0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/626 Thanks! 1 00:00:13,130 --> 00:00:15,799 Specifically, programmers 2 00:00:15,800 --> 00:00:18,289 and hardware manufacturers are getting 3 00:00:19,340 --> 00:00:21,019 more and more pressure from law 4 00:00:21,020 --> 00:00:23,089 enforcement to get 5 00:00:23,090 --> 00:00:24,290 back doors in. 6 00:00:27,220 --> 00:00:29,499 In their products and 7 00:00:29,500 --> 00:00:31,479 Curt over here, his general counsel, 8 00:00:31,480 --> 00:00:34,419 Latif's, in 2007, he received 9 00:00:34,420 --> 00:00:36,249 the title of one of the best attorneys of 10 00:00:36,250 --> 00:00:39,519 the years in that 11 00:00:39,520 --> 00:00:42,249 California lawyer, Somersby 12 00:00:42,250 --> 00:00:43,569 Years magazine. 13 00:00:43,570 --> 00:00:45,819 And he will tell us more 14 00:00:45,820 --> 00:00:47,799 about this problem with an overview of 15 00:00:47,800 --> 00:00:49,809 today's issues. 16 00:00:49,810 --> 00:00:50,810 Thanks. 17 00:00:51,250 --> 00:00:52,839 All right. Thank you. 18 00:00:52,840 --> 00:00:53,840 Thank you, everybody. 19 00:00:54,910 --> 00:00:56,559 Good afternoon. 20 00:00:56,560 --> 00:00:57,489 Welcome. 21 00:00:57,490 --> 00:00:58,779 Welcome to C.C.C.. 22 00:00:58,780 --> 00:00:59,689 And I'm glad to see you. 23 00:00:59,690 --> 00:01:02,219 So many people here today 24 00:01:02,220 --> 00:01:04,539 we're going to talk about today is is 25 00:01:04,540 --> 00:01:06,729 the fight for encryption in 26 00:01:06,730 --> 00:01:09,169 twenty sixteen and 27 00:01:09,170 --> 00:01:11,349 you're going to get the slides up here 28 00:01:11,350 --> 00:01:12,259 and we go. 29 00:01:12,260 --> 00:01:14,019 So, yeah, my name is Kurt Opsahl. 30 00:01:14,020 --> 00:01:16,059 I'm the deputy executive director and 31 00:01:16,060 --> 00:01:17,949 general counsel with the Electronic 32 00:01:17,950 --> 00:01:20,109 Frontier Foundation, which is a 33 00:01:20,110 --> 00:01:22,149 nonprofit organization dedicated to 34 00:01:22,150 --> 00:01:24,639 defending your rights online. 35 00:01:24,640 --> 00:01:26,829 Thank you. It sounds like there are a few 36 00:01:26,830 --> 00:01:27,830 people familiar. 37 00:01:29,710 --> 00:01:31,929 In the audience, so 38 00:01:31,930 --> 00:01:33,639 let's start out with a bit of an overview 39 00:01:33,640 --> 00:01:35,919 of how things have gone over the last 40 00:01:35,920 --> 00:01:37,389 year in the fight for encryption. 41 00:01:37,390 --> 00:01:40,059 There is some good news that, 42 00:01:40,060 --> 00:01:43,089 first of all, that strong and encryption, 43 00:01:43,090 --> 00:01:45,409 both communication, encryption and 44 00:01:45,410 --> 00:01:47,589 end and device encryption 45 00:01:47,590 --> 00:01:50,559 remain legal in most jurisdictions today, 46 00:01:50,560 --> 00:01:52,089 more deployments than ever. 47 00:01:52,090 --> 00:01:53,769 These things are rolling out all over the 48 00:01:53,770 --> 00:01:54,789 world. 49 00:01:54,790 --> 00:01:56,919 We'll talk about that a little bit more. 50 00:01:56,920 --> 00:01:59,409 The bad news is that this as 51 00:01:59,410 --> 00:02:00,549 governments are still at it, they're 52 00:02:00,550 --> 00:02:02,829 still trying to find ways to weaken 53 00:02:02,830 --> 00:02:05,199 encryption, to get plain text 54 00:02:05,200 --> 00:02:07,839 access to encrypted materials. 55 00:02:07,840 --> 00:02:09,638 And they're trying to do this by 56 00:02:09,639 --> 00:02:11,949 pressuring companies as well as 57 00:02:11,950 --> 00:02:14,019 pushing forward some laws. 58 00:02:14,020 --> 00:02:16,839 A couple of bad laws have passed. 59 00:02:16,840 --> 00:02:19,089 And then probably 60 00:02:19,090 --> 00:02:21,249 the worst aspect is some of the ways 61 00:02:21,250 --> 00:02:23,679 of sort of getting around that 62 00:02:23,680 --> 00:02:26,559 which are blocking technologies, 63 00:02:26,560 --> 00:02:28,629 trying to make it so people can't use 64 00:02:28,630 --> 00:02:30,339 strong encryption by blocking at the 65 00:02:30,340 --> 00:02:32,589 network level, placing 66 00:02:32,590 --> 00:02:34,539 malware on devices to get around 67 00:02:34,540 --> 00:02:36,969 encryption by attacking the endpoints. 68 00:02:36,970 --> 00:02:38,949 In some cases, governments have resorted 69 00:02:38,950 --> 00:02:41,049 to arresting 70 00:02:41,050 --> 00:02:43,149 individuals associated with 71 00:02:43,150 --> 00:02:45,549 some encrypted communication 72 00:02:45,550 --> 00:02:47,829 tools in order to really push 73 00:02:47,830 --> 00:02:50,379 the pressure on those companies. 74 00:02:51,640 --> 00:02:53,050 And before we get into the 75 00:02:54,340 --> 00:02:55,909 nuts and bolts of things, I just want to 76 00:02:55,910 --> 00:02:57,429 at least take a moment to provide an 77 00:02:57,430 --> 00:02:59,529 overview of the encryption 78 00:02:59,530 --> 00:03:01,629 debate and how it has been going 79 00:03:01,630 --> 00:03:02,619 as an initial matter. 80 00:03:02,620 --> 00:03:04,119 I mean, why do we love encryption? 81 00:03:04,120 --> 00:03:06,279 I think many people here are 82 00:03:06,280 --> 00:03:07,209 already convinced. 83 00:03:07,210 --> 00:03:09,459 But just to go over some of the reasons 84 00:03:09,460 --> 00:03:11,199 encryption protects our data and our 85 00:03:11,200 --> 00:03:13,329 infrastructure, it helps 86 00:03:13,330 --> 00:03:16,389 ensure both privacy and security. 87 00:03:16,390 --> 00:03:17,439 But at the same time, you have a 88 00:03:17,440 --> 00:03:19,569 government who are concerned 89 00:03:19,570 --> 00:03:22,029 that they are, quote, going dark. 90 00:03:22,030 --> 00:03:24,459 This is their their euphemism for having 91 00:03:24,460 --> 00:03:26,889 less ability to access materials. 92 00:03:26,890 --> 00:03:29,019 They say it hinders their ability to 93 00:03:29,020 --> 00:03:31,519 conduct law enforcement efforts, 94 00:03:31,520 --> 00:03:33,279 national security. 95 00:03:33,280 --> 00:03:35,349 Over the last year, we've had some 96 00:03:35,350 --> 00:03:37,089 some good shifts in the debate. 97 00:03:37,090 --> 00:03:38,829 And one of the ones I wanted to highlight 98 00:03:38,830 --> 00:03:40,959 was moving from a 99 00:03:40,960 --> 00:03:43,509 discussion of privacy versus security 100 00:03:43,510 --> 00:03:45,429 to a discussion of security versus 101 00:03:45,430 --> 00:03:48,069 security, that is to say, recognizing 102 00:03:48,070 --> 00:03:50,169 that encryption provides 103 00:03:50,170 --> 00:03:52,029 security in and of itself. 104 00:03:52,030 --> 00:03:53,739 This is particularly good news because 105 00:03:53,740 --> 00:03:56,379 oftentimes when a debate is framed 106 00:03:56,380 --> 00:03:58,749 as privacy versus security, privacy 107 00:03:58,750 --> 00:04:00,849 versus safety, it is privacy 108 00:04:00,850 --> 00:04:02,019 that loses out. 109 00:04:02,020 --> 00:04:03,969 And this was a rhetorical device used by 110 00:04:03,970 --> 00:04:06,549 people who wanted to weaken encryption, 111 00:04:06,550 --> 00:04:08,679 wanted to get more access to 112 00:04:08,680 --> 00:04:11,049 encrypted communications to try and frame 113 00:04:11,050 --> 00:04:11,979 it in that way. 114 00:04:11,980 --> 00:04:14,799 But people have come forward, talk to 115 00:04:14,800 --> 00:04:17,018 their legislators, talk to policymakers, 116 00:04:17,019 --> 00:04:19,479 and pushed a shift toward understanding 117 00:04:19,480 --> 00:04:22,779 it as a benefit to security. 118 00:04:22,780 --> 00:04:24,669 That can be contrasted with some of the 119 00:04:24,670 --> 00:04:26,109 concerns the government has about 120 00:04:26,110 --> 00:04:27,719 reducing security. 121 00:04:27,720 --> 00:04:29,739 And there's also been a recognition among 122 00:04:29,740 --> 00:04:31,389 some policymakers that weakening 123 00:04:31,390 --> 00:04:33,489 encryption does have severe consequences, 124 00:04:33,490 --> 00:04:36,339 is not a cost free 125 00:04:36,340 --> 00:04:38,019 improvement to law enforcement's 126 00:04:38,020 --> 00:04:39,369 abilities. 127 00:04:39,370 --> 00:04:40,689 And there has been at least some 128 00:04:40,690 --> 00:04:42,819 recognition of 129 00:04:42,820 --> 00:04:45,399 a core tenet from from my organization. 130 00:04:45,400 --> 00:04:48,069 That code is speech that there are First 131 00:04:48,070 --> 00:04:50,499 Amendment free expression 132 00:04:50,500 --> 00:04:52,569 implications that come from 133 00:04:52,570 --> 00:04:54,939 both regulating the ability 134 00:04:54,940 --> 00:04:56,589 of people to use cryptography. 135 00:04:56,590 --> 00:04:59,049 And also there are enhancements 136 00:04:59,050 --> 00:05:01,209 to freedom of expression that come from 137 00:05:01,210 --> 00:05:03,609 the ability to have that encryption 138 00:05:03,610 --> 00:05:05,739 and anonymity help enable freedom 139 00:05:05,740 --> 00:05:06,740 of expression. 140 00:05:09,670 --> 00:05:11,829 So I want to take it before 141 00:05:11,830 --> 00:05:14,379 we get in another brief Segway 142 00:05:14,380 --> 00:05:15,789 to put some perspective on things. 143 00:05:15,790 --> 00:05:16,959 But one of the things that government 144 00:05:16,960 --> 00:05:19,209 talks about were going dark, that 145 00:05:19,210 --> 00:05:21,879 this is an unprecedented 146 00:05:21,880 --> 00:05:24,009 inability of government to get into 147 00:05:24,010 --> 00:05:26,079 places that can be they can be locked out 148 00:05:26,080 --> 00:05:26,959 of. 149 00:05:26,960 --> 00:05:28,959 And I wanted to go back a little bit in 150 00:05:28,960 --> 00:05:31,359 time into the seventeen 151 00:05:31,360 --> 00:05:33,579 hundreds when a locksmith, 152 00:05:33,580 --> 00:05:36,069 Joseph Barama, created a 153 00:05:36,070 --> 00:05:38,769 uncrackable lock and 154 00:05:38,770 --> 00:05:40,909 for for 67 years for 155 00:05:40,910 --> 00:05:42,999 the lock out there, he put what we call 156 00:05:43,000 --> 00:05:45,099 an early bug bounty program on it. 157 00:05:45,100 --> 00:05:47,509 Two hundred guineas he offered to anybody 158 00:05:47,510 --> 00:05:49,629 you could pick his lock, had it 159 00:05:49,630 --> 00:05:51,609 hanging up in the store so people could 160 00:05:51,610 --> 00:05:53,979 come along and give it a whirl. 161 00:05:53,980 --> 00:05:56,049 And it took fifty one sixty seven 162 00:05:56,050 --> 00:05:57,889 years for it to happen. 163 00:05:57,890 --> 00:06:00,669 Fifty one hours for the 164 00:06:00,670 --> 00:06:02,889 lock picker to actually do 165 00:06:02,890 --> 00:06:04,509 the first break through it. 166 00:06:04,510 --> 00:06:06,849 And during those decades 167 00:06:06,850 --> 00:06:09,129 there was something which provided pretty 168 00:06:09,130 --> 00:06:11,499 good security that made it very difficult 169 00:06:11,500 --> 00:06:13,359 for government, even if it had a warrant 170 00:06:13,360 --> 00:06:15,009 to get within the lock. 171 00:06:15,010 --> 00:06:16,689 Now you could have implementation flaws. 172 00:06:16,690 --> 00:06:17,799 This is kind of the same thing with 173 00:06:17,800 --> 00:06:18,800 crypto today. 174 00:06:19,840 --> 00:06:22,809 The safe built with this 175 00:06:22,810 --> 00:06:24,909 might have a weak, weak metal, you 176 00:06:24,910 --> 00:06:26,979 know, hinges in the wrong place, 177 00:06:26,980 --> 00:06:28,599 but nevertheless. 178 00:06:28,600 --> 00:06:30,429 Like Krypto today, it provided strong 179 00:06:30,430 --> 00:06:32,539 security and society survive 180 00:06:32,540 --> 00:06:34,269 through those 67 years. 181 00:06:34,270 --> 00:06:36,069 So this is not quite as unprecedented as 182 00:06:36,070 --> 00:06:37,119 they would like you to believe. 183 00:06:38,140 --> 00:06:39,699 All right. So let's turn, first of all, 184 00:06:39,700 --> 00:06:41,529 to the big thing that happened that last 185 00:06:41,530 --> 00:06:44,169 year, a very big 186 00:06:44,170 --> 00:06:46,299 public showdown between 187 00:06:46,300 --> 00:06:49,749 Apple computers and the FBI 188 00:06:49,750 --> 00:06:51,909 and the FBI for 189 00:06:51,910 --> 00:06:53,769 for many years has actually been seeking 190 00:06:53,770 --> 00:06:55,719 access to smartphones. 191 00:06:55,720 --> 00:06:58,539 They recognize that smartphones 192 00:06:58,540 --> 00:07:00,249 are an incredible window into people's 193 00:07:00,250 --> 00:07:02,319 lives. And they wanted access to 194 00:07:02,320 --> 00:07:03,789 that when they wanted to look at and see 195 00:07:03,790 --> 00:07:05,589 what people have been doing. 196 00:07:05,590 --> 00:07:07,479 And they were trying to do this through 197 00:07:07,480 --> 00:07:09,100 through the courts with court orders. 198 00:07:10,150 --> 00:07:12,309 And there were two key cases 199 00:07:12,310 --> 00:07:14,529 that help help frame this debate. 200 00:07:14,530 --> 00:07:16,629 One was a case in 201 00:07:16,630 --> 00:07:18,879 Brooklyn, New York, outside of New York 202 00:07:18,880 --> 00:07:19,859 City. 203 00:07:19,860 --> 00:07:21,939 And the other one brought a 204 00:07:21,940 --> 00:07:23,979 little bit later was in San Bernardino, 205 00:07:23,980 --> 00:07:25,679 California. 206 00:07:25,680 --> 00:07:28,119 And the first case, 207 00:07:28,120 --> 00:07:29,170 the Brooklyn case, 208 00:07:30,190 --> 00:07:32,439 was a relatively routine 209 00:07:32,440 --> 00:07:34,599 case. It was they were trying to get onto 210 00:07:34,600 --> 00:07:36,669 the phone of an alleged meth 211 00:07:36,670 --> 00:07:38,859 dealer, sort of a 212 00:07:38,860 --> 00:07:40,539 small time local dealer. 213 00:07:40,540 --> 00:07:42,279 They weren't able to get on the phone. 214 00:07:42,280 --> 00:07:43,629 They wanted the evidence there. 215 00:07:43,630 --> 00:07:45,429 They had a lot of additional evidence to 216 00:07:45,430 --> 00:07:47,739 be able to convict the guy, but 217 00:07:47,740 --> 00:07:50,169 they they wanted a little bit more. 218 00:07:50,170 --> 00:07:52,569 And they submitted a 219 00:07:52,570 --> 00:07:54,879 application for an order to 220 00:07:54,880 --> 00:07:56,949 get Apple to help them onto the phone, 221 00:07:56,950 --> 00:07:59,229 which they relied upon something 222 00:07:59,230 --> 00:08:01,779 called the All Writs Act. 223 00:08:01,780 --> 00:08:03,759 We'll discuss them more in just a second. 224 00:08:03,760 --> 00:08:06,309 But this was 225 00:08:06,310 --> 00:08:08,239 not unusual for the 226 00:08:10,000 --> 00:08:11,889 FBI to go to the court to ask for this 227 00:08:11,890 --> 00:08:13,149 access. 228 00:08:13,150 --> 00:08:15,339 A little bit unusual to ask 229 00:08:15,340 --> 00:08:17,649 for a third party, an unrelated party, 230 00:08:17,650 --> 00:08:19,809 to assist in 231 00:08:19,810 --> 00:08:21,609 helping getting access to the phone. 232 00:08:21,610 --> 00:08:24,399 And the court did something very unusual. 233 00:08:24,400 --> 00:08:26,589 Was it asked for more briefing? 234 00:08:26,590 --> 00:08:28,569 Oftentimes, these are arguments made by 235 00:08:28,570 --> 00:08:30,129 the government directly to the court 236 00:08:30,130 --> 00:08:32,918 without anybody else weighing in. 237 00:08:32,919 --> 00:08:34,149 But in this case, the court was like, 238 00:08:34,150 --> 00:08:35,558 well, I don't know. I don't know if this 239 00:08:35,559 --> 00:08:38,439 this argument really works. 240 00:08:38,440 --> 00:08:40,178 And I would like to get some additional 241 00:08:40,179 --> 00:08:41,259 briefing on that. 242 00:08:41,260 --> 00:08:43,449 So Apple filed a brief EFF 243 00:08:43,450 --> 00:08:45,729 and ACLU filed a brief. 244 00:08:45,730 --> 00:08:47,799 And we attempted to explain this to 245 00:08:47,800 --> 00:08:49,449 the to the court. 246 00:08:49,450 --> 00:08:51,069 And this is why we didn't believe that 247 00:08:51,070 --> 00:08:53,319 the All Writs Act was the 248 00:08:53,320 --> 00:08:55,419 was provided the authority that 249 00:08:55,420 --> 00:08:56,589 the government signed. 250 00:08:56,590 --> 00:08:58,809 The All Writs Act is kind of a 251 00:08:58,810 --> 00:09:00,129 catchall law. 252 00:09:00,130 --> 00:09:02,409 It is actually one of the oldest laws 253 00:09:02,410 --> 00:09:04,149 in us. 254 00:09:04,150 --> 00:09:06,609 It was originated in 1789. 255 00:09:07,780 --> 00:09:09,819 It's you have the language up here. 256 00:09:09,820 --> 00:09:11,979 It's a it's a little bit convoluted, 257 00:09:11,980 --> 00:09:14,109 but all the writs that are 258 00:09:14,110 --> 00:09:16,629 necessary or appropriate basically 259 00:09:16,630 --> 00:09:18,609 to allow the court to do its job. 260 00:09:18,610 --> 00:09:19,989 So if the court had power to do 261 00:09:19,990 --> 00:09:22,359 something, then it could issue a writ 262 00:09:22,360 --> 00:09:24,819 in order to enforce that power. 263 00:09:24,820 --> 00:09:26,589 So when it was written, obviously wasn't 264 00:09:26,590 --> 00:09:28,209 thinking about things like smartphones, 265 00:09:28,210 --> 00:09:30,279 it wasn't really thinking anything 266 00:09:30,280 --> 00:09:32,019 along these lines. 267 00:09:32,020 --> 00:09:34,149 It was just a basic tool. 268 00:09:34,150 --> 00:09:35,769 And pretty much it's the fallback 269 00:09:35,770 --> 00:09:38,079 position. If you have nothing else, 270 00:09:38,080 --> 00:09:39,969 you can always go to the All Writs Act 271 00:09:39,970 --> 00:09:41,739 and see if that will that will fly 272 00:09:42,820 --> 00:09:43,209 so well. 273 00:09:43,210 --> 00:09:45,039 That was pending. 274 00:09:45,040 --> 00:09:47,139 A new case came up in February of 275 00:09:47,140 --> 00:09:49,419 twenty sixteen, the California iPhone 276 00:09:49,420 --> 00:09:51,459 case. And this was out in San Bernardino, 277 00:09:51,460 --> 00:09:53,199 California, where there had been a 278 00:09:53,200 --> 00:09:55,779 horrific terrorist attack. 279 00:09:55,780 --> 00:09:58,239 Two people, employees 280 00:09:58,240 --> 00:09:59,739 of the San Bernardino County health 281 00:09:59,740 --> 00:10:02,169 system, went to their 282 00:10:02,170 --> 00:10:04,539 office holiday party and 283 00:10:04,540 --> 00:10:06,639 opened fire, killing scores of 284 00:10:06,640 --> 00:10:08,979 people before before 285 00:10:08,980 --> 00:10:11,499 fleeing and eventually perishing 286 00:10:11,500 --> 00:10:13,989 in a in a shootout with police. 287 00:10:13,990 --> 00:10:16,659 It was a fairly devastating attack 288 00:10:16,660 --> 00:10:18,859 and really made 289 00:10:18,860 --> 00:10:19,929 it made a lot of news. 290 00:10:21,190 --> 00:10:23,949 Several months after the attacks, 291 00:10:23,950 --> 00:10:26,349 they decided they wanted to get access 292 00:10:26,350 --> 00:10:28,719 to an iPhone that actually belonged 293 00:10:28,720 --> 00:10:31,809 to the county, San Bernardino County, 294 00:10:31,810 --> 00:10:33,909 but had been in 295 00:10:33,910 --> 00:10:36,249 use by one of the attackers. 296 00:10:36,250 --> 00:10:38,469 And he had left it in a car, 297 00:10:38,470 --> 00:10:40,239 a black Lexus. 298 00:10:40,240 --> 00:10:42,339 So the case was actually styled 299 00:10:42,340 --> 00:10:44,379 in a search warrant of black Lexus. 300 00:10:45,820 --> 00:10:48,699 And a couple of months after 301 00:10:48,700 --> 00:10:50,859 the attacks, they wanted to 302 00:10:50,860 --> 00:10:52,179 to get into this phone. 303 00:10:53,740 --> 00:10:55,449 And so they submitted an application to 304 00:10:55,450 --> 00:10:57,579 the court. And that very same day, the 305 00:10:57,580 --> 00:10:59,649 court turned around and issued the order 306 00:10:59,650 --> 00:11:00,289 to Apple. 307 00:11:00,290 --> 00:11:02,649 They in the court signed off on 308 00:11:02,650 --> 00:11:04,719 the government's brief without any 309 00:11:04,720 --> 00:11:06,429 modifications on their proposed order, I 310 00:11:06,430 --> 00:11:09,219 should say, without any modifications, 311 00:11:09,220 --> 00:11:10,899 and issued it the same day. 312 00:11:10,900 --> 00:11:12,789 And it was a fairly lengthy order. 313 00:11:12,790 --> 00:11:14,859 So this this may suggest that 314 00:11:14,860 --> 00:11:17,229 not a whole lot of deep thought 315 00:11:17,230 --> 00:11:19,660 went into whether this was possible. 316 00:11:20,710 --> 00:11:22,809 And under that 317 00:11:22,810 --> 00:11:25,149 government requested order, they wanted 318 00:11:25,150 --> 00:11:27,309 to bypass the auto 319 00:11:27,310 --> 00:11:28,749 erase phone. 320 00:11:28,750 --> 00:11:31,089 We're after a certain number of failed 321 00:11:31,090 --> 00:11:33,129 attempts to access the phone, it would 322 00:11:33,130 --> 00:11:34,479 erase itself. 323 00:11:34,480 --> 00:11:36,969 They wanted to be able to submit 324 00:11:36,970 --> 00:11:40,059 passwords or pass codes electronically, 325 00:11:40,060 --> 00:11:42,489 and they wanted to have no delay 326 00:11:42,490 --> 00:11:43,619 in the password attempt. 327 00:11:43,620 --> 00:11:45,729 So what basically they were asking for 328 00:11:45,730 --> 00:11:48,069 was to remove the features that 329 00:11:48,070 --> 00:11:49,959 were designed to protect brute force 330 00:11:49,960 --> 00:11:52,059 attacks so that they could brute 331 00:11:52,060 --> 00:11:53,060 force the phone. 332 00:11:53,920 --> 00:11:56,619 So Apple called this gov os 333 00:11:56,620 --> 00:11:58,719 that they were being asked to to 334 00:11:58,720 --> 00:12:00,849 make a new operating system to be 335 00:12:00,850 --> 00:12:03,009 used just on this phone in order 336 00:12:03,010 --> 00:12:06,129 for enabling government access. 337 00:12:06,130 --> 00:12:08,409 And the court left open one thing, 338 00:12:08,410 --> 00:12:10,479 which was, well, Apple, 339 00:12:10,480 --> 00:12:12,639 if you want to challenge this, 340 00:12:12,640 --> 00:12:15,489 if it is unreasonably burdensome, 341 00:12:15,490 --> 00:12:17,379 you can do so. 342 00:12:17,380 --> 00:12:19,089 So indeed, Apple did challenge it. 343 00:12:19,090 --> 00:12:20,619 They asked the court to reconsider its 344 00:12:20,620 --> 00:12:21,620 order. 345 00:12:22,600 --> 00:12:24,999 And somewhat unusually, 346 00:12:25,000 --> 00:12:27,699 Tim Cook, the CEO of Apple, 347 00:12:27,700 --> 00:12:30,699 wrote a big public letter about it. 348 00:12:30,700 --> 00:12:33,459 And he considered this something that, 349 00:12:33,460 --> 00:12:35,259 first of all, they didn't have, but more 350 00:12:35,260 --> 00:12:37,569 importantly, they considered it too 351 00:12:37,570 --> 00:12:39,039 dangerous to create. 352 00:12:40,600 --> 00:12:42,939 And Apple filed its brief. 353 00:12:42,940 --> 00:12:45,039 There were many amicus briefs 354 00:12:46,060 --> 00:12:48,249 filed in this case, something like 40 355 00:12:48,250 --> 00:12:50,349 or so. Mostly there 356 00:12:50,350 --> 00:12:52,059 were civil liberties organizations, 357 00:12:52,060 --> 00:12:54,399 industry groups, mostly on the side 358 00:12:54,400 --> 00:12:56,439 of Apple, though there were a few who 359 00:12:56,440 --> 00:12:58,029 were in support of the of the 360 00:12:58,030 --> 00:12:59,619 government's position. 361 00:12:59,620 --> 00:13:00,909 One of them I want to highlight in 362 00:13:00,910 --> 00:13:03,039 particular from the San 363 00:13:03,040 --> 00:13:04,989 Bernardino County district attorney. 364 00:13:04,990 --> 00:13:07,599 This is the chief prosecutor of the 365 00:13:07,600 --> 00:13:09,249 local area. 366 00:13:09,250 --> 00:13:11,109 He said that they ought to be able to get 367 00:13:11,110 --> 00:13:13,089 access to the phone because it might 368 00:13:13,090 --> 00:13:15,369 contain a lying dormant cyber 369 00:13:15,370 --> 00:13:17,019 pathogen. 370 00:13:17,020 --> 00:13:18,999 And he wanted to make sure that we we had 371 00:13:19,000 --> 00:13:20,379 access to that. 372 00:13:20,380 --> 00:13:21,549 The logic of that was a little bit 373 00:13:21,550 --> 00:13:23,109 unclear, because if it was really that 374 00:13:23,110 --> 00:13:25,149 dangerous, maybe we shouldn't get access 375 00:13:25,150 --> 00:13:26,289 to it. 376 00:13:26,290 --> 00:13:28,089 But nevertheless, he thought that was a 377 00:13:28,090 --> 00:13:29,090 reason to get in the phone. 378 00:13:30,640 --> 00:13:32,769 The FBI director, Comey, he 379 00:13:32,770 --> 00:13:34,839 started out by saying 380 00:13:34,840 --> 00:13:36,699 that this was just about trying to get 381 00:13:36,700 --> 00:13:37,929 into one phone. 382 00:13:37,930 --> 00:13:41,139 It wasn't about setting a precedent. 383 00:13:41,140 --> 00:13:43,299 But later, under questioning before 384 00:13:43,300 --> 00:13:45,519 the US Congress, he admitted that 385 00:13:45,520 --> 00:13:47,259 it was about precedent and they wanted to 386 00:13:47,260 --> 00:13:49,389 set this precedent so they could access 387 00:13:49,390 --> 00:13:51,279 more phones. 388 00:13:51,280 --> 00:13:53,439 And then he asked the question, if there 389 00:13:53,440 --> 00:13:55,539 are warrant proof spaces, 390 00:13:55,540 --> 00:13:57,249 what does that mean and what is the cost 391 00:13:57,250 --> 00:13:59,349 of that? And this is 392 00:13:59,350 --> 00:14:01,629 a reminder of the time 393 00:14:01,630 --> 00:14:04,299 when we had for sixty seven years the UN 394 00:14:04,300 --> 00:14:05,689 correctible luck. 395 00:14:05,690 --> 00:14:07,509 We may have had warrant proof space 396 00:14:07,510 --> 00:14:09,699 before and 397 00:14:09,700 --> 00:14:11,559 we may have them again. 398 00:14:11,560 --> 00:14:13,899 And it also is not recognizing 399 00:14:13,900 --> 00:14:15,369 that there are something fundamentally 400 00:14:15,370 --> 00:14:17,859 different about access to smartphones 401 00:14:17,860 --> 00:14:19,809 because of how much of your lives are 402 00:14:19,810 --> 00:14:21,819 part of the phone or on the phone. 403 00:14:21,820 --> 00:14:23,619 If somebody has access to that, they have 404 00:14:23,620 --> 00:14:25,749 a more than just 405 00:14:25,750 --> 00:14:26,799 a little bit of evidence. 406 00:14:26,800 --> 00:14:29,379 They have a window into your soul and 407 00:14:29,380 --> 00:14:31,599 protecting that is more important than 408 00:14:31,600 --> 00:14:32,600 ever. 409 00:14:32,920 --> 00:14:35,089 So this became a major controversy. 410 00:14:35,090 --> 00:14:37,359 It became international news. 411 00:14:37,360 --> 00:14:39,039 They had a poll that went out during this 412 00:14:39,040 --> 00:14:41,319 time period and 413 00:14:41,320 --> 00:14:43,509 it was about 50 50 414 00:14:43,510 --> 00:14:45,579 on whether Apple should provide 415 00:14:45,580 --> 00:14:47,679 access or whether they should 416 00:14:47,680 --> 00:14:50,109 deny access, which may not 417 00:14:50,110 --> 00:14:51,729 sound like OK, if people were divided. 418 00:14:51,730 --> 00:14:54,279 But what sort of particularly impressive 419 00:14:54,280 --> 00:14:56,709 about that is that when 420 00:14:56,710 --> 00:14:58,059 they're doing a case where they're saying 421 00:14:58,060 --> 00:14:59,619 we need to get this information for a 422 00:14:59,620 --> 00:15:02,709 terrorist attack, putting all of the 423 00:15:02,710 --> 00:15:04,899 pressure is associated with a 424 00:15:04,900 --> 00:15:07,149 national security case, saying this was 425 00:15:07,150 --> 00:15:08,619 vital for our national security. 426 00:15:08,620 --> 00:15:10,899 And still, they weren't even able to get 427 00:15:10,900 --> 00:15:12,879 a majority on their side. 428 00:15:12,880 --> 00:15:15,249 I think this was a lot less 429 00:15:15,250 --> 00:15:17,469 support then than 430 00:15:17,470 --> 00:15:18,849 the government was expecting when they 431 00:15:18,850 --> 00:15:20,709 brought this case. 432 00:15:20,710 --> 00:15:22,929 And both civil society 433 00:15:22,930 --> 00:15:25,179 and industry brought together to 434 00:15:25,180 --> 00:15:27,129 to help support Apple in this. 435 00:15:27,130 --> 00:15:28,419 People understanding this would be a 436 00:15:28,420 --> 00:15:30,669 precedent, that it would be not just 437 00:15:30,670 --> 00:15:32,859 a precedent about accessing phone, but 438 00:15:32,860 --> 00:15:35,019 a precedent about the government ordering 439 00:15:35,020 --> 00:15:36,549 you to make a new version of your 440 00:15:36,550 --> 00:15:38,979 software that has security 441 00:15:38,980 --> 00:15:40,719 weaknesses in it. 442 00:15:40,720 --> 00:15:42,189 So this was coming forward, coming to a 443 00:15:42,190 --> 00:15:44,289 head with a hearing scheduled in 444 00:15:44,290 --> 00:15:45,730 March of 2016. 445 00:15:46,840 --> 00:15:48,549 And then we heard from the from the 446 00:15:48,550 --> 00:15:50,619 Brooklyn judge. Now, this this briefing 447 00:15:50,620 --> 00:15:52,779 had been going on since 448 00:15:52,780 --> 00:15:55,179 October of the previous year. 449 00:15:55,180 --> 00:15:56,829 And in the ordinary course of things, you 450 00:15:56,830 --> 00:15:59,289 know, judges will take time to carefully 451 00:15:59,290 --> 00:15:59,709 consider. 452 00:15:59,710 --> 00:16:02,529 It might take a while, but 453 00:16:02,530 --> 00:16:04,909 not very long after the 454 00:16:04,910 --> 00:16:06,939 the news really hit about the California 455 00:16:06,940 --> 00:16:09,459 case, the Brooklyn judge issued his 456 00:16:09,460 --> 00:16:11,799 lengthy and fairly detailed 457 00:16:11,800 --> 00:16:14,919 opinion, concluding that Apple 458 00:16:14,920 --> 00:16:17,379 did not have to unlock the specific 459 00:16:17,380 --> 00:16:19,599 device, that the All Writs 460 00:16:19,600 --> 00:16:21,939 Act did not provide the authority that 461 00:16:21,940 --> 00:16:23,590 the FBI was seeking 462 00:16:24,850 --> 00:16:27,219 then moving forward into the hearing. 463 00:16:28,260 --> 00:16:30,329 We had a sudden new news 464 00:16:30,330 --> 00:16:32,699 that came out the day before the hearing, 465 00:16:32,700 --> 00:16:35,309 the FBI said, well, we're exploring 466 00:16:35,310 --> 00:16:37,709 a way to get onto the phone. 467 00:16:37,710 --> 00:16:39,059 We need a little bit of time to check 468 00:16:39,060 --> 00:16:41,519 this out. Can we get a delay 469 00:16:41,520 --> 00:16:43,049 in the hearing? 470 00:16:43,050 --> 00:16:44,699 This came out the day before the hearing. 471 00:16:44,700 --> 00:16:46,319 Actually, a lot of people who I know 472 00:16:46,320 --> 00:16:48,179 we're going to go down there had already 473 00:16:48,180 --> 00:16:50,309 departed for Southern California. 474 00:16:50,310 --> 00:16:52,409 I was actually just about to head off 475 00:16:52,410 --> 00:16:54,509 to the airport myself when the news 476 00:16:54,510 --> 00:16:56,729 came in and I was able to 477 00:16:56,730 --> 00:16:58,859 save myself the trip down there. 478 00:16:58,860 --> 00:17:00,809 But this was sort of a very surprising 479 00:17:00,810 --> 00:17:03,089 last minute development. 480 00:17:03,090 --> 00:17:05,519 And then a week later, the FBI reported 481 00:17:05,520 --> 00:17:08,009 that, yes, they had gotten access 482 00:17:08,010 --> 00:17:10,169 to the phone and 483 00:17:10,170 --> 00:17:11,429 the hearing was canceled. 484 00:17:12,450 --> 00:17:13,739 And we got a little bit a little bit of 485 00:17:13,740 --> 00:17:15,809 details about this, 486 00:17:15,810 --> 00:17:17,879 that it was an exploit that 487 00:17:17,880 --> 00:17:20,189 cost well over 488 00:17:20,190 --> 00:17:21,889 a million dollars. 489 00:17:21,890 --> 00:17:24,358 And this was calculated 490 00:17:24,359 --> 00:17:26,818 because the director, Comey, 491 00:17:26,819 --> 00:17:29,099 said that it was more than his entire 492 00:17:29,100 --> 00:17:31,049 salary for the 10 years that he is going 493 00:17:31,050 --> 00:17:32,039 to be FBI director. 494 00:17:32,040 --> 00:17:34,379 So people did a little math and figured 495 00:17:34,380 --> 00:17:35,999 out that that would be over a million 496 00:17:36,000 --> 00:17:37,319 dollars. 497 00:17:37,320 --> 00:17:39,299 And this was a hack that apparently works 498 00:17:39,300 --> 00:17:41,579 on the iPhone five C 499 00:17:41,580 --> 00:17:43,619 and older devices. 500 00:17:43,620 --> 00:17:45,869 A key factor there is it doesn't have 501 00:17:45,870 --> 00:17:48,359 the secure enclave, doesn't have the 502 00:17:48,360 --> 00:17:50,279 touch ID feature, which requires the 503 00:17:50,280 --> 00:17:52,139 secure enclave. 504 00:17:52,140 --> 00:17:54,479 And so it was apparently something 505 00:17:54,480 --> 00:17:56,999 that was defeated by the secure enclave 506 00:17:57,000 --> 00:17:58,739 that we have very little detail. 507 00:18:00,360 --> 00:18:03,089 So the FBI withdrew 508 00:18:03,090 --> 00:18:05,190 the case after the exploit worked. 509 00:18:07,380 --> 00:18:09,809 And there was no no ruling by the judge 510 00:18:09,810 --> 00:18:11,999 on whether their power under the oil 511 00:18:12,000 --> 00:18:14,579 rich act extended this far 512 00:18:14,580 --> 00:18:16,709 and shortly thereafter, the 513 00:18:16,710 --> 00:18:18,989 government also they had appealed 514 00:18:18,990 --> 00:18:21,119 the Brooklyn judge's order, but 515 00:18:21,120 --> 00:18:23,699 then they withdrew the that appeal, 516 00:18:23,700 --> 00:18:25,889 saying that they had somehow 517 00:18:25,890 --> 00:18:28,409 obtained the passcode. 518 00:18:28,410 --> 00:18:31,289 According to news reports, apparently 519 00:18:31,290 --> 00:18:33,599 the suspect remembered and provided 520 00:18:33,600 --> 00:18:35,339 is his code. 521 00:18:35,340 --> 00:18:37,499 So what this means is that 522 00:18:37,500 --> 00:18:39,779 right now we don't have binding 523 00:18:39,780 --> 00:18:41,999 precedent on the question of whether 524 00:18:42,000 --> 00:18:44,429 the government has this power. 525 00:18:44,430 --> 00:18:46,169 There is the one decision out of Brooklyn 526 00:18:46,170 --> 00:18:48,269 that remains on the books, but 527 00:18:48,270 --> 00:18:50,069 that was a decision issued from the 528 00:18:50,070 --> 00:18:52,229 lowest level of judge, a 529 00:18:52,230 --> 00:18:53,549 magistrate judge. 530 00:18:53,550 --> 00:18:56,339 It is not binding on any other judge. 531 00:18:56,340 --> 00:18:58,559 And if they had appealed and lost 532 00:18:58,560 --> 00:19:00,629 and took it up the chain, then it becomes 533 00:19:00,630 --> 00:19:02,219 more and more of a of a binding 534 00:19:02,220 --> 00:19:03,539 precedent. 535 00:19:03,540 --> 00:19:05,549 But that that is not so. 536 00:19:05,550 --> 00:19:07,739 We're still waiting for 537 00:19:07,740 --> 00:19:09,989 the next shoe to drop and 538 00:19:09,990 --> 00:19:11,849 get to bring these arguments out again 539 00:19:11,850 --> 00:19:13,379 and see if we can get some precedent on 540 00:19:13,380 --> 00:19:14,380 that. 541 00:19:14,940 --> 00:19:17,459 Also, the government didn't disclose 542 00:19:17,460 --> 00:19:19,289 how it got access to Apple. 543 00:19:19,290 --> 00:19:21,779 Apple was seeking that information 544 00:19:21,780 --> 00:19:24,209 and they actually had suggested that if 545 00:19:24,210 --> 00:19:26,429 the case had continued and gone forward, 546 00:19:26,430 --> 00:19:28,499 that they would use the case as 547 00:19:28,500 --> 00:19:29,849 a vehicle to try and obtain that 548 00:19:29,850 --> 00:19:31,259 information. 549 00:19:31,260 --> 00:19:33,269 And it's also brought up in some people's 550 00:19:33,270 --> 00:19:35,519 minds the the vulnerabilities 551 00:19:35,520 --> 00:19:37,229 equities process. 552 00:19:37,230 --> 00:19:39,389 This is a process that 553 00:19:39,390 --> 00:19:41,999 came out through a Freedom of Information 554 00:19:42,000 --> 00:19:44,759 Act, open government request. 555 00:19:44,760 --> 00:19:47,550 And it is a process that the executive 556 00:19:48,890 --> 00:19:51,149 supposed to go through when it's deciding 557 00:19:51,150 --> 00:19:52,619 what to do with a vulnerability. 558 00:19:52,620 --> 00:19:54,389 So if the government has a vulnerability, 559 00:19:54,390 --> 00:19:56,729 it weighs the equities of disclosure 560 00:19:56,730 --> 00:19:59,279 to the vendor versus exploiting 561 00:19:59,280 --> 00:20:01,019 that vulnerability. 562 00:20:01,020 --> 00:20:03,119 When should they disclose and how 563 00:20:03,120 --> 00:20:05,669 do they balance out the security 564 00:20:05,670 --> 00:20:07,799 harm from the availability 565 00:20:07,800 --> 00:20:09,869 of this vulnerability versus 566 00:20:09,870 --> 00:20:11,939 the advantages that they would see 567 00:20:11,940 --> 00:20:13,919 with being able to exploit this? 568 00:20:13,920 --> 00:20:15,689 This would seem like something that 569 00:20:15,690 --> 00:20:18,149 perfectly fit within the vulnerabilities 570 00:20:18,150 --> 00:20:19,979 equities process, and they should have 571 00:20:19,980 --> 00:20:20,939 used it here. 572 00:20:20,940 --> 00:20:23,429 But now, as it turns out, 573 00:20:23,430 --> 00:20:25,529 the FBI didn't buy 574 00:20:25,530 --> 00:20:26,639 the vulnerability. 575 00:20:26,640 --> 00:20:29,729 They bought a black box exploit, 576 00:20:29,730 --> 00:20:31,859 so they didn't have anything to 577 00:20:31,860 --> 00:20:34,199 disclose in their view and 578 00:20:34,200 --> 00:20:35,279 didn't need to go through the 579 00:20:35,280 --> 00:20:36,990 vulnerabilities equities process. 580 00:20:38,520 --> 00:20:40,679 So what did Apple do to to 581 00:20:40,680 --> 00:20:42,869 respond? Well, these are some of the 582 00:20:42,870 --> 00:20:45,059 goals that Apple put forward. 583 00:20:45,060 --> 00:20:47,399 This came from a presentation they gave 584 00:20:47,400 --> 00:20:49,739 this summer at the Black Hat Security 585 00:20:49,740 --> 00:20:51,809 Conference, and 586 00:20:51,810 --> 00:20:53,160 they were trying to 587 00:20:54,540 --> 00:20:57,899 continue to use the secure enclave, 588 00:20:57,900 --> 00:20:59,939 tightening up to try to limit the number 589 00:20:59,940 --> 00:21:02,279 of passcode attempts to take 590 00:21:02,280 --> 00:21:04,439 brute forcing out of the picture 591 00:21:04,440 --> 00:21:06,269 to make it difficult to do offline 592 00:21:06,270 --> 00:21:09,329 attacks and to 593 00:21:09,330 --> 00:21:10,769 with a secure enclave. 594 00:21:10,770 --> 00:21:12,959 There is a true 595 00:21:12,960 --> 00:21:14,729 random number generator or a hardware 596 00:21:14,730 --> 00:21:16,739 random number generator. 597 00:21:16,740 --> 00:21:19,319 They try to make it so Apple doesn't know 598 00:21:19,320 --> 00:21:20,969 what that number is and then it gets 599 00:21:20,970 --> 00:21:23,119 entangled with 600 00:21:23,120 --> 00:21:25,289 the user ID and the past codes. 601 00:21:26,420 --> 00:21:28,169 This makes it so that Apple has very 602 00:21:28,170 --> 00:21:30,419 little information to give 603 00:21:30,420 --> 00:21:32,579 that would be necessary to to crack this. 604 00:21:34,080 --> 00:21:36,329 They also put forward 605 00:21:36,330 --> 00:21:38,729 a bug bounty program. 606 00:21:38,730 --> 00:21:40,709 So still slightly less, certainly a lot 607 00:21:40,710 --> 00:21:43,079 less than what apparently the market 608 00:21:43,080 --> 00:21:45,179 is. Two hundred thousand at the top 609 00:21:45,180 --> 00:21:47,249 of it. But this is a very important step 610 00:21:47,250 --> 00:21:49,349 forward. Apple had been actually one 611 00:21:49,350 --> 00:21:51,389 of the last major companies to put out a 612 00:21:51,390 --> 00:21:52,769 bug bounty program. 613 00:21:52,770 --> 00:21:54,389 And so I'm very glad they finally came 614 00:21:54,390 --> 00:21:56,220 around to just start doing that. 615 00:21:59,420 --> 00:22:01,609 So the government well, 616 00:22:01,610 --> 00:22:03,709 what are they going to do now? 617 00:22:03,710 --> 00:22:05,869 They don't want to rely on 618 00:22:05,870 --> 00:22:08,329 buying hacks, that 619 00:22:08,330 --> 00:22:10,729 this is not to say that they are opposed 620 00:22:10,730 --> 00:22:12,229 to this. In fact, there are many 621 00:22:12,230 --> 00:22:13,230 instances in which 622 00:22:14,360 --> 00:22:16,609 the governments have either created or 623 00:22:16,610 --> 00:22:19,669 purchased exploits. 624 00:22:19,670 --> 00:22:21,619 They have what some governments around 625 00:22:21,620 --> 00:22:23,389 the world have bought from places like in 626 00:22:23,390 --> 00:22:25,129 a hacking team. 627 00:22:25,130 --> 00:22:27,259 The NSA group sold a 628 00:22:27,260 --> 00:22:30,019 exploit to U.A.E 629 00:22:30,020 --> 00:22:32,539 that was used to get access 630 00:22:32,540 --> 00:22:34,759 to a phone of a 631 00:22:34,760 --> 00:22:37,039 opposition activist. 632 00:22:37,040 --> 00:22:38,959 So these are continuing to go on rule 633 00:22:38,960 --> 00:22:41,029 forty one. This is a new rule 634 00:22:41,030 --> 00:22:42,030 in the US 635 00:22:43,670 --> 00:22:45,809 criminal procedure, and 636 00:22:45,810 --> 00:22:48,139 it makes it easier for judges 637 00:22:48,140 --> 00:22:50,389 to issue orders to allow the government 638 00:22:50,390 --> 00:22:52,969 to use NYTs network intrusion 639 00:22:52,970 --> 00:22:55,459 tools, which is another 640 00:22:55,460 --> 00:22:58,009 euphemism for basically malware 641 00:22:58,010 --> 00:23:01,099 getting onto people's endpoints. 642 00:23:01,100 --> 00:23:02,779 So the governments are certainly willing 643 00:23:02,780 --> 00:23:04,849 to do that, but they would prefer 644 00:23:04,850 --> 00:23:07,069 to have the government, the companies 645 00:23:07,070 --> 00:23:09,349 just provide the easy access, not 646 00:23:09,350 --> 00:23:11,629 a back door, of course, but something 647 00:23:11,630 --> 00:23:13,460 like a secure golden key. 648 00:23:15,090 --> 00:23:17,459 So so what could go wrong 649 00:23:17,460 --> 00:23:18,460 and. 650 00:23:23,480 --> 00:23:25,609 If you if you have access to the 651 00:23:25,610 --> 00:23:28,309 secure, I guess these are brass keys 652 00:23:28,310 --> 00:23:30,439 for a TSA lock, you should be 653 00:23:30,440 --> 00:23:31,969 able to get into it. In fact, if you have 654 00:23:31,970 --> 00:23:34,279 this photograph and 3D 655 00:23:34,280 --> 00:23:36,409 printer, you probably could make these 656 00:23:36,410 --> 00:23:37,759 keys. 657 00:23:37,760 --> 00:23:39,409 And this is this is the problem when you 658 00:23:39,410 --> 00:23:41,689 have something which gives you in 659 00:23:41,690 --> 00:23:43,909 a nutshell, if you if you give access 660 00:23:43,910 --> 00:23:46,219 through a special method, 661 00:23:46,220 --> 00:23:47,509 well, you've got to be make sure that 662 00:23:47,510 --> 00:23:49,009 that special method doesn't get into the 663 00:23:49,010 --> 00:23:50,010 wrong hands. 664 00:23:51,500 --> 00:23:53,179 So turning to a bit for the to the 665 00:23:53,180 --> 00:23:55,279 politics of it, from 666 00:23:55,280 --> 00:23:57,379 the beginning, actually, 667 00:23:57,380 --> 00:23:59,839 slightly over a year ago, 668 00:23:59,840 --> 00:24:01,519 there was an effort to push President 669 00:24:01,520 --> 00:24:03,979 Obama to take a stance 670 00:24:03,980 --> 00:24:06,079 in favor of strong crypto. 671 00:24:06,080 --> 00:24:08,539 There was a petition up at Save Crypto 672 00:24:08,540 --> 00:24:10,819 Dog with over one hundred thousand 673 00:24:10,820 --> 00:24:12,559 signatures. 674 00:24:12,560 --> 00:24:14,809 And his initial 675 00:24:14,810 --> 00:24:17,599 response was that, well, 676 00:24:17,600 --> 00:24:19,729 for now will not call 677 00:24:19,730 --> 00:24:21,859 for for legislation, which is not 678 00:24:21,860 --> 00:24:23,449 a very strong response, but at least it's 679 00:24:23,450 --> 00:24:25,279 not not the opposite. 680 00:24:26,390 --> 00:24:28,759 And then later 681 00:24:28,760 --> 00:24:31,039 in 2016, Obama 682 00:24:31,040 --> 00:24:32,809 said, well, we shouldn't have an 683 00:24:32,810 --> 00:24:35,479 absolutist view on this. 684 00:24:35,480 --> 00:24:36,949 And what is sort of meaning by that is 685 00:24:36,950 --> 00:24:39,049 people are saying, well, that you 686 00:24:39,050 --> 00:24:41,989 either have to have security 687 00:24:41,990 --> 00:24:43,909 or if you have a back door, you will 688 00:24:43,910 --> 00:24:45,109 weaken security. 689 00:24:45,110 --> 00:24:47,449 You can't have both a back door and 690 00:24:47,450 --> 00:24:48,949 strong security. And that's like an 691 00:24:48,950 --> 00:24:50,839 absolutist view. 692 00:24:50,840 --> 00:24:53,269 And I think this is very symptomatic 693 00:24:53,270 --> 00:24:55,999 of politicians looking at this 694 00:24:56,000 --> 00:24:58,399 where it's all about trying to find 695 00:24:58,400 --> 00:24:59,659 compromises. 696 00:24:59,660 --> 00:25:01,729 And if the technology doesn't permit for 697 00:25:01,730 --> 00:25:03,589 compromises, this is a political 698 00:25:03,590 --> 00:25:05,839 question, not a mathematical question, 699 00:25:05,840 --> 00:25:08,119 not a technology question, 700 00:25:08,120 --> 00:25:10,159 and that we need to find a middle ground. 701 00:25:10,160 --> 00:25:11,869 And I think that this is actually 702 00:25:11,870 --> 00:25:13,969 dangerous thinking that 703 00:25:13,970 --> 00:25:16,249 if saying that is absolutist, 704 00:25:16,250 --> 00:25:18,049 to say that we need strong security, 705 00:25:18,050 --> 00:25:19,729 well, you might call me an absolutist, 706 00:25:19,730 --> 00:25:20,869 but I think it's more than that. 707 00:25:22,460 --> 00:25:24,859 And then on November 708 00:25:24,860 --> 00:25:27,379 8th, we have a 709 00:25:27,380 --> 00:25:30,349 new president coming coming online. 710 00:25:30,350 --> 00:25:32,209 And so how is that going to be? 711 00:25:32,210 --> 00:25:34,519 Well, Trump is not yet 712 00:25:34,520 --> 00:25:35,419 not yet in office. 713 00:25:35,420 --> 00:25:37,849 But we're able to look at a few things 714 00:25:37,850 --> 00:25:40,609 to get an idea of how this is 715 00:25:40,610 --> 00:25:41,869 going to be. 716 00:25:41,870 --> 00:25:43,789 First of all, just on the Apple iPhone 717 00:25:43,790 --> 00:25:46,399 controversy, Trump had a few statements 718 00:25:46,400 --> 00:25:47,359 in the beginning. 719 00:25:47,360 --> 00:25:49,459 He was saying that 720 00:25:49,460 --> 00:25:51,439 who do they think they are? 721 00:25:51,440 --> 00:25:53,899 We have to open up this phone. 722 00:25:53,900 --> 00:25:54,900 And then as the 723 00:25:56,120 --> 00:25:58,309 debate continued, he was 724 00:25:58,310 --> 00:26:00,679 noting that he used both the iPhone and 725 00:26:00,680 --> 00:26:03,479 Samsung and said 726 00:26:03,480 --> 00:26:05,569 we should boycott Apple if 727 00:26:05,570 --> 00:26:08,149 they don't give over the information. 728 00:26:08,150 --> 00:26:10,369 And yet it's 729 00:26:10,370 --> 00:26:11,869 a question of how serious that really 730 00:26:11,870 --> 00:26:12,870 was. 731 00:26:13,310 --> 00:26:15,829 Still tweets from from an iPhone. 732 00:26:15,830 --> 00:26:18,229 This is a picture of him doing a Reddit 733 00:26:18,230 --> 00:26:21,379 AMA after his boycott call and looks 734 00:26:21,380 --> 00:26:23,029 pretty much like a Mac there. 735 00:26:24,620 --> 00:26:27,409 So we can't really tell how serious 736 00:26:27,410 --> 00:26:29,029 this was. 737 00:26:29,030 --> 00:26:31,759 We also have some additional clues 738 00:26:31,760 --> 00:26:33,739 from the nominations that Trump is 739 00:26:33,740 --> 00:26:35,839 putting forward for key positions in 740 00:26:35,840 --> 00:26:37,369 his new government. 741 00:26:37,370 --> 00:26:39,739 The proposed new attorney 742 00:26:39,740 --> 00:26:41,060 general, Jeff Sessions, 743 00:26:42,110 --> 00:26:44,599 well, he has been long in favor 744 00:26:44,600 --> 00:26:45,600 of 745 00:26:46,960 --> 00:26:49,819 law enforcement access to phones. 746 00:26:49,820 --> 00:26:52,369 He felt that Tim Cook, CEO 747 00:26:52,370 --> 00:26:53,989 of Apple, didn't really understand how 748 00:26:53,990 --> 00:26:56,059 serious this was. 749 00:26:56,060 --> 00:26:59,279 And then the new proposed CIA chief, 750 00:26:59,280 --> 00:27:00,349 Mike Pompeo, 751 00:27:01,430 --> 00:27:03,589 he wants to remove barriers to 752 00:27:03,590 --> 00:27:06,709 surveillance and also 753 00:27:06,710 --> 00:27:08,659 was pretty suspicious of somebody who use 754 00:27:08,660 --> 00:27:10,489 strong encryption. 755 00:27:10,490 --> 00:27:12,589 It could be a red flag just if you 756 00:27:12,590 --> 00:27:14,989 use it, which is a pretty dangerous 757 00:27:14,990 --> 00:27:15,990 line of thought. 758 00:27:17,500 --> 00:27:18,759 There was also some efforts in the 759 00:27:18,760 --> 00:27:21,219 legislative world, the Burj Feinstein 760 00:27:21,220 --> 00:27:23,349 bill, that Senators Burr and 761 00:27:23,350 --> 00:27:25,299 Senator Feinstein. 762 00:27:25,300 --> 00:27:26,859 It was actually called the Compliance 763 00:27:26,860 --> 00:27:28,399 with Court Orders Act. 764 00:27:28,400 --> 00:27:31,149 They were trying to sort of key off of 765 00:27:31,150 --> 00:27:33,339 a rhetorical point being made about the 766 00:27:33,340 --> 00:27:35,499 Apple iPhone controversy, 767 00:27:35,500 --> 00:27:36,849 which is we're just asking people to 768 00:27:36,850 --> 00:27:38,559 comply with court orders. 769 00:27:38,560 --> 00:27:41,169 This is this can't be that unreasonable. 770 00:27:41,170 --> 00:27:43,959 But it was actually that unreasonable. 771 00:27:43,960 --> 00:27:45,789 It would require providers to decrypt 772 00:27:45,790 --> 00:27:48,159 things on demand and 773 00:27:48,160 --> 00:27:50,289 on pain of severe penalties 774 00:27:50,290 --> 00:27:52,089 and applies to communications, to 775 00:27:52,090 --> 00:27:53,649 storage. 776 00:27:53,650 --> 00:27:56,019 It applied to the App Store so that if 777 00:27:56,020 --> 00:27:58,269 you were to have your Apple or 778 00:27:58,270 --> 00:28:00,579 Google Play, having an app store, 779 00:28:00,580 --> 00:28:02,379 all the apps that were for sale on that 780 00:28:02,380 --> 00:28:04,539 store would have to have weak 781 00:28:04,540 --> 00:28:06,489 or backdoor crypto, and then you would 782 00:28:06,490 --> 00:28:08,440 need to enforce that. 783 00:28:09,850 --> 00:28:12,009 And it was more than just end to end 784 00:28:12,010 --> 00:28:14,529 and full disk encryption 785 00:28:14,530 --> 00:28:16,629 pretty much as it was drafted, 786 00:28:16,630 --> 00:28:18,849 it would have outlawed computers as 787 00:28:18,850 --> 00:28:20,799 we know them. It was a fairly terrible 788 00:28:20,800 --> 00:28:23,049 bill, but it 789 00:28:23,050 --> 00:28:24,699 fortunately didn't get a whole lot of 790 00:28:24,700 --> 00:28:26,079 traction. 791 00:28:26,080 --> 00:28:28,689 And the rest of Congress 792 00:28:28,690 --> 00:28:30,579 decided to do a little bit of looking 793 00:28:30,580 --> 00:28:32,559 into and having committees look at the 794 00:28:32,560 --> 00:28:36,249 issue and issue reports. 795 00:28:36,250 --> 00:28:39,309 The House Homeland Security 796 00:28:39,310 --> 00:28:41,409 Committee, they made a big 797 00:28:41,410 --> 00:28:43,479 step forward by recognizing that 798 00:28:43,480 --> 00:28:45,369 is more of a security versus security 799 00:28:45,370 --> 00:28:46,370 debate. 800 00:28:48,110 --> 00:28:50,389 They rejected the legislative 801 00:28:50,390 --> 00:28:52,129 fixes and and most importantly, they were 802 00:28:52,130 --> 00:28:54,679 Feinstein we just talked about, 803 00:28:54,680 --> 00:28:57,079 the House Judiciary Committee 804 00:28:57,080 --> 00:28:58,819 recognized that there would be severe 805 00:28:58,820 --> 00:29:00,550 problems with weakening encryption. 806 00:29:01,580 --> 00:29:03,709 They still called for cooperation between 807 00:29:03,710 --> 00:29:05,569 technologists and law enforcement 808 00:29:05,570 --> 00:29:06,889 agencies. 809 00:29:06,890 --> 00:29:09,139 And a little bit dangerously, 810 00:29:09,140 --> 00:29:10,939 they were saying one solution to this 811 00:29:10,940 --> 00:29:12,979 would be compelled decryption by the 812 00:29:12,980 --> 00:29:15,049 user. So rather than going to the 813 00:29:15,050 --> 00:29:17,719 companies and asking for a backdoor 814 00:29:17,720 --> 00:29:20,539 have laws that would insist that 815 00:29:20,540 --> 00:29:23,000 the users decrypt their material under 816 00:29:24,080 --> 00:29:26,449 penalty of criminal penalties. 817 00:29:26,450 --> 00:29:27,859 This is a bit of a dangerous thing for 818 00:29:27,860 --> 00:29:29,689 some other reasons. 819 00:29:29,690 --> 00:29:31,999 But at least in terms of looking 820 00:29:32,000 --> 00:29:34,609 at the availability of technology 821 00:29:34,610 --> 00:29:37,129 in the without back doors, 822 00:29:37,130 --> 00:29:39,049 the committee on the whole was headed in 823 00:29:39,050 --> 00:29:40,050 the right direction. 824 00:29:41,680 --> 00:29:43,449 And that's that's where where it stands 825 00:29:43,450 --> 00:29:45,339 at the moment. 826 00:29:45,340 --> 00:29:47,349 So I want to turn now to the United 827 00:29:47,350 --> 00:29:49,779 Kingdom, the Investigatory 828 00:29:49,780 --> 00:29:52,479 Powers Act. It was for a long time 829 00:29:52,480 --> 00:29:53,829 the Investigatory Powers Bill. 830 00:29:53,830 --> 00:29:55,899 It is now the act is now passed and been 831 00:29:55,900 --> 00:29:58,179 signed off, is often 832 00:29:58,180 --> 00:30:00,639 called the snoopers charter 833 00:30:00,640 --> 00:30:03,039 because it is a broad expansion 834 00:30:03,040 --> 00:30:05,229 of surveillance powers. 835 00:30:05,230 --> 00:30:07,689 It would allow access to communications 836 00:30:07,690 --> 00:30:09,759 data from all sorts of 837 00:30:09,760 --> 00:30:12,309 agencies, the police HQ, 838 00:30:12,310 --> 00:30:14,289 the Ministry of Defense. 839 00:30:14,290 --> 00:30:15,699 They would have access to Internet 840 00:30:15,700 --> 00:30:16,629 connection records. 841 00:30:16,630 --> 00:30:18,399 Internet service providers would have to 842 00:30:18,400 --> 00:30:20,469 store metadata about communications, 843 00:30:20,470 --> 00:30:23,439 made websites you visit, 844 00:30:23,440 --> 00:30:24,640 what time you do it, 845 00:30:25,660 --> 00:30:26,859 all sorts of information. 846 00:30:26,860 --> 00:30:29,199 And that would be stored for up to 12 847 00:30:29,200 --> 00:30:30,309 months. 848 00:30:30,310 --> 00:30:32,589 But then the European 849 00:30:32,590 --> 00:30:34,719 Court of Justice said, nope, 850 00:30:34,720 --> 00:30:35,720 not going to do that 851 00:30:36,990 --> 00:30:37,669 for this. 852 00:30:37,670 --> 00:30:39,250 Yeah, that's a very important ruling. 853 00:30:41,200 --> 00:30:43,599 The European Court of Justice 854 00:30:44,620 --> 00:30:47,649 felt that this went went too far, 855 00:30:47,650 --> 00:30:49,779 that it was general and indiscriminate 856 00:30:49,780 --> 00:30:51,849 retention of emails was 857 00:30:51,850 --> 00:30:54,339 illegal, and they only 858 00:30:54,340 --> 00:30:56,469 allowed for targeted interception 859 00:30:56,470 --> 00:30:58,539 of traffic that is justified 860 00:30:58,540 --> 00:31:00,909 when it is necessary to combat serious 861 00:31:00,910 --> 00:31:03,159 crime. So this was a very 862 00:31:03,160 --> 00:31:05,559 important push back on the snooper's 863 00:31:05,560 --> 00:31:06,859 charter. 864 00:31:06,860 --> 00:31:09,429 Now, for purposes of our talk today, 865 00:31:09,430 --> 00:31:11,709 it does not affect the portions of it 866 00:31:11,710 --> 00:31:13,419 that we're requiring. 867 00:31:13,420 --> 00:31:15,039 Back doors will go over those in just a 868 00:31:15,040 --> 00:31:16,209 second. 869 00:31:16,210 --> 00:31:18,879 And then another important caveat 870 00:31:18,880 --> 00:31:21,369 is that soon the UK 871 00:31:21,370 --> 00:31:23,859 will be leaving the European Union 872 00:31:23,860 --> 00:31:25,629 and maybe pulling out of the jurisdiction 873 00:31:25,630 --> 00:31:27,819 of the European Court of Justice. 874 00:31:27,820 --> 00:31:29,979 So this ruling may not be as 875 00:31:29,980 --> 00:31:31,929 powerful as it might have been, but it 876 00:31:31,930 --> 00:31:33,729 also sets the stage for additional 877 00:31:33,730 --> 00:31:35,589 challenges, hopefully both 878 00:31:36,910 --> 00:31:39,069 to continue pushing back 879 00:31:39,070 --> 00:31:41,739 on the data retention features and 880 00:31:41,740 --> 00:31:44,589 the encryption features in the future. 881 00:31:44,590 --> 00:31:46,899 So what does it say about encryption? 882 00:31:46,900 --> 00:31:49,629 Well, it says some pretty complicated 883 00:31:49,630 --> 00:31:51,039 things that don't really mention 884 00:31:51,040 --> 00:31:52,959 encryption by name. 885 00:31:52,960 --> 00:31:55,869 So this is a quote from the 886 00:31:55,870 --> 00:31:57,789 code of practice, which accompanied the 887 00:31:57,790 --> 00:31:59,919 legislation, and it 888 00:31:59,920 --> 00:32:01,659 talks about some things like technical 889 00:32:01,660 --> 00:32:02,849 pazhani notice, 890 00:32:04,110 --> 00:32:06,219 and that you might have to provide a 891 00:32:06,220 --> 00:32:08,139 technical capacity. 892 00:32:08,140 --> 00:32:10,269 And it is interesting that 893 00:32:10,270 --> 00:32:12,339 it requires you to notify the government 894 00:32:12,340 --> 00:32:14,679 of new products and services in advance 895 00:32:14,680 --> 00:32:15,699 of their launch. 896 00:32:15,700 --> 00:32:17,799 So apparently you need to go get approval 897 00:32:17,800 --> 00:32:19,869 from the UK government before you 898 00:32:19,870 --> 00:32:21,460 launch anything that might have 899 00:32:22,600 --> 00:32:24,280 new encryption technologies. 900 00:32:25,510 --> 00:32:27,069 But it all comes out. What is this thing, 901 00:32:27,070 --> 00:32:30,039 this technical capacity known as well? 902 00:32:30,040 --> 00:32:31,489 The statute defines it a bit. 903 00:32:31,490 --> 00:32:33,639 It is something which is issued by 904 00:32:33,640 --> 00:32:35,319 the secretary of state, better known as 905 00:32:35,320 --> 00:32:37,179 the home secretary. 906 00:32:37,180 --> 00:32:39,549 And after the home secretary 907 00:32:39,550 --> 00:32:41,649 looks at it thoroughly and they 908 00:32:41,650 --> 00:32:43,239 have considered whether it's practicable 909 00:32:43,240 --> 00:32:45,969 to apply, whether it's proportionate 910 00:32:45,970 --> 00:32:47,739 there, to take into account the technical 911 00:32:47,740 --> 00:32:50,469 feasibility and likely cost of complying, 912 00:32:50,470 --> 00:32:51,969 these all sound like pretty good things 913 00:32:51,970 --> 00:32:53,169 for someone to say. 914 00:32:53,170 --> 00:32:55,119 But I'm not sure that the home secretary 915 00:32:55,120 --> 00:32:57,449 is really the best person that is 916 00:32:57,450 --> 00:32:59,799 a position to weigh all those features. 917 00:32:59,800 --> 00:33:02,439 And they may end up having a 918 00:33:02,440 --> 00:33:04,659 lean towards allowing for for 919 00:33:04,660 --> 00:33:07,419 back doors, allowing for 920 00:33:07,420 --> 00:33:09,609 these technical orders to go out. 921 00:33:11,020 --> 00:33:13,119 They also they come with an automatic 922 00:33:13,120 --> 00:33:15,189 gag order so that if somebody 923 00:33:15,190 --> 00:33:16,419 receives one, they're not supposed to 924 00:33:16,420 --> 00:33:18,309 talk about it with anybody, which makes 925 00:33:18,310 --> 00:33:20,409 it hard to organize and 926 00:33:20,410 --> 00:33:22,419 fight back against them. 927 00:33:22,420 --> 00:33:24,549 And then it can be given 928 00:33:24,550 --> 00:33:26,679 to persons outside the United Kingdom. 929 00:33:26,680 --> 00:33:28,809 So in their view, everybody 930 00:33:28,810 --> 00:33:30,639 in the world could get one of these 931 00:33:30,640 --> 00:33:31,780 technical capacity 932 00:33:32,920 --> 00:33:35,109 notices and be required 933 00:33:35,110 --> 00:33:37,089 to well required to do what? 934 00:33:38,200 --> 00:33:39,969 Well, they might have obligations 935 00:33:39,970 --> 00:33:42,039 relating to the oh, it's a back 936 00:33:42,040 --> 00:33:43,040 door. 937 00:33:43,960 --> 00:33:46,059 They want to remove the electronic 938 00:33:46,060 --> 00:33:48,189 protection that the 939 00:33:48,190 --> 00:33:50,469 operator may have put there. 940 00:33:50,470 --> 00:33:51,879 So they've disguised it with a lot of 941 00:33:51,880 --> 00:33:54,069 wording. But in the end, it's a pretty 942 00:33:54,070 --> 00:33:56,409 dangerous provision that may 943 00:33:56,410 --> 00:33:58,779 both be be challenging 944 00:33:58,780 --> 00:34:00,879 for people trying to do business 945 00:34:00,880 --> 00:34:03,129 in the UK and for those who 946 00:34:03,130 --> 00:34:04,569 might not even be doing business in the 947 00:34:04,570 --> 00:34:07,029 UK, but might receive one of these 948 00:34:07,030 --> 00:34:08,948 under that authority and have to wonder, 949 00:34:08,949 --> 00:34:11,049 am I under the jurisdiction, do I have 950 00:34:11,050 --> 00:34:12,669 any business there? 951 00:34:12,670 --> 00:34:13,899 So it's a pretty dangerous thing. 952 00:34:15,460 --> 00:34:17,408 Elsewhere in the EU, things have been 953 00:34:17,409 --> 00:34:19,269 moving on a little bit of a of a slower 954 00:34:19,270 --> 00:34:20,270 track. 955 00:34:20,770 --> 00:34:22,419 The EU justice ministers have been 956 00:34:22,420 --> 00:34:24,459 discussing the issue. 957 00:34:24,460 --> 00:34:27,158 The Justice and Home Affairs Council 958 00:34:27,159 --> 00:34:28,779 discussed it thoroughly. 959 00:34:28,780 --> 00:34:31,238 They looked at different views. 960 00:34:31,239 --> 00:34:33,519 They spoke of the importance of a balance 961 00:34:33,520 --> 00:34:36,099 between individual rights and privacy 962 00:34:36,100 --> 00:34:37,959 and law enforcement agencies. 963 00:34:37,960 --> 00:34:39,669 So it's still under discussion, still 964 00:34:39,670 --> 00:34:41,869 under. Consideration, but hasn't 965 00:34:41,870 --> 00:34:43,579 moved forward, and we had some really 966 00:34:43,580 --> 00:34:45,649 good report out of Inessa, 967 00:34:45,650 --> 00:34:46,790 that is the EU 968 00:34:47,870 --> 00:34:50,419 cybersecurity agency, the Agency 969 00:34:50,420 --> 00:34:53,479 for Network and Information Security, 970 00:34:53,480 --> 00:34:55,609 and they issued a report 971 00:34:55,610 --> 00:34:57,889 earlier this month which rejected back 972 00:34:57,890 --> 00:34:59,419 doors that saw the problems as 973 00:34:59,420 --> 00:35:00,919 outweighing the benefits. 974 00:35:00,920 --> 00:35:03,409 And they recognized it is very difficult 975 00:35:03,410 --> 00:35:05,509 to restrict innovation 976 00:35:05,510 --> 00:35:07,789 through legislation that, you know, even 977 00:35:07,790 --> 00:35:10,489 if you have the best possible 978 00:35:10,490 --> 00:35:12,619 platonic ideal of legislation, 979 00:35:12,620 --> 00:35:14,719 it's still going to be only good for 980 00:35:14,720 --> 00:35:16,459 the technology as it was envisioned the 981 00:35:16,460 --> 00:35:18,649 day that it was passed and will continue 982 00:35:18,650 --> 00:35:20,449 to become more and more outdated over 983 00:35:20,450 --> 00:35:22,519 time. So it's a difficult solution 984 00:35:22,520 --> 00:35:23,809 to to move forward on. 985 00:35:25,450 --> 00:35:28,689 Elsewhere around the world, in April, 986 00:35:28,690 --> 00:35:30,789 compliance began with 987 00:35:30,790 --> 00:35:32,949 the Australian Defense and Strategic 988 00:35:32,950 --> 00:35:34,509 Goods List. 989 00:35:34,510 --> 00:35:36,429 This has a provision which prohibits the 990 00:35:36,430 --> 00:35:38,679 intangible supply of 991 00:35:38,680 --> 00:35:40,209 encryption technologies. 992 00:35:40,210 --> 00:35:41,799 And this has gotten a lot of people very 993 00:35:41,800 --> 00:35:44,469 worried. That expansive definition 994 00:35:44,470 --> 00:35:46,600 will not just be for 995 00:35:47,920 --> 00:35:51,219 actual military technologies, 996 00:35:51,220 --> 00:35:52,929 but might encompass such things as 997 00:35:52,930 --> 00:35:55,299 giving, giving a talk at 998 00:35:55,300 --> 00:35:58,089 a computer conference in India 999 00:35:58,090 --> 00:36:00,189 on the plus side, that they 1000 00:36:00,190 --> 00:36:02,439 had a terrible encryption 1001 00:36:02,440 --> 00:36:04,779 provision that would have required 1002 00:36:04,780 --> 00:36:07,089 companies to retain plain text for 1003 00:36:07,090 --> 00:36:08,449 for a period of time. 1004 00:36:08,450 --> 00:36:11,319 They dropped that requirement and plan, 1005 00:36:11,320 --> 00:36:13,389 but they have proposed something which 1006 00:36:13,390 --> 00:36:15,279 is a little bit, 1007 00:36:16,630 --> 00:36:19,359 well, potentially dangerous. 1008 00:36:19,360 --> 00:36:20,859 Are asking the various phone 1009 00:36:20,860 --> 00:36:23,169 manufacturers to add their 1010 00:36:23,170 --> 00:36:25,689 their internal biometric 1011 00:36:25,690 --> 00:36:29,049 authentication system to their phones. 1012 00:36:29,050 --> 00:36:31,449 This is a system widely used 1013 00:36:31,450 --> 00:36:33,879 in India for authenticating 1014 00:36:33,880 --> 00:36:35,379 people, for receiving government 1015 00:36:35,380 --> 00:36:37,269 services, and they want to integrate it 1016 00:36:37,270 --> 00:36:39,009 into the phones. 1017 00:36:39,010 --> 00:36:41,799 This could open up security holes, 1018 00:36:41,800 --> 00:36:43,869 having some government code on the on 1019 00:36:43,870 --> 00:36:44,979 the phone. 1020 00:36:44,980 --> 00:36:47,739 Apparently, Google, Samsung and Microsoft 1021 00:36:47,740 --> 00:36:50,169 did meet with India, but Apple 1022 00:36:50,170 --> 00:36:51,170 refused to go. 1023 00:36:55,000 --> 00:36:57,129 In Egypt, they started to try to 1024 00:36:57,130 --> 00:36:59,589 block access to the signal 1025 00:36:59,590 --> 00:37:01,659 messaging group, and this 1026 00:37:01,660 --> 00:37:03,309 was this is going to be actually continue 1027 00:37:03,310 --> 00:37:04,509 to be somewhat interesting. 1028 00:37:04,510 --> 00:37:07,059 So after Eagle, Egypt 1029 00:37:07,060 --> 00:37:09,879 blocked that access signal 1030 00:37:09,880 --> 00:37:12,019 released and update, the update 1031 00:37:12,020 --> 00:37:13,689 is using something called the main 1032 00:37:13,690 --> 00:37:15,039 fronting. 1033 00:37:15,040 --> 00:37:17,259 This disguises the signal track 1034 00:37:17,260 --> 00:37:20,259 traffic to look like it's going to 1035 00:37:20,260 --> 00:37:22,209 Google dot com. 1036 00:37:22,210 --> 00:37:24,159 And this makes it much more difficult to 1037 00:37:24,160 --> 00:37:25,509 block. I mean, you can still block it, 1038 00:37:25,510 --> 00:37:27,699 but you'd also have to block all 1039 00:37:27,700 --> 00:37:29,239 of Google. 1040 00:37:29,240 --> 00:37:30,669 And this really ups the stakes for 1041 00:37:30,670 --> 00:37:33,249 censorship that they can't just 1042 00:37:33,250 --> 00:37:35,379 as easily target the one 1043 00:37:35,380 --> 00:37:37,629 system, but have to remove something 1044 00:37:37,630 --> 00:37:39,669 which is used daily by millions of 1045 00:37:39,670 --> 00:37:40,689 people. 1046 00:37:40,690 --> 00:37:42,339 And that makes it harder for for 1047 00:37:42,340 --> 00:37:44,770 government to try and block technology 1048 00:37:46,330 --> 00:37:47,330 like. 1049 00:37:51,450 --> 00:37:54,059 Also, some some good news 1050 00:37:54,060 --> 00:37:56,159 in the Netherlands, they came out 1051 00:37:56,160 --> 00:37:58,559 very strongly 1052 00:37:58,560 --> 00:38:00,060 in favor of encryption 1053 00:38:01,500 --> 00:38:03,719 so that counterbalancing 1054 00:38:03,720 --> 00:38:05,939 some of the efforts to to 1055 00:38:05,940 --> 00:38:08,129 push back on encryption, the United 1056 00:38:08,130 --> 00:38:10,709 Nations issued a report this year 1057 00:38:10,710 --> 00:38:13,679 recognizing that encryption and anonymity 1058 00:38:13,680 --> 00:38:17,009 are necessary for freedom of expression 1059 00:38:17,010 --> 00:38:19,229 and that encryption saves lives. 1060 00:38:19,230 --> 00:38:21,389 Without encryption, lives may 1061 00:38:21,390 --> 00:38:22,530 be endangered. 1062 00:38:25,010 --> 00:38:26,629 And we've also had this year has been 1063 00:38:26,630 --> 00:38:29,029 tremendous for the rollout 1064 00:38:29,030 --> 00:38:31,189 of encryption technologies, so 1065 00:38:31,190 --> 00:38:33,379 WhatsApp has added 1066 00:38:33,380 --> 00:38:35,509 end and encryption by default to 1067 00:38:35,510 --> 00:38:37,309 all of its chats and calls. 1068 00:38:37,310 --> 00:38:39,229 This is over a billion monthly active 1069 00:38:39,230 --> 00:38:41,299 users who are getting encrypted without 1070 00:38:41,300 --> 00:38:44,419 having to do much of anything. 1071 00:38:44,420 --> 00:38:46,519 Facebook has added an encryption 1072 00:38:46,520 --> 00:38:48,769 to their messenger project, but not 1073 00:38:48,770 --> 00:38:50,329 by default. 1074 00:38:50,330 --> 00:38:52,279 So this is this is a half step, but it 1075 00:38:52,280 --> 00:38:53,989 needs to go further. 1076 00:38:53,990 --> 00:38:56,029 Encryption by default is really the gold 1077 00:38:56,030 --> 00:38:56,929 standard. 1078 00:38:56,930 --> 00:38:59,059 Likewise, Google's alow included 1079 00:38:59,060 --> 00:39:01,489 encryption in incognito mode. 1080 00:39:01,490 --> 00:39:02,809 But again, something that you had to 1081 00:39:02,810 --> 00:39:04,129 purposefully select. 1082 00:39:04,130 --> 00:39:06,739 So it's again, a half step 1083 00:39:06,740 --> 00:39:09,079 and then signal has 1084 00:39:09,080 --> 00:39:11,119 their downloads have gone through the 1085 00:39:11,120 --> 00:39:13,399 roof? Apparently they reported a 400 1086 00:39:13,400 --> 00:39:15,889 percent increase in daily downloads 1087 00:39:15,890 --> 00:39:17,030 since November 8th. 1088 00:39:19,280 --> 00:39:20,869 And every man for that. 1089 00:39:23,860 --> 00:39:26,229 And then we've done tremendous progress 1090 00:39:26,230 --> 00:39:28,509 in encryption on the Web, the 1091 00:39:28,510 --> 00:39:30,939 Let's Encrypt project is providing 1092 00:39:30,940 --> 00:39:33,039 certificates to over twenty 1093 00:39:33,040 --> 00:39:34,959 one million websites. 1094 00:39:34,960 --> 00:39:36,609 It is, by some measures, the largest 1095 00:39:36,610 --> 00:39:38,919 certificate authority in the world, and 1096 00:39:38,920 --> 00:39:40,479 it is free. 1097 00:39:40,480 --> 00:39:42,489 So this is a tremendous success. 1098 00:39:47,050 --> 00:39:49,329 More than half of the page loads 1099 00:39:49,330 --> 00:39:51,519 in Firefox and Chrome are using 1100 00:39:51,520 --> 00:39:53,829 https, you can see a chart 1101 00:39:53,830 --> 00:39:56,049 there which shows I think this 1102 00:39:56,050 --> 00:39:58,329 is for, I think 1103 00:39:58,330 --> 00:40:00,729 Firefox and it's causing 1104 00:40:00,730 --> 00:40:02,499 the 50 percent mark over the course of 1105 00:40:02,500 --> 00:40:04,359 the year on various operating system. 1106 00:40:04,360 --> 00:40:06,109 Android is the laggard. 1107 00:40:06,110 --> 00:40:08,079 So hopefully anger can can pick up the 1108 00:40:08,080 --> 00:40:09,489 steam. 1109 00:40:09,490 --> 00:40:11,619 But nevertheless, it is a 1110 00:40:11,620 --> 00:40:13,359 good positive trend. 1111 00:40:13,360 --> 00:40:15,519 And then if you look different measure on 1112 00:40:15,520 --> 00:40:17,649 time that 1113 00:40:17,650 --> 00:40:19,899 two thirds of people's time is spent 1114 00:40:19,900 --> 00:40:21,159 on secure websites. 1115 00:40:23,220 --> 00:40:25,349 So what what do we see looking 1116 00:40:25,350 --> 00:40:27,869 forward in twenty seventeen? 1117 00:40:27,870 --> 00:40:30,239 Well, we'll probably see more 1118 00:40:30,240 --> 00:40:32,439 technical assistance laws. 1119 00:40:32,440 --> 00:40:34,289 One of the things that policymakers have 1120 00:40:34,290 --> 00:40:36,389 learned from the the first crypto 1121 00:40:36,390 --> 00:40:38,999 wars is that it's dangerous 1122 00:40:39,000 --> 00:40:41,579 to actually propose a specific 1123 00:40:41,580 --> 00:40:43,019 solution. 1124 00:40:43,020 --> 00:40:44,399 So when they came out with the Clipper 1125 00:40:44,400 --> 00:40:46,709 chip in the 90s, this was quickly 1126 00:40:46,710 --> 00:40:49,049 attacked, revealed to be vulnerable and 1127 00:40:49,050 --> 00:40:51,539 then disregarded as a good idea. 1128 00:40:51,540 --> 00:40:53,549 And so they've moved to a different 1129 00:40:53,550 --> 00:40:54,509 model. 1130 00:40:54,510 --> 00:40:56,189 Rather than provide a target which could 1131 00:40:56,190 --> 00:40:58,949 be attacked is to say 1132 00:40:58,950 --> 00:41:00,689 the technology companies need to learn 1133 00:41:00,690 --> 00:41:02,819 harder and figure out how 1134 00:41:02,820 --> 00:41:04,919 to give us the assistance so that 1135 00:41:04,920 --> 00:41:06,239 we can get access. 1136 00:41:06,240 --> 00:41:08,639 And they create laws similar 1137 00:41:08,640 --> 00:41:11,369 to what the Investigatory Powers 1138 00:41:11,370 --> 00:41:14,279 Bill has tried to do, requiring 1139 00:41:14,280 --> 00:41:16,349 technical assistance without 1140 00:41:16,350 --> 00:41:17,879 any specific of how that will be 1141 00:41:17,880 --> 00:41:19,619 accomplished. It's just up to the 1142 00:41:19,620 --> 00:41:21,809 companies to figure it out. 1143 00:41:21,810 --> 00:41:23,939 There also will be a lot more public 1144 00:41:23,940 --> 00:41:26,159 pressure where there 1145 00:41:26,160 --> 00:41:29,099 have been pushes for compromise 1146 00:41:29,100 --> 00:41:30,509 things saying, well, you really don't 1147 00:41:30,510 --> 00:41:32,769 want a bill like that, 1148 00:41:32,770 --> 00:41:35,129 that these bills that would require 1149 00:41:35,130 --> 00:41:36,149 you to weaken encryption. 1150 00:41:36,150 --> 00:41:37,829 So you should just go ahead and weaken it 1151 00:41:37,830 --> 00:41:40,079 ahead of time to forestall the bills, 1152 00:41:40,080 --> 00:41:41,969 which will be worse. 1153 00:41:41,970 --> 00:41:44,429 Also putting pressure on whenever 1154 00:41:44,430 --> 00:41:46,559 there would be a big 1155 00:41:46,560 --> 00:41:48,989 controversy, trying to highlight 1156 00:41:48,990 --> 00:41:50,429 that encryption may have made it 1157 00:41:50,430 --> 00:41:52,079 difficult for law enforcement. 1158 00:41:52,080 --> 00:41:54,269 These pressures will continue to 1159 00:41:54,270 --> 00:41:55,049 exist. 1160 00:41:55,050 --> 00:41:57,329 And then in some places, some 1161 00:41:57,330 --> 00:41:59,699 countries where they are very 1162 00:41:59,700 --> 00:42:02,579 upset on 1163 00:42:02,580 --> 00:42:05,519 how people have been using 1164 00:42:05,520 --> 00:42:07,289 the technologies, they'll continue to 1165 00:42:07,290 --> 00:42:09,599 have blockages 1166 00:42:09,600 --> 00:42:10,600 that will 1167 00:42:11,820 --> 00:42:13,799 like in Brazil, where they have blocked 1168 00:42:13,800 --> 00:42:15,749 WhatsApp three times over the course of 1169 00:42:15,750 --> 00:42:17,969 the year, where they've arrested 1170 00:42:17,970 --> 00:42:20,069 some of the executives saying 1171 00:42:20,070 --> 00:42:21,569 you have to give us the information, even 1172 00:42:21,570 --> 00:42:22,859 though they know that it's technically 1173 00:42:22,860 --> 00:42:23,909 impossible for them to give that 1174 00:42:23,910 --> 00:42:25,709 information, these pressures will 1175 00:42:25,710 --> 00:42:28,019 continue to exist and 1176 00:42:28,020 --> 00:42:30,599 we'll see more attacks on the endpoint. 1177 00:42:30,600 --> 00:42:32,369 Where we have law enforcement is going to 1178 00:42:32,370 --> 00:42:34,499 be continue to work in a world where 1179 00:42:34,500 --> 00:42:36,299 there is strong encryption, then the way 1180 00:42:36,300 --> 00:42:38,079 around that is to get to the endpoint. 1181 00:42:38,080 --> 00:42:40,199 So we'll see more and more use of 1182 00:42:40,200 --> 00:42:42,719 malware and more and more importance 1183 00:42:42,720 --> 00:42:44,789 and people looking not just at making 1184 00:42:44,790 --> 00:42:46,829 sure they're using encrypted tools, but 1185 00:42:46,830 --> 00:42:49,439 they are using good security advice 1186 00:42:49,440 --> 00:42:51,719 to avoid being attacked and phished 1187 00:42:51,720 --> 00:42:52,720 as best they can. 1188 00:42:55,170 --> 00:42:57,089 Another important prediction, I think 1189 00:42:57,090 --> 00:42:59,189 that free and open source software is 1190 00:42:59,190 --> 00:43:01,469 here to stay, that for a lot 1191 00:43:01,470 --> 00:43:03,719 of these laws and policy things, they're 1192 00:43:03,720 --> 00:43:05,909 less effective when going into open 1193 00:43:05,910 --> 00:43:07,139 source projects. 1194 00:43:07,140 --> 00:43:09,779 There often aren't companies to 1195 00:43:09,780 --> 00:43:11,969 put pressure upon 1196 00:43:11,970 --> 00:43:14,279 that. If you attempt to legislate a 1197 00:43:14,280 --> 00:43:16,409 requirement for a back door, it's 1198 00:43:16,410 --> 00:43:17,459 going to be ineffective. 1199 00:43:17,460 --> 00:43:19,229 Even if somebody decided they had to put 1200 00:43:19,230 --> 00:43:21,599 the backdoor into the open source code 1201 00:43:21,600 --> 00:43:23,109 when so many compiles it, they could 1202 00:43:23,110 --> 00:43:25,319 always comment out that section. 1203 00:43:25,320 --> 00:43:27,929 So it's pretty ineffective to go at them. 1204 00:43:27,930 --> 00:43:29,339 The real challenge for some of these 1205 00:43:29,340 --> 00:43:31,529 software projects is in 1206 00:43:31,530 --> 00:43:33,209 deployment, getting them out into the 1207 00:43:33,210 --> 00:43:35,669 hands of billions of people, 1208 00:43:35,670 --> 00:43:38,129 making them usable, making them 1209 00:43:38,130 --> 00:43:40,199 as as part of people's daily lives. 1210 00:43:41,250 --> 00:43:43,589 And then an important thing for moving 1211 00:43:43,590 --> 00:43:43,859 forward. 1212 00:43:43,860 --> 00:43:45,509 How we should move forward is that 1213 00:43:45,510 --> 00:43:47,219 policymakers can be reached. 1214 00:43:47,220 --> 00:43:49,829 We've seen when there have been 1215 00:43:49,830 --> 00:43:51,809 some policymakers who have taken the time 1216 00:43:51,810 --> 00:43:54,119 to get experts views, conduct 1217 00:43:54,120 --> 00:43:56,339 hearings, investigate the issue, then 1218 00:43:56,340 --> 00:43:58,139 we're starting to see things more like 1219 00:43:58,140 --> 00:44:00,269 it's really security versus security. 1220 00:44:00,270 --> 00:44:02,549 We can encryption can harm security. 1221 00:44:02,550 --> 00:44:04,199 Their important interests here are at 1222 00:44:04,200 --> 00:44:04,979 play. 1223 00:44:04,980 --> 00:44:07,079 And this is a 1224 00:44:07,080 --> 00:44:08,849 positive step forward. 1225 00:44:08,850 --> 00:44:10,469 It's fighting against a strong lobby. 1226 00:44:10,470 --> 00:44:12,179 Law enforcement agencies are a very 1227 00:44:12,180 --> 00:44:14,489 powerful lobby and legislators 1228 00:44:14,490 --> 00:44:17,189 look to them very seriously. 1229 00:44:17,190 --> 00:44:19,379 But technologist's views can make 1230 00:44:19,380 --> 00:44:20,380 a difference. 1231 00:44:21,060 --> 00:44:23,099 So what you can do well, if you're a 1232 00:44:23,100 --> 00:44:25,409 coder, include 1233 00:44:25,410 --> 00:44:27,869 default and encryption in 1234 00:44:27,870 --> 00:44:29,819 any products that you have wherever 1235 00:44:29,820 --> 00:44:32,009 wherever it needs to be, and 1236 00:44:32,010 --> 00:44:34,349 also work on usability. 1237 00:44:34,350 --> 00:44:36,719 Making it accessible for 1238 00:44:36,720 --> 00:44:39,719 billions is a key point 1239 00:44:39,720 --> 00:44:40,889 for websites. 1240 00:44:40,890 --> 00:44:42,329 Encrypt all the things. 1241 00:44:42,330 --> 00:44:45,269 Start using search bot 1242 00:44:45,270 --> 00:44:47,249 support as a program that works with 1243 00:44:47,250 --> 00:44:48,989 Let's Encrypt that makes it easy to set 1244 00:44:48,990 --> 00:44:51,329 up a cert on a website used. 1245 00:44:51,330 --> 00:44:52,709 Let's encrypt. There's really no excuse 1246 00:44:52,710 --> 00:44:54,989 anymore to have a website 1247 00:44:54,990 --> 00:44:57,150 that doesn't have Ayckbourn's 1248 00:44:58,230 --> 00:45:00,029 and then for individuals, well, you can 1249 00:45:00,030 --> 00:45:02,579 use encryption in your daily lives. 1250 00:45:02,580 --> 00:45:05,339 We saw before that the nominated CIA 1251 00:45:05,340 --> 00:45:07,409 director was suggesting that the use of 1252 00:45:07,410 --> 00:45:09,719 strong encryption might be a red flag. 1253 00:45:09,720 --> 00:45:11,819 Well, if everybody is using encryption 1254 00:45:11,820 --> 00:45:14,009 all the time, it becomes less of a 1255 00:45:14,010 --> 00:45:16,319 red flag to try to incorporate 1256 00:45:16,320 --> 00:45:18,539 encryption as much as possible to 1257 00:45:18,540 --> 00:45:20,669 make it less of a red flag that someone 1258 00:45:20,670 --> 00:45:22,349 is using that technology. 1259 00:45:22,350 --> 00:45:24,419 And then keep active. 1260 00:45:24,420 --> 00:45:26,699 Pay attention to what's going on, help 1261 00:45:26,700 --> 00:45:28,229 defend encryption by talking to 1262 00:45:28,230 --> 00:45:30,389 policymakers, signing petitions, 1263 00:45:30,390 --> 00:45:32,760 paying attention and being a participant. 1264 00:45:33,870 --> 00:45:34,870 Thank you very much. 1265 00:45:52,120 --> 00:45:54,489 Feel free to queue over the microphones 1266 00:45:54,490 --> 00:45:55,920 over there if there is any question 1267 00:45:57,190 --> 00:45:58,599 we've got already something on microphone 1268 00:45:58,600 --> 00:45:59,600 one. 1269 00:46:00,360 --> 00:46:01,360 Yeah. 1270 00:46:01,810 --> 00:46:02,810 Doesn't work that. 1271 00:46:04,450 --> 00:46:06,159 The microphone one. 1272 00:46:09,130 --> 00:46:11,559 Yeah, thanks for your great talk. 1273 00:46:11,560 --> 00:46:13,029 That was really, really interesting to 1274 00:46:13,030 --> 00:46:15,309 see how F and 1275 00:46:15,310 --> 00:46:17,559 your colleagues are battling bad ideas 1276 00:46:17,560 --> 00:46:20,409 to the Stiffle 1277 00:46:20,410 --> 00:46:22,959 encryption. I have one question that 1278 00:46:22,960 --> 00:46:25,569 addresses the argument that 1279 00:46:25,570 --> 00:46:27,789 if encryption is 1280 00:46:27,790 --> 00:46:29,859 illegal, only the bad guys use 1281 00:46:29,860 --> 00:46:30,819 encryption. 1282 00:46:30,820 --> 00:46:31,989 Do you think this argument, which 1283 00:46:31,990 --> 00:46:34,239 basically means it makes no sense to 1284 00:46:34,240 --> 00:46:36,249 pass laws against encryption because 1285 00:46:36,250 --> 00:46:37,929 those who want to break the law won't 1286 00:46:37,930 --> 00:46:39,819 respect that law either? 1287 00:46:39,820 --> 00:46:42,009 Do you think this argument has 1288 00:46:42,010 --> 00:46:45,189 has gotten enough traction, for example, 1289 00:46:45,190 --> 00:46:47,799 among lawmakers in Washington? 1290 00:46:47,800 --> 00:46:49,569 Have you heard of any conclusive 1291 00:46:49,570 --> 00:46:51,309 counterargument to that line? 1292 00:46:51,310 --> 00:46:53,469 Well, what I've seen is, is that a 1293 00:46:53,470 --> 00:46:54,369 you raise a good point. 1294 00:46:54,370 --> 00:46:56,409 Well, first of all, the tautology, if 1295 00:46:56,410 --> 00:46:58,119 encryption is illegal, then indeed anyone 1296 00:46:58,120 --> 00:47:00,099 who uses it would be a criminal because 1297 00:47:00,100 --> 00:47:01,509 to be a criminal by virtue of using 1298 00:47:01,510 --> 00:47:02,979 encryption. 1299 00:47:02,980 --> 00:47:05,049 But I think that one 1300 00:47:05,050 --> 00:47:06,279 of the things that policymakers are 1301 00:47:06,280 --> 00:47:08,439 really trying to do is get to 1302 00:47:08,440 --> 00:47:10,659 the most widely deployed 1303 00:47:10,660 --> 00:47:11,589 encryption. 1304 00:47:11,590 --> 00:47:13,719 So they may recognize that 1305 00:47:13,720 --> 00:47:15,549 there will be open source projects, that 1306 00:47:15,550 --> 00:47:16,719 people will be able to download 1307 00:47:16,720 --> 00:47:18,129 encryption made outside of their 1308 00:47:18,130 --> 00:47:20,109 jurisdiction, that they won't be able to 1309 00:47:20,110 --> 00:47:22,479 stop and that the 1310 00:47:22,480 --> 00:47:24,699 the bad guys will be able to find 1311 00:47:24,700 --> 00:47:26,979 and use those technologies. 1312 00:47:26,980 --> 00:47:29,229 But they still want to make it a 1313 00:47:29,230 --> 00:47:31,719 lot easier to get access to 1314 00:47:31,720 --> 00:47:33,369 things which are widely deployed, where 1315 00:47:33,370 --> 00:47:34,899 there are billions of users. 1316 00:47:34,900 --> 00:47:35,979 And I think one of the things you can 1317 00:47:35,980 --> 00:47:38,079 infer from that is that it's not 1318 00:47:38,080 --> 00:47:39,429 just about targeted 1319 00:47:40,600 --> 00:47:43,089 decryption going after a known 1320 00:47:43,090 --> 00:47:45,159 bad guy, but they want to be 1321 00:47:45,160 --> 00:47:47,499 able to have ready access to mass 1322 00:47:47,500 --> 00:47:48,579 communications. 1323 00:47:48,580 --> 00:47:50,649 And it ties in with some of the 1324 00:47:50,650 --> 00:47:52,539 attempts to sort of predict who would be 1325 00:47:52,540 --> 00:47:54,729 bad by looking at information before 1326 00:47:54,730 --> 00:47:56,709 it happens, which raises its own civil 1327 00:47:56,710 --> 00:47:57,710 liberties concerns. 1328 00:47:58,960 --> 00:47:59,960 Microphone for. 1329 00:48:01,950 --> 00:48:04,269 Hey, the assumption 1330 00:48:04,270 --> 00:48:06,459 that you had is that we are living 1331 00:48:06,460 --> 00:48:08,769 in a democracy, so this struggle 1332 00:48:08,770 --> 00:48:10,929 between you guys and the government 1333 00:48:10,930 --> 00:48:12,819 is going to be a healthy one. 1334 00:48:12,820 --> 00:48:15,429 But the transition from a democratic 1335 00:48:15,430 --> 00:48:18,579 to something like authoritarian, 1336 00:48:18,580 --> 00:48:20,529 like in Turkey, it seems to be like 1337 00:48:20,530 --> 00:48:21,519 really fast. 1338 00:48:21,520 --> 00:48:23,829 Do you have any, like, 1339 00:48:23,830 --> 00:48:26,169 plan B, anything 1340 00:48:26,170 --> 00:48:28,269 for the case that something 1341 00:48:28,270 --> 00:48:29,589 like that might happen? 1342 00:48:29,590 --> 00:48:32,439 I mean, except from like Second 1343 00:48:32,440 --> 00:48:34,769 Amendment rights and like 1344 00:48:34,770 --> 00:48:36,219 that kind of stuff. But do you have any 1345 00:48:36,220 --> 00:48:38,409 plans that we could 1346 00:48:38,410 --> 00:48:40,659 have for a case like 1347 00:48:40,660 --> 00:48:42,849 a group of reactionary 1348 00:48:42,850 --> 00:48:44,959 politicians slash 1349 00:48:44,960 --> 00:48:47,139 the rights of of a democratic 1350 00:48:47,140 --> 00:48:47,979 society? 1351 00:48:47,980 --> 00:48:50,139 Yeah, I mean, this is one 1352 00:48:50,140 --> 00:48:52,209 of the reasons why you want to have 1353 00:48:52,210 --> 00:48:54,639 encryption widely available 1354 00:48:54,640 --> 00:48:56,829 when you can is so that if 1355 00:48:56,830 --> 00:48:58,899 later things move into an authoritarian 1356 00:48:58,900 --> 00:49:01,509 mode, that those things are already 1357 00:49:01,510 --> 00:49:03,159 widely deployed. 1358 00:49:03,160 --> 00:49:04,959 For those who are living in authoritarian 1359 00:49:04,960 --> 00:49:07,029 regimes, encryption very 1360 00:49:07,030 --> 00:49:09,579 directly can help save their lives by 1361 00:49:09,580 --> 00:49:11,499 protecting their their information from 1362 00:49:11,500 --> 00:49:13,809 being tracked and observed by 1363 00:49:13,810 --> 00:49:14,979 by the authorities. 1364 00:49:14,980 --> 00:49:17,019 They might want to put opposition figures 1365 00:49:17,020 --> 00:49:19,239 in jail for the mere act of opposing 1366 00:49:19,240 --> 00:49:20,949 the government. 1367 00:49:20,950 --> 00:49:23,049 The challenges there are dealing 1368 00:49:23,050 --> 00:49:24,279 with things like that. 1369 00:49:24,280 --> 00:49:26,379 Using encryption might be seen as a as 1370 00:49:26,380 --> 00:49:28,449 a red flag that, you 1371 00:49:28,450 --> 00:49:29,679 know, if you get stopped by the police, 1372 00:49:29,680 --> 00:49:31,449 they're going to want to get onto your 1373 00:49:31,450 --> 00:49:33,549 phone. They may 1374 00:49:33,550 --> 00:49:35,889 use strong measures 1375 00:49:35,890 --> 00:49:37,659 to try and get your passcode. 1376 00:49:37,660 --> 00:49:39,999 So even if it has the best encryption on 1377 00:49:40,000 --> 00:49:41,379 the device in the world, if they're going 1378 00:49:41,380 --> 00:49:42,969 to beat you with a rubber hose until you 1379 00:49:42,970 --> 00:49:45,189 give up the password, this isn't 1380 00:49:45,190 --> 00:49:46,599 going to help. So these are very challenging 1381 00:49:46,600 --> 00:49:47,709 things. 1382 00:49:47,710 --> 00:49:49,239 But I think that the best thing that you 1383 00:49:49,240 --> 00:49:51,939 can do ahead of time 1384 00:49:51,940 --> 00:49:54,879 is make it so that everybody is using 1385 00:49:54,880 --> 00:49:57,009 encryption as much as possible so 1386 00:49:57,010 --> 00:49:58,419 that it becomes less suspicious that 1387 00:49:58,420 --> 00:50:00,639 someone is using it and having it be tied 1388 00:50:00,640 --> 00:50:02,139 into widely used products that they would 1389 00:50:02,140 --> 00:50:04,299 feel bad about blocking. 1390 00:50:04,300 --> 00:50:05,769 So that's why it's nice that there's 1391 00:50:05,770 --> 00:50:07,539 encryption and things like Facebook 1392 00:50:07,540 --> 00:50:08,829 Messenger and WhatsApp. 1393 00:50:09,890 --> 00:50:12,219 And then after a country 1394 00:50:12,220 --> 00:50:15,219 has already gone into the authoritarian, 1395 00:50:15,220 --> 00:50:17,589 it is those who are outside that country 1396 00:50:17,590 --> 00:50:19,749 who are providing technologies in 1397 00:50:19,750 --> 00:50:20,889 should try and make sure that those 1398 00:50:20,890 --> 00:50:23,280 technologies are effective and secure. 1399 00:50:24,650 --> 00:50:25,650 Um. 1400 00:50:27,150 --> 00:50:29,309 We've got a question from Iasi 1401 00:50:29,310 --> 00:50:31,529 and it's what 1402 00:50:31,530 --> 00:50:33,389 is your view on so-called warrant proof 1403 00:50:33,390 --> 00:50:34,859 devices? I'm not actually sure what 1404 00:50:34,860 --> 00:50:37,079 what's meant by this search warrant proof 1405 00:50:37,080 --> 00:50:39,389 devices warrant and whether 1406 00:50:39,390 --> 00:50:42,089 they will remain legal in the future. 1407 00:50:42,090 --> 00:50:44,249 Well, so this this was what Comey was 1408 00:50:44,250 --> 00:50:45,269 referring to. 1409 00:50:45,270 --> 00:50:46,559 He didn't want to have a world where 1410 00:50:46,560 --> 00:50:48,059 there was something that was warrant 1411 00:50:48,060 --> 00:50:49,559 proof. 1412 00:50:49,560 --> 00:50:51,629 And I think that 1413 00:50:51,630 --> 00:50:53,789 I'm in favor of having full 1414 00:50:53,790 --> 00:50:56,099 disk encryption on phones where 1415 00:50:57,540 --> 00:50:59,459 that the government, you know, they can 1416 00:50:59,460 --> 00:51:01,589 try it under their own power to 1417 00:51:01,590 --> 00:51:02,789 try and get in. That's what happened. 1418 00:51:02,790 --> 00:51:05,459 But they shouldn't be able to compel 1419 00:51:05,460 --> 00:51:07,799 the provider to 1420 00:51:07,800 --> 00:51:08,759 change its code. 1421 00:51:08,760 --> 00:51:10,769 And calling it about whether something is 1422 00:51:10,770 --> 00:51:13,529 warrant proof is a is a rhetorical device 1423 00:51:13,530 --> 00:51:15,719 that the government is using to try and 1424 00:51:15,720 --> 00:51:17,999 set it up as a discussion about the rule 1425 00:51:18,000 --> 00:51:20,159 of law or whether a warrant should be 1426 00:51:20,160 --> 00:51:22,109 effective. But it's missing the larger 1427 00:51:22,110 --> 00:51:23,319 policy issues. 1428 00:51:23,320 --> 00:51:25,409 And so I guess in some sense, 1429 00:51:25,410 --> 00:51:26,699 when they talk about something as being 1430 00:51:26,700 --> 00:51:28,829 warrant proof, that may be a side effect. 1431 00:51:28,830 --> 00:51:29,999 What happens when you have strong 1432 00:51:30,000 --> 00:51:32,219 encryption, but it is 1433 00:51:32,220 --> 00:51:33,509 not really hitting to the heart of the 1434 00:51:33,510 --> 00:51:34,510 policy debate. 1435 00:51:36,910 --> 00:51:39,099 Hi, on the subject 1436 00:51:39,100 --> 00:51:41,139 of rhetoric, it seems like in the past 1437 00:51:41,140 --> 00:51:43,599 year or so, but more about two years, 1438 00:51:43,600 --> 00:51:45,519 we've heard a lot about strong encryption 1439 00:51:45,520 --> 00:51:46,899 versus weak encryption. 1440 00:51:46,900 --> 00:51:48,489 And it seems like it's going to be more 1441 00:51:48,490 --> 00:51:50,649 and more a tool used by those 1442 00:51:50,650 --> 00:51:53,229 in power to tell us, well, the bad guys, 1443 00:51:53,230 --> 00:51:54,729 they're the only people who need strong 1444 00:51:54,730 --> 00:51:56,709 encryption. You, the common folk, the 1445 00:51:56,710 --> 00:51:58,449 good people, you only need the normal 1446 00:51:58,450 --> 00:51:59,769 encryption. What would you go for? 1447 00:51:59,770 --> 00:52:01,599 The bad one. So I think you've touched on 1448 00:52:01,600 --> 00:52:03,369 that on that subject, but maybe you could 1449 00:52:03,370 --> 00:52:05,309 tell us a bit more about it. 1450 00:52:05,310 --> 00:52:06,759 Yes, I think I'm mean, strong encryption 1451 00:52:06,760 --> 00:52:07,989 is really what we need. 1452 00:52:07,990 --> 00:52:09,669 And we've seen actually the terrible 1453 00:52:09,670 --> 00:52:12,069 effects of this when there was a 1454 00:52:12,070 --> 00:52:14,229 misguided attempt to have weak and strong 1455 00:52:14,230 --> 00:52:16,599 encryption in the 90s where there was 1456 00:52:16,600 --> 00:52:18,759 export grade encryption and 1457 00:52:18,760 --> 00:52:20,829 domestic grade encryption out of the 1458 00:52:20,830 --> 00:52:22,029 United States. 1459 00:52:22,030 --> 00:52:24,099 And so Netscape Navigator 1460 00:52:24,100 --> 00:52:26,529 had a weakened 1461 00:52:26,530 --> 00:52:28,869 international version only with fifty 1462 00:52:28,870 --> 00:52:31,239 six K strong 1463 00:52:31,240 --> 00:52:34,719 keys, 56 bit keys. 1464 00:52:34,720 --> 00:52:36,849 And then that that turned out to be 1465 00:52:36,850 --> 00:52:39,009 sort of an unwise policy move. 1466 00:52:39,010 --> 00:52:41,229 They said, well, this will be good enough 1467 00:52:41,230 --> 00:52:43,089 for the average person. 1468 00:52:43,090 --> 00:52:44,289 And I think there's a couple of things to 1469 00:52:44,290 --> 00:52:45,459 think about that one as we've seen it 1470 00:52:45,460 --> 00:52:47,299 happen in a kind of failed. 1471 00:52:47,300 --> 00:52:49,419 But the second one is that, you know, 1472 00:52:49,420 --> 00:52:50,769 if you're trying to protect yourselves 1473 00:52:50,770 --> 00:52:52,839 now, you have to protect yourself from a 1474 00:52:52,840 --> 00:52:55,059 wide variety of threats and 1475 00:52:55,060 --> 00:52:56,979 you're gonna need strong encryption from 1476 00:52:56,980 --> 00:52:57,909 those threats. 1477 00:52:57,910 --> 00:53:00,189 And they may be an authoritarian regime. 1478 00:53:00,190 --> 00:53:02,589 It might be a computer 1479 00:53:02,590 --> 00:53:05,049 criminal, but the value 1480 00:53:05,050 --> 00:53:07,569 of strong encryption is there for 1481 00:53:07,570 --> 00:53:09,699 all these threats and deliberately 1482 00:53:09,700 --> 00:53:11,919 weak encryption. Every time that it has 1483 00:53:11,920 --> 00:53:14,049 come out, it has turned out to be far 1484 00:53:14,050 --> 00:53:15,639 more of a disaster than the government 1485 00:53:15,640 --> 00:53:17,139 has predicted. 1486 00:53:17,140 --> 00:53:18,140 Thanks, microphone one, 1487 00:53:19,270 --> 00:53:21,339 hello. So we've seen that 1488 00:53:21,340 --> 00:53:22,899 governments try again and again to pass 1489 00:53:22,900 --> 00:53:25,269 legislation that weakens encryption, 1490 00:53:25,270 --> 00:53:27,489 what would need to happen so that they 1491 00:53:27,490 --> 00:53:29,559 can't try to pass such 1492 00:53:29,560 --> 00:53:30,919 legislation again and again? 1493 00:53:30,920 --> 00:53:32,369 And are we moving to that direction? 1494 00:53:33,910 --> 00:53:35,319 Well, I think there's there's not much 1495 00:53:35,320 --> 00:53:37,599 that's going to stop them from trying 1496 00:53:37,600 --> 00:53:39,549 because they're facing pressures from 1497 00:53:39,550 --> 00:53:41,709 from law enforcement. 1498 00:53:41,710 --> 00:53:42,969 So I guess, you know, we're moving that 1499 00:53:42,970 --> 00:53:44,229 that pressure, but that seems very 1500 00:53:44,230 --> 00:53:46,329 difficult. But I think the 1501 00:53:46,330 --> 00:53:47,799 key is to 1502 00:53:48,910 --> 00:53:51,129 try and convince policymakers 1503 00:53:51,130 --> 00:53:53,199 to actually pass after 1504 00:53:53,200 --> 00:53:54,999 pass anything at all, pass something that 1505 00:53:55,000 --> 00:53:57,219 encourages the development and use 1506 00:53:57,220 --> 00:53:58,809 of encryption. 1507 00:53:58,810 --> 00:54:00,939 You know, I think I'm very heartened by 1508 00:54:00,940 --> 00:54:03,219 the Dutch government's response 1509 00:54:03,220 --> 00:54:04,929 where they were strongly in favor of 1510 00:54:04,930 --> 00:54:07,569 encryption and the EU 1511 00:54:07,570 --> 00:54:09,519 cybersecurity, the network information 1512 00:54:09,520 --> 00:54:11,799 security group also 1513 00:54:11,800 --> 00:54:13,569 coming out strongly in favor of 1514 00:54:13,570 --> 00:54:15,879 encryption to get the policymakers ahead 1515 00:54:15,880 --> 00:54:18,069 of time, be looking at this as something 1516 00:54:18,070 --> 00:54:20,529 that is beneficial to have 1517 00:54:20,530 --> 00:54:22,779 so that there's less incentive to go 1518 00:54:22,780 --> 00:54:24,790 and push for further weaken encryption. 1519 00:54:27,200 --> 00:54:29,059 I'm sorry to burst your bubble, but the 1520 00:54:29,060 --> 00:54:31,309 Dutch passed a law last week 1521 00:54:31,310 --> 00:54:34,249 that allows us to hack into any 1522 00:54:34,250 --> 00:54:36,799 hackable device and 1523 00:54:36,800 --> 00:54:38,899 that allows the 1524 00:54:38,900 --> 00:54:41,179 government to buy backdoor 1525 00:54:41,180 --> 00:54:42,679 software from companies. 1526 00:54:44,060 --> 00:54:46,099 All right. Well, so I try to keep this 1527 00:54:46,100 --> 00:54:47,449 thing is up to date as possible, but 1528 00:54:47,450 --> 00:54:51,249 thank you for that information. 1529 00:54:51,250 --> 00:54:52,879 And, well, I think that is something that 1530 00:54:52,880 --> 00:54:54,949 is is in line with 1531 00:54:54,950 --> 00:54:57,709 going after the endpoints so that 1532 00:54:57,710 --> 00:54:59,959 even if you do have a strong 1533 00:54:59,960 --> 00:55:02,209 encryption along the way, attacks 1534 00:55:02,210 --> 00:55:05,299 on the endpoint are a common government 1535 00:55:05,300 --> 00:55:07,429 solution to try 1536 00:55:07,430 --> 00:55:09,520 and get around that difficulty. 1537 00:55:12,140 --> 00:55:13,879 We've got one more question from Iasi, 1538 00:55:13,880 --> 00:55:15,349 which goes into a similar vein like this 1539 00:55:15,350 --> 00:55:17,509 one, What could we do 1540 00:55:17,510 --> 00:55:20,030 to stop all politicians from 1541 00:55:21,170 --> 00:55:23,299 wrong, not just wrong actions, but 1542 00:55:23,300 --> 00:55:25,399 simple politics, like 1543 00:55:25,400 --> 00:55:27,359 in the vein of the Berlin attacks? 1544 00:55:27,360 --> 00:55:29,119 Again, they were asking for more video 1545 00:55:29,120 --> 00:55:30,829 surveillance, which clearly does not 1546 00:55:30,830 --> 00:55:32,449 prevent attacks like this. 1547 00:55:32,450 --> 00:55:34,249 What can we do on a political level to 1548 00:55:34,250 --> 00:55:36,319 stop our politicians from trying to enact 1549 00:55:36,320 --> 00:55:38,689 laws that are basically orthogonal 1550 00:55:38,690 --> 00:55:40,189 to the problem? 1551 00:55:40,190 --> 00:55:41,869 Yeah, this is this is a very common 1552 00:55:41,870 --> 00:55:43,249 thing. 1553 00:55:43,250 --> 00:55:46,069 Whenever there is is an incident around 1554 00:55:46,070 --> 00:55:47,629 the world, especially something like a 1555 00:55:47,630 --> 00:55:49,909 terrorist attack, legislators feel a very 1556 00:55:49,910 --> 00:55:52,459 strong desire to do something 1557 00:55:52,460 --> 00:55:54,649 about it and and 1558 00:55:54,650 --> 00:55:56,839 that something may 1559 00:55:56,840 --> 00:55:59,689 not be directly 1560 00:55:59,690 --> 00:56:00,690 related to 1561 00:56:02,750 --> 00:56:04,789 the problem, but they will be able to go 1562 00:56:04,790 --> 00:56:06,089 back to their constituents, the people 1563 00:56:06,090 --> 00:56:08,119 who vote for it and said, well, I did 1564 00:56:08,120 --> 00:56:09,499 something. 1565 00:56:09,500 --> 00:56:11,899 And part of that is educating 1566 00:56:11,900 --> 00:56:14,389 the voters so they are less fooled 1567 00:56:14,390 --> 00:56:15,529 by this behavior. 1568 00:56:15,530 --> 00:56:17,329 And to get people active and calling 1569 00:56:17,330 --> 00:56:19,609 their representatives and telling 1570 00:56:19,610 --> 00:56:21,889 them that they want 1571 00:56:21,890 --> 00:56:24,319 to have strong encryption, 1572 00:56:24,320 --> 00:56:26,209 that they don't want these kinds of 1573 00:56:26,210 --> 00:56:28,009 measures. The other thing that can 1574 00:56:28,010 --> 00:56:30,679 sometimes be effective is legislators 1575 00:56:30,680 --> 00:56:33,019 don't like to look stupid. 1576 00:56:33,020 --> 00:56:35,209 And so if they are doing something which 1577 00:56:35,210 --> 00:56:37,879 is a technologically bad 1578 00:56:37,880 --> 00:56:40,489 response to a given area and you can show 1579 00:56:40,490 --> 00:56:42,769 how it is ineffective, that 1580 00:56:42,770 --> 00:56:45,289 can sometimes help you understand 1581 00:56:45,290 --> 00:56:47,150 that it was sort of a bad move. 1582 00:56:51,830 --> 00:56:54,109 This argument is often 1583 00:56:54,110 --> 00:56:55,340 portrayed as 1584 00:56:57,260 --> 00:56:59,959 between citizens and governments, 1585 00:56:59,960 --> 00:57:02,329 and I'd like to propose another argument 1586 00:57:02,330 --> 00:57:04,219 and ask what you think of it, which is 1587 00:57:04,220 --> 00:57:05,220 that. 1588 00:57:06,970 --> 00:57:08,859 Foreign nation states are actually a 1589 00:57:08,860 --> 00:57:11,229 bigger threat than crime, 1590 00:57:11,230 --> 00:57:13,599 and therefore states 1591 00:57:13,600 --> 00:57:16,449 need into encryption more than 1592 00:57:16,450 --> 00:57:18,519 anyone else, and therefore they should 1593 00:57:18,520 --> 00:57:20,889 get on the side of being pro encryption 1594 00:57:20,890 --> 00:57:21,890 because they need it to. 1595 00:57:23,670 --> 00:57:25,739 Absolutely, I think that 1596 00:57:25,740 --> 00:57:27,419 something so sometimes that that is 1597 00:57:27,420 --> 00:57:28,679 actually an argument can work with 1598 00:57:28,680 --> 00:57:30,879 legislatures where they they're 1599 00:57:30,880 --> 00:57:33,749 they're not so worried about 1600 00:57:33,750 --> 00:57:35,759 the citizens directly, but they're 1601 00:57:35,760 --> 00:57:37,169 interested in the balance of power 1602 00:57:37,170 --> 00:57:38,909 between nation states. 1603 00:57:38,910 --> 00:57:40,889 And this has come up in some of the back 1604 00:57:40,890 --> 00:57:43,019 door discussions where, you know, 1605 00:57:43,020 --> 00:57:45,119 if you provide a back door to one 1606 00:57:45,120 --> 00:57:46,889 government, let's say you think this is a 1607 00:57:46,890 --> 00:57:49,019 great democratic government that only use 1608 00:57:49,020 --> 00:57:50,459 this power wisely. 1609 00:57:50,460 --> 00:57:53,279 What do you do when the other governments 1610 00:57:53,280 --> 00:57:54,399 try to ask for that? 1611 00:57:54,400 --> 00:57:56,039 You know, do they give them the same 1612 00:57:56,040 --> 00:57:58,259 access? And some 1613 00:57:58,260 --> 00:58:00,029 legislatures will understand there 1614 00:58:00,030 --> 00:58:01,949 actually is a very important national 1615 00:58:01,950 --> 00:58:04,499 security component to having widely 1616 00:58:04,500 --> 00:58:06,509 available strong encryption. 1617 00:58:06,510 --> 00:58:08,399 And I think that, you know, an example 1618 00:58:08,400 --> 00:58:10,679 that that comes to mind 1619 00:58:10,680 --> 00:58:12,119 is that there's been a lot of emails 1620 00:58:12,120 --> 00:58:14,459 released from the Democratic 1621 00:58:14,460 --> 00:58:16,949 National Committee in the United States 1622 00:58:16,950 --> 00:58:18,869 that maybe now when they think back on 1623 00:58:18,870 --> 00:58:20,459 it, maybe we should have encrypted that 1624 00:58:20,460 --> 00:58:23,039 information, maybe we should have put 1625 00:58:23,040 --> 00:58:24,659 stronger resistance. 1626 00:58:24,660 --> 00:58:26,979 It's very difficult to fight against 1627 00:58:26,980 --> 00:58:29,039 a nation state attacker, but at 1628 00:58:29,040 --> 00:58:30,749 least you can make that a difficult job 1629 00:58:30,750 --> 00:58:31,750 for them. 1630 00:58:32,870 --> 00:58:34,009 Hi, thanks for your talk. 1631 00:58:34,010 --> 00:58:36,469 I was quite curious to hear about the 1632 00:58:36,470 --> 00:58:38,839 fact that there is actually an act 1633 00:58:38,840 --> 00:58:41,149 in the United States that governs 1634 00:58:41,150 --> 00:58:42,649 the use of vulnerabilities. 1635 00:58:42,650 --> 00:58:44,179 Are there similar acts throughout the 1636 00:58:44,180 --> 00:58:45,649 rest of the world? I think it would be 1637 00:58:45,650 --> 00:58:47,629 amazing if we can enact a sea change that 1638 00:58:47,630 --> 00:58:48,949 made it a buyback. 1639 00:58:48,950 --> 00:58:50,479 So I should be clear, the vulnerable is 1640 00:58:50,480 --> 00:58:52,819 equities process is not a legislative 1641 00:58:52,820 --> 00:58:54,949 act. That is something that that came 1642 00:58:54,950 --> 00:58:56,509 from the executive. 1643 00:58:56,510 --> 00:58:57,589 So it was 1644 00:58:59,390 --> 00:59:02,029 not commanded by the legislature, 1645 00:59:02,030 --> 00:59:04,129 but rather done 1646 00:59:04,130 --> 00:59:06,679 on its own authority by the executive 1647 00:59:06,680 --> 00:59:08,929 branch, in part to 1648 00:59:08,930 --> 00:59:10,729 to mollify some of the critics who have 1649 00:59:10,730 --> 00:59:12,889 said that 1650 00:59:12,890 --> 00:59:14,329 they should be reporting more more 1651 00:59:14,330 --> 00:59:15,979 vulnerabilities. 1652 00:59:15,980 --> 00:59:18,349 So it is something 1653 00:59:18,350 --> 00:59:20,479 that one could put into 1654 00:59:20,480 --> 00:59:23,269 a legislative process to require 1655 00:59:23,270 --> 00:59:25,799 governments to go through that balancing 1656 00:59:25,800 --> 00:59:27,079 and make sure they do it. 1657 00:59:27,080 --> 00:59:28,759 But I'm not aware of any legislation that 1658 00:59:28,760 --> 00:59:29,760 is yet proposed that. 1659 00:59:35,300 --> 00:59:36,259 Don, thank you. 1660 00:59:36,260 --> 00:59:37,819 All right, thank you, everybody. 1661 00:59:37,820 --> 00:59:38,820 Pleasure to be here.