Texas LinuxFest 2014: Protecting Digital Privacy in the NSA Era
“Online Privacy” and “Internet Freedom” are at the top-of-mind for many because of the constant new revelations about government surveillance, and massive data collection by corporations. Golden Frog is pleased to welcome a very distinguished panel that will examine the current state of online privacy, what simple steps citizens can take to protect themselves and where government legislation is heading in the “NSA era.”
Ron Yokubaitis, Co-CEO of Golden Frog
Ron Yokubaitis is the Co-Founder and Co-CEO of tech companies: Golden Frog, Giganews, Data Foundry and Texas.net. Golden Frog was created to develop services that give people the ability to protect themselves online and access an uncensored Internet.
Scott McCollough, Principal at McCollough|Henry PC
W. Scott McCollough is an attorney whose practice focuses on telecommunications, Internet law, and economic regulation. He represents the interests of consumers, competitive communication companies, and technology application or service providers.
Scott Henson, Policy Director at Innocence Project of Texas
Scott Henson is a political consultant who has worked on Texas criminal justice policy for twenty years. He writes a widely read blog at gritsforbreakfast.org and is a co-founder of the Texas Electronic Privacy Coalition.
Brian Hauss, Legal Fellow at ACLU
Brian Hauss is a legal fellow with the ACLU’s Speech, Privacy, and Technology Project. At the ACLU, he has worked on a wide variety of free speech and privacy litigation, including challenges to the government’s use of location tracking technology, the suspicionless search of electronic devices at the international border, and the compelled disclosure of an internet service provider’s private encryption keys.
Panel Moderated by
Justin Freeman, Corporate Counsel, Rackspace
Justin Freeman is Corporate Counsel at Rackspace Hosting. With expertise in both the legal and technical areas of the rapidly expanding field of cloud computing law, Justin primarily represents Rackspace Hosting in technically complex enterprise transaction agreements (with a focus on Rackspace’s OpenStack portfolio), data privacy and compliance matters, legal review of product development efforts, and public policy matters with a focus on intellectual property, security and privacy issues.
Full Transcription
Justin Freeman: We’re going to wind our way through a couple of topics focusing on data privacy, internet security and open access on the internet. I’m going to pause naturally between some of the topics so feel free to hold your questions but ask them based on each topic throughout the presentation.
Introducing myself, I’m Justin Freeman. I’m the corporate counselor with Rackspace. I’ll be moderating today. Going down the panel here, in no particular order from my left to the end is, we start off with Mr. Scott McCollough who’s the principal of McCollough Henry PC. He’s an attorney whose practice focuses on telecommunications, internet law, economic regulation and he represents the interests of consumers, competitive communication companies, and technology application and service providers.
To his immediate left is Mr. Ron Yokubaitis, the co-CEO of Golden Frog, Giganews and Data Foundry. Ron has founded a number of tech companies including Giganews, Data Foundry, and Texas.net. Some of you probably used that for your modem access back in the day if you were up in Texas. Golden Frog was created in particular to develop services that give people the ability to protect themselves online and to access the internet in an uncensored fashion.
Directly to his left is Mr. Brian Hauss, who is a legal fellow at ACLU. Brian is a fellow with the ACLU’s Speech, Privacy, and Technology Project. He’s worked on a wide variety of free speech and privacy litigation including challenges to the government’s use of location tracking technology, the suspicionless search of electronic devices at the international border, and the compelled disclosure of an internet service provider’s private encryption keys.
And down at the far end here, we have Mr. Scott Henson who is the policy director of the Innocence Project in Texas. Scott’s a political consultant who’s worked on Texas criminal justice policy for over 20 years. He writes a widely-read blog at gritsforbreakfast.org and is co-founder of the Texas Electronic Privacy Coalition. I would like you to join me in welcoming our panelists.
Privacy’s a pretty broad area. We’re going to dice it up a little bit but just to kind of kick it off with something, put a pin on it, I’d like to just go ahead and start with you Scott. What do you see as the biggest threat on consumer privacy in the technology space and do you have any solutions you would propose to either illuminate, litigate, or alleviate that threat?
Scott McCollough: I consider that there are really three basic problems and one really important potential solution. Society is now becoming much more aware based on these Snowden revelations and other things. I don’t think that folks really understand the scope of surveillance that we have in our society today; both by governments and private interests. Nor do people really understand how the information is being captured and what it is used for after it is being captured. Many folks may believe that they have nothing to fear from a surveillance society. I think that everybody does. People close their blinds to their windows at the house for a reason. They close the bathroom door for a reason. Everybody has something to hide.
To bring it home to the electronic society, if you happen to be using a tablet or cellphone while you’re sitting on the toilet, folks may not be aware that there’s a technology that allows the webcam to be turned on and the microphone be turned on; even if perhaps the on switch is not on. They can see everything in its glorious detail. People do have something to hide; even honest, upstanding, god-fearing citizens. In fact, I would suggest that in some respects they have the most to fear from a surveillance society.
Justin Freeman: Ron, I would like to hear your thoughts.
Ron Yokubaitis: Well, I think I am here. Can you all hear me all right?
Male: Yes, perfect.
Ron Yokubaitis: I would say even non-god-fearing people have a lot to fear too. It’s everybody …. Can you still hear me? I’m just trying to unplug the device. Even like I said, non-God-fearing. This is something that we’ve … Can we get the audio down. Do we have an audio control on here? That’s better … we filed back in ‘06 about this with the FCC about the deep packet inspection by AT&T and it’s in your terms of service. So anybody with AT&T service, you gave them permission when you clicked right in considerations in filtering spam and everything to collect all your data and keep it safely [inaudible 00:05:34].
That’s the short for the legal jargon – you didn’t read and you don’t accept an Internet or Telecom board to really snap to what they are doing. You already gave it up voluntarily. It’s hit with all the Linux gurus in the room – y’all are giving up stuff right and left, the Gmail account of course. Now Google says “Ah, we have encryption to protect your privacy”, except you can’t do it; you can’t protect it from Google. Nevertheless I am just so happy that Mr. Greenwald got people’s attention because you are just crying in the wilderness and even good geeks sit here and just push, push, push back, but you are not going to be anonymous.
That is … We’ve argued against that on Usenet – you can run but you can’t hide. You can do all sorts of things but if they want you, they are going to get you and if you don’t believe me go and talk to Osama Bin Laden. Again, with Bitcoin it’s not anonymous, it’s just pseudo-anonymous, they even say so. The block chain is a sausage but still they can chase back down that chain. You just need to put your clothes on as Scott would say. It’s not so much that you’ve got something to hide, just my wife taught me long ago in every family, it’s just none of your damn business, it’s that simple. It’s none of their business. You have to private stuff and it’s yours. I think Andy Everton in Washington has got Senator Cruz to say an answer to a question … Is people’s information their own property, their private property and he said yes. Well that is what they are getting, they are stealing your private property. You wouldn’t do that. You’ve got to hold on to your wallet and keep it out of view. I would just try and activate it personally, you are going to take the blinders off. I’m sure you secure your networks and servers and everything but here you are flapping in the wind out here. It’s ongoing but we are not going to be anonymous, we’re just going to be able to let them go pick the low hanging fruit next-door. We’re just trying to not be the nail that sticks up too high.
Justin Freeman: Brian, your thoughts on the largest threats facing consumers?
Brian Hauss: My pleasure. I’m going to start off by just issuing a general disclaimer. What I say here are my own personal views and not the views of the ACLU. I think the biggest threat in the world of privacy is what I call the mosaic problem. All the time, consumers and citizens are giving up lots of bits of seemingly anonymous information; where you are, what your IP address is when you login, all kinds of … Just tiny little bits of data that you are just giving up all the time as you go about your daily life.
In addition to just location information or IP address, you also got now biometric data – fingerprints, eye scans, and face scanning technology is something that we’re seeing increasingly used. The government and large corporations like Google or Facebook or what have you, are increasingly able to collect, retain, store, and analyze this data. Then thanks to the use and development of big data algorithms, they are able to take the data and figure out incredibly personal things about your life.
They can figure out whether you are a heavy drinker, whether you cheat on your spouse, what church you go to, what libraries you visit, how late you stay up, when you get up, all kinds of things. Even just little variances in those things can be surprisingly revealing about the personal things that are going on in your life, what you are thinking, what you are doing, what your habits are, what your vices are, what your virtues are. These are things that we traditionally thought of as private that the government couldn’t get without at the very least a warrant. Sometimes we thought that they were just practical barriers that prevented the government from getting it at all but increasingly, the government is able to figure out all these things and it’s able to figure it out from data that is publicly available to it, at least under current laws.
I think the big problem today is how do we address this Mosaic problem. It’s a hard thing to do. I think the first step is just to recognize that there is a problem. In that regard, I think Edward Snowden’s revelations have been incredibly helpful for showing people the scope of the surveillance that’s been going on, the size of the dragnet that everybody’s getting caught up in. Once we recognize that there is a problem, the next step is figuring out what to do about it. I think a big step in that regard would be to pass significant legislative reform. The Electronic Communications Privacy Act is more than 20 years old and it’s about time it got updated to actually regulate the technologies that exist today.
In 1986 you didn’t have Google, you didn’t have Facebook, email was a completely different kind of thing. You would actually just download it from some server and store it on your laptop and you wouldn’t keep it up in the cloud forever where it is now. That law is just not at all designed to protect the kind of information that we actively store online now. In addition, we want to encourage companies to self-regulate. If companies realize that consumers really care about the privacy, that they value it, that it’s not something that they can just take for free, that there are economic costs to invading consumers’ privacy, then I think we will start to see more self-regulation from companies and hopefully will move toward a more privacy protected sphere.
Justin Freeman: Great thinking, Brian. Scott, your thoughts?
Scott Henson: Thanks for having me and I apologize, I’ve got a little cold coming on so nobody shake my hand and I apologize for my…. There you go. All right. I guess the thing I will add is that there are just a lot of layers to these issues. It’s like peeling back an onion. We have to distinguish between the federal and the state areas. The federal ECPA as we just heard is a mess. It was kind of a mess in 1986. It is just a ridiculous mess today. It was written at a time when no one had any … written at a time when no one had a significant amount of storage, how much storage was on your computer in 1986. The idea is that someone would keep 10 years’ worth of email was deluded, almost mind blowing. Who doesn’t have that or close to it somewhere on an email account? Texas law incorporates ECPA by reference. It says that they can get it under these three different standards that all conflict or you can get something under that federal ECPA standard. We sort of linked ourselves to that. As far as … Another thing I would add on the commercial and the consumer aspect, I try and make a distinction between some of the commercial privacy issues and issues surrounding law enforcement and the government.
I think it’s one thing if you’re sharing data in an app via these terms of agreement. It’s another thing if the police just have the authority to track you because they also then have the authority to try and arrest you and put you in jail. Those raise civil liberties issues beyond the terms of service. I couldn’t agree more, that is another big mess that I don’t know how to get out of that hole…
There was a famous episode about – I’m sure many people here have heard of – where a company in England created terms of service as sort of a satire spoof and said, this isn’t an exact, but something to the effect of, “If you sign these terms of service, you agree to hand over your firstborn to Satan and to pledge your eternal allegiance to his dark holiness or whatever it was.” And did this for several weeks and then announced it, “Hey this is just a joke, just wanted to let you know that nobody is reading these things.” That no one in that whole time had ever read through it and say, “Wait, can I get your email service without selling my firstborn to the Dark Lord.” That is a huge issue but I think that it is separate to me from some of the law enforcement issues which are just cleaner. You’re just handing out so much consumer information that it just makes a lot muddier and there are some people who would say, “You know what, I’m willing to give a little personal information to a company because I want a dollar or a quarter off of my next box of detergent,” or whatever it is they are going to get savings for that. That is muddy. The law enforcement issues to me, do you have to have a warrant? Does the law enforcement have to have a warrant? Does the IRS have to have a warrant? That’s … Yeah go ahead.
Ron Yokubaitis: Yeah Scott. When you were talking about how Texas refers to the ECPA, the Electronic Communications Privacy Act in the last legislature I believe we passed the statute… because I know Scott wrote some of it and Andy… [inaudible 00:15:25] that is that in Texas now, a search warrant is required for email, content of your Internet communications. We have done a remedy in Texas. We’re the only state so far. Other states have been looking to follow in Texas’ steps. You know, Andy that works with us, went to South Carolina and in Florida. We are trying to get the ECPA in Washington where it’s the crips and the bloods – to follow the Texas statute that they require a search warrant and probable cause they are going to do surveillance. We are freer here in Texas than any other state. You are more secure and more private in the law enforcement issues.
Scott Henson: On email content. There were two big bills last session on these topics. There was one on Geo-location data and there was one on the email content. Email content passed, geo-location data was approved in one chamber by 126 to 4 vote and in the other chamber, didn’t get out. The geo-location really is what I’m referring to. Definitely email was good, the email content was great. I will tell you, the tea party folks were ready here in Texas, it’s kind of funny. The breed of Republican who is populating the Texas legislature today is not your granddaddy’s Republican. It’s pretty funny to see some of the more libertarian minded kind of folks who see this stuff and just automatically … “Well obviously they shouldn’t do that.” It’s been pretty remarkable.
Ron Yokubaitis: The days of law and order of the Republican Party is now over because you’ve got too many tea party people coming in and saying, “Problem with the constitution.”
Scott Henson: It’s funny, some of these guys believe their own hype. You hear it and it sounds, “Oh that’s government, hypocritical.” Some of them are fairly real about it. I’ve had tea party type guys telling me, “Look, the US incarcerates more people than anyone else in the nation. Texas incarcerates more people than any state in the nation, which is true.” If I’m for less government then how can I actually support that. How can I not try and scale that back? Some of those guys believe that stuff, that’s not just rhetoric to them and they are in charge of that, so you will see …
Scott McCollough: I don’t know if there is enough copies, but I left a recent poll … Some thirty copies of a recent poll dealing with how the various liberals versus conservatives view the NSA program in particular. The information is quite surprising. Almost across the board, you will find that we think all conservatives are far more opposed to the NSA surveillance program than are liberals. There is a bit of an over generalization but generally speaking you will find that in today’s environment, those who call themselves conservatives are far more suspicious of surveillance programs by the government than are those who call themselves liberals.
On the other hand, you will find the conservatives are far more understanding and willing to countenance the gathering and use of information, private information, by private companies. In my own personal opinion, I am concerned about both because ultimately if a business gets it, then of course they can use it for its own purposes but also once a business gets it, then the question becomes how easy is it for the government to then obtain it?
Brian Hauss: If I could just jump in for a second on that. The third party doctrine is this kind of strange document constitutional law document when it came out in the 70s but what it essentially says and what the government has used it to say is that when you give a business your private information, even if that information is basically necessary for that business to operate …
So your cell phone location is used by cell phone companies to provide a cell phone service. As a result, they also collect private information about where you are through your cell phone just pinging the cell towers. Then the government and then the cell companies say, the consumer has already given up that information to you, no more expectation for privacy in that information, you have to turn it over to us. Enter the third-party doctrine now, what happens when you give information to a business, the government then comes in and says, well, there is no more privacy on this information, it’s already been given over so we are entitled to it.
That’s really I think … In the constitutional sense, they are connected in that way and that’s why I think it’s really important maybe legislatively to try to overturn the third-party doctrine so the ACLU can hide in the courts to try and limit it because clearly the results were never intended or foreseen by the Supreme Court when they handed out that decision, bad decision.
Justin Freeman: It sounds like we have a consensus then. A couple of things. First of all, one of the major problems facing people is that lots of private companies gather lots of data about you, which could be accessed by law enforcement or which they can share, putting together a big picture of you that substantially invades your privacy.
Do you guys think … You’ve talked about how problematic it is when companies use and effectively boiler plate their terms of service that often state or bury what they are going to do with your information. Does any company stand out to you or do any corporations stand out to you that are particularly bad in terms of companies informing users about what type of information they are gathering and how they may be using it?
Scott McCollough: I have both drafted and analyzed the privacy policies of countless companies. When I am drafting them, it is an exercise in taking away your privacy, it is an exercise in having you waive all expectations of privacy, all rights to it, giving the property rights to me and allowing me to use it for anything I want. It is much like HIPAA that you all do when you go to the doctor.
In the name of protecting your medical privacy, you’re supposed to file this form and you think, oh great, my privacy is protected. Instead, it is an exercise in waiving. Who has good policies? Since Ron over here is my favorite clients I won’t tell his privacy policies, I would commend them to you.
They basically say your information is yours, we don’t want it, we don’t want to fool with it, we think you ought to encrypt it and keep the key and the only time we are going to turn it over is when the government gives us a warrant. They say it clearly and so simply and without qualifications.
I challenge you to find any other company, and in particular internet access providers, and in particular, even my friends over at Google, to be so clear about what it is in terms of protecting privacy. There are reasons people do not read these privacy policies. They are obtuse, they are impenetrable, and only a lawyer can understand them, and that takes effort and we don’t do anything unless we’re billed.
Ron Yokubaitis: Let me defend myself. Listen, I could talk to some of the enlightened ones in this room and I really feel like I’m talking to a pretty hard head because they’re very combative but assume, assume, assume; and you just can’t assume. Assume the worst to protect yourself. Just because somebody says they don’t log, they are logging, especially in the cloud setting. You are renting servers but you don’t control the logging on cloud based server or the network flow stats on upload drivers, somebody else does. It’s not to say that you don’t log in because the login, you just quickly go to the hosting provider, you get whatever you want to get off the hosting provider who will divulge you. We can let Rackspace talk about how corrupt their policies are. There are severe problems, unless you are heavy around the servers, know router switches and even your DNS. Okay, a Google DNS, “Hi I’m from Google and I’m here to help you for free”. You know Google DNS has got all that critical data to be able to seek for an IP address that you or your customer, anybody uses.
You need to start looking at the big hole in your privacy that is open DNS and Google DNS. There is no free lunch as you all know, you should know. We didn’t grow up with a free lunch box, there is no free lunch on the end of that. When you find a free lunch, you’re the lunch of course. You’re just going to need to take … First you are going to have to believe there is a problem other than what Snowden says. The thing I am reading, well my son is reading me, Greenwald’s book. I’m about a third of the way through it and fall asleep but no, it’s a good book.
But like he said, you can’t hide. You can run, you can encrypt, you can go from here to there, you can run your proxies around the world but still, you can’t hide. You’re basically turning to … It’s still security through obscurity, that you need to obscure yourself.
Brian Hauss: I think Ron is exactly right. I think you should be suspicious of any service provider that gives you something for free. Dry speak on the Internet and nobody does anything for free; Dropbox is a classic example of a company that provides what seems like free storage but actually it just has access to tremendous amounts of your personal data that you just load up there for them to look at whenever they want.
I’m really gratified to see that now we’re finally seeing some companies like Golden Frog and previous Lavabit before it shut down, come forward and offer these paid services. What we’re seeing is actually consumers really want to pay to protect their privacy. They are willing to pay to protect … it’s something they value and hopefully going forward there will be more options for people who really want to protect their information. The danger still is that companies that want to help protect your information aren’t always able to do it. I think Lavabit is a perfect example here.
Lavabit was a security known service provider created by Ladar Levison I think right here in Texas. It encrypted all your … Gave you the key. The idea was that Lavabit itself could not read any of your email. Its profit model was based solely on your pay subscription to the email service. The government decided it was very interested in somebody who was using Lava’s servers. There is speculation … No one has ever confirmed it but there is speculation that it was Edward Snowden and they want to do an investigation. They went to Lavabit and they said okay, we want to install a pen register device, a surveillance device on your servers so we can collect all the information that people are using as they are interacting with your service. From that, we’re going to figure out what the private key, what their private keys are and then we’re going to decode all the information; or all information of the person we are looking for. Lavabit said to the government, “I can’t give you my private keys, those protect everybody. I’ve got one set of private SSL encryption keys that secure the email traffic for everybody who is interacting with me so they know it’s me they are interacting with, not some other company, not the government.” The government said, “Too bad. We promise we will only look at the person we are looking for, we promise we won’t look at anybody else.” It’s not like they were going to sign a contract saying that, they were just telling them this. He said, “I’m not going to do that. You can’t force me to blow up my business just to give you this one person’s information. If you want this one person’s information, come with a court order for that person and I will give you that information myself. I will create code in the program to download that specific information to give it to you without compromising the rest of my users’ security.” The government said, “Too bad, we don’t want that. That is not the kind of process we want to do, we want to run it ourselves. We want to install the device and we want access to everything and then we want to take out the person. We don’t want to have to rely on you.” And Ladar did very well and said, “I am not going to do this to my users, I made a promise to them, I advertise it this way, people trusted me,” and he was trying to do his business. The government still moved for sanctions against him. I think it was on the order of about $5000 a day or something like that. He appealed it up to the Fourth Circuit – the ACLU files these briefs to have – but ultimately the Fourth Circuit said, “Oh well you know, you waived all your arguments,” because he was representing himself before the District Court. He wasn’t able to hire a lawyer in time. The government was just railroading this through the district court process.
He didn’t know what he was doing, he’s not a lawyer. He didn’t know when to object, what to say, and how to say it. The Fourth Circuit’s, they go, “Too bad, you have waived your arguments; there is nothing for us to do here.” [inaudible 00:29:05] That company was shattered and you know with regard to the finding it was held in place. In the wake of that, you saw a number of security email search providers said wait a minute, the government can get these keys, our users’ information is not secure either and they all shut it.
So one of the things we are going to do if we want to see companies actually take this really proactive stance and we want to encourage this, we have to make sure that there are reasonable limits on what the government can do as far as its investigations; even when it has a court order.
That order should be specifically limited – the fourth amendment was all about fighting general warrants, the idea that the British could just come into your house and look for whatever they wanted. The idea was that they would be specifically limited to the specific thing they need and I think we need to make sure that those limits are put back in place.
Scott McCollough: Meanwhile, find a service provider that lets you have your own key and where the service provider does not retain that key.
Justin Freeman: Scott, do you have anything else to add?
Scott Henson: Especially for this crowd, one of the things that even Scott mentioned, if someone comes with a general warrant signed by a judge that they can go ahead and give the information. If it’s encrypted, that’s one more hoop they have to jump through. It’s not impossible for them to eventually … to get to that. For folks who are developers, for folks who are producing products that may use location data or have that as part of what your service is, keep in mind that there is one kind of data that they [the government] cannot access and that is data that you have not stored. If you don’t actually store non-essential meta data over time, then it is not there for them to get. That just sort of solves the problem on that end. Now that everybody sees Snowden and then the aftermath, that becomes more reasonable saying that two years ago in December…
I’m telling you right now, especially because I learn more on government type issues, government type databases, making sure that that data doesn’t just sit there forever so there is no chance of getting it years from now. It matters and data retention is going to be a bigger and bigger issue. I also have a lot of … While I agree with most of what you said, I would also say that was more of a textbook example of how not to handle a legal situation. Law enforcement comes down and knocking on your door and there are a lot of writings on the sort legal setting actually of how all of that went down, a lot of hotshot defense lawyers think that if instead of trying to do this pro se, “This poor guy …” I say poor guy … You make the decision to represent yourself against an attorney, I thought that was silly. There is a Darwin’s law scenario there, that is just going to happen. If he had actually understood his situation and immediately lawyered up and immediately went out and saw somebody, who really knew what they were doing to fight it, I think they wouldn’t have set some of these really bad precedents.
There is a blog for a lawyer called civil justice who has written a lot about this and leads to all sorts of pros and cons, debates about how to handle this… so read his blog… Gosh “how did you let that happen” … [inaudible 00:33:33] $5000 just to [inaudible 00:33:35]. That would keep the data; call the lawyer, when they show up and don’t try to do something on your own.
Justin Freeman: I think Scott and I could both … You can’t argue rather with your advice that you should always find and pay a lawyer when you have the opportunity. I’m going to pause here for a moment for some questions. I know that we are diving almost head first and under the surface of all this discussion … It is comments about law enforcement and legal reform from government access. I would like to pause though for questions about commercial and consumer privacy if you could limit those for the moment.
Male: I have one question, have we ever considered the idea of doing some kind of open standard with these agreements? If user things or license things had a common framework across the industry, just like any of the other standards be for whatever protocols, maybe that would make it easier for people to understand what the actual agreement is.
Justin Freeman: For those of you that couldn’t hear, the question is relating to whether we can have a common platform or sort of an open source standard for privacy and user information and disclosure.
Scott McCollough: I would certainly commend it, there are several models for that in the intellectual property world and I’d be happy to work on a project such as that. I’ve never heard of one being tried. I think the industry would be well served best for the consumers if there was a specific template for privacy enhancing, set of privacy terms that people could understand and rely on.
Male: Especially if that included a scoring component.
Scott McCollough: Yes.
Justin Freeman: Anyone else?
Scott Henson: Above my pay grade.
Male: Who actually installs all the equipment or software that’s out monitoring us? Is it the FBI or NSA? Who can we talk to about making them stop?
Scott McCollough: I generally make my business, make my living representing businesses. Sadly I’m quite often pointing a finger at those very entities. The folks who have installed this surveillance mechanism for our country are the same ones who sold the information to the Iranians and the Chinese for the Great Wall of China. They’re very prominent companies, one of them begins with C and ends in O, they have equipment in virtually every company that is in this space. You all might be shocked to see what’s running on their motherboard and in their firmware.
Ron Yokubaitis: Also a provider like us gets a FISA court warrant which we now say we have. A few months ago you could never be divulged that you got it. But those will be located piece often below say piece equipment of port sailing a hoster. Their center operator gets the thing; the hoster may or may not know. We insist that the hoster knows and not be treated like a suspect so they don’t do like they did to kem.com or the fact that Steve Jackson Games here, in the Secret Service back in 1991.
The case starting, the EFF started here with Steve Jackson Games, online games, Illuminati Online, then it became the ispio.com, but they just took all the servers and now all the innocent people and even the suspects was innocent but they didn’t just hit on his stuff, they got everybody else at kem.com. They whirlwind in it, anybody that was storing a hard above the alleged cabal copyright purchase, they got their stuff stored. It’s pretty clumsy, they had the same thing. They wanted to come in, take it off, take the whole server out and still to this day … You got to resist, resist, make them specify the person or property that’s being seized and searched and it’s just still … They just want to blunder and you got to resist, call counsel on the back door. This is all [inaudible 00:38:18] sources and benefits and not [inaudible 00:38:21].
This is an FBI agent shows up, get out a brief case with a zipper on it, a lock and its top secret hush hush, you can’t tell anyone in the company you got one. Because I’m the guy that can serve that stuff. I can’t tell anybody in my own company! I just … that’s how it happens, that’s the operation of it and until the owner is satisfied to keep saying no but you have to, you have to say no until they get their stuff together. They’re going to try and wonder blunder bust you and you’ve got to make them constitutionally which the Tea Party is saying. We already got a law, they just won’t follow it.
I got a question for Scott, as the chief of this project, the ACLU, when it comes down to y’all – you’ve got somebody wrongfully in prison in Williamson County. Have y’all looked into the fact that the federal judges are paid by the very company they’re … outfit that they’re out to sanction, the federal government. I mean the judges, they’re asked to bite the hand that feeds them. For me, I don’t think that’s very constitutional, I think the federal judges ought to have … It can’t be that damn much money, probably the [inaudible 00:39:53] federal forces … we can put up the money to where the [inaudible crosstalk 00:39:57] but they don’t owe fealty to the federal government, state government, they are truly an independent judiciary. I didn’t think we have one so we get the Fourth Circuit shoving it down in.. all the really crony decisions I see out of the law enforces, especially the official FISA court.
Justin Freeman: Sorry for stopping you for a second to respond, I have one more question then we’re going to move on to something else.
Scott Henson: At first I should mention that the Innocence Project of Texas is one of my two main clients but the reason I’m up here was my involvement in the Texas Electronic Privacy Coalition. Hence its project doesn’t work on these issues per se but it’s very, very easy to get … once you get caught up in a criminal investigation, even if it’s by accident, it could take a lifetime to get extricated.
The worst of these guys get thirty three years plus in prison for [inaudible 00:41:01]. The consequence of errors in some of this stuff is huge. This is sort of untested forensics, never really no error ways. You’re tracking from cell tower to cell tower but you don’t necessarily know which four towers connect, which one you’re really closest to. And so anyway I thought all that say that is all I can say.. well that actually is all I have to say.
Justin Freeman: One last question for the patient gentleman in the back with the sore arm.
Male: Yeah so, several services have cropped up. They offer something called client side encryption. That’s where you encrypt it before you send it to the server so nobody at the server, even if they have a court order, have nothing to turn over except the encrypted information.
Do you see that as becoming the norm in operate services and how do services that depend on actually analyzing aggregate data, build your business around that kind of standard or stat?
Brian Hauss: I think the most likely thing we are going to see is that there is going to be a range of options. I don’t think the big aggregating service; I don’t think Google’s going anywhere. I think that the services that offer client side encryption will hopefully become much more popular as people start to value that stuff.
They will likely need to make their money partly by charging their clients and so some people will say, “You know what I don’t care, whatever, just put it on Google, I’m fine, really, just send me the ads.” Obviously with them you would argue that it’s not as innocuous as it sounds but I think that there will probably be a range of options and people will have to choose how much they value their privacy at the end of the day.
Ron Yokubaitis: I would just like to say of course you can do crypt your own content. PGP’s been around twenty plus years and … but one thing you might want to consider is what you can do with, for a law professor now terms a Geo-location evasion, or as we do for VyprVPN for Golden Frog. We take your surveilled IP address from AT&T, Time Warner, whatever. And put it on a shelf and encrypt you to another location or another country and lets you be assigned an IP address from that country; so that all the data is all about some person in Amsterdam.
We take your surveilled IP address from AT&T, Time Warner, whatever. And just kind of put it on a shelf and then encrypt you to another location or another country and let you be assigned an IP address that’s your located to that country. Such that the data is all about somebody in Amsterdam or Russian so that you can let them have an encrypted VPN to some place that is not identified with your locality via your ISP so there’s ….
You still running, but in the end you can’t hide and you not going to … I don’t think you prepared for them. You’re going to realize that there are some things you do, some applications you use that you’re going to want to encrypt and some other stuff you going to say, “Ah what the hell, it’s the price of Google.”
The point is that it’s your choice that then… if you don’t, it takes folks to get active. Some guy, or someone else is going to do it, you going to do it, you need to click on the EFF letter to whoever your compromised congress critter is. No matter what either party, it doesn’t really matter.
There’s a few that are more guilty than others because they got more awareness in the Internet, but y’all have to do something, it’s personal, personally to encrypt, personally to protect and [inaudible 00:45:25] publicly via letter, email – put in the pressure because they’re only going to respond to awareness and pressure.
Scott McCollough: In some respects the law generally tracks the technology here. There is a distinction between the so called federal information which when we in practice call metadata, and the actual payload which we call the content. It is difficult in many respects to have any real protection of the metadata unless you are using a VPN service which can only protect some of it even in any event.
It is far more possible for you to take action to protect the actual content, the substance of the information that you are conveying because you have the right to avail yourself of some of the encryption options that are available, but even then it’s limited. There are now offerings on the market .. Ron over here has one, it’s called Dump Truck where you can encrypt your information and upload it to the cloud and it is stored in an encrypted fashion where you still keep the key.
If Ron gets a warrant, what he hands over is gibberish. If you are talking between two edge points, two edge devices who are going through each other on the network; it is still to this day somewhat difficult to have good encryption of the content on an end to end basis.
The two edge points have to have a way to negotiate the exchange of the key. You guys are the technologists in the room, if you can come up with a way to better facilitate the exchange of the key between two edge devices and make it ubiquitous, I think you got yourself a business. It’s out there now but it’s still very difficult for a common ordinary citizen to make themselves available to it.
Justin Freeman: We’re going to go now to law enforcement which I think will be with the largest area of questions. I know I saw a whole lot of hands going up the last break, don’t worry we’re going to reserve a lot of time at the end of this.
I’d like to put to the panel, the USA Freedom Act is currently winding its way, it’s wound its way through the House and it’s now in the Senate. Of all your concerns about the last minute changes or course to run that bill, I’d just like to get your sense of whether an NSA reform or just generally US government’s surveillance reform is possible and what your criteria would be to consider that reform effort is successful. We’ll start at the far end with Scott.
Scott Henson: Sure. It would be just a sucker’s bet for anybody to bet on any particular piece of legislation to pass in Congress any time soon. Maybe it will happen, maybe it won’t, maybe it becomes a bit of the World Series …
There are lots of big maybes, but I would not count on that at all. I’ve been very heartened to see after Texas; which by the way we were just a tad ahead of our time. The Texas bills on cell phone location data and email require warrants for both … were filed a few months before, written and filed a few months before the Snowden revelation. To date, only two months earlier, they both were passed. One did, one didn’t but they both would have easily started, just happened a little bit earlier. Then for us it was a bit of a slog trying to educate people about things they didn’t understand. Now everyone has heard of it, even average folks know what you’re talking about and I think that makes it easier that you don’t have to just drag people who are not technologically savvy, into understanding why they should care about this.
Maybe something will pass at federal level. If it does – go team, if it doesn’t … Tennessee within the past week, the governor signed their state level legislation, saying state local cops can’t get cell phone location data without …
Ron Yokubaitis: Where is this?
Scott Henson: Tennessee. We’ve had Montana, Maine … two others, Utah and one other area that I’m forgetting. Who’ve done a full legislation. Then New Jersey and Massachusetts have done it at their state’s Supreme Court level. That’s just in the past two years. Texas have already passed what would have been the first in the country. We were the first in the country on email, to extend that warrant requirement to content in the cloud. There’s a national push for this … Virginia is the other. A lot of these are in probably red states and so this is …
I think we’ve got a great chance. I think that for this to happen with the state’s first, then the Feds who are still running around kicking and screaming; is more how I see this happening in the end. I guess I haven’t seen it pass anything so… maybe they will or won’t.
Justin Freeman: Brian?
Brian Hauss: I think with the ACLU you have to believe that NSA reform or intelligence reform it is a possible reason to spend so much time, so many resources fighting for it. I think the really important thing to remember here is just to look at what’s happened in the year, the year since Edward Snowden came forward. It’s almost exactly a year anniversary this month.
Over a year, just a little over a year ago we had a fight in the Supreme Court … Clapper v. Amnesty. Where we challenged the government; we believed the government’s metadata surveillance program was … we got kicked out of standing on judicial ground saying, “If you can’t show an injury then we’re going to throw you out of court.” Basically what the court said is you can’t even show what the government’s doing this. We have no idea if they are doing this or not. You can’t prove that any of your clients or you have ever been surveilled in any way or form so there’s no case here, we’re throwing you out. And then a month later, or two months later, we’re sitting in court and not only were our clients surveilled, we were surveilled, everybody was surveilled.
What you showed us was that the fifth [circuit court], the court that the government has set up to regulate intelligence surveillance, had been interpreting the relevant statutes in such a way that it clearly eviscerated that meaning. What the statute said was that the government could collect relevant data. The Fifth [circuit court] had interpreted relevant in any way even marginally useful to the government. So if it’s useful for the government to have that haystack so it can find its needle, fine, give them the haystack. That’s just not a reading that anybody reasonably … any number of the public who didn’t know what the NSA was doing reasonably thought they were going to do.
Of course the senators on the committee knew it, but they were misled because they were afraid they’d get prosecuted for giving classified information. They asked, Senator Wyden asked General Clapper at the congressional hearing … Are you collecting Americans’ metadata, are you collecting Americans’ data, and he said, “No, not really.” He basically lied to Congress. This was an entire bill of secrecy on this program and you couldn’t have the debate because the government was not willing to admit the very things it was doing. Now it’s out in the open, we know what the government is doing and I think that the public opinion has changed really quickly. The fact that we’re having this discussion at all about the USA Freedom Act just goes to show, what a difference the Snowden revelations made in this very short space of time. So we’re hopeful as time goes on, people really dig in and learn about this stuff and fights are waged that yes I think some surveillance reform is possible. I think if maybe we’ll have another moment like he did with [inaudible 00:53:55] hearing and that we will actually succeed in changing this abc culture. Would I bet on it in the short term? Maybe not. Hopefully in the long-term, change can happen.
Justin Freeman: Ron?
Ron Yokubaitis: I’m just not optimistic that we are going to get any reform in the surveillance and intelligence gathering in the United States [inaudible 00:54:16]. Just sorry, it’s got to go through Congress, it’s got to be passed on, if you object to it by court, paid by the very U.S. Congress and federal … I think it is up to us, each individual, that’s it. I’ve said for several years that encryption and VPNs are the Second Amendment for the Internet. A lot of people would disagree. The Second Amendment are [inaudible 00:54:47].
I think that folks at Fight for the Future, the political action group that focused on getting the emails on SOPA are a pretty outstanding group of young people. I’ve been on a panel with one of them South by Southwest. To a man in Massachusetts to be against us gun toten Texans, he knows we are not [inaudible 00:55:13] car jackings in Texas. Because they don’t know which one of our wenches have got [inaudible 00:55:17] are you talking about this car?
You’ve got Massachusetts but nevertheless, they are using that image of the Second Amendment. What is that, that is us, each one of us not counting on government surveillance. I am just [inaudible 00:55:36], we lobby in good faith, both parties. We are bipartisan – slanders and words but still I don’t put my family’s security in their hands of the government. I am not optimistic about …
I’m trying at a state level, we are working on the ECPA going back to several congresses but we see both parties are entrenched enough that they really don’t like it. Only now, only now with this and right now I think we’re at 214 signatories sponsored. How many are we at? 216, we need 218. I’m telling you what you could run out of here today and call your influenceable congress critter, whatever party they are.
We need some more Democrats, Lloyd Doggett here, Lloyd he gets it fast. He is one of the Democratic congressman here … The Democratic does the stronghold here in Austin. We don’t hold that against him when he snaps. He understands and is willing to listen very quickly on Internet security issues. We’re very much appreciative … It comes out, he would say it. We have just got to get to him and talk to him.
If you all talk to him, run into somebody somewhere, rather than talk sports or whatever, just say, “Hey what are you doing to protect the privacy of us from national surveillance? Are you protecting your own staff? What about you and your family?” [inaudible 00:57:26] not a congressman, Critter is what we say, it’s not Texas talk. I have lots of stuff, like, keep your mitts off my bits. We are just trying to get the ideas going but it’s up to you all individually. It’s not like somebody’s going to take care of your brother, you’re going to take care of yourselves and you best take care of your online self and just take simple measures.
For that stuff … I know we do lots of stuff that we don’t really care about. I don’t care if Google knows what bra I am looking for but there is a lot of stuff that you just need to protect the person at the other end from your loose lips. It’s going to sink somebody else’s ship. I’m not at all optimistic about our favorite surveillance state.
Scott McCollough: It’s a rare government that chooses on its own to limit its own powers and to restrict its activities. It is a common government that thinks it needs more information so that it can then efficiently take care of its subjects. The only way that there is going to be any reform with regards to surveillance is if the people rise up and demand it.
Ron Yokubaitis: That’s including geeks.
Scott McCollough: Meanwhile you need to take care of your own privacy through self action. Let me make sure that the audience here understands what the legislation is that’s going on in Congress right now because they’ve kind of been mixed up a little bit. With regards to the NSA reform, the Snowden revelation stuff; there was a bill in Congress called the USA Freedom Act that was originally introduced and largely was a good bill.
We worked with many of the progressive groups and you guys did an extraordinary job on it. We thought we had it coming out of the house but once it was voted out at committee, the powers that be in the dark of the night got together and gutted the bill. One of the people that did that by the way was unelected just a few days ago by his district in Virginia. Sadly, what passed out of house really is not satisfactory in the least. There is an effort now to try and fix it in the Senate. Nothing is going to happen; it’s good though so that the folks in the Senate have every incentive to protect their underling over there in the executive branch because everybody that’s in the Senate … One of these days they are going to be over there running the executive branch. You need to be ringing their phones off and talking to them about an NSA reform bill that actually reforms the NSA.
Second and apart from the so-called Snowden’s revelations is the amendments to the Electronic Communications Privacy Act. That is the stuff that Scott and I were talking about requiring a warrant for content. The Texas version of the ECPA was what we passed last year. In the federal Congress, we’ve been trying to get that taken care of for many years. There was a Senate bill that came out of committee, largely a good one from Senator Leahy. It has been hung up not because the NSA wants to look at your stuff, but because the Securities and Exchange Commission, the Federal Communications Commission, the Federal Trade Commission, and all these other administration agencies want to be able to get your content without a warrant by sending a subpoena or something less than a warrant to the service provider. That bill will not come out of the Senate unless somehow or another, the so-called SEC . Don’t think it’s just the NSA that want your stuff, it’s all these regulators with all these letters and after their names, it’s not FBI. They want your stuff too and the problem is once an administrative civil agency gets it, then they can turn it over to the FBI without a warrant. It’s the same as when a corporation gets your stuff, the government can get it. If one agency gets it, they can freely give it to another government agency. You need to be aware of what this information is, how it’s collected, what’s it used for, and what happens to it afterwards. On the House side, there is the Yoder bill and that’s the one where we now have a fairly large number of sponsors. We are three short of the mark.
Ron Yokubaitis: Y-O-D-E-R?
Scott McCollough: Yes, Y-O-D-E-R. If we can get a couple more Democrats to sign on as cosponsors, we will get what’s called a supermajority. It can be voted out of the House without having to go through a committee. That is a good bill, that is a clean bill. It requires a warrant for content. It does not have the so-called SEC carve out.
Ron Yokubaitis: We are not going to let the bureaucrats also protect their power because the bureaucrats want to protect their power. Those are regulatory bureaucrats that he calls administrators, they are regulators. Some people think regulation is the answer. Big companies just hire more lawyers, small companies can’t handle it but they do want to give up power – period.
Scott McCollough: I became a lawyer when I got out of the Marine Corps because I figured I needed to know my enemy. Once I got my bar card, I started to do administrative law because I found an even bigger enemy. These administrative agencies are almost as dangerous as the NSA and the FBI. They can ruin your life just as easily.
Scott Henson: After the hearing last year about the cell phone location data bill, the one that said they couldn’t look at your historical data, there was this long three-hour hearing in the house … Law enforcement Texas House. Yeah, Texas house, law enforcement said over and over, “Oh well, we don’t get this from a subpoena, we always get a warrant or we get these higher standards and reasonable suspicion, whatever.”
At the very, very last testimony of the hearing, this poor gal from the department of insurance had no idea what she was stepping into. He walked up and said, “I just wanted you all to know that we access this data all the time in nearly every one of our investigations. We just issue a subpoena, we don’t issue a warrant or anything. Just a subpoena, they always send them back – been very promptly. That is the standard here.” It’s very weird.
Scott McCollough: These were fraud investigations by the way, it just happened to be civil.
Scott Henson: Yeah, yeah, that’s why I say about the regulatory agencies. It was just very strange because while Texas law seems to… by the way Texas law on this… I’ve been involved with legislatures since the late 90s, it’s the worst written statute I have ever personally been involved with. Five lawyers write seven different pages about what that statute means.
They debate over this…. but nobody really knows what the standard is. It could be a subpoena, there’s one reading where you could say it should be a subpoena under Texas state law. There is a reference to ECPA so it could be a standard of ECPA. There is another section that’s a very convoluted bit of code that references reasonable suspicion, it could be that.
Some people, some law enforcement agencies say they did not understand themselves of what was required. Were already getting warrants anyway just to have clean papers just because they were confused and didn’t really understand.. and just said look, we have a warrant. That is one of the most confusing worst written laws ever. It’s be