This talk is about developments in law, and not so much about all the privacy infringement cases and privacy views, but also about what it means for you on the actual work floor as technicians. What does it actually mean to other people? We see a lot of journalists speak and talk, and everybody is speaking about the privacy infringements that might be involved in some of the developing laws. But there are also good laws that come out of it for artnoons (not even the actual English word for it), the things that you have to do as a country to comply with the EU regulations. So, first of all, if you look at how these things happen, you can actually pitch for a new development in law. So, if you want to make a change, you can actually just apply for a change. And what you see actually is that the... So, I'm going to unhook this a bit. I'm a moving person. So, the gist is: people really want to solve problems. The thing is, if a politician looks at a problem (some do, some don't), they don't always actually know what the problem might entail. If they want to have a solution, maybe people would really want to move towards a solution. And the thing is, sometimes they really don't know what side effects getting a new law in place might inflict, in the particular way that they actually developed it. It might have side effects that nobody actually saw, unless you were actually a technical engineer, because you know how the systems work. Unfortunately, the number of people who are not well equipped with digital technology and knowledge about it is very large; the scale is very unfortunate, and most politicians are not techies. A lot of people influence politicians in very different ways to get their problem solved. And this is where things go sideways in some cases. An intelligence person might actually want to have a law that is very good for their activities. A company wants to have a pitch or a change in law for their activities.
A privacy person wants to pitch for their privacy awareness and privacy for people in society. Everybody has their own role and purposes for why they want to have a change in whatever everybody needs to do by law. Subject-matter experts do move and can actually influence how this develops, but in practice it means that the politicians need to know what kind of questions they need to ask to make a proper assessment, and actually have a good talk with the right set of experts who are not influenced in a particular way. The problem is, if you look at the... in developments for identity systems, it takes an identity system expert to actually know what type of developments need to go into this and how you actually achieve a good privacy-aware system. It's very complicated, but we do see positive things. For instance, the GDPR requires companies to actually manage, and start managing, and mandates it with a very strict... a fine if they don't comply with this, and they have to manage personally identifiable information. If you think about it, it's a bit silly that we actually have to do this by law, because this should have been just your good citizenship, but also your good maintenance activity, to actually know where all the identifiable information is stored in all the databases. In practice, this is a very complicated case, because not all the vendors and all the software suppliers and hardware suppliers actually give a company a good chance to do this properly.
But now a law is actually moving this forward and pushing all companies, big and small, to actually make them register all the locations where all the personally identifiable information is stored, and they have to create their own security policies and adhere to them, and they have to make a statement every so often when there is an audit, or even regulatory bodies could actually ask you: okay, please show me how you did it. And if you don't comply, you will get a fine, in this case from a regulatory body, which can go into a very high number if you do this wrong, especially now with this GDPR rule. If you are a big company, 4% of your annual gross movement of money is quite a lot. In some cases a lot of big companies have only a very small margin of profit, and in those cases it really hurts them if they can't comply. These are positive incentives to actually make a difference in the security of all our personally identifiable information. Another thing that happened, at least here in the Netherlands, is very heavily debated also. And this is also a positive way of pushing everybody to actually make it transparent to the users where your personally identifiable information is actually used, and how you attract them with what, and which other companies are actually using your data. So this is again a positive thing, and this is something that we should have done earlier and sooner, and added all the transparency for the users. But we've got positive developments. Unfortunately, we also have very dodgy developments. For instance, in the Netherlands we've got something that's called the Wet Computercriminaliteit III, the third one, for the third iteration, because the old one was from many, many years ago, when the technology was very, very different. And the law provides an ability for certain agencies to enter digital work from another. This basically means that they can actually try to hack a system for a very distinct purpose.
The positive side of this is that they really require a very distinct process and purpose to actually do this activity, but this is how they can actually counter-move against all the digital black markets, like we've seen with, what's it called... Oh, I forgot the name now. But recently there was another black market infiltrated by the Dutch police, and that was a very positive activity, I think, where they actually could follow all the trading in drugs, weapons and other very bad things. There are positive sides to this, but it does mean that they now have the ability, and if you're an infrastructural service provider, it does mean that they are now able by law to hack your systems and not tell you about it. And this is becoming a very practical problem now on the service provider side. The service providers now need to make a distinction: was this a hack that was legitimate by Dutch law? If you stop this hack because you have a proper incident response activity and you see a hack happening, you might be able to, or might come into the situation that you might, obstruct a lawful activity, in this case hacking into a system. How do you deal with those dodgy situations where you have to defend your customers or assist your customers, but on the other hand you have to comply with the law, which states that they have the ability to hack into the systems that are owned by your company and used by a customer, or actually the customer systems hosted in our own facility? It's very hard to distinguish, because the Dutch police, or any other police, are also aware of tools like Tor and so on. So you can't even distinguish anonymity networks moving in, and you can roam them out. There are other ways of proxying yourselves, and police agencies all around the world are using the same techniques as the hackers to achieve these kinds of activities.
The problem is, if you obstruct them, then the service provider is on the negative side, and they can actually be forced to either cease their activities or get fined for obstructing the justice system. Another active problem is that there is a problem with responsible disclosure versus... So when you hold back a security risk, the thing is that they now have, in the Dutch law, the ability to not disclose, or to use, zero-days, for instance. The problem is about zero-days, and that the zero-days are used by the police to do the hacking activities. Now what do you do if the police actually develop these kinds of things? Do they send them responsibly to the software industry for a fix, or can they still use them for the hacking activity that needs to be done for justice, to actually get the bad guys? I had a very bad sleep, so my English is really rough, so I'm sorry for that, but that has to do with other activities that I had to do as well. But the problem is that you now have a law that basically is negative for the service providers, because we want to fix stuff and keep stuff up to date. We have a statement that we need to assist the users and fight for the users and work for the users, but in this case this is obstructing our activity in doing incident response properly and quickly enough. The Dutch police, for instance, now have the ability to also develop these 0-days, which is the easy one, but they could also perhaps (and this is also something that is still being debated, how they actually do this) buy or keep a 0-day alive.
If they keep the 0-day alive longer, or they can actually buy it, they can actually use it for getting criminals, but it aids the black market, because the black market for 0-days... I'm not sure if everybody knows it well; probably this community here actually does. There is a black market for 0-days, and if you assist in any way, we would say as service providers that this is aiding the black market for the zero-days. You should stop that; you should focus on security, on privacy, and on keeping all the infrastructure up and running, and if 0-days are kept alive or you are aiding this industry, then this is just very bad for the health of a vital infrastructure itself. A bonus risk is when a police department, or another research department, or another agency is hacking a system of which they are not really sure where, and in which country, it exists. If you do not know where the system is and you do not know who actually owns the system, what would happen if a Russian agency, or any other American agency, was hosting a service and a European agency hacked into that facility? This will get some political repercussions, because you hacked a system that might be part of an international activity, or an activity from a certain country, and you are obstructing their activities. What does it actually mean? Well, think about the case when there are services anonymized on the internet for embassies, and by accident somebody hacks into the webcam or another service of an embassy from another country. This will get some geopolitical problems if this happens and the countries do not have a very good relationship with each other. This can escalate; this can move into a very nasty situation, and again service providers might actually be in the middle of this situation, so this can also have a very negative business case. Another piece of this law (and they do not really know how to do it, because in some cases the technology is against them) is that they really wanted to decrypt data streams, or decrypt data.
We've developed technology like forward secrecy to ensure that even if you have the private key in your hands, this has only a very limited value to the person that actually has it for successfully decrypting all the data streams with TLS or any other database encryption. Now the government actually stated: we want to decrypt. And "decrypt" actually means the service providers need to provide the keys, the encryption keys, and in some cases the decryption keys are so ephemeral that they just disappear at the end of the session and nobody has them. So if the law moves in the direction that you always have to deliver those keys, this will stop the quality of the enhanced encryption that we use today. We lower the quality to roughly the quality that we had from the 1990s to 2004, and this was when forward secrecy was first introduced with the Diffie-Hellman key exchange. And the problem is, there are also devices like hardware security modules, specifically designed to never ever disclose a private key into the open. If these keys need to be moved, it also has another problem: if somebody actually has this private key, they can impersonate the server or the host. This is again a problem, because typically this means, according to all the international standards from the IETF and from the CA/Browser Forum, that this private key is now compromised, or has to be treated as a compromised key. This should now be removed, so now we won't encrypt new data with this key, so we have to switch over, so the service provider now actually has to make a change in the infrastructure to get a new key for this service.
This again moves into work that they have to do, so that's an additional task. The keys are now in flight, where we actually had them stored properly and securely with all the best technologies that we had to secure those keys, and now somebody just asks for them, and we now have to, or service providers have to, create a huge infrastructure and a huge set of trainings, with very complicated measures and processes, to actually get those keys securely to the agency that really wants them. So personally I hope this never happens, especially for some of the service providers that actually outsourced a lot of activities to another continent. A lot of service providers use the power of many hands from India, China, Russia, wherever around the globe, and those are now the actual system administrators, or people actually involved with running the systems and keeping them up and running. And if there is a design that these people will never ever touch the private keys of those systems, and now the law states that they actually have to extract them and move them around, this means that there is a global movement of private keys to an agency. Think about it: this could just happen over email. You have to have a proper system that actually handles the most valuable sets of information for a general service, and this takes up a lot of work. Another problem is the cable-bound taps. So there is now an activity for the cable-bound taps, and this is very complicated: how does that really work, and what do they actually want, and do service providers now have to adhere to a specific protocol assigned to the infrastructure capable of being tapped?
So if a service provider says, okay, well, we want to use a different technology, we want to not use Ethernet anymore as a base layer (which actually could happen, because some of the transit and big cable environments use different protocols on that layer), and if it's not compatible, you're breaking the law, or you're not compliant with the laws. This already exists for the lawful intercept activities: you have to adhere to a certain protocol, and if you cannot adhere to the protocol spec in that version, then you are in non-compliance and you will get a fine. This can happen again, but now on a very grand scale for the taps: if you want to tap the entire internet exchange, for instance, there will be arguments towards the internet exchange to comply with the law, which is again a downside for the service providers of any kind.

Another interesting one is the Wassenaar Arrangement. Let's assume you have a team that is internationally oriented, because in a global world you have a lot of people from different countries, and everybody has a very specific skill, they're very good at their work, but they have all kinds of different nationalities, and they work in, for the example here, a Dutch security team. What if you have a security team composed of a Dutch-American dual national, an Australian and a Brazilian, a Bulgarian, a lot of Dutch people, and a Turkish guy, hypothetically, who can actually work with a particular vulnerability? What do you have to do with that arrangement? It was luckily stopped, halted, but halted is not removed or deleted; it's halted. This doesn't happen. It means that if you're sitting at the same table and you have a different nationality, you have to go to the UN, or whatever the ticket office is, to get a statement that you are now able to talk about a responsible disclosure or a vulnerability that you found or have seen. This is the thing that you have to do for nuclear devices and nuclear material; I get that, that's pretty serious stuff. Information security problems and vulnerabilities moved in exactly the same direction. So if you have a communication problem, or you have a communication flow like, for instance, the Dutch guy needs to talk to the Brazilian, and then he says, oh well, let's talk to the Australian guy, and then again to the Dutch person, or you have another flow, and if you have a branch office in the US, then how many round trips do we have to make to this UN ticket office for the Wassenaar Arrangement? It means that for every step that you make, you have to make an assignment: I really want to talk about a certain activity with the next guy involved, in the scope of the first guy, the first set of people that actually talked about this vulnerability. And this becomes a very unworkable, unfriendly situation for all the people that actually need to just work quickly and efficiently and fix incidents, work with vulnerabilities or find vulnerabilities, disclose vulnerabilities and solve them. So the entire time frame of solving it would be enormously messed up if this would have been the new law that everybody had to deal with. This was created by lawyers; it was not created by technicians, no engineers, not even the politicians. It was created by lawyers in this case, because they were given a task: please develop this for information security, and everything that had to do with either cryptography or with vulnerabilities moved into the range of "this could be dual use as a weapon", therefore the Wassenaar Arrangement.

We can also move over towards the developments of digital warfare. This is a bit of a story in development still, but it's interesting that everybody who is in the military actually talks about digital warfare, but nobody actually had a good idea of what digital peace means. And because even the definitions are really vague, you can't even really go into the things of: okay, we need to do digital warfare, we need to attack another country in a digital way. What does this actually mean? Does it mean hacking, does it mean DDoSing? What do you really want to achieve, and then when do you stop, and what are the rules of engagement in those cases? None of these things were developed. These things are the details, because they think about the attack and the counter-attack, but not what it actually means for the people. In digital warfare people should actually think about the attribution problem: who actually did it? I mean, if you look at some of the malware that is created, it's typically created by a lot of authors at the same time; people are sharing code; it actually could be based on open source software from the Linux environment. Is that just a part of the malware? Is that significant? Nobody really knows. So if you're very unlucky, a good citizen could actually be part of the attribution for a digital warfare activity because of sloppy forensics. It's a very complicated thing. Attribution is the most complicated thing, and most politicians do not understand that this is the biggest problem, that you actually cannot really solve it. So if you can't solve it, why do you think that you can start digital warfare based on the fact that you have a very good idea of attribution? If somebody shoots a bullet at me, I kind of know where it came from; you can do a forensic reconstruction on the physical angles and so on, so that you can figure out, okay, it came from that direction. This is something that you don't have in the digital world.

So this is a bit of a call to different communities, including the Internet Society and everybody associated with that, to engage in contact or communications with a politician, or a proxy for that. The biggest problem is obviously: how do you tell a very complicated and technical story in simple terms? We've seen in all kinds of other activities that you have to do that as well. We've seen this successfully with water treatment, we've seen this successfully with electronics and with power, power management, but this also has to happen once for the digital world. Please avoid fear, uncertainty and doubt. We've got journalists to do that; in some cases the journalists actually aid fear, uncertainty and doubt, because they want to have a sensational news item. And we have to stick to the facts, especially with politicians, who are very sensitive, like in the first slide, very sensitive to multiple inputs. So I hope that we can all make a difference by engaging the right people, and if anybody is working on these kinds of activities, that we tell them this is how the actual digital world works, and what you can actually change and do, and tell them how you guys work in a work environment, and try to get the story to all the non-techies. That was my talk, thank you.
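The forward-secrecy point made earlier in the talk (a handed-over long-term private key is of limited value against recorded sessions whose keys were ephemeral and have since been discarded) can be shown concretely. The following is an added example, not part of the talk and not code from any project the speaker describes. It uses only the Python standard library; the Diffie-Hellman group (modulus 2**255 - 19 with generator 2), the HMAC-based stream cipher, and the sample message are constructed demonstration parameters, not a standardised TLS cipher suite. It records two sessions, one keyed to the server's long-term DH key and one keyed to one-time DH values, and then shows what a party who is later given the long-term private key can recover from each recording.

```python
"""Forward secrecy demonstration: why a handed-over long-term private key
has limited value against recorded traffic.

Added example, not from the talk. Standard library only. The DH group
(p = 2**255 - 19, generator 2) and the HMAC-based stream cipher are
constructed demonstration parameters, not a standardised TLS cipher suite;
real deployments use RFC 7919 groups or elliptic curves with AEAD ciphers.
"""
import hashlib
import hmac
import secrets

P = 2**255 - 19   # prime modulus (assumption: demonstration group, not an RFC group)
G = 2             # generator
TAG_LEN = 32      # HMAC-SHA256 tag length


def dh_keypair():
    """Finite-field Diffie-Hellman key pair: (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Raw DH shared secret g^(ab) mod p, encoded as 32 bytes."""
    return pow(peer_pub, priv, P).to_bytes(32, "big")


def derive_keys(shared, transcript):
    """HKDF-style extract-then-expand with HMAC-SHA256, bound to the handshake transcript."""
    prk = hmac.new(b"demo-salt", shared, hashlib.sha256).digest()
    enc_key = hmac.new(prk, transcript + b"\x01", hashlib.sha256).digest()
    mac_key = hmac.new(prk, transcript + b"\x02", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream_xor(key, data):
    """Demo stream cipher: HMAC(key, counter) keystream XORed into the data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC; the tag makes a wrong key fail cleanly instead of yielding garbage."""
    ct = keystream_xor(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(enc_key, mac_key, sealed):
    """Return the plaintext, or None when the keys do not verify the tag."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return keystream_xor(enc_key, ct)


def transcript_of(client_pub, server_pub):
    """Handshake transcript: both public values as seen on the wire."""
    return client_pub.to_bytes(32, "big") + server_pub.to_bytes(32, "big")


def record_static_session(server_static_pub, plaintext):
    """Pre-forward-secrecy style: the client keys the session to the server's
    long-term DH public value. A passive recorder sees both public values and
    the ciphertext, which is exactly what this dict holds."""
    c_priv, c_pub = dh_keypair()
    enc, mac = derive_keys(dh_shared(c_priv, server_static_pub),
                           transcript_of(c_pub, server_static_pub))
    return {"client_pub": c_pub, "server_pub": server_static_pub,
            "sealed": seal(enc, mac, plaintext)}


def record_ephemeral_session(plaintext):
    """Forward-secret style: both sides use one-time DH keys. The server's
    long-term key would only sign s_pub to authenticate the handshake
    (signature omitted here); it never enters the key derivation."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    shared = dh_shared(c_priv, s_pub)
    assert shared == dh_shared(s_priv, c_pub)
    enc, mac = derive_keys(shared, transcript_of(c_pub, s_pub))
    sealed = seal(enc, mac, plaintext)
    del c_priv, s_priv   # ephemeral exponents are discarded once the session keys exist
    return {"client_pub": c_pub, "server_pub": s_pub, "sealed": sealed}


def decrypt_with_handed_over_key(server_static_priv, recording):
    """What a party holding the server's long-term private key can recover from a
    recording: the plaintext for a static-keyed session, None for an ephemeral one."""
    shared = dh_shared(server_static_priv, recording["client_pub"])
    enc, mac = derive_keys(shared, transcript_of(recording["client_pub"], recording["server_pub"]))
    return open_sealed(enc, mac, recording["sealed"])


if __name__ == "__main__":
    static_priv, static_pub = dh_keypair()
    msg = b"constructed sample record: customer session contents"
    print("static session   :", decrypt_with_handed_over_key(static_priv, record_static_session(static_pub, msg)))
    print("ephemeral session:", decrypt_with_handed_over_key(static_priv, record_ephemeral_session(msg)))
```

Run as a script, the static-keyed recording decrypts with the handed-over key, while the ephemeral recording yields `None`: the only secret the long-term key can reproduce is g^(static*client), but the session keys came from g^(ephemeral*client), and the ephemeral exponent no longer exists anywhere. That is the design property a key-handover mandate runs into, and it is also why operators treat a long-term key that has left the HSM as compromised and rotate it: the key still authenticates future handshakes, so whoever holds it can impersonate the server going forward, even though it does not unlock past sessions.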