Ask Me Anything - The Electronic Frontier Foundation (EFF)

[Below0]

in the wake of Superfish and Lenovo, do we have to be afraid that every piece of tech we buy is bugged? Should have we been assuming that already?

 

[bythelake23]

do you have any plans for a Canadian chapter and how would you describe the state of ISP regulation/net neutrality in Canada?

 

[JGillula]

in the wake of Superfish and Lenovo, do we have to be afraid that every piece of tech we buy is bugged? Should have we been assuming that already?

I think it's appropriate to be concerned, but I don't think we've quite hit "ZOMG I'm going to abandon all my technology and go live in the woods" yet. (Though some days, when I read the news and find out about yet another bug that risks the security of large numbers of people, I do briefly consider that...)

Right, back on topic. I think it's important to distinguish between tech being bugged and being buggy. Superfish was buggy--the security vulnerability wasn't intentional, even if the purpose of the software was creepy, questionable, and poorly thought out. Sadly, lots of code has bugs--and it'll always be that way. The only way to defeat this is for companies to pay more attention to security, and to be more conscious of what third-party tools they're using. (In the specific case of Lenovo, something good did come out of the debacle: Lenovo has promised to stop loading their machines with crapware.)

As for being bugged, although the NSA has shown it definitely has the capability and wherewithal to intercept tech and bug it, or to load malicious firmware onto peoples' machines, I don't think the average person has to worry about that too much. (It's a different story if you're an activist, politician, businessperson, journalist, sysadmin, prominent engineer, etc., though.) Of course, that's also different from dragnet mass surveillance--which is why you should rely on trusted tools for encrypting communications.

But of course, that brings us back to software being buggy (even pervasive software like OpenSSL). So in the end, the best you can do is try to assess for yourself what your threat model is, and what tech you trust. (This kind of seems like a non-answer, so feel free to reply and ask for more clarification. )

 

[jcbeff]

in the wake of Superfish and Lenovo, do we have to be afraid that every piece of tech we buy is bugged? Should have we been assuming that already?

To add some more to Jeremy's response, the biggest immediate consumer lesson from the Lenovo/Superfish fiasco is that when you buy a new computer, you should re-install the OS if you are technically capable of doing so. And, yes, we probably should have been assuming that already. PC makers have been bundling software for years that is often unwanted, annoying, and wasteful of resources; in the case of Superfish bundled software also opened up an enormous security hole. It's sad that the state of the PC market has gotten to that point where user's can't really trust their PC maker not to abuse their position to make a few bucks. Hopefully the reputation hit Lenovo is continuing to take on this will help push the industry to reform this practice, but in the short term re-installing is still smart.

Unfortunately, even though some users are going to re-install their OS (or better yet, switch to an open-source OS!), this is harder on Android devices and very difficult (by design) on iOS devices. And as my colleague Cooper Quintin blogged for EFF this week, to really be safe you need to check what firmware is running on all of your hardware-essentially you have lots of little OSes to re-install if you really want to be sure you're machine is safe.

Ken Thompson famously laid these issues out back in 1983 when receiving his Turing Award (considered the "Nobel Prize for Computer Scientists"). There's always a level below that can undermine your trust. Even if you install all of your device firmware, BIOS, and main OS yourself (and you compiled it yourself from known-good source code), how do you know there isn't microcode running on your CPU that's compromised, or backdoor CPU instrucitons?

Ultimately it's not practical for any individual, no matter how technically skilled, to use a device as complicated as a modern computer and ascertain for themselves that the overall system is trustworthy. This is a social problem and we need to do a lot better to ensure that the organizations building our hardware and software are delivering platforms that we have high confidence are not bugged.

In the short term though, please do re-install your OS on a new computer 🙂

 

[natecardozo]

do you have any plans for a Canadian chapter and how would you describe the state of ISP regulation/net neutrality in Canada?

I had no idea the answer to these questions, so I asked my colleague Vera. Vera's a US lawyer, but she's a Canadian person, so she's the best situated here @EFF to answer. Here's what she said:

We don't do much work directly in Canada, we have lots of allied civil society organizations that do. See these for some more info:
https://cippic.ca/
https://openmedia.ca/saveournet/faq

The good news is that Canada currently has net neutrality! However, it's under threat recently with things like the zero rating ruling among other things.

Sorry, that wasn't the best answer, but hopefully it's a start.

 

[xor_eff]

When you speak of DRM tech, aren't companies like Blizzard/Ubisoft and the likes taking a strong dislike towards your campaign? After all it was a route that most folks thought were to curb piracy problems.

Yeah, it's possible the people who like using DRM to control secondary uses of their products aren't crazy about our pointing out how harmful to consumers it is. Probably the people who sell DRM software to those companies don't like it, either.

Beyond being bad for the users, though, there's not a lot of evidence that DRM is effective at stopping "piracy." You mention Ubisoft; last year that company's VP of digital publishing said as much. You get the same kind of comments about piracy being a "service problem" from Gabe Newell a few years back.

To the extent piracy is a business problem, there are solutions that don't involve DRM. Not only has DRM tech proven ineffective, but it comes at far too dear a price to your users' rights.

 

[Nadia_K]

If someone doesn't have a great deal of time or expertise (or money) to invest, what practical or specific actions would you recommend an individual take towards personal and community electronic freedom? What actions or choices have the biggest impact?

Thanks for asking! There are many things you can do. It's hard to say what has the biggest impact (especially when we deal with such a wide range of issues.) But you can check out our action center, where we have actions that deal with issues ranging from NSA spying to patent trolls. Sending emails does make a difference, when lots of people do it.

And on that note, educating yourself and others about the issues is a great thing to do to. If you don't have the time to check out our blog every day, you can sign up for our newsletter , which includes condensed versions of our top articles.

On a very practical tip, if you're concerned about surveillance, you can check out Surveillance Self-Defense. SSD is EFF's guide to defending yourself and your friends from surveillance by using secure technology and developing careful practices. And fortunately, a lot of the tools for being more secure online are free and easy to use. If you start with threat modeling, you can figure out what the most meaningful privacy tools for you to use would be.

All that being said, if there's a particular issue that you're especially interested in, let us know. There may be a specific action we can point you towards!

 

[AndrewEFF]

A few questions:

• ■What's your thoughts on allowing [strike]electronic[/strike] online voting? Do you think the benefits in terms of increasing voter turnout (particularly amongst young people) outweigh the dangers of poor and insecure implementation?
  
  ■Some countries, notably Brazil, have chosen not to buy equipment from the US specifically as a result of the NSA's spying. Do you expect this to have any significant impact?
  

EFF,

By my count EFF took on 1 case (EFF v. NSA) and spent a total of 10 minutes in court (Smith v. Obama) for the entire year of 2014. EFF spent the year of 2014, primarily blogging commentary on national news stories, which is not legal advise. The legal documents EFF does spend most of it time filing, are public opinion Amicus Briefs. At that, a measly 7 Amicus Briefs were filed for new cases in 2014.

Can you help me understand why EFF spent such little time inside of a court room for the year of 2014? Do I have a misunderstanding of the EFF's mission? I thought the EFF was supposed to be an organization that protected our digital rights in the courtroom. All I have seen from the EFF in the past year has been drumming for donations, blogging, cheerleading, and foot stomping.

Can we expect to see EFF take on more legal cases, and spend more time in a courtroom, actively fighting for digital rights, in 2015? There certainly seems to be no shortages of legal challenges to take on.

-Long time EFF supporter

I'm sorry that you're disappointed in us, but I hope I can clear things up a bit.

First, I would say that assessing our legal work by the number of minutes we spend in court or even the number of new cases we take on is really a poor metric. Despite the television portrayals, litigation is a slow-moving beast, and most of it involves exchange of papers between the parties and the court, not arguing in front of a judge. Parties often have little control over when they actually appear in court; this is mostly a function of the judge's calendar and other administrative factors. Moreover, EFF practices impact litigation, which means we only take on cases if we think they can make a positive change in the law or prevent it from getting worse. So unlike your average law firm, we don't measure our effectiveness by billable hours.

Litigation is important, but it's not all the EFF legal team does--we file comments with administrative agencies, testify before state and federal legislatures, offer legal counseling and advice, and yes, do outreach work. Finally, that's just the work of the legal team; describing the work of EFF's other teams would take volumes.

We file a lot of amicus briefs, it's true, but those can impact the law. We are often contacted proactively by courts who want us to file amicus briefs in order to have input with a sophisticated understanding of technology. In one such case, United States v. Vargas, EFF filed an amicus brief that was relied on by a judge in ruling that the government's installation of a pole camera overlooking a defendant's front yard and secretly recording his activities for more than a month was unconstitutional. The government appealed, and EFF now represents Mr. Vargas directly.

To clear up any misunderstanding, however, EFF lawyers spent way more than 10 minutes in court in 2015, and we took on a ton of new cases, in addition to all of our other work. Off the top of my head, we had major hearings in our NSA cases (Smith, Jewel, and as amicus in Klayman v. Obama), our National Security Letter cases, defending student developers, arguing for government transparency, stopping patent trolls, on and on. We had a single hearing in Jewel v. NSA in December 2014 that lasted 3+ hours.

As for new cases, again I can't give you a complete list, but we filed a number of FOIA suits, defended clients against bogus copyright and trademark demands, initiated agency proceedings, and so on. Again, this is in addition to some of our bigger cases, like Jewel, which has been going strong since 2008. In other words, we play a long game and a short game. 2015 won't be any different.

To piggyback on Andrew, one of the cases I'm proudest of launched in 2014. We're suing the government of Ethiopia: https://www.eff.org/cases/kidane-v-ethiopia

I understand the difference between TV and the flesh reality world that we live in.

So the EFF spent about 3+ hours in a court room for the entire year of 2014. This is appalling.

So if this is a bad metric, please provide an example of a good metric. EFF has not had a single victory, in the entire year of 2014, that it can conclusively point to as an example of its progress. Yes, I would certainly say the fact that EFF spent a total of 3+ hours in a courtroom, for an entire year, attributed to such a poor performance by the organization.

Less legal blogging, more legal action.

I hope 2015 you spend 6+ hours in a court room fighting for digital rights!

Thank you,
-Long time EFF supporter

I don't know that I'm going to be able to convince you, but I will point out that I was saying we had a single hearing that lasted 3 hours. To repeat: we spent many, many hours in court in 2014.

I would still say you're taking a narrow view of our work. For example, in 2013 we won a major victory by having the National Security Letter statute (part of the Patriot Act) declared unconstitutional. We spent a sizable amount of time in 2014--including, yes, in a hearing--defending this victory on appeal. We still don't have a decision in that appeal yet, though, because litigation is slow. We can't control the courts--not their pace and not the decisions they issue. We make the most persuasive arguments we can, but we can't force victories in court.That's part of why we don't spend all of our time litigating. We have had numerous victories in getting legislative reforms, positive changes in technology, etc etc. I stand by our effectiveness and our success, but that's for you and our other supporters to judge.

 

[Guest]

I was looking around your website after you answered my question earlier. I noticed you sell stickers that cover laptop and smartphone cameras.

That actually scares me, as I never cover the camera. In the case of my laptop, there's a light that turns on when the camera is activated. Can that be turned on by third parties without the light going off?

 

[Someone Somewhere]

I was looking around your website after you answered my question earlier. I noticed you sell stickers that cover laptop and smartphone cameras.

That actually scares me, as I never cover the camera. In the case of my laptop, there's a light that turns on when the camera is activated. Can that be turned on by third parties without the light going off?

Yes.

http://arstechnica.com/security/2013/12/perv-utopia-light-on-macbook-webcams-can-be-bypassed/

 

[AndrewFreedman]

Hey everyone!

We're going to give our guests from the EFF a break to finish their day, get some food, sleep, and all that good stuff. They'll be back in the morning to finish answering your questions before the AMA closes at 12 p.m. EST. In the meantime, feel free to add questions overnight for them to get to in the morning.

Thank you all for your awesome questions, and thanks to the EFF for their time and answers so far!

 

[keepit100]

As I'm sure you know, the EFF is asking the Supreme Court to hear arguments about whether police should be allowed to collect certain kinds of DNA without a warrant.

"As human beings, we shed hundreds of thousands of skin and hair cells daily, with each cell containing information about who we are, where we come from, and who we will be," EFF Senior Staff Attorney Jennifer Lynch said. (source: https://www.eff.org/press/releases/eff-supreme-court-fourth-amendment-covers-dna-collection)

I'm all for not being in a database of DNA at my local police department, but I also don't worry about them collecting my toenail clippings. Should I? At what point is preventing DNA checks keeping police from doing their job?

This Raynor case seems quite specific, and I agree that lack of consent is lack of consent. But how do we expect the police to do their job, say, looking at crime scenes for hair and fingerprints if this goes through?

 

[natecardozo]

As I'm sure you know, the EFF is asking the Supreme Court to hear arguments about whether police should be allowed to collect certain kinds of DNA without a warrant.

"As human beings, we shed hundreds of thousands of skin and hair cells daily, with each cell containing information about who we are, where we come from, and who we will be," EFF Senior Staff Attorney Jennifer Lynch said. (source: https://www.eff.org/press/releases/eff-supreme-court-fourth-amendment-covers-dna-collection)

I'm all for not being in a database of DNA at my local police department, but I also don't worry about them collecting my toenail clippings. Should I? At what point is preventing DNA checks keeping police from doing their job?

This Raynor case seems quite specific, and I agree that lack of consent is lack of consent. But how do we expect the police to do their job, say, looking at crime scenes for hair and fingerprints if this goes through?

Hi Larry (can I call you Larry?),

Unfortunately, the Supreme Court just decided not to take the Raynor case, so we're not going to get their opinion.

But this isn't about keeping the police from doing their job. It's about making sure that the police follows the law while they do their jobs. I'll give you an example: in a case decided in 2001, the Supreme Court decided that law enforcement can't use forward looking infrared to peer through walls, unless law enforcement gets a warrant first. More recently, a federal appeals court noted that the warrantless use of handheld radar to look into a house was likely in violation of the Fourth Amendment. No one is saying that law enforcement can't use these technologies--only that they follow the Constitution (which here means getting a warrant) when they do.

As I said, our position in Raynor wasn't about keeping the police from doing their jobs. It's about exactly the opposite--making sure the police do their jobs, and get a warrant, before searching us unreasonably or seizing our property.

 

[RaNdOmReDnEcK]

no way look thru walls?? handheld radar to look into houses??? i guess DRONES are not out of the question then. I guess the other half of the question would be how do you protect yourself from such technology??? Aluminum foil???

 

[crooked windows]

We all know that every bit of electronic communication is being recorded by someone, somewhere, so what would be wrong with feeding them garbage say once a day?. just throw in the occasional trigger word during every ph call and txt and let the misinformation pile up.

 

[AndrewFreedman]

[
P.S. Thanks for ban hammering me from the site. For an AMA, there sure are a lot of rules.

-Long time EFF supporter

Just for the record, the EFF didn't delete or ban anything. You broke community policies on the Tom's Community. The EFF requested we restore your question.

 

[keepit100]

As I'm sure you know, the EFF is asking the Supreme Court to hear arguments about whether police should be allowed to collect certain kinds of DNA without a warrant.

"As human beings, we shed hundreds of thousands of skin and hair cells daily, with each cell containing information about who we are, where we come from, and who we will be," EFF Senior Staff Attorney Jennifer Lynch said. (source: https://www.eff.org/press/releases/eff-supreme-court-fourth-amendment-covers-dna-collection)

I'm all for not being in a database of DNA at my local police department, but I also don't worry about them collecting my toenail clippings. Should I? At what point is preventing DNA checks keeping police from doing their job?

This Raynor case seems quite specific, and I agree that lack of consent is lack of consent. But how do we expect the police to do their job, say, looking at crime scenes for hair and fingerprints if this goes through?

Hi Larry (can I call you Larry?),

Unfortunately, the Supreme Court just decided not to take the Raynor case, so we're not going to get their opinion.

But this isn't about keeping the police from doing their job. It's about making sure that the police follows the law while they do their jobs. I'll give you an example: in a case decided in 2001, the Supreme Court decided that law enforcement can't use forward looking infrared to peer through walls, unless law enforcement gets a warrant first. More recently, a federal appeals court noted that the warrantless use of handheld radar to look into a house was likely in violation of the Fourth Amendment. No one is saying that law enforcement can't use these technologies--only that they follow the Constitution (which here means getting a warrant) when they do.

As I said, our position in Raynor wasn't about keeping the police from doing their jobs. It's about exactly the opposite--making sure the police do their jobs, and get a warrant, before searching us unreasonably or seizing our property.

Not my name, but sure, call me Larry! (Glad you got the reference!)

That radar and infrared thing sounds spooky, so you have me convinced. My question was aimed more at a crime scene, though I suppose I don't want the police rubbing my doorknob for prints without asking!

Thanks!

 

[skipper_2]

I'll be frank... you guys come off as really, really liberal (perhaps the EFF considers itself libertarian?). I doubt you guys have an official affiliation, but that's how you come across.

Does that make it difficult to work with young Republicans, who are often some of the most knowledgeable about new technologies? How do you work with everyone on an advocate, activist, and legal level when you appear to be so established on one side of the aisle?

 

[JGillula]

We all know that every bit of electronic communication is being recorded by someone, somewhere, so what would be wrong with feeding them garbage say once a day?. just throw in the occasional trigger word during every ph call and txt and let the misinformation pile up.

Strategies like this have been attempted, and while they might work for automated tracking (e.g. targeted advertising profiles), they certainly wouldn't work against surveillance by a human (e.g. if law enforcement wanted to learn something about you specifically from your online communications). It's also tough to make this work even against automated tracking, because you're trying to mask something potentially unique (your actual communications) with something that's supposed to be generic (the garbage). It's tricky (when it's even possible) to find the balance.

 

[trilldriselba]

If I want to use tools like Tor or HTTPS Everywhere, I have to go download them from my current browser. Will going to those sites and downloading/installing those tools increase my risk for being spied on? How about those on my network (especially if they don't use the tools)?

 

[AndrewFreedman]

Hey all - The EFF is on the West Coast, so we're going to extend their time to 1:30 p.m. EST in order to give them time to answer all of your questions.

 

[turkey3_scratch]

What are your thoughts on the lack of technological education in many countries, particularly America? Do you think that if America was more technologically and cyber-security educated like Britain and had computer science as a required curriculum course, people would be more knowledgeable in seeing their own vulnerabilities and less susceptible to attacks, viruses, and phishing on their local devices, as well as troubleshooting how to fix these problems?

 

[jcbeff]

What are your thoughts on the lack of technological education in many countries, particularly America? Do you think that if America was more technologically and cyber-security educated like Britain and had computer science as a required curriculum course, people would be more knowledgeable in seeing their own vulnerabilities and less susceptible to attacks, viruses, and phishing on their local devices, as well as troubleshooting how to fix these problems?

I was educated in the both the UK and US systems (Bachelors and Masters degrees in the US and PhD in the UK). I don't think the UK has achieved a dramatically higher rate of education of computer science or tech. There's lots of room for improvement in both countries and around the world! Unfortunately school curriculums change very slowly, particularly at the lower levels of education, but we're starting to see some schools integrate computer science teaching at an earlier age.

In any case though as a technologist, I think it's important to focus on fixing tech and not fixing people. Cars have gotten much safer to drive without teaching everybody how antilock brakes work. Most of the problems you mentioned (viruses, phishing) can be improved technologically. Indeed there really has been dramatic progress on phishing in the past 5 years with automatic phishing blacklists, it hasn't been widely heralded but the problem has slowly declined in significance. And both Android and iOS have been, on the whole, less susceptible to viruses than Windows (newer versions of Windows have improved as well).

So I think universal computer science education is critically important-computers are too important in the world and it's valuable that everybody understands them on a basic level. But specifically for security problems, I think it's not particularly helpful to blame ignorant users when we have a long ways to go improving the technology.

 

[trilldriselba]

Is cyberwar an upcoming issue? Russia? China? Iran? North Korea? Is our data going to be the casualties in the next war games?

 

[natecardozo]

As I'm sure you know, the EFF is asking the Supreme Court to hear arguments about whether police should be allowed to collect certain kinds of DNA without a warrant.

"As human beings, we shed hundreds of thousands of skin and hair cells daily, with each cell containing information about who we are, where we come from, and who we will be," EFF Senior Staff Attorney Jennifer Lynch said. (source: https://www.eff.org/press/releases/eff-supreme-court-fourth-amendment-covers-dna-collection)

I'm all for not being in a database of DNA at my local police department, but I also don't worry about them collecting my toenail clippings. Should I? At what point is preventing DNA checks keeping police from doing their job?

This Raynor case seems quite specific, and I agree that lack of consent is lack of consent. But how do we expect the police to do their job, say, looking at crime scenes for hair and fingerprints if this goes through?

Hi Larry (can I call you Larry?),

Unfortunately, the Supreme Court just decided not to take the Raynor case, so we're not going to get their opinion.

But this isn't about keeping the police from doing their job. It's about making sure that the police follows the law while they do their jobs. I'll give you an example: in a case decided in 2001, the Supreme Court decided that law enforcement can't use forward looking infrared to peer through walls, unless law enforcement gets a warrant first. More recently, a federal appeals court noted that the warrantless use of handheld radar to look into a house was likely in violation of the Fourth Amendment. No one is saying that law enforcement can't use these technologies--only that they follow the Constitution (which here means getting a warrant) when they do.

As I said, our position in Raynor wasn't about keeping the police from doing their jobs. It's about exactly the opposite--making sure the police do their jobs, and get a warrant, before searching us unreasonably or seizing our property.

Not my name, but sure, call me Larry! (Glad you got the reference!)

That radar and infrared thing sounds spooky, so you have me convinced. My question was aimed more at a crime scene, though I suppose I don't want the police rubbing my doorknob for prints without asking!

Thanks!

In a crime scene context, assuming the police are legally there in the first place, I don't think anyone would argue that they couldn't collect shed DNA. In any case, back to your original question: should you worry about your DNA getting into a police database? I'd argue that unless you've been convicted of a crime (or according to some courts, simply arrested for certain types of crimes), it would likely be illegal for the police to collect and store your DNA data.