Digital Detectives

Encryption, Cyber Security, and Domestic Surveillance

In the wake of the Panama Papers breach, securing law firm and client data has been a huge concern for many practitioners in the legal space. Similarly, other information leaks like the Edward Snowden revelations have made the general public more aware of government surveillance than ever before. In this episode of Digital Detectives, hosts Sharon Nelson and John Simek sit down with executive director for the Electronic Frontier Foundation Cindy Cohn to discuss domestic surveillance concerns, encryption technology, and how lawyers and law firms can protect themselves and their clients from cyber attacks.

Cindy Cohn is the executive director of the Electronic Frontier Foundation. From 2000-2015 she served as EFF’s Legal Director as well as its General Counsel. Ms. Cohn first became involved with EFF in 1993, when EFF asked her to serve as the outside lead attorney in Bernstein v. Dept. of Justice, the successful First Amendment challenge to the U.S. export restrictions on cryptography.

Special thanks to our sponsors, PInow and SiteLock.

09/15/2016

Intro: Welcome to ‘Digital Detectives’, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.

Sharon D. Nelson: Welcome to the 71st edition of ‘Digital Detectives’. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises. We would like to start out by thanking our sponsor SiteLock, the global leader in website security solutions. You can learn more at sitelock.com/legal/digitaldetectives.

We would also like to thank our sponsor PInow. If you need a private investigator you can trust, visit pinow.com to learn more.

John W. Simek: I am John Simek, Vice President of Sensei Enterprises. Today on ‘Digital Detectives’ our topic is the three hottest topics at the Electronic Frontier Foundation; Encryption, NSA Spying and the Lenz case.

We are delighted to welcome as today’s guest Cindy Cohn, who is the Executive Director of the Electronic Frontier Foundation. From 2000-2015 she served as EFF’s Legal Director as well as its General Counsel. Ms. Cohn first became involved with EFF in 1993, when EFF asked her to serve as the outside lead attorney in Bernstein v. Department of Justice, the successful First Amendment challenge to the U.S. export restrictions on cryptography.

Thanks for joining us today Cindy.

Cindy Cohn: Thank you.

Sharon D. Nelson: Well, Cindy, some of our listeners will know a lot about the Electronic Frontier Foundation, but as we learned at lunch today with somebody who is pretty sophisticated a lot of people don’t know a lot about the EFF. Can you give us a brief overview of what it does?

Cindy Cohn: Sure. The EFF is 25 years old. We were founded in 1990 by Mitch Kapor, who founded Lotus; old timers will remember Lotus Notes, a guy named John Perry Barlow and John Gilmore, and Steve Wozniak had a role early on as well.

And the goal of the Electronic Frontier Foundation is to make sure that when you go online your rights go with you, and so we have been involved since — before the World Wide Web was introduced in making sure that the Internet remains a place of free speech of privacy, a place where innovation can flourish, and where people are essentially free to use the technology in ways that helps to make the world a better place.

John W. Simek: Cindy, can you also give our listeners an introduction to digital privacy issues kind of in general?

Cindy Cohn: Well, one of the things that has happened with the switch to a lot of digital technologies is that a lot more information about you and your activities online is generated and collected and increasingly used by both government entities and companies.

So if you and I went out to a café and had a conversation before the rise of digital technologies, not very many people would really know about that. You would have to really follow us around.

If you and I go out to a café now, well, we both have beacons in our pockets called phones that are recording where we are, that will notice that we are together. If we set up that meeting by sending an email back and forth, there will be that digital trail, and then a whole lot of metadata surrounding that to basically give a pretty good picture of what we are doing, who we talk to, who we associate with and ultimately kind of what we are thinking and believing and feeling.

Digital technology is really awesome in that it lets us do a lot of these things a lot more easily than we used to and gives us new powers, but it also really does mean that we are leaving a trail of digital breadcrumbs behind that can be used. So that can be used and frankly can be misused.

So one of the things that we try to do is to make sure that all of these systems that we all used to enjoy to set up our lunches and communicate with our loved ones and our doctors and our banks really serve to protect us and are on our side rather than on the side of other people who may have interest in selling us things, which is totally fine, but there are still some lines that they probably shouldn’t cross. And increasingly we worry about the government’s access to all of this information and their ability to really limit or dissuade us from engaging in associational activities or political activities and thus kind of put our democracy at risk.

(00:04:50)

So privacy I think often gets talked about as if it’s kind of some little niche thing that not very many people care about, but I think that when you step back a little bit and you think about the role that it serves in our society, it’s a tremendously important one and indeed one I think that a lot of our other rights rest upon.

You asked me about privacy, but I think the other side of privacy that increasingly people are realizing is that the privacy tools that we use to protect ourselves are also many of them security tools, tools that keep us safe online, and tools that ensure that all the data that we have on our phones or in our banks doesn’t leak out and get used against us by people who might want to engage in identity theft or in the business context steal trade secrets or gather confidential information.

Obviously, right now with the hacks into the Democratic National Congress, the hacks into the General Accounting Office and other things, we see the increasing risk that the large amounts of data about us that are being gathered and held by third parties have for us and our ability to continue to operate in this society. So privacy and security end up being the two sides of the same coin and EFF is deeply invested in protecting both of them.

Sharon D. Nelson: I think what a lot of people worry most about, and they know the old, trust me, I am from the government line is no good, but of all the agencies they worry about, they worry the most about the NSA, which you have identified as one of your three hot topics, and what makes it one of the three hot topics for the EFF?

Cindy Cohn: Well, the NSA has engaged in really kind of dramatically tapping our Internet infrastructure. They have a goal and have largely implemented it of making sure that nobody can ever be sure that they are having a private conversation online or connecting with a private association online.

So because the scale that they are operating at is so huge and their goals are so obviously to try to stamp out the promise of privacy that technology can give us, not with bad intent, I really don’t — I mean, obviously there may be good people, there may be bad people at the NSA at any particular time, but overall they have an admirable goal and I do believe that most of the people who work at the NSA are trying hard to keep us safe.

But we have to draw, as a society that wants to be self-governing, we have to draw reasonable limits on their power, just like we draw reasonable limits on the power of the police say to detain people or the power of the government to say what words you can say and what words you can’t say, we need to have those same kinds of limits on the NSA’s ability to have access to basically all the information that flows over the digital network.

And so I think that they are a priority for EFF because the scale that they are operating on is so huge and so breathtaking and frankly so troubling for both Americans and people around the world. The more the people have learned about the extent of the NSA’s activities, the more there have been calls to try to rein them in.

Calls that were successful last spring when we were able to rein in one of the NSA’s programs, the Telephone Records Programs, pretty significantly, not as far as I would like to go, but pretty significantly. But I think our work is not done. I think we still need to bring that agency back into kind of respecting a reasonable balance between peoples’ privacy, the needs of a functioning democracy and their desire to try to keep us safe.

John W. Simek: Well Cindy, over the last year or so there has been a lot of talk about encryption and the Apple versus FBI scenario and backdoors and I know you spoke about it as well in your keynote at ABA TECHSHOW last year, but to what extent is encryption really a solution to protecting our privacy?

Cindy Cohn: Well, I think encryption is one of the best tools we have to protect, not only our privacy, but our security, and again, encryption is a great example of the kind of dual nature of privacy and security.

Encryption is pretty straightforward in concept; it’s just — it’s kind of the science of secret codes. The ability to speak and to encode information in a way that only your intended recipient can actually read it, and there is very fancy math involved, there’s factoring of prime numbers. There are all sorts of technical tricks and skill required to deploy encryption well, and that itself is an ongoing struggle, because it’s actually pretty difficult to securely encrypt lots of information. But when it’s done correctly it really does put you as the user back into control over who can read your messages and who can know who you are talking to.

We believe strongly at EFF that free people are the people that have control over who gets to read what they write and who they talk to, but the fight over whether people are going to have access to strong encryption is one of the earliest fights of the Internet.

(00:10:05)

In fact, there was a pretty big battle in the 1990s that I was deeply involved in, in a case called Bernstein v. Department of Justice, where we were able to get the government’s regulations on the export of encryption technology thrown out as unconstitutional and a violation of the First Amendment free speech part of the Constitution. And we were able to do that because of a number of reasons, but I think most important of them is really standing up for the right for Americans to be able to protect their information in digital environments. And that protection you get is protection from government snoops, but it’s also protection from bad guys, the identity thieves and other people who we have really struggled with so much as a society over the last years. Encryption gives us that double protection; it protects our privacy, but it also protects our security.

Sharon D. Nelson: Well, I know that we are always looking — our radar is always up and sensing legislation which pops up, good and bad legislation in terms of protecting privacy, so what’s on your radar currently at the EFF for legislation that’s pending?

Cindy Cohn: Well, in the long run, back to the NSA spying, some of the major powers that the government claims it’s using to do the mass spying that makes me so nervous, the tapping into the Internet, is under something called FISA Amendments Act, Section 702, and Section 702 is up for renewal in December of 2017.

So long-term that’s something you are going to be hearing about a lot from EFF and a lot of our colleagues in the digital rights communities, and I think your listeners should kind of keep your ears up for that, because Section 702 being up for renewal is really our next best chance to try to get major reform through the legislative process. Of course, the EFF has lawsuits against the 702 surveillance as well, and we will continue to pursue those.

In the shorter term we have got a small session of Congress coming up in the next month or so. There are several things that law enforcement is trying to get crammed through in that short time period that we are going to be trying to defend against.

One of them is kind of a weedy thing that they call ECTR, but that basically is an attempt to let the government use subpoenas to get even more information about you from your service providers than they can already get. They can already get a lot of information about you from your service providers, but there are some limits and this ECTR Fix is an attempt for them to try to get even more information from your ISPs about your activities with just a subpoena, which means there’s no judge involved.

On the good side, there’s a bill called FASTER, which is an effort to try to make sure that publicly funded research gets available to the public much faster than it does now. It’s a good bill. It doesn’t go as far as we would like, but it’s actually a really pretty big step forward in making sure that your tax dollars that are being used to fund research actually end up with that research being available to the public, so we can all benefit from it rather than it being locked up in proprietary publications. And that’s a bill.

Open Access bill that we have supported, along with a lot of other people; some of your listeners may be familiar with Aaron Swartz, who was an Open Access activist who tragically passed away a couple of years ago. This FASTER bill is one of the bills that we are supporting as part of supporting his legacy. And we think it has a shot at getting through Congress in this upcoming moment and we think if it does that the President will sign it, which would be a really positive step to come out of what I think most of us think was a pretty horrible tragedy.

John W. Simek: Well Cindy, I know about these really cool and helpful tools that the EFF has, but could you describe for our listeners like Privacy Badger and HTTPS Everywhere and Let’s Encrypt.

Cindy Cohn: Yeah, sure. At EFF we have three tools that we use to try to make positive change in the world. We use law and we bring lawsuits and do things like that.

We use activism, where we are educating people and talking about these issues.

But the third one is technology. Sometimes the right thing to do to try to make the world a better place is to just build a tool that people can use to do that or at least that points the way. And we have three of them right now that we are very, very proud of.

The first one is called Privacy Badger. This is really aimed at consumers who are nervous about the breadcrumbs that they leave behind as a traveler on the Internet, being gathered up by all sorts of companies, some scrupulous and some not and being turned into profiles about them.

(00:15:00)

Privacy Badger is a plug-in for Firefox and Chrome that blocks third party cookies that are placed by websites you visit when you go around the Internet and gives you the power to say no to the tracking that happens with them.

It’s really dead easy to use. It’s the kind of things that I have installed for very non-technical family members who need help and they can use it really easily. It has got green and red sliders that you can use to try to allow a website that you want to collect information about you to collect it and slide it to red if you don’t want them to, and companies have to abide by those rules, because the plug-in doesn’t let them get the information if you have slid it to red.

This is we think a really important and easy to use tool to give power back to you to decide what information about your online activities gets collected by the websites you visit.

The second one, HTTPS Everywhere is a security tool, also a plug-in for Firefox and Chrome, that you can use to stop one of the problems that people engage in online, which is, you think you are going to your bank’s website, but really you are going to a fake website that is collecting your data and maybe maliciously used against you.

HTTPS is the secure version of HTTP and it does extra checks to make sure that you are actually going to the website that you think you are going to. It’s a really easy plug-in to use and you can plug it in and you can just rest a little more assured that you are not going to be misled by a phishing attack or some other thing into going to a website that’s different than the one that you thought you were going to. And it helps ensure that HTTPS is used, that where it’s available it’s used to protect you by the websites you visit.

The third one is a little geekier, but in some ways the biggest and the most important of all, it’s called Let’s Encrypt. The web works through something called certificate authorities, which is a way that websites authenticate themselves to each other, and again, it’s one of the ways that your browser knows that you are going to the place you are actually — it ensures that you are actually going to the place that you thought you were going to.

Let’s Encrypt is a certificate authority that people who run and maintain websites can use (it’s free and it’s dead easy) to offer to the people who come to visit you significantly more security than they would otherwise have.

And this is a tool that we have put together with a consortium of other organizations, including Mozilla and are text built to try to increase the number of websites on the web that are offering more security. It has been a tremendous success in the first few months; we launched this in December, I believe we already have issued over 7 million certificates, which makes us I think the second or third largest certificate authority on the Internet, behind GoDaddy and a couple of others.

And extra special good news about this, because we are a nonprofit and we are not looking to build a business here is that the vast, vast majority, I think well over 70% of the websites that have used the Let’s Encrypt certificate are new. They are websites that were not secured before, but are secured now because we made it as easy as possible and as free for them to offer more security to their visitors.

So really, we have an overarching goal at EFF to try to encrypt the web and get as much of the web as we can available to you in an encrypted form, so that it’s secure and you can trust it, and on that scale Let’s Encrypt has really made a huge difference and we expect it only to grow.

John W. Simek: That’s great.

Sharon D. Nelson: It is great. And you know John, as you know we are putting together Legal Technology Tips session, I think we just got three good candidates right there.

John W. Simek: But I have to ask a follow-up question though, who determines what you name these things, Cindy?

Sharon D. Nelson: Yeah, how did we get to Privacy Badger?

Cindy Cohn: Those are the funnest meetings at EFF. We have a team at EFF that we call the Meme Team, that is a cross-organizational team, actually anybody can come, but it’s usually led by our activists and our artists. We have two staff artists at EFF so Privacy Badger is not only a cool name, if you look at this stuff; we have really fun logos and stuff because we have very talented artists who work with us. And we just sat around and talked about it and the Privacy Badger name came because at the time we were thinking about it lots of people were watching that Honey Badger video.

Sharon D. Nelson: That’s what I wondered. I wondered about that.

Cindy Cohn: Yeah, we kind of thought, well, Privacy Badger don’t care if you don’t respect your customer’s privacy. Privacy Badger don’t care because Privacy Badger is giving them the right to decide what information you collect.

(00:20:04)

Sharon D. Nelson: Okay, John and I want to be called into — we want to be called into the Meme Team for one of these meetings.

Cindy Cohn: Let me tell you, they are so fun. Literally, people are crying with laughter most of the time in these meetings. They are one of the funnest things we get to do at EFF. When you spend a lot of your time fighting the NSA and slogging through discovery responses and then getting to spend an hour or two brainstorming the name of our next tech project is really kind of candy for us.

John W. Simek: That’s great. Well, before we move on to our next segment let’s take a quick commercial break.

[Music]

Sharon D. Nelson: At least 80 of the 100 biggest law firms in the country have been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry leading cloud-based suite of website security solutions includes website scanning, web application firewall, including DDoS mitigation, and 24×7, 365 US-based customer support. Give your firm and your clients peace of mind knowing their information is secure. Learn more at sitelock.com/legal/digitaldetectives.

Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? pinow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.pinow.com.

Sharon D. Nelson: Welcome back to ‘Digital Detectives’ on the Legal Talk Network. Today our topic is the three hottest topics at the Electronic Frontier Foundation; Encryption, NSA spying and the Lenz case. Our guest is Cindy Cohn, who is the Executive Director of the Electronic Frontier Foundation.

Cindy, a lot of people have heard of Tor and they think about it mostly in relation to the dark web and crime, but it really is a privacy tool for many folks. Can you explain just briefly what Tor is and how it works to preserve privacy?

Cindy Cohn: Yeah, absolutely. Tor, I have just proudly joined the Board of Directors of Tor, because I think it’s such an important tool, especially for dissidents and human rights activists around the world.

What Tor does is when you go to visit a website ordinarily you have something called an Internet Protocol address or an IP address that gets recorded by that website that can be used to track back to you. So if you need to access information that you don’t want to have tracked back to you, Tor is a really awesome and easy to use tool that hides basically where you are coming from. It’s kind of a complicated protocol where your request is bounced through a bunch of different computers and then the website that you are visiting doesn’t know your actual computer that you are coming from, it knows one of those intermediary ones, and this has been used literally to save lives around the world.

Chinese democracy activists who need to either access information or get information out of a very dangerous situation have been known to use Tor to try to do this. There’s activists all around the world who literally rely on this technology to save their lives, because if their local law enforcement or local bad guys knew that they were the ones who were sneaking this information out of a dangerous situation, their lives would be at risk. And EFF has worked with activists in Mexico, in the Middle East, in South America, in Central America, I mean really all around the world, in Asia to try to make sure that these activists have these kinds of tools to protect themselves.

It’s also a good tool for ordinary people to use if you don’t want to be tracked. If you are just not interested, if you are a child or you have a child and you don’t want your child to be tracked by the websites they visit and a profile being made to them. We hear from moms actually quite a bit that they are not at all comfortable that so many of these commercial websites are developing profiles about their children when their children go online that they will use something like Tor to help keep their kids from becoming profiled by web trackers.

John W. Simek: Well Cindy, can you tell our listeners if there are any privacy resources that they can read up on?

(00:24:57)

Cindy Cohn: Sure. On the kind of range of things that people who need kind of serious protection for their privacy, the human rights activists and political activists that I talked about earlier, Tor of course is one of them; there is a bunch of them. EFF has a set of materials called the Surveillance Self-Defense Manual available on our website, that is a really useful tool for people to walk through kind of what their needs are for security and privacy and what tools are available for them that may assist them.

It’s really aimed at helping people kind of — there’s something that security people call Threat Modeling, which is a term for basically figuring out what your needs are for security and privacy and making sure that you have the right tools, because there’s a range of things available. And security Self-Defense is a good way for people to begin to kind of try to access this information and make smart decisions for themselves.

There is a group called Tactical Tech that does a similar kind of tool; there’s other tools available, but ours and Tactical Tech are two that we think are — that we don’t have any — we are not trying to sell anybody anything. We are nonpartisan and we call them as we see them and so we don’t have any secondary agenda, and again, our friends at Tactical Tech don’t either, so those are good places to look.

Some of the privacy tools that we see people use a lot are get Tor for texting and phone security, there’s one called Signal that’s easy to use, easy to download, open source, and available for conference calls. There’s something called Jitsi, which is kind of a Skype-like thing, but also again provides much more privacy protection than some of the commercial products that are available out there.

There are others as well, and again, they are referenced in SSD, but for lawyers especially something like Signal, something like Jitsi, and something like PGP or GPG. PGP is the commercial version, GPG is the noncommercial version; for email security, it’s a nice little suite of tools that can help people. And then for chat there’s something called — for Mac it’s called Adium and for Windows it’s called Pidgin, which is also kind of a nice chat app that is secure.

So there’s a range of things that are available for lawyers when you are talking to your clients, especially if they are sharing sensitive things. These tools are available and they are increasingly easy to use, and it used to be something that I didn’t lightly recommend to kind of lawyers who weren’t tech lawyers to try to use. Now, I think that these kinds of tools are — if it’s important enough to your clients to really — to need real security, those tools are available and much easier to use than they used to be.

Sharon D. Nelson: Let’s take us to the Lenz case, which I suspect many people have never heard of and have no understanding of its implications. Tell us a little about that please.

Cindy Cohn: Sure. The Lenz case is, we represent Stephanie Lenz, who is a mom, who took a video of her kid dancing in the kitchen to the Prince’s song, Let’s Go Crazy and posted it on YouTube so that her family could see her adorable toddler, and it was taken down by Universal Music on a claim that it violated copyright law.

And we took on Stephanie’s case because we think it shouldn’t violate copyright law to publish a 20-second video of your kid dancing in the kitchen, no matter what’s playing in the background. And this case has gone on for several years now and we are actually at the US Supreme Court this month asking the Court to take a look at the case, because Universal Music is taking the position that it can take down anybody’s video any time it wants and it doesn’t have to do anything more than the most cursory review to see whether your video uses any of what they call their music.

We think that Universal and other rights holders have to do a real analysis of whether what you are doing is infringing or whether it’s a fair use or not, and that if they don’t do that and they take your speech down, they should be held responsible for that, and that’s the center of the fight.

The Ninth Circuit agreed with us that Universal had to do a copyright analysis, but they made this standard for Universal to meet — in doing that analysis very, very low and we are asking the Supreme Court to take a look at it and make them have to do a very — a much more robust analysis, not so much that it will harm them, but a real one, and to have the remedies kick in if they don’t.

Universal is arguing that Mrs. Lenz — that nobody could ever be hurt by having their speech taken down off the Internet and so there is never any harm from what they do, which I think is clearly wrong and should be very, very troubling for anybody who believes in free speech.

John W. Simek: Well Cindy, we are going to close up here, but this is your moment for your closing thoughts, but in addition to your closing thoughts, can you tell our listeners about how they can get involved and support the work of EFF?

(00:30:03)

Cindy Cohn: Sure. EFF is a member supported organization, so if people think what we are doing is important and right, they have an opportunity to join with the 27,000 other people who help ensure that EFF stays strong and robust. So you can join EFF, you can be a member; we have awesome hats and stickers and all sorts of cool stuff. We have very cool schwag.

But in addition to the cool schwag, you get to feel like you are part of making the Internet and the digital world better, and I think that is something that we need people to do. We stand on the shoulders of giants, we stand on the shoulders of people who understand how important having a free and open Internet and digital technologies are and that’s how people can get involved.

For the lawyers we have a list of cooperating attorneys. We get lots and lots of requests for help at EFF and we help as many as we can, but for many people we try to get them into the hands of competent counsel, so that somebody else can help them. And so lawyers who are interested in getting involved, there is a special opportunity to be one of our referral lawyers at EFF, and if you just email info@eff.org, you can get connected to that legal referral network.

Sharon D. Nelson: Well, I am a big advocate of party hats, so I will go right on the site and check that out.

Cindy, thank you again for joining us today, marvelous always, you gave a bravura performance at ABA TECHSHOW. I know everybody enjoyed listening to what you had to say and today more of the same. So thanks for illuminating all of these issues for us and for taking the time out of your day to spend some time chatting with John and myself.

Cindy Cohn: Oh, thank you so much for continuing this conversation. I love talking with you guys because you are smart, you guys know what’s going on and I think you have a great audience.

John W. Simek: Well, that does it for this edition of ‘Digital Detectives’. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or on iTunes. If you enjoyed this podcast, please review us on iTunes.

Sharon D. Nelson: And you can find out more about Sensei’s Digital Forensics Technology and Security Services at senseient.com. We will see you next time on ‘Digital Detectives’.

Outro: Thanks for listening to ‘Digital Detectives’ on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.