Ask the EFF: The Year in Digital Civil Liberties
3:52PM Aug 1, 2020
Thumbs up releases free for download.
I'm a big advocate of free culture and copyright reform. And I'm also an active member of the demoscene, doing some programming code for graphics, and also artists, digital artists of different sorts, doing noise, music and that kind of stuff. So, yeah. Oh, nice to meet you all, and hope you have a great HOPE.
Good afternoon, good morning if you're on the West Coast; welcome back, wherever you are. We are here with the EFF panel, which I am excited to see come back to HOPE yet again. Our hope, of course, is supporting the EFF with a fundraiser, and we would very much encourage you to visit the website. Look at the information on that; we want you to donate to that fundraiser, we want to hit our goals this year to support the EFF, our nation's premier civil liberties organization for digital rights and for the internet. So I'm going to turn it over to Kurt Opsahl from EFF to introduce our panelists and for them to give us their update for the year. And we're going to be going into a Q&A session a little bit later. So if you're not already signed into Matrix chat, please do sign in there. Please prep your questions. And we'll be picking from those questions for the conversation for the rest of the two-hour session that we have here. Kurt, over to you.
Thank you. Thank you. It's great to be back at HOPE. It's a little strange this year, not being with everybody in person. I certainly miss seeing you all directly, but we're glad to be back and offering, as the EFF, the year in digital civil liberties, as we do. So, for those who are new to this, this is basically an AMA-style conversation with the Electronic Frontier Foundation. We will give a short introduction, so we'll go down the panel: my co-panelists will introduce themselves and talk a little bit about their work. And then we turn it over to you for your questions, and we hope that the introductions inspire some of your questions, but you can feel free to ask any questions that you'd like of the EFF. A couple of things to sort of start out as ground rules. One is that, as many of you know, the EFF does provide legal advice, particularly for this community. We have the Coders' Rights Project, where we represent security researchers who have legal questions about their research, about publishing their research. However, this is not the time to bring your privileged conversations or questions about specific things that you may have done. You want that to be an attorney-client privileged conversation, which is not something which is here, but the entire world on a livestream. So this also includes, you know, thinly veiled hypotheticals about your friend who has a surprisingly similar situation. Like, if you have a real legal question about your own situation, talk to us on a different forum. But we can talk more generally about legal issues. And if you do need to reach out, the info@eff.org email address goes to our wonderful intake coordination team, who will then route it to the appropriate people, and it goes into our ticketing system. So we will try to get back to you quickly with any kind of legal situation you may have. So with that.
Well, I'll start out talking a little bit about some of the things that I've been working on. One, of course, is Coders' Rights. We've been talking to a number of people who are presenting at various summer security conferences. That has been exciting. So far, so good on that.
But there's not much in detail I can go into on the particular situations until their presentations have concluded and we've found there's no troubles. But another thing that I've been working on is COVID apps. We currently have a pandemic, where contact tracing is considered to be a very important aspect of trying to rein it in. Contact tracing is the process where you find someone is infected and you try to figure out who they may have infected themselves before they went into quarantine. It's used to help stop the spread and get those people either to get tested or to quarantine themselves until they can get tested. So it can be very helpful. And a lot of people said, well, why don't we apply technology to that? And I totally appreciate that people want to use technology to try to improve the circumstances, but oftentimes, when you bring technology to these things, it raises new, additional issues. And this is no different for contact tracing and COVID apps. So we were looking at that, and there's a bit of a trade-off, I guess some people will say, but I think you could actually do it well without making sacrifices to essential liberties. And the rising, likely winner in this is the notion of decentralized contact tracing, which is more proximity tracing: trying to have records of when you've been in proximity with somebody else, as opposed to location. And I think a lot of the bad ideas that came out in contact tracing were focused on trying to keep permanent records of where everybody was at all times, to enable contact tracing later. And that's a lot more information than you need to accomplish the job. And it has a tremendous effect on civil liberties if there's a permanent record of where you've been. But nevertheless, your right to association is also an important aspect of civil liberties. So a permanent record of whoever you've met is also sensitive. And so the better way forward on that is to have user control.
The information stays on the device until it is needed, with a lot of effort on optimizing the information when it is provided. And it is notifying people that they may have been contacted, and they can take the next step of going in and getting tested. So a lighter touch, but one more protective of civil liberties. But that is not all: how do we make sure that doesn't do any harm? Well, a very important one, a starting point, is informed, voluntary, opt-in consent, the fundamental requirement. And this includes informal pressure; for example, saying that you can't enter into this space unless you have this app working, things like that, are a way to manufacture consent. And we need the ability to turn it off. There may be times when you're engaged in something sensitive, like political organizing, or maybe you're a healthcare worker and you're going into a situation where you're going to have high contact with people with COVID, and you don't want to create a whole bunch of unnecessary contacts, because you know what that situation is and you're taking appropriate precautions. Another key principle is minimization: proximity tracking for contact tracing should collect the least possible information. So this is maybe just that you're in proximity, maybe a vague piece of information about the time; you don't need to know the precise time, you don't need to know the precise location, it just needs to know approximately when, to work out the quarantine time. Another thing, probably very important to this community, is information security. These are going to be apps that are going to be running constantly on people's phones; they're going to have access to at least Bluetooth and maybe some other functions on the phone. Unfortunately, I've seen that apps that are rushed into production due to a crisis sometimes skip over the information security step.
And this will be a tempting target if the app actually gets popularized and is used by millions and millions of people. So these apps need to be robustly tested by independent researchers, and also some transparency: put out the code, allow a lot of people to look at that, not only testing the app but looking for bugs within the code, and make sure, as best we can, that we've identified as many bugs as possible before it goes into popular use.
And we're making sure that the apps are addressing some of the biases that will come from use of these apps. The apps can be biased in two ways. One is the bias inherent in who has access to smartphone technologies and would be able to use the app; that is not 100% of the population. And if you make things dependent on having a smartphone app, you're leaving some people out of that picture. It also may affect the resources that are provided by the government. So if they are looking at the app as a source of what the truth is and where resources are needed, that means that these communities will be less likely to get the materials, because they didn't have the smartphones in the first place. I think, finally, a very important limitation: it has to have an expiration date; it has to end. There's been an unfortunate history of things done in an emergency situation that continue after the emergency has ended. And so any of these apps need to have an expiration date, along with the ability of someone to independently turn it off, you know. Anyway, that's just some of our thoughts on COVID apps. But let me turn it over to our next panelist. Alexis, introduce yourself. Thank you.
Hi, I'm Alexis Hancock. I'm a staff technologist at the Electronic Frontier Foundation. I primarily work on HTTPS Everywhere, a web extension that's available on Chrome and Firefox, packaged in Tor, and also used within Brave. And I probably work on that piece where we're building tools within tech projects, and I also focus on researching things around the realm of mobile phones and consumer privacy. And with what Kurt said around COVID, I've been working on COVID immunity passport research and digital identities. So a lot of it entails, as he said, where there have been some technical solutions around enforcing what it could look like when we reenter society, without proven science or knowledge of what immunity looks like. So I've been seeing a lot of problematic apps out there and proposals around COVID immunity passports in particular. And that really concerns me around tech equity, and researching the standards that are being put in place to enforce these things. The fact is that immunity passports aren't really standardized; the documentation is not just simply test results. It's an actual formal document that could have a dynamic status and a permanent status, depending on what type of technology gets used and when, and in what context, especially with law enforcement or your employer or a venue you're trying to enter, or simply a space you're trying to enter in the public space. So those really worry me in particular when it comes to COVID. And I've been focused on that piece, especially with a bill that's been in California that mentioned COVID immunity passports, not in that particular language, but it's pretty much hinting at that, and we're scared that will give us a way to formalize digital documentation as the first standard, and that will probably lead to conversations around nationalized IDs in the US, and a database where it's more centralized and more subject to breach.
Other than that, I do a lot of research in other realms where I try to focus on tech equity in particular, usually around usage of mobile phones, discussing with different communities, and my activism around how to keep themselves safe with their tech. And with that, I work on the Security Education Companion at sec.eff.org, to help security trainers and people out there stay safe and train other people to stay safe online.
And I'll pass it to the next panelist.
I believe that's me, yeah. So hi, my name is Dr. McKinney and I am the Director of Federal Affairs at EFF, which is a fancy way of saying that I am a lobbyist. So the first time I ever went to one of these conferences, and I learned a little bit about social engineering, I felt very uncomfortable, because the principles of persuasion that social engineers use to talk people out of their passwords and their Social Security numbers are the same principles that I use to convince lawmakers that they should listen to us. And sometimes it really helps when current events sort of overtake some of the things that we've been working on. So for example, one of the things that I've been working on for a number of years with the EFF is our facial recognition advocacy, and all of the civil liberties risks that come with facial recognition technology when it's deployed, and who has access to it, and should your face be able to be used for your identification, and all the ways the TSA wants to use it. And we think that's terrible. And so what's really interesting with some of the news events that have happened in the world is lawmakers are really attuned to what's happening back home in their districts. And so then all of a sudden, people started calling us back, because we had already established this incredible body of record and a body of work. And so we had just kept putting it on their desks. And so when they finally had some questions, and they wanted to actually introduce legislation related to a ban on facial recognition, they called us to make sure that their legislation was actually going to do the things that they wanted it to do. So that was a really great thing to do. So I used to work on Capitol Hill, so I actually understand the legislative process from the inside. And I use some of that knowledge to help us figure out how to target our resources on bills that are actually a threat, as opposed to the thousands of other federal bills that never move.
Every two-year cycle, there's about 5,000 pieces of legislation that are introduced. Most of them are never going to go anywhere; you're never going to know about them, you're never going to hear about them, they don't matter. So what's the difference between those bills and bills like the EARN IT Act, that are a very real threat in the world? So for those who don't know, the EARN IT Act is a bill from Senators Blumenthal and Graham that would massively change the way Section 230 works for internet platforms, with a little side bonus of allowing the DOJ to actually force companies to break encryption. EFF recognized very, very early on what exactly the threat of this bill was, what the legislation actually said, because they were very sneaky about how they did it. And so we have been very active in opposing this bill very early on. And I'm very proud of the way our advocacy around this has unfolded. In fact, in large part because of our activism and our lobbying and our successful grassroots efforts, the bill sponsors actually radically changed the structure of the bill. So now it's a little more complicated and it's a little more sneaky. Still very bad. And we can get into all the details later if you want. But a lot of the way that the bill process unfolded had a lot to do with the way that we were successfully talking to the world and talking to other lawmakers, and really convincing people that it's a really terrible idea to let the DOJ control whether or not you're allowed to have end-to-end encrypted messaging, which it is, full stop. So, really looking forward to taking your questions. My job is super awesome, and I really love talking about the legislative process. So I'm really interested to hear whatever questions you have for us on that, and I will pass to the next person.
Companies have terms that prohibit all kinds of things, from reverse engineering to scraping, you know, what have you, that a researcher might need to do. But the government's really broad interpretation of the CFAA would make that kind of research a crime if it violates terms. And that's a serious disincentive that prevents some independent researchers from doing this really important work, right, and work that's to everyone's benefit. I'm going to stop there for now. I am happy to take questions about this. I love talking about it, and we're expecting a Supreme Court decision about it sometime in this next year, which is very exciting. So stay tuned for that. But for now I'll pass it along to Rory.
Hey, thanks. And thank you again for having us. I'm Rory, um, the most recent addition to the EFF activism team. I started in March, so it's been an interesting time to join the organization, to say the least. I'm the grassroots advocacy organizer, which is part of the organizing team, which manages the Electronic Frontier Alliance. So the Electronic Frontier Alliance, hopefully you've heard of, is a network of local organizations working on important local issues that aren't always taken up by national organizations like the EFF. Unfortunately, the EFF can't be everywhere at once. So it really falls on these local organizations to advocate for their city, for their state, to make sure that our digital rights are defended, to make sure that their neighbors and people in their community are also empowered to take action, and are well informed about how to stay safe and how these technologies work. So the EFA started, the EFF started the EFA, I should say, to support these organizations and give them a system of support. And I'm happy to say we now have more than 70 grassroots organizations in our network across the entire US, and it's continuing to grow. So prior to the EFF, I was actually a member of one of these EFA organizations, the Cyber Collective in New York City. So I'm lucky enough that I'm now on the managing side of it. But I was a member of one of the groups earlier, so I get to see the whole picture of what it has to offer. So groups in the network do remain completely autonomous.
And it's really important to us to keep it distributed instead of overly centralized, because we don't want to be the bottleneck preventing people from organizing; we want to make sure that they are empowered to work together, share resources, and all while we still offer whatever support we can, and plenty of opportunities to join our campaigns when it's aligned with their local issues. And I think a really cool aspect of the Alliance is these community organizations. While the EFF might be experts in digital rights, these community organizations tend to also be experts in their own community. An example might be a student group; there are many student groups in the EFA, and they know plenty about student rights and issues particular to their campus. So we can help lift up the digital rights component of that, for things like the upcoming semester: a lot of concerns with the pandemic, concerns with contact tracing apps being required or proctoring software being required. We can help them on the digital rights front, and they bring their own expertise to the issue as well. So members of the EFA are just asked to have accessible events, and to endorse the EFA's five core principles, which are supporting free expression, security, privacy, creativity, and access to knowledge. And as long as they endorse those principles, we're happy to work with folks. It's okay if they don't have full alignment with the EFF's stance on issues, as long as we're all working towards the same end. We want a really broad coalition, a really broad network. And broadly speaking, these groups fall into three buckets. One, community education advocates, and that's like the Cyber Collective I was a part of, or CryptoParty Ann Arbor in Michigan, that are working, usually with libraries or universities, to help people learn how to stay safe, having crypto parties. There's also hackerspaces and makerspaces, like Crash Space in LA or DEF CON 201 in New Jersey.
And then our advocacy groups, such as the Surveillance Technology Oversight Project in NYC, or PDX Privacy in Portland. And it's really interesting to bring all these different kinds of strategies and all these different types of community engagement together, especially when people cross those different categories.
So some recent big wins I want to throw out there. Especially for the educators and makerspaces, it's been really hard to pivot to be online. That sort of community work kind of necessarily involves hanging out with people in your community and talking with them face to face. So it's been a difficult transition, but I'm really happy to say our groups have been incredibly resilient and have been sharing resources on how to have streaming events, and maybe even conferences. For example, We Are Privacy Lab is a member that had the Fun the Curve summit in July. And then just a shout-out to DEF CON 201 and Ethics in Tech, again for being super involved in streaming events. And of course, at events like this one, at HOPE we have Cyber Collective and DEF CON 201 giving many talks and engaging with the community in that way. And then, of course, advocacy. We've had some really great wins and great efforts. I'll shout out the Surveillance Technology Oversight Project in New York passing the POST Act, or the Police Oversight and Surveillance Technology Act, in New York City, an amazing win, totally down to their efforts. So now the NYPD must set policies on surveillance and actually follow those policies. And then there's groups like PDX Privacy, which have been doing great work on banning face recognition in their city, and things like CCOPS, or Community Control Over Police Surveillance, and militarization. So we have these groups across the country doing these amazing local things. I want to just quickly plug: if you are part of a group, and I think there's a lot of folks that are, feel free to email me, rory at eff.org, or organizing at eff.org. Or if you want to learn more, there's eff.org/fight. Yeah. Happy to work with y'all. All right.
Well, thank you, Rory. So, Kurt, do you want to take some questions now?
Yes, absolutely. We've had some good questions come in. And so thanks; keep those questions coming. So one of the questions... do you want to read our last question?
Yeah, so we have a few questions already in the chat. I just want to remind people, if they're not logged into Matrix, please log into Matrix chat for your questions in the session Q&A channel, and we will get them teed up for here. So one of the things that's come up a couple of times with the comments in the Q&A is summed up, I think, by this question: what more can we do, besides encouraging others to visit sites like the EFF, to inform and educate others, from attorneys to activists to average technology users, to learn about their civil rights and liberties and violations of such, and to advocate for themselves?
So I can take that? That's a really, really great question. And it's sort of the fundamental basis for all of the work that we do. So the first thing is, like, there's a lot of stuff out there that's really scary. And especially once you start looking under the hood of what is technologically possible with a lot of things, there's a lot that can really freak you out. The thing is, though, that doesn't mean you should just give up. There have always been a lot of threats that have always existed in the real world, as well as now the digital world, but when we leave our home every day, we lock our front door; when you go somewhere in your car, you get out of your car and you lock the door. That doesn't mean that somebody can't break into your house. That doesn't mean that somebody can't break into your car. But you still lock your door, you still lock your house. So the thing to focus on is the specific actions that an individual can do, both to make themselves safer as a person, and also to help create a system that creates more safety and more transparency and more openness to protect us all as a structure. So, you know, something really easy, like you want a password manager; you want to make sure that each one of your passwords for all of your sites is unique and long and complicated. A lot of us at EFF use 1Password. We do not endorse any products whatsoever; I'm just telling you what we happen to use. You want to make sure that your passwords are unique and different. And you want to make sure that you're using two-factor authentication on anything that has to do with your personal information, and you're not giving your personal information to people who don't need it. Especially in the pandemic, it's really annoying for a lot of people, like legit services that I want to buy from, where they want me to give them my credit card number over the phone, and I just don't do that as a practice.
There's just a couple of things that you can do that are not that difficult. You know, if you want to start getting more into appsec, you can start looking into other things like Tor and other stuff to protect some of your browsing history. But you don't have to; start with the password manager. And then for other things, I mean going to the EFF website, signing up for the action alerts, working with the grassroots groups. Like, you definitely want to be talking to your elected representatives; technology is becoming a much, much bigger part of our global structure, or country structure, and they need to hear from their constituents. One of the things that I run into a lot on Capitol Hill is that a lot of Capitol Hill staffers don't fully understand technology in the way that y'all will. And that's okay. They understand the legislative process, but they need to hear from people who do understand the technology, and they need to understand what the limits of the technology are. So a lot of lawmakers, and a lot of people who don't know technology all that well, sort of think technology is magic. So if it's all magic to start with, why can't you sprinkle the magic dust and make it do exactly the thing that you want to do? So, you know, encryption is a great example. You can totally have end-to-end encryption where it's totally safe from all of the hackers and the bad people and whatever, but the DOJ has this secret key that only they have, that they will never, ever misuse, that they can use to go in and get the messages from the bad people. Magic super fairy dust. That sounds like a great thing in theory; it's just the math doesn't work. But if you don't know that it's based on math, if you don't understand how it actually works, then it's like, if it's all magic, why can't you have the magic do the thing that you want it to do? So, you want to make sure that your voice is being heard; decisions are made by those people who show up.
So you want to make sure that you show up: go to town hall meetings, ask questions, talk to your elected officials. A lot of stuff as well is happening at the civic level, the local civic level, city councils, school boards, all that stuff. It can be really boring, but make sure that you just show up and say, hello, this is who I am, I live in your district, and this is what I think. And that does a lot more than you think it does.
If anybody else has something you wanted to add to that.
Yeah, I'm in Michigan. During training experiences, the one thing I just tell people, especially technologists, because I feel like we fall into this category a lot when we explain things to people: there's a difference between informing people and telling people what you know. So a lot of us are very excited to talk about things we know and try to share that information. But if you're not coming down to the level where you're informing someone on what they can and can't do, what the limitations are and what tools they can use, and translating it to what their needs are and their context, then the information can often get lost and overwhelming. So I just wanted to add that piece.
Thank you both. So our next question: how do you think the relationship between masks and facial recognition will evolve?
Who wants to go? I can take that question. So I've actually been looking at masks and facial recognition. NIST, the National Institute of Standards and Technology, just published a study on masks and facial recognition. They are actually working to try to make it so that facial recognition can get past masks, working with DHS and Customs and Border Patrol. But nevertheless, it was a very interesting study, because they revealed in great detail how well algorithms were working with that. And masks surprisingly do help protect you against facial recognition, but there are a lot of different factors out there. So a couple of handy tips that came out of that research is that you want to have a mask that goes all the way up to the top of your nose, to where your eyes are; the more of the nose you cover, the more difference it makes, up to 3060 times more protective than the median algorithm for full coverage, and then also full coverage on the sides. That also helps; that's about two times better than the round masks, the sort of typical N95 construction dust mask style. And then black was better and protected against facial recognition; black led to a lot of no-face results, where it wasn't able to detect a face in the first place to measure against or to compare. However, this is seen by the government as a problem: that masks are making facial recognition more difficult. Facial recognition is something that they really wanted to do; DHS's last report came out last year that they were doing something on the order of 45 million face scans each year. They are frustrated that masks are getting in the way, and so the next NIST study is going to be looking at new mask-enabled algorithms that are going to try to be able to identify people despite wearing masks.
So I'm very curious to see how that will go, and whether the lessons we can draw, that wearing masks will protect you from existing facial recognition algorithms, will also continue to protect you otherwise. And the other interesting aspect of the research was talking about, you know, various things that would increase the error rate. But it was increasing the error rate in the no-match direction, which, if you're trying to protect your privacy, is the direction you want, and was not increasing the error rate very significantly in the false-match direction, which is to say giving a false answer, saying that you are somebody else. Which is good, because one of the dangerous things that happens with facial recognition is it recognizes you with somebody else's picture, and all of a sudden they think that you've done the crime and, you know, you get caught up in some things. We've had people who have been arrested because their face matched somebody else's photo, and they arrested them. And of course, unfortunately, a lot of these algorithms show racial bias, where they are less effective, with more of these false matches for minority communities, and this has a terrible effect on civil liberties, where we have a false accusation based on a flaw in an algorithm. The other thing is, you know, the science of this: they're going to try to make it so the algorithms can figure out who you are even despite having a mask on. But there's also the politics, which is trying to get it so that there are laws, really effective so far at the local level, that are prohibiting police use of facial recognition. And I think, actually, Rory, since that's been with the EFA groups, you want to say a few things on that.
Yeah, the local EFA groups, it's really been great with recent success in Boston, and it looks like in Portland. So yeah, it's part of the About Face campaign. If you go to eff.org/aboutface there's a lot of materials there, sample language you can use to advocate for these face recognition efforts locally, and yeah, meeting up with local EFA groups to work on that.
All right, super. So talking about facial recognition, our next question is focused on New York. What do you think of the LinkNYC kiosks all around NYC that have three cameras in each of them?
I'll speak on LinkNYC and then I'll pass it to Rory to add to that. So what I think about them is that the initial rollout was inherently flawed in a lot of ways. LinkNYC was an effort that allegedly was bringing Wi-Fi to the general public in New York City, and, as someone from there who lived there for quite some time, it was very troubling to see the rollout have such... so there was no real secure way of handling the Wi-Fi, and there's a discussion around VPNs and such, but the cameras in particular were worrying, particularly because of the relationship with NYPD and the way they could use that footage and that data, since it's a public service that is handled by the city in partnership with Google, so there's a corporate surveillance aspect to that. So those are my initial worries and concerns, especially since they rolled it out in five boroughs, I believe; I'm not sure it's in Staten Island. I don't really include them half the time, but they're a borough, right?
I've seen a massive rollout of these kiosks everywhere, and you see them now by, like, train stations. So I think the footage and the extra surveillance is usually around train and transit centers in particular, and seeing people walk in certain patterns from day to day, so you can link a lot of data in there, right? So that's my initial thought on those, and now I'll pass it to Rory.
Yeah, definitely. I also recently lived in New York, and LinkNYC definitely felt like a Trojan horse of sorts, of "we're providing community Wi-Fi and modernizing the city," and then there's all these questions of surveillance and privacy violations. I want to really plug and defer to Rethink LinkNYC, another EFA member, who are calling for a few demands: that LinkNYC halt the construction, remove surveillance cameras and Bluetooth beacons, answer public questions, because there's just a lot of unknowns about how these kiosks are working, provide genuine community-wide Wi-Fi and kind of make good on that initial promise, and institute some sort of oversight to make sure that the network's not being abused. So definitely check out Rethink LinkNYC for more in-depth policy on that.
Okay, thank you. So changing from one coast to another but staying on the streets, we have a great questioner who is learning, during the course of protesting in Seattle, about the way that activists are doing their research on cops via PACER. What is the state of liberating PACER? How much progress have we made?
Yeah, I can speak to that. So PACER, for those who might not know, is this government-run system, a document retention system, that collects all the papers that are filed in federal courts. This is what lawyers and judges use to look through the dockets of federal cases and see what's been filed, and the general public also. All of these materials are publicly available, right? There's a First Amendment right to access documents that are publicly filed in courts. But because they're collected online in this database, the problem is that this database is paywalled. Just so you know, even if you could physically walk up to a courthouse and ask to inspect documents, which of course right now you probably can't, and in general maybe you can't because there are these courthouses all over the country, your option is to find them online, and then you're going to be charged for them, and the charges are often pretty exorbitant and add up quite quickly. So this is a huge problem, because it limits public access to these public documents. But the good news is that there is a great project that is set up to address this. It's called RECAP, which is PACER backwards. It is an online archive, and there's a Chrome extension, I believe, and I think there's a Firefox one, and the way that it works is that you can download this extension, and then when you go to PACER to see a document and pay a fee for it, it will automatically upload a copy of that document to the RECAP archive, where it will be available for free to anybody on RECAP. So if you just download RECAP, you can go to their archive, find it online and see what's available online. It's not everything, but a lot of documents saved in PACER are available there, and I would really recommend, first of all,
look for documents there before going to PACER, and then if you do go to PACER, please download this extension, because it is of benefit to everyone and a huge boon to public transparency in the courts. Super, so we can
A shout-out from you guys to DEF CON 201 earlier. They said thank you very much for that. Inside Pocket sent in this question: What is your opinion about President Annoyed Orange wanting to ban TikTok? We at DEF CON 201 feel that while TikTok is a nightmare, and we have a TikTok to inform people on TikTok about its issues, it seems obvious that TikTok is being banned not because of privacy invasion but that the privacy invasion is for China and not for the US. #DeleteFacebook
All right, yeah, I can take that question. I've been looking a bit at the TikTok situation, and as a starting point, President Trump, well, this is a technique he often uses, which is to say something, "I will ban TikTok," without explaining what that means, what law might be invoked to do this, what authority he has, and what exactly does that mean? So we have seen, for example, from the US actions against Huawei, that when they said they were taking action against Huawei, what it meant was saying that no federal funds would be spent to buy their routers; they were not going to be using them in various government entities. And that's something that could be a ban that our government could easily do: it could say that no federal employees' government phones shall have TikTok, though, you know, I don't know if that really would make a big difference to TikTok's usage or make them care. You could also say no federal funds being spent on TikTok, which I guess could affect some advertising; the federal government would no longer advertise on TikTok. But there'd be, like, a real ban, like a ban saying, you know, one form a ban might take is: no one can use TikTok in the US, US citizens. Here's why that doesn't work: there's no authority that gives the president the power to do so. If he nevertheless asserts that power, it raises serious constitutional issues. There are First Amendment issues that are raised when a medium of expression is being cut off by the government, so all the people who are using TikTok for their expressive activities, most of which have nothing to do with national security, and that's the whole point, the good reason for the ban is protecting national security, and if you're a teenager making a cool dance video,
this may not implicate national security even if the Chinese know about that. I can also say that you can simultaneously think that TikTok has bad security, bad privacy practices,
and the government shouldn't have the power to ban it.
Now sometimes people try to conflate those two things, but if the President did have the power to, by fiat, say "I hereby ban this app," they could do it with Signal, they could do it with a host of encrypted messaging apps that people rely upon in order to have secure communication. We can't do that. There are other things that a ban may mean. I suspect the thing that is actually happening now is this: an entity called the Committee on Foreign Investment in the United States looks at acquisitions of US companies for national security implications. ByteDance, the Chinese parent of TikTok, purchased Musical.ly and merged it to create the TikTok you know and love today, or hate, for that matter. And they can say you need to unwind that investment. That might be something that could happen. That is not exactly a ban. But the weird thing that happened was yesterday, after things came out indicating perhaps they were going to be asked to divest, ByteDance was going to be asked to divest TikTok, which probably just Musical.ly was an aspect of TikTok, the President doubled down by saying, "No, no, I'm banning it." And this was in response to reports that Microsoft was interested in purchasing TikTok, and yet again it's like he's saying something, but it really should be on the government, an obligation of the government, to explain what authority you have to do that, what constitutional authority or statutory authority. That doesn't happen; he just says things. So we'll see if an idle comment made to reporters on Air Force One ends up having meaning. But if it's attempted to be one of these broad bans, it would have severe cost.
Absolutely. Next question is: have you thought about organizing a federal citizens' grand jury as described by Justice Scalia?
Let me answer that one. No.
A citizen grand jury is a performative thing that some people have done. People have done this to indict Mueller, as I recall, like what he was doing with the investigation of Trump. They've used it about 9/11. It's a method of activism, of, you know, saying it's a citizen grand jury and saying you think these people should be indicted. It doesn't actually do anything. For anyone who is going to be prosecuted, they need to in fact be indicted in the ordinary course. A few things: that's not really our style of legal work. One is that we are not prosecutors, right? We are the defense side. We are the defenders of the Internet, and we're trying to protect people. So we're not really going to get into the prosecuting end of things. And the second is that, you know, we would rather work through the legal system, file lawsuits in the courts, try and create precedents, at least for our legal work, and then we have other things where we do activism.
So next up, CFAA. Can you discuss what you would consider to be the likely best case and worst case outcomes that might stem from the CFAA decision, as well as the aspects which you think the court will be considering most critical in making the decision?
So the Van Buren case is actually fairly narrow in the specific issue that it's presenting to the Supreme Court, and it might be helpful to just describe the actual facts of the case briefly. So what the case is about is a police officer in Georgia who had access to a law enforcement database as a normal part of his job and abused that access by using the database to look up a woman who a friend of his, you know, told him about. It turns out the friend was an FBI informant. So the federal appeals court whose jurisdiction covers Georgia said that even though the cop was allowed to access that database for his job,
he violated the CFAA because he accessed the database for an improper purpose, right?
Okay, thank you, Naomi. So the next question: a lot of us phreaks are doing party lines and VoIP calls and discussing appsec against lawless evil acts. When it comes to call recording, if one caller is in a one-party consent state like Philadelphia, but I assume it's Pennsylvania, and another is in a two-party state like New York, which law applies?
I can speak to this also.
You know, like every question posed to a lawyer, the answer is "it depends," and it's a little complicated, and the law is actually going to vary on that question from jurisdiction to jurisdiction. So as a general matter, I would say that the best thing to do is comply with the most privacy-protective law. The Reporters Committee for Freedom of the Press issues a guide called "Can We Tape?" That's a 50-state guide that actually does state-by-state details, so it can be a helpful resource if you want to look it up and figure out exactly what the rules are in your specific jurisdiction.
And under that, the "Can We Tape?" guide also has a section which discusses some of the issues in more detail about interstate phone calls. But, you know, it also includes the advice to use the more restrictive one, the more private one.
So the next question is on HIPAA. Any thoughts on HIPAA and privacy in our new paradigm of online medical care? I feel this is the question, or it's increasingly problematic, especially for those that have no alternative for their medical care.
So I can only speak to that a little bit. So HIPAA is a great law because it is a good example of what a federal privacy standard can look like when it's a floor and not a ceiling. So one of the cool things, coming from a consumer data privacy standpoint, which is entirely different than medical privacy, is the federal government has set a floor. There are certain things that are so sensitive and that are so unique to an individual that there has to be all kinds of explicit permission from the individual for that type of information to be shared beyond the initial point of contact. When you go to your doctor and they do a special scan of your insides, they are only allowed to share that information with very specific people for a very specific purpose, and each state actually has different ways that either HIPAA has been interpreted or done protections on top of the federal standard.
And it's a great, complex thing. It's an incredibly complicated piece of legislation. There's another person at EFF who spends quite a lot of time looking at the intersection of HIPAA and some of the other data privacy proposals we have been working on, and all I know about it is because we've been in the same meetings with him, and it's a really, really complicated set. HIPAA is not completely ironclad. It's not like only you and your doctor get to see it; it's like you and your doctor and your insurance company can get to see it, but they can't advertise based on the information that is collected in the course of legitimate proceedings. There are a lot of protections that are built into HIPAA, which is why you can't just text your doctor; you have to go into a portal that is secure so you get encrypted messaging, or you can't just email them, you have to go into a special website that's extra layers of encryption. So there's a lot of hurdles that you have to jump through, and that's all because of HIPAA. That's trying to keep you and your information private. So it's an ongoing landscape. I'm sorry I don't have more on that; it's an incredibly complicated landscape and I don't want to go out beyond my skis.
All right, thanks.
So we messed up. We have a short question here about how to engage. So what is the best way to engage with elected officials who fall far from us on the political spectrum?
I can take that. So yeah, that's definitely a question I hear a lot, since I'm working with organizers in all different parts of the country, all sorts of ends of the political spectrum. But luckily for us, the EFF mission and the EFA principles are extremely popular, and there are ways to address issues in a different way that'll often be more appealing to folks. People think about these issues in terms of narratives that they hear. So something like face recognition might, for this audience, be very clearly privacy-invasive and limit our autonomy. Some folks see that as helping the police, that it's a good thing because it helps them catch criminals. So I think working on reframing that and saying, you know, we would say that's not the case, but it's also definitely a case of big invasive government getting involved in your life and altering your personal life. So, kind of engaging on the individual level, you can definitely reframe the discussion in a way that hits on, again, these values that are ultimately very popular. And in terms of elected officials, the nice thing about organizing is if you can't change their mind, you can work against them and block their efforts and maybe get someone else elected. So yeah, definitely encourage organizing, building that support across the political spectrum on the ground, and then the elected officials hopefully you can press into doing the right thing.
Yeah, so I mean, as the resident lobbyist, I lobby everybody on the political spectrum. You know, in the House of Representatives there are 435 votes, and if you're going to win on a particular legislative measure you need a majority. In the Senate there are 100 votes. There are, you know, especially in our issues, there's an area where libertarians and civil liberties advocates, there is a Venn diagram of those people where they really come together, and somebody was mentioning in the chat, and this is totally correct: focus on the thing you agree on. So there are definitely members... I am not a single-issue voter, for as much as I work at EFF. There are a lot of other things that I care about in the world. So I care about your position on this, and this is my day job, so I'm going to only talk to you about the things that are in EFF's portfolio and in the areas that I want you to focus on right now. So if we're talking about, like, FISA, Patriot Act stuff, there's a lot of stuff that was coming up earlier this year. It has to do with what program are we going to reauthorize, allow the government to say the intelligence community can secretly listen to our messages. There's a lot of distress around that particular process. And some of the lawmakers that I have worked with who agree with the EFF position that we need to do a lot of reform, I don't agree with them on little to anything else, and some of the things that I overhear when I'm sitting in their front office areas, I'm waiting to meet with the staff to talk about the Patriot Act, so I can learn more... Mmm, I don't want to hear that, I don't want to have anything to do with that, because this is what we're focusing on. They're on the committee that is going to vote on this legislation; if they're going to support our position, if they're going to support the legislation, that's what I'm here to talk about right now.
I can talk about all of the other stuff later in my personal capacity, but right now this is what we're focusing on because it's important. So you sort of pick the things that you want to pick on and then just drill down on that.
So let's focus on maybe another legislative question. In a sentence, the questioner is asking, do you think there are any legitimate government uses for this technology? They're talking about facial recognition and biometrics, but I think the question then goes on to: is the only path forward a full ban of facial recognition?
That's a really great question. So we are currently advocating at the federal level, we are advocating for a full ban, full moratorium, on facial recognition right now, because the short answer to the rest of your question is "it depends," but what we know right now is there are so many abuses and potential abuses for the way this technology is being used now that we need to put a full moratorium, a full ban, on it right now, immediately, so that we can figure out if there actually are any circumstances where it would be appropriate, what are the correct safeguards, transparency requirements and oversight capabilities that need to be put in place later. But you can't do that while the technology is still on the street and still being used all over the place, and people are worrying about which face mask to cover your nose all the way to the top so that you don't, you know, get tripped up on the thing. It's important to put a ban on it now, because that also supports a lot of the great work that the EFA groups have been doing in state and local government. San Francisco's got a ban on government use of facial recognition; there are other cities that do too. We really want to make sure that we're supporting those local options, and we think the best way to do that right now is a ban on facial recognition. There's actually a bill in Congress right now, both on the House side and the Senate side, from Senators Merkley and Markey and Representatives Jayapal and Pressley on the House side, that would put this type of ban in place. We have an action alert on the EFF website if you want to contact your local representatives to tell them to support this legislation. That is a ban right now, and again, this is a facial recognition ban, a ban of facial recognition, something we've been advocating for for a very long time. And once a lot of the protests started and people started realizing exactly what law enforcement can do
with this type of power if it's not really curtailed or looked at critically, we started getting a lot of phone calls back from legislators who'd really like to see this legislation move forward. So anything that y'all can do to contact your local elected officials would be great.
Super, and of course we support EFF at HOPE, so just another plug for the donations to EFF as part of HOPE and making sure we hit our goals. I also just want to mention that we still have the Q&A chat open in Matrix. Please post your questions there, and this panel will be continuing for the rest of the hour, up to 1:50 Eastern, so please do throw them into the Matrix chat there for the panel. The next question we have: are there any plans for the EFF to set up a presence on the fediverse?
So I'm not aware of any plans to do that. The fediverse is a bit interesting because it offers a variety of federated, a number of different networks, and so that may be the end of it. You know, we have a number of online presences. It requires some resources to maintain additional ones, so we don't, like, jump into the next latest thing. Sometimes we put a bunch of effort into something and then it became less widely used, so we're a bit cautious on, you know, what we want to put that kind of effort into. But in some cases we maintain a presence and it seems to be worthwhile. So I'm not aware of any plans to jump into the fediverse, but it's something that we may consider. Okay, Rory, you're on the activism team. Are you aware of anything on this?
Not at the moment.
I think it's a cool idea. But yeah, I think, like Kurt said, we have to be strategic about how we use our resources, both in terms of hardware and in terms of hours. Our wonderful tech ops team has been working around the clock with us all working from home. So yeah, I think it would be cool, but no current plans.
Yeah, but it is very good, because it tries to solve, the fediverse tries to solve a little bit of that by having a number of different protocols federated into one place, but we haven't gotten there yet.
Okay, thank you, Kurt and Rory. So I think the next one is also asking a little bit about how you're working and what you're interested in doing in a different way. Has EFF thought at all about forming any state EFFs to focus on state legislation?
So, going back through the mists of time, you know, we're now on the 30th anniversary of EFF, and in the first decade, in the 90s, EFF did have a chapter model. There were a couple of state chapters; there also were some international chapters, and that turned out to be... We abandoned that model, though those who had been chapters at the time were allowed to continue; we didn't want to cut them off, and there were a few that survive to this day: Electronic Frontiers Georgia and Electronic Frontiers Austin in the United States, Electronic Frontiers Finland, they have the EU, and I don't think we've done much recently, but Electronic Frontiers Italy has done some things, and then relatively recently... So here's the thing, just talking about the state legislation, and we're getting to add a little bit to it. But the EFA, so Electronic Frontiers Austin and Electronic Frontiers Georgia are part of our Electronic Frontier Alliance, and we have worked with them on state legislation issues. There was one with Electronic Frontiers Georgia where they were really useful and a powerful voice for advocating against some bad security legislation being proposed in Georgia. And it made a big difference that it wasn't some, you know, San Franciscans coming to tell Georgians what to do; it was people who lived in Georgia, who were, like, CS people from Georgia Tech who were in the community there, going to their representatives and talking about it. And both those chapters have had a strong presence at big conferences in their own areas. So EF Austin with the SXSW conference, we've done some joint things with them. And EF Georgia with the Dragon Con conference, they run the Electronic Frontiers track, where we get to speak and talk a lot about EFF issues. So it's great working with these organizations. But our model for doing that today is the Electronic Frontier Alliance. Rory, do you want to add anything?
Yeah, just want to urge you to be the EFF you want to see in the world. If you're interested in starting an EFF chapter, there's no reason you can't start an organization and join the EFA to work on state-level issues. And as Kurt mentioned, we'll be happy to help you every step of the way.
Okay. This one, I'm assuming, is a follow-up to the prior one on phone calls and one-party state, two-party state. Does a normal phone call have more legal protections against wiretapping?
Normal versus a... Yeah.
I'm wondering about that. I don't know how you interpret that. I interpret that as maybe versus the party line, versus the voice over IP. But if it's not meaningful, we can skip that one.
Well, I'll say a few things about that one. Not sure what normal means. It could be a plain old telephone system call; I guess you might call that a normal one. And there was some difference for a while under CALEA, the Communications Assistance for Law Enforcement Act, where internet was treated differently. They changed the regulation a little bit, significantly I should say, to add voice over IP. For a long time CALEA was hands-off the internet completely; it brought voice over IP under CALEA,
other forms of communication, so when... but separate from that, right, other internet communications might be separate from that. What that means is whether or not the provider has various obligations to assist law enforcement is sort of the question. So maybe it's treated differently in that way. But if you extend up to, like, the Electronic Communications Privacy Act, it covers all sorts of communications. The Wiretap Act is designed about, you know, communications that go over a wire. So it would cover, whether it's a normal phone call or any abnormal phone call, it would have all the same protective armor. And then you go finally up to things like, you know, your constitutional rights, and those are not about a technology. And so that's a little bit more color on that. Yeah, actually,
we did just try and clarify what the question meant. There was some confusion there, but it's about mental health, was the question, I think, originally. So it was really versus a call discussing mental health issues. But if you want to add anything to that in that context.
I mean, all communications deserve to have protections and privacy; medical ones, I think a lot of people can see where that's all due. And then the question is whether it's related to HIPAA. What I was talking about was protections vis-à-vis government, law enforcement, listening in to your conversations, and HIPAA is not about protecting you from one. So.
Okay, so the next question we have is actually a follow-up on the facial recognition conversation. We've been talking about the government uses, but should we also work to ban facial recognition technology in private spaces, like corporate-managed environments?
Yeah, so that one's a lot trickier. Um, so it's easier to focus at the federal level because we have a lovely thing called the Fourth Amendment, and that is a great backstop to all of the things that we're trying to do to protect biometric information, and your faceprint is a pretty out-there, easy-to-understand version of that. Once you start getting into the corporates, the relationship between employers and employees, that is an entirely different landscape of workers' rights and the contracts between the employer and the employee. And there are a lot of things about various requirements that are concerning. And again, it really sort of depends on the specifics of the individual information. There's a lot of people that are working on workers' rights specifically related to privacy and security and biometric safety, and I'm not fully versed in all of that, but I know that it's very, very different. There could be other legitimate uses that they're using it for, where it's not connected to the internet, it's not part of a database. The way your phone, if you've got an iPhone, the way your phone recognizes you through your face or your fingerprint is technically facial recognition, but it's not set up in such a way that it's ever going to be used or accessed by anybody at Apple, anybody. It's not in iCloud, it can never be stolen. There's a lot of different ways that that can work. So there are ways where it would probably be okay, and there's ways where it's deeply, deeply concerning. So it really depends on the specifics of what you're talking about.
Alright, super. Next question is also coming back to the medical side of things and HIPAA a little bit. Why was there such a focus on protecting medical information very early on, but in every other aspect of life, our life was fair game for surveillance? Yeah, I
can talk briefly about this, and then maybe turn it over to my colleagues. But the first thing that I would say is that one of the biggest hurdles that we always face in getting people to care about privacy and surveillance is in getting people to think that it impacts them, right? And there is a narrative that some people have that, you know, they have nothing to hide, and so why not have mass surveillance to improve safety, right? And obviously, obvious to us, the idea that anyone has nothing to hide is just not true. So a lot of our advocacy and our litigation strategy around surveillance is working to reframe this for people, right? So reframing it so people aren't thinking whether they have a criminal enterprise to hide, but do people value their own privacy? Right? Do people have things that they don't want to broadcast to every member of their family or their community or workplace? And one of the examples that always has a really big impact on people is medical privacy. And so this is an example that we always bring up in litigation. We always talk about how, just to give an example, if you have location surveillance, automated license plate readers that track your car, for example, then okay, maybe people think, "I don't care if people know I'm going in my car." But when you point out that that means that your car is being tracked to the oncologist, right? Or to the Planned Parenthood, or the AA meetings, or whatever it is, whatever medical appointments you might have, people do care about that. And so I think this is just an area where people inherently really value their own privacy.
And to add to that, normally in my security trainings what I try to tell people is: okay, you have nothing to hide, but what do you have to lose? So those are the things I usually discuss with people. The exercise that I always start with at these workshops is normally: so if you lost your phone right now, what would happen? What do the logistics look like behind retaining your accounts? What will happen if you didn't have a PIN code on your phone and someone could just unlock it? What happens? And when people look at it: are you comfortable with that? Do you feel okay about the state of your affairs personally if you just lost your phone, let's say you did it on a bus or on BART or a train or anything of that nature? What will happen? And walking people through the exercise, you can kind of see the freakout that happens, like, "Man, if I lost my phone right now, that'd be very devastating to my day, my week, possibly." So that is what I usually go for when people are going the route of "I don't have anything to hide."
I would add one other thing to that, which is just kind of a weird fact out there about your privacy. Many people think, what is the most protected information about you? And it turns out the answer to that is what videos you watch. So the Video Privacy Protection Act is the strongest privacy protection that the federal government has. The interest in what videos you've been watching came from court confirmation hearings, where they were looking at confirming Judge Bork, and some enterprising reporters found the video rental records. And by that conversation, they were not actually particularly shocking video rental records, but then Congress simultaneously realized that what they had rented at the video store could be found out, and very quickly enacted an extremely strong privacy protection for what videos you watch. And it talks about videotapes, but it defines it in such a way that it is still a relevant statute for online. So there it is: even more than your medical privacy, even more than your financial privacy, your Social Security number, it's what videos you watch that Congress has protected the most. Yeah, I mean,
the thing with medical privacy is, it's very easy for people that are not in this community to understand why it's important to have medical privacy. You know, Congress passed, and George W. Bush signed into law, the genetic records Privacy Act, because that was when gene sequencing first became a thing in the early 2000s. And if you got tested and you found that you had the BRCA gene, the breast cancer gene, Congress really wanted to make sure that you couldn't be discriminated against, either in hiring or for insurance prices or all sorts of other stuff. And so it was really, really easy for people to understand the connection between this personal private thing and also other potential negative consequences of that. So again, in our world, like, we understand what all of the privacy means, and it's sort of second nature, so at EFF when the whole Cambridge Analytica scandal broke, we were all a little confused, because we knew that this kind of thing had been a problem for a while, like, we understand why this is an issue. But all of a sudden, there's this special secret sauce that everything happened at, you know, the same time, and the rest of the world understood exactly the type of information that all of these data brokers have about all of us, and what that means for us and what they can do with that information. And it became terrifying to a lot of people who've never thought about that before. So, what, did you know that I like to read those? Oh, you know, I like this type of burrito, and that means I'm more likely to vote for this type of political candidate, so you're going to advertise and send me this type. Like, that's terrifying. And that's when we started talking about a bunch of consumer data privacy laws in the United States, which is great.
We're still kind of a long way from getting a solid piece of legislation to protect regular data the way that we protect medical data, but we're in a good place in the conversation, and we're continuing with that. So, you know, keep up the good work, folks. All right.

So the next question we have is: as a society, we put a lot of trust into the idea that the staff at the private companies holding our data are not abusing their access. For example, we trust that Gmail does not read emails to competitively outbid competitors when hiring candidates. This trust is sometimes attacked, as we saw in the recent Twitter hack that made us see what insiders have with internal tools. What legal safeguards are in place, and are there efforts to strengthen these legal safeguards? My short question for you.

Well, let me rephrase. It's a very important point to say, like, the insider threat, and this was very strongly illustrated by the recent Twitter hack where they got onto the account management tool. But we've also seen, you know, years before, there have been other instances in which the means of attack to get onto a system was either an issue with the insider going rogue, or an insider innocently being compromised, but with someone escalating to the insider's privileges and being able to do things. And it absolutely makes sense for companies who have this kind of position to look at things, to have all sorts of protections against that kind of internal access. So they may need that access, but it maybe makes sense to have a tiered approach for certain things, where people have to approve the access. Like in Twitter's case, if someone is going to change the email address of a blue check account with a million followers, maybe multiple people need to sign off that that is a real request, those kinds of things. But for the most part, as far as legal protections that are involved in this, it has a lot to do with fair trade practices, which is to say, if they have made promises to you about security and didn't live up to them, then they can be held accountable for making the false promises. However, if you ran a website and said, you know, it's the YOLO site and we have no security whatsoever, then you wouldn't have to worry about the false promises issue, so you'd have a really terribly insecure site. And actually, Twitter is under a consent decree with the FTC about their security practices from something that happened many years ago. One aspect of it was that there was like a sudo password, and I believe "Chuck Norris" was the password for sudo. I thought that was funny. But it turned out that that ended up being a big problem for them and led to a 20 year consent decree with the FTC.
I don't have anything else to add on that one.
Duck Duck, I'm not very good. I don't know if anybody else is. Oh, my apologies.
Everyone is trying to keep background noise down. So what is EFF's position on electronic voting, where actually seeing your vote counted is impossible?
Yeah, EFF absolutely opposes electronic voting where that's happening without a paper record. And it's such a good question, because this is such an important thing for everybody to be talking about and thinking about right now. You know, look, I don't think it'll surprise anyone in this audience today that electronic machines are subject to breaches and malfunction. And that's not just a hypothetical, right? This happens all the time. We see independent researchers who do pen testing into electronic voting systems are able to breach those systems, to do it extremely quickly, to delete people's votes or change people's votes. And these breaches are not even always detectable, right? You don't even know when they're happening, which makes it so important to have paper records, so that you can detect these kinds of breaches and correct for them, and not only protect the integrity of people's votes and the election results, but also protect the appearance of integrity in the election. Right, because almost of equal importance is for people to believe that the results are reliable. And so having paper records is just absolutely critical for that. We want paper records and we want regular risk-limiting audits to go through and make sure that everything is showing up appropriately. And of course, these are really important things right now. Everybody should be registered to vote, everybody go vote. This is incredibly important, now and always, but start now.
Right on. Next question is, I think, about continuity of government, and particular criteria in our US federal system. I'm just going to read it out as it's written here. Are there different majority definitions for the House of Representatives and the Senate, such as if the Senate has 100 seats and 10 senators have died of COVID? Are 51 votes still required? 51 out of 90 could be more difficult than getting 51 out of 100. If terrorists attack Congress, like in Designated Survivor, and less than 30 senators survive, a majority would not be possible. Does anyone want to comment on that?

So that is a great, if slightly terrifying, procedure question. Um, so the way the rules are written is it is a majority, and so you look at, so there's a process after the election where the members get seated. So, you know, after the state and a lot of election infrastructure, they get sent to Congress. And then Congress seats them. There's a process on January the third, usually, depending, unless it's a Sunday, where they all get sworn in, and then they're officially seated in Congress. So that's what takes the total number of Congress on that day. So at the beginning of this Congress, for example, there was an election dispute in North Carolina, I think it was North Carolina, that took a couple of weeks to resolve. So that district wasn't seated for a couple of months. So there weren't 435 members of Congress, there were 400 members of Congress, and so the majority is based on the number of members who are seated. So there are also times if members die, there's a process to remove them; they're no longer seated because they're dead. Also, members can take official leaves of absence. There have been times when members have taken maternity leave, since you can't, you can't vote in Washington if you're actively having a baby. They've taken official medical leave for cancer diagnosis and treatment, things like that. So there is a difference between just missing votes and not being around, because then you still have to get 51 votes, like when John McCain was nearing the end of his life, he was still an official seated member of the Senate. And so he still counted towards the overall total. So he could come in, famously, and, you know, thumbs down the votes, which protected the Affordable Care Act as it currently stood, while undergoing cancer treatment, because he was still a seated member of the Senate. Had he taken official leave from the Senate, then the total number of seated senators would be slightly less. So in the event of a Designated Survivor situation where you only have 30 members of Congress, it's defined as majority and two-thirds, not a static number. So we tend to conflate those two things a lot, but they're not the same. And the rules are written very clearly to be majority and two-thirds, depending on what you're talking about. So it's set up to be in that particular type of situation. But there is a process that members have to go through to be seated or to temporarily not be seated, and it does change the margins. All right,
thank you for handling that, India. Our next question is a slightly shorter one. We have a question about COVID and COVID tracking: what is EFF's position on the mobile apps and the COVID tracking of these things on iOS and Android?
Well, we talked about this a bit at the very beginning of this show, but for those who have joined since then: in my introduction, I was talking about some of the work we've been doing on contact tracing apps, in particular where we're focused more on the proximity tracing. The location-based apps are too much of an infringement on personal privacy and are not necessary. We put out a series of principles that we would like to see. We want to have it be voluntary, opt-in, there should be regular security audits, you should be able to turn it off and on at your whim, and there has to be an expiration date. And you mentioned iOS and Android, so probably a reference to the Bluetooth program that has been put out by Apple and Google. That is a protocol, so the apps will be on top of that protocol. And we haven't seen one that got very widespread here in the US; there are a number of apps out there, but not one that would coalesce or give us one app to be widely used. But that probably will be the more likely one, because to use Bluetooth to determine proximity, it needs to be on in the background all the time, and you have to use this API in order to have Bluetooth in the background, so it probably tends towards those things. But to really sort of judge whether it meets the standards of security, privacy, civil liberties protections, the complete picture that is necessary is not just the protocol, which we know about, but a deeper dive on the app itself being put forth by the public health authorities.
Okay, next up, on data brokers: do any in particular stand out as a greater threat? How do we defend ourselves from data brokers?
Sure, so, data brokers. Yeah, data brokers are a way that your information will be sorted and sold to the highest bidder, and it does make it very easy for people to find out about you. Sometimes, data brokers will actually package information to sell to consumers, marketing it as, like, background checks. More often, data brokers are selling it to entities like corporations or governments. And so the, you know, the best way to protect yourself from a data broker is to not have your information go into the data broker. So, you might check out things like Privacy Badger, the extension that you can put on your browser to deal with tracking cookies. But the truth is, it's hard. It's hard to not have your information ever get into a data broker. Like, if you are perfect about this, you know, all your life, and then one day you click the wrong box, saying, "Oh, I agree," then that information is out there, and that broker sells it to another broker, to another broker. So it's very hard. You can go to a number of data broker websites and say, I'm opting out. Some make that easy, some make that difficult, some use dark patterns. It's a process you could do, but that is, you know, you are blowing against the wind. It may help, but it's not going to get you all the way there. And then another thing: legislation. So in Europe, there is the GDPR; in California, there's the CCPA. There are some statutes being contemplated or enacted that are trying to give people some of these rights to revoke their consent. And if someone revokes their consent, then something that was previously done, it has to stop doing it. So data brokers, you know, at least the least shady end of the data broker spectrum, theoretically will respect your consent. And, you know, if they're required to be under these laws, they may remove your information upon request. Again, GDPR also does that.
It protects people who are in the European Economic Area, basically Europe, but it does not protect people in the United States. Nevertheless, many people use it in the USA, because companies will say, well, it's just easier for us to avoid it. Really, I don't know that data brokers are going to be that friendly about it.
So I'd also like to add that one of the things that we are really, really strongly advocating for in any federal consumer data privacy legislation is something called a private right of action, which means that if the data broker has violated any of the statutes that get passed, any of the ways that your information is supposed to be protected, if we have a private right of action, that means you as an individual, or EFF on behalf of a class action of its members, etc., is able to sue the data broker because they have violated the law, as opposed to waiting for the Attorney General or the DOJ to build a case. There's a lot more enforcement mechanisms that are just sort of built into a private right of action system. We see this in Illinois in particular. So they have a Biometric Information Privacy Act, which we really like, that has a very robust private right of action, and there's currently a lawsuit, ACLU is one of the leads, against Facebook for violating the law. I believe EFF is one of the amici in the case. But that's the type of thing that you see with a private right of action; it's what allows individuals to step forward and say, you violated this and this is not okay, you need to stop. And that happened almost immediately. And that's a really, really great way to make sure that the law is doing what it's supposed to be doing to protect your information.
Private right of action.
So our next question is about, and I think we all understand that corporations ask for phone numbers not just so they can send you a text message but for other reasons, but the questioner is asking around the trade-off of convenience versus privacy. He agrees having 2FA is more safe than not having 2FA, but at the same time feels like it's being used to force giving up more private contact information. What thoughts do you have on those trade-offs?
I can answer that. So with two-factor authentication, or multi-factor authentication, one of the biggest problems is it hasn't been rolled out in a way that's been uniform account to account. So something like SMS has been considered the worst practice of 2FA so far, because of all the vulnerability with SMS, not just with corporations themselves using the phone number, but also the vulnerability, like Signaling System 7, which, you know, dominates the SMS infrastructure. So that's something that I genuinely don't tell people to go for at first, SMS. And then I would like more accounts out there and more services, for 2FA, to have multiple ways of being able to recover your account, because it sort of addresses the whole single point of failure aspect, where if something happens to your phone and all your 2FA tokens are on your phone, then you're kind of, you know, left out in the wind, and in this instance it's very difficult to retain your accounts unless you set up some sort of other way, or a secondary email, to recover, right? So I'll just go ahead and say, like, I don't think this is an official EFF standpoint, but this is how I approach 2FA normally, and that multi-factor. If an account offers different ways of actually being able to factor things in, I usually use things like YubiKeys that are on my person. Yes, you can lose these too, like, that's the trade-off, like I could possibly lose a YubiKey. My toddler can go run off and hide it, like she did a couple weeks ago, and I had to search for it. And a way of storing your recovery codes in another place, possibly on your desktop somewhere, and then have them encrypted there. Also being able to use different tokens, like one-time tokens where you can have that on your phone, where if you do lose your phone, you can at least have your YubiKey, or I can at least have my recovery codes that are stored somewhere else. Does that expand the breadth of attack, where you have multiple things in multiple places? Yes, but you store it in a way that makes sense for you and your model. I usually enforce that and suggest that. So 2FA has been an issue because a lot of my friends outside my network are really annoyed by it, especially my academic friends. They really hate that the universities, they, like, do well and enforce people to use 2FA just to access their email, etc. So it's not something that feels convenient at the moment, because there hasn't been a rollout that's been uniform account to account, and it hasn't been discussed, and it hasn't been informing users on why this is good or bad. Right now I'm seeing something called credential stuffing, which some of you may have already heard of, where credential stuffing has been one of the most useful ways of accessing other accounts and escalating your privileges with other people's accounts. If you simply have the, you know, the plaintext password access from some database somewhere that got leaked from, you know, somewhere, and you have their email, you can try it against other accounts, and 2FA helps against credential stuffing in that way. And so that's why I'm really, really behind 2FA in that way. I understand it can feel inconvenient. And if you don't store it in a way that makes sense for you, especially, and you just do SMS or, you know, one-time tokens on your phone and you lose your phone, then it can be a huge amount of hassle to get back your account. But that's the way I usually teach 2FA and MFA, and how to, like, parse that out in a way that makes sense for you. Maybe not do it for all of your accounts, maybe your most important accounts that you feel. So maybe not everything at once. So I try to roll out for somebody where they feel like, you know, it's just being enforced on them, and they're not able to access anything because they lost their phone, and they're scared about those two-factor tokens. That wasn't the general position behind 2FA, but that's where it's kind of led us to, so we have to reckon with that as a security community.
Okay, thank you, Alexis. So our next question: the Internet Archive is being sued by book publishers. Does the EFF have a position on that case? Will you be helping them at all?

Absolutely. We are helping them. We are representing them along with our good friends at a law firm called Durie Tangri. And just as background here, what's happening in this case is that the Internet Archive is a nonprofit organization that functions as a digital library, right? So it provides electronic access to all kinds of information that they have. And they have a program, just like almost all libraries right now, that allows people to check out digital copies of books, right? And their program, just like almost all libraries, lets people check out books for two weeks or less. It only lets readers check out as many copies of the book as the Internet Archive actually owns, or its partner libraries own. And so, you know, if the Archive and its partner libraries only have three copies of a book physically, then only three patrons can read that book in that format at a time. So this is how all libraries pretty much are dealing with ebooks right now. And we are very proud to be working with Durie Tangri to defend them from the publishers' copyright lawsuit, and really all librarians.

All right, we're coming closer to the end, so I'm going to ask you to keep the remaining responses brief. I think we can probably fit two questions in. The next question: What global alliances or privacy organizations do you work with? What is the biggest global privacy issue? Can GDPR be created and work in the US, and government and corporate oversight by customers?
So we work with a lot of organizations around the world. We are members of EDRi, for example; EDRi is European Digital Rights, which is an umbrella group of lots of organizations in the European Union, as well as Privacy International in the UK. We have also a network of organizations throughout the rest of the world. I've done a lot of work in Latin America with local NGOs who are doing what we call a Who Has Your Back project, which goes back to something EFF does, where we examine the practices of various online service providers on how well they protect your data against government intrusions or government requests. The local NGOs we work with customize that for their particular legal and political situation and report about things in their country. So we're absolutely working with lots of global organizations. So we are running out of time, so we'll keep this kind of short. Just one other thing on the GDPR: just taking the GDPR itself and bringing it into the United States, not a good idea. There are things about the GDPR that perhaps we've learned some lessons of how it was implemented that could be improved. There are things which are specific to a European experience. Also worldwide, for a lot of countries out there, there's other data protection laws that those countries have, and not everybody is keen on having Europe be the decider of what your best data protection policies are. So it's an important thing, but I wouldn't say just take the GDPR.

Super. Well, thank you very much, and thank you to all of our panelists from the EFF today. We did have one other question we were going to get to, which frankly, I think the answer to is a lot of what you've heard already: go look at the EFF website to stay up to date with news, to stay up to date with case law updates, and by all means today please look at the hope.net website for our goals during this conference; we want to make sure we're keeping up with our expectations on the donations there. So again, thank you to the whole panel. We are going to be having a short break with our info-beamer with our bumps, hope.net/bumps.htm, before we start the next conversation at the top of the hour. Thank you very much. Thanks, everybody. Yeah.