All right. Thank you, everybody, for coming to the Ask the EFF panel. It's so great to see so many people here filling up this room. We are the Electronic Frontier Foundation. And it's always a pleasure to come here to DEF CON. There are so many people who have been great supporters of us here and so many people who are doing interesting things that lead to interesting issues, trying to help make the world a better place, and we really also enjoy helping defend the people in this community. No arrests so far, and we're going to hope that for the rest of the weekend. So I'm Kurt Opsahl. I'm one of the attorneys at the Electronic Frontier Foundation. I do work on the Coders' Rights Project, which is designed to try and make sure people understand what their legal risks are when doing security research and talking about it. I also work on some of our other stuff. What I'll be talking about a bit is the NSA surveillance and some of the recent revelations and what EFF is doing about it. What we're going to do is we're going to go down the line here where each of us will talk a little bit about some of the projects that we're doing and introduce ourselves. And then after we have that sort of brief introduction, we're going to turn it over to you to bring up your questions. There is a microphone over on this side. So if you have questions, you can just line up in front of that microphone and ask them. A couple of things I wanted to say about the kind of questions. We're happy to talk about a lot of the legal and policy issues that we do, our technology projects and such. But this is not the forum to ask for legal advice. We do provide legal advice to people, but that is something that is best done in a confidential setting. And this is not only not confidential because of all you fine people who are here, it's also being recorded for posterity. So it's really not the right place for asking, you know, "Here, I did this thing last night. Was that legal?"
All right, so let me just begin with just one of the things that EFF is working on that I've been part of. And that is about the NSA warrantless surveillance program. It's been a little bit in the news lately. Some of you may have read about it. And we've actually been working on these issues for quite a long time. In 2005, The New York Times published some reports about a warrantless surveillance program that was rebranded by the Bush administration as the Terrorist Surveillance Program, at least part of that. The following year, USA Today published some reports about a program to get the call detail records from various telecommunication companies. And we actually have, based on the information that we learned at that time, a case that we brought representing some people against the NSA and the government to try and stop the surveillance. And that was called Jewel versus NSA. And that has been going on in the courts for years now. But we have recently had a little bit of good news there, which I'll get to in a second, but I also want to say there was a second case that was brought about last month. That was First Unitarian versus NSA. So in the Jewel case, the government put forward the state secrets privilege. They said, hey, this has got some secrets to it that prevent it from being litigated. And so we can't allow this case to go forward. And they brought up a number of other defenses. And what we have said is that under the Foreign Intelligence Surveillance Act, there is a procedure set out by Congress, after the Church Committee found a whole bunch of misuse of surveillance powers, to determine the legalities: have a court rule about whether what it is that they're doing is or is not legal. And that's the procedure that trumps the state secrets privilege. So this case has gone up and down in the courts. We lost an initial round, went up to the appeals court, we won the appeal, went back down to the district court.
And last month the district court said the case can go forward. We can go through this under the Foreign Intelligence Surveillance Act. And so that case is ongoing. We're going to see whether the next move from the government is to appeal that or to move forward in the district court. After some of the more recent revelations that have confirmed a lot of the stuff that we had seen before, but provided something special. I assume that most people here have been paying a fair amount of attention to some of the stuff that's come out in the Guardian. One of the things that came out was a copy of an order that was for Verizon to hand over all of the records. And this was the call detail record. These are who you called, how long you spoke, and sort of the time of the call. And it was for all of them, not just one end foreign, not purely foreign, but also all the way down to local calls. And on a daily basis they would turn over to the FBI to hand over to the NSA, or more or less directly to the NSA, this database, the previous day's calls, and then it would be added into the pool for analysis of contact chains. Basically this is a kind of taking the metadata. The government will say, oh, it's just metadata, it's not a big deal. But metadata is a big deal. It shows who you call and that can reveal a tremendous amount about your relationships. It can reveal a tremendous amount about you. If, you know, all of a sudden you're making a lot of calls to a doctor, that says something about your health situation. If you are calling certain representatives or political groups, it may say something about your political affiliation. There's a lot that it says about you that doesn't require them to listen to the content of the call. So this is very important information. It's very sensitive.
The new case that we filed last month, First Unitarian versus NSA, was a collection of 18 different political advocacy organizations, church groups, people who have a right of association, a right to get together with other people who are like-minded and try and act together. And this comes under the First Amendment, where a lot of the other litigation about the NSA has been under the Fourth Amendment. Because that's exactly what the call detail record program is about, is trying to find out what the associations are. And cases have found that indeed that is a First Amendment right. You can organize, get together with like-minded people, try and do collective action without having the government know everybody who you're connecting with. So that case was filed last month. It's just in the beginning phases, but we're moving forward on a new angle. So that's a very brief summary of some of what we're doing on the litigation front for NSA. And with that, I'll turn it over to Eva.

All right. Hi, my name is Eva Galperin, and I'm a global policy analyst for the Electronic Frontier Foundation. I understand that those are three words that can mean just about anything. I work on EFF's international team. There are five of us. EFF is a relatively small organization, and we have a reasonably large number of lawyers who specialize in litigation within the United States. But in the meantime, the internet is global, and so are we. So it's up to the international team to cover the rest of the world. So that's a little exhausting. And in some of these places, rule of law is relatively strong. And so we can pursue our protection of the internet through policy venues. We can fight bad laws. We can go to the European Parliament. We can fight secret trade treaties like TPP and ACTA in this sort of policy space. But a lot of my favorite work happens in countries or working with people who are located in places where the rule of law is even less strong than it is in the United States.
And you really cannot pursue the goal of internet freedom through policy venues. And instead, you have to go through this sort of process of helping users to protect themselves, often using technical tools. So I spend a lot of time talking to journalists, especially independent journalists in countries where the mere act of independent journalism is almost indistinguishable from activism. Simply having your opinion and publishing it about the news is an act of activism in many countries. So I talk to a lot of terrified journalists and I talk to a lot of terrified activists; sometimes it's difficult to tell the difference. And I spend a lot of time advising them on best practices for protecting their security and privacy and talking about sort of their rights as they travel around and try to publish the information that they have. So in a lot of ways, I rely on you guys, because the only way to really understand best practices is to understand what the threats are on the internet right now and what kind of threat models people are looking at, and what both governments and individuals are capable of doing when it comes to compromising people's privacy and security. So I follow the hacker community very, very closely. This is my seventh DEF CON, not in a row. I think the first one that I ever attended was in 1998. It was a much smaller room. So one of the things that I wanted to talk about really quick was, while most of the people here are going to be talking about what they can do for you, I'm going to talk a little bit about what you can do for me. The biggest project that I was working on last year was the project in which we were finding, documenting, reverse engineering and then writing up the reports on Syrian malware which pro-Syrian government forces, forces sympathetic to President Assad, were deploying to spy on activists throughout Syria.
The idea being that even if you're using encryption, they would surreptitiously install a rootkit on your machine, therefore bypassing all of your precious, precious encryption and all of the good advice that I could possibly give to Syrian activists. So we spent a lot of time tracking down this malware, reverse engineering it and writing up reports. We had those reports translated into Arabic, because there's no point in writing them if they can't be read by the people who are being targeted. And this was actually very successful, and as a result I have terrified activists coming to me with more malware from all over the world, from places like Ethiopia and Vietnam and occasionally China, though there are a lot of people who reverse Chinese malware. And so what I really need from you, show of hands, who here reverses malware? Anybody? Anybody? I see some hands. I need you all, and over here. Yeah, so I need you all to come talk to me after this talk, because I have more terrifying malware than I have reversers, and this is where I go to pick up more reversers. So I desperately need your help. I am here to answer questions about anything involving the rest of the world, including Julian Assange. I can talk a little bit about Julian Assange. We'll do the questions at the side afterwards. So yeah, Julian Assange, Edward Snowden, ACTA, TPP, China, Iran, all kinds of terrible malware, Gamma, FinFisher, U.S. companies selling to authoritarian regimes in Turkmenistan. So that's what I do, and if you have questions about that, I'll be happy to answer them later.

Hi there. My name is Marcia Hofmann. I was a senior staff attorney at the Electronic Frontier Foundation for a long time. I was there for seven years, and I left just a couple months ago to start my own little private practice focused on technology law, very specifically privacy issues, copyright issues, hacking and security related things, free speech.
And I remain involved with EFF as a fellow. And so that's why I'm here on this panel today, because I'm still an EFF fellow. And I also became an EFF member last night for the sole selfish purpose of getting the totally amazing rockin' EFF DEF CON t-shirt. I don't know if you've seen the new one, but you should visit the booth and check it out. It's really amazing and fantastic. I love it. So I wanted to talk to you today about a case that I became involved in while I was still at EFF, but when I left I remained involved in it, and EFF is also involved in it, so we're partnering on it. This is a case some of you may have heard about. It's called United States versus Auernheimer. How many, just show of hands, how many people have heard of this? Okay. You may also know it as the Weev case or the iPad Hacker case. Does that ring any bells? So let me tell you what happened in this case. There's this guy named Daniel Spitler. And he notices something interesting about iPads a few years ago. Specifically, what he notices is that if a person has an iPad and wants to go set up a data plan on that iPad, then the person goes and visits the AT&T website using the browser on the iPad. And when they visit the website, they see a pop-up window that has, pre-populated in the pop-up window, the account holder's email address, and then the account holder is supposed to type in the password to get into the account. And he notices that when you see this pop-up window in the browser, in the URL there is a number. And he recognizes that this is an ICCID, which is a unique identifier associated with the SIM card of the iPad. So basically what was happening was the AT&T servers were recognizing that this is this particular iPad. AT&T knows that this iPad is associated with this account holder, so then they pre-populate the email address. And he says, oh, well, I wonder what happens if I change that number? What if I change one digit? And boom, there's a different email address.
And so he wrote a script that basically just iterated through the ICCIDs in the URL and managed to harvest about 140,000 email addresses this way. And then while he's in the process of doing this, he goes online and he tells some of his friends there, oh my God, I just figured out that AT&T does this thing and I wrote this script and I'm harvesting this stuff. And one of the people that he was speaking to about this is this guy named Andrew Auernheimer, who's also known as Weev. Weev says, well, we should see if in that list of email addresses there are any reporters, and we can tell them about this and maybe they'll write about it. So they identify several reporters, including a Gawker reporter, and Weev sends them an email and explains the situation, frankly, in rather provocative terms to attract attention. And then Gawker published a story about it. And both Spitler and Weev were then indicted on two felony counts each: conspiracy to violate the federal Computer Fraud and Abuse Act, and identity theft. So basically the government's argument for the violation, the conspiracy to violate the Computer Fraud and Abuse Act, was that Spitler's script, his access to AT&T's servers, amounted to unauthorized access to protected computers. And I think that this is a really concerning interpretation of the law, because this is information that AT&T published on the Internet. It was hidden, but there was no barrier in place to protect that information. There was no password, there was nothing. AT&T basically just hoped that people would never notice it was there. And so what ended up happening was Spitler cooperated with the government, testified against Weev, and in November, Weev was convicted on two felony counts, sentenced to three and a half years in prison, and ordered to pay AT&T $73,000 to compensate them for what they needed to do to rectify the situation. And we are in the midst of appealing this case. EFF is on it. I'm continuing to work on it pro bono.
We're joined by Orin Kerr, who's a very well known and respected computer crime professor, and Weev's trial counsel, Tor Ekeland and Mark Jaffe, and we're partnering to appeal this to the Third Circuit Court of Appeals. We filed our opening brief in July, July 1st, and the government's opposition will be filed in just a couple of weeks. And so that's kind of the deal with that case. And if you have questions about it, of course I'll be happy to discuss, or any number of other things that you want to talk about. Thank you.

Hi, I'm Mitch Stoltz. I'm an attorney at EFF on the intellectual property team. And I apologize in advance for the effect of a very old kind of malware known as a head cold. So bear with me and I will keep this brief. I work on cases where intellectual property laws like copyright and patent, although I'm less of a patent expert, and some other random laws interfere with freedom of speech, freedom to build, freedom to tinker. And I'll just quickly mention two things that are, you know, probably really current issues and probably of interest to some of the people here. One is the Digital Millennium Copyright Act. This was a law passed 15 years ago. And part of it is a federal civil and criminal ban on breaking what's commonly known as DRM, so digital access controls on copyrighted works. From the start, we think it was a bad premise, because with a few generally not that useful exceptions, it is illegal to break DRM, even if you are breaking it for an otherwise legal purpose. Now, there are some exceptions, but those exceptions are hard to use for the most part. They protect certain people and not others, and there is a process where the Library of Congress can pass new exceptions every three years. The problem with those is they're generally very narrow and they only last three years.
What happened this year, a couple of things that were interesting in the last three-year cycle, which began in 2009: beginning in 2009, EFF asked for and got an exemption for jailbreaking smartphones, a declaration of shield against lawsuits for people who want to install unapproved apps on a mobile phone device. And at the time there was another group, actually this was EFF at the time, that also got an exemption for unlocking, that is, for modifying a smartphone to use it on a different wireless network, a different cellular network. What happened this year, we successfully renewed the exemption, sorry, in 2012, we successfully renewed the exemption for jailbreaking, but the Library of Congress decided not to renew the exemption for unlocking. This was really strange to a lot of people, and the way it was reported in the press, mostly accurately, was the Library of Congress says that unlocking your phone to switch carriers is now illegal. Maybe not true exactly; a couple of courts have gone one way, a couple of courts have gone the other way. There is no connection to protecting copyrighted works here, which was arguably what this law was supposed to do, but some of the major cellular networks, the cellular carriers, have claimed and continue to claim that if you unlock your phone or if you hire someone to unlock your phone without their permission, that they can sue you and that there may even be criminal penalties. This is separate and apart from your contract. Obviously if you break a contract, usually you have to pay an early termination penalty; this is something everybody understands, it's a bargain that you make when you sign up for mobile phone service. This is on top of that: the claim that because of this law that was supposed to protect and restrict, for example, the encryption on DVDs, because of that law you can't change carriers without the current carrier's permission. Really fairly ridiculous.
Now there is a bill going through Congress, just passed out of a House committee last week, that would fix in a very narrow way this very specific problem about phone unlocking, but only for the next two years and without getting at the deeper problem, which is that this law is used as a club to stop and to punish lots of things that could be called circumventing a digital access control. Going beyond just protection of copyrighted material, movies, music and so on, books, to really being yet another kind of anti-hacking law that gets used as a club. We are looking for ways to hopefully get Congress to fix this law in a more really comprehensive way, but in the meantime we continue to ask the Library of Congress for exemptions. We are interested in hearing people's stories about how they, and in what circumstances do you need to circumvent or undo or avoid digital access controls, and if you have ever been legally threatened for those things, those are things that we would be interested to hear about in private and confidentially, or if you have thoughts about that law. And the other area that I will mention briefly is patent trolls, which has been a really big area for us this year and for the country. We have seen really strong statements out of the White House, a lot of sectors of the digital technology economy, about patent trolls. Now what are patent trolls? There is not a really widely accepted definition, but generally speaking we are talking about companies that don't build or produce or sell things; they simply own patents, excuse me, and sue over them. The really damaging ones are in the information technology space and in the internet space. So for example, recently there is a company that has been threatening bloggers with patent infringement lawsuits because they claim to own a patent that covers some really basic aspects of web publishing, things that have really been done for over a decade.
Excuse me, what was the other one recently, it will come to me. There are a number of things that are being done and a number of things that EFF is doing. Now we just launched a site called trollingeffects.org where we are trying to collect the legal threat letters that people have received from patent trolls or likely patent trolls, to see if we can develop a picture of who is doing this, what patents do they actually own. It's hard to tell who owns what, because they tend to use shell companies and, if you will, false identities when they send these demand letters, but if people send them to us at trollingeffects.org, we will be able to hopefully get a picture of who is doing what, and it can be a resource for people who get a threat letter to figure out how legitimate it is, whether this is a company that's likely to actually sue, and so on and so forth. So again, we are interested to hear from you how patents on software, patents on protocols, patents on communications technologies, et cetera, have affected you. And I'll leave it at that.

Hi everyone, my name is Dan Auerbach. I'm a staff technologist at EFF. We have a team of four technologists, and part of my job is to provide technical support for the organization, in terms of if someone wants to know what's an IP address or how does network address translation work, or these sorts of questions, I give that information to our legal team and activism team and to journalists. But today I wanted to give an overview of the other aspect of what we work on, which is we have a bunch of tech projects. A kind of theme of our tech projects is encrypting the web. So this is kind of a mission that we have at EFF to try to encourage the adoption of HTTPS and the use of HTTPS as much as possible. And we've been encouraged with recent news based on the leaks, the NSA leaks, that encryption does seem to work. The NSA doesn't have some sort of magic ability to decrypt things, which is great news, and it means that we really need to deprecate HTTP.
We need HTTP to become to HTTPS what Telnet is to SSH now. And so towards that end we have a project that we launched in 2010 which is called HTTPS Everywhere. It's a browser extension for Chrome and Firefox. This is probably our most visible project. And the way this works is there's just a giant list of rules, and your browser understands that some websites offer an HTTPS connection but don't do it by default. And so HTTPS Everywhere encrypts those connections. It recognizes, hey, this is a website like Wikipedia, until today, I believe, which by default was over HTTP, but with our add-on it would encrypt that traffic. So that was kind of our first foray into this area. But then we started noticing, well, HTTPS is great, but PKI, public key infrastructure, the certificate authority system, seems really problematic. And so what we did next was this project called the SSL Observatory, where we did a scan on port 443 of the entire IPv4 internet and we collected all the security certificates. And with that we made a map of the existing certificate authorities and the relationships between them. So some certificate authorities are root and they're trusted in your browser, others are intermediate, some certificates can be cached by the browser even though they're not explicitly trusted. So it's kind of this messy world of how certificates are handled. And for people who kind of follow this issue, it's well known that PKI is pretty broken and that we need to fix it. But the Observatory was kind of a tool that we tried to use to study this problem. We also have something called the Decentralized SSL Observatory, which, for HTTPS Everywhere users on Firefox, you can opt in to sending us the certificates that you see as you browse around the web. And so this is a way for us to detect attacks. So for example, if your browser thinks that it is seeing a valid certificate for Google.com, but we notice, whoa, this is very different than a lot of the other certificates we're seeing.
We'll be able to warn the user about that. And we also will be able to kind of get some more information about how certificates vary from region to region and how web servers generally deploy their SSL certificates. So that's kind of some of our projects in the vein of encrypting the web. But we also have other stuff we work on too. So another area that we've been kind of investigating lately is the issue of non-consensual tracking on the web. So 10 years ago, when you visited a site like the New York Times, your browser loaded resources mostly just from the New York Times. Now if you inspect when you load the New York Times and you open a debugger to see all the resources you're loading, it's from maybe dozens or hundreds of different companies, many of which are kind of invisible third party trackers which are amassing browsing histories of users. So we think this is really bad. People don't know about it and it's happening more and more. There is an effort called Do Not Track which was supposed to help mitigate this problem. But unfortunately the W3C Tracking Protection Working Group, which I'm on, has stalled quite a bit. And so users are left with a few different options. They can install an ad blocker, which I'm sure many of the savvier people in this room have already done. But advertising does form a significant portion of revenue on the web, and we don't think that you should have to block all ads in order to stop tracking. So what we did is we are building a tool which is actually an experimental Chrome extension which you can download now. It's called the EFF Tracker Blocking Laboratory. And so what we thought we would do is add to the ecosystem of blockers by, instead of having a list-based blocker like most blockers today, if you use Adblock Plus or Disconnect or Ghostery, there's kind of a manually curated list in a central crawl. What we're doing instead is it's a heuristic-based blocker.
So from within the browser, as you browse around, we notice this domain seems like it's tracking you and we block it based on that. This is very experimental, but this is a direction we're going to try to add to the ecosystem, so that we can hopefully eventually land a feature like this in browsers, so that we can start to fight back more against this non-consensual tracking. And then finally we have a project to promote open wireless access. So we are trying to make it easier for people to provide open wireless guest access with a de-prioritized, sorry, with a second wireless LAN that's de-prioritized so that your bandwidth isn't affected. And we're trying to think about how to build security properties into that open wireless solution. It's actually the case that WPA2 doesn't provide much security, especially at a conference like this. It's essentially an open network, because everyone has the password. So we're looking at ways to get WPA2 kind of equivalent security for open networks. So that's just a little overview of some of our tech projects, and if you have any questions about any of those, I'm the guy to ask. Thank you.

Hi everyone, I'm Mark Jaycox. I'm a legislative assistant for EFF working for the legal and activism teams. And that involves working with and dealing with Congress and legislation, and also blogging, helping out running coalitions and things like that. I'm going to give probably just a quick overview of my year, with what we've been doing and what we've been working on. And so the year kind of started off with CISPA, which is the Cyber Intelligence Sharing and Protection Act. And before the leaks, this was a law that granted broad legal immunity for companies to bypass privacy laws and to share a lot more information. So we started off the year with that. Congress year after year has continuously pushed cyber security, really online security, network security bills. All cyber talk has taken over Washington D.C.
They often, at least the language they offer, is not very technical. The terms are always pretty bad. And so we started off this year with the House debating this issue and kind of arguing for these massive exemptions. And over the course of a few months, you know, we had a very large campaign to combat this bill. And it was one of many bills that comes back every year. And so this was in the House. We created, you know, the "CISPA is back" campaign, as kind of the zombie bill that comes back. Last year we had defeated it. This year in the House it had passed. But we ran a pretty successful campaign, with numbers we haven't seen since the CISPA campaign. We had, you know, over 100,000 signatures against this bill and a very good showing of Congressmen coming out against this bill. And it was such a good showing, and we were able to do such a good job with the help of the community, that the Senate, you know, saw the bill, looked at a lot of our critiques and agreed with the massive privacy invasion that the bill had. They also agreed that it wasn't the right way to really deal with online security or network security when it comes to the federal government and private companies. And so the year kind of started out with that. Fortunately, they have kind of stopped pushing these types of bills so far; we'll see with the recent leaks. And it segued, we moved on and segued into CFAA reform. So, the Computer Fraud and Abuse Act. And for the past, you know, from probably January until June, EFF along with Stanford and CDT and Demand Progress has been pushing for CFAA reform, especially in light of Aaron. And it was a really big issue and it was really important to us; it's important to the community.
And so we have this coalition, a pretty broad left-to-right coalition, and we spent, you know, many months putting the pressure on Congress, creating a campaign from a wide and diverse set of individuals to change the Computer Fraud and Abuse Act, to decrease the penalties in it, to clarify the law so that it can't be abused and it's much harder to be abused by the Department of Justice and by companies. And to make sure that it's actually used for its original intent. Right now, the CFAA on the civil side tends to be used a lot more for trade secrets than for protecting against hacking. And that shouldn't be the case. And so after many months, about a few weeks ago, actually four weeks ago, three or four weeks ago, Zoe Lofgren, Jim Sensenbrenner, and Senator Wyden introduced Aaron's Law. And so this is a law that decreases some of the penalties, doesn't allow the government to bootstrap multiple penalties to jump up the prison time, and clarifies and incorporates the two better judicial decisions that are out there in the Ninth and Fourth Circuits. And so right now this is one of our major campaigns that's going on. And we actually have a phone booth that we brought that's in the contest area that is a direct line to Congress, so you can call up the Congressional switchboard, ask for your rep and give them your mind and speak to them about it. Because if anything, I mean especially with these bills every year, and kind of how DC has been for a while, but it's starting to get right in our faces, it's time for the community to really push back and it's time for the community to engage with them and tell them what's up. And so that's one of our bigger campaigns. We have this, it's a pretty cool 80s phone booth that we have. And so yeah, I encourage you to go to the contest area and check it out. We also have another thing that is part of CFAA reform, which is the security researchers' letter, a letter to Congress from the community, from DEF CON and BSides also.
And the letter demands Congress to take up CFAA reform which increasingly looks like a possibility and that they're going to do it and move it. And it's a letter from the community and from security researchers pretty much pushing for Aaron's Law and pushing for CFAA reform. And so that's kind of what's been going on with CFAA reform and you know, it does look like that they are listening and the campaigns have been pretty fantastic so far and the response from the community has been fantastic so far and it looks like they will pick it up. They're going to discuss that there'll be hearings on it and we'll see where it goes. I mean, it's something that EFF is going to continue to push for and so is Demand Progress both in the courts and in front of Congress. And then coming off of that, obviously what happened next, right? So that was probably right until June, mid June, and what happened next was the NSA spying leaks. And focused around that, we just have had there are over ten bills to fix this. We had overnight campaigns launching, especially with the most recent, the first time since the leaks that Congress has had to speak out on this, the Amash Amendment, which I don't know how many people know about but it was an amendment that would essentially defund and curtail one part of the spying, the use of the Patriot Act and the calling information that Kurt was talking about. And so, you know, since the leaks, pretty much what I've been doing is focusing on the legislation and the legislation deals with a variety of things from fixing Section 215 so that this kind of bulk spying can't happen, to fixing how the spying is overseen by the secret surveillance court called the Foreign Intelligence Surveillance Court, the FISA Court or FISC for short. FISA Court; this is my preferred term. 
And some of the bills, you know, half of these 10 bills deal with exposing the legal opinions and the legal rationales that the just the government proposes to the secret court and remain top secret. You know, we don't this is secret law that none of us get to see. It's interpretations of the Fourth Amendment, interpretations of the statute that we haven't seen. And so, these bills push for transparency around those opinions and also just pure structural reform of the court, making sure the court right now is composed of people selected by the Chief Justice of the Supreme Court. He nominates them and confirms them. And so, we have a couple of bills that push for or we're not pushing for but the senators have a couple of structural reform bills that were just released this week and we should be blogging about shortly once I get out of here. And so that's part of the NSA spying and the most recent thing was the Amash Amendment where the Amash Amendment this is an amendment again that was going to curtail part of the Section 215 program, just a pretty blunt instrument, an amendment to the defense budget bill, and the House has the right, they have the power of the purse. And so we found out this was an amendment that we had known about for a week or so. It was unclear and the way the House works is that the leadership decides what amendment gets thrown to the floor. So we didn't really know that this was going to come to the floor. And we found out about seven o'clock the night before and overnight we had a pretty aggressive campaign from across the board again. ACLU, CDT, Demand Progress, Free Press, a whole bunch of people, TechFreedom. And overnight we pretty much created an activism campaign, riled up support. A lot of people picked it up, the community reacted brilliantly. And we got the best vote that we've got since the reauthorization of these laws. And it's a tremendous step forward. 
It's really a clear signal from Congress that they are, in my opinion, it's a clear signal from Congress that they are very dubious of how Section 215 is being used and they want to change it. And so that's kind of been my first or the first six months of this year. It's been really fun. It's been really intense. And that's kind of what I've been focusing on. All right. Well, now it's time to get your questions asked and answered. So anybody who has questions about anything we just discussed or other aspects of EFF's work, please come to the microphone here. And we will do our best to answer your questions. The FISA court seems to my mind to be a secret court as a tool of a police state. What would it? I mean, it seems like it probably has a thin justification. And what is the justification? And why can't that court be abolished in total? So the question is, what is the justification for the Foreign Intelligence Surveillance Court? The Foreign Intelligence Surveillance Court was created by the Foreign Intelligence Surveillance Act, which oddly enough was actually an attempt at reform, which is to say that there were previously no courts that were being involved. And so they created the Foreign Intelligence Surveillance Court in order to have judges be involved. So in that sense, it was an attempt to bring some aspects of the judiciary into it. But what has happened is that as a secret court it is doing secret reinterpretations of the law. And these have gone into some very strange directions. And I'll just give one sort of example of where this has gone in some very weird directions. So the law that allows the government, or the government says it allows, to get your phone records is Section 215 of the Patriot Act. And Section 215 says, amongst other things, that you can get business records that are relevant to an authorized investigation. 
And under that secret interpretation of the law, all of the records of all of the people for all of the time are relevant to an authorized investigation. And we haven't seen what that interpretation is, but I'm really curious to see it. Because I think it's going to be an amazing piece of BS, right? I mean, how can you make it so that everything is, it means relevant becomes essentially a meaningless word. There's no difference between that statute with the word relevant and without the word relevant in terms of what you can get. And interestingly enough, Sensenbrenner, Representative Sensenbrenner, who was actually the author of that section in the Patriot Act, a supporter of the Patriot Act when it passed, he has agreed that that was not what it meant to say. So this is what the problem has to come with the secret. Well, wouldn't that require 310 million search warrants? And I mean, the Katz case, and that can't be legal. Well, I mean, the Fourth Amendment says you need a search warrant for 310 million, if every... It's true, but illegal and unconstitutional are not the same thing, but we think the program is both illegal and unconstitutional. You talked about EFF's add-on for blocking tracking cookies. How does your approach compare to Firefox's approach of blocking third-party cookies by default and then having a cookie clearinghouse to create whitelists and blacklists based on privacy policies? Sure. So ours is not a third-party cookie blocking in general. How it works is it's more like an ad blocker. So first of all, it's not just blocking cookies, it actually like black-holes resources, similar to the way many ad blockers work today. So if you look at kind of the spectrum, there's blocking based on very general metrics like block all third-party cookies and then there's here's a list of particular resources you should block and we're trying to kind of find somewhere in the middle. 
I mean we think both of those approaches are valuable and users should install an ad blocker and they should disable third-party cookies in their browser. But in addition, we wanted to add to that by having this middle area where it's sort of functioning like an ad blocker except as you browse around, it's dynamically updating the list of resources that should be black-holed. So I hope that answers the question. Yes, thank you. Hi there. I also wanted to ask about the marketing firms, like private sector marketing firms, and the non-consensual tracking piece of it. You know, you hear a lot of stories about people like browsing for baby stuff and then getting catalogs for maternity wear two weeks later or marketing that can look where your mouse goes and so on. So I guess my question is how bad are the capabilities of these private sector marketing firms in the first place and then secondarily are they being subscribed to by governments in order to turn that anonymous metadata into uniquely identifiable data? Those are great questions and the short answer I think is we don't really know. We don't know too much about whether the government has gone to these firms to request data because those requests are secret. Some companies are starting to publish transparency reports but these are generally the larger tech companies that have first-party presence like Google and Facebook and Microsoft and Twitter. But not the invisible third-party ad companies that you've never heard of. So we don't really know what data is being requested of them. As far as what abilities they have, also it's hard to know. I think there's a lot of data that gets passed around in the background because right now it's the Wild West. There's just no rules about what you can do or can't do with user data. So it's probably safe to assume that a browsing history associated with a pseudonym is in the hands of many companies if you, the corresponding to you if you're browsing around the web. 
So that's kind of a half answer but that's the closest we get to really knowing. Well I wanted to add on to that. I mean one of the aspects of this are our data broker companies, commercial companies that collect information from a variety of sources and repackage that and make that available for commercial sale. And I think that you should basically rest assured that the government has purchased subscriptions to these services. I can say that there has been some FOIA work done by the Electronic Privacy Information Center or EPIC that confirmed that several years ago. Okay, thank you. You have kind of a two-part question about the Computer Assistance for Law Enforcement Act. I don't know if maybe you can, okay. Yeah I wrote an article earlier this year pretty foolishly which the title inferred that the FBI was planning on surveilling our real-time online communications; that was before the NSA revelation. So the two-part question I guess is one, is CALEA receiving enough, I guess, awareness in the public? Is that still a threat? And I know that the FBI made some statements several times, one of their previous legal counsels and of course later this year about their desire to expand CALEA to allow for real-time online surveillance as well as extending some of those privileges to local law enforcement. And then the second part of the question is concerning jurisdiction if, for instance, a local law enforcement agency had permission to do surveillance online, I mean how exactly do you think that would work? Obviously like it's difficult for them to identify where the person is when they're doing online surveillance and I see that it kind of is the equivalent of someone from Las Vegas police department coming to my home in a different state and performing a search. So I'll just answer as to if CALEA is still a threat and then I think and then yeah I think Kurt, Marcia and Eva can tackle the other stuff. Perfect. 
So the answer is yes, definitely, but what we've seen is the government has become very reticent and nervous about discussing CALEA or discussing even, you know, I'll jump back to the online security bills or the cyber security bills. They've been very nervous because it's completely outlandish right for them to push such bills when we still don't know what's going on with the surveillance. We still don't know what's going on with how they use FISA, the Foreign Intelligence Surveillance Act, and things like that. So I would say it is still very much a threat and it's something that, you know, we as a community, we as EFF have to keep our toes on because right, the second we fall asleep or the second, you know, we miss something they may try and slip it in or they may try and continue to push it. But for now I don't think at least for now though, short term right next month or two, right? I don't think it is a threat but definitely medium to long term. It's something that they've been very vocal about and it's something to watch for. And you know, I really hope that we don't have to go through another crypto war. And I just wanted to add like in terms of like extending those abilities down to local law enforcement. The first time that that was discussed with their legal counsel in front of the subcommittee and Congress, the two examples they brought up were the importation of drugs and like child pornography which are not national security issues. To be clear for everybody here, CALEA does not at this time include the ability to wiretap the internet. And there's actually been a lot of questions about whether or not this includes Skype which is a voice over IP service and it is used by hundreds of millions of people all over the world. Until fairly recently, until a couple of years ago, Skype was a European-based company and therefore was not even potentially coming under CALEA because it was out of CALEA's jurisdiction. 
But when Skype was purchased by Microsoft, suddenly there were questions about whether or not Skype would be required to include sort of backdoor wiretapping capabilities in order to comply with law enforcement requests. In order to clarify this, EFF was part of a coalition of individuals and NGOs that wrote a letter to Microsoft requesting a transparency report on Skype saying, hey, if you could just clarify whether or not you're tapping hundreds of millions of users, you know, voice over IP phone communications, we would really appreciate that. So in a very gratifying moment, Microsoft did us one better. A few months later, they came out with a transparency report for all of their products including Skype. And if you take a look at Microsoft's transparency report for Skype, it says we have never given up any phone calls, any content data, anything to governments in response to a request from any government. Then the Snowden revelations came around and we started looking at the PRISM slides, which actually included Skype as a source of content. And a lot of the other Snowden revelations have seriously implied or outright stated that at one point or another, the NSA has had the ability to tap Skype communications. So I think that Microsoft and Skype have a great deal of explaining to do and it's really unclear the extent to which the NSA is capable of eavesdropping on Skype communications. One of the things that does appear to be clear is that they're probably not doing it under the auspices of CALEA, that they have a different legal justification for doing this. But it could very well be happening and we are very interested in learning just what the extent of that eavesdropping is and whether or not Microsoft or Skype were really capable of telling us that it was going on. I just wanted to briefly address your jurisdictional question. 
I mean, CALEA is mostly about requiring service providers to have tap ability, like the ability for law enforcement to be able to get telecommunications that went over them. But where they're getting the authority to do the wiretap comes from other sources. So you have like the wiretap actually might, some kind of information would be obtained through a warrant that is obtained through the Wiretap Act. If they are going through the Foreign Intelligence Surveillance Court, there are processes there like that. I guess the jurisdictional question was sort of about their desire to sort of extend these real time surveillance powers down to local law enforcement. Well, local law enforcement actually has wiretap powers. If they go to a court and get an appropriate court order, then local law enforcement can do it. Okay. Just not on the internet. Right. And not under CALEA. All right, thank you. Also Free Weev, and thank you for bringing that up. So my question is, like we all get to go home at the end of this and go back to our families. But the guy who started this whole conversation is locked in an airport terminal. He's out now? Okay, I haven't seen a newspaper in Vegas since I got here. But how can we help him? How can I help him? How can we help him? He's stuck in Russia though. Yeah. He's stuck in Russia where the food is notoriously bad. So in terms of the news, I mean, I guess to make sure everybody caught it, the Russians granted him one year asylum. So he is no longer in the airport. We just applauded the Russians. Don't be fooled. I mean, the Putin government is not a wonderful government. They're very authoritarian and they've done some terrible things. Especially with the internet. Especially with the internet, yeah. This is part of a global power play as between the United States and Russia. And that just sort of happened how it happened to play out here. 
But one of the things I think is sort of very important about this is, what we're trying to do, especially with some of the work that we're doing, with filing new lawsuits, pushing forward with that, going to Congress, trying to get better legislation, is take advantage of what Snowden has put out there. That he put this information out there not for himself but for all of you. So people could find out what was going on and what we can do with it. So we have all this information, study it, figure it out, figure out what's going on, and see what we can do to stop illegal and unconstitutional surveillance. So on the topic of Snowden and Weev and others, what are the federal definitions of whistleblowers? How does the government get around that in order to prosecute someone in a criminal or civil case? And what protections do we have? So whistleblower law is primarily, the whistleblower laws are designed to protect people who go to the government to whistleblow. So what the government's position on this actually is like, oh yeah, you should have gone to your supervisor at the NSA and told them all about it. And they will take it up the appropriate channels. And some people have tried to do this and have not gotten responses. I mean, there may actually be a lot of people who are part of the system who have gone through the existing whistleblower channels, talked to the inspectors general, talked to appropriate people. And of course we never found out about it because the people upstream just ended the inquiry. So unfortunately, the protections for whistleblowers who are whistleblowing to the press and to the public are not very robust in the laws because a lot of times the government is actually not that keen on things coming out that way. But there's actually a number of really good organizations that focus on whistleblowers, whistleblowers.org and the Government Accountability Project. Focus and try and help people who are interested in blowing the whistle. 
So if you know someone who has information and wants to blow the whistle on it, those are really good resources for them. And then on the topic of CFAA and Booz Allen and other very interesting, curious government contractors. So when you would end up breaking into something that is owned publicly, and that's clearly in violation of intended access. So does that mean that the people that would be working for the government to build stuff like that are actually committing felonies? And are they at risk to get prosecuted by that? If, for example, they blow the whistle on something. It's like if you install a rootkit on a device and it's intended to go affect China, but you're still effectively jailbreaking the device to add different firmware. You're right. So I'm not really sure about your question, but let me see if I can rephrase it and see if I understand it. You're talking about somebody who is working for the government and in the course of their work for the government, they get access to a device or exceed authorized access. Yeah. So if they are doing so lawfully, that is to say pursuant to a warrant that authorizes the access, that's one story. And if they're doing it unlawfully, which is to say because it is exceeding what they are allowed to do under the Constitution, it's a different story. And it would be illegal and in some circumstances you can prosecute government officials who exceed their authority. But the law is actually fairly friendly to law enforcement officials who overstep bounds and it sort of comes to whether you're exceeding a clearly established constitutional right. So if it's the first time that the courts are dealing with the question, there's a bit of a pass and there's a question of sort of whether it was intentional misuse. It is fairly rare for a government official who exceeds their authority in a manner that the government wanted them to do to get prosecuted. 
If somebody exceeds their authority in a manner that the government didn't want them to do, then absolutely they're at risk of being prosecuted. I'm thinking more in terms of civilian contractors, people that aren't government officials but are still producing stuff that the government purchases. So. I think that there are less protections but if they were doing it pursuant to a lawfully authorized warrant, then that should provide protection. There's a lot of things in the law where it says good faith, compliance with a lawfully authorized warrant can be pressured. If somebody is not acting in good faith and they're doing something that's just, if they knew that it was illegal, then there might be something that could go forward. But I think it's unlikely that Booz Allen will find itself indicted or prosecuted for what it's done. I will also say that the CFAA has an exception for any lawfully authorized investigative, protective or intelligence activity of a law enforcement agency of the United States or of any intelligence agency of the United States. And so, particularly to the extent that a private contractor is doing work on behalf of the government in that vein, I think the statute pretty clearly wouldn't apply to them. Yeah. Okay, thank you very much. First I wanted to say thanks. I appreciate everything the EFF is doing to protect our rights we supposedly already have. I wanted to continue in the vein of whistleblowers. How can grassroots or legislative reform help to protect leakers and whistleblowers? Because I think if you study history, you see that governments are always prone to abuse and to becoming oppressive at various points and we need leakers and whistleblowers like Snowden. So how can we, as an internet savvy community, solve that bigger problem of protecting, like with the Pentagon Papers, restoring some of those protections to leakers and whistleblowers? Unless there's stuff you want to talk about. 
In general, there are a couple of things out there. I mean, there's an attempt to get a federal reporter shield law. Now this gets at the problem in a little bit of a different direction, which is to say it protects journalists from having to disclose who their sources were so that if somebody goes in confidence to a journalist and says, you know, here's the evidence of wrongdoing, and the government says, okay, who gave that to you? If there were a federal shield law, they would be able to say, I'm protected by the shield law. I don't have to disclose who my source is. A lot of states have shield laws. Some of them are very protective. Some of them are modestly protective. But there is no federal shield law. And then there's also the First Amendment, and its protections for freedom of speech and freedom of the press. And how that has shaken out in the courts is that on the whole, there are protections against reporters having to give up their sources, but they can be overcome by a sufficient showing of need by the government. The government has tried to get this information from other sources and failed. And so the other thing it would do would be to use litigation, impact litigation in a court and try and show a court that the First Amendment does apply and to give greater protections because, you know, there's a quote from one of the founders of this country that I think would probably badly paraphrase. But a popular government without access to popular information is but a prelude to a farce or tragedy or maybe both. And what is meant by that is that if we're gonna have a democracy where people are voting about, you know, representatives and the representatives are voting about the laws, but we don't know what's really going on, where we don't have access to full information, then it just becomes a farce. That we're not able to have a functioning democracy without a good amount of information and without a good amount of transparency. 
I just wanted to add one quick thing, which is that one of the reasons why EFF is made up of activists, technologists and lawyers is that sometimes the answer is not litigation or legislation. Sometimes the answer is technology. And one of the strongest protections that we can offer to whistleblowers is strong encryption. And if I could add at a most basic level, something that all of us can do is get in touch with our elected representatives and simply tell them that this is something that we consider important. Now, this is an area where unfortunately for those of us who care about technology, phone calls are better than email and personal visits to a member's office are better still, but they listen. And on some level that one constituent took the time to come in and tell them how important this issue is to them. They see that as representative of thousands of constituents. Hi, regarding technology patent trolls, kind of a much less important issue than a lot of these civil liberty discussions, but can you discuss the current situation with some specific patent trolls claiming ownership of the entire idea of podcasting and podcast protocols and where that kind of stands legally now, if any of you. I can't, I'll do that to the extent of my knowledge. I'm actually not the staff patent expert. We have two of them, but this was a person who created a pre-internet audio distribution company. The idea was I had something to do with sending audio programs on cassette tape to subscribers in sort of a, so I guess sort of an early version of Netflix mailing DVDs. And this was in the mid 90s before there was podcasting. My understanding is there may be some examples of what in patent law is known as prior art. This is evidence that something was invented before the patent owner claims to have invented it. In other words, that their invention was not in fact new. My understanding is there may be some prior art for podcasting for the ideas that this gentleman is claiming. 
And if that's so, then we may be able to get the patent office to nullify that patent, which would probably end the lawsuits and the threats. And that's what we're pursuing. Thank you, good luck with that. Yeah, well there's Trolling Effects, which is on the particular thing, the podcasting patent, there is a method we're trying to gather information about prior art that's out there. I don't remember the content, but basically if you look through our blog posts and see the one about this, it will give you how you can submit prior art that you're aware of. Basically things from the early to mid 90s would be particularly useful. It was like the patent was issued slightly before the Internet Archive started gathering things, which has made it a little bit more difficult to look back at some of the history, but we still have found some so far and are gathering more. The other site that we maintain on that subject, and I think that it might be of use, it's called defendinnovation.org. I have two questions. One is if you guys might be able to talk about a recent court ruling talking about local law enforcement not being required to have a warrant to track cell phone location, that just recently came up, and maybe the reasoning behind that, and then the second part, the second question I've got is anything on drones? You guys published a new list. I just hadn't heard anything about it. I was kind of surprised. All right, so let me hit the first of those questions about cell phone tracking, and so unfortunately there was a recent case that was saying that warrants were not necessary. It was an appellate court decision. Two out of three said that you didn't, you know, need a warrant; one dissented. It has actually been a mixed bag out there in the courts. We've gotten some courts that have agreed that a warrant is necessary to use cell phone tracking. 
I think actually if you look at the recent Supreme Court case from last year, US v. Jones was talking about a GPS tracker being used to track someone. They said a warrant was required for that, and I think that if that case is properly extended to the cell phone case, it should come to a similar conclusion that a warrant is required. But yeah, unfortunately there was that decision. We are continuing to work on this and try and find cases that are going to be good opportunities to show that the Fourth Amendment applies to cell phone information. Can I add? Please. So because I've been here and I've been crazy busy and this case just came out earlier this week, I haven't actually read the opinion yet. But what I understand from the reporting is that the rationale that the court adopted was based on the third party doctrine. And this is something that you guys all ought to know about and really have on your radars. So the deal is the Fourth Amendment as a general matter protects you against unreasonable government searches and seizures. And so the government is supposed to have a warrant to search something in which you have a reasonable expectation of privacy unless some exception applies. Okay, that's the general rule. So back in the 70s, the Supreme Court decided a couple of cases, one involving bank records and one involving the numbers that a telephone company collects when you dial a call. And in those cases, the Supreme Court basically said you don't have a reasonable expectation of privacy in information that you convey to a third party like that, like a company, right? Your bank records, your financial information that you convey to a bank, they create records from, and the numbers you dial that you convey to a phone company, you don't have any reasonable expectation of privacy in information like that. And the reason is because you know that you're giving it up. 
You're voluntarily giving this information over to them and so how can you have a reasonable expectation of privacy in that? And that has developed into this concept that we call the third party doctrine which broadly seems to suggest that you don't have any reasonable expectation of privacy in anything that you give to a third party. In this day and age where we store so much information with companies like Google, Facebook, Microsoft, et cetera, et cetera, et cetera, that's a very dangerous precedent and that's something that we need to make go away. It just doesn't translate to the world we live in now. And in the case that Kurt spoke about, Supreme Court Justice Sotomayor just really called this out and said, this is something that we've gotta look at. And so I think you're gonna see a lot of cases in the future dealing with this. And I think the Fifth Circuit from what I've read has really gone the wrong way on this because they basically said, well these are cell phone records and they're stored with your company, so. And so that's very problematic and I think you're gonna hear a lot about this in the coming years. Yeah. And so speaking of reasonable expectations of privacy, and the next question was about drones. So recently the FBI responded to, I believe it was Senator Leahy who sent a letter explaining what the standard is for drones, and they took the position that you did not have a reasonable expectation of privacy against drones. That is to say that it was not reasonable to expect that you would be private from a drone circling over your house and taking pictures of what you're doing in your backyard. And they based that on some cases that they were involved in like manned plane surveillance that had been done in the course of the drug war. 
And this is sort of a little bit illustrative of how things have sort of been going in terms of government surveillance: they are looking for cases in which there have been statements about what reasonable expectation of privacy is that have stemmed from some particular circumstances and then see how far they can be applied. So they find a court that says that at some point a plane flew somewhere and looked down and there was not a reasonable expectation of privacy on that. And that also means there could be a drone 24/7 hanging over your house. That like once they establish that there is a reasonable expectation of privacy they can take it to the nth degree and it doesn't matter. And it really does matter. Like even though it's entirely possible that a police officer would follow you around where you go and make handwritten notes about where you're going and what you're doing, this does not mean that it is a good society, a future that we would want to live in, where everybody's movements are tracked all of the time. And so this has made the third party doctrine and the reasonable expectation of privacy become outdated, and it's becoming misused to take some things which used to be rare, occasional things, where there was a natural, resource-based limit to how much the government could do it; when things become cheaper, they can do it all the time. And so we're very much working on trying to stop that. And just to sort of wrap up on drones, the people on this panel right now are not our drones experts, but one of them actually is here, our colleague, Parker Higgins, who is gonna be in the contest area. He's working the CFAA phone booth. But if you have questions about drones, he knows a lot about them.

At the same time that the NSA panopticon was being discussed, it also seemed to be apparent that the government was going to top tier providers and asking them to give up their encryption keys.
I don't think the subject has gotten to that, to this extent yet, but what does that do to the concept of non-repudiation and contract law or even a chain of evidence, digital evidence, where our digital identities are now no longer solely our own. Or to put another way, if the whole, if the...

I mean, the question is raising the sort of the possibility that as you may be communicating in what you believe to be an encrypted channel, that nevertheless someone might be forced to give up the key such that your communications could be decrypted and that you wouldn't have the level of security that you are coming to.

What the phrase I was looking for, if you backdoor key escrow, does my digital identity, my uniqueness and non-repudiation suddenly evaporate and become negligible as a point of law?

Well, I've not thought of it in terms of the digital identity because usually what we've been hearing about is more on the sort of encrypting communications on a channel, not as an encryption method, not as a digital signature method. But nevertheless, it is quite troubling that we have a number of systems that are designed to be able to encrypt communications using a public key infrastructure and certificate authorities. And these systems have a lot of problems and I think what Dan was talking about earlier are some of our attempts to try and at least understand and investigate those problems.

Ooh, I guess we can put it this way. I mean, the more that is known and revealed about government access to encryption keys, the more likely it is that a good lawyer in a contract dispute or anything involving a chain of digital evidence will be able to convince a jury that the contract was forged or that the evidence was manufactured. So that risk will increase.

Thank you.

Just to quickly add one last point to that, I think that it's a really good question. I understand you as saying providers having to give over their private encryption keys to law enforcement.
And I think that this is, there's kind of a hole right now in terms of statutes about this. So law tends to focus on user data, but there's a big question mark about, well, yeah, you can get user data if you have these keys, and are companies forced to hand over the keys under various warrant or subpoena circumstances? And I think there's just a lot of lack of clarity about that right now. And it's something that is really alarming. I also want to add just one sort of general point on this, which is that companies may be required to provide some technical assistance to the government when they want a wiretap, but there's also a notion that they shouldn't be required to break their services. And I think if your service involves providing encrypted communications and you're not actually providing that, that may break the service and that may be an available argument.

Thank you.

Hi, so since this Snowden revelation, I've been trying to think about, there's three different contexts for data retention. So there's this NSA program that we just learned about. And then there is the data retention that my service provider is already doing of my metadata of their own volition. And then there's, and this is in the United States, and then there's internationally how data retention works. And my understanding is that in Europe, it's more regulated than it is here. And so I wanted to ask if you would mind sort of characterizing the difference between those three contexts in terms of how long my data is retained and how it's exposed to access by the government, with an eye to what you think the right answers are.

So I can talk a little bit and if you wanted to add. So Europe, I understand, is kind of a mixed bag because there is greater protection in terms of user data and how it's handled. But on the other hand, there are also mandatory data retention laws which we do not have in the United States. So it's kind of a double-edged sword.
But beyond those mandatory data retention laws, I think as I said earlier, it's kind of the Wild West in the private sector. So it's just sort of up to the company how long they want to retain your data. And they can have privacy policies right now which disclose that. And if they break those privacy policies, they're opening themselves up to FTC complaints or possible other lawsuits, class action lawsuits and this sort of thing. But basically there's no information in terms of, or there's no limit to what data they can retain. On that front, I think the right answer is a lot of transparency from companies and also ensuring that we don't pass a mandatory data retention law. So if a VPN doesn't want to keep data, they shouldn't have to. So I think that's the way that we should be going for the private sector. With respect to government data, I don't know if someone else wants to take that, but I also think that there's no clear rules about it.

I think there's one more important point to make about the private sector in the United States, especially in Silicon Valley where you have a lot of startups and people are sitting on a lot of user data. There is a tendency among engineers to want to save everything. Because you never know when it's going to be useful. Yeah. In fact, your company might go completely under and then that might be the only thing that you can sell. So there's a very strong push to retain as much data as possible for as long as possible. Saving data is cheap. Backups are cheap. The consequences of not having the data when you need it are dire and deletion is computationally expensive. So usually when sort of Silicon Valley companies have a choice between storing everything indefinitely and defining some way to regularly delete it, they will choose to just store it all indefinitely because it's easier. It's not a conspiracy against user data. It's not a conspiracy to make things more convenient for the government.
It's the, if you've ever walked into an engineer's office and seen piles of paper and noticed that they never throw anything away, this is just sort of an outgrowth of that. And in some ways, that is potentially very, very worrying because even if you don't have mandatory data retention in this manner, sometimes you wind up having de facto data retention.

And so to address the government storing end of it, I mean, the question is, are they supposed to have it in the first place? And the problem with some of these sort of mass storage things that have been confirmed recently with reports about the NSA getting just gigantic piles for sort of five years, that's what they say they're doing. Except actually, if your information is encrypted, then it's until it's decrypted. So they'll keep it around forever or at least until they figure out how to decrypt it. So the problem is really that they get it in the first place, that they should only be able to get the information when they meet legal standards and then only keep it so long as it is needed for that valid purpose. If that helps answer the question.

With regards to the development of the U.S. cyber warfare, I guess it's the architecture, maybe? I don't know if that's the correct word, but it seems like that our government has been penetrated multiple times by groups like LulzSec. While at the same time, we've developed advanced cyber weapons like Stuxnet and now regularly are tapping into other countries. Could you speculate on that?

Yeah, sure, I can speculate on that. We actually don't have to speculate because the White House released this thing called the Presidential Policy Directive and it's a document that the president creates that instructs the divisions and the cabinet agencies about what the policy is for the administration. And so the document actually, as part of the Snowden leaks, what came out was this, it was a classified Presidential Policy Directive.
It was the Presidential Policy Directive number 20. And what it did was it kind of confirmed what a lot of academics and people, and security researchers, people were watching where the government is going with kind of this online warfare and virus making, malware making. And what it did is it revealed that they have pretty much routinized the processes and are beginning to study and look into and create working groups for how the government is going to deal with this and what the government is going to do. Before this document we saw very vague outlines, right? Like the US government will follow the laws of war and the US government would follow, we will follow the UN convention and international law. What this document revealed was it kind of got into much greater detail on what the government is doing, how they will act in defense if they suppose any sort of exfiltration of data or if they suppose they're under any type of attack. And the document provided a pretty good foundation for how they justify Stuxnet. And we also know now within the past couple of weeks, right, that one of the generals is being investigated over leaking the fact that Stuxnet was a US-Israeli project. And so what we're seeing right now and what we're paying much attention to and fighting against is this increased militarization of the internet. It was something that was always kind of in the background, it was something that we were always hesitant and watching and thought was happening, but what we're seeing now is that, yes, it's happening. The government is creating these things and there's hardly anything to be regulating it or figuring out how to stop it and what to do about it because we don't know what they're doing.
And so what I think is going to happen, and what especially part of the transparency efforts we're fighting for is, is to talk with the government and issue kind of these policy papers on what we think should happen in this area and what we think really shouldn't happen with the increased militarization of the internet, because especially Stuxnet, Flame is another good example. When you use an online virus, it is very different because you're no longer, you can try as hard as you may to target a foreign nation state or something you want to exfiltrate from a government, but it's hopping the network, right? And it's hopping the network into the public sphere and it's affecting citizens and it's affecting individuals who are not associated with the government and who aren't supposed to be your targets, and it's something that's very dangerous that's happening.

I just wanted to interrupt for a second, rudely, and talk a little bit about the rhetoric of cyber warfare. One of the very interesting things that came out of the presidential directive was the sort of declaration that cyberspace had been sort of declared to be a theater of war. And I think that one of the biggest problems when it comes to talking about this stuff with the US government is that there is an entire culture of people who say cyber. Which is generally a good sign that you're talking to someone who has very little in common with the Electronic Frontier Foundation. And the biggest problem with the term cyber warfare is that packets are not bullets and as a general rule they do not kill people. And once you start using the rhetoric of warfare and guns and bullets and cyber bombs and cyber shields and cyber tanks or whatever it is they are using. Cyber Pearl Harbor. Cyber Pearl Harbor, I'd really like to know what the hell this cyber Pearl Harbor is that we've been promised for so many years.
So yeah, once you start using this kind of rhetoric it leads you to all kinds of very erroneous conclusions about what kind of protections we need and what the US can do and what the US is justified in doing in protecting sort of the American internet, in as much as there is an American internet. So I'm generally very wary of the term cyber warfare and anything that begins with cyber and the entire war rhetoric because I think it really frames the problem in a highly misleading way.

Oh, just that this is also seriously blurring the distinction between a civilian and a military when it comes to the internet. A lot of the things that we've been reading about sort of proposed protections for the US cyberspace have to do with protecting US companies' trade secrets. And honestly, as far as I can tell that's not a valid military objective. You know who protects companies' trade secrets? Companies, who have hopefully many people employed to protect their own security. This should not be something that American tax dollars pay for and this should not be something the US military does.

My question is regarding the EFF's thoughts about the preemptive web filtering that's happening in the UK. It was originally slated as being for pornography blocking but has since been revealed to be spreading to other subject matter, and what, if any, actions are being taken in regards to that.

Oh, British internet, we can't take you anywhere. What's particularly interesting about the UK pornography filters is, to begin with, these are not mandatory filters in any way, but what's happening is that every household in the UK will have porn filtering turned on by default by the major ISPs in the UK. And if you want porn, you have to make an affirmative decision to contact your ISP and ask for porn. And they really don't see what the possible chilling effect of such a thing might be. And really the chilling effect shouldn't matter because children, this is a terrible idea.
EFF frequently comes out against porn filtering. We think that porn filtering is fine if you decide to put it on your computer, on your network, but having this sort of tyranny of defaults in which you have to make a rather public disclosure to someone else that you want porn is highly problematic and poses a potential chilling effect. Not to mention that it looks like the filters are blocking things other than just porn and that this really gives the power to censor the internet to these ISPs and to the people who are building the blacklists, and we think that blacklists in general are a very terrible idea. They don't work and they block all the wrong stuff.

So I'm actually from the UK and I am really looking forward to moving back into my parents' new house and finding one of two situations. Either the porn filter is off and I'm hung out to dry or the, sorry, the porn filter is on and I'm hung out to dry or the porn filter is off and I know something about my dad that I didn't need to know. To be fair, you may also know something about your mom. Yeah, sorry, my bad. She can't really use computers, like. So, secondly, I just wanted to sort of add to your point about data retention. You said that with a lot of these stellar companies, you know, data can be, if a company goes under, the only thing they have left. I would actually, I'd add to that. I would say that data is the only commodity they have in the first place and the best way to make sure it doesn't get into the wrong hands is just not to give it to them. My real question was about PRISM. So, being from Europe, you guys actually have nothing to worry about as American citizens because PRISM doesn't actually target you guys. If what the NSA says is to be believed. If they believe that you have a 51% chance of being foreign, then you are a legitimate target. So, as a foreigner, this is this. More than 51%?
Yeah, this is really strange because, you know, a billion, more than a billion people around the world using Facebook, you know, the US has effectively, almost, I mean, I hate to use this word, but because like you say, it's kind of inappropriate, but they have kind of declared war on the world by, you know, having all of this data stored in the private companies within your borders and yet you have access to all of it. So what can we from, well, firstly, are the European governments doing anything? Do they have a leg to stand on at all? And is there anything we can do to support them?

Well, let me talk about PRISM real quick. A lot of the time when American NGOs and civil liberties organizations talk about PRISM, it's very focused on outrage over the NSA spying on Americans. And the reason why this outrage is so focused is because spying on Americans is very clearly outside of what the NSA was originally entitled to do. It is outside of its purpose. And so it is very, very clearly illegal. Now, what about the rest of the world? A lot of these NGOs will simply leave the rest of the world out to dry. They'll say the NSA exists to spy on the rest of the world and we can't get all upset when it runs around spying on non-U.S. persons. And on this particular point, I disagree. Just because you are a non-U.S. person doesn't mean that you suddenly don't have rights. And not just, you know, it's not like the Bill of Rights and the U.S. Constitution and U.S. law are the only law on earth. And in fact, it seems very likely that the NSA's wiretapping has, or the NSA's sort of dragnet surveillance does infringe on the privacy rights of hundreds of millions of Internet users all over the world. The problem is that it's very unlikely that we're going to get any kind of legal recourse for it. There's simply nowhere for us to go to appeal having our basic human rights violated as non-U.S. persons.
What we can do is use strong encryption, and also there has been a great deal of talk within governmental bodies all over the world looking into the state of NSA surveillance. There was a bill proposed, I think the bill actually made it to the floor earlier this week in Mexico. There have been a number of proposals in the EU. People are really quite riled up about this and it's possible that we'll see some legislation in other parts of the world, especially because one of the key parts of the revelations that we've seen about NSA spying is that we're not just running around spying on non-U.S. persons who are a threat to the U.S. We're also spying on our allies, and needless to say that this makes our allies, including the Five Eyes, including the U.K., somewhat outraged.

So the question line is back. Am I good to go? Yeah. I'm just gonna keep it in order here and sometimes we'll have to return to a follow-up question, but I think people who have been waiting should get that right. She didn't wanna ruin a good thing.

In terms of the privacy movement, I kind of have a two-part question. I think in information security we're very aware of all the implementations or whatever you say of what can happen with all this data, but how do you get someone that just goes on Facebook and looks at pictures of cats all day to really understand what this means, and what is the next step for the privacy movement, like Project MeshNet or something, what should we be working on in the meantime?

All right, I guess before we get to the legal aspects of this, which Kurt will address shortly, I think that it's a misnomer. It's a misunderstanding to say that people these days either don't understand the privacy that they're giving up or don't care about the privacy that they're giving up when they use social networks like Facebook, and I can say this because I talk to people all over the world all the time about their concerns about this very issue.
If you want to see somebody who has a deep and intrinsic understanding of every single one of Facebook's privacy protections and how they work, look at a teenager whose parents have just friended them on Facebook. They know how that stuff works backwards and forwards and they keep up with every last update because they are very interested in making sure that they maintain their privacy from people who really shouldn't know what they're doing out on a Saturday night. And I think that this is also true for other people who have things to lose by losing their privacy. People are very aware, they're smarter than we give them credit for. And really the task that we have as privacy trainers is just to give them the right tools to use in order to protect themselves and also to help them understand their threat model, help them understand what information it is that they're trying to protect and who they're trying to protect it from. And if you give users that information, they can usually make smart decisions about what to do with their privacy.

Well, I just wanted to add onto that. Like how do we make them care considering the, I'm sorry, the NSA thing, the spying, right? How do we make them really care considering in other countries they protested the spying but we realistically didn't do as much, like put forth an effort as much.

So, I'll address this, we only have a few minutes remaining in the session so I'm going to try and address this briefly. I think actually we also have to cut off the question line. But one of the things that I think has helped this issue resonate when I've talked to people about it is talking about privacy in terms of control of your information. To get away from whether it's something that you have to hide in particular, but don't you want to have it so your information only goes to the people that you want it to go to and not to the ones that you don't.
That you have a sense of autonomy and control in where your information goes, and what the spying is doing is taking away the autonomy and giving control away to somebody else. So, I found that has been helpful.

I would also just add that I think people, just to reiterate what Eva said but add on that, at least I don't know how much people trust polls, but there's been a slew of polls in the past few weeks that have been released by Pew, Gallup, Washington Post and a few others that really show a clear change in people's attitudes, the large American public's attitudes towards the government, privacy and towards the NSA spying in particular. And so, I think the job is to continue to hammer home what we've been saying and what we've been talking about, talking about the lawsuits and what exactly is metadata and things like that, because at least from these recent polls, we're seeing, I think we're seeing for the first time since maybe 9/11 where the larger public's shift towards privacy and shift towards kind of this government surveillance regime is changing.

There's an active ongoing petition on the whitehouse.gov website to pardon Edward Snowden. Last time I checked it had 132,000 signatures. Is that just an empty gesture? Is that a valuable tool or does that come up with a free IRS audit for all the signatories of the petition? I just wanted to know about what, if anything, the government has to do to respond to that petition?

Well, I just want to take the chance to talk about the White House petitioning system because it's something that I don't think a lot of people know about, but the We the People site, the White House petitioning site, is a massive emailing list for Barack Obama's campaign. So you give them your information and they harvest all your data, is my quick 10 seconds. So you should always watch out when you sign those petitions because it's essentially a campaign tool for the president's political operation.
So we have like one minute remaining, so I guess one more question and then for there, thanks for being in line, we can talk to you afterwards but we're gonna have to move, so sir.

Yeah, question and comment. So Congressman Rush Holt of New Jersey has introduced legislation to roll back the surveillance state which asks for repealing the Patriot Act, repealing the FISA Amendments Act, not having a requirement to have back doors in telecommunication equipment, and then one more item. What do you see as the prospects for that bill?

Well, Representative Holt's bill is one of the strongest bills presented in Congress thus far. The only kind of nuance with the bill is that it completely obliterates, the government has some sort of need for a grand jury subpoena to get some sort of information, and so Representative Holt's bill doesn't have that in it because there should be a process by which that happens, but it's the strongest bill thus far and it's just another indication that Congress is going to tackle this issue and, knock on wood, I think they're gonna fix the problem.

Very quick comment because it's relevant to this, he's standing for election for the US Senate in the special election in New Jersey in the Democratic primary which is on August 13th, if people want to support him.

So we're actually, we're out of time. So thank you all for coming.