This week Paul Ford and Rich Ziade talk to two people with very different roles at the American Civil Liberties Union. Marco Carbone, Associate Director for Internet Technology, works on the ACLU’s website, while Daniel Kahn Gillmor, Senior Staff Technologist for the Speech, Privacy, and Technology Project, does policy-oriented work, especially on digital privacy rights. Topics covered include the recent influx of donations to the organization, poor security standards on our social media platforms, warrants, and more.
0:17 Paul Ford Hi, I’m Paul Ford and this is Track Changes, the official podcast of Postlight, a digital products studio [music fades out] in New York City at 101 5th Avenue, and I’m joined by my co-founder, Rich Ziade.
Rich Ziade Good to see you, Paul.
PF Good to see you too, Rich. So today we have a hot political show for our listeners. Rich, who’s on the show today?
RZ Well when you say ‘hot’ you make it sound sexy.
PF I mean these are two good looking guys.
RZ They are pretty sharp looking. Uh we have Marco Carbone and Daniel Kahn Gillmor.
PF But wait, what organisation are they from?
RZ Well that’s — I was trying to build some suspense here. They’re from the ACLU.
PF [In deep voice] The American Civil Liberties Union.
RZ Ooh you got deep there for a sec [chuckles].
PF I know. Well it’s a serious organisation, it’s been around for 97 years. Marco, hi!
Marco Carbone Hey, how you doin’?
PF Thank you for being here. Daniel, hi.
Daniel Kahn Gillmor Hello.
PF Where do we even start with what’s going on in the world today? What — first let’s hit pause —
RZ Give ‘em a minute!
PF I know [chuckling in background], you guys have jobs, you do things, you work for the ACLU.
PF Marco, let’s start with you: what is your job?
MC Ok. I am Associate Director for Internet Technology so I manage the technology side of all of our public facing websites, the online fundraising and advocacy platforms, and all the data that comes into that, and how that gets stored in our databases and how we use them.
1:34 PF Oh so you’re a gatekeeper for an enormous amount of money.
MC Uh . . . yes, in a sense. That’s only been true fairly recently. There’s always been an active donor base, what we call our members, people who give to us um through the online website or through, you know, snail mail but yes.
PF Do people still send in cheques?
MC They do. So when we, you know, we recently uh gotten a lot more attention than usual um since the election and after — you know after the executive orders and the court orders and the ACLU being in court, our immigration rights team being in court, we saw a huge surge in online donations and then also on our desks we have pile and pile of snail mail that we have to sort through as well. So these come in at the same time.
PF These are good days at the ACLU.
RZ So did you crash? Did everything stand up . . . as you were getting this massive uptick in usage?
MC I can talk a little bit about that, not everything stood up um but we did pretty well.
MC You say things are good at the ACLU, they are good at the ACLU but also terrifying at the ACLU at the same time. I mean we’re doing our work, we’re all like — our heads are down —
MC Um but it’s also, you know, a very challenging time for us to figure out, you know, how to act in this environment. I mean, we’re out there, we’re like first responders, um but — for the constitution, that’s kind of how we see ourselves but —
PF That’s a great phrase: you’re first responders for the constitution.
MC Yes. I didn’t come up with it but yes.
PF Right so it’s like you’re secret service. You jump in front of the constitution when somebody wants to attack it.
MC Yes. Yes. But yes in terms of donations and members and the public, you know, reaching out and being active and thinking about the ACLU and thinking about how they can be involved in what we’re thinking about, yes. Things have been very interesting and good.
3:20 PF So Marco you’re there making sure the website’s up, making sure the money can come in, making sure it all works. Daniel, what do you do?
DKG I’m a Senior Staff Technologist within the Speech, Privacy, and Technology Project at the ACLU. So that means I’m a policy-oriented technologist, I’m not responsible the way that Marco is for the upkeep of the organisation but I’m, rather, looking at questions about the intersection of civil liberties and civil rights and technology. So I end up with a bunch of different responsibilities in that role but that means that I evaluate internet standards um and advocate for them to be improved with respect to privacy, surveillance, censorship kinds of concerns and I also um interact with lawyers and lobbyists on staff to try to make sure that they’re aware of the technical issues that are going on and that our briefings and filings have basis in technical fact. So I try to bring technical concerns to those lawyers, help them understand the details, more and more of our litigation and lobbying concerns have to do with the way that the tools that we’re using are being used and who has control over them. Um and then also try to bring ACLU’s civil rights and civil liberties concerns out into the broader technical community, making sure that we have better defaults on the software that’s out there, making sure that people are aware what some of the tradeoffs are that are being made as our communications infrastructure continues to evolve.
PF What is an issue that you’re working through now? Like what’s an example?
DKG Um I can give you several different examples —
RZ What’s at the top of the list? Like what’s top of mind right now?
DKG So we talked earlier about sort of the immediate crises that are going on as we see the, you know, civil rights and civil liberties concerns being kind of shredded. Um a lot of the work that I’ve been doing is more long-term facing. So, in some ways, I’m not an immediate responder on those things but I have had, in terms of very high urgency things that have come up, people come up to me and say, “We’re trying to organize to protect people. We’re gathering data in doing that protection. How do we do that in a way that is safe?” And so I’ve been working with a bunch of people to help them start to think through information security questions at a level that they haven’t thought them through before. So some of that kind of response is to like walk people through — I mean I don’t necessarily know what risks they’re trying to avert. So I need to talk to them to find that out and then reflect that back through —
RZ When you say ‘them’ who are you talking about?
DKG Um, I’ve had lawyers come to me both within the ACLU and outside of the ACLU who are working to um try to defend people who are being unjustly detained, wanting to know — you know, they’re gathering data about who’ve been, who are in delicate situations, and they wanna make sure that they’re gathering that data and collaborating with other people. For example, down at JFK as the travel ban hit, there are a bunch of lawyers who went out to volunteer there. Well lawyers create a bunch of documentation about a bunch of people, working with people who they haven’t met before. So I’ve been asked by a lot of folks who are in those positions to try to help them think through some of those risks. That said, that’s not my primary focus. That kind of, Marco mentioned being a first responder, I’m not a first responder so much in that sense but the fact that I understand what some of the technical tradeoffs are puts me in a position to try to help in those cases. In sort of longer term pictures, I’ve been working on things like the Transport Layer Security protocol. Um so TLS, you might know better by its older name SSO, um but that’s the thing that puts the ‘s’ in ‘https’ when you go to a secure website connection that’s just the web over TLS.
6:49 PF And so for the listeners, that’s when you put in a credit card and it’s got a, you know, the URL bar gets a little green thing on it. That means everything’s encrypted going back and forth. Your regular HTTP web connection is not encrypted.
DKG That’s right. So I’ve been involved in standards work around defining the newer version of TLS and trying to deprecate older versions that we know to not be as secure, to not offer the same kinds of guarantees that you would like to have — this protocol offer.
PF Why does the ACLU care about this?
DKG Well uh we care because the communications infrastructure that you use has an effect on the kinds of social interactions that are possible, right? So if the only way that I can communicate to you is a mechanism that’s completely surveillable [mm hmm] and is completely surveilled, then that’s gonna color the way that I interact with you, it’s gonna change the intimacy of our conversation, and it’s gonna even whether I’m willing to reach out to someone potentially.
PF Sure. I mean we’re having a conversation right now that’s public.
DKG This is a surveillable conversation and it’s intended to be so.
PF Yeah. Exactly, exactly. But we’re all behaving in a certain way [right] and might say things a little differently than if we were just talking one on one and nobody was listening in.
DKG Right and our fundamental rights: freedom of association, freedom of expression, freedom of thought. Um, you know, you build your thoughts in the basis of communication with people who — with private communication. And so if our communications can’t actually be private, or if we are concerned even that the communications are not private, there’s a potential for a very serious chilling effect, and a weakening of public discourse.
8:30 PF So the paranoia — even if you aren’t being listened to, the ACLU, and you in particular, are concerned that the paranoia would limit people expressing themselves if they’re — I mean and it’s a justified paranoia in that people have been spied on en masse in America.
DKG And people have been spied on and targeted in ways in America too [right] — let’s not forget — much of my work involves pushing back against mass surveillance but I also wanna make sure that we can push back against targeted surveillance too, given the history of targeted surveillance against dissenters and activists in this country . . . and outside.
RZ People today seem to be completely comfortable with — even though they’re on a secure channel, their audience is in the hundreds and, in fact, in many cases don’t even know how big their audience is. For example on Facebook your audience could be your friends but if others — if your friends like it, it gets out to their friends. In a sense, people are just being a lot more cavalier about sharing what they think, actually they don’t really know what the boundaries are at this point which is I guess a less of a technical challenge and more of an education or social one. Um how do you deal with, I mean what is the stance, what’s the position on something like a Facebook where they’re doing the job, technically, but the reach and the ability for information to sort of spread is sort of up to Facebook, in a way.
DKG Right, so I mean I think I would always hesitate to say that any of these problems are specifically technical versus social or educational. Like many of these things — or legal, for that matter —
DKG — these things are — there’s a mix. Um and all of the factors sort of influence the other ones which makes it sort of complicated to tease them apart. Um with Facebook there’s a bunch of different ways you could approach that question, right? So one thing is that it’s not clear that Facebook has done a good technical job of explaining the scope of your speech on Facebook [right], right? So as a user you could argue that it’s a technical failure that the user doesn’t know who’s gonna be reading that post . . . because it hasn’t been properly communicated to them, the tool hasn’t provided them with the information they would need to make an informed decision. On the other hand, maybe that information is so complicated that no one would be able to understand it anyway.
RZ I think it probably is.
PF No, you know, I don’t think so. I think that everything we do was incredibly complicated ten years ago . . . and we have UX design patterns and understandings that have arisen over the last, you know, decade or so about what an app should look like and what a website should look like. It strikes me that if the same amount of attention and diligence was applied to privacy, like you could have an icon system where it’s like, “Hey, you know you’re talking to this many people,” and there’s a lot of little dots and a circle and over time everyone would go, “Oh I’m engaged in a kind of public speech right now.” Like we don’t — the tools —
11:10 RZ It’s not a priority for Facebook to communicate that. Right? I mean —
DKG No, it’s not. It’s not.
RZ My mom comes up a lot on this podcast, for various reasons, when she first started using Facebook she asked me to bring home some coffee beans, on Facebook. She didn’t know —
RZ — that that message to me, she didn’t know that that essentially got broadcast on her wall to all her friends.
PF And did you bring home the —
RZ I brought the beans home. But —
PF So, honestly, the platform works great for her.
RZ It — another part of it is I think even if you do communicate it, by the way, I think there’s such an addiction to the virality of what you put out that people uh I think — my mom knows, today, that her stuff gets liked a lot and shared a lot and I think for a lot of people this sort of conscious self-policing has kind of been watered down such that we don’t care. People don’t seem to care as much [PF But I’ve never seen — ] — even if you have them that graphic, do you think they’ll care?
PF I’ve never seen any organisation truly try to communicate your level of privacy at a given moment on a platform.
RZ No, that’s true.
PF That is a design task — I mean I would love to take that design task on, right? Like that is a —
RZ It’s a — yeah.
PF It’s a challenge. It’s a real challenge.
DKG And we don’t have a good vocabulary for it right now. So there’s a cultural component to this, right? People need to learn what some of these things mean, so there’s an educational and cultural component [RZ yeah] and then there’s a real engineering task of how do you present that in a way that’s not overwhelming and communicates what needs to be communicated?
12:42 MC And there’s another aspect to this which is it’s not just what happens on the Facebook platform. I mean Facebook is all over the internet, right? Anywhere where there’s a Facebook ‘Like’ button, Facebook knows when you’re looking at that web page [PF mm hmm]. So even if you’re not someone who is registered as a Facebook user, they can surveil your online behavior depending on how many people are using that. So it’s not just about when you’re communicating to people, it’s just looking at the web.
PF Actually this is a great moment cuz we can pin you down. I gave 200 dollars to the ACLU [mm hmm] and, you know, I’m assuming I have to go to a camp five years from now . . . with all the other people who gave 200 dollars to the ACLU but what happened to that — like in your world, Marco, I’m on a list because I did that [yes] and it’s the list of people who are gonna get mailings from the ACLU —
RZ Which is incredibly intrusive.
MC I mean look [RZ laughs] there’s actually historical, you know, and I’m not an expert in our history but, you know, in the 1950s, the McCarthy era, this was something that people [PF sure] wanted to hide from the public. Like, “Are you a member of the ACLU?” Right?
PF I mean card-carrying, right? [Yeah] it actually is a joke in our culture [yes] that it’s just such an archetypal lefty thing and it’s a wink and a nod.
MC So yeah of course we still think about. We still think about protecting our members’ data. We don’t give that list out to anyone. Of course people are also more freely willing to talk about it, people say on Twitter — like a lot of the fundraising that happened during the travel ban executive order weekend were people saying, “Hey, I’m raising —” A lot of VCs actually. “I’m raising 550 thousand dollars —”
RZ Yeah I saw a lot of that.
PF Yeah like Fred Wilson and Chris Sacca and people like that.
MC So all those people that responded to them . . . of course, now we know that their, you know, support is at the ACLU and people are more willing to talk about that on social media. But if you don’t do that. If you just go on our website and you type in your information and it goes into our database and, of course, you can look at our privacy statement, we talk about, you know, how we share your data, how we give to third parties, cuz there are third parties involved. You know we use systems like Salesforce to store that data and we have a vetting process for security, like any large non-profit would do.
14:48 PF It’s fascinating right though because it’s — you’re in the middle of this and you’re using Salesforce which is just this like giant company. As you’re saying that, I’m like, “Yeah, of course, they use Salesforce. Everybody uses Salesforce for managing relationships in the hundreds of thousands.”
MC Sure, yeah.
PF But no one walking down the street is thinking, “ACLU: a happy Salesforce customer,” right? But you and every other NGO and every other org like this has to participate in the big world in order to thrive.
MC Yeah, you know, we were talking about this, Daniel and I, before, like there’s a tension, you know, between the work he does and the work I do sometimes [PF right]. Where are we putting our data? How do we grow as an organisation and support our members in a way that doesn’t completely buy into like the digital surveillance state [PF sure] and we think about that all the time. We make decisions. Um it’s probably not at the level that Danny would want at all times but I think we think about this a lot more than most large non-profits. There are other non-profits out there, like EFF or, you know, that think about this stuff very aggressively. It’s like what they do but the ACLU is a multi-issue organisation. Technology and privacy is not our only issue. We’ve got, you know, I can list LGBT rights, racial justice, you know. So there’s more — not everyone in the organisation is thinking about these things all the time like Daniel and myself are . . . more often. Yeah.
PF I mean that’s the thing the EFF — that’s the Electronic Frontier Foundation, like that is an organisation that is as purely of the internet and as purely of — they are . . . really kind of represent the hardline on things like digital rights management and, you know, access to cryptography and so on. You guys have a broader mandate.
DKG I wanted to point out that the digital privacy and anti-surveillance, anti-censorship work actually — while we’re saying this is one of the issues that the ACLU covers, it’s actually related to many, many issues.
PF Sure. It’s a substrate, right? Like it’s the new digital layer of free speech.
DKG Absolutely! And it’s, you know, if we’re talking about, you know, freedom of religion, if there’s a Muslim registry that’s gonna be built, it’s gonna be built using these tools, it’s gonna be built using the data that’s extracted from the surveillance economy.
PF Here’s the tricky thing, we — Rich and I have talked about this and we just assume that the Muslim registry already exists in a variety of forms, right? It can be plucked from Facebook —
RZ I mean I’m of Lebanese descent and I’ve — I have family members that are not American citizens that travel and during the Obama administration it was not usual to find ourselves waiting an extra 45 minutes for them to come out with their luggage because they a) knew all their travels, this wasn’t just about stamps on a passport. Their systems, I think in the last — it feels like the last five to ten years got upgraded to the point where they knew the trip from Lebanon to Italy, even though it had nothing to do with the United States. They somehow had that record. The other thing that was happening was she — I mean ‘detained’ sounds dramatic but it wasn’t unusual for her to get pulled in for a bunch of questions on her way in . . . and, you know, they were kinda weird, cryptic, unusual questions and then they’d let her out.
18:04 DKG And you say ‘detained’ sounds dramatic and, you know, you also said you had to wait an extra 45 minutes. I can imagine some people listening to this are like, “Ah 45 minutes, you know, whatever. So that’s like extra long lines at the coffee shop.” [RZ yeah] but I have to say as someone who has been held in the secondary screening, even if it’s 45 minutes. 5 minutes into that you don’t know that it’s going to be over in 40 minutes —
RZ Right. True!
DKG It’s a very different experience.
RZ No, right, right. I guess what I’m getting at is . . . is this really new?
DKG Well, no.
RZ Did this really kick in two weeks ago, right?
DKG We — I mean there is, you know, we have a long history in this country both of um impressive civil rights and civil liberties activism and of really discouraging, problematic overreach by government, making people unwelcome. My own great uncle was actually blacklisted and had to flee the country. He was a Hollywood screenwriter and he spent five years, his entire family, his children [RZ wow], um fled to Mexico because they were being targeted by J. Edgar Hoover. So I mean this is not that long ago that that sort of thing was happening. It hasn’t been particularly, you know, abated since then.
MC And it’s not new for ACLU, right? This is why we were ready for this moment, the moment that we’re currently in, is because we were doing this work during the Obama administration, we saw what was coming during the election. So we were, you know, ready on day one to act the way that we’ve been acting.
PF But during the Obama administration everybody was like, “Oh c’mon, guys. It’s fine. Relax.”
MC But we know that’s not true, right? Like this — maybe it’s not at the surface in terms of how President Obama was speaking but, you know, what’s happening at the federal government level in terms of TSA and the deep security state, all those things are still happening it’s just not as — it wasn’t as present in everyone’s minds until this happened.
19:56 PF And so now it’s all . . . it’s coming to a head, right? Like we’re — suddenly we have the president who makes people aware of civil liberties and care about them in a very personal way, and we have narratives about people being detained and people’s, you know, just sort of their basic security being a risk and —
RZ I mean blessing in disguise, no?
DKG Well, sure, I mean when you said these are good times for the ACLU, that early question, right? [RZ laughs] like in some sense, yes, these are good times because the issues that we care about are actually visible to people, but it’s bad times for the ACLU because the issues that we care about are very much at risk, you know?
PF Well it’s also this is not like a little constitutional trickle, this is a constitutional tidal wave of crazy. I mean it’s a lot. So you have to react to that. Now, Marco, how did you experience the sudden uptick? Like you’re sitting there, you’re the guy who’s in charge of the web stuff —
RZ Wait. Can I ask before the uptick? Like, what did you think was coming your way after the election [MC chuckles]? Like there’s no uptick yet, right? But —
MC I’m gonna admit something which is I scheduled a two and a half week vacation after election day.
RZ Smooth. Well done. Did you go?
MC I did.
RZ Where’d you go?
MC I went to Southeast Asia. You know but I was making phone calls from Southeast Asia [PF laughs] [RZ wow] uh I left two days after the election . . . and yeah we immediately saw an uptick in donations, actually on day one —
RZ I would imagine.
MC And then on day two after the election it was our biggest online fundraising day that we’d ever seen . . . and that was the day of my flight. So I left and I, you know, but my team, my whole team worked on it and my supervisor came in and was covering for me. So it was amazing. But the website held up. I mean we were ready for it. You know it’s a website, it’s a content management system, we’d done load testing, all that kinda thing, but we’d only load tested based on the donation counts we had seen in the past [PF ok] and on that day we saw, I think, ten times or, you know, 15 times our biggest day ever which is like typically near the end of the year.
21:54 PF You know it’s good for listeners to know like that order of magnitude increase is when things break. Like usually things will kinda like keep going for two to three times as much as [MC sure] your worst case scenario but when it hops up ten times or 100 times, everything melts.
MC So when it melted is actually when our executive director went onto Rachel Maddow . . . and he, you know, he’s very uh effective in what he does, and he got people really riled up, and it was a very emotional period.
PF What’s his name? I’m sorry.
MC His name is Anthony Romero.
PF Anthony Romero. Ok.
MC Um and so we had some issues that came out of that. Our site went down for about 11 minutes when that happened.
RZ This is when? When did he go on?
MC This was like November . . . third week in November, something like that.
RZ Ok so —
MC I was on vacation during that.
MC Um so we noticed, we looked at like, you know, New Relic and that kinda thing. We said, like, “Ok! Like we have some slow queries that are causing problems.” We brought in some people to kind of, you know, some hired guns and we did some quick work and —
PF So you looked at your analytics?
MC We did. We looked at our analytics and um we did some load testing and suddenly we could handle a lot more.
MC Um and we were sort of ready but we still had some issues that we were working on like other parties are now getting involved in terms of bottlenecks. Um so then the uh inauguration happened. That’s a big day. We handle it fine. And then the executive order comes down. On that Saturday when we were in court in Brooklyn, right? We had this victory. We walked out of the courtroom —
RZ That was —
MC Everyone on social media was talking about us.
23:16 PF It was a great legal moment. It really was, kinda extraordinary.
MC It was beautiful. Um yes it was an historic ACLU moment, an historic national moment, all these people at the airports and our website saw huge amounts of traffic. Except this time we were ready for it. We knew that we had a limit that we could handle and we had a failsafe ready to trigger as soon as it happened. It happened. We turn on this failsafe, everyone was — you know through our CDN, everyone was redirected to a static page with a PayPal link and that was up for about ten minutes. We took a bunch of money through PayPal, things calmed down. We went back to our site. So we were ready for it and we’re still working on being even more ready than that —
RZ So PayPal is watching the eastern district in New York [laughing] very closely here.
PF But they can handle it. PayPal can handle it.
MC That’s why we have them as our failsafe.
RZ No I know but I’m saying — but PayPal also makes it big on all those transactions. Do you guys have a special non-profit relationship with PayPal?
MC They have a non-profit thing. I mean it’s not our preferred way to take these donations —
RZ Yeah yeah, but —
MC — but it’s better than a 500 error.
RZ — not falling on your face, I’m sure.
MC Yeah so.
PF Ok so you have your regular website, it runs along, runs along, runs along and you literally flip the switch here. I mean not a physical switch but you said, “Alright, put the one up that is a simple static page and let PayPal do all the weird computational stuff because we know we can host a million of those an hour and it’s no big deal.”
MC Yeah, as long as we needed it. We’re just looking at the CDN, things calm down a little bit, site went back up. We’re good.
24:38 PF Oh and we should, for listeners too: that’s a, it’s Content Distribution Network, right?
PF So a CDN is a place where you put stuff and it actually distributes it around the internet so that it gets to everybody’s computer really, really fast. Most big sites use CDNs in some way or another, for images or so on. So this is a way to ensure that somebody in Minneapolis is getting the closest, fastest, quickest version of aclu.org that they possibly can.
RZ I’m gonna give a shout out to the CDN!
MC Sure, it’s Fastly. They’re great to work with.
PF Oh yeah they are great! We’ve worked with them too.
RZ Yeah, Fastly’s awesome.
PF We really like Fastly . . . I think that’s our first like corporate shout out.
RZ It might be.
PF I love that it’s for the ACLU.
MC Yeah, right, I’m a non-profit shill!
PF Ah endorsed [RZ laughs] by the ACLU! That is —
MC No, it’s a big moment. I mean it’s cool.
PF But that’s what every startup wants is the ACLU —
MC You know this is easy to find, anyone can go look at, you know, an IP address and find this stuff out so.
PF Right, right. Ok so you got your plan. You knew. You were ready.
MC Yes, we were ready for that. And I mean we stayed up and uh you know this is public, we raised 24 million dollars that weekend . . . online.
PF That’s a helluva lot of money.
RZ And you typically raise, on an annual basis?
MC Um . . . I’m not the numbers guy but it’s a lot lower than that. I think it was, I dunno, ten million for the entire year maybe.
25:55 RZ I heard less than that.
MC Maybe less than that. Maybe it’s like —
RZ I heard three or four.
MC That’s might be — that might be right.
RZ Which is — I mean that tells you . . . that is one heck of a weekend. It was over a weekend, essentially.
MC Over a weekend. Of course we continued to see strong traffic after that.
RZ Yeah, yeah. Sure.
RZ Very cool.
PF Ok so just so now it’s interesting too because suddenly the web is the dominant way to get money into the ACLU. Was it before? Were most donations coming online?
MC No, I mean of course we are — you know we get grants, we have private donors, you know, it’s a mix of sources. Again, I’m not the fundraising numbers guy but yes I know that online has never been the largest piece of the pie but all of a sudden it’s a pretty darn big piece of the pie.
PF You know it’s um it’s also just a good object lesson in that you have your site that gives people a good experience and explains what the ACLU is but there is a part of the web that is just dumb and simple and it has — it’s like three components: it’s like your CDN, your PayPal link, you can make that work [right] and that is a way to scale. People don’t always think about that. They think about like, “How can I have 50 servers that will host this simultaneously?” And this is a much more, in some way just elegant way to do it because you got it down to bare bones. It’s just like, “Oh my god, we can’t deal with this . . . this level of attention. So let’s do something incredibly simple.” Most people don’t think that way. They think, “Let’s complicate the system that we have.”
MC Well and we do have a lot of complications involved — involving like how we reach out to people by email and, you know, how do we handle one time versus monthly, we have a different mobile exper— like we actually don’t expose PayPal as a payment option unless you’re on a mobile device because they take a bigger chunk. So but we know that on a phone it’s a lot easier to push a button and you’re automatically logged in to donate. So we think about all these things . . . I mean these are front end things, a lot of them, but it’s a lot of complex thinking behind our fundraising platform that I work with our fundraising online fundraising team with. But, yes, ultimately, on a weekend like that it’s the bare bones like, “Get to a form, fill out some fields, push a button.” That’s all that needs to work.
28:02 PF It’s a good feeling.
PF Yeah it had to be a good feeling.
MC It was a very good moment. I mean it wasn’t —
PF Were you refreshing that PayPal account?
MC Ah so [laughs] I was actually out of town that weekend —
PF What is the ACLU’s vacation policy?
MC I know, right?!
RZ [Laughs] this is the best.
MC My timing is so — but I was at a place without wifi but I was on my cell phone, thankfully. Again, working with my amazing —
RZ Where were you this time?
MC I was in the Catskills, so a lot closer [RZ laughs]. I know I feel like a playboy on this podcast.
PF This is so great.
MC So I was on phone working with my tremendous team and they were like — they were ready for the failsafe, they were looking at all the stats and I realized when we set up this PayPal account for the failsafe I never — I directed all the transaction emails to my inbox [RZ chuckles].
MC So I’m sitting in this house, my phone suddenly says 6000 emails. I can’t even actually see the emails that are trying to send me.
28:56 PF On your crappy Catskills wifi?
MC No, no, I was on a phone signal.
PF Oh ok. Oh even better.
MC I think it was 4G but anyway so that’s what I was dealing with that weekend.
PF So that part of the plan maybe not that —
RZ No sympathy for Marco.
MC No, I mean but look we were ready for it. I’m not the only person in front of a . . . laptop. So —
RZ “Team effort, guys, while I’m in the Catskills. Team effort.” [MC laughs.]
PF The question I have is um what’s the stack we should be using to communicate? Like how do you guys communicate? What are the tools?
RZ Oh boy.
DKG Um so I mean different people have different choices and different people have sort of different requirements. So I’m gonna give you the classic ‘it depends’ answer [PF mm hmm] but I can tell you about myself personally.
PF Yeah, what do you use?
DKG So as someone who does a lot of work investigating the sort of surveillance and social control aspects of communications platforms . . . I really don’t like them. So I don’t have a mobile phone.
DKG I have a laptop. I’m a Debian developer. It runs Debian.
PF For the listeners, that’s a very old and respected Linux distribution that’s also the root of the Ubuntu Linux.
DKG That’s the root of I think 350 other distributions as well.
RZ Paul just wanted to sound badass for a second.
PF I just wanted to get in there on that [laughter]. Ok so you have your Debian laptop. This is starting — are you, ok, this is starting to get Stallmanesque here.
DKG So um —
RZ So no phone?
PF Uh Marco is nodding and laughing [MC laughing].
MC Well because Stallman is someone who often contacts me about the ACLU but I can talk about that separately [laughter].
DKG So I’ve actually had a conversation with Richard Stallman where he asked me whether I had a mobile phone because he was trying to get into a talk he was going to give and I said, “I’m sorry, I don’t.” And he said, “That’s good. You’ve made the right decision. But right now I need to find someone who has a mobile,” [laughter].
PF The real world is very complicated.
DKG It’s complicated, right? And you know um . . . but um so most of my communica— I’m a contributor also to the GnuPG project and to the Enigmail project and —
PF So these are all encryption tools?
DKG These are encryption tools. So in terms of my personal communication, I rely pretty heavily on internet-based stuff as opposed to mobile phone [PF mm hmm] um things. And then I prefer encrypted communication where possible but I also do a lot of public communication and that communication doesn’t need to be encrypted, obviously, in the same sense that this podcast is an easily surveillable thing, but so yeah so most of my communications platforms are pretty standard, internet-based platforms with the exception that I happily accept and will send to people who want it encrypted communications.
PF And do you uh have an opinion on the new sort of secure apps that are floating out there like Signal?
DKG Yeah um so I actually use Signal Desktop. It’s registered to my own phone number [PF mm hmm] um I am a big fan of the simplicity of those apps [PF sure], in terms of — I mean I see the ways that we have as a community, and by the community I’m talking about the encrypted mail community, failed for the last 20-something years.
32:00 PF It’s true it never caught on. It never did.
DKG It’s simply not — it hasn’t caught on because it’s not actually usable in the way that people use mail.
DKG And one of the nice things about these new apps is that the developers of these apps have an opportunity to just say, “Forget that you’re using mail. Don’t bring any of your mail expectations with you. We’re gonna give you something new and by default it’s gonna be right.”
DKG And so I’m actually — I’m a big fan of what Signal, in particular, has done. Although there are still some questions. I’m concerned, in particular, about the centralization of routing messages.
DKG There’s a Signal server and all messages are routed through that.
PF Now they are encrypted when they’re going through.
DKG They are encrypted, that’s right. So what that means is that the operator of Signal which is Open Whisper Systems . . . which is Moxie Marlinspike’s group, they can see the metadata of all of the messages. So I’m concerned about the content. And, in fact, encrypted mail has never done anything about the metadata either and it hasn’t really taken off. So Signal’s a win in multiple ways. But Signal still leaves us a problem: the fact that the metadata is all centralized [RZ mm hmm]. So that means that the operators of those servers can see who is speaking to who, they can see when they’re speaking, they can see what size of those messages are, because of the way the Signal protocol works, they can also see whether the messages have attachments or not. Um and of course with Signal, all of the identifiers are bound to telephone numbers . . . because that’s the way that Signal bootstraps its authentication and its address book scheme. So as a result they have the potential to be sitting on top of a metadata map of who is communicating with who and how much, and who gets responded to, and actually if you look at sort of social graph analysis, that’s actually a particularly powerful way to evaluate what’s going on. There’s a great post, uh and I’m forgetting the guy’s name but it’s called something like “Metadata Analysis of the American Revolution.” So —
PF Oh it’s about Paul Revere.
PF I’ve read this, yes.
DKG Yes, finding Paul Revere —
PF We’ll dig it up and put it in the links below the post.
34:02 DKG Yeah so that’s a great example of like, “Ok, I don’t even need to know who — I don’t need to know what people are writing. I just need to know who is connected to the different groups.”
RZ Right which tells a lot.
DKG Which tells a —
RZ There’s a ton of circumstantial evidence there.
DKG It tells a lot and actually with the timing information, that also tells a lot.
DKG I mean Uber did a thing where they published, I don’t know if you remember this, I think it was last year or the year before, they published data sets that they called “Ubers Rides of Glory” to demonstrate that — and I forget whether LA was getting laid more than New York or New York was getting laid more than LA —
RZ That’s amazing.
PF Ah yes.
DKG But it was basically like how many people are calling Ubers at three in the morning in these different cities.
RZ Oh goodness gracious.
PF So that’s a terrible idea. That was an awful idea . . . by Uber.
DKG Uber? An awful idea?
PF Yeah I know.
RZ General generic information [PF grunts] [chuckles].
34:52 PF Um this is something as I’ve talked to other computer scientists and security folks like you ask, you know, “How can I be truly secure?” And everyone just sort of blinks and is like, “Well, you can’t really. I mean it’s —”
DKG I mean I think the right response to that is that security is a process and not an end goal [PF mm hmm], right? And even with more nuance: the security question, you have to ask yourself what are you trying to secure? Similarly with privacy, right? To be completely private means you have to not talk to anyone. Privacy is a relational construct. So I mean I wanna be private but I still wanna communicate with people. Those people could break my — like they could violate my privacy by sharing things that I’ve shared with them, right?
PF Well it strikes me that it’s just incredibly hard to keep secret that one party is talking to another party.
DKG Well, there’s actually a bunch of interesting research going on in — there’s several trade-offs that are involved in making something like that possible. But there’s a bunch of active research. So um I’m involved with the Tor project [PF sure]. Tor is the onion router, it’s an anonymity network that allows you to hide your location on the network and that’s coupled with a browser that’s basically a Firefox derivative . . . that has additional privacy preserving features turned on. There’s a lot of things about the way that the web itself — the standards of the web are architected that can leak information and Tor Browser is probably the browser that’s the best out there at minimizing those leaks. So the Tor project um that produced the browser, you can just go and install from torproject.org. It’s called the Tor Browser Bundle. And if you run it it’ll be a web browser, it’ll look like Firefox, basically. And it allows you to communicate on the network without whoever you’re communicating with knowing where you are on the network. It doesn’t provide complete anonymity, and again, this is like: what are we trying to secure? [PF mm hmm] Right? If you login to Facebook through Tor . . . which you can, which Facebook encourages. Facebook actually has a hidden service, what they call an onion address where you can go to Facebook directly through Tor. So you never leave — your communications never even leave Tor and go back onto the normal internet, they just go straight to Facebook. If you login to Facebook, of course, you’re not anonymous to Facebook [chuckles], right? But they don’t know where you are and your traffic isn’t visible at any of their public network endpoints. The reason that they put that there is because there’s a lot of things that anonymity like that can provide on the network. 
DKG It doesn’t just provide you with the ability to hide from people who might be surveilling you, it also provides you with a way to circumvent attempts at censorship, another core ACLU value. So we think that it’s an important thing to have these kinds of tools available, so that people can route around people who would like to constrain your ability to speak.
PF Got it. Security is hard [sighs].
DKG It is but that doesn’t mean we should give up on it.
37:32 PF No, we should not give up on it.
DKG There are steps we can take to make things better and the reason I think that we failed at email encryption for the last 30 years is a posture that I call Security Nihilism. And there’s a lot of great papers in academic literature that say, “Such and such isn’t secure because of this corner case.” And they’re right. It’s not secure . . . cuz there’s a corner case. And you can attack it and exploit that corner case. However, it might be expensive to attack that corner case. Right? And so the Security Nihilism posture is like, “Oh well, we can’t adopt that because it’s been known broken.” But hey, it’s way better than cleartext. Can we just like move — you know, raise the floor, at the very least?
PF Sure. So it should cost a couple of hundred thousand dollars to crack it instead of zero dollars.
DKG That would be — right. Instead of just sending them the message without them having to do any work anywhere.
PF Right so it means that the person who wants to look at your data has to do some work.
DKG I can give some examples of specific technical projects that are taking that approach. We call that Opportunistic Security, which is just like raise the floor . . . without trying to replace the stuff that’s supposed to be fully secure.
PF Mm hmm.
RZ Where do you guys stand on warrants being issued that allows for, “Ok, I need to see what’s on your phone. I have a search warrant”?
PF I’m sure the ACLU is totally for this. I’m sure this is like their favorite thing ever.
RZ Cuz I’m nodding at everything you saying and in support of everything you’re saying but there’s a point where there’s a logical breakdown around search warrants — like you can’t, as a police organisation, go take a battering around anyone’s house. But if you show enough evidence to a judge, they’re given a search warrant [DKG yup] and can do that. Here it’s nearly impossible, right? Even if they got the warrant, the state of the data doesn’t allow for it to be unraveled.
DKG Um, well that depends on what data we’re specifically talking about, again —
39:23 RZ Well let’s not get into the data part but where do you stand?
DKG So I’m not a lawyer . . . so I’m not prepared to give you a deeply legal answer but I will say a few things about warrants. First off: there’s been a bunch of attempts to search these devices without any warrants whatsoever, and those are clearly, clearly unconstitutional searches.
RZ Right, agreed.
DKG So there’s also been a number of cases where search warrants or subpoenas have been issued by judges who haven’t been fully informed of what they’re actually granting access to. So there are a number of constraints you would like to have for a warrant. A general warrant is a warrant that allows you to search basically anything. It’s not a specific and focused warrant. And we have a long history in this country of saying that general warrants are a bad idea and are not allowed, right? You can’t just — the king can’t come in and say, “Here’s a piece of paper that allows you to ransack any house you want because you’re looking for a certain thing.”
DKG If I get a warrant to go search your house for a particular type of contraband, I shouldn’t be allowed to search your house for other kinds of contraband, for example.
RZ Mm hmm.
DKG The trouble with the phone is that people are being granted warrants to search the device when the device actually has far more information in it than if you go back even 40 years what would you have in your filing cabinet would be a fraction, a tiny fraction, of the data that’s available on your phone data.
DKG And a warrant to search the filing cabinet would’ve specified the document you were looking for in the filing cabinet. Not like, “Sure, go on a fishing expedition through the filing cabinet.” So there’s a lot of warrants that I think have been issued without the sense of scope that we would expect from a warrant because the technology isn’t actually well understood by the legal system yet. So part of my work has been to try to help lawyers and judges understand those trade-offs.
RZ Ok so you do feel like there are, with proper scope, warrants should be — warrants can be applied such that you could get at the information inside of a phone.
DKG At some of the information? I believe there are legal processes —
41:20 RZ I mean it’s a search — a search warrant is for searching. Right? “I’m gonna see some other stuff. I’m gonna see your kids’ pictures. Um you happen to be the shooter and your phone was left in the car and I wanna see if there are any accomplices but I’m gonna see some of your kids’ pictures.” I mean that’s just human sensory — [laughs] intake, right?
DKG Well so this is a really good point, right? We’re talking about human sensory intake and in fact the way that a lot of these digital searches are done is not at all with human senses, right? [RZ right] these are done with massive machine ingestion and potentially indefinite retention with no clear —
RZ Sure. Sure, sure, sure.
DKG Like so, ok I get to search your device. What am I allowed to take off of it? What am I not? How much of that am I allowed to keep? And we don’t have I think a good set of rules and guidelines around that.
RZ Really quick I wanna get, Marco, your thoughts on this?
MC Uh [laughs] I’m like, similar to Daniel, I’m not a lawyer.
RZ This is fun! Cornering the ACLU guys is fun.
PF It is fun [RZ laughs].
MC No, now I feel like I should have — I know the guy to call.
RZ They’re well armed though [laughs].
MC Look, the ACLU is not against the concept of warrants period. I mean —
MC You know the fourth amendment exists [RZ yeah], that’s what we’re trying to protect. And all the things that Daniel was talking about [RZ yeah] applies to that: what is reasonable search and seizure [RZ right, right] and that’s what we talk about.
RZ That’s the fine line, right? I mean that’s the —
MC That’s my non-lawyer answer to that.
RZ Question: but correct me if I’m wrong, just so I understand Signal, you — even if — the way it works, you couldn’t get anything anyway. Isn’t that true?
42:44 DKG Well who is you and what are you getting it from? Right? If I have my phone, are you telling me I can’t read the old messages that I got — I mean I don’t have a phone but if I have —
RZ Again, I’m speaking from a purely technical perspective: they can’t decrypt it anymore. Isn’t it gone?
DKG So, let’s say that I send you a message via Signal.
DKG That message if I go into my Signal application and I go look at the history, I can see the cleartext of that message.
RZ Oh if I get at the phone you mean?
PF Well, you can set an expiration, however.
DKG You can set an expiration, whether that works properly depends on what versions of Signal the different parties are running and there’s —
PF Right, right, right.
RZ Oh I’m thinking about like subpoenaing Signal, “I need Daniel’s chat.” They can’t even get it, right?
DKG That’s right. They can’t get the contents of that chat. And, to Signal’s credit, again, Open Whisper Systems does a very good job of not even keeping any metadata. There was a case recently where Open Whisper Systems worked with ACLU —
RZ So there’s nothing to subpoena?
DKG That’s the whole goal, right? Is to have nothing to subpoena, right?
RZ Got it. Got it. Got it. Interesting. Well we fell into the deep side of the pool here, Paul Ford [laughter].
PF We did. We did. You know —
RZ Fascinating! Really, really interesting, actually . . . cuz it intersects — I’m a former attorney and technologist and this intersects so interestingly for me. Uh so this is all about me [laughing] being entertained, Paul [laughs].
44:00 PF Here’s what I’m curious about cuz this is a show about how people do their jobs. You have very different jobs.
MC Very different.
PF So, let’s start with Marco. Marco, what do you do all day? You’re on vacation a lot.
RZ [Laughing] let’s back off of that! This poor guy.
MC I have not been on vacation since that moment.
PF Those two moments when you were on vacation.
MC That was a weekend.
PF Oh really? No, yeah, ok, ok.
MC Yeah so you know we have a team of inhouse developers that manage our, you know, www.aclu.org content management system, our online fundraising platform and advocacy platform that’s like action.aclu.org.
PF What platforms do you use, by the way?
MC I’m an old Drupal guy.
PF Sure. That’s really normal for NGOs.
MC It is! Yeah. And actually one of the — one place where Drupal really comes uh one of its strengths come to fore is um our affiliates. So we have 54 affiliates through all the states. Three in California, Puerto Rico, DC. They’re all their own organisation, their own legal entity, they all have their own websites, but national sort of manages some technological services for them like email sending and the online platform. So we manage a website, a Drupal distribution, it’s called, that can be used by as many affiliates as they want. So we have over 30 affiliates that are gonna be on there by this year [RZ cool] and we can kind of manage that. So that’s, you know, that’s the thing that we’re doing inhouse with the developers, we’ve got this Salesforce thing I mentioned earlier where that’s actually happening right now that we’re moving to that. So that’s a big project. So I’m kind of working on that. You know, projects, keeping the websites running, that kind of thing.
PF So you sort of you have two customers, really, aside from you and your bosses, you have the affiliates [MC mm hmm] who may or not — you wanna make attractive software for them to use that makes it easy for them to be an online affiliate of the ACLU [MC mm hmm]. And you have the users and the donors who you want to reach out to in meaningful ways in order to get them to engage with the ACLU and, ultimately, maybe give you some money too.
45:58 MC I mean those are the two big audiences and then we have people that just come to our website to read a blog post, right? They’re not necessarily supporters.
PF A kid doing a book report.
MC Um we have — and then we have to think about actually our impacted, our potential clients and our clients. Like we have Know Your Rights resources like, you know, what to do when you’re stopped by the police, what are your rights at a protest, what are your rights as a photographer. So we provide those materials that’s as kind of a service to the public.
PF So you’re juggling those users whenever you’re making a change?
MC Yeah and then there’s the internal like communications teams, fundraising teams, yeah, the legal team, yeah.
PF So this is actually an interesting moment too cuz right when the pressure was on the site and you went down to the simplest possible version, it sound — you know, somebody thinking could be like, “Well, you know that’s — why don’t they just stick with that? Like why don’t they just use that?” But there’s all these other people who need the site at any given time.
MC And, by the way, I should say it wasn’t the www site that went down. It was the fundraising site.
RZ The landing page, yeah.
MC Everything was still kind of there, all the information.
RZ That makes sense.
MC Because other things besides donation forms, we have petitions, we have legal intake, all that stuff was kinda down for those ten minutes.
MC So yeah we can’t be in that situation.
PF Sure cuz that is one of the ways that we provide service.
MC Mm hmm.
47:11 PF Ok. Daniel, what about you? What’s your day?
DKG Um so I have a bunch of different things that happen during the day and I can just give you some examples of the sorts of things that I might do. Um so in some situations I end up consulting with a lawyer who has a specific technical question that they’re working on. So a question about one example of a case that we’ve brought recently is Wikimedia versus NSA. So that’s a lawsuit where Wikimedia has been surveilled by the NSA. It’s out of scope what the NSA is supposed to legally be able to do and some of the lawyers in that lawsuit are ACLU lawyers pushing to try to get the NSA to stop doing upstream surveillance. Upstream surveillance is where they basically monitor internet backbone links.
PF Why would the NSA be interested in —
RZ NSA will suck anything into its pipe [chuckles] —
DKG Their motto seems to be “Collect it all.”
RZ Yeah [chuckles].
DKG And so if they can get their hands on a pipe —
PF Pokemon, sure.
DKG Yeah exactly [soft chuckling]. I mean they actually literally do have the slides that say “Collect it all.” Right?
DKG It’s not just Pokemon. This is actual organisational policy.
RZ Forward those slides, we’d like to include them as a link at the bottom of this podcast [laughs].
DKG If you search “NSA collect it all” you’ll find the slides. They’re on the public web.
PF We’ll put a link at the bottom.
RZ Wow [laughs].
DKG It’s even worse than collect it all. I forget what the other verbs are but it’s basically like, “analyze it all” you know “track it all” it’s —
48:32 RZ We’ve got the title for the podcast, Paul.
PF Collect it all.
MC Collect it all [RZ laughs].
DKG Um uh so I’ll talk, you know, I’ll spend some time working with the lawyers who are working on that case to help them understand what is upstream surveillance, how would that be implemented, and, in some ways, you know, it’s a challenge because we’re working within what can we present to the courts that the courts will accept. You can’t go to the NSA and say, “Excuse me, are you using deep packet inspection devices and, if so, what model?” They’ll say, “National security, we won’t tell you.”
DKG But so helping the lawyers understand what the range of ways you could do upstream surveillance are and make sure that they can have a clear argument that they could then explain to a judge.
MC I want to say that he also goes to standards conference . . . which is like —
PF Honestly, when you’re talking to me and Rich, that’s normal behaviour.
PF Rich once wrote a standard to extend our SS.
PF I went to an XML conference that I snuck into cuz I was so into XML [RZ laughs].
MC I’m the odd man out here.
DKG So yeah so another example is I’m going to be going to the Network and Distributed Systems Symposium — Network and Distributed Systems Security Symposium. NDSS. It’s an Internet Society conference that is on the west coast. Um there’s a session specifically about DNS privacy. So this is an example of an internet standard that I’m working on is the domain name system which underpins most of your ability to use the network.
49:55 PF Sure, I just call it the internet’s phone book or like it’s a way to find another computer.
DKG Right! Um it actually turns out there’s a bunch of other things you can do with a DNS besides just name to address lookups but that is, by far, the dominant thing that people use it for. That is an old, totally non-secured protocol. And then there’s a couple of security elements that have been added to it over the years that are not particularly widely adopted called DNSSEC, in particular. And those security elements provide you with authentication but they don’t provide you with confidentiality at all . . . so when we were talking about metadata earlier. If you imagine that every time you looked something up in the phonebook you revealed — even if you didn’t make a phone call —
RZ You looked it up.
DKG If you just looked it up, then anybody who happened to be nearby could tell what you were looking up. That’s a little bit disturbing [RZ yup]. And so there’s a group of folks who are working on DNS privacy extensions and some standards and this is, again, it’s an opportune— like we have an opportunistic model, we have a more secure model that would prefer to fail than have the opportunistic — so we’re looking at how do we do this in a way that’s deployable and what are sort of the tradeoffs? And so I’ll be presenting at a DNS privacy workshop with NDSS.
RZ Very cool. Well, this was a different podcast and a very enjoyable one.
PF Agreed, agreed. Let’s um let’s thank our guests, first of all.
RZ Well let’s do that. Yeah. Thank you.
PF Marco, Daniel. You know if anybody wanted to get in touch with either one of you, how would they reach out?
RZ Well, you can’t get in touch with Daniel. Forget that.
DKG Sure, sure you can!
RZ Home address, Daniel, go ahead [laughs].
DKG My handle is just my initials. I’m dkg pretty much everywhere. So I’m [email protected]
RZ Oh! Cool.
DKG You can send me mail. I have an open pgp key if you wanna send me encrypted mail but yeah —
51:40 RZ [email protected]?
RZ Cool. Marco?
MC And I’m [email protected] and I also have a Twitter presence that’s very light.
RZ You guys seem open to sharing them, we’ll put them into the —
MC Mm hmm.
DKG Sure, that’s fine.
RZ — the show notes. Cool.
PF Great. And your social security numbers? [RZ laughs.]
DKG 1234567 [laughter].
PF Alright well look, I guess we should tell the people out there in the world of podcasts that this is Track Changes, the official podcast of Postlight, a digital products studio. We build your apps, we build your APIs, and your platforms. Um we do it for everybody. We do it for banks, and media companies, and NGOs, and we like doin’ it. [Music fades in] my name is Paul Ford, I’m a co-founder.
RZ And I’m Rich Ziade, the other co-founder of Postlight.
PF And if there’s anything you want, you just send an email to [email protected], [email protected], and we will reply. We like getting questions, we like giving advice, and talking about the work we do. Feel free to get in touch. And we hope that you will go to iTunes and give us a good rating but mostly we’re just excited that you listened, and we’ll gladly receive any feedback, good or bad. Thank you so much.
RZ Thank you!
PF Let’s go to work! [Music ramps up to end.]