
Thanks for having me. Can everybody hear me? Is the mic on? Great. So yeah, I am a lawyer for the Electronic Frontier Foundation in San Francisco. I was a web developer in a very long past life; I was a Microsoft FrontPage administrator for the City of Santa Monica, so that dates me a little bit. I am not your lawyer and I will not be giving you legal advice in this very much non-privileged context. This is being recorded and streamed. If you have questions I would be happy to answer them in a more private setting. I've been working on cryptography policy for the last two and a half, three years at the Electronic Frontier Foundation, and the last year, and especially the last couple of months, have been a very exciting time. The things that I've been working on for years have become dinner table conversation, and that's different. I'm going to talk a little bit about the past, about how we got here, about where we are, what's happening and what has just happened, and I'm going to make some predictions and talk about the future: where I expect us to be, what I think is likely, what I think is unlikely in 2016, and maybe even a little bit out beyond that.

One of the founders of EFF, and something like the number four employee at Sun Microsystems, John Gilmore, in 1993 said that the internet interprets censorship as damage and routes around it. In '93 there was no Tor, there were essentially no VPNs, there were no anonymizing proxies, we barely had the first inklings of TLS, but there were words, and there were lots of them, and images and code and politics and art, and for more than two decades the internet has provided us with a truly global platform for expression. Today anyone can write an opposition party blog post and get it up anonymously, post photographs of their cats (which I do a lot, if you follow me on Twitter), organize a street protest, contribute to open source crypto projects, participate in the search for extraterrestrial life, mine for Bitcoins, swap selfies, use PGP, or send 419 scam emails from Nigeria. You can do any or all of that, not that I recommend that you do all of that.

The first crypto wars in the 1990s made this illegal. This is a Perl implementation of RSA, which is actually an anachronism; Perl didn't exist then. But in the 1990s it was illegal to do what I am doing right now. You could not post this publicly. The United States government attempted to regulate this; this was a weapon, and in order to post it on the internet you had to get a license, the same type of license that you'd have to get if you wanted to sell hand grenades, tanks or nerve gas. To get this posted... remember Netscape Navigator? If you wanted a full version of Netscape with actual TLS, which we then called SSL, all you had to do was click a button that said you were inside the United States and you got the 128-bit version; otherwise you got a 40-bit version, because that's all that the US government said that it was legal to export. Encryption with a key length of more than 40 bits was a weapon, "military grade," which is a word that needs to go away and I never want to hear any of you say ever again in relation to encryption, and its export was illegal. But there were no geoblocks, there was no IP fencing, there was nothing like that in the 1990s, and so the regulation ended up being an ineffectual checkbox: are you in the US or not? I'm going to get back to that in a little bit.

What we ended up with was things like this: we saw people putting algorithms on t-shirts, we saw Theo de Raadt doing his work in Canada where the export laws didn't apply. Anyone recognize this? But I'm a lawyer, and EFF is an organization of lawyers, among other things, and if all you have is a hammer then everything starts to look like a nail. So we represented a Berkeley grad student, a young man named Daniel J. Bernstein, who had designed an algorithm known as Snuffle, and he wanted to talk about it. He wanted to present papers about it and he wanted to publish his dissertation on the internet. His dissertation didn't actually even contain the algorithm; it only contained a description of it, and he was banned from doing so. The State Department listed encryption on ITAR, the arms regulations that I described earlier, and so we went to court. We represented DJB and we sued the Department of Justice and we won. We got a ruling from the Northern District of California that code is speech. That ruling was upheld by a panel of the Ninth Circuit. The Ninth Circuit panel opinion is no longer applicable, but that's neither here nor there; the ruling stands. Code is speech, it's expression, and the internet is a safer place for it.

In 1996 we launched the Golden Key campaign. Golden keys meant something a little bit different then than they do now, and we encouraged webmasters to put this image on their home page as a response to the Clipper chip, for those of you of a certain age who'll remember that, among other key escrow requirement possibilities. And encryption today is legal. We won, or we thought we had. Encryption is legal and exportable; our friends in Mountain View and Cupertino are free to ship products, you know, like this, that have strong encryption on them. People like Moxie and Adam Langley are free to publish their free, libre and open source crypto tools for anyone and all to use. Right now, right here in this room, we are free to publicly discuss cryptography to our hearts' content. But thanks to the FBI director James Comey, more work remains, and we're back: everything that was old is new again.

2015 brought us a new set of challenges. iOS 8 and Android M brought us full disk encryption by default (you can put a little asterisk next to Android M, but anyway, most flagship Android phones are encrypted by default). WhatsApp joined iMessage, to say nothing of Signal, Wire... please don't use Telegram, but the other ones you can use. So now we have, with WhatsApp, a billion people using strong end-to-end crypto every day, and the director of the FBI is pissed, very pissed, and he wants legislation, and it's our job to make sure he doesn't get it. The conversation started with device encryption but very quickly moved to end-to-end communications. The Prime Minister of the United Kingdom asked, are we going to allow a means of communications which simply isn't possible to read? I think that we can agree that the answer to that question is yes, and it's not a matter of allowing it; it's the fact that it exists and there's nothing any government can do about it. See slide one. Okay, so what if we renamed backdoors? What if we called them front doors, or what if we asked the wizards in Mountain View and Cupertino to create a secure golden key? Okay, well, I want a pony and I'm not gonna get one.
[inaudible] and NSLs are not magic. There is no legal tool in the United States that can force a developer or a company to insert a backdoor. It doesn't exist. Or to compromise crypto, or to shorten key length, you name it; that's it. There's no requirement to be able to provide plaintext on demand. If you are a developer, or if you work at a company, and you get such a demand from a US government entity, email me, please; I will put my email address on the last slide. I would love to take that case.

But we're not done. As I said earlier, we thought we had solved the field, but unfortunately more work remains. Many countries around the world are considering legislation to mandate a backdoor, to mandate access to plaintext, or otherwise endanger encryption, and I'm going to talk a little bit about that now. In the United Kingdom, the Snoopers' Charter, also known as the Investigatory Powers Bill, is currently being debated by Parliament, and it's really bad. It would contain a legal obligation, at the Home Secretary's discretion, if she determines that it's practicable in her own judgment (and Theresa May has some pretty bad judgment, for any of you following UK politics), that she can order operators to remove electronic protection. It doesn't really talk about anything else there, but if you ask GCHQ, what they say is that this will permit Theresa May, at her personal discretion, to ban end-to-end encryption in the United Kingdom. The chances of this passing seem pretty good at this point.

In Australia they passed the Defence Trade Controls Act (they spelled "defense" wrong, but they do that a lot down there) that prohibits the intangible supply of encryption technologies without an export license. That includes teaching it. It is now illegal in Australian universities for professors of mathematics or computer science or computer engineering to teach encryption without getting an export license. That's ridiculous, but that's the law in Australia today. By the way, most professors down there flaunt it regularly. Bless them. India last fall released a draft policy on encryption that would have required everyone using encryption to keep plaintext for 90 days and cap key lengths at 64 bits. They withdrew it, but I think it can be safely assumed that it'll be back in another form. China passed an anti-terrorism law last year. The draft version would have required companies to hand over encryption codes; that came out of the draft, but in the final, you can see what they put in instead. Ooh, got dark, and it got light.

In the fall the President said... well, he didn't actually say this; this was an official leak to the Washington Post. Pro tip: if you ever see Ellen Nakashima's byline in the Washington Post (she's a great reporter, I love her to death, but she gets all the official leaks), if you see Ellen Nakashima quoting unnamed administration sources, she is both right and that's official. So anyway, this was an Ellen Nakashima article in the Washington Post in which Obama was quoted as saying that we will not, for now, call for legislation requiring companies to decode messages for law enforcement. And of course there's a bullet there, but Bloomberg leaked a National Security Council memo from a little bit before when Obama said this, which was: they are not going to pursue legislation right now; they're going to instead wait for something big to happen. That was sometime around Thanksgiving, and of course something big happened just a couple of weeks later in San Bernardino, and we got Apple versus FBI.

I can talk a little bit about this; the legal geekery is of interest pretty much only to lawyers. But what was this case really about? This case was about the FBI wanting the ability to mandate that companies turn our devices into tools of surveillance. It was not about this one phone, and it never was. The National Security Council memo that Bloomberg leaked, I think, demonstrates that quite well. This was the tragedy that the DOJ cynically exploited to seek what they had been wanting for about a year and a half. It's about a master key. The particular iOS version that Apple was being asked to code in San Bernardino probably wouldn't have functioned as a master key; there are ways of making sure that it only would have booted on that one phone. But that's neither here nor there, because it wasn't about that phone; it was about the legal precedent, and the legal precedent isn't a technical master key, but it is a master key. And the only reason that the FBI pursued the case was to set the legal precedent. Comey admitted so under oath in a hearing in the House in March. They want the ability to demand that US tech providers stop providing end-to-end encryption or secure device storage, and the FBI saw this case as win-win: if they won in San Bernardino they would have an order that they could then take to courts around the country and get follow-on orders to kill end-to-end encryption as we saw it, but if they lost in San Bernardino they could take that loss to Congress and say, look, we don't have the legal powers that we need. There also was a case in the Eastern District of New York. That case went away last night at about 8 PM when the government gave up, just like they did on the eve of the hearing in San Bernardino.

The FBI strategy was flawed for three reasons. First, legally, what the FBI was asking for would have represented a fundamental shift in the way that American courts interpret the All Writs Act. No court, for instance, had ever ordered Brinks to create a master key; that had never happened, and that is essentially what FBI was asking Apple to do here. It was flawed technically: we barely know how to create secure systems, and if you think that this is 100% secure you're fooling yourself and everyone around you. The fact that FBI is seriously demanding that we make our systems less secure is insane to me. We can barely keep data out of the hands of people who shouldn't have it, and to make that harder doesn't make any sense. And it's flawed for policy reasons: if FBI got what it was asking for in San Bernardino it would have absolutely crippled American business. There's no way that anyone outside the US would buy devices that they knew were backdoored, and then foreign governments would demand exactly the same access, and Comey has no answer for how to prevent that.

There is some other litigation going on too, maybe; we don't really know. It's not all All Writs Act litigation. The New York Times had a report that WhatsApp, which is owned by Facebook, is under a decryption order. We think that's not being actively litigated; we think that they have a wait-and-see stance there, but we don't really know. There may be FISA court orders; we don't think that there are. We've heard some rumors, but they're not particularly credible, and Ellen Nakashima hasn't published an article in the Washington Post saying that it's happened. And just this week we filed a Freedom of Information Act lawsuit to demand answers on that. We think we actually have a pretty decent chance at that one. The USA Freedom Act, which was passed in June of last year, requires that FISA court opinions that contain a new or significant interpretation of law, and this certainly would be, are required to be declassified. So that's the core of our lawsuit that we filed last week.

But there is Congress. It was leaked a couple of weeks ago and then formally introduced as a discussion draft last week, and it would require providers to decrypt communications or devices on demand. It carries civil and criminal penalties for manufacturers who don't, and, as I said, applies to communications, storage and licensing. What does that mean? It means it includes app stores and open source. It means that GitHub is all of a sudden illegal, as is the Apple App Store, as is the Play Store, because they're not scouring every application to make sure they don't include end-to-end encryption or otherwise non-key-escrowed encryption. And it's not just end-to-end and full disk that the Burr-Feinstein bill would outlaw; it would also outlaw computers as we know them, because there's no way of keeping a computer... I mean, these are general purpose Turing devices, right? There's no way of keeping a computer from running an encryption algorithm that the FBI doesn't have click-of-the-mouse access to, and that's what Burr-Feinstein would demand. As an aside, I'm a lifelong Californian, and to see my senator's name up there is depressing. And as I said, Burr-Feinstein is problematic on every possible level. It's unconstitutional: as we saw at the beginning of this talk, code is speech, and to ban end-to-end encryption, including open source, is a prior restraint. I have a post up at EFF from last summer talking about why exactly this bill would be unconstitutional, even though I was 10 months away from seeing the bill. It would break the internet as we know it. I mean, it would mandate that everything be decryptable all the time, and that's just not how encryption works. It would [ __ ] American business for the reasons that I already discussed, and it would be totally ineffective, right? The internet interprets censorship as damage and routes around it. We can all get PGP; we all probably have end-to-end crypto, and there's nothing anyone can do to change that fact. That is just a fact, and law enforcement needs to learn to live with it.

So in 2016, what are we looking at? I've done Christmas Past and Christmas Present; now I'm going to do Christmas Yet to Come. What are our options? Well, we could do something like China and have a key escrow mandate. The New York Attorney General has a key escrow mandate, which was put into effect last year for banks, so banks that use secure communications within themselves (Symphony is the big provider of that now) have to escrow all of their keys. So we're looking at something like that, but I don't think that's actually going to happen, at least not on the federal level. Burr-Feinstein, we're definitely looking there, but that definitely won't happen, right? Burr-Feinstein is crazypants and doesn't have a realistic chance of making it out of committee.
Burr-Feinstein, we think, was actually introduced as an opening gambit. I'm going to use a lawyer analogy, which you'll probably get: when you sit down in mediation and your opening demand is 30 quadrillion dollars, right, everyone knows that you're not asking for more money than exists in the universe; you're giving that as an opening demand because you're going to back down from it, and that's what Burr-Feinstein was. So we're gonna get something maybe more like that last bullet: we don't care how, as long as you make plaintext available.

And now I'm going to go into real prediction mode. What's actually likely? Informal pressure. So one of the things that I do at the Electronic Frontier Foundation is I'm on the Coders' Rights team. I represent developers, academics, hackers, cryptographers, and occasionally small, and even sometimes not so small, companies, and this happens a lot: you'll get a call from an FBI agent who says, can we set up a meeting, we have some things to talk about. You say sure. They show up, and they show up with an NSA agent as well sometimes, and they say, if you don't backdoor your crypto you will have blood on your hands, and they show you some sort of evidence that ISIS is using your product. This happens a lot. I've dealt with it a handful of times, and I'm just one of the lawyers at EFF.

No ban is going to reach for your open source crypto; that's just not going to happen. It's way too problematic, because we have this thing called the First Amendment here, so that's not going to happen. We might get a CALEA-like mandate. CALEA is the Communications Assistance for Law Enforcement Act, passed in 1994, which says that the telephone networks, now including VoIP, need to be wiretappable. We might get something like this that won't hit software; it won't necessarily hit device encryption, but it might say that if you provide an end-to-end encrypted service you have to have a way of getting it plaintext. That's not going to stop OTR; it probably won't even stop Signal, but it might stop WhatsApp and iMessage, and that doesn't have a lot of the same First Amendment flaws that the Burr-Feinstein bill would have. India, Australia and the UK may, or maybe already have, done really stupid things. Kazakhstan is mandating that everyone include their own certificate in your trust store now so that they can man-in-the-middle your TLS connections. So things like that might start happening around the world, but until it happens in the US it's not going to really catch on. But no matter what happens, it's not going to stop anyone with even a modicum of sophistication from going dark. Going dark is what the FBI calls encryption; it means people using technology that they can't immediately wiretap. There's nothing FBI can do about that; that's sort of the beauty of open source.

So here are my predictions. My predictions are: the US government is going to go after defaults, not primitives. What do I mean by that? They don't care if people like you, people who go to BSides Rochester, are capable of using PGP or OTR; they don't give a crap about that. What they care about is average Americans, and they want to deny average Americans their digital security. We will see a lot of backdoor pressure, and I don't think that we're going to see a backdoor mandate passed in 2016. I would be surprised if that happened, but we will see lots of pressure, pressure on companies like Google, Facebook and Apple especially. I don't really think that they care about Signal; I don't really think that they care about PGP. They care a lot about WhatsApp, they care a lot about iMessage, and they're going to try as hard as they can to make those guys stop encrypting by default. And as I said, any mandate that does pass will affect only the masses. It won't affect ISIS, it won't affect international pedophile rings, it won't affect organized crime. Why? Because, as I said earlier, anyone with a modicum of sophistication is free to use crypto; there's nothing anyone can do about that. And we might get court rulings. We thought that we were going to get one in San Bernardino; we thought we were going to get one in New York. The FBI pulled the plug on both of those. That wasn't particularly surprising to me, but it wasn't exactly expected either. So we haven't gotten a court ruling on crypto since the '90s; we might get one this year. And that's it. Questions?
So, okay, that's a great question; I'll repeat it for people who couldn't hear, since this is being recorded: to what extent does the degradation of security for the masses harm us, the people in this room? Privacy isn't about you, right? Security isn't about you. I don't have anything to say, and yet I benefit from the First Amendment; I benefit from other people having the right to free speech, just as I benefit from other people having the right to privacy. Social movements don't start in public; they start in private. Having security for people who aren't tech savvy is critical; that's the way that social change works, and security and privacy are critical. They're prerequisites for democracy, and without security and privacy we can't do the hard work that social change requires. The Civil Rights Movement almost ended because of J. Edgar Hoover and ubiquitous surveillance; it almost ended before it started, and that's not something that I'm willing to gamble on. And especially people around the world, right? If you're an LGBT activist in Saudi Arabia you [ __ ] need crypto, and you need it bad. If you're with the International Committee of the Red Cross or Red Crescent in Syria, you need crypto and you need it really badly. And WhatsApp is how they get it right now; iMessage is how they get it right now. You can do security trainings for people doing work outside the country, and it might stick, it might not, but it needs to be ubiquitous; otherwise you can't get social change.
Yeah, there are some legal differences. Those sorts of requirements don't apply to products; they only apply to services. So it's a lot easier to pass a law that says you can't provide a messaging service without a backdoor than it is to say you can't provide a messaging client without a backdoor. There are some stupid First Amendment and due process reasons why that's true. Yeah.
Doesn't scale. I mean, that might work on a one-off, but it doesn't scale. So it looks to me like the game plan is really going after the content and communications here. Yeah. Do you see any bad lines being drawn, now or in the future, around anonymizing software, protecting metadata? That's actually a really good question. Maybe. So we haven't... things like Tor Messenger, and don't use Pond, but things like... oh, sure. So the question was: right now it looks like the focus is on content, but what about anonymizing or metadata masking? Has FBI started to attack that? And the answer is no, not yet, because I think no one really uses it. No one uses Tor Messenger, or at least not that the FBI cares about. No one uses Pond, nor should you, because Adam hasn't updated it in like a year and a half. But it's possible that we might get something like that, right? We saw the former head of the CIA say that we kill people based on metadata, right? The NSA and the CIA almost don't care about content; they really just care about when, where, and to/from. They don't care about the what; they don't even need to know what's being said, or even who's saying it, so long as they know the connections. So this is really about law enforcement. Law enforcement wants content; intelligence agencies are fine not getting content, they're fine with metadata. [inaudible] scale. Yeah. So we might get some tension on anonymizing or metadata masking if those tools become useful at scale; they're not yet.
...come out actually in favor of encryption, and I thought it was more because, hey, they're just going to steal the keys anyway. That's possible. So the question is: heads of intelligence agencies here in the States have come out in favor of encryption; there's a number of reasons why. Stealing keys is certainly one of them. Interestingly, the Burr-Feinstein bill is in the Senate Intelligence Committee, not in Judiciary or Energy and Commerce, so that's interesting: the Intelligence Committee in the Senate is what's pushing backdoors, even though the intelligence community doesn't seem to be.
And I understand why there's this battle, but the bigger problem that I see is a lot of people that I talk to who maybe aren't as technical don't necessarily understand why it's important, and I often hear things like, well, if you don't have anything to hide, what's the big deal? What argument or words of enlightenment do you have that we could all post on whatever forums we like, to try and help people overcome that? So my response to "if I don't have anything to hide, why should I care about encryption" is essentially what I said earlier about privacy: it's not about you, it's about everybody else, and "you have nothing to hide" is irrelevant. There are people with things to hide, and that's a positive for society. The other response that I have is: in 2013, according to a poll by IDG and Lookout, something like 4 million phones were lost or stolen in the US. Fully a quarter of those lost or stolen devices ended up causing identity theft. One quarter: a million phones, a million Americans were victims of identity theft because of lost or stolen phones. That's not true anymore; with full disk encryption that has stopped. That's the other thing, right? If FBI gets its way, we're right back to where we were. All the way in the back.
Great question. Do I see this trickling down to the states? Yes and no, on two different levels. Both California and New York have proposed legislation that would require phones sold in those states to have backdoors. Both of those bills are unconstitutional because they violate something called the dormant Commerce Clause; pretty cut and dried. So we're not going to see legislation on the state level. In terms of local sheriffs and whatnot demanding the same access as FBI, I mean, sure, they're gonna ask for it; I don't think they're gonna get it, right? NSA has a whole lot more than FBI has and they don't share their toys. I don't see FBI sharing its toys with local PDs. It's possible; I don't see it, though. Yeah.
...before, you're in like this: dude, if I just screamed "quiet" and everyone panicked, that's technically against freedom of speech. So... okay, yes. So code is speech, but the First Amendment is not absolute, right? So if a requirement (and I'll go deep into the law a little bit for a second) would affect speech based on content, which any end-to-end encryption ban would, then it has to meet what's called strict scrutiny. So it has to be narrowly tailored for a compelling governmental interest. Narrow tailoring means it has to be neither overbroad nor underbroad. Here, any ban on crypto would be both overbroad and underbroad. So saying "code is speech," you're right, that doesn't mean anything from an absolutist perspective, but what it means is any regulation on code is going to be subject to strict scrutiny, and it wouldn't pass. Yeah.

So when we talk about end-to-end encryption, and especially with WhatsApp, which recently switched, if you think about all the major companies, their business model is like, they want your name and they want to sell basically data, and there was a reason for [inaudible] that actually highlights this, whether WhatsApp really does... Yeah, so the quarter post has been debunked, but anyway, let's see... So if you think about that, like all the companies still have data and plain things, and that's it: the government wants it, they will get it from... Sure. So the question is, yeah, there is some end-to-end, but really most things are still just, I wouldn't say plaintext, I'd say TLS, and that's absolutely true. It's absolutely true that Google has access to your Gmail and they are going to keep that forever, because they want to scan it and display you ads; same with Facebook Messenger. The issue is whether end-to-end encrypted tools are legal, right? Because if they're not, that has huge trickle-down effects to the rest of the ecosystem. So yeah, people are free to use whatever tools they like. I actually... this again dates me: I sign into AOL Instant Messenger every day; it's one of the protocols that my chat client signs into. Of course every conversation I have there is OTR. So yeah, there are plaintext protocols and that's fine; that's a business model choice, but it needs to stay a business model choice; it can't become a legal requirement. Yeah.

In public discourse and in legislation, when we discuss this it always comes down to the issues of privacy and constitutional rights. How come economics is never really factored into it? I mean, when we talk about selling products that are hampered by backdoors or weak crypto, no one's really addressing the economic impact of that, because of course they are just not going to buy products that they... So I think the economists are looking at it hard, but most of that intelligence is behind paywalls. I think that's the answer to that; we don't have economists at EFF, for instance. Okay, last question. Okay.

...it's in the rise of e-commerce. Where do you see the financial incentives kind of lining up right now? Ooh, where do we see the financial incentives of crypto? Well, we see the financial incentives with bad crypto all the time, right? When the RSA BSAFE thing hit the fan, RSA sales plummeted. When the Juniper thing hit the fan, we all know what happened, right? No one outside the US is going to buy US products if any of this comes to pass. All right, thanks. If you have additional questions...