[Noisebridge-discuss] EFF talk notes

Sai Emrys noisebridge at saizai.com
Tue Dec 1 17:19:15 UTC 2009


Attached. Transcribed by me & Glen for the benefit of Eli, our
(d/D)eaf attendee.

Apologies for the quality; we ain't exactly real steno typers, and
Jennifer talks fast and jargony. ;-)

Feel free to use however; hopefully it's useful to someone.

- Sai

PS Eli - how'd it work out for you? Any suggestions for the future?
(e.g. 5MoFs - though those'll be mostly less jargony and hopefully
easier to 'terp)
PPS Jennifer - Thanks for coming! It was very neat.
Notes on EFF talk 11/30/09

? Brown & Jennifer Granick - EFF

Answering questions about how the law interacts w/ hackers & hackerspaces.

You can write down questions on cards. Or on the wiki.

J. is civil lib director @ EFF; has 10+ yr exp w/ crim defense law. Known as def lawyer to the stars. Is on DEFCON speeddial. Joined EFF to do a # of projs incl coders rights (see papers @ table).

EFF relies on donations from ppl like you, so we appreciate your donations.

Jennifer:

I'm JG, civ lib dir @EFF, started 2yr ago. Was @ Stanf law school... came to EFF 'cause wanted to do more for actual people w/ real problems in courts. Stanford is great place for students, difficult problems, etc but I was too young to be in academia, wanted to get into court & do more stuff.

EFF does ... recently closed case w/ TI calc hackers, they put different OSs & apps on calcs - I had no idea you could put a custom OS on a calc, but it's awesome. You can do this w/ cameras too. Camera hackers find out crypto signing keys for this; lets you put unapproved OSs on... this is regulated by DMCA, TI wrote mean letters to calc hackers saying they can't talk about these numbers.

We talked to them, they got to put their stuff back on. Yay freedom of speech. The camera ppl wrote to us today; saying this is fairly similar to calc hacking... coders rights project is here for that, so we can continue to explore & innovate & speak about stuff like this.

I'm doing representation about cases like this; we're interested in helping out w/ those kinds of things.

In addition to this fun hacker stuff, I was a crim def attorney... laptop seizures, iphone searches, dealing w/ cops, etc etc.

We were going to take written questions; I'm going to talk abt some of the q that were on the wiki, but for the rest I'll take q w/ raised hand.

Caveats:
- I do this a lot, and I want to pt out that I can't give legal advice unless I'm actually your lawyer. This isn't an attny / client setting, so I can't give legal advice. Can give legal info, but it's not advice; will help you understand what's ok, what's not, but if you're in the middle you should talk to a lawyer.
- If you have sthg confidential, don't say it here. Claim it's your cousin or something or talk later in private.
- Ppl will have theoretical & personal qs; will be going between these two extremes so it's most generally useful. If you want to talk further, do so later.

Q: collection of info on users; if you wanted, you could make routers collect info (cameras? sign in?) - do you have to collect this?

A normal company might want to. NB probably doesn't want to. If you don't want to - it's not directly useful for your purpose - it's best not to collect it. No law req you to collect info on your users. Having that info can be a liability, because if you have it, someone might want to access it; someone might want to subpoena it, etc. Can be disadvantage to keep too much info around.

What is best to do if you don't collect info, or only for a short period of time, is to have a data retention/deletion policy. e.g. you never keep it, keep it for a week encrypted, etc...

q- What if retn plcy includes assured deletion on request from 3rd party?
a- Not OK. Once there is a req on the table, that triggers obligation to preserve it. Not necessarily to turn over, but needs to be preserved in case court is engaged. Similar, if you're about to be in civil suit, you again have to not delete. But if your regular policy isn't triggered by a req, etc., then you just do that.

q- Couldn't LEO just give you req all the time to prevent you from deleting info? If they could do that, would it be legally feasible?
a- If you get a req and it's improper, e.g. it req you to keep data for some pt in time, ask a lawyer if it's legit. But if you get req, you can't delete.

q- NB is a weird case, 'cause what's NB infrastructure & what's someone's personal stuff is a blurry line. NB as org won't spy on ppl, but some individual might do so.
a- You are only responsible for yourself, or your agents. Eg you aren't responsible for someone else's stuff.

q- What if we get a req w/ a gag order?
a- Lots of these are set up for Sprint, Comcast, etc... they have legal dept set up for that. Not really meant for a place like NB, Long Haul (in S Berkeley), etc... depends on subtleties of how an org is formed. Someone's paying rent for this space... whoever's paying rent, they have some authority. If they have a title, ditto. They can talk to a lawyer, and ask them who they can tell about it. It can be fact-specific.

q- Is it useful to talk about customs & practices of LE re. places like this?
a- They will do the same as w/ Long Haul - they have an inherent mistrust of decentralized orgs, where they think the leaders may have sympathy w/ perp they're investigating. In that case, cops thought they had probable cause that someone threatened UCB animal researcher from LH shop IP. Polite would be to go to LH and ask; instead they got search warrant and took all the computers, broke down the doors, etc. Common practice when not dealing with Sprint, Comcast, etc is to just get a search warrant. Nothing illegal about this; they think they may need one since they don't know which router was involved, etc.

q- If there's a lot of infiltration, surveillance, etc... anyone who hasn't read about cointelpro should..

q- No one in particular controls infrastructure here. Anyone can eavesdrop on it. It'd be silly to put up "you have no expectation of privacy" signs, but that's a legal term; how can you say that without implying we give up rights?
a- 1. 'hacker space' communicates that you might be surveilled; I turned my iphone off when I came here [comment: it's not off enough :p]
2. some kinds of interception are governed by statute; you have rights against interception by govt under wiretap act or elec. comm. privacy act that aren't necessarily triggered by 4th amendment privacy rights... I don't think under the statute your rights would be affected by such a sign. LE would make claim under 4th amendment claim if they were here, 'cause the sign said you didn't. Remedy is only to suppress evidence... supposedly you can sue the cops, but it takes a really long time. For that you need 'expectation of privacy'. Maybe say instead "stuff you transmit here (like anywhere) might be intercepted, so plz be careful".

It helps not to use those words; q of what's a reasonable expectation of privacy has been litigated, viz Katz case. Is subjective, what society's prepared to recognize as reasonable, depends on what judge thinks... most winning cases depend on explaining something that offends the judge. :) First judge needs to imagine it happening to them, & has to be offensive.

EG drug case, meth, cops search drive & passenger. Found meth in passenger's purse. Judge paused witness, asked: "you looked through a lady's purse without permission? a gentleman doesn't look..."

Can be iffy; if you told new members that "you might be surveilled", I don't know what court would say. Closest is course I litigated - US v Hekkencamp? re whether exp of privacy on computer connected to school network. School policy said they might monitor for school purposes. LE claimed they had no exp of priv at all. Court rejected it; that has reasonable exp of priv, even though school reserved some rights to look at it... therefore probably still have rights.

q- There wouldn't be expectation of privacy to the general public. How do you define the 'general public'?
a: - On the one hand, I don't think the government should use.. on the other hand, I'm thinking about .... It's not something that is clearly defined. In the statute it was put in there to mean 'radio' or broadcast.. to mean 'ears' or something.

q2: so basically, the answer is that.. there is no definition.. and it may mean one thing at one instance and another in another.
a2: This is always the point when I do these things. When some people become completely disgusted.. others vow to go to law school and make it their life work..

But, yes, that's right.. it's not something that's been tested in this area at all.

Q2: Lawful intercept. Let's set up a hypothetical situation because we have a VPN between us and the end point. Could an organization be forced to preemptively log anything. Can law enforcement come in and say 'you need to intercept this s..."
A2: No, but you can collect the information "prospectively".. for interception of the actual communications, in real time, you need a Title III intercept order. That is harder to get than a search warrant. It requires.... damn...

There has to be minimization. They can't just collect everything. There has to be a showing of necessity. There are reporting requirements. And, of course, they would have to report those statistics to that .. it can't just be "you're hackers" you need to intercept.. For the tracking order.. it's a ....  the judges use the order and they force... Are you ..... Do you guys fit that explanation....  It can be argued both ways. Anyone can sign up.. Anyone can get on the network.. Or.. the other side... It's more like a club.. not really for the public...

The statute provides privacy protection...  You kinda want to be under that protection.. even if it subjects you to some lawful process by police officers..

q2: Could Noisebridge incur any obligations under any CALEA law ???
a2: I don't think an org like this .. CALEA is more for infrastructure providers than coffee shops...

Q: What about with the Open Tracker Project. It's set up so that they don't keep any records of who is using it...
a: CALEA is more for the backbone providers, internet providers, those types of organizations where they can make them put the CALEA boxes on the network. It doesn't mean that you can't use really strong encryption. Or that you can't refuse to keep records about your users.

Purposely designed to keep anonymity- perfectly okay..

Q: If you were served with an order.. the odds that it would come along with a gag order are *really* small. NB may not even be an organization that would fall under that...

Q: May members be subject to it? Members or Officers?
A: If you were served with a gag order. Go call me.. no one else...

Q: If you are faced with one of these intercept requests, can you just suddenly stop providing the service. What if you just stopped providing for that user...
A: I don't think the statute requires you to continue providing the service. I don't think that, if you got the order...  I don't think that closing up shop would be the problem.

Q: Even if you stop just for that particular person
A: If you stop for that person, they would know, and that has ramifications in aiding and abetting, etc...  You can terminate for everyone -- not just that one customer..

Q: On television, you see the police say "Give us this information, or we'll come back with a warrant" -- I'd like to do business with companies that *ONLY* give this way when forced...

a- Because of that problem, there are statutes that provide privacy protections to customers. Esp. elect. surveil, they're not very clear... ongoing debate between DoJ & others re whether they need a warrant. We don't know. (!) Appalling, really.... if you can prove these statutes are violated, they have $ penalties. EFF is litigating vs. warrantless wiretapping cases - telco, Jewel, etc. Multiyear, heavy litigation. State secrets priv., jurisdiction, etc... not yet about the dragnet surveillance per se! (& financial penalties as result, etc)

Theoretical, yes. Practically...

Can shop around for cos that do better w/ your privacy than others. EFF encourages to be better w/ privacy policy, etc... hopefully ppl vote w/ their feet & capitalism will help provide privacy. Bigger problem is individuals feel they cave in to ppl w/ badge & gun.

q- diff between policies ... I can get in trouble in "emergency" situation, etc. Every one of 50k ppl can get in trouble...
a- Important to have real penalties for violating privacy policy. There's court of public opinion, real court, FTC, etc... hard to enforce these provisions.

q- re wiretap warrants, there's minimization req... mobster movies show that you have to stop listening after 30s and then stop if it's not related. Similar for data (eg garbage for first 1mb of comm?)
a- big battle. Case in 9th circ now that says for comp searches, you need independent forensic ppl to do searches. LE can't rely on 'plain view', etc... trying to 'cabin' offline searches (e.g. seized computers)

All trying to meaningfully limit forensic intercepts. The way they do it is dependent on tech. We fear they capture everything and then do a search for just the relevant bits. Maybe they come up w/ other stuff, maybe not. Case in 9th circ re comp seizures applies; need to be very specific safeguards to avoid wholesale collection of everything just 'cause it's packet vs voice network. But no bright line rule.

q- Mentioned laptop seizures, etc. What if someone knocks on door - do we have to let in cops? Not 'cause it's membership org? Can you say no to taking laptops? etc
a- If police knock on door, it's like vampire... if you let them in, it's all over. They can't come in w/out warrant. Less likely to trash the place w/ warrant when they have to report back to judge. If they're authorized, they'll just come in; they don't need permission. So just say no.

Is it public? can be argued. Entitled? Probably not; even library can ask ppl to leave even if initially open to public.

q- What if they're already in? 
a- Ask to leave

q- "No cops" sign?
a- Sure. "Come back w/ warrant" doormat. 
q- Are those legally binding?
a- Yes. It is in fact legally binding. Would work w/out doormat, but... what's wrong w/ belt & suspenders :)
Might put it in req to judge...

IF they can come in, 1 of 2 thgs will happen:
1. have warrant - need to show. Says they need to search for some things. Can detain everyone, stop ppl from touching anything, etc. so they can secure the area. Can keep people here for the search. Don't talk to them, sit quietly, take notes, photographs, video, etc. Cops will beat the shit out of you though. Technically allowed, but they really don't like it. Notes are OK though. 
Can try to talk to ppl while detained; don't have to answer questions, only judge can force you. Except asking for ID - used to be you can't be forced to. Rule now is unclear; maybe they can take you to station and take fingerprints etc... but better idea to just tell them? Don't lie to cops though, eg don't say you don't have ID, just say you don't want to show. Don't need to tell name? Sometimes better to just cooperate re name so they don't take you to station etc.
q- what if ID isn't physically on me?
a- don't lie :p 

They take whatever they'll take. You get receipt. Make motion later on to get back stuff...

q- changed re ?Heibel case?
a- used to be they can't take in for ID infractions. If just detained...? Used to be had to suspect of misdemeanor to take to station. Maybe new case says OK for infractions too. But if just detained because here during warrant...? Not sure, think no. Worse, but not that bad.

q- At what pt can we ask them to leave? If someone lets them in, can we tell 'em to leave then?
a- Yes. Circumstances change, people act stupid. But! Vampire part: Once here, if they see something, you're fucked. If they have probable cause, they can keep looking... e.g. a baggie of "cocaine" w/ straw & $100 bill, you'll be searched for cocaine. But if they don't see anything, they can leave. Of course, cops lie sometimes... but you can still ask. No downside to refusing to answer, telling them to leave, etc. Only judge can force you to answer questions. Don't consent to seizure, don't give passwords, don't boot it, etc.

1 problem, they want to seize my laptop, ask if it's mine. Should I answer? Can be used against you if there's something incriminating... music, pics from weekend, etc. If you admit it's yours, that's evidence that... but if you don't say anything, they take it, you don't get receipt, hard to get back, ... proof of ownership? maybe you stole it and don't have proof? hard to be certain, need judgment. 

2. don't have warrant -


DJ case: laptops seized from party. Cops know whose laptops they are. Not investigating music. Ppl want to get laptops back, answered yes it's mine, wouldn't have advised different.

q- earlier mentioned data retention policies that'd be illegal. Would it be illegal to make s/w that has illegal d.r.ps? That provides destruction of data if... eg if you don't come home by certain date. Maybe incendiary device....
a- 2 diff hypotheticals

--

We're back and we have two orders of business.
1) No warrant -- There has to be an exception to the warrant requirement. They need to really tailor that investigation to that reason. Again, take notes. You can see what they're doing....  That's why it's more important if they don't have a warrant, if they ask permission... say no.. if they take it.. they take it.. at least you said no..  don't give them other reasons to look further.. don't give them consent..
2) incendiary device thing. There are a few statutes that prohibit the creation and distribution of several tools. The statutes vary... and run across a wide range of substantive fields...
A tool for example that.. deletes all of your data if a certain thing doesn't happen at a certain time.. versus a tool that sets something on fire if something doesn't happen..
I'm also thinking of security tools, encrypted dvds, info about tools, instructions.. those sorts of things.

In the absence of any criminal intent... not illegal.. there are exceptions.. primary - doing those things with criminal intent...  edge questions (i.e., tell people how to not pay your income tax)....  most are okay..

Q: My question is more about software and tools...  Some software that does illegal things that is unlawful under statutes.. others are not..

Let's take a tool that cracks a password -- not unlawful... But, a denial of service tool... possession not unlawful... sometimes it's your intent that matters... These tools are almost all dual use tools..

possession is okay.. but used with an intent to defraud or cause damage.. is unlawful..

there are specific areas where that's definitely not true.. there's a whole statute that has a DMCA prevent tools and components of tools to decrypt and descramble and get copyrighted works...  the law doesn't really regulate [more than] necessary (but these are exceptions)..

Another example, are things that create fire.. some things create fire (lighter), but a bomb isn't... example.. screwdriver.. if it's in my toolbox at my house, it's a screwdriver.. if it's in my pocket as I'm breaking into a car, it's a break-in tool...


Q: The culpability of the org if someone is doing something illegal... 501c3...
a: org liability is for actions of the officers/agents of org....  individual liability comes from you doing something that is unlawful.. or in cahoots with someone doing something unlawful...  has a clear social service that it's provided... org not found unlawful... the person is

there is a law... misprision of felony...  more common use... vicarious/collaborator liability.. you share criminal purpose...  all ways in which vicarious liabilities.

As a provider of services (like internet/wireless).. I don't know... there's a general rule that says the intermediary that carries traffic isn't liable... for those areas...  for the people doing criminal stuff through wireless.. then we go back to "the inchoate offenses"  - you don't have a requirement to police what people do here.. and you aren't liable if people hack someone from here.. but it's fact dependent....

Q: Laptop being confiscated...  You said police can take it and 'there it goes'... is there any case you can demand a receipt
a: yea, and in my dj case... you can say 'it's not mine' but i want a receipt... in my case the officer didn't do that... In a warrant.. you get a receipt! In warrantless searches, they're loosey goosey about it..


q: would there have been any benefit to having a cable lock?
a: they'll just cut the lock and take the stuff

q: you wouldn't need a warrant to do that?
a: no.. they can just do that.. 

q: if they have probable cause, they don't need a warrant..

--

The only time that doesn't work is the rare occasion where you're both standing on the steps...  one says come in.. other says no.. cops can't come in

q: in a place like Noisebridge.. tons of stuff that doesn't belong to anyone present.. would it be prudent for someone in charge to ask for a receipt...can we ask for a receipt?
a: they'll either provide it or they won't.. there's no harm asking...

q: how fast can you get it back?
a: good question.. in my dj case.. one person back in 5 days.. the other not yet.. some four or five months...   it can be a while

With a federal investigation.. it's very common that you don't hear anything 1-2 years... you can make a motion to have it returned in the interim.. I always recommend it.. it gives you a feeling of why they are holding it...

q: if you do something stupid like set up a script...  like make a script that, when the police take it, it connects and downloads porn.. could you make a case that the police are downloading child pornography...
*laugh*
a: yes, that would work.. real forensics would prevent that.. I have doubts whether that would work....   I wonder if you would get in more trouble if you automatically downloaded child porn

q: 2 questions:
1) Is the built in encryption on OSX... is that generally adequate in cracking it?  
a: it depends on who is the adversary... national level (terrorist investigation), probably not.. local drug case.. probably not...  use a really long passphrase...

2) the dj cases.. why did the cops take djs laptop
they're going to say the laptop is evidence that this is an illegal party (they organized it)...  i will argue this isn't...

q: suppose that I'm at this party, and they want to seize my laptop. how much of a hard-ass can I be about it? if it's what I use for work, can I insist they arrest me..... so i go to court faster...
a: it never helps to be a hard ass.. if they want to take their laptops, they will..

q: What if i forget my partition password when standing in front of the judge.
a: obstructing justice...2 years...  (limit for two years), there is a question about whether you can be punished again...



q: has anyone been jailed in the US for refusing to turn over encryption key
a: no .. one case.. and they haven't been jailed in it... very hot legal issue right now...

q: usb things to 'suck everything out' through your usb ports...
a: if it's a bit-by-bit copy, it doesn't matter.. that's what 'EnCase' (forensic software) does...  but, they still need to decrypt it

q: If we at Noisebridge were ordered to give up something, and if the machine was managed by a member and the only one with a password, would the member....
a: if you don't have management of the information.. you can't be "served" (don't remember legal phrase)

The question is, we know who has this information.. they are just someone that we know.. are we obligated to tell the cops that .. you have to talk to a lawyer about that...

I would just say, that's it .. we're at 8:30.. if people have other questions, I may not be able to answer them.. you can email me..

If you ever get any of these surveillance orders.. with or without ...... a gag order.. we're interested in all of these cases.. criminal trespass.. criminal use of computers.. encryption...

we're very interested in keeping tools legal even if the illegal use is illegal... I'm around..  I'll be back...


Email: jennifer at eff...


