much for coming here to hear my speech at eight o'clock on a Saturday night. I'm not sure why I got, how I managed to pull this particular time slot. This is a time when people would rather be breaking the law than learning about the law, but I'll do my best to try to keep it interesting and also maybe try to keep it short, and maybe we can have something like a conversation following this.

So for those of you who don't know me, my name is Jennifer Granick and I am the executive director of the Center for Internet and Society, which is a public interest internet law program at Stanford Law School. And as part of our program we have conferences, speakers, things to study the interaction of civil liberties, the public interest in computer technology, and I also teach a class there, which is a practical course for law students, which is called the Cyber Law Clinic. We take cases and provide people with pro bono legal services, and students get to work on the cases and learn how to be lawyers, and I get to work on issues that I think are important and interesting. So I am a teacher but also a litigator in that capacity. I came to this job from my background as being a criminal defense attorney, which I can tell you has been an extremely useful background this week, and we may get a chance to talk about that a little bit while I'm up here.

Okay, so my conception for this talk was that I wanted to actually have a really large audience, and I thought, how else do you have a large audience other than to survey everybody and find out what questions they're interested in and then answer those questions? So I took an extremely informal survey that my father would think is completely statistically inaccurate, and I came up with the following questions, and there we have some of them. I came up with about 10 questions that I thought that people would be interested in, and for those of you who responded to my survey, thank you very much.
I swapped out one of the old questions to give us question number nine, because I think that there's a lot of interesting things to say about that from a legal standpoint, and the thing about it that, you know, thing about the whole issue that interested me from a legal standpoint, and I'll give you some idea of my sense about what the law is behind all of that.

So these are the 10 questions that I'm gonna be answering. I see some more people coming, but I think when I did a similar kind of format at Black Hat I asked for people to keep questions till the end, but I think here, since it's kind of a small group, I think I can manage to take questions during. I just don't want to get, you know, bogged down on one question and not get to the point where we get to kind of get through all of the questions. So if you have questions that are relevant to something I'm talking about at the time, please just raise your hand and I'll see if I want to call on you.

I see somebody there with a trademark-infringing Newsweek shirt, which I'm gonna tell my husband about since he works there. It's a parody? Yeah, okay, well then you're cool, man, you're cool.

All right, so when you're trying to cover 10 legal questions, the thing I want to make pretty clear here is that I'm gonna try to give you, at like a very high level, some legal information.
This isn't legal advice and it's not a substitute for talking either, you know, specifically with a lawyer about your specific situation. But I think one of the things that's wrong with the law, and especially the law in this area, is that it's so complicated that it's hard to kind of get a sense of, like, what the deal is. And of course every time you ask a lawyer what the deal is, the lawyer will always answer, I mean if they're giving you the truthful answer, the answer is always "well, it depends." And "it depends" isn't really all that helpful, I can't, but it's always the right answer. So I'm not gonna give you an answer that's any different from "it depends." I'm just gonna try to give you some sense of what factors it depends upon, and then, you know, hopefully that gives you a sense of what matters in all of these issues.

Okay, so as you know from reading my questions, the first question that people asked was about wireless. And why did I think that wireless would be an interesting thing to talk about? Well, for those of you who are readers of the internet, and you know that there was very recently a case in Florida where a Florida man was arrested for using wireless networks, and he was charged with a crime under the Florida law. So people wonder, is it a crime to use open wireless networks? Because if so, I think probably there's a lot of people here in the audience, myself included, who have been committing some crimes. No one else need confess, I'll do the confessing for us.

I think the important thing about wireless is that when people say "well, I'm using the wireless network," there's a couple of different things you could mean. Different laws are gonna apply to these different activities, so depending on what you're doing we can see which laws might apply. The Florida case is a relatively rare situation. I personally am only aware of two other instances in which people have been charged with accessing a wireless network. One is a case that I was involved in
in California, which later morphed into a case about something else, and the wireless was no longer an issue, and the other was a federal prosecution of a man named Stefan Puffer in Houston, and he was acquitted following a jury trial. So those are the only other two instances I'm aware of in which somebody was prosecuted for wireless.

So let's take the more easy instances first and see what laws might apply. First, accessing stored files through the network. So the law that applies to protecting stored files is the Electronic Communications Privacy Act, and I put the text of the statute up here for you, but I want to take a moment to touch on, or to really kind of talk about, the two operative concepts that are the basis for this law and also for the Computer Fraud and Abuse Act, which is the anti-hacking law, and for many of these computer laws, and that's the issue of unauthorized access. So almost all of these privacy and computer crimes that we see are based on access that's unauthorized.

So what does that mean? Well, access could mean a lot of things. And, you know, I was having a conversation with my parents at dinner tonight, and we were talking about what it means to, you know, kind of get behind or go into a website, or sort of go behind the front page, or that sort of thing. And you have this sense you can talk about access as being something kind of metaphorical, like, you know, if I visit the website then that's sort of like the front page, like the front door, but it's not like I'm getting into the database of information that's behind it. Or if I ping and it sends me back a packet that says "yes, I'm here," then it's not like I really went inside or got any of the information that's inside. Or you can look at it in the way the computers really work, which is you send it packets and it sends you packets, and when you send it packets you're causing that machine to do something, and you're accessing it. Well, courts have looked at it in the more broad sense and
basically the cases have read that every time you have some kind of contact with a network computer, you're sending it electrons and packets, and so you are accessing it. So it has this very broad thing. In no case, and none of the cases that deal with the interpretation of the Computer Fraud and Abuse Act, has anyone ever been held to not have access to the computer. So access is kind of, it's like, any use or connection with the network to computers, access.

Well, so, okay, there's one element of the crime that we've all committed. What about authorization? Is authorization really something that helps us distinguish between legal and illegal activity? So authorization could mean a lot of things. It could mean that you have explicit permission, or it could mean that you weren't explicitly kept out. And how does the law see this? Well, a lot of technological people think that authorization is kind of about what the computer allows you to do. So permissions are set in such a way that you can access a file, or if the file is stored in a public space on the web server, then you've had authorization because the computer authorized you to do it. That's not the way that the law looks at it. The law has a much more social or sociological view of what authorization means, and there are many ways that you can do something that goes beyond your authorization.

There are cases that say that if you do something that a banner warning tells you not to do, your use is unauthorized. There are cases that say if you make access to a computer system contrary to the terms of a contract or terms of service, that that's unauthorized. Cases that say that if you are notified that what you're doing is unauthorized and you continue to do it, that that's unauthorized. So we have cases like eBay versus Bidder's Edge, in which a robot spidering program that collected auction information from eBay was making unauthorized access to eBay's website, because eBay told the company that ran the spidering program they didn't
want them there. And we have cases where somebody who was a former employee, who had left that company and was told that as a condition of your having left this company you're not allowed to compete with us, sort of a non-compete agreement, and he then went on to his old company's website and collected data there about how much, I think it was cruises, travel packages cost. And in that case they said, well, you were doing that to compete with your old employer, and that was contrary to the terms of your termination contract, and so that was unauthorized.

And the case that I think reads unauthorized access the most broadly is a case where a former employee started working for a new competitor company, but before he moved to the new company he took a copy of his old employer's customer list and he took it with him to the new company, and then the old company sued the new company and said, you had your guy make unauthorized access to our computers. And the new employer said, hey, he was authorized, he had a password, he was still working there, he was allowed to access the customer list. Maybe, you know, he took a trade secret or something, but it wasn't this violation, it wasn't unauthorized access to your computers. What the court said is that, no, the court said at the moment that he knew in his mind that he was acting contrary to the interests of his employer, his use was not authorized.

Well, think about that. Every time you access some computer in a way that the computer owner might not like is unauthorized. That's pretty broad. Okay, so keep that in mind when we're talking about all of these things, about what unauthorized means and whether it's really a principled way to distinguish between something that's criminal and not criminal. I mean, my argument is that it's not. And if you look at the civil cases that interpret these, particularly civil cases but now some criminal cases, think about whether search engines or
spidering robots or shopping bots or those sorts of things are crimes, because cases have held that all of those are making unauthorized access to computers. So if you were to use wireless to access stored files on a network without permission, that would be a violation of this particular law that I have listed up here.

What about intercepting communications that go over the network? Well, there is a law that says that you are not allowed to intercept the contents of communications. Okay, so when people ask me, well, what if it's unencrypted, just going over a wireless network, can I, you know, can I read it and take a look at it? And I always say no. And I feel even better about this after I used the wireless at Black Hat to check my email, and then next thing I knew I was locked out of my email account because some bozo was logged on, and so I couldn't get back in. I've had to change my email password four times at Black Hat. But I know, I know what you guys are all thinking, but I'm a lawyer, I mean, give me a break.

So I always tell people you shouldn't be accessing the content of communications. But I do think that if anybody, and it wouldn't be any of my clients who talked to me about this beforehand, but if anybody ever does make this mistake and ends up getting prosecuted for it, I think there might be a defense within the context of the statute. The statute does have an exception in it, which I think was designed to protect people who were capturing radio signals, and that exception says that it's not unlawful to intercept communications which are configured so as to be accessible to the general public, readily accessible to the general public. And I think there's an argument you could make that unencrypted communications over wireless are readily accessible to the general public. So hopefully none of you will ever have to mount that defense, but if so, you know, we'll see how that goes.

All right, what about just using the network? So this also gets us into question number
two, which is: what are the federal and state laws regarding computer crimes? And as I talked to you before, the kind of triggering thing is this unauthorized access. The Computer Fraud and Abuse Act, which is 18 USC 1030, one of my favorite laws, makes it a crime to access a computer without authorization and either obtain information or cause damage. It's a very long statute and there's more to it than that, but you get the basic gist. So the question is, is using wireless a crime under this statute? And I've always thought no, just using it isn't, because, you know, the wireless isn't necessarily a computer, and as long as you're not overusing the bandwidth or doing anything to damage the network, there's no damage, and in order for this to happen you have to either obtain information or cause damage. So I thought that was pretty okay until we started seeing these California and Florida cases.

So why is it different under state law? Well, state laws are phrased differently than the federal law, and I have here the California law. It basically says you don't have to cause damage and it doesn't have to be access to a computer. If you use computer services without permission, you may be committing a crime. And this was the statute that they chose to arrest the person that I was working with under. Similarly, the Florida statute says that it's a crime to willfully, knowingly and without authorization access a computer system or computer network, and you could say that the wireless or the access hub is part of the computer network.

So this is kind of scary, because you know that you're accessing the wireless, and how do they prove that it's without authorization? Well, the way they usually prove it is not that hard. Basically, as I said, you know, it's kind of in the mind of the owner, is the way that the law looks at it, and what I have seen them do in all of my cases is they get the person who's the owner of the computer system to come into court
and they say, you know, did you ever give the defendant permission to use your computer services or computer? And the owner says, no, I never gave them permission, and boom, they're done, they leave, and that's it. What are you gonna say? So authorization's always been pretty easy, or lack of authorization's always been pretty easy, to prove. But with wireless, how do you know, right?

Is there a question? So the question is, isn't it kind of implicit, if people leave it open, that maybe you're authorizing, that it's implicit that you're allowed? Yeah. Well, the box is called "allow all," and I can promise both of you that people who have wireless in their house, many people have never seen that box. Many people just plug the thing in and it just automatically allows, and that's it. So do those people want other people to make access or don't they? Some ISPs encourage you to share your broadband connection, and some ISPs in the contract tell you that you're not allowed to share, but the vendors choose to leave the burden of actually including or excluding outside users to the people who purchase the access and the wireless router. And most of those people aren't like us. Most of those people are more like, as I have my poster children of my parents, most of those people are more like my parents, who, you know, best case scenario are gonna plug the thing in and be psyched that it works, worst case scenario have to call in, you know, some expert technical assistance to help with that.

So the question is, what do you as the user know about what the owner wants, just based on the fact that access is possible? Do you really know what's in their mind? And as long as the courts look at what's in the owner's mind, as opposed to what might seem reasonable to you, you're in trouble. You know, in the case that I was involved in, one of the
things that made them feel like it wasn't authorized is that my client was outside of somebody's house in his car, and they're like, why is he lurking around outside their house? Now that might seem like totally normal behavior to some of us, you know, when you need to get onto the wireless, nothing wrong with lurking around outside somebody's house, but, you know, I don't know that a judge or a jury is necessarily going to view it the same way, and it's kind of risky to depend upon that. And of course, when the access point's open, you don't know whether you're allowed or the person's just, you know, too lazy or ignorant to have configured it differently.

So what I have argued with these laws is that it shouldn't be enough that you use wireless and that it's unauthorized. I've argued that you should have to know that it's unauthorized, like you in your mind know that you're not allowed to be doing what you're doing. Otherwise you don't have a guilty state of mind, you're not doing anything that is, you know, the illicit criminal thing that we're trying to prevent. And much of criminal law, in fact almost all of criminal law, requires you to have like a guilty criminal state of mind, and that's what we do to distinguish between, you know, where you don't get punished and where it's okay to put you in prison. So no court has adopted that yet, but if there are any lawyers out here who ever face some of these cases, you can call me. I wrote a brief on it and I think it's pretty good, I think it's a really good argument, but can you count on it?

You know, so the question is, what else could you do to make fail open more robust legally, so that, you know, in the absence of circumstances that clearly point to the contrary, instead of assuming that you're not authorized, we assume that you are authorized? And I think that, I mean, that would be great, right, if we could communicate to courts or juries or
Congress or legislatures that in the absence of some kind of security measure or some kind of clear notice to the contrary, if something is accessible, we can assume that it's okay to access it. And, you know, so there's two ways that the law develops. Well, there's many ways, but the law mainly develops either through statute, where you can have that be something that a legislature would pass, or it can develop through the common law, or through the process of judges making rulings, something becomes conventional and is sort of the way that things are done. And so, you know, in many of these cases what you're hoping for is to develop the common law so that courts see that we're gonna assume freedom, we're gonna put the burden of security, the burden of closing something, on the owner, and we're gonna not put the burden on the public to assume that unless they're explicitly invited in they can't go anywhere. So that's the way that it works with the law. I mean, there may very well be technological ways we could do that as well, which might include making it easier for people to make their preferences more explicit and putting maybe pressure on vendors, for example, to make that process of deciding easier, so that we don't have to assume that if it's open it's ignorance. We can assume that if it's open it's intentional and that if it's closed that too is intentional.

Okay, so the Patriot Act and computer crime. How did the Patriot Act change investigations of computer crimes? Well, clearly the Patriot Act expanded surveillance in many areas, but I'm gonna talk just specifically about this particular area. And the Patriot Act changed computer crime investigation in two main ways. First, it made it possible to get wiretaps to investigate computer crimes. Wiretap is a very privacy-invasive investigatory tool and you can't get it to investigate just any crime. You can only get it to investigate a certain enumerated
list of crimes, kind of meant to be the more serious or the more dangerous ones, and now computer hacking is one of those more serious or dangerous crimes for which you can get a wiretap. It also created this computer trespasser exception to the wiretap rules. The trespasser exception gives the government additional rights to monitor somebody who is a trespasser on the computer system. So if it's your system, it gives you more power to bring the government in without the government needing to get a warrant, and it gives the government more power to work with people who are owners of victim systems in order to do monitoring without them having to show the same level of proof that they would have to show prior to the Patriot Act. And here's basically the terms and conditions of the trespasser exception.

Yes? So trespasser is defined, it's very interesting I think how they defined it in this statute. A trespasser is somebody who has no contractual relationship or authority to be on the computer. And I think the thing that's really interesting about that is to contrast it with the definition in the Computer Fraud and Abuse Act, which says that you're just unauthorized, and it's clear that unauthorized means you've gone beyond the terms of the contract. Here they're saying even if you go beyond the terms of the contract, that's not enough to be a trespasser on this computer system, and if you have any right to be there at all, like if you're a legitimate user and you're just exceeding your authorized access, you're not going to be falling in under the computer trespasser exception, you're just not. It's got to be somebody who has no authority or no right to be there at all. And the thing that just really aggravates me about that is it shows that Congress knows that the Computer Fraud and Abuse Act covers people who are outside of the bounds of contract and that they're making criminal
something that is just a breach of contract, which I think is wrong and drives me crazy. And you wonder whether maybe they just don't realize what they're doing, and then you see that they excluded people with some kind of contractual authority when they made the trespasser exception, which shows that they knew what they were doing all along and they just disagree with me, as opposed to, you know, they don't know what I know. They know what I know and they like it the way it is.

Okay, where can you find out more information about the Patriot Act? Here's some places. And basically at this point in time there are many controversial provisions of the Patriot Act which were due to terminate or sunset very soon, and the House of Representatives has reauthorized those provisions and it goes to the Senate now, so it's actually a time where there's a lot of legal work being done on the Patriot Act, and it's a good chance and a good opportunity to get involved with Patriot Act issues. Seth, today or yesterday?
Okay, so Seth says that the Senate passed a bill that reauthorized most or all, or, okay, so he says it has different sunset terms from the House, that they reauthorized everything. And I wasn't reading the newspapers yesterday so I'm totally behind, but it shows you how fast things move, right? So is it too late for us or what? Okay, so it's not too late, there's still a chance when the House and Senate conference on the bill. Yeah, it's late, so see what happens. Will they bring us down? Here we're having fun in Las Vegas and they're busy working up there and stuff we don't like.

Okay, so one of the questions that people had asked me is, like, when can the government surveil me? This is question number four. And I put that on my list of questions and then I realized it's just simply completely impossible to do that question any kind of justice in this format. So I'm trying to figure out how much time I have. Okay, but I thought I would just, you know, make some comments about privacy and about how the laws that govern surveillance work generally, to give you a framework for what kind of thing should I be looking for, asking, when I'm wondering about when I can be surveilled.

So there's many different theories of privacy which are sort of operant in our law, and what we've done is we have like this mishmash of statutes which either try to protect or totally fail to protect privacy. And I think that a sort of a useful framework for looking at privacy questions and questions of surveillance is to ask yourself, you know, these five questions when you're looking at an issue of, is this privacy protecting, do I think it's privacy protecting enough or not enough? So, you know, we're looking at what level of proof needs to be shown for a certain kind of information depending on its sensitivity, and what safeguards are in place to make sure that there isn't any kind of, you know, unauthorized or excessive use of this personal information. So a
lot of people ask me questions about encryption, the very popular topic in the survey, and, you know, people wanted to know these sorts of questions about encryption, mostly, you know, is using encryption a crime? And why did this come up? Well, again, recently there was a case out of Minnesota in which the court appeared to be holding that the fact that the defendant had PGP on his computer was evidence of criminal intent.

Now for those of you who aren't familiar with the case, I can tell it. Basically this was a child molest case, and the victim told the investigators that the defendant had molested her and had taken pictures of it, and the investigators got a warrant and they went to search the defendant's computer, and when they searched the defendant's computer they didn't find any pictures, so that portion of the victim's story was not corroborated. But the trial court let in evidence and considered evidence that the defendant had had PGP on his computer in saying that there was enough evidence for him to be convicted of the child molest, and on appeal the defendant said that admitting the encryption evidence and using it in that way was improper, and the court of appeal said no, it's not improper, it's fine.

Well, there's a couple ways that you can look at this. So first of all, did the court say that using encryption itself was a crime? No. So there are not cases that say purely using encryption is a crime. In fact, there are cases that say the encryption algorithms themselves are protected by free speech principles. Certainly we also have a right to communicate and a right to communicate anonymously and privately, and so we don't have cases that say just encryption is bad. But is it evidence of criminal intent? Now remember, this is one case out of Minnesota, and I don't know how influential Minnesota will be in other states, but what you often find
in this area is that the very first case on a topic, even if it's kind of poorly reasoned and poorly explained like this case is, can become influential. So you want to be really careful about what it is that the case really says, and one wishes that judges were more careful about what they say that the law is.

The two ways to look at this particular opinion are either the one that we're all worried about, which is that when you have PGP on your computer it shows that you have something to hide and it shows guilty knowledge and that you're trying to, you know, keep stuff from investigators, so it shows you have consciousness of your own guilt. Another way to read this very same case is that the PGP evidence explains why there wasn't evidence on the defendant's computer. So it wasn't that it showed that he had something to hide, but it was an explanation for why they didn't find the pictures that they expected to find. Maybe they were encrypted, or maybe he'd wiped them, or something like that.

It's unclear which of these explanations the court is adopting. One, you know, maybe makes some kind of sense and doesn't necessarily penalize somebody for having encryption. It just says, well, in the totality of the evidence, and because I find the victim so credible, I'm not going to say she's not credible just because I didn't end up finding the pictures, because there's other things I can look to to figure out why the pictures might not be there. And that's something maybe we can all live with, as opposed to something that says, oh yeah, PGP, that shows that you knew you did something wrong.

A question here? I'll go to you in a second. So he's saying the press on the case, and I agree with this interpretation, it wasn't that the PGP evidence alone was enough, but in context with all the other evidence was part of there being sufficient proof to convict the
defendant of this particular case, and I think that that's a totally reasonable reading of the case. And I think we want to be careful when we read these cases to not give them an interpretation, and by we I don't necessarily mean you guys, I mean we as lawyers, and I was gonna say we as judges, but we all know that's never gonna happen for me, but judges also need to be very careful when reading these cases to make sure that they're not giving an interpretation that's not warranted and taking something that made sense in one small context and expanding it to be a general principle.

There's a comment over here, gentleman here. So it's a question about employees on an employer's network. And when you're on your employer's network, this gentleman is right, you have very little privacy, and that's for a couple reasons. First of all, many of our privacy laws, like the Fourth Amendment, don't apply to private parties, so the Fourth Amendment doesn't apply. And many of the privacy laws that we do have, privacy rights that we're entitled to by statute, have exceptions in them which will apply to employers and allow employers to do a lot of monitoring and that sort of thing. So people generally have very little privacy at work, and employees, employers rather, have a lot of rights to surveil. Now we've seen limits to that, for example with cases that involve, you know, videotaping in changing rooms and things like that, but, you know, a lot of times what employers will just do is say in the employee handbook, you know, everything you do here on your computer is something that we'll monitor, and you understand that, and that's basically it. So work is not a great place for privacy generally.

I'll take this question over here. Great question, because this brings me to my next point, and he's like, why is it not covered by the Fifth Amendment? Okay, so this is what I'm saying about, can you be compelled to turn over your keys so
that they can decrypt your stuff. And, you know, I hate to say this, because if this ever happens to one of my clients I'm definitely gonna argue that it's a Fifth Amendment violation, but I think the reason you would say it's not a Fifth Amendment violation is this. Okay, Fifth Amendment: you can't be compelled to testify against yourself. There's a couple things there. First of all, it has to be compelled. So the stuff you wrote that you've encrypted, that you don't want to turn over, no one compelled you to write that. You wrote that voluntarily, so there's no compulsion there. The compulsion, and they could search that if they could get it, you know, if they can get access to it without violating the Fourth Amendment they can get it, because it's not compelled, it's not compelled testimony. What about the keys? You're being compelled to turn over the keys, right? But the Fifth Amendment has a second part, which is that what you're compelled to do is something testimonial, and there are a lot of cases about what's testimonial, and for example cases say stuff like name, rank and serial number are not testimonial. So if you are compelled to turn over your key, you're not being forced to do it, say anything that's testimonial. All you're doing is giving them the access to the stuff you wrote, which wasn't compelled. So the best argument that you have, I think, why you can't turn the key over is there is something testimonial about the divulging of the key, something that is communicative, and what that is is that you're the person who encrypted it, that you're the person who has access, at the very least, to the information, because you've got the key. And I think that the downside of that argument is that what a prosecutor would do if they really wanted the stuff is they would say, all right, you've got a Fifth Amendment right and I'm gonna overcome it by giving you immunity. Fifth Amendment rights can be overcome by giving you immunity, which basically says we're not gonna use that against you, but they don't
have to say we're not gonna use what we find against you, and they don't have to say we're not gonna, you know, use the fact that you, what they say is we won't use the fact that you had the key against you. So you're divulging the key, to the extent that it's testimonial we're not using it against you, now you have to give us the key. And so then I think you're in a lot of trouble with your Fifth Amendment argument. Okay, so he says, well, you know, but let's say it's somebody with whom you have a privilege, like your wife or something. Okay, so you don't have privilege in information you confide to another person, period. You tell me something, if I'm not your lawyer they can ask me and I can be forced to tell. The reason why you have a privilege with people like your wife or your shrink or your doctor is because the law's picked out certain relationships that it wants to protect, because it wants to encourage the free flow of communication, and it's got certain little enumerated categories that it falls in there, and the reason why it does that is because it's protecting that relationship. Now the spousal privilege, they're protecting it because they don't want to tear your marriage apart by forcing your spouse to testify against you, and they want to make sure that marital communications flow back and forth. But if I write a letter to my husband and it's in my house and they have a right to come search my house, like let's say they have a warrant, and they find a letter to my husband, they can use it against me. Just like if you rob a bank and you tell your lawyer, you tell your lawyer I robbed a bank, that doesn't mean that they can't use that statement against you, it just means they can't make me testify that you told me that you. Well, then the question is, is the, is decrypting a violation of privacy? And what I would say to that is, even if you say that, even if the law says that the fact that you encrypted it shows you have an expectation of privacy and the information, expectations of privacy
can be overcome with warrants. If there is probable cause to believe that it's a crime, you don't have it. You may have very well have an expectation of privacy, but it is a conditional right which is overcome with a warrant, or if there's some exception to the warrant requirement. So just the mere fact that you encrypt it isn't going to give you any kind of absolute protection under either the Fourth Amendment or the Fifth Amendment. And I'm going to take this gentleman in the back. This is why I love speaking at DEF CON. I never get questions like this at Black Hat. Married to an android, can it be compelled? That's a great question. I don't know whether the law would be willing to recognize a privilege between you and a machine, even if the machine was serving the purpose that somebody who would otherwise fit under a privilege relationship with you would have, and in, that's the question you would have to ask: is the law prepared to protect this machine's, this person's relationship with the machine the same way that we would protect this person's relationship with a real wife or a real shrink or a real priest? And, you know, I mean, I, I'm not, I, it's, I'd be speculating, but I'm gonna, but I'm gonna guess, I'm gonna guess maybe not. That's a great question. I just, I'm sorry, I'm laughing at your question, but I actually, I'm laughing because it's a fun question, but, but it, but it allows me to say something, which is that this is the way we deal with stuff exactly in the law, right? You've got computer technology that evolves, because it's a beautiful question, so you've got computer technology that evolves and we have these old rules from way back, and now we've kind of got to decide, like, what are we gonna do with these old rules in this new world? And so the law has trouble with this, like the law just doesn't, and the question is, so we, you know, what we try to do really is we try to go back to the reason why we had the law. I mean, in our, in our best moments we try to go back to the reason why the
law existed in the first place and try to preserve those values now into the new world, which is why I say we'd have to ask whether society or courts would be prepared to say that the inter relationship between me and digital psychologist, psychiatrist is deserving of the kind of protection that the relationship between me and flesh and blood psychiatrist was, and if so we're going to say yes, and if not then we're going to say no. Similar question with bloggers: do bloggers get the same kinds of rights as journalists do? You know, we have all of these situations where we have new technology and we're looking to our old rights and privileges and saying, you know, how are these going to be in the new world? So I laughed at your question, but it is the fundamental question that I spend my whole life studying, which is how are the, what's, what are we going to do with these old laws in this new context? So lest you think I was laughing at the, at the question, I really just enjoyed your scenario. Yes. TTY porn, right? Yeah, I thought so. Very hypothetical. I mean, what it, yes, there, what I would say is the stuff that you wrote down that you then encrypted, you know, what the way the law would look at to say that's not compelled because you wrote it down voluntarily, and it's quite, I'm sorry, his question was basically, you know, is there a difference between saying I'm compelled to testify versus I'm compelled to give them something which lets testimony against me happen, and what I would say is that yes, there is a difference, because the Fifth Amendment only applies to compelled testimony, and your, this is where they're compelling you to get something that's, or they're, the testimony was not compelled and they're compelling you to give something that's not, okay, testimony, or the, you know, the thing you encrypted was not compelled and they're just compelling you to give them something non testimony, which is the case. So I don't think that that will work. I'm not sure what your question is, but let's go
for it. Let me just get through the rest of these slides and then we'll get. I'm not saying you're compelled. I'm saying, let's say I write in my journal I killed him, and then I encrypt it. When I wrote I killed him I wasn't compelled to write it. Fifth Amendment doesn't apply. I encrypt it and now I have to turn over my key. The key is not testimonial. They can compel me to turn it over. Then they get access to my non-compelled testimony, I'm the one who killed him. Boom, you're done.

Okay, statute of limitations. Now I put this in because I thought this would be a nice easy question, because statute of limitations is an answer, I should just put a big number up, which will be the number five, and that'll be great, because, you know, so many of these questions are it depends, kind of complicated questions. But even the statute of limitations isn't clear, because while there's a five-year statute of limitations for computer crimes, there's another statute that allows courts to suspend the running of statutes of limitations when they're doing investigations that involve evidence in a foreign country. Statute of limitations. Is the content of the key testimony? No. Logs as evidence. So a lot of people think, you had a question before, so I'm gonna let you ask it. He asked me if there's a notification requirement for an extension of the statute of limitations. I think that's an excellent question and I don't know the answer to that, so I'm gonna have to look that up and I'm gonna have to get back to you. So will you email me? My email is on the thing. And make sure that I tell you, because I, I don't know.

Okay, logs as evidence. So a lot of people who are technological people feel that, you know, we know how malleable digital data is, and we feel like there's a very high standard, or should be a very high standard, for admitting logs, computer logs, as evidence, and I think people are always surprised at the extremely, that was good actually, by the way, that you stumped me. I think that there might be a prize in that for
you. I was gonna buy him a drink. And a lot of people think that you have to, you know, that you have to show that it wasn't tampered with and that you have to prove that it is exactly the right thing. There, sort of, it's almost like the reverse is true. All you have to do to get computer logs admitted as evidence is just show that it is basically what you as the proponent of the evidence purport it is, show that it's reliable enough. And what they do is they bring in the person whose computer it is, you know, who is the system administrator, and he says, yes, did we have this computer set to log, and it logs in the regular normal course of business, and these are the logs, and I pulled this off of the computer in the place where the log files are stored, and here it is, and it looks pretty much like what it was that I pulled off the computer. And at that point in time the court will say, okay, I'm ready to admit it. And you can say, yeah, but I mean, he could have edited it, what was, you know. In fact I've had logs that were edited admitted. I've had logs where they basically cut out all of the extraneous data, leaving behind only the data that showed that it was my client who had been accessing their computer, and said, you know, I just, to make it shorter for you, your honor, I just, you know, left in the important relevant stuff and I didn't put any of the other stuff in there, so, you know, here's your log. And I was like, you know, you can't do that, and the court was like, well, he says that this is accurate, and so, you know, I'm willing to believe it unless you can show me that it's not accurate. And what usually happens then is you try to show that it's not accurate and the courts say, well, maybe there might be some question about it, but I'll let the evidence in and then the trier of fact can decide what weight to give it. So computer logs have been something that courts have been very forgiving about, particularly in my experience.

This is why I sort of wanted to rush, to make sure that we had a little bit of
time to talk to this stuff. So I think that probably everybody here is familiar with or has heard about the lawsuit that happened earlier this week after Mike Lynn's talk on Wednesday at Black Hat, and I was involved in that case helping Mike with every, with the aftermath of his talk, and it's been, particularly when we were in the six hour settlement conference with the nine attorneys from the other side trying to hash out a settlement agreement, I was thinking to myself, I can't believe I'm doing this, I'm in Vegas and I'm, you know, I've been up since six in the morning and I'm working on this, and I thought to myself, you know, and I'm not even getting paid, and then I thought, but I'm really saving a lot of money by not gambling, so actually I'm way ahead here. So I have, I have Mike to thank at least for that. But I think that one thing we haven't done a lot of talking about, I mean, I know that there's been a lot of, you know, talking and rumors and all of that stuff, and I can't talk about the facts of the case or anything like that, and I don't want to take any questions on that, but I do want to talk a little bit about the law and what it was that, you know, what it was, how it was that they claimed that what he did wasn't proper. So basically this was a case that involves California's trade secret act, and Cal, the trade secret law prohibits the misappropriation of trade secrets. Now something that it's, so what's a trade secret?

All right, so this is, this is awesome that you guys are here. We have, we have, first of all, this is, this is Mike's cape. We made him a superhero cape to go with his hat, and we're gonna use it right now to let, to let Jennifer change into her present that we got her. And Jennifer, she's doing such an awesome job she can probably share this cape with Mike. She's just doing such an awesome job. Yeah, thank you, but I want that cake. Did you guys see The Incredibles? No capes. I'm like, sure he, oh, that's beautiful. I'll make sure he gets it. Um, thanks, you guys.

Trade secret law. It's
very serious business. So a trade secret is information that derives its value from the fact that it's not, a trade secret law is, is information that derives its value from the fact that it's not generally known to the public. Okay, so that's thing number one. And so the first thing you have to ask yourself when you got a trade secret case is what's the secret, is it the thing that is, is it the kind of thing that's protected by trade secret law? And then the second thing you ask yourself is what's the misappropriation? Okay, so look, there's two, there's two possible claims here. One claim is that the information that he had about what the flaw was was a trade secret to his employer, or rather I should say his ex-employer, ISS. The other possibility is that the case is about that there's something about the Cisco code that remains a trade secret to Cisco. So, quick question. So his question is about whistleblower laws, so let me make sure, and that he's a researcher. Let me get to that, because, um, my second summer of law school I worked at this whistleblower place in DC, so I know a bit about the whistleblower laws, but my particular whistle specialty is FIFRA, which is the Federal Insecticide, Fungicide, and Rodenticide Act, and I did a white paper on the whistleblower provisions of FIFRA, so if anybody here has any rodenticide researcher issues, I think that I'm the person most qualified to respond to those. You laugh, but it's true. Okay, so the question is, so then the question is was it misappropriated, and so what, what is misappropriation? Well, the statute says specifically that reverse engineering is a proper way of discovering something even if it's a trade secret, and reverse engineering is specifically allowed under California law, and I have quoted here for you what the California law is about reverse engineering, and you can see reverse engineering or independent derivation alone shall not be considered improper means. So that's important thing number one. But then other important thing about
the statute is it does say that it's improper if you breach a duty to maintain secrecy. Okay, so we've got these two functional things here: one, is there a duty to maintain secrecy, and two, or, or was it independently derived? So the issue in the case is basically, you know, what did he disclose and was it in violation of some duty to keep it secret, or was it independently derived? So the violation of a non-disclosure agreement, for example a non-disclosure agreement with an employer, might be a trade secret violation, but that, if you read the complaint, wasn't part of the case. There wasn't a claim that he had disclosed something that was a secret and was proprietary to his employer. What the claim was really, if you read, looked at the complaint, was that the machine code that he had disassembled from the Cisco binary was a trade secret as to Cisco, and that he revealed that information to the public when he showed his slides at the, at the presentation. And so the question there, clearly the statute clearly says, although of course they don't cite the statute in their papers very much, the statute clearly says reverse engineering is okay, reverse engineering alone isn't improper, and they said, well, it's not reverse engineering alone, it's reverse engineering in violation of our EULA, because when you get the Cisco, you know, when you get the Cisco router, our EULA says, and for those of you who don't know, it's the end user license agreement or terms of service for use of the, of the machine, our EULA says no reverse engineering. So now EULAs have a lot of issues, and I think I've decided that next year for me is going to be EULA year, and I'm going to be worrying a lot about EULAs. And one of the ways that people have always attacked EULAs, it's been on the issue of formation: is it really a contract if you just slap some warning on your product and I never click I agree or, you know, have any kind of, you know, intention to enter into a contract with you? But I don't believe personally that attacking
EULAs solely on the grounds that it's not really a contract, because we never had this offer and acceptance, meeting of the minds that's required for contracts to happen, is a very fruitful process. I think that it's, it's a dead end in the long run, because we'll end up with things where they'll make you agree, and most people will agree to something like no reverse engineering, and those few people who do care to reverse engineer just simply won't, but won't be able to buy the product. But we can talk more about that in question and answer. I think the question that was really raised by the lawsuit in this case, and the thing that made me super interested in it, was the question of whether the violation of a promise in the EULA, i.e. a promise not to reverse engineer, is a violation of the trade secret law, something beyond simply having reverse engineered and independently derived it, the violation of some kind of promise that makes something that ordinarily might just be a contract breach a crime, or at the very least something that imposes civil liability. And as you may have guessed from my comment before about the website terms of service and employment contracts and that sort of thing, it really makes me mad when suddenly breaches of contracts are crimes. It's just not something that used to be true in the law at all. In fact, breaches of contracts are things for which you can't even get punitive damages, usually, because the law likes to see people breach contracts when it's economically efficient. So if I have a contract with you but I can make more money with somebody else, I'm allowed to breach the contract with you, I pay you what you expected to get, and I get to reap the profit of the fact that I, you know, that I got to enter into a contract with somebody else, and the law is happy. There's no, like, moral opprobrium that attaches to breaches of contract. So it really bothers me to see these kinds of things, you know, made criminal, and I think that, you know, one of the things sort of
in the bigger picture that the case raised is this question of is there a limit to the enforceability of EULAs, and can EULAs be the grounds for these sorts of other kinds of offenses? I have a question from this gentleman here. The question is, if the information is discoverable by reverse engineering, is it a trade secret? And the answer to that is no, because you didn't, first, you, you did not obtain it by improper means, you discovered it, no longer a secret, so it's no longer a trade secret. So, you know, the answer is basically no. There's a question from this gentleman, the green. We don't have a decision in Blizzard yet, right? No, we don't have, okay, so, okay, so let, so I will answer your question. So Blizzard versus BnetD is a case that involves a manufacturer of one of these multiplayer games and some people who reverse engineered that game and built their own server on which people could play the games compatibility, and the case is now on appeal, which is why I said there wasn't a decision, but, but this gentleman is right that there was a decision from the trial court below, and what the trial court below said was that, you know, if you're, if you have a user agreement that says no reverse engineering, then those terms are enforceable. There's another case that says the same thing, it's Bowers versus Baystate, and that case also says EULA, uh, you know, terms in EULAs are enforceable. And the EULA picture is this, to kind of give you the big picture of where we're at, if. So contracts require offer and acceptance. It's really, was one of my favorite classes in law school, because it's so beautiful if you think about it: there's an offer, there's acceptance, there's mutual consideration, there's this meeting of the minds, it's like very romantic, and, and you, and, and, but those things are required, right? So a lot of cases that involve things like click wrap or browse wrap, we have cases that say if there's not actually an offer and acceptance, that it's not a contract. So if it's just
something that says legal at the bottom and you don't have to click on it or agree or anything, then it's not, it's not a contract and you're not bound by those terms. And then there's other situations where you don't have notice or something like that, or maybe you do have notice and you continue to use the site, and then, so the question is, is there agreement to the terms? And those are things I would call formation issues: was there a meeting of the minds, did the person know what the terms were and manifest their assent, either through clicking okay or for using it or something like that? So formation issues. If there's formation, there's offer and there's acceptance, either through actual clicking okay or through notice and continued use, then you're into the question of whether the terms are enforceable. And my fear is, if you have every term be enforceable no matter what, you can have EULAs that say no talking nasty about this product, and maybe 95% of the people in the world don't want to talk nasty about the product, they just want to buy it and use it, and so most of us will just agree, and those people who do want to talk nasty about the product, the company doesn't need to sell to them, and so they'll never be able to buy it, they won't sell it to them and they won't buy it and they won't have access to the product, so they won't be able to, you know, test it or benchmark it or anything, and all the rest of us will be happily using the product and no one will be allowed to tell us that the product stinks. So, you know, when I say that I think next year will be EULA year, the thing that I'm really concerned about is are there limitations to the terms that will be enforceable in EULAs when you have a situation where the term is contrary to public policy. Individually it might not be a big deal, but in aggregate it deprives the public of the right to know something or the right to do something that has great public benefit. A question right here.
Okay, so his question is, you know, how far does the contract extend? So if I buy it with, you know, if I buy somebody's product maybe I agree to the EULA, but when I sell it to somebody else and the software is already installed and everything, you know, those people, the second, you know, the second purchaser hasn't agreed to the contract, so maybe the second purchaser isn't bound by it at all. And I think that, you know, in some ways that's a good argument. I actually, I'm not 100% sure of that question, but I don't think that, you know, you could make me agree to terms of contracts simply by selling something to me without my also having notice. So I think that that may be sort of a break, and, you know, if, if I were going to buy your machine with your ancient copy of Microsoft Windows on it and continue to use it without reinstalling or anything, maybe I wouldn't be bound by that, by those terms. But if I, let's say then I decided that I was going to criticize Microsoft's product or something, and they wrote to me and they said, hey, we hear you're criticizing us and that's contrary to our EULA, you can't continue, either stop criticizing us or stop using our product, then I'm on notice, and what a lot of the cases say is that notice plus continued use will bind me to the terms of the contract. So, you know, it hasn't always been a great defense, well, I don't know about the terms, or I've never agreed, because they managed to get you when they do the, we're going to get to see the food again, right? And his, his, so this gentleman's point is, well, at that point, you know, you didn't break the contract, so you could just stop using it and continue to be free to say or do whatever you want at that point, and I think that that probably would be right. Yes. So his question is what, his question is, what if I spent a lot of money on it and, and either they tell me to stop using it or, you know, then I learned that the terms of service or something that I don't like? And there was a class action suit in California on this
issue because of shrink wrap. So people buy software, they take it home, they open the box, they see these restrictive license terms, they don't want the software anymore, so they take it back to Best Buy, and Best Buy is like, we don't take your open software. So then they try to return it to the vendor, and the vendor said, we don't take your open, you know, we're not taking that back either. And so what do you do? So there was a class action suit in California which said basically, you know, if you're going to do this, if you're going to have your terms of service on the inside of the box, or if you're going to have your terms of service pop up only when you install, you've got to let people take it back and get their money back. So I'm, so practically that never happens, but legally it's supposed to happen. All right, some, some other questions. I can take a few more questions, because the people who are coming after us are late, so let's go for like three more minutes if anybody has other questions about this. Let me just do my last slide.

So, when to talk to a lawyer. So as you can see, this is really complicated, and so, you know, you sort of almost always need to talk to a lawyer, unfortunately, with it, which is too bad for you guys but great for lawyers. And it, you know, the law is really complicated, and if you feel like, I definitely know, I'm doing something that I thought was kind of maybe risky but now I definitely know that it's either legal or illegal, then you definitely need to talk to a lawyer, because if you think that the answers are really clear then you're not getting it at all. If you think that the answer is it depends, and I'm kind of know what it depends upon, but maybe it depends on more things too, and I might need to get a little more advice on this, then you're in good shape. So that's the sort of finale of my talk, and I'll take a couple more questions if there are some. I'll take one here. Is reading the machine code reverse engineering? I think here it was, they, they, I think here we
agreed it was reverse engineering, because he decompiled it from the binary. But if you've got machine code, reading it is, I mean, reverse engineering, the courts have looked at reverse engineering as being a lot of things: testing, you know, trying to watch processes and replicate, decompiling. So there are a lot of things are reverse engineering, but I mean, either it's legal because you're reading something that's already written, or you're reverse engineering. And so he, so what he's saying is it, what his comment is that he doesn't think machine code is, is, is see either secret or is reverse engineering, and I think there's a good argument for that. The beer is not here yet, so you have to, so that's, so I'm gonna, which is a tragedy, so I'm gonna, I'm gonna take some, a few more questions if people have other questions. This gentleman in the back. To try to take questions still, so you guys have to be kind of quiet, because I can't hear what he's saying. So the question is, do I think Cisco got what they wanted out of the case? I'm, you know, I'm not a researcher, so I may be a little more compassionate to, to most of the players in this, in this than other people are. I think Cisco definitely didn't get what they wanted out of this case. I mean, I can tell you what their point, what they thought they were doing was, and in the settlement agreement that we entered into to settle the civil case, Cisco and ISS insisted that the settlement agreement say that Cisco and ISS were working together on a presentation that would have revealed the problem without revealing stuff that they felt was trade secret information. Now I have no information personally whether or not that was true, because I came into the whole thing, you know, after that, but I think that what Cisco, if you asked them, and I'm not them, but to try to be fair them, I think what they would have said is that they really had certain things that they definitely didn't want, which was the code and the pointers, and that they ended up getting exactly totally
not what they wanted in all of this, because all of that came out, and they look bad, and they had to pay lawyers, and they had to pay to have the materials taken out of the presentation stuff, and they had to pay to get rid of the CDs and make new CDs. So they, they have had a really bad week, in addition to the rest of us having a really bad week too. I know it was tough, but I got a cape out of it. So, so the question is, are click-wrap, click-wrap and shrink-wrap, aren't really meeting of the minds because it's kind of a take it or leave it thing, can you modify the terms ahead of time and then click, click I accept it? So the question is can I modify the terms, and the answer is no, because then you don't have a meeting of minds on the other end. So I'm told that I'm gonna, should answer this phone call, which I'm going to do since we're on, on over time. A call-in question. Okay, I'll take a call-in question. Let's see, let's see if you, I can do it through the, let's see if I can just, if you can do it through the microphone. Ready? Now it doesn't play. It was a personal question, which I don't answer. Appropriate, professional, non-personal question. The question was about the encryption issue and the forced disclosure, and I'm not a, I'm not a, I'm not familiar with these cases that you're referring to where journalists have been forced to turn over encryption keys. The difference there might be that we're not talking about something that is incriminating, I mean, that might be one difference. Then you also have another difference, which is you've got this journalist thing, which brings in all this free press type of issues as well. But I think the fundamental thing is that the Fifth Amendment applies very, I mean, the arguments for Fifth Amendment application to compulsory key turning over I think are weak. I hate though, I hate to say it. There's no other question, so I'm not going to keep going, but as you can see we have the next thing that's up. Do you want to say something? Okay, you guys, let's see if you
guys want to hear a story. Okay, I'm gonna tell you, I'm gonna tell you guys a story about the first time I tried to help somebody who got arrested at DEF CON. This was back in 1999, when, okay, I'm not sure, I don't remember what year it is, but, I don't know, this isn't my laptop. Okay, so actually this is a really long story. I'll tell you, I'll tell you a story. Yeah, okay, I'll tell the story. So it was the year that DEF CON was at that Plaza hotel that was downtown, and I was, what year was that? 97, 90, it was 98 I think, and maybe it was 98. Anyway, that's a great place by the way, they have penny slots, which are super cool, because when you're just like totally down and out and you still need to gamble you can go to the penny slots. And I was about to leave, like I had just had my foot on the little shuttle van step, and I remember this very clearly, sort of looking down and seeing my foot on the step, when suddenly a crowd of people come running out of the hotel and they're like, wait, wait, don't let the lawyer get on that van, phony's been arrested. And I remember looking at my foot and thinking, I'm gonna miss my plane. So I get dragged off the little shuttle van and I'm told that this guy by the name of phony, and I don't know, do any of you guys here know phony? Who knows phony? Yeah, there you go, but you probably know the end of this story. So they told me that this guy named phony had been arrested, that, you know, it's the last day of DEF CON and he was about to leave and some cop came onto the floor of the show, took him away in handcuffs, hustled him off into some van, and we don't know where he went, so now what are we going to do? So I said, well, let's go try to find where he is and see what he was charged with and we'll see what we can do. So they say, okay, great, and everybody's got like radio headsets on, so I hear them say, we've procured the lawyer, bring around the vans. So then two big black vans roll up and the door slides open and there's a bunch of hackers in there, all in black, all with the
headsets, and Emmanuel Goldstein's in there and he's got a giant video camera, and they hustle me into the van and we're all like off. And I say, okay, we need to find where the jail is. So somebody's got the GPS thing, and it's like 98 or whatever, so this is pretty early, and they've got the map and they're like finding where the jail is and they're calling back to the hotel, it's, okay, we procured the location of the jail. So we get there, we go, get to the jail, and we're like stopped in front of the jail and the doors to both the vans slide open, everybody's ready to jump out and like converge on the jail, and I'm like, no, no, no, no, no, this, this is totally not gonna work. Okay, like one person can come to the jail with me, but you can't all come in. So they're like, take a little vote and everything, and everybody's okay, and Emmanuel's like filming everybody because he's got this documentary he's doing about how hackers help each other and aren't criminals and stuff like that, which is totally true and great, although, you know, it's a little nerve-racking to have this big camera in your face. And so I say okay, so they pick who's gonna come in with me, and I say, okay, now there's one thing, other thing I need to know: what's Phony's real name? And no, they're just like, can I say what Phony's real name is or should I make up a name? Okay. So they're like, they're like, it's Jeff. Okay, Jeff what? No one knows. So, so lots of frantic phone calls back to the hotel to try to find out what, what Phony's real name is, and after about ten minutes we finally find somebody who knows his name and tells me. I'm like, okay, and I go into the jail. So I get to the jail and we go up to the, you know, the booking guy, and, and he's like, you know, what's up? And I say, hi, I'm a lawyer, my client just got arrested, I'm wondering if he's here and, you know, what's going on. And the guy takes a, you know, sort of says, well, I don't know if he's here, what's his name? I give him the name and he types it into his computer and he said, well, he's not in my
computer yet, but if he just got arrested, you know, it takes a couple of hours to go through booking, he might be here and I just don't have him in the computer yet. I can go check in the holding cell and see if he's there. What does he look like? So I don't actually know what he looks like, so I'm like, what does he look like? I don't know. So the guy I'm with runs out to the, to the van and he comes back with somebody's digital camera that's got the picture of Phony, and he shows the picture, and he's got green hair and a blue pentagram dyed into the back of his head. So I show it to the sheriff and I go, you can't miss him. So the sheriff's like, we do not have that guy here, I would definitely know, he's not here. So I'm like, okay, he's not here, and he says, well, maybe, there's another jail across town, maybe he's over there. So we all pile back into the van and we've got the whole, you know, GPS thing with the, where the new jail is and stuff, and we're hustling off there, and on the way suddenly we get a call over the radio and the call is like, abort, abort the mission, return to base. So we're like, that's weird, okay. So, you know, I think we've been to like two jails by this time, and we're like, okay, well, to return to base. So we return back to the hotel and we're like, you know, we don't know what happened. I just know everybody's like, what's going on? I don't know. And sort of like we walk into the hotel and we sort of go our own separate ways, and I'm like, you know, wondering how I'm gonna get home now because I've missed my flight by quite a bit, and, and Pete Shipley comes up to me and he says, can I talk to you? And I'm like, okay, and we go over, he takes me aside and he's like, I'm really sorry, but it was all a hoax. That was Phony's cousin, and his cousin's a cop here in town, and he thought it'd be really cool, he thought it'd be totally cool if instead of just leaving the con he was dragged off in handcuffs. And he called me from the, he called me from the airport, and I was like, that's so weird, that's
Phony's number, how's he calling me? And I said, what are you doing? He's like, yeah, dude, wasn't that cool? And, and Pete's like, we dragged Granick off of her airplane for you and now she can't fly home. So Phony, who's a gentleman, paid for me to fly back to San Francisco first class, which I really appreciated, and then later, in honor of my effort, put me in a movie where I got to co-star with Mark Pauline as an evil naval officer in a, in a movie that he was doing. So he and I ended up being on, on very good terms. But that was the very first time that I helped somebody who had been arrested at DEF CON, and you wonder why I come back to, to take this abuse again year after year, but I just, I just want to, you know, thank you guys for, I just want to thank you guys for making my life so fun, and have a good rest of your evening.