
Ask the EFF


Formal Metadata

Title: Ask the EFF
Number of Parts: 93
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation's premier digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as surveillance online, encryption (and backdoors), and fighting efforts to use intellectual property claims to shut down free speech and halt innovation; discussion of our technology projects to protect privacy and speech online; updates on cases and legislation affecting security research; and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you.
Transcript: English(auto-generated)
Thank you everybody for coming. Welcome to the Ask EFF panel. We're so glad to see so many of you here today. This is going to be kind of a lightning round: we have about 30 minutes in here, and with a transition that means about 20 minutes for questions, so we're going to do very brief introductions and then we'll look forward to answering your questions. A brief word of warning: as many of you know, one of the things we do here is provide some legal advice to people who are in need from this community. This is not the place for those questions; you want to have those in private conversations with privilege attaching. This is the place for more of your general questions about some of our work and policy initiatives. So while you're thinking of the great questions to ask, I'll begin with the introductions. My name is Kurt Opsahl, I'm the general counsel at the Electronic Frontier Foundation. EFF, as you probably all know because you're here, is a non-profit civil liberties organization dedicated to defending your rights online. And with that I will let our esteemed collection of panelists introduce themselves.

My name is Jeremy Gillula. I'm on the tech projects team at EFF, so we're the team that develops things like Certbot and Let's Encrypt and HTTPS Everywhere and Privacy Badger, and also explains tech to the lawyer people.

Hi, my name is Katitza Rodriguez. I'm EFF's international rights director. I work on global surveillance issues, helping groups fight draconian surveillance laws, in particular in Latin America.

Hi, I'm Andrew Crocker. I'm a staff attorney. I work on our civil liberties team, especially on our national security, privacy and crypto stuff.

Hi, I'm Eva Galperin. I work on EFF's international team, mostly on issues regarding privacy and security of vulnerable populations all over the world. I also do our state-sponsored malware research.

And I'm Nate Cardozo. I'm a senior staff attorney at EFF. I do crypto and security policy as well as free speech and privacy litigation, and I will be giving a talk immediately after this one in this same room about crypto law. So save your crypto law questions for that talk, because it's going to be great.

So we have a mic here in the center aisle; if you have a question, why don't you come on forward and ask on the mic.

Hey, my question is: do you think we can trust Tom Wheeler?

Sir? Tom Wheeler? Go for it.

So I'm probably the only person on this panel who's worked on net neutrality issues. In some sense we don't have to trust him, right, because everything that he would do that would have any consequence ends up being a public thing. But I have been very pleasantly surprised by the direction he's been pushing the FCC. So I mean, I trust him, but I also keep an eye on him.

So trust but verify?

Yeah, exactly.

So what do you think the privacy and security implications are for Americans following the IANA transition?

Hmm, anyone? The person who worked on ICANN is not here, so... Ask Danny. And none of the rest of you does anything with him. Jeremy Malcolm. Jeremy Malcolm. Yeah, we have at this point about 70 employees, and we bring a good selection here; this is a great group of folks, but unfortunately we can't cover every possible issue. And also ICANN staff and the IANA transition is not a topic we give priority to.

Alright, anyone else have a question? Come forward. I'll give a little brief discussion of some of the things that we have been working on while you're getting your questions ready. Let's... please.

Hi, I just got asked by a friend if the EFF would endorse his campaign for judge, and I said I was sort of dubious about that. Can you elucidate whether EFF can or cannot participate in political endorsements of candidates or positions, and why or why not?

Well, we actually cannot. As a non-profit organization we don't get involved in what's known as electioneering. This means, on the plus side, that if you donate to EFF it is a tax-deductible donation, and we get some advantages as an organization. But that also comes with our being a non-partisan, non-political organization that doesn't get involved in elections.

Alright, well. Who wants to talk about export controls? I see you trolling.

One, thank you for your guys' help with the net neutrality stuff. I think everybody in here greatly appreciates it, so thank you. Actually, I'm curious: is anybody here familiar with the kind of stuff that's going on in Europe right now with the Privacy Shield and GDPR? Danny?

I don't know the content of the GDPR right now. I know that the European Union has passed a new regulation for data protection, and it's the GDPR. But due to Max Schrems' litigation, the Safe Harbor provision, which was a European provision that compels companies, if you want to transfer data from the European Union to the United States or to any country, that country has to be an adequate country...

So the question, and you may not know the answer, which is fine, but I was just curious: I've been looking at it pretty heavily and I don't think America's ready. And the right to be forgotten clause, even from a technology perspective, there's just a lot in there that I think is going to be extremely disruptive, and I just didn't know if you had a take on that or not.

I got it. Yeah, okay, I also got it. What? Oh, the right to be forgotten. If you want to see people from EFF really squirm uncomfortably, ask us about the place where your right to privacy and your right to free speech overlap. In Europe the right to be forgotten is actually quite reasonably popular. In the United States we tend to err on the side of the First Amendment, and EFF believes that the right to be forgotten is actually quite problematic. On one hand, who among us has not done things that have ended up on the internet that we're not terribly proud of, that we would like to see not indexed by Google? On the other hand, what we're really worried about is that the right to be forgotten can and will be used by the powerful to cover up their misdeeds, and in fact we have a great deal of evidence that this is exactly what is happening. So EFF does not support the right to be forgotten; we think it's super extra problematic.

But that is just one provision of the GDPR, and I want to put an example: in Latin America we copy a lot of laws from Europe, from data retention to the right to be forgotten, so we already have bad precedents. For instance, right now in Peru there was a right to be forgotten case where they put a huge fine on Google, but also another case where they are investigating investigative journalists. So we have problems in Mexico, and in Colombia the sentence was favorable to Google, but it was not good for the media: the media has to take down the content, or the syntax of the content, from their website.

Yeah. Now please go ahead.

Is there anything that the EFF is doing or can do to move technologies that are ITAR-restricted and dual use out there? Essentially, is there a way to move them from ITAR to dual use, or off of that?

Sure. Thank you for biting on my export control taunt. We do a lot of work around export controls. Most recently, the State Department proposed listing cyber products on ITAR without defining what that is or what it means or what it would be. We only caught wind of it a couple of days before it was debated, and we, along with our friends at Access Now, wrote a very strongly worded letter saying don't do this, this is stupid. We are also working to make sure that things like pen testing tools don't get included in the EAR. Right now crypto is still, unfortunately, in the EAR; it's not in ITAR.

What? What's an EAR?

Oh, EAR is the Export Administration Regulations. It's administered by the Commerce Department and it covers dual use technologies. It's a lot better than ITAR, which is the United States Munitions List. Crypto used to be treated the same way as tanks and hand grenades; now it's treated the same way as MRI machines. So we're trying to make sure that things like pen testing tools don't require a license to export. So stay tuned; that's the Wassenaar Arrangement process. I was on a panel last year in this hall talking about that, and it's still very much live. So we blog about it from time to time. Eva and I are leads on ITAR and EAR stuff at EFF.

Hi. Hello. I always leave DEF CON feeling a bit deflated. So I wondered if there are some good things that happened in the last year, or some good trends that maybe you could highlight, hopefully. What's the good news?

Well, we won the Apple FBI case. Yeah.

So last year... oh, sorry. Do you want to talk about Let's Encrypt? Save it for a second? Yeah.

Oh yeah, the launch of Let's Encrypt in the past year. Oh, did I steal... I'm sorry, I didn't even feel it. Yeah. Free certificates, easy to set up; I'd say that's a pretty big win.

I have pretty weak wins in small countries too. We defeated data retention in Paraguay, which is a big issue because the European Union has been exporting these laws to developing countries, and that was the first win in that country.

Another big win is the increasing use of end-to-end encryption. As you probably know, EFF has a lot of interesting projects to encrypt the web, encrypting data in transit, so we have HTTPS Everywhere, we started Certbot. But this year we saw the implementation of the Signal protocol for end-to-end encryption in all WhatsApp messages, and WhatsApp is the largest messaging platform in the world. So that brings end-to-end encryption by default to hundreds of millions of people, and I think that's got 1.1 billion people. 1 billion dollars. So I think that's a pretty big deal. It's a big win.

So last year Let's Encrypt was just in beta, and this year it's everywhere, I mean in the developer community at least, and I'm using it in production now. I was sick of paying for certificates every year and everything, so thank you for that. What are the next steps for Let's Encrypt, and how do we get it kind of everywhere and make that the default for everyone from the WordPress guy all the way to the back end server admin?

So one thing that I think either just happened or is about to happen is that the Let's Encrypt root certificate is going into the Mozilla trust store, which is pretty awesome. And then, let's see, we're working on new challenge techniques, or new challenge protocols. And we're just going to keep pushing it out. At some level it'll just keep being adopted; people keep using it. I think third, but I also think it depends on how you measure. So yeah, just keep telling everyone to use it. That's basically it.

Hi guys. So I just have two questions. You probably know that the EFF is a big player nowadays and a lot of people use your extensions and Let's Encrypt. So the first question is: can the EFF be in any way forced to cooperate with your favorite three-letter agencies? And the second is, if that happens, what kind of safeguards and ways do you have to notify users that this is happening, with some kind of kill switch maybe for add-ons or something like that?

So we have not received any national security letters, nor any orders to modify our code, so we can put that out there for now, and, you know, ask this question again next year, see what happens. But I think that this would be something that of course we would fight. We believe very strongly that the government should not be able to force a back door. One of the core issues that EFF has been working on for most of its existence since the '90s is the notion that code is speech, that you have First Amendment rights to publish code, and that if the government is going to come along and tell us what kind of code we have to publish, that would violate our rights. We also think they don't have the statutory authority to tell us what to put in our code, but even if they did have a statute, that statute would be unconstitutional. And I think that the second way that there's some assurance is that we put our source code out there. Jeremy, could you?

Yeah, I was going to say that the other addition is all of our extensions, as well as Let's Encrypt, or Certbot, are all open source, so you can check the source, you can compile it yourself if you don't want to trust the distribution channel. And then the other thing is also, just by default we don't really collect any data. HTTPS Everywhere, if you turn off the SSL Observatory, doesn't send anything back to us whatsoever. Privacy Badger doesn't send anything back to us. I think maybe crash reporting or something like that, if you turn it on. So we don't have much to give the Feds even if they came to us, which is of course by design.

Also, we're a hard target. Yeah. They would have to have some brass to think that we were going to backdoor anything.

Similar to what we've heard before: thank you guys so much for everything that you do. It makes us able to, as a pen tester, and I'm sure as many other people here, thank you, makes us able to do what we do. You mentioned earlier the Signal protocol, which has been incredibly successful with its integration in several different apps, including WhatsApp. Is EFF doing anything to help, either from the technical side, help develop it, or from the legal side, make it more available and make it easier for people in maybe other countries to access it?

Crypto export plug.

Well, I was going to say, one thing we are working on, some of you may be familiar, we had this Secure Messaging Scorecard up for a while. We're working on a revamp of it, and really the main focus of that is to encourage developers to basically adopt better protocols, better tools, better designs for secure messaging. So I would say watch this space; that's going to come up again soon, and we'll be rating, not so much rating but basically listing, which tools we think are secure, which ones we would say avoid at all costs. So that's part of it. I don't know if, Katitza, you wanted to...?

Just one quick preview of the revamped Secure Messaging Scorecard: there is no such thing as a completely secure tool. There is nothing that will be in our top tier of "this thing is perfect"; sort of nothing is getting five stars. Everybody has room to improve. There's lots of ways to go, and we're hoping we're going to see a whole lot more integration of end-to-end encryption and secure messaging tools in the future.

To answer your question, we promote some tools on our Surveillance Self-Defense. One of those is Signal. And we do, Eva does, a lot of security training for potential trainers in developing countries and around the world. We just finished a tour in Mexico through all the country, and so we do a lot of that. Our guide is in several languages and we are also looking to translate it to more.

Yeah. I also want to thank you very much for all your work that you're doing, including net neutrality. My question is about net neutrality. It seems certain mobile carriers are getting away with getting around net neutrality by zero rating certain streaming providers. What are the EFF's thoughts on, like, whitelisting only particular websites, like streaming sites?

So we definitely have... zero rating is complicated, right? Because on the one hand it's very easy to say, well, there are reasons to say it can be useful in certain scenarios and make it a lot easier to access the web for people. At the same time it's really easy to make it into a tool that distorts competition and really makes it hard; it can almost be a form of censorship in some sense. So we are keeping an eye on zero rating. If you saw our blog post at the very beginning of the year that got the T-Mobile CEO cursing at me via Twitter... So we're continuing to look at that. We don't at the moment have any big complaints or anything planned, but we are sort of staying on the topic, keeping an eye on things, so it's on our radar. And we're following the FCC enforcement actions pretty closely.

Thank you.

Let's Encrypt presents an obvious threat to the incumbent industry. What does the EFF see as the future for for-profit certificate authorities, and what do you think they should do to stay relevant, if anything?

Okay, well, so one big thing that Let's Encrypt doesn't do is extended validation. It's only domain validation. So it is really just authenticating that you control the domain you say you do. It's not saying that you are in fact the organization that you say you are. And there's no way to easily automate that, and because Let's Encrypt wants to be an automated system, we're never going to really get into the extended validation business. So that's an area where for-profit CAs can still do things. I would say, just off the top of my head, that's the biggest one. In some sense, part of it too is just we wanted to really hit that long low tail. I don't think Bank of America or whoever else is going to switch to a Let's Encrypt certificate just because they really like that extra little green bar in the URL bar.

Thank you. My question is regarding the root cause for Canary Watch being abandoned, and what the best direction for it is for national security letters.

Well, thank you. So I worked on the Canary Watch project and I work also on our national security letter cases. With Canary Watch, we had a lot of ambitions for the site. We wanted to have something that would list out what various canaries were, have automated checking to see if there were any diffs, and then it ended up having a lot of false positives that were just because of the URL changing or the format changing, or something about it changing that wasn't a meaningful one. There were also a couple of instances in which people just didn't update things in a timely manner, but then they did, and so it was a sort of human-error false positive. So it was not really being effective at the concept. I actually think that for people who want to be transparent, who want to be able to say that they have not received a national security letter, regularly issued transparency reports where you list everything, you put the subpoenas, the warrants, whatever it is you might be getting, and you would say national security letters: zero, FISA court orders: zero, and you issue those just as many companies do, going all the way up to giant telecoms and internet companies who regularly issue those. And then every, say, six months you issue a new one, and in each one you say the most that you're allowed to by law. So if it's zero, you can say zero. If you receive one, you might not be able to say anything at all. But in all cases you just do the most that you're allowed by law. And also, if you get that NSL in the meantime, reach out to EFF, because we want to work on that. We are already litigating on behalf of two companies that have received national security letters. We're challenging the constitutionality of the letters; they're gag orders. That is going up to the Ninth Circuit Court of Appeals right now. We think that they are a tremendous constitutional problem. These letters are going out without court involvement, a gag order that only has court involvement on the back end after you complain about it, and that doesn't comply with the First Amendment. So that's what we do about NSLs. We need to get NSLs found unconstitutional and stopped. You can send your email to info at eff.org.

Alright, thank you. And we have two minutes, so this may be our last question.

Alright, I want to thank all the good work you guys do, and I've donated to you in the past. Thank you. But having said that, I don't actually follow you guys that closely. But I do have a question. You guys are rooted in the Western legal systems in Europe and the United States. But what about areas of the world, in particular China and Russia, where the legal systems are not the same, basically? Do you have partners? What kind of work have you done in those areas? And that's pretty important, because there are like 300 million people now in those areas.

Alright. EFF actually has an extensive international team. The internet is global and so are the problems on it. And some of what we do is policy work. Obviously we don't do policy work... impact litigation outside of the United States, because this would require us to have a lawyer from every country, and that's more staff than we actually have at all of EFF. But what we do is trainings; we provide all kinds of technical advice. We have a project called Surveillance Self-Defense, which you can find at ssd.eff.org, which is translated into eight languages, including Russian, if I remember correctly. That gives you all kinds of technical advice on how to keep yourself safe, especially in situations where you do not trust the government. Basically, if you don't trust the government, encrypt everything. Alright.

And we do policy work.

Yeah, and we do policy work. Because we cannot have lawyers in each country, we work with lawyers in each country to fight draconian surveillance laws. We share knowledge on the topics. But we also use international human rights law in order to defeat those bills that are in congress, because in many countries outside the United States, especially developing countries and the European Union, the European Court of Human Rights or the Inter-American Court of Human Rights really has a little teeth, and you can sue the countries violating international human rights law. It's not as powerful as the other kinds of litigation, but we can testify; we can use those to defeat laws.

Alrighty, so unfortunately we're out of time now. But before we finish up I just want to do a little public shaming. How many of you are EFF members who have renewed in the last year? Okay, great. So for those of you who don't know, we are not as big as you might think. We're a group of, you know, 70 employees who make all the amazing things EFF does happen, and we are a member-supported non-profit. So please stop by one of the booths, get an awesome DEF CON t-shirt, so that we can keep doing the awesome work we're doing. We're in the vendors room and in the contest room. And stick around, because Nate is going to give an awesome talk about the state of the law with respect to crypto. So thanks everybody for coming. Thank you.