tv Today in Washington CSPAN May 28, 2013 8:00am-9:01am EDT
8:00 am
8:01 am
civilian leadership that's able to produce 96,000 airplanes in 944. >> sunday, june 2nd, two-time pulitzer prize-winning author and journalist rick atkinson will take your calls, e-mails and tweets on "in depth" live at noon eastern on c-span2. >> a mars exploration summit focusing on the challenges facing a manned mission to mars. but first, a discussion on how government surveillance is affecting online privacy. >> i am extremely pleased to have a very distinguished group of panelists who, actually, many of them have flown in from different parts of the country. it's a particularly interesting group today because we have technologists, we've got researchers, we've got an activist, and we have a lawyer. so we have what i think of as
8:02 am
the perfect spectrum of digital rights defenders sitting in one room today willing to talk to you very frankly about their thoughts on government surveillance, what the problems are, and what you and i should be trying to do about it and whether or not there's even anything we can do about it. i'm hoping to sort of move back and forth free flow style between government surveillance issues and privacy issues as far as consumer and corporate collection of data. and so as this sort of moves along, feel free to, again, write your questions down. i'm going to go through and introduce people, and then we're just going to jump into it. i know a lot of panels like to have long introductory remarks by folks, and i promise you this one has been the only one you guys will have to suffer through. so our first panelist is -- [inaudible] raise your hand.
8:03 am
[laughter] >> she is a senior research fellow at the new america foundation's institute including the potential harmful aspects of internet adoption due to data mining, data profiling and other forms of online surveillance and privacy-invasive practices. she's a longtime contributor and ally of the media justice movement. peter is policy counsel for access where he manages telecom advocacy advancing the dialogue toward a more rights-respecting, telecommunications environment worldwide. a lawyer by training, peter also tracks and campaigns new cyber crime laws in countries from peru to iraq. jonathan mayer is a graduate student in computer science and law at stanford university where he is a cybersecurity fellow at the center for international
8:04 am
security cooperation and a junior affiliate scholar, and kade is at the aclu of massachusetts where she quarterbacks the -- [inaudible] and defending core first and fourth amendments and due process rights. i wanted to kick off this discussion by describing one of the major surveillance battles that we've been facing over the last few years, and it's a story that's particularly close to my heart which is the story of mark klein. mark klein was a 64-year-old retired at&t technician who came out publicly including coming to my organization with schematics, plans, detailed blueprints from at&t's folsom street facilities in san francisco. and these plans showcased a
8:05 am
secret room based in at&t's facilities. it was locked on the inside. we've actually seen pictures of it. and inside this room was a fiber optic splitter that created a copy of the internet communications of americans and sent it to the national security agency. kade, i wanted you to kick off this panel by talking about what is the national security agency, what does this kind of surveillance mean for everyday users? >> sure. thanks, diane. thanks, everybody, for waking up so early to talk about this scary subject. i hope it doesn't give you nightmares. so, yeah. the nsa is an organization that is extremely secretive. we actually don't even know how much money we spend on the nsa. there are about 30,000 employees. it's larger than the cia. it's a really huge bureaucracy actually. and, you know, over the past 12 years since 9/11, we've learned
8:06 am
a substantial amount about what the ci -- what the nsa, rather, has been doing only because of people who have left the nsa and blown the whistle on some of the abuses going on there. i'm going to give you a brief chronology of what's happened since 9/11. so after 9/11 we now know the nsa took the gloves off, is how people have described it. and that's to say the nsa for a long time its mandate was to surveil overseas communications, right? to look for, you know, information in foreign countries though, you know, the nsa could, in other words, listen to people in england having conversations with people in pakistan or in sweden without warrants. this has been the case for a long time. but the nsa's first amendment, as whistleblower thomas drake has said, was for a long time that the nsa never spied on
8:07 am
americans without warrants. that changed after 9/11. the gloves came off, and suddenly they were sucking up vast quantities of our internet and phone conversations, you know, data mining them looking for so-called terrorist patterns. and, you know, essentially, operating a dragnet spying operation which included the private communications of americans and doing so without specific warrants. so we learned that, actually, too late, much too late in 2005 as a result of a new york times story that broke that news to the public. "the new york times," by the way, it's important to say at a media conference, "the new york times" sat on that story for a full year. they knew, you know, they had received information about what was going on before the 2004 election, and they did not tell the public until after the election. they did that on purpose. they said that they did it because the journalists needed
8:08 am
more time to research the story at the request of the bush administration. it's pretty clear they did it to beat until after the election, right? so anyway, in 2005 this is what we learned. later there was a massive outcry in this country, you know, opposing this warrantless surveillance, so what does congress do but enshrine it into law in 2008 with the fisa amendments act. essentially, this legalized this warrantless spying program. not only that, it also immunized companies like at&t who had, as rainey's described, provided the nsa with information without warrants. congress protected them from lawsuits. so the fisa amendment act, yeah, of 2008. so that was 2008, right? just recently in december --
8:09 am
well, i should back up again and say the day that the fisa amendment act passed and was signed into law, the aclu filed a lawsuit opposing it. there have been recent developments just within the past few months that are extremely important as they pertain to the nsa's surveillance. one of them is that in december of 2012 just days after christmas when everybody in this country was paying zero attention to what was going on in the news, congress rushed through a reauthorization of the fisa amendments act with hardly any debate. it's really just shameful, actually, what congress has done in this respect. so passed the fisa amendments act through without any of the, you know, very, very minimal privacy and transparency amendments that some sort of valiant senators had proposed. so we now are stuck with the act through 2017. there will be no debate about this law, there is no opportunity to challenge it now
8:10 am
because just this past february the supreme court ruled in a 5-4 decision that the aclu's lawsuit challenging fisa amendments act could not even be heard on the merits because our clients, a group of human rights lawyers, activists, journalists who, essentially, said to the government, look, you know, we believe because you're spying on american communications with foreigners without warrants that our private communications that are very, very sensitive having to do with people whose human rights have been abused by the u.s. government, lawyers who are handling, you know, cases at gitmo, they said, you know, we think you're spying on our communications, we think it's unconstitutional, we want to sue. the supreme court said 5-4 you don't even have an opportunity to sue because you can't prove you've been spied on. so this is a catch-22. it's sort of garish and nightmarish, the kind of legal situation we've found ourselves
8:11 am
in. congress and the courts have abdicated responsibility and, you know, that is a much larger problem. i think that some of the things that we're going to talk about on this panel will elucidate that. you know, congress has -- if they've done anything in the surveillance and privacy space, it's been to make things worse. and, you know, we have a whole separate set of issues which i think peter's going to talk about about the electronic communications privacy act which are so obsolete that they, essentially, don't protect our e-mails from warrantless government searches. so congress hasn't acted to update privacy law, to bring it into the 21st century. and on the other hand, has actually set us way, way back by doing things like passing the fisa amendments act again for five years without any debate, without any transparency or any kind of amendment. the last thing i just want to say about that is that people like bill binney who devised, actually, some of the data mining programs who's a whistleblower, left the agency,
8:12 am
has now said that he believes the nsa's going beyond even what fisa allows which is to say he believes the nsa's sucking up all of our communications, even domestic to domestic and, you know, essentially maintains a file of every e-mail, phone call, text message. what he has described as sort of a totalitarian society could be turned on with the flip of a switch, is what he says. that the systems are all in place. the nsa is building a data center in the middle of the desert in utah which is going to be able to hold all of the digital information in the world for a hundred years. so after i've really uplifted your spirit, i'm going to pass the mic back. [laughter] >> thank you, kade. [laughter] so i wanted to read something. i wanted to read the fourth amendment of the constitution which is supposed to protect people from unreasonable search and seizure. it says the right of the people
8:13 am
to be secure in their persons, houses, papers and effects against unreasonable searches and seizures shall not be violated, and no warrant shall issue but upon probable cause supported by oath or affirmation and particularly describing the place to be searched and the person or things to be seized. peter, you're a lawyer. how can the government be doing all those things that kade described and engaged in this kind of mass surveillance without running afoul of the united states constitution? >> um, thanks for the question. it's a good one. i just want to, yeah, take a step back and look at the fourth amendment. which i think is pretty good. it sets out the substance, unreasonable searches and seizures. it talks a little bit about what it covers, papers, effects, and
8:14 am
it sets out some procedural aspects as well. so, you know, all things told, this was a pretty good principle to put in place, and i'll talk a little bit about the limitations, but i just want to acknowledge that it set up a pretty good system whereby this one principle could be reinterpreted for the years to come. a couple of the limitations, though, i want to highlight are structurally the amendments weren't designed to protect us from corporations, perhaps because they didn't exist. and the structural limitation i could talk about personally for losing data to a corporation. so i just want to say in the summer of 2001 i had some computer problems. it was crashing, so i sent my machine in to a computer manufacturer in texas, and then i went and studied abroad.
8:15 am
while i was over there, 9/11 occurred. a couple months later my mom got a message back while i was abroad that suspicious literature had been found on my machine. the computer came back sans hard drive. so, you know, either a pretty crafty postman took my hard drive -- [laughter] or, so i'm very privileged, i was able to buy a new machine. but fourth amendment was not designed to protect me from that very unreasonable search and seizure of my hard drive, because it applies to the government. the second limitation is, you know, the language. unreasonable, what does that mean? it's left to judges to decide. what does it cover? it talks about your house, your papers, effects. it doesn't talk about things in the cloud, as we all know. so, um, one of the -- yeah, what i wanted to lead to was one of
8:16 am
the interpretations of unreasonable searches and that is what's known as the third party consent doctrine. in the '60s courts were starting to get hip to wiretapping and starting to draw the bounds of, you know, the fourth amendment talks about our houses. but what happens when we leave our houses? what happens when data leaves the house? and talk about the bounds of public and private. one of the decisions, the miller case, looked at bank records, information you share with an institution like a bank, and saw that you consented to share that information with them and decided that your consent would carry over for whatever ways that institution wanted to share your information, be it with the government or third parties. so that became known as the third party consent doctrine. it's got some corollaries with wiretapping, and it has a lot of
8:17 am
implications these days. because we share so much. you know, we're transmitting information right now that we're sharing with our telecommunications providers. perhaps the equipment makers. we don't necessarily know the extent. and the government is able to use this doctrine to get at that data because of the way the fourth amendment has been interpreted. more specifically, about ten years later the stored communications act became part of ecpa, the electronic communications privacy act. this was dealing largely with e-mail which kind of really was at the forefront. and its authors saw that e-mail was being downloaded from servers onto people's machines and tried to come up with a threshold for when that e-mail, that stored data, the content
8:18 am
information, that possibly sensitive business information of ours, when that was no longer so sensitive. and came up with a 180-day limit. because if you didn't download something and you left it on some server, you obviously didn't want it, right? >> so the goal of ecpa was to protect privacy. >> it's called the privacy act. >> yes. that was put in place in 1986 to protect privacy. >> yeah. so things have changed, but congress hasn't caught up. and that law is still in place. and so the government can without a warrant, with simply a subpoena which just can be issued by an attorney, doesn't go before a judge, can access that content information. and there's a number of other laws, patchworks that have been stretched, wrangled and really destroyed in order to kind of adapt to this internet age that's the mass amount of
8:19 am
electronic communication. and these laws were not designed for today's day. >> rainey, can i just say, i mean, it's true that congress has thus far failed to update ecpa, but that might change very soon actually. so if you're not already, you all should join the e-mail list of access and the aclu, and you will receive e-mail action alerts. we actually, it seems like we might actually get a warrant for all e-mail within the next couple of years or maybe even sooner than that. this has been a long-running battle, and i think we might actually win. so, please, get involved. call your legislators, tell them that you want your e-mail protected with a warrant standard, because i think it might actually happen. so that's some good news. >> um, well, i second that. so i wanted to talk in particular about the role that corporations are playing in
8:20 am
government surveillance, because i think we've already started to see a hint of that. we talked about how at&t had put together a secret room and fiber optic splitters, and if there's nothing else you walk away with this panel, i want you to know there's an important role that corporations play in allowing this type of thing to take place. wikileaks began releasing documents about the surveillance industry, and today they've released 287 files on their web site about this, documents they call the spy files. these documents detail the activities of surveillance companies, the companies that reveal the backbone of governments in egypt, libya, china and other places. and i wanted to read a little portion. they said the industry is in practice unregulated. intelligence agencies, military forces and police authorities are able to silently and en
8:21 am
masse and secretly intercept calls and take over computers without the help or knowledge of the telecommunications providers. users' physical locations can be tracked if they are carrying a mobile phone even if it's only on standby. jonathan, you're a technologist. can you talk to us about how this is actually happening? how are these companies able to take over computers to physically track locations with phones? how does this work? >> all right. so in short, it's not that hard. technical surveillance is, is something that the internet was to a rough approximation not built to withstand. the internet was built to be resilient against parts of it stopping functioning. it's very good at connecting networks of different types. but there aren't really privacy
8:22 am
or security guarantees built in. and so if some entity whether it's an internet service provider or a government that sits between you and whoever you're talking to decides they would like to accept your traffic, modify your traffic, to a first approximation, the internet's not going to do much to help you out. the way computer scientists think about these problems tends to be in layers. so there is a layer that represents the physical connection between your device and a network, then there's a layer that represents the internet protocol, it's the protocol that all devices on the internet speak, above that there's some applications that you may be running that are talking to each other. and at each of those layers there's a possibility of compromise, in fact, building in various sorts of back doors, and there's also the possibility of building in various sorts of privacy and security guarantees. and so while it's easy to build
8:23 am
intrusive technologies, it also turns out it's not too hard to build technologies that provide protection for users in ways that perhaps the legislatures in this country and other countries and the courts have been somewhat reluctant to do. and so i want to briefly touch on some of the protections that may exist at any of those layers to help think through this in very roughly the way a computer scientist would. the three properties are confidentiality, integrity and authenticity. so the idea of confidentiality is someone else can't read your communications. the integrity being someone hasn't tampered with them and authenticity being that you're talking to who you think you're talking to. actually, there have been good ways of guaranteeing these properties for a number of years, very well-studied problems in computer science.
8:24 am
but it turns out while in theory these properties are fairly easy to -- are fairly well conceptualized, in practice they're actually kind of hard to implement. so this brings me to the second point i wanted to be sure to address about consumer protection or user protection as against interception, modification by companies or government. so it's really easy to get this stuff wrong. and so the best way to protect yourself against some sort of surveillance is having it vetted. there are plenty of experts who spend all their time making sure these technologies are implemented correctly. and there are some technologies that have been thoroughly vetted. there are many that have not though. so, for example, you may have seen in the news over the past few days some discussion of whether the government can intercept imessage communications, apple's chat protocol. and it's not entirely clear in
8:25 am
part because the imessage protocol isn't documented, it hasn't been vetted, and that's why the conventional wisdom among computer security experts tends to be you should hold off on making bold claims about what is or isn't interception-proof until we have a much better idea of what's going on. so let me give a concrete example of that, research that was done in my lab at stanford looking at implementations of secure web communications by mobile apps. so in theory these properties of confidentiality, integrity and authenticity are fairly well solved in the web. if you've used a browser, some folks are prefixed with https instead of http, that means your browser's making some attempts to guarantee those properties. in the process, they had not actually checked the identity of who they were communicating
8:26 am
with. so there was a bug in these programs. as long as a server responded with some valid https response -- not necessarily identifying itself as who the mobile app was talking to -- then the app would go ahead and chat away, share user credentials, share user information. so this is a great example of secure in practice, or secure in theory, insecure in practice. the last point i want to touch on in the design of these technologies that could protect users in ways that the courts or legislators have not is in their design. the first component of that being whether it's a security property as between users or devices, so providing these guarantees between the users and devices using the system. so is communication encrypted, authenticated from, you know, my
8:27 am
phone to whoever i'm talking to's phone or is it encrypted and authenticated to whoever the cloud provider is for this messaging system. but then once it's in the cloud, the message might no longer be encrypted. so if government were listening in to the communication between my phone and the cloud, they couldn't get anything. but the government could, for example, order disclosure by the cloud provider. so let me give a concrete example of a time when this has come into play. the david petraeus gmail debacle involved a communication service, gmail, that is secure from a user to the cloud. so gmail used https. the nsa presumably -- not that they would have, but suppose they could presumably have not intercepted the e-mails going from david petraeus' computer to google. but, of course, law
8:28 am
enforcement could show up at google with a warrant, valid warrant, and google could produce those e-mails. this is actually the very ambiguity that's playing out now in the imessage news coverage. there's an open question -- open in part because the imessage protocol isn't documented -- when apple says it's secure, are they talking about user to user or user to cloud? so if law enforcement went to apple and asked for historical imessages, could they provide them? we don't have a good answer right now. okay. so the very last point i wanted to make on design considerations touches on user experience. and increasingly i think many computer security researchers are recognizing this is kind of the whole enchilada. no matter how well you design a system in theory or practice, if it's not very usable, then you haven't really accomplished much. and so let me give some concrete examples of where user experience has gone a long way
8:29 am
in security and privacy. so there's a feature in the firefox web browser called do not track that is intended to limit data collection and use by third party web sites, web sites you don't interact with. in firefox 4 it was under the advanced practices menu. so seemingly kind of meaningless user interface change. just a different tab. it actually looks like very roughly that moving the check box from advanced to privacy doubled the uptake of this feature from its initial release. so user interface matters a lot. another concrete example, there is a feature in the safari web browser that blocks information that might be used to track the browser around the web by default. there are somewhat similar features in the other major web
8:30 am
browsers, but they're not enabled by default. roughly 80-90% of safari users have third party cookie blocking enabled. and i think it's, you know, i'm an apple user, and i don't think that makes me smarter than anyone else when it comes to configuring my privacy settings. [laughter] so i think what gets sometimes bandied about is ludicrous. no. 80-90% versus 1-2%, it's the user interface. and the last example i want to give is this update to firefox that just moved into alpha yesterday. it's a patch i wrote that implements a feature very similar to the safari cookie-blocking feature by default. so presumably will increase
8:31 am
adoption rates as users from the low digits up to the high digits. and unsurprisingly, the response from companies negatively impacted by this change that are in the business of collecting consumer information of this sort very hostile. the initial response from one of the trade group vps i think it was called a nuclear first strike or something like that. yeah. and that's all about user interface. firefox has had a third party cookie-blocking option for nearly a decade, but because users don't have to go hunting for it, the game has totally changed. so that's the closing note i wanted to make sure to include. that even if you have this right in theory and practice, it really takes very careful design work to make sure users can actually take advantage of one of these systems. >> rainey, can i answer that question in a slightly different way? >> yes. >> okay. so you guys should really check out the wikileaks spy files
8:32 am
because they're really -- crazy stuff is in there. essentially, what they are is a series of promotional materials produced by these companies that make highly advanced surveillance equipment for government. so some of these -- and they're like powerpoint presentations in there that these companies have produced which they presumably trot out to the nsa and the cia and the fbi when they want to sell this stuff. and it's incredibly revealing. you can see that there are programs that exist that enable, you know, law enforcement and intelligence agencies to bug your phone in a way that not only, um, allows the government to see what you're doing and, you know, read your e-mails and intercept all your communications, but also turn the microphone of your phone on, right, when you're not using it to eavesdrop on you just when you're talking to someone in the same room, to take over the camera and take video surreptitiously.
8:33 am
all kinds of crazy stuff. this is the interception side where the government supposedly goes to google, and then there's also the government installing malware on your machine, right? that's a whole separate issue. so they can actually turn your own computer against you. and i just, you know, i think one of the really key things to note about what these, all of these promotional materials say if you look through them is they all say, you know, we provide lawful interception capabilities to government, right? what does lawful interception mean in the united states in 2013? it's not pretty. so, you know, until we change the laws to reflect the basic, you know, principle of american justice which is that unless the government has individualized suspicion to believe we're involved in a crime and shows that evidence to a judge and gets a warrant, they should not be involved in our business, right? we don't actually have assurances right now that that's
8:34 am
what's happening. so anytime you hear a lawful interception, be wary. >> i just, i want to really quick, would the user -- anyone on the panel, would the user realize that their computer was bugged in this way? would somebody talking on their cell phone be able to tell at a glance? everyday users, somebody that doesn't have the ability to kind of -- does the everyday user see, is there any way they would know? >> well, it makes your phone hot, that's one thing. literally. you know, if you're not using your phone and you touch it and it's warm, that's a warning that something's going on, that someone's using your phone while you're not using it. i think the same is also true with computers. if you find that there's a computer running somewhere on your computer that's taking up all kinds of disc space and you can't figure out what it is, that might also be a warning. jonathan? >> whoever wrote the malware wasn't very good.
8:35 am
[laughter] malware has gotten a lot more sophisticated in the past decade plus. if an entity really wanted to go out of its way to compromise an end user's device in a way that was fairly surreptitious and had access to what in the field's jargon are called zero day exploits, so exploits that are not generally known, have not been, have not been patched yet or if a user happens to be running old software and there are old exploits that could be used, it certainly could be very possible to take over a device. and i want to be -- i'm really glad kade raised this, because i want to make sure i caveat everything i said about security in theory and in practice and the design of security with at the point of which your computer, your phone or your tablet has been compromised, the technical term for the security
8:36 am
properties you've gotten are hosed. [laughter] you are out of luck. you are hosed. >> i'm going to jump in here to piggyback on not just the conversations that have -- >> [inaudible] >> am i not talking into the microphone? thanks. so i want to jump on to what jonathan was saying about theory and security in practice because that, um, that touches upon some of the work that i do. and i also want to simultaneously try and ground the conversation potentially in a different way than it's been talked about thus far. i'm a senior researcher focusing on online surveillance and private issues as rainey mentioned at the new america foundation's open technology institute. and for the past year i've been looking at, if we want to call them a user community -- i
8:37 am
wouldn't necessarily use those words, but a specific portion of the population that doesn't have access to the internet or is thinking about using the internet or internet-enabled devices for the first time. and so within this world of new users of the internet, i think issues of privacy and online surveillance are perhaps thought about in a slightly different way. so, you know, a lot of the conversation here and among surveillance or privacy advocates -- not surveillance advocates, but you know what i mean. [laughter] has been around thinking about rights and individual rights. and, you know, the relationship, for example, between having private communications and being able to dissent as an individual in free speech rights and all of that. and i think what i'm seeing in the field as i go out and talk to people is that, first of all,
8:38 am
it's not just about rights, it's really about power because the way in which both technical features of surveillance are enabled by corporations and then the practices that are put into place by either government or corporations that do surveilling and data mining and targeting and tracking and so forth, that affects, too, existing social inequalities. and i think that's a -- that's something important to foreground in this conversation. it means that surveillance and privacy are not just about individuals, they're about communities. so, again, the communities i'm interested in are the communities that don't have access to the internet or are just coming online for the first time. sit at the intersection of a variety of inequalities. they exist -- they live in communities with high incarceration rates, they have, you know, the school -- the public schools around them are
8:39 am
closing, they have low literacy rates. there are a number of problems that they confront on a day-to-day basis. so when you're talking about, jonathan, the security and practice concept, most of the security solutions or the privacy-protecting solutions that are in place right now are a complete failure for the end users that i'm looking at, right? they simply just do not have both the time and the know-how to download tor and use it, to use a plug-in, to use -- >> [inaudible] from oh, well, i'll leave somebody else to talk about that. i don't want to get into that just yet. [laughter] so, you know, the types of tools that are out there for people to use to protect themselves are really out of reach. i've looked at a number of
8:40 am
communities both through classroom observation, you know, people that are taking classes, intro to computer and the internet for the first time, i've talked to people in public libraries and senior centers and anti-poverty organizations. this is not what people are thinking of, first and foremost. they come to the internet, and the type of surveillance that's in place is invisible to them. perhaps even more invisible to the average internet consumer or the average internet user. and they're a long way away from being able to understand how these practices of surveillance and corporate tracking take place. you know, if you're learning how to use the computer for the first time, you spend a lot of time literally trying to figure out where the cursor is on the screen and how to drag it to the other side of the screen, right?
8:41 am
so i've sat in classes where instructors are trying to get people registered to an e-mail account, right? and there are all sorts of problems that are involved in there, right? some people don't know how to type on the keyboard, there are spelling mistakes, they need to ask the instructor how to design a password. the password is then recorded on a piece of paper that the instructor has, you know, the instructor may, for example, tell people to run through the privacy policies and consistent with other research on how infrequently people pay attention to terms of service agreements or privacy policies, they just click through it. it doesn't mean anything to them. what i'm trying to say is that for this portion of the population, learning is really, really slow. that's not to say that people can't learn or won't learn, it's that the expectations that i think a lot of people have
8:42 am
around learning how to be the, you know, perfect privacy-protecting end user is simply out of reach. and it's something that we have to think about it as we're pushing these conversations forward thinking about who the most vulnerable populations are and also thinking about end users. the other thing that i want to say is that in the research that i'm doing a lot of the communities that i've seen, for them privacy is really a luxury. it's not -- people don't think about their first or fourth amendment rights, right? they come in to a public access center. you know, say, for example, a library. they're under pressure to fill out their benefits forms. they will ask the library provider to help them register for an e-mail account. they don't have one, right? again, all of this divulging of personal information happens over and again. and then on top of that, they're divulging more information to the benefits providers whether
8:43 am
it's for family assistance or, you know, for unemployment or otherwise. to, you know, again, reveal bits and pieces of their lives in ways that the ordinary or average internet, excuse me, internet user isn't normally subjected to. and i think when the conditions of your internet use are, when your entry into the internet is under a condition of chronic surveillance, there's a problem, right? and we need to think about how we of that problem collectively. >> jonathan wants to respond. i just want to remind everybody that if you want to participate in the twitter discussion going on, the hashtag is ncmrpriv. you can also submit questions there. jonathan, did you want to respond? >> yeah. i'm really glad to see the sensitivity to knock among users. one thing i want to make sure
8:44 am
very related is the issues on levels of -- >> talk into the microphone. >> language in some cases may be different. so, too, the rule of law may be very different in foreign countries and the very legitimacy of government may be very different. so whatever the merits of american law in this space, i promised i was going to wear my tech hat today. so i'm not trying to opine on that. i think we can all agree practices in other countries are really pretty concerning, china, iran and so on. what we learned after the fact about tunisia. and this, in fact, has given rise to some tensions within the federal government around user protections against surveillance. so, for example, tor, that's an anonymizing tool that operates at the network level, so below applications, above the physical
8:45 am
link between your devices and the network, was funded in part by the department of defense. and the state department has given out, i believe it's tens of millions of dollars to projects to promote privacy and security tools for use overseas. meanwhile, we hear from the department of justice that there's a need to revise federal law, in particular the communications assistance to law enforcement act that would require certain forms of back doors for authorized surveillance. >> what do you mean by back door? spell it out. >> so intentionally-designed loopholes in the guarantees i talked about earlier. so if you have a system that's designed to provide confidentiality, integrity and authenticity, you build in from
8:46 am
the get go some way of undermining those very properties. >> so that -- >> so that, for example, if government were to show up with a warrant, then the provider of the service would be in a position to provide government with whatever information it requested. so an example of this in practice might be skype which for a long time did have some very -- at least it's generally understood to have had very good security and privacy properties. and following the acquisition by microsoft, there is fairly widespread speculation that some back doors were built into the product. the jargon that gets kicked around the department of justice for inability to surveil individuals because of their use of technology that have privacy and security properties built in is going dark.
8:47 am
and so you may see in hill hearings or statements out of various federal law enforcement agencies there's concern around going dark. and we should have legislation to remedy the going dark problem. calea 2.0 as some pitch it. related to this is the imessage issue that the dea flagged this week, the inability to intercept imessages. here we have some part of the department of defense, some part of the state department saying they want to facilitate building these tools, and here we have a memo out of dea saying they're concerned that this tool that apple's put in the hands of countless people provides security and privacy properties that they would like to be able to work around if, for example, they had a warrant to intercept imessages. >> if you've got a piece of paper with a question on it, just go ahead and raise your piece of paper, and somebody's going to come around and pick them up. peter, you talked about what we
8:48 am
found out in tunisia after the fact. you talked about all of these problems in countries all over the world. can you -- you've worked on these things. can you respond a little bit? >> yeah, sure. yeah, there are, you know, take what happens here and make it much more egregious, and, you know, you can imagine the situations in syria and iran. and luckily, we've had some opportunities to really look at the, look at the files. and in tunisia, you know, once the government offices were raided, the same in egypt after the uprising there, we saw the transcripts, we saw the calls, we saw the text messages that were being recorded through surveillance equipment often provided, sold by providers in the u.s., in canada, in england that are perhaps still being maintained. there's a lot of these authoritarian abuses countries, and it's sold sometimes through
8:49 am
third parties, sometimes through third party countries, often illegally under u.s. law and, um, our sanctions regimes. but the software has capabilities to monitor everything. there is some backlash. once actually in libya the, some of those tortured who were arrested and tortured for their communications were able to see those records. they filed lawsuit against the equipment maker which is part of bull in france. there are a couple other lawsuits like that. this is all coming to light after the fact, unfortunately. and so one thing we do at access is work with the company, the telecoms. because in situations lacking rule of law, there's little civil society can do. you know, we talked about multistakeholderism and involving civil society in these
8:50 am
questions. but a lot of times the companies jump into these emerging markets that lack protections, lack rule of law and, you know, make a huge buck and then find out, you know, five years later the contract had gotten through, and users have been arbitrarily arrested, tortured. one anecdote, this eurovision -- one act from every country in europe, musical act or what not is put forward, and you have to vote for some other country's act. this guy in azerbaijan really loved this armenian song, thought it was great. he was arrested and brought in for interrogation by his police force asking why he voted for azerbaijan's sworn enemy,
8:51 am
armenia. that shows how brazen these security forces can be. so it's something to think about, you know, as we look around the u.s. >> i see one -- two people responding, and then i want to, i had another question. both of you go. >> i was just going to say i think that, um, just to kind of draw the connection between what i think is happening or what i think the problems are here domestically and what's happening across abroad is -- and jonathan has certainly alluded to it -- is there's a terrible asymmetry in the type of power that corporations and governments have versus the type of power that the end user has. and, you know, in terms of like i don't know what the mobile phone penetration rates are in iran or china or in other authoritarian regimes across the world, but as these areas increase their usage of mobile phones and other mobile or
8:52 am
web-enabled devices, we can only expect that this type of surveillance is going to increase. and so i think it is really a moment to think about how, as jonathan referred to earlier, how do we think about privacy by default and privacy by design so that we can avoid some of these problems from the get go. >> i just want to take issue with what i think is often the false dichotomy that's created between this country and so-called authoritarian regimes elsewhere. i think that someone who if he were alive to talk about it would really take issue with that is abdulrahman al-awlaki, a 16-year-old u.s. citizen from denver who was blown up while he was eating lunch with his cousins in yemen. the u.s. government is, you know, still imprisoning
8:53 am
166 people at gitmo indefinitely without charge. you know, the u.s. operates secret prisons all over the world at so-called black sites where torture still occurs to this day. a yemeni journalist -- i'm sorry, a somali journalist is currently being imprisoned right now at the direct request of barack obama himself for reporting things about actually cia black sites and secret prisons in somalia. so the notion that the u.s. government is a democracy and other governments are authoritarian nightmares, i think, is really something that needs to be contested, because i don't believe it's true actually -- [applause] and i think, i think it's really incumbent on people in this country to focus on what our government is doing. i believe that it's important to look at what happened in places like tunisia, you know, using surveillance equipment that is produced and sold by united states companies.
8:54 am
those products are being used by the cia as well which kills people in drone strikes even when it doesn't know what their names are and so-called signature strikes based on sort of like terrorist patterns or something that, you know, we don't even get to understand. so, again, the u.s. is involved in extensive, you know, operations that violate all sorts of basic human rights all over the world, and the cia and nsa and fbi are using these technologies to pursue those programs. so i just really want to caution the dichotomy that people draw between, you know, the u.s. on the one hand and china and iran on the other. i don't think it's so simple. >> i'm getting a lot of really great questions in. a lot of them have to do with what are we supposed to do about all of this. i think like half of the questions are what are we supposed to do about this. and i want you to know we're going to have at least a half an hour -- i believe it's an
8:55 am
hour-and-a-half long panel. if it's not, someone should tell me soon. [laughter] with that in mind, i am planning on -- okay, it is. i am planning on dedicating at least the last half hour of this talk to the what do we do about it question. and maybe now is the time to get started. i thought this was a really interesting -- well, actually, there's one more question before we dive into that. i think that this is a particular issue we're sort of delving into. are there particular groups that suffer more as a result of surveillance than other groups? anybody on the panel want to speak to that or have some insight into it? seeta? >> so historically, you know, there are certain kinds of communities that have been targeted more than others. you know, in the work that i've done around data profiling, i've looked at historical cases of
8:56 am
nondigital profiling, so thinking about redlining, thinking about racial profiling, thinking about medical research and bio profiling. that's happened across time in the united states, so thinking about the tuskegee case, for example, when african-american men were targeted as research subjects and used unethically to discover or basically exploit for discovery of causes and effects of syphilis. so there's a long history of surveillance and targeting that happens unfairly in the united states, it falls upon the most marginalized communities. mostly african-american, increasingly latino, increasingly new immigrant populations. and again, it's for me it's not
8:57 am
just a question of government surveillance, though i think that is a really important area of concern. i think it also relates to corporate surveillance. so now we see, um, these technologies being used to categorize different communities in different ways. so there's been research out of harvard university by latanya sweeney who has looked at people that do searches for african-american-sounding names and the types of advertisements that they're getting. and, in fact, some of the advertisements that they're actually getting are related to i think it's called insta check me. so it looks at your arrest records. and it pegs an african-american-sounding name to incarceration history, right? so there's a way in which we're categorized by these new technologies that i think really adversely affects both how you're perceived
8:58 am
online and what you see online. and i think, you know, the repercussions are dangerous. sometimes as dangerous as being targeted one-on-one by the government, right? because it means you are being welcomed into a world where you're systematically excluded, or you're systematically tagged in a particular way. >> yeah. i would just add to that that as far as government surveillance is concerned, it's very clear who the targets are. the targets are people of color, poor people through the drug war which is a massive driver of government surveillance. the targets are immigrants which are profiled and surveilled through programs like secure communities and multiple other programs. they are muslims, especially right now in this country. muslims are the new communists, basically. and dissenters. anybody who raises their voice against the government and say, you know, i don't like what you're doing.
8:59 am
documents just came out last week showing dhs was involved in surveillance of the occupy movement. two people standing on a corner, all sorts of e-mails who are supposedly involved in protecting us from terrorism. yeah. hardly anything really, i think, has changed. and again that's yet another reason when we want to talk about how government surveillance impacts people in the world, we need to actually look at home as well. >> um, we have a bunch of interesting questions, and i want to ask some of them. one of them was about ecpa reform which we talked about earlier. we referenced the electronics communications privacy act, the bill passed in 1986 which has dangerous loopholes that are allowing the courts to make the argument that they can access your e-mail after it's six months old to. we've fought back pretty effectively, and also to your
9:00 am
data in the cloud. the question is, given the willingness of intermediaries -- companies like google and facebook and such -- to voluntarily turn over data to the government, how meaningful is ecpa reform, and what can we do about it? does anybody want to take that? [laughter] >> i've talked about it. [laughter] >> as a nonlawyer, i can take a stab at it which is to say, you know, i think that part of what we've been talking about on this panel is that legal solutions are not really the only solutions in place or that are in our tool kit with the ever-shifting sands of surveillance and privacy online, right? from where i sit, i see very little hope in reform for not just ecpa but also other existing privacy legislation. partly because it's such a