 Good evening everyone and welcome to the next talk for Hope 2020. I hope you are enjoying yourself, and I hope you've been watching lots of Hope talks. We have next up Alexis Hancock who is from the EFF. She is the lead developer currently for HTTPS everywhere. And she's been doing web and system admin work for the better part of 10 years now since she graduated from Rochester in technology RIT. And she's here to talk to us today about Mobile First. So with no further ado, Alexis, thank you very much for coming and over to you. Hello everyone. Thank you for coming to my talk today. I am Alexis Hancock and I am a staff technologist at the EFF. Sorry about the jump around there. And today I'm talking about digital identities and your privacy. So when over my title at EFF, I've been at EFF for about two years almost now. And I am the lead developer on HTTPS everywhere web extension projects. And it's a tool that helps encrypt your web traffic online and are offered in the most major browsers. And I definitely encourage you to download it and definitely encourage open source contribution to it. My other titles are also educator activists for close to 10 years now. And I have been mainly working in the space of helping others get their time together essentially when it comes to doing their work, educating others, or when they want to go organize in some sort of way. With this project at EFF, I have done quite a bit of research when it comes to digital identity in particular and people's privacy when they're online with the technologies with what that looks like and how does that get implemented in the world rather than just looking at data and transit? What does that look like where someone is being able to actually obtain something and go forth safely in security and securely in all modes? So I usually go down a lot of rabbit holes when I'm talking about this really broad, vague discussion of internet and privacy. And so the rabbit hole I'm taking you down today is something called self-sovereign identity. Today I want to talk to you about what that means exactly, the technologies that are involved with that, particularly with standards bodies like the W3C, the World Wide Web Consortium, which if you're not familiar with, they also have like an entire organization dedicated to web standards. So that's what the W3C is and the International Standards Organization. And a few other examples that I'll give to you today around the implications of privacy concerns that we have the EFF and that I have and further discussion around disparities around a digital first conversation and what SSI can look like in the future, especially with marginalized communities, compromised threat models, etc. So different parts of identity, you ask different people what identity is and what their identity is, you'll likely get different answers. I have very common concepts of what a person's identity may entail here. Identity doesn't encompass everything of what someone considers their identity. A lot of this is around like production in society. So take that with a grain of salt. Identity is much more than this, obviously. But some of the things you may have is certifications, degrees, government issue IDs and numbers of course would be a very authoritative stance in your identity as a person, as a citizen. Emails and email is very important because you sign up for a lot of online accounts via email. There's other ways to sign up for online accounts now with like single sign on through like maybe Google profiles or Facebook profiles and sort of authentication that way. But generally the standard way to sign up for something is through email. So your email may be tied to many sorts of identities that you may have online in different groups and different services. You may have publications, you may have blogs, you may have academic research, you may have just, you know, whatever forms that you may be involved with with commentary that could look like different things. Your job, a lot of people tie in their job to their identity or they may not. But it's definitely a part of who they are in the day to day function. You may have some awards out there that you may consider a part of your identity. And much, much more hobbies, whatever activities you may be into, these are the things that go for us in form and shape who you are. And that also considers your past and what your future ideals are and your principles. But I'm talking about more tangible things, of course, as you can see with the examples that I give in here. The concept of the self-sovereign identity is something that's been in development since the early 2000s, especially when people have been considering what does identity look like online. So self-sovereign identity has claims or one's identity that, you know, the data pertaining to one's identity is controlled by you and without having to go through the intermediary party or a centralized authority to verify who you are in different scenarios. So at its core, theoretically, identity credentials should be asynchronous, decentralized, and portable. So these go against the principles of centralized authority and identity we may have with like mobile driver's licenses or sorry, driver's licenses in particular or, you know, presenting any of the sort of form of identification like social security numbers, like those things are generally portable by, you know, paper, card or whatever material that's made of. But the sense of being able to verify who you are usually have to go through a process to do that, depending on what part of the process you're in. I mean, with your health data or having to get a referral or having to renew your license, things of that nature. So one of the models I wanted to talk to you about is the W3C verify credentials data model. So this is not in itself a technology. This is a data model that mentions many technologies. And a verifiable credential has been defined to be just a claim that is trusted between issuer, holder, and a verifier. And you can read more on that specification. But the model that gets displayed here is something called like the issuer, holder, verifier, trust model. That's not really a fancy name or term for it, I believe. But the trust model you'll see here with the holder, an issued document from the issuer, they have right privileges to the verifiable data registry and the verifier will have read privileges. And the holder will be able to present a immutable piece of identification digitally to the verifier. So this is what the trust model will look like in its most bird-eye view form. A part of a verify credential is something called decentralized identifiers. So decentralized identifiers or DID is also in working draft with the W3C. And it's a portable URL-based identifier, also known as DID, like I said, but associated with an entity in particular. And it's really important to highlight the context in the ID of where the DID is referenced. And this is a decentralized piece that you're alleged to be able to be portable from repository or repository to verifier or another verifier without linking personal identifiable information with these multiple verifications in different places with your DID. You should be able to express some sort of authentication of who you are with that DID. That's the concept around this. And involved with that would be something called JSON-LD. So there's other types of specifications and technologies that talk about link data sets and what that can look like within the decentralized identifier documents or DID. But right now we're just going to focus on one of the major ones, which is JSON-linked data. And linked data is a concept that programmatically has been discussed for a while. There's a video here explaining JSON-LD. But the irony is not lost on me that I was about to play a video in a video. And I won't put you through that. So built with this in mind was RESTful services. A lot of RESTful services follow JSON object notation. So does data interoperability and unstructured databases. So unstructured databases will look like things like MongoDB, CouchDB, those types of databases. And juxtaposition to the more traditional databases like SQL. So you'll see highlighted here context.id and context.id are very important pieces. I would say the most important piece is when talking about a JSON-LD set. And this gets incorporated into the DID document. So you'll see context.id there. So those two things are very important. And this would qualify as a JSON-linked data set. And being able to use some sort of authentication, you'll see some service here that's in context in public key infrastructure sets here that are linked here within the data set itself in the document. So another piece of technology that gets discussed often is something called a blockchain if you haven't heard of it. Peer-to-peer distributed ledgers is the main concept of blockchains, right? So our blockchain-based technology. And you'll hear blockchain get brought up in talking about decentralized identification measures where they're talking about necessarily the storage of the decentralized identifier in particular and storage in a distributed ledger. So having something that's immutable, easily tracked through a party that's allegedly decentralized and being able to not have to go through a centralized authority to gain such and to access such. So that's usually where blockchain comes in when we're discussing these things. And it's not a requirement. So the specifications that we discussed, like verified credentials, they discussed that blockchain is not required, but they do mention that it is a possible implementation for a data registry. And so going into another standards body, talking about the International Standards Organization here and the Mobile Drivers License Application, or MDL for short. And here you'll see that the MDL interface will mimic the same trust model that we saw earlier with the verified credentials. You'll see an issuing authority, a mobile driver's license holder, and a MDL reader. And that'll be presented by whoever the verifying party is. So in this case, this makes the technologies that we mentioned earlier a little different because this explicitly states something that's on your mobile device. Whereas the previous technology we talked about doesn't necessarily explicitly say your phone or your tablet, but you would generally consider that's how these technologies would get ported. Even though they discuss in a more broader range as in like using it in web applications, this in particular narrows the scenario down to using it to your phone. And this is very much so bird's-eye view of what could happen in terms of being able to exchange a document or your phone instead to verify who you are to an authority that asks for something like a driver's license, which you would think the first scenario popping your head would be law enforcement. This particular standard talks about examples where you have to give over a documentation or a piece of paper or whatever the material is for a driver's license to use. You would have to actually physically hand it over and it would list all the information that you would normally have to the party. And it may be a little bit of oversharing. So you may not want to share your address with the party that's asking for your state ID, but you have to hand over the whole document. This was presented as a means of actually alleviating that and not necessarily having to hand over all information on your driver's license, in particular your ID in one setting, but just having to having the choice of which pieces of information you want to give over that are relevant. So of course, I'm skipping over with MDL at the moment, the concerns that surround that because you can get into situations where it may be a hostile mismatch with law enforcement, where they ask for more information and really to get what happens in those scenarios. So MDL specification in particular talks about, you know, a lot of things like Cypher suites, but all specifications that I discussed go over the security concepts that they would use and the types of session encryptions they would use. But actually before I get into the privacy concerns in particular, I did want to share with you some documentation here, around what that data exchange could look like with a mobile driver's license. So once activated, you'll see it's activated through something maybe like NFC or barcode. And you'll see that transfer device engagement would occur and a very cyclical relationship between the tokenized data set that or the token authentication. That would have with a mobile driver's license reader. So when the MDL reader asks for this, this could happen a number of ways NFC Bluetooth Wi-Fi where a web API or web application particularly or OpenID Connect or OIDC. And this is a token set. So you would say that the token would send the needed authorization to be able to verify the person holding the mobile driver's license with the verifying authority. So this I tried to make the black and white graphic from the spec look a little bit more interesting. But either way, this is the graph that they had for the data exchange in particular. So data retrieval will look a little different and setting where they talk about that session encryption piece. And they talk about what they use and what type of hardware modules you would need in order to actually store this type of information on your phone correctly and what type of specifications that verify with me. So let me go back to discussing privacy concerns. And here I talk about what that looks like when you have discussing these digitized identities and a lot of discussions I've had a lot of low risk situations get, you know, explained like, you know, verifying for 21 to a bouncer rather than giving your whole information set from a driver's license. But I've seen in the wild very risky concerning scenarios, talking about different sorts of ways verified credentials get implemented in particular with COVID-19 pandemic that's currently happening with immunity passports and verify credentials immunity passports are not just simple immunization results. It's something that's it's a new type of document. It's a piece of health verification that would guarantee or disband you from actually being able to enter somewhere or venue or possibly keep you from coming back to work or possibly keep you out of some sort of area in particular. If you do not have the need to antibodies and according to health experts immunity passports and immunity testing is very, very elementary right now and the research for it is in solid. So we are concerned about the discussion around immunity passports was verified credentials because of the fact that this is something that's not necessarily standardized within the communities that we have. We don't really have something where immunity passports is a norm for different diseases. So presenting verified credentials doesn't necessarily solve the problem of the meaning passport itself and immunity privilege in the US in particular has a very long history of discriminating results. So With that, I'm sorry. With that said, with self sovereign identity and nationalized IDs. This became concerned when the private sector is using SSI based technology and thought to kind of deviate away from the privacy recommendations and sort of push their product through by using decentralized IDs or Some form of verify credentials in some way and We're concerned that State may go and say, well, this is a secure technology. This is a very well built engineer technology from a standards body. We're going to use this in order to push out and nationalize Our federal ID and that's not the direction we want to go. We don't want to have a nationalized ID and database for everyone to adhere to And we have seen that go wrong in so many ways, especially in places like India where there was a massive data breach with nationalized ID system and a large amount of discrimination. And also been it's been implemented in Latin America and that's also come up with a lot of concerns. One of the examples that I have is the clear company may have seen it in an airport. Next to TSA pre checked and it's pretty much privatized TSA pre check. And for those of you don't may not know what that is. It's just expedited way to get through security and airport. By going through a certain set of background checks and then when you get to the airport, you're verified to be expedite your way through security because you've met the requirements. How arbitrary they may be to go through airport security and clear offers TSA pre check in that way and They're not just a TSA pre check company. They offer themselves up as a digital identity platform. So they have actually pushed through something called health pass And they're advertising this to employers of what this could look like for them by having like some sort of way of the member identifying themselves through biometrics and biometrics is something that Has been very much so discussed as something that would not necessarily guarantee privacy or security in the context of verify credentials. This starts marrying actually more so to your identity than it would if it wasn't in use so This is an example of something that's been very worrisome when discussing verify credentials with other parties where It's not discussed where there could be some sort of discriminatory practice at play or some sort of Reprocussions that could happen because of the fact that you don't have your health pass and what occurs there. Digital first and digital disparities. So we want to talk about how the fact that, you know, even though smartphone access has been increased, even though overall internet access has been increased. It's still very much a huge divide, especially in the United States of Access to broadband internet. Even though the specifications talk about how like offline storage could possibly occur with digital identities. Things update things need to change within your phone system, your operating system and often to more often than not, people don't carry the latest and greatest with them all the time. So they can be susceptible to certain things that may That may occur as something that's a non factor for someone who has high speed internet Privilege to be able to access a new phone at the drop of a hat. And since in the United States, we pay the most for Broadband but have a slowest speeds among nations with similar development. That's something to consider, especially since 23.4 million rule Americans. Internet speeds are so low and with the digital divide, you can't necessarily say that we can get behind digital first identities because of the fact that Access until access is closed often gap until everyone is receiving high speed internet and doable access to New technologies phone software updates, etc. You can't push through digital first identities or you'll just exacerbate the digital divide that's already there. So we want to talk about self sovereign identity and harm reduction because so sovereign identity as a concept and Digital IDs as a concept isn't a bad thing inherently These things can help in probably certain scenarios, especially low risk scenarios with low correlation of personal identifiable information, especially with the age 21 scenario that it's given a lot. Device fingerprinting still exists. So any application that uses This in particular and asked for access to A DID in particular or uses it should be restricted from using the rest of the phones ecosystem that could Automatically marry and make a high correlation and a unique ID based off the information that's passed through. So we definitely need a structure for that for applications that uses and With self sovereign identity things like verify credentials and community and to COVID immunity passports We don't want to introduce new potential barriers for someone Especially if they're marginalized, especially if they're already struggling, especially if they're going through something like we're all going through right now with pandemic We don't want to add more stressors on a person's life by implementing a technology that Initially was marketed to be helpful and Continuing that line of thought Digitized SSI as a requirement situations with central authorities and law enforcement. That's always going to have an imbalanced relationship. So When we talk about driver's licenses when we're talking about any time that we have to go to an authority This defeats the purpose of the overall discussion around having your own ownership around data and having your own ownership That's decentralized and having a portable identification and not have to go through intermediary. It's actually Be able to prove who you are or carry who you are with you And if you should have the choice of whether or not you want to prove or carry who you are to law enforcement Through this means in particular you should have access to be able to minimize contact if needed and If you push through something like digital IDs first or mobile identification first that could cause some issues and handing over your phone to law enforcement may not necessarily need it Especially when you have technologies like NFC where you know, that's worth a knuckle for a centimeter range, right? Or Bluetooth technology with the range is a little bit more Even then those scenarios can be hostile because With the officer just ask for your phone phone wholesale because they're a verifier or their reader isn't working or some sort of Scenario that could could occur where they may ask for your phone Altogether already may ask for you to unlock your phone even though potentially with some of these specifications they say that you can actually preset and be able to Transmit your digital ID without having to unlock your phone These are moral theoretical and they haven't been really displayed in the wild or Deployed in different states as something that's been successful yet So we shouldn't assume these scenarios that they're going to be safe just because we implemented a secure way to transmit data So no matter how well engineered Some something is in particular especially with data in transit and data at rest There's always a risk for a breach. Nothing is unhackable. We all know that so in particular with data breaches We've seen that with national ID systems. I have mentioned one in India where they had a data breach and lots of information was leaked everywhere in terms of what type of information that the citizens had and that in turn Has a discussion around whether or not that digital first or a large set database that's centralized somewhere is a good idea so Even though we are discussing decentralized ID. There's Authorities that have mass amounts of data around about us with you know Driver's licenses etc and having all that information in one place and being able to issue it to a person And so they can have it portable doesn't really necessarily answer that question or help it in any way So issuing authorities have notoriously had issues with also updating status in the system Lots of bureaucracy. It could be on late paperwork It could be delayed paperwork and we should not tie these the same systems with law enforcement So Having digital first with law enforcement may not work out because things like license plates readers can be notoriously outdated to the point where out here in the Bay Area There was someone pulled over in a car that was allegedly dated as stolen when actually it was a rental car that was redeemed from that scenario when it was stolen some months prior and Given to a rental company or they acquired it in some way, but in the police the police saw and the license plate reader that It was a stolen car. So they pulled the people over and it was very hostile situation and it could have ended really badly if Engagement occurred, you know in any sort of way that was deemed quote-unquote threatening. So We don't want to marry these systems together where we have digital first and haven't solved the issue of Centralized authorities and their issues with data and data keeping So considered following if you get the Bill Nye reference cool But either way with self-sovereign identity We want to decouple the constant need to verify one's Personal identical identifiable information to gain state benefits. That could be an idea where In many cases there's been studies of when people try to go get benefits and social security They actually have to give over a lot of information about themselves Bill statements bank statements so many things where Something like self-sovereign identity could potentially help where you don't have to keep Shoveling out mass amounts of data to social services or whatever Sort of entity you may have to prove yourself to in order to gain the proper benefits that you need disability or could be Snap benefits or could be some sort of housing benefits veteran benefits, etc That's a potential please piece that could be Explorer SSI that acts as a temporary credential for services and facilities that normally ask for a state or a city-based Identification I'm thinking about New York City in particular where they have the NYC ID where they sort of took care of the need to have a state verified identification to enter and get free museum for a day access or Access library services. So I'm thinking that in low-risk scenarios like this where SSI could act As a temporary credential for a service or facility you may not use all the time You may only need to use it once every other month or you mainly want to go You know to the museum this time of year for this exhibit and you don't necessarily want to get a whole Permanent credential just to go and enter maybe a temporary credential based off of Information that you are already given before So low-risk scenarios online transactions that have Apps for state IDs, I know in particular that some online education platforms they ask for State identification, they want you to take a picture of the front in the back and send it to them and really feels unsafe to do Generally when you do something like that So maybe SSI can stay help here like a bear credential They discuss what bear credentials are more in depth in the W3C spec of verify credentials but basically it's a temporary issued credential one-time single-use thing that you can go through and potentially not have to actually give over your entire driver's license information just to Take a course online. So reducing that risk Reducing the surface area of someone's risk Reducing the amount of data that they have to give over those are great ideas in itself where SSI can possibly come in and actually Be a good solution so in conclusion Like I said, we want to reduce the area risk. We don't want to increase the service area risk with SSI techno solutions Digital identities can be offered, but it should not be enforced and Unless data laws are standardized nationally, we should not trust centralized entities implementing digitized credentials and in particular I'm thinking about like the COVID immunity passports where The state government is in California is looking into and there was other countries as well I believe Germany or the UK was looking into immunity passports where There's centralized authorities that wants to implement something that Generally doesn't have a premise and it doesn't have a good premise if if any so Unless data laws actually are enacted to protect our privacy on a national level in your country And especially here in the unit in the US. We don't want to push for something like this where Just because there's the technology that is there in present doesn't necessarily mean that the technology is the solution itself if the inherent concept causes risk and harm and Possible discrimination in future. You don't want to push an idea through simply because you have all your Needs met on a level of like, okay We have strong encryption strong encryption doesn't necessarily need that the concept that of itself is a good idea so you want to implement good security standards, but what does that mean when you implement something that a Person has to tie to their identity that wasn't there before and now they have to account for this piece of themselves as well to Authorities to venues to their job. We want to think about things like that So I want to conclude this with technology is political this form in dynamics influenced by society So we can't sit there and say that we're going to completely do something or roll a product out saying that hey We're using this web body Standard we're using this standard. We're using using this in order to Accomplish certain techno solution that may be pushed through if you're not thinking about who you're impacting if or who you may harm or who you're helping All together at once you don't want to push through a techno solution And you don't want to use the technology itself as a reason to implement a particular idea You want to implement the idea because you want to actually help the yours of your community help society and not cause more harm or more ways for someone to account for how Someone else can know about who they are online or Another data breach because of the fact that there's yet another data set out there that exists That shouldn't have existed in the first place or someone shouldn't have had access to in the first place Thank you so much for listening to my talk and please download a cps everywhere for Firefox and Chrome and I will be here waiting for your questions. So thank you And welcome back everyone That was the pre-recorded session and now we're going to go into Q&A with Alexis So I see some of you have been putting your questions into the matrix chat if you haven't and you have questions for Alexis Please head over to session Q&A and type in a question for her there What we've seen so far is a few people have thanked you Alexis for your work with HTTPS everywhere I think several of us use that tool and and very happy to See that you were doing that work the the other thing that came up was a question I know you answered in the chat for those that can't see the chat. I'll just read it out Was do you know? Excuse me if there is any existing precedent for US law enforcement reading NFC data of an arrested person with or without a warrant And and so, you know, you indicated that you haven't have seen any legal precedent there, although I think we all know that that happens But certainly that's something to keep an eye on one of the other things that you had mentioned in your talk was Until the digital divide is no more So is that just a very optimistic view Alexis or did you just not want to let your pessimism show through? It's my optimism trying to cover my pessimism as I try to strive for for a better future digitally So if I don't believe in a certain goal, then I'll then what's the use of all my organizing, right? What's the use of doing these talks? What's the use of educating people if I don't think that there's a possibility one day that the digital divide can close I do think there's a way of addressing this especially with broadband in America in particular and the access to it and getting fiber as a priority But until then I do not want to see efforts saying that they want to roll out things digitally and things that are connected to the internet Where the access to internet is highly variable from state to state county to county neighborhood to neighborhood So that's mainly just me trying to establish a baseline more than anything Awesome. All right. So we have a question on on what you were talking about the the question is have you looked at the California real ID standard at all and do you have any opinions about that? So I haven't looked at it in depth I looked at it from a bird's eye view because the real ID measure has hit You know pretty much most of the states in some way at some level. So New York's real ID this this general role indication saying that you need a certain amount of security credentials on card or indicators on a card to Suggest that you know tampering has not been done to that particular document and it's been a lot of issues especially how expensive it can be to switch over to real ID in particular and also obtaining and I and real ID when you already have a driver's license possibly already have an ID and Kind of going towards this more federalized standard of being able to travel state-to-state like I believe Pennsylvania had Was basically told that they do not switch over to real ID that US citizens we passports just to go to another state Because that has a security indicators on it that they wanted so there's been a lot of problems real real ID in general and EFF has Definitely written on this in particular, but I have not looked in in depth in California's real ID Okay, super and and so we have that Q&A channel open for any other questions But while we're waiting on that one question I wanted to ask you, you know, you brought up the question of People asking in various different transactions for a state ID And to what extent has EFF been working Around where that is invalid and and how we can push back on that further So in particular with law enforcement, we have been doing a lot of work especially on the border that's been the most contentious issue in the past couple years where Border security has been brought up as an excuse to Overdo sort of the the amount of Investigation that a law enforcement officer will do in one person if they found some sort of probable cause Or some sort of way to obtain more information than needed in that particular exchange So on the border in particular especially with immigration issues, there was a student that had came into the country And they tried to get them to a certain amount of information sharing social media sharing so We've done a lot of work, especially with that as of late Making sure that you don't have to unlock your phone for an officer if they ask or you don't have to give Biometric data over you don't have to put your fingerprint on the phone And generally we discourage if you go out and you feel like you may be a compromised person or has some sort of threat model that Indicates that you'd be worried about so that sort of thing with interactional law enforcement Generally indicate like do not have biometric systems because of the fact that you can be Subject to some sort of pattern of abuse by law enforcement So we've definitely been doing a lot of work around that and trying to see where that goes and with different cases Great. Thank you. Alexis our next question. You just mentioned being driven to make a positive difference What advice might you give to other people who also would like to choose projects and passions that will make a positive difference? The advice I would give to someone who want to make a positive change in the world is Develop as much empathy as possible for the people around you for the struggles around you and try to figure out How you can help More than anything you don't necessarily have to start an initiative You don't have to start a project. You can just join one see The struggles that happen occur there and you can usually find your place my place has been in tech and tech activism and I first I thought I had to go out and march and protest and Create signs, but then I realized most of my friends and activist friends that were protesting didn't really have a good Secure setup technology wise and I realized I knew a lot more of my network than most people so that's where I found my foot and I started walking in that step, so that's usually how you can find out is how you can help and Where where you can find your place? Usually, so I definitely say you don't have to start anything just start looking start seeing where you fit in and Where your skills are needed most? Okay Do you think that the reduced friction of digital ID will lead to more demands for presenting ID in our daily lives? Yes, I've already seen that happen with the specifications that I talked about in the talk Especially with the fact that the immunity passport issue in particular where it's like, okay We have a specification now that's been published. Let's start using it and people have kind of been using the excuse of Okay, we have more ease and more ways of being safe with this But then implementing something that is come entirely new president in America immunity passports are the thing so People asking more and more for a digital identification or digital sort of validation or reference Definitely seems like something that could be a more incurring problem Recurring so I'm definitely watching that so that's why I did this talk in the first place is to not only shed light on the Specifications that have been published and discussing those but kind of discussing those in the context of where I've seen them in Play in action and try to get people to re-scope it back to the privacy concerns That were listed in the first place about these particular issues When you're giving over a digitizer document to someone to a verifier that has a relationship when you're giving over something Especially to an authority like law enforcement that has a relationship. You have to address that dynamic is not even so I Definitely see that coming up more unfortunately and more negative ways and positive Absolutely So we have a couple more questions that are Varying on a tangent again, so I'm gonna take both of them in turn But if anyone has a last question on on the topic at hand, feel free to throw it in the Q&A The first one back to the work you're doing with HTTPS everywhere Which set of challenges are the worst technical political or social? I'm sorry. Can you say that question one more time? The question reads which set of challenges are the worst technical political social or whatever I believe the Challenges are intersection of socio-political. So Technology itself is not a solution in my opinion Techno solutions are not something I Advocate for when there's an existing societal problem when there's an existing political issue I would much rather address the political issue first much rather address the societal issue first before I start introducing technology Okay You brought up this is another one on the digital divide So this question of disparity of internet access and quality of internet between communities The questioner asks is the EFF doing any work to close this divide? Yes, so there's several initiatives. I do know We particularly work on broadband access and the definition of what broadband looks like with the FCC There's a recent post if you go on the deep links blog on EFF or you'll probably see that post in the most recent order Under a nestle Falcon he's the author and he does a lot of work around Trying to address the issue with broadband because the FCC actually has a very low bar of what they define as broadband I think I brought that up in one of my slides with that 25 megabits Versus down and Trying to raise that baseline to where it matches other countries with similar developments. So that's one piece. We do another Body of work around right to repair and I also think that has a lot to do with digital divide because if you're not able to go out And actually be able to fix your own devices and get the proper Management you need and maintenance and not have to go through one singular proprietary Entity just to get your laptop fix just to get your machine fixed in any sort of way I believe that closes the right to To the digital divide in some way being able to actually have that access to the parts You need in order to maintain machine and cut down on you waste and not have to buy an entirely new machine Just because your RAM is soldered in or your battery soldered in which that makes me very mad when I see Machines like that. So I Do think there's other pieces of work that you have does that helps to close the digital divide But those are the two things and the two most active parts of it I believe I've seen as of late that we do a lot of work around Absolutely, so the last question we have actually plays off of that. I think and The conversations we've been having which is can you summarize please Our fourth amendment rights as they relate to being asked for digital ID, right? So and for that matter having digital ID taken without our permission That is definitely something that I feel like one of our lawyers would have a better time my short question, right? Yeah So I feel like with the fourth amendment and being able to actually Summarize along with digital ID doesn't have a lot of legal premise yet But what I want to say around that is with your mobile phone in particular You do not have to go and give over your device to law enforcement without a warrant You do not have to talk to law enforcement My first rule is don't talk to law enforcement that remains silent Utilize that with the fourth amendment in particular You do not have to give over biometrics data. That's tied to the fourth amendment now with legal premise. So In particular of unlocking your phone with biometrics. Well, thank you again, Alexis great talk great Q&A and Unfortunately, we have to wrap it there, but we hope everyone will hang around for the next talk. Thank you