Steven Murdoch leads a session about reading gov't docs and pushing

how to talk to gov'ts (in particular UK govt)

 * strong approaches vs less-strong -- tradeoffs

Most friendly: go to local representative, talk to them about Tor.
  (did this with Runa)

* Talk to the press, tell them about bad things the gov't is doing

* write documents: letters, responses to consultations.  Either
  personally or with an affiliation.  UK Gov't cares about companies
  and people who pay taxes, so sometimes writing on behalf of a
  company works better.

* talk to technical people: no direct way of changing policy, but they
  have implicit trust, which results in influence over policy.  this
  includes tech folks at places like GCHQ.

Ground rules for discussion:

 * initial discussion needs to be kept private -- so if you're
   discussing it with tor, use tor-internal.

UK investigatory powers bill requires telecom providers (w/o
definition) to provide reasonable technical assistance in removing
encryption.  After coordinating internally with Kate, Steven wrote the
response for Tor, which was mentioned in the report.

Rules for submission to certain calls for comments are that your
comments are private until the parliament makes them public.

Generally, public discussion makes the government participants and
parties nervous.

 * when talking to technical people in gov't, they don't want public
   name listed.  This is similar to Tor people: respect it.  GCHQ
   folks only go by their first name.  Steven is clear that he doesn't
   have a security clearance so that they don't share things that he
   wouldn't be able to share.  Steven is also clear up front that if
   he gets something from a GCHQ employee, he will say that it's
   from GCHQ (without names), so that he avoids
   laundering GCHQ opinions (doesn't want to end up in the NIST role
   in the NIST/NSA relationship).

This is similar to journalists -- set up the rules at the beginning of
the conversation, don't tell them at the end.

other suggestions: in the US, start with off-the-record, then have a
discussion afterward about whether there are things that can be
on-the-record.  Be explicit about information and about expectations
of sharing.

Q: how do you characterize the attitude of the public in the security
   v. privacy false dichotomy?

A: very diverse opinions, and the answers tend to be different
   depending on the examples you give them.  it's easy to manipulate
   people's answer by how you ask the question.

Q: if you talk to a politician, how do you do things?  demo, walk

A: research their background first; they're not stupid.  they often
   have no tech expertise, but have a law background.  they might have
   never had a real job.  Find out about their opinions, look at their
   voting record, and adjust your message for them.  Demos are good,
   real stories are helpful, some places encourage "policies by data",
   but a few anecdotes are usually more powerful than statistics.

Q: any EU work?

A: a little bit, about privacy and security.  I've been invited, but
   the MPs are likely to be super busy.  often end up talking with
   technical staffers.  being able to contribute to reports that
   establish things like "there is a broad consensus in the tech
   community that backdoors are bad"

UK has parliamentary office for science and technology, with board of
people from houses of parliament, and they provide technical guidance.
If you can influence them, or something similar, that can give you
better leverage.

Politicians like to think they're important, it's important to show
them respect.  In the discussion about the investigatory powers bill,
some bigger companies (google, facebook, twitter) submitted comments,
then they were invited to appear in front of parliament committee, and
they declined to appear.  It hurt their position because parliament
was upset that they hadn't accepted.

When Steven appeared on behalf of Tor in front of the committee, it
was a private appearance, and he was given the ability to redact
minutes afterward.  So you might be able to request the same if there
are people who are concerned about publicly-attributed statements.

Q: how do you push back against the idea that the Dark Web etc is all
   about child porn and terrorism.

A: you can find the exact number of cases of certain kinds -- the dark
   web is a small percentage of those crimes compared to the rest of
   the web.

Q: if you accept that, that's for today: what about future criminals?

A: criminals can already do anonymous comms quite well with things
   like botnets.  Tor provides these anonymous protections to normal

   Tor is a security tool for a wide range of people, including law
   enforcement.  Law enforcement uses Tor to do things like
   researching criminals without tipping them off that it's an

Q: can you expect the politicians to make rational decisions?  in the
   US it seems like we have no such expectations.

A: in the UK, there are some situations where the gov't overrides
   public sentiment.  For example, UK public approves of death
   penalty, but officials won't permit it.  House of Lords (appointed

Q: quiet lobbying is useful -- you can give parliamentarians arguments
   pre-crafted for them to use.

A: right, and you can also encourage them to ask the right questions.

Q: if the law enforcement use case is known, why isn't it being
   reported on?

A: often those articles have an agenda -- they want to report the
   dangerous bits.

"Dark web" is often conflated with Tor, but most Tor usage is to the
regular web -- help people tell them apart.

open question: what percentage of hidden service traffic is actually
law enforcement crawling or running honeypot/watering-hole services?

how do you handle messaging when the public discussions and goals are
different across cultures?

Last modified on Mar 18, 2016, 11:54:15 PM