Today, my name is Cindy Cohn and I'm the legal director of the Electronic Frontier Foundation. This talk will be, apparently, talk two of what is an EFF trifecta here today at Def Con, because at 6 o'clock tonight, with the kind approval of Agent X and the Def Con folks, we're gonna hold a special session just to talk about the RIAA versus the people, all the subpoenas that have been coming out. We want to talk, you know, kind of give you guys some straight talk about what's been going on, where we think things are going in the future, what we're thinking that we can do about it at EFF, but actually, I think most importantly, so let's start a brainstorm together to decide what we can all do about it together.

But today I'm gonna talk about something different. I want to talk about our dear friend Mr. Ashcroft and his friends up in Washington, DC, and what's been going on since September 11th. Because one of the things that was most disturbing to us in the aftermath of the two towers attacks on September 11th is that suddenly we started seeing all sorts of legal changes that were aimed at hackers. And, you know, hackers had nothing to do with the blowing up of those two buildings and the killing of those 3,000 people, but yet suddenly it seemed to be an extremely opportune time for some folks in the Justice Department to decide to ratchet up the situation facing people who are involved in hacking. So I wanted to talk kind of about those kinds of changes.

And I think the title of this is "What hackers need to know about the law since September 11th." This is a shorter version of a talk that I give in about a four-hour training session for all sorts of activists, and usually it is designed around a set of scenarios, which you'll find on the CD that you got, where we talk about, you know, some scenarios: you know, the police show up at your door; you know, you and your friends decide to do a denial-of-service
attack against somebody you don't like; or you build a software tool to help build freedom; and talk about the law in this context. This is a much shorter time frame, so I'm going to talk just about the legal changes and then I want to answer your questions. I'm happy to talk a little more about the scenarios that are in the materials if folks want to, but I think with this crowd, getting over the overview and to the questions as soon as possible is more important than kind of the baseline what-do-you-do-if-the-cops-show-up-at-your-door stuff. So, you know, catch me in some other presentation and you can hear the whole thing. It's a lot of fun.

The USA Patriot Act is the main thing I want to talk about, because it did the major change to computer hacking offenses. The, you know, USA Patriot Act was passed a few weeks after the September 11th attack as the response to try to make it safer from terrorism. As I pointed out, hackers had nothing to do with the terrorist attacks, but nonetheless we saw a whole raft of provisions in the law that changed in some pretty dramatic ways the legal landscape involving hacking offenses. Frankly, when the bill started out, it had even worse things in it, and due to some good work on behalf of my organization and several other organizations, and especially actually Kevin Poulsen at SecurityFocus magazine, we got some of the worst stuff out of the bill, frankly, but it's still pretty bad.

The major series of the changes happened to a law called the Computer Fraud and Abuse Act. And if you're a hacker at all, you should know about this law. It's the basic federal hacking law, and there are similar laws in almost every state in the country, and they all follow a same pattern: they make it illegal to exceed the authority in a protected computer and cause more than five thousand dollars' worth of damage. Again, the damages amount changes from state to state, but the keywords there are exceeding the authority in a protected
computer. And what does exceeding the authority mean? Well, it's a little gray, but then we've got some clear pictures about what it does mean. If you're tapping into a computer where you don't have authority to have access, let's say you're going into a government computer or, you know, AT&T's computers, and you don't have the authority to do that, you are exceeding the authority in a protected computer, because you don't have any authority to begin with to be there. Similarly, if you've got an account that lets you do certain things on a computer and you decide instead that you want to become root and do a lot of other more interesting things, you are exceeding your authority in a protected computer. So that's the idea, you know: what do you have permission to do? And if you're outside of those permission things, you're exceeding the authority. Now, there's a lot of places in the law where this is really vague, and it's been applied in some pretty strange ways in my opinion, but that's the basic idea.

Protected computer, what does that mean? Well, that means any computer used in interstate commerce. That's the federal keywords for how can the feds rule, make a law about this. And what does that mean in practice? That means any computer connected to the internet. There's no leeway in this. That's what it means. So if you're using the internet, you're coming over the internet to get into somebody's computer, and you don't have the authority to be there, you're under CFAA jurisdiction, because that's a protected computer.

There's a subset of computers that are called, that I'm sure to remember the name, it's, I think it's called government computers, that are any computer that's owned by or used by the government. And that can actually include people who are governmental contractors who are working on things as well. That's another subset of CFAA, and the penalties there are more severe.
We'll talk about a little bit. But remember that even if it says protected computer, that doesn't mean a government computer. That means any computer on the internet. There's another category for when you're going after the government's computers, and both got worse under the Patriot Act.

So that's the basic law. And the law said before September 11th, and still does, that you have to cause about $5,000 worth of damage to meet the minimum threshold to be liable under the law. It has both criminal and civil liability. So not only can the government come after you under CFAA; private parties who you hurt, let's say you go into an AT&T computer, AT&T can sue you under CFAA as well. It has joint authority. So that's the kind of basic law.

Now, what changed in the Patriot Act? Well, a lot of things changed after the Patriot Act. The first thing is, it used to be if the government believed that you were hacking into a computer, they couldn't go get a wiretap after you. Wiretaps are traditionally the kind of thing the government can only get for a small, select category of really serious offenses, and CFAA offenses did not use to be on the list for wiretap offenses. Well, thank you, Congress. They now are, so they can get a wiretap against you if they think you're doing CFAA things.

The law changed such that if you have an attempt to break into a protected computer, you are now punished as if you had succeeded. So if you try and you still cost $5,000 damage, that's still there, even if you don't actually succeed in what you're trying to do, you can be liable. Now, how can you be liable? How can you get to $5,000 if you didn't actually succeed?
Well, I'll tell you how. It's because they've changed how they count the $5,000. The $5,000 now is much easier. It includes absolutely everything they could possibly think of to do to try to stop you. So if they bring in one guy to try to figure out what those extra pings are, you know, and, well, one guy might not get your $5,000, let's say, you know, a guy over a month, and it's their internal cost on how much they paid a guy, they can get to $5,000. If they take steps to close off their network because of something that you do, they can get to $5,000 with that. And then they can get there with the easier, more traditional things, like if you actually hurt some data and they've got to reconstruct something, or they lose something of value, then they can do the $5,000. So $5,000 used to be a pretty low threshold; now, I think it's fair to say, in most situations it almost doesn't exist, because you can get to $5,000 so easily. And as we've seen in watching how corporations try to count their damages in technology hacking cases, they grossly overestimate how much everything costs, and I think it's fair to say that that's not really much of a barrier anymore after the Patriot Act.

The other thing that changed about the $5,000 threshold is that you don't need to intend to cause $5,000 worth of damage. There were some earlier decisions that said, well, you know, all this person really intended to do was go look around. He was just a kid. He wanted to know how the system worked. He was engaging in legitimate inquiry. He may have caused $5,000 worth of damage, but that wasn't what he meant to do. Well, the Justice Department took care of that one in the Patriot Act. Doesn't matter what your intent is. If you get in and he causes, and they can qualify the damage, that's all that matters.
So they really took care of the, you know, "sorry, I didn't mean to," you know, the Robert Morris "I didn't know the worm was going to take down the internet" defense is no longer available for CFAA. So that's changed.

And then the other thing is that they've allowed them to aggregate damages. So it's not $5,000 to one computer anymore. It's $5,000 to all the computers owned by a single system. Which, as some folks may know, you know, in order to get to a system that you might be interested in looking at, you may go through a couple computers on the way. They can count all those together to get to their $5,000. So that's why I say, you know, I haven't seen a case since Patriot Act passed where 5,000 wasn't just passed in the wind. That was easy.

So CFAA changed a lot. And I think it's really important for people who are doing that kind of exploration to think about, you know, that if you thought you were below the threshold of the law, now the chances are you might not be, and it's important to at least figure that out before you go in. I mean, my basic position on this is that, you know, it's not my job to tell you whether to engage in civil disobedience or not. You're all adults. That's your decision.
I think my job is to make sure you don't stumble into it, that you know the difference, and that nobody gets caught and says, "Well, I didn't know that was actually illegal." That's kind of how I view my role in trying to give advice to folks on these issues.

The other thing that we've seen is that computer crime is now a terrorist offense under USA Patriot Act under certain situations. Again, terrorism offenses are a very small category of the law that used to involve things like blowing up buildings and things like that. Now suddenly, under Patriot Act, again, no connection to the September 11th bombings or frankly any other terrorist attack that we've been able to track in the history, suddenly computer crime is on the short list of crimes that qualify as terrorist offenses.

Now, that's not any computer crime. It's important to know the limits. It is, first of all, an act that is calculated to influence the government, that's actually, or the government by intimidation or coercion, or to retaliate against governmental conduct. So if it's protest-type activity or if it's retaliative activity, then you meet the first prong for getting into the terrorist provision. The second prong is that you either must be going after classified information or other kind of protected national security sort of information, or, and this is the one that gets tricky, you have to cause damage that causes either a governmental computer system to go down, or medical problem, or physical injury. So it's not as bad as it would be if it was just flat any computer offense, but you could see that happening if you were someone who was giving computer assistance to people who are involved in protest activities, and somebody got hurt at the protest as a direct result of something you did. You could end up in the terrorist offense category.

Why does that matter? Well, because terrorist offense category is kind of the mother lode for punishments, right?
It's what we've done with the drug war in terms of ramping up what happens. What does that mean? That means they can seize your assets. They can seize your assets first and ask questions later. So they can get preconceived conviction forfeiture, that's what lawyers call seizing your assets post convictions, and to eight-year statute of limitations, which is much longer. There are alternative maximum penalties, which can go up to life imprisonment or the death penalty in certain situations. And it allows asset seizure not only of you, but of anybody who is planning, perpetrating, or a source of influence over someone engaging in a terrorist activity. And as we've seen in the use of the terrorism laws in the non-computer context, that can include people pretty far away from the actual attack. It can include people who maybe give funds, donate funds, or let you sleep on their couch while you're doing stuff. So it's a pretty scary thing to suddenly have computer offenses, which I think were already over-criminalized by the law, suddenly have the specter of potential terror, treating as terrorist offenses now. And again, it puzzles me completely, because, again, hackers didn't have anything to do with any terrorist attacks and haven't ever.

The next category is material assistance to terrorists. This is a category that existed before the Patriot Act but got beefed up a lot by the Patriot Act and furthered its reach. It includes training of anyone. So if you train somebody and then they go out and are involved in a terrorist act, you can be held liable as a material assistance to terrorism. And by the way, if you're charged with material assistance to terrorism, the offense carries the same penalties as terrorism itself.
So you're not, you know, you're not actually any better for that. And someone who is a facilitator, is what material supports terrorism calls a facilitator, you can be culpable whether or not the underlying offense was committed, and you don't have to have any intent for the specific underlying offense. You only have to know that it's going to be used for a specific offense. So you don't have to say, "Well, I wanted to blow up the thing," but if you know that the person who you're training is going to use it to do some kind of illegal activity, even if that wasn't your intent, you're still in the loop of this law.

And this all makes us very nervous. It gives prosecutors, even if that isn't exactly what you did, it gives prosecutors so much more leeway to start charging people broadly. And, you know, that's as big a problem as the people who they actually can convict. And we've seen, again, since the Patriot Act is passed, in the name of terrorism and protecting us from terrorists, the prosecutors are really willing to go far beyond what they would normally do in a rational situation about who they're going to charge and what they're going to charge them with. There's a hysteria going on now, and I really worry that some hackers are going to get caught in the crossfire.

I should point out that, you know, while I'm scaring the hell out of all of you, that so far this hadn't happened. I'm not aware of any hackers who've been charged under this law yet. But it's disturbing that the law exists, and frankly, it's not the case that we would necessarily know. Most of these kinds of investigations happen under all sorts of gag orders and protective orders, and so it's very difficult to know.

But apparently that wasn't enough for the government. They've got a new one that they're thinking about now. It's called Patriot 2. It's DSEA, defense security.
I don't remember the acronym, actually. It has been floated and it has not been put forward, and there was enough noise when it was floated that I'm not sure they're gonna go forward with it. So I don't want to scare you too much with it, but it is on the horizon, and certainly it gives a glimpse into what the Justice Department would like to do next. And I think it's quite disturbing that they're already going back to Congress and starting to make noise about how the Patriot Act wasn't enough.

The first thing that it does, I called this in my thing "Everyone rats on you whether they want to or not, and they can't tell you about it." These are things called administrative subpoenas. This is something, again, that existed prior in the law, that was very rarely used, and gets beefed up a lot by Patriot 2. They can be issued by the government. They don't need any court approval. They aren't even reviewed by the courts unless the person who receives the subpoena objects. And so they just issue these administrative subpoenas to anybody, and that person has to turn over all the information about you that they have. And they almost always come equipped with a gag order, so the person or entity who has to turn over all that information can't tell you. I think these things are one of the scariest things around.

The next thing is called a national security letter.
It's another way to skin a cat for the government. It's a way they can essentially do the same thing under national security grounds, which is require anybody, without prior court approval, to hand over any information about you that they have. And the important thing to remember of all of this is, you know, in the digital age, and I think people in this crowd know this, but when I talk to non-techies, I always have to point this out: now you're leaving bits of data behind with every step online. And so there are lots of people who know lots of things about you. Unless you're a real, you know, crypto and anonymity junkie, and you use those tools and you use them well, there are a lot of people there who know a lot about you, and the idea that they can be required, without any court review, to just hand over that information to law enforcement, I find rather chilling.

You had a question?

It's actually, in practice, it comes out of what entity issues it. A national security letter comes out of the kind of, the part of the FDA, the FBI, that does the national, the FBI kind of has two pieces. There's the domestic, and then there's the international national security cops, basically. They don't look any different. They don't have to wear any different insignia or anything, but they work in different divisions. And generally you'll see the administrative subpoena is coming out of the civil domestic side, and the national security letters coming out of the other side. So really, for me as a lawyer, it tells me more about who issued it than it does about the justification.

Now, in theory, before Patriot, the argument was that the national security people's jurisdiction is just national security sorts of issues, and foreign governments, and spy-versus-spy sorts of things. And so they would only issue those, you know, when they're doing their work, and their work is national security work. So you could feel kind of safe that a national security letter was only going to be issued for a
national security purpose. This is another thing that the Patriot Act did. It tore down all of those laws. Sorry about them using it for them. I'm using it for time. It tore down all of those rules that said that, well, the national security people can only be working on national security stuff, and that domestic people can only be working on domestic stuff, and they can't talk to each other unless there's a really high showing. They could always talk to each other a little.

You know that these kind of walls came up in the 70s, when it was revealed that the FBI kept dossiers on millions of Americans just in case some of them might be criminals. And so there was a commission called the Church Commission, Senator Church put into place, and they put up all these walls between the national security and domestic security, because the reason the FBI said this was because they were going after communists. So they put up all these walls, and Patriot Act tore them largely down. So now you can't really be assured that a national security letter is actually coming out of the national security purpose, as you could before September 11th, because the folks on the domestic side can say, "You know what? We don't actually have enough authority under our laws to issue a subpoena in this process," and they do have limits, and internal limits that they follow, "so could you guys over there on the right-hand side just issue a subpoena for us and get the information?"

This is one of the issues that EFF and the ACLU and EPIC and everyone has with the Patriot Act. It's kind of hard for ordinary people to get, but basically it gives the government a lot of different end runs around what used to be the limits on their jurisdiction, and this is one of them.

What part of critical infrastructure?
Well, basically government systems are defined as any system that aids the government in any of its efforts. I could pull out the exact statute, but that's roughly it. Telcos that are involved in that kind of work. It wouldn't be just general telco because the government uses the phone, but it would be a defense contractor who's developing something for use. It would be somebody in Silicon Valley who's, you know, developing the next tool of surveillance for the NSA.

Hmm. I don't think it'll go that far. It really does have to be for a specific governmental purpose, because otherwise there'd be no limit to what a government computer is, because the government buys services like the rest of us. There is actually a rational distinction in how it's defined, and it's really people, I think it's fair to say that you can say it as people who are working under government contracts for things involving national security type stuff are protected, but not just anybody who sells stuff to the government, because that, you know, that would be everybody. You know, that would be every big entity, right? Every big entity would be covered.

Steel.

So the question is, tell me if I'm right about this, but they've asked me to repeat the questions: if somebody were to use a technique to sniff out passwords from a wireless system that they learned here today, could the person who taught them that be liable if they then use that as part of a terrorist activity? That's the fear. I think, you know, I can't tell you it's completely likely, but I think the person who does the teaching has to know that the person who's learning is gonna use it for that kind of offense.
I don't think it would reach just general teaching. I think that would be really, that'd be too far. However, in a place like Def Con you might have a hard time arguing that you didn't know that some of the people in your audience were going to use the tools that you're teaching them for an unfair use purpose. You know, thank God we haven't had to go through the kind of thing with Def Con that we did, say, with Slashdot in the DeCSS case, where, you know, the entertainment companies put the argument forward that, well, because something happened on Slashdot, you know, you knew a lot of things, that I don't think made sense to anybody who is a reader of Slashdot. We haven't done that with the Def Con sorts of conferences yet, and, you know, hopefully, you know, knock on wood, everybody, that'll never happen. But I still think it's pretty remote. I think that you really have to have some level of knowledge. You don't have to be a co-conspirator, like you're working with them, but you have to know that the person you're teaching it has that kind of intent, I think, before the law is going to really reach you.

Yes?

So the question is, how does the Patriot Act,
these changes, affect people who both aren't citizens or who launch whatever they're doing not from the US?

The second one's an easier one, and it's one of the things I hate about the Patriot Act. It extended the government's jurisdiction for these kinds of offenses to people outside the US. So, you know how they swoop down and they got, you know, they've recently started really working, well, let me see if I can say this in a nicer way than I was just about to say it: the government has been more aggressive in reaching out to non-citizens who are living in foreign countries and dragging them here to stand under US laws for things. And the jurisdictional basis for that hasn't been fully litigated, because frankly they didn't do it very often before, except for like Noriega and some high-profile cases. But we'll see that litigated out. But they certainly have now got congressional authority to do that for hacking offenses, which is reach out, grab the guy in Russia who launched the attack, bring him here, and hold them responsible under US laws on the grounds that the effect was here. So that unfortunately is one of the things that I hate about the Patriot Act, and actually I think it's really bad law. I think jurisdiction on a matter.

But the second question is, how would it affect people who aren't citizens? And the answer is it'd affect you the same. In some ways
I think it'd affect you worse, because the other part of Patriot that we're not talking about now is all the changes to the immigration laws and the way that the immigration situation has changed. Now they can deport you for anything even remotely related to a Patriot Act offense or a computer crime thing. So not only are you still subject to these laws, as long as, you know, this is the basic Cindy theory of jurisdiction that I've taught to several hackers so far, so let me just share it all with y'all right now: where do your feet touch the ground? If your feet touch the ground, they can get you there, always. So unless you live in cyberspace and your feet never touch the ground, you're never outside of jurisdiction. You're always under some jurisdiction, at least one, where your feet are touching the ground at that moment. Now, you might also be subject to jurisdictions of other places, but there is no quick fix that says, well, because it happened on the internet and it was here and there and I bounced it off here, you know, they can never get me. They may not be able to find you. That's a different question. But they can always get you where your feet touch the ground, and that's where your feet touch the ground where you live, or where your feet are happening to touch the ground when they catch you. So if you've broken the British laws and you're not there when you break them, but later you end up going to England and the statute of limitations hasn't passed, your feet touch ground on British soil, they can get you there then.

It's a fundamental concept that I think was lost a bit in the early days of the internet, because there was this heady idea that, you know, you could be above the law. It's not the case. It wasn't the case then and it's certainly not the case now. We've got a lot of case law on that question.

So, ah, so this is a question.
This is a person who trains foreign nationals for working with, it sounds like, local governments, and he's concerned because he doesn't know what these people's motives are, and some of them are actually on the list, come from countries that are on the bad list. What is your liability, responsibility?

Well, I think the first thing you ought to figure out is who's your boss, and what's your arrangement for indemnity and responsibility for what you do. If you're a freelancer, I think maybe talk to me afterwards. If you're working under somebody else's direction and they're telling you to teach these people, then generally you have a degree of protection as long as you're acting within the scope of what they asked you to do. So if you're training under orders from your bosses, it's your bosses who have to think about the effect. Not that you're completely immune, but really, you know, again, you know, the other thing is, you know, once you know that they're going to use something for a bad purpose, then I think you need to stop and you need to take some action. As long as you don't know, I think, again, you're acting under orders from superiors. They're telling you to train these people. I think that that's a pretty solid first line of defense. It may not be complete, though, and you still might want to see me afterwards.

Just portions of it. The part that, most of the CFAA stuff actually sunsets in 2005, not all of it. And so one of the things that you'll start hearing from the EFF, I hope you're all members and you get the EFFector, because then you can watch and you can see when we say it's time for Patriot to expire: start putting pressure on your member of Congress to let it die and not reauthorize it. This is going to be important.
The Patriot Act was passed in such a rush. Congressmen, I think, felt like they had to do something and look like they were, more like they had to look like they were doing something to respond to terrorism. But by 2005, hopefully that pressure will be off of most of them, and news from their constituents that we think you went too far with the Patriot Act, you know, it's time to let some of the stuff that we enacted in haste when there was an emergency just die off and go back to the way the things were before. Really important. I actually think there is a chance that it won't get reauthorized, because one of the things about the sunset provisions is, you know, inaction means it goes away. So it's easier to convince members of Congress to do nothing than it is to convince them to do something, and we have the benefit here of being able to say, "Guess what? Just do nothing." And those situations are rare, since most of the time when the EFF is concerned about a law, we need it fixed. This is one where we just got to let it die. So that's a good point.
Thank you for asking.

Yes?

Federal employees. In general, the federal employees are subject to all the laws. There's not a general federal employee exemption to most laws. If they cause the damage, you probably could, although actually, frankly, I should be straighter about that. There is no blanket immunity, but law enforcement purposes is probably one of the ways that they would be able to get out from under it. It'd be interesting to try, depending if they really actually cause damage by prodding around in your computer. Real damage, not the kind of phony made-up damage that the corporations get to use. I think it would be an interesting case to try to bring an action against the government for that.

Well, it depends on what they're getting. I mean, it wouldn't have to be a warrant. It could be a subpoena, but you're right, it depends on how they're doing it, right? If they're just unauthorized pinging around, though, which they actually do a lot of, and they actually caused a bunch of damage, it'd be an interesting case to try to bring. I wouldn't say I'm totally optimistic, but it's the kind of thing that might be fun to try and see what happens. It's fun to be the EFF lawyer. Let's try that.

If they're connected to the internet, they're protected computers. Educational computers, I don't think have any, they don't have any special federal protection that I'm aware of. There may be some state laws.

What?

Well, but they wouldn't qualify under protected computers for the special Patriot Act kind of, you know, seventh wall of Dante's, and what, you know, seventh circle of Dante's Inferno special penalties that when you go into a government computer.

Yeah. Not unless, I mean, I suspect that there are actually a lot of computers, say, at Berkeley and Lawrence Livermore lab and stuff that would. But it's what is the computer doing, not where is it, that is the correct
analysis to start.

Oh, thank you for this question. Oh, you just lead me into my conclusion of my talk so well, thank you. What can you do? One of the best things you can do... it's funny, I've been joking that EFF is becoming the anti-logging society. Really, one of the worst problems with a lot of this Patriot Act stuff, and it's the same problem now that the RIAA is taking, kind of, is that all the sysadmins I know are pack rats, right? They write all of these servers and systems to gather as much data as they can possibly gather. I understand why sysadmins are like that, believe me. I've worked with computer people for a long time now. We got to break you of that habit. If you really care about freedom, you have to think about: what information do you really need to get your work done? What information don't you need, and how long do you need it for? Collect the information, only the information that you need, use it the way you need to use it, and then get rid of it.

Because one of the worst problems with Patriot, and I talked about the libraries are having this problem under... there's a Patriot Act section called 215 that was just challenged by the ACLU, but we'll see how they go with it, that requires libraries to turn over this information. But frankly, with these subpoenas, these various kinds of subpoenas and other tools, lots of people are being asked to turn over this kind of information that they have about other people. And one of the things that the Patriot Act did was it made clear something that was unclear in the law. It used... it's clear that the government needs a warrant, which means the judge has actually looked at the situation, in order to get the content of messages that you might have on your systems. What was unclear in the law beforehand was: what did the government need in order to get all the other stuff?
The logging information, the login, all the other information that you have about a transaction other than the actual content of the particular messages. And there had been a fight between, you know, our side of this and the government about what the standard was. Well, Patriot Act, you know, wasn't written by us, and it allows something called a pen/trap order, which is one of the lowest kinds of governmental things, where basically they just run to a judge and say, "Here, it's all filled out correctly, sign it," and the judge can't even say, "Wait a minute, this looks crazy to me." If it's filled out correctly, they have to sign it, and then they can turn it over and they can get all sorts of logging information. That includes your Google searches, or any kind of searching you do on any site. If it's logged and it's available, then you got to turn it over. Then the person who has it has to turn it over. So the best and the easiest thing to do, both in terms of your headache, your time and other people's freedom, is not to have it, so that when they show up you don't have anything and you can explain why you don't have anything.

And one of the things that we've seen with the RIAA stuff is that the ISPs are starting to put a dollar figure on how much it costs to recreate their records and go through all their backups and find all that stuff for people. It's really expensive, and I've worked with some individuals as well who've gotten subpoenas for archives of news feeds and other things that they have, and it's darned expensive to go back and do that kind of forensic work. Or if you do it yourself, it's a lot of time. So you can save yourself a lot of hassle and a lot of time, and you can protect the privacy of the people who are using your system, if you just don't keep anything you don't need.

We do not... the question is: in the UK there is a bill that is being passed to try to do data retention, and some folks in the
UK have done a great job of trying to knock that thing down, although I'm not sure they're going to succeed, but we're rooting for them. In the United States we have no affirmative requirements that you keep logging information or any data about your users on your computers.

Yes, once you get an order from the court that says, or from a subpoena that says, "We want this information," if you thereafter go and destroy things, then you're tampering with evidence and you can be liable both civilly and criminally. But before the request comes in, you've got no ongoing free-flowing duty to keep data. There aren't any. We're very concerned that law enforcement is going to try to get it, and now they're going to probably have the RIAA's backing, but in the meantime, we cannot log, you know, and we'll fight that battle and we'll fight it hard, and you'll all hear from us because we'll be screaming for help.

So the police can make you start logging user information in the UK. You could probably get a specific sort of order to do that in the US, but frankly it is contrary to the general tide of the way the American law works. American law, on both the civil side and, frankly, on the criminal side, doesn't generally require affirmative acts of changing systems or doing anything in order to assist law enforcement or civil people. We had this fight in the ReplayTV case. Some of you may have followed the ReplayTV case, where, uh, this is a situation where the TV studios and the movie studios wanted to require SonicBlue, the company that makes ReplayTVs, to affirmatively start tracking what their users were doing with the boxes, to find out whether they were engaging in commercial skipping and sending shows around, which were the two main things that they were concerned about. And the initial ruling from the court was very bad. It was appealed to a higher judge. We joined in the fight at that point. So did a bunch of other people, and
we got the right ruling out of the second judge, which is: there is no general duty, even under the discovery laws in the US, for you to create new information, create new data, in order to assist in a discovery dispute. And the same is generally true in criminal law, though they can get those orders a little easier in criminal law than they can in civil, but they have to get the order. There is nothing they... that you have to go judge for that, you can't just do that. The best that they can do without going to a judge is to make you freeze and not get rid of anything that you already have at the time you get hit with the order. Yes?

Yes, if they do that, can you give you a bill, can they give... if they do that, can you give them a bill? Generally the answer is yes. The amount that you'll get paid per hour will be far below your hourly rate, I can guarantee it, and you might have to fight to get the money. But there are provisions in the law for third-party bystanders to get reimbursed for the costs that they incur in trying to comply with either civil or criminal orders.

Well, the court will... a general consultant will be 150 bucks or more. You aren't going to get what you bill. You're going to get what the court thinks is fair, and what the court thinks is fair, trust me, is not what you bill. It's going to be significantly smaller. In the back?

There is nothing in Patriot II about document retention yet. The question is: is there anything in Patriot II about document retention? No, it's not there yet. And, you know, if I have my way it never will be there. I want to just... I've got about 10 more minutes.
I want to keep answering questions, but I want to get through my "what can you do" stuff, because there are a couple things on there that this crowd actually, I think, can do and really ought to think about doing. We've already talked about, you know, EFF anti-logging society.

Use crypto. I personally spent six years of my life fighting the federal government to free cryptography from governmental control in the Bernstein case. I wish that you would actually use it. Please, you guys all know how to use crypto; find five people who don't and teach them. I had a nice man help me yesterday, actually, figuring out how to do it better on OS X. And those of you who write crypto, three words for you, actually two words three times: user interface, user interface, user interface. Please help people who aren't elite to use this. The more of us that use it... it's, you know, that crowds thing: the people who actually need it can hide a little better if more people are using it. And if it's limited to just this crowd, or just Linux users, or just people who can come to Def Con, it's not very useful to anybody. So that's my own personal appeal: please use crypto. Please teach other people how to use crypto, and think about it both in terms of your communications with other folks, but using PGPdisk. So, you know, my view is nobody should travel across the national border unless they've got their data encrypted. We've seen far too many people, especially in my work with the human rights community, who get the laptop taken at the border and they never see it again. So use crypto.

Then, what information, what footprints are you leaving? Think about, you know, where you're going, what are you doing. Think about using services again. You know, I was in the anonymous remailer system meeting yesterday, and I think they're great. They need more support. They need more people to use them. Please do that. It's wonderful.
I think as a result of this we're finally going to convince the EFF techs to let us put a remailer on our system so you can bounce off of us. I see Damone's back there, my tech guy, nodding. So I know that's going to happen now. See, you have to embarrass him in public and then... That's not his responsibility, actually.

And then if something happens and you hear from law enforcement, please come tell us. Not only will we try to help you; we try to help people find lawyers all the time. We can't always help everyone. We're a very small organization. But we do have a pretty impressive list of lawyers who have volunteered to take EFF cases, some of them for free, sometimes not, but we will try to help you get connected with lawyers who actually understand enough about the internet to be able to help you. There aren't nearly as many of those as there need to be, but we know a lot of them. But also try to help them, because what we're trying to do is gather evidence that we can use in the battles when the time comes that the Patriot Act comes up for renewal. I need some stories to tell Congress about why this should go away, why this was a bad thing. And if we don't hear about them, if stuff happens and it goes away quietly, I can't marshal that evidence to try to make it so the next person doesn't get hurt. So if you hear about this kind of stuff, please let us know. We're very easy to find, and we really do want to keep track of this. We actually just recently received a fellowship to hire somebody to work full time for the next two years, a wonderful lawyer that we stole from the ACLU, to work full time on post-Patriot civil liberties issues. So we've actually staffed up to be able to try to help you and all of your friends if you run into these kinds of problems, and we really want to do it.

I think, are we about done, goon, or do I have some more time? Ten? Five? A couple minutes. Okay.

How do I feel about being in a country that was once free and now it's turning into a police state?
Well, I haven't yet, but I probably will before the end of the day buy the T-shirt out there that says "I missed my freedom." You know, this is, you know, I think it's horrible. You know, I would much rather spend my time trying to make your world better rather than trying to stop it from becoming worse. And I'd really love to get to that place. Please, let me get to that place. And it's awful. I think it's terrible. I think we're really in a serious backslide. I'm hopeful that there have been a few things, you know, that have started to do... there is a growing consensus in Congress that things have gone so far, too far. We need to help support those people, frankly. There are as many, there are more of those almost on the right than there are on the left right now. But we need to really push on both sides on that, and, you know, I have to think, otherwise I couldn't get up every morning, that the pendulum swings, and that we're over here now, but that if we work hard we can bring it back here, and I just hope one of these days it'll be over here, right?

Now, that's part of Patriot II. You know, you guys started asking questions... I think it's the rest of Patriot II, but that's part of Patriot II, and it's one thing that we're very worried about. It would be a mandatory sentence enhancement for the use of crypto, which is written so broadly that it appears to reach, you know, a lot of firewall activity.

No, at least the one in Patriot II is a sentence enhancement. So if you're convicted of one crime and there was crypto used, then you get a five-year ding on top. It's not good, but it's not a separate crime anymore. The thing that was floated right after September 11th that would have made crypto a separate crime died really fast, and it did in large part because this community rose up. I don't know if you know this, but lots of people rose up and said, don't, you know, over my dead body you'll touch our crypto.
We work too hard to get it free. So I think, you know, that makes me happy, that we were able to stop that backslide, and it makes me feel like crypto is on pretty solid ground now. You know, sentence enhancements are bad and we need to fight those, but the dark days, I think it's just not politically expedient to try to go back to those days right now. And the fact that we survived a terrorist attack without that, it gives me hope. Yes?

Yes, you're right. He said, what about financial institutions and logging, and he's right. I should have made a small caveat to that. There are, you know, professional financial institutions have some requirements that are SEC requirements that they keep information about trades and shares and stuff. That still doesn't mean that they have to keep a lot of things, right? They don't have to keep everybody who just shows up on their website. But they do have to keep a certain amount of data, and they have some data retention requirements, but they're about the only ones.

Yes, they are for trades. Anything trade related, they're supposed to track, and there was a recent ruling... So are they... they have to log instant messenger things for traders, and the answer is yes. Anything involving a financial trade has a data retention requirement. There was a recent ruling out of the SEC that says it doesn't matter what technology you use: if it's a communication about a trade, you need to track it. You know, and that's the rule. And it's really designed to try to stop the kind of cook-the-books sorts of things that we've seen with our corporations right now. Yes?

Is the rule effective now? I think it's effective now.
In fact, I think it was already effective in... Yeah, it was already effective before the law passed, and they just issued a clarifying ruling that said IMs are included in what the rule already said.

Are you treated differently if you go just from one box to another box in the U.S., or if you go bouncing around a bunch of hosts and then end up in the U.S.? Well, I think, I mean, there's a double-edged sword. I mean, if you go bouncing around a bunch of hosts and then end up at the U.S., you might be harder to catch, but I think that you could also engender potential liability in all the other places. And so one of the things that we've seen the US do in non-hacker contexts is kind of, you know, I don't... you call that jurisdiction washing, you know, where they'll send somebody to another jurisdiction where things are a little tougher if they don't qualify under US laws, wherever you came from. But I think it's...

Are they getting more jurisdiction foreign-wise to grab logs? Yes. The answer... are they getting more jurisdiction to grab foreign logs? Yes. They already had actually quite a bit of jurisdiction, but now the Patriot Act makes that more explicit. But more importantly, what they do is they have all sorts of friendship agreements with other governments, and they hand stuff off voluntarily to each other.

Yeah, those connections in the last couple of years have really got much more... team talking that people at the Department of Justice to do this work. They have much tighter ties with overseas authorities than they did five years ago.

Yeah, that's Fred von Lohmann, our senior intellectual property attorney, pointing out that, uh, the ties between the U.S.
Justice Department and foreign... their foreign compatriots in the last few years are much, much tighter than they used to be, and it makes jurisdiction hopping much easier for them to track, because they just call their friend Louie in Italy and get the information they need.

The question is: what about people who build systems that protect people's anonymity and do other things that, you know, are used for legitimate purposes but could also be misused for illegitimate purposes? That's actually one of my hypos that I didn't get to. But the answer is, I think that as long as there are a lot of general purposes for your system, it's going to be hard for them to track back to you. And doesn't mean that they couldn't get to you, though. I think the law is vague enough and it hasn't been decided. You know, that's exactly the kind of thing that you should call us, but, you know, it's our position, and I think we'd have a really good shot at it, that if you're running a general purpose anonymity tool, especially in the United States... You know, we have a First Amendment right to anonymous speech in this country that has been upheld over and over and over again, including just last year by our Supreme Court. I would go to the wall on that one. I think the thing you want to think about is keep a general purpose. If you're really customizing something for a particular illegal purpose, you're going to have a much harder time. And you'll hear this as a theme.
I think when you look through all of the EFF stuff about technology is: really think about, you know, legal uses for whatever you're developing. Develop such that they can happen and they do happen, that you've got a really good argument that you're developing a tool and that the tool could be used for legal or illegal purposes. And if you're customizing it and aiming it... think about the difference between Napster, which only let you change MP3s, and Morpheus, where we won the case due to a lot of different changes. But one of the big changes that was different between Napster and the cases that have survived is that the technology could be used for a lot more purposes, and the argument that it could be used for a lot more purposes carried a lot more weight because in fact it is being used for a lot of legal purposes. I think the same is true on the criminal side: if there's potential criminal liability for somebody misusing a tool that you make, you need to really think hard about making sure that there are legal uses too and that they're actually happening. And you'll be in a much better place to stand up in front of a judge and say, "This is the tool I made and this is why I made it," and they won't be able to poke so many holes in you and say, "Well, yeah, actually, you say that, but it was really about this."

The goon is telling me that we're done. I'm going to go out into the hallway and I'm happy to continue talking to folks. Also, please come at six