Cindy Cohn is the executive director of the Electronic Frontier Foundation (EFF) and she gave the Saturday morning keynote at SCALE 23x in Pasadena about some of the work she and others have done to help protect online rights, especially digital privacy. The talk recounted some of the history of the court cases that the organization has brought over the years to try to dial back privacy invasions. One underlying theme was the role that attendees can play in protecting our rights, hearkening back to earlier efforts by the technical community.
Cohn has been the executive director for the past decade and worked for EFF for 26 years, plus a few years before that informally. She is soon to be the former executive director as she is stepping down, "because it's time to pass the torch", sometime over the northern-hemisphere summer. She was wearing a T-shirt that colleagues had made for her which said "Let's sue the government"; she said "I'm not done suing the government" even though she is leaving the leadership role. On her way out she has written a book, Privacy's Defender, which came out on March 10, two days after her talk. The keynote was her "first official stab at a 'book talk'".
She wrote the book in part to help capture the history of the early internet that wasn't just about "dudes and the companies they built", which was part of the story, of course, "but they were incredibly rich times" with "a lot of people who weren't named 'Jobs' or 'Gates'". She also wants to reclaim the word "hackers" from the "people who want to make it about something illegal", which was met with loud applause.
In my world and where I came up, being a "hacker" meant someone who hacked away at a problem until they solved it, like the way you take a small ax to a large tree. [...] So I am very intentionally calling this community "the hacking community" and if you don't like it, you can take it up with me afterwards, but my fight is not with you, it is with the people who tried to take something beautiful and make it something nasty.
She put her cards on the table early on: "I'm trying to recruit you". She works for an advocacy group and believes that "we need all the hackers in the world to help us make the world a better place".
Privacy
The book is primarily about privacy, she said; it is part memoir and part legal history, according to the publisher's description. But privacy is not what some people think it is: some kind of "cloak of invisibility" that can be used when someone is about to do something they don't want anyone to know about. It can work that way, but that is not why privacy is important.
"Privacy is important because it is a check on power", she said, "it is a way that people with less power can have some protection against people who have more power". It is a check that works on multiple levels. It starts with the personal—EFF works with domestic violence victims who are trying to get out from under surveillance by their former partners, for example—"it is a check on power, literally in people's homes". It also checks corporate power, where the surveillance by companies is impacting people's lives, including the prices they pay and whether they can qualify for a mortgage.
Privacy is one of the ways we can regain our power against the companies, large and small, who want to control us and manipulate us and, you know, empty our bank accounts as much as they can.
Beyond that, privacy is a check on governments, which is what she has mostly worked on throughout her career. Privacy enables dissent and allows planning; all of the efforts in the US to bring more rights to more people had both public and private parts. For example, during her lifetime, gay people were able to go from being violently attacked just for talking about the idea that they should have equal rights to same-sex couples being able to legally marry; "the public parts of that work could not have happened unless there were private parts of that work".
We are seeing privacy being used right now to organize against some of the injustices occurring in the US; that needs to happen in private "if it's going to get a leg up and a chance to catch fire" so that it can be effective. Privacy "ultimately enables democracy", which is easily seen in the secret ballots in the US that shield voters against pressure from the powerful to vote in certain ways.
Freeing cryptography
"Now I want to tell you a little story about something that happened in the 1990s." It was about the Bernstein v. United States lawsuit; in that case, she helped lead the fight to "free cryptography from governmental control". It was filed in 1994, which means that the fight to free cryptography pre-dates the world wide web, she said.
Her involvement came about in an interesting way, when a hacker she knew socially (John Gilmore, she noted later) asked if she would be willing to help a math PhD student who wanted to publish some code but was told he would go to jail as an arms dealer if he did. She asked if the code "blows things up" and was told that it simply "keeps things secret", which sounded like a First Amendment violation to her; he agreed and she took the case.
But that was not the only involvement of the hacker community in the case. In a reading from her book, she set the stage for the first day in court at the San Francisco Federal Courthouse, which she called "Cypherpunk dress-up day". When she arrived at the courthouse, she was greeted by around 30 people from the hacker community, mostly 30-something, long-haired, scruffy looking, and in suits and ties. "They all seemed to be in outfits their mothers picked out for them." It is possible that she was projecting, however, as she was 32, conscious of her appearance, and was dressed in a suit her mother had picked out.
It was something of a motley crew, but they were there to show support for her arguments when the case reached court in September 1996. Both she and the assembled hackers knew that "what happened in that courtroom would be crucial to the future of the internet". The hackers were there in part to show the judge, Marilyn Patel, that they were serious about making a change; they had followed the EFF's request to dress in their finest to make it clear that the case was important.
And it was clearly important, Cohn said, reflecting on what the internet would look like without encryption. While she does not think today's internet is "as secure or private as it needs to be", she listed lots of different ways that the internet would be worse off with no (or weak) encryption, "the way the government wanted it". For example: no secure messaging for organizing and other purposes, stolen or seized phones would compromise the identities and communications of their owners, no way to know for sure that communication is with the expected party, no e-commerce, and so on. Ultimately, the internet could have remained a tool of academics, governments, and a few hackers, like it was in those days, but it would not have gained the worldwide reach (with consequences both good and ill) it has today.
In the 1990s, the US government treated "software with the capability of maintaining secrecy" the same way it treated surface-to-air missiles and tanks: a license was needed to be able to "export" any of them to foreign countries. Making something available on the internet was considered an export, which was not just of theoretical concern. Phil Zimmermann faced a criminal investigation due to the release of his Pretty Good Privacy (PGP) tool. Dozens of others, mostly academics, had been threatened as well.
Because the issue involved publishing, which is a free-speech right protected by the First Amendment, the lawyers decided to build the case around the legal doctrine of prior restraint. That doctrine says that requiring government permission before speaking or publishing must meet a particularly high standard or else it violates the right of free speech. In the early 1990s, it had not yet been established whether the internet would be a place of "full First-Amendment protection" and they knew that freeing up encryption and the science of cryptography, along with the ability to share code, "was going to be key to making the internet itself a place of freedom of speech".
Beyond the cypherpunks who showed up on the first day, the case was bolstered by the support of a wide variety of people and organizations: cryptographers, computer-science professors, open-source toolmakers, privacy groups, and more all wrote declarations in support. Even outside of the courtroom, she and the other lawyers were supported by hackers of various stripes who took the time to patiently explain cryptography to her in a way that let her understand what it was and did. That allowed her to translate cryptography and the internet to the judges who heard the case at various levels.
That patient explanation was empowering for her and she thinks it is a lesson that we should be applying today. "People are hungry for privacy and security and the people in this room have the knowledge to help them." In recent times she has seen much more engagement from hackers toward educating people and inviting them into the hacking community. "I think you are standing in the shoes and following in the legacy of those early hackers and I really want to commend you for it."
There were also efforts to publicize the case through T-shirts with the RSA code printed on them, for example. Companies in the computer industry gave their support, even though they are generally loath to go up against the US national-security apparatus, and the US Congress started looking into the matter as well. Eventually, the courts ruled that "code is speech", first in the district court and again in the court of appeals for the ninth circuit. "We won", she said to applause.
That particular story ends in Washington, DC in mid-2000, when she and others on the case were invited by her counterpart on the government side, Tony Coppolino, to talk about encryption regulations. She read another excerpt from the book describing a majestic conference room in some storied building in the US capital, which was a bit intimidating. But she and the others had "come to negotiate the terms of the government's surrender". Coppolino had sent her a draft of the new export regulations that dropped the requirements for pre-publication review for open-source encryption code in favor of anyone exporting (publishing) said code just needing to send a copy or a link to the government when they do so. "It was 95% of what we wanted."
Unusual
While it was a "tremendous victory", it has needed defending over the years, like many other victories. There were efforts by the government to undermine encryption, many of which we learned about through Edward Snowden, for example. The Bernstein case was "a fun story", but it is not the way that these kinds of changes typically happen when you are up against the government, she said.
The other two stories she tells in her book represent the more usual path. One is about spying by the US National Security Agency (NSA) and the other about national-security letters; both of those are "post-9/11 spying that the government did, some of it publicly known and some of it not until much later". Those cases have a rather different trajectory, she said. A dramatic courtroom victory as in the first story is definitely outside of the norm.
The NSA spying case came about because whistleblower Mark Klein "literally knocked on the front door at the Electronic Frontier Foundation in early 2006". He brought details of how the NSA was tapping the internet backbone in various locations, including a secret room in the AT&T building in downtown San Francisco (the city where the EFF is located). It is the most "cloak and dagger" of the stories in the book, she said, due to the courage of Klein and, later, Snowden in 2013.
After a few early victories, "Congress rushed in to protect ... the phone companies" by killing the lawsuit that had been filed. The EFF was able to get a few reforms passed by Congress after the Snowden revelations, "but not nearly enough". Eventually, the US Supreme Court sided with the government when it ruled that which telephone companies participated in the mass spying was so secret that the case could not go forward—though the world already knew about NSA spying and the EFF had evidence of exactly how it worked in 2003.
The third story from her book is about cases that had a similar trajectory: an early win in the courts, and some reform in Congress, "but still not enough". She calls them "the alphabet cases because we couldn't even name our clients for six years", so they were called "case Q, case Z, and case X". The cases were an attempt to scale back a kind of subpoena, called a national-security letter, that the US government was using on telecommunications providers. Those letters were "demanding information about their customers and gagging the companies from ever telling anyone that anything had happened".
The EFF was able to get the gags lifted and to add some more procedural safeguards to the process. One of those allowed the companies to produce transparency reports where they could characterize the number and scope of such requests. Those numbers are eye-opening: "there were hundreds of thousands of these issued that implicated millions of people in the times that we were able to track".
Hackers
So the Bernstein case was "amazing", but it was an outlier; most cases are more like the other two, where any progress made is via "a thousand tiny cuts" rather than a sweeping courtroom victory. All along, though, the EFF had the support of the hacking community in various forms. Both Klein and Snowden are technical people, and hackers in her mind, though Klein would probably avoid that label were he alive today, she said. The community has also helped keep the media informed and raise public awareness of surveillance and spying so that voters can apply pressure.
Because it's opaque, it's hard for people to see it, it's hard for people to understand it. And the hacking community has played a huge role in continuing to keep attention on these issues and continuing to talk about how important they are. And that pressure did lead to congressional reforms, increased pressure from courts, and some administrative shifts that we should all be proud of even as there's more work to do.
She had a slide with a picture of a blimp that the EFF and others had flown over an NSA data center in Utah in 2014. The data center was being built to hold all of the records that were being gathered from the NSA spying efforts. The blimp had an arrow pointing down with the message "Illegal Spying Below", which she recounted to laughter. "Our friends at Greenpeace lent us their blimp; we're not above a little stunt every now and then to draw attention to things."
She had a message for the Linux builders and users in the audience about the role they can play. As builders of the tools people use, the open-source community can help ensure that encryption is built into everything—and that it is easy to use. "My plea to the open-source community for at least 30 years now is: 'please, user interfaces'." While that may not be the fun part, "I'm here to tell you that you need to do the not-fun part too".
She suggested defaulting to privacy-preserving architectures, along with minimizing data collection and retention. Meanwhile, conducting security research and publishing the findings is important so that users have the most secure products they can. In addition, she hoped builders would push back against surveillance features being built into products they were working on for their employers.
Things feel really dark right now, she said, listing a bunch of developments that are taking us further down the "surveillance state" path. She sometimes feels like Cassandra, having warned about a future that those in power apparently could not see, but that we are now living through. For example, databases created for commercial purposes are increasingly being used by the government, which is the largest purchaser of information from data brokers, as a weapon against its targets. "Those targets are increasingly more political than legal." And on and on.
The courts have created a "national security shaped hole in the Constitution"; it has been built over many years, by administrations of both political parties in the US. That is why the magic "national security" phrase is used so frequently these days, since it is "the easy road" for the government at this point. She noted that Benjamin Franklin had said that the US Constitution created "a republic, if you can keep it". She believes we are in the "if you can keep it" part at this point; everyone needs to participate in the fight for that, and not just sit back and wait for others to do it, Cohn said.
Closing and Q&A
"We have some things to learn about the cypherpunk legacy." Beyond showing up in ill-fitting suits in 1996, they built PGP, published cryptography research, and pushed for privacy. The cypherpunks recognized that privacy needs more than just technology; it requires society and its laws to support the technology. "Just adding encryption does not equal privacy or security, there's much much more to it."
The work of the cypherpunks (and others) enabled the internet that we have today, Cohn said, "and you are the next generation". She had some ideas for how attendees could join the fight, starting with: "Show up" to represent privacy-preserving views at various levels of government, from courtrooms to homeowner associations. "Privacy is a team sport", so use the tools yourself and help others to use them too. Also, educate people, young and old, contribute to privacy-oriented open-source projects, advocate for encryption and other privacy protections at your workplace and beyond, and build the tools that the next generation will need to further the effort. As the EFF executive director, "I am almost contractually required to say 'please join the EFF'", as well, of course.
She closed by noting that it surprised a lot of people that the "crazy, wild-eyed misfits" who were outnumbered and outgunned when they took on the government in 1996 were able to prevail. That was one successful path, but Cohn does not believe it is the only one available. "I think we need to figure out new strategies and new ideas [...] and not get stuck just trying to replicate the ones from before."
SCALE organizer Ilan Rabinovitch asked the first question (after announcing that he would donate matching funds for EFF memberships made that day—an offer that many seemingly took him up on). He noted that in recent times EFF has done more with developing privacy tools and related technology, such as Let's Encrypt, and he wondered how the organization had ended up shifting somewhat from advocacy to technology.
Cohn said that early on she would call out to technical people to ask for explanations of various things; those people were quite helpful and generous with their time, but eventually the organization decided to bring on someone in-house. EFF hired Seth Schoen as the first-ever staff technologist at an advocacy organization; he was followed by Peter Eckersley, who did a lot of work on Let's Encrypt before he died in 2022. "And you know what happens when you get a bunch of technologists hanging around? They want to build something."
In particular, they wanted to build things that aligned with the fights that the organization was having on the policy and legal side. Early on, even before it had a full staff, the EFF had helped build the DES cracker to show that the then-standard Data Encryption Standard (DES) was insecure due to the mandated 56-bit key size. In the end, "the reason that the EFF has a tech team is that hackers want to hack".
She mentioned Privacy Badger as another project that the organization built, to applause. It is a browser extension for third-party cookie blocking that came about because one of the EFF technologists got angered "that the techs on the browser side were basically lying" about how hard it was to build such a thing. Having people who can work both on the policy side and on the technology-building side is "kind of deep in our DNA at this point".
The next question was regarding the battle between the US government and Anthropic over two red lines that the company wanted to enforce on the use of its large language models (LLMs). Cohn said that one of those red lines, not using the LLMs for mass surveillance, was of particular interest to the EFF.
It is important for companies to be willing to draw those lines and stick to them, she said; she is no real fan of the company, and it "did not draw the line where I would draw the line, but at least they drew it somewhere". She pointed out that the OpenAI position, "if it's legal, then we'll do it", is worrisome in part because the law is so malleable; every genocide and human-rights violation around the world is done "legally" (complete with air quotes). Beyond that, our privacy should not be decided by the CEO of a tech company; it should be protected at every level of government.
Another question asked about the difference between Bernstein's algorithm and the encryption that was being used all over the world at that time; why did the government allow export of some encryption schemes but try to stop Bernstein? The answer, Cohn said, was key length; "the government would grant a license if the key length was short enough that they could break it". Bernstein was making a larger point with his algorithm, which he called "Snuffle"; it adapted a widely used hash function and turned it into an encryption algorithm. The hash function was used for authentication, and was unregulated by the government, but his point was that the same basic algorithm could be used for encryption, so the encryption restrictions made no sense.
The final question was from Denver Gingerich, who keynoted at SCALE 2025, about attracting staff litigators to a non-profit organization. He works for Software Freedom Conservancy (SFC), which sometimes has to bring lawsuits to try to enforce the GPL. Cohn agreed that it was a hard problem and suggested that SFC had it worse than EFF: "I offer people First-Amendment law, Fourth-Amendment law, and you offer people kind of the puzzle that are open-source licenses." She said that EFF tries to have a fun working environment, for one thing, and also has an internship program that brings in law students, but that it is a difficult problem, especially with regard to salaries.
The talk provided some interesting history for those who were too young to live through some of those times. There are more fights ongoing and surely more to come; EFF will be part of those efforts, but Cohn made it clear that there is far more that needs doing, so attendees should figure out how they can pitch in. A video of just the talk will likely appear before long, but those interested can see the talk in the livestream YouTube video.
[Thanks to LWN's travel sponsor, the Linux Foundation, for its travel funding to attend SCALE in Pasadena.]