<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">Hey
folks,<br>
<br>
Below is EFF's response to the Daily Dave thread entitled "Neal
Stephenson, the EFF, and Exploit Sales." <br>
<br>
</span><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">In
March, in the midst of a heated public debate about cybersecurity, EFF
published an article entitled "</span><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:bold;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">Zero-Day
Exploit Sales Should be a Key Point in the Cybersecurity Debate</span><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">."
Unfortunately, it has been mischaracterized and distorted on this
list and other public forums, so we want to take the opportunity
to clarify what we said, and importantly, what we didn't say.</span><br>
<br>
<span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">The
confusion seems to stem from this paragraph:<i><br>
</i></span>
<blockquote><i><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">If
the U.S. government is serious about securing
the Internet, any bill, directive, or policy related to
cybersecurity should work toward ensuring that vulnerabilities
are fixed, and explicitly disallow any clandestine operations
within the government that do not further this goal.
Unfortunately, if these exploits are being bought by
governments for offensive purposes, then there is pressure to
selectively harden sensitive targets while keeping the attack
secret from everyone else, leaving technology&mdash;and its
users&mdash;vulnerable to attack.</span></i></blockquote>
<br>
<span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">Based
on this, we've been accused of calling for regulation of coders'
free speech rights. But that is not what this paragraph (or the
rest of the blog post) says. This paragraph is about what <i>the
U.S. government</i> should do, and not about coders at all. </span><br>
<br>
<span
style="font-size:15px;font-family:Arial;color:#000000;background-color:#ffffff;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">Indeed,
EFF established that code is speech in the 1990s in a case called
Bernstein v. Department of Justice, winning the right to export
cryptography (</span><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:#ffffff;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;"><a
class="moz-txt-link-freetext"
href="https://www.eff.org/press/archives/2008/04/21-29">https://www.eff.org/press/archives/2008/04/21-29</a></span>).<span
style="font-size:15px;font-family:Arial;color:#000000;background-color:#ffffff;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">
We continue to defend these rights to this day. Any legislation or
other government action that would restrict coders from writing
code (and offering it to the government) should be presumptively
unconstitutional, and rightly so.</span><br>
<br>
<span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">The
blog post was written while the House of Representatives was
debating CISPA, a dangerous bill that would carve a huge hole in
existing privacy law while not actually making the Internet any
safer:<br>
<br>
</span> <span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;"><a
class="moz-txt-link-freetext"
href="https://www.eff.org/deeplinks/2012/04/cybersecurity-bill-faq-disturbing-privacy-dangers-cispa-and-how-you-stop-it">https://www.eff.org/deeplinks/2012/04/cybersecurity-bill-faq-disturbing-privacy-dangers-cispa-and-how-you-stop-it</a></span><span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">
</span><br>
<br>
<span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">The
basic point we were trying to make is that Congress should look at
the government's own actions and consider what it could do to
improve security before passing sweeping new legislation to scale
back everyone else's rights. That includes the government's own
decisions to keep information from companies and the public that
could help secure networks, systems, and critical data -- as part
of a hidden offensive strategy or otherwise. </span><br>
<br>
<span
style="font-size:15px;font-family:Arial;color:#000000;background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;">The
main cybersecurity bills are no longer moving forward, but the
debate about policies to address information security will
doubtless continue. In these discussions, EFF will continue to
fight for the users, for the researchers, for robust privacy and
security technology, and against governmental restrictions on the
freedom to code. While you may not agree with everything we do,
we thank you for the opportunity to participate in the discussions
on this forum.</span><br>
<br>
<pre class="moz-signature" cols="72">--
Trevor Timm
Activist
Electronic Frontier Foundation
<a class="moz-txt-link-abbreviated" href="mailto:trevor@eff.org">trevor@eff.org</a>
415.436.9333 ext. 104
<a class="moz-txt-link-abbreviated" href="http://www.eff.org">www.eff.org</a>
454 Shotwell Street
San Francisco, CA 94110
Defending your civil liberties in the digital world.</pre>
</body>
</html>