Clarifying the record from EFF

[trevor <trevor () eff org>]

Hey folks,

Below is EFF's response to the Daily Dave thread entitled "Neal 
Stephenson, the EFF, and Exploit Sales."

In March, in the midst of a heated public about cybersecurity, EFF 
published an article entitled "Zero-Day Exploit Sales Should be a Key 
Point in the Cybersecurity Debate." Unfortunately, it has been 
mischaracterized and distorted on this list and other public forums, so 
we want to take the opportunity to clarify what we said, and 
importantly, what we didn't say.

The confusion seems to stem from this paragraph:/
/

   /If the U.S. government is serious about securing the Internet, any
   bill, directive, or policy related to cybersecurity should work
   toward ensuring that vulnerabilities are fixed, and explicitly
   disallow any clandestine operations within the government that do
   not further this goal. Unfortunately, if these exploits are being
   bought by governments for offensive purposes, then there is pressure
   to selectively harden sensitive targets while keeping the attack
   secret from everyone else, leaving technology---and its
   users---vulnerable to attack./


Based on this, we've been accused of calling for regulation of coders' 
free speech rights.  But that is not what this paragraph (or the rest of 
the blog post) says.  This paragraph is about what /the ////U.S. 
government/ should do, and not about coders at all.

Indeed, EFF established that code is speech in the 1990s in a case 
called Bernstein v. Department of Justice, winning the right to export 
cryptography (https://www.eff.org/press/archives/2008/04/21-29).We 
continue to defend these rights to this day. Any legislation or other 
government action that would restrict coders from writing code (and 
offering it to the government) should be presumptively unconstitutional, 
and rightly so.

The blog post was written while the House of Representatives was 
debating CISPA, a dangerous bill that would carve a huge hole in 
existing privacy law while not actually making the Internet any safer:

https://www.eff.org/deeplinks/2012/04/cybersecurity-bill-faq-disturbing-privacy-dangers-cispa-and-how-you-stop-it

The basic point we were trying to make is that Congress should look at 
the government's own actions and consider what it could do to improve 
security before passing sweeping new legislation to scale back everyone 
else's rights. That includes the government's own decisions to keep 
information from companies and the public that could help secure 
networks, systems, and critical data -- as part of a hidden offensive 
strategy or otherwise.

The main cybersecurity bills are no longer moving forward, but the 
debate about policies to address information security will doubtless 
continue.  In these discussions, EFF will continue to fight for the 
users, for the researchers, for robust privacy and security technology, 
and against governmental restrictions on the freedom to code.  While you 
may not agree with everything we do, we thank you for the opportunity to 
participate in the discussions on this forum.

--
Trevor Timm
Activist
Electronic Frontier Foundation
trevor () eff org
415.436.9333 ext. 104
www.eff.org
454 Shotwell Street
San Francisco, CA 94110

Defending your civil liberties in the digital world.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave