So welcome to the current talk on regulating law enforcement Trojans. Government hacking is basically the cyber utopia of law enforcement for some, and to others they still just look like criminals on the wire in the end. But naïve and Pila are going to present a more nuanced approach to the whole topic, and I hope we can learn from it. So welcome, naïve and Pila.

One, two, three, okay. So, we made those slides in an hour and a half because we were cooking pasta at the Italian embassy, where you are all welcome to get some grappa afterwards. But this is a comprehensive sharing of the experience that we had in reaching a bill proposal to regulate the use of Trojans by law enforcement in Italy, and wasted two years of our life for nothing, since now everything in Italy is quite complicated, in even this glow. So what we wanted to share is not just the juridical and technical aspects of the bill proposal that could make sense, but also the kind of process and experience that we had in doing it.

First of all, we were set up in a casual way as a team of a technologist parliamentarian in Italy, who is also a hacker from the late 90s, early 90s; an IT-skilled lawyer; and me and Pila as hackers, forensics and technical guys. And we're going to speak only of the regulation of Trojans by law enforcement agencies. So no uses by intelligence, and we are also not going to speak about export control to foreign countries: a specific focus on law enforcement agencies.

First, we want to share the difficulties that we had within the debate, because the topic of regulating the use of Trojans has a lot of stakeholders.
I mean, people and organizations interested in that may range from civil society, different governmental organizations, all of the IT and criminal-related lawyer communities, the forensics communities, the prosecutors and the government itself. It's represented also by a stakeholder like the privacy ombudsman that takes care of privacy. So the amount of stakeholders in place is a lot, and often share, I mean, most of... Sorry, I've not shifted the right way.

So what we saw is that the conversation on the use of Trojans by civil society is mostly focused, especially because of the media hype, on the use of Trojans by non-democratic governments that spy on activists with technologies provided by Western countries, but those are mostly used by intelligence. And the kind of complexity of the topic, when you approach it in a broader way and not in very specific vertical aspects like the use of Trojans by law enforcement, sparks topics of export control, human rights compliance conversations, geopolitical aspects, technical evaluation of tools and detection of the Trojan, as well as aspects of leaking and public shaming, I mean like it happened to Hacking Team for example, and a lot of conversation on the topic of zero-days and vulnerability disclosure by governmental agencies.
This is kept out of this proposal, and so many times we were engaging with different parts of civil society to speak about this kind of topic. We also got a lot of criticism, which is reasonable, regarding the fact that what we are doing is pushing the legitimization of government hacking. But, I mean, we accept that there should be many different views. And on average we have civil society on one side that says stop government hacking at all, and that's the kind of campaign and the kind of general feeling, while the government says: okay, due to encryption we lost investigative power, now we need to hack to get it back.

And the different kinds of requirements that need to be collected and put together by civil society, governmental agencies and different players are investigative, juridical and technical, so they are very different aspects. Personally I didn't know almost anything about the Italian criminal procedural code except the articles related to computer crimes. Now I know a little bit more, which I learned together with Andrea. Yeah, from the lawyer. So that's kind of difficult.
There are many different points of view: there is an investigative point of view, and juridical and technical points of view. The difficult part is that every one of these points of view thinks their point of view is the most important one. So everyone says the law must be regulated by my own point of view. And they speak completely different languages. So if you just speak from your point of view, a technical point of view, to a lawyer, they don't understand anything about the technical side. When the lawyer speaks with the investigator, they say: yes, so you are trying to defend the criminals, you don't understand anything about investigation, and so on. So it's a very difficult table. And obviously we are not counting the political aspect; that's probably the worst thing, to have to deal with the politicians, teach people and explain basically how computers work.

So that's the kind of approach that we achieved, I mean, during a couple of years. First we defined the problem that we wanted to achieve: that's a bill proposal and a technical regulation. Then we developed a prototype as a core team, which means a basic text of the kind of patch that we need to do to the law, and the draft of the technical regulation that should come with it. Then we presented that prototype, so the text and the technical regulation draft, to the different stakeholders in order to improve it and collect criticism, contributions and requirements. By stakeholders we really mean the experienced and expert IT lawyers, professors of law at universities, but also the law enforcement agencies, the specialized units for cybercrime, the intelligence agencies, the anti-mafia, the prosecutors, the Ministry of Justice and all those kinds of stakeholders we were speaking to. We also had a meeting with the privacy ombudsman in order to collect from them:
What do they think, and where do they feel this should go? We were integrating their suggestions, when reasonable, with our principles of guarantee and safety, and then sharing again with all of the different stakeholders. So we iterated several times.

Then we arranged a private, invite-only conference at the Senate, where we invited the key stakeholders, from the head of the anti-mafia commission to the privacy ombudsman, civil society and civil liberty groups, computer forensics experts, and lawyers that teach IT-related law in the universities, to hear from them and all the other stakeholders what they think about this draft law from their point of view as a piece of the stakeholders, with Chatham House rules. It means that everyone can say outside what has been told in that meeting, but no one can say who said it. That's a kind of rule of engagement for that kind of private meeting to get consensus.

Then we iterated for several improvements. I mean, I won't get into the technical aspects, but it got really important changes for the good. And then we started a public consultation by publishing the proposal on a forum, making some media campaign, collecting some feedback, making some other small iterations. Finally we deposited it to the Chamber of Deputies. So that's the kind of process that took about a couple of years, I mean, using spare time in order to reach this kind of proposal.

In the meantime the Italian government tried many times to propose different bills. So every time some people say: okay, we need to introduce a Trojan inside our penal procedure code, and every time their proposed bill was: yes, we can use Trojans, nothing more. So every time you need to run to Rome and say: no, this is not enough, it is a very complex thing. We have been working on it for two years.
So it's better if we talk together. So in the end, as you say, the political part is the most difficult one, since they don't understand anything about technology. They don't understand anything about the implications from a forensic point of view, from a juridical point of view, from a technical point of view; they just want to have their own name on a new law. They say that the Trojan can be used, yeah.

And so, let's say, there is a certain number of even juridical experts and privacy activists that argue against a law to regulate the use of Trojans by law enforcement. But without a law, what happens? What happens is that without a law everything is allowed with a single warrant. It means that in the criminal procedural code it is not written that, for a Trojan, you can use it for that kind of crime, for that procedure, following those rules. So if I am a prosecutor I need to go to the judge and ask for an authorization to do something, and the judge does not really understand what the hell this prosecutor is asking for, because it's a technical issue, and the judge follows the law. So it's an atypical tool; this is the definition from a juridical point of view.

And this allows a prosecutor, for example, to ask for a warrant to follow a person, which by Italian law he can basically self-authorize. So he cannot self-authorize to follow a person by using a Trojan in order to collect his GPS coordinates while moving. But then, you know, once the Trojan is on the device, he can collect everything. Probably he will not use those data in court, but he will be able to see; just trash it, just don't use it as proof.
Maybe at a later stage we will seize the device, and this is exactly what prosecutors were also doing in Italy. We know of certain dynamics where the prosecutor used the Trojan during the preliminary investigation phase, because the judge easily signs a warrant on something when he doesn't know anything about those computers, acquired all the evidence, but it was a preliminary investigation. So they just closed the preliminary investigation, officially started the investigation, and seized that notebook exactly the day after, because they knew that the evidence was on that device. But they had already seen that in the preliminary investigation phase with the Trojan.

In other words, we have a police force that is playing like an intelligence agency. So they collect all the evidence, they understand where to hit, then they will go, as he said, to a specific street at a specific hour and they stop a specific car and they find everything they want. So now everything is legal, but all the past investigation is not legal, since it was acquired with an instrument which is more related to an intelligence agency than to a police car.

Is some technical aspect not clear, because we are assuming knowledge of how the juridical things are going, or is it okay? Okay.

So then, without a law, the jurisprudence, so the tribunals, the different courts of different levels, will start writing the law on their own. For example, one case in Italy of mafia-related things reached the Supreme Court, a mafia-related case where the Trojan was used to record the surrounding environment, and the defense lawyer challenged that it was not authorized to do so, basically, because of limitations of the surrounding environment law. Because the surrounding environment... I don't want to get into the technical aspects, sorry.
Sorry So basically they authorized that the use of Trojan to listen to surrounding environment Prosecutor know that all juridical magazine speak about this the acquisition of the evidence from a Prosecutor and defendant point of view have an uncertain legal status because if I acquire Data from a suspect and then I go in court. I don't know if those data can I mean I cannot be just Contended because there's no way to validate the way the data was acquired. I mean we know that For what's related to computer and phones search and scissors there are clear custody chain and procedure for the acquired evidence to be collected with a read-only Hardware and all the procedures to be followed and recorded so that the defendant can check it That's not a case for the data acquired with the Trojan So let's now we get into the proposal. We wanted to give this kind of context To better phrases first our outcome We ask it that what we need to do to regulated Trojan by Low enforcement first we need to patch the criminal procedural code the criminal procedure put code It's the part of the law that define which are the investigatory tools and power that prosecutor have for Which kind of crime they can be used for how much time and how the data should be Handled and if there should be some kind of notification. So it means that for voice phone call interception is not going to be given for a crime of a Facebook Defamation and in the criminal procedure code. 
It's written there, so there should be a proportionality between the seriousness of the crime and the investigatory power that is being used. And we know that this already regulates interception of phone calls, the recording of internet traffic, following people, searching a person's house or property, and seizing goods. And all the operational rules, in detail, for example for telecommunication interception, rely on ministry regulation, because it may need to be updated.

Now, what we learned is that the jurists, people that approach the law and policy making entirely from a juridical point of view, really don't like innovation within the existing code. Especially they don't like innovation that they don't understand. So it means that the amount of modification and the wording to be done in the criminal code should follow this kind of approach of minimizing the modification, because they have to review and accept it. And then there is, I mean, the ministry's technical regulation, that is, everything defined by the criminal procedure code on how stuff should be done. In our proposal we wrote in the bill that the technical regulation must be done by the Ministry of Justice, but with the binding opinion of the privacy ombudsman. So it means that the privacy ombudsman could challenge the Ministry of Justice's technical proposal until it satisfies the privacy and data protection requirements defined by the law.

Fabio said that the jurists don't like to change the criminal procedural code. And this is especially true when they don't understand anything about a specific technology. So every time you need to speak with them, you need to refer actual technology to past examples. For example, if I insert a Trojan inside the cell phone, okay, and I use this Trojan to check GPS data from this device, it is like when you have an agent that is following this guy, so you can refer to the same part of the law. And probably you need to take this
part of the law and put it inside the new law on the Trojan. For every single function or feature of the Trojan you need to try to refer to some kind of previous analog investigation.

So we need to use the criminal procedural code as a library, as if we were writing software; we need to touch as little code as possible. And so we went referring to the Trojan's capabilities of information collection by bringing any kind of information collection action that a Trojan can do to its existing equivalent that's already regulated. That way minimal modification can be done, and it cannot really be contested, because they are already specifically defined, for which kind of crime, for how long, and blah blah blah.

So with the bill proposal, by law, a telephone wiretapping warrant would be required to listen to a WhatsApp call, because it's a voice call. Remote search and seizure would be required to access files on a remote device; an internet wiretapping warrant for recording of a browsing session; even listening to the surrounding environment, so using the microphone.
That's a capability of information collection of a Trojan. It should follow the very same warrant as to plant an audio bug, and for GPS tracking the same as to follow a person. That's very important, because today one of the most abused, the most important problem that the Trojan has is that once on the device it can collect everything. It's the entire life of the target. Whatever channel he is using, whatever external information collection capabilities the device has, it can be done. So we need to reduce the invasiveness of the use of the Trojan, which needs to be justified to a judge: I need the photos stored on that phone. Since every time now they try to acquire the easiest authorization, for example the warrant to follow a person, and they extend this authorization to every single feature of the Trojan. Yeah, so today really a prosecutor can just get a warrant to follow a person and inject a Trojan and then make a phone call illegally, basically.

Another point that has been introduced by the policy proposal is that a Trojan can be used only after other investigatory tools have been used. Because usually we have a preliminary investigation phase and an investigation phase, and you can use different kinds of tools depending on the amount of information that you have on the suspect during the preliminary investigation.
So what we want to prevent is that the Trojan starts to be used against people only because they may be suspects, but there is not enough evidence to say; at that stage the Trojan should not be used. So one of the rules in the law says that only after you tried all other tools, and you need to justify that, which means try to intercept a phone call, try to intercept internet traffic, try to follow the person, can you use the Trojan, as a last resort.

Yes, and furthermore, for example in Italy there are a ton of different crimes about fraud, not paying taxes, trying to evade taxes and so on. So sometimes they try to do something like: I suspect that that guy is somehow related to terrorism or whatever, they put in a Trojan, and they have all the evidence about him evading tax and so on. So if you want to use the Trojan for a crime, it must be used for that specific crime and nothing else.

I have a duplication. So then there is a point of the criminal procedural code that will say when the Trojan should be used, I mean for which kind of crime it could be used. If I say bad words to someone on Facebook and that person goes to the police and denounces me, is it worth using a Trojan?
No. So in the proposal we limited the use of Trojans only to mafia- and terrorism-related crime. But we discovered quite fast that the kind of investigatory tool that applies to investigating a specific crime is really a political aspect that we cannot rule out. Some proposed to use the Trojan for anti-corruption; when we had the meeting at the Senate, the stakeholders representing the political MPs were challenging: why can't the Trojan be used to fight corruption? Okay, someone was for pedo-pornography and someone for cybercrime. But that's a political discussion that we need to stay out of, because it really depends on the context, case by case.

This is something that I didn't copy and paste the right way. And then there is the fact that the Trojan can be sold and operated only by law enforcement agency people. Because what happens today? It happens, sorry, that the police or the prosecutor goes to the local hacking team or whatsoever and asks: hey, I need to inject a Trojan into that person, and they do a full service. Like, they do the open source intelligence, they try to understand; they become part of the investigation as a private contractor. They end up installing the Trojan and remotely operating everything that's required. Now, they will say that the police and the prosecutor can have help from private contractors, but they should oversee what they do and they are responsible for the operations of the private contractor that they engaged. But if the police doesn't have the technical skills to operate the Trojan, how can they oversee someone operating the Trojan on their behalf? So in the law we wrote that the Trojan should be sold by the police. When we met the head of the cyber police, let's call it that way, they said: yes, but we need the training, we need a lot of training to do that. And they said: yes, that should be the way to go.
I mean, but we need to make a policy proposal that works; then it creates some difficulties. We know the difficulties should be surpassed. And this is not a juridical aspect, but it's the operational issues related to the juridical part of this proposal.

Basically one of the problems is search and seizure. The analog equivalent of a search and seizure, I mean going into someone's house, searching for stuff and looking for it, requires a notification to the person whose house is searched. Obviously if a Trojan gets installed on your computer and the Trojan makes a pop-up, "Hey, from now on I'm going to start intercepting you", that's not going to work. There is a tool of delayed notification, because by law, at least in Italy, for a search and seizure notification has to be done as a right of the person being searched. They can delay up to 90 days in case of mafia. So on that kind of problem we had to create an entirely new juridical tool in the criminal procedural code, because we were not able to patch the other existing information capability, in order to provide an explicit remote search and seizure juridical capability.

There is an interesting aspect with this approach, when we approach for example the messaging applications, let's say WhatsApp or the email client. Now, if the Trojan intercepts email as it gets sent and received, that's real-time internet wiretapping and requires an internet wiretapping warrant. But if I wanted to collect the previously received email or WhatsApp chat?
That's a search and seizure and I need a different warrant. So that's to be considered, because even if the Trojan can technically acquire WhatsApp stuff, the Trojan, depending on the warrant, should be able to intercept the internet-related communication or should be able to acquire evidence with a search and seizure.

Well, then we discovered this kind of problem: in Italy the juridical investigative tool to follow a person does not require a judge's authorization. So the prosecutor can self-authorize, and they are abusing this kind of self-authorized warrant to inject Trojans in the preliminary investigation phase.

There is a juridical problem for the collection of screenshots, because the Trojan can collect a screenshot of the display, but what if a screenshot has an open email that you just received, or if it has a photo, or, I don't know, a previous WhatsApp conversation, or your open Google Maps interaction with your location data? The collection of those kinds of data is regulated from other points. So now I have to say it's an open issue: the screenshots are not properly addressed by this proposal.

And then there is also the environmental listening issue from a juridical point of view, because in Italy you can put an audio bug only in the place where the crime is being committed. So you cannot just plant audio bugs here and there and see if something happens. But you can carry your smartphone everywhere. So you have to limit the places where the Trojan is able to listen for conversation, or even acquire pictures, or even record a video. So this is quite complicated. So you need to control the GPS position of the device and try to match the position with the place where the crime can be done. And this is because we are bringing the equivalence of an analog information collection warrant, that's placing an audio bug and recording audio, with a digital audio bug.
It should stay in the same article, and so this creates a kind of limitation. But it means that the Trojan should implement a geographical fence: if they wanted to audio bug my house, they need to use the GPS to do that only in that area. They can leave the microphone open unless for mafia and terrorism, because they say that if it's organized crime it's a usual crime conduct. So you are a criminal every day and you are conducting crime every second, and so for that case you can keep it on.

Then we come to the, maybe more interesting, at least from our point of view, technical requirements. Now, the technical requirements of the bill: those are written into the law, not in the technical regulation. In the technical regulation there are the details that follow the principles that are written into the law. The first is that the source code of the Trojan needs to be deposited with a specific authority that's already in charge of state security technologies. In Italy it's called east economy; in other countries, like in France, there is ANSSI, and there are different kinds of authorities in every country, where a certification body typically certifies, to the international Common Criteria standard, technology for state security use: military, diplomacy, intelligence and classified information generally.

At this point many stakeholders said very bad words to us, since they said: you are crazy, you are trying to force us to reveal all our secrets, since we are using zero-days bought for a ton of money.
We need to expose our injection of the Trojan, and so on. So we talked to them and we tried to find an agreement, so that the source code must be deposited with a third organization that is not related to the vendor and is not related to the government, and everything can be encrypted, and there will be a protocol to open the sources and to understand how to create a new Trojan, just to verify all the features inside and so on. But two months, just to understand and to talk and to try to find an agreement on this specific point.

We need to go a bit faster because we have 15 minutes. 14.

So the Trojan must be verifiable with a reproducible build, and that's a kind of technical challenge, but it could be achieved. We discussed it also with people we know that work in companies that produce malware, or the former CTO of a known Italian malware provider, who, drinking beer, were suggesting a lot of things. So the defendant needs to be able, as a last resort, to make the inspection and the reproduction of the Trojan being used in his case. Then the Trojan must be certified, so it means that the functionality needs to pass a clear acceptance test that satisfies the technical regulation. And, important, every operation made by the Trojan or by the operator operating the Trojan must be logged in an integrity-protected and timestamped way, so that the log of the operations of the Trojan can be given to the defendant, so the defendant's technical expert can look in a detailed way that the Trojan has done only legit things and there is no suspicion about it.

Another technical aspect of the technical regulation is that the Trojan's production and use must be traceable by establishing a national Trojan registry. We faced the conversation with people from the police that were saying: I don't know if this other department of the anti-mafia,
it's working on injecting a Trojan on this other guy, on the same guy. And so we could reach a situation where, look, I'm asking for a warrant to inject a Trojan into a phone where there is more than one Trojan, injected by all the different agencies in Italy. So it's a fucking mess. So in this case we need a registry where to check if some other police car is trying to inject a Trojan into the same person or into the same device. And the nice thing is that people from the cyber security CERT and intelligence say: yes, but it will also be useful to know if one of the Trojans being used, I mean, is malware or is from one of us. And this also enables the defendant to check that the Trojan that was used was from the court of Milan that is investigating the suspect, while if the Trojan is from the court of Rome, well, then there is a procedural problem.

Then there are two other important requirements: that the Trojan, once installed, shall not lower the security level of the device, so that's to protect the integrity of the device; and that the Trojan, once the investigation is finished, must be uninstalled, or otherwise the instructions on how to self-remove should be given to the defendant. So it's up to the manufacturer to introduce a self-destruction that properly logs the self-destruction.

Some of the lessons we learned: first, politicians need to have a very basic explanation of how computers and networks work. Something like: this is a banana, this is a computer, do you know the difference?
Okay, it was very different. We found out that the fear that someone is spying on their phone usually triggers the interest in regulating these kinds of things. So that's available inside the presentation to advocate for that. That if you don't have a law, the jurisprudence, some case that reached the highest court, will take care of it and allow something or disallow something, but you don't know how it will end up, and they say tons of nonsense from a technical point of view.

We also learned that law enforcement mostly injects Trojans with physical access. I mean, we are captured by the conversation about zero-day exploits and international intelligence-related facts and so on, but at the local level law enforcement mostly accesses the device physically, and when they are searching to plant an audio bug or a video bug: there's a computer, there's a phone, let's also try to load the computers. In other words, you are passing through customs, they will stop you, they will search inside your bags and so on, and someone else steals your phone and injects the Trojan.

Then we also got as feedback, speaking with law enforcement and also some intelligence agencies, that they consider this tool to be very unstable and inefficient because of the relatively low success rate, especially since the new phones have a PIN and device encryption and such. So it ends up that they are already using it as a last resort tool, because it doesn't work so well when a phone is protected by chance. And then that policy-making at that velocity, I think we had never done it.
It's a tremendously expensive and slow process. You think that from the idea you reach a point where you say: okay, it's done. Then let's see how it's going: you have an idea, and some people tell you that you are a friend of cops, and the other ones say you are a privacy protector. So we are always the same, the idea is the same, but from a different point of view, and they say every time by the thing to us. Yeah, they go the goodies that you get a shame for almost any aspect, but then if you engage people in the conversation, people engage.

There are several open issues of this kind of policy proposal, which has also been reviewed by Access Now, which also gives some hints, specifically on the regulation of mutual legal assistance treaties. So when the police of country A ask the police of country B: hey, can you inject a Trojan on my behalf? Or the problem of cross-border hacking; that's a kind of legal issue. I mean, when we speak about law enforcement, so police and prosecutors, the police and prosecutors of Italy can operate in Italy. So what if they don't know where the target is? If the target is supposed to be in Italy, they can inject a Trojan; and what if the suspect is in France? They surely cannot hack something in France. And this is in theory already regulated by the law, but there is this open point: when the police or prosecutor doesn't know where the target is, can they try to hack it or not?
And that's really an open question, because it fits also with the regasso international jurisprudence and such. And also we got feedback from one of the guys inside the Trojan manufacturing sector, who said: you know that doing something like that will probably create a single provider of Trojans, because it will increase the cost of compliance, to satisfy the regulation, upload the source code, support the defendant, so that you end up killing all the competitors. And that could be a market-related thing.

Then: is that now a law, after all of this effort? Short answer: no. Why? Because the Parliament passed what is called a delegation law, where the parliamentarians vote for principles to delegate the government to write the new criminal procedure code. That's the piece of electronic document that we were patching by proposing a law, and so until it's finished this will completely block any proceeding of this proposal. There's a point that major stakeholders considered this in Italy a gold standard, because any kind of stakeholder that could have been asked for an opinion and can be a trusted party has been involved and his concerns were considered. The Justice Commission president said that they will schedule it for parliamentary activity only after the criminal procedural code is reviewed, if and only if the government does not crash again, because in Italy, I don't know if you know, but in five years
We had three different prime ministers.

So what we felt speaking about this, also considering the other actions regarding policymaking on Trojans, especially recently the CCC one, is that it will be required to have a sort of international standard to define policy guidelines for Trojans, because the argument is complicated enough that the effort at a single national level is not so good. Anytime you try to share the knowledge that you acquired with someone, you find also that there are very country-specific juridical aspects, and so there should be the need to do some more research on it.

Here the talk is almost finished. Here are some of the resources to read the text online. We wrote an article on Boing Boing, sent to Doctorow, who was so kind to publish it, to explain to a broader international audience the kind of approach in a three-page article. There is a summary in English that we have done to present this kind of effort. There is the policy review made by Access Now, that's an NGO working on digital rights based in Brazil. And here there are also all the others, the bill proposal, the technical regulation and so on, but unluckily all in Italian, so they need translation. And those are the folks that worked on these and their related contacts. So if you want, we can move to some questions and answers, if I respect the herald's instructions.

Okay, thank you. There are two mics in the center and they're open now. Sorry, the microphone is... So we have a microphone. Okay, just use the one in the back. Even this one.

Stole a Trojan. Okay, start again. Sorry. What is the situation in Italy when you install a Trojan? There's a difference in Europe: in Austria there will be a law that law enforcement can move into the flat or somewhere else, even if it's closed. In Germany, it will be forbidden; they must install the Trojan via malware. And what is the situation in Italy?

Of course, it's a mess. We are in Italy.
So the problem is that I think I am one of the first people who installed a Trojan in Italy, and it was 2004, so 13 years ago. So we are in a gray zone. They installed Trojans. They tried in some way to have a warrant to install this Trojan, but there is no law at all. So sometimes the Trojan can be used, sometimes it can't be used. Sometimes the digital evidence can be put in court. Sometimes they use it to justify something, to find some specific evidence in the real world. And it's not easy to answer this question.

And prosecutors say that often the text for the warrant is written by the provider, the private contractor that provides the Trojan, because they don't know that much about it.

Oh, is this a juridical question? No, no, I have a question, or maybe a comment. If you have a Trojan you want to install, you should start collecting zero days. Then, did the secret service in my country, did everyone collect zero days and keeps them secret? So all the citizens are put in danger, because the zero days are not a kept secret. And I think therefore we should fight for haven't truly unsubmitted overall, and have our secret service and our police work on finding zero days and make them public, and not keep them for themselves and use them for their Trojans. And so we should not put effort into making a good law that balances between the needs of the police and privacy, but just be contrary to Trojans in general.

In my humble opinion, zero days should be connected to weapons. So you can't have a law in a country where you say you can't use weapons at all, okay, since they say they are useful for defense, they are useful to fight crimes and so on. So this is the same. But we have some trouble to understand that it is the same thing. Okay, if I'm telling you: oh, Russia lost two nuclear bombs. Oh my god.
This is so, it's a problem, where will be these bombs, and so on. If I'm telling you Shadow Brokers stole one terabyte of zero days from the NSA: oh, it's just computers. But it's the same thing. So you can't write a law telling, no, you can't use zero days, you can't collect zero days, since they say it is useful for the cyber army, it is useful for attacking, it is useful for police and so on. So it is the same thing as weapons. So it should be the best thing in the world, okay, but it is not possible in our real world at present. There should be a law telling that zero days must be kept secret, must be kept in a secure place, that in fact all three-letter agencies lost some kind of zero days that were fed to the public.

But that's another debate, I think, just because... And we got this feedback also speaking with the not the false of Privacy International world. We had a chat with the guy of Privacy International not sharing this, and the zero-day and vulnerability disclosure process was part of the conversation. The issue here is that it's not the place, it's not the kind of law where to put a kind of limit on the use, the use or not use, of the zero day. We were having a conversation with a few of the lawyers there, asking ourselves how it could be possible to define a law that limits the handling of zero-day vulnerabilities and such, and every time all the discussion reached a point that we need to have liability of the manufacturer and mandatory insurance policies, because this is the way to give the liability of the vulnerability to who created the vulnerability, that's the software manufacturer. But this is another topic. I mean, if you want, later on we can have a conversation. I would really love that. There are many different opinions and it's a policy research aspect. But I really got your ethical opinion that there should not be zero days and government should fix them rather than exploit them.
That's really, I mean, we felt the same.

Are there any other questions? Yes, no, maybe? No. Then there is a meeting at 6 p.m., 1800 CEST, Central European Summer Time, because you're in Europe near Amsterdam, in case you haven't noticed. It's at the Italian embassy, which is down that way towards the woods. It's basically where you drank from this milk, this delicious grappa, last night and then forgot everything, where you went. Side message: there are still 12 liters left. Thank you.