts and memories? Is this personal notes and effects? It's kind of an interesting question. Just sort of puzzle on that. 
In the early 00s, we got ourselves a connected PDA. So now you're starting to see things like BlackBerries and other sorts of devices that have a replicated copy. So there's the copy you're carrying with you and there's another copy on a server somewhere which you don't control. You might be storing personal stuff on your BlackBerry or other iPhone-ish kind of device. Does a corporation have any rights to that? It's your memory. What if it's not just to remember something but rather to do something? You know, a cron job or a Google search alert. Now we're starting to talk less about the information and more about the I need to do something. It's starting to look like agency. When you switch from remember something to remember to do something, you get pretty quickly to make a decision for me. This is how corporations work. The corporate person requires that its agents, its officers and directors make decisions on its behalf. Right now, my computer makes decisions for me. If I get a meeting request that meets certain criteria, it will be accepted or denied by the computer without me ever having to see it through the magic of Microsoft Outlook. The computer's making a promise that I'll show up to that meeting at that time in that place. And it's making that promise for me. It's actually setting up a contract between me and the person who's requesting the meeting that says, I agree. Is it OK for a computer to be making a contract? One of the questions we had with a legal agent is can a computer become a legal agent? And we started talking about this and as it relates to storage of information and is it alive, so to speak. When I was at Carnegie Mellon, we had an interesting project that we discussed with some CS majors that were there. And it was, this was before I went to law school, so probably some of the stuff would have been a little bit dubious now that I know, but we were trying to get a social security number and get a computer to vote. 
And we were thinking, well, it's a cognitive device. It can be an agent, but it was a project we never actually took to fruition. We were just thinking about it. Can a computer be alive? Not just in the sense of AI, but in the sense of voting, online voting, or online voting, e-voting, and getting a bank account, managing that bank account, making just simple communications and contracts that would be akin to a person, and now with virtual worlds online. And helpers, like my former students, a World of Warcraft helper, is it, who's controlling that? Who is contractually responsible for that helper? So, how are you related to your computer? It becomes a very complex question. It seems very simple, but it's really not. How much of my computer do I really own, like the computer part? Similar to the car computer we were talking about, and your ownership of the car, you own the plastic, maybe the stuff in the LCD, the keys, anything that is software, and some of the firmware as well. You don't own that. It's licensed to you. Okay, and with data storage, it is probably not easy either. Well, with data storage, you own the information that's coming in and out of there, but as for the physical device, you like the box. Okay, you might own the physical box, but the rest is going to be licensed, and you own your communications. Except for the FCC and stuff. You can see this gets depressing fast. So, if it's possible to own a computer, but not really, I mean, I can own a carrot, but I can't own a computer. Who really owns my computer? Well, it depends on the operating system you use. Is it Linux, or is it something else? Actually, when you use Linux, you're still using, you still are licensing. You don't own that code either, I'm just checking. So, if it's not mine, how can it make decisions for me? I mean, I don't even have control over it. I kind of own my kid more than I own my computer. Last law, and contract law has struggled with this. 
The shrink wrap licensing, for instance, is a difficult problem because it used to, I don't do it as much as they used to, I believe, but when you buy a box with some software in it, you rip open the shrink wrap, and you've just agreed to the license just by cutting the plastic. And in contract law, you need to have something called the meeting of the minds where both parties understand the contractual provisions and both agree to it. That's complicated with the shrink wrap license. And similar to when you purchased a computer, we were talking, Jamie and I were talking about that, how the software, you may not know everything it's doing, but you've agreed to a lot of the terms on that, either for online stuff and end user licensing agreement, or the software licensing for your operating system. That's the difference between explicit, we're talking about explicit or implied contracts. This was the example I mentioned to you about. At Carnegie Mellon, we tried to make a computer legally alive, and theoretically, we thought it might be possible, but legally very complicated. So what does it take to become a legal agent for yourself or others? At least in the corporate law, you can be an agent for your corporation and make contracts, decisions, sign anything for your company. You can set up a bank account if you are an agent. In fact, for any company, you need to have a legal agent in that state in which you are doing business. So, our question was, for a computer to do that when it makes agreements online, is that something that makes it more legally alive? So if you think about the idea of sort of a cognitive ladder, that at some point, a computer's going to be smart enough or capable enough that it can do things for you, it can become legally mature. We've already got a set of cases that describe legal maturity. This is stuff that has been well understood. In a lot of ways, a legally immature person is a lot like a child. 
We need to understand at what point do children become adults. And we looked up the age of majority. At the age to get married, for instance, criminal responsibility. At what time, in some states, you can go to war, but they don't give you enough responsibility to drink alcohol. But we talked about these, and in tort law, when accidents occur, children at times can be held to an adult standard if they're operating machinery or a boat or a car, for instance. And an accident occurs. They won't always look at the child as, this is a 10-year-old child, the 10-year-old child's mental facilities. If it's involved something, machinery, or as we were discussing in relation to this talk, a computer, is that different. And I do know under cybercrime, a lot of cybercrime laws and cases. Now, you can't get out of saying, I was 17 when I hacked that site, I'm not an adult, you can't charge me, because the courts look at us with, as having special skills, these special skills are akin to, for instance, a child operating a car, is that they will hold us to a higher legal standard because of our technical abilities. And in fact, knowing a lot more, I'm not saying ignorance is the list per se, but knowing a lot more can be a little bit more difficult in court to explain that you didn't know what you were doing technically when you did that. So that's why we're talking about ages in relation to also with computers. I have a seven-year-old, I don't want her making decisions for me, she's not an adult, and I really don't want her driving my car. The other place where the laws really looked at this stuff is legal maturity for mentally handicapped adults. Can Eliza and Rain Man get along? Might be fun. Can these cognitive agents represent your thoughts? And should the thoughts in your mind, for instance, relate to a computer being that where your mind is a type of computing machine, should it have the same protections as computers do for search and seizure? 
What happens when you can move memory out of your head and into a device? Science fiction is awesome, except you're probably doing it today. I don't keep track of phone numbers. I can't. I don't keep track of dates. I have no idea what I'm doing next Thursday, but my little friend knows. Would you let me borrow your phone at DefCon? I'm one of those Twitter people. You may know me from the Twitter. Are you establishing intent when you record your thoughts, your actions, or your activities? Can you ever really take back what you put out there on the Twitter? And likewise, if you think, I know most people in this room probably know this, but anything you put out on Twitter is public. It's your broadcasting, where you are, your GPS locations at times. You don't have an expectation of privacy because you are saying your thoughts are, I am here in this talk at DefCon in track two or three. Actually, I don't know where I am now. I guess my GPS would give that away. But the question is, do you have an expectation of privacy? No, if you're tweeting about this, it's public, and anyone can look at that. And they don't need a warrant to be able to read your Twitter feed if you've made it public. Protected updates aren't. I'm also a super hipster. I use cloud memory. My information is available to me wherever I am, whatever device I'm using. That makes it equally available to anyone else. Want to go really sci-fi? What about prosthetic memory? This is Johnny Mnemonic happening for real. This is out of Microsoft's research labs in Cambridge, and this is about four years old. And almost nobody I talk to knows about this device. This is the Microsoft Sensecam. It is a research prosthetic for Alzheimer's patients. It records low-grade stop-motion stills of everything that's going on until you're standing in front of somebody, in which case it switches to high-grade video. It also records all of the audio from your day. 
It's used as a reference device, so Alzheimer's patients can review what happened during their day. Many of you may or may not have gone to school and know that if you review your notes, you remember more from them. This gives you a way of reviewing your life. There are people who are walking around wearing these pendants. If I was to be walking around wearing one of these pendants, I'd like to know whether or not that pendant was subpoenaable, or whether or not the licensing agreement that I have with Microsoft means they would give it away. We make a choice to use some of these devices, and some of these devices make our lives easier. Some of them we have to question and reasonable expectation of privacy. And we're gonna be talking a little bit about surveillance cameras now, and yeah, a little bit later. A little bit later. Okay. So sometimes we make choices to put our information out there, and sometimes our information is put out there for us. Tiffany was talking earlier about the idea that medical prosthetics include logging capabilities. If you were at Black Hat last year, you learned a little bit about automatic defibrillators. Insulin, drug pumps, seizure detection and control. They're all vulnerable to subpoena. Was your heart racing at the time that the crime was committed? Was your heart not beating at the time the crime was committed? There's a, we'll put up the links at each of our sites, but there's a very complex paper that was written for forensic pathologists describing how to correctly remove these devices for subsequent examination, for determining things like exact time of death and exact circumstances of death, where they don't actually have to do it the old biological way. They can just sit at a computer and double click something. Now we can talk about. Now we talk about cameras. Someone who's been doing this for a long time, and I like a lot of Canadians, so I follow Steve Mann's work. 
I don't know if any of you remember him, but he started at MIT, and he's been, back then, I guess it was almost 15 years ago, he'd wear a big CRT, actually wear it on his body and had a camera on his head. He made a point to, he was bringing awareness about surveillance, part of what his message was, that anyone can be, if you're in public, if you think you have a reasonable expectation of privacy when you're out in Times Square, walking around and there are all these surveillance cameras, you do not. You are in public. Your image is being captured by these cameras, and it's not just on public property. If you are in Walmart, for instance, and Steve Mann did a really interesting project on this about five years ago, he walked into Walmart wearing his camera, and his wife did as well, but hers was more concealed, so she captured all this on video. They walked into Walmart and the manager came out and said, you can't record anything that's going on in here. This is our property. You are here in Walmart. You're giving, we don't give you permission to do this. You're recording me. I haven't given you permission, but the way it works, I know at least under US law, is that Walmart, it's not going to imply type of contract. When you're in Walmart, you can't tell them. I want to shop here, but I don't want you taking my video to determine which end caps need to be stocked or what information that I'm leaving or what books I'm reading while I'm walking around. They do not, from what I understand from a case study I did in Walmart, they do not associate that with your personal identifying information. However, if you are on video and you are purchasing something with a credit card, that type of information, if for instance a guy was buying matches and gasoline and lighter fluid, something that had to store, and he used one of those shoppers cards where you, I live in Maine, we have Shaw's, you get a little bit off if you use your shoppers card. 
So when you do that and you look at your receipt of how much you saved that day, you need to ask yourself, was my privacy and everything I purchased worth $5.33 that day. That is their information while you're in their store. Homeland Security has a new camera and this is one of the things that we talked about, we wrote about in our white paper for Black Hat. It's called FAST and it is being, loud it is being a pre-crime detector type of camera. And on their website, I actually, these are images, fair use of these images that I have borrowed from the Homeland Security website. They have licensed images from the movie Minority Report and some of the caption was, look what we can do now with new technology, suggesting that we can do Minority Report as type of research and technology right now. What's interesting about the FAST camera, if you look in the, it's quite a complicated camera. Right now, the prototype is huge. It's the size of a trailer and they did a task project on this where they paid 200 volunteers to walk through a trailer in Maryland about, I think it was about six months ago. The FAST camera not only records pupil dilation, contraction, I mean it looks at your eyes, it determines your heart rate, your blood pressure, if you're sweating, it looks for other types of biometric information that you're giving out and one of the most interesting I found was it has a pheromone detector on it. I never believed in all those perfumes that like, oh, buy this perfume it has the opposite sex or same sex pheromone, whichever you would prefer to attract that type of mate. But actually Homeland Security is using pheromone detectors to determine if you are, if you are leaving pheromones in for instance airport security that would suggest that you have criminal thoughts. The point of this camera is so TSA can stop you before you pass your security if someone has criminal intentions, they wanna stop it before that. 
So not only were we talking earlier about the idea that you may be choosing to externalize some things that should be protected thought within your head, sometimes those things are externalized for you, here we're talking about broadcast reception. So you may no longer have the opportunity to keep thoughts inside your head, those thoughts are being extracted at a distance. So we talked about when you're thinking things which is private and you have a reasonable expectation of privacy to sit there and think, then you put those thoughts and memories on devices or tweet them. And now we're talking about you just standing in public and these cameras are making, the sensors are revealing things about your thoughts potentially. And one of the other questions that we have when we have to think about these new surveillance cameras is where's the data being stored, for how long is it being stored and is there any way that we can access the information that's being stored about us? And there's a pretty large facility in West Virginia that I believe is almost built or it is right now, but that's where a lot of their biometric data is going. And one of the other things that we did research on was okay, where else are they using biometric data to determine pre-crime? And it's here in Las Vegas, in fact. I don't think it's at this casino because I have not seen it, but there are casino workers that if you work at that casino, you must agree to wear a little collar, a bracelet or something on your ankle or on your arm. And it checks heart rate. It's being monitored via RFID so a pit boss could look down. If someone has a high heart rate, they will determine either if a crime is being committed, such as if their table's being held up or someone's cheating, or if the dealer is thinking about cheating, cheating the casino. We're in an interesting place where these things are moving from fantasy to reality. This is the 15 year sci-fi cycle. 
It takes about 15 years for something that is absolutely out there in science fiction to get turned into a bleeding edge product and about five years after that, everybody's carrying one around with them. Are we in the kind of place where we're okay with that? If you can use my thoughts against me, that's kind of out of my control, but what if my thoughts conspire against me? What if your software mistakenly miscomprehends what's going on? Say I'm just really, really warm or I'm kind of jittery because I'm in front of 600, 700 people? It's not like there's ever been bad software, right? And nobody's ever tried to exploit software holes to cause negative things to occur. And since my computer's doing stuff for me, and laws can be changed. But you cannot be, if you already are being prosecuted for a crime, if laws are changed they can't retroactively like add 10 years to your sentence. So that's the only caveat for that. The minor caveat? What do we do? Oh, sorry, we're gonna tell you what to do. We're not here just to scare you, but you need to know I'm not a lawyer, I'm just a security dude. And I am a lawyer, but I am not your lawyer. I had to throw it out, it's always my disclaimer, sorry. If you follow the advice, you might still be screwed. Practical measures. These are the things that you can do in cases where you're choosing to externalize thoughts. When you wanna write down notes, things to remember, things to do. Remember, anytime you write down that to-do list, you're creating a paper trail for somebody else to use against you. Try and keep your information in your home. There's a slightly higher bar of entry. Use encryption. Simultaneously, keep the tinfoil hat in the drawer. Don't use too much encryption. Guess what? TrueCrypt hidden partitions are findable. Don't give them a reason to look real hard. The closer you look to innocent, the more likely it is that they'll believe you're innocent. Store your data where it's not easy to subpoena. 
HavenCo would have been a good place, but put it in a bank vault in Aruba, see how that helps. Make really good friends with Richard Branson. And that applies as long as you're not obstructing justice. If you are trying to hide data for an ongoing investigation, do not contact Sealand. The best advice is simple awareness. Your mind and your memory are not necessarily your own. This is changing right now. We're not entirely in charge of the changes. We're asking you to engage with the general public, legislation, vendors, help them understand for the last 15 years, we've been building technology like crazy little rabbits and waiting for the legislation to catch up. It never does. This is a case where we need to have the legislation framework ready for when the technology gets there. Because let me tell you, if we're learning about it, it's in a lab somewhere doing the next generation thing. We're just unaware of it. So what we've told you about isn't what's current. It's stuff that's old enough we were able to find out about it. And if we in this room know about it, that means that law and some legislatures are probably about 10 years behind. So if you care about these issues, I would recommend that you make wise choices when you're selecting lawmakers. Influence them. Tell them what your opinions are about this. We made a big deal in Maine about the Real ID Act and while their Maine is still gonna go Real ID Act, we were one of the few states that did hold out. I told all my students, contact the senator. Even if you're for or against a Real ID Act or cameras such as this and how the data will be stored, tell them about it and support EFF. So if you're inspired by Carrie Underwood's Before He Cheats, watch to see if there's a camera around. This was taken by a Google van driving by. All of these pictures were. Was that malicious or was she falling down? If you happen to be in the range of a FAST camera. Don't do stupid things and think peaceful thoughts. 
These guys were not. And remember that you never wanna be in a database forever as a world champion sword fighter. There's one in every crowd. We have brief time for Q and A, thank you. We also have lots of time in our room. Right in the middle, stand up. Okay, so the question was, are there some cases of protected agency where an individual can operate on behalf of but it be protected in a way that is legal proof? I give it to the lawyer. Legal proof or you were asking, I think more so similar to it for an agent of a corporation. I am saying that whatever rights that corporation has, especially if it's a land lease contract, you as an agent would have rights to make that contract. And I'm not saying that it's subpoena or warrant proof, but however that corporation stands, you stand as that. Yeah, that's right. Okay, I understand. His question is, if one of the agents is an attorney, is it different than just between two people who are not attorneys? Yes, there is an attorney-client privilege and it takes a grand jury or a very strong court order to break that. So if you are telling your attorney about your secrets about some super badass encryption you have going on, they are not, if someone just comes and says law enforcement does, I wanna know about that, that attorney has very specific rules they must follow about how much information they can give and when, depending on the investigation. But that is stronger protection than just between two individuals who are not, or one is not a licensed attorney. Green shirt? You've got a great answer for this one. Okay, so the question is, how come the Fifth Amendment does not protect me from giving out my encryption keys? We had, we were asked this in Black Hat as well. This is a very good question. The case in Vermont that I was talking about was in regard to the defendant said, hey, those are my keys, it's my speech, so to speak. So I can't be forced to incriminate myself by turning over those keys. 
Well, the way that the court looked at it, the keys are a tool, this is a tool. The Fifth Amendment protects you, the person. So you, they can ask you questions about the keys, but the court did give an order to turn over those keys, otherwise it was obstruction of justice for when they did do the forensics on the computer. They needed to open it up to see what was in it. So it's a tool. So I was gonna say now, so explaining that, look, think very carefully about what the key related to your computer means. The key is not speech. The key is not incrimination. The key is exactly the same as if you had a house with a very, very complex locking system and they had a warrant to get into that house. They can require you to help them open the door. It's just that simple. In Canada, we've got this very awesome thing called at the queen's pleasure, which means they will keep you in jail until the queen decides to let you out. You will give up those keys. I saw a bunch of hands over on this side. We've got a question. Middle back. Okay, so the question slash statement was give them disinformation. Don't always shop under your own information. Share whose information you're shopping under so that you can get awesome weirdness to happen. I like awesome weirdness. I feel kind of bad for the BI guys, though. Blue. So he's just saying that apparently PCI doesn't work. They're tracking you by your credit card numbers too. Question in the front, we've got two minutes so it's gotta be fast. Okay, let me rephrase that. The question is more about some legislation in Maine and I'll just briefly address that because that doesn't directly relate to specifically what we're talking about, but there is a pre-crime bill as it's being coined that Senator Maine suggested. And she was also on the Homeland Security Committee. She was the director, I think the director of it. She wanted to use filters to determine what people are talking about online. 
And I'm not talking about Carnivore, Echelon, but it's just when people use particular things in chat rooms, she wanted to be able to get that information and use it against people. That did not pass. That legislation did not pass, so. I don't believe it's before Congress this session. I think that bill is, I mean, if anyone wants to talk to me, I think we need to move on. I was just gonna say, we're about to move into the challenging question room. Q&A room, which is all nice and close and sweaty. And we'll take your question first in the Q&A room. Thank you. Thank you.