
The BSides DC 2016 videos are brought to you by ClearedJobs.Net and CyberSecJobs.com, tools for your next career move, and Antietam Technologies, focusing on advanced cyber detection, analysis, and mitigation.

All right, I'm Marcia Hofmann, and thank you all for coming out so early on a Saturday morning to listen to me blab on and on and on about legal stuff. I really appreciate you coming out, and feel free to come up a little bit if you want; I feel like the slides are a little bit small on the screen. So how many of you, how many of you know me? How many, I, OK, have we met before? Not many of you, OK. So I used to work for the
Electronic Frontier Foundation. I was a staff attorney there for seven years, and then I left and I started my own practice, and I consider my practice area to be digital civil liberties; that's how I describe it. So I'm interested in privacy, free expression, creativity, innovation, and I really am interested in hacking and in information security in general, and a number of my clients are security researchers. So I love conferences like these ones. I'm a big fan of everything you all do, and it's nice to meet you all. And I didn't actually expect to talk about the crypto wars. I feel like every conference you go to these days, you know, the legal people, at least all conferences I go to, the
legal people are talking about the crypto wars, and it's a very important topic, but everybody's talking about it all the time. So I was going to do something really crazy and innovative and go in a totally different direction and talk about something else, but then there are some really interesting developments in the past few days, and I thought this is a great time to talk about what's new and hopefully teach you all something that you don't already know about the crypto wars that I think is very important and something we need to keep an eye on. So to start out, talk about a little bit of recent history, just to make sure we're all on
the same playing field and in the same ballpark. And the place I want to start is not the crypto wars like 20 years ago, but actually much more recently than that. I think that the invention of the cell phone is a really huge moment in human history, and when you think about it, it's incredible that, you know, the iPhone has only been around since 2007. The vast majority of Americans at this time have a cell phone. It's incredible what an important part of our lives this type of device has become. Most of us carry it around with us all the time. It's one of the first things we reach for in the
morning, it's one of the last things we look at at night, and it has information about our families, our business relationships, communications with pretty much everybody that we know, can have financial information, tracks your location all the time. I don't think there's ever been anything quite like it in human history in terms of the information that it reveals about each and every one of us, and of course that makes it very interesting to a lot of people, including law enforcement, and that's one of the key things that we're going to talk about today. Now, as quickly as this little device has taken a key role in all of our lives, the law around what, the law around how we treat this
kind of information and we treat these devices has been a lot slower to develop, and that's pretty typical: technology moves fast, law moves slowly. And, you know, there are a lot of reasons why that is, but one of the most interesting challenges, I think, in my work is that we see these really interesting new creations that are widely adopted by everybody, enter in common use, and you have to do a good job of explaining to the courts what the implications are and why that's important. And judges are often people who are not early adopters, and they may not easily and readily get the implications. So it's a fun and interesting challenge, but it's something that you always have to think about,
you're always struggling with. Now, that said, the courts are starting to catch up, and we've had a lot of interesting situations in which the courts have looked at questions involving law enforcement access to data on mobile devices such as smartphones. The issues that I'm going to focus on today involve the Fourth Amendment and the Fifth Amendment. The Fourth Amendment protects us against unreasonable government searches and seizures, all right, and the basic rule is that if you are engaged in an activity, or if you're in a place that you reasonably consider private, as a general rule law enforcement would need to get a warrant signed off on by a judge that says that
they are allowed to search or seize evidence of a crime in that place. And there are exceptions to that rule; we'll talk about some of them today. But that's the basic rule, and we saw a number of cases over the past few years raising the question of when law enforcement needs to get a warrant to search your phone. And I think the most interesting of these cases involve the question of what happens when law enforcement is in the course of arresting a person: are they allowed to search the phone? There is an exception to the Fourth Amendment requirement that law enforcement needs a warrant to search something in situations where the search is performed incident to arrest.
So the idea is, if you get arrested and law enforcement is allowed to pat you down, they're allowed to see if you have any weapons on you, because that implicates officer safety. They're allowed to see if you have evidence of a crime on your person that you might easily be able to destroy; they can take it away from you, and they don't need to get a warrant to do all that stuff, right? And so in some of these early cases we saw situations where somebody's getting arrested and the officer finds a cell phone, perhaps in this person's pocket, and the question becomes: can they search that phone right there incident to arrest, or do they have to get a warrant?
And the government's perspective, of course, was, well, we have this long-established, you know, rule that we're allowed to search things incident to arrest; why would a cell phone be any different? And on the other hand, people said, well, a cell phone is different, right? There's a lot of information on there that implicates a much wider variety of privacy interests than anything else you might have in your pocket. And this question went all the way up to the Supreme Court, and the Supreme Court said law enforcement has to get a warrant to search a phone; they're not allowed to search it incident to arrest. There could potentially maybe be certain case-by-case situations where a
different warrant exception maybe could apply, but as a general matter a warrant is needed to search a cell phone. And basically the reason is because a cell phone, the Supreme Court says, really and truly is different; it is not like anything we've ever seen before. And so that was a very interesting development in the law, and I think that for many people who follow these issues it was a big surprise, and it shows that even at the highest levels the courts are starting to understand that technology is not quite the same thing that we've been dealing with for decades and centuries, that we've been developing the law around up until now, right? The other legal interest I want to talk
to you about is the Fifth Amendment privilege against self-incrimination. So the Constitution says that the government can't compel you to give testimony against yourself that would be incriminating, OK? So three requirements: government compulsion, testimony, and incriminating. And there have been a number of cases in the last several years that have raised the question of whether an attempt by the government to force somebody to decrypt data, or provide a password, or perhaps provide a thumbprint to unlock a phone raises these concerns. Something is considered testimonial when it reveals the contents of your mind; that's the general rule. And the courts have recognized that sometimes that doesn't involve saying things out loud. What it could mean is you've been asked
to take some kind of an action, and that action itself would implicitly admit certain things, like, for example, that you have control over something, or that certain information exists, or that it's authentic. And in those situations, if the government is trying to compel you to take a certain action, you can have a valid Fifth Amendment privilege that protects you from having to do that because of the implicit testimonial aspects of that action. And it's a little bit confusing, right? Um, and I think that there are some blurry lines between what is testimonial, what is not testimonial, but we can talk about that a little bit later. Many of the cases that we've seen so far
in this area have not involved phones per se, but we're starting to see that more and more, and this question hasn't reached the Supreme Court yet. It's just starting to kind of percolate up to the appeals court level, which is kind of the middle between the district courts, which are the trial courts, and the high court, which is the Supreme Court. So to further complicate all of this, the Snowden if that happened. So after Edward Snowden gave a tremendous amount of information to journalists, which then was ultimately published, a lot of tech companies decided that they wanted to take additional action to try to keep the NSA out of their systems and try to protect
the data on their systems, which meant that encryption by default became much more widespread. It was built into products, it became less difficult for users to take advantage of, and in many cases users were encrypting their data just totally by default, because that's how the products at that point were built. And so, to make the Fourth Amendment and the Fifth Amendment issues even more complicated, we threw a wide deployment of encryption into the mix. And so then we've started to see these questions emerge about what happens when law enforcement is trying to collect evidence of a crime that's encrypted and they're not able to get around that. You know, how do we deal
with that? And this has been a topic of great discussion for a couple of years, I would say. You all may remember this Washington Post editorial in which the editorial board suggested that perhaps companies like Apple and Google might invent a kind of secure golden key that they would keep and could be used by law enforcement only when a court has approved a search warrant. And this led to a lot of discussion about whether it's a good idea or a bad idea to be building backdoors into the encryption in certain products, and that is a debate that is ongoing. So a lot of the stuff you probably are well aware of due to events in the news over the past
several years. One of the things that's gained a tremendous amount of attention is the pressure that's been put on certain service providers to give assistance to law enforcement to get around some of these problems, and the clearest and most obvious example is Apple. I'm sure that many of you read in the news about a very particular situation in which the Department of Justice was investigating the really terrible and unfortunate incident in San Bernardino, where a couple murdered 14 people, injured 24 others, and then killed themselves. And in the course of investigating the situation after the fact, the FBI learned that one of those suspects had a work phone that was an iPhone 5c, and
the FBI wanted to see whether there was anything on that phone that might help in the investigation. The issue is that that phone was running iOS 9, which had encrypted the information on the phone and had certain mechanisms that made it so that if you attempted the passcode too many times, the keys to decrypt that information would be permanently wiped. So the government was in this tough spot where they really wanted to see the information on the phone but weren't in a position to get it. And, you know, they had a valid warrant; you know, by all legal rights they should be able to get it, but they couldn't get it because
of the security features that Apple had built into the phone. So what does the Department of Justice do? It goes to a court and it says, listen, we need some help here. Court, could you please issue an order under the All Writs Act to help us out? Now, that All Writs Act is this old law. I actually read last night that it was first signed into law by George Washington, amazingly, and that basically says that the courts have the power to issue any orders that are appropriate and necessary to make sure that certain events occur, as long as it's lawful and it's necessary and no other law would make it happen. So
the Justice Department says, listen, could you issue an order under the All Writs Act, basically so that we can execute our search warrant, and what we want you to do is order Apple to develop a special version of its operating system that would basically compromise some of the security features that are in place to protect this data so that we can decrypt it. And initially the court ordered Apple to do it, and then Apple said no, absolutely not, and they went to the mat on it. They lawyered up, they hired some of the best lawyers in the country, and they basically said, listen, you know, if we have to build the software, this is going
to be a big problem. You know, we think this is going to put us in a position where we have to compromise the security on our products basically at large, because if we do this one-off thing for you, surely we're going to have to do this for everybody else who comes asking as well, right? And the government says, no, no, no, no, it's not like that, it's just, you know, a one-time thing; you're really making this something that it's not. And it was this huge public deal. I'm sure all of you probably read about this in the news. And then it kind of fizzled, and the reason that it fizzled was because the FBI found a private party, a security
firm that was able to help it get into the phone, and it said, hey, listen, we got this stuff we were looking for, we don't need this order from the court anymore, you know, no harm, no foul, we're all done here, right? And so, you know, we kind of end up in this situation where there's this, you know, I would call it, at least publicly, you know, it appears to be an uneasy truce, where, you know, certainly I think the government knows that Apple doesn't wish to be terribly cooperative with helping the government to access encrypted information that's stored on Apple products. And so, you know, the government needs to think about how else to deal with that
situation, and I think that this leads us to a place where the pressure becomes more diffuse. It gets shifted from the providers to the users of the technology, because, you know, that is another place where perhaps the government might be able to access this information, right? So here's the new development that I think is really, really, really interesting. What we have learned in the past couple of weeks is that there have been a couple of situations in which the government has gone to a court and said, hi, we would like you to issue a search warrant that allows us to go into a home and compel everybody in that home who we
think has a mobile device that can be unlocked with a thumbprint to give us, or, the word that the government uses is "to depress", to depress their fingers and their thumbs on their phones so that they can be unlocked. And, you know, this is the front of this filing. It actually appears to have been under seal; it's not a hundred percent clear to me how it all came out. But, you know, I'm sure you all are going to have a hard time reading that, but basically, you know, this is exactly what the government asked for: authorization to depress the fingerprints and thumbprints of every person who is located at
the subject premises during the execution of the search and who is reasonably believed by law enforcement to be a user of a fingerprint sensor enabled device that is located at the subject premises and falls within the scope of the warrant. The government seeks this authority because those fingerprints, when authorized by the user of the device, can unlock the device. So we now get into a situation where the government goes to a court and says, give us the authority to go into a home and do this, right? You know, imagine you are the person in the house when they show up, or the people in the house when they show up, right? And they say, hey, listen, I
have a legal order here that says that I'm, you know, I'm allowed to have you depress your fingers on the phone to unlock it, right? Is it possible you might have a valid Fifth Amendment privilege against self-incrimination? I think it's possible, depending on the circumstances, but I think very, very few people are going to be comfortable in that situation trying to assert a privilege like that. And in the Fifth Amendment cases we've seen before, the timing was different. In those cases, what happened was law enforcement would seize a device, take it away, find that they couldn't get into it, and then would ask a court to basically force the person to decrypt the information. That person
raises Fifth Amendment privilege, and then we fight over it, right? But, you know, a court gets to hear about it and a court gets to decide. But when it's done this way, what this means is that I think we're going to see fewer challenges, because people, I think, are not going to be in a position in the heat of the moment to say, wait a minute, I have a, I think I have a valid constitutional privilege here to not do this. And, you know, I think it takes a special person to take that stand in that moment. So I think it really shifts the dynamics of things in a very interesting way, and I can see how for law enforcement there's
a great deal of incentive to go in that direction. So what does this mean for the future? What do we think we're going to see? So I think we can expect to see more law enforcement efforts to force users to decrypt data on demand, in the moment, before their devices are taken away from them, because after their devices are taken away from them I think we get into a situation where the courts are in a better position to look at those issues and make a reasoned decision about it, hear both sides of the issue. Beforehand, if, you know, this all comes as the result of a warrant application, the court hears one side of the story,
which is the side of the government; doesn't hear from the user. You know, for these reasons I think these are situations that are going to be more difficult for the users to challenge in court than they've been in the past, which I think is concerning. And I think we're not going to see very many public battles over this, because a lot of it's going to be done in secret, with approval sought to do it unilaterally and under seal by the government before it ever even happens. And yet I have to say I feel kind of optimistic, because I do think we don't need a gazillion battles to happen in court. I think that we only need a few of
the right battles to happen in court. And as I mentioned earlier, I think that the Supreme Court and other judges are starting to recognize how important it is to be thoughtful about how we think about the legal implications of technology and the balance of power among users and government and private industry, and how we protect those interests, and how we make sure that at the same time law enforcement can do what it needs to do, right? And I think that the more that the courts tend to think about this in that way, you know, I don't think we need a gazillion challenges in court. I think we just need to make sure that
it happens at the right times, occasionally at the very least, because then we have an opportunity to litigate it. So, you know, I'm curious to hear what you all think about this. Yes?

I can't got it is that they can't compel you to type in your PIN code, then you should use PINs instead of using fingerprints. You can't change your fingerprint; it makes a horrible password. Once attacked, it's available forever, and so nobody should be using fingerprints on your phone. Fingerprints a great user maintenance of stinky password. And so am I right that if I put it in my coat I can't the right to say no, I'm not going to give you my PIN but our behalf word
but the difference they can compel?

So a couple of thoughts about that. I think you're correct that a password is more testimonial, I think just inherently more testimonial than a fingerprint, because a password is something that is in your mind, right? Unless you've, like, written it down or you're keeping it at a password manager per se; we can talk about that later, of course, right? But even with a password manager, you've got at least one password that you know, right? And so it's that piece of it that's in your mind, that's in your brain, that's the important part. And I think you're right that on the whole passcodes or passwords are better for maintaining
your likelihood of being able to assert a Fifth Amendment privilege, right? I do think that there can be circumstances where a fingerprint would work, but it has to be the right circumstance, right? It's like they have to ask you the right question, and it has to be a situation where, you know, putting your fingerprint on the phone would reveal something, right? So, like, if the government says, for example, unlock this for me, and you say, OK, here, you know, I think what you're revealing that could have testimonial aspects to it, testimonial value, is that, you know, you know that this finger will unlock this phone, right? So you have control over it.
So I think that there could be testimonial aspects to that, but as a general matter, you know, like, the government is allowed to take fingerprints, is allowed to draw blood, is allowed to take DNA without Fifth Amendment implications, because, you know, those are things that don't reveal anything about what you know; they simply reveal who you are, right? So I agree with you that as a general matter I think passwords are better. You know, two-factor's pretty great too; you know, I think two-factor resolves both of these issues. But fingerprints alone, I think your legal protection in the Fifth Amendment sense isn't as robust. Yes?

So you said you're optimistic about how all
this shakes out. What in your research and your travels have you seen you feel with the government's next step to try to erode this kind of privacy, something that we as users can look to be on the lookout for so that we know it's coming? Chance favors the prepared mind, right? So if you're prepared and you know what you're looking for, you're ready for that situation. What is something that we would be looking for, for them to take the next step when you say no, screw you, you're giving it to me whether you like you're not late? What do you see, what do you feel would be if a value added to the government as their
next step Selena?

So I think that the trend is going to be more in the direction of putting pressure on users, because I think, you know, users are in a less strong position to fight back. I think the best thing you can do is know what your legal rights are, and know enough to realize when you get into a situation where you could assert a right, and be brave enough to assert it. You know, I think for a lot of people that's really scary, right? You need to think, and in the moment you think, oh my gosh, you know, if I'm not cooperative here maybe I just get arrested, you know, who knows what's going to happen,
right? But I think that we need to have some people who are willing to take that risk if we're going to be able to fight the battles. Yes?

understanding still challenge court system as part of the case what do you do other real negatives of interacting and nothing about your petition but the fingerprint data and challenging in court during the trial?

Well, you know, I think that part of the issue is that if you give them, you know, if law enforcement shows up at your home and, you know, says I have a warrant here that says you need to unlock this device, and you do it, I don't know that you're going to have a very good leg to stand on
later to challenge it in court, because, you know, I think what they're going to say is basically you agreed to do it, right? You know, I worry that one is going to waive their rights if they try to do that. And to make it even a little bit more complicated, there was a case that the Supreme Court decided a few years ago in which the court basically said if you want to assert your Fifth Amendment privilege, you need to, like, make clear that that's what you're doing. You're not supposed to just remain silent and not answer questions; you're supposed to specifically say, I assert my Fifth Amendment privilege. And so I think a lot
of people will not do that in the heat of the moment, right? So I think that those are all things to keep in mind, and, you know, those are all things that are important to know if you ever find yourself in a situation like the one we're talking about. You know, know when that type of privilege is likely to arise, know if you're likely to have it, and realize that you need to specifically say you're asserting it. Yes?

So Touch ID doesn't work the first time you fell on a device if you power off in two places you guys like you need a coming it out at all does that leave you guys like obstruction of justice yes
idea ask you

I think it just totally depends on the circumstances. Um, you know, I mean, how would you necessarily know they're coming, for one thing, right? And, you know, I think that the way that that would probably play out is if the government thinks that you did something to obstruct their ability to get the evidence that they're looking for, you know, they probably would tell a judge that they thought you did that, and if the judge believed that that was true, then you could be in trouble, right? So I think we're just about at time, it appears to me, looking at the clock on my laptop, but I'm going to be around; feel
free to come up and chat with me. I know a lot of you have questions; happy to talk. Thank you.