Hello. Hello. Nice to meet you. We're from the EFF and we're here to help. Thank you all for coming tonight. This is the Ask EFF panel. We're glad to see so many people here. I assume that many other people are at the Meet the Fed and will be along after they've done meeting the Fed. So as many of you probably know, we're the Electronic Frontier Foundation. We're a non-profit, grassroots, member-supported organization that is dedicated to defending your digital rights, your rights online. We like to focus on things, defending and protecting your free speech rights, privacy rights, the rights to fair use, to make innovation, to bring transparency to government, and to bring sanity to electronic voting. We have a good panel tonight of EFF staffers here. So to start things off, we're each going to introduce ourselves. I'm Kurt Opsahl. I'm a senior staff attorney, and I focus on free speech and privacy issues.
Hi, I'm Kevin Bankston. I'm a staff attorney. I focus on the government surveillance beat.
Peter, I'm a staff technologist. I work across the whole range of EFF issues, explaining the technology to lawyers and vice versa.
Hi, I'm Matt Zimmerman. I'm a staff attorney at EFF. I work on a range of sundry things, but primarily on, what was it, bringing sanity to e-voting, or at least attempting to.
I'm Marcia Hoffman. I'm a staff attorney with EFF, and I focus on open government work.
Hi, I'm Danny O'Brien. I am not a lawyer. I am the international outreach coordinator for the EFF. Bonjour.
Hi, I'm Jennifer Granick. I'm going to be new at the EFF starting in the beginning of September, and I'm going to do criminal law, computer security law, and Fourth Amendment stuff. And I have my cards now for those of you who might have been in my session earlier when I didn't have them.
All right, super. So we're going to start off with each of us saying a few words, a brief presentation about what we've been up to over the last year, and then we're going to go on to your questions.
So we're going to start things off with Peter.
Some of the projects that I've been working on over the last year: one that I'm going to talk about this evening is search privacy, both from a practical point of view as a user and also as a policy question that EFF is campaigning on. Another recent project I've been involved in has been an electronic voting case in Oakland in California, where we were involved in a case where a court appears likely now to overturn an election on the basis of poor record keeping with electronic voting machines. I've been involved in doing some research on iTunes Plus files and the various tracking mechanisms, intentional or otherwise, that are embedded in them when people download them from Apple. And yeah, a whole range of issues, so I can field broad questions about DRM and trusted computing and GPL v3 and anything else anyone wants to ask about. Oh. Right. Sorry, that was a general thing. So the particular talk I'm going to go through here (is this a little better? Can you hear me?) is on search privacy. And particularly a project that we're working on to measure search privacy across different search engines, so that you can decide whether you want to use Google or Ixquick or some other search engine and how much you're trading off when you make that decision. Now, if you'll pause for a moment and think about the things you've typed into search engines over the years, over the last 10 years that you might have been using the internet or longer, and the fact that almost certainly every single one of those queries was logged and recorded and probably associated with your identity, and the kinds of things that people, maybe yourselves or other people, type in are potentially very sensitive. Here are some examples of the kinds of things that someone might have typed into a search engine at some point that could be a cause for privacy concern.
So health, sexuality, politics, illegal habits. Probably more than 50% of the population of the United States engage in illegal downloading or use of illegal drugs and so forth. All of this information, if they've ever mentioned it to a search engine, is there and recorded. So we might like to keep that private. You can think about the things that can go wrong if this data that's collected by search engines is misused. If you really want to go far out and think about worst cases, you can imagine blackmail. You can imagine someone who had access to a search engine's records being able to go to someone anonymously and say, well, we know that you were having this affair, or we know that you were engaged in this potentially illegal activity, or anything else; pay us some money or else we'll tell someone about it. So that's the argument. Maybe not a government in the developed world, but maybe in the third world, a government deciding that some of its population have political views that they're not happy with, and they want to use violence or intimidation as a method of controlling those beliefs, and a search engine might have a fairly accurate record of who's thinking about particular dissident ideas. You can imagine search records being used for insider trading. If you had access to other people's search records, you could probably figure out from them, even in aggregate, whether a particular company was thinking about launching a particular product at a certain time or not, and you could trade on that. It would be untraceable, unlike insider trading that comes from within a company. You could use perhaps even these records for election campaigns in all sorts of interesting ways. Particularly if you could figure out what the other campaign was searching for, you could do research on what they're thinking about. If there's an issue they're worried might come out, they'll have searched for it, so you can actually find dirt on them by looking at whether they're searching for that dirt.
You could do campaigns targeted at individual people based on their search histories, because their search histories will tell you which issues are important to them. You can build a profile of them and then send them a marketing message that's tailored to their beliefs and is quite different to the message that their neighbour gets. Etc. Potentially there are uses for stalkers and other personal threats. Perhaps they're less likely or less seriously an issue for search privacy, because there are a lot of other avenues by which you can get other parts of people's traffic that's very sensitive; like, just their straight-out browsing activity may be visible through the same channels. So a point I was making before without really elaborating on is that search records are tied to people's identities, and that's not necessarily obvious, but if you think about it: at some point, who here has typed their name into a search engine? Who here has never typed their name into a search engine? Three names. So you three people who didn't type your names into a search engine ever, do you ever log into an account at a search engine?
So between those two identification mechanisms, you've basically got a real-world identity associated with every single search history. And the search histories are connected together not only by accounts at search engines but also by a combination of IP addresses, cookies, user agents and other HTTP headers, and all of this information can be used to link these different searches together. And even if one of those variables changes, if you change your IP address, for example, by walking over to a net cafe, but you didn't change your cookie, maybe you had session cookies enabled or on your laptop, whatever, those different sets of searches can be stitched together, statistically speaking. And there was a famous example that hit the front page of the New York Times where a woman was identified without having any of these mechanisms linking her name to the records or to an account, but just the fact that she lived in a particular community and had particular hobbies and particular things she was thinking about was enough to track her down based on that apparently anonymous information. So who are the adversaries? We want to think about how we look at these threats to people's privacy and what you can do to mitigate these threats, and the adversaries are actually pretty diverse. You have, for a start, someone at the search engine. The search engine has the data sitting there, and they might not have an official policy of using their records for blackmail, for instance, but there is the risk that a systems administrator or a senior executive at that firm might be able to take a copy of that database, or run a set of queries on that database, and walk off with the results and use them. What are the chances that someone, a hacker, might intrude into the search engine's network and get access to those records? It's probably less likely than an internal attack, but it's possible. There are governments. Governments can probably be categorized into two groups here. There are governments that follow strict rules about how they
use procedure to pursue suspects, and so you need to think about that kind of government in one sense, and perhaps generally we would have expected the United States Government to be an example of that, but perhaps with some of the stuff we're seeing with NSA spying that may not in fact be the case. The US government may be willing to step outside the law in its pursuit of records on people. And then of course there are other governments, like Iran or Turkmenistan or China, where there won't be any legal regime really restraining the government's use of these data points if they can get them. There are civil litigants. It's not something that people think about very much, but actually if you're involved in a civil court case to get someone, a divorce case or a copyright infringement case or any kind of civil case, you could send a subpoena to Google and say, can you give me the search records of this person I'm involved in a lawsuit with, but that's relevant to your case. And then there's the good old creepy person on your Wi-Fi, or indeed anywhere on your internet link, a proxy server at your ISP, etc., that can sit there and watch your traffic. And lastly there's the possibility that your search engine will do obnoxious things like selling your data to a data brokerage, and so you've got a certain set of commercial adversaries there. So when you think about mitigating threats to search privacy, you really need to think differently about all of these people who might get access to the data. How am I going for time, by the way? I'll be fast. So there are countermeasures. We've published a paper about these. You can think about what you would do. I think everyone in this audience will be able to figure out the kind of steps that they could take to defeat all of these tracking mechanisms, but you'll also realise when you look through this list that it's actually quite hard to follow, and so while you might be able to do it, the vast majority of the population is never going to successfully mitigate
search privacy threats on their own. So what we want is changes to policy, either governmental policy, legislation that protects this data, or changes to policy at the search engines, so that everyone doesn't need to be responsible for their own countermeasures to search engine data collection. And we know that the marketplace will respond to this. AOL lost 20% of their market share after they had that scandal on the front page of the New York Times. But we also know that while search engines are willing to engage in this kind of competition, they prefer to do it based on spin rather than actually delivering improvements to people's privacy. So Google, for example, came out with a post saying they had reduced their cookie lifetime to improve privacy, but in fact their cookies were now going to last for two years and be continuously renewed. And so they also have a program to anonymize their data after two years, but that's still an incredible warehouse of information on all of their users. I've got some nice quotes from Microsoft in their response to Google's move, where they gave all sorts of hints that they would do nice things like letting people search and surf at sites without being associated with a personal and unique identifier, which sounds like they're going to let you search with MSN Search or Live Search without being recorded, but then they place this nice little qualifier afterwards: "used for behavioral ad targeting". So you will still be tracked so long as it's not for behavioral ad targeting, and that's only if you opt out. Similarly, they promise not to do unauthorized correlation of the data, figuring out which set of searches went with which other set to compile that record on you long term, except they've got the qualifier "authorized", and they don't really say what authorization means. If their policy says, well, we'll do it for marketing purposes, then they'll do it. So what we're going to do, this is a project that we're working on at the moment, is compiling scorecards on all
of these search engines based on these factors that you can see up here, and we're going to go through and rank the search engines according to, or rate the search engines according to, their compliance with these various things that we want, or users would want, to protect their privacy. So you've got SSL; have data retention, which is a complicated question, what kind of data you're retaining for what periods of time; can you opt out from being logged altogether? Ask.com recently made that move and we're hoping other search engines can be induced into matching it. Do you have decent terms of service, or are they kind of deceptive? A classic example of the deceptive terms of service are promising not to disclose information "unless permitted by applicable law", and of course US law basically always permits you to disclose the data, so the user reads it and thinks, oh, I've got these legal protections, when in fact they're actually giving themselves the right to give your data to anyone. We want to know that the search engines will have legal backbone to actually fight requests for disclosure rather than just handing over data. I've lost my slides. I was hoping to get some feedback about the scoring mechanism we were going to try and use, but perhaps I'll just say this about it: it's really hard to know for any particular user, or for the average user, which of those adversaries are the most serious. They're really quite different people who might get access to your records, and you want to know. One person might be worried about being stalked, someone else might be worried about a civil lawsuit, someone else might be worried about a government. So we're going to assume for our scorecard that each of these are equal threat, they each account for an equal percentage of the score, and then we're going to look at the different, that list of things that we want from search engines, and you see that for each of them they apply to some adversaries and not to others. So we're just going to calculate the score
by saying, well, this countermeasure, if it's taken by a search engine, reduces the threat from three out of the five adversaries, and score it that way. Yep. I mean, I know that nobody has seen any doing that again, so I think what we'll do is we'll, I'll finish this quick talk about search privacy and then we'll bounce to questions afterwards. Alright. And so the feedback I was hoping to get on the particular search privacy project we have here is, one, the thing that we don't know about is internal security at search engines, and so that's the hardest unsolved problem puzzle. We'd love to hear feedback from people at DEF CON, provided that you're not incriminating yourselves by telling us something and you're not violating an NDA. So if anyone has stories or insight into how secure, comparatively secure, the practices of the different engines are, that would be great, because we can't get that data otherwise. And I guess we'll be publishing some of these results shortly, so keep an eye on our blog.
So I'm going next again. Oh yes, here again. I'm Kevin Bankston, I'm a staff attorney working mostly on government surveillance issues, and I see a lot of familiar faces here. Thanks for coming. This is my fourth year at DEF CON and I absolutely love it, except DEF CON usually overlaps with Congress's last week before recess, which means they're rushing crap out the door before they run out the door, and that's actually happening right now. If you know anything about our lawsuit against AT&T, you may have heard of something called the Foreign Intelligence Surveillance Act, which is the primary statute that AT&T and the government violated with their warrantless wiretapping program. Now the administration has been beating the Democrats with the "you're weak on terrorism" stick for the past two weeks, primarily based on the new National Intelligence Estimate, which says that the al-Qaeda threat has grown worse and that there's a lot of chatter, much like in the summer of 2001, such that the Senate just voted 60 to
28 tonight to weaken FISA and expand the administration's ability to wiretap without warrants, probably even far beyond what the terrorist surveillance program authorized, such that the concern is that this bill threatens to legitimize just what we've been suing AT&T over, which is the NSA living on the domestic network without a judge in the loop, able to scoop up everyone's communications and filtering out to get what they want based on only just a "trust us" and without any warrants. So the most important thing I have to say tonight is call your representative. Tomorrow morning, first thing you do, call your representative and say no to any FISA expansion before recess, because they are going to be pushing this to the floor of the House tomorrow. Again, the Senate just approved it 60 to 28. If you're a Democrat right now, you should be pretty ashamed. This is particularly frustrating because our litigation on this issue has gone exceedingly well, albeit slowly. If you were here last year, we were crowing about our victory in front of the district court. AT&T and the government had moved to dismiss our case based on the state secrets privilege, their privilege against disclosing information that could harm the national security. We won. The court did not grant their motion to dismiss. And just to give you an idea of how slowly the wheels of justice turn, the 9th Circuit will finally be hearing argument on the government and AT&T's appeals this month, August 15th, in San Francisco. If you're in the Bay Area, try and hit it. It's going to be very interesting. So the AT&T case is moving along apace. There are some other interesting developments. You may have heard of a case called US v., I'm sorry, Warshak v. US, out of the 6th Circuit. This is a case where instead of directly litigating we were amici, or friends of the court, and the issue in this case was whether the 4th Amendment protects the email you store with a third party, say your Gmail or your Yahoo Mail or your Hotmail, and to my mind this
is an issue that should have been litigated and decided a good decade ago, but it hasn't been. And so we put in an amicus brief to the 6th Circuit arguing that yes, you have a 4th Amendment right, you have a 4th Amendment privacy interest in your stored email, such that the government has to get a warrant before it obtains it, and the 6th Circuit, explicitly relying on the arguments that EFF made, agreed, and for the first time a federal appellate court has held that you indeed have that 4th Amendment right. We're very pleased with that ruling. Of course, the government is seeking review of that decision. We will be opposing that. Another case that we wish we'd been involved in, but we weren't aware of it, was one called US v. Forrester. This is sort of, I like to call it the hangover from the Warshak party, because it's a really bad 4th Amendment internet decision. This was a 9th Circuit decision where the court found that you have no 4th Amendment interest in the IP addresses and email addresses you communicate with, and that the government can install what's called a pen register with your ISP to intercept that information in real time without probable cause and without a warrant. We weren't aware of the case when we should have been, but we're jumping in now to, much like the government in Warshak, we are going to seek, trying to seek review of that Forrester decision. So we're very busy directly litigating the AT&T case. We're trying to influence these other key 4th Amendment issues as applied to the internet, which are finally, after way too long, really finally hitting the big courts, and so we're very excited that these issues are really coming to the fore. But again, I'm much less excited because the Senate just voted 60 to 28 to pass this crappy bill, so please call your rep tomorrow to say no to FISA expansion. Thank you very much.
Hey there, my name is Marcia, and for those of you who were here last year, I'm feeling a little bit sentimental this evening because the first thing I ever did
when I joined EFF last year was speak on this very panel at DEF CON, and so this marks precisely a year that I've been with EFF. So thank you all for being here with me. And now Jennifer has the same experience pretty much, right? I mean, this is like your first EFF thing. The tradition continues. I love it. So when I was here last year, for those of you who were here, I told you about the fact that we were starting a new project. It didn't have a name at the time, but now we have a name for it: the FOIA Litigation for Accountable Government, or FLAG, Project. Very patriotic. And basically what we do is we submit requests under this federal law called the Freedom of Information Act, or FOIA, to government agencies to learn about what they're doing in the realm of national security, criminal law enforcement, yada yada yada, with technology to gather information about people. And it's been an interesting experience so far. We filed about 50 requests over the past year and we filed lawsuits over about 10 of those requests. You know, the big problem with the Freedom of Information Act is that it actually doesn't work very well. So you file these requests, and under the law agencies are supposed to give you documents responsive to your request in 20 working days, and that almost never happens. In my experience, I can probably count on one hand the amount of times that's happened. So instead of getting the information that we want, usually we end up having to sue the government to get a judge involved to order the government to release information. So that's really my big job, is suing the government for stuff like that. And so we filed lawsuits over about 10 of these requests and we've had some interesting results coming in here, especially, you know, right now. I mean, this is the time when things are getting really interesting. We had our first big, really nice result a few weeks ago. We had filed a Freedom of Information Act request with the Department of Justice, specifically the FBI, to get information that
was related to a report that was issued in March by the Department of Justice Inspector General, which is like the internal watchdog of the Department of Justice, and the Department of Justice internal watchdog had found that the FBI had broadly misused its power to issue national security letters under the law. So we filed this request to get information underlying that report, the information that that report was based on, and as often happens, the request wasn't processed in the amount of time it was supposed to be. So we sued, and a federal judge ordered the FBI to release 2500 documents to us every month, and we got the first release of those documents in July, and among other things that the attorney general was aware of NSL misconduct in the FBI before he testified to Congress in 2005 that he was unaware of any verified civil liberties abuse coming out of the Patriot Act. So that produced some interesting news coverage and made the attorney general's life even more hellish for a short time. And so next week, actually, we're getting our second release of those documents, which we're really looking forward to, and we will of course put up on our website for you all to take a look at very, very soon after we get them. And we also have another interesting couple of things coming up that you all might be interested in, I hope you're interested in. We've already gotten some documents, we're going to be putting them up on our website shortly, that are related to an FBI electronic surveillance system called DCS3000. The FBI uses this technology to gather information of people in the course of both criminal law enforcement and intelligence gathering operations. So we've got things like security assessments and actually a user guide for this technology, which is pretty interesting. And we also have gotten some documents out of one of our lawsuits that are related to this army unit called the Army Web Risk Assessment Cell, and this army unit actually monitors websites and blogs to see
if there's information that's been posted that poses any sort of threat to operation security, or OPSEC. And one of the interesting things about these documents that we found is that actually what the unit has found is that the vast majority of the time, when operation security information has been posted improperly on a website, it's been posted on an official military website. Thousands of times it's been posted on an official military website, and less than 20 times has information like that been posted by soldier bloggers. So that's pretty interesting. So anyway, I am eager to hear any thoughts you have about the FOIA work we're doing, or any suggestions you have for FOIA requests, because that's sort of the grist for our mill, of course, or ideas for FOIA requests, and so I'm looking forward to hearing from you all either during Q&A or after this panel. Thank you.
Hi again, my name is Matt Zimmerman. I'm here at EFF also, and my main task is trying to help bring a little bit of sanity to the world of electronic voting. I think we concluded a while ago that that's actually utterly impossible. The solution is going to be to get rid of these machines. They're so broken that it seems impossible to ameliorate the problems, to bring them up to speed and create the transparency and accuracy that everyone demands out of their elections. This should be a rather obvious problem, but unfortunately it hasn't been, and how we got here is pretty straightforward. In 2000, after the debacle in the presidential election, Congress said we are going to do something about this problem, and they did precisely that: they cut a check for about four billion dollars and said go out and buy some machines, and we hope everything works out okay. Unfortunately, as we all know, it didn't actually work out terribly well. So EFF has spent the last three or four years working primarily towards fixing problems wherever we can and helping put pressure on the various decision makers to unwind their decisions, unring that
bell to the extent that they can, and it's a multi-faceted problem. We have brought suits in a number of jurisdictions, or we've assisted suits in a number of jurisdictions, with some limited successes. In North Carolina, for example, about a year ago, a year and a half ago, we were finally able to convince a court to come down with a ruling that resulted in Diebold leaving the state. So it's a good day's work to make Diebold flee anywhere. So unfortunately, courts since then have not been terribly, have been terribly willing to follow suit. We have a couple of cases ongoing right now. You may remember the problem in Sarasota, Florida, in this midterm elections, where all of the jurisdiction was using ES&S touch screen machines, and at the end of the day, when the congressional race was decided by about 350 votes, we had an undervote rate counted of about 15%, which amounted to about 18,000 votes. And that is, these machines recorded no vote for anyone on Congress on about 18,000 votes. To give you a little bit of comparison, a little bit of control group, the ordinary undervote rate for top-ticket races is about 2-3%. So we went to court and asked the obvious question of, can we look at the machines? And the judge there, God bless him, and I will only say good things, we're continuing in litigation, has said, now, you haven't really demonstrated any need to actually look at the machines at all; you need to give me evidence as to why there's a problem. Apparently 18,000 no-votes on the machine wasn't good enough. That judge has stayed firm with his decision. We've gone to the court of appeals there, who haven't so far been terribly enthusiastic, but we're hopeful that someone in Florida will finally come to their senses and actually let us take a look at this. We have another ongoing lawsuit in Ohio challenging a lot of the procedures that have been in place since 2004 or prior to 2004, but since there's been a change at the top there, there's a new secretary of state other than Ken Blackwell, who blocked
every single move towards sanity in that state, we have a little bit of a shot, and we're talking to the secretary of state there, who will hopefully give us an opportunity to implement some new procedures. This week has actually been a very good week on the e-voting front. Debra Bowen, the secretary of state of California, carried through with her campaign promise to take a hard look at all of the machines used in the state. She commissioned a study that demanded, or that forced, all the vendors to turn over all of their code, all the documentation, all of their hardware to the state, and then we have a review. The results came in this last week, and I know you're waiting for this: "Diebold sucks" is the conclusion. Last week the red team reports came out, and they found that every single system, every system, not just Diebold's, was incredibly chock full of holes. Of course, the response was, as you might expect, well, this is a controlled situation, this would never actually happen in the real world. Translation: we can leave as many holes in our product as possible, and it's now on the volunteer poll workers and election officials to fix the problem on election day across the country. That hasn't been terribly convincing. It's got some play in the media, this "isn't a real election" excuse, until yesterday, when the source code review reports finally came out. You can go take a look at them; they're on the secretary of state's website. I'm hoping to show you a couple excerpts here. We're having some technical difficulties up here, but let me just read a couple of the highlights here. In the Diebold reports: "our analysis shows that the technology controls on the Diebold software do not provide sufficient security to guarantee a trustworthy election". Anyone surprised by that? The team, the source code team here, came up with a list of about 30 serious security vulnerabilities based only on looking at the code, and they objected vehemently since they only had about a month to look through all of this code,
but they came up with a nice list that's chock full of problems, such things as: "the TSX automatically installs bootloader and operating system updates from the memory card without verifying the authenticity of the updates". I don't see what the problem is, actually, with that. "The TSX automatically installs application updates from the memory card without verifying the authenticity of the updates". Again, I fail to see the problem. One of my favorites is a two-parter: "a local user can get to the main menu system setup menu without a smart card or a key". Remember that one of the excuses here is, well, you're not taking into account all the physical security and all the crack procedures we have in place to prevent anyone from getting access to this. The team notified us that they discovered a way for a voter in the voting booth, using only a paper clip, to trick the machine into sensing a smart card reader hardware failure, which then sets the voter, sends the voter, to the main menu system setup screen. Now combine that with our next fun hack that Peter found: "a buffer overflow in the handling of IP addresses might be exploitable by voters". So we now have a situation where you can take a paper clip to go back to the main menu of this system, you can punch in an IP address of over 256 characters, and it shuts down the machine. So this is, someone takes about 30 seconds to a minute to do this, and it will, at the very least, cause this system to crash. So if you look through the reports, we have a wide range of serious security vulnerabilities that will allow individuals to either alter the results of these machines or to crash the system, if their strategy was to just slow the system down, try to reduce voter turnout, things like that. So, sorry, go ahead.
So the report also conjectured that that IP address overflow that a voter could trigger was potentially going to lead to arbitrary code execution, although it's hard to imagine how he would be typing in shell
code while sitting in the voting booth. But potentially also, I mean, shell code isn't necessarily what a voter would want to do. If they were, say, a Democratic voter in a strongly Republican precinct, they might just need to write in enough code to zero all the votes, and if you can zero the votes in the memory and on the smart card, and you walk in towards the close of polls, you can wipe out all the records of voting in that particular precinct that might have a political bias. So it's quite a serious vulnerability.

So you have quite a toolkit of fun little hacks that you can perform on these machines and give election officials everywhere nightmares, and that's precisely the problem. We have jurisdictions who purchased these machines thinking that it was going to solve all the problems that they had in 2000. Obviously wasn't the case. Now we have all this money spent and no one wants to admit that they screwed up, so everyone is blaming everybody but the excuse is why we can't change this system. There's currently federal legislation in the House that we have been supporting all along that would roll back some of the most serious problems of these systems, do things like allow access to source code, allow qualified persons access to source code, and then they can make public reports to identify some of the system vulnerabilities, that will hopefully bring pressure then on the vendors and the election problems. Things like mandatory audits, things like that. At the end of the day, the solution, I think, is still going to be get rid of these machines. They're just awful. There's no way to fix them. As the source code teams specifically said in these reports, they got as close as I've ever seen an engineer get to saying this is utterly, utterly broken and there's no way to fix it. And if you look at the end of the Diebold report, that wasn't limited to Diebold. Look at the conclusion to the Sequoia report: virtually every important software security mechanism is vulnerable to
circumvention. Virtually every important software security mechanism. So it's a little tough to figure out where exactly to begin with these guys. So anyway, in the meantime we are bringing attacks on the litigation front to try to call these jurisdictions and the vendors out when these systems screw up, in addition supporting legislation to try to get rid of the machines once and for all. I think this battle is over. We will win it, but it's going to still take some time, because there's a lot of money at stake, there's a lot of people who have put their reputation on the line to saying that these systems are fine. So it's just a question of how long it's going to take to unwind this. Hopefully it's sooner rather than later. I'm hopeful that this top-to-bottom review result should really dispel any notion that these systems are adequate and hopefully speed that process along. Thanks.

Hi, I'm Danny O'Brien. I'm the international outreach coordinator at the EFF. I didn't used to be. About six months ago I was working on a lot of the domestic policies, so if we have any questions in the Q&A section I can talk. In particular, my job was basically to, every five minutes, desperately try and stop the broadcast flag from going through. And I should point out, because usually these things sort of go on for a bit and we only really tell you when we're in dire emergency, you should point out that there are often happy endings, and the broadcast flag is still nowhere to be seen. And really, genuinely, I think that was down to people constantly calling their representatives. I mean, it's very hard to do that with a lot of controversial issues, specifically if they can raise the root password of national security, but it's kind of hard to say that people will die if the broadcast flag gets implemented, so, only people who stick their fingers in it at some point or something. So that was good news. As I say, I'm now the international outreach. We've now got relatively a new department at the EFF. If
you turn around, show the shirt. It's the shirt I want, not your, nothing else. So this is our new icon, this is our international icon. International is American for foreign. And incidentally, on the issue of this new t-shirt, when we say e-voting we mean no e-voting, if anyone's confused on the t-shirt. Just be clear: fair use, e-voting for all. So we've always had a fairly major international presence. Various of you have probably heard me bang on about this at various levels of drunkenness yesterday and my talk today, but our primary concern from a sort of US-centric point of view is policy laundering, which is the process by which stupid ideas get raised by lobbyists in the United States, by some fluke congressman, I don't know, awake that day, or Ted Stevens is in another room, and it doesn't get through, and then the lobbyists immediately go to an organization like WIPO, which is a long way away from normal human people, and gets it through, and then comes back to Congress and says, "We have to do this, we signed a treaty." An example of this which is interesting: we've just done a free trade agreement with South Korea, notoriously technologically backward and needs to be taught how to do this sort of thing. So the copyright industry came in and said they're doing these strange and mysterious things with their 20 megabits per finger operations, and one of the things that they specifically ask the South Koreans to clamp down on in a free trade agreement is so-called web hard systems. And web hard is a great term, but what it actually means is online hard drives, basically storage systems. So anything like WebDAV or systems like this that offers that has basically been portrayed in the free trade agreement as tantamount to filming in a cinema. And this is storage. This is like running an Apache server. This is Amazon S3. And in a free trade agreement, which incidentally isn't binding on the United States, says that if South Korea agrees to this, and there have been riots in the streets over this free
trade agreement, then they will have to shut down all their storage services or at least have them investigated. So these are the things that go on behind the backs of the usual democratic processes in strange mysterious places called other countries. So EFF has now sort of got a department. I do the activism and unlegally passed statements to the public. We have a senior international attorney who does a lot of work, Gwen Hinze, who does an incredible amount. If you read the stuff about the broadcasting treaty at WIPO, that was pretty much down to Gwen working with the industry to form a coalition to prevent basically rules that would say that broadcasters would have a pseudo-copyright in anything that they retransmitted, including Creative Commons material, podcasts or whatever. And that was almost certainly a done deal at WIPO and would have gone the same way as sort of DMCA-type language if it hadn't been for plucky NGOs turning up and pointing out that nobody actually wanted it. Genuinely true. Like, the Americans turned around, there was basically a WIPO debate that everyone went, "Well, you know, but the Americans want it," and lots of people wrote into Congress saying, "Do you know that this is going through?" and Congress wrote back as one and said in their form letters, "No, we have no idea what you're talking about." Went to the patent office, and the patent office went, "I'm sure there was a lobbyist who was demanding this, I can't remember who," and it ended up with the American lobbyists at WIPO, the government lobbyists, saying, "Who is for this?" and, "We thought you were, all the bad stuff is American, wasn't it you?" And eventually it just stumbled and fell. Another victory by the stupidity of the other side. We've opened a department of Brussels, and this has been incredibly useful because the next stage in policy laundering is this sort of policy ricochet between Europe and America. You can see this at the moment in two particular areas, all being coordinated by Mr.
Gonzales, one of which is sadly already passed in Europe, which is data retention. Europe used to be absolutely fantastic for privacy law, and now there's just this huge hole that can be walked through, where, as Peter mentioned, just having these huge honey pots of data collection is an incredible risk to privacy, and now having a government requirement that all data should be kept for a certain period of time, whether you are under investigation or not, is just making these honey pots even more tempting, both to government and subpoena and malicious attacks. So that was unfortunately actually passed the week that we opened our Brussels department. Nothing we could do, wasn't our fault, wasn't some sort of hazing ceremony that European Parliament threw on us, but so we were a bit too late for that. The next one is the criminalization of copyright infringement, which has been on the agenda for a very long time by the rights holders, and this is the idea, basically, as the rights holder has realized, it's such an expensive process, and thanks to court cases that many attorneys have very bravely fought and we've attempted to support, it's getting more expensive to sue individual music lovers for very, under very small amounts of evidence, the file sharing. So the rights holders' plan for this is to make the government pay, right, just actually make it a criminal act so that the investigation will take place through law enforcement. And we've seen how successful that is. Some of you may remember Mixtape white label DJs being arrested for the very thing that they are paid under the table for by musicians and record companies, which is to put out interesting mixes of existing material, and then being arrested by the police for doing this for copyright infringement. So it's a nightmare, the idea that people could go to jail for essentially failing to navigate the incredibly dangerous and e-sign and really increasingly vindictive copyright law. There's a fight on in Europe that we're helping to lead with
EDRI and various very good European groups like FFII, who fought the software patents. Erik Josefsson, who is our man in Brussels, is actually ex-FFII and has an apartment next to the European Parliament, and he's sitting there with binoculars all day, and he's very good at going in there and speaking to them just after the lobbyists have come down. And we've done incredibly good job. We managed to get it watered down in the European Parliament. We've got the UK Government casting very strong doubts about whether it's a good idea to criminalize like this, and we've even pointed out drafting errors, that the European Parliament votes on something and then the drafters come along and say, "We thought this was unclear, so we've changed it," and none of the MEPs noticed, and FFII and EFF came in and actually raised this as perhaps a slightly undemocratic procedure to be following. Of course, even before that law has been passed, that directive has been implemented, the Mr. Gonzales is already, he's like, his timing is wrong now, he's going to go down the process and he comes in going, "Well, they're doing this in Europe." Well, they will be doing this as soon as they've got through this drafting error. And some of you may have seen that a proposed draft has been to do the same sort of copy crime in the US. We've always been fighting on two fronts, but now we've actually got forces on two fronts, and that's been really useful. A couple more things that have been really interesting in this area: as Web 2.0, or cross site scripting alert as it's known here, is sort of proceeding, a lot of these small companies, a lot of them in Silicon Valley where EFF is based, internationalizing and bringing in new people, often in areas which don't have the same strong constitutional as we used to have, and there are problems here. And I think it's really easy to describe what these problems are, which is threat model. A lot of these companies are very sincere in wanting to protect their users against attacks, for instance in corrupt
oligarchies in Russia and Eastern Europe, or in China, protecting their users against the sort of investigative procedures governments use against dissidents, but they don't have a useful model for what those attacks look like. And one of the things that we don't often sort of talk about outside of Silicon Valley is we do try and work with companies who come in, and if they come in and want to discuss this kind of thing, we'll try and point out how their systems might be hardened, not against the normal sort of hacker threat but against actual authoritarian governments. And I'm very pleased to say that a lot of companies, even ones that you might not expect to be interested in that kind of thing, have increasingly felt that protecting privacy and enabling a free expression in those countries is actually something that works very well for them and is a good publicity coup and is something that their own employees are very concerned about. And to that end we're working with Amnesty International, CDT in Washington, and a bunch of other NGOs in an ongoing discussion with Microsoft, Google, Yahoo, Vodafone and groups like this to actually develop a code of conduct, so that when they go into new countries, or even actually here in the United States, they don't sort of stumble into, by making technological errors in how they build out their infrastructure, creating weak systems that are exploitable by governments. And it's an interesting conversation, and I hope it will continue into the future, and you should see something hopefully by the next DEF CON.
And finally, on an individual basis, one of the things that we're increasingly hearing, and I'm sure you do in the news as well, is the individual oppression and arrest and investigation of online journalists and bloggers and hacktivists in these countries. Technology really now has wrapped right around the world, and the sort of technology that is developed here and elsewhere in the world and the developing world is now being implemented everywhere. And what does that mean? It means that tools that you guys devise suddenly have really important ramifications for dissidents in other countries, and we actually on a daily basis now get requests about how to remain anonymous, how to protect people's identities, and how to use the tools that are really being devised here. I mean, Tor's the obvious example, but really all kinds of defences and protections, particularly when, this is just anecdotal, repressive regimes are hiring hackers, basically outsourcing oppression to groups in other countries to try and hack their own citizens without any legal protection. So I hope to maybe talk in the Q&A and afterwards about how we can help protect those individuals.

So am I working here? Can you guys hear me there in the back? Yeah? Okay, thanks. So I said I was going to do criminal cases and some other stuff too. I just want to talk a little bit about the kinds of issues that I'll look for as we take cases and decide what to work on, because not all criminal cases are going to be great for me. It's not going to be like a new public defender office or something like that. You know what? I want to work on projects that have to do, so if I get a case, I want to know, does it have to do with extending privacy rights to digital communications? Does it have something to do with promoting information flow and innovation and creativity in the computer security world?
Is it something that will, where I can argue or try to help keep the definition of computer crime nice and concrete and comprehensible and relatively narrow? So those kinds of issues come up a lot in the computer crime cases that I've chosen to work on while I've been at Stanford, and I want to extend that. Also, does it involve new investigation, or maybe not even all that new, but does it involve modern investigation technologies that maybe we don't really understand that well, or courts don't understand, or defense attorneys could use some help figuring out how that stuff works and what should be the reaction of courts and juries into that sort of evidence. And that's all the way from the interesting stuff we've heard about forensic tools that are pretty commonly used now, like EnCase, all the way through more modern kinds of tools that we're using on the battlefield and eventually, I think, we're going to see in the courts, like fMRI and other kinds of brain scan information as well. So when you guys call me, and some of you will, and not because you're going to get into criminal trouble necessarily but because you have questions or something happens, those will be the kinds of things that I'll be looking for in your case. Now if it turns out that we can't help you, that's okay, we'll do our best to try to refer you to somebody who is good, who might be able to help you as well. And just a general thing I'll say to people who often want to know, the main thing that they call when they get in some kind of trouble or they think that the FBI is investigating them.
The main thing I say is that you shouldn't fret too much about trying to get somebody who's super computer savvy. What you really should try to do is you try to get a great criminal defense attorney who understands the system where you are and understands the laws where you are, because there's so much that goes into a criminal case that doesn't have anything to do with technology, like do you get out on bail, and how to schmooze the prosecutor, and then a good, these are seriously important things, and then a good attorney doesn't know everything already. A good attorney knows what they don't know and how to figure it out, and who I can consult with or work with or talk to or refer to, a real technological expert or something like that. So if something does happen to you, you should kind of think about it that way, that maybe you're going to need to have kind of a team of experts to help you out. So I'm not going to necessarily only do criminal stuff. I think I mentioned this for those of you who were at my talk earlier today, that in this Security Power Tools book that O'Reilly is coming out with, a chapter in there about laws that affect computer security research, and you know, you can have questions about that too that arise in the civil context as well, and those will be things to contact me about also. So I will look forward to talking with you guys about those sorts of things in a kind of happy non-criminal context as well. Thanks.

Well, super. We have a lot more things that EFF is working on. It's just a sampling. Other things include protecting your right to speak anonymously, with defending against John Doe lawsuits, people using subpoenas to get your identity; copyright misuse, in the sense of using the DMCA takedown procedures to take down things which are not infringing, we're involved in a bunch of litigation to try and expose that misuse and take people to task; defending fair use rights; first sale doctrine, which says that once you buy something, that it is yours to resell. Thank you.
We have a patent busting project, which is decided to find some, thank you. But we don't have time to go on all of these things in detail, and it's time to turn it over to your questions, and we'll do our best to provide you with informative, interesting answers. Yes. There is no audience mic. Alright, I'll just repeat the questions, but go ahead.

The Senate had already voted for it, yes. I'm not, you wanted more information about the FISA bill. We don't have all the details yet. All we know is that it does expand the administration's ability to wiretap transit traffic across the United States without going to the FISA court, on the authority of the AG or the Director of National Intelligence. And the concern here is that the method by which they will do that is the method by which they've been doing it all along, on our allegation, which is that they will have secret rooms of data mining equipment attached to the domestic network such that all of our traffic goes in and we have to trust them that they're filtering our stuff out. And it appears, again, details are sketchy. If you're wondering why I keep checking my phone, I don't typically do this when we're speaking, but new details keep coming in. It apparently has a sunset of six months, but we all saw how sunset worked with PATRIOT, that meant that pretty much everything ended up getting renewed, and so this might have seriously reset the bar in terms of FISA and kind of gutted a law that served us well for nearly 30 years. And so again, the House is voting on this tomorrow. The outlook is not good. Please, please, if you get the chance, do call your representative and at least let them know that you don't approve, because even if they end up voting for it, they need to know what you think.

You would ask about why should we call the representative after they've already voted. Only the Senate has voted, and so your congressperson, House of Representatives, has yet to vote on this. They are trying to do this over the course of the weekend, so waiting till
Monday may not be soon enough. And if you need some assistance getting that contact information, the EFF Action Center, action.eff.org, has tools that will help you identify the contact information for your applicable congress voter. Email as a political tool is often overused with form emails, and even though people do things like put random scripts to make them not look like forms, it just is not as effective as a phone call.

Sir, my love, thank you. Can you say it, because it's been all over the papers for the past week. Might I ask which of your representatives are senators? House of Representatives. It's great for the democratic process, sir. He'll know about it now, because that's the reason why they can't go home, so they'll be like, "Oh jeez."

Yeah, the question is, if I'm understanding correctly, do we have things underway to get more responsiveness and more disclosure out of government, and indeed is an aspect of our FLAG project.

Well, yes and no. The Freedom of Information Act doesn't extend to Congress, so if you're asking about responsiveness from legislators, really the Freedom of Information Act doesn't help. However, you know, I would say that our action center is a really excellent tool in terms of connecting people with their legislators, and the more that people contact their legislators, the more that legislators understand what their constituents want.

Sounds like, so you're asking a moral question about things like seeing the bills as they are being drafted. Seeing as that's not really something that has been in our strikes, and we do pay attention to this sort of materials in an advocacy sense, trying to stop bad bills and promote good bills, but we aren't working generically on this. Now, one thing we have done is sort of a roundabout thing. We've helped with a project to take some of the C-SPAN materials that are videotaping this and making that available, working with some third parties who wanted to make that available and helping them in their discussions with C-SPAN to make that
happen.

This is something that obviously hits us sort of internally. We're members of the open government initiative, the group that, there's a coalition, openthegovernment.org, and we've also been doing quite a lot of talking with the Sunlight Foundation as well, which is a really good sort of grassroots, hack-driven, essentially, attempt to open this up. One of the things that they did was offer a thousand dollars to anyone who managed to persuade their representative to publish their diary, and what people would do is go to prospective candidates, this was before the last election, and say, "Will you commit to publishing it?" because one of the great problems with tracking what's happening with representatives is you don't know who they're meeting with, who they're talking to, and you don't know who's influencing them. And there's a big anti-corruption movement going on in Washington at the moment, and I think the best trick at the moment is to try and hitch your ride on that. And for instance, Senator Obama has put his name to a reform that would require various documents to appear within a certain number of days online, and I think that would be incredibly useful, and so we support this, and it would be useful for us, and we put people in contact with people, but it's not something that we're driving through ourselves.

So there's a comment more than a question, but mentioning that you should indeed note the bill by bill number when you're calling, and say please take a look at our action center, action.eff.org, which has all the necessary information to make this an effective call. I'm not sure we have the bill number yet on this particular bill. Do we know that it's the bill that passed? Way to go, Derek. Okay, yes, then hit our action center. I'm so glad we have people back at the office.
There was a question that had been asked that I wanted to address, which was how do NSLs apply to search log data, and that's a very important question, and it's one we simply don't have an answer to, because it turns on what the DOJ reads the law to mean, and it turns on what the search engines' compliance people read the law to mean, and neither will say what they read the law to mean. And so the basic answer is we don't know. It's whatever the feds and the compliance people agree to in their closed-door meetings. I think there's an argument that, well, let me put it this way, the Department of Justice has argued, when it was good for them, that search engines are not electronic communication service providers. However, NSLs only apply to electronic communication service providers, so if the DOJ doesn't talk out of both sides of its mouth, then it shouldn't be able to use NSLs for search engine logs. But of course it talks out both sides of its mouth all the time in terms of its legal argument, particularly when it's making legal arguments in secret, so I think the assumption has to be that of course they can get your search logs with the NSL, but in the end we do not know, and neither the search engines nor the government will tell us.

I only have a post about it, so I don't have the bill number. It doesn't say the bill number in the alert? I think I have a connection to all the bills.

Again, it is the bill that they're staying this weekend for, so if you say the McConnell-FISA bill they will know what you're talking about, or better yet, simply say no FISA expansion before recess. They will understand that. Being in the unique situation is that this is not a situation where we're going about knowing the exact number. Yes, leave a message. If no one picks up, leave a message.

If we said just a good idea and I was giving talks over that we do not have and like here we give F or A so you don't have that yet so Europe needs you.

Well, you do now.
EFF Europe is actually sort of a membership organisation where actually lobbyists, unfortunately. There is also EDRI, which you may know about, E-D-R-I. Well, it's a coalition of grassroots organizations, and so, I mean, the big problem that, as someone who is European, I totally sympathize with myself, that, yeah, there is this problem because what you have is grassroots organizations that generally concentrate on the national scale, and none of those organizations have European representation, right, apart from very briefly, well, FFII is a good example, and also, it's a freedom, I did a lot of work sort of trying to build up a European department, a Brussels department. This is one of the roles that we're hoping to play, right, is that we have a paid-for staff employee in Brussels all the time, he has a really nice sofa, and that any activist who wants to go and lobby in Brussels, seriously, you know, his sofa is always open, and you can come and he'll take you and introduce you to the MEPs. And yeah, the MEPs are totally shocked when anybody from their country actually turns up and cares, because they're completely isolated and cotton-wooled away from actual, the people who voted for them. So what we're trying to do is to break that down and provide ourselves as a resource at the European level, which is what our grant is for, for national digital rights groups. And we just had a really good, useful summit organized by the Open Society Institute, which was exactly this, where we brought everyone together and said, okay, what are the European problems, and now we have some staff at Brussels all the time, we can do something about it. I really wish we had the same in Geneva, actually. That would be, I think our next stage would be to have a permanent person at Geneva, because it really does change things.

So the question, I don't know if I need to repeat it, but was about Wendy Seltzer, the DMCA, and the NFL.
For those who are not familiar with the situation, Wendy Seltzer, a law professor at Brooklyn Law School and a former EFF lawyer, put up a clip of an NFL game on her blog on the YouTube, and via embedded a YouTube on her blog, and that clip was mostly the copyright notice. When they say, you know, this may not be retransmitted, any description or account of the game must be kept quiet, and she wanted to make some commentary about that in her class. But nevertheless, the NFL took umbrage on that and sent her a DMCA takedown notice, and then she counter-notified, and then the clip was put back up, and there was a bit of a brouhaha with some talking points. And this is something that we would have been happy to proceed if it had devolved into litigation, but it did not go into litigation, so our help was not needed, and Wendy is very capable herself. But these are the types of situations which we actually do get involved in. We've been making a bit of a push in DMCA misuse situations. There's two aspects of the DMCA, and many of you may be actually more familiar with the anti-circumvention, no circumvention tools, that aspect of the DMCA, which is fairly horrible stuff, but there's another part of the DMCA which is not so bad, and that is the DMCA's safe harbor, which provides protections for service providers who are hosting allegedly infringing materials, and it provides that that safe harbor is available so long as they do a notice and takedown process where they receive a notice from a copyright holder, and then they take down the material, and then there's procedures for counter-notifying, and so on. But one of the problems that has emerged is sometimes people will use this notice and takedown procedure when they don't actually have a good copyright case, or not even, in some cases, where they don't even own the copyright.
But through the incentives built into the law, the service provider has extraordinarily strong incentive to continue to comply with this notice and takedown procedure, which basically means that the material is off the line for about ten days, even if you counter-notify and there was not even any question of whether you had a good claim. So we've been involved in cases about misuse because there's a provision in the law that says that if you make a misrepresentation, then you can be liable for the damages that you have caused, and so we have been involved in a couple of cases. One of the ongoing cases now is involving the magician or psychic, Uri Geller, and somebody, our client, who has worked with the Rational Response Squad, and put up a clip that showed Uri Geller and some of the interesting things about how he does his psychic powers. And the clip might be something that Uri didn't particularly like, and Uri's organization did a takedown notice getting that clip off of YouTube, and we thought this was kind of interesting because the clip actually came from Nova, and so really it wasn't Uri's copyright, or so it didn't seem, but in fact he does assert a copyright, and it's become clarified that eight seconds out of a thirteen minute clip consisting of somebody else introducing, like, "The next person to appear is going to be Uri Geller, and he's amazing," that language was, Uri asserts a copyright, and therefore that was why he took it, not because of the critical nature of it, but because of the strong feelings in copyright.

So I just called one of our crack folk at the home office, and it is S1927. You should still go to action.eff.org to find out the number to call, but the bill that we would like you to oppose and make clear to your representative that you oppose is S1927. Thank you.

Yes.
Well, fair use is your right to make a, the question was about fair use and the DMCA takedown procedure, so if someone uses a DMCA to take down material and you have a fair use right to have posted that material, they may have misused the DMCA, and this was actually a case where we brought this all the way through to a published decision, was our good friends at Diebold, and there was some material about how their voting machines worked that had been available on the internet, and they used the DMCA to try and get that unavailable on the internet, and the court found that that was so obviously fair use that to assert that it was a copyright violation was misuse of the DMCA. Now, the other aspect of your question was what about YouTube and their terms of service? YouTube has pursuant to the terms of service agreement the right to take down material, and it doesn't have to be because it's copyrighted, it could be because they feel like it, and if you look through their terms of service, you'll see they have a very wide latitude, and so the cause of action for DMCA misuse is against the person who sent the notice to YouTube, not against YouTube.
We haven't seen that yet, but to keep in mind, national security investigations typically do not result in a criminal prosecution, they are for prevention, and so we would not typically be learning of that. Similarly, often information may be developed that may lead to other evidence that does not end up being used at trial, but the only, the closest example we've seen is people's caches evidencing their searches being used, but I don't believe, Jennifer correct me if I'm wrong, but we have yet to see subpoenaed or NSL or warrant seized search logs in a criminal prosecution yet.
Well, one reason might be that the NSL process is not all that revealing. You know, you get all this information, but what do you do with it?
I think the FBI's justification for this is to say that the NSL is just one tool in a whole arsenal of tools that they use when they're doing an investigation, and if the investigation does end up resulting in a court case, what they say is that they use other evidence. So, you know, what we most often see when you have these national security type investigatory tools used is that they'll be, you know, they may result in a criminal investigation of some sort later on, but it's not always readily apparent from the information that's in the case that it was national security type information that was used.
So, one of the ways that we found out about some of the kinds of surveillance that they were doing and some of the information sharing that was going on between the national security kind of, people with a national security mission and people with a law enforcement mission was in that case that involved that truck driver or taxi cab driver or whatever was supposedly plotting to blow up the bridge on the east coast, and in that case, you know, he had gone through, there was surveillance, they had wiretapping, they went through, he pled guilty, I think, they convicted him, and it was only kind of subsequently after the fact that they had been doing this, that the NSA had been doing this massive, you know, kind of dragnet surveillance, only after that did we realize that some of that evidence was used in this dude's case, and so then his attorney filed an appeal and wanted to try to get more information and that kind of thing. So, you know, even the attorney who was involved in the criminal case there didn't know that this kind of specialized new national security investigatory tool, which maybe wasn't legally authorized at all, but they didn't even know, you know, that that was what it was. He, the lawyer didn't know what he was looking at when he was looking at it.
Similarly, Kevin Poulsen recently discovered the use of a Magic Lantern-type technology, you know, where they can install technology to surveil you remotely onto your, remotely install technology that surveils you onto your computer, and, you know, we don't exactly know how Kevin found that out, but it was revealed later, they had basically what had happened is they had been using it, and they were looking for, or they wanted to use it and they put information about, this is what we want to do in a search warrant application, and that search warrant application was in a court record, and then by looking at that court record. So one of the problems we have done, something which maybe you guys can kind of think about, which would be useful, is how can we, as you know, how can we like find out more about what's going on in these court cases than we currently know? You know, how can we take a look at what's publicly filed on PACER, which is the federal court records of documents that are filed, or some other way to kind of give us more, give all of us, you know, in the civil liberties world, and the public too, more of a sense of how these tools are being used, and more of a sense of when these important issues are being raised, kind of at an earlier stage. So some kind of, you know, our own sort of data mining of PACER, I think would be really great. But I think that's the reason. I don't, I think to some extent it's because, you know, these cases are getting, are just investigatory and they stay in the national security realm. I think another reason is oftentimes we don't know.
Yeah, why don't we see it used more in just sort of your everyday, day-to-day crime? And I think some of that is, you know, we have our way, you know, the criminal justice system is slow. And the way we lawyers do things is like we have our way we do things and it's like this is the type of stuff we look for.
And, you know, maybe these investigators, these aren't, you know, internet people, they know all sorts of other stuff, but they don't necessarily know a lot about what records are out there and they're not thinking, hey, I could get search histories, you know, and try to use that information as well. I mean, there are laws that were passed like right when I got out of law school about changes in discovery and stuff like that, that, you know, in the criminal defense bar in California, at least in Northern California, we still don't follow those because like that's just not the way it's done, man. You know what I mean? It's like we have the way we, we have the way we've always done it and, you know, when we get into a fight, we point to the statute, but basically like there's a way things go down and that's how we do it. So, you know, some of it is just, you know, we're slow dinosaurs.
Absolutely, divorce lawyers. Actually, there was a great story about FasTrak, the RFID-based transit, you know, toll charging thing where it's become a serious honeypot for civil litigators, particularly divorce lawyers. And so there's no reason why that won't become the case with search logs. It just hasn't happened yet. Don't Google your new girlfriend's name.
The only time we've seen that was actually in a civil case of the governments, the government, the ACLU and us and a group of plaintiffs are challenging a law called COPA, the Children's Child Online Protection Act, and the DOJ, the defendant in that civil case, subpoenaed Google as well as several other search providers for a variety of types of logs. And Google eventually had to give some logs up, but not all of what the DOJ asked for, and not any identifiable logs.
So the question was, what are we doing in the first sale doctrine, an area of copyright? Okay, I was wondering it, fair enough, check back on Monday. What, our website? Yes, your website. Yeah, our website. We'll do. I leave it to you then.
There's something cool going on, as you might imagine, and luckily, Joe is right here. It's a short answer, because the specifics will all be out on Monday. But the EFF, along with my firm, Keker & Van Ness, is taking on a pro bono case, sort of testing both where, how much you can do with things you buy and how much companies can do to try and stop you, particularly when you try and sell them on eBay. So check the website on Monday. I understand there's likely to be a press release, and should be really cool. Likely to be a press release, and we're thinking it'll be fun.
So more generally, we're interested in the first sale doctrine. One of the things that is, is to be able to erode your rights is the notion that once you buy something, it is not yours to dispose of. And, sorry, the question is, sorry, it's very hard to hear you. Well, indeed. The rhetoric, the question, or the point he's making was that you hear a lot about theft of intellectual property rights, but not about the theft of property rights, the theft that would be occurring if you weren't able to make a first sale. And this is also part of the transition of, instead of selling you something, people purport to license it to you, that it may seem like you go into a store and pick up a piece of software and you walk away with it, and it's yours, and you hand them some money and such. But nevertheless, people might argue that, in fact, you didn't purchase anything and you just have this license right, or maybe you have it when you click I agree during the setup screen and so on. But the move towards a world where you're getting a license to something instead of an ownership of something is a more challenging one. Further questions?
In 1996, the law was amended to specifically provide that if you want electronic copies of records, you can ask for that. And the agency needs to give you basically what you ask for. So if you specify you would like electronic copies, you can get them.
One of the problems that's come up in this is that agencies or people who process the FOIA documents and prepare the copies for disclosure sometimes haven't fully understood that they can make redactions and the redactions can then be removed by the people who actually get the documents. And that's been a source of concern. And I think that agencies have been a little bit hesitant to really take this and run with it even though it makes things more efficient for them. So in my experience, typically what happens is when I get electronic documents and they're PDFs, usually they were records that were printed out, the redactions were made in black magic marker, then they were scanned back in, and then that's what I get. Which is interesting but pretty much I suppose fail-proof in terms of being able to remove redactions. I've also gotten things like spreadsheets which have been very helpful. I've gotten things on CD considering the fact that what I try to do is make things available to the public on a website. I really am glad to get stuff like that and it's certainly short answer to your question. Yes, you can get them. Pardon? It's a good question. I suppose they can do whatever they want. All right, further questions?
Oh, the arbitration clause decision. I can talk about this if you want because I wrote my Wired column about it last week. I wrote a column about it that came out this Wednesday for Wired News. I wrote a bi-weekly column and I wrote about this EULA issue and the contracts. This is kind of a great decision. There's two decisions I wrote about. One was Gatton and one was the other one. You're talking about the other one, the Ninth Circuit one. What's the name of it again? I forget. Yeah, it's some kind of normal name that I forgot what it is. But basically what this case says is for those of you who are in my talk earlier today, I talked a little bit about contracting and what the deal is with contracting.
And there's always been with these kind of click-wrapped, shrink-wrapped contracts, there's been kind of two issues there. One is, is it really a contract? Was there the meeting of the minds that makes it an enforceable agreement? And the second is, what happens if somebody did click agree, what does that really mean for you? So we went through this whole kind of series of laws about the first thing, and basically what courts ended up saying is you've got to have some ability to look at the terms or something like that. They can't kind of hide the terms from you and then sort of spring them on you later because that's not really a contract. The essence of contract is, you know, this meeting of the minds, which is really this beautiful thing between two people, and it's lovely. It was my favorite class in law school. It's the most romantic of the law school classes. You're mutually bound. There's mutual consideration. There's an offer. There's acceptance. It's lovely. It's different online. So now what happens is they show you the terms of the contract and you click agree because you're like, what the hell? I want to get through to my thing, and nobody really actually reads it. Sometimes it's a million pages long, and did you really agree? So there were cases, specifically a case in 1996 that said, well, when you click or if you just buy something and you see that there's some terms of service stuffed in the box that you bought and you didn't bother to go return the thing, and you kept on using it, you agreed. You manifested your assent either by clicking or by your actions of continuing to use the product. So you're bound by the terms and conditions that are there. Based on this very kind of simplistic understanding of contract law is this meeting of the minds between two equals and arm's-length negotiation, which we know is total crap when it comes to the way that modern mass contracting is done.
And the great thing about this case, and one of the reasons why this case is really important and interesting, is it recognizes the reality of modern mass contracting and says, listen, there's something inherently off about the way it happens. We're not going to say that these aren't contracts because mass contracting is great. It provides this great efficiency, this isn't what the case says, but it is great. It provides this great efficiency so that we can have agreements without having to, like, all meet and take time to hash out the language. But we have to recognize that the balance of power between us, the individual consumer, and them, the vendor, or the producer of this computer or whatever the heck it is, is totally skewed. And these terms are offered on a take it or leave it basis. You either buy it or you don't. You don't have any right to negotiate. And we're going to think of this as being inherently, inherently problematic. So they say that it's procedurally unconscionable, right? There's some element of procedural unconscionability there. There's something off about it. It's not necessarily big, but it's big enough that it gets us past the question of, well, you agreed, so we're not going to second-guess the contract and let the court go to the second level where it looks and says, are these terms, then, substantively unconscionable? Is there something wrong with what's inside the contract? And courts won't scrutinize that unless you have a bit, at least, of procedural unconscionability. So it basically says for every mass market, you know, take it or leave it, adhesion, click-through, or box-wrapped contract, we're going to take a look. And we're going to see whether these terms are overbearing or oppressive or unreasonable in some way. And in this case, it was the arbitration clause case. 
The state courts hate contracts that have arbitration clauses because they get rid of provisions that legislators put through to protect the citizens of that state and allow for consumer rights and class actions and that kind of thing. So there's a long history of case law saying, like, we look askance at arbitration clauses anyway. And that this case is well solidly within that, you know, kind of that line of cases. But the thing that's new and great about this case is it says, don't you basically like, sorry, Judge Easterbrook, back in 1996, you were wrong. There's something about the way that online contracting or modern contracting is done that's a little bit fishy. And we're going to make sure that customers are still protected. We're not going to just assume, hey, well, whatever you agreed to, you're stuck with. So it's a great case and will help us get to the point where when you do have contracts or EULAs that prevent or prohibit, prohibit, not prevent, reverse engineering or benchmarking or critiquing a product or any of those other things that we've come to count on as kind of like core and important things that support public access rights. It gets us that much closer to courts taking a serious look at those and striking those down as well.
Yeah, so he's talking about another case that was also in the same article that I wrote. Two cases came out. One was like a couple weeks ago and one was a couple weeks ago. One was some time before that. And there's Gatton, which I think is the California case. And then there's a Federal Ninth Circuit case. And one case is the one I just described. And the other case is the case that you're talking about. And there you're totally right. It was like unilateral change to the contract terms. And basically what they said is, you can't just unilaterally change the contract terms on somebody without notifying them. At the very least, you've got to send them a notice and say, hey, things have changed.
And then at that point they can have an opportunity to say, well, I'm sorry, I don't want to take your deal anymore. So you're totally right. That's another case. It's another great case because so many of these EULAs and terms of service and website things have, well, you know, we agree to respect your privacy until we decide not to agree to do it anymore. And basically what this case says is, oh, you can't do that anymore. You've got to notify people and let them kind of pull out and withdraw. So you're totally right. There's two cases I'm talking about. I don't remember the names, so I'm mixed up about which one is which. But they're both relatively recent and in my Wired thing. Oh, that's the Ninth Circuit one? Okay, sorry. Well, the other one is cooler to me. But they're both good. And I wrote about both of them in my Wired thing. So if you want to check that out and then you could see what the name is of the one I actually talked about. The other one's... Yeah, Douglas. Thank you. Yeah, exactly.
Sir? Well, I'll give it a whirl. So the question is whether... we're pointing out that there are new e-discovery rules, electronic discovery, and whether EFF is in a better position to take advantage of those e-discovery rules. Is that a fair assessment? Well, we actually, you know, so we try and do impact litigation. And the ideal circumstance would be cases in which we can win with a summary judgment or a motion to dismiss. So we're really... we are not looking for circumstances in which there would be substantial amounts of discovery because it's the legal issues we're trying to advance. And often cases where you have a lot of discovery and you would have such voluminous discovery that you really want to take advantage of e-discovery, those are ones where usually it's not so much that the facts are unclear. In those cases, the facts are unclear. In the cases we're looking for, often the facts are more clear.
And the question is whether or not what will happen will be legal. Nevertheless, we have some cases which are larger than others. If by good fortune we are able to continue on with our AT&T case for their surveillance, I would imagine that e-discovery will be an interesting aspect of that. However, we probably will need to go up to the Supreme Court before we would be able to get any discovery in that case. So we'll have to worry about it at that time.
So you were first. Maybe not about e-map use, but e-discovery, the shorthand name of it, when they said that's the address that they're at, that primarily stores and prams. You sort of answered your own question there, even in that case. Alex, get your hand out. He's busy. Any other questions? Oh, Alex. Sorry?
We are. What a great question. We are. And this t-shirt that you was modeled earlier is available as a premium for member donations. If you join as a member for $35 and above, you get that lovely t-shirt. And we are in the vendor room, in the center of the vendor room, on the side towards the parking lot, I guess, towards the back. And we rely upon the goodwill of our members and the support of our members to keep on doing what we're doing. So please do come by and get yourself a membership. Get yourself one of our new t-shirts. This is the dunk tank as well. Aaron and I were dunked earlier today. It was good fun. And every time you throw a ball, that raises money for EFF. And we should have some good fun with the dunking.
So the question was about malware, adware, I guess is another term for this category of things. And we have taken some policy positions that are relevant to that. We would come from a perspective of people should have control over their computers. And so that would mean that we like tools that enable you to have that control and enable you to get rid of material that has popped up and having things that are installed upon your computers without your knowledge and consent is a bad thing.
But we haven't been involved in any litigation about that. Well, that brings us to the end of our time. Because we just spent an hour with Q&A, we will not be doing the Q&A session. But if you have further questions for us we will be at our booth for the rest of the convention here. It's so great to be here. We really enjoy it. And we look forward to seeing you all around and about the con.