
... Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. We have Nate Cardozo (yes, please raise your hands), staff attorney on the Electronic Frontier Foundation's civil liberties team, and Andrew Crocker, who is a staff attorney on the Electronic Frontier Foundation's civil liberties team. And you get to introduce the rest of them, good sir.

Hello. So yes, in addition to our Coders' Rights legal team, we have some of our technologists from EFF with us as well: Bill Budington, Cooper Quintin and Noah Swartz. So we're going to do a brief introduction, each of us will say a little bit about what we've been working on, and then we'll open it up to your questions. We brought our technologists on the stage so you can ask questions about our technology projects as well as some of the legal issues.

As usual, if you've been to one of these before, we have some, I guess, suggestions on questions. First of all, while one of the things we do at the Coders' Rights Project is provide legal counsel for free to security researchers, this is not the forum to ask questions about your legal advice; that should be done in a private conversation, at another place and another time. So we welcome your questions, and they can certainly touch upon legal issues, but if it is specifically about something that you're doing or planning to do, or wondering if it would be legal if you did that, those are questions that should be done privately.

So let me give a brief introduction to myself. My name is Kurt Opsahl, I'm an attorney with EFF, I work on our Coders' Rights Project, and as I just said, that's where we provide some legal advice and counseling to security researchers. I wanted to touch briefly on something that some of you may have heard about: that we
are representing Chris Roberts, and he is a security researcher (hey, Chris) and was recently detained by the FBI after tweeting during a flight about some security issues. We're going to try to help him navigate that situation. That said, we're not going to do too much talking about that in this session, so we'll ask not to do questions on that topic during this Ask the EFF. And with that, we'll try and keep our introductions short, so I will pass the mic to Bill.

Hi there. My name is Bill Budington, I am a software engineer at EFF. I've worked on various projects. One of the primary projects I've been working on over the past year is called Phantom DC. It's something that basically takes Congress, kicking and screaming, and wraps them in an API, because they don't like that, but we find it important to have the tools of democracy be in the public sphere. So we want that to be a tool that's easily usable by everyone. We've deployed it, and various other organizations in our same space have deployed it, and it's something that I feel is a very important project for open-sourcing democracy. I've also worked a little bit on Let's Encrypt, the client side of Let's Encrypt. Let's Encrypt is a project that basically takes the process of getting SSL certificates and makes it much easier to do, makes it a much more streamlined process, and also makes it a free process. So, you know, systems that want to deploy SSL on sites that they run can do so in a timely and efficient manner, and it also has all the security guarantees that TLS and SSL currently have. So those are a few of the projects I've been working on, and with that I'll pass it over to Nate.

I'm Nate Cardozo, I'm a staff attorney at EFF. I work on the Coders' Rights team with Kurt and Andrew, and I'm one of the lawyers representing Chris. I do a number of other projects at EFF; all of my work focuses on free speech and privacy. I'm suing the government of Ethiopia for wiretapping: they owned the computer of an American citizen in Silver Spring, Maryland, and wiretapped his Skype calls, and I'm going to argue that case in a couple of months; we don't have a date yet. I also work on EFF's Who Has Your Back report. This is the big chart where we recognize companies that have best practices in terms of protecting your data against government overreach, so I get to be on the nice calls with the companies where they yell and scream at me when I tell them I'm not going to give them a gold star. It's amazing the lengths that companies will go to for what we all used to like to get in kindergarten. The gold star has worth, I don't know why exactly, but it does. So those are the things that I do at EFF, and now Cooper.

Hi, I'm Cooper Quintin and I'm a staff technologist at EFF. I work on a number of different projects. My main project is Privacy Badger, which is our browser extension to block creepy third-party tracking online. I also work
on HTTPS Everywhere, which is our browser extension that tries to get you to use HTTPS whenever possible. I do web and privacy research. Another project that I've been working on recently is called Canary Watch, which is a website and a tool that will track warrant canaries for changes and takedowns. What's a warrant canary? So first I should explain what a national security letter is. A national security letter is an FBI order, rather than a court order, that the DOJ can send you, which orders you to give up business documents, communications of your customers, essentially subscriber information (thank you). That national security letter also has a gag order attached to it, which says that you can't tell anybody other than your lawyer that you've received this national security letter, and that gag order isn't overseen by a judge. This is the only process of this type: any random special agent in charge of an FBI investigation can send you this process and gag you from talking about it. So a warrant canary is a piece of text on your website, or wherever else, that says "we have not received any national security letters", and if you do receive a national security letter you could take that down or stop updating it. So Canary Watch watches these warrant canaries for changes and takedowns. So that's another project that I work on. Thanks.

I'm Andrew Crocker, I'm a staff attorney at EFF. I was previously a fellow, so I'm the newest staff attorney, and I work on the Coders' Rights Project with Nate and Kurt. I also do a lot of work on our national security and mass surveillance cases. I'm sure many of you are familiar with our cases against the NSA and their various forms of mass surveillance. One that's new in that area, and maybe you read in the Wall Street Journal in January or more recently in USA Today, is that the DEA is also engaged in mass surveillance. They collected all of Americans' phone calls to various countries for a very long time, since the early 90s, and in fact this program that they've been running since the 90s was the inspiration for the NSA's phone records tracking program. And so we at EFF wanted to do something about that, and with our friends at Human Rights Watch we just filed suit against the DEA, and we're trying to make sure that program is fully stopped. The DEA has said some things about how it's concluded it, very conveniently right after Snowden came out, so we're going to get to the bottom of that with Human Rights Watch.

I'm Noah Swartz, I'm also a staff technologist at EFF. I work on
Privacy Badger with Cooper. Privacy Badger is a browser extension that tries to watch for third-party resources on websites giving you tracking cookies, or cookies that can uniquely identify you. It blocks you from getting these cookies in the first place, and it blocks requests from these websites if it notices that they're tracking you across multiple domains. So as you go and read the New York Times and CNN and ABC, if the same resource is trying to look at which articles you're reading on all those sites, it stops accepting requests from them, so they can't see what you're reading online or what websites you're going to. Additionally, I work on this Privacy Lab, which is a sort of outreach program for people working on privacy tools or who do privacy activism. We have an event coming up April 23rd at the Mozilla office, and if you'd like to go to that I highly recommend it. You can find more information at wiki.mozilla.org, under Privacy Lab, and I'd like to see all of you there.

All right, so that was our brief introduction. So we would like to start answering your questions, if you have any. We have the mic out there for people to ask amplified questions. So let me see, does anybody have any questions that they would like to ask EFF? Oh come on, you know you've got a question. All right,
Chris, that is an excellent question: how do you get hold of EFF if you get in trouble? The best way to do it is actually to email info@eff.org. We have a full-time intake coordinator who tracks all those emails coming in and works with the internal teams to find the appropriate person to respond. In some instances we'll be able to represent people directly; in other instances we will refer you to additional counsel who you can work with. Unfortunately we do not have the bandwidth to take all the requests that we receive, but we do our best to make sure that people are in good hands.

Hi, hello. I'm at a small startup here in San Francisco, and what I was wondering is, do you have some self-service documents that we could provide to our legal department, our developers, our marketing people, so that we as an organization, rather than maybe doing an ad hoc job of trying to take care of people's privacy, are actually being a little bit more uniformly holistic about it? Thank you.

I'll address at least some of that. We have some things like a white paper on best practices for logging, and you can look to that to see what would be some good practices there. We don't have something like a standard privacy policy, because we actually think that you shouldn't have a standard one: the privacy policy describes what a particular company does, and it's going to vary company by company. But for some of the best practices on how to protect your users, we have Who Has Your Back, and I'll turn this over to Nate to explain a little bit about what we look for in that.

So yeah, as Kurt mentioned, we do have a white paper on online service providers' best practices, so definitely check that out. And then in terms of the Who Has Your Back report, we try and say what we think best practices are in terms of protecting user data: always require a warrant before turning over content; always notify your user before turning over content and give the user an opportunity to contest it (unless of course you're gagged, then you have to follow the gag); things like that. And then be transparent, tell your users what your policies are. One of the things that we recommend early-stage startups do is wrap their heads around what they're going to do the first time they get legal process. Have a plan. You don't necessarily have to have fully fleshed-out policies, but you do need to know in general what you're going to do, and if what you're going to do is call EFF, that's great; make sure your frontline employees know that that's the plan. If your policy is call outside counsel, make sure that the frontline employees know that that's the policy, and make sure they know that they're going to do that before they comply with process.

Additionally, if your startup is something that provides a service to people and you collect data about the users of your product, Privacy Badger includes in it a Do Not Track policy which we think respects users' privacy, and it sets standards for how to anonymize data and how long to retain it, and additional sort of privacy practices that we at EFF think are good. And if you do so, then Privacy Badger will allow you to use cookies for sessions. So if you are providing a service, it's something that you should read, and hopefully... I'll let Cooper say the... So the Do Not Track policy document is if
you're providing a third-party service. If your product is being embedded in other people's websites, this will indicate that you do respect Do Not Track, and a very specific set of standards for that.

So there have been a lot of bills in front of Congress right now; I think they're calling it cyber legislation week. There's been a bunch of different activities from different groups opposing or supporting the various bills in Congress. I haven't seen a lot of work from EFF on these bills, and I'm wondering, well, maybe I missed it, I'm wondering if you guys think that being in San Francisco has isolated you from the power elite in Washington, and if you need a bigger presence in DC.

So most of the work that we do, that we're doing right now at least, is behind the scenes. Mark Jaycox, who's trying to hide behind that banner back there, is our full-time legislative analyst; he's on calls most of the day every day. Kurt and I are working with a number of different groups, but at this point it's very much behind the scenes. I'm not sure there's anything we support right now that's in Congress. We, you know... so I guess 215.

Do you think that you need to have a bigger presence in Washington to be more effective or not, or are you okay out here in San Francisco?

We are okay out here in beautiful, sunny San Francisco. And you know, so this is a little bit of different strategies. There are ways in which you can influence policies that are sort of an inside play when you're in DC, and there are ways that you can do outside. So we attempt to try and make the world a better place, make a future we want to live in, through more of an outside play. So we get a lot of grassroots activism. This is a little bit of what Bill was talking about: making it easier for constituents to get in touch with their representatives and tell them what they think is important to them, and legislators listen to that. We also try and put out policy positions, explain our positions in blog posts, and we have done so on some of the cybersecurity bills that are coming up. A lot of that was around the time they were first proposed by the White House, so this was in January sometime, but we've also been sort of active in trying to get grassroots support or opposition to bills. We have connections in DC, but there's also an insider strategy, and there are groups based in DC who do more of that; they have more direct meetings with legislators and with their staff, and there's value to that approach as well. If you're familiar with the Center for Democracy and Technology, or CDT, they are based in DC; they do more of that approach, they're very much an insider. And as you may know, or may not because it's getting to be kind of old history now, there was a split at one point where a portion of EFF went and founded CDT, wanting to pursue more of that strategy, while a portion of EFF kept the name and moved to San Francisco to do more of an outsider litigation and grassroots strategy. And I think there's a place in the ecosystem for both.

It's also important, and the activism team at EFF can tell you this a lot better than I can, to build coalitions that can get the job done together. So we work with, as you said, CDT and other organizations such as the Sunlight Foundation that are situated in the Beltway, so that we can more effectively reach out to the legislative bodies that do exist. Basically, whenever I go up to the activism portion of the building, they're always on the phone with, you know, coalition building, creating those links that are important to actually get the word out. And you can visit our website, act.eff.org; we have a number of actions that are available that you can take part in, that are calling for any number of things, for instance stopping the mass bulk collection by the NSA, or stopping the new CISA bill, or any number of things. The technology that makes that possible is something that we've been building through our Action Center, and a lot of the organizations in the Beltway are using that now too. And also, so the Action Center is one, and there's a piece of, like, micro-infrastructure, I would say, called Phantom DC, and I've been working very closely on this part. Phantom DC is Phantom of the Capitol, and it's basically something that wraps the process of filling out congressional forms in an API, as I said. So the server actually goes out and, through PhantomJS, fills out forms for the end user and commonizes it. So typically, if you're targeting the Senate and the House, you have to know your ZIP+4, you have to fill out your first name three times, for each one of your members of Congress, you have to know who your members of Congress are (a lot of ZIP codes are split in that). So this kind of process is very arduous for most people just trying to get in contact with their reps. This has been streamlined, and this problem has basically been fixed by open-sourcing the tools of democracy, not through any congressional action but through grassroots activism, making it possible for us to get in contact with our reps. So, and I'm happy to talk about any of the technology stack that is involved there as
well.

Do you guys have anything to say about the upcoming Patriot Act reauthorization in a few months or whatever?

Sure. So what the question was about, the upcoming, I guess, well, I would phrase it the upcoming sunset of Section 215 of the Patriot Act; the question of course is whether it will be reauthorized. So Section 215 of the Patriot Act was first enacted, along with the rest of the Patriot Act, in the wake of 9/11, in October 2001, and the provision said that, it empowered the government to obtain some records, "some tangible things" actually was the term, and to do so with less than the sort of ordinary process. At the time when it was passed it was known as the library provision. The fear of civil libertarians was that the government would use this to obtain library records, look at what books you checked out, and maybe make some assumptions about what your intents or behavior were based on your library books, and it was opposed at that time. And I could sort of only imagine that the government was sort of, you know, chuckling when they saw this, because in fact they were using it for something else, and far more expansive and I would say nefarious. Under this section, they started in around 2004 to issue 215 orders to various telecommunication service providers, saying that they want all the records of all your customers' calls, foreign and domestic, local included, every 90 days, and then they would issue another one the next 90 days. This was the telephone records program. Previously, before that, they had been doing this based upon the executive authority, the president's sort of inherent power as president. It turns out that wasn't a particularly strong legal basis; there was a big debate within the government about whether that was good enough, which led to threats of resignation from the attorney general and the then director of the FBI. And so eventually they decided to switch it, not to stop the program, but to come up with a, well, shall we say creative legal argument that this Section 215 provided that authority. And then for the years since they've been gobbling up all of your records of all of the calls.

All right. And so, as things were done in the Patriot Act, and as is often done when there are provisions that are heartily argued against by people who are concerned about civil liberties, they say, well, you know, we're in a special time right now, but I'll tell you what, we'll put a sunset provision in it so that on its own authority it will expire after a certain period of time. And this section will expire on June 1st unless Congress does something to reauthorize it. And what has happened between when it was last reauthorized and today is that the Edward Snowden leaks have revealed, in some glorious detail, what had been reported on in the news previously, but now we got to see the actual orders, for example to Verizon Business Services, showing a 90-day order for all of the records. And this has made it so many people, ourselves included, have been saying that we should not reauthorize this. This was a bad idea; it wasn't what the intent... even the author of the Patriot Act would concede that this was not what was intended by this bill. And so this is now, if there's any time to do reforms and to try to rein in the government's power to look at all the records, now is that time. Nate?

And if you want to help the fight against 215, you can go to fight215.org. It's a coalition of 32 different organizations who are trying desperately to make sure that 215 is not reauthorized on June 1st. So fight215.org... no, wait, Mark is shaking his head. Never mind, it's fight215.org, isn't
it? Okay. To end mass surveillance under the Patriot Act, hopefully also including not reauthorizing 215. Sure, I'll... yeah, that's good enough. All right, anyone else? More questions?

So what is the current status of the lawsuit against the LA Police Department and LA Sheriff's Department for one week's worth of license plate data, and how does the recent release of all the license plate reader data from the Oakland Police Department figure into that, if at all?

Okay, so background on the question. EFF and the ACLU of Southern California sued the LA Sheriff's Department and the LA Police Department for one week's worth of ALPR (automatic license plate reader) data, from a week during Ramadan a couple of years ago. The LA Sheriff and LAPD denied our request, saying that every single license plate capture in Los Angeles that week was part of an ongoing investigation, and that as such they didn't have to release the data; exempt under the California Public Records Act. We sued; we filed a petition for writ of mandate in Los Angeles Superior Court, lost at the district court level, and the appeal was heard last month or the month before. And I believe the California Court of Appeal has 90 days by statute to rule on that, so we'll get a ruling next month, probably. They usually wait until the last day, because they're judges and they can do that. So we'll get a ruling next month or so. How does the release of the Oakland data affect the case? Not at all. The Oakland PD had no problem releasing the same data to Ars Technica and a reporter named Cyrus Farivar, who's a great guy and a good friend. That release makes no difference; different agencies are allowed to interpret the law differently, and they're allowed to be completely arbitrary about it, and that makes no difference. Welcome to California Public Records Act law. Oh, sure, we also have a great visualization on our site of that Oakland data; it's set to music. It sounds like you've heard it, but it's pretty
cool.

Yeah, so I believe there are some within EFF who have taken a position against the sale of exploits, like zero-days and whatnot, and you occasionally hear from some quarters accusations of hypocrisy on that, because you also say code is speech. So I wonder what you make of all this, and whether EFF actually does have an institutional position on the sale of exploits.

All right, thank you for raising that. So first of all, absolutely, code is speech. This is something which is core to EFF, and we were part of the first case that addressed that. And this has not varied, and you know, if there were to be a law that said that you could not talk about an exploit, give away an exploit, that law would face some serious First Amendment problems. What we've asked people to do, not so much as have a law to prevent this, but to think about whether the exploit would be best exposed as a vulnerability, and trying to fix the problem. I mean, the concern is that if an exploit is being used improperly, and we have seen examples of where exploits have gone to governments, including our own, and been used in ways that are not freedom-enhancing but rather to increase surveillance and spying, that is something where it would be better for society if we work together to try and identify vulnerabilities and get them fixed. And there's a balancing that can be done, and one of the things actually we are trying to find out a little bit more about is how the US government does that balancing. You know, you might say, look, the exploit is a 0-day on a system that is only used by a foreign military; there's not much chance for consumer harm out of that, and that may be correct. But if it's an exploit on a popular operating system that is used by average civilians all around the world, it is better off if we try and fix that vulnerability, because it could be found by others, it could be being exploited by others, and the dangers inherent in having that exploit unpatched are greater dangers. So we actually did a Freedom of Information Act request to try and get more information about the government's vulnerability equities process, which I'll turn over to Andrew to talk a little bit more about.

Yes, so after the Heartbleed revelations last April, I guess, there was a story, now said to be false, that the NSA knew about Heartbleed. And in response to that, the NSA and other parts of the government came out and said, no, no, we didn't know about Heartbleed, and in fact we have this policy that Kurt was mentioning, the Vulnerabilities Equities Process, that helps us decide whether we should disclose a vulnerability that we find out about. We usually disclose, but in some rare cases we don't disclose it and we use it for intelligence purposes. And that's about all they said about it. That led us to file a Freedom of Information Act request. Surprisingly, they didn't respond to it, so we sued them; we sued the NSA and the Office of the Director of National Intelligence, and because we sued them we've received some documents, very, very few, that talk about the development of this process but really don't go into any detail. I will say that tomorrow is the last release as part of our suit, so fingers crossed, maybe we'll see the policy and we'll know a whole lot more tomorrow morning about exactly how the government does this, but we have to wait and see. So far it looks like they really don't have much of a policy in place, and we've seen other stories aside from the Heartbleed story, notably one in The Intercept about the CIA's hacker jamboree, where they've used all kinds of vulnerabilities to hack Apple devices and others, and no mention in there, or in any of the documents that went along with it, of any kind of equities process. So we'll see.

And just to be clear, there is no law in the United States banning the sale of exploits. There is such a law in Europe; that's called the Wassenaar Arrangement. The Wassenaar Arrangement has been signed but not ratified by the United States; it is not in force here. And we have spoken early and often, and will continue to do so, that the Wassenaar Arrangement, if adopted into United States domestic law, would violate the First Amendment as written, and it would have serious negative effects on this community. So the Wassenaar Arrangement: bad. I mean, not everything about Wassenaar is bad, but there are significant portions of Wassenaar, the portions that you guys care about, that are all bad.
next so I had a question about Warren canaries and how effective they actually are in determining whether or not a company has been served with an NSL and kind of more specifically is there ever a situation where as part of the NSL they could the government could stipulate that they have to continue the warrant Canary in order to prevent from people from finding out or if after the fact the government could you know impose some fine or something like that for the use of a warrant Canary so the the short I'll let KK give the long answer but the short answer is warrant canaries have never been tested in court okay uh but I'll give the the the longer
answer so as an initial matter I mean a warrant Canary is kind of an interesting thing as as Nate said it's has hasn't been tested um and in a sense it is uh you know a a entity a service provider being as honest and transparent about government process as the law allows and so if they have never received a national security letter then they publish for example a transparency report and he put zero in the column for national security letters and in a a recent uh uh lawsuit uh concerning transparency about national security letters uh the government conceded in their in their responsive papers that while they think it's a terrible idea and no one should do this that it was
not illegal to say zero if you have never received a national security letter and that you know that's right they uh the obligations that arise with a national security letter do not arise until you receive one so then the interesting question arises if you do receive them then what and so if you previously said zero can you do you now have an obligation to lie to your customers and continue to say zero even though this is now false that is to say can the government compel you to say false speech um and that is a question which hasn't been addressed in the warrant Canary context it has been addressed in several other contexts uh so for example
the government can compel you to say truthful speech from time to time. An example of where that has come up is cigarette smoking warnings, where you are compelled to put a warning on a pack of cigarettes if you're going to sell that in commerce. Another example that came up was that Planned Parenthood challenged a requirement that they tell people who were interested in getting an abortion that they would have an increased ideation of suicide if they did so, or at least that it was likely. Planned Parenthood challenged that, and one of the questions the court addressed was: was there science behind this, was this a truthful thing? They felt that it was sufficiently established as truthful, and then Planned Parenthood was required to give out that information. So it would be a fairly new thing if the government could compel false speech; however, not having been tested in a national security context, the government would probably argue that perhaps that was important. The way that I would like to see this challenged is well in advance of disclosure, so that if somebody had previously said zero and then came into a circumstance where they got a national security letter, this would be a really great time to call your counsel, and if you don't have one, info@eff.org would be a good way to reach out, because it would be best to go to the court for a declaration of whether or not you are required to do this before the time period comes where you either have to do it or not do it. And then there's some concern that if it's in an emergency situation and the FBI is telling the court, you know, blood will be on your hands unless you require this, courts do not necessarily want to do something that is radical and would endanger somebody without fully considering it. So we want to come at the court under the right circumstances. So I guess the longer answer, to sum up, is: it hasn't been tested in court, contact your counsel should this situation arise, and we will hope for the best.

And I think there was a second part to your question too, which is how reliable is it? If a canary goes away, how certain can I be that this company did receive an NSL? The answer is it depends, and there are a lot of reasons a canary could go down, right? The person in
charge of updating it, if it's a standalone canary, could forget to update it, or be sick, or be fired, right? If it's in a transparency report, other sections of the corporation might decide to change that transparency report for business reasons, or maybe their lawyers have advised them not to have a canary and so they've removed it for that reason, right? So I think each case where there's a warrant canary and it changes or goes away needs to be taken into consideration on its own, right? And you can do things like reach out to the organization and say, hey, you had a warrant canary and it's changed, what happened there? And if they say, oh, we forgot to update it, then you know, right? Or if they say no comment, right, then you might have a better idea. But the deal is you can't really ever know, right, and that's because of the gag order. There is really no surefire way to tell, so you just have to essentially do a little bit of threat modeling and decide how likely you think it is and whether or not you want to continue using that service.

And just on a related note, we also are in the process of challenging the underlying gag as unconstitutional. So we represent two companies, we can't tell you their names because they're under gags, but both of them have challenged the gag order associated with an NSL that they have received, and we won at the first level of courts, where the court found it was an unconstitutional gag, but stayed its decision pending the government's appeal. The government of course did appeal. We argued that case before the Ninth Circuit right here in San Francisco. I argued this case in October just a few blocks from here at the Ninth Circuit building, and we are awaiting the court's decision. Six months is not an unusual time frame, so we are hopeful that it'll come soon, but we don't know when it'll be.

We just have, I think, ten minutes, so time for two more questions, I think.

Sure, yeah. So it seems like there appears to be quite a bit of momentum around new cybercrime laws in Washington, of which many may impact security researchers due to the broadening of the, you know, lack of definition and the technicalities of what we do. Can you kind of update the researchers on that, and if there's anything we should be doing in the short term that may, you know, put us in harm's way?

Well, let me say how best
to answer that. We have a couple of proposals that have come out of the White House. One is the cyber information sharing bill, and that seems to have some momentum. Another is a set of changes to the Computer Fraud and Abuse Act, which is sort of the primary anti-hacking law; that's probably the one that, as security researchers, you should be the most concerned about. There's another one which is about reporting when there are security breaches, so you should at least pay attention to that one. And there are other processes which are underway.

To focus briefly on what I think is the one of most concern to this community: the White House has proposed a set of proposals which is actually similar to what they have proposed in the past. These are not new ideas, but they are adding the "oh my God, Sony just got hacked, you've got to do something, cyber cyber cyber" to it, and so that may give it a little bit more momentum. Now, none of the things that they have proposed, if they had been in place, would have made a difference in the Sony hack; it actually would not have helped, but these sorts of things don't necessarily matter in DC.

It has a couple of provisions which are very concerning to us. One is that there was a provision which had talked about sharing of passwords, and they broadened that to talk about sharing of means of access, and this was not defined. There are certainly concerns that means of access is fairly broad. When you're sharing a password, there are times when actually it can be quite legitimate to share a password; you might point out that a vulnerability is that this thing has this default password, and so on, but nevertheless it is a fairly narrow circumstance. Means of access: there are a lot of things, when you're doing a proof of concept, an exploit, that you could decide to be a means of access. And so the limitation that they put on this is, not in so many words, that you're doing it sort of in a bad way, and doing it in a bad way is also much broader than doing something illegal. I would be hopeful that of course no one would say that talking about a vulnerability is one of these bad ways because it embarrasses the company, but I don't want to give
prosecutors the opportunity to make that argument. And then a second aspect of it is there's currently a provision about exceeding authorized access, and so this is when you have some form of access to a system and then you exceed what you are given. There are some ways of doing that which are kind of like hacking, that may make sense to be in an anti-hacking law, where you're going past a technical protection measure, you're escalating your privileges. And there are other ways of exceeding authorized access which are not technology based; they're not hacking in any kind of traditional sense, and that is something like where there is a policy that says you shouldn't do that but there is no technical reason why you should not. So this policy may be in the terms of use for the website, or it may be in an employee handbook that says what employees may do. We've taken the position, and several circuit courts, appellate courts, have agreed, that you shouldn't criminalize what is essentially a breach of contract. Even if the terms of service of the Seventeen magazine online website say no one under 18 shall look at this site, it shouldn't be a felony if a 17-year-old goes and looks at Seventeen magazine. They've since changed that term from their position, so it's no longer a potential felony, but nevertheless we were pointing out some of these ridiculous things, and courts have agreed. What the Department of Justice would like to do would be to change that so it is clearer that violations of terms of use and terms of service can be treated as exceeding authorized access. They put some limitations on that, but the limitations are not satisfactory. So as it stands, their CFAA proposal is a fairly dangerous piece of legislation if it is interpreted negatively. Obviously, if it did pass, we would go to the courts and try to get the courts to interpret it in a good manner, but it'd be far better if it didn't pass, and we'll see; it hasn't gotten the kind of legs that some of the other provisions had.

So we have two minutes left, so we'll give it one last question.

Well, where are you guys at with the battle with the ESA over the DMCA exemption for museums, when it comes to preserving old software and games, the DMCA exemption process? Have either of you guys worked on that?

I don't think any of us on stage now.

Oh, really?

Yeah. So we have been involved as an institution in the
DMCA. The DMCA is the Digital Millennium Copyright Act. It has a process every three years where you can seek exemptions from rules that would otherwise prohibit you from hacking on DRM materials, and I believe that we have filed several comments seeking exemptions. I know that there was an exemption that was proposed that would allow for the preservation of old video games, but I have not worked on that project, and my colleagues have, so I don't know whether we were directly involved in that or not.

No? Oh, no one might know.

All right, great. I know a little. This is specifically with running game servers or stuff for abandoned video games, and I think the state of it currently is that we submitted our comment, the games company submitted a rebuttal, it was turned down, and I think there's an additional phase of comments going on, and I think we're going to resubmit to try to get it to pass, otherwise possibly do things outside of the normal DMCA exemption process to get it to pass.

On the previous question, of the Computer Fraud and Abuse Act, it's important to note, and I'm not a lawyer, so correct me if I'm wrong, that there are local statutes as well that you are subject to, being overridden by local law. In a recent case there was an eighth grader in Florida who was charged with a felony for changing the background of his teacher's desktop. So this is a particularly egregious case, and this is because the minimum requirements of the law in Florida are that the alleged perpetrator should be charged with a felony rather than a misdemeanor; the CFAA mandates a misdemeanor be charged.

Oh yeah, I should have added just one other thing... oh well, never mind, we've got to stop now. So, all right, I'll just quickly add: one of the other changes in the White House proposal about the CFAA is they basically eliminated misdemeanors; everything is a felony, with one or two small exceptions. And here's the thing: there are people who like to hack on computers and might be doing something that maybe we don't want to say is completely great, but it probably would be best if it could be charged as a misdemeanor so that they can go on and lead productive lives in society afterwards. Having everything be a felony, where the choice is either it's totally cool or it's a five-year penalty, really doesn't give the space for people to make a minor mistake, know that it was a mistake, and nevertheless be able to continue to be contributing members of society.

All right, so thank you very much. We loved your questions, and thank you for coming to BSides.