 Good morning everybody. It's a good Saturday morning, not Sunday morning, so I'm happy about that and happy that you guys dragged yourself over here from wherever you were last night, so for some of you may not realize it is the next morning. And I'm going to talk today about hardware hacking and the law. I'm Jennifer Granick. I'm the Civil Liberties Director at the Electronic Frontier Foundation, and my colleague Matt Zimmerman is here with me today and he's going to talk about these issues as well. So I'm just going to give a little bit of introduction. I think you guys all know what EFF is. I hope I see some people with our shirts on, thank you very much, and the kinds of work that we do at EFF, in this area having to do with computer security and coders and programmers and hackers, and then also all of our free speech and intellectual property work and privacy work that we do. So if you have interest in EFF and you don't know about us, you can visit our website. And what I'm going to talk about today, this morning, is hardware hacking and the special kind of legal regimes that relate to hardware hacking, and I'm going to talk specifically about the Digital Millennium Copyright Act, the rulemaking that happens under the Copyright Act, and how EFF won exemptions from enforcing that law against people who unlock or jailbreak their phones, people who make non-commercial videos, and then I'll talk about Professor Halderman's security exemption that he won for looking at video games, just because I think that that's something that this community of people might be interested in. So why have a talk that's particularly about hardware hacking as opposed to other kinds of hacking? Well, increasingly, devices have embedded software in them, so that now we have everything, not just smartphones but calculators, e-readers, and even cameras that have software in it, and the hacking that involves accessing embedded software raises special issues under the Digital Millennium Copyright Act, which is this crazy law that we'll discuss in detail. So there's these particular DMCA issues, but one of the basic things that relates to what your rights are with regards to hacking or reverse engineering embedded software are terms of service, and so I'm going to turn it over to Matt for a while to talk about terms of service and what the law is there and how it affects your rights with regards to manipulating pieces of software. Good morning, everyone. So to understand the lay of the land, to figure out your potential liability for hardware hacking and other related kind of hacking activities, we have to understand the role that the use of end user license agreements, private contract, terms of service play into the potential liability realm, and there have been a series of cases over the past few years that many of you have probably heard about to some extent or another that really does kind of inform how we're watching these issues go forward and kind of mapping what direction, what path it follows. The first is the Lori Drew case that, again, is probably the most high profile of these cases, and the case had to do with a woman who put together a fake MySpace page saying that she was a teenage boy who then entered into communications with the neighbor girl pretending to be someone who was interested in this girl and kind of strung her along for a very long time and then turned on her and said that she was an awful person and it's a really tragic story, the girl in this case ended up committing suicide, and the authorities were left with this kind of bad situation from their standpoint of not really having a legal regime, a law to apply to the situation, nothing really kind of fits well, so someone had the clever idea of using the Computer Fraud and Abuse Act, which limits your ability to gain unauthorized access to remote computing networks, and so the theory was that because the MySpace Terms of Service banned what this woman did, creating a fake profile, including fake information, including age information, that not only was that a violation of the Terms of Service, but that's actually a crime, and you can go to jail for that. A jury convicted her on this claim, clearly she was not a very sympathetic figure, at the end of the day the judge did what we think was the right thing and ended up overturning that conviction saying that no, this is not what the CFAA was created to do, it was about more hardware specific hacking crimes, not a way to turn this kind of private agreement between private individuals into a way to impose criminal liability, but that theory has kind of caught on and given others, especially in law enforcement, this bright idea that that's a way that we can get after people who are violating Terms of Service. Another case that we worked on, the second one up there, is the Calixte case, which had to do with a Boston College student who was accused of sending emails on the Boston College listserv outing his roommate, the students that had a falling out, apparently, and they suspected him of sending these emails. This isn't directly on point, but I thought I would mention at least a couple of the things that are in the statement are probable cause that you might find interesting, these are bits of information that given to the judge to let him, so that the judge could decide whether there was probable cause that he might have committed this so-called crime, a couple of things in there. Mr. Calixte was, quote, a computer science major who was considered a master of the trade among his peers, clearly, you know, notorious behavior, that Calixte had a reputation as a, quote, hacker, that it is, quote, not uncommon for Mr. Calixte to appear with unknown laptop computers, which he says that are given to him by Boston College field testing or that he is, quote, fixing, unquote, for other students, and that he, my favorite, that he uses two different operating systems to hide his illegal activities. One is the regular BC operating system and the other is a black screen with white font which he uses prompt commands on. So, you know, so clearly- For those of you who are in the probable cause talk yesterday, now you know. It's, you know, they had him dead to right, so, so they, it was the same theory, you know, similar one to the Lori Drew case, go through all of that information in the probable cause statement and the theory was, well, there's some, there's some terms of service that you must have violated. They didn't quite mention what it was and it could have been, say, the Yahoo terms of service that you, you know, can't use it for harassing purposes and what they actually, what the police actually said when they ended up briefing this was like, well, at the time we sought the warrant, it was pretty reasonable to think that there was a, a terms of service somewhere that would have, that would have borrowed this and it probably would have, you know, violated, violated that. We ended up taking that to the, the Massachusetts Supreme Court and they, and the court thankfully ruled, ruled in our favor so it was kind of scaling back that, you know, that attempt to, to use the terms of service as a, as a theory in that way. There are two more recent cases that have, have really given, given some momentum to this effort to, to discourage people from using this, using this theory. One is a US versus Lawson, which is a case that we filed an amicus brief in a few weeks ago, has to do with Ticketmaster and individuals using automated efforts to purchase tickets from Ticketmaster in violation of their terms of service. Again, the government's position is that while you're, you know, violating the terms of service, this is clearly not, it's clearly not a, a tort, it's not a private civil issue, it's actually a crime that you could, that you could do time for. And most recently the Facebook versus Power case, similar technology power developed a tool to aggregate, to allow people to aggregate information across social networking sites. Facebook didn't like that and tried to raise the same kind of computer fraud and abuse act theory. Just last week the court issued a ruling saying that no, that, that doesn't fly, that's not what the statute was, was intended for. This is not what unauthorized use meant under, under the statute. So, so it seems like the law is at least moving in a, in a good direction on this point, even though people continue to, to try to use this theory. There, there are one aspect of the, of both the Lawson and the Facebook cases that still raise some concerns and that's the, that ties into what I've been talking about already and that is to the extent that sites use technological protection measures like captures or doing IP blocking and the, and the, and when you route around those efforts to find, say, a way to automate a way around the captures or to change, you know, change your IP address when someone was clearly trying to block you specifically. How does that play into this, into this, this legal regime? And the court in the Facebook case left open the possibility that, that, you know, if you knew, if you circumvented an IP block that could actually mean that you've gained unauthorized access to the system whereas just the generalized terms of service violation may not, may not impose liability. Doing, doing something else above and beyond that may, may very well impose, impose liability and that, that issue is still, still live in the, in the Lawson case. So, so this all, to come full circle all becomes important. It's not just simply relevant for websites usage. It's, it, it implicates really what happens when someone slaps a terms of service on their product, not only their service but their product there, you know, they can, can someone add a, add a license agreement to their product saying that, you know, you're not allowed to, you know, do X, Y and Z and can, can you not only find yourself in trouble when, if they sue you but can you, can you also find yourself in jail? So, I'd be interested just generally in what people think about that circumvention issue because we've tried to, you can see what we said about it in the Facebook case and in the Lawson case where we discussed the questions of what kind of technological measures are when circumvented equal unauthorized access. And so, so these licensing issues really matter when you have hardware hacking because the software, the embedded software will come with some kind of license usually. And that license seeks to condition how much you can use the, and what you can do with the software. And those licenses are generally considered to be enforceable even when they have terms that prohibit reverse engineering and those sorts of things. And the licenses often will say that you're not the owner of the copy of the software, that the copy of the software is actually just lent to you and that the ownership rights remain with the, remain with the company and all of that implicates what your rights to do security testing or reverse engineering are under the copyright law. So I'm going to talk a bit about the copyright law about the DMCA and show you some of the problems with this law and then talk a bit about the rulemaking and how we got around some of these things. So there's, when we talk about the DM, when we lawyers talk about the DMCA usually we're talking about one of two provisions. There's the safe harbor provisions under section 512 and there's the anti-circumvention provisions under section 1201. And so I'm talking about the 1201 provisions which are the ones that I think are so fascinating. And when Congress went through and passed this law I think the idea behind it was that it was going to be a law that says that you cannot break technological locks that protect copyrighted works. And the idea was to first of all, first and foremost to prevent digital piracy of particularly DVDs and music and that sort of thing. But also there's this idea that it enables new business models because companies can control the way you get to the work. So even when it has nothing to do with infringement necessarily, if you could have protection, legal protection for things like for different technological protection measures, TPMs, you could have streaming or you could have leasing of music, digital music and that kind of thing. So the law is structured to have two basic prohibitions. One is a prohibition against the act of circumvention and the other is a prohibition against the distribution of tools which are used for circumvention. And these are all terms of art under the statute. But I think you get the basic idea is that a technological protection measure, TPM is something that controls access to the work. It doesn't control copying. We're not talking about something that prevents infringement. We're talking about something that controls the way you use or access the work. People at this point usually raise their hand and they ask me what's effectively mean in the terms of the statute. Effectively does not mean that it is in fact effective. It means in effect that's what it's trying to do. So obviously I mean I guess I kind of think that makes sense because if it were, if the TPM were so effective then probably it wouldn't be so darn easy to hack. So the tools provision basically says that you cannot traffic and distribute tools that are primarily designed, valuable or marketed for circumvention of a TPM that controls access to a copyrighted work. So acts and tools. What kind of things are TPMs? You guys can think of these whether it's DVD encryption, code signing, obfuscation, maybe protocol encryption. There's a bunch of things that could potentially be TPMs and then the question that courts look to when trying to decide if this is something that you are or are not allowed to circumvent is what effect does the TPM have? How does it govern the work? And the statute has a bunch of exceptions to it that are built into the statute. The three that I think are most relevant to what you guys do are the exception for reverse engineering, the exception for security testing, and the exception for encryption research. I don't want to talk too too much about the parameters of the exception, but I wanted to give you guys some examples just of what the language of the statute is so you can see why it is that we, I don't believe that the exceptions are enough, that they don't do enough to protect the kind of research that people need to do. And this is just, here's your example, this is the exception for reverse engineering. And reverse engineering exception is only interoperability and you can see all these conditions on it. You have to lawfully get the copy, the sole purpose can be to analyze the elements that are necessary to achieve interoperability and it cannot have previously been available to you and then there can be no infringement. So you can see in the way that Congress has chosen to draft these that while you generally are allowed to reverse engineer and reverse engineering is generally considered to be not a copyright infringement or justified under fair use or something like that. Here when you're reverse engineering also is a circumvention of a TPM, the right gets very narrow and small. You know, all these factors condition it. Security testing exemption is similarly cabin. It says that you can only do claim that exemption for a testing that goes to a computer or computer system and it has to be for good faith and the owner or operator of the computer has to, you know, has to be the one that authorizes it. So, you know, it's very much this narrow cabin thing that you have to, that also controls where you can or to whom you can give the information that you derive from the security testing. So basically just to kind of sum up this slide, I think if you look at this, I went through the factor or went through all of the exemptions that are listed under the statute and tried to pull out some things that I think are factors that feed into the question of whether one of these exemption applies just to give you sort of a sense of it. And I think that, you know, it gives me as somebody who represents researchers and reverse engineers a real pause about how you condition or plan your research ahead of time if you are a person who's doing research on TPMs to make sure that you would fit in under one of the exceptions. And I think the conclusion that researchers like Professor Halderman came to is that the exceptions that are granted under the statute are simply not broad enough to cover the types of things that people want to do when they're taking a look at various security issues. So you'll see when we talk about the, about Halderman's exemption request to the copyright office exactly that the copyright office agrees with him that these, that the security office's exemption is not broad enough but also disagreed that he gets an exemption anyway. So another, one thing that I'll also say is that as much as the, the exemptions might be so narrow for acts of circumvention, they're much more narrow even than that for tools. So if you are a person who is in the business of creating tools that circumvent TPMs, it's a good idea to talk to a lawyer ahead because it's very complicated and very narrow little path for, for when you're allowed to distribute tools. I'll just say one thing, tool, the tool provision is not about information, it's actually about tools but it can be components of tools and so it's sometimes unclear exactly how that, what that means for people who are trying to simply publish research papers but generally we like to think that the tools provision doesn't impact speech or publication that's just pure information but if you try to communicate your ideas as computer scientists so often do in code then we have problems. If you're interested just more generally in the DMCA, you can take a look at our webpage, we publish a, kind of a sum up every three years about, I think we do it every three years or maybe it's every two years about the unintended consequences of the DMCA and the types of cases that have been filed in the interim period of time attacking things that we think are legitimate, legitimate research or legitimate efforts. So Congress put in some safeguards in order because it recognized when it passed the DMCA that this was kind of new and people thought it would really screw up researchers and other sorts of legitimate free speech and fair use activities so they said okay you can have this rule making and this should be the fail safe, like the copyright office can recommend and the Librarian of Congress can issue rules that exempt certain things and basically you define a class of copyrighted works say what the technological protection measure is and if you can show that it fits these statutory factors including primarily that it doesn't enable any kind of infringement or anything like that then maybe we'll grant you an exemption for that class of works and it was in this rule making that we recently won the jail breaking and the unlocking exception and the one for a non-commercial the rule making is super complicated in terms of the way that the procedure goes and the burden on the proponent is really high and then when you win the rule making if you win the exemption goes to acts of circumvention it does not address tools so that's a very important thing for people to remember. The proponent has to show that for the class of works that you define the DMCA has had or is likely to have an adverse effect on non-infringing use of that class of works and I participated in this rule making back in 2006 and got an exemption for phone unlocking. This is the class of works that I defined this year as being the one I wanted the exemption for for phone unlocking so the idea here being that you have a handset it's locked to a certain network and you want to change it and some entities including particularly track phone had filed lawsuits against people who are unlockers claiming that the unlocking violated section 1201. So how did that how did it you know how did it violate 1201 the idea was that for specifically these lawsuits were about CDMA phones and specifically for these phones then when you altered or changed the lock and manipulated the values so that you could put your phone from Verizon to sprint or some other network whatever it was that you were running the underlying software that makes the phone operate and it's that underlying software which is the class of works and they so that you know that's that's what they argued now where's the infringement there right because this is the thing that I think is so interesting about hardware hacking that's different from a lot of the other copyright issues which is that there's you know there's very often going to be some kind of block or something that controls how you use the firmware but there's nothing here whatsoever that has to do with infringement we're not taking the software off the phone and distributing it on the internet or anything like that where's the where's the arguable infringement here and what the companies have said when they oppose our exemptions is that the infringement comes from your running the software in a way that we don't want you to run it entitled to do this under the licenses so I'll show you this a little bit more with the jail breaking but you can see so for the unlocking we had clients our clients were phone recyclers and we identified the copyright work as the software on the phone and we pointed to the track phone lawsuits and said look there's actual harm the DMCA is interfering here and this is non infringing activity so we wanted in 2006 I was really happy and surprised then and we wanted again this year in the 2009 rulemaking I know that's 2010 but the rules were supposed to come out in November and we've been waiting since November for it to happen so I'm pretty happy if the copyright office was going to be late that they issued the rules right before DEF CON because otherwise all these slides would just be like a big question mark like who knows what they're going to do and but look at how they changed my exemption from what I had in 2006 they really you know they I say they chopped the pinky off of it and they limited it not to all wireless handsets that you want to put on a different network but only to used ones and they put in this word solely that said the circumvention can be solely for the purpose of connecting to a different network and the operator of the network has to agree which I'm fine with that but the reason why I think they did this is because the exemption was opposed by CTIA and also by Virgin mobile because those companies Virgin and track phone they sell the handsets with a subsidy at a you know at a loss and then they try to make up the loss by having people go month to month you know get the month to month service and what people were doing is that they were going to these big box stores and buying the track phones and the Virgin mobile phones in bulk unlocking them and then reselling them for closer to their true value on the marketplace and just you know pocketing the subsidy and you know for obvious reasons Virgin and track phone didn't like this or feared with their business model which was basically the razor razor blade model and then when we you know litigated this and debated this in front of the copyright office the copyright office guys were like what do you have to say about that and I was like it's not a copyright problem you know I'm sorry you know it sounds bad but it's not a copyright problem this is their business model and you know they're going to have to figure it out maybe they have contract remedies you know they can make the big box stores only sell one or two to a person at a time or whatever and so what they clearly did this is to try to make sure that those bulk purchasers didn't enjoy the benefits of my exception so what can I say okay so jailbreakings this is the one I think a lot of people were really interested in and which really blew my mind when they actually granted it this is the class of works that we defined so I just do you guys see how like arcane and weird this whole rulemaking is I mean it's like this is a class of copyrighted works and we're sort of like the description has to be the description of a type of software so here's what we described it as it's programs that let you let you run software applications if the software applications are lawfully obtained so this is what we asked for and we tried to cabin it so that it was just going to be about interoperability because we wanted you know the copyright office to like it and accept it and what are the copyrighted works that we're talking about with the iPhone well there's the bootloader and then there's the iPhone operating system and the question I guess was that we had to show and this is one of these weird you know political things about doing the rulemaking is in order to win you have to show that the DMCA adversely impacts what you're doing which means you have to say that it's unlawful under the DMCA except you don't want to say that this thing that you think is important for people to be allowed to do is unlawful so you have to kind of say well it's arguably unlawful and so the DMCA poses this danger and then on the other side you have Apple coming in and Apple wants to say oh you know there don't worry about the DMCA here there's no harm or anything like that but they don't want to say it's lawful so they're in the same kind of catch 22 just a little dance where you know everybody's kind of like suggesting that they believe the opposite of what they wish were true and so you know basically you know Apple came in to the hearing and said you know we don't think that this exemption should be granted we have engineered the iPhone very much so that we control access to both the bootloader and the operating system and they gave evidence in the hearing about the chain of trust and how you know basically when you boot up your iPhone there's a cryptographic check on each level of the software to make sure that it is something that is approved by by Apple and starting you know from the bootloader and then validating the operating system which validates the applications and that this chain of trust is their technological protection measure and so you know we said yes okay so now we have to show that there's something out there that is going to that you know that circumvents this and that this circumvention is legitimate and is in danger so we looked at and presented evidence about one of the jailbreak tools that's out there and how it works to circumvent the chain of trust or to basically circumvent the technological protection measure that Apple put on the put on the phone so this is basically how one of the jailbreaking tools work and you can see that this is like it's very interesting it's a you know it's a circumvention so the question then at that point in the rulemaking for Apple was well they have to show that we don't fit in under the statutory allowances for issuing exemptions because somehow or another we're violating copyright law and the factors aren't met and this gets to the point that Matt was trying to make about terms of service and eulas and licenses one of the things that they said is well when you modify the copy of the bootloader that's sitting there on your phone you have created a derivative work and that is infringing so that's thing number one that they said thing number two is that when you have the operating system or software on your phone we issue it to you under a license you are not necessarily the owner of that piece of software you're a licensee and so owners of software have certain rights under section 117 of the copyright act to do adaptations to enable them to enable you to make your software interoperable with other pieces of software if you're not an owner you don't get the section 117 rights so they said well there's no rights of adaptation here that apply and so when you do adaptations it's infringement they also said that the infringement from other people not just the people who are the owners of the iPhones who wanted to jailbreak them that the people who developed the tools were infringing Apple software and Apple's copyrights and that people who made independent applications might also be infringing as well or at least in violation of their software agreements whether it be the SDK license or the SDK agreement or other pieces of software license so we had big argument about this in the before the copyright office and it was really interesting how the copyright office decided to deal with these very difficult copyright issues and basically what the copyright office said was we've looked at all the case laws surrounding when you're a licensee and when you're an owner of a piece of software and we've looked at the cases about when the section 117 adaptation rights applies and when it does it and what we've decided is that the cases are unclear we don't know yes we're the copyright office but we don't know what the issue is here so instead of resolving that problem we're going to say that either it's we're going to say that we think that to the extent that in some cases the 117 are fair use right applies or it's not infringing we think that this is going to be okay and they just sort of like moved beyond that issue. So I just thought it was really interesting that they recognized and sort of acknowledged the fact that the cases that we have to grapple with every day in order to help determine what people's adaptation and fair use rights are are just like all over the map nobody really knows what the answer is there and that they nonetheless said this isn't going to be infringing because you're just running your own applications on the phone and so they issued the rule and here's the language that they chose to use. This I think was just so unexpected and great for people who have iPhones and who want to jailbreak them and run their own applications I think it's what we believe at EFF is you bought it, you own it, it's your phone you can do what you want with it but the other thing that I think is so great about this is how this promotes innovation in that market for applications so there's lots of independent apps stores out there now that are starting up and I also think that what we've seen in the iPhone smart phone platform is that really interesting applications get their foot hold in the marketplace having been on the jailbroken platform like whether it's tethering or VoIP or something like that and then once they are adopted by people and there's like a real market for it there's pressure for it to be adopted by the app store for the rest of us who haven't jailbroken our phones so I think this is really a great thing not just for the kind of it's mine and I can hack it if I want to but also for the marketplace for apps for those of us who are like me who haven't jailbroken their phone and don't know how but want there to be a real wide variety of applications out there I mostly think of tethering and VoIP and not the fart ones but whatever you like it's fine because that's what capitalism is all about I want to mention the other EFF exemption that we won this I think is mind blowing really because whoever thought they'd do anything good for people who want to make fair use of DVDs we asked for an exemption for non-commercial videos basically like mashup videos that people create from ripping DVDs and then put up on YouTube or other distribution sites there were film professors who had basically blazed the way for this so Pete Descherdes a film professor in 2006 had asked for an exemption to allow professors to circumvent CSS on DVDs so they could take clips of DVDs and show them in their film class and he presented evidence to the copyright office in 2006 that the alternative there was let's say you were having a class about oh I don't know surveillance in the movies instead of being able to rip the DVD and take little chunks of the films to show them to people you would have to have like an array of DVD players all queued up and everything to play one for each movie that you wanted to play the clip on in order for your class to go smoothly at all and the copyright office was like yeah actually that does sound kind of bad so that was sort of like a an in really for them to understand that there are lots of fair use reasons not just for film professors and for criticism and commentary and all of that stuff but a lot of fair use reasons documentary filmmaking and non-commercial mashup type of videos why we should be able to circumvent CSS so they issued this rule I almost fell on the floor but it's awesome so you know for those of you whether you're somebody who makes these or somebody who somebody who watches them it's awesome I want to talk a little bit about Alex Halderman's exemption that he asked for with the assistance of the clinic at the University of Colorado and Paul Ohm's students there Alex had asked for you know he has done a lot of research on TPMs that are on CDs and that sort of thing he was the one who found the Sony root kit and he had done research on other TPMs as well and asked that security researchers like himself be allowed to circumvent these measures in order to find out what whether these access control measures compromise the security of computers more generally and also to figure out whether there was in fact one of these types of backdoor TPMs on any particular sort of media and this is basically the language that he had asked for the works he asked for were video games and then also more general literary works like sound and AV recordings and he said look you know we actually can't do the research that we want to do because of this one of the things that the other side said was well hey you have a security testing exemption so what's the problem there's a congress has already given you an exemption for security testing so if you recollect back when I was talking about the security exemption that is only for computers testing on computers and this isn't testing on computers this is testing on DVDs and CD ROMs and those sorts of things so it doesn't apply this is just the security testing exemptions too narrow and then of course the argument there as well that's what congress wanted it didn't want anything broader so don't give them the exemption and you know the battle goes on what the copyright office eventually recommended was that the exemption be granted for looking at TPMs control video games but not for the broader class of AV and musical works and they rejected the full exemption because they said that Halderman had not made a factual record that there was going to be real harm in the next you know three years so this is another weird thing about the rulemaking is you've got to show that there's likely to be harm in the next three years which is like what's going to happen you know based on just what happened before and he in the evidence that he presented that they were able to present looked to secure ROM few things that were out there but those were about video games and not about this broader work so they said well you haven't shown it I bring this up I guess I just want to point out like a lot of people ask me when we talk about the jailbreaking exemption does this mean I can also jailbreak my iPad and the answer to that is no because iPad didn't exist when we asked for the exemption so we didn't frame the class of works as being those that cover the iPad we didn't know and it's the same thing sort of here you've got to look at what happened in the three years prior and then project what might happen in the next three years and you just don't know and if you try to be more broad and expansive about what might happen then the copyright office rejects your exemption because you didn't have factual evidence in the record this is the the text of the exemption that that the copyright office did issue for video games so you can see the same kind of very broad and narrow stuff that we talked about before it's got to be used that primarily is better than the solely in my exemption but you can see that try to narrow it and keep it small okay I'm going to take a few questions here and then I know there may be more questions and we'll be in room 111 across the way but if people have questions I'll repeat them yeah right over here what's good faith testing when it comes to security if I ask me that question I'm not admitting he doesn't know he wants to know what other people think it's a great question this idea that somehow some people have good faith and some people don't have good faith and what do you look to is it like people who have PhDs or somehow in good faith but people who are independent or self-taught somehow or not like what is the what is the atmospherics that go to good faith and this is one of the things that is interesting as a you know not as a theoretical lawyer but as an advocate in this field is all the stuff around it that helps you try to convince you know a court or somebody that something's good faith so I mean I guess that's a long way of saying I don't know five minutes does full disclosure mean you're not good faith you know the disclosure comes if you look at the exemptions the exemptions some of the exemptions are conditioned or exceptions are conditioned on you're using the information solely to help the owner so if you make full disclosure to help the owner then that could be under the statute something that removes from you the ability to claim the exemption not in every case because each exemption is different but you know that it's an issue there I don't think congress meant to be taking a position in the full disclosure versus limited disclosure debate but it's a factor it's definitely a factor and for those of you if anybody's in the audience who's ever come to talk to me about disclosure issues you know what I always say which is that the disclosure is legitimate but the way you do it is going to condition what's going to happen just because it's how people feel about you and that those sort of atmospherics when you're operating in a legal regime that's kind of fuzzy really matter yes here on the aisle what's used when you talk about used handset do I answer to this question is the same as my answer to the last question I don't know I guess I know what's definitely used I think that they just put it in there and figured let track phone and virgin mobile litigate it yes over there so if you put tethering software or some other unapproved app on your phone can they turn off your network access and the answer to that's yes conditioned just on whatever your service contract is because the contract probably lets them do whatever they want and then you have a cause against them for contract violation or something like that they preserve for themselves as network operators all of those rights but you know there's some difference of interest between AT&T and Apple here and I haven't heard of them doing that what I have heard more of what we hear is that Apple will issue a software update that breaks the jailbreak or you know as everybody's always afraid will brick the phone so that's the thing that we really worry about and then there's all sorts of warranty issues where they could incur liability for intentionally doing something like that okay I'm going to look over here on this side of the room any questions yes this gentleman here in the front you're talking about when you do full disclosure somehow issuing it with a click wrap license that says I promise not to sue I waive my right to sue or something like that oh I see to condition the release of the information through a toss on saying that you're not going to use it for bad purposes but for good and then the security researcher can say look I didn't you know distribute it in a bad way because I had this toss on it do you have a thought about that it's true you know if you do that and let me know so we can see if it works or not I don't think it can hurt I mean I don't know I'd have to think about that usually what I say with stuff like this is I say you know we can try to be crafty but it doesn't always work as well as we would like so I'm going to take this person here and then I'll come to you and say yeah can you say again yeah if you're just deleting programs you don't want are you saying you have to circumvent some technological measure to delete the software off the phone huh I got to think about that I mean this exemption certainly isn't about that particular thing see this is really good because you know the rulemaking is actually going to start up again in like about a year and a half or so and we're going to ask for more so you know if you can email me about this I'd be very interested in thinking about it and also thinking about where we want to ask for an exemption for it yeah thanks this gentleman over here yeah his question was about EFF's work on terms of service and other kind of adhesion contracts and limiting you know what's allowed in there do you want to take that Matt okay so we have a lot of stuff we do on this involving trying to say that you cannot waive reverse engineering rights or other kinds of fair use rights through these click through agreements we have our work we do on the computer crime area that Matt talked about involving and saying that terms of service can't be enforced as a matter of criminal law and we have a bunch of like sort of young continuity type work we do on other terms of service issues so the thing with terms of service is a question of is it a contract and that's like the first thing is about formation and then the second part is about substance the second attack is on substance and is the substance of the contract unconscionable or otherwise we have a lot of stuff on that because exactly the reason you say these are contracts of adhesion so that's all the questions that we can take here we're going to be in room 111 and I want to thank you all for coming at this ungodly early hour and talking about this interesting topic alright also if you are leaving and you do not have to please go out the back door not out the side doors it's incredibly crowded out there for the ATM talk and if you expected to get in there don't bother