 Hello, everybody. Welcome to the Ask the EFF panel. We are the EFF or a portion of EFF who is here to answer your questions. My name is Kurt Opsall. I'm the deputy executive director and general counsel of EFF. I've been doing this Ask the EFF panel for a lot of times and we always enjoy getting some good questions. Before we get to your questions, though, we're going to give some brief overviews. One thing I wanted to do at first is put out a little bit of ground rules. Well, first of all, I assume most of you are, but how many people here are familiar with the EFF? All right. Well, thank you. I will not do much of an introduction as to what we do. But as you may know, one of the things we do is we give counsel people, give legal advice to security researchers, people from this community about research they're doing, about presentations they're having, other kinds of legal issues that are in our space. That is something we really enjoy doing, but now is not the time to ask those questions. We want to have that be a confidential attorney client privilege communication outside of a group of your closest friends. So if you have questions that are particular to your situation, come talk to us afterwards. Email to info at EFF.org to set up a time to talk to us. Where Amul right there will answer your email. Great guy. But not during this event. So while we briefly introduce who we have here, starting to my right, we have Nate, staff attorney with EFF, works with me a lot on the Code of Rights project. We have Corinne, our legal director. Mark Jacobs, our legislative analyst. We have Cooper, who works on our technology projects. And Nadia, one of our activists. All right. And so, Nate. Thanks, Kurt. So we wanted to do something a little bit different this year. For those of you who have come to ask the EFF panels before, what we've done and what we will do again this year is each of us will talk a little bit about one or two things that we work on, maybe a couple more. But I wanted to give a little bit more. I wanted to talk about everything that we do. So I had a couple of interns prepare a list of everything we did in the last year. And single-spaced it was 11 pages long and it would have taken me like 20 minutes to read. So I'm not going to do that, unfortunately. But I will give some numbers and I'll give some highlights. Just so that you can have a little bit more of an appreciation about the scale and variety of the work that we do. We're only 17 lawyers, something like seven activists, six or seven technologists and seven international activists. So it's not a big team. But yet, in the last year, we have filed more than 15 new lawsuits, including a lawsuit representing Oscar winning filmmaker Laura Poitras seeking records of her detention more than 50 times. And that was even before her involvement with Ed Snowden. We represented a patent troll victim successfully. The first time we've actually done a direct representation in that kind of context. And we sued the DEA not once but twice about two separate phone metadata programs that it was involved in. We had major developments in more than 11 of our ongoing cases. And that ranged from major briefs filed to major court arguments. In the last three years, we've done more than 30 counseling engagements of people talking at Black Hat B-Sides and DEF CON. This year alone, we counseled presenters giving 10 talks at the three conferences. And we filed more than 30 amicus briefs, probably something like 50. It was hard to get a good count. In courts all around the country ranging from the Supreme Court to most of the federal circuits to district courts, to state supreme courts, to local courts. We testified in state, local and federal rule makings and other legislative hearings at least eight times in the last year. So that's, those are the numbers. 15 new suits, major developments in 11 suits, 10 counseling engagements just this week in Las Vegas and more than 30 amicus briefs. Probably something more like 50 amicus briefs. And I would love to talk in depth about all of them. But unfortunately, I can't. But I can. Or at least I can talk about a few of them. Because we couldn't possibly review all of our work here today. So I'm just going to talk about a few cases and situations that I'm engaged in and really have been, we've been really enjoying, I have to say. The first is we filed six exemption requests before the copyright office in the DMCA rulemaking process. And for those of you who saw Corey Dr. Rose talk yesterday, you'll know a little bit about it. But basically, what we have found is that we have this law that makes it illegal to break DRM even if you're doing it for a perfectly lawful reason like fixing your car or testing security, or maybe jail breaking your phone or a host or preserving a video game, a host of otherwise legal things that you want to do, but you need to break the DRM in order to do it. And that in and of itself is illegal unless you get permission from the copyright office. So every three years, we get to go to the copyright office a bunch of, which is part of the Library of Congress and ask a bunch of lawyers and librarians if it's okay, if technologists go ahead and do their work. And this year, we really tried to up the ante a little bit because we are seeing how the different places in which copyright, because we have software in so many different kinds of devices from cars to refrigerators to of course, your phone, and DRM on all of that software suddenly is more necessary than ever for us to go to the Library of Congress and ask permission for you all to do the work that you do for Chris, Charlie Miller and Chris Villasec to do the work that they presented earlier today. I wish that we didn't have to do that, but on the other hand, but we do and this particular round has been quite interesting because in particular, the exemptions we asked for, which had to do with car repair and security, video game preservation and of course, jail breaking, not just your phone, but tablets. They were aroused a lot of interest and in particular, we aroused the interest of General Motors and John Deere who felt it necessary to file responses to our exemptions to say no, no, no, we own the copyright in that software in your tractor and you can't mess with it. We're serious, right? So all of a sudden I'm fighting John Deere in court. I never thought I'd be doing that. I never thought I'd have to go and reach out to farmers and talk to farmers about how copyright was affecting their lives. I wish I didn't, but on the other hand, I think that's the way you turn the tide because you get more and more people to understand that this kind of arcane area of law is actually affecting them. So the DMCA rulemaking process is still in play. We'll know the outcome in a couple of months and we'll know if we won and we will let you know. I just want to hit on two other things very quickly. One is we also killed two patent trolls. My colleague right there, Dan Naser, led the charge. And the reason I wanted to talk about these two in particular is because I thought this audience would appreciate the patents that we killed. One of them was a patent on competition over a social network. There's a patent on that. It's not going to work too well anymore to be enforced. Secondly, there's a patent on podcasting. Just podcasting. Somebody thinks they own that. We don't think so. And we, turns out, we won that one. So victory that I want to talk about has to do with cloud flare. And this is an important case because what's happening more and more is that the entertainment companies are running to court and they're getting very broad injunctions that require service providers, domain name registrars, to search engines, to anyone who's providing service to a website, trying to require those service providers to shut down service to those sites based often on nothing more than allegations. The cloud flare case was slightly different, but it's basically that same kind of idea. And their theory is if you provide any service to a website that's doing something unlawful, you're conspiring with it. So they have this conspiracy theory. So cloud flare was providing some services to some websites that were arguably infringing trademark. But all they were doing is providing basic service like they would to any other customer. But nonetheless, some entertainment companies got a court order requiring cloud flare to stop serving that website and any other website that happened to pop up that looked like it that used the same trademark anywhere in the name, basically making cloud flare into copyright and trademark cops. And this is part of a broader trend, which is why we're worried about it and why we got involved. Fortunately, we weren't able to completely overturn the injunction. We weren't able to overturn the order, but we got it narrowed and clarified. So it's very clear that cloud flare does not have to be the trademark cops. So that was a big victory. And I think hopefully we'll set precedent for other similar situations down the line. Hey, everyone. How's it going? I'm going to do this pretty quickly because I know a lot of people want to answer questions. I'm really, you know, I'll focus on the four or three or four things that we're doing on the legislative front at EFF. The first and foremost one is updating the email privacy law. Right now it's a law that was passed in 1986. It doesn't cover emails that are older than 180 days. And it's been even for this Congress, we've been dealing with this for the past couple of years, and we're forging along to try and get it through for the first year ever the house has bills sponsored by over 293 members. So we're hoping to get that through this year. The second one we're doing is reforming the computer fraud and abuse act. Right? We want to make sure that, you know, it's used to actually encourage security research and not chill it. The proposals we've seen, you know, for the past couple of years have been just disastrous, right, in our opinion for computer security research and would indeed chill it and not encourage it. So we're, you know, working on those two things. The third thing we're doing and something that is actually probably going to move next month in September is combating a lot of these privacy invasive cyber security information sharing bills. What they do is they grant a lot of new authorities for spying, new authorities for attacking everyday innocent users. So what we're doing right now, and especially again within the next month, there's one bill called the Cyber Information Sharing Act, and that's going to be coming up in September with actually a CFAA amendment. That is, you know, just poorly drafted. We're going to try and kill that coming up at least in the immediate short term. The last thing we're doing, which, you know, I think if a lot of you follow the news in the summer, you know, there was one part of it with reforming one of the many NSA programs that we've found about over the past couple of years. The last thing we're doing is further looking at the foreign intelligence surveillance laws and making sure that and offering changes so that, you know, they aren't used to engage in mass spying, right? You know, we've seen just a huge number of revelations about mass spying, about collecting innocent Americans' users' information with really twisted interpretations of the surveillance laws. So we're also working to change those. So in addition to the massive amount of legal work we do, we also do a lot of technology work as well. And we have several technology projects. This year alone we've launched four new or unveiled four new technology projects. Let's Encrypt, which is a free certificate authority or a certificate authority that will give out free SSL certificates and help you set them up. Democracy.io, which is a front end for all of the myriad forms for contacting Congress members. Canary Watch, we helped launch a thing called Canary Watch, which was tracking warrant canaries. And Privacy Badger, which is a browser extension to block trackers that follow you around online and spy on what you're doing. In addition, we've maintained several other technology projects such as Start TLS Everywhere to help Encrypt all of the email servers, SSL Observatory and Panopticlick. We also have done some tech-based advocacy and unveiled some stories such as the Verizon UUID header, where Verizon was adding a tracking header to all of your browsing over their 4G network. The Superfish Lenovo Windows spyware. And we helped uncover an info leak on healthcare.gov where your personal information was being leaked to multiple third party advertisers. So those are some of the technology projects we do. And I can go into more detail about any of them, but to keep it short, I'll pass it along. So, EDFF, of course, in addition to litigation and technology projects, we have an activism team. So I'm just going to talk about three of the things that we've worked on. One of the things that I work on is privacy. Two interesting things that happened this year. Most recently, we worked on a letter to ICANN, the internet corporation that assigns domain names. And so they are wanting to get rid of privacy services for anybody who has a commercial website. And what they deem commercial encompasses a huge range of websites. They are possibly pretty out of touch with how people are using the internet and why they would want privacy. So we sent a letter to ICANN with a huge list of signatories. And this was a really diverse range of people. It was people that have been targeted for harassment. It was people who are concerned about security and privacy like Bruce Schneier. And it was, you know, we think that it had a really good effect. They have sort of dialed back on saying that they're going to get rid of privacy services. So we were happy to see that. And we're certainly going to keep pushing because, you know, we think that they need to be more responsive and think about the unintended consequences of their proposals. In addition to that, we also worked on Facebook's real names policy. So this is something that a lot of people are seeing this year that they are getting kicked off of Facebook. And it's actually being used as a way to try to shut people up and get them off of Facebook. So people like international activists, some people, for instance, in Vietnam, use Facebook as actually a primary platform for blogging. So political dissidents are getting their names reported as fake names and getting kicked off. Drag queens are getting kicked off, even though they're using names that they use in everyday life. Just a huge range of people. And so we are going to keep pushing on that. In addition to that, another project that we have is surveillance self-defense. And we are continuing to add new playlists to this. So on surveillance self-defense, we put together playlists, which are just a list of tools that we think would be really helpful for specific groups. So we have playlists for journalists, for LGBTQ youth, for people who are working on human rights issues around the world. Those are just some of the playlists. And we're going to keep adding more information on there. We added more new tools. And we also do surveillance self- defense trainings. And I would say just this year, we've trained hundreds of people how to use end-to-end encryption. And, you know, we're really going out there and teaching people who might otherwise feel very uncomfortable using these tools. In addition to surveillance self-defense, a project that just launched last week that I'm very excited about is street-level surveillance. So this is a project that, you know, a lot of times, especially when we go out there and we're talking to people who maybe don't have as much of an in-depth knowledge about surveillance, they're thinking about the NSA. And they are sort of thinking that it's something really far away, that maybe it's not something that they should be concerned about. But especially in the last couple of years, we are seeing the proliferation of technology really in the hands of local and domestic law enforcement. So street-level surveillance is bringing together our past work on these issues and also our future work. And we really want it to be something that people can use to actually sort of take the issue into their own hands. So we have a partnership with Muckrock. And if you're not familiar with Muckrock, you should definitely check them out. They have made it possible for probably thousands of people to file public records to act requests or freedom of information act requests. So we have a partnership with them to help people file PRAs, public record act requests on the use of biometrics in their communities. And we also have talking points for activists. And we're going to be adding more resources. And in addition, we're highlighting the legal work that we've done. So actually just recently, we got a case accepted to the California Supreme Court. And it is a public records act case around the use of automated license plate readers by the Los Angeles Police Department and the Los Angeles Sheriff's Department. So automated license plate readers are sort of a privacy and the records of their use are sort of a privacy catch 22. On the one hand, if you can't get any public records act requests about the use of ALPRs, you're not going to know exactly how privacy invasive they are and where they're being used. And if they're being misused, on the other hand, of course, that information reveals a lot of information about the license plates that are being tracked. Of course, that's why we want to make it public what is really being revealed. Just like with a lot of the other surveillance that we see sort of law enforcement's line about that is if you're not doing anything wrong, why should you be concerned or it's just license plates, it's not that big of a deal. So we're really excited to see that case go to the California Supreme Court and there's been a lot of legislation at the state level around automated license plate readers and whether they are, whether that information can be requested under the State Public Records Act law. So we think that this case is actually going to be pretty important in, especially as states continue to adopt legislation. And ALPRs and biometrics are just a couple of the technologies that are being, that we have information on now, but of course, stingrays, drones, shot spotter, you name it, it's going to end up on that website because we think it's just really important for people to have this information in front of them. So we're going to keep it short and just that. All right. So where are we going to have the questions? We just do it right here. If anybody has a question, we're going to start a line right up here where I'm standing. I want to come forward with your question. So, and you know, this is sort of like it's a live ask me anything. So we're looking forward to hearing from you. Go ahead. Thanks for providing this forum. I'm curious specifically on the issue of privacy and cert transparency. I know that Let's Encrypt is going to support cert transparency. Some other actors in this space have gone out against cert transparency due to privacy. Perhaps I want to make a website and I don't want to tell the world about it. I want SSL, I want my friends to be secure, but I don't want anybody else to know about it because it's my website. More broadly, are there cases, are there places where, how do you manage cases like that where there is, you know, there's public interest in cert transparency, but there's also public interest in privacy. How do you, how do you balance those? I think Cooper, you want to say something about Let's Encrypt and then maybe Nadia about the ICANN? I can't hear what you said. It's like about Let's Encrypt. Yeah, yeah, yeah. So thanks. Excellent question. And I think that that's actually a really interesting question and pretty hard to answer. So they're definitely, I think that certificate transparency is pretty important. I think that, you know, there's obviously some problems with the CA system, a couple, right? And I think that the benefits that we'll get from certificate transparency and from knowing that the SSL certificate that your site is encrypted with is actually the one that it's supposed to be encrypted with, right? I think that those will be pretty strong. And the privacy thing is certainly an issue, right? And maybe, you know, maybe there are some other workarounds for that, right? Maybe you, maybe you host a tour hidden service. I don't know. But I think that the benefits of CT outweigh the, you know, some of the potential privacy concerns. Yeah. No, I mean, I mean, I don't know. I haven't done, like, honestly, I haven't done much research on that particular topic. So we actually don't have anyone from the Let's Encrypt team specifically up here. You can ask Peter Eckersley. I'll throw him under the bus on that one. So back in May, there was a circuit court ruling on the warrantless surveillance that said it was an authorized by the Patriot Act. And then it was like a month later, there was a FISA court ruling that seemed to ignore that and say, you know, everything's fine with warrantless surveillance. And then, of course, Congress reauthorized the expiring sections. I was just hoping you guys could provide a bit of context and how this might play out in the courts. Do courts contradicting each other? Will that go to the Supreme Court likely? Or how can Congress sort of ignore the rule going? So on the first part, yes, there was a very good ruling about section 215 of the Patriot Act. And the court found that what the government had been doing was illegal. It was not authorized by that section. It wasn't saying that it was unconstitutional, though that argument had been made and that's actually, we also believe it is also unconstitutional. But that was a good ruling. However, that circuit court's decision was not binding outside of that circuit. So it is not enough that that happened to require the FISA court to abide by that. And then things got further complicated by the passage of USA Freedom, which changed the language of the statute that had almost immediately prior been the court interpreted and to say that they couldn't do the program. So now we have to think about the program under the new statute. And then for how that's going to play out in Congress, Mark, did you want to say something? Well, I think the larger question was, I think the larger question was how it's going to play out between when you have two competing court decisions, right? So, you know, I think right now we have a continuation of the program and we're going to go into this an hour program that the USA Freedom Act sets out. I'd also be interested to see if you could give us an update on where the ACLUV clapper is as well as if those cases are ongoing. Because I think an important part of that question is well, what happens to these current court cases that, you know, we're at first addressing the legality and constitutionality of the program? All right. And so there are a number of different cases out there which are challenging the NSA's wireless wiretapping program. Several that we brought. There is the ACLU versus clapper, which had the section 215 decision, obviously brought by the ACLU. And there's a couple other ones out there. There's a Smith of E. Obama, which was a case that was originally brought by a solo practitioner attorney on behalf of his wife. As the client, unfortunately got an adverse decision at the district court level. But then the ACLU and EFF joined forces to assist in the appeal. And that was actually heard in December. So we have a number of cases ongoing. We're going to have to determine a couple of things moving forward. One is the main question, the very important one. Is this constitutional? Is this or unconstitutional? We think it's unconstitutional. That what they were doing with the wireless wiretapping program, regardless of what was written into the statute, goes beyond the bounds of what is acceptable under the Fourth Amendment. And under the First Amendment, for your right of association, your right to be able to communicate with other people without the government knowing everybody you're communicating with. And those challenges will remain ongoing despite the statutory language change. However, for the aspects of these challenges where it was focused also on the statutory language, that has been changed by the modifications of USA Freedom. So, you know, the original statute, 215, it was thought to be the library provision. That was the colloquial term for this. When it first passed, people thought they would get your library book records with this. It was any tangible things that would be relevant to an authorized investigation. And through secret law, through determinations of bycourts that were not until recently known to anybody, they determined that everything is relevant to an authorized investigation, which sort of makes relevant a dead letter. It means nothing of everything is relevant. And they expanded the understanding of tangible things, instead of it being records that companies had and then providing those records, it was an ongoing daily dump of all the phone records prospectively. So they, I think, you know, their interpretation was wrong. And this is illustrating what the terrible, terrible problems there are with secret courts doing secret interpretation, like the FISA court, where we still only have a vague glimpse of the kind of decisions that they're making. So they changed some of that language through U.S.A. freedom and came up with a different system where the telecommunications companies would hold on to the records starting in about six months, or six months from when U.S.A. freedom passed and they would use a different system to get them. And so when you have a statutory challenge and then they change the statute, that sort of throws a little bit of a procedural monkey wrench in. And in a lot of the cases that we've been working on, we've been providing briefings of the court, what is the effect of U.S.A. freedom on the ongoing cases? But just to build on that a little bit, I mean, so those particular set of cases have been ongoing for quite some time now, and we've been, you know, fighting, and also the ACLU's been fighting for many years. But one of the things that is extraordinary to me is that, you know, it seems like no matter, every time you turn around and you go, wait, now we know we're fighting over this issue, this is the issue we're going to bring up to the Supreme Court, where we're going to need to, okay, we're focused now. And then all of a sudden we get a new revelation. Actually, it turns out that a whole other agency is collecting records of all Americans and people internationally, and now we have a brand new case. So that's, we had to file a lawsuit against the drug enforcement agency, which Nate just mentioned. So we're starting, we're back down a district court just starting again, but it's a similar kind of activity and it just seems like every time you turn around, your most paranoid fantasies turn out to be true, and there's yet another way in which your government is spying on you. It's really quite extraordinary. So what happens with these particular cases in FISA and so on is incredibly important, but it's very clear that the problem isn't even that confined, it's not confined to the NSA, it goes far beyond it. What the DEA was doing, they were collecting records and then they were letting agencies, all the other government agencies, access them. So it's really hard to even track who actually got access to those records that were collected and were able to use them. It's really, it's extraordinarily pervasive and really quite shocking. So good evening. So there was a QA by Bruce Schneier, I think it was yesterday, and I'm going to channel an excellent answer to a question about OPSEC, making OPSEC easier for normal people, and his response, if I'm paraphrasing it correctly, was it's probably impossible. So go for pretty good security and make it ubiquitous. So to that end, I know that training end users, lay users on end-to-end encryption is one of the services, if I recall correctly. What can we do to encourage the adoption by our peers and by normal people, tools such as signal, scythe, mail envelope, et cetera, to just kind of get the word out there? Well, I think one of the, there are a variety of different ways you can encourage people. So it depends on your audience. But I think, you know, one of the things I always like to point out is that we are making surveillance more expensive and more difficult for the government when we do that. I think another important point to make is that especially if you feel like, you know, if you have, if you understand how open source applications work and you know why they work and you're comfortable using them, that really your security is only as strong as the weakest link in your security. So I think it's incredibly important for this community to be, you know, working with the people who, you know, your grandma should be able to use signal. And really your grandma could use signal and there's no reason why why she couldn't. You know, there's no reason why anybody couldn't use signal. But you know, I think it's a question of making it accessible to people. And also definitely everything that's on surveillance self-defense is shareable. Everything that EFF does is creative commons. So take any of our tools. What's the URL for surveillance self-defense Nadia? It's a shocking URL. It's HTTPS.slash SSD.EFF.org. So please send people there. You know, there are people across the country who do these trainings and they do them for people for a variety of levels. So you know, it's, you can do a security 101, you can do a security 201, you can really tailor it to specific groups. So one of the things that I get really excited about doing is doing surveillance self-defense trainings. Where I know what the audience is going to be and I really tailor what I'm doing to that audience. And so I think sort of that's a very long answer to a simple question, which is your argument for why people should use things is a little bit audience specific. To add on a little to what Nadia said, one of the other things that we do is we try and make encryption just more prevalent, right? So we have HTTPS everywhere. We have start TLS everywhere to get plain text off the wire. And then we're doing crypto policy work to make sure that NTEND encryption stays safe and legal and not backdoored. So that's another thing that we're doing. Because if everyone is using iMessage and iMessage is as Apple says it is and not backdoored, that's great. So I kind of a follow on to that question. We've seen a lot of, for lack of a better word, zero knowledge encryption systems and services being provided in the past few years. And just the technical premise being everything on their servers for a specific account is encrypted to a public key and then the private key, they encrypt the private key with the user's password, right? And so they never have direct access until the client logs in. And on a legal level this is different than just encrypting it locally with a password or with an encryption system you control. But when there's a distinct messaging app that talks using protocol to a remote server, but things get really fuzzy when it's a browser based app, right? So a lot of the new, a lot of the new email services that we're seeing, you know, in other countries, like Protonmail, they have a client and you put your password in and on the JavaScript side, like, but it's incredibly easy to backdoor those and they can backdoor them on demand and target an individual user. My question is, um, is that especially for U.S. services and obviously I don't think you guys can talk about Germany and Switzerland but for U.S. services they're doing similar things, do you really feel that there's a legal distinction there between the two systems? There's no law on this whatsoever. No court has ruled on it in the United States. And something that I'd like to emphasize actually, and this is just sort of more general, we haven't seen and we're completely unaware of any order from a U.S. court ordering a service to backdoor its product. The law of its situation is a little bit different. That wasn't a backdoor order, that was a key material order, but it's different. But that's the only one that we've heard of. What we've seen is a ton of informal pressure put on, you know, the blood will be on your hands argument unless you backdoor. So your question was, is there a legal distinction? The answer is no because there's no law on it whatsoever. End to end encryption or zero knowledge systems are legal in the United States. Period. What that means though? What happens when you get a wire tap order with a technical assistance order attached? We don't know the answer to that and we would love to litigate it. So if you run a service and you get an order that you're uncomfortable with, please email info at EFF.org and we'd love to either help or find you lawyers to help. Thanks. So I'm going to switch gears a little bit. When with stuff like the SISBA, the legislation that just won't die or Congress passing retroactive immunity to telecoms who are complicit in various questionable programs, breaches that seem to be happening every other day and basically kind of the deck being stacked against you, how do you deal with burnout? At what point do you like, how do you keep from just kind of throwing your hands up in the air and saying fuck it? Never say that. That's actually, so working on the cyber security stuff, sorry. So that's actually a great question. I will tell you working on the cyber security stuff in two weeks I'm going on a 500 mile bike ride and not touching devices. So that's sometimes how I deal with it. On the flip side of that, I deal with it with the fact that we are going to have to fight for these things, right? We have people, you know, some of them in the intelligence community, some of them at the FBI and I say just constantly fighting us and we're going to have to constantly fight back. I think that we are in a very special time period, right? A lot of the standards we set now or going to last for a while when it comes to all of this stuff and everything that EFF touches and everything that EFF works on. So, you know, for me personally it's just the fact that if we don't, if all of us aren't fighting against it, right? If all of us aren't setting the standards in the public interest for better uses, then we're going to have a much worse internet, we're going to have a much worse, you know, in my opinion technology industry. So, you know, I think those are kind of my two answers. Burnout is difficult, especially you saw over the summer, you know, Nadia as well as myself were working on national security legislation and activism and then we immediately switched to this cyber information sharing act. So, you know, there isn't a lot of rest, but, you know, I think perspective try and take vacations and also just realizing that we're in a very, very specific and a very important time period. We'll get to, I'll get to rest later in my life. I would just add to that too that I think that, I think that everybody at EFF feels extraordinarily privileged that we get to do this work and that you guys support us in doing this work. And so yes, not like, you know, you don't have hard days, but it's tough. But really, we are so lucky that we get to do this and we get to fight this fight. No one who works at EFF is the kind of person who doesn't love a good scrap. You know, that's why we're there. And the other thing is sometimes you win and that feels really good. So you just got to remember those. I think just one other thing to add is that one of the great things about EFF is that we have a holistic strategy. And so even though, and we all work on a lot of things. So, you know, in this year, I feel like I've seen some really frustrating things that didn't move. But we've also, I also get to work sometimes on local things. So, you know, I'm working on things at the city council level or I just got somebody to use some program they never would have used before. So it is definitely the small victories make a big difference and having a holistic strategy like we do, I think, is also not only helpful for winning but also helpful for our mental health. Hi. I have a comment and at least two questions. First question is, what do we do about the problem of demonstrating injury? When there's so much secret things going on like with the NSA versus ACLU case, I believe it was 07, there was a lack of evidence of an injury, the court said and they couldn't have obtained any of the evidence, they also admitted. That's kind of a catch-22 in these types of scenarios. Any suggestions or thoughts on that are appreciated? And do you want me to wait for my second question or? Well, I just, I addressed that a little bit briefly. I mean, what are you talking about with, you know, evidence of injury? There's a notion called standing that is necessary. You have to have standing before you can proceed with a case. You have to have some concrete relationships of the case that is usually demonstrated by showing that you have been injured in that case. And one of the challenges that has come up in the national security context is the government asserts that it is a state secret whether or not they've spied upon you in particular. So even if they have a program that is spying on everybody, nevertheless, if whether everybody includes you is a state secret that can be determined, therefore you can't get standing and therefore the case has to be dismissed. And that's what we've been fighting in some of our cases for at least, you know, in our jewel versus NSA case, we've been fighting the standing issue for since 2008. So it is, it is a challenge. Any hope for a way to overcome that? Yeah, I think one of the things that we foresee doing a lot of fork on, particularly in the national security arena and with NSA legislations, we really want to see, we really want to fix classification. So this is definitely a problem and something that makes it a lot harder to understand what's going on and we see it as a huge issue. So whether there's hope or not, yes, there's always hope. Okay. That's dovetails into my second question perfectly. But first my comment, people often in the know will tell you that there's a shortage of good attorneys, a lot of the qualified and skillful litigators get lifelong contracts so that they don't have to represent certain, you might say, bad guys. So assuming there is a shortage of good attorneys and legal researchers, it's been said approximately 10 percent of the population will ever litigate and even less will be able to make an argument that's complete. How do you guys feel about your availability of legal team? Is there a way to deal with that? Availability of legal team? Is there a way to contribute and assist legal research or do you feel confident that you have enough to get the job done? Well, you know, I would put our team against any team anywhere in the United States. And we actually often are against all the different kinds of things, big law firms, big governments, you know, large and small, we'll fight and we'll take them on and we'll win. So I feel very confident that we have a set of very highly qualified lawyers now. We can always use help, right? Help is great. One of the things that we have, if there's any lawyers in the room, we have a group of co-operating attorneys. Those are the people who, among other things, they take the cases that we can't. We get tons of inquiries, people who need legal assistance and we can't take them all on. We try to focus on places where we can do impact litigation, we can change the law, we can make new law. That's really where we have to focus our work. We have to connect people to legal services. And so we have a whole host of co-operating attorneys and we always want more help from people who are willing to, you know, take on the clients who just need some counseling, need some advice, maybe need to do some litigation but it's not necessarily impact litigation. So if you want to join that list, send me an email, send an email to info at eff.org. Give your card to a mule, stand up a mule. We also have a group of basically technologists who are willing to help out with some of our projects. So it's co-op techs. And so if you would like to join that group, anyone in this room, same contact info at eff.org. Just one more comment. What don't you pass the mic? We have a lot of people waiting in line there so I'm sorry, don't mean to cut you off but we have respect for the line. We'll be around after too. My question is about the European laws that have been discussed at the moment about the new privacy laws. Just talk about it. My question is about the European laws that have been discussed at the moment. What's your thoughts of it? If it's going to be, it's actually going to do any difference. Are you talking about the right to be forgotten? For there for once but also the change that instead of it's the company location that is the jurisdiction of where the company is located whereas the suggestion is that it's where the individual is located. Got it. Yeah. This is actually a growing issue I think it's going to be for us and the right to be forgotten law actually raises it as well. For those who aren't, so I'll try to answer both of these in one. So we don't have an international law. So for those who aren't familiar, the right to be forgotten is the law that it's mostly in Europe but other countries are adopting it. Russia is trying to adopt it as well. And it's basically where you can go in and say there's something on the internet about me and it's not true and it's invading my privacy or it's defamatory and so I can get an order requiring Google or any other search engine to and what's happened recently is that so they're in Europe they've adopted this and we've had courts order Google in particular to apply that right. But up until now it's been country specific so it would be if there's a French court issued the order then only in France Google has to pretend like that site doesn't exist for people who in France they can't get to that website or there's also in French court and this has gone up on appeal now and been affirmed said no no no actually we need you to take down all around the world right so every citizen in all the world wouldn't be able to access it because some portion of the French population has figured out that they can get around and actually see the whole internet just by changing a few small settings and so Google's fighting this and I think rightly so because it's very dangerous it seems to me to have a different view depending on what country you live in you see a different view of the internet I think that's a very dangerous path for us to go down and usually people come in and they have these very sympathetic stories this was totally untrue as accused of a crime and I didn't do it and it's totally wrong but it's a practical matter what it means is depending on what kind of editing you want you just choose your jurisdiction and depending on what you're doing and that is what I think is scary I don't think any particular any one court should have the ability to set the terms for the entire world and they're also because in particular there are other countries that worry very much about things like the right to be forgotten so in Latin America several countries in Latin America have been very concerned about this because they have a history where it's extremely important for state leadership you are very scared by the notion that some portions of history will somehow disappear depending on where you sit and so this is but it's a hard problem I will tell you because I don't practice law in Germany so one of the things that we're working on is actually building coalitions with lawyers with privacy groups in other countries and figuring out ways that we can work together in Germany maybe somebody else can and we can support them by saying here's our experience in the United States here's what you might want to be worried about and that sort of thing but it's a big problem for sure and it's a growing one and in terms of data localization laws we are generally very very skeptical of data localization laws the reason being we have seen them possibly even more often than not passed for frankly nefarious force companies to store data locally so that it will be accessible to law enforcement so that scares us. Thank you. So I was really glad to see the EFF listed as one of the organizations that was against trade agreements like TPP and TTIP and I was just hoping that you could A explain a little bit more about why and what the impact of those international trade agreements will have to see as next steps to fighting trade agreements like that. Sure. I can speak to that. So so yeah absolutely we are very strongly against the TPP the TPP is this vast trade agreement that covers all kinds of things from dairy to corn to automobiles I mean it covers a lot but it also has a chapter on intellectual property and that worries us a lot and focusing just on the issue of copyright chapter where they're trying to negotiate international copyright law via a trade agreement and that already seems to be fundamentally wrong because when you're talking about copyrights you're talking about balancing and figuring out what are the rules for expression and that means you're talking about speech and that means it doesn't belong in a trade agreement because it's not the same thing as figuring out what are going to be the rates for corn it's a very complicated thing and unfortunately when you say the word copyright all of our free speech assumptions go out the window and suddenly it's really okay to police all kinds of expression as long as it's done in the name of fighting piracy so the other problem with the TPP though is not just the content of it what the trade negotiator in particular is trying to do is export some good DMCA that makes it impossible for you to break DRM for example so we sort of know we've got a long history here knowing that that doesn't work and causes all kinds of unintended consequences but it doesn't stop the US trade agreement trade representative of trying to make other countries accept it anyway but the other thing that's happened that's really pernicious about these trade agreements is they occur in secret okay and the theory behind keeping trade agreements secret is because they circulate in the markets based on finding out what might be in a trade agreement well that's all fine except now they're negotiating about the rules for our speech and that can't be secret okay so we've been fighting it the good news is there was a round of negotiations just last week that was supposed to be the final round and everything was going to be accepted and it was all going to be over too bad activists this is the time to negotiate it but it gives us another chance to challenge it and complain about it if they manage to get enough countries to agree to it then they still have to come back to Congress and they still have to get it ratified and so that will be if we get there we may not get there one of the things that happen with the trade agreements is sometimes people just give up right and that would be the reason remain hopeful that this trade agreement actually might die in the vine but if it doesn't we'll kill it in Congress I was hoping that you could elaborate on EFF's comments towards Wassener and also maybe some of the next steps that the community and EFF is taking sure so for those of you who don't know the Wassener arrangement is a 41 state rule use technology and what that means is technology that is useful both in a civilian and a military context things like centrifuges nerve gas precursors body armor land mines tanks stuff like that in 2013 certain types of surveillance equipment was added intrusion software and IP network surveillance tools were added to the Wassener but the United States didn't immediately implement the rule instead Department of Commerce took like 18 months to get its act together and released a proposed rule in May of this year and it was terrible it would have outlawed paid jailbreaking service or it would have required the license for paid jailbreaking services for pen testing and this was crazy right this had nothing to do with the types of software that the Wassener arrangement was amended to ban the export of the software that was intended to be covered by the Wassener arrangement were things like finfisher and hacking team state sponsored malware to target endpoints and the command and control infrastructure rules the Bureau of Industry and Security which is part of commerce here in the U.S. were way too vague and would have regulated anything with zero day capability or with root capability without even trying to define those terms so Eva Galperin and I at EFF filed two sets of comments with the commerce department one of which said here all the technical problems with those by a number of organizations access CDT human rights watch and Colin Anderson and EFF also filed its own comments pointing out that code is speech and this kind of restriction would be unconstitutional among other things next steps the commerce department has indicated that it is going to revise the rule again so we won that but the real next step is going to be to try and push the member states of the Vasanar arrangement at the plenary meeting in December of this year in Europe to try and clarify the Vasanar control itself John Gilmore in 1993 said that the net interpret censorship as damage and routes around it software export controls don't use or end user controls so you can have a remote administration tool you just can't provide support to a repressive regime without going through a licensing scheme first so that's where we are right now we're working with the commerce department hopefully we'll be working with state to go back to the Vasanar arrangement really good things like pen testing because there's not much a pen testing toolkit can be used offensively or defensively that's dual use but we need to make sure that they're not chilled and that specifically security researchers academics hackers developers are not chilled and are free to continue going about their work so speaking of developers and a third thing before you were talking about hey if you have some developer you set up some service and the government comes to you with some you know I'm thinking like what the lava big guys got if you get something like that you know you love to litigate that I'm curious if there are any particular services that you would like to see developers set up and I'd like to know what the services are is this being recorded so yeah making a legal honeypot well I have to say we take the cases where they come up one the interesting things that has happened is that the government sometimes is as good at identifying good factual situations interesting cases as we are there have been for example so one of the things that we've done is tried to establish that there's a fourth amendment protection for your email that the government needs to have a warrant the statute as Mark was mentioning earlier has a distinction between emails 180 days or older we think that the fourth amendment should apply to your email all the time and we've won that case in some jurisdictions when we've come up with that case in other jurisdictions in this case no worries and thus the case goes away we don't get to establish a precedent and I appreciate that because it is of course victory for our clients in those cases but it's not the larger purpose of trying to establish the precedent so I would be concerned if one purposefully attempted to create this sort of honeypot situation with good facts to tempt the government to raise this issue well they'd figure that out and would not actually pick that particular battle the question regarding burnout actually got me thinking about something else so the answer was that you know hopefully that the EFF would have a lot of standards enforced by the work that's done that would permeate through time but that raises a concern for me on a sort of solipsistic thinking because it is the case that there's a lot of sort of for example Facebook and the other Silicon Valley companies because they're tech companies tend to be more accessible and more sort of culturally related to the EFF and to things like that but you have giants prowling telecom industry that is looking for new technology and is looking to deploy relevant cloud-based services and so on but whenever you want to work with them and ask under the table but perhaps obviously is this law can this technology do law enforcement requests you know and there you have those sort of very old telecom institutions that are only willing to deploy stuff that is very very open to law enforcement requests way too open to law enforcement requests but that remain outside the limits of what you know the way that the EFF operates generally so you know you see things like reports and you see things like all those things you know who's transparent and who's reaching out and then you see like a list of companies you know Apple Facebook Google all of the modern how related is that company's culture to the way that the EFF understands and how we all understand here in this room I presume tech culture but what do you do about those people who you know the standards that you set the precedent that you set is just not relevant to their way of thinking because they just they're coming from you know Bell Labs they're coming from the old you know telephone way of doing things and this is I would say what is the question so I just asked how do you deal with that so deal with the is it culture relevancy then like how do you deal with I think I understand the question I mean there are ways in which we can pressure companies that are sort of Silicon Valley companies sort of now established tech but still relatively new to sometimes improve their practices and do good things and it's very hard to get at the sort of older telecos how can how can we best influence them and handle that that particular problem does that sound like the right question yeah okay so the one thing I would say is that you know for example we have this who has your back project where we sort of go through who has your back when the government comes knocking and we look at companies practices and I will tell you over time even our sort of super friendly companies they used to get like one star or no stars I would appreciate and so we have but I guess what I'm saying is when we started a lot of those companies that you know later eventually got four stars or five stars for protecting their users they didn't start out that way okay so it's not like we started out all friendly friendly we started out saying no you need to improve your practices and they did and it's taken you know a few iterations but we got in there so I just wanted to improve well enough we're friends with them but anyway the newer companies we really it took a while to get them in a better place so you know I think you know there's some companies where never they're just going to be who they're going to be and I think what's going to happen is they will just evolve over time and we'll get a new guard taking over from the old guard so there's that and then sometimes you just evolve and where we have the holistic approach right where you know when we're dealing there are multiple ways to deal with a company you know we have litigation we have activism we have policy so I think that I think you know when I try and answer that type of question that's what comes to mind right there a company is sometimes an adversary sometimes isn't and there are different ways to get inside of companies and different ways to have companies act certain ways and I think you know if it tries to do that from a variety of and add on the sort of distinction between the old school telecommunication companies and some of the more modern technology companies Mark Klein was an engineer at AT&T old school telecommunications guy he'd been working there for many many years and he saw some things while there at AT&T involving wiring up a room for the NSA surveillance program and when revelations in the newspapers gave him the context sort of figure out what he had been involved with. He knew that it was wrong and he wanted to tell something about it. And from that we got our case against AT&T for their cooperation and collaboration in the NSA program. And I think that was applying some values that maybe this is a little bit different from what you see in some of the modern internet companies but reflecting a very core belief shared by a lot of people that we don't want to give the government that much power of our lives. So one other thing to add to that real quick is that I think a lot of these companies actually respond really strongly to bad publicity. So things like Verizon doesn't normally care about what we're doing or care about privacy probably. But when they got so much bad publicity over the UUID thing and people reacted so strongly to that I think that that really made them stand up and listen where they otherwise wouldn't. And another example of that would be the healthcare.gov information leaks. Normally this is probably not a thing. This is not a friendly institution. This is not an institution where we necessarily have a lot of contacts. But the bad publicity generated by that and the outrage and people being upset that you all helped build. I think that that really does help us connect with these companies that otherwise don't care. Okay, hi. So you've touched on this a little bit in answer to other questions but I just want to ask about sort of the how can we, how can we prevent, okay let me start again. I'm going to start again with a question. How can we prevent and what tools do we have at our disposal to prevent the setting of bad international precedence outside the United States? So these come in two forms, right? They come in the form of things like WCT WIPO, right? Which is where we got 1201 everywhere through treaties and that's what we're talking about with TPP. But also, I mean, Canadian Parliament this summer pushed through copyright, retroactive copyright term extensions on audio recordings with no treaty, no like, you know, just they just said it's international standards just because well the EU does it and the US does it. That's international, right? I mean like we get these standards even without the standards bodies and the, you know, like just out of nowhere. I mean what, yeah, it's bad. So again, I wish our international team were here. Next year I think we're going to have to make sure we have somebody. It's hard, you know, it is hard to intervene on the international level but what we do try to do is, you know, we do run international campaigns sometimes where we can, where we coordinate with other groups and make it possible for people in the United States and outside of the United States to speak up and support of, you know, international principles that we think are really valuable. So that's one way to do it. I mean I think for people in this room the most media thing is, you know, stay tuned to EFF.org and when we run these international campaigns even if it seems like well this doesn't affect me as a US citizen. But maybe it's actually going to help set international norms and so maybe you should lend your voice when we call, which will be really, really great. It's really, I mean this is what we found out is that we can stop bad things but only when there's sort of coordinated international outcry. I would remind everybody of, you know, just a year before we stopped SOPA, which was domestic legislation, right, actually it wasn't a year before, it was right around the same time, international protests stopped ACTA, which was an international trade agreement that looked like it was going to be adopted and effectively was stopped in the tracks via international protests here and abroad. So, you know, there is still stuff we can do. It just requires, you know, a certain degree of coordination. Hi. So you guys have talked a little bit about the freedom of speech issues so far and I'm curious. So I've heard some quotes from your organization speaking out against laws that have come out criminalizing what's locally referred to as revenge porn. And I'm curious if you think in this space there is any way to kind of balance criminalizing these actions with the very clear kind of free speech concerns that we see in that space. So that is a great question. And I think the easier answer is we haven't seen any legislation that even comes close to that. The problem is that a lot of this legislation has very poorly defined terms. It's really unclear when it would apply. And actually, ironically, the legislation in some ways mirrors the policies that we've seen coming from companies. You know, there are questions about really key terms like consent that are just not clear in the legislation. So, you know, if we were to see a piece of legislation that really genuinely could balance these concerns, we'd be excited. But we have not seen it yet. The question, though, of addressing this issue is certainly something that we think that people need to think creatively about. Because what's happening now is that it's very reactionary. And it's reactionary in a very particular way. I think sort of shifting again to mentioning the companies that they know that people are upset. They know that people want them to do something and they're going to do the thing that is the easiest for them to do. And that's what we're seeing with the revenge porn legislation. And I think the other thing to keep in mind is that a lot of this legislation is not thinking about the, all of the issues of harassment really are coming from a big cultural context. And legislation doesn't want to think about any of those things. Legislation is very poor at addressing cultural issues. But, you know, so it is, we're just seeing this desire for easy answers. And I think it's hard to imagine what free speech protective revenge porn legislation would look like. So, you know, I think that's a very unsatisfying answer. And the issue of harassment, a lot of the answers are very unsatisfying. Hi. Thanks for being here tonight. You're welcome. EFF has come out against legislation like CISPA and CISA. I'm curious if you could describe at a high level what you think a constructive framework would be, both from a private corporate perspective as well as a government perspective, sharing threat information in a way that also respects privacy and protection of individuals' information. Yeah. Great question. Well, I think we should start out by addressing the flaws that we've seen in the breaches, right? I think one of the more important things to note is that CISA and CISA these laws are addressing or they have been painted as more information sharing is a silver bullet to more breaches. But when we look at a lot of the breaches that happened, right, when we looked at J.P. Morgan Chase, when we look at OPM, Home Depot, Target, what we're seeing is that it wasn't a lack of information that actually would have solved these breaches. What it was, I don't know if people followed up on the news, but J.P. Morgan, New York Times reported was due to an unupdated server. There have been other things where just malware and phishing links, so it's like very low hanging security fruit, very low hanging fruit that we can try and protect against and get. So I think the first step is ensuring that we are actually tackling those things. You know, we could probably all talk about this for hours on what a good policy around those items looks like. On the flip side of a lot of the information sharing legislation, you know, we particularly focus on the broad immunity in the legislation and the granting of new powers, right? There are new authorizations in this law. You know, a lot of people neglect and especially the proponents of CISA neglect that, you know, companies, the government are already sharing the narrow technical information to stop these threats and to protect these threats. They're also deleting personal information when they share these things and that also isn't, you know, often isn't content, our emails, other personal data. And what these bills do and what we see every bill, what every bill does for the past five years is try and get rid of a lot of the privacy protections and try to enlarge, not only just enlarge the scope of the content or of the ability to collect very private information, but also increase the powers. So, you know, I think that we try to focus on the first point is that information sharing isn't a silver bullet. Narrow information can be shared. We don't need to grant companies huge new powers and broad immunity to facilitate that. And the second is let's actually deal with the problems that we're trying to deal with. Let's look at how these breaches were caused and try and fix those problems. We're focusing on a problem that isn't, on a solution that isn't an actual solution to these problems. So, with full system encryption becoming more ubiquitous, have you seen a trend towards law enforcement trying to force individuals to divulge their passwords? And have you seen any specific cases in which they've addressed whether or not that's protected speech? So, I'll take the question about divulging your passwords. So, this has been a continued area of litigation under what circumstances can somebody be compelled to divulge their passwords, or maybe actually the better way of putting it is compelled to provide unencrypted information. So, you often are, the government will not be able to compel you to give away your password per se, but you may have an order to decrypt the information and give them the uncrypted copy. However, it is that you may be able to do that. And I don't want to get sort of too esoteric into it, but one of the distinctions is whether the act of having the password, knowing the password and having that password work would give testimony. Would that provide additional information such as this is the hard drive that you own? You are connected to it. Will it be testimonial? At which point you can have your sort of fifth amendment protections come into play. But if they know that it is your computer, they can establish that through other means. They know that you do have access to this information. But you are not currently giving it to them. Then sometimes courts will order somebody to give a decrypted copy. So that was the, and I actually have forgotten the second part of your question. It was about whether we've seen an increase in law enforcement attempting to force people to. So I haven't seen any particular increase, but we are actually not, our strong set is not in grand statistics. Because when the government does things, we only find out about it if somebody contacts EFF and asks for help. One of the things that the government does is, as Kurt mentioned I think earlier, is that they pick and choose their sets of facts to actually litigate. And if there's a good set of facts for us, it's often the case that they just drop it. Usually in the compelled password cases, we see it in child pornography. And judges are willing to go to great lengths to throw child pornographers in jail. So the government loves to litigate the compelled password turnover cases in the child pornography context and not really in other contexts. So there's been some bad law made by some bad people. Hi. Thank you. So you've touched on quite a few proposals, rule making, the export control and legislation and information sharing that would undermine our rights. So I think it's easy to become disillusioned with the political system. But are there any proposals out there that you can point to that would kind of allow us to sleep a little bit easier, things that would benefit our rights that you've seen, that you think that we should support? And if so, what can we as kind of an involved community do to help that cause? So let me just start by pointing out a win from our perspective. So this is an all doom and gloom. Because we actually had a win this year from our perspective, which is that four million people spoke up and forced the FCC to do the right thing and enact net neutrality rules that actually make sense and will survive legal review. The FCC has been trying to enact open internet rules for about a decade now, but based on the wrong legal authority for kind of technical reasons, which I can get into, but I don't have to. But the point is that, you know, a year ago, the FCC was poised to do the exact same thing again, which means it would go to court and it would lose again. And we have a world in which many people don't have any or have very little choice with respect to high speed internet access. So we have a world in which we don't have competition, and that means we have a world in which UFF came to believe we really needed some rules of the road. And the FCC, we have a lot of concerns about the FCC, but nonetheless, that was the agency in power to establish those rules. But the FCC was going down the wrong path once again, and we and many other organizations worked together and mobilized internet users, and we completely turned the ship. And it was amazing. It was an astonishing thing to happen, and very exciting for me to watch. And it leaves me feeling actually very, very positive about the power of the internet and the power of internet users to actually do some good in the world to not just stop bad legislation, but actually help, you know, enact good things. So that makes me hopeful. And those rules are being litigated in court now once again. But this time, I feel like we could win this one. We'll survive legal review. So there have been some real victories, and there will continue to be that. I think that internet users are starting to mature as a political force to be reckoned with. So I want to say thanks for hosting this session. You know, I want to go back just roughly two years with the snow and revelations and how much it completely shocked the country. You know, a lot of us already knew some of this, but not to the extent. In myself, working in the cybersecurity world, I'm sure probably a lot of people in this room, the feeling that I get every time I read something, that's whether it's on the intercept or your spiegel, or new things that come out about surveillance again. And I feel like there's, you know, people become desensitized to it now. Even peers of mine. So it's my concern, I guess my question is, you know, how can we get people to become more, trying to get the best turn, to be more engaged and understand the implications of, you know, mass surveillance and our freedoms. So... Well, so that is a great point. I think that people absolutely do feel overwhelmed. When I do surveillance self-deference trainings, one of the first things I say is how many people have ever heard somebody say, why do I care if I don't have anything to hide? And, you know, pretty much everybody raises their hands and then I ask how many people have heard somebody say, oh, it's just so bad, there's nothing I could ever do about it. Usually everybody raises their hands. So I call those two things privacy nihilism, kind of combined. And it's very prevalent. It's a very real issue. So I think, you know, we need to make it real. And I apologize if there's any kids in the room, but dick pics. I mean, that was a brilliant, that was a brilliant segment about, you know, when you're talking about section 702 of the FISA amendments section 215 of the Patriot Act, people want to know how it's going to affect them. And really on the very base level, people want to know, can they see my dick pics? So making it real for people, I think is really important. I think that there's still more translating to do. I think we're still figuring out with the degree of information, this is the level of information that we got, how much is still out there. I think we as advocates are still figuring out how to communicate that and I think that it's, we really absolutely want to talk about the values behind the work we do. We want to talk about why privacy as an ideal and as a value is something that we have the right to. But we also need to talk about how it's going to matter to people. And so I think continuing to do that and also giving people hope, so having that holistic approach and saying, yes, it is really bad and I am going to tell you about another new revelation, but here's the thing you can do right now. Right now, you don't want to get any harder for the government to surveil you. So I think doing those things, all of those things, and also really letting people know what a difference it makes when they do engage. Just as somebody who's done legislative work and Mark can speak more to this, when Congress people get calls and when they get emails, they actually do, it actually does make a difference. They actually, sometimes the difference is only in numbers. If they only got one call and maybe they're not listening, but if they got 100 calls, they're like, oh, if they get more, then they're going to care more. So I think all of those things, people need to hear all of those. Also, I would just add there's one thing. I love the privacy Badger project because it's just one of many things that we do, but part of what it does is I have it installed in my browser and you can see like you go from website to website and you realize all the different ways in which, and this is a government surveillance, it's company surveillance, but it's a very easy way to suddenly realize I can visualize all the different companies that are watching me now. Whereas I would navigate to this site, oh, hey, it's green, it looks great, this is really safe. And so I think that's just like little, you know, not little, I don't mean to say it's small, but like it's actually quite important and visually interesting way for people to engage and become conscious of how much they're being tracked. So I think those kinds of projects are actually kind of key to keeping people aware and sensitizing them as opposed to allowing desensitizing. And just to piggyback even a little bit more, we don't talk about free speech as only an individual issue and we shouldn't be talking about privacy as only an individual issue either, right? I don't really have anything interesting to say, so I don't care about free speech for myself, I care about free speech for everybody else because what everybody else has to say is what matters. And privacy is the same as having nothing to hide and I don't care about privacy for myself. I care about other people having privacy because privacy is what's necessary to do the hard work of democracy. You can't organize without privacy. You can't push social change without privacy just like you can't do it without free speech and frankly you can't have free speech without privacy. So whenever you hear the I don't have anything to hide, I don't care about privacy, the answer is well I don't care about privacy, the answer is well I don't care about society. Good evening. I'd like to move the conversation back to online harassment. I've had a friend who has had a very hard time and an acquaintance who's had an even harder time. This is very near and dear to my heart. I know this summer the Supreme Court came out with a decision that kicked a lot of these am I right on that? About how victimization is defined, there was an ex husband who went after his wife and that decision was kicked back down. I'd like to know if the EFF is working on the lower court level to help define what is harassment, what is harassment and how that's defined going forward. So I can say that I'm not certain which case you're referring to but you know there is a huge bleed over between online harassment and offline harassment and it sounds like maybe the case you're talking about was about offline harassment. No it was online harassment, he was putting things on Facebook about how he was going to. I'm sorry now I know what case you're referring to, I wasn't clear and I think I'll let one of the attorneys answer that. But I think the question actually wasn't about that case, I think the question was what is EFF doing or not doing to help the lower courts define harassment? Correct. And you know I think part of our viewpoint is that actually we have a lot of laws that define harassment already. I mean we have a number of laws on the books that can be used, criminal laws and civil laws that can be used when people are stepping out of line online. We have robust defamation laws and criminal penalties for other kinds of criminal activity. One of the things that we think though with respect to the criminal side, I think law enforcement needs to be much better educated about what counts as a threat and how to handle threats. I think too often law enforcement has discounted actually important threats that are happening and so one of the things that needs to happen. I can't say we're actively doing it right now but it is you know I think something that we're aware of that you know the laws that are on the books are not always enforced in the right way. But what we like about the laws on the books is that at least with there, like with defamation law for example, we have a history of courts figuring out the balance between defamation and free speech. True threats, just talk. And I think it's going to continue to be a struggle and we're super aware of you know what's happening online is much of what happens online is awful. Much of what happens online is great. But much of what happens online is awful. I do think that something that Nadia said earlier is really quite right. There's a way in which we have a cultural problem. And law and the courts is not always actually the right way to get at that cultural problem. It seems to me if you had a cultural problem in part you need a cultural solution. You also need tools for users to protect themselves so that we don't have to wait until a judge rules on something to be able to be protective. So it seems to me there's a lot that can be done that actually doesn't belong inside a courthouse. It actually belongs somewhere else. And at the lower court level one of the things that we do the most to help people is hook them up with good attorneys. As an impact litigation organization we don't do very much in the lower court level because lower court decisions are not presidential. So we reserve most of our effort for appeals courts that will have presidential rulings going forward. But every day, day in and day out, a mule hooks people up who come to us for help with harassment, with doxing, with lawyers who are very good at that. And we do that all the time. Thanks for being here today. I think recently in a district court decision maybe in New Orleans or somewhere a judge found that using the DCMA digital DMCA as simply a lock I guess he found that the thing that was being locked they weren't trying to protect a copyrighted work. They were simply using it as an access control list and found that that's not an acceptable use of the DCMA. So is this just a clueful judge slapping down a bit of overreach or is that kind of use in decline now? So what we have seen with respect to that question, there's a question of whether your activity has to be in some way tied to a copyright enforcement, a copyright interest or not, or tied to copyright infringement or not. And we would certainly like a world in which you have to be breaking DRM in order to engage in copyright infringement for there to be a DMCA claim. There's actually a law that's being advocated by representative Zill Lofgren, a hero by the way on most things that would do just that. But courts have interpreted the DMCA in different ways in terms of whether it actually has to be tied to breaking a lock whether it has to be tied to a copyright interest or not. So the Ninth Circuit has gone one way, the Sixth Circuit has gone another way. It's kind of a mess, but in the meantime if you're a person who's trying to actually engage in security research or fix your car, that's not very comforting because the law is kind of a mess. So do you see with the conflicting opinions that this is something that ultimately is going to head for the Supreme Court? It could happen. So I've heard it suggested that the net neutrality rules may restrict the actions that can be taken against the DDoS attack because you have to give equality to the DDoS attack. Is there any legal basis? I see you're shaking your head. That's good. I think that is just a cable company talking point. Yes. Wow. That was awesome. Hi, thank you for being here. I appreciate the opportunity to be able to ask a question. Actually, I wasn't playing on asking a question. I just kind of formulated one here as I was listening to you guys speak. But I guess where I want to go with this is we hear terms such as cyber warfare, things like that. And us as citizens, we are kind of getting bombarded more and the feeling of having to defend ourselves, I guess, is morphing into something more than just physical, right? It's digital defense. We rely heavily on the First Amendment to protect ourselves and a lot of your answers were based on First Amendment protections. We have the DMCA 1201, which seems like the biggest limit to our freedom as far as tinkering, hacking, things like that. I'm curious, have you guys ever considered application of the Second Amendment to this defense? So the Second Amendment is our right to, basically our right to defend ourselves, to form militia. But the kind of the idea around the Second Amendment was for us as citizens to protect ourselves against the government and the right to bear arms to protect ourselves against the government. So if we had maybe some application and some maybe some morphing of that Second Amendment, maybe that can be another defense to protect ourselves against the government and government intrusion into our lives. So this is certainly the notion of the Second Amendment coming into play has been raised on a number of cases. There is no court that has ever indicated that they might look at the Second Amendment outside of the more traditional meaning of arms rooted in the time of the Constitution, which is to say like guns and knives and weapons of that sort. And when it has come to software putting into categories with weapons, that's generally been somewhat problematic. And so in the earlier days of the EFF, in the first round of crypto wars, there were controls over the export of cryptography with the notion that those were munitions, those were weapons. And in that case, it was really the First Amendment that came into play establishing the code of speech and that you had a right to publish code even if it was encrypted, even if it was encryption, a program that made encryption. And so there really hasn't been any indication that the Second Amendment will be a fruitful avenue in the court. Do you see any future application of the use of the Second Amendment as a citizen's defense for some of these ridiculous laws? I mean in terms of, so the question being, can the Second Amendment be useful? The Second Amendment, of course, remains out there. You know, the area in which it may start to impact in technology or things like hacking guns, there's a panel on that earlier. 3D printing, you know, will bring some of these issues to the fore. Thanks. Thank you. And I guess the last question. Yes, mine is to simply, have you seen an increase in the usage or perhaps improper or more usage of the H1B visas? Usage, sorry, I didn't hear. The H1B visas, as in... We don't do immigration law? I guess I was just curious if you had anything. No? I know the quote has been filled. Yeah, immigration is not one of the issues we've worked on very much. And actually, whenever EFF needs immigration law advice, we hire immigration lawyers. All right, I'll write this, the last question then. I want to follow up with the question you mentioned. The secrecy around the national security. I don't know if you guys remember the case in Alabama when the Japanese car maker, Senate manager was arrested. Could you hold the mic a little closer? Yeah. I don't know if you guys remember the Japanese car manager was arrested in Alabama because his car, rental car tag was expired. Sorry. He was arrested because the rental car registration was expired. Okay. I don't think any of us here are familiar with that case. Sorry, so because of that, you know, because Alabama has a law request if you have a car registration. Also, if you are a foreigner and has some like mileage traffic problem, you have to go to the jail. So that was a kind of publicized. My question is that the car company probably used the, it's not the accident, you know, because when that happened you probably would say, we made a mistake, somebody didn't do the work, didn't do the public car registration. But before that case I was actually giving one of those car without the body registration. But I found out before, you know, the cops stopped me. So I think that's the kind of, they have a program to provide this car to some people. So provide the pretence for the cop to get the rest, get some evidence, something like that. Yeah, I'm not aware of a program that involves providing cars, people in the targeted surveillance manner. The suspicion I had because I got that car and I bring that to another. Well, actually this is about your sort of your specific situation. No, no, no, I was kind of asked the question if that's the kind of the policy or something like that. And it's very hard to hear it when you have the mic so far away. Hold the mic right here. So you're asking whether license plate surveillance is a policy? I would say if that's the something, they have a program like the car company or something like they participate in the program, in the name of the national security, but it's kind of a violent, your privacy, something like that. How do you context that? Because when you brought that up they would say that's because something to do with the national security so we can do nothing about it. Okay, I'm not positive that this will be an answer to your question, but let me take a stab at it anyway. I mean we do have this, Nadia was discussing just earlier the street level surveillance project that we just launched and part of the goal of that project is to not just track, but also share information about the various ways in which governments are surveilling people on the ground, including things like tracking license plates. So I don't think that's exactly what you're asking but I think that's the closest in terms of what we're paying attention to. Do you wanna add to that? Yeah, and I think one of the things that we always encourage is that people file a public records act request. So it sounds like you were potentially talking about a collaboration because you were mentioning the car companies themselves. And that is definitely something that we are seeing a lot of is. That's something like the AT&T participating in the national security. I'm sorry, I couldn't catch that. So far as we know car manufacturers, we have never heard any credible information that car manufacturers are collaborating with any surveillance. No, rental company, not manufacturer. Yeah. I was saying that. Rental car. Right, rental cars. Nope, that's all we know. Sorry, we don't have a better answer for you but we're not really aware of a rental car program that is this involved. It could be that there is one but we have not really heard of that. But thank you for your question and thank you all for coming. We really appreciate coming here, being part of this community and thank you so much.