
Ask the EFF

BSidesSF 2018 · 36:07 · Published 2018-04
Category: Policy · Style: Panel
About this talk
Speakers: Nate Cardozo • Andrew Crocker • Gennie Gebhart • Stephanie Lacambra • Sydney Li • Kurt Opsahl

"Ask the EFF" will be a panel presentation and question-and-answer session with several staff members of the Electronic Frontier Foundation, the nation's premier nonprofit digital civil liberties group. Each staffer will discuss a particular issue that has been in the news or on EFF's docket this year.

Transcript [en]

[Music]

All right, thank you. Thank you for coming to the Ask the EFF panel. It's a pleasure to be back here at BSides and talk to the community. My name is Kurt Opsahl. I am the deputy executive director and general counsel of the Electronic Frontier Foundation. I assume that most of you are generally familiar with EFF, but just briefly, if you are not: EFF is a non-profit civil liberties organization dedicated to defending your rights online. So we fight for things like privacy and free speech and innovation, trying to make the future one we would want to live in. One of the things we do with this community in particular: we have our Coders' Rights Project, where we advise researchers and presenters about the risks they may face in conducting research and in presenting that research, to try and make sure that conferences like BSides are able to go forward without things like temporary restraining orders and, you know, the kind of ugliness that might occur. Fortunately, things have generally gone smoothly. But if you are a security researcher, one of the things we do is provide advice. But here's the thing: this is not the place for that. You want to have that in a privileged, private conversation. So this is the Ask the EFF panel; we invite people to ask any questions they may have, but if it pertains to you and your particular legal situation, that is best to be a conversation, and we have another time and place for that.

So with that, we'll briefly introduce our crew here and then turn it over to your questions. So, Stephanie.

Hi, I'm Stephanie Lacambra. I'm the criminal defense staff attorney at EFF. I work on pretty much the deployment of government surveillance technologies in the criminal justice context, when it comes out in the context of criminal prosecutions. So when criminal defenders need help trying to challenge everything from automated license plate readers to cell-site simulators to digital device searches in their cases, they come to us and I will help marshal our resources for them.

All right, thank you. Nate.

I'm Nate Cardozo. I'm a senior staff attorney on the digital civil liberties team at EFF. I do cybersecurity, privacy, free speech, encryption, export controls, and I work on our Who Has Your Back report, and as part of my job I counsel people like you.

I'm Katharine Trendacosta. I'm a policy analyst on the activism side of EFF. I work on net neutrality, ISP privacy, fair use and IP, and sort of the DMCA ban on breaking encryption.

I'm Sydney Li. I'm on the tech projects team at EFF. I spend about one third of my time working on Certbot, which is EFF's client for Let's Encrypt, and the other two thirds of my time I spend trying to bring the success we've had on the web to email. So we're working on a new project called STARTTLS Everywhere, and for those of you who haven't had the enormous pleasure of being an email systems administrator, STARTTLS is the equivalent of HTTPS for email. So we're working on tooling to make STARTTLS deployment easier and better.

I'm Andrew Crocker. I'm another one of the attorneys on the civil liberties team. I do national security and surveillance work, and I work with Kurt and Nate on our Coders' Rights Project and Who Has Your Back.

All right, well, thanks again to everybody for coming. We're ready for your questions. Does anybody have a question to begin with? All right, right here in the front row.

All right, so the question was about the GDPR, the European data privacy regulation, and whether, in light of it coming out in Europe and going into effect on May 25th, and then Facebook/Cambridge Analytica, that will come to the United States. I think it's a very interesting question. I think it will come to the United States in the sense that companies who are in the United States, the bigger ones in particular, all have European customers and they have European offices. They can't do the "ha ha, you can't get me" approach, so they're gonna have to deal with the GDPR one way or the other.

One of the things that was interesting coming out of the Facebook and Cambridge Analytica thing is Facebook put out there that they were going to apply the GDPR's privacy protections worldwide, that it was not just going to be for European residents. So, you know, we'll look at that with some interest to see how that rolls out. Whether there will be GDPR legislation here, probably not in the same form. There are very different views on privacy between Europe and the United States. Also, while the GDPR has a variety of things designed to protect your privacy, there are also speech implications for what it does, in particular the right to erasure, which is a new term for what was previously more commonly known as the right to be forgotten. And while, you know, you can be very sympathetic with somebody who had an episode in their past that was relatively private, got onto the internet, and they kind of wanted to be forgotten, in practice it is often being used by public figures, politicians, in order to sanitize their history so that people don't, you know, consider that when evaluating their candidacy. So that would run up against the First Amendment here if you tried to say that something could not be published even though it was factually true. In the U.S. we have a very strong sense that if it is a factually true statement then that is your right to be able to say that. So that aspect of the GDPR probably wouldn't work under our constitutional system. And then, more practically, the European view on privacy is very much that privacy is a human right, it is an inherent right that one shouldn't be able to sort of waive, while much of the U.S. system is looking at it more transactionally, where the key is to make sure that people are agreeing to a particular deal, but once they've agreed, then the buyer beware. So it's a little bit of a different system. All right, question back there, sir.

So the question is about SESTA/FOSTA, the recent bill that passed Congress where they put some limitations on Section 230 of the Communications Decency Act to make it easier to go after service providers who host racy content. It is being positioned, at least by the proponents, as an effort to combat prostitution and sex trafficking, and the question is what we're gonna do about it. Okay, so one of the parts of the question was are we planning to fight it in court, and the answer is we're not going to say right now. We are looking at all of our options, but we haven't decided exactly what the best path forward is. In terms of a best practice guide for service providers, that's actually not something that we had considered. It's not a bad idea, so let's take that back to the team. All right, another question, please. All right.

So this is an issue that we're aware of. I think none of the people here have worked on the Whois issue, but to give you sort of the broadest strokes: it is an interesting sort of conflict. Under the Whois system you are supposed to be able to identify who is behind various domains. You know, in practice, a lot of times people will use a third-party intermediary, so that you look up who's behind a particular domain and you come to a company, and then you have to get the information from the company. But the gist of the Whois system is to say who does this belong to, and this of course is personal data that would be covered by the GDPR, and the GDPR is designed to provide greater privacy protections. So these things do have some conflict. ICANN, the Internet Corporation for Assigned Names and Numbers, is working on this, trying to sort of figure it out. I know a lot of people who do attribution forensic research, trying to determine where a bad actor is coming from, rely heavily on the Whois system as a clue to get there, and have some interest in being able to track down who the users are. At the same time, you know, of course I have sympathy for those who wish to have it private. A lot of times domain names are used for political speech, and it is useful to be able to do so as anonymously as possible. But I don't have a current update on that; my suggestion is to look up Brian Krebs's latest writing on the issue.

All right, so the question was about the CLOUD Act that recently passed as part of the budget bill, concerning the ability to get access to information stored overseas. Who's up on the CLOUD Act? So the CLOUD Act does two main things. One is it clarifies that when U.S. law enforcement get a warrant and serve it on U.S. providers, they can get that content wherever that content is held. So that had the effect of mooting a lawsuit that was already in front of the Supreme Court about whether Microsoft had to respond to a warrant for data that happened to be held in Ireland. The answer is now yes. So that's one thing it does. It also allows governments, the U.S. and other governments, to enter into bilateral agreements where they can each request data from companies about citizens held either in the United States or in the other country. So that would be a case where Google holds data about a non-U.S. citizen in the United States; the U.S. entered into an agreement with, say, the UK; the UK can request data on one of those citizens. So theoretically it does not affect data held about you, a U.S. citizen, held in the United States. They would still need a warrant to get access to that information, so they still have to go either to a U.S. court, DOJ would, or a foreign government would have to go through the Department of Justice to then get a warrant. All right, the front row.

All right, so there was another GDPR question, looking at where it might go in Canada and in the U.S. So I think, as an initial matter, you know, the U.S. is a bit different from a lot of the rest of the world. It is extremely common for a country to have a data protection law, data protection, you know, government officials, and this is not part of the U.S. system. I am not an expert on the Canadian system, but I do know that they do have some data protection laws, so they may move around to be something like the GDPR. You know, a lot of the data protection initiatives have originated in Europe and spread elsewhere, but it's actually commonplace all around the world. As I was mentioning before, the U.S. is a bit different, sort of philosophically, and for some, you know, good reasons. We have again, like, the First Amendment puts a greater primacy on the ability to speak freely without the government telling you what to say than on protecting privacy. So if these things come into conflict, there are balancing tests. Likely the court will look at them; they're gonna balance out the interests, but there is a very strong tendency that if something is factual and true, you can definitely say it, and, you know, this would include private information. So it seems likely that Congress will do something about Facebook and Cambridge Analytica, because there's a problem, there is something that has got the national attention, and when there is a national-attention problem, Congress feels the obligation to do something. That obligation is fulfilled by doing anything; it doesn't actually have to solve the problem, it just has to be that, like, we have now responded to this. So I highly suspect that Congress will do something in that sense. Whether it will actually be ultimately useful remains to be seen.

So the question was about net neutrality, that we're losing the net neutrality war, but what can we do? So, net neutrality. I know that it looks really bad, like it's really depressing, but it's actually way less awful than it looks, in the sense that the thing the FCC passed, the Restoring Internet Freedom Order, which is what they called it, is incredibly vulnerable. It's not written so well. And so, as I think a lot of people know, I think it's twenty-four states have sued over it, in addition to Mozilla, the Internet Association and a bunch of others. It's currently gonna be in the DC Circuit. They're gonna hear it; I think they set a schedule for it. There's gonna be a hearing on it and we'll see what happens with that, and that's in the future. The thing about net neutrality that is bad is any resolution that comes is going to come in a long time, because of the way that our government works. But I fully believe that we lose in the short run and win in the long run. What is definitely gonna pop up is you'll see net neutrality preserved in states. Washington and Oregon both passed and signed net neutrality legislation that restored all of the protections that the 2015 Open Internet Order had. California has three net neutrality bills currently pending; one's already gone through the Senate, one has a set of hearings this week, and I don't know the state of the third, which is a little bit more tangentially related to net neutrality than the rest. And we actually had a day of action on the California net neutrality legislation on Thursday, and we got word from Sacramento that the phones were ringing off the hook and "please stop, tell them that," like we had the ability to tell people to stop calling. So it's an issue that people think is really important, and because eighty-three percent of Americans support net neutrality, no one can say publicly that they don't. So what's actually more dangerous than anything the FCC did, or that order that they issued, is to keep an eye out for laws that sound like net neutrality but aren't. Marsha Blackburn has one, Senator Kennedy has one as well; both of those leave out certain protections that are vital for net neutrality. They ban blocking and throttling, but they don't ban paid prioritization, and so we need to agitate for an actual bill that does those things. But the good news is everyone likes net neutrality; it's a really hot issue and you need to look like you're on that side, so we have a lot of leverage there. All right, question back there. Yes, indeed.

So the question was, does EFF track right to repair? And yes, we do. Yeah, we track right to repair. We do a lot of work on the bills that are going through; we testify in support of the right to repair bills. I think it's either happened already or is happening this week, I can't quite remember, that one of our attorneys was testifying for the California right to repair bill. So we have the right to repair bills. There's also, in reference to right to repair, the DMCA, which bans circumventing any sort of digital lock or encryption on things that you own. Those hearings were held last week; two of our attorneys testified in DC about that. They'll also be testifying in Los Angeles in a week, and I will be there as well, to explain why it is necessary to break encryption on things you own so that you can fix the things you own, which seems pretty straightforward. We've also done a lot of work with Kyle Wiens and iFixit on right to repair; that's a really solid resource. And we've worked in the automotive security space to ensure that right to repair extends to cars. The auto manufacturers are dead set against it, and so we want to be the voice of the tinkerer. On that note, apparently during the hearings the reason brought up for why you shouldn't be able to break the encryption on your car was because you might use your car to rip a DVD. All right, that's fair. All right, another question. Let me first see if anyone in the back... it's hard for me to see, if you want to check. There, all right, there we go, just two of you right in a row. The further one back first, sir. Yes, you, yeah.

All right, so the question is about the recent article in The Washington Post about stingrays found in DC, and I guess we are going to invite up to the stage here our colleague Cooper Quintin, who was working on the very issue.

Hi, yeah. So there were, I think, two questions: has anybody stepped forward claiming to operate them, and the legality of them. Is that correct? As for the first question, nobody has stepped forward to claim ownership of them, which is not surprising, and it's actually really hard to do attribution on stingrays, which is, I think, you know, we can give DHS a lot of credit there when they say they don't know who operates them. There's a very good reason for that; it's very hard to tell who is operating a stingray.

As for the legality of it, so, on the legality front, I mean, in terms of looking at what is being sort of broadcast to make some determinations of that, we think that is generally cool. I think, like, there's been a specific case that has dealt with this very issue, but if you have something which is attempting to detect whether there is a stingray by observing what is going on in the air, that's not a particularly high risk. If you wanted to mess with them, that starts to get into sort of more interesting grounds, because of course as a baseline there are things like the Computer Fraud and Abuse Act, the federal anti-hacking statute, that, you know, covers unauthorized access to a computer. A stingray is a computer, because basically everything except calculators is a computer, and they would be computers if it didn't specifically say "not calculators." So, you know, but there are other things: the people who are putting them up are probably not going to go to, like, you know, the FBI and say, "hey, someone messed with my stingray." I mean, that's assuming that these are not U.S. government stingrays, but one of the things about them is that people don't want you to know who did them, and to fight you in court they'd have to do that.

So apparently there's a question: what is a stingray? A stingray is a fake cell tower that is operated by someone other than the cell company in order to, usually, locate a cell phone. Also, at times it can be used to read the content of text messages or voice conversations or even data, depending on the capability. I would also note that if you're planning to mess with or interfere with a stingray, just remember that most of the bands that are used by cell-site simulators, as well as actual cell towers, are licensed spectrum. Broadcasting in licensed spectrum without a license is not permitted.

So let me clarify the naming thing a little further. So we talked about cell-site simulators, IMSI catchers and stingrays, and we often use these terms interchangeably. A cell-site simulator is probably the best technical term for what people usually think of. It is a device that is actively masquerading as a legitimate cell site to get your phone to connect to it, to get some amount of IMSI or location or metadata or data off of it. So this is an active device; it's broadcasting and trying to get your phone to connect to it. There are also passive devices, which could probably be more appropriately called IMSI catchers, that are just trying to pluck that data out of the air without actually broadcasting anything. Kurt brings up a good question: what's an IMSI? IMSI stands for International Mobile Subscriber ID. This is the unique ID that's associated with your SIM card. This is your subscriber number with the phone company, and it's a unique ID for your SIM card, so it's good for tracking you because nobody else will have this ID. So that's the difference between an IMSI catcher and a cell-site simulator, and StingRay is a brand name, a popular brand name for a cell-site simulator that was sold to a lot of law enforcement in the U.S. and abroad earlier in this century, and has now been supplanted by, from the same company, a device called the Hailstorm, which purports to have much better capabilities and the ability to intercept 4G communications, whereas the StingRay could only do 2G, I think. Well, also there's Triggerfish or dirtbox; the brand names are myriad.

So just to wrap that up: if in fact one of you is interested in messing around with stingrays, this is just the sort of thing that one would want some legal advice on, so this is not, as I said, the time or the place for that, but, you know, proceed with caution. All right, next question. I'll go midway in the back there.

All right, so the question was back to the GDPR and the right to be forgotten, and proposing: step one, become an e-citizen of Estonia; step two, ask Intelius and other data brokers to forget you. Well, you know, that's an interesting strategy. I actually didn't realize Estonia was so cheap; for most places, if you want to buy into citizenship, it requires hundreds of thousands of dollars. Okay, so the GDPR, by the way, actually covers residents of the European Union. So if you are a citizen and you're here, it theoretically doesn't cover you, and if you're not a citizen but are there, it theoretically does. So in that sense citizenship is not the key, but let's just assume you go to Europe and do the same thing. So it'll be interesting to see what happens, because sort of under the GDPR view you would have, in the first instance, the right to ask for that to be forgotten, and they would have to fit that into some sort of exception to allow it to continue. I have not really sort of analyzed how that would play out. I mean, you know, for the most part we're actually opposed to the right to be forgotten on free speech grounds, but I do know that some people, once the GDPR goes into effect, Max Schrems and others, are planning on testing some of its features right away, so we will have an opportunity to see how that pans out. All right, so we had one other in the back there, which, yeah, in the green here.

All right, so the question was about the Digital Millennium Copyright Act and our challenge to the constitutionality of that act, where we represent Matt Green and bunnie Huang. As near as I can tell from every meeting we've had every week, we are still waiting to hear back on that. We filed, and now we're waiting for the court to tell us what we should be doing next. It's a work in progress. All right, here in the second row.

All right, so the question was about, given the Supreme Court's decision about putting a GPS on a vehicle and requiring a warrant to do so, how does that play into things like ALPRs, automatic license plate readers, and other forms of tracking? Andrew?

Sure. So you actually said something very important, which is that the Supreme Court held that the placement of the GPS on the car was what implicated the Fourth Amendment, what made it a search. And you had five justices who were not in the majority opinion say that the long-term monitoring also seems to implicate reasonable expectations of privacy. So unfortunately, as is so often the case with the Supreme Court, we have a kind of gesture in the direction of something interesting and useful for other things like license plate readers or cameras, but no guidance on exactly how long-term that would be, and it's not the holding of the case, so it sort of has to wait for another day. So you have lots of efforts to sort of analogize in just the way that you're saying: you know, tracking in public over a long period of time, correlating lots of things the way some of these other technologies do, it seems problematic and should sort of implicate expectations of privacy, but we haven't had definitive rulings. So you've had some technical efforts to say how long is too long; there are well-respected scholars who say, I think, it's two weeks, you know, and you can read that paper and sort of get into why that is. It may be that we see a bigger change in a case that's in front of the Supreme Court right now called Carpenter, and that's about whether tracking cellphones via, you know, cell-site data from the provider implicates reasonable expectations of privacy. Up until now it's been thought that, under older case law, because it's obtained from a third party you don't have any expectation of privacy in that. And the reason that might be useful for some of the things you're asking about is it may upend all of these ideas of what is a reasonable expectation of privacy and how it sits in this sort of tracking-in-public and, you know, intermediary world that we live in. So I think it sort of remains to be seen how that'll play out. That case should be decided by June, so we actually may see a very big change in Fourth Amendment law.

Okay, well, we are running out of time here, so we have one more question. How about you, sir? So the question was about backdoors and the going dark problem, or, you know, sometimes called front doors, whatever you call them, but weakening encryption to better allow law enforcement access, and what we can expect. Nate, you want it?

Yes. So your question also said what do we expect in terms of legislation. I think that the legislation that we'll see is not going to be from the U.S. I think we're gonna see something from Australia or the UK before we see anything from the U.S. Our senator from California, Dianne Feinstein, led the charge in the last Congress against encryption and to mandate backdoors, with her colleague Richard Burr from North Carolina. There's been some mumbling that that bill might be reintroduced, and there's been some mumbling that it might not. The Department of Justice, Christopher Wray, the FBI director, and a number of others have been lobbying pretty hard on the Hill that something must be done. Their message has been undermined pretty significantly by people like Cellebrite and Grayshift. It's been reported in the press that for 50 bucks you can unlock any phone on the market. Cellebrite, of course, is the Israeli company, and their solution is a little more expensive than 50 bucks, but they also claim the ability to unlock every phone on the market. So when we see people like Cy Vance, the District Attorney of Manhattan, say that he has 7,800 iPhones in active criminal investigations that he can't unlock, his words are ringing a little less true in front of Congress right now. Is something going to be proposed? Probably. What do we expect that to be? I have no idea. The thing that I'm more worried about than legislation is backdoor pressure. I have had clients who are encryption software developers who have had visits from three-letter agencies, and they're shown, you know, pictures of children being beheaded and told that your software has enabled this, and if you don't give the U.S. a backdoor their blood will be on your hands. That's the kind of pressure that I'm more worried about. My nightmare scenario isn't legislation mandating backdoors; that's possible, but we can fight that in the courts. My nightmare scenario is silent capitulation from the companies, and that's still definitely on the table.

All right, well, that brings us to the end of our Ask the EFF panel today. There are some more questions out there; sorry we didn't get to everyone. We will be around a little bit afterwards here, and also there's an EFF booth up on the top floor if you want to try and catch us at another time. Thank you all for coming. It was wonderful to be here, and we look forward to talking to you soon. Thank you.