The Tech in Tech Policy

Joseph Lorenzo Hall, Chief Technologist, CDT [ShmooCon, January 2015]

Outline

Background
- Who am I? What is CDT? What do we do?
Selected War Stories
- SOPA/PIPA, Backdoors, Mobile device privacy
Coming Battles
- Crypto, zero-days, Internet of Things, Hostility towards hacking!

Background

Who Am I?

Background in hard science
- Planetary astrophysics (atmospheres)
"Hacked" voting machines for my Ph.D.
Work regularly in:
- Consumer privacy, health tech, national security, cybersecurity, technical standards, (some e-voting, space policy)
Half lawyer, half computer scientist

What is CDT?

Non-profit digital rights organization, focusing on research and advocacy
Support: foundations, companies, cy pres
Principles:

The internet empowers people
Forward-looking, collaborative solutions
Tangible, pragmatic policy outcomes

Some of what we do is never public

What do we do? What is Tech Policy?

The rules we set about technology.
Policy is not just laws.

One cuts the cake, other chooses

Align incentives for best outcomes: Social, technical, and ecnomic
This can prohibit certain things!

satellite imagery, 3D-print Sarin, eavesdrop on pagers

Selected War Stories

1: SOPA and the DNS

Combatting Infringement

COICA in 2010 and SOPA/PIPA in 2011 allowed "seizure" of domains
Technical community was concerned:
- Content would still be accessible despite seizure
- Getting around domain blocks pose security/performance risks
- Siginificant risk of collateral damage due to dependencies
- Would formalize activity that looks like a threat to DNSSEC

https://www.cdt.org/files/pdfs/Security-Concerns-DNS-Filtering-PIPA.pdf

https://www.scribd.com/doc/73106069/Napolitano-Response-Rep-Lofgren-11-16-11-c

2: Backdoors

FBI Wants Backdoors...

The FBI has wanted backdoors into systems/ciphertext since the 1990s
Widespread use of crypto was thought dangerous without access
Key escrow systems like the Clipper Chip were proposed...
... and subsequently technically destroyed by folks like Matt Blaze (1994)
But proposals were revamped, tweaked until...

https://www.cdt.org/files/pdfs/paper-key-escrow.pdf

FBI Still Wants Backdoors...

In recent years, FBI has been arguing they are "going dark"
Early 2013, floated various "targeted backdoor mandate" proposals
- On notice, add a backdoor or face increasing fines
These proposals made key escrow seem not so bad!

https://www.cdt.org/files/pdfs/CALEAII-techreport.pdf

3: Mobile Device Privacy

Riley and Wurie cases

Two cases involving cell phones before the Supreme Court.

Riley v. California – Search of smart phone incident to arrest
U.S. v. Wurie – Search of feature phone incident to arrest

Fourth Amendment requires a warrant before a search
Limited exceptions: danger to arresting officer, evidence destruction

https://cdt.org/insight/riley-v-california-amicus-brief/

Arguments, implications

Cops can search your wallet on arrest, why not your phone?
What lies in the balance?

How much of one's life is on the devices around them?
To what extent are things local to the device?

USG is very worried about encryption and remote wiping

In a nutshell...

Our cell phones can contain more personal information than we carry in our briefcases, store in file cabinets or even have on personal computers. These are our personal papers and effects and should be fully protected under the Fourth Amendment. It's critical that private conversations, photos, and documents are protected from warrantless search whether they're stored inside your house or carried in your pocket

Jake Laperruque, CDT Fellow on Privacy, Surveillance and Security

Coming Battles

Encrypting the Net

With NSA/Snowden revelations, it's critical we encrypt the net
Ted Hardie (Google): "We're addicted to cleartext."
- Optimization, caching, exfiltration, malware, ad injection ...
Some are fundamental tensions: caching
Integrity concerns due to injection should win the day
RFC 7435: "Opportunistic Security: Some Protection Most of the Time"

http://www.ietf.org/proceedings/90/slides/slides-90-httpbis-6.pdf

Zero days, Hacking Back, Rule 41

If no backdoor, how does LE accomplish lawful access?
- Targeted exploitation? USG will need to buy, develop zero-days...
- But what rules should apply?
Hayden: hacking back akin to "stand your ground" laws?!
LE wants to hack too! Seeks to amend to Rule 41 of FRCP for:
- malware/CIPAV install (Tor), forum-shopping (botnets)

Internet of Things, Digital Hygiene

IoT has the potential to weave vulnerability throughout our environment
Holy shit, where to begin?
- Very encouraged by iamthecavalry.org, builditsecure.ly, etc.
- We almost need a civil cyber engineering corps...
Much more broad than simply devs and IoT...
- Society desperately needs an intutive grasp of tech
- Each interaction as an opportunity; trainings like cryptoparties

Hostitlity Towards Hacking

Obama's CFAA reforms: believe what you've heard
- Stiff increase in already harsh sentencing; no more misdemeanor
- Appears to criminalize sharing information that then aids an attack
- TOS violations a felony on government computers?
- CFAA violation as a RICO predicate!?!?
Likelihood of Obama's proposals going anywhere are slight...
That should be no comfort, we will fight.

Consider Working in Digital Rights!

Many of us have technologist positions
You can help in your free time:
- Help out the cavalry...
- Support CDT, EFF, ACLU, Access, OTI, ...
- What can you do to help humanity with each interaction?
We are so good at tearing things apart, but it's time to build.

Thank you!

email: joe@cdt.org
phone: 202-407-8825
PGP: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871
web: https://josephhall.org
HTML5 Presentation enginge by shwr.me (github)