So this is going to be a talk by Kurt Opsahl, who's an attorney with the Electronic Frontier Foundation, and, yeah, the talk is called "Through a PRISM Darkly." Give him a warm round of applause, please.

Thank you. Thank you very much. Thank you for coming out here; it's great to see so many people. I am Kurt Opsahl. I am an attorney with the Electronic Frontier Foundation. We are a nonprofit civil liberties organization dedicated to defending your rights online, and I have been involved in litigation against the NSA spying program since 2006. We've learned a lot over that time, some of it actually first coming out in 2005, a lot of it coming out this summer.

So we'll talk a little bit about what we know. We'll start out with the background: where the program originated, some of the code names, some of the spying laws that purported to enable the programs. We're going to talk about basically two types of programs: some which are purportedly authorized by law, from the Foreign Intelligence Surveillance Act Amendments Act, or FISA, and the Patriot Act; and then some which are not authorized by law but are done by executive order, which is just an order from the president to go do it. There's a particular executive order which deals with collecting intelligence around the world on people like you. And then finally we'll talk about fighting back: what we can do to stop the spying.

So, the background. After 9/11, President Bush unleashed the full power of the NSA, unleashed the Eye of Sauron, to look around the world and try and find everybody, all the time. The NSA had been operating under some constraints at that point. Some of those constraints actually were from the original Foreign Intelligence Surveillance Act of 1978, which came about after a number of scandals encouraged Congress to rein in the NSA. And they went ahead beyond FISA, ignoring FISA, with what was called the President's Surveillance Program. A subset of that program was later called the Terrorist Surveillance Program, and that first was admitted by the president in 2005. The TSP was actually a tautology: it was that portion of the larger program that surveilled terrorists, and so it enabled them to say things like "the TSP only surveils terrorists," because by definition any part of it that didn't surveil a terrorist wasn't part of the TSP. The TSP was done without any court warrants, without any of the legal authorities and niceties that generally happen in a rule-of-law type of government.

So why did they do it, or how did they do it? Well, the main inspiration came from the fortuitousness of having US companies sitting on top of the wire. This comes from one of the original PRISM slides that came out back in June, and it shows the paths of communications between various regions in the world and the amount of bandwidth. As you can see, the very large, wide orange lines are focused on the US and Canada, and what this means is that a lot of communications around the world, even if they're not going to and from the United States, even if they are going between two other regions, will likely pass through the United States, because that is the cheapest path; that is the one that is going to be the more efficient path. And that allows the companies who are sitting on the wire to look at what's going past.

So they started doing this program, and they were doing it for a number of years in super secrecy. So secret, in fact, that the legal department, the general counsel of the NSA, was not allowed to see the legal reasoning behind it. Very few people within the US Department of Justice were allowed to see the legal reasoning behind it. But eventually that broke down, and some of the people in the DOJ started to see the memos that explained why they thought this was legal. And there's actually a very interesting incident in 2004 where the acting Attorney General got hold of the reasoning, and there was one aspect of it that he just couldn't buy. And, you know, this is not a civil libertarian. This is a law-and-order, conservative, really ready-to-surveil kind of guy. But it was still too much, and it was that they had come up with a definition of "acquire" such that the process by which previously they didn't have it and then later they did have it was not an acquisition. This allowed them to get the stuff without acquiring it, and thus not have to worry about those laws that talked about what you had to do to acquire things. So he didn't buy it, and he refused to sign off on the President's Surveillance Program.

So at that time the White House counsel, Alberto Gonzales, decided, "Well, I'll go over his head." He was the acting Attorney General because the actual Attorney General was in a hospital with pancreatic cancer and/or pancreatitis. So they raced to the hospital, and this was actually done with sirens and lights, blowing through red lights to get there first. So Gonzales was trying to get the sick Attorney General to sign off on it, and Comey was trying to get there to prevent that from happening. Comey did get there first; the Attorney General did not sign off on it, and they threatened to resign if the program continued with this particular aspect. Eventually the program actually stopped going under that theory, and there was a gap for a couple of months until they developed a new theory for being able to obtain the same information. And we never found out about it, because people did not resign.

However, about a year later, the New York Times first revealed the existence of the PSP, and they focused on content collection: collection of the content of internet communications and telephone calls. This caused a lot of fuss at the time. This is when the president came out and said, "Well, there is a Terrorist Surveillance Program, but don't worry, it only surveils terrorists." We were already discussing what that really meant. And then in 2006 USA Today revealed the call detail records program.
That's the records of who you call, how long you spoke, when the call was. And they named several companies that were participating in it: AT&T and Verizon. And this is when, actually in that time period before the USA Today article but after the New York Times, EFF first filed suit against the program.

In 2007 they decided that they were going to say, "Okay, we'll put it under the FISA court," that's the Foreign Intelligence Surveillance Court. It is a secret court; we'll talk about that more in a moment. And then, to try to bulk up some of the legal problems, they passed the Protect America Act. This is part of sort of the American tradition of having these vaguely Orwellian names. That was a one-year extension, and then finally in 2008 they passed FISA, and that added some additional authorities, most prominently Section 702, which we'll talk about.

So as we go forward, a couple of code names to keep in mind. The original program, the President's Surveillance Program, was known as STELLARWIND, and you can think of it as having four parts. I've made a little grid here: on one hand you have either telephony or internet, and then they divide it into content and metadata, and within the grid you can see some of the databases and applications that that information goes into. Now, this does not mean that that's the only thing inside these databases; so MARINA takes in information from other sources as well, but this is where those things go into.

A couple of other code names to point out. There's one which is EVIL OLIVE. This is for geolocation; 1EF is "one-end foreign." So in order to help justify their program, they try and focus on one-end foreign, or at least one-end foreign, and they use EVIL OLIVE to do that. I like EVIL OLIVE because it has some neat characteristics: it's a palindrome, and it is also an anagram for "I love evil." So I think there are some people there who have a sense of humor. And then FASCIA. This is the location database of where you are. And FASCIA, it seems to be a reference to, well, it comes too close to the word "fascism," I think, to be really fair.

So BOUNDLESS INFORMANT was one of the programs, or one of the databases, that was revealed. This is a color map, a heat map, showing where the SIGADs are getting information. A SIGAD is a collection point. There are 504 SIGADs which are being reflected here, and this adds up to billions of pieces of information, and this is actually only showing it for a very short period of time. Now, as you might imagine, some places like Iran are in red, Pakistan in red; but as you can see, there are a lot of countries which are considered to be US allies that are getting more than just a little bit. You can see Germany there in orange. So too with the United States, the same color as China.

So here are some spying laws. There's the Wiretap Act; that was one of the first laws that we had in the United States to regulate when the government can listen in on your phone calls. That passed in the '60s, and it was largely for law enforcement. In the '70s there was the Foreign Intelligence Surveillance Act, which was born from some of the scandals that were discovered in the early '70s. In the '80s came the Electronic Communications Privacy Act, which was trying to modernize communication law to deal with email communications. The USA PATRIOT Act passed in the wake of 9/11; in particular, that had a Section 215, which turned out to be very important to their spying program. When that was passing, it was referred to as the "library records" provision. People were thinking that this was a provision that might allow the program to get records of what you checked out of libraries. Little did we know that it actually was far, far worse. The Protect America Act, this was a temporary measure. The FISA Amendments Act brought another section, Section 702, which we'll talk about, which is the rules about spying on non-Americans. And then also Executive Order 12333. That was an executive order actually signed a long time ago by President Reagan; it's been updated a few times since, but it provides the framework for spying outside of the legal frameworks passed by Congress.

So where we first found out about this came from finding out about a splitter that was in Room 641A of AT&T's San Francisco facility. Whistleblower Mark Klein came to EFF with some documents showing how the splitter was hooked up, where one copy of the light stream would go to the NSA and the other copy would go to its destination, and he even provided a photo of the room. You can see the room: the door has no handles; it was controlled access; you had to be approved by the NSA to get access to the room. Even to the point when there was a leak, and it was actually causing some damage to the rest of the facility, they couldn't get someone to go in there and fix the leak until they had gotten clearance, and it took several days to do so.

This graphic explains how it works in sort of simple form. You have all the nice people at the top; their communications go to the AT&T facilities; the splitter takes the light beam, makes two equal copies, one of which goes to 641A and the rest goes on. So how much are they able to get by sitting on the wires and putting in the splitters? Well, the NSA says, you know, it's not that much.
It's only about 1.6 percent of the world's internet traffic. But it is worth pointing out that that actually turns out to be a lot of information. First of all, only about 12% of the traffic is web, another 3% communications; almost everything is video streaming. And about two-thirds of those communications is spam. So you can sort of bet that the NSA actually has some of the best spam filter technology in the world. And even if we take them at their word and say it's only 1.6 percent, that's still 30 petabytes a day that they're ingesting, and that is just of the internet traffic flow. And as we know, they're also getting phone calls, call records, and location.

So where do you put all of that data? Well, that turned out to be a problem, and so they built this new facility out in Utah. This just broke ground one summer; they finished it up in September. It is about a 10,000 square meter server space. Various estimates have been given about the size of it; it could be up to 12 exabytes. It uses a lot of power. And so Brewster Kahle, you guys familiar with the Internet Archive, the Wayback Machine? Anyone? All right, it's a good service. They store a lot of data, and Brewster knows a lot about storing massive amounts of data, and he estimated that just for the US phone calls it would take 464 square meters to store and process that. That's a lot less than the total facility. So what is the rest of it? Well, it's all of your calls; it's all of the internet data.

And what do you do with all that data? Well, Risen and Lichtblau, two New York Times reporters, explained what they could do is comb through it in a large data mining operation. John Yoo, who is one of the legal architects working for the Bush administration, described it as plucking out the emails and phone calls that have a high likelihood of being terrorist communications. So this is what they're trying to do. And how do they do it?

Well, one of the ways they do it is by playing a little bit of a word game on what they're doing: holding without collecting. That is to say, they were able to say to a number of congressional committees, and in other statements, that they weren't collecting all of this information, and then they later had to sort of explain what that meant. So the Director of National Intelligence said, "Think of it like a huge library. To me, collection would mean taking the books off the shelf." Now, I don't think that's how most people would think of a collection. Like, if you went into a library and you said, "Wow, what a nice collection it is," you can sort of imagine that Clapper would have to say, "No, it's not; I haven't read all these books yet." When asked about how many Americans' data were in there, the Director of National Intelligence McConnell said, "We can't know. We can't know until we look at what's in there." And so it's sort of, if we don't look at it, it doesn't matter.

Instead they all sort of focus on what they are targeting. So this is a slide that is giving some of the numbers about the selectors for targeting, and you look at these numbers and they're fairly substantial numbers, 15,000, 19,000, but not supremely huge numbers. That is because what they're talking about is targeting; but when they are targeting something, they're hitting a lot more than their target. And so they try to minimize the scariness of it by talking about the selectors, when one selector can mean a lot of information.

So let's talk about FISA 702. This is the section of the law that passed in 2008 that is designed for getting the content of communications outside of the US, and they have two sources. You should use both: Upstream, and that's sitting on the wire, the fiber optic splitters we talked about earlier; and then PRISM, which was revealed this summer, and that is collection from the service providers. PRISM involves collection both through 702 orders and also through other means; they were gathered in there. We will talk about those in a bit. And it had some targeting and minimization rules. So one is that the statute said you have to be targeting foreigners, and so they interpret this to mean a 51 percent chance or more that something is foreign. And so if it's slightly better than a coin flip, then they assume it's foreign unless it's proven otherwise. So if it's unknown, if they can't figure it out one way or the other, then it's foreign. And then if they can't tell exactly what it is because it's encrypted, well, they'll just keep it around forever until they do.

And to get these orders, they go to the FISA court. Now, the FISA court, I've not seen it, but someone who has was helpful enough to make this drawing of its entrance. This is the secure door; you can see the hand reader there, and the pass code. The court meets inside a Faraday cage. It is highly protected. Right now it is in the court in Washington, DC. For a long time, actually for the first 20 years or so, it was inside the Department of Justice, so in the same building as the attorneys who were going to get orders from it. Then they finally sort of saw, "Well, that seems to be maybe a little bit too much; it seems like we're working too closely together, so we'll move it to a new building." It was established under the FISA Act, and in its original idea it was about spying on spies.
So, you know, other foreign intelligence agents, maybe diplomats, sort of the traditional notions of foreign intelligence. But its role was massively expanded, especially after 9/11, and it is now being used to do far more. They go in there, and it is basically a rubber-stamp court. They go in there, they provide the application; they have a phenomenal approval rate. It is an ex parte court. What that means is only one side gets to argue; they only get to see what the government has to say, without any counter-argument, and they tend to just believe what it says. Now, after some of the revelations this summer, the FISA court felt that it was necessary to sort of explain itself, and in doing so they said basically the court does not have the capacity to investigate issues of non-compliance. They don't know what it is doing; they're basically unable to provide oversight. Nevertheless, the government often points to this court as saying this is where we get the oversight.

Now, there are a couple of definitions within the Foreign Intelligence Surveillance Act that are important. One is the United States person. So this is what it is interested in protecting. It's not that interested in protecting you; it's interested in protecting US citizens or permanent residents, groups with substantial numbers of US persons, or US corporations. And then what it's trying to get at is foreign intelligence information. Now, that includes the things that you would sort of expect it to include: national security, terrorists. But it has another provision here: things that relate to the conduct of the foreign affairs of the United States. Now, as you might imagine, that is an extraordinarily broad definition; almost anything could relate to the conduct of the foreign affairs of the United States. And if you've listened closely to when the government is trying to explain what they're looking for and what they're doing, they will be using examples such as going after terrorists, including national security, but of course also including the foreign affairs of the United States.

So we talked before about how it had to be 51 percent or more foreign. So how do they figure that out? Well, here we saw the XKeyscore dashboard, and it has a handy pull-down menu where it has pre-selected reasons why someone might be 51 percent or more foreign, and all they have to do is select one of these, and then that is a pre-approved good reason, and then they move on. So you just go there, select the one you want, move on. It's very hard to make a mistake, because all of the answers are correct.

And then there are the targeting procedures. So here's an example of what they mean by targeting something. This is an example about Sweden, and what they targeted was everybody in Sweden who went to this particular URL. So you put in the URL in one field, you put in the country code in the other, push the go button, and now you have a targeted collection. One of the searches that was revealed in the document sort of shows how broad this can be. It was looking for communications that had the word "Ericsson," which I believe they were referring to the Swedish manufacturer and not just the last name, and the word "radio" or "radar." You can sort of imagine how many communications to or from somebody named Ericsson might have the word "radio" in them; but rather than miss any, they're getting all of them. And this is what they mean by targeting things.

Once they obtain the information, they process it. The slide is showing sort of how it goes. You can see some of the databases we mentioned earlier: MARINA, MAINWAY, NUCLEON. So it goes through these various processes and then ends up in the database where it can be retrieved later.

Now I'll turn to Section 215 of the Patriot Act. As I said, this was originally thought of as a library provision. It was to allow them to produce tangible things, and it had what was thought to be a restriction on how broadly it could be used: these things had to be relevant to an authorized investigation. It was imagined to be similar to a grand jury subpoena, which is sort of the typical process by which a prosecutor could get records from, you know, the phone company; they get one record about one person at a time. Then we saw the Verizon order, and the Verizon order showed what they meant by "relevant" was everything: all the calls of all the people, all of the time, all the information about them, dumped on a daily basis, with the order being constantly renewed every 90 days.

So that sounds like a lot of information, but hey, it's just metadata. So in the defense of the program, President Obama said, "Well, we're not listening to your calls; we're just sifting through so-called metadata." Like how he adds the "so-called" in there, to make it somewhat dismissive. They keep on saying, "We don't listen in to the calls; it does not include the content." But let's examine some of these explanations. One of them was, "We're not getting the identity of the people involved." Well, that's nice, but it's possible that the NSA has access to phone book technology and they can cross-reference things. They also said, "No location information under this program." More recently it was revealed that, well, under a different program... well, that's another story. They said, "Well, it's only a few hundred selectors." But then once they have each selector, they take it three hops, and so that's everybody you call, everybody they call, everybody they call, and so on, until one selector can be hundreds of thousands, if not millions, of people, depending on how frequently they call people, how many different people they call, over the years and years of data that they are collecting.

So they had some legal basis for this: the FISA court. Originally they approved it by basically saying, "Yep, looks like it meets the statute, go ahead." And then the program got revealed, there's a lot of public controversy, and only then did they issue an opinion that purported to have some legal analysis. The first opinion came out discussing some of the legal issues. They said, "Yeah, you know, relevance doesn't actually mean anything, so it was okay." And then some people pointed out, "Well, gee, you didn't look at the Supreme Court case, US v. Jones," which is the Supreme Court case that talked about how you needed a warrant to go after people and surveil them with GPS. So then they issued another opinion trying to deal with that. These are after-the-fact justifications, which they felt were necessary because of the public controversy, not a true analysis that began looking at it skeptically from the beginning.

When it came to an open court, things were a little bit different. We've now had two court rulings that have looked at it in open court: one good, one bad. So the first opinion found that it was likely unconstitutional, and then earlier this week there was another opinion that unfortunately went the other way. These are going to go up on appeal, and we hope that the right decision will eventually be reached.

So I'll take a moment to talk about why it matters. So they're saying, like, it doesn't really matter, it's just metadata. It's information about your calls, not the content itself. But actually, metadata matters a lot.
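The "selectors versus hits" point and the three-hop expansion described above, as an added worked example that is not from the talk or from any NSA document: a breadth-first walk over constructed call detail records, plus the upper bound on how many people a single selector can touch after three hops. The BFS rule and the record format are assumptions for illustration; the hop counts are computed, not claimed from any source.

```python
"""Contact chaining ("hops") over call detail records.

Added example, not part of the talk. Shows why the number of selectors
understates how many people a 215-style metadata query actually touches.
The records below are constructed (synthetic); treating chaining as a
breadth-first search over an undirected call graph is an assumption.
"""
from collections import defaultdict

# Constructed call detail records: (caller, callee, start_time, duration_s).
# No content here, only who called whom, when, and for how long.
CDRS = [
    ("alice", "bob", "2013-12-01T09:00", 120),
    ("bob", "carol", "2013-12-01T09:30", 60),
    ("bob", "dave", "2013-12-01T10:00", 30),
    ("carol", "erin", "2013-12-02T08:00", 300),
    ("dave", "frank", "2013-12-02T11:00", 45),
    ("frank", "grace", "2013-12-03T12:00", 15),
    ("erin", "alice", "2013-12-03T13:00", 90),
    ("heidi", "ivan", "2013-12-03T14:00", 10),   # never touches the chain
]


def build_graph(cdrs):
    """Undirected contact graph: one call links both parties."""
    graph = defaultdict(set)
    for caller, callee, _start, _duration in cdrs:
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def chain(graph, selector, hops):
    """Return {hop: set of identifiers first reached at that hop}.

    Hop 0 is the selector itself; hop 1 is everyone they called or were
    called by; hop 2 is everyone those people talked to, and so on.
    """
    seen = {selector}
    frontier = {selector}
    reached = {0: {selector}}
    for hop in range(1, hops + 1):
        next_frontier = set()
        for node in frontier:
            for neighbour in graph.get(node, ()):
                if neighbour not in seen:
                    seen.add(neighbour)
                    next_frontier.add(neighbour)
        reached[hop] = next_frontier
        frontier = next_frontier
    return reached


def reach_sizes(graph, selector, hops):
    """Cumulative count of distinct people touched after each hop."""
    per_hop = chain(graph, selector, hops)
    sizes, total = [], 0
    for hop in range(hops + 1):
        total += len(per_hop[hop])
        sizes.append(total)
    return sizes


def max_reach(avg_contacts, hops):
    """Upper bound on people touched if every person has avg_contacts
    distinct contacts and the contact sets never overlap (a tree)."""
    total, frontier = 1, 1
    for hop in range(1, hops + 1):
        frontier *= avg_contacts if hop == 1 else (avg_contacts - 1)
        total += frontier
    return total


if __name__ == "__main__":
    g = build_graph(CDRS)
    print("cumulative reach from alice per hop:", reach_sizes(g, "alice", 3))
    # With 100 contacts per person, three hops can bound close to a million.
    print("3-hop upper bound at 100 contacts each:", max_reach(100, 3))
```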
And so we have some examples here on how, well, if you just know when the call was, who you're talking to, what time, how long you spoke, you can get a great deal of information about the meaning of the communication. In effect, it may be easier to figure out what you're talking about than listening to the content. If you listen to the actual words people are speaking, they may be mumbling, there might be some static on the line; you have to sort of parse it. It's kind of a pain. But with metadata, you have some hard facts, and you can make inferences that can often tell you a lot more about the meaning of the communication than actually parsing the communications themselves.

So the final authority under this three-part system is Executive Order 12333. So this is an authority in some sense, but it is not a limit on spying. Unlike the Foreign Intelligence Surveillance Act, where it is trying to put some limitations and say there has to be the limitation in targeting and so on, it is not a substantive limit. It suggests you use the least intrusive collection techniques feasible; if something extremely intrusive is the least intrusive, well, then so be it. And it's okay so long as it's in accordance with procedures. So they can come up with procedures, and once those procedures are in place, then they've satisfied the requirements of 12333. And then also, helpfully, at the end of 12333 they mention that if there's any violation of it, there's no substantive right. You can't sue to say that this was unlawful because they violated Executive Order 12333.

So under that authority they do a couple of things. They do some bulk operations: so we found out about some of the phone call operations, 70 million calls in France, 60 million in Spain, apparently with the assistance of the French and Spanish intelligence services. They're using this to get financial records through SWIFT. SWIFT is the cooperative owned by several thousand financial institutions, so this is getting information about your credit card transactions and what you're spending and where.

But that wasn't enough, so they also needed to get some of the information from the internet providers. So we recently learned about the MUSCULAR program, and this was going into the data links between tech company data centers. If you guys have been to several of the talks here, you've probably seen this graphic quite a bit. It's a pretty good one. They point out where the SSL is added and removed, and add the little taunting smiley face. This smiley face, I think, has come back to bite them. It has been interpreted as a bit of a taunt by the companies, and the companies have responded by encrypting the links between their data centers, increasing the adoption of HTTPS by default, by using Strict Transport Security, adding forward secrecy. We recently did a survey, our crypto web report; that's shown there on the slide. The green check marks are for the companies who are doing some of these things. The column on the left is for encrypting data center links. There are a lot more check marks there than even when we started the survey, though there are some notable exceptions on there. You'll notice that all of the telecom providers, well, they have a lot of red marks and unknowns. I don't think that they're going to be pushing too hard for additional encryption.

We learned about the CO-TRAVELER program. This is the program by which they obtain location information from a wide variety of sources, and they automate guilt by association. So if people are traveling together, hanging out together, and they don't like one of them, then they now don't like the other one. And they look at the speed and trajectory of two people's cell phone patterns and then say, "Oh, they're traveling together." So, given where we all are, the cell towers around here have now added a lot of new co-travelers to their database. So sorry about that; you're now part of this program.

They also have started looking for disposable cell phones, which is one of the things that many people are trying to do in order to protect themselves from surveillance. Maybe if they're a journalist, they want to talk to a source, they start using disposable cell phones. Well, they're trying to make that more difficult. They're looking for phones which are being switched on, you make a call, you switch it off. And they're looking for situations in which you've been using a phone for a while, and then you stop using it, and then a new phone connects. So if you are going to be switching to a new cell phone, don't do it at the same time; leave the old one on for a while. If you're trying to avoid being tracked on a phone, leave the phone somewhere instead of turning it off and on again.

And then they have the targeted operations. So in addition to the bulk collection, they use some of the information obtained in the bulk collection to go after specific people. We know about them going after Chancellor Merkel's cell phone since before she was the Chancellor, using American diplomatic buildings. They have spied on at least 35 world leaders. And it also has been revealed that this is not just for counter-terrorism, not just for international espionage against adversary states, but economic spying on allies. And this comes back to the definition of foreign intelligence information, which includes anything having to do with the foreign affairs of the United States. So economic spying falls within that system.

They're doing man-in-the-middle. The great slide that came out from Brazilian TV: FLYING PIG, which was a program that was organizing some SSL certificates in order to basically get around SSL. They own the router, then do the attack. One thing that came out from FLYING PIG, I think, if you compare that with PRISM, it suggests someone in the codename department is a fan of Pink Floyd album covers.

We've also learned a bit more in the last couple of days about Tailored Access Operations, the TAO of NSA. This is where they are doing particular targeted operations. We've known about some of them: against the Mexican president's email, OPEC, others. One of the ways in which they are targeting is using the Google PREF cookie, the advantage being that almost everybody who uses a browser at some point in time is going to encounter some Google ads and get a Google PREF cookie. It is theoretically anonymized, but it is unique enough to have it become a point of targeting. And then once they have a target, they use the QUANTUM insert. This is a diagram of this; this is one of the ones that just came out yesterday, showing how the QUANTUMINSERT method works. When your communication is going to a website, they get in the middle. They are sitting on the wire, so they're able to operate faster than, in this case, the Yahoo server, get the tainted communication back to you, and direct you to the FOXACID server. The FOXACID server is then programmed to serve up the appropriate malware. Actually, the codename for the program that serves the malware is called the FERRET CANNON. So the FERRET CANNON shoots the malware which is appropriate for the circumstances. What they are trying to do is make sure that they don't burn too many things. So if they think that you're a sophisticated user, which they may think for many of the people in this audience, they're not going to put a sophisticated attack on there, in case you find it and then it becomes known to the world. Depending on the value of the target, they may use something which is a zero-day, or they may use something which is not that important.

And then BULLRUN. This is sabotage: inserting vulnerabilities, trying to make the cryptosystems upon which we all rely become, well, worthless, putting the "pseudo" in pseudo-random. So we have learned some pretty compelling evidence that Dual EC has been horribly compromised, and not only that, that RSA was paid $10 million to continue to have it be part of the standard. And then, apparently, in 2010, using the sabotage program, they were able to break through vast amounts of data.
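The race described above, where an on-the-wire box answers faster than the real server, has a defender-side consequence: the genuine reply still arrives, so a sensor near the client sees two server-to-client segments with the same sequence number but different bytes. The following detector is an added example, not from the talk or any NSA material; the segment records are constructed, and the "same seq, different payload" rule and the TTL comparison are assumptions about what such an injection looks like in a capture, not a documented signature.

```python
"""Flag injection races (QUANTUMINSERT-style) in a captured TCP flow.

Added defender-side example, not from the talk. Assumption: the injected
reply wins the race but the real server's reply is not suppressed, so the
client-side sensor records two segments at the same sequence number whose
bytes differ. An ordinary retransmission repeats identical bytes and must
not be flagged. The flow below is constructed, not a real capture.
"""
from collections import defaultdict

# One TCP flow, server -> client, in arrival order.
# n: arrival index, seq: relative sequence number, ttl: IP TTL on arrival.
FLOW = [
    {"n": 1, "seq": 1, "ttl": 49,
     "payload": b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/\r\n\r\n"},
    {"n": 2, "seq": 1, "ttl": 57,
     "payload": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hi</html>"},
    {"n": 3, "seq": 70, "ttl": 57, "payload": b"<p>more</p>"},
    {"n": 4, "seq": 70, "ttl": 57, "payload": b"<p>more</p>"},  # real retransmit
]


def find_injection_races(segments):
    """Return one finding per later segment whose bytes conflict with the
    first segment seen at the same sequence number.

    Limitation (by design of this small example): segments that overlap at
    different offsets are not compared, only exact sequence-number matches.
    """
    by_seq = defaultdict(list)
    for seg in segments:
        by_seq[seg["seq"]].append(seg)

    findings = []
    for seq, segs in sorted(by_seq.items()):
        if len(segs) < 2:
            continue
        first = segs[0]
        for later in segs[1:]:
            if later["payload"] == first["payload"]:
                continue  # identical bytes: ordinary retransmission
            findings.append({
                "seq": seq,
                "winner": first["n"],         # arrived first, reached the client
                "conflict": later["n"],       # arrived later with different bytes
                # A forged packet originates a different hop distance away,
                # so its TTL on arrival usually differs from the real server's.
                "ttl_delta": later["ttl"] - first["ttl"],
            })
    return findings


def describe(findings):
    """Human-readable lines for an analyst queue."""
    return [
        f"seq {f['seq']}: segment {f['winner']} beat segment {f['conflict']} "
        f"with different bytes (TTL delta {f['ttl_delta']})"
        for f in findings
    ]


if __name__ == "__main__":
    for line in describe(find_injection_races(FLOW)):
        print(line)
```

Run against real traffic this needs stream reassembly in front of it; the point here is the rule, not the capture plumbing.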
We still don't know exactly what that is, but it is, well, it's allowing them to look at things which seem to be encrypted on the wires.

They've also been very interested in going after Tor. The good news here is that Tor's fundamental security appears to be intact. They are going after the Firefox bugs that are with the Tor Browser Bundle, which uses Firefox. We actually have an example of this technique, that was revealed in the NSA slides, being used on Freedom Hosting, which was using a JavaScript bug to identify people who went to .onion sites that were being hosted on Freedom Hosting. When they were doing this, it was rather indiscriminate. Anybody who went to Freedom Hosting, whether it was one of the targeted sites which were serving child porn, or if it was somebody who was using it for an opposition site, an activism site, all of them got this bug, and they were used to track them back. And I think this is a little bit dangerous. This, the graphic at the bottom, is actually a modification that we made of the NSA graphic to show why this matters: it's very hard to tell the difference between a terrorist with the Tor client installed and an activist with the Tor client installed, but it's important not to treat them the same, and to realize that activists use and depend on Tor.

We've also heard from the government that there hasn't been any abuse. Heard that for a while, and then an audit came out finding that there were 2,776 incidences in one year of unauthorized collection, and this was just in the DC and Fort Meade area, which was one of, or two of, several NSA areas. One thing: this was not abuse. So somebody mistyped a country code; instead of putting in 20 to indicate Egypt, they put in 202, which is the area code for Washington, DC, and they got all of the communications in Washington. And this was deemed to be no big deal because it pertained to metadata.
So there were no defects to report. So when you hear the government say things about there not being massive abuse, remember that they might be doing things where they're saying, well, this wasn't the category of things that rises to the level of abuse, but you might not agree with what their standards are. It also reveals something rather amazing about the program: that you could actually have something happen by making a typo between 20 and 202. There's no further check. You put in 202, hit the return key, and off you go, without it saying, you know, are you really sure that you want to do this? This is putting tremendous power in the hands of analysts without much oversight.

And then another form of abuse that came out, that was cute because they even had a name for it, LOVEINT, where there were at least ten incidents where people were using their NSA superpowers to look after their ex-lovers and spouses and see what they were up to. And you might say, well, you know, ten incidents: it's offensive but not that many. But keep in mind that these are ten instances of self-reporting, ten times people came and told them that they had misused their powers. This is not ten incidents that they have found after thoroughly scouring what everybody was doing and then finding what was being done.

One of the things they're also using it for is discrediting radicalizers. So they look at what they call radicalizers and they look at things like their visits to porn sites, look at their online promiscuity, try and find things that will make their voice less valuable. And what they deem are radicalizers are people who speak to extremist communities. And so it's not so much that they are doing anything illegal themselves, but they might inspire somebody else to take some views that the NSA doesn't like, and they are using this to undercut their message. So what are we doing about it?
Well, one thing that we're doing is working on legislation and activism. EFF worked with the Stop Watching Us coalition and we got over half a million petition signatures delivered to the US Congress. It's myself and our activism director, Rainey Reitman, delivering those signatures in the US Capitol. We have been interpreting the meaning of both what the programs are and what the laws are for the public, so they can understand the bills. We've been looking at US law. So there are two bills currently that have prominence in the US Congress trying to address it. One is a fake fix from Senator Feinstein and Representative Rogers. It is designed to actually do nothing about the surveillance; sort of the answer to it being illegal is to pass laws to make it more legal. And the other, from Senator Leahy and Sensenbrenner, is actually trying to rein in the NSA. Those bills are going forward, so watch for them, and hopefully through the Leahy and Sensenbrenner bill we can get some improvements and get some US laws that will rein in the NSA.

But there's more than just the US laws. We're also pushing forward 13 principles for international spying. This is basically principles to be adopted by various countries' legal systems on when it is appropriate to conduct surveillance, making sure that it is only when it is necessary and only used in a manner that is proportionate. So please go check out necessaryandproportionate.net to read the principles. If you agree with them, you can sign. Over 300 organizations have signed on to it, and these principles have become the basis for a UN resolution. There are also some legal processes that have been going forward: Privacy International has submitted a claim to the European Convention on Human Rights, and the Organization of American States has been holding hearings.

But in addition to the... whoa, sorry about that. There we go. In addition to the legal and policy efforts, there are things that we can do with technology, fighting their technology with better technology. Now one of them here is HTTPS Everywhere. This is an EFF project, a browser add-on that you can use to make sure that any site that can be HTTPS is HTTPS. But there's a lot of work that still needs to be done, and hopefully some of the people in this room can work on these projects. I think most importantly is to make these technologies easy to use. So there are technologies that provide end-to-end encryption for phones, for instant messaging and text, but they're not very easy to use, and to make them so that basically anybody can use these technologies, in fact that everybody is using these technologies, and then try and make sure that we're adding additional encryption to data at rest, to data in transit. Looking, well, and we found out actually, if you went to Jake's talk this morning, we need to do a lot of work to secure things like our disk drives, our flash memory, our hardware. We need to shore up our crypto tools against sabotage. Take a close look at all the standards that have been promulgated by NIST. It looks like that process has been compromised, and we need independent open source tools that people can trust.
So, and there is a lot that you can do. You can start, and I think a lot of you are already doing this, by paying attention. There's a lot going on, a lot of information, but absorb that information, look at it, share that information. You all probably know somebody who knows a little bit about this and should probably know more. Also vote: make sure that your representatives know that this is very important to you, and they can put pressure on the US government to try and rein in the spying. And this is actually, we've already seen some of this: some of the governments, including Germany, have been putting pressure on the US to stop spying as much. And, well, hopefully, the economic pressure is really what's going to do it. Diplomatic pressure is nice, and I think needs to be done, but also what we're seeing is a lot of economic pressure coming from other countries, where it's affecting US businesses, and that's something that Congress does listen to.

Another thing that's very important to you is: use all of these tools. We want it so that these encryption tools, safety tools and anonymization tools are used by everybody, not just by people who the NSA is trying to target, but that we are all using encryption all of the time. Now, some forms of encryption are becoming quite commonplace, like Transport Layer Security, but end-to-end encryption is rare. So start using it, start using it more frequently, and get your friends to use it. And then finally, build the tools. Build the tools that are going to make a future that you would want to live in. We have a choice now of moving forward to a future which is going to be like a dystopian Philip K. Dick novel, or we can have a bright future, a future that has privacy, a future that has security. And you can build the tools to get to the future that you want. So thank you.

Okay, thank you very much for this very interesting talk. So we still have a lot of time for questions. We're gonna start with the internet. People in the room can line up behind one of the microphones and ask your question. Do we have a question from the IRC or Twitter?

Speaking at Orchicon in June, John Perry Barlow pledged the EFF would do more to fight for the rights of non-Americans. The question coming from the IRC now is: what, if anything, is the EFF doing to follow through on this promise?

So, I'm sorry, the question was fighting for the rights of non-Americans? Yes. Yes, indeed. So we have been working on, and I think probably most prominently is, the Necessary and Proportionate project: putting forth the 13 principles and organizing the 300 organizations to sign on to the principles, promulgating them to various countries around the world, and now also to the United Nations to get countries to adopt these principles. Also, we are trying to stop the programs through the court system, and if the programs stop then this will affect both ends of the calls. And so we're hopeful that by finding that these things are unconstitutional, that this can put a significant rein on the program.

Okay, microphone three, please. Yes, hello. Thanks for the great lecture, I loved it. One comment: when I read the name of the cell phone tracking program, FASCIA, some little history: when Benito Mussolini started his fascist work in Italy in the 1920s and 1930s, the name of their groups was Fasci di combattimento. You can read it in Wikipedia. So perhaps they've chosen this name by accident, perhaps not, I don't know. Well, okay. Two short questions.
Is there any evidence that they used their knowledge of everybody, of everything, to choose the politicians or managers they would like to have? Because when there is an upcoming politician who is perhaps against surveillance, or against America, against anything, they could just leak bad news to the media, for example which porn he watches in the night in his room. First question. Second question: the GENIE program. They spent 600 million dollars in 2011 to insert backdoors in hardware. Is there any evidence that they backdoor the BIOS or the firmware by default? In this case you don't need to care about any encryption, because you get all the keystrokes from the BIOS.

Okay, very good questions. On the first question, I have not seen evidence that the current program has been used to undermine people, except for the six people who were not identified but mentioned in, basically, the radicalizers that we were talking about before; but the slides did not identify who those radicalizers were. On the question of have they undermined it, there is unfortunate history. If we look back at J. Edgar Hoover, who was the director of the American Federal Bureau of Investigation for decades, he actually did get information about some of the more embarrassing materials about people he needed to work with, and is alleged to have used that information to obtain, you know, favorable budgets for the FBI and things that he wanted. So there is an unfortunate and dangerous history of that happening, but we haven't seen direct evidence that it has happened right now. And on your second question, about worrying about attacks on the BIOS: I don't know if you saw Jake's talk from earlier today, but it was revealing a lot of stuff about their misuse of BIOS and attacks on hardware. So I would suggest you take a look at that talk and the slides that were revealed in today's Der Spiegel. Thank you.
So, question from the internet again. One question coming from isi: how could an individual detect, or help to detect, censorship, if any, of any form, for instance on a broadband connection?

So, how can you detect censorship? Um, well, it's an interesting question. So I guess, if I'm interpreting this question correctly, it's: how would you know, if you are going across a broadband connection, that what you are obtaining is what you expected to obtain? And we can see from the QUANTUM INSERT that they can modify what you are receiving when you go out onto the web and give you back something which is different from what was originally planned to be given to you. And I guess the way to do that is by checking things through alternate channels. If what you're receiving is something different from what somebody else is receiving, then that may suggest that one of these things has been modified. So it's a way of detecting it. It is my understanding that for most of this, when they are injecting packets and giving things which are different from what you're intending, it's designed to be sneaky.
It's designed to not be detectable, and if you're changing what is being transmitted, then that is somewhat detectable. Though there's another form of censorship that is going on and is very unfortunate, which is the self-censorship of intimidation that happens when you know that your communications may be monitored, and then you may not go and get the information that you need. And this is why it's very important to use tools, tools like the Tor Browser; use encryption technologies so that you can go and get the information you need with more confidence.

Microphone number four, please.

Yes, um, I was interested about the programs that they have, like HTTPS Everywhere and stuff, so that maybe one day we'll have encryption by default. But I was also thinking, maybe wouldn't it be possible to just spam the NSA by having a daemon service running on my computer that's sending out emails with the buzzwords in there, and encrypting nonsense and sending it over, so the NSA will save it because it's encrypted? Are you working on such a program? Because I think at the beginning the people who are using it will be exposed, and so it would be good to have an organization who is running this at one point of time, so that many users join at the same time, and no one is really exposed to the NSA as an individual.

So I've seen a number of proposals along these lines, trying to basically overload the channels with the type of information you might expect that they are looking for. And one thing, I don't know if you saw the size of the Utah facility: they have a tremendous capability of storing data.
They have a tremendous capability of processing data, so it would take an incredible attack to have any sort of meaningful denial of service. So what we've really been focusing on is trying to do the first thing we were talking about, which is get HTTPS by default all over the place, all of the time. One thing is a project like HTTPS Everywhere, turning something which is optional HTTPS and making it by default through the add-on, and the other is putting the pressure on companies to make it the default. And if you go check out the Encrypt the Web report that I mentioned earlier, you can see a lot of check marks under "by default," and actually a number of those were changed within the last couple of months, were changed in reaction to what's going on. So I think sort of the better use of resources is to try and get as much encryption all the time, all over the place.

Microphone two.

Yeah, I've got two questions. The one thing is about economic pressure. So just to clarify, what you're saying is that in reality one should, for example, exclude Windows products from all international acquisitions on information-critical systems, as you should do anyway, so that they will not be able to sell it, as an example for economic pressure. And the second one: how about legal pressure, criminal legal pressure for individuals that clearly work outside the scope of the law? For example, shouldn't we all perhaps file criminal accusations in our national legislations and see if those anti-terror laws work in our favor for once? Yeah, as an activist proposal.

So, let me address these. Yeah, absolutely. So the first one, economic pressure, and I think actually this is the most effective. It's something that we know that the US government does listen to; it is concerned about the economics of the US companies. And one of the things that actually was extraordinary is we had a number of US companies, eight internet companies.
They signed a statement asking the government to stop the spying, I think in part because it was affecting their interests. And the sabotage program that the NSA has been doing is sabotaging these companies' ability to sell things around the world, because they trade: we have these products, they are secure, and then it turns out, in fact, they're not secure, they're backdoored, they have these problems. And that would be a reason why someone might not want to use these things. That will have, I think, a potent effect. Going after people criminally: I mean, this has been tried. There have been complaints that have been raised against members of the Bush administration stemming from both some of the earlier allegations, or, you know, earlier revelations about spying, and also about some things having to do with, like, the Iraq war and so on. This hasn't had a substantial effect on policy so far. Thank you.

Okay, thank you. One more question from the internet, please.

What do you actually think about efforts like GNUnet to solve the fundamental problem of unencrypted-by-default internet traffic?

So the question is what do I think about... sorry, say that again?

What do you think about efforts like GNUnet to solve the fundamental problem of unencrypted-by-default internet traffic?

So I'm not familiar with GNUnet. Um, I do think that on the whole we want to have it be the standard that all internet traffic should be encrypted. Right, the internet was built in a time when it didn't seem that encryption was a, you know, necessary feature. It was an additional feature. But it should become a default feature, and we should try to change the standards to include encryption as a basic feature of communications.

Okay, then one last question from microphone three, please.

Hi, um, so you mentioned a bunch of, um, very nice examples where legal terms are reinterpreted in ways that don't make very much sense, like for example when you said they acquire data without using the word "acquisition" and stuff. Um, so my question is, um, why do they even come up with these pseudo-legal escapes that every reasonable person would think are, um, illegal? It's just that they have an excuse once things become public, which they weren't supposed to anyway. So why did they prepare for the excuse? So what is all this legal framework for? For example, my expectation would be that the NSA, or the agencies in general, just do the stuff they want to do. And, um, of course, then the next question is: is there more stuff outside that framework that's not pseudo-legally, um, allowed and still done?

Well, so it's a good question. And so, why play the word games? There's a couple of reasons to play the word games. One is internal and the other is external. I'll look at two of them that we talked about: one was acquisition without acquiring, and the other was sort of collection without collecting. Um, I'll start with the collection without collecting. This was used externally, so that when they testified before Congress they could say things like "we're not collecting this, we're not collecting that," when in their heads they were secretly meaning by "collecting," you know, this crazy definition. And then the senator or representative who was asking the question was thinking that they were meaning collection in the ordinary sense, and so really they weren't doing this thing that they were in fact doing. And so, later when it came about, they could not be brought up, you know, saying they lied to Congress. And so there was, you know, there was one incident with the Director of National Intelligence, Clapper, where he kind of got into a bad way, where one of the senators asked him a very direct question about getting the information on phone calls, and he denied it, and then it turned out that that was happening. But by and large, they're using these word games in order to be responsive but without giving the information that is really being sought.

But then you have the acquisition without acquiring. Now this was done in secret. This was part of a secret memo that was only reviewed by a very small group of people. And the reason, I think, for that is because, believe it or not, there are still some good people out there, even within the government, people who need to see an explanation as to why this is legal. Even if they are not morally opposed to the surveillance, they do believe in the rule of law, and those people need to have this sort of explanation. And they tried to do this in two ways: by coming up with the, well, BS explanation, and then keeping it secret: "Don't worry your pretty little head about it, we have this secret explanation, that's all good." And then one thing that is useful about that is that, hopefully, some of these people, the ones that are good, who do care about the rule of law, are now starting to see alternate views about what these are, alternate views about the legal analysis. It might be saying that, hey, what we were doing was wrong, what we were doing was beyond the law. And then remember that the oath that they took was an oath to the Constitution, was an oath that respects free expression and respects privacy.

Okay, thank you very much for your talk. Thank you, everybody.