He's a guest from the United States and he's working, or not only working: he is the Executive Director and General Counsel of the Electronic Frontier Foundation. He is a long-term working attorney and he has had many high-profile cases, against the National Security Agency for example, and that's also his topic, I guess: It always feels like the Five Eyes are watching you. So give a nice warm welcome to Kurt, please.

Thank you, thank you everybody. Hello, welcome to the talk "It always feels like the Five Eyes are watching you". It always feels like the Five Eyes are watching us from different countries. We translate here, Castel and King Barbecue, and now it's on.

The Five Eyes are a group of countries that have shared information gathered through espionage: Australia, Canada, New Zealand, the United Kingdom and the United States. They share all sorts of different types of information, for example signals intelligence, that is, mass data, human intelligence, for example what to do with espionage, and all kinds of satellite data. Originally it was created in the Second World War, it went through the Cold War, and they are still doing espionage nowadays.

So now let's start with the members, for example the United States. Many already know the NSA, the National Security Agency, but there are also many others, for example the CIA and the FBI. Then we have the United Kingdom; they have GCHQ, the Government Communications Headquarters, the headquarters of British communications intelligence. Then we are in Australia; there is the Australian Signals Directorate. If you look at the different partners here, they share responsibility over the regions of the earth. For example, for Australia we have a text section here that shows that it is taking care of Indonesia, Malaysia and various other Southeast Asian countries. They listen in on these countries and share it with the other members. Then we have Canada; they have CSEC, the Communications Security Establishment.
Then there are also various other espionage services. Then there is another text section here that shows how deep the use of this exchange of information with the espionage agencies goes. And then we have New Zealand, the Government Communications Security Bureau and two other agencies. Here the text section shows how ready they really are to share the data with the other members. Here it is also about XKeyscore; we will talk about that later. "We hope that we will share the data in advance, that we can create the full take." That means that they can simply exchange all the data with all members.

And now it is so that after the Second World War the United States and the United Kingdom had an espionage agreement, and that also includes many Western European allies and is then ultimately centred on the USA and the United Kingdom. And the term Five Eyes comes from the abbreviations for the countries Australia, Canada, New Zealand, the United Kingdom and the USA, and they abbreviated it to Five Eyes. And then there is another abbreviation, FVEY, for Five Eyes. And then there is the main agreement that they have decided on; it is between the United States and the United Kingdom. Before this there was a British-American exchange of information about espionage intake. And it is still the case that the USA and the United Kingdom are the primary partners, and Canada, Australia and New Zealand are only secondary partners. There were different suggestions to expand it to a sixth member, for example France or Germany. There are also other groups that are a bit more focused, for example where you can take in third parties, such as Nine Eyes: Denmark, Norway, the Netherlands and France. And then there is even a group called the SIGINT Seniors of Europe; there are 14 eyes on the spot. So that would be additionally Belgium, France, Germany, Italy and Sweden, but maybe I forgot one.
The Five Eyes agreement was not public until 2005, because it was not known that it existed, and the texts were only published in 2010. And under this URL you can read the text again. The different parties that participated were the NSA, the Canmerche, the GCHQ and the CSIC. They were completely unknown until the 70s. They decided again and again that there was this one. And the NSA said that there would be no agency at all, but they would not give it at all. In Australia it was even so that the Prime Minister of Australia had no knowledge until 1973. And there was great excitement in Australia about how it all came about and that it was not even the secret service. The Five Eyes are now a bit more open, more open about what the communication is about, and they have annual meetings and there are also press releases.

During the Cold War the Five Eyes mainly focused on the Soviet Union and China. And that was a collaboration between the American secret service and the English secret service, in any case. These are the two pictures on the right side. And there was the coup in Iran, which the CIA supported, and there was a coup in Chile, which was supported by the Americans and by the information collected by the individual agencies. The main program for the beginning of the information was Echelon, and there you can analyze the data together. Echelon is only one of the various codenames that there were for this program. Meanwhile it is very well known. In the 1960s the whole program was started, and information was collected mainly about satellites and data that would be transmitted via the satellites, i.e. telephone data. And since it was just radio data, it was relatively easy to access. Even if you were not the recipient, you could always catch and decrypt it and access the data.
The Five Eyes were distributed all over the world, and they used that to build up the different receiving stations in the individual countries, to collect the data and then bring it together. Echelon then relatively quickly became unimportant, or not as important as it was before. A lot of communication was no longer going over satellites but over fiber optic cables, and the data that went over satellites became less and less. And now it is the case that the metadata that runs on the Internet is sometimes much more interesting and much more important for the analysis than the data itself. And the Internet became more and more important for recording the data. With 9/11 it reached a real high point. After 9/11 the various secret services always tried to live on the Internet, to be part of the Internet and to route the Internet traffic through the five member states of the Five Eyes, and tried to adapt to the Internet and Internet technology to dig out more and more data, and to dig data on a large scale.

There was an Upstream program from the NSA, and Tempora from the English agency. This is an example of the NSA Upstream program. There was a complaint from the EFF against the NSA. The complaint is still not resolved; we are still working on it. And what you see in this picture is a facility on Folsom Street in San Francisco. This is a key point for AT&T, for the Internet data, and a lot of traffic goes through this access point. They have built a splitter that divides the data: on the one hand the data goes where it usually goes, where it should originally go, and on the other hand the data is duplicated and goes into a room that is controlled by the NSA and where you don't know what happens, a secret room where the data is taken over and taken away. Tempora, what the English did there, is something similar.
They go to the fiber optic cables, where the telephone data as well as the Internet data go over, and share it with the other members of the Five Eyes. And as you can see in the comment below, they are very proud that they have taken a huge amount of data. 40 million individual pieces of data are taken off every day and then used and given to the other members. On the one hand they take data passively, but there is also an active approach to data. On the one hand they use malware or known backdoors. There is a term called tailored access, where the data is taken off. And then data is taken from different companies, from the different ISPs, for example from internet companies. There is the program PRISM, which was known to the public from Snowden. There are secret search orders and other legal procedures to get at the data of the company. And when they had the feeling that they didn't get enough data through these normal methods, they used pressure to get even more data. They went to the data centers of the companies and tried to get the data directly out of the data center, by Google for example.

Now let's take a look at some examples. PRISON is an example. This is a malware that was created by both the UK and the USA together. It was found by a Belgian telecommunications provider, also on the computers of this company. It was used by the Five Eyes to extract European data. Snowden's publication showed and proved that it was used in the various networks and was used for data. Another example is EternalBlue. It was an exploit in the Server Message Block protocol, which was developed by the NSA. There was the Shadow Brokers, a group that published it, and it was also used by WannaCry, which caused a lot of problems worldwide. And although the weak point is known and there is a patch out there, it is still very dangerous because many people need a lot of time to apply patches. Another example is Juniper.
Juniper ScreenOS used something called Dual_EC_DRBG, and the NSA built in a weak point and compromised the whole thing, and that allowed them to passively extract the data, to extract the traffic, without them knowing. When the whole thing blew up, other keys than the NSA's were being used, and that makes us suspect that this back door was also used by others to extract data.

Let's take a look at how the Five Eyes work. There are partners that collect data and then there is a contract. There is a Five Eyes restriction that is divided between the five members, and the data is distributed, and they have agreed that they don't spy on the politicians and the government of the other countries, and there is also an agreement that they can also spy, and that they are not actively involved in the spying of the others but still get the data. So they say, we have nothing to do with them, and they can continue to use it. And it is very dangerous, because there are also workarounds in the individual countries by which local laws can be passed. For example, there are restrictions in England on when their own citizens are allowed to be spied on, but there is no law in England that other people are allowed to be spied on from England. And David Blunkett, a security official of the Parliament in Great Britain, added that the NSA knew the restrictions in England and they didn't have to ask and they didn't have to say "we can get the data", because the NSA simply offered it without the UK asking for it, and that's why there was no law. And when data is just unintentionally, not directly or consciously, collected, but simply collected in large quantities, metadata for example, and it is not clear who collected the data and who is an English citizen, then it is legal to collect the data completely and to pass it on if you don't look at it. And that's very dangerous with this mass collection of data.
And as soon as you have collected the data, it's very easy to share it with others. The Five Eyes can share data with other members and also collect the data by themselves. And that was simply possible with a click on a checkbox to say what you want to have. And with the third parties who are in the Five Eyes circle, they are a bit more selective, or they choose which data they give out to the circle. Now let's look at an example of what these third parties can do and what data they get. The German BND also got data from XKeyscore, and the German domestic intelligence service would have liked to have more data and asked for more data, and the NSA did so and was happy to pass on the data. The circle doesn't get everything, but they get a lot of the data that is available.

Now let's dive a bit deeper into what encryption means. Because it's very, very important for the world: there are billions of people around the world, and the privacy of these people can be protected or must be protected, and the Five Eyes would like to turn back the clock to the days when it was easy to get the data from the individual citizens. Snowden published a PDF document where there was a presentation that was written for the Five Eyes, and there were a few examples of how you can get around encryption or which data you want to get exactly. The data is saved as long as it can be decrypted, but the whole encryption will be very frustrating for the Five Eyes. This is the percentage of data in Chrome that was encrypted in the last few years, and you can see that the trend goes up, and here you can see in the trend that encryption is standard and more and more data is being encrypted, and it will be more and more difficult for those who want to spy on the data to really spy on it. In 2017 the individual ministers of the Five Eyes met and a joint communiqué was published.
In the past they didn't talk about it, but now they talk about it, and here they say they are very concerned about encrypted connections: "we will continue the engagement with individual companies that introduce encryption, we want to work with them, we want to bring them so that the connections are no longer being encrypted". And there is the United Kingdom's Investigatory Powers Act. As far as I am familiar with it, it doesn't have to be called a backdoor; it has a very interesting property, it is about the technical capability, so the information about technology. It shows basically that "we don't want to crack the connections, but we need from the companies the possibility to say we want to get the data from other sources", and that is how the connections are decrypted.

The question is how can they implement it, how do they want to do it, and we got a clue at the beginning of the year: the technical director of GCHQ suggested that they set up a ghost user, that is someone who shares the chat and is not visible, and then the signal is attacked so that he is always part of the communication, so that it works and it is not visible, and then you have to suppress the warnings to the clients. Normally you see when people are added to the chat, but of course this is not foreseen, and that is how they created a backdoor, so that they don't have to crack the encryption but just go around it. Shortly after, they gave a joint communiqué, and one of the discussions in this publication is that the governments are not allowed to favor a certain technology. That is a lesson that they pulled from the crypto wars in the 90s, that back then they had Clipper chips for example, and it turned out that it was not a very good system, so they no longer want to suggest certain solutions, so that they don't have to put it behind them, but that is the problem of the manufacturer or the provider in this case: they have to take care of the solution so that they can read the message.
If you don't do that, that is the message to the provider: if we don't get the opportunity, then they threaten you with other technical, legal or other measures to get in. And that is not an empty threat, because at the same time they worked in Australia on a new law, and Australia is a bit special. The Prime Minister of Australia said about the decision: the laws of mathematics are great, but the only law that applies in Australia is the law of Australia. That is, they basically want to remove the laws and get the back door without having a back door. And at the beginning of the month they signed the Assistance and Access Act. That is a rather complicated law, but it has a few interesting highlights. One part is in principle similar to the Investigatory Powers Act: they allow, they force the companies to reverse engineer the protocols to operate, and there is a relatively high penalty, both money as well as prison, foreseen to force the companies to cooperate on the solution. That is relatively unusual for the protocols, not similar in size as in other international law. It is foreseen that when you are talking to someone about it, that is a penalty. They can now single out engineers, employees of reverse engineering companies, and force them to cooperate with them.

The question is what is the focus of this law and what is the extent that they look at. It is forbidden to build specific intrinsic weaknesses or injuries into the software, but they do not define what the terms are. They probably want things that only few people meet, but there is probably a big difference between the basic research where people work on the protocols and the companies that produce the products. The discussion is about what is systemic, which are fundamental, and the intrinsic system, and the terms are not defined. Furthermore there is a "designated communications provider", that means a selected ISP, and they have defined that as a company that has a node in Australia. That means they do not need an office,
they do not need any employees. That is a fairly broad formulation with which they want to bring in as many companies as possible that have to comply with the law. Now it is like in the open source projects: there are many of them that will probably be avoided, and they will try to get through the process, but for example Apple does not get out of it. Now the question is what kind of things can they demand from the affected companies. For example, there is a form of electronic protection that can be removed, which is what they are now worried about. Then you have to provide the design for the intelligence agency, so they take this box, put it into a network, and they do not say it is a bit of software on it and they will do something, "but we do not say anything", and then it runs on the network of the company. And the next thing is they also have to help test software and systems on the network of the provider and see if they can crack things with it. The companies have to inform the agency when big changes are carried out on the system, what is going on there; when they build something that makes it safer, they had to maybe get the whole thing, and now it is so that the companies have to inform about it when they introduce such security mechanisms. That is, when you have an iPhone and make a backup on iCloud, then a copy of the data is sent to Apple, where Apple also has the key, and when the phone is seized, then they do not get the data on the phone itself, but they can go over iCloud to get the data. And there is the difference whether you have the key yourself or Apple has the key, whether you get it or not, and these are maybe changes that they want to know about beforehand, where they want to be notified when they are introduced. And the last point on this list is they have carried out a covert operation to install it on the network, but nobody says and nobody is allowed to talk about it. And many people said to the Australians: you cannot do that, it is not practical, it is difficult, and you cannot
remove the key without breaking it. And the top Secretary of State in Australia, and the decision maker here is the Australian Parliament, they can say that these things must be carried out and these things must not be carried out, and they can decide whether the regular mathematics are valid in Australia or not; they can decide.

And why is it important? There are many reasons why it is important. On the one hand, the Five Eyes are on global surveillance measures through which data is being taken in large style. For example the panopticon: in the picture you can see the prison, and all prisoners in the prison, all the cells, and in the middle is someone who is watching, and nobody can look into the middle, so nobody knows. And because the individual prisoners don't know if they are being watched or not, they would behave better, because they know that they may be watched, and that is why they don't do anything bad. And what they want to do is that the people know that all communication, all data can be monitored, that there is no security, there is no absolute security, that there is always someone from the outside, that there is this crazy machine that might listen to me in the chat. And with the panopticon you always know that Big Brother can always watch. And that is not just for people who are identified as dangerous, where you know that they would do something bad, terrorists for example, but they simply collect data from everyone. And they also do something like a time machine: that means they save this data and they can then go into it afterwards, if they find something out or if they suspect something, just look back in time and then just look at the emails from 5 years ago and what did they look for 5 years ago in the browser, before they slipped into the target crosshairs. The NSA also built a huge complex where they can save incredibly much data, many, many years of data; they can save it completely and can then look back for a long time and use all the data
and also use it against the individual people. And that simply goes very strongly against human rights, against privacy, the human rights and all the exercise of the different human rights. There is privacy as a right, and what happens at the moment is that this privacy, the right to the privacy of the human, is being taken away, and the data is saved and they can always look at it again. And it simply contradicts many principles that are there to protect privacy. One principle is that surveillance is only carried out if there is a reason to carry out this surveillance and if the state has an interest to monitor, and it has to be proportional: the danger has to be proportional to the things that are carried out. And under this URL, the Necessary and Proportionate Principles, we need a balance between these fundamental rights that we have, between the basic rights and the needs that have started at this point, and it is important that we ensure that the individual surveillance adjusts, but this mass surveillance does not do it. And what they have done is that it is destroyed to allow this mass surveillance. They actually have the means to allow individual people to be listened to, but the mass surveillance and this data collection and methods like XKeyscore go against the principles of our society and prevent us from being able to live freely.

The problem is also that this mass surveillance normalizes. The problem is that the Five Eyes, Western democracies, it is a principle of the Nimbus that we do not have to take care of it because these are the good ones, but in principle the mass surveillance normalizes, so that also less high-ranked states, such as dictators, autocrats in the third world, can basically say and do the same. And every weakness that the technology companies build in is also there for everyone else. It is so that, for example, if an Australian attacks data, then the other 5, 9, 14 states can too, but in China for example maybe not good, but normally
with the examples that we have seen, the weaknesses that were introduced by the Five Eyes were also used by other organizations and states. They simply went out, even if they had the feeling that it is not an intrinsic weakness that they built; it still turned out that someone else could use it, for example through security researchers. We know that weaknesses, no matter how they look, if you build them, someone else will use them. And the case simply does not offer any real protection for its allies, so for example the other member states of NATO, which one would usually consider allies, and there is no protection for ordinary citizens, not even for the rest of the world, and they simply have no measure of what it is, no regulation that is against it. And it is important that the security of the information is a problem, but the problem is not that the security is too powerful, and if you are able to control the game that they pass, then that is not the solution. What they have done now is relatively widespread insecurity, and the most important thing that you can take out is the key. What they want is access to data, and the only thing they say is that they want it responsibly, that they get access, but the only responsible solution is a very strong solution, and that allows us to create a fully trusted system, and if you destroy it, then you can not trust the system anymore. What the security researchers are saying now is that we have to find ways how to continue to have strong trustworthy connections and we can still deal with it. What they are doing now is no new research, but what they are saying is you have to find the weaknesses in the existing systems, and we should make sure that we have the strongest possible connections to keep up our democratic society.

There is still a lot of time left, so let's see if there are questions. Put the microphone... then the questions can be asked. A question from the internet: can you give a comment, what about weapons exports, that the conclusion is that
weapons are under weapons exports? That is an arrangement where different things are not allowed to be exported. For many people there are weapons that they have in their heads, like tanks or guns, but what they also understand are pentest tools, that they should also be limited in their export, also strong encryption, and I hold that for a mistake. What they don't understand is that to test security you have to use such tools as pentest tools, even if they appear to be evil. There is a longer discourse about it, and they want to make it more difficult that you sell such attack tools to different autocratic regimes, but that makes it more difficult for the security researchers.

Thank you for your presentation. My question is: do you have the technology to do overhang... do you also have the possibility to manipulate the data, or do you manipulate it, maybe even through...?

That is an interesting question. I have no evidence until now that it was done on a mass scale, but the ability, for example if you have a fiber optic cable, as we understand it they use an optical splitter and remove the data, and of course it is possible that you set up a more complicated system instead of the splitter, with which you look at parts of the data and then think about what you should change. And the problem is that you are much more conspicuous; the question is how to do it on a bigger scale, for example the lag that is created can be measured. So we have no evidence that it happens on a bigger scale, but the last time the case came up was years ago, for example during times of conflict like Vietnam; on a small scale in the past it was found in the city that they have scattered misinformation, but on a big scale I can't imagine.

Thank you very much for the depressing lecture. Everything that you have presented, lawful attacks, everything that you have presented is lawful attacks and no technological attacks. Maybe there is still a place in the world where you are not legally allowed to be split, or
have we completely lost this war? That is a very good question. There is still a rest of possibility, depending on which country you are in, depending on how your knowledge of the laws is, so that you still play the citizens... than for example what you can't imagine, whether the citizens of the third act, for example the case was played in Switzerland; it is possible that the external... for example Switzerland: there is no evidence, but of course a lot of interesting things happen in Switzerland, for example all the money flows that are not as secure as they used to be, or not so secret anymore. That is a bit of a risk.

But do you think, as a use of more... for example if you need a regulation with which you use the laws, then there is also a technical solution with which you can trust the communication and with which it is less harmful?

It is about: you still have trust in the system, and they will continue to exist. For example, we have open source that you could develop, and then you could still look through the code, and then you can at least try to find out if there is a clear background where you have to check the certificates and keys, so that means that you check the software.

Maybe that is more a comment than a question. There is something in the current messaging programs, like Signal for example: I believe that when one of the devices is compromised, the identification between the individual devices is simplified and allows reading this in the meantime, and how would you estimate this? The ghost user problem is perhaps the right way to think about it: how can you keep the continuation of communication so safe as to say that it is mathematically impossible to hide, and if not, an interesting remark.

Thank you for the comment. The first reaction that I received... I am a lawyer and not a technician, but in my experience Signal is working on the problem, and it is possible that they solved
it. But as a bit overarching thought that I have to give you as a technician: what we need is a good user interface that makes this whole key user administration and similar things easy, so that the users can easily verify the keys of the other users, so that it is very difficult to add a non-verified key.

Now comes a question from the internet; there are a few questions from the chat. How far do you think they have developed since it was published? Is it much worse now?

Again a good question. We have received a lot of information from WikiLeaks, some that we got in 2013, that happened a lot earlier; then there are a few things that happened since, and then there were some reactions, for example that there was more legislation that was passed that authorized parts of what happened and that were legal, for example the surveillance act in the USA. That doesn't give me much trust or hope; it's just more coverage of a legal nature for the things they do, and they don't take the basic rights much into account. Some of the legislation is that you have to implement weaknesses, or if you consider the court, then the court has to determine experts, that means the agencies; it's very difficult for the judges to influence technology. But we don't really have the trust that serious reforms have been passed and that the basic rights will be protected, at the same time grasping their abilities and securing further growth. And you have to think what the cost of a petabyte in 2015 was and what it costs now, and you have to think how much traffic can be accessed, how many years all the data can be stored, and it will be cheaper to save even more data, so that they can build a time machine that can follow the entire traffic back in the past. That means the cost reduction that they experience: the costs were the best protection we had, that it was just too expensive to save everything we produced; it was so that they had to take individual measures to follow someone or listen in on your car. Now we have a
telephone that non-stop sends information about our location back to the agencies. These are all things that give them so much more opportunities than they used to have; we are in principle in the golden age of surveillance.

Hello, what can you tell us about the role of the European Commission in the whole thing?

The European Commission, the EU, ok. When a few things came out, the EU also reacted a bit, and in general they said it was a problem; it was basically a reaction to the Snowden leaks. But the data protection that was introduced is basically aimed at the data that is available to the economy, but in principle there is no good weapon against state actors, and you could better make understood that this is not acceptable for us.

I wonder how the Australian government looks at how the whole thing looks, how the business looks, how the different companies deal with it, and how they can avoid the whole thing by maybe not making any business in Australia, and whether there are companies that have made no business in Australia.

I think some of the companies have clearly opposed this law; for example Apple has clearly commented about the mistakes in the proposed law. But it is one thing to say that this is a mistake, and it is of course much more complicated to say we just don't go into the country. For global multinational companies it is really difficult, and they have to make some decisions, about which they have to think whether they want to do business with different states; that may be a bit confusing. And we also have examples: for example, when Google found out that China cracked its system and pulled information about dissidents, for a while they simply offered no more service in China, and they have thought about it, but now they are back and they have thought about a search engine that would be acceptable for the Chinese. And Australia is not the biggest market, but some of the companies could actually think about it, but whether they do depends on many factors, and the
question is how much would we lose if we don't come here, and if we continue to work here, how much would we lose if we compromised our products worldwide. And the other possibility is we make an extra version just for Australia. And in the past they all didn't go that far: there were two versions in the 90s of a rather popular browser, one for the national market in the USA and one international version that had weaker encryption, so that it was easier for the NSA to crack the encryption, because it was very simple for someone to get such a version outside of the USA, and because of the export control there was a law, so that we have the strongest version. But it would be the same if we had different versions; then they would say, why would I use them?

That's the end of this talk. If someone else has questions, you can find him. That's the end of this talk; we say goodbye to Kaste and King BBQ. Thank you for listening and see you soon.