Ask the EFF

my name is Marcia Hoffman I am a senior staff attorney at the Electronic Frontier Foundation how many of you have heard of us how many of you are members Oh nice to see you guys for those who may not be aware which are not many of you the Electronic Frontier Foundation is a non-profit here in San Francisco and we work to protect civil liberties in the digital age that's our that's our mission we have a panel here today full of AFF people and also a couple in the front row this panel is really not so much about us you know yakking at you but about you asking us questions and us answering your questions about our work

and so without further ado we're going to each very very very briefly introduce ourselves so you have a sense of who we are and the sorts of questions we can answer as I said my name is Marcia I am a member of our legal team and I work pretty broadly on civil liberties issues I do privacy free speech security related things these days I focus a lot on our coders Rights Project which works to ensure that security researchers can do the cool stuff that they do without legal danger hi I'm Jennifer Lynch and I am another attorney at EF F and I also work on privacy and civil liberties but I focus on Freedom of Information Act

litigation so I file requests with the federal government and sometimes state and local governments for information on what the government is doing and mostly that relates to surveillance and privacy we have a bunch of really interesting player requests out and we've gotten some good information on how the government uses social networking sites we have a FOIA request right now on drone authorizations and we have a lot of other great stuff so if you have any questions on that or ideas for interesting for requests we'd love to hear it everybody I'm handy for Corey I'm a staff attorney with EF F my background is mostly in criminal law and that's what I primarily do with EF f

I also do some privacy stuff too regarding Ekpo stored Communications Act and but mostly criminal all hi guys I'm Marc Jacobs I'm the legal intake coordinator and I'm usually the first point of contact and vet cases bring them to the lawyers and do a little bit of research and writing as well I'm Dan Auerbach I am a staff technologist I work on our various tech projects who here uses HTTPS Everywhere the Firefox extension Oh awesome a lot of people so there's a big release happening very soon so look out for that and I pretty much work on on that and the the observatory which is a piece that's being added to HTTPS Everywhere and also

a standalone project as well my name is Trevor Tim I'm an activist to DFF I do a lot of work on free speech in government transparency issues so the fast past few months we've been doing I've been doing a lot of work on SOPA and then WikiLeaks is also another thing I write about a lot and right now I'm doing a series of articles on mass surveillance and Western tech companies that sell this technology to authoritarian governments and governments in the Middle East and North Africa we also have in the front row two of our our staff activists Parker Higgens and Eva galperin and they may jump down if some questions come up that are particularly well-suited for

those guys to answer so now we're going to throw it up into you for questions a couple of quick ground rules first of all if you ask us about our you know our cases and specific things going on with our cases we may have to be a little bit careful with the answers to protect attorney-client privilege and so bear with us if that happens the other thing is if you have a specific legal inquiry about your own situation don't bring it up here in this open forum but rather come chat with us later so that we can keep that confidential and with that who asked questions one up there hi sure so the question that was asked is whether we can talk

about the two recent cases in which courts have addressed the question of whether people have a Fifth Amendment right not to turn over decrypted information that they have encrypted on their laptops how many of you have heard about these cases okay I'm not going to I'm not going to be too long about this but I will talk about it a little bit to kind of give you a sense of what's going on so a little bit of background the Fifth Amendment to the United States Constitution says among other things that you have a right not to be compelled to be a witness against yourself does anybody have a sense where this right comes from why do we have this

right

right and I also heard somebody say torture and that's that's very much the historical root of this right you know the idea is that the government can't make you can't coerce you to be a witness against yourself they have a job if they're going to prosecute you to collect information and gather evidence themselves and they can't force you to participate in in prosecuting yourself yeah they're not allowed to do that and so the way that the courts have looked at this over time is they say you have a right not to be compelled by the government to give testimonial evidence that is incriminating against yourself now if something is incriminating what that means is it can be used to

prosecute you okay and when I say testimonial evidence I mean stuff that would reveal the contents of your mind and that is very important that is the key to this so the way that this has developed if you have a physical thing in your possession the government can get a you know they can have the government can have the authority to take that physical thing from you but the Fifth Amendment very particularly protects you know what's going on in your mind and the Supreme Court has held that an act of producing something can have testimonial aspects so even though you're turning over a physical thing or you know a tangible thing perhaps it still reveals something

about what's in your mind and that that is really you know the deal here that we're talking about like telling them where the body is well you know here's one way to think about it that involves something very very tangible right let's say that the government suspects that you shot somebody and they say you know on the one hand they say give us the gun with the serial number bla bla bla bla now if you have that gun you may you may have to turn it over because you know basically you're just admitting that you have this particular gun in your possession but if they say give us the gun that you use to shoot that guy then when you're turning

over that gun you're basically admitting that you use this gun to shoot that guy and that is something that that reveals something about your knowledge right so I think that that's a really good way to think about it because this whole fifth amendment stuff can get really kind of tricky and muddled so okay the two cases first of all there is a case in Colorado going on right now federal district court in Colorado there there was a woman she and her ex-husband have been prosecuted on charges related to mortgage fraud and when when investigators were looking into this and gathering evidence about it they obtained a search warrant a couple search warrants actually two to seize

computers from this woman's home and he sees several laptops including one that turned out to have an encrypted hard drive she and her ex-husband were eventually indicted now here's an important fact about this case after the search warrant was executed this woman had a phone conversation with her now ex-husband he was in prison at the time and the phone conversation was recorded because he was in prison and in the context of that conversation she made mention to him about this encrypted laptop that had been seized from the home and she insinuated in the conversation that there was some stuff on it that investigators might be interested to know but she wasn't intending to turn over the password so that they could get

it they weren't able to break the encryption on the laptop and so eventually they asked a judge to force her to either type the password into a type of password and an encryption password into the laptop to decrypt the information or to turn over a decrypted version of that information she challenged that raised her Fifth Amendment right against self-incrimination claiming that if she had to do either of those things that they let you know that that would infringe her constitutional rights we filed an amicus brief in that case supporting her what the judge ultimately found was that because she had admitted in this phone conversation basically that there was information on that laptop that investigators might like to

see she really you know turning over a decrypted version of that data wasn't going to tell investigators anything more than they already knew which meant that she really wasn't revealing the contents of her mind so much is just turning over evidence that they otherwise would be able to get that is known as the foregone conclusion doctrine and what the courts have said about that is you know basically if you're just turning over something that they already know is there it doesn't really reveal anything about the contents of your mind and your Fifth Amendment rights aren't aren't infringed in that way so that's what happened in that case it has a lot to do with the

fact that she had this conversation with her former husband well so here's here's the thing right you know according to news reports her lawyer says it's possible she may have forgotten the password a judge has ordered her to you know basically produce the data we'll see what happens i I can't answer that I don't know hold on one second let me let me just continue please I just kind of want to get through this because I don't want to like just monopolize this with with discussion about these two cases so the second case you may have heard of totally different case I know a lot of people are thinking this is the same case but it just so happens these two

cases have come up at a very similar time in the second case there are a lot of facts we don't know what we do know is that investigators were investigating a man on suspicion of child porn related charges they asked a grand jury to force him to decrypt information on several devices they had seized from his home apparently a couple of laptops and some external drives he did not have a lawyer and yet he raised his Fifth Amendment privilege against self-incrimination and a judge didn't buy it and held him in contempt and sent him to jail the Eleventh Circuit Court of Appeals which is one of the most conservative courts in the entire country just last week

issued an opinion saying that he had a valid 5th Amendment right against self-incrimination and that that rate had been violated now in that case apparently investigators had no idea what was on these drives they just assumed that probably there was evidence of a crime on there and that is that I think the thing that makes this so different from the case in Colorado the free Kozue case because they just basically were speculating that there was incriminating information they couldn't identify with any certainty or particularity that any even existed and the judge said in that circumstance the man's Fifth Amendment rights were violated and so those are those two cases it kind of remains I mean they're

still very much playing out and as you might imagine this is a very lively GLE issue so if you're interested in this issue stay tuned and keep reading about them because I'm sure they're gonna be further developments and you know that's where it stands right now yes yes so in the Colorado case and actually also in the other case the the two witnesses were offered immunity and here's how immunity plays into this if you have a valid Fifth Amendment right against self-incrimination the government can offer you immunity and basically say if you do what we're asking you to do we won't use this evidence against you in a subsequent prosecution now if they do that the information is no longer

incriminating right because it can't be used against you and that basically cancels out your Fifth Amendment right against self-incrimination now in both of these cases the government said they offered a limited immunity and they said we won't use the act of your production against you so the fact that you know you are turning over this data is not going to be used to authenticate it or establish that you had control over this we would have to to prove that through purely independent means the court in the Eleventh Circuit actually addressed this very they said that that that much immunity is not enough to cancel out your fifth Amendment right against self-incrimination it would have to be

it would have to be more extensive than merely immunity for the act of production it would have to extend to anything that they learn as a result of the act of production and so they felt that the immunity in that case wasn't sufficient in the free Kozue case the immunity thing was never really discussed very fully because the court held bit she never really had a valid Fifth Amendment rights to begin with because of the for con conclusion doctrine now while the government you know offered her act of production immunity and the court apparently held that she didn't need it you know in order to you know in order for the government's of course her to turn it

over weirdly the court did say that the government had to observe that so that's kind of a weird and interesting little twist yes the woman in the back

well so so yeah so the question is isn't the password itself incriminating so what the court ultimately ordered her to do was turn over a well okay so yes I mean that the disclosure of the password itself the act of producing the password I I would say as an incriminating act and I think that you know probably the Colorado Court would agree with that although it didn't directly hold that but you know what it said was that in that particular circumstance since the government had a good enough idea about what they were going to find on the laptop you know basically the act of turning over the password you know wasn't really something that implicated

or Fourth Amendment rights because they already had a good sense of what was gonna be turned up so wait does anybody have any questions that don't involve these cases okay great you in the front row well so if you're an attorney you can file well if you're anybody you can file a lawsuit against the government and so that gives you some recourse one of the nice things about filing a lawsuit against the federal government is that then you get the Department of Justice attorneys involved and sometimes they are better at dealing with truculent agencies than just a FOIA requester so so that's one thing that helps if you're an attorney who files in a case like we are a tff we

can get attorneys fees if we substantially prevail on lawsuits and that's true under California Public Records Act law as well if you are filing a lawsuit pro se you're not an attorney so you can't get attorneys fees and I would think that that's probably true under California law as well but I don't know the answer that for sure

it's a really good question and a tff we've taken the position that that is violation of the Freedom of Information Act under the Freedom of Information Act there's specific time periods by which the agency needs to respond to you and so we if an agency takes too long to respond we will file a lawsuit in that situation if it's something that we consider to be an important issue so for example one of our outstanding lawsuits right now is a lawsuit against the Federal Aviation Administration for information on all of the certificates of authorization they've issued to fly drones or unmanned aircraft in the United States we filed our FOIA requests back in April the agency failed to

respond and so we filed a lawsuit at the beginning of January now there has been a case pretty recently in in one of the DC courts where a nonprofit hat was in discussion with an agency over getting some records the agency said we will probably be able to get them to you by X date and the date was not that far off maybe a month after that discussion the nonprofit didn't want to wait and filed a lawsuit and the court said that the nonprofit was required to wait that that they hadn't exhausted their administrative remedies that case I think the court was wrong in its reasoning and it's not something that we've ever tested because in the cases

we've filed you know we haven't been in conversation with the agency over production schedules so I think that might be a distinguishing fact in that case yes

wants to take that Evo do you wanna yes we have a whole international team unfortunately they're not represented here even does a lot of activism internationally but she has a problem right now so can't talk but so we have a director of international freedom of expression we have a couple lawyers who work with international issues a lot of intellectual property so recently we've been doing work trying to stop ACTA and its counterpart TPP it's called trans-pacific partnership and Gillian York who's our director of freedom of expression often travels around the world trying to promote freedom of expression in countries that don't have as robust protections as us but as far as did you have specific questions about

specific countries or yeah a little bit but we kind of have I would say the ik multi-pronged approach I mean we have one person working on policy at the OSC oacd EU levels might grant little bit so we have one person working on policy a lot a lot of it focus on the EU is more so like data retention this individuals katissa Rodriguez it's a it's data retention especially the EDPs the European data protection supervisor they are issuing these new legislation new rules so they're like one of these rights that is getting written a decent amount of the u.s. press is the right to be forgotten and so they're starting to push these types of rules and that's

gonna be you know a lot of work in the data retention sphere and privacy sphere at the EU level we also have another individual working on copyright issues and that as Trevor says more so TPP Act pretty much you know a lot of the international copyright treaties that are happening and have already happened and been signed like act in certain places and then we also have you know a nation activism team who achieve is is a part of shelter I some domestic things pretty multi-use tool like a Leatherman you know and so we have an individual writing at the act of this level about pretty much we do a weekly series on you know this week in the international

level where we kind of collate all the big stories that have been happening and yeah I think those are like the three type of prongs where we are in that at the international level for those who didn't hear either said the one thing we don't do is file lawsuits on the international level yeah our legal team you know our expertise and our licensing is all in the United States and so we don't do international litigation

yeah sure so there's a there are about two or three dozen companies in the EU in the u.s. that have been selling this mass surveillance technology which basically allows governments to read every email in the country listen every telephone call read every text but not only that but they can change emails from on roots of the recipient they can turn on webcams and your laptop they can turn on microphones on your phone they can turn your phone into a basically a tracking device where even if it's off they can figure out how to turn it on the track you and so this industry has been growing for the last three years right now it's estimated at five billion

dollars a year and it's growing by twenty percent and so they have these what they're called wiretap wiretap errs balls where three or four times a year they go around the country and all of these countries and all of these companies come together and authoritarian countries like you know Yemen Bahrain Saudi Arabia before the revolutions to Tunisia and Egypt were two the main examples and they buy this technology and install it in their countries with the help of these companies and a lot of times they say they're using it to track terrorists but what they end up doing is tracking democratic activists human rights advocates and journalists and so over the last few months as these countries

have fallen Tunisia Egypt and Libya every time reporters have gone into the countries afterwards and gone into these internet monitoring senators centers and found hundreds of files of all of these dissidents that did nothing wrong besides start protesting and so a lot of times there is evidence especially in Bahrain most recently where there are dozens of people who have been rounded up and tortured and while they're being tortured they're being read back transcripts of their text messages and phone calls so the problem with this industry is it's completely unregulated number one and number two it's very hard to regulate because a lot of it is dual use technologies so when you write a definition legal definition for this type of

equipment you end up capturing a lot of communications tools that activists use so in a lot of situations we end up writing regulations that are so broad that it ends up doing more harm than good like for example in Syria there's sanctions in Syria in the u.s. right now written by two different agencies and what they end up doing is cutting off some technology that the governments use but it also cuts off like Google Chrome and Google Earth so the activists can't use these basic tools that they may need to communicate or get around so it can cause a lot of problems so what we're trying to do is figure out a way to stop

these companies from getting this technology but also protect activists and make sure that things don't get worse and so it's kind of a very hard needle to thread and so what we've come up with is we want these companies to adopt their own human rights policies where they have to go in and investigate their customer beforehand because right now a lot of what's a lot of times what's happening is they're selling to one person and then this other person then sells to the government so the companies could hold their hands and say oh we didn't know you know we were selling this horrible technology to people who are mass murderers essentially so we're trying to institute

a policy where these companies have to investigate their customers they have to investigate echnology does and they have to investigate the government's where it's ultimately will end up and this is kind of a procedure that is already used in US law in a bunch of other situations so it won't be that hard to implement and these companies already have to follow it in a lot of other cases so hopefully that will both solve the problem of tool use and this end user problem where they can just kind of claim plausible deniability

why does the e FF hate Bitcoin so you know I can talk about it a little bit I I don't think I would say that we hate Bitcoin we made a decision not to accept Bitcoin our legal director laid that out in a blog post I think pretty pretty fully and you know for those who want to you know really dig into our position on it I would encourage you to look at that because she's representing the organization's perspective on it there but you know I think a big part of it for us is that there are a lot of laws that come into play for for a new currency like that that are very

complicated and it's not clear yet how those regulations apply and you know we didn't want to put ourselves in a position where we were risking legal liability ourselves for accepting it you know we we take the position that we like to be defending people who are taking risks that put them on the on the front lines of how technology and and the law come together we don't want to be the one being sued or prosecuted and so you know I think that that was really the root of it but we don't hate Bitcoin

well you know what if somebody were prosecuted for using or accepting Bitcoin or if somebody ran into legal trouble that's something we'd be very interested in I I don't think that there's any question about that it's you know it's hard to say before a case actually develops whether it's a case that you know we absolutely would do but it's the sort of thing that we are certainly interested in we just don't want to be that guy to say that you know our legal director has a you know a good kind of comment is that we we would rather have our resources and time spent you know you're helping to defend the people you know as Mark said on the

front line then using our resources to defend ourselves you know and so I think that really as Marsha said that really comes to play because the more we have to defend ourselves in in a legal quagmire or with legal issues the less time we have to defend you know you guys and all this time we have to apply our resources outside of kind of defending our existence right so that's you know that's also a very big part

shall I take this anybody else I'll take this one I have a comment about you after you're done do you want to go first you go first okay so you asked about the consumer Bill of Rights that the Obama administration recently introduced just this past week for those for those who missed this last week the Obama administration released a framework for protecting consumer privacy in the digital age and basically the the administration laid out a bill of rights a user Bill of Rights and said you know these are rights that consumers should be able to expect when they're using technologies and companies ought to respect that and the administration said that it's going to try to work with

Congress to make this bill of rights legislation and to create a situation where if companies agree to observe this consumer Bill of Rights then the FTC can enforce any any you know deceptive representations or you know refusal to you know thereafter observe the Bill of Rights and we think that this is a very interesting development I I think that at the end of the day we'll see how this works because you know companies if they're going to actually ensure that that consumers can interact with their technologies in a way that that is respectful of these rights it's going to require you know a commitment from industry to actually bring that to fruition and we'll see how

that how that works out you know I think that when the rubber really meets the road we'll see how effective this is and you know I think it also remains to be seen whether the administration really can work with Congress to make this a law but it's certainly a promising development now you asked about how the consumer bill of rights stacks up to the e use framework for Fair Information principles basically so there are a series of principles that have been out there for a long time that that people tend to talk about over and over again when they talk about privacy and it's basically like if anything if any law or if any technology

is really gonna be respective of privacy it has to observe these basic principles and these principles have been articulated by different people in different ways but you know they tend to boil down to things like you know consumers have a right to know what's being collected about them consumers have a right to make informed choices about that consumers have a right to you know give permission for information to be collected consumers have a right to have the information be maintained in a secure way and depending on who's articulating these these principles you know sometimes they're a little more detailed and set out and sometimes they they are a little you know kind of spare and scaled back and the OECD's

representation of these principles the OECD guidelines is I think commonly considered the most kind of you know the most fully articulated and protective set of these principles and you know I have not sat down with the consumer Bill of Rights and the OECD OECD guidelines and compared them side by side but I do have to say that I actually think the administration's articulation is a pretty good one as they go it guarantees I think a relatively full set of consumer expectations that is in the spirit of the OECD guidelines and there there may be a couple points that have been missed like I said I haven't really gone down and compared them side by side

but it's clear from the paper that the administration released that you know they're intending to you know really make this a global international push in in order to do that I think that the principles underlying this probably are going to have to be more aligned with the OECD guidelines because you know European regulators are going to expect a pretty high level of privacy protection if this is going to be a way forward that complies with their laws oh and just one more thing you might not sure if you were talking about the OECD guidelines or the privacy buildings before the eu-parliament right now that's what I was going to talk about just briefly they have this this section called the

right to be forgotten which actually in my opinion at least may go too far in one direction towards privacy and may end up infringing on free speech but what the right to be forgotten it basically is is say you are on a social network and you want to get off it you want to delete your profile and you want to leave your information so nobody can ever see it again you contact the company and they have to delete their your information from their servers too so they have nothing but the problem with this provision is that it also says that anybody who has copied that information off of Facebook or whatever it is to another website also has to

remove it and it makes Facebook liable for that so if so taking an extreme situation if there is a newspaper article where they quote somebody off of Twitter and then that account decides well I won't be forgotten and goes through the steps Twitter would be liable for this newspaper article quoting this person and they would have to get the newspaper to remove it but you I mean you can see like there's endless situations where it could be pictures it could be anything where they're copied onto another website or somebody else's somebody else's Network and it would bring up a myriad of free speech problems we wouldn't have probably wouldn't have this problem in the US because of our other laws like

the First Amendment and CDA 230 and whatnot but in Europe it could become a nightmare for these companies and on the top of that the penalties for social networks if they don't comply with this law are so astronomical it could end up really damaging their business - one last thing I just wanted to add is a concrete thing that we're excited about with respect to the consumer Bill of Rights is do-not-track a lot of the industry leaders have signaled that they're going to sign to that and we're still we've yet to see quite how it's gonna play out but that's really exciting for us for those of you who know do not track is

yeah that's a great question so that one of the company's called Narus was involved with AT&T and our warrantless wiretapping case they were the ones that set up the spy room for the NSA to go through all our emails and this is obviously a problem here too but in these other countries you're you have and you know I'm not excusing the u.s. at all and we actually are involved in lawsuits with the NSA over that but in these other countries right now it's becoming a life-and-death situation where a great example is the journalist the American journalist Marie Colvin who worked for The Sunday Times of London who just died last week in Syria she'd given an interview to CNN Anderson

Cooper last Monday where she was talking about how in the city of Homs Syria there was no military targets and that the Syrian regime was lying and they were just bombarding civilians they ended up probably tracking her location by using her satellite phone signal and purposely killing her and her photographer with her and we've seen evidence of this all over the place Libya is a great example where they were systematically going after journalists for al jazeera local journalists democracy rights advocates and this was all in the process of them saying that they were just going after terrorists and we you know there's evidence of these people getting rounded up and routinely tortured so and in a lot of

these countries the laws are more opaque than they are here to put it nicely these companies are selling to these governments knowing that they don't have laws or if they do that they routinely violate them and they can see this this evidence in public places so you know I'm not excusing the US government's approach to warrantless surveillance but in these other countries we can see it's just becoming a problem where thousands of people's of lives are at risk

there there is for a couple countries Syria was is one and like I was saying before they the definitions they use for the technology can be so broad also like in the United States the way it works is Treasury and commerce make these export restrictions and they do it separately so in Syria they write these broad regulations and then if you want to export communications tools like web browsers or email servers you have to apply for these exemptions and it takes a long time and there are two separate agencies doing it so it's very confusing for companies when one agency grants it and the other one still hasn't so a lot of times they they they just you know

try to stay safe and don't end up exporting this technology on the other hand you have these companies that are kind of skirting these export regulations like blue code blue code systems from a couple months ago it was found to have censoring and surveillance technology working in Syria while these export regulations were going on the same thing goes with an Italian company called area spa who all through last year was building this giant monitoring center in Syria as the government was escalating violence and as it was killing hundreds of people it wasn't until bloomberg reported on this company back in October that anybody knew about it and by then there already been 3,000 deaths fortunately

because of the report protests from outside their Italian offices and they ended up canceling the contract before they were completing this this huge project but it just shows the danger of writing broad regulations on one hand because it could hurt activists and because they might end up be able being able to circumvent them anyways yeah sure the answer is getting a little long so I wasn't sure if I should go into it but yeah do-not-track is a basically it's a header that is sent by a web browser that says hey don't track me and it's there there's a working group now in the IETF to sort of figure this out what exactly this means e FF is among the part the stakeholders

along with major browsers if you use Firefox Firefox already supports to not track and the the recent announcement that I was alluding to is that Chrome and other kind of major industry players have signaled that they're planning to support it as well as to the details of what exactly is stopped but by do-not-track there's still some stuff to be worked out for instance click fraud detection requires some collection of information so it's sort of not yet set in stone what exactly do not track will entail but the basic thrust of it will be that third-party tracking so double click tracking you across many websites will be prohibited if you set this header which you can do in Firefox right

now does double click on it right now short answer not exactly it no but there's been some signaling that this will happen soon

can you speak louder

I you know I have vaguely I have vaguely I saw like the blurb about it but I don't know about it in any detail in order to really comment on it sorry

so we did a FOIA request for for information on I don't know as much about the printer dots case so I'll just sort of tell you what what I know for information on potentially whether the government was requiring companies to use technology or to put in sort of a dot technology that distinguishes printer pronounced and we haven't gotten anything new on that I will say that our staff technologist who's done the most work on printer dots he's not on this panel but he's he's been around today his name is Seth Schon and if you want to talk to him more about that he may still be here so I encourage you to maybe go to the e FF booth and ask Kelly

to point you to Seth if you want to hear more about it yes

Wow that was a song ball you're not a member are you so yeah so our funding model we take funding from abroad source are a broad range of sources but the vast majority of our money comes from individual donors and so it's really important for people like yourselves to become members and donate because it keeps us it keeps us alive and kicking we also get some funding from foundation grants from attorneys fees from corporations or the government if we prevail in a case we do get a little bit of corporate funding here and there but never to espouse a certain position or work on certain things we will only take that money to do exactly what we would

otherwise do but the vast majority of our money does come from individual donations and so if you like the work that we do by all means consider giving a donation

yes we can comment a bit on that we have the coders rights project it was started in 2007 when Jennifer Granick joined EF f and the the work we do through their coders rights project is intended to help protect security researchers and others who are exploring cutting-edge technologies because a lot of the laws that come into play in those situations are very murky and they're very difficult to navigate and there's not a whole lot of guidance out there for people who are doing things like encryption research and finding vulnerabilities in technologies and so hany and I do most of the organisation's work on that project and we do quite a bit of counselling if anybody in this

room ever has any questions about the research that they are doing and they would like to discuss the legal ramifications you should by all means come and talk to us we will always be happy to talk to you and you know we spend a lot of time coming to conferences like this to get to know the community and you know help out if any legal craziness goes down at a conference the last time I remember this happening was Def Con in 2008 I believe when three MIT students were sued by the Massachusetts Bay Transportation Authority to keep them from giving a talk about vulnerabilities in the Boston T's fare system and we are always on the

lookout for cases like that and if anybody in this room ever or anybody listening to this on the Internet ever has any trouble from companies or if you are if you ever hear from the government and with respect to security research you're doing you should you should give us a call anybody else oh I think last question

stay tuned we just did a new centralized scan recently and we're waiting we're doing responsible disclosure there was a RSA random number generator bug that affected a lot of certificates so before we released this new data set where we're contacting the people who might be affected by that but stay tuned to the next couple months there should be a new centralized scan data set released all right thank you so much we appreciate it [Applause]