Jennifer Granick brings constitutional law and threat modeling into the same room at Black Hat 2025, arguing that the real threat isn’t just cybercriminals—it’s unchecked government surveillance. Her keynote offers a call to action for technologists to help restore privacy through design and engineering.
At Black Hat USA 2025, Jennifer Granick—Surveillance and Cybersecurity Counsel at the American Civil Liberties Union—takes the keynote stage to make a bold case: we are long overdue for a new threat model, one that sees government surveillance not as a background risk, but as a primary threat to constitutional privacy.
Granick draws from decades of experience defending hackers, fighting surveillance overreach, and engaging with the security community since DEFCON 3. She challenges the audience to reconsider outdated assumptions about how the Fourth Amendment is interpreted and applied. While technology has made it easier than ever for governments to collect data, the legal system hasn’t kept pace—and in many cases, fails to recognize the sheer scope and sensitivity of personal information exposed through modern services.
Her talk doesn’t just raise alarm; it calls for action. Granick suggests that while legal reform is sluggish—stymied by a lack of political will and lobbying power—there’s an urgent opportunity for the technical community to step up. From encryption to data minimization and anonymization, technologists have the tools to protect civil liberties even when the law falls short.
The session promises to be a wake-up call for engineers, designers, policymakers, and privacy advocates. Granick wants attendees to leave not only more informed, but motivated to build systems that limit the unnecessary collection, retention, and exposure of personal data.
Her keynote also surfaces a critical cultural shift: from the “Spot the Fed” days of DEFCON to a more nuanced understanding of government roles—welcoming collaboration where it serves the public good, but not at the expense of unchecked surveillance.
This conversation reframes privacy as a design problem as much as a legal one—and one that requires collective effort to address. If the law can’t fix it, the question becomes: will the technology community rise to the challenge?
___________
Guest:
Jennifer Granick, Surveillance and Cybersecurity Counsel at American Civil Liberties Union | On LinkedIn: https://www.linkedin.com/in/jennifergranick/
Hosts:
Sean Martin, Co-Founder at ITSPmagazine | Website: https://www.seanmartin.com
Marco Ciappelli, Co-Founder at ITSPmagazine | Website: https://www.marcociappelli.com
___________
Episode Sponsors
ThreatLocker: https://itspm.ag/threatlocker-r974
BlackCloak: https://itspm.ag/itspbcweb
Akamai: https://itspm.ag/akamailbwc
DropzoneAI: https://itspm.ag/dropzoneai-641
Stellar Cyber: https://itspm.ag/stellar-9dj3
___________
Resources
Keynote: Threat Modeling and Constitutional Law: https://www.blackhat.com/us-25/briefings/schedule/index.html#keynote-threat-modeling-and-constitutional-law-48276
Learn more and catch more stories from our Black Hat USA 2025 coverage: https://www.itspmagazine.com/bhusa25
ITSPmagazine Webinar: What’s Heating Up Before Black Hat 2025: Place Your Bet on the Top Trends Set to Shake Up this Year’s Hacker Conference — An ITSPmagazine Thought Leadership Webinar | https://www.crowdcast.io/c/whats-heating-up-before-black-hat-2025-place-your-bet-on-the-top-trends-set-to-shake-up-this-years-hacker-conference
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
Want to tell your Brand Story Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf
Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us
___________
KEYWORDS
marco ciappelli, jennifer granick, black hat usa, surveillance, privacy, encryption, constitution, threat modeling, cybersecurity, civil liberties, event coverage, on location, conference
[00:00:00] Marco Ciappelli: Hello everybody. This is an on location, uh, on ITSP magazine with Sean and Marco, but. There's no Sean, so yay. I I got, got rid of him. Um, he was, uh, having some technical difficulties, but, uh, in the next, uh, day or or so, we will be together in the car heading to Black Hat in the Desert in Las Vegas for the.
[00:00:24] Marco Ciappelli: USA edition 2025, and we are doing one of our last chats on the road, which it means any conversation that we record before getting on location and then recording sessions there. And as part of that, we like to talk to speakers and keynotes and people that are gonna be also in Las Vegas, a black cat. And today I have Jennifer Gran with me.
[00:00:49] Marco Ciappelli: Join me because she's actually speaking there and I know she has other plan as well, which maybe we'll touch on it as we chat. So, Jennifer, welcome to the show.
[00:00:57] Jennifer Granick: Thank you. Thanks for having me on. I [00:01:00] appreciate it.
[00:01:00] Marco Ciappelli: It's a pleasure. We've already been chatting a little bit before starting recording, so we, we know what's going on there and, uh, what we are focusing here is actually your session and, and yourself.
[00:01:13] Marco Ciappelli: Like, gimme a little background about, uh, who you are, what you do, and. How do you gonna end up having a keynote on threat modeling and constitutional law, which
[00:01:24] Jennifer Granick: yeah, seems pretty much of a
[00:01:25] Marco Ciappelli: mouthful to me, but
[00:01:27] Jennifer Granick: you know, it's true. I'm trying, you know, I have 40 minutes, uh, on Thursday and I am, uh, trying to, you know, fit it into that period of time.
[00:01:36] Jennifer Granick: Um, but you know, it. So life's work being a privacy lawyer. So, um, but if I can't make it interesting in 40 minutes, then I don't deserve the stage. So,
[00:01:46] Marco Ciappelli: um, it's like one of those things where you cannot explain it to your grandma. You're, you're, you're not very knowledgeable about Exactly,
[00:01:53] Jennifer Granick: exactly. Like that.
[00:01:55] Jennifer Granick: Um, and it's actually my second time. I've given a keynote at Black Hat. [00:02:00] Um, I gave the keynote in 2015, um, which was a huge honor. I mean, it's an honor to be invited back too. Mm-hmm. Um, but uh, I did give the keynote back in 2015, which was some time ago. My hair was purple then. Uh, and it's gray now, but other than that, uh, you know, not too much has changed.
[00:02:20] Jennifer Granick: Um, and I am basically a privacy surveillance lawyer. I work at the, um, American Civil Liberties Union and my title there is Surveillance and Cybersecurity Council. Um, but I also work on free speech issues, first Amendment issues as well. Um. I'll be doing the speech in my private capacity, uh, you know, not as a representative of the um, ACL U, but, you know, I have a long history of, you know, both working in this field but also of connecting with the cybersecurity hacker community.
[00:02:53] Jennifer Granick: Um, I think my first DEFCON was DEFCON three. Oh wow. And I, [00:03:00] you know, COVID was kind of like a break, but I have been to most of the DEFCON since then. Um, and I just have learned so much from that community. I have a lot of good friends, um, there, so I always look forward to getting back to Las Vegas whenever I can.
[00:03:19] Marco Ciappelli: Yeah, that, that's why we call it, I, I don't know if, if the younger generation call it that, but I know that we call it hacker Summer Fest.
[00:03:26] Jennifer Granick: Hacker Summer camp. Yeah, exactly. Fest camp. Exactly. And
[00:03:30] Marco Ciappelli: uh, and there is a reason for it because if you wanna stay there for much longer than just Black hat or Defcon and there is a lot going on, there is B sides, there is other events.
[00:03:39] Marco Ciappelli: Yeah, there's the villages, like you were
[00:03:40] Jennifer Granick: saying earlier, there's the talks just like hanging out with people in the halls. And then of course, Vegas. Yep. There is that
[00:03:49] Marco Ciappelli: too. There is that too. Yeah. Listen, let, let's, before we get into the, the threat modeling and, and constitutional law and, and privacy and all you do, let's talk [00:04:00] about a little bit about how things have changed beside the purple hair and uh, I remember I was at Defcon, I believe was 2018, was when the first time that actually people formed the government where.
[00:04:14] Marco Ciappelli: Coming in and be visiting the villages. I, I still have this vision. Remember, I think I was at the, at the, at the car hacking, car hacking village when they arrive. And it was kind of like the moment that instead of spot the Fed was like, let's welcome. Government and Yeah. And, and I know it's been a very important step, I believe, for the hacking community to connect so that actually we could change, uh, the law and we can change the, the way that hacking is perceived, which is not a bad thing by the definition.
[00:04:47] Marco Ciappelli: Cyber crime is right. Hacking is not right. So how, how do you see the evolution of this and maybe going together with. Solution of what you have been doing and the, and the importance of what you do in this community?
[00:04:59] Jennifer Granick: Yeah, [00:05:00] I mean, it's been a real ride because what I remember is that before the first time I spoke at Defcon, I got a call from an FBI agent.
[00:05:10] Jennifer Granick: Who wanted to advise me that I should be careful about what I say on stage to these miscreants that are like out there in the audience. Um, and you know, that was definitely in the spot, the Fed. Era. But you know, as the conference got bigger and as Black hat became associated with it, like a more professional, you know, version of of Defcon, there were more government employees who were invited.
[00:05:40] Jennifer Granick: And I remember one year, Keith Alexander, who was head of the National Security Agency, was invited and he gave a, a presentation or a talk, and it was very soon after that. That it was 2013 and the, um, revelations of massive spying that we, um, learned from Edward Snowden. And after that [00:06:00] there was this real feeling, I think, in the community that, you know, these guys have been lying to us and, you know, and, and just spying on us and we don't really want them around.
[00:06:12] Jennifer Granick: Um, and I think that there was, you know, some evolution there where, um, you know, there was, um, you know, people from the, from csa, the Cybersecurity Information Security Agency, if I got that right, were invited to come and sort of, you know, interact. As a non like law enforcement or national security entity, but as a cybersecurity, civilian type of, um, agency, you know, interact.
[00:06:38] Jennifer Granick: So there was kind of slow going where I think government, um, officials were kind of invited back in. Um, and I mean, just. You know, sort of a corollary was the relationship with the, um, you know, with, with businesses. And there was, you know, especially in the early days, all that tension [00:07:00] between companies and hackers because of vulnerability testing.
[00:07:03] Jennifer Granick: And so companies, you know, didn't wanna, um, you know, didn't want their systems tested by outsiders, didn't want anybody reporting the vulnerabilities, didn't wanna pay any bounties. You know, or anything like that. And that's actually how I got my start in this business was I was a criminal defense lawyer, and it just was like suddenly various people who were hackers were getting.
[00:07:30] Jennifer Granick: Sued or investigated for their, um, you know, for their hacking, for their, um, exploration of systems, for their vulnerability testing and that sort of thing. And so I became a lawyer for people who were, um, you know, retaliated against for this kind of work by, you know, whether it was corporate America or, you know, investigated by the FBI or whatever.
[00:07:56] Jennifer Granick: Um, and that's how I learned about. You know, [00:08:00] this information security world, and I learned about computer hackers and I eventually kind of segued into just being, um, not a criminal defense lawyer, but into being the kind of lawyer that I am today.
[00:08:13] Marco Ciappelli: Yep. And I, many things come to my head. I mean, safe harbor and, and all those things that we've been trying to do and, and, and how important has become.
[00:08:22] Marco Ciappelli: Right. Team and pen testing versus what. I was perceived before on top of say, well, you, you be, you better get hacked by somebody that does it ethically than Yeah. Than find out when the bad guys are actually much later.
[00:08:37] Jennifer Granick: I mean, people have finally realized, like, you know, you, you gotta make friends with the people who have information that can help you.
[00:08:43] Marco Ciappelli: Yeah. Yeah. For sure. So, in term of what you, you talk about during your keynotes, I, I feel like two words that. There actually four, but two are together. Threat modeling and constitutional law. So they kind of like, can you put them together? [00:09:00] Why, why they end up in the same sentence.
[00:09:03] Jennifer Granick: Yeah. I mean, I think the, um, goal of our privacy protections in the Constitution, which basically boils down to the Fourth Amendment, um, is to try to, you know, kind of, um, strike a balance between.
[00:09:18] Jennifer Granick: Um, the government being able to get the information that it needs in order to prosecute crime and understanding that the government investigations themselves can be dangerous. And so there should be limitations on those investigations, which are the provisions of the Fourth Amendment requiring a warrant and that sort of thing.
[00:09:42] Jennifer Granick: And you know, I think what's happened is that we have not really, um, revised our understanding of the threats that government surveillance poses, um, in light of changes in technology. So we have so much more information about [00:10:00] us that's available than ever before. The government's powers, um, in terms of keeping track on, of us buying on us are exponentially and sort of magically more than what the founders could have.
[00:10:14] Jennifer Granick: You know, we even possibly imagined at the time that the Fourth Amendment was written and we are still operating on a threat model that's like, we're just trying to get a warrant and catch the bad guys. Um, but if you look around, you know, and see how our information is being accessed and how it's being used, we need to understand that the government is more of a threat and people are more vulnerable, and then expand our protections of this information accordingly.
[00:10:46] Jennifer Granick: Now that we're living in this new world.
[00:10:48] Marco Ciappelli: Yeah, certainly you can't unplug the computer anymore and be safe or unplug exactly from the internet. Like back in the days,
[00:10:56] Jennifer Granick: it's not possible. You know, it is like we, that's just blaming the victim, [00:11:00] right? I mean, it's, it's our responsibility, I think, as lawyers and security professionals to protect the public.
[00:11:06] Marco Ciappelli: Yeah, so my, my podcast, it's called Redefining and Technology because I, and unlike your opinion, um, it's not just about looking at privacy and, and identity and, and, and the way that we, that we've always considered that and, and how we can still. Preserve our privacy, let's say. But, but my point on many conversations that we, we need to redefine the concept of privacy in this modern day and identity.
[00:11:38] Marco Ciappelli: Yeah. So we, we, it's a very. It's a moment of change for, for society. And what I normally hear is that legislation and in the United States, in this case, Congress, but even in other countries, it the, the reaction time, it's always. [00:12:00] Much slower than the way that technology evolve. And, and of course. Oh, absolutely.
[00:12:04] Marco Ciappelli: That, that's, that, that, that's a big issue. So does this require some kind of systemic changes also in the way that the government works? Yeah. I mean, I know it's a big question, but I'm sure you have an opinion on that.
[00:12:16] Jennifer Granick: I mean, you know, the, for the Supreme Court has never held that we have. Uh, expectation of privacy in our email such that it's protected by the Fourth Amendment.
[00:12:26] Jennifer Granick: There's like one case from 2006 and you know, in terms we just had a couple years ago a case that was about tracking people with their cell phone data. Over a long period of time, but we don't have cases about tracking with, you know, like our social media data or short-term tracking or, you know, there's just a whole bunch of unanswered questions.
[00:12:51] Jennifer Granick: Still that like, you know, the Supreme Court only takes a few cases every year. So you have all these differences [00:13:00] in, you know, federal districts in different states and that sort of thing. And you know, a lot of times these, um, judges are making terrible decisions that vary important sensitive information about us, isn't protected by the Constitution at all and is sort of just free game for law enforcement to access.
[00:13:20] Jennifer Granick: So normally what you would do is you would go to Congress or to state legislatures and you would get statutes passed that would fill in these privacy gaps. Um, that either, you know, time lag or just, you know, absence of law would. Have so you could have this protection. But to be perfectly honest, we're all afraid to go to Congress or to go to state legislatures because the law enforcement lobby is so powerful that nobody really believed.
[00:13:50] Jennifer Granick: That the, um, statutory law is gonna actually be able to get better because kind of of what you said, people don't really [00:14:00] understand why privacy is important. Um, they don't really value it the way that they should. And so, um, you know, we're, we're not seeing a real, you know, the same kind of like push you, you might see for that there are bills certainly in Congress that are meant to try to patch these holes.
[00:14:19] Jennifer Granick: Um, and I can talk about, you know, one or two of them if you're interested. Um, but there, it's hard to get Congress to do anything these days, you know? Whether, whatever it is, they're, you know, not very, um, productive in terms of actually passing laws, right? So here we are, you know, kind of swimming around in a world that has a lot of uncertainty about how our most sensitive data is protective, if at all.
[00:14:47] Marco Ciappelli: So see the thread modeling is not working. What, what will be, and I'm sure that's what, what you're gonna talk about in the presentation. So without telling me the end of it, don't spoil it
[00:14:58] Jennifer Granick: because I want people to still [00:15:00] come. So Exactly. That's the goal.
[00:15:01] Marco Ciappelli: We want people to be like, Hey, that's gonna be an interesting, uh, presentation for sure.
[00:15:06] Marco Ciappelli: Uh, but so what, what, what are the points that you're gonna touch on, let's say. Let's say this during your conversation and who do you think or wish would take part in the audience to what you say? Yeah.
[00:15:19] Jennifer Granick: I mean, my view is that to a large extent, technology has taken our privacy away. By creating all these services that we know and love and that we can't stop using, but which are just basically feeding off of our information in a variety of different ways, legitimate and illegitimate.
[00:15:36] Jennifer Granick: Um, and the law hasn't stepped up in the way that we just discussed, but I believe in, I'm optimistic that technology can give us back some of the privacy that it's taken away, just like we've seen more and more, um, uh, chat services. Go end-to-end encrypted. I think we can, as you know, designers and engineers and security [00:16:00] professionals look at the information and figure out, um, you know, data minimization, data retention, is there a way that I can, um, engineer that my company can use the data that it needs in a way that is anonymized, uh, and, you know, in a, in a safe way.
[00:16:19] Jennifer Granick: Um, you know, there are various, uh, you know, sort of. Options that technical experts, if you really took it seriously, could do to take this information and, you know, not basically just have it out there for, you know, not just governments, um, and certainly not just our government, but for hackers and identity thieves and all those other, um, you know, threats as well.
[00:16:45] Marco Ciappelli: Yeah, when you, so sometimes we say tech's gonna fix tech and people will roll their eye. Like when I heard that AI should fix ai, I think Schmidt said that, but I'm like, okay. Maybe to a certain extent. And I [00:17:00] think that's the key to a certain extent, meaning not gonna fix it itself, but we definitely have the, the technology to fix.
[00:17:07] Marco Ciappelli: That technology that is not working and I'm, yeah. I always bring that example in coming with ASME and Sean for the longest time, where if you walk into a bar and you have to prove that you're over 21 to drink, they don't need to see where you leave. They don't need to see, right. A lot of other things about you.
[00:17:26] Marco Ciappelli: They just need to see that you're 21 and when you get your thing back, there's not gonna be a record of that driver license that is being scanned. Yeah. So it's kind of like you're, yeah. Right now, the way it works from my perspective is that you're just accessing so much information and you're not actually need, well, you may need it later.
[00:17:44] Marco Ciappelli: It's almost like, let's get the data. We may need it later on. Yeah, and that's, that's the, I think that's the, that's the dangerous attitude.
[00:17:51] Jennifer Granick: I think that's the dangerous attitude. Like let's just take it and have it sitting around in case we it for some other purpose later on. Yeah. [00:18:00] Yeah. But I think your point, you know about the driver's license is this is something my colleague does a lot of work on.
[00:18:05] Jennifer Granick: You know, sometimes all you need to know is the person is over 21. Mm-hmm. That's all. That's all you need to know. And with technology. We have the capability of doing that, um, you know, in engineering systems that give you just the right amount of information and no more. And so, um, you know, I'm a, a lawyer so I'm not an expert on how to do these things exactly.
[00:18:30] Jennifer Granick: But here I'll be in a room full of people who are experts. Mm-hmm. And, you know, maybe I'm giving away the end. But what I am hoping is that when people realize that the law is not here to save us, that they will put more time and energy into thinking through how the technology and the security, uh, structure is developed.
[00:18:51] Jennifer Granick: And as you said, tech can't solve tech, um, and law can't solve tech, but, you know, defense in depth, right? We try to make every, [00:19:00] every layer as strong as we can.
[00:19:02] Marco Ciappelli: Yeah. It's, it is that, uh, complexity that. When you have the right time, I feel like you have a, a, a convergence of technology and maybe thinking, and maybe it's the, again, it's the right time to.
[00:19:18] Marco Ciappelli: You get the right tools to make things happen. And I, I honestly, I want to be optimistic. I mean, I can go utopian to dystopian in literally one faction of a second and, and it's kind of like, you know, really weird, but living, they're both like, oh, this is awesome. And they're like, oh my God, no, this is horrible.
[00:19:35] Marco Ciappelli: Yeah. You know, and vice versa. So, yeah. I, I, I think, I think maybe we, we are there and I think conversation and presentation like this, so if you could imagine, uh, you know, a few, like a question or two, just, just to end it, you will like people to ask you at the end of the presentation. What, what would that be?
[00:19:55] Jennifer Granick: Um, that's a, that's a good question. What question would I [00:20:00] like to be asked?
[00:20:01] Marco Ciappelli: Yeah.
[00:20:01] Jennifer Granick: Um. Uh, I think you know it if you have a speech where you're always like asking people to do something, you know, you always want people to be like, where can I sign up? Mm. But, um, I actually don't know the answer to that, that question.
[00:20:18] Jennifer Granick: Um, but being, you know, sort of motivated to, to understand it I think is, would be awesome. Um, I, you know, in a way I hope that. You know, everybody understands me so much that they don't even have to ask a question.
[00:20:35] Marco Ciappelli: But, but if somebody comes and say, you know what? I'm with you. I don't know yet what, but I know we need to do something and we're gonna look a little bit deeper into this.
[00:20:44] Marco Ciappelli: Yeah, exactly. That would be a good thing.
[00:20:46] Jennifer Granick: Yeah. Thank you. You helped, you helped me with the answer. There you go. Right.
[00:20:49] Marco Ciappelli: Raising sometimes, yeah. We don't have the answers, but, but if we. We work together, people think a little bit more than, than we're succeeding, I think in doing podcasts and in doing [00:21:00] writing articles and in doing presentation and keynotes, of course.
[00:21:03] Marco Ciappelli: Yes. So just to refresh it, I have it here. I say it's, uh, Thursday, August the seventh at 10:20 AM to 11:00 AM So 40 minutes. It's a long, it's a lot of stuff to pack in there, but I'm sure you'll do just fine. Ocean side level two, and of course it will be in the keynotes as well as the way to connect with you on LinkedIn and uh, and maybe to bring this conversation even more to life, not just during the event, but.
[00:21:30] Marco Ciappelli: After and that, yeah, that event black out. Yeah. And that's what I hope to
[00:21:33] Jennifer Granick: hear from people, you know, to hear people have ideas about how this can be done. So I'm on the board of the ISRG, the Internet security research group, which does Let's encrypt. And so, you know, I just see through being on the board there, up close how creative and innovative this community of people can be when they identify a problem that needs to be fixed.
[00:21:57] Marco Ciappelli: Mm-hmm. Cool. All right. That was a [00:22:00] great, uh, way to end this quick conversation. I'm actually looking forward to see you. I hope I have the time to come and see the, the, I'll keep an eye out for you there. Keep, keep an eye. I will be waving at you and, and come and ask you some question after maybe. Thank you, Erica.
[00:22:16] Marco Ciappelli: But, uh, really appreciate you being here. And for everybody else, stay tuned. Uh, there'll be the link to the, uh, own location. Coverage of Black Cat, which if I am not wrong, it's uh, itp magazine.com/bh 25. And if it's not, just check on the notes. I'll be there. Thank you again, Jennifer. See everybody in Las Vegas.
[00:22:38] Marco Ciappelli: Thank, and for those that are not there, just follow us and we'll try to bring Las Vegas and Black blackout to you. Thanks to
[00:22:44] Jennifer Granick: everybody for listening.
[00:22:45] Marco Ciappelli: Thank you.