Thank you everybody for coming. Welcome to the Ask EFF panel. We're so glad to see so many of you here today. This is going to be kind of a lightning round. We have about 30 minutes in here, and with a transition, that means about 20 minutes for questions. So we're going to do very brief introductions and then we'll look forward to answering your questions.

Brief word of warning: as many of you know, one of the things we do here is provide some legal advice to people who are in need from this community. This is not the place for those questions. You want to have those in private conversations with privilege attaching. This is the place for more of your general questions about some of our work and policy initiatives. And so while you're thinking of the great questions to ask, I'll begin with the introductions.

My name is Kurt Opsahl. I'm the general counsel at the Electronic Frontier Foundation. EFF, as you probably all know because you're here, is a non-profit civil liberties organization dedicated to defending your rights online. And with that I will let our esteemed collection of panelists introduce themselves.

My name is Jeremy Gillula. I'm on the tech projects team at EFF. We're the team that develops things like Certbot and Let's Encrypt and HTTPS Everywhere and Privacy Badger, and also explains tech to the lawyer people.

Hi, my name is Katitza Rodriguez. I'm EFF's international rights director. I work on global surveillance issues, helping groups fight draconian surveillance laws, in particular in Latin America.

Hi, I'm Andrew Crocker. I'm a staff attorney. I work on our civil liberties team, especially on national security and privacy.

Hi, I'm Eva Galperin. I work on EFF's international team, mostly on issues regarding privacy and security of vulnerable populations all over the world. I also do our state-sponsored malware research.

And I'm Nate Cardozo.
I'm a senior staff attorney at EFF. I do crypto and security policy as well as free speech and privacy litigation, and I will be giving a talk immediately after this one in the same room about crypto law. So yeah, save your crypto law questions for that talk, because it's gonna be great.

So we have a mic here in the center aisle. If you have a question, why don't you come on forward and ask on the mic?

My question is: do you think we can trust Tom Wheeler?

Tom Wheeler? Take that one.

So I'm probably the only person on this panel who's worked on net neutrality issues. I mean, in some sense we don't have to trust him, right, because everything that he would do that would have any consequence ends up being a public thing. But I have been very pleasantly surprised by the direction he's been pushing the FCC. So I mean, I trust him, but I also keep an eye on it.

So, trust but verify.

Yeah, exactly.

So what do you think the privacy and security implications are for Americans following the IANA transition?

Anyone? The person who worked on ICANN is not here.

And none of the rest of you does anything...

Yeah, we have at this point about 70 employees, and we bring a good selection here. This is a great group of folks, but unfortunately we can't cover every possible issue. And also ICANN staff and the IANA transition is not a topic we give priority.

All right, anyone else have a question? Come forward. We can also... I'll give a little brief discussion of some of the things that we have been working on while you're getting your questions ready. Let's... please, hi.

Hi, I just got asked by a friend if the EFF would endorse his campaign for judge, and I said I was sort of dubious about that. Can you elucidate whether EFF can or cannot participate in political endorsements of candidates or positions? And why or why not?
Well, we actually cannot. As a nonprofit organization, we don't get involved in what's known as electioneering. This means on the plus side, if you donate to EFF it is a tax-deductible donation and we get some advantages as an organization. But that also comes with the fact that we are a non-partisan, non-political organization that doesn't get involved in elections.

Well... talk about export controls. I see you trolling.

One, thank you for your guys' help with the net neutrality stuff. I think everybody in here greatly appreciates it. So thank you.

Thank you.

Actually, I'm curious: is anybody here familiar with the kind of stuff that's going on in Europe right now with the Privacy Shield and GDPR?

Sorry, I don't know the content of the GDPR right now. I know that the European Union has passed a new regulation for data protection, the directive, and it's the GDPR. But due to the Max Schrems litigation, the Safe Harbor provision, which allows... it's a European provision that compels companies, if you want to transfer data from the European Union to the United States, or to any country, that country has to be an adequate country.

So the question, and you may not know the answer, which is fine, but I was just curious. I've been looking at it pretty heavily and I don't think America is ready. And the right to be forgotten clause, is that even... from a technology perspective, there's just a lot in there that I think is going to be extremely disruptive, and I just didn't know if you had a take on that or not.

I got it.
Yeah. Okay. Oh, the right to be forgotten. If you want to see people from EFF really squirm uncomfortably, ask us about the place where your right to privacy and your right to free speech overlap. In Europe the right to be forgotten is actually quite reasonably popular. In the United States we tend to sort of err on the side of the First Amendment, and EFF believes that the right to be forgotten is actually quite problematic. On one hand, who among us has not done things that have ended up on the internet that we're not terribly proud of, that we would like to see not indexed by Google? On the other hand, what we're really worried about is that the right to be forgotten can and will be used by the powerful to cover up their misdeeds, and in fact we have a great deal of evidence that this is exactly what is happening. So EFF does not support the right to be forgotten. We think it's super extra problematic. But that's just one provision of the GDPR.

And I want to give an example from Latin America. We copy a lot of laws from Europe, from data retention to the right to be forgotten. So we already have bad precedents. For instance, right now in Peru they have a right to be forgotten case where they put a huge fine on Google, but also another case where they are investigating investigative journalists. So we have problems in Mexico, and in Colombia the sentence in Colombia was favorable to Google, but it was not good for the media: the media had to take down the content, de-index it and remove it from their website.

Please go ahead.

Is there anything that the EFF is doing or can do to...
...move technologies that are ITAR-restricted and dual use that are out there, and essentially, is there a way to move them from ITAR to dual use, or off of that?

I'm sure. Thank you for biting on my export control taunt. We do a lot of work around export controls. Most recently, the State Department proposed listing cyber products on ITAR without defining what that is or what it means or what it would be. We only caught wind of it a couple of days before it was debated, and we, along with our friends at Access Now, wrote a very strongly worded letter saying don't do this, this is stupid. We are also working to make sure that things like pen testing tools don't get included in the EAR. Right now crypto is still, unfortunately, in the EAR. It's not in ITAR.

What's an EAR?

Oh, EAR is the Export Administration Regulations. It's administered by the Commerce Department, and it covers dual use technologies. It's a lot better than ITAR, which is the United States Munitions List. Crypto used to be treated the same way as tanks and hand grenades; now it's treated the same way as MRI machines. So we're trying to make sure that things like pen testing tools don't require a license to export. So stay tuned. That's the Wassenaar Arrangement process. I was on a panel last year in this hall talking about that, and it's still very much live. So we blog about it from time to time. Eva and I are leads on ITAR and EAR stuff at EFF.

Hi. I always leave DEF CON feeling a bit deflated, so I wondered if there's some good things that happened in the last year, or some good trends, that maybe you could highlight, hopefully.

What's the good news? Well, we won the Apple FBI case.

Yeah.

So last year... yeah, the launch of Let's Encrypt in the past year. Oh, did I steal it? I'm sorry. I didn't feel it. Yeah. Free certificates, easy to set up.
I'd say that's a pretty big win.

We have pretty big wins in small countries, too. We defeated data retention in Paraguay, which is a big issue, because the European Union has been exporting these laws to developing countries, and that was the first win in that country.

Another big win is the increasing use of end-to-end encryption. As you probably know, EFF has a lot of interesting projects to encrypt the web, encrypting data in transit. So we have HTTPS Everywhere and we started Certbot. But this year we saw the implementation of the Signal protocol for end-to-end encryption in all WhatsApp messages, and WhatsApp is the largest sort of messaging platform in the world. So that brings end-to-end encryption by default to hundreds of millions of people. I think that's kind of 1.1 billion people, 1 billion. So I think that's a pretty big deal. It's a big win.

So last year Let's Encrypt was just in beta, and this year it's, you know, everywhere. I mean, in the developer community at least. I'm using it in production now, and I was sick of paying for certificates every year and everything. So thank you for that. What are the next steps for Let's Encrypt, and how do we get it kind of everywhere, and make it the default for everyone from the WordPress guy all the way to the back-end server admin?

So one thing that either just happened or is about to happen is that the Let's Encrypt root certificate is going into the Mozilla trust store, which is pretty awesome. And then, let's see, we're working on new challenge techniques, or new challenge protocols. And we're just gonna keep pushing it out. I mean, at some level it'll just keep being adopted, people keep using it. I think it's third, but I also think it depends on how you measure. So yeah, I mean, just keep telling everyone to use it, basically.

Hi guys. So I have two questions.
You probably know that the EFF is a big player nowadays and a lot of people use your extensions and Let's Encrypt. So the first question is: can the EFF be in any way forced to cooperate with your favorite three-letter agencies? And the second is, if that happens, what kind of safeguards and ways do you have to notify users that this is happening? Some kind of kill switch, maybe, for add-ons or something like that?

So we have not received any national security letters, nor any orders to modify our code, so we can put that out there for now. Ask that question again next year and see what happens. But I think that, you know, this would be something that of course we would fight. We believe very strongly that the government should not be able to force a back door. One of the core issues that EFF has been working on for most of its existence, since the 90s, is the notion that code is speech, that you have First Amendment rights to publish code, and that if the government is going to come along and tell us what kind of code we have to publish, that would violate our rights. We also think they don't have the statutory authority to tell us what to put in our code, but even if they did have a statute, that statute would be unconstitutional. And I think that the second way that there's some assurance is that we put our source code out there. Jeremy, could you...?

Yeah, I was gonna say that the other addition is all of our extensions, as well as Let's Encrypt and Certbot, are all open source, so you can check the source, you can compile it yourself if you don't want to, you know, trust the distribution channel. And then the other thing is also, just by default, we don't really collect any data. HTTPS Everywhere, if you turn off the SSL Observatory, doesn't send anything back to us whatsoever. Privacy Badger doesn't send anything back to us.
I think maybe like crash reporting or something like that, if you turn it on. So we don't have much to give the feds even if they, you know, came to us, which is of course by design.

Also, we're a hard target.

Yeah. They would have to have some brass to think that we were going to backdoor anything.

Similar to what we've heard before: thank you guys so much for everything that you do. It makes us able to, as a pen tester, and I'm sure as many other people here...

Thank you.

...makes us able to do what we do. You mentioned earlier the Signal protocol, which has been incredibly successful with its integration in several different apps, including WhatsApp. Is EFF doing anything to help, either from the technical side, help develop it, or from the legal side, make it more available and make it easier for people in maybe other countries to access it?

Crypto export plug.

Well, I was gonna say, so one thing we are working on, some of you may be familiar, we had this Secure Messaging Scorecard up for a while. We're working on a revamp of it, and really the main focus of that is to encourage developers to basically adopt better protocols, better tools, better designs for secure messaging. And so I would say watch this space. That's gonna come up again soon, and we'll be rating, not so much rating, but basically, you know, listing which tools we think are secure, which ones we would say avoid at all costs. And so that's part of it.
I don't know if you want to add one.

Just one quick preview of the revamped Secure Messaging Scorecard: there is no such thing as a completely secure tool. There is nothing that will be in our top tier of "this thing is perfect." Sort of nothing is getting five stars; everybody has room to improve, there's lots of ways to go, and we're hoping we're going to see a whole lot more integration of end-to-end encryption in secure messaging tools in the future.

To answer your question, we promote some tools on our Surveillance Self-Defense. One of those is Signal. And we do, and Eva does, a lot of security training to potential trainers in developing countries and around the world. We just finished a tour in Mexico through all the country, and so we do a lot of that. Our guide is in several languages, and we are also looking to translate it to more.

I also want to thank you very much for all the work that you're doing, including net neutrality. My question is about net neutrality. It seems certain mobile carriers are getting away with getting around net neutrality by zero rating certain streaming providers. What are the EFF's thoughts on, like, whitelisting only particular websites, like streaming sites?

So we definitely have... zero rating is complicated, right, because on the one hand it's very easy to say, well, I mean, and there's reasons to say, like it can be useful in certain scenarios and make it a lot easier to access the web for people. At the same time, it's really easy to make it into a tool that distorts competition and really makes it hard, you know, it can almost be a form of censorship in some sense. One thing that we are, I mean, so we are keeping an eye on zero rating. If you saw our blog post at the very beginning of the year that got the T-Mobile CEO cursing at me via Twitter... So we're continuing to look at that. I don't know.
I mean, we don't at the moment have any like big complaints or anything planned, but we are sort of staying on the topic, keeping an eye on things, and so it's on our radar, and we're following the FCC enforcement actions pretty closely.

Thank you.

Let's Encrypt presents an obvious threat to the incumbent industry. What does the EFF see as the future for for-profit certificate authorities, and what do you think they should do to stay relevant, if anything?

Okay. Well, so one big thing that Let's Encrypt doesn't do is extended validation. It's only domain validation. So it is really just authenticating that you control the domain you say you do. It's not saying that you are in fact the organization that you say you are. There's no way to easily automate that, and because Let's Encrypt wants to be an automated system, we're never gonna really get into the extended validation business. And so that's an area where, you know, for-profit CAs can still do things. I mean, I would say just off the top of my head, that's the biggest one. I mean, in some sense, part of it too is just we wanted to really hit that long tail. You know, I don't think Bank of America or whoever else is gonna switch to a Let's Encrypt certificate just because they really like that extra little green bar in the URL bar.

Thank you. My question is regarding the root cause for Canary Watch being abandoned, and what the best direction forward is for national security letters.

Well, thank you.
So I worked on the Canary Watch project and I work also on our national security letter cases. So with Canary Watch, you know, we had a lot of ambitions for the site. We wanted to have something that would list out what various canaries were, have automated checking to see if there are any diffs. And then it ended up having a lot of false positives that were just because of, like, the URL changed or the format changed, or something about it changed that wasn't a meaningful one. There were also a couple of instances in which people just didn't update things in a timely manner, but then they did, and so it was a sort of human error false positive. So it was not really being effective at sort of the concept.

I actually think that for people who want to be transparent, who want to be able to say that, you know, they have not received a national security letter, that regularly issued transparency reports, where you list everything, you put the subpoenas, the warrants, whatever it is you might be getting, you know, and you would say national security letter: zero, FISA court order: zero. And you issue those just as many companies do, you know, going all the way up to giant telecoms and internet companies regularly issue those. And then every, you know, say six months, you issue a new one, and in each one you say the most that you're allowed to by law. So if it's zero you can say zero. If you receive one, you might not be able to say anything at all. But in all cases you just do the most that you can, allowed by law. And also, if you get that NSL in the meantime, reach out to EFF, because we want to work on that.
We are already litigating on behalf of two companies that have received national security letters. We're challenging the constitutionality of the letters, their gag orders. That is going up to the Ninth Circuit Court of Appeals right now, and we think that they are a tremendous constitutional problem. These letters are going out without court involvement, having a gag order that only has court involvement on the back end, after you complain about it, and it doesn't comply with the First Amendment. So that's what we do about NSLs. We need to get NSLs found unconstitutional and stopped. You can send your email to info@eff.org.

All right, thank you. And we have two minutes, so this may be our...

I want to thank all the good work you guys do, and I've donated to you in the past.

Thank you.

But having said that, I don't actually follow you guys that closely. But I do have a question. You guys are rooted in, you know, the Western legal systems in Europe and the United States. But what about areas of the world, in particular China and Russia, where the legal systems are, you know, not the same, basically? Do you have partners? What kind of work have you done in those areas? And that's pretty important because there are like 300 million people now in those areas.

Yeah, EFF actually has an extensive international team. The internet is global and so are the problems on it, and some of what we do is policy work. Obviously, we don't do impact litigation outside of the United States, because this would require us to have a lawyer from every country, and that's more staff than we actually have at all of EFF. But what we do is, we do trainings.
We provide all kinds of technical advice. We have a project called Surveillance Self-Defense, which you can find at ssd.eff.org, which is translated into eight languages, including Russian, if I remember correctly. That gives you all kinds of technical advice on how to keep yourself safe, especially in situations where you do not trust the government. Basically, if you don't trust the government, encrypt everything. And we do policy work.

Yeah, and we do policy work. We usually, because we cannot have lawyers in each country, we work with lawyers in each country to fight draconian surveillance laws. We share knowledge on the topics, but we also use international human rights law in order to defeat those bills that are in Congress, because in many countries outside the United States, especially developing countries and the European Union, the European Court of Human Rights or the Inter-American Court of Human Rights really have a little teeth, and you can sue, that the country is violating international human rights law. It's not as powerful as the other kind of litigation, but we can testify, we can use those to defeat laws.

Alrighty. So, unfortunately, we're out of time now. But before we finish up, I just want to do a little public shaming. How many of you are EFF members who have renewed in the last year? Okay, great. So for those of you who don't know, we are not as big as you might think. We're a group of, you know, 70 employees who make all the amazing things EFF does happen, and we are a member-supported nonprofit. So please stop by one of the booths, get an awesome DEF CON t-shirt, so that we can keep doing the awesome work we're doing. We're in the vendors room and in the contest room. And stick around, because Nate is going to give an awesome talk about the state of the law with respect to crypto. So thanks everybody for coming. Thank you.