Ask the EFF

hi everyone this is a ask the e FF and so we'll let them in come alright thank you everybody thank you for coming out so it was a pleasure to be back here at beside San Francisco for our ask the e FF panel this is a panel in which you can raise any any questions that you'd like to ask our collection of staff will do introductions and in just a second I'll start with myself actually I am Kurt Opsahl I'm the deputy executive director and general counsel at the Electronic Frontier Foundation and one of the things that I work on there is our coders rights project and that is a project where we work a lot with

security researchers to advise them on the risks associated with doing the research and with disclosing or going public with a with a research and we try to help people sort of navigate those risks both for research that they are planning to do in the future try and understand the risks of doing it and then if the research has already been done and they want to disclose it how to do so in a manner that minimizes admitting felonies so I'm happy to take your questions in general about course rights but one of the things we like to emphasize is that with these panels is that we do provide legal advice to security researchers but this is not the

place for that you would want those conversations to be protected by the attorney-client privilege and even even though everyone here is very lovely and I'm sure understands about confidentiality this is not the place to have a privileged conversation so if you a question about your particular situation that's something to talk to us about privacy privately in a different forum however you have general questions about computer at prime law I came in then this is a fine place for that and so that's my intro and we'll go down list to let you meet the rest of our staff hi my name is Cooper I am a senior staff technologist and security researcher on EFS new project threat lab threat lab is

a project for us to research targeted threats against at-risk populations so this is like journalists human rights defenders activists dissidents in the US and around the world and what this means is looking at a lot of things like state-sponsored malware that targets journalists and activists police spying technologies such as Southside simulators also known as sting rays license plate readers and other technologies the police used to spy on people locally and abroad and malware such as spyware which is the type of malware like people abusive partners and small install on their partner or lovers phone to spy on them and get information about them most recently a notorious for the chapo drug lord trial it came out

that he had installed spyware on his girlfriends and also lieutenants phones to spy on them and make sure they were reading him out but it turned out that his sis ID main was had turned and was working with the FBI and they were able to use all of that information that that they were getting from the spouse where to help with the case against El Chapo but it's also very bad for other reasons because it's abusive and terrible so that's that's what we're working on I've mainly been studying emcee catchers and cell phone networks for the last year or so working on a project where the goal is to actually secure the phone networks and make MC catchers a thing of the past

to make it so that they can no longer exploit the flaws that they use to locate people and potentially spy on their conversations previously I worked on the tech projects team working on some of our projects like privacy badger and so I have a lot of knowledge around that when tracking and things like that as well hi there i'm andrew crocker I'm a senior staff attorney at EF F I work with Curt on the coders Rights Project that you heard a little bit about already I also do a mixture of national security privacy and InfoSec stuff so some of the things on my docket recently worked on a brief filed with the Indiana Supreme Court about compelled sub

cellphone decryption and whether it violates the Fifth Amendment so that the question there is can you be forced to unlock your cell phone if the government gets a warrant to it and you you know you you say I don't want unlock it can you be forced to do so does it matter if it's a passcode or if it's your face or fingerprint those are all things we can talk about if you're interested I also work on our long-running cases against the NSA's suing over warrantless wiretapping collection of telephone records our flagship cases jewel purses NSA it's been going since 2008 we're after several courses of you know up to the appeals court back to the district

court we're back in the district court we're mostly focused on conduct that the NSA engaged in before the passage of the various wiretapping laws that authorized this kind of behavior and just looking at things that happened when it was just authorized by President Bush for a long time the government has has gotten in our way they said this is secret stuff you can't even litigate about it you can't you know you can't see it the court can't see it we just got a ruling in another case from the Ninth Circuit Court of Appeals here in San Francisco earlier this week which says that's wrong and actually the Congress has passed a procedure for dealing with

secret evidence and it can be used in a lawsuit it can be shown to the judge and the judge can determine whether use it and we think this should be a big shot in the arm to our dual case we're sort of looking forward to a hearing at the end of this month and then the last thing in the in NSA land is section 215 of the Patriot Act that's the law that was being used by the NSA to collect everyone's telephone records in bulk for over a decade you may remember that from Edward Snowden's debut in The Guardian that's that's up for renewal in in December and so we're focusing our efforts on trying to get it narrowed get

some good reforms to Oh India talk about that in more detail so my name is India McKinney my title is legislative analyst and basically what that means is I'm a lobbyist for the FF so one of the jokes I like to make internally is that the principles of social engineering are actually very similar to the principles of persuasion to be used in lobbying only instead of trying to get your account information or your social security number I'm trying to convince you to vote the way that we want you to vote or to sign a letter or to ask some questions or to do the oversight that FF and its members think that Congress should be doing so

one of the things that I'm working on is inter mentioned is section 215 is up for reauthorization by the end of this year which means Congress is going to have to work on this it's challenging at the moment because Congress the same committees that will be responsible for renewing or reauthorizing or reforming section 215 are a little preoccupied by some other things that are happening in the intelligence and judiciary sections at the moment so part of what my job is there is also education and is also reminding them that this is a thing you're gonna have to pay attention to here's some paper here are some thoughts here are some questions you can ask when

the FBI or the NSA come to talk to you about what they think the reauthorization bill should look like we don't agree maybe you should talk to them about these things another big part of my portfolio right now is the possibility of federal legislation dealing with consumer data privacy there are a number of state bills that have happened across the country both in California Illinois Vermont and there's some others that are in the works and so the question is whether or not there is going to be a big comprehensive federal consumer data privacy bill and will this bill preempt what's happening at the state level what that would look like if it does what it would look like if it

doesn't what does federal data privacy mean what should it mean what do these words mean how are you defining these words when you're creating a piece of legislation especially for something that the federal government has not looked at before again there's a lot of Education that has to go into that and that's when we really rely on both the attorneys but also the awesome engineers and tech projects people to talk about what personal information looks like it's not just your name and your address it can also be your IP address it can also be any other number of things and most of Congress doesn't have a tech background and so that's a huge part of the value

add that we provide and we've consulted with some of the individual senators and individual representatives on some of the legislation that they're working on at the moment if it's public and been introduced I can talk about it if it's not public and has it been introduced then I can't talk about it until then but that is something that we're working with and we're in conversation with a lot of members because that's my job hi I'm Alexis Hancock I am a staff technologist at uff on the tech projects team I am the lead EV on HTTPS Everywhere a web extension yeah yeah you fans um overall if you don't know what the extension is I basically we use a

magical technology called regex to help people upgrade from a unencrypted connection to a encrypted one on the web it's mostly available on Chrome Firefox and opera it's also packaged into other browsers as well like braid in tor so we often work with them to watch and deploy this extension on these platforms mamie straightforward as far as what we do as an extension but also there's a community platform as well that is open so please come look at the contribution contribution Docs and see we can where you can help with we're always open with people to help us maintain our rulesets go over testing infrastructure and also the code base itself as a web extension the web extension ecosystem is fairly

easy to grasp once you look at it so if you're familiar with web technology you're not interested in helping us develop with the extension I would appreciate it very much they're open on github feel free to open issues if you have though we often try to respond as much as we can for our pending issues and as far as the future of SPS my main goal is to not have any GPS everywhere exist one day and that browsers will just automatically have a CPS everywhere but until then I'll be working on the extension hi my name is Alex Moss I'm another attorney id-ff I focus on intellectual property and AFF does work in the whole family of IP and copyright

and Trademark but I focus your hyper focus even on patents and and most of what we do of course isn't helping people apply for patents it's mostly helping people deal with patents of either people who have been threatening people who have been sued and trying to figure out how to help them defend themselves and we also do a lot of work in trying to make the law better both through bringing lawsuits in an way in as an amicus and also through trying to talk to policymakers in particular lately for a long time EF F has been working on issues around the eligibility of software for Pattinson and what circumstances software should be patentable for a long

time until the 1990s there were actually no software patents and a decision by an appeals court that made the patentable and it took a long time but the Supreme Court finally took a case and considered the eligibility of software and they issued a great decision called Alice versus Els Bank and they really narrowed it down and said you can't just add a computer to some basic idea and unfortunately since that decision there have been efforts a lot to start even changing that both for the courts and also to actually change the law to change the Patent Act which has had this same language since 1952 so we're doing a lot thanks to India and her team to try to prevent that from

happening one of the things we like to say is that if people really believe in in patents and having good ones you know you should want to kick out the stupid ones it's like if you have a party and you kick out the bad guests it doesn't mean you're an tea party it just means you want you know a party that doesn't suck and so that's what we try to do is you know try to get fewer patents that suck at the party mm-hm all right so the main format here is is we answer your question so hopefully now that you've heard from my colleagues here that has given you some ideas so if you have a question just raise your hand

and we'll call on you and all right first question yes and before you add it repeat the question so the question is is there any path to a federal data privacy law that doesn't suck because the concern is that the federal law will be weaker than any of the loss of this days have passed that's actually the million-dollar question and you previewed my answer which is a way that it doesn't suck is if it's a floor not a ceiling there's a lot of other stuff that's already happened HIPAA is a federal law that states build on top of there's a bunch of different environmental regulations that the federal government has created a floor and California has additional standards

on top of that there's a lot of examples of how this can work and work really successfully and industry hasn't failed so we still make cars and they still get sold in all of the states you still go to the doctor and the rules still apply they figured it out there's a lot of different ways that it could suck there's ways that it can't but right now it's just really a big question and so now we play our game all right thank you I guess with it yeah here and then back there or back there first okay it works really well as a follow-up um I was just wondering with gdpr happening is that it's something that we can use

to build our own federal privacy law and have there been any big wins or any big surprises around how gdpr has affected this country and our privacy systems and so on well the gdpr was fairly huge we came into effect on May 25th of this year and last year that's right of 2018 time does fly so the general on data protection regulation or gdpr is a European regulation it applies two people who are in the European Economic Area which is essentially the EU but because many companies especially the us-based Internet Giants have lots of European customers it also has had a tremendous effect around here and in some cases has been that companies will apply aspects or all of the GDP are just

in general because it's easier to do supply it than to subdivide as to who is who there have been a couple of prominent people who are companies that have said no like the LA Times for a while just like if your IP came from Europe you were just blocked because they didn't want to deal with GDP our compliance but the the temptation to do business with Europeans from the United States has brought GDP our compliance to the US for at least the the larger companies who have an overseas reach it also has inspired the question of like should we have something like the GDP are inside the United States very prominently here in California there is

a California privacy bill that was passed last year will go into effect January 1st 2020 but it was passed because well somebody put a ballot proposition out there to say to add some protections the legislature worked at a deal if they passed some legislation then they would withdraw the ballot thing and so the legislation was passed but the whole idea is that we'll get amended heavily before the goes into effect in 2020 so we don't actually know what is that going to end up so I guess the the upshot to the question is yes the GPR is having an effect here where that effect will will roll is still being determined all right question here

ok I've had a hard time keeping up with all of the biometrics and force or not force people to unlock phones so if we can get like a tldr on that that would be great and then if it comes to pass that people cannot be forced to unlock their phones via biometrics where does that land with regards to how do we essentially hold law enforcement accountable on that because it's one thing to strong-arm someone and be like you must enter your passcode but like hold my phone up to my face and I can make a dumb face but it's still gonna unlock like how do we make sure that the use of biometrics isn't being

against people's wills so it's a good question so just to maybe recap the this or baseline law that we're talking about here the Fifth Amendment protects you against self-incrimination so you can't be forced to testify against yourself the way that that's been interpreted over the years is you can't be forced to tell the government tell the police something that comes from the contents of your mind and against your will so you can't be forced to answer questions you don't want to answer if there are self incriminating and that then has been extended to things that are non-verbal so you know you can't be forced to nod yes to a question that you can't answer that you can't be forced to

answer yes to so that's that's where the this this law is grounded in the last 10 15 years or so the question has arisen of whether that includes being forced to tell the government police your past your password to a device or type in a password and and the law is still evolving there but I think the leading opinions and certainly ffs view is that would violate your Fifth Amendment rights because it forces you to recite the contents of your mind to tell your passcode or to type it in which is essentially like writing it down right the way that courts have treated biometrics is actually very different and it comes from a different set of law

you know from from pre digital context where you you can't be forced to give the contents of your mind but you can be forced to do physical things so you can be forced to put your finger on a fingerprint pad to be fingerprinted you can be forced to stand in a lineup you've seen the usual suspects that scene where they all recite the same line that's not a violation of their Fourth Amendment rights you can be forced to give blood have your photograph taken all these sorts of physical attributes that can be taken from you or forced be forced to do them without violating your Fifth Amendment because it doesn't come from the contents of your mind

so courts have have generally looked at biometrics and said well that's like being fingerprinted or it's like having your photograph taken because you're pressing your finger on the phone to unlock every you're holding your face up to it it's sort of a weird outcome right that depending on how you choose to lock your device you either have this pretty strong constitutional protection or you don't at all and it's not clear how we should get to a different ruling but it seems wrong that that's that there's not this functional equivalence there was a decision just earlier this year or in January from a magistrate judge in Oakland at a federal court who said basically that that because it is

functionally equivalent whether you use a pass code or whether you use your face they should be treated like as such and therefore the Fifth Amendment should protect it unsurprisingly the government has asked that to be reviewed so the way that works is it goes the next level which is the district court I believe there's a hearing in April so we're watching that very closely but it's really a it's really in flux and your second question about how we can make sure that the police are held to account is a really good one how this happens on the ground is always very different than you know then the way it you know is sort of hypothesized

to be by a court you know we have a whole a whole area on our website surveillance self defense which is sort of a know your rights training and so you know exactly what you're entitled to do are you allowed to say no and when you're being asked to consent a surgeon and so I think at least a part of the answer is is is you know raising raising awareness of what the rights are and what the what the law holds right now you know you the law does seem to be protecting passcodes strong more strongly and so you know depending on your threat model of course you might choose to use it Pascal as I said the

concern of yours and just a quick addition of that internationally speaking like not not every country has a fourth or fifth amendment and not every country even necessarily follows the rule of law so you might have very different concerns in a country like that that may be happy to force you to give up your password or force you know through put the phone in front of your face and that requires separate threat modeling and separate thinking right and in those cases you may not want to use biometrics at all but you may also need to be the fact that they may be willing to go too much further lights to get your password and maybe you just want to use

biometrics and not keep sensitive information on your phone to whatever I agree that's possible all right thank you my front is the if I'm doing anything to address the impact on the Internet especially in marginalized communities in the weight of cesta going into effect yes so we are we are challenging the cesta FASTA allegation saying that it is unconstitutional so we're bringing a court challenge to that and we are we are hopeful that that can at least either invalidated or significantly scale back the the effect of it we've also been in some conversations with folks who have been fair wasn't familiar with justify so we've the okay I heard some news okay so sister FASTA is a bill that law now that

it was passed there was two different bills one called tester one called FASTA so we just sort of call it says to foster now and it was trying to well the proponents at least squirt were saying that this was trying to stop sex trafficking on the on the internet but was doing this in a very ham-fisted way that that was potentially going after the communities that were providing support food to people in the sex work industry platforms upon which things weather was ones in which there were transactions or ones that were providing other form support and care and it kind of has put a chilling effect a lot of speech around the internet because of

the potential for the platform to be to be liable I'm sad or

for those kid here that was a saying that it's had impact on discussion groups online dating trance right discussion groups a lot of things that really are protected speech are the kinds of things that should not be chilled in this manner and so it is a terrible law it is a classic I think of Congress where it was it was put forward with the you know we're doing this to protect the children and keep everybody safe from from the bad guys without much thought about it and without much deep analysis and the a lot of the companies the prominent companies didn't put up much of a fight against it they had a political capital to spend elsewhere

with a lot of privacy scandals it wasn't so much that they didn't put up a fight against it they actively endorsed it we spent a lot i personally spent a lot of time lobbying against this bill last summer and one of the conversations we had around this a lot you know we explained all of the issues we explained the collateral impact we explained all of this stuff but there were two things that were happening that we're working against us and one was that there was very little engagement of the public around the whole idea of section 230 and Communications Decency Act section 230 that deals with speech on the Internet there were uh we just we couldn't get

traction we were doing action alerts we were doing everything that we could do to get people engaged and involved and it we could just couldn't connect we couldn't click somehow right after it passed the house and I'm like what's gonna get passed by the Senate immediately all of a sudden Twitter blew up around this idea and we were like guys I needed this two months ago so there's that the other thing is talking to members of Congress you know we could explain the whole issue and why this is important and why this is necessary and why this law why this bill that you're looking at why it is bad here all of these let me list out for you all of the

reasons that this is bad and they would listen and they're like I totally agree with you but it's child sex trafficking and I can't vote against that but if we do something similar with like guns or opiates or terrorism we're totally with you on that and like I don't believe you but that's one of the other things that I'm continuing to work on to guard against but that's actually something that we are going to need help from bigger wider community is when we start trying to get traction on something like that we need people to pay attention and call their rubbers and one of the other things about this bill is that it's actually had the effect of

driving sex workers who aren't being trafficked who are doing this independently and who are doing it consensually underground and off of off of these sites which were very important for their safety which were very important for vetting their customers and and making sure that they could operate safely and it's rivet lots of them back into pimps and actually being trafficked so it's had the opposite effect and one of the things that we are one of the ways that we and you can help in that is we have the security education companion and some of us have also been working with sex worker communities to try to help them be safe as far as their digital technologies in

their jobs and that's if you are somebody that has contacts with the sex worker community or is a part of that community getting that knowledge from the security education companion SecDef Joerg helping with security trainings and helping people be safe is a really important thing to do as far as harm reduction in this time until we can you know hopefully eventually get a much more sane framework in place and thank you okay this may be outside the scope of this talk but you mentioned what just pointing at another person yeah okay you mentioned being cognizant of your threat model and even advising certain clients to not use biometrics and one idea that I've been kind of like tossing

around in my head lately is the idea of zero days and like you could be following all the best practices and doing everything a hundred percent right but we don't know about zero days mmm and disclose that you know all right do you have any considerations at that level like am I just being too paranoid I mean that I've always thought there are certain things that should not be entered into a computer ever survey one thing I think we need to be cautious about is sort of security nihilism that that like because somebody might be able to defeat my security then we shouldn't care about it what you want to do is do do as many

of the best practices as you can understand your threat model prepare as best possible and then you may have to adjust that if something else comes comes later and it may be true that if some you know Mossad or NSA ninjas come to try and find your stuff they'll probably succeed but that doesn't mean it's not very helpful and to put this if everybody is using sort of best practices they have fully preached materials they are protected against known threats and somebody has to burn in O'Day in order to go after them that makes it expensive and so that means that even if they're not doing everything that we would want in terms of getting a warrant and going through

lawful procedures and such it's still a limitation on the ability to engage in that thing because they have to burn something to do it because they have to put that expense out there so even if you can be totally owned under some circumstances if everybody is doing the best possible practices it makes it expensive and reduces the the harm and it only works once err for at least a short a very short amount of time ideally so yeah I would love for people to only be able to burn those dead people that'd be a great position for us off be it and I want to add to that because often faces like people coming in saying quantum computers are gonna

break everybody just drop everything don't enforce this encryption because it's it gives a sense of resigning yourself to not putting up measures so in my security education experience it's way more beneficial in the user at least understands our person at least understands a base level of what's going on versus you know I have no idea how encryption works in the first place I'm really overwhelmed by the concepts and I generally don't want to engage in that and I just want it done for me but when I say a person actually takes an agency and understand a base level that they can at least advocate on behalf of themselves and come better self advocates instead of you know like AFF

what we do and it's very important work I feel but at the same time it needs to be disseminated with everyone to have the self agency so I think I often face a lot of people my superior education work where you know it's like they were all watching us they all have our data anyway and I usually have to bring everybody back down and just say like these are the measurable obtainable things you can do for now because me studying SPS PKI and all those things like yeah I have to still be cognizant of where and not just resign myself to okay quantum computers gonna break everything because what I've noticed in my time is infrastructure takes a lot to

actually implement build and be sound and sufficient and a lot of these powers that be that usually try to for some things drag their feet on actually implementing new things on a wide scale so it's usually coming down to normally a nation-state having to have that much fire power to actually do something like that versus an individual or a group I think we might need to stop the session unfortunately we have to depart no I guess the e FF will be outside to take more questions potentially yeah I think oh thank you all for coming it's a pleasure to be here sorry we have to end now but we all appreciate your questions if you have more questions for us I

think after this we're gonna head up to the the booth though we have an e FF booth in the chill-out room which also is where the reception is so it's a win-win for you and so if anyone has any any follow-on questions will be up by the e FF booth all right thank you thank you [Applause]