Cindy Cohn on privacy battles old and new

Cindy Cohn is the executive director of the Electronic Frontier Foundation (EFF) and she gave the Saturday morning keynote at SCALE 23x in Pasadena about some of the work she and others have done to help protect online rights, especially digital privacy. The talk recounted some of the history of the court cases that the organization has brought over the years to try to dial back privacy invasions. One underlying theme was the role that attendees can play in protecting our rights, hearkening back to earlier efforts by the technical community.

Cohn has been the executive director for the past decade and worked for EFF for 26 years, plus a few years before that informally. She is soon to be the former executive director as she is stepping down, "because it's time to pass the torch", sometime over the northern-hemisphere summer. She was wearing a T-shirt that colleagues had made for her which said "Let's sue the government"; she said "I'm not done suing the government" even though she is leaving the leadership role. On her way out she has written a book, Privacy's Defender, which came out on March 10, two days after her talk. The keynote was her "first official stab at a 'book talk'".

She wrote the book in part to help capture the history of the early internet that wasn't just about "dudes and the companies they built", which was part of the story, of course, "but they were incredibly rich times" with "a lot of people who weren't named 'Jobs' or 'Gates'". She also wants to reclaim the word "hackers" from the "people who want to make it about something illegal", which was met with loud applause.

In my world and where I came up, being a "hacker" meant someone who hacked away at a problem until they solved it, like the way you take a small ax to a large tree. [...] So I am very intentionally calling this community "the hacking community" and if you don't like it, you can take it up with me afterwards, but my fight is not with you, it is with the people who tried to take something beautiful and make it something nasty.

She put her cards on the table early on: "I'm trying to recruit you". She works for an advocacy group and believes that "we need all the hackers in the world to help us make the world a better place".

Privacy

The book is primarily about privacy, she said; it is part memoir and part legal history, according to the publisher's description. But privacy is not what some people think it is: some kind of "cloak of invisibility" that can be used when someone is about to do something they don't want anyone to know about. It can work that way, but that is not why privacy is important.

"Privacy is important because it is a check on power", she said, "it is a way that people with less power can have some protection against people who have more power". It is a check that works on multiple levels. It starts with the personal—EFF works with domestic violence victims who are trying to get out from under surveillance by their former partners, for example—"it is a check on power, literally in people's homes". It also checks corporate power, where the surveillance by companies is impacting people's lives, including the prices they pay and whether they can qualify for a mortgage.

Privacy is one of the ways we can regain our power against the companies, large and small, who want to control us and manipulate us and, you know, empty our bank accounts as much as they can.

Beyond that, privacy is a check on governments, which is what she has mostly worked on throughout her career. Privacy enables dissent and allows planning; all of the efforts in the US to bring more rights to more people had both public and private parts. For example, during her lifetime, gay people were able to go from being violently attacked just for talking about the idea that they should have equal rights to same-sex couples being able to legally marry; "the public parts of that work could not have happened unless there were private parts of that work".

We are seeing privacy being used right now to organize against some of the injustices occurring in the US; that needs to happen in private "if it's going to get a leg up and a chance to catch fire" so that it can be effective. Privacy "ultimately enables democracy", which is easily seen in the secret ballots in the US that shield voters against pressure from the powerful to vote in certain ways.

Freeing cryptography

"Now I want to tell you a little story about something that happened in the 1990s." It was about the Bernstein v. United States lawsuit; in that case, she helped lead the fight to "free cryptography from governmental control". It was filed in 1994, which means that the fight to free cryptography pre-dates the world wide web, she said.

Her involvement came about in an interesting way, when a hacker she knew socially (John Gilmore, she noted later) asked if she would be willing to help a math PhD student who wanted to publish some code but was told he would go to jail as an arms dealer if he did. She asked if the code "blows things up" and was told that it simply "keeps things secret", which sounded like a First Amendment violation to her; he agreed and she took the case.

But that was not the only involvement of the hacker community in the case. In a reading from her book, she set the stage for the first day in court at the San Francisco Federal Courthouse, which she called; "Cypherpunk dress-up day". When she arrived at the courthouse, she was greeted by around 30 people from the hacker community, mostly 30-something, long-haired, scruffy looking, and in suits and ties. "They all seemed to be in outfits their mothers picked out for them." It is possible that she was projecting, however, as she was 32, conscious of her appearance, and was dressed in a suit her mother had picked out.

It was something of a motley crew, but they were there to show support for her arguments when the case reached court in September 1996. Both she and the assembled hackers knew that "what happened in that courtroom would be crucial to the future of the internet". The hackers were there in part to show the judge, Marilyn Patel, that they were serious about making a change; they had followed the EFF's request to dress in their finest to make it clear that the case was important.

And it was clearly important, Cohn said, reflecting on what the internet would look like without encryption. While she does not think today's internet is "as secure or private as it needs to be", she listed lots of different ways that the internet would be worse off with no (or weak) encryption, "the way the government wanted it". For example: No secure messaging for organizing and other purposes, stolen or seized phones would compromise the identity and communications of its owner, no way to know for sure that communication is with the expected party, no e-commerce, and so on. Ultimately, the internet could have remained a tool of academics, governments, and a few hackers, like it was in those days, but it would not have gained the worldwide reach (with consequences both good and ill) it has today.

In the 1990s, the US government treated "software with the capability of maintaining secrecy" the same way it treated surface-to-air missiles and tanks: a license was needed to be able to "export" any of them to foreign countries. Making something available on the internet was considered an export, which was not just of theoretical concern. Phil Zimmermann faced a criminal investigation due to the release of his Pretty Good Privacy (PGP) tool. Dozens of others, mostly academics, had been threatened as well.

Because the issue involved publishing, which is a free-speech right protected by the First Amendment, the lawyers decided to build the case around the legal doctrine of prior restraint. That doctrine says that requiring government permission before speaking or publishing must meet a particularly high standard or else it violates the right of free speech. In the early 1990s, it had not yet been established whether the internet would be a place of "full First-Amendment protection" and they knew that freeing up encryption and the science of cryptography, along with the ability to share code, "was going to be key to making the internet itself a place of freedom of speech".

Beyond the cypherpunks who showed up on the first day, the case was bolstered by the support of a wide variety of people and organizations: cryptographers, computer-science professors, open-source toolmakers, privacy groups, and more all wrote declarations in support. Even outside of the courtroom, she and the other lawyers were supported by hackers of various stripes who took the time to patiently explain cryptography to her in a way that she could understand what it was and did. That allowed her to translate cryptography and the internet to the judges who heard the case at various levels.

That patient explanation was empowering for her and she thinks it is a lesson that we should be applying today. "People are hungry for privacy and security and the people in this room have the knowledge to help them." In recent times she has seen much more engagement from hackers toward educating people and inviting them into the hacking community. "I think you are standing in the shoes and following in the legacy of those early hackers and I really want to commend you for it."

There were also efforts to publicize the case through T-shirts with the RSA code printed on them, for example. Companies in the computer industry gave their support, even though they are generally loath to go up against the US national-security apparatus and the US Congress started looking into the matter, as well. Eventually, the courts ruled that "code is speech", first in the district court and again in the court of appeals for the ninth circuit. "We won", she said to applause.

That particular story ends in Washington, DC in mid-2000, when she and others on the case were invited by her counterpart on the government side, Tony Coppolino, to talk about encryption regulations. She read another excerpt from the book describing a majestic conference room in some storied building in the US capital, which was a bit intimidating. But she and the others had "come to negotiate the terms of the government's surrender". Coppolino had sent her a draft of the new export regulations that dropped the requirements for pre-publication review for open-source encryption code in favor of anyone exporting (publishing) said code just needing to send a copy or a link to the government when they do so. "It was 95% of what we wanted."

Unusual

While it was a "tremendous victory", it has needed defending over the years, like many other victories. There were efforts by the government to undermine encryption, many of which we learned about through Edward Snowden, for example. The Bernstein case was "a fun story", but it is not the way that these kinds of changes typically happen when you are up against the government, she said.

The other two stories she tells in her book represent the more usual path. One is about spying by the US National Security Agency (NSA) and the other about national-security letters; both of those are "post-9/11 spying that the government did, some of it publicly known and some of it not until much later". Those cases have a rather different trajectory, she said. A dramatic courtroom victory as in the first story is definitely outside of the norm.

The NSA spying case came about because whistleblower Mark Klein "literally knocked on the front door at the Electronic Frontier Foundation in early 2006". He brought details of how the NSA was tapping the internet backbone in various locations, including a secret room in the AT&T building in downtown San Francisco (the city where the EFF is located). It is the most "cloak and dagger" of the stories in the book, she said, due to the courage of Klein and, later, Snowden in 2013.

After a few early victories, "Congress rushed in to protect ... the phone companies" by killing the lawsuit that had been filed. The EFF was able to get a few reforms passed by Congress after the Snowden revelations, "but not nearly enough". Eventually, the US Supreme Court sided with the government when it ruled that which telephone companies participated in the mass spying was so secret that the case could not go forward—though the world already knew about NSA spying and the EFF had evidence of exactly how it worked in 2003.

The third story from her book is about cases that had a similar trajectory: an early win in the courts, and some reform in Congress, "but still not enough". She calls them "the alphabet cases because we couldn't even name our clients for six years", so they were called "case Q, case Z, and case X". The cases were an attempt to scale back a kind of subpoena that the US government was using on telecommunications providers, which are called national-security letters. Those letters were "demanding information about their customers and gagging the companies from ever telling anyone that anything had happened".

The EFF was able to get the gags lifted and to add some more procedural safeguards to the process. One of those allowed the companies to produce transparency reports where they could characterize the number and scope of such requests. Those numbers are eye-opening: "there were hundreds of thousands of these issued that implicated millions of people in the times that we were able to track".

Hackers

So the Bernstein case was "amazing", but it was an outlier; most cases are more like the other two, where any progress made is via "a thousand tiny cuts" rather than a sweeping courtroom victory. All along, though, the EFF had the support of the hacking community in various forms. Both Klein and Snowden are technical people, and hackers in her mind, though Klein would probably avoid that label were he alive today, she said. The community has also helped keep the media informed and to raise public awareness of surveillance and spying so that voters can apply pressure.

Because it's opaque, it's hard for people to see it, it's hard for people to understand it. And the hacking community has played a huge role in continuing to keep attention on these issues and continuing to talk about how important they are. And that pressure did lead to congressional reforms, increased pressure from courts, and some administrative shifts that we should all be proud of even as there's more work to do.

She had a slide with a picture (seen below) of a blimp that the EFF and others had flown over an NSA data center in Utah in 2014. The data center was being built to hold all of the records that were being gathered from the NSA spying efforts. The blimp had an arrow pointing down with the message "Illegal Spying Below", which she recounted to laughter. "Our friends at Greenpeace lent us their blimp; we're not above a little stunt every now and then to draw attention to things."

She had a message for the Linux builders and users in the audience about the role they can play. As builders of the tools people use, the open-source community can help ensure that encryption is built into everything—and that it is easy to use. "My plea to the open-source community for at least 30 years now is: 'please, user interfaces'." While that may not be the fun part, "I'm here to tell you that you need to do the not-fun part too".

She suggested defaulting to privacy-preserving architectures, along with minimizing data collection and retention. Meanwhile, conducting security research and publishing the findings is important so that users have the most secure products they can. In addition, she hoped builders would push back against surveillance features being built into products they were working on for their employers.

Things feel really dark right now, she said, listing a bunch of developments that are taking us further down the "surveillance state" path. She sometimes feels like Cassandra, having warned about a future that those in power apparently could not see, but that we are now living through. For example, databases created for commercial purposes are increasingly being used by the government, which is the largest purchaser of information from data brokers, as a weapon against its targets. "Those targets are increasingly more political than legal." And on and on.

The courts have created a "national security shaped hole in the Constitution"; it has been built over many years, by administrations of both political parties in the US. That is why the magic "national security" phrase is used so frequently these days, since it is "the easy road" for the government at this point. She noted that Benjamin Franklin had said that the US Constitution created "a republic, if you can keep it". She believes we are in the "if you can keep it" part at this point; everyone needs to participate in the fight for that, and not just sit back and wait for others to do it, Cohn said.

Closing and Q&A

"We have some things to learn about the cypherpunk legacy." Beyond showing up in ill-fitting suits in 1996, they built PGP, published cryptography research, and pushed for privacy. The cypherpunks recognized that privacy needs more than just technology, it requires society and its laws to support the technology. "Just adding encryption does not equal privacy or security, there's much much more to it."

The work of the cypherpunks (and others) enabled the internet that we have today, Cohn said, "and you are the next generation". She had some ideas for how attendees could join the fight, starting with: "Show up" to represent privacy-preserving views at various levels of government, from courtrooms to homeowner associations. "Privacy is a team sport", so use the tools yourself and help others to use them too. Also, educate people, young and old, contribute to privacy-oriented open-source projects, advocate for encryption and other privacy protections at your workplace and beyond, and build the tools that the next generation will need to further the effort. As the EFF executive director, "I am almost contractually required to say 'please join the EFF'", as well, of course.

She closed by noting that it surprised a lot of people that the "crazy, wild-eyed misfits" who were outnumbered and outgunned when they took on the government in 1996 were able to prevail. That was one successful path, but Cohn does not believe it is the only one available. "I think we need to figure out new strategies and new ideas [...] and not get stuck just trying to replicate the ones from before."

SCALE organizer Ilan Rabinovitch asked the first question (after announcing that he would donate matching funds for EFF memberships made that day—an offer that many seemingly took him up on). He noted that in recent times EFF has done more with developing privacy tools and related technology, such as Let's Encrypt, and he wondered how the organization had ended up shifting somewhat from advocacy to technology.

Cohn said that early on she would call out to technical people to ask for explanations of various things; those people were quite helpful and generous with their time, but eventually the organization decided to bring on someone in-house. EFF hired Seth Schoen as the first-ever staff technologist at an advocacy organization; he was followed by hiring Peter Eckersley, who did a lot of work on Let's Encrypt before he died in 2022. "And you know what happens when you get a bunch of technologists hanging around? They want to build something."

In particular, they wanted to build things that aligned with the fights that the organization was having on the policy and legal side. Early on, even before it had a full staff, the EFF had helped build the DES cracker to show that the then-standard Data Encryption Standard (DES) was insecure due to the mandated 56-bit key size. In the end, "the reason that the EFF has a tech team is that hackers want to hack".

She mentioned Privacy Badger as another project that the organization built, to applause. It is a browser extension for third-party cookie blocking that came about because one of the EFF technologists got angered "that the techs on the browser side were basically lying" about how hard it was to build such a thing. Having people who can work both on the policy side and on the technology-building side is "kind of deep in our DNA at this point".

The next question was regarding the battle between the US government and Anthropic over two red lines that the company wanted to enforce on the use of its large language models (LLMs). Cohn said that one of those red lines, not use the LLMs for mass surveillance, was of particular interest to the EFF.

It is important for companies to be willing to draw those lines and stick to them, she said; she is no real fan of the company, and it "did not draw the line where I would draw the line, but at least they drew it somewhere". She pointed out that the OpenAI position, "if it's legal, then we'll do it", is worrisome in part because the law is so malleable; every genocide and human-rights violation around the world is done "legally" (complete with air quotes). Beyond that, our privacy should not be decided by the CEO of a tech company, it should be protected at every level of government.

Another question asked about the difference between Bernstein's algorithm and the encryption that was being used all over the world at that time; why did the government allow export of some encryption schemes but try to stop Bernstein? The answer, Cohn said, was key length; "the government would grant a license if the key length was short enough that they could break it". Bernstein was making a larger point with his algorithm, which he called "Snuffle", that adapted a widely used hash function and turned it into an encryption algorithm. The hash function was used for authentication, and was unregulated by the government, but his point was that the same basic algorithm could be used for encryption, so the encryption restrictions made no sense.

The final question was from Denver Gingerich, who keynoted at SCALE 2025, about attracting staff litigators to a non-profit organization. He works for Software Freedom Conservancy (SFC), which sometimes has to bring lawsuits to try to enforce the GPL. Cohn agreed that it was a hard problem and suggested that SFC had it worse than EFF: "I offer people First-Amendment law, Fourth-Amendment law, and you offer people kind of the puzzle that are open-source licenses." She said that EFF tries to have a fun working environment, for one thing, and also has an internship program that brings in law students, but that it is a difficult problem, especially with regard to salaries.

The talk provided some interesting history for those who were too young to live through some of those times. There are more fights ongoing and surely more to come; EFF will be part of those efforts, but Cohn made it clear that there is far more that needs doing, so attendees should figure out how they can pitch in. A video of just the talk will likely appear before long, but those interested can see the talk in the livestream YouTube video.

[Thanks to LWN's travel sponsor, the Linux Foundation, for its travel funding to attend SCALE in Pasadena.]