1 00:00:09,230 --> 00:00:11,359 Um, this is Chris, Chris is 2 00:00:11,360 --> 00:00:13,519 going to talk about the really 3 00:00:13,520 --> 00:00:15,260 hot issue, which lot of you know, 4 00:00:16,340 --> 00:00:18,529 so please welcome him for his talk 5 00:00:18,530 --> 00:00:20,179 about because government hacking into the 6 00:00:20,180 --> 00:00:21,440 next crypto was. 7 00:00:30,340 --> 00:00:32,359 Can I get the display? 8 00:00:32,360 --> 00:00:33,360 There we go. 9 00:00:34,370 --> 00:00:35,560 That's a. 10 00:00:36,920 --> 00:00:37,920 I'm beginning. 11 00:00:39,230 --> 00:00:41,119 Sorry, I'm using Windows within Linux, so 12 00:00:41,120 --> 00:00:42,379 it's always a little bit complex. 13 00:00:42,380 --> 00:00:43,380 There we go. 14 00:00:44,240 --> 00:00:46,129 Hi, everyone. So thank you all for coming 15 00:00:46,130 --> 00:00:47,839 and coming to this room. 16 00:00:47,840 --> 00:00:49,249 So my name is Chris Soghoian. 17 00:00:49,250 --> 00:00:50,899 I work for the American Civil Liberties 18 00:00:50,900 --> 00:00:52,579 Union. I'm a technologist and I'm 19 00:00:52,580 --> 00:00:54,169 embedded within a team of attorneys. 20 00:00:54,170 --> 00:00:56,389 I work for a bunch of lawyers 21 00:00:56,390 --> 00:00:58,219 who sue the US government for various 22 00:00:58,220 --> 00:00:59,659 surveillance practices. 23 00:00:59,660 --> 00:01:01,100 It's a very, very fun job. 
24 00:01:08,420 --> 00:01:10,369 And I actually say as much as I love the 25 00:01:10,370 --> 00:01:12,199 fact we were actually the first ones to 26 00:01:12,200 --> 00:01:14,839 sue over the latest surveillance program, 27 00:01:14,840 --> 00:01:16,909 we sued less than a week after Snowden's 28 00:01:16,910 --> 00:01:19,069 first revelations. 29 00:01:19,070 --> 00:01:21,080 And we have a lot more fun stuff coming. 30 00:01:22,610 --> 00:01:24,769 All right. So today I'm going to tell you 31 00:01:24,770 --> 00:01:25,999 a few stories. 32 00:01:26,000 --> 00:01:26,959 This is really about it. 33 00:01:26,960 --> 00:01:28,489 This is a history lesson. 34 00:01:28,490 --> 00:01:30,649 This is a history lesson and a story 35 00:01:30,650 --> 00:01:31,699 about today. 36 00:01:31,700 --> 00:01:34,099 Really, what I'm going to explain is how 37 00:01:34,100 --> 00:01:36,049 the U.S. government is adapting to 38 00:01:36,050 --> 00:01:38,239 changes in technology, how the US 39 00:01:38,240 --> 00:01:40,729 government is dealing with the transition 40 00:01:40,730 --> 00:01:43,099 from one industry to another. 41 00:01:43,100 --> 00:01:45,349 And the final eventual embrace 42 00:01:45,350 --> 00:01:47,150 of some basic security technologies. 43 00:01:48,320 --> 00:01:49,969 So this is Louis Freeh. 44 00:01:49,970 --> 00:01:52,249 Louis Freeh was the director of the FBI 45 00:01:52,250 --> 00:01:54,499 during most of the 90s, 46 00:01:54,500 --> 00:01:56,719 and Louis Freeh testified 47 00:01:56,720 --> 00:01:58,279 several times before the U.S. 48 00:01:58,280 --> 00:02:00,499 Congress complaining about the kind 49 00:02:00,500 --> 00:02:02,689 of technology that is near and dear to 50 00:02:02,690 --> 00:02:03,829 our hearts. 
51 00:02:03,830 --> 00:02:05,899 Encryption technology 52 00:02:05,900 --> 00:02:07,819 so many of you may not remember, but for 53 00:02:07,820 --> 00:02:09,888 some period of time, for several 54 00:02:09,889 --> 00:02:11,989 years, for decades, 55 00:02:11,990 --> 00:02:14,779 cryptographic technology was regulated 56 00:02:14,780 --> 00:02:16,309 under export control rules. 57 00:02:16,310 --> 00:02:18,679 You were not permitted to export strong 58 00:02:18,680 --> 00:02:20,119 encryption from the United States. 59 00:02:20,120 --> 00:02:22,249 And so we had a system of good 60 00:02:22,250 --> 00:02:24,499 encryption for the Americans and shitty 61 00:02:24,500 --> 00:02:26,659 encryption for everyone else. 62 00:02:26,660 --> 00:02:28,429 Not only did we have that system in 63 00:02:28,430 --> 00:02:30,859 place, but the FBI and their friends 64 00:02:30,860 --> 00:02:33,109 also wanted to push for what was 65 00:02:33,110 --> 00:02:35,509 called as a cryptographic 66 00:02:35,510 --> 00:02:37,969 escrow or as escrow 67 00:02:37,970 --> 00:02:40,039 systems that would allow the 68 00:02:40,040 --> 00:02:41,959 government to get information about the 69 00:02:41,960 --> 00:02:43,519 encryption keys used by U.S. 70 00:02:43,520 --> 00:02:45,229 citizens. And so Louis Freeh was 71 00:02:45,230 --> 00:02:47,719 testifying before Congress in 1997, 72 00:02:47,720 --> 00:02:49,939 he said, quote The widespread 73 00:02:49,940 --> 00:02:52,249 use of robust non key 74 00:02:52,250 --> 00:02:54,019 recovery encryption ultimately will 75 00:02:54,020 --> 00:02:56,749 devastate our ability to fight crime 76 00:02:56,750 --> 00:02:58,189 and prevent terrorism. 
77 00:02:58,190 --> 00:03:00,679 He added uncrackable encryption 78 00:03:00,680 --> 00:03:03,469 will allow drug lords, spies, 79 00:03:03,470 --> 00:03:05,539 terrorists and even violent gangs 80 00:03:05,540 --> 00:03:07,699 to communicate about their crimes and 81 00:03:07,700 --> 00:03:10,129 their conspiracies with impunity. 82 00:03:10,130 --> 00:03:12,499 The way that Freeh portrayed encryption 83 00:03:12,500 --> 00:03:14,599 to Congress and to policymakers at 84 00:03:14,600 --> 00:03:16,669 that point. Encryption was the devil's 85 00:03:16,670 --> 00:03:18,769 technology. Encryption was something that 86 00:03:18,770 --> 00:03:21,049 would allow really horrible things 87 00:03:21,050 --> 00:03:22,039 to happen. 88 00:03:22,040 --> 00:03:24,349 And so obviously, policymakers took note. 89 00:03:24,350 --> 00:03:27,229 This was a very scary technology 90 00:03:27,230 --> 00:03:29,299 and what he what he 91 00:03:29,300 --> 00:03:31,369 described would be a world in which 92 00:03:31,370 --> 00:03:33,259 the government would be blind. 93 00:03:33,260 --> 00:03:34,909 The government would be unable to go 94 00:03:34,910 --> 00:03:37,639 after the worst of the worst. 95 00:03:37,640 --> 00:03:40,129 And so what Freeh called for, 96 00:03:40,130 --> 00:03:42,229 he said, quote the only acceptable 97 00:03:42,230 --> 00:03:44,929 answer is socially responsible 98 00:03:44,930 --> 00:03:47,539 encryption products, which permit timely 99 00:03:47,540 --> 00:03:49,759 law enforcement and national security 100 00:03:49,760 --> 00:03:51,949 access and decryption pursuant 101 00:03:51,950 --> 00:03:54,349 to court order or otherwise authorized 102 00:03:54,350 --> 00:03:55,459 by law. 
103 00:03:55,460 --> 00:03:58,279 Socially responsible cryptography 104 00:03:58,280 --> 00:04:00,349 in the mind of the FBI was 105 00:04:00,350 --> 00:04:02,389 cryptography that didn't actually keep 106 00:04:02,390 --> 00:04:04,039 your information safe from the US 107 00:04:04,040 --> 00:04:05,329 government. 108 00:04:05,330 --> 00:04:07,609 This is in fact one version 109 00:04:07,610 --> 00:04:09,679 of that socially responsible crypto. 110 00:04:09,680 --> 00:04:11,749 This was called the Clipper chip, 111 00:04:11,750 --> 00:04:13,579 and the Clipper chip, thankfully was not 112 00:04:13,580 --> 00:04:15,289 a success in the market. 113 00:04:15,290 --> 00:04:17,268 Not only was it not a commercial success, 114 00:04:17,269 --> 00:04:19,338 but it wasn't even very secure. 115 00:04:19,339 --> 00:04:21,379 The idea was that a third party, 116 00:04:21,380 --> 00:04:22,819 potentially the government or someone 117 00:04:22,820 --> 00:04:24,949 else, would keep a copy of your private 118 00:04:24,950 --> 00:04:27,139 keys. And if you were later suspected 119 00:04:27,140 --> 00:04:28,669 of doing something bad, the government 120 00:04:28,670 --> 00:04:30,919 could go to that third party, obtain 121 00:04:30,920 --> 00:04:32,479 your keys and then listen to your 122 00:04:32,480 --> 00:04:34,429 telephone calls. And thankfully, the 123 00:04:34,430 --> 00:04:36,769 Clipper chip never took off, 124 00:04:36,770 --> 00:04:39,079 and the FBI's dreams 125 00:04:39,080 --> 00:04:40,999 of a world of escrowed encryption. 126 00:04:42,140 --> 00:04:43,190 They didn't materialize. 127 00:04:44,420 --> 00:04:46,879 A few years later, the export 128 00:04:46,880 --> 00:04:48,469 control rules that we had in the United 129 00:04:48,470 --> 00:04:50,209 States were lessened. 130 00:04:50,210 --> 00:04:52,459 In 1996, Bill 131 00:04:52,460 --> 00:04:54,019 Clinton signed an executive order that 132 00:04:54,020 --> 00:04:55,849 really got the ball rolling. 
133 00:04:55,850 --> 00:04:57,409 And in the years that followed, we 134 00:04:57,410 --> 00:04:59,509 finally start to saw 135 00:04:59,510 --> 00:05:02,179 a sane crypto export control policy. 136 00:05:02,180 --> 00:05:03,949 This led, for example, to the United 137 00:05:03,950 --> 00:05:05,869 States granting a license to the PGP 138 00:05:05,870 --> 00:05:07,939 Corporation to export Pretty Good 139 00:05:07,940 --> 00:05:08,940 Privacy. 140 00:05:10,010 --> 00:05:11,839 And it's been, you know, this happened in 141 00:05:11,840 --> 00:05:12,889 1996. 142 00:05:12,890 --> 00:05:15,289 It's been nearly 20 years 143 00:05:15,290 --> 00:05:18,049 since these these rules were relaxed 144 00:05:18,050 --> 00:05:20,269 and the doomsday scenario that 145 00:05:20,270 --> 00:05:22,519 Freeh predicted hasn't happened. 146 00:05:22,520 --> 00:05:24,619 We haven't had drug dealers and 147 00:05:24,620 --> 00:05:26,749 pedophiles and terrorists using 148 00:05:26,750 --> 00:05:27,829 encryption en masse. 149 00:05:27,830 --> 00:05:30,199 We haven't seen wiretaps 150 00:05:30,200 --> 00:05:31,909 and other forms of investigation are 151 00:05:31,910 --> 00:05:33,349 frustrated by encryption. 152 00:05:33,350 --> 00:05:34,549 And so what happened? 153 00:05:34,550 --> 00:05:36,949 Why didn't the prediction of Louis 154 00:05:36,950 --> 00:05:39,169 Freeh and his colleagues come true? 155 00:05:39,170 --> 00:05:41,269 Why didn't the bad guys suddenly 156 00:05:41,270 --> 00:05:43,039 start using encryption because it was 157 00:05:43,040 --> 00:05:43,999 freely available? 158 00:05:44,000 --> 00:05:46,309 Anyone today can go to a number 159 00:05:46,310 --> 00:05:48,709 of websites and download email encryption 160 00:05:48,710 --> 00:05:50,959 software, hard disk encryption software 161 00:05:50,960 --> 00:05:53,299 and encrypt everything they're doing. 162 00:05:53,300 --> 00:05:55,239 But it hasn't happened. 
163 00:05:55,240 --> 00:05:57,549 PGP has not, in fact, been 164 00:05:57,550 --> 00:05:59,349 a problem for the FBI. 165 00:05:59,350 --> 00:06:01,539 And the reason is actually 166 00:06:01,540 --> 00:06:03,219 not a political one, it is a technical 167 00:06:03,220 --> 00:06:05,319 one or a one involving human 168 00:06:05,320 --> 00:06:07,479 beings. This is a research paper. 169 00:06:07,480 --> 00:06:09,489 More than 13 years old now by Alma 170 00:06:09,490 --> 00:06:12,009 Whitten, which was the first usability 171 00:06:12,010 --> 00:06:13,869 study of PGP. 172 00:06:13,870 --> 00:06:16,179 And the idea was to examine how regular 173 00:06:16,180 --> 00:06:18,129 people used encryption software to figure 174 00:06:18,130 --> 00:06:20,469 out whether regular people could figure 175 00:06:20,470 --> 00:06:22,809 out how to use the encryption software. 176 00:06:22,810 --> 00:06:25,839 This is what he looked like in 1998, 177 00:06:25,840 --> 00:06:27,429 when the when the study was published, 178 00:06:27,430 --> 00:06:29,289 and in fact, the user interface for PGP 179 00:06:29,290 --> 00:06:30,970 hasn't really changed that much since. 180 00:06:33,730 --> 00:06:35,919 And so Alma describes these 181 00:06:35,920 --> 00:06:37,479 really horrific situations. 182 00:06:37,480 --> 00:06:39,429 I mean, horrific from the perspective of 183 00:06:39,430 --> 00:06:40,629 someone in the security field. 184 00:06:40,630 --> 00:06:42,249 She describes situations in which people 185 00:06:42,250 --> 00:06:43,959 thought that they were encrypting when 186 00:06:43,960 --> 00:06:45,639 they were in fact not encrypting or 187 00:06:45,640 --> 00:06:47,379 people sending their private keys instead 188 00:06:47,380 --> 00:06:48,549 of sending their public keys. 189 00:06:49,810 --> 00:06:51,789 And you know, you can crack jokes and 190 00:06:51,790 --> 00:06:53,769 say, Aha, these are the users are so 191 00:06:53,770 --> 00:06:55,809 stupid. 
But actually, this is a failure 192 00:06:55,810 --> 00:06:56,859 of the engineering community. 193 00:06:56,860 --> 00:06:58,869 This is a failure of our community to 194 00:06:58,870 --> 00:07:00,879 produce tools that are easy enough for 195 00:07:00,880 --> 00:07:01,930 regular people to use. 196 00:07:08,640 --> 00:07:11,549 And things haven't changed, you know? 197 00:07:11,550 --> 00:07:14,129 Glenn Greenwald tried to use PGP, 198 00:07:14,130 --> 00:07:16,229 failed to use PGP, Edward Snowden made a 199 00:07:16,230 --> 00:07:18,449 how to video that still didn't help 200 00:07:18,450 --> 00:07:20,669 and eventually someone had to help 201 00:07:20,670 --> 00:07:21,869 Greenwald out. 202 00:07:21,870 --> 00:07:23,969 And that's not to blame Glenn. 203 00:07:23,970 --> 00:07:25,769 I think Glenn actually Glenn's skills are 204 00:07:25,770 --> 00:07:27,929 probably about average for a national 205 00:07:27,930 --> 00:07:29,609 security journalist. It's just these 206 00:07:29,610 --> 00:07:31,709 tools are really difficult to use. 207 00:07:31,710 --> 00:07:33,659 And we as a community haven't done 208 00:07:33,660 --> 00:07:34,660 enough. 209 00:07:35,250 --> 00:07:37,319 But so this is what this is, what 210 00:07:37,320 --> 00:07:38,549 has benefited the FBI. 211 00:07:38,550 --> 00:07:41,039 It has been the massive usability 212 00:07:41,040 --> 00:07:43,419 problems associated with encryption 213 00:07:43,420 --> 00:07:45,509 and the fact that you have to go and 214 00:07:45,510 --> 00:07:46,679 download something. 215 00:07:46,680 --> 00:07:47,759 The fact that you have to take 216 00:07:47,760 --> 00:07:49,619 affirmative steps to get encryption 217 00:07:49,620 --> 00:07:51,779 software means that most people won't 218 00:07:51,780 --> 00:07:53,699 in fact use it. 
And so the FBI has been 219 00:07:53,700 --> 00:07:55,769 able to take advantage of this as long 220 00:07:55,770 --> 00:07:57,839 as people are, as long 221 00:07:57,840 --> 00:07:59,579 as people are using the default tools and 222 00:07:59,580 --> 00:08:00,749 the default settings. 223 00:08:00,750 --> 00:08:02,939 The FBI wins when those defaults are 224 00:08:02,940 --> 00:08:04,169 not safe or secure. 225 00:08:05,520 --> 00:08:07,919 And so although it hasn't been a problem, 226 00:08:07,920 --> 00:08:10,049 neither has HTTPS, the 227 00:08:10,050 --> 00:08:11,609 encryption that we use in our web 228 00:08:11,610 --> 00:08:13,829 browsers for years has 229 00:08:13,830 --> 00:08:16,199 not been widely used. 230 00:08:16,200 --> 00:08:17,819 This is one of the slides that was 231 00:08:17,820 --> 00:08:19,559 released by I think this one was released 232 00:08:19,560 --> 00:08:21,269 by The Guardian this summer. 233 00:08:21,270 --> 00:08:23,789 This is a GQ slide from 234 00:08:23,790 --> 00:08:26,429 2009 saying, Why are 235 00:08:26,430 --> 00:08:28,109 you interested in HTTP? 236 00:08:28,110 --> 00:08:29,939 And the answer was because at that point 237 00:08:29,940 --> 00:08:32,009 in nineteen ninety nine two thousand 238 00:08:32,010 --> 00:08:34,079 nine, nearly everything a user 239 00:08:34,080 --> 00:08:36,119 does was using HTTP. 240 00:08:36,120 --> 00:08:38,189 Back in 2009, just four 241 00:08:38,190 --> 00:08:40,408 years ago, Facebook, Yahoo, 242 00:08:40,409 --> 00:08:42,569 Twitter, MySpace, Gmail, 243 00:08:42,570 --> 00:08:44,789 Google Earth, Wikipedia, everything 244 00:08:44,790 --> 00:08:46,979 was going over the internet in 245 00:08:46,980 --> 00:08:48,629 clear text. 
246 00:08:48,630 --> 00:08:50,879 Although SSL was available in 247 00:08:50,880 --> 00:08:53,189 the browser, consumers 248 00:08:53,190 --> 00:08:55,409 don't choose whether or not the sites 249 00:08:55,410 --> 00:08:57,359 they're visiting are going to be whether 250 00:08:57,360 --> 00:08:58,979 they will be going over SSL or not. 251 00:08:58,980 --> 00:09:00,689 That is generally a decision made by the 252 00:09:00,690 --> 00:09:02,549 server, particularly the server doesn't 253 00:09:02,550 --> 00:09:03,550 even support it. 254 00:09:04,560 --> 00:09:07,049 And so governments took advantage 255 00:09:07,050 --> 00:09:09,539 of this. They could engage in massive 256 00:09:09,540 --> 00:09:11,739 passive interception 257 00:09:11,740 --> 00:09:13,529 enabled because of the fact that 258 00:09:13,530 --> 00:09:15,329 encryption wasn't being used. 259 00:09:15,330 --> 00:09:17,699 Now, of course, that was in 2009. 260 00:09:17,700 --> 00:09:20,039 We're now in 2013, and a lot has changed 261 00:09:20,040 --> 00:09:21,149 in the last few years. 262 00:09:21,150 --> 00:09:23,039 Hell, a lot. A lot has changed in the 263 00:09:23,040 --> 00:09:24,569 last few months. 264 00:09:24,570 --> 00:09:26,639 And so Google was the first of the big 265 00:09:26,640 --> 00:09:28,349 tech companies, first of the big 266 00:09:28,350 --> 00:09:30,449 non-financial companies to finally 267 00:09:30,450 --> 00:09:32,579 roll out SSL by default in January 268 00:09:32,580 --> 00:09:34,109 of 2010. 269 00:09:34,110 --> 00:09:35,369 And then the next couple of years, 270 00:09:35,370 --> 00:09:38,099 several companies followed Twitter, 271 00:09:38,100 --> 00:09:40,019 Microsoft's Outlook email service, 272 00:09:40,020 --> 00:09:42,269 Facebook and then Google even moved their 273 00:09:42,270 --> 00:09:44,489 their search service to SSL by 274 00:09:44,490 --> 00:09:46,349 default. 
And so we've gone in the past 275 00:09:46,350 --> 00:09:48,449 few years from a world in 276 00:09:48,450 --> 00:09:50,399 which most information, most of our 277 00:09:50,400 --> 00:09:52,619 communications were going 278 00:09:52,620 --> 00:09:54,479 over the public internet and unencrypted 279 00:09:54,480 --> 00:09:56,759 form to a world in which some 280 00:09:56,760 --> 00:09:58,679 of our communications are going over the 281 00:09:58,680 --> 00:10:00,689 web in encrypted form, at least in 282 00:10:00,690 --> 00:10:01,799 portions of the internet. 283 00:10:03,780 --> 00:10:05,789 Even Yahoo has announced that they are 284 00:10:05,790 --> 00:10:07,289 allegedly committed to protecting your 285 00:10:07,290 --> 00:10:09,479 information and are finally 286 00:10:09,480 --> 00:10:10,439 turning on SSL. 287 00:10:10,440 --> 00:10:12,779 I think in a few weeks in 288 00:10:12,780 --> 00:10:14,070 January, they're going to be doing this. 289 00:10:15,210 --> 00:10:17,369 Now, if you see, some of this has 290 00:10:17,370 --> 00:10:19,859 in fact been a direct result 291 00:10:19,860 --> 00:10:22,679 of reporting by The Washington Post 292 00:10:22,680 --> 00:10:24,509 not only revealing that these companies 293 00:10:24,510 --> 00:10:26,369 information, the information between the 294 00:10:26,370 --> 00:10:28,379 users and the sites was being 295 00:10:28,380 --> 00:10:30,059 intercepted, but in fact, the information 296 00:10:30,060 --> 00:10:31,709 between the data centers of various 297 00:10:31,710 --> 00:10:33,809 companies, the internal links between 298 00:10:33,810 --> 00:10:35,909 companies are being intercepted. 
299 00:10:35,910 --> 00:10:38,039 And so it was directly as a result of the 300 00:10:38,040 --> 00:10:40,079 reporting of The Washington Post that 301 00:10:40,080 --> 00:10:42,509 Yahoo finally got with the program and 302 00:10:42,510 --> 00:10:44,819 turned on SSL by default, that Google, 303 00:10:44,820 --> 00:10:46,619 Yahoo and Microsoft have announced that 304 00:10:46,620 --> 00:10:48,149 they are all encrypting their server to 305 00:10:48,150 --> 00:10:49,619 server links. 306 00:10:49,620 --> 00:10:51,419 And so we're finally getting to a point 307 00:10:51,420 --> 00:10:53,309 where things are getting a little bit 308 00:10:53,310 --> 00:10:54,310 better. 309 00:10:54,780 --> 00:10:56,819 If you've seen the EFF Encrypt the Web 310 00:10:56,820 --> 00:10:58,949 report, which is a fantastic 311 00:10:58,950 --> 00:11:01,019 compendium of information, this sea of 312 00:11:01,020 --> 00:11:02,999 green that we're now seeing across tech 313 00:11:03,000 --> 00:11:05,729 companies is directly a result 314 00:11:05,730 --> 00:11:07,919 of the disclosures of this summer. 315 00:11:07,920 --> 00:11:09,389 And so we're finally moving in the right 316 00:11:09,390 --> 00:11:10,919 direction. 317 00:11:10,920 --> 00:11:12,869 And of course, the government probably 318 00:11:12,870 --> 00:11:14,279 isn't going to like this too much. 319 00:11:15,870 --> 00:11:18,179 I mean, it will frustrate some forms 320 00:11:18,180 --> 00:11:19,769 of passive surveillance, passive network 321 00:11:19,770 --> 00:11:21,959 surveillance, but HTTPS 322 00:11:21,960 --> 00:11:24,029 does not prevent the US government 323 00:11:24,030 --> 00:11:26,189 from getting data. HTTPS 324 00:11:26,190 --> 00:11:28,409 prevents the US government from 325 00:11:28,410 --> 00:11:29,879 getting data from the companies that they 326 00:11:29,880 --> 00:11:31,739 would normally like to get it from. 
327 00:11:31,740 --> 00:11:33,119 But it doesn't actually stop them from 328 00:11:33,120 --> 00:11:35,309 getting your data or my data right. 329 00:11:35,310 --> 00:11:37,139 So typically the US government would like 330 00:11:37,140 --> 00:11:39,329 to go to operators of backbone internet 331 00:11:39,330 --> 00:11:41,159 services. It was revealed by the New York 332 00:11:41,160 --> 00:11:43,139 Times that Level 3 Communications 333 00:11:43,140 --> 00:11:45,029 provides the links between Google's data 334 00:11:45,030 --> 00:11:47,099 centers. We know that Verizon and 335 00:11:47,100 --> 00:11:49,559 AT&T have been providing assistance 336 00:11:49,560 --> 00:11:52,139 to the US government for a long time. 337 00:11:52,140 --> 00:11:54,119 And so the government would rather go to 338 00:11:54,120 --> 00:11:55,199 these telcos. 339 00:11:55,200 --> 00:11:56,789 They would rather go to these companies 340 00:11:56,790 --> 00:11:59,279 and get information in bulk. 341 00:11:59,280 --> 00:12:01,709 Right. They can do keyword searches 342 00:12:01,710 --> 00:12:03,359 through people's information or people's 343 00:12:03,360 --> 00:12:05,639 email accounts and other other 344 00:12:05,640 --> 00:12:07,019 forms of information when they get 345 00:12:07,020 --> 00:12:08,429 everything at once. 346 00:12:08,430 --> 00:12:10,349 They would rather do that, do this, then 347 00:12:10,350 --> 00:12:12,329 go to the tech companies and request 348 00:12:12,330 --> 00:12:13,379 information. 349 00:12:13,380 --> 00:12:16,349 And so the shift from HTTP 350 00:12:16,350 --> 00:12:18,479 to HTTPS is 351 00:12:18,480 --> 00:12:20,669 also causing a shift in the way that 352 00:12:20,670 --> 00:12:22,619 the government obtains information about 353 00:12:22,620 --> 00:12:23,549 users. 
354 00:12:23,550 --> 00:12:24,989 And the way that this shift is occurring 355 00:12:24,990 --> 00:12:27,059 is that they now have to go to Silicon 356 00:12:27,060 --> 00:12:28,679 Valley technology companies, whereas in 357 00:12:28,680 --> 00:12:30,989 the past they could go to friendly 358 00:12:30,990 --> 00:12:32,669 telecommunications companies who were 359 00:12:32,670 --> 00:12:34,799 probably more likely to say yes and 360 00:12:34,800 --> 00:12:36,689 to give them access to far more 361 00:12:36,690 --> 00:12:37,769 information at once. 362 00:12:38,920 --> 00:12:40,439 Right. And so what we've seen then 363 00:12:40,440 --> 00:12:42,929 naturally, is the development 364 00:12:42,930 --> 00:12:45,269 of relationships between the Silicon 365 00:12:45,270 --> 00:12:47,379 Valley technology companies and the NSA. 366 00:12:47,380 --> 00:12:50,009 Now PRISM, I think in some ways 367 00:12:50,010 --> 00:12:51,479 people have gotten the wrong impression 368 00:12:51,480 --> 00:12:53,009 about this. These companies have been 369 00:12:53,010 --> 00:12:55,199 providing access to the US government 370 00:12:55,200 --> 00:12:57,449 long before they were listed on the PRISM 371 00:12:57,450 --> 00:12:58,499 slides. 372 00:12:58,500 --> 00:13:00,029 All U.S. technology companies are 373 00:13:00,030 --> 00:13:02,519 required by law to respond to 374 00:13:02,520 --> 00:13:04,859 lawful requests, and the PRISM really 375 00:13:04,860 --> 00:13:06,719 is just about how are these requests 376 00:13:06,720 --> 00:13:08,429 processed and how is information 377 00:13:08,430 --> 00:13:09,959 delivered to the government. 378 00:13:09,960 --> 00:13:11,309 But let's be sure. 379 00:13:11,310 --> 00:13:13,859 Let's be clear, Google will respond 380 00:13:13,860 --> 00:13:15,929 to lawful requests from the Department of 381 00:13:15,930 --> 00:13:18,359 Justice. Facebook, Microsoft, Yahoo. 
382 00:13:18,360 --> 00:13:19,889 All of these companies are required by 383 00:13:19,890 --> 00:13:22,139 law and will hand over data 384 00:13:22,140 --> 00:13:23,190 about their customers. 385 00:13:24,360 --> 00:13:26,399 What's happened, though? 386 00:13:26,400 --> 00:13:28,709 What SSL or that the use of 387 00:13:28,710 --> 00:13:30,809 transport encryption has done is 388 00:13:30,810 --> 00:13:33,059 it has. It has moved the point 389 00:13:33,060 --> 00:13:35,069 of interception and has moved the 390 00:13:35,070 --> 00:13:36,719 bottleneck to the technology companies. 391 00:13:36,720 --> 00:13:38,969 The technology companies want to be 392 00:13:38,970 --> 00:13:40,649 the one place through which the 393 00:13:40,650 --> 00:13:42,659 government can spy on their users. 394 00:13:42,660 --> 00:13:44,159 They don't. They've not said that they 395 00:13:44,160 --> 00:13:46,229 want to be or that they want their 396 00:13:46,230 --> 00:13:48,239 users to be safe from all spying. 397 00:13:48,240 --> 00:13:50,039 They just want to be the ones to perform 398 00:13:50,040 --> 00:13:52,019 the spying. They want to know when the 399 00:13:52,020 --> 00:13:53,339 government wants information about one of 400 00:13:53,340 --> 00:13:55,439 their users. They want to be the ones who 401 00:13:55,440 --> 00:13:57,269 receive the court order who examine the 402 00:13:57,270 --> 00:13:59,219 court order, maybe who pushed back or 403 00:13:59,220 --> 00:14:00,119 don't push back. 404 00:14:00,120 --> 00:14:01,829 What they don't want is some other 405 00:14:01,830 --> 00:14:03,959 company, like a telecommunications 406 00:14:03,960 --> 00:14:05,849 company, to be the one providing data 407 00:14:05,850 --> 00:14:06,850 about their customers. 
408 00:14:09,850 --> 00:14:11,949 And so I think it's important 409 00:14:11,950 --> 00:14:13,629 to understand and to take note of the 410 00:14:13,630 --> 00:14:16,269 fact that the tech companies still 411 00:14:16,270 --> 00:14:18,429 have your data in unencrypted form. 412 00:14:19,580 --> 00:14:21,529 Right, even though the communications are 413 00:14:21,530 --> 00:14:23,539 going over the internet in encrypted form 414 00:14:23,540 --> 00:14:25,249 once it gets to Google. 415 00:14:25,250 --> 00:14:27,349 Once your emails get to Google's servers, 416 00:14:27,350 --> 00:14:29,569 once your direct messages on Twitter 417 00:14:29,570 --> 00:14:31,579 get to Twitter, they're sitting there in 418 00:14:31,580 --> 00:14:32,479 unencrypted form. 419 00:14:32,480 --> 00:14:34,039 That or at least encrypted form that 420 00:14:34,040 --> 00:14:35,719 their engineers can access when they need 421 00:14:35,720 --> 00:14:37,039 to. 422 00:14:37,040 --> 00:14:38,629 And that's not going to change anytime 423 00:14:38,630 --> 00:14:40,969 soon. It's unlikely that the major 424 00:14:40,970 --> 00:14:43,159 technology companies are going to roll 425 00:14:43,160 --> 00:14:44,929 out products that protect your 426 00:14:44,930 --> 00:14:46,369 information in such a way that they are 427 00:14:46,370 --> 00:14:48,289 never able to hand your information over 428 00:14:48,290 --> 00:14:49,549 to the government when they get a 429 00:14:49,550 --> 00:14:50,839 request. 430 00:14:50,840 --> 00:14:52,549 This is Vint Cerf, many of you. 431 00:14:52,550 --> 00:14:54,229 I'm sure everyone in this room has heard 432 00:14:54,230 --> 00:14:55,159 of him. 433 00:14:55,160 --> 00:14:57,409 One of the fathers of the internet, Vint, 434 00:14:57,410 --> 00:14:59,509 is now a senior executive at Google. 
435 00:14:59,510 --> 00:15:01,640 I think his title is internet evangelist, 436 00:15:03,200 --> 00:15:05,659 and Vint was on a panel with me in 2011, 437 00:15:05,660 --> 00:15:07,909 and we were discussing whether 438 00:15:07,910 --> 00:15:10,219 Google could ever sort of deliver secure 439 00:15:10,220 --> 00:15:11,209 services to their customers. 440 00:15:11,210 --> 00:15:13,069 And he said, quote, We couldn't run our 441 00:15:13,070 --> 00:15:14,749 system if everything in it were 442 00:15:14,750 --> 00:15:16,609 encrypted, because then we wouldn't know 443 00:15:16,610 --> 00:15:18,109 which ads to show you. 444 00:15:18,110 --> 00:15:20,029 This is a system that was designed around 445 00:15:20,030 --> 00:15:21,259 a particular business model. 446 00:15:22,420 --> 00:15:24,579 And I have to give them, 447 00:15:24,580 --> 00:15:26,829 you know, a lot of respect for being 448 00:15:26,830 --> 00:15:28,569 on this open in this transparent, it's 449 00:15:28,570 --> 00:15:29,709 something, in fact, that many of his 450 00:15:29,710 --> 00:15:32,439 colleagues haven't done that Google 451 00:15:32,440 --> 00:15:34,899 cannot deliver a service 452 00:15:34,900 --> 00:15:36,999 to you right now where Google is 453 00:15:37,000 --> 00:15:38,139 never going to have to hand over your 454 00:15:38,140 --> 00:15:39,909 information to the government without 455 00:15:39,910 --> 00:15:41,589 shifting to a different business model. 456 00:15:41,590 --> 00:15:43,509 Google's advertising supported business 457 00:15:43,510 --> 00:15:46,029 model requires that they see the contents 458 00:15:46,030 --> 00:15:47,919 of your emails. It requires that they 459 00:15:47,920 --> 00:15:50,139 know the web pages you're going to 460 00:15:50,140 --> 00:15:51,939 and to move to a model where they don't 461 00:15:51,940 --> 00:15:53,379 know the contents of your emails. 
462 00:15:53,380 --> 00:15:54,489 When they don't know where you're going 463 00:15:54,490 --> 00:15:55,659 on, the web and where they know nothing 464 00:15:55,660 --> 00:15:57,729 about you will be will require 465 00:15:57,730 --> 00:15:59,769 that they give up the advertising revenue 466 00:15:59,770 --> 00:16:01,449 that they make right now. 467 00:16:01,450 --> 00:16:03,189 And many of us don't give our money to 468 00:16:03,190 --> 00:16:04,779 Google. I'm not going to get into this 469 00:16:04,780 --> 00:16:06,099 business about if you're not paying for 470 00:16:06,100 --> 00:16:07,210 the product, you are the product. 471 00:16:08,230 --> 00:16:10,029 But right now, Google would have to 472 00:16:10,030 --> 00:16:11,559 switch to an entirely different business 473 00:16:11,560 --> 00:16:13,629 model to deliver end to end 474 00:16:13,630 --> 00:16:14,859 encrypted services to users. 475 00:16:14,860 --> 00:16:16,929 And it's not clear that that they want to 476 00:16:16,930 --> 00:16:18,189 move down that path. 477 00:16:18,190 --> 00:16:19,959 I think they want to stay a very 478 00:16:19,960 --> 00:16:21,309 successful advertising company. 479 00:16:21,310 --> 00:16:22,839 So the first thing is that Google's 480 00:16:22,840 --> 00:16:24,909 business model doesn't 481 00:16:24,910 --> 00:16:26,739 actually permit them to move to a 482 00:16:26,740 --> 00:16:28,449 situation in which they have only 483 00:16:28,450 --> 00:16:29,829 encrypted data. 484 00:16:29,830 --> 00:16:31,419 And the second thing is that it's not 485 00:16:31,420 --> 00:16:33,279 even clear whether the tech companies 486 00:16:33,280 --> 00:16:35,019 want to provide services 487 00:16:36,160 --> 00:16:38,229 that keep the government out. 
488 00:16:38,230 --> 00:16:40,359 It seems if you listen to the executives 489 00:16:40,360 --> 00:16:42,189 at the Big Tech companies, it seems like 490 00:16:42,190 --> 00:16:44,709 they're actually OK with individualized 491 00:16:44,710 --> 00:16:45,789 surveillance. 492 00:16:45,790 --> 00:16:48,279 You know, they're OK with moving 493 00:16:48,280 --> 00:16:49,989 from a world where we are now to a world 494 00:16:49,990 --> 00:16:51,369 in which the government can only get 495 00:16:51,370 --> 00:16:54,279 information about individual users. 496 00:16:54,280 --> 00:16:56,349 If you listen to the statements 497 00:16:56,350 --> 00:16:57,789 of the executives or you see some of the 498 00:16:57,790 --> 00:16:59,979 things they've put out, for example, just 499 00:16:59,980 --> 00:17:02,049 a week or two ago, eight of the 500 00:17:02,050 --> 00:17:04,179 biggest technology companies published 501 00:17:04,180 --> 00:17:06,669 this is open call to reform 502 00:17:06,670 --> 00:17:08,078 government surveillance. You can see it 503 00:17:08,079 --> 00:17:09,879 online. I think it's reform government 504 00:17:09,880 --> 00:17:12,129 surveillance dot com, and they've called 505 00:17:12,130 --> 00:17:13,719 for the U.S. government and governments 506 00:17:13,720 --> 00:17:15,399 around the world to sort of reform their 507 00:17:15,400 --> 00:17:17,858 surveillance practices and laws. 508 00:17:17,859 --> 00:17:19,328 One of the things they say in that is 509 00:17:19,329 --> 00:17:21,189 that governments should limit 510 00:17:21,190 --> 00:17:23,439 surveillance to specific known 511 00:17:23,440 --> 00:17:25,719 users for lawful purposes 512 00:17:25,720 --> 00:17:27,969 and should not undertake bulk collection 513 00:17:27,970 --> 00:17:29,170 of internet communications. 
514 00:17:30,850 --> 00:17:32,499 So on one hand, I guess we should be 515 00:17:32,500 --> 00:17:34,659 happy that these companies have come to 516 00:17:34,660 --> 00:17:36,759 our aid and are deploying their their 517 00:17:36,760 --> 00:17:39,219 PR and lobbying dollars in favor 518 00:17:39,220 --> 00:17:40,809 of surveillance reform. 519 00:17:40,810 --> 00:17:42,339 They clearly don't like dragnet 520 00:17:42,340 --> 00:17:43,239 surveillance. 521 00:17:43,240 --> 00:17:44,769 They don't want governments to get 522 00:17:44,770 --> 00:17:46,599 information about all of their users, but 523 00:17:46,600 --> 00:17:48,669 they do seem to be comfortable with 524 00:17:48,670 --> 00:17:50,619 individualized requests about particular 525 00:17:50,620 --> 00:17:52,029 users. 526 00:17:52,030 --> 00:17:53,409 Now, I don't know about you. Maybe you're 527 00:17:53,410 --> 00:17:55,569 comfortable with the police having 528 00:17:55,570 --> 00:17:57,219 access to your information. 529 00:17:57,220 --> 00:17:59,439 If they go to a judge and they obtain and 530 00:17:59,440 --> 00:18:00,699 you know, they show probable cause and 531 00:18:00,700 --> 00:18:01,749 then they get the emails. 532 00:18:01,750 --> 00:18:03,759 I don't particularly want my emails to be 533 00:18:03,760 --> 00:18:05,949 turned over under any circumstances. 534 00:18:05,950 --> 00:18:07,569 And Google and these other technology 535 00:18:07,570 --> 00:18:09,249 companies are not going to deliver the 536 00:18:09,250 --> 00:18:10,839 kind of encryption and privacy 537 00:18:10,840 --> 00:18:13,209 protections that I actually want. 538 00:18:13,210 --> 00:18:14,829 And that's fine. 539 00:18:14,830 --> 00:18:16,389 There are companies and they can choose 540 00:18:16,390 --> 00:18:18,729 to to target their products 541 00:18:18,730 --> 00:18:19,809 in the market the way that they choose to 542 00:18:19,810 --> 00:18:20,829 do. 
543 00:18:20,830 --> 00:18:23,259 But let's be clear, Google and Facebook 544 00:18:23,260 --> 00:18:25,089 and Microsoft are not about to start 545 00:18:25,090 --> 00:18:27,639 delivering end to end encrypted services 546 00:18:27,640 --> 00:18:29,889 to their users. They are not ready to 547 00:18:29,890 --> 00:18:31,809 lock the government out. 548 00:18:31,810 --> 00:18:33,279 So this is Eric Schmidt, of course, 549 00:18:33,280 --> 00:18:35,349 Google's longtime CEO and 550 00:18:35,350 --> 00:18:36,579 now chairman. 551 00:18:36,580 --> 00:18:38,709 And in 2009, Eric Schmidt 552 00:18:38,710 --> 00:18:40,809 was interviewed by Public Radio in 553 00:18:40,810 --> 00:18:42,579 the United States, and he was asked about 554 00:18:42,580 --> 00:18:44,299 surveillance. He said sorry. 555 00:18:44,300 --> 00:18:46,539 He was asked about why Google keeps data 556 00:18:46,540 --> 00:18:47,529 about users. 557 00:18:47,530 --> 00:18:49,539 He said, quote, The reason we keep search 558 00:18:49,540 --> 00:18:51,609 engine data for any length of time is 559 00:18:51,610 --> 00:18:53,799 one we need to make our algorithms 560 00:18:53,800 --> 00:18:55,989 better. But more importantly, there 561 00:18:55,990 --> 00:18:58,059 is a legitimate case of the government or 562 00:18:58,060 --> 00:19:00,039 particularly the police function or so 563 00:19:00,040 --> 00:19:02,229 forth. One thing with a federal subpoena 564 00:19:02,230 --> 00:19:04,299 and so forth, being able to get access 565 00:19:04,300 --> 00:19:05,649 to that information. 566 00:19:05,650 --> 00:19:06,939 So this is not the most articulate 567 00:19:06,940 --> 00:19:09,039 statement that Schmidt has ever made. 568 00:19:09,040 --> 00:19:10,209 But what is clear 569 00:19:11,410 --> 00:19:13,359 is that he was justifying their data 570 00:19:13,360 --> 00:19:15,189 retention under the grounds that it would 571 00:19:15,190 --> 00:19:16,720 be useful to the police. 
572 00:19:18,160 --> 00:19:20,079 Again, it's fine that Google wants to do 573 00:19:20,080 --> 00:19:21,249 that. I wish they would be a little bit 574 00:19:21,250 --> 00:19:23,109 more transparent about that. 575 00:19:23,110 --> 00:19:25,839 But Google is keeping your data, 576 00:19:25,840 --> 00:19:27,669 according to Eric Schmidt, because it is 577 00:19:27,670 --> 00:19:29,769 useful to the authorities, 578 00:19:29,770 --> 00:19:31,629 and I don't want my email provider to 579 00:19:31,630 --> 00:19:32,630 have that policy. 580 00:19:33,520 --> 00:19:35,919 And if you want your email provider 581 00:19:35,920 --> 00:19:38,889 to to not keep your data, 582 00:19:38,890 --> 00:19:40,569 then Google probably isn't going to be 583 00:19:40,570 --> 00:19:42,099 the right company for you either. 584 00:19:43,900 --> 00:19:46,239 So the government, 585 00:19:46,240 --> 00:19:48,369 my government has been concerned for 586 00:19:48,370 --> 00:19:51,009 years about the spread of encryption. 587 00:19:51,010 --> 00:19:52,539 They've been concerned about the spread 588 00:19:52,540 --> 00:19:54,459 of easy to use tools. 589 00:19:54,460 --> 00:19:55,460 And slowly, 590 00:19:56,590 --> 00:19:58,779 we are starting to get some 591 00:19:58,780 --> 00:20:00,939 form of encryption delivered to 592 00:20:00,940 --> 00:20:02,529 consumers and enabled by default. 593 00:20:02,530 --> 00:20:04,599 It's not keeping the government out, but 594 00:20:04,600 --> 00:20:06,459 it is limiting their ability to conduct 595 00:20:06,460 --> 00:20:08,829 bulk surveillance and in some cases, 596 00:20:08,830 --> 00:20:10,959 sophisticated users who are using 597 00:20:10,960 --> 00:20:13,779 end to end encrypted services may in fact 598 00:20:13,780 --> 00:20:15,789 cause the government to not be able to 599 00:20:15,790 --> 00:20:17,139 perform intercepts. 600 00:20:17,140 --> 00:20:18,969 The FBI has a term for this.
601 00:20:18,970 --> 00:20:21,369 They have a term for this problem 602 00:20:21,370 --> 00:20:23,049 of not being able to spy on users 603 00:20:23,050 --> 00:20:24,939 anymore. They call it going dark. 604 00:20:24,940 --> 00:20:26,709 This is something they've been predicting 605 00:20:26,710 --> 00:20:27,710 for more than a decade. 606 00:20:31,350 --> 00:20:32,729 This is Valerie Caproni. 607 00:20:32,730 --> 00:20:35,519 She was for a long, long time 608 00:20:35,520 --> 00:20:37,319 the general counsel for the FBI, the 609 00:20:37,320 --> 00:20:39,389 FBI's top lawyer. 610 00:20:39,390 --> 00:20:41,129 Just in the last year or two, she left 611 00:20:41,130 --> 00:20:43,739 the FBI and is now a federal judge 612 00:20:43,740 --> 00:20:44,740 in New York. 613 00:20:45,660 --> 00:20:48,090 And so Valerie Caproni went to Congress 614 00:20:49,380 --> 00:20:51,209 to complain about this going dark 615 00:20:51,210 --> 00:20:53,369 problem. She complained about 616 00:20:53,370 --> 00:20:55,499 the the world that the FBI was facing and 617 00:20:55,500 --> 00:20:56,879 the threat of these encryption 618 00:20:56,880 --> 00:20:58,199 technologies. 619 00:20:58,200 --> 00:21:00,389 She said quote the FBI and other 620 00:21:00,390 --> 00:21:02,399 government agencies are facing a 621 00:21:02,400 --> 00:21:04,649 potentially widening gap between 622 00:21:04,650 --> 00:21:06,869 our legal authority to intercept 623 00:21:06,870 --> 00:21:08,699 electronic communications and our 624 00:21:08,700 --> 00:21:10,829 practical ability to actually intercept 625 00:21:10,830 --> 00:21:11,999 those communications. 626 00:21:12,000 --> 00:21:13,529 What she is saying here is that they can 627 00:21:13,530 --> 00:21:15,809 get an order from a judge 628 00:21:15,810 --> 00:21:17,789 to intercept someone's information to to 629 00:21:17,790 --> 00:21:19,919 tap a phone or two to tap an 630 00:21:19,920 --> 00:21:21,389 instant message conversation. 
631 00:21:21,390 --> 00:21:23,219 But once they have that court order, 632 00:21:23,220 --> 00:21:24,959 they're not actually able in all 633 00:21:24,960 --> 00:21:26,909 circumstances to actually tap the 634 00:21:26,910 --> 00:21:29,669 connection. Maybe the person is using 635 00:21:29,670 --> 00:21:31,679 some form of encrypted voice over IP or 636 00:21:31,680 --> 00:21:33,869 encrypted Real-Time text messaging, 637 00:21:33,870 --> 00:21:36,059 but she's saying that they get 638 00:21:36,060 --> 00:21:37,469 the court orders, but then cannot 639 00:21:37,470 --> 00:21:39,599 actually do the taps and the 640 00:21:39,600 --> 00:21:41,729 solution that the FBI called for. 641 00:21:41,730 --> 00:21:44,009 The solution that the law enforcement 642 00:21:44,010 --> 00:21:46,109 community proposed 643 00:21:46,110 --> 00:21:47,249 were legal backdoors. 644 00:21:48,600 --> 00:21:50,579 So what they wanted to do was to get 645 00:21:50,580 --> 00:21:52,679 expanded powers from Congress 646 00:21:52,680 --> 00:21:54,629 to be able to go to technology companies, 647 00:21:54,630 --> 00:21:56,909 to major technology companies and force 648 00:21:56,910 --> 00:21:59,069 them to build in law enforcement 649 00:21:59,070 --> 00:22:00,479 interception interfaces into their 650 00:22:00,480 --> 00:22:02,399 products. These are the same kinds of 651 00:22:02,400 --> 00:22:04,049 interception features that the 652 00:22:04,050 --> 00:22:05,969 telecommunications companies already have 653 00:22:05,970 --> 00:22:08,549 in the U.S. we have a law called CALEA, 654 00:22:08,550 --> 00:22:10,169 the Communications Assistance for Law 655 00:22:10,170 --> 00:22:11,549 Enforcement Act, and really what they 656 00:22:11,550 --> 00:22:14,009 wanted to do was to expand that 657 00:22:14,010 --> 00:22:16,139 to companies like Google and Facebook and 658 00:22:16,140 --> 00:22:17,639 Microsoft. 
659 00:22:17,640 --> 00:22:19,709 Now, as recently 660 00:22:19,710 --> 00:22:22,169 as April 28th of this year, 661 00:22:22,170 --> 00:22:24,719 just before May, the FBI 662 00:22:24,720 --> 00:22:26,669 was ready. They had a proposal ready to 663 00:22:26,670 --> 00:22:27,670 go. 664 00:22:28,080 --> 00:22:29,009 That was, that would, 665 00:22:29,010 --> 00:22:31,319 if passed by Congress, would have given 666 00:22:31,320 --> 00:22:33,659 the FBI the authority to fine technology 667 00:22:33,660 --> 00:22:36,329 companies if they refused to provide 668 00:22:36,330 --> 00:22:37,769 this kind of surveillance assistance. 669 00:22:38,880 --> 00:22:40,949 Allegedly, the president was even getting 670 00:22:40,950 --> 00:22:43,109 close to signing onto it. 671 00:22:43,110 --> 00:22:44,669 And then something happened. 672 00:22:44,670 --> 00:22:45,809 Something happened that slightly 673 00:22:45,810 --> 00:22:47,219 disrupted their plans. 674 00:22:47,220 --> 00:22:48,220 This gentleman, 675 00:22:49,410 --> 00:22:50,759 you know, reached out to journalists and 676 00:22:50,760 --> 00:22:51,689 provided some documents. 677 00:22:51,690 --> 00:22:54,209 And thankfully, it seems 678 00:22:54,210 --> 00:22:56,429 like the proposals to make life 679 00:22:56,430 --> 00:22:58,559 easier for wiretap orders are 680 00:22:58,560 --> 00:22:59,489 dead in the water. 681 00:22:59,490 --> 00:23:01,679 It seems like right now there isn't very 682 00:23:01,680 --> 00:23:03,779 much appetite in Washington, D.C., 683 00:23:03,780 --> 00:23:05,309 for legislation that would make 684 00:23:05,310 --> 00:23:06,359 surveillance easier, 685 00:23:07,740 --> 00:23:09,149 but it probably won't stay that way 686 00:23:09,150 --> 00:23:10,079 forever.
687 00:23:10,080 --> 00:23:12,419 At some point, the FBI and their friends 688 00:23:12,420 --> 00:23:13,859 are going to come back to Congress, and 689 00:23:13,860 --> 00:23:15,809 the winds will change and they will say, 690 00:23:15,810 --> 00:23:17,039 we need new powers. 691 00:23:17,040 --> 00:23:19,559 We need powers to add surveillance 692 00:23:19,560 --> 00:23:20,880 features to our networks. 693 00:23:22,530 --> 00:23:24,779 Of course, many of you in the past 694 00:23:24,780 --> 00:23:27,029 few months have heard about 695 00:23:27,030 --> 00:23:29,249 the NSA's role in 696 00:23:29,250 --> 00:23:30,749 cooperating with technology companies, 697 00:23:30,750 --> 00:23:33,089 and we learned even the 698 00:23:33,090 --> 00:23:34,949 last couple in the last two or three 699 00:23:34,950 --> 00:23:37,349 weeks about RSA getting $10 700 00:23:37,350 --> 00:23:39,539 million to switch 701 00:23:39,540 --> 00:23:41,729 to a problematic random 702 00:23:41,730 --> 00:23:42,730 number generator. 703 00:23:43,620 --> 00:23:46,109 But these covert backdoors that the NSA 704 00:23:46,110 --> 00:23:47,429 has been able to get, they're not 705 00:23:47,430 --> 00:23:48,629 actually very useful for the law 706 00:23:48,630 --> 00:23:49,889 enforcement community. 707 00:23:49,890 --> 00:23:51,689 So what the needs of the NSA are very 708 00:23:51,690 --> 00:23:52,649 different from the needs of law 709 00:23:52,650 --> 00:23:54,839 enforcement for the simple reason that 710 00:23:54,840 --> 00:23:56,909 the stuff that the NSA does doesn't end 711 00:23:56,910 --> 00:23:59,039 up in court documents, things 712 00:23:59,040 --> 00:24:01,199 that law enforcement do end up in 713 00:24:01,200 --> 00:24:02,429 court papers. 
714 00:24:02,430 --> 00:24:04,229 And so any secret backdoor will be 715 00:24:04,230 --> 00:24:06,479 revealed to the public when it's when 716 00:24:06,480 --> 00:24:08,609 someone is arrested and prosecuted 717 00:24:08,610 --> 00:24:09,719 in court. 718 00:24:09,720 --> 00:24:12,269 And so any backdoor that depends 719 00:24:12,270 --> 00:24:14,669 on secrecy is no good for the police. 720 00:24:14,670 --> 00:24:17,009 They don't want to spend $10 million, 721 00:24:17,010 --> 00:24:18,929 you know, convincing RSA to do something. 722 00:24:18,930 --> 00:24:20,789 And then it comes out in court a month 723 00:24:20,790 --> 00:24:22,409 later and then that money is wasted. 724 00:24:22,410 --> 00:24:24,479 Right. So they need backdoors that 725 00:24:24,480 --> 00:24:25,619 are not secret. 726 00:24:25,620 --> 00:24:27,389 And the way that you get backdoors that 727 00:24:27,390 --> 00:24:29,699 are not secret is through legislation. 728 00:24:29,700 --> 00:24:31,799 And so at some point, what we're likely 729 00:24:31,800 --> 00:24:33,899 going to see are our government 730 00:24:33,900 --> 00:24:36,209 officials providing 731 00:24:36,210 --> 00:24:38,399 or trying to provide powers 732 00:24:38,400 --> 00:24:40,469 that allow law enforcement agencies to 733 00:24:40,470 --> 00:24:42,179 access information in the same way that 734 00:24:42,180 --> 00:24:44,249 the NSA can already get 735 00:24:44,250 --> 00:24:45,569 information. 736 00:24:45,570 --> 00:24:47,249 I mean, many people will think that, like 737 00:24:47,250 --> 00:24:49,019 the government is this one big beast, and 738 00:24:49,020 --> 00:24:50,879 so the US government has the power to 739 00:24:50,880 --> 00:24:51,929 spy. 740 00:24:51,930 --> 00:24:52,919 That's not true. 741 00:24:52,920 --> 00:24:55,079 The NSA may have tools, but that 742 00:24:55,080 --> 00:24:56,489 doesn't mean that the local police have 743 00:24:56,490 --> 00:24:57,869 those tools, too.
That doesn't mean that 744 00:24:57,870 --> 00:25:00,119 the FBI, in all parts of the FBI, 745 00:25:00,120 --> 00:25:01,379 have those tools as well. 746 00:25:01,380 --> 00:25:03,419 And so the NSA might be able to listen to 747 00:25:03,420 --> 00:25:05,159 every Skype call and might be able to 748 00:25:05,160 --> 00:25:06,629 hack into everyone's computer. 749 00:25:06,630 --> 00:25:07,769 But that doesn't mean that the local 750 00:25:07,770 --> 00:25:09,899 police have the ability to get encrypted 751 00:25:09,900 --> 00:25:11,609 Skype communications or have the ability 752 00:25:11,610 --> 00:25:13,019 to hack into cell phones to steal 753 00:25:13,020 --> 00:25:14,020 information. 754 00:25:15,330 --> 00:25:16,889 And probably what we're going to see is a 755 00:25:16,890 --> 00:25:19,289 call to give local police the same 756 00:25:19,290 --> 00:25:21,179 level of access that the NSA already 757 00:25:21,180 --> 00:25:22,589 enjoys. 758 00:25:22,590 --> 00:25:24,869 All right, so the back door thing 759 00:25:24,870 --> 00:25:26,409 isn't really working right now. 760 00:25:26,410 --> 00:25:27,689 Right? They're not able to convince 761 00:25:27,690 --> 00:25:29,099 Congress to give them these expanded 762 00:25:29,100 --> 00:25:30,599 powers. 763 00:25:30,600 --> 00:25:32,699 The companies, although they're willing 764 00:25:32,700 --> 00:25:34,829 to provide some assistance, may not be 765 00:25:34,830 --> 00:25:36,809 providing all the assistance that they 766 00:25:36,810 --> 00:25:39,899 want. And so law enforcement agencies 767 00:25:39,900 --> 00:25:41,939 have to go out and get it for themselves. 768 00:25:41,940 --> 00:25:44,579 And so the response has also been 769 00:25:44,580 --> 00:25:46,949 to use hacking technology.
770 00:25:46,950 --> 00:25:49,139 I don't know how many of you went and saw 771 00:25:49,140 --> 00:25:50,999 the excellent talk that was just 45 772 00:25:51,000 --> 00:25:52,679 minutes ago by Claudio and Morgan on 773 00:25:52,680 --> 00:25:54,629 government hacking. But those two have 774 00:25:54,630 --> 00:25:57,269 really led our community in exposing 775 00:25:57,270 --> 00:25:59,009 the use of hacking technology by 776 00:25:59,010 --> 00:26:00,689 governments around the world. 777 00:26:00,690 --> 00:26:03,089 The two biggest players in the commercial 778 00:26:03,090 --> 00:26:05,189 hack, or commercial malware, market 779 00:26:05,190 --> 00:26:07,499 are the German company called FinFisher 780 00:26:07,500 --> 00:26:09,719 and an Italian company called Hacking 781 00:26:09,720 --> 00:26:10,859 Team. 782 00:26:10,860 --> 00:26:12,989 I'm not going to go into the details 783 00:26:12,990 --> 00:26:15,239 of this stuff too much because those 784 00:26:15,240 --> 00:26:16,589 two individuals have done such 785 00:26:16,590 --> 00:26:18,239 spectacular research on it. 786 00:26:18,240 --> 00:26:20,399 But I will just show you one 787 00:26:20,400 --> 00:26:21,939 one cute thing about this. 788 00:26:21,940 --> 00:26:24,059 So this is Martin Muench, who is the 789 00:26:24,060 --> 00:26:26,009 CEO or managing director, 790 00:26:26,010 --> 00:26:28,889 I guess, of, he was Gamma, now 791 00:26:28,890 --> 00:26:30,389 FinFisher. I guess he's. 792 00:26:30,390 --> 00:26:32,309 Is he a big player in the German security 793 00:26:32,310 --> 00:26:34,589 scene? I know that he was. 794 00:26:34,590 --> 00:26:36,629 He created BackTrack for the Linux 795 00:26:36,630 --> 00:26:37,769 security distribution. 796 00:26:37,770 --> 00:26:39,749 And so this is my favorite photo of 797 00:26:39,750 --> 00:26:40,649 Martin. 798 00:26:40,650 --> 00:26:43,379 He was profiled by Bloomberg last year.
799 00:26:43,380 --> 00:26:44,369 And the reason this is my favorite 800 00:26:44,370 --> 00:26:46,379 profile is it shows him with his laptop, 801 00:26:46,380 --> 00:26:48,509 and I'm just going to zoom in and 802 00:26:48,510 --> 00:26:50,699 enhance the image here, and you can see 803 00:26:50,700 --> 00:26:52,199 that he has a little sticker over his 804 00:26:52,200 --> 00:26:53,200 webcam. 805 00:26:54,060 --> 00:26:55,859 So he clearly knows what his own products 806 00:26:55,860 --> 00:26:56,860 can do. 807 00:26:59,190 --> 00:27:02,189 So Gamma software has been used 808 00:27:02,190 --> 00:27:04,589 and sold to a bunch of really nasty 809 00:27:04,590 --> 00:27:05,700 governments around the world. 810 00:27:07,140 --> 00:27:09,269 This is the marketing literature for an 811 00:27:09,270 --> 00:27:11,429 Italian company called Hacking Team. 812 00:27:11,430 --> 00:27:13,589 Their stuff has also been widely used. 813 00:27:13,590 --> 00:27:14,939 This is just some of the information from 814 00:27:14,940 --> 00:27:16,409 the marketing literature: defeat 815 00:27:16,410 --> 00:27:18,539 encryption, total control over 816 00:27:18,540 --> 00:27:20,519 your targets, thousands of encrypted 817 00:27:20,520 --> 00:27:21,969 communications per day. 818 00:27:21,970 --> 00:27:23,159 Get them in the clear. 819 00:27:23,160 --> 00:27:25,589 So this software is being sold 820 00:27:25,590 --> 00:27:27,419 as a solution to the problem of 821 00:27:27,420 --> 00:27:28,420 encryption. 822 00:27:28,980 --> 00:27:30,989 If people were not using encrypted 823 00:27:30,990 --> 00:27:32,669 communications, I don't think we would 824 00:27:32,670 --> 00:27:34,829 see governments rushing out to 825 00:27:34,830 --> 00:27:36,569 buy these things. 826 00:27:36,570 --> 00:27:38,249 I'm not saying this is good or bad, 827 00:27:38,250 --> 00:27:40,889 although I personally am not a huge fan 828 00:27:40,890 --> 00:27:42,299 of this industry.
829 00:27:42,300 --> 00:27:44,279 But I think we should understand that the 830 00:27:44,280 --> 00:27:46,589 reason that governments are now 831 00:27:46,590 --> 00:27:48,929 rushing to buy this is because 832 00:27:48,930 --> 00:27:50,009 they're worried about encryption. 833 00:27:50,010 --> 00:27:51,209 They're worried that they're not able to 834 00:27:51,210 --> 00:27:53,279 tap all of the calls and all of 835 00:27:53,280 --> 00:27:54,749 the emails and all of the messages. 836 00:27:56,520 --> 00:27:58,709 So Hacking Team opened 837 00:27:58,710 --> 00:28:00,849 a U.S. office last year 838 00:28:00,850 --> 00:28:03,029 in Annapolis, Maryland, which is about 839 00:28:03,030 --> 00:28:05,309 100 miles, maybe from from Washington, 840 00:28:05,310 --> 00:28:06,310 D.C. 841 00:28:07,140 --> 00:28:08,309 They have spoken. 842 00:28:08,310 --> 00:28:10,859 Both Hacking Team and Gamma have spoken 843 00:28:10,860 --> 00:28:12,719 at some of the largest surveillance trade 844 00:28:12,720 --> 00:28:13,829 shows in the United States. 845 00:28:13,830 --> 00:28:16,139 This is ISS World, which is commonly 846 00:28:16,140 --> 00:28:17,609 nicknamed the Wiretappers' Ball, 847 00:28:19,020 --> 00:28:20,309 and they even spoke. 848 00:28:20,310 --> 00:28:22,859 This, Hacking Team also spoke and exhibited 849 00:28:22,860 --> 00:28:25,049 at the Association of Law Enforcement 850 00:28:25,050 --> 00:28:27,689 Intelligence Units conference in Chicago 851 00:28:27,690 --> 00:28:28,690 this summer. 852 00:28:29,730 --> 00:28:31,769 Not only were they on a panel talking 853 00:28:31,770 --> 00:28:33,269 about their products, but Hacking Team 854 00:28:33,270 --> 00:28:35,129 also sponsored the coffee break in the 855 00:28:35,130 --> 00:28:36,130 afternoon.
856 00:28:37,620 --> 00:28:39,929 So I don't have 857 00:28:39,930 --> 00:28:42,089 the documents here that I can say, you 858 00:28:42,090 --> 00:28:43,529 know, I haven't caught these companies 859 00:28:43,530 --> 00:28:44,969 red-handed and I cannot stand up here and 860 00:28:44,970 --> 00:28:47,159 say that they've sold their technology 861 00:28:47,160 --> 00:28:49,709 to local police in the United States. 862 00:28:49,710 --> 00:28:51,179 I think that their market in the United 863 00:28:51,180 --> 00:28:53,249 States, if they are successful, will be 864 00:28:53,250 --> 00:28:55,439 local and state law enforcement agencies. 865 00:28:55,440 --> 00:28:57,659 But I cannot tell you that they've 866 00:28:57,660 --> 00:28:58,799 sold their technology in the United 867 00:28:58,800 --> 00:29:00,839 States because no one's caught them yet. 868 00:29:00,840 --> 00:29:02,219 But what I can tell you is if they 869 00:29:02,220 --> 00:29:04,439 haven't sold it to law enforcement yet, 870 00:29:04,440 --> 00:29:05,609 it's not because they're not trying 871 00:29:05,610 --> 00:29:06,610 really hard. 872 00:29:08,160 --> 00:29:09,419 They've been showing up at conferences 873 00:29:09,420 --> 00:29:10,319 for several years. 874 00:29:10,320 --> 00:29:11,939 I think they will be successful at some 875 00:29:11,940 --> 00:29:13,199 point. 876 00:29:13,200 --> 00:29:14,550 OK, so what about the feds? 877 00:29:15,660 --> 00:29:17,849 The software that Gamma and Hacking Team 878 00:29:17,850 --> 00:29:19,349 make? This is really 879 00:29:20,400 --> 00:29:21,959 this is not exclusive technology. 880 00:29:21,960 --> 00:29:23,249 You'll find that, you know, the 881 00:29:23,250 --> 00:29:24,809 government of Bahrain will be using the 882 00:29:24,810 --> 00:29:26,489 same hacking software as the government, 883 00:29:26,490 --> 00:29:28,139 the local police in Germany. 884 00:29:28,140 --> 00:29:29,789 And that doesn't really work for the FBI.
885 00:29:29,790 --> 00:29:31,859 The FBI wants a custom, 886 00:29:31,860 --> 00:29:34,229 exclusive tool that no one else is using 887 00:29:34,230 --> 00:29:36,299 that antivirus companies have been 888 00:29:36,300 --> 00:29:37,709 haven't been able to analyze. 889 00:29:37,710 --> 00:29:40,289 They want something unique 890 00:29:40,290 --> 00:29:41,759 and they're willing to pay a premium for 891 00:29:41,760 --> 00:29:43,859 that. Whereas local and state 892 00:29:43,860 --> 00:29:45,059 law enforcement agencies that have 893 00:29:45,060 --> 00:29:47,159 smaller budgets, they'll buy the off the 894 00:29:47,160 --> 00:29:49,439 shelf hacking software from these 895 00:29:49,440 --> 00:29:51,299 surveillance companies. 896 00:29:51,300 --> 00:29:53,429 So I've spent about a year 897 00:29:53,430 --> 00:29:55,409 trying to figure out what the FBI has 898 00:29:55,410 --> 00:29:57,719 been doing, and most 899 00:29:57,720 --> 00:30:00,869 of my research happened through LinkedIn. 900 00:30:00,870 --> 00:30:02,279 I'm not going to show you all the details 901 00:30:02,280 --> 00:30:04,559 here, but basically I 902 00:30:04,560 --> 00:30:05,909 figured out the name of the team at the 903 00:30:05,910 --> 00:30:07,979 FBI that does their 904 00:30:07,980 --> 00:30:09,989 hacking. They have a dedicated team 905 00:30:09,990 --> 00:30:12,209 called the Remote Operations Unit, and 906 00:30:12,210 --> 00:30:14,219 all they do is deploy malware to the 907 00:30:14,220 --> 00:30:16,289 target, to the targets. 908 00:30:16,290 --> 00:30:18,809 And I searched LinkedIn profiles using 909 00:30:18,810 --> 00:30:20,639 that term, and I found a bunch of former 910 00:30:20,640 --> 00:30:22,760 contractors who worked there and 911 00:30:23,820 --> 00:30:25,199 and that revealed the existence of the 912 00:30:25,200 --> 00:30:27,029 team and also some of the stuff that they 913 00:30:27,030 --> 00:30:29,219 do. 
I gave that information to The Wall 914 00:30:29,220 --> 00:30:31,309 Street Journal. Summer, and 915 00:30:31,310 --> 00:30:32,809 they published a bunch of information. 916 00:30:32,810 --> 00:30:34,549 But before I describe it, let me just 917 00:30:34,550 --> 00:30:36,709 also say that 918 00:30:36,710 --> 00:30:38,599 this isn't really a secret. 919 00:30:38,600 --> 00:30:40,669 The FBI has sort of admitted 920 00:30:40,670 --> 00:30:42,079 the fact that they're doing this. 921 00:30:42,080 --> 00:30:44,209 This is Valerie Caproni, their general 922 00:30:44,210 --> 00:30:45,799 counsel, back in 2011. 923 00:30:45,800 --> 00:30:47,689 Quote There will always be very 924 00:30:47,690 --> 00:30:49,309 sophisticated criminals that are 925 00:30:49,310 --> 00:30:51,259 virtually impossible to intercept through 926 00:30:51,260 --> 00:30:52,399 traditional means. 927 00:30:52,400 --> 00:30:54,229 The government understands that it must 928 00:30:54,230 --> 00:30:57,049 develop individually tailored solutions 929 00:30:57,050 --> 00:30:58,759 for those sorts of targets. 930 00:30:58,760 --> 00:31:00,619 Now, she didn't say the word hacking. 931 00:31:00,620 --> 00:31:02,059 She didn't say malware. 932 00:31:02,060 --> 00:31:03,319 She didn't say webcam. 933 00:31:03,320 --> 00:31:05,539 But this is what she means when Caproni 934 00:31:05,540 --> 00:31:07,429 talked about individually tailored 935 00:31:07,430 --> 00:31:08,359 solutions. 936 00:31:08,360 --> 00:31:10,129 What she meant was that they were going 937 00:31:10,130 --> 00:31:12,229 to use malware for targets 938 00:31:12,230 --> 00:31:14,539 who they couldn't otherwise reach. 939 00:31:14,540 --> 00:31:16,579 And it just took us a little while to 940 00:31:16,580 --> 00:31:19,279 figure out what they were doing. 
941 00:31:19,280 --> 00:31:20,929 So The Wall Street Journal, based on some 942 00:31:20,930 --> 00:31:22,909 of my research and some some research, 943 00:31:22,910 --> 00:31:25,129 they they then also did was 944 00:31:25,130 --> 00:31:27,139 able to pin the FBI down and get a 945 00:31:27,140 --> 00:31:29,449 confirmation on the record that the FBI 946 00:31:29,450 --> 00:31:32,329 can remotely activate the microphones 947 00:31:32,330 --> 00:31:34,459 and telephones and laptops without 948 00:31:34,460 --> 00:31:35,749 the user knowing. 949 00:31:35,750 --> 00:31:37,489 Then, just a couple of weeks ago, The 950 00:31:37,490 --> 00:31:39,619 Washington Post did a follow up, 951 00:31:39,620 --> 00:31:41,329 revealing quote that the FBI has been 952 00:31:41,330 --> 00:31:43,009 able to covertly activate the computer's 953 00:31:43,010 --> 00:31:45,259 camera without triggering the light 954 00:31:45,260 --> 00:31:47,089 that lets the user know it's recording 955 00:31:47,090 --> 00:31:48,200 for several years. 956 00:31:49,730 --> 00:31:51,619 I personally think this is terrifying. 957 00:31:51,620 --> 00:31:52,909 I think it's terrifying that the 958 00:31:52,910 --> 00:31:54,409 government has this capability. 959 00:31:54,410 --> 00:31:57,079 I think it's terrifying that 960 00:31:57,080 --> 00:31:59,209 law enforcement agencies have known that 961 00:31:59,210 --> 00:32:01,459 our webcam lights are not reliable 962 00:32:01,460 --> 00:32:03,259 and haven't told us because of course, 963 00:32:03,260 --> 00:32:04,789 they're not the only ones doing this. 964 00:32:04,790 --> 00:32:06,319 There are other governments that have 965 00:32:06,320 --> 00:32:07,369 this capability. 966 00:32:07,370 --> 00:32:08,719 There are criminals who could have this 967 00:32:08,720 --> 00:32:10,099 capability. 968 00:32:10,100 --> 00:32:12,349 And so I think it's it's slightly scary 969 00:32:12,350 --> 00:32:14,059 that we have. 
970 00:32:14,060 --> 00:32:16,489 We have slipped into a world 971 00:32:16,490 --> 00:32:17,989 where the government is hacking into the 972 00:32:17,990 --> 00:32:20,509 computers of domestic targets without 973 00:32:20,510 --> 00:32:22,669 having an informed debate about it first. 974 00:32:22,670 --> 00:32:24,439 There have been no public congressional 975 00:32:24,440 --> 00:32:26,779 hearings about the use of hacking 976 00:32:26,780 --> 00:32:28,249 by law enforcement. This is something 977 00:32:28,250 --> 00:32:30,679 that just happened. There have been no, 978 00:32:30,680 --> 00:32:32,689 there's been no explicit legislation that 979 00:32:32,690 --> 00:32:34,609 has been passed empowering this. They're 980 00:32:34,610 --> 00:32:36,619 using the existing authority 981 00:32:36,620 --> 00:32:38,239 they have to search people's homes or 982 00:32:38,240 --> 00:32:39,139 search their cars. 983 00:32:39,140 --> 00:32:41,149 It's the same kind of warrant that they 984 00:32:41,150 --> 00:32:42,649 get to search a house that they're now 985 00:32:42,650 --> 00:32:45,109 using to hack into a laptop 986 00:32:45,110 --> 00:32:46,429 and install this malware. 987 00:32:47,510 --> 00:32:49,639 Now there is a silver lining, at 988 00:32:49,640 --> 00:32:51,169 least for this community. 989 00:32:51,170 --> 00:32:52,579 The Washington, sorry, The Wall Street 990 00:32:52,580 --> 00:32:54,559 Journal also revealed that the FBI 991 00:32:54,560 --> 00:32:56,119 doesn't really like to use these tools 992 00:32:56,120 --> 00:32:57,919 when investigating hackers because 993 00:32:57,920 --> 00:32:59,059 they're worried that their tools will be 994 00:32:59,060 --> 00:33:00,739 discovered and they won't be useful 995 00:33:00,740 --> 00:33:01,740 anymore. 996 00:33:03,080 --> 00:33:05,089 So I guess congratulations, you're safe. 997 00:33:11,060 --> 00:33:13,159 I mean, it's funny, I guess, 998 00:33:13,160 --> 00:33:14,089 huh?
999 00:33:14,090 --> 00:33:15,589 But the sad thing is this is actually 1000 00:33:15,590 --> 00:33:16,549 happening. 1001 00:33:16,550 --> 00:33:18,139 The government really is doing this and 1002 00:33:18,140 --> 00:33:20,479 they have a dedicated team. 1003 00:33:20,480 --> 00:33:22,489 It's mainly contractors who are providing 1004 00:33:22,490 --> 00:33:24,259 the technology and then FBI agents who 1005 00:33:24,260 --> 00:33:25,549 are supervising it. 1006 00:33:25,550 --> 00:33:27,589 But whether or not you think this is a 1007 00:33:27,590 --> 00:33:28,969 good thing or a bad thing, whether or not 1008 00:33:28,970 --> 00:33:30,949 you think that, you know, maybe you think 1009 00:33:30,950 --> 00:33:32,599 that there are people who are so bad and 1010 00:33:32,600 --> 00:33:34,639 so evil and are such a big threat to our 1011 00:33:34,640 --> 00:33:36,409 society that the government should have 1012 00:33:36,410 --> 00:33:38,419 these tools. Even if you think that, we 1013 00:33:38,420 --> 00:33:40,189 should at least have an informed public 1014 00:33:40,190 --> 00:33:42,409 debate. Our elected 1015 00:33:42,410 --> 00:33:44,269 politicians should go on the record and 1016 00:33:44,270 --> 00:33:46,039 say that they wish for these powers to be 1017 00:33:46,040 --> 00:33:48,109 used. They wish to fund the acquisition 1018 00:33:48,110 --> 00:33:49,249 of these tools. 1019 00:33:49,250 --> 00:33:51,259 But that hasn't happened. No one who is 1020 00:33:51,260 --> 00:33:52,999 politically accountable has actually 1021 00:33:53,000 --> 00:33:54,469 embraced this, and instead it's happened 1022 00:33:54,470 --> 00:33:56,659 behind closed doors. 1023 00:33:56,660 --> 00:33:58,819 OK, so we 1024 00:33:58,820 --> 00:34:01,099 have the use of crypto 1025 00:34:01,100 --> 00:34:02,599 slowly.
1026 00:34:02,600 --> 00:34:04,849 We have the government 1027 00:34:04,850 --> 00:34:07,639 trying to force companies to 1028 00:34:07,640 --> 00:34:09,769 modify their products and not having so 1029 00:34:09,770 --> 00:34:12,198 much success unless it's through 1030 00:34:12,199 --> 00:34:13,488 bribes. 1031 00:34:13,489 --> 00:34:15,619 We have the acquisition 1032 00:34:15,620 --> 00:34:17,629 and use of hacking technology by law 1033 00:34:17,630 --> 00:34:19,309 enforcement agencies. 1034 00:34:19,310 --> 00:34:20,359 Is that enough? 1035 00:34:20,360 --> 00:34:22,339 No, probably not. 1036 00:34:22,340 --> 00:34:24,019 The US government will not rest. 1037 00:34:24,020 --> 00:34:26,119 They want to be able to access 1038 00:34:26,120 --> 00:34:28,249 every telephone call, every email, 1039 00:34:28,250 --> 00:34:29,209 every instant message. 1040 00:34:29,210 --> 00:34:31,279 And if there is one email that is 1041 00:34:31,280 --> 00:34:32,869 out of their reach, that will be enough 1042 00:34:32,870 --> 00:34:36,169 for them to seek additional authority. 1043 00:34:36,170 --> 00:34:37,879 And the problem that they're having is 1044 00:34:37,880 --> 00:34:39,948 that finally, there are some 1045 00:34:39,949 --> 00:34:42,919 tools and services that are coming online 1046 00:34:42,920 --> 00:34:44,839 that actually do deliver end to end 1047 00:34:44,840 --> 00:34:46,609 encryption to users. 1048 00:34:46,610 --> 00:34:49,968 Finally, independent researchers 1049 00:34:49,969 --> 00:34:52,099 and some small companies are 1050 00:34:52,100 --> 00:34:54,198 delivering services that are designed 1051 00:34:54,199 --> 00:34:56,749 to deliver end to end encrypted 1052 00:34:56,750 --> 00:34:58,279 communications to users. 
1053 00:34:58,280 --> 00:35:00,529 And these are seen as a massive 1054 00:35:00,530 --> 00:35:02,629 and significant threat to the 1055 00:35:02,630 --> 00:35:03,829 government's ability to intercept 1056 00:35:03,830 --> 00:35:04,830 communications. 1057 00:35:05,570 --> 00:35:07,729 So for years, many people thought 1058 00:35:07,730 --> 00:35:10,099 that Skype was one of those services. 1059 00:35:10,100 --> 00:35:12,739 Skype had proudly 1060 00:35:12,740 --> 00:35:14,869 advertised its encryption, its end to 1061 00:35:14,870 --> 00:35:16,699 end encryption. They had hired an 1062 00:35:16,700 --> 00:35:18,769 independent security researcher 1063 00:35:18,770 --> 00:35:21,109 to conduct a study of the service, 1064 00:35:21,110 --> 00:35:22,579 and they put their report proudly on 1065 00:35:22,580 --> 00:35:24,769 their website. Whenever people asked 1066 00:35:24,770 --> 00:35:27,439 Skype about interception, their response 1067 00:35:27,440 --> 00:35:29,599 always was, You know, we have 1068 00:35:29,600 --> 00:35:31,519 built end to end encryption with keys 1069 00:35:31,520 --> 00:35:32,839 that we don't know into our products, 1070 00:35:32,840 --> 00:35:34,009 blah blah blah blah. 1071 00:35:34,010 --> 00:35:36,619 And so I think many people were surprised 1072 00:35:36,620 --> 00:35:39,169 when we learned this summer that 1073 00:35:39,170 --> 00:35:40,939 the NSA and the FBI 1074 00:35:42,410 --> 00:35:43,969 had been able to get access to Skype 1075 00:35:43,970 --> 00:35:45,619 communications. I think many people were 1076 00:35:45,620 --> 00:35:48,079 very surprised when we learned 1077 00:35:48,080 --> 00:35:49,759 that Skype had been served with a 1078 00:35:49,760 --> 00:35:51,409 directive to comply by the attorney 1079 00:35:51,410 --> 00:35:53,659 general and that the company had modified 1080 00:35:53,660 --> 00:35:56,119 their service to enable 1081 00:35:56,120 --> 00:35:57,709 surreptitious wiretapping by the U.S. 
1082 00:35:57,710 --> 00:35:58,710 government. 1083 00:35:59,300 --> 00:36:00,529 Skype wasn't perfect. 1084 00:36:00,530 --> 00:36:02,599 Obviously, there are many flaws 1085 00:36:02,600 --> 00:36:04,939 in in both the technology, but actually 1086 00:36:04,940 --> 00:36:07,429 at a policy level, it was closed source. 1087 00:36:07,430 --> 00:36:08,809 We couldn't see what was happening. 1088 00:36:08,810 --> 00:36:10,549 And even though there had been an audit 1089 00:36:10,550 --> 00:36:12,289 of the technology originally it had, it 1090 00:36:12,290 --> 00:36:14,089 had of course, changed many times over 1091 00:36:14,090 --> 00:36:15,439 the years. 1092 00:36:15,440 --> 00:36:18,259 But I think many of us were surprised 1093 00:36:18,260 --> 00:36:20,869 that a company that had advertised itself 1094 00:36:20,870 --> 00:36:23,059 as being private had been able to 1095 00:36:23,060 --> 00:36:25,219 be forced to modify its products to be 1096 00:36:25,220 --> 00:36:27,709 less private, in fact, to permit 1097 00:36:27,710 --> 00:36:28,920 this covert surveillance. 1098 00:36:30,110 --> 00:36:32,419 After the Guardian story broke, 1099 00:36:32,420 --> 00:36:34,039 Brad Smith, the general counsel of 1100 00:36:34,040 --> 00:36:36,289 Microsoft, released a public statement 1101 00:36:36,290 --> 00:36:38,719 on the Microsoft blog and he said quote 1102 00:36:38,720 --> 00:36:40,819 as internet based voice and video 1103 00:36:40,820 --> 00:36:42,919 communications increase, it is 1104 00:36:42,920 --> 00:36:44,569 clear that governments will have an 1105 00:36:44,570 --> 00:36:46,999 interest in using or establishing 1106 00:36:47,000 --> 00:36:49,069 legal powers to secure access to 1107 00:36:49,070 --> 00:36:51,079 this kind of content to investigate 1108 00:36:51,080 --> 00:36:53,419 crimes or to tackle terrorism. 
1109 00:36:53,420 --> 00:36:55,759 He added We therefore assume 1110 00:36:55,760 --> 00:36:57,919 that all calls, whether over the 1111 00:36:57,920 --> 00:37:00,589 internet or by fixed or mobile phone, 1112 00:37:00,590 --> 00:37:02,869 will offer similar levels of privacy 1113 00:37:02,870 --> 00:37:03,870 and security. 1114 00:37:04,520 --> 00:37:05,869 Now, those of you who've been coming to 1115 00:37:05,870 --> 00:37:08,029 this conference for years probably 1116 00:37:08,030 --> 00:37:09,829 know that there is zero privacy or 1117 00:37:09,830 --> 00:37:12,139 security in cell phone calls and landline 1118 00:37:12,140 --> 00:37:14,059 calls. And so I think this is Brad 1119 00:37:14,060 --> 00:37:16,399 Smith's way of telling us to expect 1120 00:37:16,400 --> 00:37:18,110 similarly nothing from Skype. 1121 00:37:25,400 --> 00:37:27,889 But look, Microsoft paid 1122 00:37:27,890 --> 00:37:29,809 an awful lot of money for Skype. 1123 00:37:29,810 --> 00:37:32,149 This is a service that has a huge 1124 00:37:32,150 --> 00:37:33,859 number of users. Many of us, I think, 1125 00:37:33,860 --> 00:37:36,169 probably still have Skype on 1126 00:37:36,170 --> 00:37:38,269 our handsets and it's now embedded 1127 00:37:38,270 --> 00:37:40,429 within various other Microsoft 1128 00:37:40,430 --> 00:37:41,389 products. 1129 00:37:41,390 --> 00:37:43,819 And I think it should be troubling 1130 00:37:43,820 --> 00:37:45,679 that this top executive at this company 1131 00:37:45,680 --> 00:37:47,779 has basically basically said, don't 1132 00:37:47,780 --> 00:37:50,869 rely on us for any kind of security. 1133 00:37:50,870 --> 00:37:53,029 Don't expect that we will deliver end to 1134 00:37:53,030 --> 00:37:54,239 end encrypted communications. 1135 00:37:54,240 --> 00:37:56,539 Don't expect that we will keep your calls 1136 00:37:56,540 --> 00:37:58,489 safe from the government. 
1137 00:37:58,490 --> 00:38:00,469 They just said, don't worry, we haven't 1138 00:38:00,470 --> 00:38:02,269 provided the government with bulk access. 1139 00:38:02,270 --> 00:38:04,099 We just, you know, the government still 1140 00:38:04,100 --> 00:38:05,749 has to come through us. 1141 00:38:05,750 --> 00:38:07,909 But Microsoft isn't the only game in 1142 00:38:07,910 --> 00:38:10,009 town. In fact, there are other companies 1143 00:38:10,010 --> 00:38:11,359 who are trying to do something different. 1144 00:38:12,390 --> 00:38:13,759 Silent Circle is one of these 1145 00:38:13,760 --> 00:38:15,979 companies. It's a small firm 1146 00:38:15,980 --> 00:38:17,629 created by Phil Zimmermann, the 1147 00:38:17,630 --> 00:38:19,069 original creator of PGP. 1148 00:38:19,070 --> 00:38:21,319 And they have, you know, one of, I think, 1149 00:38:21,320 --> 00:38:23,059 a handful of companies at this point who 1150 00:38:23,060 --> 00:38:25,069 are trying to deliver products that are 1151 00:38:25,070 --> 00:38:26,479 truly end to end encrypted. 1152 00:38:26,480 --> 00:38:29,149 And they've said we have no backdoors 1153 00:38:29,150 --> 00:38:30,469 and they've actually said, in addition to 1154 00:38:30,470 --> 00:38:32,209 that, that if they were forced to build 1155 00:38:32,210 --> 00:38:33,559 in a backdoor, they would shut down the 1156 00:38:33,560 --> 00:38:34,999 company and move somewhere else. 1157 00:38:36,410 --> 00:38:38,209 And so you could imagine that a company 1158 00:38:38,210 --> 00:38:40,429 like Silent Circle is 1159 00:38:40,430 --> 00:38:41,839 going to ruffle a few feathers of the 1160 00:38:41,840 --> 00:38:43,309 FBI.
1161 00:38:43,310 --> 00:38:44,869 Similarly, SpiderOak, which is a 1162 00:38:44,870 --> 00:38:46,789 commercial operator of encrypted backup 1163 00:38:46,790 --> 00:38:49,099 services, they say that they've created 1164 00:38:49,100 --> 00:38:51,259 a system that makes it impossible for 1165 00:38:51,260 --> 00:38:53,389 us to reveal your data to anyone. 1166 00:38:53,390 --> 00:38:54,949 They want to provide a service to their 1167 00:38:54,950 --> 00:38:55,999 customers. They want to provide a 1168 00:38:56,000 --> 00:38:57,829 reliable backup service, and they don't 1169 00:38:57,830 --> 00:38:59,179 want to know what you're doing. 1170 00:38:59,180 --> 00:39:00,199 They just want to make sure that it 1171 00:39:00,200 --> 00:39:02,099 works, that it's reliable, that your data 1172 00:39:02,100 --> 00:39:03,469 is safe, but they don't want to be in the 1173 00:39:03,470 --> 00:39:05,779 business of receiving law enforcement 1174 00:39:05,780 --> 00:39:07,669 requests. And these are just two 1175 00:39:07,670 --> 00:39:09,739 companies from a growing 1176 00:39:09,740 --> 00:39:11,809 industry of firms that want to 1177 00:39:11,810 --> 00:39:13,969 deliver products to people who care 1178 00:39:13,970 --> 00:39:15,799 about their privacy and are willing to 1179 00:39:15,800 --> 00:39:16,789 pay for it. 1180 00:39:16,790 --> 00:39:19,279 And I'm actually really delighted 1181 00:39:19,280 --> 00:39:20,659 that these companies exist. 1182 00:39:20,660 --> 00:39:22,489 I have no financial relationship with any 1183 00:39:22,490 --> 00:39:23,809 of these firms. This is not an 1184 00:39:23,810 --> 00:39:24,889 advertising session. 1185 00:39:24,890 --> 00:39:27,469 I just bring them up as an example, 1186 00:39:27,470 --> 00:39:29,269 because these are the kinds of companies 1187 00:39:29,270 --> 00:39:31,009 that you might imagine law enforcement 1188 00:39:31,010 --> 00:39:32,719 agencies are not terribly happy about.
1189 00:39:33,830 --> 00:39:35,989 So Lavabit was sort 1190 00:39:35,990 --> 00:39:38,509 of one of these companies, although 1191 00:39:38,510 --> 00:39:40,159 their products were not designed to be as 1192 00:39:40,160 --> 00:39:42,559 secure as they might have advertised. 1193 00:39:42,560 --> 00:39:44,659 And Ladar Levison, the creator of 1194 00:39:44,660 --> 00:39:46,429 the company, I think learned the hard way 1195 00:39:47,570 --> 00:39:49,729 that companies like his are 1196 00:39:49,730 --> 00:39:52,009 now seen as a threat to the government. 1197 00:39:52,010 --> 00:39:54,529 This summer, he received this subpoena 1198 00:39:54,530 --> 00:39:56,299 from the Eastern District Court of 1199 00:39:56,300 --> 00:39:57,379 Virginia. 1200 00:39:57,380 --> 00:39:59,479 I'm just going to read you a quick 1201 00:39:59,480 --> 00:40:00,739 selection from this. Quote: 1202 00:40:00,740 --> 00:40:02,809 You are directed to bring the grand 1203 00:40:02,810 --> 00:40:04,819 jury, the public and private encryption 1204 00:40:04,820 --> 00:40:06,650 keys used by Lavabit.com 1205 00:40:07,700 --> 00:40:09,799 in any SSL or TLS session, 1206 00:40:09,800 --> 00:40:11,989 including sessions with clients 1207 00:40:11,990 --> 00:40:13,819 using the Lavabit.com website. 1208 00:40:15,230 --> 00:40:17,359 This is the first that we know of 1209 00:40:17,360 --> 00:40:18,799 this kind of order, although probably 1210 00:40:18,800 --> 00:40:20,269 this is not the first that has ever 1211 00:40:20,270 --> 00:40:21,270 occurred. 1212 00:40:22,100 --> 00:40:24,229 And this is this is really 1213 00:40:24,230 --> 00:40:25,519 a new world. 1214 00:40:25,520 --> 00:40:28,369 It is really.
It's one thing for 1215 00:40:28,370 --> 00:40:29,959 the government to go to a technology 1216 00:40:29,960 --> 00:40:32,059 company and say, you have some stored 1217 00:40:32,060 --> 00:40:33,739 data about your users, you have some 1218 00:40:33,740 --> 00:40:35,809 emails or some text messages 1219 00:40:35,810 --> 00:40:37,489 on your systems. Give us a copy of those 1220 00:40:37,490 --> 00:40:38,569 text messages. 1221 00:40:38,570 --> 00:40:40,729 It's another thing entirely 1222 00:40:40,730 --> 00:40:42,379 for the government to go to a technology 1223 00:40:42,380 --> 00:40:44,419 company and to say, give us your 1224 00:40:44,420 --> 00:40:46,519 encryption keys that are used to protect 1225 00:40:46,520 --> 00:40:48,709 all of your users information. 1226 00:40:48,710 --> 00:40:50,419 It's another thing to say we want to 1227 00:40:50,420 --> 00:40:52,549 install a DPI device 1228 00:40:52,550 --> 00:40:54,889 in your network that will grab 1229 00:40:54,890 --> 00:40:56,929 every single user's information. 1230 00:40:56,930 --> 00:40:58,279 And don't worry, just trust us. 1231 00:40:58,280 --> 00:40:59,809 We're only going to look at one person's 1232 00:40:59,810 --> 00:41:01,339 information once we scan everyone's, 1233 00:41:01,340 --> 00:41:03,439 which is in fact what the FBI 1234 00:41:03,440 --> 00:41:04,579 ultimately wanted to do. 1235 00:41:06,190 --> 00:41:09,319 Now, Lavabit has appealed 1236 00:41:09,320 --> 00:41:11,839 the decision of the court in this case. 1237 00:41:11,840 --> 00:41:13,789 They ultimately destroy the encryption 1238 00:41:13,790 --> 00:41:15,529 key and then shut down the company. 1239 00:41:15,530 --> 00:41:17,419 Sorry, they handed over the encryption 1240 00:41:17,420 --> 00:41:19,069 key in four point font and then shut down 1241 00:41:19,070 --> 00:41:20,070 the company. 
1242 00:41:21,380 --> 00:41:23,839 But this is, I think, 1243 00:41:23,840 --> 00:41:25,909 the first public example we 1244 00:41:25,910 --> 00:41:27,109 have, and I suspect that we will have 1245 00:41:27,110 --> 00:41:28,730 others at some point down the road. 1246 00:41:30,560 --> 00:41:32,509 So this is Valerie Caproni again, our 1247 00:41:32,510 --> 00:41:33,679 friend at the FBI. 1248 00:41:33,680 --> 00:41:35,779 Quote: No one should be promising their 1249 00:41:35,780 --> 00:41:37,759 customers that they will thumb their nose 1250 00:41:37,760 --> 00:41:39,619 at a U.S. court order. 1251 00:41:39,620 --> 00:41:41,599 They can promise strong encryption. 1252 00:41:41,600 --> 00:41:43,189 They just need to figure out how they can 1253 00:41:43,190 --> 00:41:44,570 provide us with plain text. 1254 00:41:47,420 --> 00:41:49,099 All right. So again, it's really funny, 1255 00:41:49,100 --> 00:41:51,289 but this is the top FBI lawyer 1256 00:41:51,290 --> 00:41:52,819 telling you this. 1257 00:41:52,820 --> 00:41:54,589 And in fact, that's what they told 1258 00:41:54,590 --> 00:41:56,719 Lavabit. They said, by all means, you know, 1259 00:41:56,720 --> 00:41:58,789 say what you want on your website, but 1260 00:41:58,790 --> 00:42:01,040 we want a way to get your customers' data. 1261 00:42:02,210 --> 00:42:04,309 And so this is the world we now live in. 1262 00:42:04,310 --> 00:42:06,439 We now live in a world where the 1263 00:42:06,440 --> 00:42:08,089 US government and likely other 1264 00:42:08,090 --> 00:42:10,129 governments will go to companies and 1265 00:42:10,130 --> 00:42:12,409 demand whatever it takes 1266 00:42:12,410 --> 00:42:14,419 to get their customers' data. 1267 00:42:14,420 --> 00:42:16,369 This is a scary world and it's a world 1268 00:42:16,370 --> 00:42:17,869 we're going to have to adapt to.
1269 00:42:17,870 --> 00:42:19,939 And as technologists, we have to 1270 00:42:19,940 --> 00:42:22,219 design with this threat model 1271 00:42:22,220 --> 00:42:23,359 in mind. 1272 00:42:23,360 --> 00:42:24,789 The threat model is one 1273 00:42:24,790 --> 00:42:26,529 in which the government essentially 1274 00:42:26,530 --> 00:42:28,869 has subpoena power over any 1275 00:42:28,870 --> 00:42:29,870 company. 1276 00:42:31,270 --> 00:42:33,639 And so we have to build our products 1277 00:42:33,640 --> 00:42:36,069 to be resistant to this level of coercive 1278 00:42:36,070 --> 00:42:37,029 power. 1279 00:42:37,030 --> 00:42:38,829 That doesn't mean that the government 1280 00:42:38,830 --> 00:42:40,959 gets everything at once, but it means 1281 00:42:40,960 --> 00:42:43,329 as engineers that we have to design 1282 00:42:43,330 --> 00:42:45,699 our products and our technologies 1283 00:42:45,700 --> 00:42:47,979 ahead of time to withstand this 1284 00:42:47,980 --> 00:42:49,899 amount of coercion. 1285 00:42:49,900 --> 00:42:52,149 Now, Lavabit's design wasn't 1286 00:42:52,150 --> 00:42:53,979 sufficient. I think that's pretty clear 1287 00:42:53,980 --> 00:42:55,089 now. 1288 00:42:55,090 --> 00:42:57,069 But there are technologies and products 1289 00:42:57,070 --> 00:42:59,199 that could in fact withstand 1290 00:42:59,200 --> 00:43:00,670 this amount of coercion.
1291 00:43:02,460 --> 00:43:04,529 But we need to take a look 1292 00:43:04,530 --> 00:43:06,359 at everything that we're doing and 1293 00:43:06,360 --> 00:43:08,429 everything we're using and ask 1294 00:43:08,430 --> 00:43:10,499 ourselves if we actually trust this 1295 00:43:10,500 --> 00:43:12,629 piece of software or the design of 1296 00:43:12,630 --> 00:43:14,820 this piece of technology, for example, 1297 00:43:15,840 --> 00:43:17,699 many, many people who are using app 1298 00:43:17,700 --> 00:43:19,889 stores from either Apple or Google have 1299 00:43:19,890 --> 00:43:21,899 essentially given these companies the 1300 00:43:21,900 --> 00:43:23,699 ability to push software down to our 1301 00:43:23,700 --> 00:43:25,319 handsets without our knowledge or 1302 00:43:25,320 --> 00:43:26,549 control. 1303 00:43:26,550 --> 00:43:27,989 You can try this for yourself. 1304 00:43:27,990 --> 00:43:29,729 If you're using the Android operating 1305 00:43:29,730 --> 00:43:32,009 system, log in to the Google Play Store 1306 00:43:32,010 --> 00:43:34,439 through your web browser on your computer 1307 00:43:34,440 --> 00:43:36,389 and install an app, and it will show up 1308 00:43:36,390 --> 00:43:38,399 on your phone without asking for any 1309 00:43:38,400 --> 00:43:40,739 prompt. Google has the ability to push 1310 00:43:40,740 --> 00:43:42,359 code down to your phone. 1311 00:43:42,360 --> 00:43:44,429 Well, what happens when the FBI or the 1312 00:43:44,430 --> 00:43:47,069 NSA go to Google and ask them to deliver 1313 00:43:47,070 --> 00:43:49,019 an update to a particular user? 1314 00:43:49,020 --> 00:43:50,020 Well, we don't know. 
1315 00:43:51,310 --> 00:43:53,139 Right now, the only thing protecting us 1316 00:43:53,140 --> 00:43:55,059 is Google's legal 1317 00:43:55,060 --> 00:43:57,309 team, and it would be very nice if 1318 00:43:57,310 --> 00:43:59,229 Google's technical team could protect us 1319 00:43:59,230 --> 00:44:00,579 from those kinds of threats, too. 1320 00:44:02,640 --> 00:44:03,879 To close, 1321 00:44:03,880 --> 00:44:05,889 this isn't all bad news. 1322 00:44:05,890 --> 00:44:07,179 It's mostly bad news, 1323 00:44:08,320 --> 00:44:10,269 but it isn't all bad news. 1324 00:44:10,270 --> 00:44:11,290 So to conclude, 1325 00:44:12,460 --> 00:44:14,799 we really need to take these 1326 00:44:14,800 --> 00:44:16,509 governments seriously. 1327 00:44:16,510 --> 00:44:18,849 They want to get our data 1328 00:44:18,850 --> 00:44:21,189 and it's our job to keep them out. 1329 00:44:21,190 --> 00:44:22,190 Thank you very much.