Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/508 Thanks!

[00:00:09] Even before the Congress, I did not know what the Wassenaar Arrangement is, and, I don't know, it's an international treaty that has some security implications for us, and all about that will now be told to you by Walter, Nate Cardozo, Meredith Patterson and Richard Tynan. A warm welcome.

[00:00:44] Just to introduce us briefly: Nate, at my far right, is with the Electronic Frontier Foundation, which probably doesn't need any further introduction. Meredith is mostly responsible for the language security, what I call the cult, but apparently it's nicer to call it otherwise. Richard is the chief technologist with Privacy International, which probably does not need much further introduction as well. I'm just a loudmouth moderator of the panel and have been helping out a bit.
[00:01:17] Like me, in Brussels, focusing on behalf of those involved in this policy area, trying to make things less wrong on this topic. And basically what we will briefly do is discuss, well, what the hell is Wassenaar to begin with? How much of a problem is it for the IT security community, and how we came here and go through this? And basically, we were actually not supposed to have a panel to begin with on the program, and for that reason we will open up the floor to questions from the audience in about 10 minutes or so. So start thinking about some questions to the panelists, because it will be kind of partially a conversational stage, but also a conversation with this, well, not necessarily intimate room, but hopefully it will be a good conversation anyway.

[00:02:14] So Wassenaar, what is it? It's a very posh suburb of The Hague, the Netherlands; the king of the Netherlands lives there, in places like you see on screen.
[00:02:25] It's also a framework between most of the industrialized nations on export controls and weapons technology, mostly conventional weapons, and signatories range from basically all the NATO members plus Russia. Yeah, most of the former Warsaw Pact countries are also signatories to Wassenaar, and it is actually technically not a treaty, but has a lower-standing status in international law. And what it does is it sets policies on conventional weapons as well as dual-use goods.

[00:03:07] And so until December 2013, that didn't touch much upon IT security issues, apart from crypto, a remnant of the past crypto wars, which are reheating again. But in December 2013, two elements were introduced as dual-use technologies, and the first one is surveillance technology, and the second one is called intrusion software.
[00:03:36] And to give you an idea of the definitions of these two, this is the definition of surveillance systems: basically, anything that can intercept, I think it's carrier-grade IP networks, and can target specific selectors. I'm bringing up this definition not because it's such an enjoyable definition to read, but, from my perspective as someone who's interested in the intersection of policy, law and technology, it's very fascinating that this idea of having surveillance technology considered a weapons-like technology that is worthy of regulation, because we don't want to have it fall into the wrong hands, like extreme regimes, etc. (I'm not against that process), has very funny exceptions made in surveillance technology. Because if it's for a marketing purpose or for quality of service or quality of experience, whatever that may be, then all of a sudden it's not deemed to fall under these export regulations. And...
[00:04:51] Conversely, that's the definition of intrusion software, any of the following: extraction of data or information from a computer or network-capable device, or modification of system or user data; or the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions. I'm not a techie, but having JavaScript sent from an HTTP server to a browser, does that not alter the execution path of the browser? I think it does. And this may be a bit of a broad definition. And to give you an idea why we brought this up now: this arrangement will be translated into legislation in the signatory countries, and I cannot really speak for the other side; that will briefly be done by Nate.
[00:05:52] When I'm finished talking about the European side: in the European Union you have a regulation that basically copies the list of covered technologies from the Wassenaar Arrangement and says if you want to export any of this stuff, you must apply for an export permit in your member state. And the member states have done some additional rules on that. The country I'm from, the Netherlands, appears to have a royal decree saying thou shalt not export any of the stuff on the list in the regulation, basically meaning what's in the Wassenaar Arrangement, and otherwise you will be punishable by law. That particular European regulation is up for review, and that review will also include the updates that have been made in the meantime to the Wassenaar Arrangement; the current EU regulation on this topic is from 2009 and there have been about yearly updates of the Wassenaar Arrangement.
[00:06:48] So in the upcoming two years there will be a new European regulation that may or may not affect your ability as an IT security expert from Europe to travel to China. We don't even know what the Commission actually will be doing on this topic, but we do know what is happening on the other side of things. And for that, I turn to Nate.

[00:07:16] Thanks, Walter. So on the U.S. side, the Bureau of Industry and Security, which is a division of the Department of Commerce, is in charge of implementation of the Wassenaar Arrangement. In May of this year, the Department of Commerce released its proposed rule, its proposed implementation, and it was atrocious. It was a shock to pretty much everyone involved, and it caused an enormous amount of fear and uncertainty in the infosec community, both in the United States and abroad.
[00:07:53] Intrusion software is not actually controlled under the BIS implementation. Only technology and knowledge implementing intrusion software is controlled, as well as command and control systems for intrusion software. The problem is, under the United States' definitions of deemed exports (in the U.K. there's a similar concept of intangible knowledge transfer), simply talking about something like an exploit could be considered a deemed export and therefore controlled. So this is really, really, really bad. Another part of the U.S. implementation is, if any of this software contains cryptographic or cryptanalytic capability, the person applying for the export license must on demand turn over source code to the National Security Agency. And you can tell who put that little nugget into the U.S. implementation.
[00:08:58] So essentially what it means is that if you're a U.S. researcher... well, OK, so these rules haven't gone into effect in the United States, but if they do, what it will mean is, if you're a researcher in the United States or a United States person, so someone with citizenship or a green card, you have to dump all your photos to the NSA before you can talk about them to anyone else, even in private. That's problematic, to say the least. Also, what the regulations don't do: they don't actually stand in the way of someone like Hacking Team or FinFisher selling their stuff to Ethiopia, Bahrain or the Saudis; all you need to do is get a license. And as we could tell from the Hacking Team dump, getting a global export license under Wassenaar is relatively easy. So what do the regulations do? They make bug bounties, conferences and small teams working on defensive or offensive research next to impossible.
[00:10:00] They make distributing things like Metasploit or pen testing tools nearly impossible. And they create legal uncertainty for folks doing research on essentially anything interesting. If you could get a security paper accepted here at CCC, it would not be exportable under Wassenaar. That's, of course, a gross oversimplification. I began my journey into Wassenaar when the BIS released its proposed rule. I was not closely following Wassenaar in 2013, when the intrusion software and network surveillance definitions were entered. I can speak only for myself, but I regret that fact.

[00:10:45] OK, OK. I'm going to have Meredith explain a little bit, from her perspective as an American living in Europe, how this may affect her life, but I will also announce that from now on, people who want to ask questions to the panelists should just walk to a microphone and go, from now on.
[00:11:05] The floor is open, basically. But Meredith.

[00:11:08] Yeah. So I'm originally from Texas, but I've been living in Belgium since 2009. So this actually makes me subject to both the U.S. and EU implementations of the Wassenaar Arrangement. The ones that, like Nate was just saying, the ones that are most relevant to me are the deemed export and intangible transfer regulations, which, I have to point out, I mean, those are things that the U.S. and the U.K. came up with. And I guess it was the U.K. that presented it to the EU, because intangible transfer was totally, you know, the topic of the day at one of the meetings in Brussels on the Wassenaar implementation that I went to. But what does intangible transfer mean in practical terms? Well, I mean, in practical terms, it means that if you have an idea in your head that qualifies as an export, you can't cross a border.
[00:12:06] And I don't know how they plan to enforce that.

[00:12:08] Oh, it's way worse than that. What it means... So I'll give a discussion, you know, I'll talk about it in practical terms. Open Whisper Systems is based in San Francisco. It produces Signal, TextSecure, all those lovely things that I have on my device so that I can talk to people here. And if there are people with multiple citizenships, even sitting around a conference table in San Francisco, speaking about it to someone without a U.S. citizenship is a deemed export. So you don't even have to cross a border. All you have to do is open your mouth to get into trouble with Wassenaar.

Yeah.
[00:12:47] And so I'm in a situation where, you know, because of the citizenship I have and the place I live, there are two different sets of regulations that can basically constrain me from traveling or from even talking to anybody, because I understand the general principle of how to construct exploits from differences in how input handlers parse things. That's obviously not the intended result of this. But, you know, it's only one of a lot of side effects that the people who wrote this language were clearly not thinking of when they wrote it.

[00:13:21] And that brings us... we have now invented a new class of thoughtcrime. And on that happy note, I would like to ask Richard how we got here.

[00:13:34] And I'd just follow on with the interesting bit: the intangible technology transfer and giving lectures on various things like that are problematic, even if you don't necessarily know who's in the room.
[00:13:49] If they are a foreign citizen, they can take it elsewhere. And there's also another problem: if you were to go to a company and potentially disclose some of this information in your own jurisdiction, but that company had many offices around the world, which most companies whose products we use in our everyday lives do, being based around the world, they may actually send on that information internally, which may also include crossing a border, to various other different teams so that the other teams could potentially fix the problem.
[00:14:22] In terms of the starting point for this, I guess it probably started back in 2010, 2011, where the goal was to limit the spread of tools like FinFisher, or tools with the capabilities of FinFisher, to regimes like Ethiopia and Morocco and various other different places where we see that technology being used in a very, very nasty manner against journalists and human rights defenders. And very often these countries, what we've seen is they wouldn't even have the technical capabilities to develop this stuff by themselves.
[00:15:03] And ironically, in one of the Hacking Team dumps, the guys were very, very concerned about a particular country's technical skills and their ability to use their tools; not that they wouldn't get what they wanted, but simply that just by screwing up the use of these tools they would actually reveal their use and potentially provide a sample or some material that techies could then use to counteract them. So that was, I guess, the starting point. And as I understand this, back at that time, Wassenaar was considered a very attractive target. You essentially lobby one organization, who can pitch text into the agreement, and if it's all agreed by default, you get up to 41 different states who would follow suit. Of course, as we've seen, the implementation, the text, the various things like that have not been ideal. In fact, far from ideal.
[00:16:06] And many of the... not only are the technical definitions not necessarily correct, but there's the lack of inclusion of factors such as the intention of the individuals when they're exporting this stuff. There's no distinction between an export for, for example, generating new Snort rules to detect malware that's on people's machines, or antivirus signatures, or potentially the disclosure of malware that represents an entire class of new type of attack, which would allow much more general safeguards to be put in place, like DEP or ASLR or those kinds of things. So the starting point, I think, was well intentioned, and the implementation, as we saw, has left a lot to be desired.
[00:17:00] And I think the question now is whether Wassenaar itself can capture the nuances of the problem to achieve the goal, but also to not screw things up royally for the entire Internet security and the very infrastructure that we rely on on a daily basis.

[00:17:21] But I do think we also have to look beyond the text of Wassenaar itself, because deemed export and intangible transfer were bolt-ons from, you know, from the U.S. and the U.K., so we have to look at the implementation and shepherd that through as well as the text.

[00:17:38] So I would say that... I totally agree with Richard in that the intention was good. But in my mind at least, trying to make a legalistic definition to separate good software, defensive stuff, from bad software, offensive stuff, is a fool's errand. The definitional problems overwhelm any possible benefit here.
[00:18:02] The chilling effect of a bad definition, which is exactly what we have, is worse than any of the possible benefits, especially because, you know, as one of the founders of EFF said in 1995 or 1996, the Net interprets censorship as damage and routes around it. Right? Software isn't magic. FinFisher and Hacking Team are barely more functional than VNC. I'm exaggerating, but you get the point. It's the service and support that actually matter, right? You can give Ethiopia FinFisher and the IT folk there won't know what to do with it without the service and support. And it's the service and support contracts that actually matter. So take that for what... software isn't weaponry, right? Software isn't guns. You can't control it in the same way that you can control the export of physical devices.
522 00:18:56,040 --> 00:18:58,439 So in 523 00:18:58,440 --> 00:19:00,149 my opinion, trying to fix the definitions 524 00:19:00,150 --> 00:19:03,149 in Wassenaar is, 525 00:19:03,150 --> 00:19:04,919 you know, I admire people who think they 526 00:19:04,920 --> 00:19:06,989 can do it, but I don't 527 00:19:06,990 --> 00:19:09,299 delude myself to think that I can do it. 528 00:19:09,300 --> 00:19:11,219 So I think we need to ditch intrusion 529 00:19:11,220 --> 00:19:12,689 software from Wassenaar altogether. 530 00:19:12,690 --> 00:19:14,430 OK, we have a first question from the room. 531 00:19:17,150 --> 00:19:19,369 So one important note 532 00:19:19,370 --> 00:19:21,529 for the Wassenaar is, and you haven't 533 00:19:21,530 --> 00:19:23,929 mentioned it yet, open source 534 00:19:23,930 --> 00:19:26,059 is exempt from Wassenaar. 535 00:19:26,060 --> 00:19:28,579 Well, so open source 536 00:19:28,580 --> 00:19:30,260 is sometimes kind of exempt. 537 00:19:31,850 --> 00:19:33,439 For the purpose of this 538 00:19:33,440 --> 00:19:35,269 discussion, there really is not a 539 00:19:35,270 --> 00:19:35,989 bright line. 540 00:19:35,990 --> 00:19:38,419 I tried very hard to get 541 00:19:38,420 --> 00:19:40,849 a public domain... OK, public domain 542 00:19:40,850 --> 00:19:42,529 is exempt, and that isn't the same as open 543 00:19:42,530 --> 00:19:43,129 source. 544 00:19:43,130 --> 00:19:45,259 So there's a slight problem, to 545 00:19:45,260 --> 00:19:47,479 interject here, right: by the way we 546 00:19:47,480 --> 00:19:49,819 interpret international 547 00:19:49,820 --> 00:19:52,129 treaties, per 548 00:19:52,130 --> 00:19:53,149 the Treaty of Vienna, 549 00:19:53,150 --> 00:19:54,859 you're supposed to use the common 550 00:19:54,860 --> 00:19:56,479 interpretation of words, unlike other 551 00:19:56,480 --> 00:19:58,189 legal documents which create their 552 00:19:58,190 --> 00:19:59,569 own reality.
553 00:19:59,570 --> 00:20:01,759 So public domain is no longer 554 00:20:01,760 --> 00:20:04,339 necessarily a copyright thing. 555 00:20:04,340 --> 00:20:05,899 There's two problems. 556 00:20:05,900 --> 00:20:07,279 The Wassenaar Arrangement is not a formal 557 00:20:07,280 --> 00:20:08,869 treaty, so I don't actually know how 558 00:20:08,870 --> 00:20:09,870 to interpret it. 559 00:20:10,750 --> 00:20:12,049 The second problem is I've been looking 560 00:20:12,050 --> 00:20:13,499 for exemptions like that as well. 561 00:20:13,500 --> 00:20:15,649 I'm nowhere near as much of an expert as 562 00:20:15,650 --> 00:20:16,579 the other people 563 00:20:16,580 --> 00:20:18,649 at this table are. But there are much 564 00:20:18,650 --> 00:20:20,809 clearer exemptions for, let's say, 565 00:20:20,810 --> 00:20:22,909 open source or source 566 00:20:22,910 --> 00:20:25,369 availability for the crypto bits, 567 00:20:25,370 --> 00:20:27,439 but less so for this. 568 00:20:27,440 --> 00:20:29,599 And I would just add to that that, 569 00:20:29,600 --> 00:20:31,819 while, yes, in the text 570 00:20:31,820 --> 00:20:33,439 on open software, the general 571 00:20:33,440 --> 00:20:35,029 technology notes and general software 572 00:20:35,030 --> 00:20:37,399 notes, open 573 00:20:37,400 --> 00:20:38,989 source software, as I understand it, 574 00:20:38,990 --> 00:20:41,269 isn't always open source, 575 00:20:41,270 --> 00:20:43,639 at least in the initial embryonic 576 00:20:43,640 --> 00:20:44,509 stages. 577 00:20:44,510 --> 00:20:46,579 And while, yes, it may become open 578 00:20:46,580 --> 00:20:49,099 source later on and it may become 579 00:20:49,100 --> 00:20:51,319 public domain later on, while 580 00:20:51,320 --> 00:20:53,689 it's sitting on the laptop of a developer 581 00:20:53,690 --> 00:20:56,059 who has yet to commit their changes 582 00:20:56,060 --> 00:20:58,279 into a repository 583 00:20:58,280 --> 00:21:00,229 that is open source.
584 00:21:00,230 --> 00:21:01,849 To the best of my understanding, that is 585 00:21:01,850 --> 00:21:04,279 still not public domain information, 586 00:21:04,280 --> 00:21:05,599 that is still information that 587 00:21:05,600 --> 00:21:07,339 resides on the laptop of the individual 588 00:21:07,340 --> 00:21:09,799 or individuals who are 589 00:21:09,800 --> 00:21:11,359 creating the next version of the 590 00:21:11,360 --> 00:21:13,139 particular open source software. 591 00:21:13,140 --> 00:21:15,259 And this 592 00:21:15,260 --> 00:21:17,299 regime may limit the ability of those 593 00:21:17,300 --> 00:21:18,919 individuals to communicate 594 00:21:18,920 --> 00:21:21,199 in the formation 595 00:21:21,200 --> 00:21:23,389 of the next, 596 00:21:23,390 --> 00:21:25,009 the better improvements to the open 597 00:21:25,010 --> 00:21:25,969 source software. 598 00:21:25,970 --> 00:21:28,099 And so even things like, we've 599 00:21:28,100 --> 00:21:29,629 had very conflicting statements from 600 00:21:29,630 --> 00:21:31,249 government saying things along the lines 601 00:21:31,250 --> 00:21:33,409 of, well, if you're 602 00:21:33,410 --> 00:21:35,539 working on something and 603 00:21:35,540 --> 00:21:37,639 you intend to present it at a conference 604 00:21:37,640 --> 00:21:39,859 at some time in the future, well, then 605 00:21:39,860 --> 00:21:41,689 maybe it's open source. 606 00:21:41,690 --> 00:21:43,819 But how are we supposed 607 00:21:43,820 --> 00:21:45,019 to prove that? How are we supposed to 608 00:21:45,020 --> 00:21:47,359 demonstrate that when we're working on 609 00:21:47,360 --> 00:21:49,429 bits of code and bits of technology, 610 00:21:49,430 --> 00:21:50,839 not all of them are going to work. 611 00:21:50,840 --> 00:21:52,219 Some of them are never going to see the 612 00:21:52,220 --> 00:21:54,559 light of day.
And it's a thought process 613 00:21:54,560 --> 00:21:56,899 before things become open source or before 614 00:21:56,900 --> 00:21:58,699 things become in the public domain that 615 00:21:58,700 --> 00:22:00,469 can actually limit the ability for 616 00:22:00,470 --> 00:22:02,029 people to conduct their work. 617 00:22:02,030 --> 00:22:03,889 And to make matters worse, the general 618 00:22:03,890 --> 00:22:05,329 software note, which is what Richard was 619 00:22:05,330 --> 00:22:07,399 discussing, is not included 620 00:22:07,400 --> 00:22:09,229 in all of the national implementations, 621 00:22:09,230 --> 00:22:11,779 including the biggest implementation. 622 00:22:11,780 --> 00:22:14,059 The biggest implementation specifically 623 00:22:14,060 --> 00:22:15,739 exempts the general software note 624 00:22:15,740 --> 00:22:16,769 exemption. 625 00:22:16,770 --> 00:22:17,949 Right. 626 00:22:17,950 --> 00:22:19,789 There's now a question on the left. 627 00:22:21,510 --> 00:22:23,609 So I want to share 628 00:22:23,610 --> 00:22:25,619 an experience I had there in dealing with 629 00:22:25,620 --> 00:22:27,749 the senator for voice encryption and 630 00:22:27,750 --> 00:22:30,149 how it may be related with that, 631 00:22:30,150 --> 00:22:32,369 for export of strong 632 00:22:32,370 --> 00:22:34,829 encryption products that have a 633 00:22:34,830 --> 00:22:37,259 precise specification, whether 634 00:22:37,260 --> 00:22:39,299 it fits in the category of mass 635 00:22:39,300 --> 00:22:41,369 encryption tools or whether it's 636 00:22:41,370 --> 00:22:43,169 subject to export control.
637 00:22:43,170 --> 00:22:45,389 And it'll dictate a very 638 00:22:45,390 --> 00:22:47,519 precise rule, like 639 00:22:48,660 --> 00:22:50,849 if the end user is 640 00:22:50,850 --> 00:22:53,669 able to change the encryption algorithm, 641 00:22:53,670 --> 00:22:56,129 if the end user can acquire it 642 00:22:56,130 --> 00:22:58,649 directly and 643 00:22:58,650 --> 00:23:01,139 can install it without any substantial 644 00:23:01,140 --> 00:23:03,149 support from the manufacturer. 645 00:23:03,150 --> 00:23:05,519 And those are specific kinds 646 00:23:05,520 --> 00:23:08,339 of details related 647 00:23:08,340 --> 00:23:11,099 to the way of deploying 648 00:23:11,100 --> 00:23:13,709 and the purpose of 649 00:23:13,710 --> 00:23:16,349 the technology for voice encryption, 650 00:23:16,350 --> 00:23:18,569 for strong encryption subject 651 00:23:18,570 --> 00:23:20,759 to export. So I'm wondering 652 00:23:20,760 --> 00:23:22,979 if it would not be useful 653 00:23:22,980 --> 00:23:25,529 to think and propose, 654 00:23:25,530 --> 00:23:27,659 from a policy standpoint, a set 655 00:23:27,660 --> 00:23:29,999 of rules that create the boundaries 656 00:23:30,000 --> 00:23:32,609 of what should be subject to 657 00:23:32,610 --> 00:23:34,829 regulation and what will not be subject, 658 00:23:34,830 --> 00:23:37,079 exactly like strong encryption 659 00:23:37,080 --> 00:23:39,209 is already in the provisions of 660 00:23:39,210 --> 00:23:40,319 the Wassenaar Arrangement. 661 00:23:40,320 --> 00:23:41,879 What I would say is that it is very, 662 00:23:41,880 --> 00:23:44,309 very difficult to look at 663 00:23:44,310 --> 00:23:46,409 a specific piece of software, just the 664 00:23:46,410 --> 00:23:48,479 ones and zeros, and make a 665 00:23:48,480 --> 00:23:50,369 determination on that basis.
666 00:23:50,370 --> 00:23:52,499 And so without the ability 667 00:23:52,500 --> 00:23:54,719 for an agreement such 668 00:23:54,720 --> 00:23:57,059 as this, or a regime, to achieve 669 00:23:57,060 --> 00:23:58,829 the stated objectives that I said at the 670 00:23:58,830 --> 00:24:01,379 start, it can capture things like 671 00:24:01,380 --> 00:24:02,999 what you just said about the 672 00:24:03,000 --> 00:24:05,099 intent of the individual who's going 673 00:24:05,100 --> 00:24:07,199 to receive it or what they 674 00:24:07,200 --> 00:24:08,819 could do with it. 675 00:24:08,820 --> 00:24:10,889 And that was expressly... that 676 00:24:10,890 --> 00:24:13,019 wasn't included in the intrusion software 677 00:24:13,020 --> 00:24:15,189 definition or any of the exemptions 678 00:24:15,190 --> 00:24:17,249 in Wassenaar, as it was, 679 00:24:17,250 --> 00:24:19,140 under transposing legislation into the. 680 00:24:20,720 --> 00:24:22,919 It's also not always obvious 681 00:24:22,920 --> 00:24:25,139 on its face what a piece of software 682 00:24:25,140 --> 00:24:27,329 actually does. If you've ever looked 683 00:24:27,330 --> 00:24:29,369 at the Underhanded C Contest, there are 684 00:24:29,370 --> 00:24:30,809 a lot of examples of software that 685 00:24:30,810 --> 00:24:32,609 appears to do one thing but actually does 686 00:24:32,610 --> 00:24:34,169 something else. 687 00:24:34,170 --> 00:24:35,459 I mean, I don't think we've 688 00:24:35,460 --> 00:24:37,079 seen this as an export controls dodge 689 00:24:37,080 --> 00:24:39,359 yet, but it's certainly possible. 690 00:24:39,360 --> 00:24:39,569 691 00:24:39,570 --> 00:24:41,729 And just to pile on on 692 00:24:41,730 --> 00:24:43,919 the crypto front, you know, 693 00:24:43,920 --> 00:24:45,779 it has long been EFF's position that 694 00:24:45,780 --> 00:24:48,329 crypto should not be export regulated 695 00:24:48,330 --> 00:24:51,299 at all in the United States.
696 00:24:51,300 --> 00:24:53,459 We have... there's 697 00:24:53,460 --> 00:24:55,589 very little regulation on 698 00:24:55,590 --> 00:24:56,729 publicly available crypto. 699 00:24:56,730 --> 00:24:58,379 So open source crypto. 700 00:24:58,380 --> 00:25:00,509 All you have to do is notify the NSA that 701 00:25:00,510 --> 00:25:01,619 you're putting it online. You don't 702 00:25:01,620 --> 00:25:03,369 actually have to ask for permission. 703 00:25:03,370 --> 00:25:04,789 Most people don't even do that, and 704 00:25:04,790 --> 00:25:06,029 hopefully unenforced as far as I'm 705 00:25:06,030 --> 00:25:06,539 concerned. 706 00:25:06,540 --> 00:25:08,879 And following on from Meredith's point, 707 00:25:08,880 --> 00:25:10,169 there's a very interesting 708 00:25:10,170 --> 00:25:12,119 competition that's held every year. 709 00:25:12,120 --> 00:25:14,489 And I think it's based on a Linux 710 00:25:14,490 --> 00:25:17,129 vulnerability that was found 711 00:25:17,130 --> 00:25:19,289 a few years ago where a semicolon was 712 00:25:19,290 --> 00:25:20,189 inserted. 713 00:25:20,190 --> 00:25:22,679 And that, to any cursory 714 00:25:22,680 --> 00:25:25,199 reading of the code, 715 00:25:25,200 --> 00:25:27,419 might indicate that things were hunky 716 00:25:27,420 --> 00:25:29,519 dory. But in reality, what it allowed 717 00:25:29,520 --> 00:25:31,769 was basically anybody 718 00:25:31,770 --> 00:25:33,059 to gain root on the box. 719 00:25:33,060 --> 00:25:35,579 And it was all in there in 720 00:25:35,580 --> 00:25:36,479 the open source. And there's a 721 00:25:36,480 --> 00:25:38,519 competition each year to find new and 722 00:25:38,520 --> 00:25:40,709 innovative ways to 723 00:25:40,710 --> 00:25:42,899 hide in plain sight, essentially, 724 00:25:42,900 --> 00:25:45,119 issues with software 725 00:25:45,120 --> 00:25:46,829 that just a cursory analysis may not 726 00:25:46,830 --> 00:25:49,139 actually reveal.
727 00:25:49,140 --> 00:25:50,999 There are several people who want to ask 728 00:25:51,000 --> 00:25:52,769 questions over there. 729 00:25:52,770 --> 00:25:55,019 OK, so first off, thank 730 00:25:55,020 --> 00:25:56,189 you so much for this panel. 731 00:25:56,190 --> 00:25:57,389 It's been very informative. 732 00:25:57,390 --> 00:25:59,549 I have two questions that are really 733 00:25:59,550 --> 00:26:01,169 tightly related. 734 00:26:01,170 --> 00:26:04,079 The first one is coming from a 735 00:26:04,080 --> 00:26:05,969 basic knowledge of policy standpoint. 736 00:26:05,970 --> 00:26:08,069 It seems that if you have an agreement 737 00:26:08,070 --> 00:26:09,599 that was presented at the end, there was 738 00:26:09,600 --> 00:26:11,639 probably a chain of events like meetings 739 00:26:11,640 --> 00:26:13,739 and so on that led to the formation 740 00:26:13,740 --> 00:26:15,239 of that agreement. And I'm curious, is it 741 00:26:15,240 --> 00:26:16,769 possible to go through the meeting notes 742 00:26:16,770 --> 00:26:19,079 and infer who introduced these terms and 743 00:26:19,080 --> 00:26:21,329 what the context of the discussions 744 00:26:21,330 --> 00:26:23,489 were? The second question that I have: 745 00:26:23,490 --> 00:26:25,619 how have these kinds 746 00:26:25,620 --> 00:26:27,749 of agreements actually been enforced 747 00:26:27,750 --> 00:26:28,649 in the past? 748 00:26:28,650 --> 00:26:30,659 Because if this was introduced in 2009, I 749 00:26:30,660 --> 00:26:32,129 assume that there were things before them, 750 00:26:32,130 --> 00:26:33,689 because cryptography is not a new thing. 751 00:26:34,920 --> 00:26:37,179 I think the first question is best 752 00:26:37,180 --> 00:26:38,219 for Richard. 753 00:26:38,220 --> 00:26:39,579 The second one... and I'd like to further 754 00:26:39,580 --> 00:26:41,100 note, I also want to note 755 00:26:42,180 --> 00:26:44,219 that we've been asking the questions.
756 00:26:44,220 --> 00:26:45,849 We are very thankful for your gratitude. 757 00:26:45,850 --> 00:26:48,029 But let's stick to the questions. 758 00:26:49,350 --> 00:26:51,869 So I guess the first time... 759 00:26:51,870 --> 00:26:53,999 and look, obviously, I may not 760 00:26:54,000 --> 00:26:56,099 be aware of the entire picture, 761 00:26:56,100 --> 00:26:57,100 but the first time 762 00:26:58,260 --> 00:26:59,969 Privacy International became aware of the 763 00:26:59,970 --> 00:27:03,109 text was almost 764 00:27:03,110 --> 00:27:05,309 days before it was 765 00:27:05,310 --> 00:27:07,649 actually completed. 766 00:27:07,650 --> 00:27:09,089 So to the best of our knowledge, there 767 00:27:09,090 --> 00:27:11,699 wasn't a consultation process. 768 00:27:11,700 --> 00:27:13,889 And it's almost a 769 00:27:13,890 --> 00:27:15,390 problem with the actual, 770 00:27:17,160 --> 00:27:18,989 I guess, the drafting process, that 771 00:27:18,990 --> 00:27:21,599 people were involved not only too late, 772 00:27:21,600 --> 00:27:23,759 but that the potential 773 00:27:23,760 --> 00:27:25,889 consequences were huge and they 774 00:27:25,890 --> 00:27:27,959 should have been involved at a very, very 775 00:27:27,960 --> 00:27:29,819 early stage. So we didn't have to get to 776 00:27:29,820 --> 00:27:32,009 this point that we're in now where 777 00:27:32,010 --> 00:27:34,199 the implications are very real.
778 00:27:34,200 --> 00:27:36,119 I think most will be aware of HP pulling 779 00:27:36,120 --> 00:27:38,609 out of the bug bounty contest 780 00:27:38,610 --> 00:27:40,979 during the year, simply 781 00:27:40,980 --> 00:27:43,139 because of the... maybe it was Microsoft, can't 782 00:27:43,140 --> 00:27:45,929 remember which company it was, 783 00:27:45,930 --> 00:27:47,999 because there were question 784 00:27:48,000 --> 00:27:49,319 marks over whether they could actually 785 00:27:49,320 --> 00:27:51,599 have people 786 00:27:51,600 --> 00:27:54,209 showing up and presenting bugs and zero-days 787 00:27:54,210 --> 00:27:55,169 and things like that. 788 00:27:55,170 --> 00:27:57,089 And what legal regime... did they need 789 00:27:57,090 --> 00:27:59,339 to get an export control license 790 00:27:59,340 --> 00:28:01,439 for every country and things like that? 791 00:28:01,440 --> 00:28:03,509 So there is tangible 792 00:28:03,510 --> 00:28:05,879 evidence that this stuff is stopping 793 00:28:05,880 --> 00:28:07,229 things. But as far as I'm aware, there 794 00:28:07,230 --> 00:28:09,419 was no consultation outside 795 00:28:09,420 --> 00:28:11,759 of governments who were drafting 796 00:28:11,760 --> 00:28:12,760 this. 797 00:28:14,990 --> 00:28:17,419 And so, to your second question, 798 00:28:17,420 --> 00:28:19,249 how are these sorts of agreements 799 00:28:19,250 --> 00:28:20,779 enforced? 800 00:28:20,780 --> 00:28:22,729 The answer... I can only answer, 801 00:28:22,730 --> 00:28:25,099 I'm a U.S. lawyer, I can only answer in 802 00:28:25,100 --> 00:28:26,209 U.S. terms. 803 00:28:26,210 --> 00:28:27,319 They're enforced by the Department of 804 00:28:27,320 --> 00:28:29,389 Commerce and they're enforced sort 805 00:28:29,390 --> 00:28:32,419 of very rarely and very selectively.
806 00:28:32,420 --> 00:28:34,819 So that would be a big problem in the EU, 807 00:28:34,820 --> 00:28:36,799 because selective enforcement is like, 808 00:28:36,800 --> 00:28:38,569 you're not allowed to do that in Belgium, 809 00:28:38,570 --> 00:28:40,729 and Belgium being Belgian, 810 00:28:42,710 --> 00:28:44,479 but that selective enforcement gives 811 00:28:44,480 --> 00:28:45,559 rise to a chilling effect. 812 00:28:45,560 --> 00:28:47,599 The mere possibility that it could be 813 00:28:47,600 --> 00:28:49,699 enforced is often sufficient to 814 00:28:49,700 --> 00:28:51,889 trigger the negative consequences 815 00:28:51,890 --> 00:28:53,419 that everybody, I think, here in the 816 00:28:53,420 --> 00:28:55,519 audience has, which is that you want 817 00:28:55,520 --> 00:28:57,679 people to engage actively in 818 00:28:57,680 --> 00:28:59,299 improving things and improving the 819 00:28:59,300 --> 00:29:00,619 software that we use. 820 00:29:00,620 --> 00:29:02,839 And that necessitates, in the modern age, 821 00:29:02,840 --> 00:29:04,189 the ability for people to collaborate 822 00:29:04,190 --> 00:29:05,329 across borders. 823 00:29:05,330 --> 00:29:07,430 And so I'm not necessarily sure whether 824 00:29:08,570 --> 00:29:11,059 the fact that it could be 825 00:29:11,060 --> 00:29:12,769 enforced, people could go to jail, which 826 00:29:12,770 --> 00:29:14,419 obviously is a disgrace, 827 00:29:14,420 --> 00:29:16,609 but 828 00:29:16,610 --> 00:29:18,589 the chilling effect on people 829 00:29:18,590 --> 00:29:19,969 actually engaging in this research in the 830 00:29:19,970 --> 00:29:21,529 first place: you don't want to be on the 831 00:29:21,530 --> 00:29:22,859 receiving end of enforcement. 832 00:29:22,860 --> 00:29:24,799 I mean, specifically the questions from 833 00:29:24,800 --> 00:29:25,800 the Internet. 834 00:29:26,670 --> 00:29:28,549 Yes, thank you.
I have a bunch of 835 00:29:28,550 --> 00:29:30,739 questions regarding open source 836 00:29:30,740 --> 00:29:32,809 again and 837 00:29:32,810 --> 00:29:35,089 determining what is the expected 838 00:29:35,090 --> 00:29:37,429 impact on projects like Metasploit. 839 00:29:37,430 --> 00:29:40,189 That's partly open source, and 840 00:29:40,190 --> 00:29:41,449 Linux. 841 00:29:41,450 --> 00:29:43,849 So Metasploit: 842 00:29:43,850 --> 00:29:46,189 the lawyers over at HackerOne, 843 00:29:47,390 --> 00:29:49,489 not HackerOne, at Rapid7, 844 00:29:49,490 --> 00:29:51,200 have determined that 845 00:29:52,340 --> 00:29:54,529 the open source Metasploit project 846 00:29:54,530 --> 00:29:55,999 and modules, 847 00:29:56,000 --> 00:29:58,009 there will be no impact on them. 848 00:29:58,010 --> 00:30:00,169 Metasploit Pro, however, 849 00:30:00,170 --> 00:30:03,259 is subject to the license. 850 00:30:03,260 --> 00:30:05,329 So Metasploit open 851 00:30:05,330 --> 00:30:07,159 source, just fine. 852 00:30:07,160 --> 00:30:10,039 Keep exporting, keep using, keep posting. 853 00:30:10,040 --> 00:30:11,330 Metasploit Pro 854 00:30:12,890 --> 00:30:15,049 is going to become a lot more expensive. 855 00:30:16,360 --> 00:30:17,979 And just another question from your 856 00:30:17,980 --> 00:30:19,270 backlog of Internet questions. 857 00:30:21,810 --> 00:30:23,879 Yes, this one question: what 858 00:30:23,880 --> 00:30:25,979 is the detailed problem, 859 00:30:25,980 --> 00:30:28,079 is it that exploits would be 860 00:30:28,080 --> 00:30:30,479 more open or is there also 861 00:30:30,480 --> 00:30:32,039 a financial aspect in this? 862 00:30:33,300 --> 00:30:35,429 Individuals would be criminally 863 00:30:35,430 --> 00:30:36,869 liable 864 00:30:38,820 --> 00:30:40,499 for having exploits, basically. 865 00:30:42,490 --> 00:30:44,049 Having them and crossing the borders.
866 00:30:45,340 --> 00:30:47,619 We're talking about exploits to foreign 867 00:30:47,620 --> 00:30:48,620 nationals. 868 00:30:52,920 --> 00:30:55,229 So 869 00:30:55,230 --> 00:30:57,359 I'm an academic from the United 870 00:30:57,360 --> 00:30:59,429 Kingdom, and I was 871 00:30:59,430 --> 00:31:00,749 wondering if you could comment on the 872 00:31:00,750 --> 00:31:02,969 possibilities of this affecting research, 873 00:31:02,970 --> 00:31:04,889 particularly I'm thinking of my own 874 00:31:04,890 --> 00:31:07,049 research, which would be classified under 875 00:31:07,050 --> 00:31:09,119 the very broad definition of 876 00:31:09,120 --> 00:31:10,679 surveillance. 877 00:31:10,680 --> 00:31:12,809 And a follow up question is, 878 00:31:12,810 --> 00:31:14,519 what about teaching? 879 00:31:14,520 --> 00:31:16,499 How am I expected to teach an 880 00:31:16,500 --> 00:31:18,539 international group of students in my 881 00:31:18,540 --> 00:31:19,540 university 882 00:31:20,790 --> 00:31:22,439 without an export license? 883 00:31:22,440 --> 00:31:24,209 I'm afraid you need an export license if 884 00:31:24,210 --> 00:31:25,649 you've got international students in 885 00:31:25,650 --> 00:31:27,419 there, because when you impart it, it would 886 00:31:27,420 --> 00:31:29,519 be deemed an intangible technology 887 00:31:29,520 --> 00:31:31,499 transfer, in the sense that the transfer 888 00:31:31,500 --> 00:31:33,119 actually occurs in the heads of your 889 00:31:33,120 --> 00:31:35,159 students when you've delivered that 890 00:31:35,160 --> 00:31:37,289 lecture and they go on to their 891 00:31:37,290 --> 00:31:38,939 countries. And that would be an 892 00:31:38,940 --> 00:31:41,309 intangible technology transfer. 893 00:31:41,310 --> 00:31:43,659 And it's really not clear, like 894 00:31:43,660 --> 00:31:46,049 they are not drawing clear lines 895 00:31:46,050 --> 00:31:47,969 about what kind of research.
896 00:31:47,970 --> 00:31:50,129 I mean, because politicians have 897 00:31:50,130 --> 00:31:52,349 been telling us to our faces, 898 00:31:52,350 --> 00:31:53,879 oh, researchers don't have anything to 899 00:31:53,880 --> 00:31:56,849 worry about, but they don't tell us why. 900 00:31:56,850 --> 00:31:58,859 And so when I ask, OK, 901 00:31:58,860 --> 00:32:01,259 well, why, for what reason 902 00:32:01,260 --> 00:32:03,749 do I not need to worry 903 00:32:03,750 --> 00:32:05,669 about intangible knowledge transfer? 904 00:32:05,670 --> 00:32:06,869 You know, I just sort of get patted on 905 00:32:06,870 --> 00:32:08,819 the head and they move on to the next 906 00:32:08,820 --> 00:32:10,409 question. 907 00:32:10,410 --> 00:32:13,199 Nobody really seems willing to clarify 908 00:32:13,200 --> 00:32:15,299 how this is going to affect, you know, 909 00:32:15,300 --> 00:32:16,919 how this is actually going to be brought 910 00:32:16,920 --> 00:32:18,719 down on research. 911 00:32:18,720 --> 00:32:19,889 With the exception of Australia. 912 00:32:19,890 --> 00:32:21,449 Australia apparently seems perfectly 913 00:32:21,450 --> 00:32:23,999 happy to just, like, shut off all crypto 914 00:32:24,000 --> 00:32:25,500 teaching in the entire country. 915 00:32:26,760 --> 00:32:28,079 But, you know, that's Australia. 916 00:32:29,100 --> 00:32:31,319 And we've already seen, and I'm now 917 00:32:31,320 --> 00:32:33,329 forgetting the gentleman's name, but 918 00:32:33,330 --> 00:32:35,009 we've already seen one doctoral 919 00:32:35,010 --> 00:32:37,679 dissertation heavily redacted 920 00:32:37,680 --> 00:32:40,829 by his committee in the UK 921 00:32:40,830 --> 00:32:42,299 because of Wassenaar. 922 00:32:42,300 --> 00:32:43,929 And that's fucked up. 923 00:32:43,930 --> 00:32:45,929 And incidents like that are going to 924 00:32:45,930 --> 00:32:47,579 produce continued chilling effects.
925 00:32:47,580 --> 00:32:49,379 Fewer people will get into research, 926 00:32:49,380 --> 00:32:50,459 because who wants to end up in a 927 00:32:50,460 --> 00:32:52,079 situation like that? 928 00:32:52,080 --> 00:32:54,419 Poor guy in the USA who 929 00:32:54,420 --> 00:32:57,509 did a geography PhD on 930 00:32:57,510 --> 00:32:59,339 maps of critical infrastructure; 931 00:32:59,340 --> 00:33:00,719 the Department of Homeland Security 932 00:33:00,720 --> 00:33:02,039 suppressed his thesis. 933 00:33:03,510 --> 00:33:04,979 If you don't get to graduate, that kind 934 00:33:04,980 --> 00:33:06,869 of wastes all that time you spent on 935 00:33:06,870 --> 00:33:07,649 a PhD. 936 00:33:07,650 --> 00:33:09,719 And so, like, that's fewer people 937 00:33:09,720 --> 00:33:11,549 will be coming into the field, and people 938 00:33:11,550 --> 00:33:13,559 who are already in the field are going 939 00:33:13,560 --> 00:33:16,229 to, you know, are going to have a lot of 940 00:33:16,230 --> 00:33:17,969 fear and worry about, you know, am I 941 00:33:17,970 --> 00:33:20,099 about to get busted for trying to 942 00:33:20,100 --> 00:33:21,599 publish a paper? 943 00:33:21,600 --> 00:33:23,399 And I'm also not sure what security 944 00:33:23,400 --> 00:33:24,599 research actually is, 945 00:33:24,600 --> 00:33:26,759 and when security research stops 946 00:33:26,760 --> 00:33:29,069 and ends. Are pen testers 947 00:33:29,070 --> 00:33:31,199 security researchers? Are people 948 00:33:31,200 --> 00:33:33,239 who go out and just tinker with software 949 00:33:33,240 --> 00:33:35,429 and, say, reverse engineer bits 950 00:33:35,430 --> 00:33:37,859 of code 951 00:33:37,860 --> 00:33:39,569 simply because that's what they like 952 00:33:39,570 --> 00:33:41,729 doing, where they're not affiliated to, 953 00:33:41,730 --> 00:33:43,169 say, an official university, are they 954 00:33:43,170 --> 00:33:45,509 covered?
And so many of the 955 00:33:45,510 --> 00:33:47,669 supposed protections 956 00:33:47,670 --> 00:33:49,979 or exemptions for things 957 00:33:49,980 --> 00:33:52,049 like academic material, 958 00:33:52,050 --> 00:33:54,359 it just doesn't make any sense 959 00:33:54,360 --> 00:33:56,459 to me what the 960 00:33:56,460 --> 00:33:58,109 definition of a security researcher is 961 00:33:58,110 --> 00:33:59,669 and whether it includes pen testers in 962 00:33:59,670 --> 00:34:01,829 their collaboration across borders to 963 00:34:01,830 --> 00:34:03,959 ensure that all their tools 964 00:34:03,960 --> 00:34:05,159 are as up-to-date as possible. 965 00:34:05,160 --> 00:34:06,749 And I'm in exactly that boat. 966 00:34:06,750 --> 00:34:08,789 I'm not affiliated with a university and 967 00:34:08,790 --> 00:34:10,559 I do not do security for my day job. 968 00:34:10,560 --> 00:34:13,468 I'm a bog-standard programmer at Nuance. 969 00:34:13,469 --> 00:34:15,029 All of the security stuff I do, I do in 970 00:34:15,030 --> 00:34:16,169 my copious free time. 971 00:34:16,170 --> 00:34:18,448 So I wouldn't even be protected 972 00:34:18,449 --> 00:34:20,698 by protections 973 00:34:20,699 --> 00:34:21,988 that only apply to academics. 974 00:34:21,989 --> 00:34:23,279 Well, luckily in the U.S., you don't have 975 00:34:23,280 --> 00:34:24,479 to worry about that because there is no 976 00:34:24,480 --> 00:34:25,769 security exemption. 977 00:34:25,770 --> 00:34:27,109 But this is in Brussels. 978 00:34:27,110 --> 00:34:28,799 You have maybe a very short follow up 979 00:34:28,800 --> 00:34:29,698 question here. 980 00:34:29,699 --> 00:34:32,729 Is there any chance to get out of here 981 00:34:32,730 --> 00:34:35,099 claiming that it's freedom of speech? 982 00:34:35,100 --> 00:34:37,169 So, these kinds 983 00:34:37,170 --> 00:34:39,209 of... all the academic area.
984 00:34:39,210 --> 00:34:41,428 So I can give you an answer from 985 00:34:41,429 --> 00:34:43,539 the European perspective; they 986 00:34:43,540 --> 00:34:45,359 may probably comment from the U.S. 987 00:34:45,360 --> 00:34:47,729 perspective. As 988 00:34:47,730 --> 00:34:50,279 a kind of groundwork for Darkspore: 989 00:34:50,280 --> 00:34:52,138 European countries don't even have a 990 00:34:52,139 --> 00:34:53,670 constitution, like the United Kingdom 991 00:34:55,020 --> 00:34:57,199 and other kinds of Beckwith's 992 00:34:57,200 --> 00:34:59,279 monomaniacal monarchies like 993 00:34:59,280 --> 00:35:00,809 the Netherlands and all that. 994 00:35:01,950 --> 00:35:04,049 The European Convention on Human Rights 995 00:35:04,050 --> 00:35:07,289 is kind of actually the EU constitution. 996 00:35:07,290 --> 00:35:09,689 Its Article Ten says that 997 00:35:09,690 --> 00:35:12,209 freedom of expression shouldn't be... I'm 998 00:35:12,210 --> 00:35:14,589 paraphrasing, I'm not a lawyer, but 999 00:35:14,590 --> 00:35:15,590 it will be... 1000 00:35:16,450 --> 00:35:18,549 shouldn't be subject to prior restraint, unless 1001 00:35:18,550 --> 00:35:20,649 by law and 1002 00:35:20,650 --> 00:35:22,329 proportionate to the public interest for 1003 00:35:22,330 --> 00:35:25,059 which the law is brought into being, so 1004 00:35:25,060 --> 00:35:27,489 there's no evidence 1005 00:35:27,490 --> 00:35:29,589 of that; you could or 1006 00:35:29,590 --> 00:35:30,609 could not have that. 1007 00:35:30,610 --> 00:35:32,229 We already do have the Cybercrime 1008 00:35:32,230 --> 00:35:34,419 Convention, which has equally 1009 00:35:34,420 --> 00:35:36,189 chilling, but not equally, but also 1010 00:35:36,190 --> 00:35:38,289 chilling effects, and security measures 1011 00:35:38,290 --> 00:35:40,149 that has never been challenged in that 1012 00:35:40,150 --> 00:35:42,239 court, as far as I'm aware.
1013 00:35:42,240 --> 00:35:43,240 So, 1014 00:35:44,440 --> 00:35:46,179 but it's a very good question, basically. 1015 00:35:46,180 --> 00:35:48,579 Can we fix this? 1016 00:35:48,580 --> 00:35:51,059 Nate covers 1017 00:35:51,060 --> 00:35:52,159 the First Amendment issues. 1018 00:35:52,160 --> 00:35:53,859 I'd like to move on to that, but. 1019 00:35:53,860 --> 00:35:55,719 Ah, thank you. I'll just follow on with 1020 00:35:55,720 --> 00:35:57,819 what was said: freedom of expression, 1021 00:35:57,820 --> 00:36:00,279 at least, as you said, in the UK, in the EU, 1022 00:36:00,280 --> 00:36:02,109 is what's called a qualified right, like 1023 00:36:02,110 --> 00:36:04,239 privacy is. And the qualification is 1024 00:36:04,240 --> 00:36:06,369 based on law. But many 1025 00:36:06,370 --> 00:36:09,489 times freedom of expression can 1026 00:36:09,490 --> 00:36:11,949 or can be compelled to yield to 1027 00:36:11,950 --> 00:36:13,879 privacy rights of individuals. 1028 00:36:13,880 --> 00:36:16,119 So, for example, would my doctor be able 1029 00:36:16,120 --> 00:36:18,459 to engage their freedom of expression 1030 00:36:18,460 --> 00:36:20,799 rights to breach confidentiality 1031 00:36:20,800 --> 00:36:21,789 and publish information? 1032 00:36:21,790 --> 00:36:23,709 And should I be able to prevent that from 1033 00:36:23,710 --> 00:36:24,129 happening? 1034 00:36:24,130 --> 00:36:27,189 So not only is there a 1035 00:36:27,190 --> 00:36:28,599 balancing act between freedom of 1036 00:36:28,600 --> 00:36:30,729 expression and the general 1037 00:36:30,730 --> 00:36:32,409 legal regime in a country, 1038 00:36:33,430 --> 00:36:35,019 freedom of expression and privacy very 1039 00:36:35,020 --> 00:36:37,519 often can collide 1040 00:36:37,520 --> 00:36:40,299 in the real world. 1041 00:36:40,300 --> 00:36:42,669 From a U.S.
legal perspective, if these 1042 00:36:42,670 --> 00:36:44,469 if the proposed implementation went into 1043 00:36:44,470 --> 00:36:46,539 effect, I 1044 00:36:46,540 --> 00:36:48,279 would love to take the case that would 1045 00:36:48,280 --> 00:36:49,280 bring it down. 1046 00:36:50,320 --> 00:36:52,539 One of the first major cases was 1047 00:36:52,540 --> 00:36:55,089 Bernstein, which you probably 1048 00:36:55,090 --> 00:36:57,759 know better as DJB 1049 00:36:57,760 --> 00:36:59,079 versus United States Department of 1050 00:36:59,080 --> 00:37:00,280 Justice. And we got 1051 00:37:01,480 --> 00:37:03,969 code declared as speech, which was 1052 00:37:03,970 --> 00:37:06,879 good, and we got 1053 00:37:06,880 --> 00:37:09,369 cryptography pulled out of the 1054 00:37:09,370 --> 00:37:11,619 United States munitions list and into 1055 00:37:11,620 --> 00:37:14,859 a much lower level of export control. 1056 00:37:14,860 --> 00:37:16,929 So I think that in 1057 00:37:16,930 --> 00:37:18,099 at least under U.S. 1058 00:37:18,100 --> 00:37:20,590 law, at least for open source software, 1059 00:37:21,640 --> 00:37:23,349 even if it wasn't publicly available, 1060 00:37:23,350 --> 00:37:24,969 even if it wasn't public domain, I think 1061 00:37:24,970 --> 00:37:27,789 you would have a very, very good argument 1062 00:37:27,790 --> 00:37:29,439 that the regulations would fail under the 1063 00:37:29,440 --> 00:37:30,339 First Amendment. 
1064 00:37:30,340 --> 00:37:32,079 And then there's another thing under the 1065 00:37:32,080 --> 00:37:34,629 under the United States Constitution, 1066 00:37:34,630 --> 00:37:37,119 which is if a criminal law 1067 00:37:37,120 --> 00:37:38,859 and all of these export controls are 1068 00:37:38,860 --> 00:37:41,409 criminal, is 1069 00:37:41,410 --> 00:37:43,539 not readily understandable by 1070 00:37:43,540 --> 00:37:45,639 a person of average education 1071 00:37:45,640 --> 00:37:47,799 and intelligence, then it 1072 00:37:47,800 --> 00:37:48,849 fails. 1073 00:37:48,850 --> 00:37:50,529 It's the doctrine is called void for 1074 00:37:50,530 --> 00:37:51,819 vagueness. 1075 00:37:51,820 --> 00:37:54,099 So I 1076 00:37:54,100 --> 00:37:56,169 would say that this would fail, as 1077 00:37:56,170 --> 00:37:58,269 would I'm not sure also about this 1078 00:37:58,270 --> 00:37:59,979 far from registering the church of the 1079 00:37:59,980 --> 00:38:01,869 weird machines as an actual church in the 1080 00:38:01,870 --> 00:38:03,489 United States, and then we get freedom of 1081 00:38:03,490 --> 00:38:05,109 religion into the mix. 1082 00:38:05,110 --> 00:38:06,279 Amen, brother. 1083 00:38:06,280 --> 00:38:07,419 Oh, please do. 1084 00:38:07,420 --> 00:38:10,059 So I must emphasize 1085 00:38:10,060 --> 00:38:11,529 that I am not aware of any European 1086 00:38:11,530 --> 00:38:13,419 jurisdiction that has such a lovely 1087 00:38:13,420 --> 00:38:15,549 concept as void for 1088 00:38:15,550 --> 00:38:18,489 vagueness. Yes, definitely. 1089 00:38:18,490 --> 00:38:20,559 No, I don't think any of the European 1090 00:38:20,560 --> 00:38:22,239 countries have such an exception. 1091 00:38:22,240 --> 00:38:23,829 Basically, if you don't understand the 1092 00:38:23,830 --> 00:38:25,959 law Selya problem, I blame 1093 00:38:25,960 --> 00:38:26,960 France. 
1094 00:38:28,090 --> 00:38:29,949 Well, yeah, let's not blame the French 1095 00:38:29,950 --> 00:38:30,939 for everything. 1096 00:38:30,940 --> 00:38:33,039 I assume there's some jurisdictions which 1097 00:38:33,040 --> 00:38:34,509 have the phrase that ignorance of the law 1098 00:38:34,510 --> 00:38:35,469 is no excuse. 1099 00:38:35,470 --> 00:38:37,479 Yeah. And I think that unfortunately 1100 00:38:37,480 --> 00:38:39,549 might be operative in in many of 1101 00:38:39,550 --> 00:38:40,550 those situations. 1102 00:38:42,480 --> 00:38:44,579 But since you're speaking, how 1103 00:38:44,580 --> 00:38:47,429 fixable is this and 1104 00:38:47,430 --> 00:38:49,619 also if we look at some of the the 1105 00:38:49,620 --> 00:38:52,619 objectives that were were set out 1106 00:38:52,620 --> 00:38:54,689 at the start in terms of the very 1107 00:38:54,690 --> 00:38:56,280 well-intentioned, very well 1108 00:38:57,570 --> 00:38:59,279 kind of, you know, there was a there was 1109 00:38:59,280 --> 00:39:01,649 a very bad problem there to be fixed. 1110 00:39:01,650 --> 00:39:02,969 There are a number of potential 1111 00:39:02,970 --> 00:39:04,949 shortcomings in Wassenaar itself, which I 1112 00:39:04,950 --> 00:39:07,409 think we need to look at addressing 1113 00:39:07,410 --> 00:39:10,169 and potentially saying, well, 1114 00:39:10,170 --> 00:39:12,519 if a tool or if a if a mechanism 1115 00:39:12,520 --> 00:39:14,609 that we're looking at isn't able 1116 00:39:14,610 --> 00:39:16,679 to capture the kind of 1117 00:39:16,680 --> 00:39:18,929 nuances of this problem that, 1118 00:39:18,930 --> 00:39:20,339 you know, we may need to look at at a 1119 00:39:20,340 --> 00:39:22,019 different mechanism. 
So some of the ones 1120 00:39:22,020 --> 00:39:24,119 that are are kind of open 1121 00:39:24,120 --> 00:39:26,999 questions is that that Wassenaar 1122 00:39:27,000 --> 00:39:28,499 obviously looks at everything on the 1123 00:39:28,500 --> 00:39:30,119 basis of the ones and zeros and not on 1124 00:39:30,120 --> 00:39:32,519 the intention, as we said before, 1125 00:39:32,520 --> 00:39:33,520 and. 1126 00:40:59,750 --> 00:41:02,569 In court on DJB's behalf, and 1127 00:41:02,570 --> 00:41:04,939 it was it was such a catch 22 1128 00:41:04,940 --> 00:41:07,029 for the Department of Commerce that 1129 00:41:07,030 --> 00:41:09,319 they eventually backed down completely 1130 00:41:09,320 --> 00:41:10,320 and thought that that 1131 00:41:11,380 --> 00:41:13,819 was going to 1132 00:41:13,820 --> 00:41:16,219 say, sorry, going to court 1133 00:41:16,220 --> 00:41:18,079 is something you do after the legislation 1134 00:41:18,080 --> 00:41:19,699 is passed that is clearly 1135 00:41:19,700 --> 00:41:21,079 unconstitutional or otherwise 1136 00:41:21,080 --> 00:41:22,699 contravening your fundamental rights. 1137 00:41:22,700 --> 00:41:24,049 We're both in the U.S. 1138 00:41:24,050 --> 00:41:25,729 and Europe in the position that the 1139 00:41:25,730 --> 00:41:27,949 pretty vague criteria of Wassenaar now have 1140 00:41:27,950 --> 00:41:30,169 to be transposed into more 1141 00:41:30,170 --> 00:41:31,309 concrete legislation. 1142 00:41:31,310 --> 00:41:33,559 And that process is still not 1143 00:41:33,560 --> 00:41:34,999 finished. And especially on the European 1144 00:41:35,000 --> 00:41:37,369 side, the only 1145 00:41:37,370 --> 00:41:39,259 tangible thing we have is a normal 1146 00:41:39,260 --> 00:41:41,869 legislative report by Marietje Schaake, 1147 00:41:41,870 --> 00:41:42,870 an MEP. 
1148 00:41:43,940 --> 00:41:46,429 And while the normal legislative 1149 00:41:46,430 --> 00:41:49,279 report has not been ideal, 1150 00:41:49,280 --> 00:41:51,229 she managed to get in amendments to 1151 00:41:51,230 --> 00:41:53,269 specifically acknowledge that this has 1152 00:41:53,270 --> 00:41:55,699 potential for a chilling effect on 1153 00:41:55,700 --> 00:41:57,849 research, although we inserted 1154 00:41:57,850 --> 00:42:00,019 a bona fide research that I regret 1155 00:42:00,020 --> 00:42:02,149 in hindsight, of course, 1156 00:42:02,150 --> 00:42:03,469 is probably not helpful either. 1157 00:42:05,000 --> 00:42:07,259 But at least 1158 00:42:07,260 --> 00:42:09,379 there is potential to 1159 00:42:09,380 --> 00:42:11,479 have a European implementation of 1160 00:42:11,480 --> 00:42:13,579 this bit in Wassenaar, which may 1161 00:42:13,580 --> 00:42:15,319 be revised within Wassenaar in the near 1162 00:42:15,320 --> 00:42:17,429 future, but also in European 1163 00:42:17,430 --> 00:42:19,789 implementation to make 1164 00:42:19,790 --> 00:42:21,169 this less bad. 1165 00:42:21,170 --> 00:42:22,400 But I'm not sure whether that's 1166 00:42:23,990 --> 00:42:25,730 how that will survive that process. 1167 00:42:27,050 --> 00:42:29,029 And that's the I mean, the most 1168 00:42:29,030 --> 00:42:31,339 frustrating thing about all of this to me 1169 00:42:31,340 --> 00:42:33,439 is that we keep finding ourselves 1170 00:42:33,440 --> 00:42:35,809 at daggers with people who are supposed 1171 00:42:35,810 --> 00:42:37,459 to be our allies, like we're supposed to 1172 00:42:37,460 --> 00:42:39,589 be on the same side as the 1173 00:42:39,590 --> 00:42:41,069 anti-surveillance people. 
1174 00:42:41,070 --> 00:42:43,159 But what's happened is well-meaning 1175 00:42:43,160 --> 00:42:45,169 anti-surveillance people who don't 1176 00:42:45,170 --> 00:42:47,749 understand the technical landscape 1177 00:42:47,750 --> 00:42:49,909 propose what sounds like a good 1178 00:42:49,910 --> 00:42:52,339 idea to them without ever 1179 00:42:52,340 --> 00:42:54,079 without ever actually asking technical 1180 00:42:54,080 --> 00:42:56,389 people. Then the NSA and GCHQ 1181 00:42:56,390 --> 00:42:58,489 get involved and they push 1182 00:42:58,490 --> 00:43:00,739 their agenda and the technical language 1183 00:43:00,740 --> 00:43:02,899 ends up constraining the people 1184 00:43:02,900 --> 00:43:04,729 who the surveillance, the anti- 1185 00:43:04,730 --> 00:43:05,899 surveillance people are supposed to be 1186 00:43:05,900 --> 00:43:06,829 allies with. 1187 00:43:06,830 --> 00:43:08,929 I mean, and then we 1188 00:43:08,930 --> 00:43:11,089 have to then it ends up being 1189 00:43:11,090 --> 00:43:13,519 our problem to massage people's 1190 00:43:13,520 --> 00:43:15,739 egos and get them to 1191 00:43:15,740 --> 00:43:17,719 go and find them a way to save face when 1192 00:43:17,720 --> 00:43:18,799 they're backing down. 1193 00:43:18,800 --> 00:43:20,569 And I'm sure I'm not very good at that 1194 00:43:20,570 --> 00:43:22,459 personally. Katie Moussouris did a 1195 00:43:22,460 --> 00:43:24,679 fantastic job of it 1196 00:43:24,680 --> 00:43:26,119 a couple of months ago. 1197 00:43:26,120 --> 00:43:28,699 But, you know, we're kind of an abrasive 1198 00:43:28,700 --> 00:43:30,499 tribe like, you know, being nice to 1199 00:43:30,500 --> 00:43:32,060 people is not really our job. 1200 00:43:33,580 --> 00:43:35,059 Well, maybe it is. 
1201 00:43:35,060 --> 00:43:36,060 But 1202 00:43:37,310 --> 00:43:39,379 still, I mean, it's extremely frustrating 1203 00:43:39,380 --> 00:43:40,939 to be put into this situation that we 1204 00:43:40,940 --> 00:43:42,559 didn't ask to be put into in the first 1205 00:43:42,560 --> 00:43:44,269 place. And so I'd also like to you know, 1206 00:43:44,270 --> 00:43:46,099 if we can get into, like, how can we 1207 00:43:46,100 --> 00:43:47,869 avoid this happening next time, that 1208 00:43:47,870 --> 00:43:49,189 would be real nice, too. 1209 00:43:49,190 --> 00:43:50,599 But we also didn't learn the mistakes 1210 00:43:50,600 --> 00:43:51,499 from the crypto wars. 1211 00:43:51,500 --> 00:43:53,749 So it's almost like this is the 1212 00:43:53,750 --> 00:43:55,969 problems that 1213 00:43:55,970 --> 00:43:57,499 happened back in the 90s seem to be 1214 00:43:57,500 --> 00:43:58,849 repeating themselves. 1215 00:43:58,850 --> 00:44:01,759 And the lessons that were learned then 1216 00:44:01,760 --> 00:44:04,669 seem to cyclically go out the window. 1217 00:44:04,670 --> 00:44:06,769 And unfortunately, I just 1218 00:44:06,770 --> 00:44:08,929 wonder what in ten years' time 1219 00:44:08,930 --> 00:44:10,309 they'll do next. 1220 00:44:12,410 --> 00:44:13,369 On Happy Now? 1221 00:44:13,370 --> 00:44:15,649 Oh, sorry to interrupt at that point, 1222 00:44:15,650 --> 00:44:17,119 please. First, the question from the 1223 00:44:17,120 --> 00:44:18,289 Internet. 1224 00:44:18,290 --> 00:44:19,290 Thank you. 1225 00:44:19,990 --> 00:44:22,069 The Internet wants to know: are defensive 1226 00:44:22,070 --> 00:44:23,989 technologies potentially going to be 1227 00:44:23,990 --> 00:44:26,459 restricted by this arrangement? 
1228 00:44:26,460 --> 00:44:28,249 One defensive technology that is not 1229 00:44:28,250 --> 00:44:31,069 simultaneously an attack technology 1230 00:44:31,070 --> 00:44:33,109 or in other words, and this is a quote, 1231 00:44:33,110 --> 00:44:34,819 will we end up with shitty everyday 1232 00:44:34,820 --> 00:44:37,949 security because things are not exported? 1233 00:44:37,950 --> 00:44:38,989 Yes. Yes. 1234 00:44:38,990 --> 00:44:40,849 That will happen if this gets implemented 1235 00:44:40,850 --> 00:44:41,719 the way it's been written. 1236 00:44:41,720 --> 00:44:44,029 So part of the problem is that the Wassenaar 1237 00:44:44,030 --> 00:44:45,769 arrangement definitions risk throwing 1238 00:44:45,770 --> 00:44:47,749 away the solution that it's trying to 1239 00:44:47,750 --> 00:44:49,879 solve, you know, harden 1240 00:44:49,880 --> 00:44:51,769 the endpoint, harden the server, harden 1241 00:44:51,770 --> 00:44:53,929 the pipes. The tools to do 1242 00:44:53,930 --> 00:44:56,119 all those things potentially get screwed 1243 00:44:56,120 --> 00:44:57,109 by Wassenaar. 1244 00:44:57,110 --> 00:44:58,879 Right. We want to get secure devices and 1245 00:44:58,880 --> 00:45:00,649 services into the hands of the folks who 1246 00:45:00,650 --> 00:45:01,650 need them. 1247 00:45:02,330 --> 00:45:04,609 And banning pen 1248 00:45:04,610 --> 00:45:06,679 testing tools is not the way to 1249 00:45:06,680 --> 00:45:07,680 do that. 1250 00:45:09,000 --> 00:45:10,000 Number one, please. 1251 00:45:11,040 --> 00:45:13,229 So one one, the insidious things 1252 00:45:13,230 --> 00:45:15,299 about ITAR 1253 00:45:15,300 --> 00:45:16,769 regulations, which the arms trafficking 1254 00:45:16,770 --> 00:45:18,839 regulations in the U.S., is that you are 1255 00:45:18,840 --> 00:45:21,029 also liable for whatever end users 1256 00:45:21,030 --> 00:45:23,130 of whatever you export is like. 
1257 00:45:25,360 --> 00:45:27,429 Use it for is there are similar 1258 00:45:27,430 --> 00:45:29,649 things in the implementation of the 1259 00:45:29,650 --> 00:45:31,989 like Wassenaar arrangement is just on the US 1260 00:45:31,990 --> 00:45:33,429 munitions list, or is it some 1261 00:45:33,430 --> 00:45:34,599 different? It is not. 1262 00:45:34,600 --> 00:45:35,529 It's not on the U.S. 1263 00:45:35,530 --> 00:45:37,779 munitions list. It's on the EAR rather 1264 00:45:37,780 --> 00:45:39,429 than ITAR, which is the Export 1265 00:45:39,430 --> 00:45:41,769 Administration Regulations list. 1266 00:45:41,770 --> 00:45:44,319 So you're not liable for end use 1267 00:45:44,320 --> 00:45:46,239 and user. You're only liable for the 1268 00:45:46,240 --> 00:45:47,769 export. 1269 00:45:47,770 --> 00:45:49,749 And I was in the U.S., I think one of the 1270 00:45:49,750 --> 00:45:51,939 problems that we're seeing is that 1271 00:45:51,940 --> 00:45:54,009 traditionally the kind 1272 00:45:54,010 --> 00:45:56,169 of technologies that 1273 00:45:56,170 --> 00:45:57,789 that the regulators have been used to 1274 00:45:57,790 --> 00:46:00,009 dealing with have been 1275 00:46:00,010 --> 00:46:02,379 either solely military goods or 1276 00:46:02,380 --> 00:46:04,179 so-called dual-use goods. 1277 00:46:04,180 --> 00:46:06,699 And I think one of the things that are 1278 00:46:06,700 --> 00:46:08,799 potentially this this falls into is 1279 00:46:08,800 --> 00:46:10,869 that there's actually another use 1280 00:46:10,870 --> 00:46:13,179 which is highly beneficial to 1281 00:46:13,180 --> 00:46:15,309 the overall security of our 1282 00:46:15,310 --> 00:46:17,259 systems, as the question from the 1283 00:46:17,260 --> 00:46:19,149 Internet pointed out, that that is one of 1284 00:46:19,150 --> 00:46:20,349 the consequences. 
1285 00:46:20,350 --> 00:46:22,599 And so it's 1286 00:46:22,600 --> 00:46:24,909 not necessarily clear that 1287 00:46:24,910 --> 00:46:26,949 these things should be on something like 1288 00:46:26,950 --> 00:46:29,349 a dual-use list. But maybe we need 1289 00:46:29,350 --> 00:46:31,809 a recognition that the positives 1290 00:46:31,810 --> 00:46:33,969 of these things drastically 1291 00:46:33,970 --> 00:46:36,159 outweigh the negatives and that by not 1292 00:46:36,160 --> 00:46:38,499 having secure or not having the offensive 1293 00:46:38,500 --> 00:46:40,629 tools to create the defensive 1294 00:46:40,630 --> 00:46:42,759 protective measures that we potentially 1295 00:46:42,760 --> 00:46:45,219 leave ourselves open to much cheaper, 1296 00:46:45,220 --> 00:46:46,869 much at 1297 00:46:47,980 --> 00:46:50,139 ghostwrite, whatever, whatever you want 1298 00:46:50,140 --> 00:46:52,899 to buy on on AlphaBay 1299 00:46:52,900 --> 00:46:55,419 or whatever the new 1300 00:46:55,420 --> 00:46:56,469 marketplaces. 1301 00:46:58,000 --> 00:46:59,529 Another question from the Internet, 1302 00:46:59,530 --> 00:47:01,629 please, thank you: is 1303 00:47:01,630 --> 00:47:03,699 the Wassenaar arrangement draft 1304 00:47:03,700 --> 00:47:05,309 openly available? 1305 00:47:05,310 --> 00:47:06,609 Yeah, we are to get it. 1306 00:47:06,610 --> 00:47:09,399 It's on Wassenaar arrangement, 1307 00:47:09,400 --> 00:47:10,889 just Wassenaar dot org. 1308 00:47:10,890 --> 00:47:11,829 Yeah. 1309 00:47:11,830 --> 00:47:13,059 And it's not a draft. 1310 00:47:13,060 --> 00:47:15,159 It's just a published document 1311 00:47:15,160 --> 00:47:15,879 on that site. 1312 00:47:15,880 --> 00:47:16,909 Yeah. It's final. 1313 00:47:16,910 --> 00:47:17,910 It's not a draft. 
1314 00:47:19,230 --> 00:47:21,959 Number four, please, sir, 1315 00:47:21,960 --> 00:47:24,449 I think the high level point I'm hearing 1316 00:47:24,450 --> 00:47:26,609 here is that 1317 00:47:26,610 --> 00:47:28,889 we have learned in the 1990s 1318 00:47:28,890 --> 00:47:30,959 the Wassenaar arrangement with its 1319 00:47:30,960 --> 00:47:33,299 weird, reserved word definition 1320 00:47:33,300 --> 00:47:35,769 of public domain. 1321 00:47:35,770 --> 00:47:37,889 It's in scare quotes and 1322 00:47:37,890 --> 00:47:40,049 its weird framework 1323 00:47:40,050 --> 00:47:43,169 has been an awful fit for crypto. 1324 00:47:43,170 --> 00:47:45,329 Back then, we sort of got ourselves out 1325 00:47:45,330 --> 00:47:46,859 of it. That's great. 1326 00:47:46,860 --> 00:47:47,819 It's coming back. 1327 00:47:47,820 --> 00:47:50,670 It's an awful fit for 1328 00:47:51,780 --> 00:47:54,329 the sort of possibly intrusive 1329 00:47:54,330 --> 00:47:55,739 software we're talking about here. 1330 00:47:55,740 --> 00:47:57,689 But actually it's possibly a little bit 1331 00:47:57,690 --> 00:48:00,029 closer in its original 1332 00:48:00,030 --> 00:48:02,129 intent to the software than it was 1333 00:48:02,130 --> 00:48:04,559 to crypto. After all, its original 1334 00:48:04,560 --> 00:48:06,779 intent is to keep that heavy truck 1335 00:48:06,780 --> 00:48:08,939 out of its use as a troop 1336 00:48:08,940 --> 00:48:11,460 transport. It is to keep this 1337 00:48:13,350 --> 00:48:15,449 dual use tool out 1338 00:48:15,450 --> 00:48:17,579 of another army's hand. 
1339 00:48:17,580 --> 00:48:19,799 And what we're talking about here is 1340 00:48:19,800 --> 00:48:21,899 keeping this overtly 1341 00:48:21,900 --> 00:48:24,029 dual use, low tech technology 1342 00:48:24,030 --> 00:48:25,829 out of the hands of an oppressive 1343 00:48:25,830 --> 00:48:27,899 government that wishes 1344 00:48:27,900 --> 00:48:30,209 to use it against its citizens while 1345 00:48:30,210 --> 00:48:31,799 maybe keeping it in the hands of 1346 00:48:31,800 --> 00:48:32,789 researchers. 1347 00:48:32,790 --> 00:48:35,609 So that framework sounds attractive. 1348 00:48:35,610 --> 00:48:37,979 We're learning in this conversation 1349 00:48:37,980 --> 00:48:40,199 it probably has a lot of secondary 1350 00:48:40,200 --> 00:48:43,139 effects that are unpleasant. 1351 00:48:43,140 --> 00:48:45,299 I would like to hear from the panelists 1352 00:48:45,300 --> 00:48:47,699 what your view is as to what 1353 00:48:47,700 --> 00:48:50,459 a reasonable regulatory 1354 00:48:50,460 --> 00:48:52,859 environment around these offensive 1355 00:48:52,860 --> 00:48:54,029 technologies looks like. 1356 00:48:54,030 --> 00:48:56,539 I heard Nate say for crypto it is just 1357 00:48:56,540 --> 00:48:58,589 take it out of export control, make it 1358 00:48:58,590 --> 00:48:59,579 freely available. 1359 00:48:59,580 --> 00:49:00,689 It is so beneficial. 1360 00:49:00,690 --> 00:49:02,729 Are we saying the same thing about 1361 00:49:02,730 --> 00:49:03,659 offensive technology? 1362 00:49:03,660 --> 00:49:05,759 I, I want to give a mark to Meredith 1363 00:49:05,760 --> 00:49:07,679 on that because she has published a paper 1364 00:49:07,680 --> 00:49:10,169 on that together with Sergey Bratus. 
1365 00:49:10,170 --> 00:49:12,269 Well, I mean, honestly, my 1366 00:49:12,270 --> 00:49:14,489 my perspective has changed 1367 00:49:14,490 --> 00:49:16,559 over the course of this conversation, 1368 00:49:16,560 --> 00:49:18,239 you know, because what Sergey and I have 1369 00:49:18,240 --> 00:49:21,449 have been writing about 1370 00:49:21,450 --> 00:49:23,519 is how to change the language 1371 00:49:23,520 --> 00:49:25,889 to something saner. One 1372 00:49:25,890 --> 00:49:27,689 thing that's come up over and over again 1373 00:49:27,690 --> 00:49:29,759 in discussions on the 1374 00:49:29,760 --> 00:49:32,399 current language is that 1375 00:49:32,400 --> 00:49:33,400 the 1376 00:49:34,560 --> 00:49:37,079 the language about execution paths 1377 00:49:37,080 --> 00:49:38,430 is essentially meaningless. 1378 00:49:40,170 --> 00:49:42,959 Nobody really agrees on what it means. 1379 00:49:42,960 --> 00:49:45,059 And even if they did agree on what 1380 00:49:45,060 --> 00:49:48,089 it meant, it wouldn't actually help. 1381 00:49:48,090 --> 00:49:49,739 There's a wonderful paper from USENIX 1382 00:49:49,740 --> 00:49:51,419 Security earlier this year 1383 00:49:52,560 --> 00:49:54,359 called Control Flow Bending. 1384 00:49:55,470 --> 00:49:57,629 And they they take 1385 00:49:57,630 --> 00:49:59,729 a look at control flow integrity 1386 00:49:59,730 --> 00:50:00,719 systems. 1387 00:50:00,720 --> 00:50:02,579 This is these are basically like systems 1388 00:50:02,580 --> 00:50:04,889 that try to whitelist what 1389 00:50:04,890 --> 00:50:06,839 paths through the control flow graph of a 1390 00:50:06,840 --> 00:50:09,179 program are considered 1391 00:50:09,180 --> 00:50:10,559 legitimate. 1392 00:50:10,560 --> 00:50:12,689 And then you only whitelist those and 1393 00:50:12,690 --> 00:50:14,380 anything else is considered an exploit. 
1394 00:50:15,660 --> 00:50:18,510 Turns out you can actually 1395 00:50:19,650 --> 00:50:21,539 have all kinds of memory corruption fun 1396 00:50:21,540 --> 00:50:23,759 and get arbitrary computation 1397 00:50:23,760 --> 00:50:25,109 with printf. 1398 00:50:25,110 --> 00:50:26,969 You don't actually have to. 1399 00:50:26,970 --> 00:50:28,859 You can you can violate even 1400 00:50:28,860 --> 00:50:31,049 theoretically, you can get an exploit 1401 00:50:31,050 --> 00:50:32,939 on even theoretically perfect control 1402 00:50:32,940 --> 00:50:33,989 flow integrity. 1403 00:50:33,990 --> 00:50:35,699 So like what they've described doesn't 1404 00:50:35,700 --> 00:50:37,529 even make sense and doesn't help. 1405 00:50:37,530 --> 00:50:39,599 But I mean, I think 1406 00:50:39,600 --> 00:50:41,729 what I think what you said earlier 1407 00:50:41,730 --> 00:50:43,919 about the provision of services 1408 00:50:43,920 --> 00:50:45,780 is the far more important point like. 1409 00:50:47,260 --> 00:50:49,539 The government of random Third 1410 00:50:49,540 --> 00:50:51,669 World nation is not going to get a lot 1411 00:50:51,670 --> 00:50:54,039 of use out of, you know, here's 1412 00:50:54,040 --> 00:50:54,939 FinFisher, have fun. 1413 00:50:54,940 --> 00:50:57,129 They need that support contract, regulate 1414 00:50:57,130 --> 00:50:59,199 that or, you 1415 00:50:59,200 --> 00:51:01,209 know, impose a strong liability regime. 1416 00:51:01,210 --> 00:51:03,309 I'm lead counsel at EFF in our 1417 00:51:03,310 --> 00:51:04,689 case, where we're suing the government of 1418 00:51:04,690 --> 00:51:07,359 Ethiopia for using FinFisher 1419 00:51:07,360 --> 00:51:09,399 on a democracy activist in the United 1420 00:51:09,400 --> 00:51:11,529 States. 
We were lucky enough to get a 1421 00:51:11,530 --> 00:51:13,869 client who we were able to catch 1422 00:51:13,870 --> 00:51:16,179 Ethiopia using FinFisher on red-handed 1423 00:51:16,180 --> 00:51:18,009 within the United States, which gives us 1424 00:51:18,010 --> 00:51:19,689 jurisdiction to sue them. 1425 00:51:19,690 --> 00:51:22,059 But PI is is 1426 00:51:22,060 --> 00:51:24,549 pursuing a case against Gamma 1427 00:51:24,550 --> 00:51:26,889 in the UK for the same thing. 1428 00:51:26,890 --> 00:51:28,989 You know, EFF was involved in cases 1429 00:51:28,990 --> 00:51:31,209 against Cisco for helping build the Great 1430 00:51:31,210 --> 00:51:33,489 Firewall and against IBM 1431 00:51:33,490 --> 00:51:35,619 for building South Africa's apartheid 1432 00:51:35,620 --> 00:51:37,809 ID card system. 1433 00:51:37,810 --> 00:51:40,179 That kind of liability 1434 00:51:40,180 --> 00:51:42,399 on the on the back end for doing 1435 00:51:42,400 --> 00:51:44,919 the stuff that we care about that that we 1436 00:51:44,920 --> 00:51:47,739 that we don't want companies doing, 1437 00:51:47,740 --> 00:51:50,379 I think would be 1438 00:51:50,380 --> 00:51:53,319 possibly much more successful 1439 00:51:53,320 --> 00:51:55,329 and would have chilling effects on the on 1440 00:51:55,330 --> 00:51:57,159 the bad stuff without touching the 1441 00:51:57,160 --> 00:51:58,299 security research. 1442 00:51:58,300 --> 00:52:00,039 And I think that's the really big ask, 1443 00:52:00,040 --> 00:52:01,449 because good luck getting any government 1444 00:52:01,450 --> 00:52:03,519 to, you know, be willing to be sued for 1445 00:52:03,520 --> 00:52:04,089 anything. 1446 00:52:04,090 --> 00:52:06,399 But but I think the 1447 00:52:06,400 --> 00:52:07,779 one of the points in relation to the 1448 00:52:07,780 --> 00:52:09,909 question is that, you know, to 1449 00:52:09,910 --> 00:52:11,349 someone with a hammer, everything is a 1450 00:52:11,350 --> 00:52:13,959 nail. 
And Wassenaar 1451 00:52:13,960 --> 00:52:15,939 is is the tool that was there. 1452 00:52:15,940 --> 00:52:17,469 But as as has been highlighted just 1453 00:52:17,470 --> 00:52:19,179 there, there are potentially other 1454 00:52:19,180 --> 00:52:21,279 alternatives that may 1455 00:52:21,280 --> 00:52:23,619 or may not be the be better and maybe 1456 00:52:23,620 --> 00:52:26,229 the the exploring whether the 1457 00:52:26,230 --> 00:52:27,999 language can be fixed within Wassenaar to 1458 00:52:28,000 --> 00:52:29,410 take account of the various different 1459 00:52:30,430 --> 00:52:32,619 situations or whether there's other 1460 00:52:32,620 --> 00:52:34,509 mechanisms in place I think needs to be 1461 00:52:34,510 --> 00:52:35,259 explored. 1462 00:52:35,260 --> 00:52:36,999 Yeah. And as a lawyer, as someone with a 1463 00:52:37,000 --> 00:52:38,439 law degree, everything looks like a 1464 00:52:38,440 --> 00:52:39,699 lawsuit. So I'm like, sue the. 1465 00:52:44,120 --> 00:52:45,709 Number four. 1466 00:52:45,710 --> 00:52:47,859 I just have 1467 00:52:47,860 --> 00:52:49,809 noticed something in a new South African 1468 00:52:49,810 --> 00:52:52,569 cyber security cyber crime legislation, 1469 00:52:52,570 --> 00:52:54,639 I'm not sure if it's influenced by Wassenaar 1470 00:52:54,640 --> 00:52:56,199 or if it's just the current environment. 1471 00:52:57,340 --> 00:52:59,439 And yeah, 1472 00:52:59,440 --> 00:53:00,429 basically in South Africa. 1473 00:53:00,430 --> 00:53:02,949 Now, according to the cyber crime bill, 1474 00:53:02,950 --> 00:53:05,559 malware would include any electronic 1475 00:53:05,560 --> 00:53:07,419 mechanical instrument or device that 1476 00:53:07,420 --> 00:53:09,969 could create a vulnerability, modify 1477 00:53:09,970 --> 00:53:12,069 it would appear, or interfere with 1478 00:53:12,070 --> 00:53:14,379 the ordinary functioning of a device 1479 00:53:14,380 --> 00:53:16,299 computer network. 
1480 00:53:16,300 --> 00:53:18,399 So that occurred to me that if I did 1481 00:53:18,400 --> 00:53:19,779 my phone, for example, there would be 1482 00:53:19,780 --> 00:53:20,830 malware on my phone, 1483 00:53:22,010 --> 00:53:23,469 a whole lot of things. 1484 00:53:23,470 --> 00:53:25,840 And secondly, it also got me thinking, 1485 00:53:26,950 --> 00:53:28,899 how does one actually distinguish between 1486 00:53:28,900 --> 00:53:30,429 possessing malware? 1487 00:53:30,430 --> 00:53:31,719 And then on the other side, the people 1488 00:53:31,720 --> 00:53:33,939 who are owned, having been infected 1489 00:53:34,960 --> 00:53:37,149 could that not be a catch 22 that might 1490 00:53:37,150 --> 00:53:39,759 be useful in state judicial contexts? 1491 00:53:39,760 --> 00:53:40,760 I mean, 1492 00:53:41,890 --> 00:53:44,169 an exploit is still an exploit 1493 00:53:44,170 --> 00:53:46,779 that's still taken across the border. 1494 00:53:46,780 --> 00:53:49,029 If it's in the hands 1495 00:53:49,030 --> 00:53:51,309 of a research attacker or 1496 00:53:51,310 --> 00:53:53,529 possibly even an infected computer. 1497 00:53:53,530 --> 00:53:54,909 We do have a problem already with the 1498 00:53:54,910 --> 00:53:56,179 cybercrime convention. 1499 00:53:56,180 --> 00:53:58,239 In practice, it's basically not really 1500 00:53:58,240 --> 00:54:00,639 happened. So we have no idea 1501 00:54:00,640 --> 00:54:02,499 because this the cybercrime convention is 1502 00:54:02,500 --> 00:54:03,489 an entirely different framework. 1503 00:54:03,490 --> 00:54:05,649 And Wassenaar, it's again, 1504 00:54:05,650 --> 00:54:08,199 most industrialized nations have signed 1505 00:54:08,200 --> 00:54:10,539 it has become in most implementations 1506 00:54:10,540 --> 00:54:13,479 a crime to possess 1507 00:54:13,480 --> 00:54:15,819 a piece of malware. 1508 00:54:15,820 --> 00:54:17,320 Even if you are just a victim, 1509 00:54:18,520 --> 00:54:19,520 you're technically. 
1510 00:54:20,910 --> 00:54:23,219 A criminal, I'm not 1511 00:54:23,220 --> 00:54:25,349 aware of any public prosecutors stupid 1512 00:54:25,350 --> 00:54:26,789 enough to pursue such a case. 1513 00:54:26,790 --> 00:54:28,979 I would love to hear the way 1514 00:54:28,980 --> 00:54:30,839 South Africa is a signatory to Wassenaar, 1515 00:54:30,840 --> 00:54:30,989 though. 1516 00:54:30,990 --> 00:54:32,459 I just looked it up. 1517 00:54:32,460 --> 00:54:33,509 And I think under U.S. 1518 00:54:33,510 --> 00:54:36,029 law, there's always an intent requirement 1519 00:54:36,030 --> 00:54:38,339 for virtually every crime except 1520 00:54:38,340 --> 00:54:40,379 possession of child porn. 1521 00:54:40,380 --> 00:54:42,539 So if you're a victim of malware 1522 00:54:42,540 --> 00:54:43,799 and you happen to cross the border, you 1523 00:54:43,800 --> 00:54:45,029 don't have the intent to export. 1524 00:54:45,030 --> 00:54:45,929 So no crime. 1525 00:54:45,930 --> 00:54:47,789 And I think the some of the other tools 1526 00:54:47,790 --> 00:54:49,619 that might fall into that would be things 1527 00:54:49,620 --> 00:54:51,719 like IDA Pro, that 1528 00:54:51,720 --> 00:54:52,949 you'd be able to manipulate various 1529 00:54:52,950 --> 00:54:54,719 different bits and bobs through the true 1530 00:54:54,720 --> 00:54:56,259 decompiled piece of software. 
1531 00:54:56,260 --> 00:54:58,559 But at the start, 1532 00:54:58,560 --> 00:55:01,069 I think mentioned that the 1533 00:55:01,070 --> 00:55:03,359 the actual piece of malware itself 1534 00:55:03,360 --> 00:55:05,519 and strictly speaking, 1535 00:55:05,520 --> 00:55:08,429 or at least that's probably not for 1536 00:55:08,430 --> 00:55:10,739 the intent of Wassenaar, was not 1537 00:55:10,740 --> 00:55:13,079 to control anything which could go 1538 00:55:13,080 --> 00:55:15,359 on the individual's device precisely for 1539 00:55:15,360 --> 00:55:17,939 that reason that an innocent victim 1540 00:55:17,940 --> 00:55:20,069 crossing the border and be found 1541 00:55:20,070 --> 00:55:22,469 now as as experts have analyzed 1542 00:55:22,470 --> 00:55:25,109 the the actual text 1543 00:55:25,110 --> 00:55:27,239 and found various different ways in which 1544 00:55:27,240 --> 00:55:28,780 potentially at 1545 00:55:30,090 --> 00:55:32,759 code or executables 1546 00:55:32,760 --> 00:55:34,829 on a victim's device 1547 00:55:34,830 --> 00:55:37,629 could potentially be considered 1548 00:55:37,630 --> 00:55:39,059 caught under Wassenaar. 1549 00:55:40,530 --> 00:55:42,569 Thank you. Oh, so here's a wacky thing, 1550 00:55:42,570 --> 00:55:44,819 under the U.S. implementation, 1551 00:55:44,820 --> 00:55:47,489 the code is arguably 1552 00:55:47,490 --> 00:55:49,559 not subject to control, but the 1553 00:55:49,560 --> 00:55:51,989 comments to the code are definitely 1554 00:55:51,990 --> 00:55:52,990 subject to control. 1555 00:55:56,750 --> 00:55:58,369 I think we're kind of running out of 1556 00:55:58,370 --> 00:56:01,109 questions from the room and 1557 00:56:01,110 --> 00:56:02,989 no. All right. 1558 00:56:02,990 --> 00:56:03,599 Sorry. 1559 00:56:03,600 --> 00:56:04,730 And once 1560 00:56:05,900 --> 00:56:07,729 you mentioned that Hacking Team very 1561 00:56:07,730 --> 00:56:09,739 easily got a license. 
1562 00:56:09,740 --> 00:56:11,959 So why would 1563 00:56:11,960 --> 00:56:13,819 it be very hard for all of us to get a 1564 00:56:13,820 --> 00:56:14,959 license? 1565 00:56:14,960 --> 00:56:16,879 Well, I think Hacking Team had a special 1566 00:56:16,880 --> 00:56:18,919 relationship with the Italian regulator 1567 00:56:18,920 --> 00:56:19,920 that allowed them 1568 00:56:20,980 --> 00:56:22,339 to get that license. 1569 00:56:22,340 --> 00:56:24,559 And I don't think people who want to 1570 00:56:24,560 --> 00:56:26,599 play with software and figure out the 1571 00:56:26,600 --> 00:56:28,519 problems with it should have to register 1572 00:56:28,520 --> 00:56:30,589 with their government in order to get a 1573 00:56:30,590 --> 00:56:32,149 license. They probably should be able to 1574 00:56:32,150 --> 00:56:34,339 conduct the research themselves, because 1575 00:56:34,340 --> 00:56:35,599 then you're running into the problem of, 1576 00:56:35,600 --> 00:56:37,789 well, supposing somebody 1577 00:56:37,790 --> 00:56:39,979 in Canada gets their hands on FinFisher 1578 00:56:39,980 --> 00:56:42,229 or Hacking Team and then they have to go 1579 00:56:42,230 --> 00:56:44,359 and register for a license 1580 00:56:44,360 --> 00:56:45,919 with Canada, who are potentially 1581 00:56:45,920 --> 00:56:48,139 customers of FinFisher and Hacking 1582 00:56:48,140 --> 00:56:50,479 Team, to say, hey, I'm doing 1583 00:56:50,480 --> 00:56:52,519 reverse engineering or malware analysis 1584 00:56:52,520 --> 00:56:54,949 on the very tools that they have bought.
1585 00:56:54,950 --> 00:56:58,249 And I wonder if that information 1586 00:56:58,250 --> 00:57:00,469 stays within the 1587 00:57:00,470 --> 00:57:02,539 authorization 1588 00:57:02,540 --> 00:57:04,129 department or whether that may 1589 00:57:04,130 --> 00:57:06,439 potentially get passed to the companies 1590 00:57:06,440 --> 00:57:08,809 who are involved in the sale 1591 00:57:08,810 --> 00:57:11,059 of the material, so that they get tipped 1592 00:57:11,060 --> 00:57:13,309 off that, hey, somebody's got a 1593 00:57:13,310 --> 00:57:15,469 sample of your latest malware version 1594 00:57:15,470 --> 00:57:17,599 and you might think of changing 1595 00:57:17,600 --> 00:57:18,729 it. 1596 00:57:18,730 --> 00:57:21,189 I mean, one thing that could, 1597 00:57:21,190 --> 00:57:23,379 you know, one thing that could be done to 1598 00:57:23,380 --> 00:57:25,509 sort of point out the absurdity 1599 00:57:25,510 --> 00:57:27,669 of particularly 1600 00:57:27,670 --> 00:57:29,979 restrictive licensing requirements, 1601 00:57:29,980 --> 00:57:31,209 you know, could be the equivalent of a 1602 00:57:31,210 --> 00:57:33,489 work-to-rule strike: 1603 00:57:33,490 --> 00:57:35,739 ask the licensing agency 1604 00:57:35,740 --> 00:57:37,719 with requests every single time you 1605 00:57:37,720 --> 00:57:39,010 install OpenSSL. 1606 00:57:40,570 --> 00:57:42,609 So that's one possibility. 1607 00:57:42,610 --> 00:57:44,529 And on that note, thank you all for your 1608 00:57:44,530 --> 00:57:45,910 attention and. 1609 00:57:47,080 --> 00:57:48,080 And join.
