Suing The Government with Cindy Cohn

If you've ever heard that code is an expression of free speech, you have Cindy Cohn to thank. Her decades of work in courtrooms and at the Electronic Frontier Foundation have been keeping open source open and private communications private. We got to chat about her new book, Privacy's Defender, and take a look at the future by hearing stories from the past.
Welcome to Fork Around and Find Out, the podcast about building, running, and maintaining software
and systems.
Hello and welcome to Fork Around and Find Out, the podcast all about defending your
privacy and not giving everyone your data.
I'm your host, Justin Garrison, and with me as always is Autumn Nash.
I am so excited for this episode.
Yes, this is going to be wonderful.
Today's guest is Cindy Cohn, the executive director of the Electronic Frontier Foundation,
the EFF, and also the author of Privacy's Defender.
Cindy, thank you so much for coming on the show.
Well, thank you so much for having me.
My boys are walking around covered in the lanyards from Scale.
Like they have them everywhere.
They've got like stickers all over their laptops.
And that's actually where I wanted to start the conversation.
Cindy, you gave a keynote at Scale.
And one of the things you called out in that keynote was recruiting hackers to help defend
basically the internet as we want it to exist and not necessarily as it exists today.
And I wanted to use this podcast, this platform to also amplify that.
And for everyone listening, there's people out there that are skilled in what they do.
They might be, not to say like, I know you're broadly using the term hacker here, but in
general, someone that's skilled in infrastructure and software and maintaining and knowing how to
do it.
And I think that's a great way to start the conversation.
Turn the knobs to make things private.
What sort of help are you looking for from folks that might be listening to the show?
I mean, all kinds, right?
There's plenty of open source products, tools out there that people are developing.
It's usually one or two people who desperately would like other people to help them find one,
adopt it, you know, adopt an OS project would be a great thing to do.
And I also think people who don't, you know, you don't have to be a deep coder or whatever.
Like we need user interface like crazy.
We need people.
We need people who can think about how to let people who aren't already in our community
in and feel welcome and feel like they can be part of making things better.
I mean, I think a lot of people are frustrated right now that we're in this world with the
five big tech companies with one business model controlling everything, but there are
nascent efforts to try to build a better, whether that's social network or tools of
all kinds, you know, join in to, to one of them, I think.
And the other thing I think about this is that there's a lot of people that are not
interested in this.
And part of the reason I told the story about the Bernstein case, uh, the cryptography case
is that like, actually the hackers showed up in court with me.
They helped me get expertise.
They taught me enough about the technology so that I could stand up and push in the court.
So tech people doing tech isn't the only way that you can help. Making sure your expertise
is spread around and can help in other dimensions is one of the things that the, the hacker crew
that I fell in with in the 90s did.
And I feel like that's an important avenue that sometimes people don't think about.
Can you tell us more about that case?
Just for people that might not have been able to listen to your Scale talk?
Sure.
So in the 90s, the US government treated encryption, strong encryption, like a munition.
On the list of things that you could not export from the United States without a license,
there was like surface to air missiles, tanks, and software with the capability of maintaining
secrecy.
And the creators of the EFF, especially
John Gilmore, who founded the EFF and a couple other of these kind of early hackers, some of
them which were working for the Free Software Foundation at the time. And I think I was like
one of the only lawyers they knew. And they were certainly the only hackers we knew. And we got to
be friends because they were thinking about what the world would look like when everybody got to
use the technology that they were starting to use. This is 1990. So this predates the World Wide Web.
They were starting to think about what did we need to put in place to make sure that we were
building a better world, not a worse one with the internet. And I, of course, was coming out of
human rights and was interested in how do you lift people up? How do you protect people's rights? And
I started looking at what they were doing through a very similar lens. This is going to be cool
when everybody has access to it. It's going to mean that we can instantaneously communicate with
people all around the world, something that used to be very, very expensive, and do it with a lot
of people at once as opposed to a single long distance call and have ongoing communication.
What is that going to mean?
It's going to mean for people's ability to gather together, to make change, to protect themselves,
to build community outside of the community that they live in with people who might share other
aspects of their lives. And so we were all thinking along the same lines together. I would
say we were also just friends. And then one day John called me up and said, you know, I've got
this math PhD student. He wants to publish code on the internet. And if he does, he'll go to jail
as an arms dealer. Do you want to take the case? And I said,
yes. And was able to convince my little law firm to let me do it. And so I kind of fell into it. And
I got really lucky in that the hackers all took the time to teach me stuff. You know, I've always
viewed myself, I'm not a technical person, but I am a really good translator and a really good
listener. And that's really, I think, my value add to this conversation was that I could take
what they were saying and figure out how to say it
to a judge in a way that would make sense for the judge. So really, it's a it's an active
translation out of this community into another community is kind of where I think I was the most
helpful. And it was fun. And we won. I mean, geez, we were we were able to marshal a lot of people
to join us. And and we were ultimately able to get the government to back down and reduce these
encryption regulations to something that would allow the technology to flourish.
I'd even like to
tie that back into what you're saying before of like getting started in open source and helping
people like just start contributing in certain ways. I don't have a software engineering
background at all. And like my first contributions for pretty much any open source is in documentation,
where I say, Hey, I tried to use your thing. It didn't work in this scenario or under this
configuration. Here's some docs to fix it. And almost every case like that's the initial start
for me to like, here, let's let's see if this works and translate it for someone else in the
future. And most of my contributions as a non software engineer were, you know, not pull
requests
for code or anything. It was like, here's some docs. And then I started a podcast back in 2008
was like my first podcast for like the mintCast community. It was mintCast of the podcast for
Linux Mint. And that was my contribution to the community. It was like, Hey, I don't know how to
do the software thing, but I can help tell people about what's going on in the community, what the
news is, what else is happening. And those are also ways that people can get involved, even if
they don't think they might have the skills or be afraid to commit code into a repo or something
because I'd get it is a very scary thing of you don't have a software back. How do you think some
of this is changing in 2026? With AI as a as the first thing that's like drowning open source
maintainers in contributions?
Can I just add to what you had said before, like, I think that writing code is like the least hard
part of our job. Like, you know what I mean? Like being a software engineer, like they're so
but it's also one of the most intimidating.
Because it's but I don't mean like, that it's not intimidating. I just mean that, like, I think if
you're not a good communicator, and you can't truly like, translate something, you're not going to be
able to translate. I think that's the harder skill for people to really like get good at. So I hope
people that are good at what like Cindy had said is like translating and kind of like explaining
concepts. Like I really do see software engineering, very much like a science of where you're
experimenting and like, collaborating with other people, just like you would in maybe like a
scientific lab of like chemistry or other things, because that's kind of the basis of what it is,
because it's a lot of failing, and then kind of working at it and seeing what you're like,
where you're having issues. And like, we'd be nowhere without
code reviews and other people looking at your code. So I think that's right. And I think that
that, you know, one of the changes I've seen in the open source community over the years
is a lot more openness, there's a lot, it used to be like, if you you know, there was this kind of,
well, if you can't code, you don't don't show up or whatever, right. And, and I think that that,
that mentality, I don't see anymore at all. In fact, I see much more welcoming, and the results
are really clear, you go to these, these conferences, and it's not all people who,
you know, look the same,
come from the same context, it's always, it's a much wider aperture of humanity that feels like
they can be at home in the open source community than when, you know, kind of when I first started
doing these kinds of things. And I think that people are really learning how to be welcoming
at a level and you can really see it. And I mean, I just think, you know, we need to double down on
it, the world needs open source, like at a much wider level than we're still able to meet the
needs. But I've seen a huge,
a huge change in some of the really rotten behaviors that kept people out and the really
rotten kind of hierarchy, like unless you're elite coder, you don't really, you know, you
shouldn't be here. Like, I don't hear that kind of stuff at all anymore, at least, you know, in the
interactions I've had. And I think that's a community growing and maturing. And also, in some
ways coming into its power, right? You know, you can all be like little boys in the clubhouse when
you don't matter, but like open source matters. And so it can't keep that meant it hasn't kept
that mentality. And people really,
really opened up. So I think continuing to reinforce that is really important. But I will
say just as somebody who's been around for 30 years, it just feels a lot better and more open
than it used to. Have you seen? I'm just curious if you've seen the power shift to me has gone from
individuals that were, you know, these single people that had their clubhouse. And they're
like, I'm gonna say yes or no to people. And now it moved to corporations that do open source in
very specific ways where there's a there is a
business behind the thing. And and there's just it turns to money, right? At the end of the day,
it's just like, who's making money off of this. And then there's we get things like rug pulls for
license changes, and who can host it and all that sort of stuff. It the the power dynamic has
changed, they'll still welcome everyone, partially because it's free labor, and not because it's
it's actually like an open good community be part of. Yeah, I think that I'm seeing that as well.
And the rug pulls are bad. And the AI, you know, obviously, the using open source to train up
models in ways that is not responsive
to the community. Like I'm, I'm not anti AI. But I think that user control, community control is
really an important piece that's missing from a lot of this stuff. So I do see that. And I think
it's, it's the, it's the current, it's the current moment, we're in that we need to like band
together to try to create a, you know, a way to exist in, you know, what they call the third
spaces, right? They're not work, and they're not home, they're this third space. And I think of
open source is kind of the third space of the
of the digital world that is needs to, we need to nurture and have have that really work. And I
agree, you know, in some ways, it was great that some of the companies came along, I think they
helped grow and mature a lot of different products. But, you know, at the end of the day,
the company is going to company, right? And you need to, we need to make sure that that's not not,
we haven't sold our soul, sold everything to them in a way that is problematic. And I think
you're right. That's, that's the current one of the current fights.
I think people are also selling their soul for cool gadgets, when it comes to like privacy.
And I feel like we haven't really educated people enough to realize what they're giving up when they
agree. Like, I think it's like when people say that social media or like different,
like subscriptions to different, like, assistants were free. And they said that's so cool that
they're giving us this for free, but it's not free, you're the product, right? So like,
how do you think that we navigate this new age of,
like, privacy and how those things are coming home to roost because roost roots, but because like,
I think a lot of people, I don't think they want to believe that we're giving away as much as we
are, like, how do we really translate that to people that maybe aren't in tech and kind of
explain the dangers, I guess. I mean, I think it's important to continue to explain the dangers. But
I also think that like, individual choice isn't going to get us out of this problem.
So it's great to educate people, but we need to educate them to demand a better deal, not just
change their own settings, or don't use a product that's bad. You can do all those. And I don't have
any judgment about it. But like, this thing is cooked. And it's going to take law and policy
to protect people you're we don't individual choice isn't going to get us out of this situation
in any real way. And again, I really resent it. I want all the cool toys. I don't like a world in
which
I have to be afraid to use the cool new tool because it's got a secondary business model
that's not on my side. Like, we can fix this, we can say like, you just don't actually get to do
surveillance as a business model. If you collect information for one purpose, you don't get to use
it for a second purpose, like, period, like, you know, or maybe at a very, very high bar rather
than a click wrap license. But I think that the answers I worry that I don't say don't educate
people, but I think that
I worry that sometimes when the side effect of the education is that people feel like it's their
fault, and they just should say no, as opposed to they should get angry and demand better.
I think that's a really wonderful viewpoint, because I've never thought of it that way.
But also, it's like really interesting, because it also like, these companies are benefiting and
making money off of it. But they're putting the onus on these people that they're not even aware
of how they're using it. I also don't understand that we I feel like privacy kind of is like,
a dirty word. Sometimes like people don't want to talk about it. And it's like viewed as like an
anti capitalism or anti company thing. But to me, like, if we lose the trust of customers and
consumers, and people do get to the point where they don't want anything to do with technology,
to me, like you're, you're alienating your customer base, you're like, you're making
people have a you're losing the trust that they have with technology. So wouldn't it be in
companies' best interest to do better with privacy, and data collection,
so that way people continue to want their products?
I mean, I think Nest got a good, Ring, I'm sorry, Ring doorbells got a good lesson in that right
after the Super Bowl recently, where they, they tried to present a kind of community surveillance
network as something beneficent and your dog, right. And, you know, I looked at that as a
privacy advocate. And I'm like, Oh, my God, that is just scary. But the thing that was great was I
wasn't the only one, right? The whole bunch of people were very, very, very, very, very, very,
very unhappy with this, including I love this, the WeRateDogs guy who I adore. And they had to
drop of, you know, a deal that they were thinking they were going to put together with Flock the
license plate reader cameras as a result of this outcry. So that's a good moment, right for them.
And I think they haven't learned their lesson yet, because I see their CEO going around.
Yeah, I feel like he's he hasn't had it bad enough yet. But it's funny. Yeah, there was like,
the first lesson. Yeah, go ahead. There was a meme that was like, when you piss off the rate
dog
guy, you've really like, you know, you've really messed up.
That was a great moment. Again, you know, the lesson will be repeated until it's learned,
we need to make sure that he gets this lesson repeatedly that the company does. But I think
that was a good moment for people to realize that there were a lot of us who are pretty offended at
this. And there were enough of us that we could, we could change the course of at least in this
small way. But I think, you know, so it's, it's good. And it's important. And I do think so. But
you know, I think of privacy a little differently than some people think of privacy. And maybe this
will help. I don't know. But a lot of people think of privacy is like the Harry Potter cloak of
invisibility that you throw over your head before you're going to do something you don't want anybody
to see. And it's not like privacy doesn't do that. But I think of privacy as a way that people with
less power, get protection from people who have more power. It's, it's, it's a fundamental thing,
protecting the vulnerable people have a zone of safety from people who have more
power over them. And I, you know, it happens in large ways and small ways, like in, you know,
very kind of in inside households. My colleague Eva Galperin does a lot of work with domestic
violence victims who have spyware put on their devices by their abusers so that the abusers can
see everything they're doing, everyone they're talking to and maintain power over them so that
they can't leave. They need privacy to literally get out of what can be a life or death situation
in their own homes, all the way up to government.
And if a government sees everything that you're doing, you're not going to be able to organize to
make change. You're not going to be able to vote them out because they're going to be able to
intimidate people and countermand. You need to be able to have a zone of privacy to make social
change. That's why we have a secret ballot so that nobody can force you to use your vote to vote for
who they want to. And this was a historical problem. Bosses used to tell workers who they
had to vote for, right? I think that's like my favorite part of your,
your, your talk that you gave at Scale, the keynote, because I think the struggle is,
is when you're trying to explain or have that conversation with people, their first thing that
they say is, well, I have nothing to hide. I'm like, it's not about you having anything to hide.
And I really love that you, your Harry Potter analogy really brings it down to like an everyday,
almost a tangible thing that you can think of in your mind. Because I remember being at Google
Next and I was talking to different booths and one guy was like,
he was so excited about this thing they were building. And it was basically like an aggregator
and like a collector of all this data. And it would put it through pipelines. And it was basically
like you, your employee comes into the parking lot and you scan their license plates and then
you can do their faces. And then, you know, you do this stuff outside of your house. And like,
he was so excited. And like, they just argued with me because I was like, but you could use that
to track domestic violence victims. You could use that to, you know, like for multiple like
malicious things. And I was like, I don't know.
And he was like, I understand that you think it's great. And he was like, I would want
that at my like at my house. And I'm like, okay, but and then he went on to like one of the
salespersons were like, well, what if it's a custody thing and you're divorced and then somebody
picks the kid up from school? And I'm like, yes, but nine out of 10 of those times, like human
nature and capitalism, that's going to be used to collect things in ways that are, you know,
you're more likely to have that being used in a bad situation than a good.
I almost always think of it as like the power, the people in power, the people not vulnerable,
think of it as convenience. And the people that have
don't have the power, it's a restriction, right? It's a further restriction and removal of any
sort of power or agency that they have. And for me, I like I usually equated like a door on a
bathroom, right? Like, I'm vulnerable when I'm going to the bathroom or whatever, like, I'm
just going to close the door. It's my privacy to have a door closed. And and I think if I equate
that to anyone else that might have any vulnerable moment that maybe even just in society, they're
vulnerable, they should be able to have some privacy and be able to restrict who can see them
and what they're doing.
Like I was at Home
Depot the other day, and my boyfriend was in line and I got out of line and sit outside because
Home Depot was recording us while we're standing there. And I'm just like, at no point did we give
consent for any of this? What are you doing at the door? You walk in and it's their property.
It's just you know what I mean? Like it but it's everywhere. Like who thought we were going to be
like record it just checking out of Home Depot to buy like, anchors? You know what I mean? Like
it's everywhere. The one thing that I think is a is a weird side effect benefits of the United States
in the last four or so years is people are paying attention to these things. Now. People notice these
things now when it happens, right? If if ring made this announcement in, you know, I don't know, a
decade ago, like people were like, Oh, that's cool, right? Like people may may not have noticed. But I
think bringing up like news, or there's more news about court cases that I probably would have never
seen before. Like Google's a monopoly in ads, like judge ruled it like it's a thing that happened. It
was a big deal. And it's still ongoing. But like, I may not have known about that if it happened 10
years ago.
Right? Because consequences, though, like, I feel like we know a lot is going on. And it's just
like, Oh, well, like, you know what I mean? Like, I think there's enough people that pay attention
now that they realize that they can't just ignore it, right? They're also like, they're not really
following the laws these days. Like, have you seen how many like, maybe it'll come back around at
some point. So like, how do you feel like when you look at what's going on today? And like,
you've got this very, like tenured career in law, and you've been doing this since like,
you know, the internet was a thing. Like, do you think that we're too far?
Like, they've they've scraped the social security data, they've remote accessed into like data and
put it all in one place that we've never allowed before? Like, do you think that we can come back
from this? And how does this then like shape the future? Because I mean, some of that information
is going to be out there now, you know, I mean, we've solved harder problems as a country.
This is a 20 year old problem, maybe, like, this isn't like enfranchising women or, you know,
ending slavery, like these are this is this is not that deep. And I think that,
we can excavate it. I also don't think it's over. I mean, yes, so there's a lot of data around,
but it's actually not organized very well yet. You know, the guy who walked out,
thank God, really drive of social security stuff, like that's a problem. Don't get me wrong. But
it's not game over. And, you know, one of the things you learn when you hang out with like
intelligence types, and even advertisers, the most recent information is the most valuable.
So the older so once we stop the data collection, it gets their ability to,
use it gets worse and worse and worse, the value to them gets worse and worse over time.
And so, yeah, anytime is the right time to stop this. It's never game over around. And let's,
you know, that makes me really, we're still going to keep living our lives. And like the business
model needs to know what we did right. Yesterday, not what we did 10 years ago in order to be
effective at at what it wants to do. And same with the government, right? Like the, the, you know,
old surveillance,
not all that useful, new surveillance is what's useful. So, yeah, I mean, there's some putbacks,
we're gonna have to do, we're gonna have to do some remedies, we're gonna have to do something,
you know, EFF is filing a brief in the next week or two to try to get the, you know, all the DOGE-ers
out of Office of Personnel Management, permanently, and find out what happened to all that data,
we have to do an investigatory thing and try to figure out where it went. But, but this idea that
it's one and done with our privacy is another one of the myths that I think,
they used to try to keep people feeling powerless. And I, you know, you've got to recognize that there
is a very active strategy on behalf of companies and the governments to make you think there's
nothing you can do, and it's all over. And it's not worth fighting. And I, you know, you just have
to ask yourself, like, am I, am I going to fall for that?
I think that is one of the biggest things people say, well, I have nothing to hide. And oh,
well, they already have all the data. So it doesn't matter.
Yeah. And I don't think either of those are true. On the I have nothing to hide. I think that I hope
anyway, that people are starting to see what a moving target it is, right? Like people, that's,
you know, before the Dobbs decision overturning Roe versus Wade, I would think a whole lot of
people who were seeking reproductive justice, reproductive services didn't think they had
anything to hide. I mean, even the period trackers are going to be used like against women.
So like, suddenly, there's a, you know, what, 52% of the population, give or take,
is potentially got risked. Either they're, they're seeking that help, or they're
helping people who are seeking that help, because all of the statutes that we've seen
make it illegal to help people too. So it's not just in fact, some of them have harsher penalties
for people helping them than for people seeking reproductive health themselves. So that's a lot
of people that didn't think so people use, you know, you're engaging in your First Amendment
right to observe the police and follow the police like that didn't used to be something that people
thought would put them at risk to the government, because after all, the Constitution says we can do
it. But yet, we've got to do it. And so I think that's a big part of it. And I think that's a big
We've got ICE agents with, you know, facial recognition claiming they're creating domestic
terrorist things. That's a whole group of people who did not think that they were at risk before
the current administration who do now, you know, people with green cards, people who are brown,
people who look like they may not be in the country legally based on some racist assumptions,
like the, even if you're not in the crosshairs now, I don't think you could safely think you're
never going to be in the crosshairs, given how fast things are moving in our country,
I think even just saying normal things about, like, standing up for just, you know, like, what's
right on the internet, like things that we teach, like our five year olds about how to treat people
how you want to be treated, or how to stick up for like your friend, if someone's picking on them,
like at this point, like, are we going to be, I guess, looked at and put on a list because we say
things on social media when things are wrong, like, you know, the goalpost is constantly moving.
And I think after the Charlie Kirk murder, lots of people who were engaged,
engaging in, you know, like, maybe it isn't pretty speech, but it's certainly protected speech
found themselves in the crosshairs. So I just think that the, the I have nothing to hide. So
I have nothing to fear is a pretty entitled position in the best of times. And now I don't
think it's a very safe position for anybody to take. And there's nothing I can do. You know,
I mean, again, I think that's kind of entitled, like, you know, like, we, you know, they're
sweeping up our neighbors, like, really, you're gonna sit in
and pretend like you don't have any power. I think that it's important for, for people to
execute it. You know, John Perry Barlow taught me once a long time ago, like, nobody gives you your
rights, you have to take them. And I think that this, this, there's nothing I can do is a is a
kind of helplessness that they want you to feel. And I don't think we should give into it.
I also think that it's sad, because people fought for the rights that we have now. And they fought
a long, hard, you know, many times putting their bodies and their lives on the line. So to give up
so easily is almost like, not appreciating the sacrifice that they made.
Yep, I agree.
Cindy, why'd you write the book, Privacy's Defender? What's in the book? And who should read it?
I wrote the book for a couple of reasons. First, I felt like too many of the histories I saw of the
early internet, especially in the 90s, were about dudes in the companies they founded,
which of course happened, you know, there was a guy named Gates and a guy named Jobs,
like, it's not like they didn't exist. But,
that's not the whole history. And that's not the part of the history that I lived. And
they were pretty rich times, there was a lot going on. And I got to be a piece of a pretty,
I think, important and crazy part of that story. So I felt like instead of complaining,
that the histories were all this kind of corporate tech history that I should write the
story of where I sat and what it was like. So that was the first thing. The second thing is,
I really think that these stories,
have something to tell us today about people who stood up in the past to try to set things right.
And we didn't win all of the things, but we won quite a bit. And you know, there's unfinished
business, I'm trying to recruit more people into thinking that they can be part of making the world
a better place. So I tell three stories, we've talked about the Bernstein case,
which is about freeing up cryptography. The second set of stories are about the NSA mass spying.
And they feature a whistleblower that you might have heard of,
named Ed Snowden, a whistleblower that you may not have heard of named Mark Klein,
both of whom were technologists, who came forward with information about the mass spying that then,
you know, helped us fight the mass spying and change it quite dramatically, even if we still,
we still have work to do to get it all the way done. And the third set of stories are about
things called national security letters, and the government's habit of going to our service
providers demanding information about us and then gagging them
forever from telling us about it. So it's a set of cases where we had to keep the name of our client
secret for six years and fight for their ability to be able to tell people that they had been
required to hand over information. Tell their customers, hey, by the way,
all of your data was given. Yeah. And, and not even the individual customers. I mean,
I have some sympathy if they're doing an investigation that you, you know,
you don't tell the target, but being able to tell Congress that this is a tool that was
developed with the idea that would be used in very narrow situations for national security and
terrorism investigations, that's now being used hundreds of thousands of times a year to reveal
information about tens of many more people, that there's something wrong here. There must be a,
there's a disconnect between what was supposed to be a very narrow tool and the way the government
was using it. That was a story we wanted to tell the Congress and, and we couldn't tell it for a
very long time because we were gagged too, as the lawyers. We couldn't tell Congress,
uh, about this so that Congress could fix it. And once we got to be able to tell Congress about it,
we got some fixes. Again, there's still more work to be done.
It's wild that they wouldn't let you give them that very important, like, you know what I mean?
Like, okay, now we know this, but we can't talk about it. We can't fix it.
Yeah. Do you think that's a problem of the tool itself or the application of the tool? Because I
see that very similar parallels of cryptography, right? Like cryptography is a, is a broadly
useful tool, but kind of narrow focus.
Initially of like, we want to protect some communication and now it's used pretty much
anywhere that cares, right? Of like, oh, why don't we just encrypt this data? It's data.
We should encrypt it. Why not? It's like, it's essentially free. Cause back in the day, right?
Like 4096 keys, RSA keys were like hard to compute for servers. And we're like, well,
we can't do that because the server bogs down. And so, but, but now computation and tools are
so much easier. Like, oh, just do it everywhere. I don't care. And, and post, uh, post-quantum
cryptography is even better, right? Like it's just like, oh, guess what? New computers are
going to come out. They're just going to blow all that away. So like, how do we,
how do we make the tool useful? So do you think specifically with those letters that like that
tool was wrong to implement or was it just used poorly, uh, or abused by the governments?
I mean, I, I call it in the book, I call it the cat that became the lion, right? That as a,
as a nasty little house cat, I guess it was okay. We didn't like it very much. We would,
we would much prefer a world in which in order to get information about you, the government has to
go to a judge and has to ask a judge for permission. They have to get some
independent validation that what they're doing is like legal and reasonable before they get
information about us that I would like that to be the baseline rule. I didn't have a huge problem
with the NSLs as a subpoena where they get to issue it themselves. If it's only used in really
narrow national security things, but the way the FBI works is if you give them a crack, they will
run as much through it as they can. And the Patriot Act switched this house cat into a giant
lion,
and you turned it into something that was their go-to tool. I don't know how to analogize it to
the encryption, but it definitely is the case that, you know, the law enforcement is going to,
they are not going to voluntarily observe limits on their own power. Those limits have to be placed
by Congress and they have to be placed by the American people. That's what the whole constitution
is. It's a whole set of things that the government can't do except in narrow circumstances. And I
think without that balance, then there is, then they will do all the things as much as they can,
because, you know, they're, they want power and they want to solve crimes. I mean, don't get that,
I don't, I don't fault them for wanting to solve crimes. I fault them for not wanting to recognize
that there are other people's rights in the balance. And, and since we know that over time,
they don't really do that, that's what Congress needs to do. Do you think it's also the lack of
the technology, the knowledge and understanding technology that most people in our government
have? You know, I would have said that in the 90s, sometimes in the 90s, I showed up and I was like,
I'm the weird tech lawyer from the future. Let me tell you about this internet, you know.
Now, I think they have a lot of the skills that they, sometimes lawmakers don't, and they need,
they have, they need to have a better staff, honestly.
I feel like with the aging members of Congress and the Senate.
But, you know, we have Ted Lieu,
you know, who's a real technologist. We have, we have, we have a mix now in Congress of people.
And then we've got people like Ron Wyden, who's not technical at all, but always hires smart people
and comes down on the right side of things. And, you know, he, he's not a technical.
Which is truly their job. If you're going to be in a position of power,
it is your job to hire the people that are good at the things that you might have a gap in.
They don't need all the knowledge, but they need access to the right knowledge.
Well, and both sides. I mean, sometimes what happens is this, you know, there's a side effect,
of the, how expensive it is to lobby is that the, you know, the tech companies are in there
or the government's in there. They've got the resources to be there telling their story.
People who advocate like me on behalf of the public, we have much less of a window to be
able to do that. And so I think that does put the onus on lawmakers to make sure that they
are hearing from not just the voices that can afford to come before them,
but a much wider range of voices. And whether that's by inviting people like EFF in, or making
sure you have people on your staff who don't come from those communities, but can give you a
different perspective. There's multiple ways to get that other perspective, but I think that that's
one of the things we see more currently than that they don't understand. It's more that they they're
not, they're being told a technical story from people who don't stand on the side of users.
And half the time, especially because you guys come out of the open source world,
half the time we have to just show up and be like, wait a minute, it's
you know, like, we've got a whole set of laws now where we have to point out that like,
you're not just regulating Facebook, you know, when you're demanding,
you know, hooks to age verification in code, you're not you may think that you're only talking
to Apple and Google, but you're not like there's a whole other community of people that are going to
get hurt dramatically by this rule. So it works both ways, like both when they're doing the bidding
of the companies, and then sometimes when they're mad at the companies,
they they miss the complexity and the breadth of the technical community and how they're legislating.
I think multiple times we've seen them try to do like the ban on TikTok,
like age verification, like I think we've seen them re, I think that they don't understand how
to like make laws proactively, and they do reactive things. And they're reactive laws that
are not fleshed out to truly do good. And they don't like just like the California law that is
going to affect Linux distros, like, I don't know,
it's like, I get what you're trying to do. But it's like, these laws are so black and white that
but they don't fit technology and how technology works. And they don't think of the ways that
it can be used for bad or you know, like the age verifications are, they're not going to work the
way they think it is. No, no, not even close. And it's just going to hurt a bunch of people.
Where do you think we go from here? Like, I mean, we're in this state of a lot of changes and a lot
of like, it feels like everyone's suing everyone at the end of the day. And like that, it's just
going to take a long time to play out in the technology is marching forward with its own
business plans and and things are being laid out. Like what what do you think the next five years
look like? Where should we even try to focus to help protect privacy and and help secure the
internet so it lasts for, you know, ages and ages? I mean, I think there's a few things where
I think that, you know, look, we have to continue to defend encryption, it's still under attack.
Especially now, kind of internationally, but the open source community is international as well.
And so we need to stand up for for encryption and make sure that we still have access to the tools
that keep us safe. I think that's incredibly important. And honestly, but still pisses me off
that we're still having to fight this. You know, I think that like the need for a comprehensive
privacy law that really limits the ability of companies to collect information from us that
they don't need, and limits their ability to, you know,
the ability to reuse it is just paramount, right? We need to cut the surveillance business model off
at the knees, especially as we're heading into the time of AI, where the power of the information
that what they can do with the information about us that they're collecting is, it's more
and more powerful. We also see very clearly that it's going to the government, it's being used,
you know, there was testimony in Oregon just recently about a Palantir product that that the
ICE was using to decide where to whether where to do their deportation sweeps, that had
location information, right little things, they said it was like a Google map with the little
drops of where multiple immigrants were so that they could target their sweeps. Well,
that information comes from us, that comes from the location information that is collected on us
from various means, we don't know exactly what fed into that. But you know, it's definitely
coming from the commercial sector, because the government doesn't have that kind of
information in the in the real time way. So we need to start connecting the dots, we need to
start demanding transparency in this. And I just think we need to take some really clear decisions
about, you know, both what information private industry can collect about us and what they can
do with it, and what government can get access to and what they can do with it. And there's just
there's really two rules. One is surveillance as a business model should go away, secondary uses of
data should go away, and get a warrant. If you want information about people who are, you know,
Americans going about their business like this, there's international versions of this, but warrants
and all of this, I'm using the American frame. I think those are some basic principles, and we just
need to start showing up for them. I think the other piece for this community is the deploying
encryption where we can, making sure that we're thinking about security and what we're doing don't
play into this secondary data
market in the way that you're building things and using things, and help people have better tools,
better choices. I always go back to this phrase that Steve Gibson from security now podcast uses
called the tyranny of the defaults. Yes. And and the defaults are what is majority going to be used.
And I know like, when I look at the Microsoft lawsuit, when they were a monopoly, and then they
had to like in I think it's Windows 7, they had to have like a three prompt of like, it was
in the UK was like, Hey, which browser do you want? Because IE's a monopoly. So we have to give you a
choice. And most people just picked IE anyway, right? Because there's like, Oh, well, that's the
one I already know, because I used it before. But like Firefox was there and something and I almost
feel like at some point, I would love to see this because of a business model, because the laws
require it. When I start a new iPhone, I get the choice, do you want to use Signal? Or do you want
to use iMessage? And and the default is still going to be there. But I'm going through like,
with lots of groups that I'm a part of, and helping them just learn how to use Signal,
or I've been using it for more than a decade. And hey,
I will help you get onboarded, I will show you how to use it in a secure way, I'll change a couple
settings, give you some backups, and you won't even notice, right, it's gonna be a different
messenger, but it's still there. And I just keep coming back to that, like, we need to force the
defaults to be secure by defaults. Yeah, you have to force the defaults. But also, like people will
go and give way too much information as Signal chat, believing that because it's a Signal chat,
they're safe. And I'm just like, it's the government's gonna invite us in there anyway. So
it's like, just like, people are gonna mess up, invite a journalist into your
Pentagon planning, I can't stop people from using the tools, or even just like,
when we are creating, like community, like groups, and we're trying to keep our neighbors safe,
don't invite just anyone and don't give like specific locations, because you know,
I was talking to a friend who does help helps out in Minnesota, and like their OSINT skills for
adding people to the Signal group are rock solid, where it's just like, because they were adding,
like, yeah, other people to it, you know, yeah, you are getting like a burner Signal username,
you're showing up in person meeting someone in a coffee shop to make sure that this is like,
that is amazing. I love that. I don't think everyone's going to be at that level. But also,
just I think that Apple should turn off the ad ID by default in iOS, right? You just shouldn't have
an ad tracker that follows you across all your apps. Like goes back to what Cindy was saying
about third places, like open source is one of my favorite third places. And because we've lost so
many third places that we have lost like that community and village, you know, and I think that
Okay, go ahead.
I feel like we haven't lost it, but it shifted to corporations, right? It's gone towards
convenience, because I look at BBSes and IRC, and things that were community run and community
organized, but I mean, like, everything like, right, like, think about how women are trying
to work in the workforce. But like, now, like everything is so individualized, we've almost
commoditized individuality, like, think about it when you used to have a village, actually,
a woman I follow on the internet, she's Vivian, she does, she's called your rich BFF. And she's
talking about how, like, we used to have a village, right? We used to have some like your
neighbor would walk your dog, because they know at some point, they're going to be out of town,
and they need you to you to walk their dog, right? Or go check on your house. And now we have Rover,
we have Instacart, like, nobody's asking, Hey, do you need something from Costco anymore,
we have to worry about always having different sitters, because we're not swapping sitters with
the girl down the street, you know what I mean? And like, that lack of village, like, I think
that I hope that's the one good thing that comes out from it. And what we're like, really trying to
like learning how to take care of each other again, and making those third places because
if we don't have these conversations and talk to each other as humans and verify that people are
humans and really get to know each other, I think a lot of that is going to be like, paramount and
like us moving forward just as like a society because we've lost the like looking out for each
other and village. But the mutual aid networks that have popped up, and again, you know,
Minnesota, they didn't start with the recent ICE raids, right? It started after George Floyd,
right? Yes. Yeah.
Why?
It's been going for a while.
They were, they were ready. And but these are not technical people. These aren't like bad,
you know, these are like ordinary people. And some of them are some. Yeah, yeah. Amazing.
One of our like, one of the coolest security, like, tech people like lives in Minnesota and
shout out to Ian Caldwell. Yes. And it's just like, it's so amazing, because it's like, so random.
And they're such a rad human. And it's just like, on brand. But I think what you're I think you're
really right, though. Because it's like, it's just like,
I think George Floyd helped them to exercise their like muscle of empathy and knowing what they would
would not stand for. And they started to exercise that community. And that feeling of like going
against the grain. And I think Minnesota was so much better suited to be able to deal with this.
And I don't think that this administration fully understood what they're getting themselves into.
They were very equipped for ICE in 2026.
Yeah, very, like, every day, like Minnesota gives me hope the way that they stick up for
their neighbors. And you see people like,
there's like, moms and dads walking whole, like walking buses of kids to school. And like, that
makes me so happy, like that on a human level, the way that they've taught their neighbors how to use
technology. And like, to me, that's how we get, like, we get through all of this stuff that we're
going through.
I dislike people calling themselves non technical, just because I know there's so many
aspects of people's lives that like, they don't assume is like the right technology. But I think
of like, like, 15 years ago, we had like eight remotes on my coffee table. And in order to like,
play a game,
Exactly, you keep saying you're not technical.
you had to know,
you are technical, like,
the right sequence of buttons to push to get the, you know, the Nintendo to show up on the
TV was very technical. And you can figure that out. And people can figure out a lot of things.
But exactly what you're saying, Autumn, with like, communities is why like, my New Year's
resolution was to meet my neighbors, right?
I'm a very shy person. And I like will hide from people. But like, at the same time,
I'm like, I've got to go find people and means that I'm like, especially like, moms groups can
be super scary. But I'm like, look, if we have to do some clothing swap, swap some diapers,
give each other food, but like, you need to know your neighbors, because if we have to hide in the
house, you'd be able to call somebody for Costco. I'm knocking on doors to say like, Hey, by the way,
I've lived here for 15 years, I just want to know your name, right? And like, my next goal is like,
maybe I'll get their phone number. And then it's easier for us to communicate. Like,
but just having that empathy of who lives next door to you. And you're like, actually,
we're very similar in a lot of ways. And what you're saying earlier,
Cindy, you said that you had already known these hackers, and you were friends, like,
that's still like community, right? Yeah.
And that kind of like, so I just think that that's so rad that that like,
me and Justin met in a random yelling Slack group, like, you know, like, just it's so
started that channel. Wonderful how you find other humans that are like,
willing to, like, stick up and stand up for you. And like, just how we were talking about, like,
when one of the first interviews I've ever saw you on was a really famous talk show host. And I was
like, let her talk, you know, like, and honestly, there's been times where Justin has walked into
a room and just been like, Can she talk like, you know, like, you just thought,
like, the way that you like, have each other's backs, like, you've really like,
your talk and just your book and just all the stuff that I've seen on seen about you, like,
even my little, like, six, eight and 12 year old went to your booth at Scale. And they were
like, Yeah, Mom, we need to like, stand up for like, privacy. And like, you don't even know what
privacy means. But I gotcha. Like, yeah, next gen. I'm all in. That's great. And we will have
given me so much hope. Thank you. Thank you have links to Cindy, your talk, your book,
and then also the, the interview on on Stephen Colbert. So people can check it out. And Jon
Stewart. She's on. Yeah. How did how did you get? How do we get involved? Like all of the people
that are sitting at home, and they see this stuff going on? Because honestly, it feels like we're
being gaslit right now. And it makes you feel even crazier. Like, how do the people that are sitting
at home and that maybe they have technical skills, maybe they don't? How do we all get feel less
helpless and get involved and like do good? How do we become part of your mission? And I mean,
I think you've laid it all out. I mean, obviously, I'm the executive director of EFF,
we stand on the shoulders of 30,000 members who give us money. So that would be great. And it's
how I can pay a bunch of other lawyers to stand up for you and other things. But company educational
budgets might pay for people to be members. Yeah. But also, I think you guys think about,
you know, what are what are the what are the causes that you care about, get involved,
meet your neighbors. And the nice thing about the internet is your neighbors may not live next
door to you. They may be, you know, like, again, you know, you guys met over a Slack channel,
the internet means that your neighbors don't have to just be the people you're physically
interacting with. They're the people who you're spending your time with my favorite part about
the internet. And you can you can invest in them, you can invest in those communities as well. What
do they need? How do they help and so much of this stuff, like there's just not an offline online
bright line anymore. Is there a way to become a part of the EFF? Sure, you can join you remember,
we got cool merch, we got hats and t shirts. And you know, the shirt I wore on January,
Jon Stewart that said "Let's Sue the Government" is available. There's all sorts of fun merchant
stuff, but also just the feeling like you're part of the good guys, you're part of the people.
I honestly think that like, right now, like I've talked to so many friends,
and they're just like, I feel like there's nothing I can do. And I feel hopeless. And like,
even getting a part being a part of like, just doing whatever work you have, I just feel like
it would really help people feel like they're doing something and not just sitting there.
And I think that there's plenty to do whether it's local or your bigger community or
elsewhere. And, you know, again, support the organizations that are standing up for you.
EFF isn't the only one or the the biggest and oldest digital rights organization,
but especially in the open source community, the open source advocacy organizations are way
too small, they need help, and then figure out what projects if you've got skills of any kind
thinking about what where where can you put those skills to use to try to make the world better. And
I think you're exactly right that even doing a little and being able to do a little just helps,
you know,
I don't think the only reason to do it is that it makes you feel better. But it's one of the benefits
you get of standing up with other people is that it really does make you feel better. And it helps
other people too. So it's win win. Volunteering and like, just like,
being a part of the community efforts, as small as like sitting around and like giving out food,
or like we did whistle campaigns and just different things like it just that camaraderie
that you feel with the people that are doing it and the people that are also deeply upset and care.
Like, I swear, it just, it's like a different level of like, good for your mental health,
just because you understand that you're all in it together, and you don't feel so alone.
Cindy, thank you so much for coming on the show. Thank you for listening. And we will
talk to you again soon. This was so fun. Thank you. Thank you for coming. I really appreciate it.
Thank you for listening to this episode of Fork Around and Find Out. If you like this show,
please consider sharing it with a friend, a coworker, a family member, or even an enemy.
However, we get the word out about this show helps it to become sustainable for the long term.
If you want to sponsor this show, please go to fafo.fm/sponsor and reach out to us there
about what you're interested in sponsoring and how we can help. We hope your systems
stay available and your pagers stay quiet. We'll see you again next time.