Welcome everybody to Ask the EFF and Meet the EFA and it's lovely to be back, sort

of, at DEFCON for another year. We've been doing Ask the EFF for I think since DEFCON 13. Taking your questions about the Electronic Frontier Foundation.

Sorry, I had two things on our channel here so I had to deal with the echo. So, it's great to be here. We have a amazing panel for you.

And we will be going down the panel, so you can get an introduction. Let me introduce myself. My name is Kurt Opsahl, I am the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. And I am delighted to be back here. I work on a number of different things at EFF. One of them is the Coders Rights Project along with Hannah, who you'll see shortly.

The Coders Rights Project is where we provide free legal advice to security researchers like yourselves when they have questions about legality of their research, issues that may arise from disclosing it when a vendor gets upset. And these are things that we often provide to this community.

I always begin this panel with noting that this is not the time for those questions. You need to have those conversations in an attorney-client privilege situation, which is not when it's being live streamed to everybody at the DEFCON Twitch channel. So we're happy to ask questions, including questions about general legal principles. But if it's about

your particular situation, and that includes when you're like asking for a friend but it's really you. Those are not the time to ask these sorts of questions, but feel free to ask your more general questions.

And we can talk about an addition of the Coders Rights things. We have Hannah here, so we'll introduce yourself in a second. We also have the opportunity to talk about, well, one of the things that come up lately that Eva and I worked on TikTok and the ban, also expanding to a ban on

ByteDance and Tencent, the parent companies, a lot of interesting implications there. You can hear a bit more about our activism work through Rory. So we've got a good thing show for you. Looking forward to your questions. So why don't we started out with Rory, you want to begin?

Yeah, sure. Hey, DEFCON. I'm Rory. I'm the newest member of the EFF Activism team. And I came on in March as the grassroots advocacy organizer. In that role, I work on the organizing team, which manages the EFA, which is our nationwide network of over 70 local grassroots organizations.

Not going to spend too much time talking about that because you're going to meet them for yourself in just a little bit. But the gist of it is, unfortunately, EFF can't be everywhere at once. And these local groups really do a lot of heavy lifting for city and state level issues and are incredibly important for our success.

And I'm lucky enough for my role to be building a lot of these relationships with local groups that are either currently members or potential members for the EFA. And I'm actually lucky enough to come to the EFF and this organizing team from an EFA group myself. I was a founding member of the cyber collective, which you'll also meet in a little bit.

So I'm really excited to have benefited so much from this network. And now I get to give back and help construct and build it further. In addition to that, part of my background, I care a lot about digital security for activists and LGBTQ plus communities. That's very much part of my cyber background.

I'm also technically still a grad student, but a former grad student and adjunct professor. So I care a great deal about student rights and teachers rights and concepts like open education, campus privacy, open science.

And then finally, we talk a lot about EFA being in kind of three buckets, unofficially, of the workshop bucket, the advocacy bucket, and the makerspace or hackerspace bucket. And it's that last one that I really am hoping to expand on moving forward. We already have a lot of great hackerspaces in the EFA, including several DEF CON groups. Shout out to DEF CON 201, 319, 313, and 919.

And then also artistic digital art spaces like Eyebeam and NYC. So I think it's really important that we expand into this creative territory. Because honestly, creativity and fun are a really important part of movement building, I think.

The old, if I can't dance, it's not my revolution. And I think these issues of freedom of expression and play are one of the best ways to get people engaged in digital rights issues. Because you might not think about copyright or patent or DRM or right to repair or any of

these issues until it becomes a barrier between you and this really cool project you want to do. So I think it's a really important part I'm hoping to expand. So I think there's a lot of folks in the audience that are involved in those sort of projects. I'll plug now. Reach out to me at Rory at EFF.org or organizing at EFF.org.

And then I guess we could go to Hannah. Hi, I am Hannah. I am a staff attorney at EFF. I'm super excited to be virtually part of DEF CON. Really looking forward to the day when we can attend in person.

But I, like Rory, I started very recently. I only started in April. It's kind of an unprecedented time and a very unique time to be starting work at EFF. There are a lot of issues that have come up in relation to the things that have been going around in the world in 2020.

COVID of course being one of the large ones, but also the protests that have risen up around the country and indeed around the entire globe for justice, racial justice against police brutality and related topics. My background is actually in criminal justice. So I come from having practiced in criminal defense law for a number of years before joining EFF.

So as Kurt mentioned, I am part of the Coders Rights Project and he already gave a really good explanation of that so I won't go into it.

But needless to say that it is an important part of our work and I as someone who very long time ago in a different lifetime for undergrad had a computer science degree really appreciate the kind of work that we can do for independent security researchers,

hackers, tinkerers, anyone who's interested in poking around in systems and the like. And recently at EFF, I guess my most recent cases, I've also worked a lot on police tech and forensic technology because law enforcement and prosecutors use a lot of different types of technology from,

things like automatic license plate readers and facial recognition, which we hear a lot about, to things that we hear slightly less about like forensic probabilistic software, which is supposed to do DNA analysis and match DNA of people.

And, you know, you hear these giant numbers like one in three trillion or something like that where people are matched and actually there's a lot of issues with these technology. And what we have seen before is that law enforcement, that these kinds of technology tend to be used against marginalized groups and against the most vulnerable community.

So we really should make sure that they're constitutional, that they're accurate, that they're not biased, and if they are, they should not be used at all. So I look forward to engaging with the DEF CON community and to listening to all your questions.

Thank you. Eva? Hi there. I'm Eva Gelper and I'm the director of cybersecurity at the Electronic Frontier Foundation. This is extremely not my first DEF CON. I have been coming to DEF CON since somewhere around the year 2000.

Dinosaurs were roaming DEF CON. And it was sort of in this setting that I discovered EFF, a little sort of clueless teenage me. I went, hey, these guys seem to be the good guys. I should do that one day. And then I did. So I've been at EFF since 2007, and I have done, I don't even know how many of these SQFF panels.

But right now what I do is I run the EFF Threat Lab, which is a group of researchers who work specifically on issues that affect particularly vulnerable populations.

So people who are protesting, people in LGBTQ populations, people who have unpopular political opinions, people who are part of ethnic minorities, we're interested in having their backs. And I don't know if you have been watching some of these DEF CON talks at the virtual event.

But my colleague Cooper Quinton gave a talk on his project, Crocodile Hunter, which had to do with tracking fake base stations. And I strongly recommend that. It's based on the work that he did with our colleague Young-Nung.

So I can answer questions about that. And also I can answer questions about TikTok and about general sort of privacy and security advice and how to reach out to people in a way that moves them to action but does not scare their pants off.

All right. Well, thank you for that. So that is the introduction to our panel. So Alexis is a little bit late, but still lovely to have you here. Alexis, you want to give an intro, please? Hi. Sorry for being late. I'm Alexis Hancock. I am a staff technologist at the EFF, and I've been around working at EFF about two years now.

So coming on my two-year anniversary, actually, just now I realize that. I work on the project HTTPS Everywhere, and mainly that's my main focus, but I

also do research on other aspects of consumer privacy and how it impacts different populations. So that's been my focus as of late, especially with COVID immunity passports, which mentioned verified credential technology. So dealing with mobile identities research and how that may impact the general public.

And that's my intro. All right. Well, thank you, Alexis. So that is our panel. We are now going to turn to your question. We've had a few questions come in. So one question is, what is the strongest and most readily understood argument to support protection of end-to-end encryption?

We're talking with organizations, particularly non-technical audience, working to address controversial complex topics such as the transmission of child sex abuse materials. So, Rory, did you want to have something to say on that? Yeah, definitely.

So this is something that I think comes up a lot when you're engaging different communities on things like end-to-end encryption or even just the concept of hacking. People have this very NCIS kind of concept of what that means, that you must be like a shady character. But what I usually like to pivot to is say it's less about being shady and being

on the margins, more about being on the margins, that end-to-end encryption is really important. Yes, sometimes for people with nefarious purposes, but also people with very good justice purposes. And the power of breaking end-to-end encryption or banning it is one that you have to consider.

Is that a power you want? You might be comfortable with the U.S. president having, but are you okay with another foreign leader having, current leader, future leaders? And thinking about who is on the margin and who are we protecting with this technology.

And ultimately, everyone has the right to have that protection, right? It's part of being able to speak freely and live in a free society, to have some privacy. So I think that's usually a good hook for folks that are kind of just honestly perplexed by why anyone would support end-to-end encryption.

Thanks, Rory. I'll add a little something from my experience. I've been to a number of events or conferences where people from the organizations that are trying to stop childhood sexual abuse were present. We talked about end-to-end encryption. And I'd say that they actually were understanding about the human rights concerns.

You know, they have their very strong position. They want to be able to do whatever they can to stop child sexual abuse materials. But I would say in terms of just talking about it, they were a lot more understanding that there were countervailing human rights concerns about breaking encryption than the government, people who were at

the very same conferences, who were often using or pointing to those groups in order to support their arguments. I think we're not going to agree on the ultimate path for encryption, but I think that they would say if there's a way to have great strong encryption, that is fine, so long as their needs are addressed.

But we can have the conversation at least. All right, we'll get to another one of your questions. What would you say would be the difference between Congress interviewing Mark Zuckerberg in 2018 and Congress interviewing the tech giants a few weeks ago? Anyone been following that?

We don't have our ledge team on. I did watch the antitrust hearing that came up recently. I won't be able to speak historically to what our ledge team thought of the previous hearing, but from what I did surmise from my colleagues that watch both.

Zuckerberg generally seems more prepared for these questions from Congress. The other CEOs that came through with the original intention of what the hearings are about are trying to

see like exactly where are the PowerPoints that you can focus in on with these organizations and where exactly are they overstepping and the differences between the last one and this one, from what I surmise was that they were just coming to terms with privacy issues and how the

general public are worried about them with Zuckerberg and Facebook, Cambridge Analytica. All those different types of like themes came up with his hearing in particular, and he seemed more strained then. And then this time around, he seemed way more prepared than the other CEOs. So the other CEOs had came and asked about this.

And we also want to call to the other previous antitrust hearing that Bill Gates attended two years back that the legislation team also mentioned, where that was kind of like the beginning of Congress's thought patterns on how to regulate and what to do when it comes to tech companies gaining such a mass amount of market power.

So I do suggest looking back at that hearing as well and seeing what people's opinions were on that, because that was kind of where it started, I believe, with Congress's thought patterns on what to do and what to ask when it comes to tech. Mark Zuckerberg's hearing was very much so rife with people who didn't quite understand how the

tech and were asking questions that didn't necessarily get to the meat of the issue on why exactly Facebook has been nefarious and why exactly Facebook practices are a problem versus understanding other things. That came up again at this recent antitrust hearing where a couple of Congress members or at least one I

remember in particular who didn't quite understand how spam email work and kind of tried to blame Google for that. So that was pretty much what I saw from the recent hearings from Facebook side. Apple was mainly quiet around the issues that we wanted them to talk about.

But overall, I did like the round of questioning that did happen from some of the representatives on the judicial committee and tried they tried their best to grill them on the things that did matter at times. But then it's a balance between the different parties and what their intentions were.

It seemed like the Republican Party was more focused this time around on censorship. And that's not antitrust. So it went from good antitrust question to really bad sidetracked censorship question. So not focusing on antitrust was a real big, I think, pain point for a lot

of people watching who really wanted them to focus on the antitrust portions of the questions. And that's my peripheral summation as a non-legislative person from EFF. All right. Yeah, thank you. And go to our website to get more information because we have blog posts covering both those sense of hearings.

So another question came in. Does EFF as a U.S.-based organization, how does EFF as a U.S.-based organization see its role internationally? I think Eva got this one. All right, I can cover this one. I worked as part of EFF's international team for many years.

And EFF started out as an American-based organization. And this was largely because we saw ourselves as a group of people who primarily did impact litigation. And so we had a bunch of U.S.-based lawyers because the U.S. is where most of the laws that were impacting the Internet, were impacting the cutting edge of technology, were being made and where the court cases were happening.

And we are not entirely about impact litigation anymore. And those cases aren't necessarily happening in the United States. You're starting to see them in European courts, in Brazilian courts, in Russian and Mexican courts.

The U.S. president apparently would like our Internet to look more like China's. And that is a fairly serious problem that requires an international approach in order to fix.

So having said that, what we did was we built an international team. We have people who do international law, who understand international human rights, who speak to the U.N. We have people who are not based in the United States. We have people who go and talk to the Hague and to Brussels.

And also people who understand that the Internet isn't just the developed world. The world is not divided up into the West and the rest. And that the rules which govern the Internet need to be fair, not just to Americans and to Europeans,

but also to people in the global south and that their voices really matter when it comes to this conversation. And often they're the people who get left behind when we talk about privacy and security because they're the people who are using some of the slowest infrastructure.

And they're often the people who are using the cheapest products in order to get online or to communicate. And often if you did not pay extra, then you are the product and you're essentially selling either your privacy or your security. We find that very alarming.

We also built a set of privacy and security guides, and we have those translated into eight different languages. We update them regularly, which almost no other security guide does. Everything has a date on it that tells you when, you know, this advice is good as of this date.

And we translate it into eight languages. So the Internet, in addition to being global, is not just English speaking. Thank you. Another question was, any advice for loosely federated national organizations working to

simultaneously prevent doxing while preserving accountability, i.e. doing IAM for an organization where the national may not know or want to know all of the local's members? Yeah, I could take that one. So it's a really interesting question. I'd want

to know a lot more of the specifics before giving any kind of concrete advice. But I will say loosely federated national organization makes my ears ring a little because the EFA is a national organization of a network of people coordinating efforts. So I think there's probably a lot of overlap.

If you went to eff.org slash fight, we have some really useful toolkits. So I think some sample suggestions would be establishing basic principles on the onset and maybe writing up like a simple mission letter and having those groups sign on to it. I think where it probably diverges a bit is if you don't necessarily want to know the individual federated instances particularly closely.

On our end, it's really important to build those kind of intimate relationships with our members and find these kind of intersections. So maybe finding another way of communication among maybe more anonymized communication among the members of the federation.

So those are some things that come to mind. Definitely check out the toolkits. It's not exactly the same as coalition building, but I definitely see some overlap there. Wonderful. Thank you, Corey. So the next question is from DC 201.

We are a lot of streaming on the crypto barons right now and did a review of the article about California using blockchain to track people's COVID-19 status under a social credit system and a secure record. We want to hear straight from you guys your take. Keep up the good fight.

Alexis, you've been working on immunity passport issues. What do you have to think about this? So actually the immunity passport work came directly from this bill. The bill in reference is AB 2004. And that's been in play for a while. And the EFF opposes it for several reasons.

One of it is the fact that it's using a techno solution based practice towards a very, very loose dynamic situation. Could verify credentials, which is the technology mentioned in the bill, is for more static purposes. And also immunity passports aren't something isn't something that is actually normalized for the

general public to enter buildings, to enter their job, to enter venues or public spaces. This is not a practice that's been in play in the history in the United States with immuno privilege isn't a good one. If you go back and look at the yellow fever in that position, you'll see that the United States has a very bad track record of handling immuno privilege when you have a certain

amount of population who can't exactly get testing at equal rates as other people in the population. So not being able to update your status as much. We don't know, according to health experts, exactly how COVID works still. People

are getting reinfected. There's other people out there with COVID who may be asymptomatic. There's other and we don't know how the antibody testing will be handled in the future. So rolling this out as a techno solution, using blockchain for the verified registry and a verified credential isn't necessarily something that calls to arms where

you're building up something with a technology that claims it's going to be very secure and very straightforward. But at the same time, this is not a straightforward time. COVID and immunity isn't a straightforward practice at the moment. So trying to build up something and say just because we're using encryption and just because we're using a secure tool doesn't necessarily mean the tool itself is good or the credential itself is good.

We don't even have a plan on like how we're going to handle sending kids to school. So like being able to roll out something as COVID immunity passports, we're using blockchain.

It's a very techno solution, Silicon Valley approach to something that we cannot just roll out something or an app or a technology and say we saw the pandemic, everybody go out and have a good time. That's not how this works. So that's our take generally on it. And we oppose this bill still. And you will see more recent

blog posts if you go on to the site. And going over that again, we've written several times on this and hopefully they listen. And generally, I just want this bill to die. And I don't want to see anything go through with this because I just don't think community passports, or verify credentials are using blockchain for a verify registry is the solution to this we're going to need a multifaceted

policy based approach to this pandemic, and we can't leave it up to all we use watching everything's fine. Thank you. And the next question is, what type of rhetoric do you think the force selling and restriction of tick

tock and other Chinese apps will set will network sovereignty be a philosophy, we will have to fight in the near future. So as it happens, actually, right before this, Eva and I were working on an op ed to talk about the tick tock ban. And we've been actually looking very closely on the ban on tick tock and also on 10 cent, the makers of WeChat.

And also things like League of Legends and a 40% owner of the owners of Fortnite. So this is a very, very hot issue here. And I think, from a legal and constitutional perspective, this ban is extremely troubling.

The the authority, the sanction authority that the the president has invoked here has an exception for communications, including a implicit prohibition of communications, and a ban that would stop people from using tick tock would be exactly that

it's a to be outside of the statute, but perhaps more importantly, on a constitutional level, it is banning a means of expression that the power to say, you know, unilaterally within executive order that the president could say, you can't use this

particular communication channels anymore, you can't speak to the audience through that channel has tremendous implications for for free expression. And it goes beyond what what should be tolerated. Now, I understand like a lot of people also are concerned about, well, D, you know, but tick tock, they're, they're gather a lot of data, they've had some privacy scandals, but I'll turn to Eva to talk a little bit more about the the privacy and security concerns.

So I'm not going to get up in front of everybody and tell you tick tock is totally safe. I will tell you that, for the most part, it uses the same, the same permissions and

is has many of the same security and privacy vulnerabilities that you see with similar social media apps. The only difference is that tick tock is located in China, they are owned by a Chinese company, they have employees in China. They say they do not keep any US data in China.

But the real question is how much, how much do you trust tick tock. Is this what tick tock would say, even if they weren't keeping us data in China, even if they were handing over all of the US data directly to the Chinese government. And I, for one, don't trust the Chinese government very much.

Having said that, we are deeply opposed to the idea that the president should be able to ban an app via executive order, there are a whole lot of there are a whole lot of legal problems with that. And it really sort of eclipses any kind of real conversation that we should be having about data sovereignty,

because after the Snowden allegations, one of the very first things that happened was the European countries started working on eventually becoming the GDPR and talking about data sovereignty in a much more serious way because they

felt that they couldn't trust US companies to not hand over data to the NSA, and they're right. And we should not be hypocrites who think that it's not okay for companies to hand data over to governments, unless it's ours, in which case it's totally fine.

You know, we have rule of law and human rights and stuff. My willingness to believe in our rule of law and human rights is increasingly strained. So, I think yes we are going to be talking about data sovereignty, and one of the biggest problems we're going to have is that we are going to find ourselves battling xenophobes.

People who are appealing to nationalism, and to sort of anti-Chinese hatred as a way of knocking out the competition or lashing out at people who are not like them. There are real concerns about TikTok, but these are not the concerns in question. The people who should be really

concerned about TikTok are the people who are worried about having their data fall into the hands of the Chinese government. So if you are a Uyghur, if you are a protester in Hong Kong, if you are friends with a protester in Hong Kong, if you're a journalist who wants to protect your sources, and you have sources that are of interest to the Chinese government.

If you're a COVID-19 researcher or a Fortune 500 executive who is worried about having the IP for your company stolen, then yeah, you should really be concerned about TikTok. But a full ban is absolutely not the answer.

Alright, thank you. I'll just add on to that. One of the aspects of this is it's balkanizing the internet. It's sort of the notion that there will be apps per country. And this is something that is very concerning. One of the benefits of the internet is that it is a worldwide forum.

I can see people's real concerns about the privacy and security of data in other countries and whether it is, as he was saying, the European Union was concerned about data in the United States. Brazil has been concerned about data in the United States.

Of course, sometimes, I think like in the case of Brazil, it's not because they want to protect data from themselves, they actually want the data locally, so they can be the ones spying on it instead of the NSA. And I think the better solution to all of this is to just worldwide have protections against massive spying, and that is a hard job. It will take policy, it will take law, it will take technology.

But the ultimate goal, I think, is to have a worldwide internet that also has safeguards to protect privacy. Alright, we'll get on to the next question, which is, what is EFF's position on spyware such as ProctorU currently being forced on students for exams in some North American universities?

Anna, did you want to introduce that topic? Sure. Of course, and I know others will have stuff to say about ProctorU and other types of software like ExamSoft as well. But of course, what ProctorU and ExamSoft and all these types of software do is very concerning.

I mean, student privacy is incredibly important, especially since students, the example I believe the question I gave is at universities, in which case, most of them are likely to be over the age of 18, but we know that some of these are also used in classrooms

where the majority of the students are under the age of 18, and that carries a lot of implications for their rights and what consent really even means in those situations when they're consenting to having their privacy invaded or to installing these apps and using them. It's also important to remember that these programs, as they are, are not the first instances of how

student privacy has been invaded. We know that students use a lot of school-owned and school-issued devices, and we really encourage robust protection for their privacy for their uses of even school-owned devices.

This is just another example, I think, of invading the privacy of students, the ever-increasing encroachment into their private lives by having these software. And of course, some of these so-called software's functionalities are really the type of Trojan horses and spyware that we really

rail against when they are from other companies and not exam ones, but I think others also had things to add to this.

Eva, you want to add something, or Rory? So our security researchers are currently working on a project in which we are looking at a lot of the software which is being rolled out to proctor tests all over the United States, especially as

it becomes increasingly clear that teaching is going to move online and is going to move online for a while. Frequently, these apps are incredibly invasive. They are not particularly great about explaining what they do or asking for consent.

Often, they can continue to monitor students long after their sort of schoolwork time, and we find that really disturbing. So research is coming. We will publish research. And Rory?

Yeah, and I just wanted to quickly plug, we have a blog post recently about this on our website called University App Mandates, or the Wrong Call, written by some of our colleagues. And it brings up some really important points I want to echo here. One of the main things is these mandates, not just for proctoring apps, but for contact tracing and

things like that, make a lot of assumptions about students that are problematic, for example, assuming their devices. A lot of these only work on Windows and Mac OS. Plenty of Linux users or even Chromebook users have complained about not being able to take their class because of those restrictions.

There's also a play of concerns about accessibility. For example, when students have screen reading software, it can become an issue to use these tools. And then just the broader issue of having reliable broadband and schools not offering an alternative to these online proctoring solutions. And then more broadly, it goes against all the stuff of open education that

we know and love. Education should be easy and not infringe on your other rights. To quote the blog real quick, universities should strike down any app mandates and should pledge to not include them in future student commitments. It's something that a lot of EFA student groups have reached out about so far.

So I really encourage you to also reach out. It's something I'm very interested in pursuing. Great. So another question we had was about, it's also on the international front, it was about whether there's an EFF affiliate in Canada.

And so we're actually going to give you some background. Once upon a time, in the midst of the past, there were international Electronic Frontiers affiliates. And in the 90s, the early years of EFF, we moved away from having an affiliate model, but we didn't kick people out until they had to stop using the name.

So there actually are a couple of Electronic Frontiers affiliates left. There's Electronic Frontiers Finland, I think is probably the most active chapter. There's also Electronic Frontiers Australia, and I believe Italy is still somewhat around. But we do not have a actual affiliate in Canada, but there are a number of

organizations in Canada that we have worked in. I think Eva you've worked a lot with some. The Citizen Lab for Gavil? Yes. So the two that I was about to suggest are CIPIC and Citizen Lab. Citizen Lab is based out

of Toronto, and they're all academics and security researchers. I highly recommend we put out some research with them, they're great. And CIPIC mostly does law and policy, which is good because the law and policy in Canada matters just as much as it does in the United States, having people who are working on this is really important to us.

Very good. So another question we have in here, how does the US approach to privacy legislation impact your work? I mean, sometimes it is the work, but is there any hope that it may be changing in the

next five to 10 years? Is there a realistic hope for any more GDPR style approach in the US? Anna, do you want to talk about ECPA and CALICPA? Sure. So I don't know if there is any realistic hope for a GDPR style federal legislation, given the type of gridlock that we see currently in DC.

It doesn't seem like that kind of tension that prevents something like GDPR being passed will really dissolve anytime soon. But what we know is that it is effective on a state to state level. So we do have the federal ECPA, which is the Electronic Communications Privacy

Act, and it's supposed to protect electronic communications and the stuff that you send. It is not nearly as protective as, for example, CALICPA, which is the California version of the bill.

And now the California law, CALICPA, is much more protective because it also provides a remedy that is a right for the person whose information has been collected, wrongly collected in violation of this law to challenge and have that information suppressed, deleted, which is not something that the federal law offers. A thing that we always joke in lawyer circles is you will

have all these laws that have rights, but when they are violated, the laws don't tell you what you get to do. You don't get money. So, for example, if you were wrongly convicted, you don't get any money from the state for the years that you spent in prison.

So you can have all these rights, but that doesn't mean that those rights come with ways to enforce them and to effectuate them. That's why something like CALICPA is such a monumental law. First of all, California being the largest or most populous state in the U.S., it affects a large number of people.

Second, obviously, the tech industry is centered in California, and third, because it is the most protective law in the United States of its kind. It requires that the government, any branch of government, so not just law enforcement, but

any government entity to have to comply with certain regulations in order to collect electronic data. They can't just pass a law that says, okay, from now on, we can collect, for example, schools can collect all this information about students, and in fact, there was some discussion on that.

And we actually have a case right now regarding CALICPA because the city of L.A. passed a law where it required all the scooter rental companies to provide real-time and historical movement

data of every single one of their scooters, and we are challenging it as a violation of CALICPA. So it really demonstrates that privacy legislation can work on a state-to-state level, so it's still very important to vote for your state representatives, your state assembly people, and your state senators.

And even if the D.C. will never see, or it is unlikely that D.C. will ever see a GDPR-style law in the near future or foreseeable future, it's still something that you can get passed on the state level, especially one where there may be state legislators who are interested in protecting this kind of thing.

All right. I'll just add a little bit of that on the CCPA, the California Consumer Privacy Act. So what Penny was talking about with ECPA is privacy, mostly vis-a-vis the government, but there

also has been a consumer privacy law passed in California, which provides certain rights that are like GDPR. It has a number of exceptions for smaller businesses. It is probably not considered to be as strong as the GDPR. It's not nationwide, of course,

just in California. On the other hand, a lot of the tech companies are in California, meaning that it does have a big effect on that industry. Now, what's going on there is that the law went into effect at the beginning of this year, but there's also a proposition on the ballot in California that would replace the CCPA. So I guess

we will find out in November whether the CCPA will continue or it will be replaced with something else. And I totally agree that the GDPR-style thing at the federal level seems unlikely, at least

for now, though one effect of the state-by-state process is if, as often happens, different states come up with different rules, that puts additional pressure on the companies to abide by the various rules.

And they become more receptive to having a national standard. On the other hand, they will also, especially if they're like data brokers and such, will want to lobby to make sure that those national standards are a ceiling, while the privacy advocates would like to have the national standards be a floor.

So that could move, well, it'll become all the more important to be involved. But I think, actually, you can be involved through the EFA. Rory? Yeah, if you're interested in being involved, please reach out to organizing at eff.org. We're always excited to have more

organizations join the network. But also, if you're not directly related, if your group's a little tangential, but would like to be put in touch with another EFA group that is in the organization, you can see a list of them at, again, eff.org slash fight, or email us and we'll put you in touch with some local advocates and get you involved.

Again, base building, the more people on our side, the better. And especially for local issues, the EFF is only so many people with so many resources. EFA groups really help us address these really local issues as well.

And so there's a lot of actually ways that you can get involved with EFF. So there's the EFA route, you'll get to meet the EFA. And we'll start that in about 10 minutes. There's also the Action Center, act.eff.org. You can go there and we'll try to help you get your voice heard.

And you can also get involved, a lot of you in this audience are probably coders. And you can get involved directly with our open source projects. Alexis, you want to speak about that a little bit? Yeah, sure. There's several projects that we have right now that definitely, you know, we're always open to people contributing certain things, especially when you have a certain fringe case that you feel may apply to others.

When you bring things like that up in the repo, we pay attention and we do our best to try our best to actually accommodate these scenarios and cases because we know people who use our tools are trying to stay safe online and private online.

So there's HTTPS Everywhere. That's a project that I'm the lead on. And we have Privacy Badger, which is another web extension that you all may use. And we have Certbot. And we have Panopticlick. I don't think Panopticlick is open source, actually. It may be, but it's another tech project that we have.

People can find this all on GitHub, right? Yeah, GitHub. And if you go on eff.org under tools, I believe there's a whole menu that lists our tools that we have and the ways you can use them and how you can download them for yourself or get involved. With HTTPS Everywhere in particular, we have community sourced rule sets for sites out there that may support HTTPS.

And a lot of those sites don't actually enforce it, as you may know. So a lot of our rules tend to those scenarios in particular. But if you could contribute to those projects and actually be able to contribute quite a bit of pull requests, we pay attention.

So people on HTTPS Everywhere project, actually, when they contribute over a certain amount of time, we tend to ask them to be rule set maintainers. And those are a higher level privilege of maintainers that help us in the repo and work together with us in the actual organization. And we actually coordinate with our maintainers in HTTPS Everywhere.

I can't speak to every project, but that's kind of like a little bit of how you can get involved. All right, super. So another question we got here. Can I get free eff swag like stickers? Well, you know, we are a nonprofit organization, we are supported by people like you who helped donate to keep the organization going. And so we ask that people

make a donation, and then we thank them for that donation with wonderful swag, like stickers, but at, you know, fairly high quality. low donation amounts, you can get some amazing stickers, supporters.eff.org, or just go to the website, the donate page. And,

you know, does cost us especially now, when we can't be in person at DEFCON and just hand something to somebody, we have to ship it to you and such. So I think it would be great if you want to get some stickers, we'd love for you to have them. But if you just pop by the website and give a donation, we're happy to set you up.

And let's see, there's another question here. What kind of risks do non California consumers have when posing as a Californian in hopes they can get CCPA rights?

I think a lot of cases where you're asking to say, I remove my consent, or you're asking for the information, you can do that without really saying where you are from. And it probably would work out. But you know, I can't recommend that you lie, you know, I can end up being a

get into a weird place later. But you can probably get pretty far with just filling out the forms saying you do not consent. And it is, I think for a lot of the companies that are trying to be honorable about this, they are applying it on purpose, applying it to, to everybody, because it's more difficult

for them to differentiate between one database and the other of California non Californians, especially if you're a non California, but you happen to be in California, you're still protected by the California law. It's like if you're an American citizen, and you are in the European Union, you are protected by the GDPR. So it is a lot better

for the companies. And I urge them to all to just try and be cool about these requests. And if somebody says, I withdraw my consent, and you are relying upon that consent for processing their data, maybe stop, that would be like a nice thing to do and not be a jerk about.

All right. Oh, uh, so what other questions? Um, any biometric data laws like Illinois's brewing in other states? So Illinois, they had a biometric privacy law. There was recently a I think it

was close 600 ish million settlement against Facebook for violating the Illinois biometric law, which is a, you know, Facebook makes a lot of money, but you know, still 600 million, it's so you'd notice, you still got to write it in up in the in the annual report.

So it is turned out to be a very powerful law that case and also that law is being used for a suit against Clearview, the company that scooped up all the photos they could find online to make a massive facial recognition database. But I actually don't know, does anybody know if there are any similar bills moving forward outside of Illinois?

I guess we don't have a member of the alleged team on today's program. So one of the things that we we have seen a lot of for biometrics

is facial recognition bands. These are usually at the municipal level. So there's a lot of municipalities that have banned their their governments and especially their police departments from using facial recognition.

And a lot of the EFA groups have been been supportive of that effort. And this is a yes, see cops is the general name of a community control over police surveillance ordinances, which is basically the idea that the elected representative the city council should have control over what surveillance techniques are being used or should never be used against their their citizens.

And with, you know, all the police departments getting pressure to add more surveillance, getting funding from DHS to buy more surveillance, getting deals proposed by companies like ring to get more surveillance installed by the consumers.

It's very important to have these kinds of organs. And again, the EFA has worked a lot with that. So maybe this makes this a wonderful moment to begin our transition over to the meet the EFA portion of our program tonight. So I would like to please join me in thanking our panelists and Hannah Rory Eva and Alexis.

It's been wonderful doing another as the EFA with with Def Con again, I miss you all so much. I wish I was there in person to say hello to you all. Indeed, indeed. But we will hopefully see you next year. And thank you. And then families, you want to say any last last comments.

Thank you. All right, well, let's, let's do the transition to the meet the EFA panel. Hello. Thank you, Kurt. Thanks. Thanks, all of you. So yes, I'm Nash. I am the

associate director of community organizing at the Electronic Frontier Foundation, where I lead the organizing team. Rory joins me also as well as a member of the organizing team, and we help coordinate the Electronic Frontier Alliance, which is a network of over 70 community and student led and grassroots organizations around the country. So before we jump in that ever just first like going to join everyone else has been everyone in the chat and really excellent

about it. I also want to join them in thanking Alexis and Rory and Hannah and Eva and Kurt for everything that they shared. It's really an honor to work alongside inspiring folks like you, and the rest of our colleagues at EFA. I also want to thank everyone here who's supported EFA I see in the chat there's lots of folks that are talking about you know the different swag and there's

donations and support that you're given that you're that you've given us throughout the years and that hopefully you'll will continue to do the work that inspires you to do that going forward. So thanks so thanks to all of you for the last 30 years and in advance for your support as we continue to fight for digital rights and free expression for decades to come. And with that said, one of the things that I enjoy the most about my role at EFA is supporting grassroots

and student led organizations around the country that are working to preserve digital rights in their communities and empowering their neighbors with the information that they need to make informed choices about the way that they interact with technology and the internet. So in this next portion of our time together we're going to speak with representatives of four electronics frontier Alliance affiliated groups.

And then I think that the folks that are joining now would agree with me when I say that the work that they do isn't easy work but it's work that all of us can be engaging in wherever we are and then you know it's great to you know folks like Eva and Kurt and Alexis and Rory are all you know brilliant experts that are doing inspiring work, but really all of

you are the are the experts in what the potential is and the ways to support and the threats in your own community. So I hope that in addition to learning from the folks that you're that we're going to hear from now, it may also inspire you to either join into the work that's already happening if there's a group in your community, or to or to launch a group that could also be joining them in that fight, based in in your area. So, so welcome to the meet the FA portion of our

session. And first person I want to introduce this Tracy Rosenberg who, you know, Kurt spoke a little bit about community control over police surveillance, and the local bands that have been passed on on on face surveillance and Tracy is in addition to being the executive director executive director of media Alliance is a member of Oakland privacy and Oakland privacy is instrumental in passing some

of the first and some of the strongest community control over police surveillance bands as well as bands on face around. And so, yeah, so Tracy Oakland privacy really has a remarkable origin story, as well as a unique organizing model and stunning list of successful

campaigns. Can you tell us a bit about Oakland privacy mission and how the group was formed and maybe divulge a little bit of the secret sauce that makes open privacy so successful. Absolutely Nash. First of all, I just want to say I'm sorry my cameras acting up. So I'm going to go ahead and say a couple of things and then hopefully I'll be able to see everyone in person.

As we work through the panel. Sorry about that. I don't know, technology. So open privacy was originally the privacy wing of the occupy Oakland encampment, which is some of you probably know is a fairly militant and fairly late occupy and encampment back in 2011.

Folks were basically wanting to sort of understand all of the equipment and devices and technology that was being used on them by the very men.

police that were in the proximity. Once Occupy Oakland broke up, you know, you can never be too paranoid because we were doing PRAs and taking a look at stuff, and we found a Homeland Security project called the DAC, or Domain Awareness Center. It was a citywide

surveillance gauntlet that essentially was about 30% of the way implemented, and nobody knew that it was going on at all. We mobilized the entire city, we stopped it in the spring of 2014. And

then we devoted ourselves to trying to make sure that nothing like this would ever happen again here or anywhere else. So we were talking a bit about CCOPS ordinances. And basically, we've been trying to implement that framework, which allows for reporting and consent, and when

necessary, bans. And we are at about 11 or 12 cities nationwide. And I believe the 11th facial recognition ban just went into place last week in Portland, Maine. Awesome. I'm so eager, there's so much of that I want to dig more into. But first, I want to

make sure we get a chance to speak with the rest of our panelists. And so the next person I want to introduce is Elliot from Cyper Collective. And Elliot is a motion artist and a creative coder who works in interactive fabrication and large scale immersive experiences. And Elliot blends visual work with an interest in mutual aid, security, and privacy online. And so it's

funny, in Elliot's bio, it also mentions that Elliot is based in Brooklyn. Cyper Collective is one of the earliest members of the Electronic Frontier Alliance, and they're based in Brooklyn. But I always think as someone who's also from Brooklyn, I always think it's funny how, you know, when you're, it doesn't take very long to know when someone is from Brooklyn, because they tell you almost immediately. So I want to welcome, I want to

welcome Elliot to the panel here. And so thanks for representing Brooklyn, and thanks for all the Cyper Collective out there doing works and inform folks and give them the information that they need to make informed choices in their technology. And we're all gathering right now in safe mode today because of the need to protect ourselves and our

communities from the global pandemic. But in normal non-COVID times, Cyper Collective puts on a range of workshops, socials, and other events. Elliot, why is that? Why not just stick to one format? Well, I guess I should start by saying that I am from Brooklyn. Now that we've gotten that out of the way.

Brooklyn is in the house. Yeah, it's the least I could do. So to your question, I think that, you know, a big part of Cyper's mission and what we've been trying to do over the last few years is to make security accessible to everyone. And I think that that is key to why we have so many

different types of events. Because, you know, we're trying to rather than kind of represent one way to learn about security, that some people might, it might work for some people and it might not work for others. We want to have, we want to be able to meet people in the way that they're comfortable. And I think that part of that

is having a lot of events so that we can teach in ways that people are comfortable learning. And also to kind of, you know, bring a social aspect to security and try and build a community around it. I think all of which makes it easier for the average person to feel comfortable with and then being comfortable, start to educate

themselves about security. Absolutely, I couldn't agree with that more. And so next, I'm going to introduce Abhi and Abhi is with Black Movement Law Project. We use the abbreviation BMLP. And in full disclosure, Abhi and I have worked together for a number of years. And in fact, after years of doing legal support work in a range of contexts, Abhi

also International Human Rights Attorney Nicole Lee and myself started BMLP to support the building of Black-led legal support infrastructure in the US. And it was actually Abhi's idea way before I joined the team at EFF for BMLP to join the Electronic Frontier Alliance and for us to do our first round of digital security workshops. In addition to work with BMLP, Abhi is an attorney and technologist.

He's currently a partner at O'Neill and Hassan LLP, a law practice focused on indigent criminal defense. And prior to his work with BMLP and the other, some of the work that he's engaged in right now, he was the mass defense coordinator at the National Lawyers Guild. Shout out to National Lawyers Guild and all the work that they're doing across the country to support folks that are raising their

voices to call for justice and an end to police violence. And Abhi has also worked as a political campaign manager and strategist, union organizer and community organizer. And Abhi conducts trainings, speaks and writes on topics of race, technology, injustice and the law. Now, Abhi, a lot of the EFA groups fit into one of three boxes. Are they are they are they are some are some of them

span like Lucy Parsons Lab does digital security trainings as well as advocacy work. But those with those boxes generally fall into ones that are like cyber collective that focus on popular education, about technology and privacy. There's also hackerspaces. I know there's folks in the chat right now from Crashspace in Los Angeles. Thanks. Thanks for joining us and all the work that you're doing out there. And then there's also the hackerspaces

where folks are sharing tools and skills and resources and obviously the advocacy groups like Oakland Privacy. But BMLP is a bit of an outlier as as the movement is changing. And what are some of the ways that that movement law can expand to meet the need of growing social movements? And why is for a group like BMLP that is focusing on,

you know, providing legal support infrastructure to support folks that are engaged in First Amendment protected activity? Why is digital security and privacy important? How does how does how did that become such a critical part of your work? Yeah, so, yeah, thank you, Nash. That's, thank you for the very nice

introduction. I mean, look, I got a preference, as we're saying, none of us know what we're doing, right? We're in an unprecedented moment where we all have to rethink and be on our toes and be flexible in how

we're engaging with everything, right. And so that, you know, that's my disclaimer. But like, you know, as far as the work that we've done, you know, we, like, as you mentioned, started doing this kind of legal support movement, legal support work, specifically, you know, in 2015, 2016. And we just, you

know, started with kind of the grassroots calls we got for, I mean, we joined the EFA, because people were asking us about digital security. And so we had to develop a digital security plan, we partnered with EF, with EFF, and helped with, you

know, EFA, and all of the, like, really great work that EFF has been doing to build on that digital security trading infrastructure. But like, now in this point where it's like, you know, I want to, I think that that space of digital security trading has grown. And like, you know, because of

cyber, EFA, EFF, and other organizations, it's like, that space has grown. And I think that we need to also start expanding what we're doing as movement technology people, like, and start thinking bigger, right? Like, also, like, we need to do that, that kind of core organizing work and that

core digital security work. But I think we also need to think about how we building at a different level, movement infrastructure, how we building at a different level, the types of, you know, how we incorporate technology in a holistic way with how we build movements. And like, that

is more than that, that is a big project. And so that's kind of where I see us going, where we're like, not, we're thinking about how we can build mass scale infrastructure and how we can, and how we can engage just

at different levels more more than just that digital security level. And so that's kind of where I want to see us going. And that's what I hope the MLKP can be part of building. Yeah, and I appreciate, you know, speaking of in terms of movement and encouraged in terms of the ways that that work

is essentially to support work that people are doing to knock down systems, you know, traditional and market systems of modernization and oppression. And that part of that is making sure that they're able to keep their information and their communication secure, and that technologists are communicating in effective ways with the folks that are doing that work. In keeping with that, actually, it's a great opportunity to introduce Emily St.

Pierre, it's really my honor. And Emily is the security ambassador for future Ada Spokane based nonprofit advocating for diversity and inclusion and steam. So I don't think I need to tell folks here security, technology, engineering, arts and mathematics, this is DEFCON. For the past six years, Emily has used her experience as an offensive security professional to provide privacy and security education within her community. Now though her work

with future now through her through it through Emily's work with future Ada rather Emily has established free regular workshops and one on one technical support to the Spokane community. So Spokane, Washington, definitely look out for future Ada. Now Emily's focus has been to make sure that these resources are explicitly available to underrepresented and under supported members of the public

that Emily future Ada is like it's one of my favorite names in the Alliance. To be honest, I don't I'm no don't play favorites, but it's one of my favorite names. Can you start off by telling us a bit about the significance of that name and what need in your community future Ada was launched to address? Thanks, Nash. I have to say, speaking of favorite names, I love cyber as well. But hey, um, so future Ada, you know, is

named after the Countess of Lovelace or Ada Lovelace, who was, you know, a mathematician and a writer. She's often recognized as the first computer programmer. And future Ada was founded by my wonderful colleague, Rebecca Long in 2017. And so after facing, you know, many challenges in

the industry in it, you know, she had a vision to start a nonprofit, which would help promote, you know, diversity and inclusion, you know, within those areas of steam, as you mentioned, um, and it this is all in the hopes, you

know, of helping the future Ada Lovelace is of tomorrow, you know, realize their potential, no matter their background, no matter how they identify and present themselves, you know, everyone deserves to be in feel included and to thrive within the areas of steam. Our nonprofit also puts on and

participates in events to help promote interest in these areas around Spokane, Washington, and some nice quarterly in Idaho. And my role as security ambassador is really to, you know, first and foremost, promote interest in privacy and security within our community. And, you know, secondly, to provide access to privacy and security

professionals to underrepresented groups, but also, you know, we are open to the general public because we feel that security and privacy is something that should be available to everyone. Awesome. Now, Emily, you know, given that we are here at Def Con, I have a question for you. And they're like, what

are the what are some of the things in your experience and given your unique perspective? What are some of the things that folks in the hacker community and folks in Def Con could like, what are some things you'd like to see them doing and being able to support the work the work that you're engaged in and some of the other work to give folks the information and power to be able to engage responsibly with their tech and with the larger sector?

Yeah, that's a good question. I thought about that a lot this week, you know, and I'd love to see hackers building more bridges with other communities outside of infosec. You know, I've seen amazing projects come out

of these types of collaborations, such as, you know, this paper presented at the USNX Security Symposium last year, by Sam Heyron, and Heyron and other researchers, you know, from Cornell Tech and NYU, they came up with a model where security professionals, you know, are integrated into the support infrastructure,

you know, for victims of intimate partner violence, you know, so they can help, you know, those victims or clients, as they call them in the model, they can help them assess whether or not their devices or accounts are being used or have the potential to be used for surveillance, you know, by their abusive partner. And we

love that model so much at future data that we actually implement kind of a version of it to all of our, you know, one on one consultations. And if there's anything I can do to, like, I really want to encourage you know, everyone who's listening to be a security and privacy

advocate, you know, and you can do that by, you know, volunteering, you know, and there are plenty of organizations around you that would benefit from having a professional work with them to help them understand and address their privacy and security concerns kind of like the example I just talked about, you know, and that can be you know, your local use center, your local

shelter, you know, any organization nearby. And if you don't have time, you know, to volunteer, you know, even doing something as simple as having conversations about security and privacy with people around you. Not only will that be a great opportunity to teach folks

about these topics, but it will help you learn about and better understand threat models and privacy and security needs that you may not be aware of. And I really want to encourage everyone to that. So not just help teach, but also help understand and listen.

Thanks, Emily. And that's so that actually, and one of the things that the that the Alliance does is creates an opportunity for groups that are working across the country to be able to share skills and tools and resources in that way, so they can so they can be more effective at being that person in their community. So I think that gives us an opportunity to address one of the questions that's that came

up in the chat. And which is, the question is, can I make my colleges cybersecurity club and EFA group? And I can answer that. And I can say yes, if you have more than three folks, and you are and you're you have a public openly accessible meetings, that folks that create an opportunity for folks to connect and support the work that your group is doing. Obviously, in you know, before

March of this year, that meant like having an opportunity to know having a space where folks could come and enjoy a training or meet and connect with folks. Now we have to obviously be much like, you know, the safe mode of DEFCON be a lot more creative and how we create opportunities for that. But I want to ask so so I hope that that's answered the question around the can I can someone make their colleges cybersecurity club and EFA

group absolutely reach out to us at organizing at eff.org. Check out eff.org slash fight to find out more about the Alliance. But I also want to like, kind of rephrase that question and put it out to the panelists here. And you know, what what were some of the things that like, why did your group decide to become a part of the Alliance? And you know, and what was the what, how did you how did you I know,

it's like cyber collective organizes like very horizontally, right? And so so they work in a way that, you know, make sure that everyone's voice is heard in the decisions that they're making. So I'm curious, you know, what was the, you know, if you if you have some insight into how your group decided to join the Alliance, but also like, what are some of the things that the opportunities, benefits and reasons that you might if someone

was asking if they should join the Alliance, what are some of the things that you would share? And so maybe I'll start off with with you, Elliot, and then we cannot work work around. So I mean, I think it's a big topic. But I think that one of the reasons we wanted to join the EFA was to kind of expand upon sort of one of our organizing principles, which

is, you know, a big thing that we've always tried to do is be big and have collaboration be an important thing. So that instead of us just saying like, you know, we kind of have this knowledge, and we're just pushing it out sort of not so sensitive to the context or accessibility or any

of those things have kind of it be more of a sharing process that allows for a lot of collaboration and allows us to learn as well. And I think that, you know, the opportunity to join the EFA really gave us an opportunity to collaborate with a lot of other fantastic groups around

the country and the world. And so in that way, we saw it as just sort of a natural extension of what we were trying to do at the local at the local level. Thank you. Tracy, I know Oakland privacy was in was in the Alliance before I before I started at EFA. And so I'm wondering, how did the Oakland privacy originally become part

of the EFA? And what's that relationship been like for y'all? We may we may have lost Tracy and Tracy is having some problems with the with the camera. So maybe I'll pass that question to Emily before I've got I've got another great question I want to ask Abby. So I'll pass it to Emily. And then yeah, what are your thoughts?

Okay, um, so we joined the EFA because we, you know, there's plenty of smart and creative and wonderful people part of the Alliance. And so we knew there was so much we could learn, you know, from other folks and other organizations. And we definitely have, you know, I definitely was not as

well versed in activism until we joined the EFA. And I've learned of so many different resources, thanks to being a member. And we're also spoken watching is pretty small, not everyone knows where we are, like, we're a pretty small

community. And it's really helped us, you know, get our message across and, you know, tell our community about, you know, everything that we offer the workshops we offer. So it's been really helpful for that. And along that lines and finding out more about future Ada, keep your eyes out for a blog that I'm going to be releasing soon with a profile and future Ada and the amazing

work that they do. And so it sounded like Tracy sound like you're back on Did you want to Did you want to speak to Oakland privacy in the EFA? Yeah, totally. I think what's been exciting for us about EFA is just seeing so many models in terms of how people do work

because the challenge, of course, is that one way or the other, you're a fairly small collective. And you're you're dealing with these big heavy weighty important issues and challenges. Really, you know, everything about internet freedom and digital security, the huge range of issues. And

there's so many different and interesting and creative ways that sort of groups of people get their mind around sort of how to tackle it, and how to approach it, and what to do first. And EFA is really just like an encyclopedia of what, you know, five or eight or 10 people can come up with in

terms of Okay, what should we do first? Thank you. Yeah. And that's actually that's the favorite. My favorite part of the job is like working with folks to figure out like, what is going to be not, you know, not that like, it's like a one size fits all like what we did here is going to work there. But like, how do we take lessons that were learned in one area and be able to figure out how they can adapt and be most effective for a

different community in the context of that community is working in? So absolutely. Thank you, Tracy. I'll be I'm going to give you a different question. Did you want to speak to that one? Because I want to give you a different question. Just real quick, I just want to say that that's really like, people who are thinking about joining EFA and getting involved and trying to apply their technical skills to larger

political projects. I think it's crucial to understand that like, the skills you develop, if you're actually doing threat model, if you're actually doing analysis, you are actually doing a form of political analysis as well. You are doing an app like if you're doing a good threat

model, you are doing a material analysis of the like organizational and institutional opponents to, like human freedom, basically. And so like, you really like, you, again, I want to warn the tech people, you don't actually know it all already. But like, you have, if you've

developed those skills, you've developed some insight, and the ability to collaborate and coordinate with more overtly political organizations and apply those like actual material reality, assessing skills can be incredibly valuable, especially if you approach it with like, a kind of

like, humility and openness, you know, so that's all I'll say about that. Yeah, I know. That's right. And when you were saying that it made me think about the security education companion, which is like a really an example of a tool that we were getting at EFF, we were getting lots of folks that were asking us, especially, you know, following the last presidential election cycle, that were concerned about the

impact that there was going to have on their communities and want to make sure that folks had information. And we thought about, you know, when could EFF just like, you know, parachute into different communities and have the answer and be able to provide and we realized that that wasn't a responsible or sustainable model. And so we helped them with with help of groups in the FA helped develop the security education companion, which helps folks that are

either maybe great teachers and facilitators, but need some help in making sure that their trainings effectively convey the the intricacies of the technology, or the other way around where they're technologists and need help to be able to adapt their pedagogy skills and what opportunities they have you. And so security and change campaign is also great. So if you're if you're in your community and want to be a resource for folks in your

community, that's a great tool and resource. And, and Abby, the question that I want to ask you that that that fits right perfectly on top of that is how would you recommend this is this comes from the chat. And so I'm going to read it the way it's worded, how would you recommend those of us who may not be members of the communities that most need security, ie, white males, build

trust and truly collaborative relationships with communities who most need security? I mean, you know, that's, that's, that's a tough question. I mean, I don't think there's one answer. I think building off what I just said is kind of like, it's, it's really about how you approach the issue, right? Like, what are you, like, again, like, you have

something to offer, you have something to learn. And if you approach things with that perspective, you know, you're going to do much better than if you approach things from the perspective of I know everything or whatever. But, you know, I think that the the name of the game is, is how do we build solidarity, right? How

do we build relationships and networks that that are collaborative, like across, across different identities and different communities, right? I mean, like, if if we're all completely siloed forever, we will be divided and conquered. I mean, that is just that is, like,

almost a fact of history, right? So, you know, there's not one simple solution to that conundrum, right? But I do think that like, building long lasting relationships,

sustaining relationships, approaching the work with humility, approaching the work with, like, an interest in learning and like, but also approaching the work as, you know, it's a hard line, right? How do you, how do you approach work as an equal, but also recognizing

difference, right? That is a hard thing to figure out. Because, like, you know, I think that we often get caught up like, it wasn't allies that won the Civil War, right? It was warriors to its fighters, right? Like, we need, like actual people engage in actual struggle, we

don't need people on the sidelines. But we also don't need people telling us what to do, and domineering and, and dominating conversation. So, you know, being very conscious and open and engaging in that struggle, even internally, and with other people and hashing it out and not and being open and honest about what you don't know. Like, that's,

that's the only that's all I can say is like, constantly engaging, constantly questioning, and constantly building networks and relationships of trust. Gotcha. Yeah, I mean, obviously, I've worked, I've been, I have worked really closely together and have that challenge this question together. And so I absolutely

couldn't agree more with what I've shared. So I part collective has an interesting thing that they do. And I'm hoping Elliot, you'll speak a little bit because I think that's one of the things about creating that trust and an opportunity to for folks to share kind of like the things that they're most concerned about and like their and

they're things that they feel the most vulnerable about is like creating a space in an environment that that that makes that possible that helps create a comfortability and an affinity to foster that. So and I always whenever I think about creating that environment, I think about security. And so I'm hoping maybe you'll share a little bit about what that is and why that model is effective

that way if it is effective that way. I think it is but I hear from you. It's your event. I think it can be effective. And I think security and also a lot of other events that we have, they kind of all share in common that, you know, while I think the overall topic might be security, and definitely is

security, it isn't sort of the only thing that we do. And I think that one of the reasons, you know, like, at some points, we have security, and the whole session might not even be about security at all. And then, you know, we also have movie nights, you know, where it might not even be discussed. And I think that the reason we do that is to create a community. But I

think that something that people should be aware of is that many of us come to security, because we find it to be something that's intellectually interesting, or, you know, we have kind of a general moral feeling about it. But I think that something that's important to realize is that many people come to security workshops,

because I guess to put it in the most simple way, they've had something bad happen to them. You know, it could be, as was mentioned earlier, intimate partner violence, it could be that they feel like the place where they work or the place where they go to school has taken advantage of them or made them feel vulnerable. And so

it's coming from a place where people already have had something happen to them that gives them a problem in trusting people. And so I think that, you know, many of the things that we do that are more social are for fun. But I think it's also sort of, you know, to build an important relationship with people so that they feel

comfortable, really opening up about, you know, what they're looking for help with. And so I think that that is kind of why we try and do the range of events that we have to help people feel comfortable and build trust. Thank you. And so we are at time, but I want to give everyone an opportunity to kind of like leave them with

their closing message. And so I'm going to go around the way y'all are on my screen, which is Tracy, Avi, Emily, and Elliot. And so Tracy, I want to give you an opportunity to specify especially since Oakland is such a diverse community, and y'all have done such amazing advocacy work there, if you want to build on to the question around like how building that trust and

building that affinity and maybe even saying something about building coalition. And so if you so if you want to talk to that, and also like what is like the one thing that like, if folks were wanted to wanted to, to recreate or to model the work that Oakland privacy has done in your community? What's the like the most important message you would want them to take? Right. Um, I think the most well, the simplest

thing that I could probably say is that, you know, the trust of your community is everything. We did a lot of listening, we did a lot of, you know, what do you want to see happen here. And we really saw ourselves as kind of the advocacy consultants, not

so much. Not so much coming in with a solution, but coming in with a here's what the community wants. And here are some tools that we can provide to sort of help us get to where we want to be together. And as we go out of Oakland to other

places, that's even more important. And so we just kind of try to look for the advocacy opportunities, the thing that's happening that gives us an opportunity to sort of step up and say something, and then sort of turn to the locals and partnership and say, you know, here are some things

that we can try to achieve the goal. And the goal is is almost always we want to have an impact on what happens. And when it comes to stuff like the spread of surveillance, it's it's it's all about consent. We want them to ask us and we want the opportunity to say no. Absolutely. And

yeah. And so and again, like Kurt mentioned earlier and Tracy's touched on it, really, like the community control over police surveillance ordinances are very much banning face surveillance because face surveillance, even if it worked perfectly, the First Amendment and Fourth Amendment implications would be would be to stop the harm before it grows. But with the

others, with the other surveillance equipment, it's really about making sure that the power goes back into the community to have a voice in it and for their elected officials to make the decision. So really, thanks to Oakland Privacy for all the amazing work that you've done making that a thing, not just in Oakland, but in many cities, and the support that you've given to folks throughout the Alliance and throughout our neighboring communities. Abhi, what is like what

is the what is you spoke a lot about technologists facilitating and helping working build, building the tools and developing things as a foot support folks that are engaged in movement work? If there's one thing that you want folks who are thinking about engaging that work could like, what would it be? And then if you want to, we had one question I didn't get in. I didn't get get a chance to respond to. So this will be an

optional. This will be bonus points. If you want to talk a little bit about the successes and failures of the GDPR in the limited time that we have, go look. So, you know, you said one thing. I'll give you three. I mean, like, I think you one framework that I find useful to looking at this is, you know, I'm going to preach

a holy trinity, right of movement work, right? Or of, you know, it's the holy trinity of time, space and information, right? Those are the three things that we can look at, look at everything through, right? And so when we're approaching the work, what of those three can we offer? And

what can we bring to building right? And they're all kind of work in a dynamic with each other whereas you have more space, you can kind of have less time and, you know, you can actually have more information, right? Like they all work kind of together. But like, thinking about, like, what, how we're engaging through through that lens, I think is very helpful in thinking

about how we build because like, that's how we those, that's how we create the bricks and mortar of, of building organization of building movement of building all the things I said before about networks connections. And that's what we need, right? Like our kind of opposition or like the forces that are working against us have

those things in spades. And we are very lacking, especially in any kind of holistic vision of how we have those three things working together. So that's the kind of time space information is my holy trinity. Thank you. And Emily, and I didn't I really I think that you Yeah, I don't think there's enough

praise, I could get to the work that you're doing, and also the work that you're doing pre COVID. And with COVID and make in trying to also not lose count of the folks who are not able to connect, like virtually, right, folks that like, when you were doing events and libraries, it was easier for them to connect and to be able to do that work. And so the fact that you're

keeping, you know, you're thinking about who's not in the room is really important, right? And so I really want to like, lift up, lift up that work and say, what are if there's anything that you could offer to folks around like being able to do that work effectively, and being able to center the folks who, who, who need who need it the most effectively in their communities, if there's some suggestions or guidance or are you

are that you can offer there? We'd love to hear it. Yeah, absolutely. You know, I think there's a lot of organizations around you that, you know, have also, you know, done their work of understanding what are the some of the issues within the community that they also wish to

address. And so to kind of cross pollinate with other organizations, will be a great way to learn really fast and effectively some of the issues that you know, might be going on that you need, perhaps maybe more of an expertise

like on from someone else, or you want, you know, a little bit more depth or understanding of an issue. And so, to I've really come to depend on my communications with other folks that do great work in our communities, to ask them questions to learn,

and to see also kind of how we can address issues that I hadn't thought about. And just to be that open line of communication, when they need, you know, objective security and privacy advice as objective as I can, humanly give, you know, so that they don't have to

be a vendor or just like not known is not an information security professional. So I, I do advise it to do that, if you can. Absolutely, coalition building and working directly with the folks who are impacted and recognizing that you know, there's you don't

have to reinvent the wheel every time you have to figure out the way that you can be most supportive in the system that's there to provide for the support for folks. So thank you so much for Emily. And Elliot, I want to give you an opportunity to like whatever you think that folks should leave knowing about cyber, but I hope that you'll also talk a little bit about one of the things I really like about cyber is the focus that you'll put

on making like learning accessible. So I'm sorry, wondering if there's any guidance you could leave for you could also offer to folks that are that would want to replicate cypers work around how to at least be thinking through making sure that your the work that you're doing is accessible for the broadest breadth of your community as possible.

Yeah, totally. I think that I guess I'll say two things about that. And then just one thing, sort of in response to what other people have said, kind of agree with them. I think that if there's two things that help and are important to making something accessible, it's first, don't feel blocked into

or limited to trying to teach something in one way. I think that there's like a variety of different ways to teach a specific topic. And you know, a way that works for some people might not work for other people. So it's okay. And I think even preferable to have like a variety of different approaches that somebody

can take to understand the material. I'd say that's the first thing in making it accessible. And I think the second thing is to listen to the people that you're trying to communicate with as you're putting together a presentation or even just organizing your thoughts. Because I think they sort of

checking in with your hopeful audience before you start to put something together, it's just going to be huge because everybody's got an opinion. I mean, I guess I'm from Brooklyn, so everybody really does have an opinion. But only ours count, though. At least here, everybody's going to tell you exactly what they're thinking at all moments of the day or night. So it's like, you know,

if you just check in with people before you go away and put something together, often, you know, they'll tell you exactly what they need. And that's why sort of community building beforehand is so important. I think the only other thing I wanted to quickly say was, I think that, you know, for people who want to set up EFA organizations, the great thing about the EFA is

that it's all over the place. So, you know, I think that one of the great things to ask yourself is, you know, how is security or privacy relevant to me in Brooklyn, in Spokane, in Baltimore, in Philadelphia, in St. Louis, you know, how can it grow out of your local community, your city, your town? And I think that

that will always, you know, be hugely helpful both to yourself and to the community in general. Absolutely. So I can't thank you all enough. This has been this has been excellent. And unsurprisingly, I know you all well and well enough to know that that's what it would be. And so I really want to thank you for the work that you're doing and remind folks that, you

know, there's everyone that's on here is amazing, but also like they are amazing because they did the work, they showed up and they and they work with folks in their community. And you can also be providing that kind of support and engaging your community and that you you are the expert in the in the needs of your particular community, from the perspective that you're able to see it and understanding, you know, that you can work with other folks that have different

perspectives in your community. And that there's a number of folks, all the folks that are here today, as well as the rest of the folks that you'll find at eff.org slash fight that are part of electronic Frontier Alliance associated groups. So reach out to us email organizing at eff.org, reach out to all you'll find links on that website to all of the groups that are in the Alliance. And so there's folks here that really like

inspired you and you want to be able to replicate their work, you can either reach out to organizing at eff.org and we'll try to put you in touch or go to the website and their links are there and you can contact them through the the opportunity of avenues that are available there as well. So yeah, and thanks again, everybody at Def Con. This has been amazing. Thanks again to Kurt and even Alexis and Hannah and

Rory, of course, and and just everyone have a good night, you know, go out and you know, whatever your however you unwind, take take advantage of it and just keep continued loving and take care of each other. All right. Thanks, everybody.