I'm Chris Soghoian, I work for the ACLU. Yeah. I
feel you! I've been thinking about this talk for a
while. Many of us have been trying to convince people
and companies to encrypt their communications for a while.
And the last few weeks and few years have been a really
good time. There has been a lot of positive movement
in the right direction and I'll talk about that today.
But I want to get us all the way there. I really want
to talk today about how we start to get default
encryption for everything and how we really start to do
As a reminder, I work for the ACLU, the American
Civil Liberties Union. Last summer when I came and
gave a talk, we had a table in the vendor area where
you can get T-shirts like this and someone came up and
said, why aren't you doing anything for Ed Snowden? Why
aren't you helping him? My boss, Ben, who is a Snowden
employer smiled and couldn't say what was happening.
We've been helping Ed for some time. And I don't think
it's overestimating to say -- just to say really we
wouldn't be where we are now were it not for his
disclosures and bravery. The amount of changes in the debate and the pressure on companies to encrypt is staggering. He couldn't
be here. We don't have the Snowden 5,000 walking
around the halls at DEFCON but we have it in New York.
And Snowden made this a lot easier.
This woman is Dianne Feinstein. You can boo
her if you like. Only at DEFCON. So she is the
chairwoman of the senate intelligence committee. I'm
going to read you a quick quote of hers from last year.
This is after the first few Snowden stories broke, as the
administration and the defenders of the surveillance community really started to go on the attack and
defend everyone's communication. This is what she said:
"It's necessary for the NSA to obtain the haystack of records in order to find the terrorist
needle." They need to do bulk surveillance, not because
they care about our communication but because they care
about the bad guys. There is a problem with this
analogy and this drives the talk today and drives a lot
of the work I'm doing. We are the haystack. We have
the haystack whose communications are being monitored
and it's not right. We can fight in the courts, which the ACLU and other organizations are doing. We can fight in congress, which the ACLU and other organizations are doing. And we can also fight
through technology and make it more difficult for bulk surveillance to take place. That's what this talk is about today: how do
we use math and technology to prevent them from
collecting the whole haystack.
Going back in time to 2009. A long time ago in a
galaxy far far away. If you cared about encryption on
the web, 2009 was a really bad time. Things weren't
good. With the exception of some banking websites that
you used, most of your communications over the web were
not protected with basic encryption built into all web
browsers. Even your authentication could be easy for
someone to steal your information.
In 2009 all the big cloud computing companies and social
networking sites and email providers none used SSL by default. Everyone
was vulnerable to surveillance. Not just by
individuals but by the state. There is a slide that I
haven't included in here from a GCHQ slide deck from 2009 in which they're
cheering and patting themselves on the back because so
many services are not encrypted. Without SSL,
surveillance was a question of how to do the tap and
how to process the data rather than how to break any
technology or security.
This is a blog post from Google in 2009. When
they first announced the availability of an option, a
configuration setting to force SSL in the future. This
was an option that wasn't turned on by default. You
had to go in and set it. "SSL can make your mail
slower, your computer has to do extra work to decrypt
that data. And encrypted data doesn't travel across
the internet as efficiently as unencrypted data and that's why
we leave the choice up to you."
This was a false choice because this was an option that was hidden from most
people. If you clicked into the advanced settings in
Gmail it said use HTTPS question mark. Nothing to
indicate that this was important. It was the 13th of 13
configuration options, after the vacation auto away message, after unicode settings. Most
people don't know what unicode is. The user interface of
Gmail screamed to users this isn't important. It
doesn't matter. So to say this is a choice for the user,
it's false. What you're doing then is allowing a
system to ship in an unsecure manner and blaming the
user for not seeking out the option and enabling it.
That was Google in 2009. That meant that for the
people that work in this building or at NSA, life was
good. Bulk surveillance is easy in a world where
everything is going over the network without any
protection. For the NSA in 2009, the internet was an
all you can eat buffet. We know what happens when a
society is dominated by all you can eat buffets. The
NSA gorged themselves. They gorged themselves until
they got sick, actually until one person got sick and
blew the whistle. Now it's time to put the NSA on a
diet. Sorry for the analogies but they make sense.
We need to starve the NSA of the data they've come to
depend on. It is because of people like Ed Snowden
that we now have an understanding of what is taking
place and how they're collecting information which
means we have an understanding of what we can do to
In the last year there's been a number of
disclosures about bulk surveillance targeting internet
communications. And these, it's fair to say, set the
internet on fire. The first slide that galvanized the
tech community is this slide that says the NSA is
monitoring the links between Google's data centers. Google believed --
after 2010 Google turned on SSL. Google believed they
needed to encrypt the links between the user and the servers. Google thought that the privately slime cables that they were renting from companies like Level 3 could never be tapped, so even though they had data centers in other countries they didn't feel they needed
to protect the links. Google is wrong. The NSA and
their GCHQ partner tunneled into the private network and got
information that wouldn't have left the internet
The Washington Post revealed that the NSA has been
monitoring the address books of many popular
communication services, Yahoo, Google, Facebook. The
NSA is interested in instant messenger lists. They
show communications and patterns and who you're
interested in talking to.
On this slide the thing that is the most
interesting and damning for the tech companies is the
news that Yahoo users are being targeted by the NSA
an order of magnitude more times than Gmail or
Facebook. Why were Yahoo users having their address
books collected an order of magnitude more? Because
they weren't using SSL. The fact that Yahoo is using
it now is directly as a result of the Snowden.
We've seen the tech companies beef up security.
Companies embracing SSL. We've seen them tightening their choice
of encryption algorithms. The adoption of perfect forward secrecy, of
HSTS browser headers, making sure that you always go back to the secure version of the website. You never go to port 80.
We've seen instant message platforms all migrate to
user-to-server encrypted links.
We just saw yesterday, Yahoo announced they -- by
2015 will be offering encrypted e-mail to all their
users. Encrypted end-to-end email. Not by default, but they're offering it. We're
at a point where there is this movement. There is a
movement to encrypt all the things.
And it's working. We're seeing Yahoo, Google,
Facebook, Twitter and Microsoft, we're seeing the
technical teams within these companies finally have the
power within the organization to get what they want.
For sure there are security engineers within Google and
Yahoo who for years wanted this stuff. I'm sure that
the people in the Paranoids team at Yahoo were
embarrassed by the fact that the website wasn't SSL
enabled. At the end of the day they don't choose the
resources they're given and it's difficult when you're
a company that's not doing well, losing users, to justify the expense, both in human resources and equipment, to make that kind of shift, change. What pressured Yahoo and got
the powers that be to allocate those resources and to hire a CISO like Alex Stamos was
major negative publicity. Front page stories in
newspapers around the world showing that Yahoo was
successfully targeted by these intelligence agencies.
The stories in the newspapers help. Naming and
shaming also helped in a big way. Earlier this year
Google released data on websites that do and do not use
encryption for e-mail. We can all visit our bank and
e-mail service and look for the lock icon in the URL. You can see
whether the website is encrypting the data. It's much
more difficult to see whether the e-mail that you're
sending is going over encrypted links the whole way.
And earlier this year as recently as January of
this year the answer may have been 25 or 30 percent of
servers on the internet were encrypting. Google
started releasing this data a couple months ago and
it's really, really useful, because it's allowed us to
name and shame. And the fact is there isn't a
performance reason not to have encryption, server to
server encryption. No reason at all. It's because no
one ever did it.
For the last few months I've been calling up the
general counsels, the chief privacy officers, the chief security officers of
the companies and one by one explaining why they need to do this.
And having this data online has made it easy. I have
now something in URL form that I can include in an
e-mail and say, why are you not doing this? Why do you have an F letter score? Over the
past few months we got Comcast and Apple and Microsoft
and many, many companies are slowly doing this. It
makes a big difference.
To be clear, STARTTLS is opportunistic encryption
and not resistant to active attacks. But if the name of the game is protecting us against bulk surveillance, this is moving us
in the right direction.
So naming and shaming is one technique. Another
one that I know a lot of people in the tech community
think is stupid is gamification, this idea of badges. And it's
stupid but it works. That is why every app built
badges into their system. We've seen two really,
really useful and successful examples of gamification
that drive the adoption of encryption. The first is
SSL Labs. You can go to the website and type in any
other website's name or URL and they will run a bunch
of tests and tell you how good the SSL configuration
is. And more importantly they give you a letter score.
And it's for things like configuration options and
algorithms and perfect forward secrecy and resistance to the BEAST attack and other
In the last 6 months to a year we've seen server
operations changing their configurations because they
want an A plus score. This makes surveillance more
expensive. Perfect forward secrecy reduces the risk to users
when keys are compromised or stolen or compelled from a company. A
couple Norwegian guys started starttls.info. You can
type in any domain name and it gives you a letter score
for the SMTP encryption options. The NSA still has not got
the best score in the world.
And this also has been really, really useful in
getting people to turn this stuff on. So we've had naming and shaming.
We've had gamification. And another method that
worked well is bribery. For the last six months
I've been offering whiskey to administrators of
servers to turn on SSL for their websites. It started
as a joke but it's actually working.
So the first major site to go SSL by default was
Techdirt, citing the whiskey offer. I need to send
them three bottles of whiskey to say thank you. I
can't release the secret yet but I got an e-mail
from an engineer at a very, very large website
yesterday telling me they will be going SSL by default and
specifically asking for whiskey. They didn't even say
please. This stuff works.
Then of course yesterday Google announced a huge
move in which they're going to give a boost in the page
rank scores to sites turning on SSL by default. This
is a really big deal. When you think of all the scummy SEO people (search engine optimization) and the tricks that they will pull to get their websites one step
higher on the Google result, this is going to be huge
in terms of getting websites to do the right thing.
The combination of the carrot and the stick is definitely moving in the right direction.
So that's where we've been in the last couple
years. How we've gotten companies to turn on SSL. How
we've gotten companies to flip these options. In many
cases our messaging can use some work. Not just around
SSL but in interacting with policymakers in D.C. Some
of the messaging that we use in this community is good
for us but scary to the outside world. It's so scary that it hurts us down the road when we're litigating cases. I'm going to
give you a few examples of that. It's really sort of
funny in some cases but it's funny in a private way.
We need to clean up our act and use a little bit
of marketing. To spin some of these technologies in a
better sounding way. I'm sure in the last year many of
you have seen companies touting their NSA proof
technology. Of course this stuff isn't NSA proof. And
there's a debate to be had about the merit of this and
whether this is a false sense of security. For the
purpose of this discussion, the problem with saying
that your stuff is NSA proof is that it strikes fear
into the hearts of policymakers. Members of congress,
they don't want NSA proof technology. They think the
NSA is doing their job. They think that police
wiretaps are a good thing. We can quibble about how
often they're used. But members of congress mostly
support some kind of surveillance. If we tout
surveillance proof, FBI proof, what they see in their
minds are technologies that help the bad guys and that's not
This is Mujahideen Secrets, a largely ridiculed terrorist
encryption app online. No one uses this thing but
every couple years there is a story about how there is
a different version of Al-Qaida encryption app. This is
really, really scary to people in D.C. and policymakers
and they really believe this stuff exists and that it's
used and it's preventing the FBI from capturing the
next terrorist. When we use language similar to this
stuff. Maybe you don't have an AK-47 as the logo for
your app, but when we use this it looks really, really
scary to the people in power and to the courts.
This is an excerpt from a case from the Ninth
Circuit called the Cotterman case where a guy brought a laptop back
from Mexico. This is a footnote in a majority decision from the court saying, "We do not suggest
that password protecting an entire device as opposed to files within a device can
be a factor supporting a reasonable suspicion determination." This is
a really long winded way of saying that the Ninth
Circuit thinks that disk encryption is okay but per file or
per folder encryption is suspicious. That's laughable, but these are judges
that don't know a lot about technology. They think
that the encryption that comes built into your
operating system, the whole disk encryption is
reasonable. It's a legitimate cyber security technology that protects data breaches, but they think if
individual people choose particular folders to
encrypt, that is a sign of something suspicious. So that we're just up against.
We're up against judges that think a file or a folder level
encryption is inherently suspect. When your app or
the program you're using is a wiretap proof technology,
that judge freaks out. You look like a bad guy just
for using it in the first place.
The message I'm going to give you is we need our
technologies to be as boring as possible. We don't
want to be exciting. I know it's great to have a
DEFCON person on stage with flashing lights and talk
about how you hacked this and that but that is really
scary to judges. The security and encryption
technology that we're pushing now that we want the
public to use, they need to be non-threatening. Not to
the user but the court. The members of congress, the
FBI. They need to be as boring and standard as
Another example. There was a Supreme Court oral
argument in Riley about whether police need a
warrant to look at your phone. You are arrested for
something, can they look at your phone and download all
the data from the phone? It's an exchange between the
lawyers and the chief judge of the court. I'll show
you the excerpt in a minute. Chief Justice John
Roberts thinks that someone with a single cell phone is
okay but someone with two cell phones is a drug dealer.
Roberts himself says that people with two cell phones
are suspect. And when a lawyer says no, he says what's
your authority for having people with many cell phones
on their person. He never met someone with two cell
phones even though the majority of the lawyers in the court have
multiple cell phones on them.
In D.C. where I live, people are forced to use
BlackBerries and they also have a second phone because
they want a useful smart phone. Having two cell phones
in our world makes you a bad guy. How do we push back
against the court when two cell phones are suspicious.
If you have an app on one of your cell phones that lets
you make wiretap proof calls, you're a really, really
bad guy. And I don't want you to be a really, really bad guy. And when we end up litigating one of those cases I don't want our defendant to be a really, really bad guy with two phones and an NSA proof calling app. Which means don't talk about the NSA. The services that you're building, the
cool apps and protocols you're designing need to be
boring and not involve nation states and intelligence. You
can do what the Tor Project does and talk about your
threat model and global passive adversaries. But don't talk
about the NSA. It doesn't help anyone.
This is a really good example of this point. This
woman is Pamela Jones Harbour, a Federal Trade Commission commissioner. She
left in 2010. And she was the first U.S. government
official to ever give a public speech in which she
mentioned the word SSL. She worked at the FTC, an
agency that I worked at. And in March 2010 she gave a
speech and asked all cloud computing companies to turn
on HTTPS. She said: "Today I challenge all of the companies that are not yet using SSL by default, that includes e-mail providers, et cetera, step up and
protect consumers. Don't do it some other time, make your website secure by default." This is really powerful language.
Really good language from a senior presidentially
appointed U.S. official. She is calling for something
we all want. We all want widespread encryption. She
doesn't talk about the NSA. Likewise this guy, Chuck
Schumer, super, super law enforcement friendly senator from New York. He loves law and order and surveillance. This
is him in 2011: "Providers of major websites have a
responsibility to protect individuals who use their
sites and submit private information. It's my hope
that the private sites put in secure HTTPS sites."
Again we have a pro-law-enforcement senator calling for companies to deploy technology that
makes network based wiretaps more difficult. How do you get a
senator to do that? How do you get a senator to call
for a technology that makes life more difficult for the
police? Bribes are one way.
Whiskey is another way. Or you don't talk about
the police. We didn't talk about the NSA. These folks
didn't talk about the NSA. Instead they were talking
about hackers. Sorry, that's what hackers look like to
people in Washington, D.C. You guys have your ninja
masks in your bags. They were both responding to a
tool called Firesheep released by Eric Butler. This was an easy
to use graphical interface, a Firefox plug-in that
captured authentication cookies going over the wire and let you log into the
accounts of other people that were sharing
the same wifi network as you. This was the Wall of Sheep in browser plug-in form. What made
it a big deal, this was a plug-in that anyone could
download and in fact, several million people downloaded it, then it made it to The New York Times.
There was a story about Firesheep and then a month or two later Chuck Schumer is
sending letters to Yahoo and Amazon and Twitter
telling them to hurry up and turn on SSL.
The way we get this encryption stuff deployed is by making it palatable for the people in power, making
it seem like an anticrime technology. Antitheft
technology. In 2009, I and 37 other researchers signed
a letter to Eric Schmidt, back then the CEO of Google, in which we called on
Google to turn on SSL for Gmail. In this letter we said, we urge you to follow the lead of
the financial industry and enable SSL by default. This
is because of the huge threat posed by identity theft.
We didn't mention the NSA. We didn't mention the
police. This was criminals at Starbucks.
Of course Bruce Schneier knows about the bulk
government surveillance. But you don't have to
advertise it. Right. Make it easy for the people in
power to do the right thing and take advantage of the
boogie men that we have which are identity thieves. The
other thing to note is that in the United States we
don't have a privacy commissioner. In Canada and
European countries they have privacy commissioners that
are responsible for all things privacy. We don't have
that in the United States. We have the Federal Trade
Commission that regulates accepted business practices
and goes after tech companies for lying about privacy.
The FCC that goes after obscenity like Howard Stern on the air. We
don't have a national privacy regulator. If we want
the two regulators that we have to do things that we
care about we have to portray it in language that they
understand. We have to make it seem like it's
consistent with their mission. So the Federal Trade Commission cares about identity theft. The FCC cares about the
radio and phone networks. If we want them on our side
and want them to pressure companies and give speeches,
we need to help them to do so and that means not
talking about the NSA. We can talk about it in this
community. But when talking to the outsider we can't use
that language that isn't scary to them.
That means we need to talk about cyber. I know
that there are many people that think the word cyber is
stupid. It's ridiculous that people in suits talk
about cyber as something serious. When you hear the
word cyber you think of something that looks like this.
It's really difficult to find an image that
captures cyber sex that is funny but not too offensive.
It took me hours to find this.
Most of us when we think of cyber we think of
awkward conversations in AOL chat rooms with people who
may or may not be the actual age they tell us they are.
And we don't think of something that is serious. We
don't think of cyber-security. For many of us when we
hear the word cyber we think of age, sex, and location.
But the fact is that for the people that matter, the
people in power, right, for them ... For them cyber is
real. Cyber is the real deal for people in D.C.
Cyber-security is the only part of the defense
department budget that is going up. The only part of
the DHS budget that is going up. One of the things legislation actually moves in D.C. So by us ridiculing cyber,
we're not part of the debate around cyber. We're
absent. We let them set the agenda around cyber
because we think it's silly because they're using the
wrong words. This is the director of national
intelligence. Famously lied before congress. And so
James Clapper in March of 2014 said when it comes to
the distinct threat areas, in their annual threat
assessment, this year leads to cyber and it's hard to
overemphasize its significance. Here we have the top national security
official in the United States telling the senate that
this cyber thing is the biggest threat this country
faces. Bigger than terrorism. These cyber threats put
all sectors of our country at risk. Again, with this
language, the average non-tech savvy senator or member
of congress, they're thinking oh my goodness this
cyber-security stuff is huge. It's a huge threat and
we have to do something and we're not present. We're
not present in that debate. And we really should be.
So you may think, okay, well the reason these people
are talking about cyber-security all the time is
because of money. And that's entirely true. Right.
There are defense contractors that are advertising zero days
on the subway in D.C. You have the ex-director of NSA that
leaves and is offering himself at a million dollars a
month to clients. Cyber security business is big business in
D.C. But so what. What matters is that people care.
What matters is if you talk about cyber-security you
get in the meeting. People listen to you. People
think it's important. Cyber-security is important in
the eyes of policymakers which means we should be using
the language of cyber-security for all of the stuff
we're doing. Every technology that we're building we
should be pitching as cyber-security. And the reason
for this, cyber security is moving through D.C. whether
we like it or not. Let me explain how this works. You
have these ex-generals and ex-government officials who go on and work for defense contractors and
every week they go to a meeting with congressional
staff to pitch how big of a threat cyber-security is.
On one side of the table you have this ex-general or
ex-senior government official that doesn't really
understand technology. And on the other side of the
table you have a member of congress that doesn't
understand technology or a 24 year-old staffer with a
science and technology degree that doesn't understand
technology. They never get into the detail of saying
this particular technology is a threat to our
cyber-security. If the meeting is a success, the best
possible outcome is the member of congress leaves with
a feeling that China is attacking us. Cyber-security
is a massive threat. We need to dedicate more money to
this and maybe the company that had the meeting, their
technology might be useful. That is it. We had one
person that lives in D.C. who is laughing.
This is true. This is actually how it works.
What that means is this is happening every day, every
week, these meetings are taking place in hearing rooms
and committees, every week someone is coming in and
saying that cyber-security is a huge thing. Now if we
try to stand there and say, in fact this cyber stuff is
bullshit, they're going to ignore us. There are too
many people saying that cyber-security is a problem.
We cannot push back against that. But what we can do
is say that these other things are a cyber-security
problem and the technology that we're building protects
us all from cyber threats. We're not telling them the
briefings they got from ex-generals are wrong, we're
just saying there are better things to do to keep us
The average member of congress doesn't understand
technology. This is Ted Stevens for all of you that
don't recognize the face. He became famous for this
internet as a series of tubes thing. My guess is the way that meeting
went down is you had some tech person come into a
briefing and he was describing the internet as a bunch
of pipes. And pipes is like a fairly accurate
description. We talk about pipes in the tech community. And
Stevens is sitting there drawing on his note pad and
that one word sticks in his head and then he gets to
the senate and gives a speech and pipes become tubes
and he becomes a laughing stock. He retained from that
meeting that the internet involved tubes. All we need
to do is convince them that our technologies protect
cyber-security. We don't have to go very far because
they don't go too far into the woods.
Traditionally those of us who work in this space,
the lawyers, the law, the advocates, those of us that
work in this space, we have a real uphill battle. We
go into a meeting with a member of congress and say you
shouldn't pass legislation requiring backdoors in encryption
technology. You shouldn't pass laws requiring
companies to retain records of everything their
customers do. You shouldn't pass laws prohibiting what people do with the technologies they buy. We find some people who are sympathetic
to this message but there are a lot of people in
congress whose first priority is public safety. And in
their eyes there is a trade off between public safety
and privacy. There are some members who really care
about privacy and civil liberties and are willing to go gung ho
down the privacy and civil liberties path. But there are many others who care a little bit more
about public safety. They're worried the next time
there is an attack, their vote no on a bill will come
back to haunt them. That they will lose an election. No one wants to vote no on a piece
of legislation that will make it more difficult for the
police to catch the bad guy. That's the reality of the
world. We can only convince so many members of
congress to put privacy and civil liberties ahead of
What if it's a security versus security debate?
What if instead of trading off privacy against national
security, there are different security threats that the
members have to weigh. What if adding back doors
to communications network opens those networks up to
compromise by hackers. It's a security versus security
debate. What if you retain large amounts of data that
data becomes an attractive target for criminals. Oh, suddenly data retention is a more complex
issue. By embracing the language of cyber security we can shift this from a
debate where we lose to a debate where we might win.
Many of you may have heard of the four horsemen of the
information apocalypse. There are trump cards in
political debates. Pedophiles and drug dealers, it's
tough to push legislation when members or pro-law
enforcement people say this bill or this technology
helps terrorists hide their stuff. And traditionally
those of us on the public interest side of the table
have always had a bad set of cards.
We've had the bad facts. All the case law, all the fourths in
the case law is drug dealers and pedophiles.
Everyone's fourth amendment rights come from really bad
cases with really bad attacks. Traditionally the four
horsemen were not good for our side. But now there is
a new horseman. And he looks like this. His name is
Wang Dong. This is a real FBI wanted poster. This is one of the Chinese military officials who
was indicted by the U.S. government. Foreign nation
hackers are a huge threat and a threat that
policymakers take seriously. Chinese cyber hackers are
just as big of a boogie man as pedophiles and drug
dealers. Now members of congress have to weigh decisions
that pit things that may help the police against things
that help the nation state attackers. Suddenly we
don't get steam rolled.
What that means is we need to reframe the debate
around the technology that we all care about. For far
too long Tor has been a technology to help citizens
protect their privacy online where the internet is paralleled and censored. That is not
the case. Tor is not about journalists or dissidents. It's a cyber security
technology. Silent Circle or Signal, two voice apps
that encrypt your communication that goes over the
carrier's network. These are not wiretap proof
telephone communication apps. These are cyber security technology that protects you from nation state adversaries using IMSI catchers. See how this works? TextSecure is not
an anti-surveillance technology. It's a
pro-cyber-security technology to keep you safe where
the phone companies have not employed strong security
technologies. We need to embrace this language that everything we're
doing must be cyber. Even if you think it's silly,
just keep saying it. Cyber, cyber, cyber.
It sounds silly, but in a few years we're going to
have a case that the ACLU will almost certainly join in
some way where the government will say that encryption,
a particular form of encryption is a devil's technology
used by drug dealers and bad guys. Now we can see
that -- then we'll be able to say that most of the web
is using HTTPS and government agencies are using PGP. We'll be able to say that government agencies are using Tor to
protect our data from bad guys. When that happens the
courts will not be able to demonize these technologies.
Suddenly using Tor or voice encryption or full disk or folder
encryption will not be suspicious and the way we get
there is through cyber. It's a war. Let's fight this cyber war...
Thank you very much.
"This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings."