Well, thank you all for coming. My name is Chris Conley. I'm an attorney and technologist with the ACLU of Northern California, and what I'm going to talk to you about today is bad and sometimes good tech policy. It's not just a DC thing. So I want to talk to you a little bit about what happens in the states, what happens with local government, you know, your local law enforcement, your state police, your schools and universities, how these people are actually impacting what technology is, how it can be used, how our freedoms and rights are affected by their decisions. What I'm not going to do is try to fit 50 states and everything that happens there into a 20-minute presentation, because I've been told I get cut off, mic is dead in 20 minutes, and I'm already coughing, so I'm not going to try to yell after that. Also because I can only be at one place at once, and the hidden message in this is that I can only be at one place and I can't see everything, but you guys can be in a lot of places at once, and you can help me really understand what's going on and make a difference at the state and local level the same way people have at the national level. But that's my end-of-the-talk sales pitch, so right now I'm just going to give you a quick summary of some of the issues that are coming up in state law, with local activity, and how they really impact how we use and how technology impacts our lives.

So again, when we think about tech policy, everyone knows what CISPA, and who knows what SOPA is? Who's heard of SOPA? So quite a few people.
SOPA is the big Stop Online Piracy Act. In DC, it was going to basically take copyright and give it the authority to take down and cripple even more communications, basically broaden the extent, the powers of copyright. And a lot of people heard about it, and they heard about it because it was happening in DC, because it was a big national issue, because it had the attention of the media, had the attention of EFF and ACLU and others, and it really got a lot of play. And as a result we had a blackout, there was a lot of activism, and SOPA and PIPA had, at least for the moment, been killed. And that's because these people, you know, everyone knows these people. They're big names, they're our presidents, they're our legislators in Congress in DC, and it's easy to follow what they do. But it's a little harder to follow other people. Probably everyone knows this person as well, but your mayor, your local representative, your state senator, they're doing things as well that really impact technology.

So a lot of people know what SOPA is. How many people have heard of RCW 9.61.260? Anyone? Anyone? No. So this is a bill in Washington state. It says, summarizing briefly, that if a person, with intent to harass, intimidate, torment or embarrass another person, makes an electronic communication to such person or a third party, anonymously or repeatedly, whether or not a conversation occurs, that is a crime. So that's not just cyber bullying, really targeted things. That's probably this, that's impacting a whole lot of what we think of as freedom of speech, of people's ability to express themselves, of flaming someone online, of maybe going online and posting about somebody's failure to fix, to patch unknown vulnerability, or baiting a scammer from Nigeria, or all sorts of things that are legitimate, protected activities that the Washington legislature decided, well, we're going to write this bill in a way that maybe covers that. Yes, the bill is RCW 9.61.260. So there's some good news about this bill, which
is that it's unconstitutional. If you try to apply it to something like this, it will be, it should be shot down in the court, and there's a court case going on right now challenging the constitutionality of this bill. Of course, if you're the one who's being charged with a criminal offense for doing this, you have to hire a lawyer, you have to find defense, you have to go through the time and age you do it, or you avoid it in the first place. So even laws that are clearly unconstitutional that are coming out of states can really impact people, and in a lot of places the constitutionality is a little bit harder to figure out.

And one of the main ones I want to talk about is schools. So how many students do we have in the room right now? Have any students? A handful of students. So schools are a place where, you know, the principle we've always embraced is your rights do not end at the schoolhouse gates. You do not surrender your right to free speech, you do not surrender your right to privacy when you walk through the school gates. But a lot of school administrators don't necessarily agree with that. They want the ability to monitor their students, they want to know what they're doing on Facebook, they want to know what they're doing off campus, you know, and they do things that sometimes are incredibly egregious. You know, one of the worst examples I know of was in Pennsylvania, the Lower Merion School District, which just thought that it was going to issue all of its students laptop computers that were equipped with cameras, that were equipped with software to remotely activate those cameras. The reasoning for that is still a little bit murky, but it was used by people who were monitoring activities, and in fact one of the school administrators tried to punish a student for something that was captured on a camera while he was at home. Of course then the ACLU got involved, is that actually it's blatantly illegal to do this, there's actually law that says you can't. But again, when the law says
you can't but a school district does it anyhow, there are real impacts here.

So that's an egregious example and not the most common one. Much more common is something like students posting on Facebook. So the student goes on Facebook and says, "I hate my classmate, I think she's a jerk," or slightly more colorful language you might see out of a teenager. This is an expression, this is what people do. But schools in many cases have taken this idea that if you do it on the internet it's special, and therefore it has to be controlled, has to be contained. You don't have the same right to speak on Facebook as you might elsewhere. And so we see school districts that try to punish people for making fun of their teacher, or making clearly, you know, phony threats about their students: "I wish I could just kill so-and-so." You know, this is not an actual threat, this is not a criminal offense, this is not something that the school has any right to do this kind of stuff if it were offline. And yet they're claiming, because it's online, because it's special, they have the authority to go in and basically trample on someone's free speech rights in order to control the internet. And that to me is a real concern, because our students are learning in their schools: you don't have rights on the internet, what you say can be controlled. You know, not "what you say have consequences." That's something that people absolutely need to learn, but you learn that by saying that, by evolving through society, by understanding how you interact with people, not by being told you can't make fun of your teacher because you said something stupid yesterday, or you'll get suspended because you posted on Facebook. You know, you could do it to your parents, you could do it to your friends, that's okay, but the internet is special.

So that's kind of one of the things that I watch for when I'm looking at state and local things, is the cyber exceptionalism. So when you see cyber bullying, when you see cyber threats
from a state level, it often means this is something that we already have a lot of cover, or maybe we don't even bother covering in the real world, but we're going to treat it specially because it's on the internet. And state legislatures don't necessarily understand the internet. They don't think about all the consequences to free speech, to privacy, to individual rights when they do this. So that really raises our concerns, and it encourages us to really focus on what are these people doing when they're addressing the internet as something special. Are they, as a result, crippling what makes it special? Are they making it a forum where you have to think very, very carefully before you can say anything, and therefore you might not say anything at all? Are we teaching students that you shouldn't be searching for active, for sensitive content at school because it might be monitored? So you can't go on your school computer and search for an LGBT support group or an AA meeting or anything like that, because this can be monitored, because you're at school and therefore you've given up your privacy rights. These are the kind of things that we see schools do across the country in different cases, and it's really a concern.

So that's one topic. Another one that of course is coming up all over the place is what are people doing with cell phones' location information. So the ACLU just had a comprehensive Freedom of Information Act and public records act request across the country, asking how different law enforcement agencies demanded information about cell phone locations. How did they go to their local phone carrier, to Verizon, to AT&T and Sprint, to get this information? And the answer was all over the map. Some law enforcement agencies, including actually North Las Vegas, did a search warrant. They say, look, we know this is sensitive information, we go to a judge, we present our evidence saying there's actually evidence for crime here. You know, we're doing our job, we're making sure the
checks and balances are met, and they get this information. Other law enforcement agencies don't require a search warrant. They just go in and they get a subpoena, or they get a court order, or some of them say their policy is, well, it depends on the situation, we'll figure out what we need to do when it comes up. So this is an area where the Constitution might apply. We just had a big Supreme Court case earlier this year called United States versus Jones, but that was really just about sticking a GPS beeper onto a car, so the courts haven't decided whether the US Constitution requires a search warrant or not. So we're seeing all the local agencies make their own decisions, and it's a case where obviously location information can be extremely sensitive. You know, we see more and more research about what you can glean from someone's location. You can, you know, obtain their behavior, you can tell that someone's at DEF CON right now by their location, you can determine their associations and determine their interests. You can figure out whether they're going to church every Sunday or not, you figure out whether they're going to AA meetings that happen to meet every Tuesday or not. There's all sorts of sensitive information in location information, and we want that to be protected, but there isn't a standard, and local agencies are making the decisions about how to treat this kind of information.

There's another cell phone topic I want to touch on very briefly, because I'm already halfway out of time, which is data on cell phones. So as everyone here knows, a cell phone or a smartphone is a pocket computer. It happens to have sensors and actuators that let you make calls, but the reality is it's far more than that. It has your contact list, it has your location information, it has all the apps you're running, your browsing history, you know, it may be tracking some of your communications, and there's a very real question about how secure this information is, particularly in the context
of arrest. So different law enforcement agents have claimed that if they arrest someone they have the right to search your cell phone, because it's just like your wallet where you might be hiding your drugs, or it's just like your backpack where you might be smuggling a gun. This to us is kind of crazy, because you're not hiding a gun in your cell phone. Pretty clear. Yes, they're smaller now, it's actually, yes, probably you can make smaller guns now as well, but for the most part cell phones are not weapons, they're not, you know, containers where you store evidence. They are much, much bigger than that. And law enforcement, local law enforcement agencies are deciding in many cases whether or not they search, and when they're doing so it's not always coming up to the national level, it's not always coming up to everyone's attention. It's only happening at local levels, and unless the people who are living locally are paying attention and doing something about this, it tends to continue to happen. So, you know, part of my job, I work for the ACLU of Northern California, I work in California, one of my goals is to actually protect this kind of information, and we have a bill that we're passing that would protect location information from demands for all sorts of things. But other states are doing the same, but they can use support, they can use more people who really care about privacy, who understand how this information can be used. I'm already getting ahead of myself in my sales pitch, so I'll go back to what I'm looking at.

Again, location information. Another thing we're seeing a lot more of these days is automated license plate recognition systems. These are cameras with scanners that can read license plates they drive by. Now these can be a really good police tool if you think about: I have a list of stolen cars, and it's a legitimate list of stolen cars, and I just watch for the license plates they go by. That makes a lot of sense, that's a great tool to actually deter crime and
catch criminals. On the other hand, if your idea of what a license plate scanner is, is I watch everyone who goes by, I record their information indefinitely, maybe I sell it to a third party, maybe I stick it in a shared database because it might be useful later, there's a huge civil liberties issue there, because most people drive, most people's information can be collected while they're driving, they don't know what's happening, they have no way of paying attention and opting out of this service, system, whatever you want to call it. It's not much of a service to them. The same thing happens for things like toll records. And again, this is a place where states are making these decisions. They decide, when they have the system, how do they use it. They decide, when they have the system, how long they retain the information. Do they share it? Are they using it for this purpose only, or are they just kind of keeping it around in case they want it? Is there any kind of access control or auditing? Is there any kind of security on this data? You know, these are important questions, because this is sensitive data, and it's things that local groups, local law enforcement, state agencies, these decisions are made in DC, they're being made where you live, unless you live in DC, in which case they are being made elsewhere too. But so the issue here again is that this is a place where some law enforcement in some states are actually doing good things. So I picked on Washington a little earlier. Washington has a very strong law prohibiting reuse of toll records. So they delete toll records, they don't allow reuse, they have very good privacy protection. Not many other states follow that. Most other states, nothing's in the law, so people decide on their own what they're going to do with that. You know, it's an opportunity to push for better things.

And I'm going to hit one last topic that's been on my mind a lot lately, and it's a really good one for DEF CON, I think. So another topic that people have been on, have been
talking about lately is Facebook passwords. So when can your employer demand your Facebook password? Can your employer demand your Facebook password? Answer is no. That's a good answer. You know, when can your school demand your access to your Twitter account? If you're an athlete, can they demand that? So there are a lot of states that actually are concerned about this, and they're trying to do good things, and so they want to pass a law, and there are some states that have passed a law that says you can't demand someone's Facebook password. How many people in this room can think of another way to get to a Facebook account without demanding a password? Two ways, four ways, yeah, there are a lot of ways. This is a place where lawmakers actually want to do good things, but they don't think like hackers, they don't think like security people. They think about, oh, I've heard this one specific threat model and I'm going to fix it, and they don't think about, well, what's the issue? The issue is not the password. The issue is the account, the access, the credential, any kind of credential, whether it's captured rather than demanded, whether, you know, I tell someone to log into their account and then walk away, you know, whether I require them to otherwise disclose their information. You know, you don't have to give me your password, just print out everything on your Facebook account and bring it to me. It's a very, you know, expensive way of doing it, but would be perfectly legal if I can't demand your password. So this is a case where people actually want to do good things, you know, local governments trying to do good things. They're trying to protect privacy, they're trying to, in other cases, promote free speech, but they don't understand the technology, they don't think the way the people at this conference do, they don't really have the grasp of the issues, they don't think like a hacker to do it really, really well, unless you help.

So like I said, I'm really here for a sales pitch, and my pitch to you is basically
how can you think about helping your local law enforcement agency, how can you help your state government, how can you work on these issues in a way that can make a difference, that can help, you know, not just from the DC, from the big internet rallies and SOPA, PIPA and everything else. What can you do as an individual to actually engage and promote this? And there are a lot of different things you can do.

The first one basically is just pay attention. As I said, I'm surveying this because I know some of what goes on in the world. It's my job to pay attention to this. I still miss probably, I don't know what percentage I miss. I know enough to know that I miss a whole lot of what happens. You know, I don't know how many places have automated license recognition systems. We hope to find out soon, but that's something that's going on. I don't know how many schools have different policies, because I don't have the bandwidth to police every school, but it has happened to you, you can help people who care about this. You can help the ACLU, the EFF, FIRE, freedom of information rights, I can't remember if FIRE is acronym, but FIRE is a First Amendment in education organization. There are organizations out there who really need eyes and ears on the ground, who can help them figure out what's going on. So that's step one, is you can really pay attention to this and help bring it to other people's attention.

Part two is you can actually talk to people. Most people, in a lot of cases, they want to do the right thing, they want to try to make a good law, they want to have the right policy. You know, most law enforcement officials are not trying to invade privacy. They're trying to do their job, they want to catch criminals, they want to prevent crime, they want to protect people. When they're doing something with technology that they don't really think through the consequences, you can help them understand. You can actually go to someone who's in law enforcement and say, look, think about what you're
doing when you're downloading everything on a cell phone. Is this really helping people trust you, or is it making you seem even more suspicious? Is this building your relationship with the community? Is the information you glean going to be beneficial, or is it just going to cause more and more people to refuse to talk to you in the first place, because they don't want to be in any way involved with all of this? So there's a lot going on there that people can learn.

And going forward, we are always looking for help. We the ACLU, we the EFF, I'm a former EFF intern, I will not really speak for them, but they would happily take help as well, other organizations who work in this space, we need help. ACLU has an affiliate in every state, but some of those affiliates are two or three people. So the more people we have on the ground, the more people we have who are engaged in this, who care about this, who can support the work that we do, okay, who can find ways to really dig deep and, you know, dig into the technology, you know, whether it's focusing on one particular technology, you know everything about Stingray devices. Who knows what Stingrays are? Anybody here? Stingray? Stingrays are basically fake cell towers. Short version is you set up a Stingray device near where you think a criminal suspect might be, or where you're interested. You can't hear me? All right, sorry, I look up, I lose the mic. So a Stingray device basically allows you to make a dummy cell phone tower and thereby capture identifying information and possibly even communications from a cell phone in the vicinity. It's a great way to identify, you know, you don't have to even go through the cell companies, and therefore maybe you don't need a warrant or something else, and it's all constitutional. Well, we don't think so, but again, this is something that local law enforcement agencies are often making decisions about. There's a big story: Gilbert, Arizona decided they were so excited about Stingrays they wanted
to buy one. That's a half, it's a quarter of a million dollars for a municipality to buy their own device. You know, is this a good use of time and money and energy, or is this just invasive? This is something that people don't think about unless you really raise the issue with, you know, with your city council, with your local law enforcement, with others.

So there's a lot of things that can be done, and, you know, again, I'm scratching the surface. Different law enforcement agencies are taking DNA evidence and collecting information from anyone who's arrested. If you're not convicted of anything, if you're not even charged with a crime, that still stays in the database. There's all sorts of stuff going on with computer searches at the border, which local law enforcement is deciding what they're doing in some cases, as well as obviously the federal agencies. There's a whole lot of stuff going on that your local police, your city council, your state government is making decisions that really impact how technology works, and I'm just here basically to invite you to reach out to us, work with us, find ways to just pay attention. As you see something going on that's crazy, don't just roll your eyes at it. You know, talk to someone, talk to us, talk to EFF, talk to the people doing it. Tell them that, look, you're not really understanding what this technology does, you're not understanding how sensitive this information is, you need to think about the consequences. We care, and so should you. And if you're interested in that, then I'm glad, I hope you are, because you came here to listen to me. If you want to get in touch with me, please do. You can also stop by our table in the vendor area and learn more. And that's all I have, so thank you for coming, unless there are any questions, because I do have a few minutes, so I should have said that first.

One question. I did not. I was working at our table, and then I went in when I looked at the line, and then I went back to work at the table. Did anyone go
there? So I didn't hear that one. You know, I think the idea that they don't have the time to organize this, when their primary job is organizing information, is suspicious. I'll give a second example. I talked about our location privacy bill. We actually originally, in our California bill, we wanted to have phone companies report every year on how many requests for information they got, and the CTIA, which is the telecom industry association, wrote us a letter saying, "We don't have the time to collect and record information about how many demands we get, because we're working night and day with law enforcement to fulfill their demands." First of all, it's kind of suspicious, or kind of wrong, that CTIA is working for law enforcement and not for us, for their customers, protect their privacy. The other thing is that we know that part of working for law enforcement is billing law enforcement at the end of the day, which means they have a record of every time they bill law enforcement. So I think in a lot of cases, you know, the capability to reveal that data is there, and, you know, at this federal level, I'm very suspicious that they can't do it. State and local agencies, maybe not, because they may not design their systems very well. Again, the security issue, audit logs may not exist. There are lots of things that could be improved at that level that aren't there. But I think at the NSA level, I'm skeptical that they just can't do it.

Do I have time for one more? Sir, can you repeat that? The reference for that, it's SB 1434, it's authored by Senator Mark Leno. All right, time is up. Thank you very much.