One year of Snowden, what's next?
Formal Metadata
Part Number: 32
Number of Parts: 119
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/19957 (DOI)
Production Place: Berlin
EuroPython 2014, part 32 / 119
Transcript: English (auto-generated)
00:15
So, welcome also from me, we're going to listen to Constanze Kurz, and for those of you who
00:28
don't know Constanze, she is a speaker for the Chaos Computer Club, they are very instrumental in Germany for many, many things regarding data privacy, and she has
00:42
been expert witness to the Constitutional Court that finally stopped data retention, first in Germany, and then later on in Europe, but she's also involved in many
01:04
other legal struggles, and she's going to talk a bit about this, and just one statement I'd like to give in regarding that. Many of you probably know Lawrence Lessig, who said, code is law, right? Have you heard of that? What he meant by that is actually that programming determines many things in our societies, and I think
01:26
we've come to realize that laws and what governments do also influences very much what we can do with programming, and how programming is actually used by the government, by secret services, and that's kind of one
01:41
of the topics that evolved especially in the last year, and again Constanze has launched some actions. I think so far in all of the court struggles she's been involved in, she had a 100% success rate, right? So that was, and I
02:09
hope she continues with that, and in other news she's also a co-writer of very interesting books about the increasing automation that we
02:21
have in our societies. The German title is Arbeitsfrei, which means something like out of work, like automated away, something like this, and what we can expect in the next ten years, but this is not the topic of her talk now, but also something she is doing, and so I'm very happy to have her and give the keynote to Constanze. Yeah, thank you Holger for the very warm words, and you
02:56
of course for the applause, since I didn't even start it, thank you very much.
03:02
Yeah, it's one year of Snowden, what's next? And I guess I'm happy to be back in that building, as you maybe know, I've been here for quite some years because the hacker community had the really largest European Congress here for quite some years, and so I'm happy to be back and speaking in front of
03:24
another tech community about the Snowden revelations. It's gonna be a mixture of, of course, technical topics, but also questions of legalese and of course political questions, because after that year of revelations, and the revelations
03:41
will go on of course, we have to ask some questions, and we should show as a wider tech community that we care, and that we don't accept the way it is, and that we try to change it. And I will maybe in the end of the keynote have
04:02
some ideas what to do about it. Since June last year we learn more and more about American and British and other spies' deep appetite for data and information, and of course about economic spying, and about the technology they use to collect data as well as their hacking skills, because they also pay a
04:25
lot of hackers as we know now. And we know that the spies systematically tap international communication on an industrial scale, that's what we know. And the NSA and the GCHQ and the partner services and contractors
04:43
metadata repository is capable of storing billions of transactions and events daily. So the question is, is there a way to defend against an agency like the NSA with a monstrous budget, and where 8,500 NSA contractors have
05:06
access to the data, thinking about economic spying, as we know now from the Guardian and other papers' revelations. After more than one year of Snowden documents, we have to conclude the democratic oversight system failed at
05:24
each level of oversight. So then let's see how to fix it actually. First we need to analyze what's really going on if we want to fix it of course, and I want to talk a little bit about the surveillance industry that happens to
05:44
be nowadays. There is a study of Privacy International, a research study of surveillance companies that offer their products nowadays. The study is a collection of what is being sold, it's also a categorization of the
06:02
technologies, and also an explanation of what these technologies actually do, can do and cannot do. And those companies as you see here worldwide, they are 338, they sell different kinds of technologies for surveillance, like cell
06:24
phone monitoring equipment, interception equipment as in hardware, of course technologies for internet monitoring, spyware packages that allow users to take complete control over the computers and over mobile devices, and they even
06:42
sell spyware packages for law enforcement mostly, or secret services, that allow the user to take access to all the data and even the camera and microphones. That is the status we have today. It's really an industrial complex, and not only monitoring, filtering and censorship technologies, but
07:06
also passive and offensive hacking tools. Privacy International really did go to the marketplaces and to the fairs, which are worldwide, and took a
07:21
look at the marketing brochures those companies have. We should have that in mind if we think about the Snowden revelations, because there's a reason for all that spying complex, and the reason is simply money. Those companies usually do not take human rights concerns into account or think about the
07:43
risk of misuse, meaning that their products are used to target pro-democracy activists, journalists or any political opposition in regimes or, as we know from the Snowden files, now in democracies, because since those technologies in the last decades were used in regimes only, we now know that
08:05
they are used in democracies as well, and the technical tools to defend against it should not only be used in regimes, but also in democracies. And in the rare case that there are export restrictions because those
08:22
companies mostly come from the Western sphere, and if one of the companies can't get any approval to export their surveillance products from one country, then they simply do it from another. That's the way it works today. So we have on a political agenda the question to ask about
08:40
export regulations of those technologies, not only using it in our democracies. As it is the same for the secret services like NSA and GCHQ, this surveillance industry lacks effective oversight or any form of accountability too. So we have a problem that comes together with this industrial
09:05
surveillance complex and the secret services. Well, really, the start of the Snowden year, at least on a worldwide scale, was the PRISM scandal, the PRISM program. What you see here is a picture from orbit, which NASA took, and
09:25
artificially you see the Facebook network plotted on that photo. And I guess since the PRISM program mostly used social network data
09:42
and made some videos and video chats and photos, the scandal really emerged because most people felt that they have to care about those PRISM programs because everybody, or at least most of the people in the Western world, are targeted by those mass surveillance programs.
10:04
Actually, I want to talk a little bit about the FISA decision. I come to that later. But most important for me is that that program already started in 2007. So we have the situation that those secret services have a social and communication graph.
10:23
From the whole Western world with a history of some years, what never happened in history of mankind, actually. They know the communication pattern of everybody who uses those services. And all the companies you see there are cooperating, but they
10:45
do not do this willingly at most, but they are legally obliged to do so. And that's why I want to talk a little bit about the FISA, the Foreign Intelligence Surveillance Act, because that's kind of the problem which emerged, of course,
11:02
for those companies, because this Snowden year is also really a trust crisis not only between the state and the secret services, but also in the realm of the companies.
11:21
This worldwide attention to the NSA program. In the beginning, it was NSA and FBI and CIA, not the British GCHQ, started on June 6 last year, as you maybe remember. Glenn Greenwald and Ewen MacAskill for The Guardian and Barton Gellman and Laura
11:42
Poitras for The Washington Post reported on a US domestic collection of foreign internet related data. And I quote, Washington Post from this June 6. The National Security Agency and the FBI are tapping directly into the central servers of
12:01
nine US internet companies, extracting audio, video, chats, photographs, emails, document, and connection logs that enable analysts to track foreign targets. So it was really, that's why I quoted this from the law's perspective. It was really
12:23
intended to target US citizen, not intended to target US citizen, but us, as in Europeans and everybody else who's not US citizen or on US soil. And so the discussion on a political basis today in the US Congress and the US
12:41
Senate is just about the domestic spying. It's not a question if that form of spying or mass surveillance will end for people outside US soil or non-US citizen. We should keep that in mind. PRISM is of course, the system, the
13:01
internal computer system that collects this data. And that is what two days later on June 8, the US Director of National Intelligence released in a fact sheet. So what I speak about here is only what is, where there's no denial from the US
13:21
government side or from the Director of National Intelligence. There are some rare cases in that year of revelations that the US government said, no, here the reporting is not correct, but mostly, they didn't even bother to write a denial. I want to talk a little bit about the
13:43
FISA decision because in my opinion, in the public sphere, it's not quite clear to everybody that this form of mass surveillance is legal in the most forms because of that FISA, Foreign Intelligence Surveillance Act. Generally
14:02
speaking, under that FISA, any form of electronic surveillance is permissible if there is a probable cause to believe that the target is a foreign agent or foreign power. And the primary purpose of the investigation is collection of foreign intelligence information. And
14:21
in Section 218 of FISA, even that requirement that foreign intelligence gathering be the primary purpose of the investigation was eliminated. Now it only requires that it be a significant purpose. And this act, you maybe read about it in
14:42
the newspapers, also established a special secret court composed of hand selected court judges to review the applications for electronic surveillance orders. But the secret courts hears only the government's evidence. And the
15:01
FISA court is not revealing any public information, information concerning electronic surveillance, with the exception of an annual report detailing only the number of requests made. So the secret FISA court is also a very silent court. And this silent court and secret
15:22
court has never refused a single request in its 21-year history, until 2002, when the US Patriot Act became law. So that is the kind of oversight we have, which completely failed, not speaking about the political oversight, but the judges. Well, but allowing secret
15:45
trials based on secret evidence with secret outcomes and no public scrutiny to ensure any form of fairness would be a talk on its own. So I stopped talking about that that legal side now. Well, speaking of the
16:01
companies, the cooperating companies, then if a company like Google receives a valid FISA court order, it has, of course, to deliver any information requested, of course. So from the beginning, and it's even after a year, one of the largest scandals and all those revelations, they emerged in an interesting discussion
16:24
about metadata. You see on the picture, an example, this is from a Greek scandal some years ago, where the whole government, the president and the ministers were tapped. And this is a press conference,
16:43
actually, a picture from a press conference where they plotted from one of those surveillance software products, so that you see what metadata will be seen at the screen. Of course, if you have it on a computer, you can interact, of course, with that. It's just the
17:02
problem is that metadata and most of that surveillance stuff is really, it's abstract in a way. I mean, it's not really, you cannot really feel the surveillance. If you sit in a cafe and there's somebody really staring at you the whole time, then you would maybe
17:23
say, stop doing that. Don't look at my screen, don't listen to my phone calls. But if you have that metadata discussion, it's not the same as surveillance in a physical world. So what's really at risk here, most people don't realize. But the metadata
17:44
discussion goes on until now, and maybe we will have a decision about that from the U.S. Supreme Court later that year or in the next year that is possible. I come back to that metadata later. Of course, why they are interested in that metadata
18:04
so much is because it's significantly easier to collect and store because of the volume of the data, and it's much easier to detect any anomaly, meaning anomalies in personal communication behavior. Like is there a person starting to communicate with each other? Is it maybe on, is it
18:24
maybe in nighttime? So you can have filters or triggers in any form to detect those anomalies and ask maybe for special identifiers like phone number or email numbers. And it's of course, it's
18:40
optimal for any form of automatic filtering. So that metadata discussion is not over now. Of course, in Europe, metadata belongs to the data that is protected by the right to privacy. It's maybe not the same in the U.S., but we will maybe see from court decisions this or next year. After the
19:05
first revelations about the PRISM program and the starting metadata discussion, General Keith Alexander, the then director of the NSA, which is of course a general because the head of the NSA is always a military guy, confirmed in two public hearings of
19:24
U.S. congressional intelligence review committees that the NSA collects both domestic and international telephone call metadata from all major U.S. carriers and maintains a database of all such calls for five years. So we now know, but actually
19:42
that is for all the revelations that I speak about here. We just know nothing really changed. There is an initiative right now in the U.S. Congress to change some of those programs, but actually it's
20:01
just for domestic spying. It's not for European, let's say not for us. The next step in that scandal, which is the third one from, or I believe that it's one of the largest scandal, is a
20:23
Tempora program. What you see here are undersea cables, commercial undersea cables, which we have today. You see a little anomaly because if you would have an undersea cable today, then you maybe wouldn't choose that route from U.K. to
20:45
New York over the ocean. But that came from the telegraph lines more than 100 years ago. And as the telegraph lines were invented actually, they didn't know very much about the underground of
21:00
the ocean, so they just took a direct route. And that is the reason that more than 85 percent maybe of all the connections between the European continent and the Americas goes through the British island. And that's why with the
21:21
Tempora program, the GCHQ started to be part of the scandal, that is the British, one of the British spy agencies. GCHQ wasn't actually exaggerating when it invented the phrase Mastering the Internet, which is the name of
21:41
one of the programs, as to be found in the Snowden documents. Within that Tempora program, some 300 GCHQ plus 250 NSA agents have the task to analyze the data that goes or flows through the undersea cables. And this is
22:01
stored for up to three days for content and up to 30 days for metadata, because the volume is, of course, not that high. You see, we talk about 20 petabytes, that means million gigabytes, in those three days. And
22:22
those events, it's really the stuff we do every day on all mobile phones and over the Internet. So it's not an event like a technical term, but it's our communication and our emails and our photos and stuff. And of course, it's the same as in the PRISM program, the cooperating companies, which are
22:42
not only the well-known companies like British Telecom or Verizon, it's also the backbone providers, because, of course, part of the Tempora program are hardware devices at all the places where the undersea cables land on British soil. As we know, most of the
23:06
bits we click is BitTorrent, YouTube and YouPorn, of course. And to reduce the sheer volume of the data running through the undersea cables, like peer-to-peer downloads, it's
23:21
discarded, of course, by filters. And this reduces the volume by 30%, maybe. And those filters, not only reducing the data volume, but also are triggered by words, by email
23:41
addresses or phone numbers. So the data stream is actually filtered, categorized and stored if it's of any interest. All in all, GCHQ and NSA, which work as a, yeah, it's more like, it's really close working
24:03
together, at least in the tempura program. And they use around 40,000 of those triggers to filter and analyze the data that flows over the undersea cable. So, we know that for a year now, and the
24:24
question for all the European countries, and not only Europe, but worldwide actually is what we're gonna do about it. We talk about the Tempora program here in Europe, but there's also an exact duplicate of the program for PACnet, which is an Asian
24:41
Pacific undersea cable net. So it's actually a worldwide undersea cable surveillance program. For my opinion, at least in Germany, the public debate, it's not only Germany, it's worldwide, I guess, really changed when one prominent German person and
25:06
her mobile phone was tapped. And to me, it's until now, a scandal that only this one tapping of a mobile phone, which is
25:21
Chancellor Angela Merkel, of course, is really a scandal in the political sphere, and not the mass surveillance and the offensive hacking techniques we learn from. Okay, I see you agree. And since I don't
25:44
have the time to follow that chronology of that year, step by step, because you could really need five hours for that, I just want to have a short break and tell you just in some words what
26:00
happened afterwards, until maybe the end of the year, because I guess you remember from reading the newspaper what happened in this year. After June 21, when GCHQ's Tempora tapping of fiber optic cables became known, which was from the Guardian, in July we also had an attack list, a target list, reported
26:24
by the Guardian about cyber attacks. That was a list of quite a lot of targets worldwide. In July we also learned that the NSA is spying explicitly in Asia, in Hong Kong, and
26:41
there are also hacking attempts against China, and that the US hacked PACnet, which is the Asian Pacific fiber optic network, as I mentioned, and not only for one year or two, but from 2009 on. On July 31, we also learned
27:01
about XKeyscore, which is a central tool the NSA uses to aggregate nearly everything from the internet, as the Guardian wrote. In August, it was just one month later, and we all thought somehow maybe the publication stopped. We learned about
27:22
even more cyber attacks by the US, mostly NSA, and those were 231 offensive operations, even in one year. And in September, the first time, there was really blood on the data, because we learned from an article in the
27:41
Washington Post that the NSA has ties to the US drone attacks, and that metadata and content data explicitly were dumped into the US drone program. That means that the data triggered the CIA-driven drone program and, well, the Reaper and Predator
28:06
drones with Hellfire rockets were sent to mobile phones to deliver the bombs. So actually, that was not really reported in Europe very much, but in the US, it was reported from the
28:22
Washington Post, as I said, and I guess that is a discussion we should follow closely, because I think in this year, 2014, we will have more of those connections between the CIA drone program and the metadata and content
28:41
data collection of the NSA, because if you want to fire a Hellfire rocket, then you need the data to know which mobile phone to target. In September, we even had the first cyber war attack as defined by the NATO, and that was
29:02
as the GCHQ targeted and spied on Belgacom, which the Spiegel reported. Actually, Belgacom is one of the main telecom carriers in Belgium, and the GCHQ, passively sniffing, hacked some of
29:20
the maintainers of that network, and faked LinkedIn pages to target those engineers, and they had success, and that is really a cyber war attack as defined by the NATO against another NATO country, which is Belgium. That was really interesting, because that kind of
29:40
attack was the first time we heard about that. We even had a, in October, it was in October 2nd, a location data scandal, but it wasn't really reported worldwide, because the NSA collection, a mass collection of US cell phone
30:01
location data, was only reported in English and not so much on the European country. So we see we have also, of course, not only the communication and social graph from PRISM, but also a geolocation program, which runs geolocation profiles, of course. Maybe I'll stop here.
30:24
I mean, you can read it in the newspapers, and I guess as I took a look of all the papers I'm researching for that scandal for about a year now, some of those reports in the different
30:40
newspapers, not only American and European, but also Brazilian and Asian newspapers, I simply forget, because all the small scandals in between are really forgotten when you think about the really big scandals we have here, and the lack of oversight for that mafia
31:02
like secret service complex. Well, what we learned from that chronology, and I took it on one slide because I wanted to have it in one place, that's what we learned over the months. These are priorities as targets from those NSA
31:24
programs. As you clearly see, these are the top terrorists we have in the world, and the targets are the EU institutions and also the Parliament, 80 embassies worldwide, heads of foreign governments, and two from those heads we
31:42
know by name, which is the Brazilian president, Rousseff, and the German Chancellor Merkel. We also have the top terrorists at the G20 meetings, which were tapped, and even in the G20 meetings, they even invented fake
32:01
internet cafes to grab the passwords of the teams of the politicians meeting at the G20. Also the World Bank, large companies like the Brazilian Petrobras, we have a list of priorities here, but we have even more.
32:21
We also have from the revelations the national intelligence priority framework, and this is a kind of matrix from, this was just a part you see here, and you don't have to read it, I copied it. You see it in the next slide. It's a
32:41
contents. What is really, what kind of topics are those secret services interested in? And you would maybe wait for national security issues, but I copied it for Germany from that framework, and what you see here are the targets in
33:04
that framework. That is cyber attack, counter espionage, emerging strategic technologies, clearly a top terrorist problem, international trade policy, arms export, arms control, foreign policy objectives, economic and financial stability. So it's really, what we
33:24
learned from that year is that it's much more about economic spying than the political discussion and the discussion in the newspapers is about. They always argue with the questions of national security, but as we know from the revelations, it's much more about
33:42
economic spying, and actually the scandals are much more about power and access to information than about national security. If you see the ideology behind that, and I quote that
34:03
from the deputy attorney general James Cole, then you have that metaphor of the haystack. He said, if you're looking for a needle in the haystack, you have to get the haystack first, and what we learned from all those programs
34:20
is that they are piling even more hay, and what we also learned, and I come to that in a minute, is that that piling on more hay doesn't really help to find the needle. But before I come back to that ideology, I want to talk a
34:41
little bit about the dimension of what we actually fight against now, and that is part of the revelations too. It's a so-called black budget, and in German, most German, at least, yeah, most German countries, you know about the
35:01
budget those secret services, as in money, receive. We have the 19 German secret services, so we know as a population what money we spend on that. That was different in the United States, so the black budget revelation was really interesting to take a look at the
35:21
U.S. national intelligence budget, and that is, of course, you see it here, over 50 billion dollars a year, and that is much more than even some
35:41
of the politicians and the review committees knew. As I talked to William Binney, who's been here in Berlin because we have a commission in the German Bundestag, the NSA-Untersuchungsausschuss, we talked about the budget on a podium here in Berlin, and he said, okay,
36:03
that 50 billion dollars per year is not sufficient, and I looked at him like, what do you mean, not sufficient? It's not that much, or even more? He said, it's even more, because some of the secret service budgets are in,
36:21
let's say, in military stuff. It's hiding somewhere. He said in his active time in the NSA, the budget was already 80 billion dollars per year, and he said that some years ago, so it's maybe even more. Meaning he corrected the budget above.
36:42
I was really staring at him at that moment, because I thought 50 billion dollars was quite a lot, if you think about how many nurses you could pay from that, or how many rockets you can send to the moon from that
37:00
money. I'm running a little bit out of time, but I want to talk a little bit about the tailored access operations, because most of the scandal in the public sphere talked about the mass surveillance, metadata, content data, and the, you know, the little and the
37:22
larger standards. But for me as a hacker, it's of course interesting what they do in the tailored access operations, and what kind of exploits they really have, and what are the methods actually that they are using.
37:41
In the Snowden papers, we now know that the TAO, tailored access operations, has exploits against Windows, macOS, Linux, and iOS, and some more which are named, and that some of those exploits
38:00
are really zero-day exploits, but most of them are known, so they spend maybe quite a lot of money to have access to those exploits. And we also learned actually that the gray and black market for computer vulnerabilities or mobile
38:22
phone vulnerabilities and malware of all kinds, that gray market is paid from those secret service budgets. So we wouldn't even have that gray and black market on that large scale if they wouldn't spend that money on
38:40
that. They had different methods within that TAO operation, meaning of course backdoors, that's what we expected. There was a manipulation of random number generators, because that's a good way to weaken encryption.
39:00
They had an intensive cooperation with NIST. NIST is a standards institute where every 10 years new encryption standards are somewhat invented, I shouldn't say invented, but NIST was really
39:21
releasing a press statement, and in some parts they said, yes, we did cooperate with secret services. They even tried, for that part of the data collection they had which was encrypted, to get the master encryption keys with different methods, and the
39:41
programs they have for that are called Bullrun for the NSA and actually for the GCHQ. They have really 255 million dollars a year, and it's, if you think about it, in fact an anti-security program, and it undermines of course
40:00
the trust we have in the IT systems we use every day. That was really interesting, to learn about the offensive strategies from those secret services. They really have a lot of hackers that they pay, and it's really hard to
40:23
change it in an ideological way. Because if you take a look at the British and the American hacker community, it's quite common to work for some years for NSA contractors or even for the NSA itself.
40:40
It's maybe very different from the European habits. Well, we heard all that and I missed a lot of revelations because I don't have time to collect them all here but I want to talk a little bit about the success. So what about national security? And I copied
41:00
this from the so-called White House panel which US President Barack Obama initiated as a commission really run by secret service veterans, and even those secret service guys who
41:20
clearly belonged to the intelligence community wrote this in their report. The metadata of the telecommunication brings only a modest contribution to the nation's security and there has been no instance in which NSA could say with
41:40
confidence that the outcome of a terror investigation would have been any different without the metadata. So the stupid phrases we heard in the beginning of that scandal, that all that mass surveillance, explicitly metadata but also content data, would help against terrorist attacks, is quite nonsense,
42:03
and we see it in the White House report and the intelligence community itself who is sitting in that commission stated it in its own report. That was really interesting and as you maybe know it wasn't really reported, at least not
42:23
in Germany. You maybe know, and I'm coming to the optimistic part of the talk now, right, yeah. They are also targeting Tor. We know from October, when the NSA presentation "Tor stinks" was published, that Tor is really
42:43
targeted. Tor is an anonymizing network, as you maybe know. And this July the German R.I.D. and the Züdercher Zeitung had a publication that showed explicitly that
43:00
Tor users are targeted. That was really interesting, because they released some of the filter rules for the deep packet inspection which the NSA and the GCHQ use to have triggers for every Tor user, and not only Tor users but also people who search for information about Tor.
43:21
That was really interesting, because right now Tor is the only affordable and reliable technology for people in, for example, China or Iran to communicate encrypted and anonymized with the rest of the world. One of those Tor services is operated by the Chaos Computer Club here in
43:40
Germany. And so the data traffic to and from those so-called Tor directory servers is being taken into the repositories of the NSA. And that was the reason that we filed again a criminal complaint against Angela Merkel,
44:04
ministers in Germany, the head of the secret services in Germany and foreign secret services, and mostly everybody who could be maybe responsible for that because I guess at least we don't only
44:23
need political help, and we need technical tools to fight against that NSA mass surveillance and especially targeted surveillance like that one. But we also should use the existing laws. And that's why we filed a criminal complaint against
44:40
that aggressive surveillance in Germany directly. And we just hope that the Generalbundesanwalt, which is the federal prosecutor I guess, will maybe do his job and ask the NSA and the GCHQ some questions. And
45:02
so I'm not quite sure if this will work out, but we even tried. I want to talk a little bit, and that's the last thing I want to talk about,
45:20
about other ways to defend against that mass surveillance. And a quote here from a GCHQ memo from May 2012, where the GCHQ said, our main concern is that references to agency practices,
45:41
meaning the scale of interception and deletion, could lead to damaging public debate which might lead to legal challenges against the current regime. And the scale of interception and retention required would be fairly likely to be challenged on article 8, the right to privacy, and that
46:00
is exactly what we did. Because article 8 is part of the European Human Rights Convention, and the UK, different from the US of course, ratified that convention in 1951. So it's bound to that convention. And Big Brother Watch, Open Rights
46:22
Group and English PEN and myself, we had a joint application to the European Court of Human Rights in Strasbourg. So we try to go the legal way, though I think
46:40
we should protect ourselves in a technical way to begin with, of course. Maybe in the end of July we will know a little bit more from the court, because until now we have the so-called Rule 41,
47:01
which means that our cases are prioritized, but actually the court, although we have that fast track, has stopped the process a little bit because of the British tribunal, which is also a secret court on UK soil, where groups like
47:22
Privacy International try to make a case too. So they waited for that outcome, so we just know maybe in a few days where the case goes. Right now we just have a catalogue of questions for the British government and also for the German government, because I'm a German
47:41
citizen, but until now the German government decided to not really answer any of the questions. But I guess it's just a legal way and we should try that, and I'm really very satisfied that a lot of people, thousands of people, spent money on
48:00
that case. We had in just 48 hours the 20,000 pounds we needed for that case together, and little amounts, which is five or six euro, came from all over Germany, and in just 48 hours we had the sum we needed together. I'm very proud of that and I feel
48:20
different from the opinion you read in the newspaper. People actually care and they want to support. That's our fear at least, but the legal way is one thing and to put political pressure on those responsible for that. But I think as a tech community, first of
48:42
all, we should use encryption and not only use it, but implement it. That is what we should do in our normal working habits, because we should, we as a technical community, should help the normal user because he will rely on us
49:02
to have working encryption, because the NSA mass surveillance programs don't scale. If just 10 or 15 percent of users really switch encryption on, they get blinded, and that's what we actually should do. So that's actually what I
49:31
demand from you. Use encryption, but not only use it, but implement it and be as transparent as possible
49:41
when using encryption in technologies or software you build. That is, I guess, to rebuild the trust that is lost, that is essential for that. So be as transparent as you can. We should not only cut the budgets
50:05
of the professional peeping Toms, but also raise the standards in general for the government to look at everyday communication data, metadata, content data, purchase records, medical records and so on, because by its very nature
50:22
mass surveillance is neither necessary nor proportionate, because these technologies enable the violation of human rights. It's a human rights issue, particularly the right to privacy and also the human rights of freedom of
50:40
expression. So eavesdropping on that massive scale is simply not acceptable in a free society, so let's fight it. Thank you. I'm not quite sure, Holger, are
51:18
we supposed to have a question and answer? I don't know.
51:26
I don't want to be that negative. I hope you have an optimistic feeling right now. There are two microphones. You can go over there or here and you have like let's say five minutes and then we... Is this thing on? Yes it is. Thank you for these amazing insights.
51:43
Thank you. I have two questions which are actually basically one. What would happen if one of these companies at some point just says, no, and what would happen if all these companies, their CEOs, come together and they make the agreement and they
52:02
say no? Can you tell me? Do you have any insights into that? Well, that is not such a trivial question. It's a really complex question actually. The point is I have maybe to remind you that
52:22
lawful interception techniques are built into all commercial telecommunication networks by law, and they have standards, so-called ETSI standards. So the technique to intercept is from a legal perspective necessary to be a commercial
52:40
telecom carrier in all western countries, meaning that the possibility is already there. And from a legal perspective, and not only the U.S. companies, but in many European countries too, they are simply obliged to hand over the data. What they could
53:01
do actually is to switch on encryption to not lock any content and in that way help the users a little bit. What they actually do right now, mostly in the U.S., is of course write open letters because they see that the trust crisis
53:22
is a question of economy right now in the European and Asian markets because they see that mostly the cloud companies, that well it really drops. The partners,
53:41
not even, they don't have a lot of new contracts, but they also have second contracts from Asian and European partners demanding from the U.S. companies that they have special privacy contracts to the normal cloud contracts and stuff. And so the pressure from the economic
54:01
sphere to the U.S. administration, it's getting higher. So maybe that trust crisis will be not solved in a political realm, but in an economic realm. We have a lot of small companies who say okay we built our technology that way
54:23
that we can't hand over data like in the Tor network or other examples, but really the huge telecom carriers and internet companies, they don't have a choice. Well it's interesting because if you step
54:42
out for a moment and you look at what's happening, it's basically it's the nation-state, an institution with an army, which is very powerful of course, but it's interesting to think what would actually be happening on the enforcement side of
55:01
things if a group of these companies just agree not to participate. Well, they actually do. The point is that we as users, we tend to use the large companies. So maybe I urge you to think more decentralized. Thank you.
55:30
Hi, we're here at the Python conference. Guido van Rossum, the creator of Python, has been working in a company that
55:43
makes sure we all have our data secure, our most important data secure, for the last three years. This company has just acquired a new member of the board of directors, which is Condoleezza
56:02
Rice, one of the main supporters of massive surveillance, who is working at the same company as the guy who created this beautiful language. What are your thoughts about it? Yes, what you're referring to is
56:22
actually the so-called revolving door, right? Is that what you meant? The so-called revolving door that you have is a lot of people who switch between companies, contractors, secret services and stuff. That's what you mean? I mean Dropbox.
56:43
I don't really get your answer. Well, sorry, Dropbox is a company where you can keep, yeah, you can keep all your most important files in the cloud. Well, Guido van Rossum, the creator of Python, is working for that company for the last three years. This company just added a new
57:02
member to the board of directors, which is Condoleezza Rice, one of the main supporters of massive surveillance, one of the people who explained that it's necessary to have some. Now I get you. Of course, I read in the news, and maybe since
57:23
at the Hope 10 in New York, Edward Snowden referred to that case, so maybe most people are aware now. Well, I don't have really any good comment on that. I guess it's not the only case, I feel. I think it's just something we
57:43
should all think about and maybe talk to Guido about it. Thank you.