Speaker 0
0:10 – 0:12
Welcome to Tech Talk. Bye.
Speaker 1
0:13 – 0:14
CT. Tea.
Speaker 2
0:15 – 1:42
Welcome to CDT's Tech Talk where we dish on tech and Internet policy and dig into what these policies mean to our daily lives. I'm Brian Wesolowski, and it is time to talk tech. Social media firms are facing increasing pressure to monitor their networks for terrorist activity. Should these companies be mandated to police user posts and communications? And is it even possible to identify all terrorist activity? We'll take a look at this issue through both a free expression and a technological lens. And if you consider yourself a of and our chief technologist will give us his firsthand highlights from his week in Las Vegas. The Senate Intelligence Committee raised some controversy recently with a provision they worked into the annual intel funding reauthorization bill that would require Internet companies, such as Facebook, Google, and Twitter to report any content on their network that could be construed as terrorist activity. Some of the intelligence community believes companies aren't doing enough to help them fight terrorism, while free speech advocates are raising flags about the potential for a government mandate that would lead to more citizens being monitored online. We're lucky to welcome back to Tech Talk, CDT's free expression director, Emma Llansó.
Speaker 0
1:42 – 1:47
Welcome, Emma. Hi, Brian. How are you today? I'm doing quite well. How are you? Fantastic.
Speaker 2
1:47 – 2:13
Thank you. So you are the media darling of CDT these days on this issue and many more. Clearly, the topic of terrorist activity and social media is a hot one right now. One of the quotes that you've had in the press recently, was that this intel reauthorization bill would turn online service providers into law enforcement watchdogs. What do you mean by this? And why is this potentially such a bad thing?
Speaker 0
2:14 – 3:40
So what this provision does, is actually, it would require, all electronic communication service providers computing service providers. That's basically every different part of the Internet from your ISP to your email provider or to your social media, network to report to the US government when they become aware of apparent terrorist activity on their networks. So this means that you would have kind of every component of the online communications environment reporting about their users to the government under the label of apparent involvement in terrorist activity. And what terrorist activity is is not at all defined in the bill. So this means, on the one hand, that users aren't gonna have really any good idea of what they might do or say or engage in that could put them under scrutiny from their ISP or their, social media provider. And companies are also not going to know what they will and won't have to report to stay within the bounds of the law. This kind of really broad mandate would create a massive incentive for companies to over report and to to try to play it safe and do more reporting rather than less because otherwise, they run into some kind of liability for having failed to fulfill their obligation to report something
Speaker 2
3:40 – 4:12
related to terrorism. I thought you did, a great job. You did a graphic recently that illustrated just how hard it is to actually figure out what terrorist content is, you know, in quotes. I'm putting it if people are watching air quotes, terrorist content hate air quotes, but it works for this. So what you did in that was showed, quotes from either famous people or terrorists. Let's let's have our listeners try this out. You give the answers. I'll read the quotes. The first one, there is no substitute for a militant freedom, terrorist, or famous figure.
Speaker 0
4:13 – 4:15
I believe that was actually
Speaker 2
4:15 – 5:24
President Calvin Coolidge. That was Calvin Coolidge. There we go. She knows this because she created the graphic. But we'll keep going, so guess at home. Also, second one now. He who would be free must strike the first blow. So that's Frederick Douglass quoting a poem by Lord Byron. Mhmm. And last one we'll do, although you had more examples. He, today, who sheds his blood with me shall be my brother. You may recognize that from Shakespeare's Saint Crispin's Day speech. There we go. So these are examples of things that, if taken out of context or in isolation, could very easily be construed as terrorist content. And I'm assuming that this is one of the main reasons that we are concerned about this. People have talked about there's been different advocates out there who said, listen, if internet companies can do this with child pornography, why can't they do it with terrorist content? You know, obviously, context matters. Is that the only reason that, you know, this is a challenge for companies to implement greater monitoring? Yeah. So there are some really big differences between the kind of monitoring and reporting that companies do for,
Speaker 0
5:25 – 7:35
apparent images of child pornography and this provision around terrorist activity. For one, the reporting that companies are required to do about images of child pornography is very much centered around specific discrete images. If you're a company who runs into or finds themselves in this circumstance, what you have is an image that appears to be a child being abused and you have a statute that kind of clearly outlines what's the information that you have to submit to the National Center for Missing and Exploited Children, but you have that discrete image as the center of the report. Under the terrorist activity reporting idea, it's not clear what might constitute kind of the generator of the report. Is it an image? Is it a comment? Is it a video? Is it a pattern of network activity or a set of, you know, friends or mutual followers on a social media platform? That's not at all defined in the bill. And with child pornography reporting, the National Center for Missing and Exploited Children has worked to develop a hash database or basically the fingerprints of files of images of what they call the worst of the worst apparent child pornography. There's no similar reference database for apparent terrorist activity. Right? You don't have there may be some videos or some images that people think of when they think of advocacy from certain terrorist groups, but the fact is there's a lot of different kinds of advocacy that crosses the political spectrum, crosses the ideological spectrum that the majority of which falls under some kind of category of protected speech as opposed to, you know, a direct incitement to violence or something that might be unlawful under the laws of another country. So you've got just a much more diverse set of content and activity that could even
Speaker 2
7:35 – 7:57
possibly be at issue under this terrorist activity reporting idea. And I know even internally here at CDT, we have conversations when the word, you know, sometimes attached to terrorist content is extremist content. What is extremist? Where do you cross the line between having a view and being an extremist? Is being an extremist necessarily a wrong or an unlawful thing to do? No. And we all have rights to hold
Speaker 0
7:57 – 8:20
extreme and radical ideas and opinions. I mean, that's something that's protected by the constitution. What we don't protect in our society is acts of violence or direct threats of violence or harm to other people. But merely espousing very extreme political or ideological views is something that's protected.
Speaker 2
8:21 – 8:42
So, the FBI director James Comey, I think speaking specifically about Twitter, said that companies are actually, quote, doing a pretty good job about reporting potential terrorist content. Can you tell me a bit about what companies are actually doing and if there's any laws that are already compelling them to do this? Sure. So under the electronic communications
Speaker 0
8:43 – 10:59
privacy act, Internet companies, communications companies are already allowed to report to law enforcement when they become aware of, communications related to the commission of a crime or in emergency circumstances. So there's there's no law currently prohibiting companies from reporting if they see, you know, something that is clearly to them evidence of a a crime or some really, emergency imminent circumstance. We also see a lot of different companies taking different approaches to, content policies and and content flagging on their platforms. So most most content platforms that people are familiar with have some kind of content policy and a lot of these policies will have either prohibitions against harassment or threats or particularly violent, images or video or or speech. And so we see different platforms kind of interacting with different content in in some different ways and what might fall under the, you know, harassment prohibition on one platform could also fall under the, you know, advocacy of violence prohibition on another platform. Mhmm. So there's a there's a lot of variety across platforms, but what we seem to hear from at least some legislators and and law enforcement officials is the idea that there should be a specific prohibition against terrorism or again using using our air quotes, terrorist activity on platforms. But, again, it comes back to this definition question. What do you what do you mean by that? When you look at you know, we're we're always hoping that and and encouraging companies to make their content policies very clear because, I mean, that's what your users deserve. Right? If if I'm gonna go use a platform, I should know at the outset what I can and can't say on that platform. But if I and so if if I see a prohibition against you know, specific threats of violence to another person or, you know, harassment of specific individuals, that gives me a sense of what is and isn't allowed. 
If I just see some sort of general prohibition against you, you know, you ought not be involved in anything related to terrorism,
Speaker 2
10:59 – 11:42
I don't know what that means. Right. Right. And you could be speaking about terrorism in the sense of, you know, being opposed to certain acts or whatnot. But if they set up a system that's just using keywords or whatnot, you may very well use those words in your posting and potentially could be flagged and then sent over to whatever intelligence agencies based on this. Just a couple more questions. And this is just me thinking out loud. At least when it comes to Twitter, when I think about this, much of the content, and maybe even Facebook, depending on how you have your account settings, is public. You know, LinkedIn, another example of things where you post things publicly. Couldn't the case be made that this information being online could actually help intelligence and law enforcement efforts?
Speaker 0
11:43 – 13:08
You know, I think there's an active debate among the law enforcement and intelligence communities on exactly that point. You know, there are ways that seeing this activity happening in public and online can be very helpful in identifying speakers and actors, you know, who may be engaged in certain kinds of conduct that the government wants to investigate. And I think it's important to keep in mind that we're talking about the Internet here, obviously. We're talking about a globally connected network. And what Congress is considering is a provision that would only apply to companies that fall within the jurisdiction of The United States. So it's very easy to see a future where if this kind of law gets passed and if it becomes known around the world that US based Internet companies are required to report on their users to the US government, I would not be at all surprised to see many users, whether they have any inklings of involvement in so called terrorist activity or not, just deciding to use companies that or to use services provided by companies that aren't bound by that kind of obligation. Well, that makes perfect, especially after all the backlash from the Snowden revelations and whatnot and the belief that the US government is already sweeping up all the Internet communications.
Speaker 2
13:09 – 13:21
That's a very, very good point. So senator Wyden, who seems to be on our side on so many things, put a block on the bill. Mhmm. Does that mean that it's dead? Or what are we gonna see in the fall when Congress comes back into session?
Speaker 0
13:22 – 14:29
Right. Well, we hope this will help the rest of the senate understand that this provision is very contentious. There's been a lot of attention to it over the past couple of years, you know, several different coalition letters going to congress or going to the senate to say that, you know, we're not talking about the rest of what's in the intelligence authorization bill. It's just this provision that's causing a big problem. And the intel authorization bill tends to pass the Senate through unanimous consent. So I think the more that we can emphasize that it's just this provision that's really causing the concerns, that sets up a good situation for that provision coming out. Now whether that means we don't see it come up as a standalone bill at some point, you know, unfortunately, as you were saying, this issue is getting a lot of attention right now. There's a lot of focus on, you know, how social media and online communications plays into the whole fight against global terrorism. And I would not be surprised to see something like this,
Speaker 2
14:29 – 15:45
keep coming up. Well, that's why we have you here. Just remain vigilant. You're yet again in the middle of a very, very tough topic. So we're glad to have you here. Thanks so much for coming on, Emma. Oh, absolutely. And Emma also has a panel proposal in for South by Southwest, and the topic is titled how to fight ISIS without breaking the Internet. So if you wanna hear even more on this and you wanna send Emma to Austin, go to the South by Southwest panel picker. That's what it's called panel picker and vote her up. You thumbs up it. Thanks so much again, Emma. Thank you. Defcon twenty three is in the books. And if you're like me, it's a bit of mythical creature seen and experienced only by the upper echelon of techies and hackers. You've read about the radioactive badges, the stunning hacks of seemingly secure systems in cars, planes, and pretty much any technology you can think of. Pure magic, at least to me. For our chief technologist, Joe Hall, it's not magic, though. He was at Defcon and joins us now to demystify it, but also maybe tell us just how cool it really is. Welcome, Joe. Thank you, Brian. You look well rested. So I'm assuming you slept through Defcon mostly, just, you know, went to bed at a practical hour. That would be not correct. Not correct. Okay.
Speaker 1
15:46 – 16:14
So tell me in your own words, what is Defcon? What is this? So Defcon is called the Hacker Conference. It's been going on for twenty three years now and it's essentially a gathering of hackers, about 20,000 hackers. And what I mean by hackers are folks that love to tinker with computer software and hardware, information networks, electronics, all sorts of stuff. Then it's really an environment for people that relish in tricks, mischief, pranks, and just clever approaches to problem solving in general.
Speaker 2
16:14 – 16:19
Cool. So what you were there all week. Right? Yeah. What is
Speaker 1
16:19 – 20:17
what are some of the cool things that you saw there? I won't limit you to one because I'm sure there's just too much. And I know that some of the stuff you probably can't even talk about, but Yeah. There's definitely stuff that you hear about on the down low, which is, like, keep it close to the vest. But there's a whole bunch of stuff that is very public. I'm sure as you saw, like, the car hacking stuff that we talked about previously on this podcast resulted in a recall of 1,400,000. Yeah. That was incredible. Absolutely. Right? So there's a lot of things like that. For example, a former CDTer, Runa Sandvik, and her husband, Michael, hacked an Internet-enabled sniper rifle. It's kinda weird that you would put a sniper rifle on the Internet, but they were able to make it shoot things you weren't pointing at. Who put the sniper rifle on the Internet? It's a company that name will that are barely almost not out of business. But it actually has some merit in the sense that it's so smart that a novice after about five minutes training can hit a one inch target at a thousand yards, which is, you know, if you know anything about shooting, that's crazy. Anyway, but it is hackable. And that was pretty scary seeing how many ways it was hackable. You could update the software inside to do things it wasn't supposed to do, but that will hopefully be patched sometime soon. Yeah. I would hope so. Right? Yeah. Anything else you saw that was, like, amazing and super cool? So there's a whole trend of hacking the hackers kind of stuff. And so, you know, for the longest time, DEF CON has been about hackers. Here's ways you could do neat new tricks and neat new ways to get into systems and stuff like that. And I talk about this as if it's an offensive we're going after people, but often it's helpful for us as defenders to know how the offensive attacks are gonna come at us. 
But there's a whole set of things, like, you may have heard of you may not have heard of, but one of the things that has been sort of popular are these things called pineapples, and this is a small thing you can have. I have not heard of it. Yeah. It's got a weird name, but you'd know it if you heard about it because you'd know pineapples. But it's basically something that mimics a Wi-Fi network, and so it looks exactly like the Wi-Fi network you would normally have connected to, but it's a rogue network. Mhmm. And intercepts all your traffic. And there was a really cool presentation by a guy named Wesley McGrew from, I believe, Mississippi State University or something like that, who essentially showed how to hack into these rogue versions of them and then, you know, mess with the hacker himself. And so it was sort of like hitting back at the hacker and he did it in a way that would make the hacker learn a bunch of things before he was able to get his stuff back. So it was kinda neat in this weird, you know, rogue hacking kinda way. That's very cool. So what about the side events and the parties? Whenever you go to conferences or events, those are often the things that you remember the most. What are those like at DefCon? DefCon. The parties are notorious. In fact, we were on the 22nd floor, and on the 26th floor in the penthouse was this place you could go to. It was sponsored by the conference that had, you know, techno and stuff all night long. Things like Alec Empire, MC Chris, if you know anything about Nerdcore rapping, for example. And it was loud and lots of booze. And there's just the parties at Defcon are notorious. But there's also a set of things that aren't sort of, you know, just to, you know, get alcohol into your system and music and deafening your eardrums. 
But there are sort of a whole set of things called villages, just as much space that you have for the talks are associated with these things called villages. And there was a crypto privacy village, which aren't sort of scheduled talks, but they're new things that people are thinking about. There was a social engineering village, which in this whole idea here is, you know, how do you use sleight of hand? How do you talk to people to make them do things just by being nice that they might be sort of against their own interests and stuff? And how do you protect against being socially engineered like phished, which is a really big problem these days. I can imagine. And there's also things like the DEFCON shoot, which is basically like 100 nerds shooting fully automatic weapons in the desert. And, you know, that seems to go very very well and people seem to learn a lot about luckily, none of those things are Internet enabled, but they may be soon. Hopefully, they're secure.
Speaker 2
20:18 – 20:36
Yikes. So during, the actually, the idea for this podcast DEF CON and the different groups that were there. Can you tell me more about what was so impressive and what inspired you Yeah.
Speaker 1
20:36 – 22:30
While you were there? The longest time, the information security community has been a bunch of dudes. You know, a bunch of sort of linear thinking. I'll not insult all of the half of our species, but, you know, it's been very hard for women to fit in in that kind of a culture. And I think we're starting over the years, we've seen a lot of attention paid to this, especially to things like, you know, inappropriate behavior. You know, there's this famous phrase of Handsy McHanderson's, which is a cute sort of cute name for guys who are touching women inappropriately, and a whole set of sort of like hacks to actually deal with those kinds of things. But more importantly, there's increasingly sort of solidarity amongst women and information security. And despite women making up maybe 10% of the 20,000 people at Defcon, they end up having sort of the tightest support network and making contributions that are way out of proportion to how numerous they are. We still have a pretty long way to go and, you know, I think those of us who care, like, you know, part of this is I want my niece to be able to grow up and have this as an option and not feel like she has to sort of fit in with a bunch of bearded guys and to really have fun and think about, you know, security and those kinds of topics. But, you know, Katie Moussouris from HackerOne has a really good phrase that I thought I'd mention, which is, you know, if you're a guy and we wanna help women fit in. She was talking about how, you know, so often I don't want men around that will fight for me when things go south, when things, you know, sort of clearly are being sort of problematic. I don't want men around me that will fight for me. I want men that fight with me. And I think that sort of helps, you know, set the stage is that it's an inclusive thing, you know. It's not about pointing out differences. 
It's about, you know, collaborating and really bringing people into the fold and and doing things as a community, as a holistic community that that allows anyone to contribute. That's fantastic.
Speaker 2
22:31 – 22:40
Also, lots of policy folks went. Why are policy, you know, tech policy people going to Defcon? Why is that important? Sure. Yeah. It used to be the case
Speaker 1
22:41 – 24:12
it's hard for me to remember when, but it used to be the case that you could hack away on a computer or solder some electronics in the, you know, privacy of your garage, and you know, you wouldn't have a lot of effect on the outside world. That's no longer the case, you know. Now we have the Internet, sort of the network of networks, where a lot of hacking involves making a connection over the Internet to test a system or to break into a system or whatever. And there are laws like the DMCA, the Digital Millennium Copyright Act, the Computer Fraud and Abuse Act that prohibits certain kinds of hacking that you might otherwise do in the privacy of your garage. You can't hack certain kinds of things if they protect certain kinds of entertainment content. And increasingly, you know, at this one, especially, there are a number of events at Defcon centered around how the legal landscape is evolving and what kinds of things we really need to think about in order to protect security researchers and sort of the practice of being in information security. And for better or for worse, unfortunately, hackers need to learn about the law and actually ethical behavior in general before they even write a single line of code or solder a wire onto something these days. That's sort of an increasing thing I think people recognize. You can't be ignorant of these things or you're gonna have a bad time. You know, you really need to think carefully about them. And we need them to show up in places like DC to help us make sure that the laws know about the things they do and allow them the freedom to help us make things more secure while punishing people who actually do things that are bad and destructive. Well, this is a bit related. You actually put together a group of technologists
Speaker 2
24:13 – 24:27
while you were there that are interested in policy or advocate advocacy work around human rights. Tell us a bit about that group of people you brought together. They sounded awesome. So this is our own side of that. This is Yeah. Where the second for the second year, we had what we call the Digital Rights Technologists
Speaker 1
24:28 – 24:28
Summit.
Speaker 2
24:28 – 24:31
And this is Sounds very important. Well, I actually
Speaker 1
24:32 – 27:37
you gotta come up with descriptive terms, but it ends up sounding more lofty than it is. It's really sort of a group of 20 or so, technologists, people like me who work at at nonprofits or work with nonprofits that specialize in digital rights issues and do online civil liberties. Since we don't have a conference of our own and because we all have very limited budgets, you know, we really have to take advantage of places where we'll have a lot of us in the same place to hang out, to get together, and share what we're working on and what we see coming down the pike. And this is about building solidarity amongst this group of folks that were, you know, less often running around putting out fires and more often thinking collaboratively and proactively about what we work on as a community. We talked about things like, EFF has this new tracker blocker, which is something you can install in Firefox or Chrome called Privacy Badger that follows you around the the net and takes a ride with you around the web. And basically says, hey, I've seen that thing track you across three different places that clearly is tracking you across the entire web. We'll block that from now on. Wow. And that's a pretty neat thing. And things like Let's Encrypt, which is a way to set up a secure website within like thirty seconds rather than like four hours to two days, which is what it takes now. And you don't sort of have to know all the things I know about how to set up a secure website. So these are really interesting things that, you know, industry wouldn't do on their own that that that we have to sort of motivate, and then some people come along for the ride later. Very cool. How often does that group get together? Just to definitely In fact, I think, you know, we're we're talking about maybe doing it more often now because, you know, because it's opportunistic. If we do it once a year, some people may not be able to come one year. They miss this two whole years of this. 
You know, it's the kind of thing where we really are thinking about having, you know, a regular call that people could join, you know, sort of a a mailing list of Slack, which is something that our audience probably doesn't know, but it's a new way to interact amongst teams. Various ways to sort of make sure that we're regularly touching base and we can say, you know, part of the value of this is, hey, what do people think about this idea? Is it crazy? Is it cool? Is someone else doing it? And that's often a big problem is if a number of us are working on the same thing. We'd really like to know because either we can, you know, resonate or we can one of us might do it better and say, oh, yeah. You do that and I'll work on something else. That sounds great. So you're planning to head back next year? I hope so. I really hope so. It's always sort of up in the air in the sense that, you know, I'd like to. I plan on it right now, but, you know, I I don't know. Ideally, I'm not the biggest fan of Vegas, but when it comes down to it, that's if you wanna get 20,000 alcohol pranksters in one place, that's probably one of the few places that will take your money. I can imagine. Any tips for someone going thinking about going for the first time? There's a lot of good resources if you if you search online for first time Defcon or something like that. But, you know, the the real basic thing is turn your phone off. You just don't even use your phone or attach your computer to any WiFi network around that place because that's the whole point of hacking is getting into your stuff and then you not knowing it's there. And so that a lot of us were you could tell I was probably, you know, not as communicative
Speaker 2
27:38 – 28:18
as I normally would have been. Yeah. Yeah. It was a little radio silence from Joe, but now it makes a lot more sense. Thanks so much, Joe. Really appreciate it. No problem. That's it for this week's CDT Tech Talk. You can find more information about today's topics at www.cdt.org. And be sure to vote up the panel CDT submitted to South by Southwest for 2016 on the South by Southwest panel picker. Your votes will help get our experts heard in Texas. As always, tweet us any questions you have or topics you'd like us to cover to @CenDemTech. Thanks for listening.