 So welcome, everybody. I'm Terry Fisher. I teach intellectual property here at Harvard Law School. And I've been asked to moderate this session. The topic is intelligence gathering and the unowned internet, a huge and obviously very important and very controversial subject nowadays. In very caricatured form, the way in which this topic has emerged is that once upon a time the internet was created by and used by scientists like my ex-brother-in-law, a neurophysiologist in San Francisco to communicate with his colleagues in Cornell and Washington, DC. People trusted each other in many ways, and they used it for what began as private conversations. And then, as everyone in the room knows, this institution devised for one purpose, morphed. It became used for ever more extensive forms of communication and, gradually, its role in commercial exchanges and political exchanges increased. Not surprisingly, as the density of this medium grew, organizations interested in mining the extraordinary amount of information flowing through it also intensified. And those organizations included commercial businesses who can make more money by capitalizing on some of the information flowing through the system and governments, which seek, among other things, to shield their citizens from terrorism or other forms of unacceptable behavior by locating threats before actions happen. This intensification of interest on the part of organizations, both commercial and political, has generated and continues to generate oscillations, efforts by the users of the system to deny access to their information to the organizations and efforts by the organizations to increase their information-gathering capabilities. And we have seen, increasingly in the last couple of years, explosions rising out of the friction between these groups. So we have here today a rather remarkable group of experts in this area, which does not include me. I know the least, by far, of anybody on the panel. But everybody else knows a lot about this field. Rather than devote scarce time to introducing them, I opted for circulating a handout, which describes their backgrounds. So you have only to match their extraordinary biographies with their pictures. In terms of... I'm sorry? It's extra easy in my opinion. In terms of mechanics, here's what we're going to do. We have between now and 1.30, and we're going to end at 1.30 sharp to enable people to catch planes and teach classes and so forth. The bulk of the session will be conversational. So we'll begin with conversations between me and the panelists and among the panelists, and then we will gradually incorporate your questions and comments. You should be aware, the panelists should be aware, and the audience should be aware, that this session is being recorded. It's not being webcast, so nobody's watching this live, but it will be available to the public later on. So that means, necessarily, for better or worse, we are not observing here Chatham House rules. So if you speak, as I hope you will, you should recognize that your identity, given modern face recognition software, will reasonably quickly be matched up with the substance of what you have to say. Now, last word about tone. Extraordinarily important issues are at stake in this field. People's lives, not just their fortunes, hang on the answers to some of the questions we'll be addressing today. That gives rise to appropriate deep seriousness in the discussion of these issues, but there is a line between seriousness and ad hominem attacks. And so let's try, in our discussion, to maintain a combination of seriousness and respect. Okay, so here's where I thought we might start. Yochai. Could you identify one aspect of the current combination of technologies, social practices, and legal rules in this field? That is undesirable. Say why and propose a solution. You have 10 seconds. To me, the single most important problem with our current debate is that it is occurring primarily at the level of details and operational analysis, both of the legal system and the technical systems. And instead what we need is a public conversation of the state of emergency since 9-11, whether it continues and how we're willing to live with it. All the institutions in the world, all the three branches looking at things in one mind frame, lead us to Japanese internment and Korematsu, lead us to McCarthyism and Dennis V.U.S. with the U.S. Supreme Court permitting. And in a different mindset, lead us to get up in the morning and say what on earth were we thinking then? To me, as I look at the surveillance questions, as I look at the debates over the Senate Select Committee on Intelligence report on torture and its revelation, we're beginning to wake up from a dozen plus years worth of panic and the solution needs to be a direct public conversation that simply abstracts away from the details. Is it around the 702 or under 215? Are there Z-minimalization rules or Z-minimalization rules? And ask the basic question, did we get ourselves into a corner where we stopped understanding intuitively what the right balance is? And if so, where is it? If you were then to participate in this public conversation. Not a chance. Oh. I'm not. Hypothetically. I assume you would say we have got the balance wrong and what particular change would you advocate in the either public or private regimes that seek to manage these issues? So I think the one of the things that has been most significant in the disclosures of the documents that came from Edward Snowden's disclosures has been the diversity and complexity of systems and how they interoperate to achieve an outcome that from the perspective of people on the inside seems well-ordered, reasonable, in fact necessary and from the perspective of people on the outside seems utterly insane. And that complexity has to do with the fact that the court system that's relevant here, the FISC is imbalanced. The internal oversight system and secrecy in particular rewires the degree to which people who have professional norms with regard to law some are inside and some are outside that the technical systems and the trade-off between weaker technical systems in the commercial framework, which is to say programs that have come under the title of Bull Run last week's report from Reuters that RSA, the Basic Encryption Standard is compromised in conversation as it were with the NSA. These systems all interrelate to create a general weakness so we're going to have to have all sorts of solutions in all of these areas, none of them resolved. So the president's review group that came out with reports had a variety of organizational arrangements that would effectively break up the single uniform cyber command, NSA, signals intelligence, communication security into separate components. That will diffuse some of the things. They had some interesting ideas about how to change the privacy and civil liberties oversight board. So those are things inside that are building systemically different ways than we have now with the post-watergate delegated oversight system. We also have a lot of work in the world of people building better encryption that simply won't play nicely. And rejection of the idea that we have to build a system that government, at least with the right order can always access because that turns out to fail as well. And so we need these mult and we have the cultural acceptance both outside and inside of whether we are in a state of emergency in war, temporary, short and allowing much more than we would in normal state of peace even under threat of substantial criminal disruption. And that's a change that's more conceptual and cultural and will traverse both people inside and outside the system. So John and Ann, you know the system and have significant responsibility for this system from the inside. So first, thanks on behalf of everybody here for your willingness to come and participate in this discussion. It's our pleasure. Now there are many points of delicacy here and the most obvious one is whether you are going to be speaking individually or on the half of the NSA. You can make your own choice in that regard, probably best to be explicit. So from either of those standpoints, and let's start with you. It's the NSA, right? It's our joke here, right? And it's the moderator. Nothing you can do at that point. I'll ask the same question obviously from a different angle. Is there in your judgment anything wrong with the combination of technology, social practices and law that currently manages this space? Well, actually leave it there and then there'll be follow up questions depending on what you think. Sure. I'll jump in. I'll follow on to John. Sure, so I like Yochai's comments in that he talked about raising the discussion up from this particular authority or this particular protocol or this particular technology. And maybe I might disagree just a little bit in the sense of I think it's a good point, maybe a feature, not a bug, that when we dive down into those details and you look at, for example, what the presidential review group found, what the privacy and civil liberties oversight board is that the president said in his speech is that the men and women of NSA faithfully follow the protocols that are designed to protect US person privacy. That's a necessary part of the equation and in a discussion that has so many seeming angles to it and very good discussions. I think there should be some comfort taken that you have an agency that again, we can talk about what the protocol is all the big societal issues, but an agency that review group after review group has come in and looked at and said, these are men and women, this is the technology they employ that is very much attempting to faithfully and consistently follow the policies, the rules, the laws, the orders of the court. And I think we should, can and should, and you see a lot in the presidential review group and the president's speech, have discussions about those institutions, about the court, about oversight from the different branches of government and especially if you asked for kind of a, what would you add to wrong, maybe the wrong word, but what would you add to it? I think it's got to be a slice across transparency in all those and informed public discussion and there's various mechanisms to do that. I don't think we've squared the circle on exactly how that occurs, especially in an intelligence agency that, for many, many years, 35 miles outside of the Beltway, really being responsive as a DOD agency to military, you mentioned terrorism. So I guess I just to sum it up, I think there's a lot of moving parts of this discussion and I think there should be some comfort taken in that whatever we reach as new orders of the court or new authorities from Congress or changed authorities from Congress or removed authorities from Congress or that, that the NSA will faithfully follow those because there's really no separate and apart NSA goals that are devoid from the broader US government and broader societal goals. So I just would like to sort of plant that as a fixed point and very much recognizing the need to have that broader discussion about what are the right institutions, right? There was a big contract made in the 1970s when we went through the church pipe commission that we would have all three branches of government involved in very especially sensitive intelligence matters. And I think what we're finding now is that was certainly necessary and continues to be necessary. It may not be fully sufficient in a need where there's more and more wealth and treasure, communications, et cetera on a shared space and the need to more appropriately understand and have those societal-based discussions. So I'll stop my remarks there. I'd like to draw on Yochai's first point because it's one that I fundamentally agree with. And that first point is that many of the programs that we are talking about here were developed following 9-11 in a direct response to the perceived failure of the intelligence community. So there was a, I'd encourage folks, I actually picked up and read over the weekend, there was a joint report of the Senate's luck committee and the House in February of 2002 after September 11th. And it was really fascinating to read them walk through what led to a number of the intelligence failures. And the programs were directly developed to address those. So for example, the issue that when there were foreign terrorist planners overseas communicating with a U.S.-based person, there was no way for, first, the report strongly criticized NSA for completely avoiding any communications, even those like a foreigner communicating with a domestic individual. When the foreigner, it was clear, was part of a terrorist planning effort, but NSA completely avoiding those communications, lest it be observed or lest it be described as monitoring U.S. communications. So the programs were put in place following 9-11 in direct response to that. And I fully agree with Yochai's point that, I'm picking up on John's point, NSA implements the programs that are passed by Congress, reviewed by the various other branches of government. That national-level conversation to say, it's a decade later, what have we learned about the effectiveness of these different efforts? What have we learned about where the national thinking is on what the acceptable balance is at different stages? And then, how do we then determine what, as a country, we believe that balance should be? That's a conversation that we do need to have. And I think one kind of exhibit A for all of us as citizens is, one of the programs, the one that collects metadata on U.S. to U.S. communications, section 215, that was continuously reauthorized by Congress, approved by the executive branch, et cetera. And it didn't generate that conversation. It was in a completely open manner. So I think as a citizenry, we ask ourselves, why not? And in a related piece to the question you asked about what would be appropriate measures, for example, I think what we're all seeing is heightened transparency, but transparency on both sides. So within the intelligence community, there's a lot of concern, for example, about arcs of instability across the Middle East, individuals traveling around the world, gathering training and weapons, and what the impact will be for various transnational threats. That's one side of the discussion. The other side of the discussion is, how has technology advanced in the last decade? What's happening commercially? What's happened in terms of advances in just processing power, advances in data, and how data moves along? And getting an understanding of that, and then bringing the two together for an informed conversation to say, as a country, how does a country use those technologies to protect itself from various threats? And how does its citizenry think about that balance between the invasiveness of those technologies, the use of, the government use of technologies that may be widespread in a commercial world? Where are we, where is the balance as a community? So I think that's exactly the conversation that needs to happen. It's one of the reasons that we're happy to be here and be a part of the discussion because that informed debate needs information to help shape it. Very helpful and interesting. So I want to pursue for a moment a structural issues which were common to both of your interventions and to your guys. So if I understand John and your comments accurately, it would seem that you are advocating and saying we already have the following structure. Political branches directly or indirectly, which include the president, executive arm, Congress and the special court, which collectively set the authority of and limits on the authority of the NSA, which faithfully abides by all of the instructions. And then we have or should have, a little bit of slippage here, transparency in the formulation of the instructions but presumably not transparency in the execution of the instructions. The NSA, I'm guessing here, is not going to be in a position to reveal all of the information it gathers, certainly, and is unlikely to reveal all of the details of the mechanisms by which it's gathering. So we have a boundary between political branches that are fully transparent and engaged with and attempt to stimulate a public conversation, but a line between the political branches and the agency itself below which there is not transparency. So here's the follow-up question. Is that right? Is that what we really have here? And a second more subtle one is, can you really have a fully open, transparent discussion about the line without knowing what happens below the line? Do you want to take that first? I should. That is a, I think that's a very insightful question. So you asked two nested questions within there. The first is, is transparency above the line but a lack of transparency below it an acceptable mechanism? And then does it allow for the informed debate that then ensures that the programs above the line are appropriate? Just to kind of reframe, make sure we got the questions right. It's a very, one of the, I think one of the most interesting internal discussions we have at the National Security Agency today is about transparency. There certainly, the intelligence community serves the American public. We look at our job as keeping the country safe. The loss of trust that we clearly see following the media leaks. The sense that the efforts are out of, out of bounds with what perhaps the American public is ready to sign up for is something that gives everyone inside pause. So I think the framing of the question is can we learn together what is the level of transparency required and things like what are the programs? What are the bulk programs? What are, what's the distinction? Do we have a common definition for metadata and content? For example, many of the laws today make a key distinction because of a sense that the content of communications was far more sensitive to privacy concerns than metadata on those communications. There are some who might say that with the advent of technologies that then allow analytics on that metadata, you can glean a lot of information about the individual that reshapes that question in terms of the relative sensitivity as an invasion of privacy between metadata and content. So I believe the question needs to be what is the level of detail about what those programs are, the roles they serve in an interlocked way as well because many of those address specific areas. And then what is the frequency of update and then what is the information update about how they operate? Here's an example. And this actually occurred in our earlier panel which I found fascinating. Until the media leaks, so as many folks here know, US companies as our foreign companies around the world are compelled to comply to lawfully provide, are compelled to comply with lawful requests and those are subject to reasonable suspicion, et cetera, to provide data, subject to identifiers on their subscribers. Those are common, such lawful intercept programs are common across Western democracies. US and foreign companies are compelled to comply with the laws of the countries they operate in. Prior to the media disclosures, companies were permitted to release the number of law enforcement requests and the number of national security letters. They were not permitted to release the number of FISA or national security requests for content. There was following the media disclosures, many companies felt that there had been a loss of trust in users and a sense among the users of a desire to understand the scope of the number of requests. There's a lot of intergovernment communications and decisions to say, how do we get to where we satisfy the company's appropriate request? And that was changed to now permit companies to release the number of foreign intelligence surveillance act FISA request. Because that then rounded out the full scope of government requests under the one particular program. Within the US government, that was both being responsive to company's appropriate demands. But there was a sense that this added transparency in a way that was useful. Now is where the conversation needs to start to say, did it add sufficient transparency to give citizens re a sense of what these programs are, not only what they are in written law but in practice, how they work. And then if not, with that in mind, what is required to allow for that level of transparency? So John, if I can ask you to hold your comment from them because I think it would be appropriate to pursue this theme and I gather you are alluding to a conversation you had with Bruce beforehand. So if appropriate in this session, do you want to pick up the thread here? Sure. I mean, what we're talking about is transparency. And it's a common thread. And I think there are many aspects to this. When I look at... Actually, let me start talking about trust. Trust is inherently social. It's human, it is interpersonal, it's situational, it's fluid. And as human beings, we trust. This concept flows to trust of organizations, trust of systems, and it is still very much a human process. Like when I say I trust the cafeteria that I had lunch at, there's a whole lot of things I'm trusting, but that's being personified. And when we talk about trust in technology, what we generally mean is that technology does what we think it does. And this is where, and I actually use this term very exactly, this is where the NSA has poisoned the internet. That fundamentally, we believed that the technologies of security on the internet lived and fell on their merits. Not that they were perfect, not that they were immune from surveillance, but that they worked as we thought they did. And we learned through the Snowden documents that this is actually not the case. That the NSA could go, as we know they did, to Microsoft and say, change Skype to make it easier to surveil and don't tell your customers. That the FBI could go to Lava a bit and say, give me the master key to every one of your users and don't tell them. And so when you look at some of these transparent, we're just talking about the transparency report. We looked up the, so we know that Verizon got an order to basically let the NSA spy on everybody, turn over everybody's data. So when we go to the transparency report from Verizon, the question is, is that one request or millions? We pulled up the transparency report and the number was a couple hundred thousand. So we know that that order is one number in that tally. So now we have transparency reports that don't actually reflect reality because there are a number of court orders, not number of individuals. And as people being spied on, we don't count court orders, we count results. So when we look at how, I mean, and you were talking a lot about how should the NSA regain trust? And it's gonna be through real transparency, knowing what's being done and how do we get trust back on the internet is sort of knowing that deliberate subversion, not going into the front door and saying, I have a reasonable suspicion on this person, therefore I want the data. We know that happens. It's the I have no suspicion and I want everybody's data or even worse, I haven't even got the suspicion yet, but I might have it later so you need to fix your product. So when I have suspicion, you can meet my demand for data. That as we step back from what we expect, right, articulable suspicion, you've got a telephone call, you've got a person, we want the data to these more systemic changes. That's where the opacity gets more toxic. So that's a flavor of what we were talking about. And there's one final point. There's a really great article in The Atlantic a couple of weeks ago and the title is something like, why isn't the Fourth Amendment secret? And the question is, I think quite reasonably, the Fourth Amendment and the case law around it is a manual for criminals in how to evade the Fourth Amendment. The arguments we hear from national intelligence is we can't have these discussions at tactical level in the open because it gives the enemy information. Well, I think we've learned from the United States, the criminal case law, that in fact we can have a safe society, a robust criminal justice system with a lot more transparency and the notion that the foreign terrorists are somehow an order of magnitude cleverer or able to parse legal decisions, then domestic organized crime doesn't make sense. We're living in a world with much more transparency. We need to learn to do intelligence with much more transparency. I think it's possible. So a follow-up question, let's pursue this last criterion a little bit further. If I understand you correctly, you are suggesting that the standard governing how much the government in general, but the NSA in particular has to demonstrate in order to be permitted to gather information should be a matter of public revolution, public discussion. So that issue, like the presence of the Fourth Amendment, should move into the zone of the transparent. Is there anything that the agency does that's appropriately below the line that you would say transparency need not and should not reach that far? Yes, it actually is a really important distinction between espionage and surveillance. Traditional NSA mission was espionage, spying on foreign governments. That was necessarily a military task, that's necessarily a secret task. That mission changed with September 11th. When the president said, never again, they gave, that president gave the NSA, I think an impossible task. Ensure that something never happens. The only way you could possibly even remotely try to do that is to try to figure out everything that does happen. And that's when espionage moved to surveillance. When targeting a foreign government became, we have to look at everybody everywhere because the threat can be anybody anywhere. So that mission of surveillance, because it is so broad, because it is so encompassing, because it is so overreaching, needs the transparency. Then the traditional mission of espionage, I think can do with much less transparency because it's intergovernment. What's the distinction between espionage and surveillance? Is it just foreigners versus domestic? No, it is government, it is targeted against government, against state actors versus not targeting against anybody. The Verizon order to collect all of our information is not espionage. That's surveillance. So tapping the phone of Andrea Merkel is- It's perfectly okay. And I'm always kind of surprised that we have so much debate about that. Tapping phones of foreign leaders seems like what the NSA should do. Like why do we have them? Okay. It's Jonathan. It's great to see Bruce Schneier in his angry taxpayer mode. Good stewards. Yeah, a lot more efficiency. What's missing from the discussion this far? That's a big question. Not everything, just- Right. What's missing that's relevant? So some thoughts. First, by way of disclosure, you can visit my home page where I have a disclosure page which discloses things that might be material. What I have to say, not least of which, are that I'm on an NSA advisory board and that I'm a member with Bruce of the board of the Electronic Frontier Foundation. So I have multiple points of view on things. Bringing us together. Yes. So first I'm struck by Yochai's description of kind of two cultures that had been insulated from one another as he was describing a system that had a ton of money and resources poured into it after September 11th and grew without a lot of public input. And that's how in Yochai's words, more or less you end up with something that seems reasonable to one group of people and insane to another. I would take that descriptor and also apply it to something like copyright, which seems entirely reasonable to copyright lawyers whom we train here and whom you train. And also insane once you realize that if I were to sing happy birthday right now, I'd be technically in hawk to warner brothers for daring to have a public performance. So I won't do that. For several years. Harry doesn't look like he agrees you'd be there. Another panel. And I think it's all to the good actually for the pot to be stirred. We should be clear that it's probably being stirred among people who feel strongly in our thought leaders about it. I think the general public runs into copyright when they see a takedown on YouTube and wish it wasn't there rather than having fully theorized ideas about how it should be. And so this is all to the good that it's being stirred and that different cultures are encountering one another right now. Another field that I borrow a little bit of an observation from is consumer privacy where many of us including me wonder how consumers allow such intrusions into their privacy. And when asked by pollsters say they care about it but then by behavior clearly don't. I think one lesson there is just it's really hard to set and forget to think that the first time you use your browser you could specify 18 things about how your information should be shared. And then three years later everything is as you want it to be. That this is necessarily going to be iterative. And while it is kind of overdue to have a constitutional convention style discussion about what the general principles should be many of us are enough into the common law and into the case method that we know that we are gonna have individual reactions to things and maybe from that we'll build the principles rather than once and for all trying to figure out the right balance between X and Y. All of this is against a backdrop of change in the past 10 years. Yochai has detailed what I think it was either he or Bruce at one time called the collective post-traumatic stress America has had after 9-11. That's one thing in play that may be receding a little bit now. Another thing in play is that the unowned internet you described in your introduction has come into the mainstream and it is almost miraculous that it continues to function more or less well. I know internet engineers who still think of it as a pilot project that so far so good but the jury's out as to whether the internet will ultimately work. And we're at a mode where it's prime time enough that you could see at least collectively cement getting poured or hardened as to what the technology permits or doesn't. So there's a lot I think of urgency right now about how fundamentally encryptible should our communications be and there's a sense of if anybody tries to hold the quill too tightly on answering that question there is suspicion about that entity. We had that play out in the law enforcement context in the early 90s with the communications assistance to law enforcement act which there was great skepticism about for many quarters because it seemed like the cat was cheating the mouse by just declaring that by fiat digital telephone networks had to be designed to be tappable more or less once the warrants were provided for at the press of a button. You didn't have to go to the trouble of sitting in a cramped truck with alligator clips out the back to the telephone pole near the person you wanted to listen to. One lesson I take from that is there maybe are some forms of surveillance that might ultimately be doable and should be doable but there ought to at least be some sweat on the brow. You should have to really commit to doing it rather than having it be as casual as a push of a button. I think it's a very counterintuitive thought. If it's lawful, why shouldn't it be cheap? Lawful but expensive might be one path through this morass that we haven't thought about too much. And the other thing I just wanted to observe was there may be some ultimate reconciliation that we should seek between the kinds of surveillance whether or not you call it espionage that happen through the side window that say there are certain circumstances that pretty much every government will recognize where whatever you can get is what's fair because the person against whom you're collecting or the place where you're doing it all combined to mean it's fair game, it's spy versus spy. How much that should be the way it works versus the more law enforcement model of we have a certain process and we serve an order, maybe the order represents more than one kind of surveillance but we should count it properly. That's sort of through the front door rather than the side window. As between the two, and I guess it's fair for some people to say I want neither, but as between the two, I guess I prefer, this is my law background, the front door to the side window. And in fact, to the extent we have seen what Yochai and Bruce have variously described as subversion or poisoning of internet standards and such, that if it is a technique is getting less and less useful now that the cat's out of the bag and I would think that for the rest of 2014 and onward it would make a lot of sense to try to figure out how to devise protocols that are exactly as secure as they purport to be, that don't have any surprises for people. This is like, you know what you're in for and then let the game begin to see what you can surveil lawfully, knowing exactly how secure to the customer those technologies are. I'd love to get to a place where that's where we end up. John, I deprived you of your response earlier on. So this would see, I think, an appropriate opportunity to end the first round of questioning. So feel free to respond to anything that's been said since you last spoke, but including. Yes, yes, no, no, yes, yes. Well, that was it, nice to see that. Including Jonathan's last point, which I take it would be centered on a truth and advertising principle. So as we have truth and advertising vis-à-vis tools and practices, we're all set. Great. So maybe to rewind a little bit to your first question, which was kind of the macro level description of there being an above the line and below the line concept. And I think at a macro level that works, this can be transparent. This may have to be non-transparent. And actually, I think if you look at the documents that the government has declassified, the specific procedures, the actual implementation procedures of how it's all supposed to work, those are largely all now above the line. And I think that's the proper place for those to be. Just rewinding, giving you a little inside baseball. A year ago, we were having the discussion and even pre-note about what are those procedures? And I used to describe them as, well, they're very specific because not only do they proscribe what we can and cannot do, they say, if you're gonna make a query, here's the level of suspicion you need to have. If you're gonna share information, here's the steps you have to go through. But they also, in many respects, describe how we actually conduct the assembly line that you wanna call, right, foreign intelligence of collecting or targeting, collecting, analyzing, and then sharing. And I think if you look at the discussions that were occurring, the fear was by revealing those, you would not only be showing what the rules are, but you'd be showing the methodology of how exactly we go about our activities. And I think we've reached now a, that this is a great place for the nation to be, which is those procedures, those specific procedures that then we are assessed with compliance against are now out there in the public to be reviewed. I would comment, actually, interestingly, they have not gotten a lot of press and study if I were to just take a little push. Because I think, partly, I would very much agree with you, okay, which is, we are, I naturally, as a compliance person, it warms my heart to see people down in the weeds in the sense of that's where I live. But again, if you're just down in the trees, you're missing a larger forest discussion. And so, but I would just point out, I think that it's a great place for the, it's a tough place for the nation to be here, but we are gonna, there are policies that have already been modified, they're even the 215 program, the one that Anne brought up, the telephony metadata program, has already gone through changes, it will go through more changes. And it's a nice place to know that when those policy and laws change, that the implementation of those will change with them, and that we're very much committed to that. Am I right on one point here is that you also agree, not just with Yochai, but with Bruce, namely that you are with the aspect of Bruce's conversation, presumably not the reference to poison, but the reference to we need not fear terrorists more than we fear bank robbers. Specifically, we can be as transparent concerning the criteria we are using with respect to terrorists as we do with the Fourth Amendment vis-a-vis bank robbers. Got it. Is that directed to me? Yeah. So maybe you asked us to cabin our comments. I'm not sure there's a uniquely NSA position to that, so I'll speak just how I would approach that. Okay. And I think Bruce makes a good point of obviously and other concepts and other areas we've revealed capabilities and what the laws are in a more transparent way and work around them. I maybe would think, and I think Bruce has an interesting distinction between espionage and surveillance, I guess my question would be where to, for example, does terrorism fit in those two buckets? And I think partly the answer to that then maybe determines whether you think, right, revealing capabilities and techniques that maybe are applied in the terrorism world are more or less worthy of being disclosed and would generate more or less risk to privacy and national security, the entire concept. So I didn't mean to ask Bruce a question, I'm not allowed to do that. As a compliance person, I don't want to do that, but I do think that where you put terrorism in espionage or surveillance as Bruce has characterized it to some degree guides your answer to that. And Jochai answered that when he, when we started because that's where fear comes in. That if we are living in the world of fear, terrorism becomes this and this is the crazy word that was used, an existential threat against our country. It's just insane to say it, but people said it all the time. If you have that notion, then of course, terrorism flows into national security and doesn't flow into normal time crime fighting but 20 years ago, it flowed into normal crime crime fighting much more. So we as a nation need to decide. We know how to deal with normal time. We have normal rules. We know how to deal with exceptional time. It just seems crazy that we've decided that for the rest of our civilization existence it is special time because of this change in technology. So the terrorism showed up and the question is which norms did it get? Did it get the norms of national security? Did it get the norms of crime fighting? And right now it has the norms of national security and that seems to be toxic, that it really needs the more normal norms. Okay, that's a provocative note to end on. So let's turn to the audience. We have to repeat 40 minutes. So when you speak, please identify yourself. Sorry. You could lie though if you want. Are we going to use microphones here for the recording purposes? Okay, then hang on just a second. I'm going to have this gentleman here like to speak. Hello, my name is Eric Skase, really. In the discussion of transparency and formulation of policy versus transparency and the execution of policy, where does the role of detecting and correcting failures in execution occur? Because we know all systems fail at various times for various reasons. How transparent should that be transparent? What is the policy? What are the methods for dealing with failure? And we think that's you. I think that from a compliance perspective. Yeah, I guess, I mean, there's been a lot out from the leaks and we've also published a number of documents describing both compliance and non-compliance and the mechanisms to detect and correct those. And we actually had some of that discussion in the prior area about the roles of inspector generals, the roles of internal accountability systems. I take your question as being a little broader, which is kind of, and maybe to Yokai's point of, the big construct from the 1970s was have all three branches of government involved, have a definition of minimization procedures that doesn't actually have the word spying in it. You can look across all the procedures, that word spying does not exist. And maybe that's a bug or a feature, who knows what. But it describes the balance and the achievement of privacy and national security, how to think about that. And Bruce and I were discussing this earlier as a series of information rules that if followed properly, and that's why you see in the review groups, following those information rules, those minimization procedures, is by definition the goal of compliance. And again, a lot of the discussions have gone very much into the weeds, but Yokai and others raised this bigger issue. Bruce raised the bigger issue of, where do you put terrorism, for example. But again, that is the construct that was put in place in the 1970s. And we've seen a large growth in the internet. We've seen a large growth in national security threats. I don't think we should minimize that. There really is a threat out there that does exist. And so the question is, how do you add additional ways to get more folks involved? And I think you see the privacy of those. Oversight Board is being another one of those that's been added. You see a number of recommendations from the presidential review group for how even to address some of those activities. So I take your compliance point, and I think that's where we put a lot of energy, internally to NSA, with oversight from various branches of government. But maybe your question is much broader, and I'll turn it over to the other. Ann, I don't know if you wanted to... Yokai has a look on his face. I am sorry that I'm so expressive with my brother. You're just so transparent, Yokai. The embodiment of transparency. There's nothing to hide. Despite that, it's very black. How's that? How's that for you? I take this question to be pushing much harder than the gentle manner in which it was presented does on the idea that we have transparency, so-called above the line, and lack of transparency below. And I think one of the things that has been so powerful in both the Snowden disclosures and the declassified materials in response to the Snowden disclosures is the systematic failure of the post-watergate delegated oversight system. That is to say, we don't actually have all three branches of government involved. What we have is a facsimile of all three branches of government, in each case severed from its most critical operating component, which is its responsibility to the public. So we have an executive highly segmented internally, and we saw beautifully in the description of the five inspectors general study of the presidential surveillance program that ran from 2001 to 2007, how secrecy is used to carve out within OLC who gets to look at it for the first two years so that the professional norms can't be applied, how secrecy is used to carve out the presiding judge of the FISC so that only she gets to see it and approve in differential opinions in one context, and the rest of the FISC is only brought in after the leaks from TAM and TICE and Klein in late 2005, 2006 forced the issue on the table. We saw then later on in the opinions from 2009, the opinions from 2011, that well-intentioned, conscientious actors within the NSA trying to comply, nonetheless are encounter judges who say, for three years you haven't been doing anything that you said you were doing. The program never operated according to the way that we said it. So I think that the idea that we have transparency above the line because we have a notion I'll borrow from Bruce's idea of security theater. We have oversight theater with facsimiles of the three branches. But it's not at all clear to me that what we've seen is actual above the line transparent oversight and then below the line lack of transparency. So I'd like to make a distinction. I think, Yochai, you're making two points nested within there that perhaps if we pick apart we can make some insightful thoughts there. And I think one of the points is there is very extraordinary and effective from our perspective within the system oversight below the line in terms of what actually is occurring in these programs and the very critical comments led to real operational changes on the ground which is a sign of effective oversight. I think where our current system at least from my perspective falls short is so the initial set of laws that followed 9-11 and the various programs that went there those were generally reauthorized with full transparency those were open hearings, et cetera. But how within our system the fundamental we think to say are those at the strategic so above the line level the oversight of us as a citizenry to say what are the programs that are in place and are those the right balance? I think that's where more engagement occurs and more engagement needs to occur. So at least from my perspective within the system there's very effective below the line oversight by all three branches and the level of criticism you see in many of the leaked and or declassified documents highlight that and the changes that occur on the ground. I think where we see the failure is above that to say once programs are put in place sometimes it appears it's almost as if they're approved continuously but the conversation to say what needs to be adjusted at a larger level doesn't appear to occur. Please, one second. Dan, you've been inside the system. Is the account that Yochai just offered of the failures within the oversight systems accurate? So I'm Dan Meltzer, I'm here on the faculty but I also am a member of the president's intelligence advisory board which as it sounds like is a group that offers advice to the president on intelligence policy and I also worked in the White House Council's office at the beginning of the Obama administration. I think the question of oversight is very important and very challenging and I don't think we have a perfect institution in the government for providing oversight. We have several institutions that I think have strengths and weaknesses and I think one of the great difficulties with oversight is that to provide oversight in the sense that Yochai mentions which is oversight that in turn engages with the public and creates the kind of public trust and legitimacy that's very important for all government programs including intelligence programs requires a level of disclosure with which officials and agencies in the intelligence community are going to be a little bit uncomfortable. I think there isn't above the line, below the line problem that's inherent in intelligence gathering. It isn't just for the NSA, it'd be equally true for the CIA, they're very protective of their sources and methods so we all assume that the CIA is trying to collect information about I don't know, Vladimir Putin's intentions but exactly how they go about that is not something that we necessarily want to have disclosed. So I think that it requires a good deal of creative thought to think about how to strengthen oversight institutions. I mean there have been suggestions made recently as to several for example providing adversary process for the FISA court. That doesn't mean that the court is gonna be the answer to all problems but it's one example of how you could tweak one oversight body to try to improve it. There is also a certain amount of oversight within the executive branch. John can speak to this much more effectively than I can but as there occasionally are operational difficulties in the way that an agency like NSA is going about particular programs and the court doesn't think that the agency has understood what the directives were. The Justice Department is involved in auditing and overseeing those programs. They're self-reporting from within the agency and so there is a certain amount of self-correction that comes from within the executive branch but again no system is foolproof. Bruce, did you want to follow up? Yeah, very quickly. I think there's two kinds of oversight that are being conflated here and it's important to separate them. There's the oversight of are we following the rules and a lot of what we're hearing about are the NSA's procedure for following the rules as the NSA sees them and that's all very good, I think very important. The other kind of oversight is are these the right rules? It's very different. How are we interpreting the laws to make the rules? And that's what Yochai is talking about when he's talking about the failures. I don't think it's, we really can't say that Congress approved the Patriot Act therefore when you have Representative Stenson-Better who wrote the thing, look at this note in his closures and say I didn't mean that, that you need the tactical information, the below the line to inform the above the line because you've got this translation step between the laws to the rules to the execution. So separating them and seeing the interplay I think is critical in understanding how oversight works, how it fails and how to make it succeed. Someone on the side. Yes. My name's Ryan Vyadesh. So with the transparency reports that you discussed particularly Verizon's, it was released after this DOJ agreement that specifically laid out the types of information that companies could release and one of the things that it did was that it, in addition to the number of requests for national security letters, it said that the companies could disclose the number of customers affected. But for Pfizer requests they switched the wording and they said that companies could disclose the number of customers targeted or number of accounts targeted. They switched from affected to targeted. And the, which serves for 215 if you're not targeting anyone then you get a zero there. So it seems to me that the purpose of that legal wording switch was in a sense to disguise the existence or the size of the 215 data collection. But maybe there was some operational reason for this. And so my question is as a trying to be a critical citizen thinking about these things, how are we supposed to distinguish between the times when legal word games are played in order to hide legitimate operational secrets versus the times when they're being used to hide the existence of things that the NSA just thinks people wouldn't like to know and would want to reform or change if they knew about them? So I think that's a good question. I'll take a first pass at that. First the changes in terms of information that could be shared was made in direct response to the web services companies and the public statements they made, really pressing the government to allow them to be more transparent with the number of requests because of a sense that both the large number of their users are foreign users and also a deep sense of a loss of user trust. So that's what prompted the government's review and really pressing itself to think could that request be satisfied? I don't know answering candidly. I don't know in terms of how that was considered for national security letters. A lot of the requests had been very focused on FISA because here too for the companies had not been permitted to share anything about FISA requests that they received. So I just don't know the answer to that intermediate question. From the perspective, speaking, you said to make a distinction, speaking on behalf of NSA, there's a real desire to be more transparent. There's also a recognition that there is a greater need for transparency. One thing that the US has uniquely is a tech sector. So whereas virtually every Western democracy has programs like these, compelling providers to share information on users following a period of course making proof that it's required, et cetera, what's unique about the US is that the tech sector has been a driver of our economy and is a key driver of innovation. So as a result, there's a real desire to consider that this is a shared space and to really make whatever decisions are required to allow companies to be as transparent as they would like to be to regain their users trust. Jonathan, I want to step back to one thing that Bruce raised that if I understood him correctly, he's inconsistent with your suggestion in the end of your comments. So in particular, Bruce seemed to suggest that at a minimum selective revelations concerning actual surveillance practices. In other words, disclosure of stuff, operational details through Snowden or whatever is necessary to make effective our, the willingness of the agency to abide by the rules that are dictated by the ostensibly oversight organizations. And therefore truth in advertising concerning the efficacy of tools is not enough. Is that right? Well, it's how much is enough truth to be fully disclosing is really the question. And I think we have to feel our way there. I mean, there may be, there's certainly gonna be a level of disclosure that would be so much that people, many people wouldn't find it that helpful in coming to a judgment about whether they like this program or not. And in turn, it may be helping out and I'm aware that the level of disclosure, truth and advertising of Fourth Amendment law can be painfully specific. I confess I forget the difference between the glove compartment, the trunk and under the seat of a car. But those each represent a case. Dan, I guess can, I apologize, Dan. I think you taught it to me actually. Too late to, oh, it's changed since then. Good. See the details aren't important. But it's amazing to me. I remember amazing as a first year law student find that the chambers of the mighty in the Supreme Court had been disturbed three separate times to hold forth on each of those locations in a car. I guess it relates to what we were just talking about in that. Wait a minute, I wanna pursue this metaphor a little bit further. So in the criminal context with rare exceptions, not only are the rules governing whether you can search the glove box or not visible and open for debate. But whether this particular defendant had something in the glove box is revealed in the course of adversary proceedings. Yes. So by contrast, in most aspects of what the NSA is doing, if our panelists are correct, then we are at least moving toward an environment in which the rules about the glove boxes are made visible and debated, but not toward a situation in which we know who had what in his or her glove boxes. Now, Snowden revealed a lot of who had what in the glove boxes. Is that good or bad? I don't know if it's true. I'm sorry? I'm not sure I categorized it as true. That's Snowden revealed what was in the glove compartments. I see. Yeah, there's a lot that. That's revealed in the glove compartments. Yeah, Snowden appears to have revealed mostly top level kind of policy documents more than raw signals intelligence, for example. And I was thinking it would depend on what's the problem we're trying to avoid for which we might have different levels of disclosure. One problem that surprisingly, perhaps to those who are most worried has been, I think, utterly absent from the Snowden revelations is the kind of classic bad actor Mr. Burns rubbing his hands together, kind of let's spy on our opponents, call it Watergate. Or also from the Watergate era, but not related literally to the Watergate break and recover up the so-called Houston memo and Houston plan by which a memo went to the chief of staff suggesting that the mail just be opened and looked at to look for internal subversion. And it said pros and cons. And the pros were, we'll learn a lot more about internal subversion. The first con was this is blatantly illegal. And then there's a line. You can see this memo, like literally the memo is available online, a copy of it. And there's like, please initial here for your choice. And they had initial like, yep, let's get those mail covers going. That to me is like, I was feeling outraged. I was, I think I was two when it happened. I was retroactively outraged. I was like crapping my diapers over it. And that kind of perfidy has not been, a closest has been, I think, a memo summarizing the amount of so-called love-int where people are going off the rails as individual analysts. And that was NSA disclosed. Right, that's what I mean. That's internal audit. So that's one category. And to me, that's an example of, it can be really hard to know what's right here, but it's easy to know what's wrong, and that's wrong, and that's not on the table. The second category would be what Yochai referred to, the terrorist surveillance program for which this joint inspector's general report is a total pot boiler read, ready to be made for Hollywood. In fact, I think there is a script going around in which Jack Goldsmith, our colleague, is the plucky hero where, among all the players being Republicans in the executive branch, there is great conflict and skull-duggery around who's allowed to know what to try to keep that program going. And I think institutionally, great regret that that kind of skull-duggery took place. It came that close to mass resignations from the Department of Justice over the program. And I think many of us would not want to see that happen again, and it is not, even with the disclosure, there's not evidence of something of that caliber happening. And then finally, you have questions just about, with the right public oversight, would the decisions about what programs to engage in and how far be made the way they are? And that, I think, does auger for more oversight, but probably less of the operational detail and more otherwise. Burst, you're pointing at Yochai. He has to leave, so he has to leave. He has to leave, so you get your chance to. I apologize, teaching dominates all other obligations in this institution, so I will leave. And in the nastiest way possible, I will leave with a little stink bomb and see what you do. Look at Parthian. Bulk, right? You distinguished Bruce between espionage and surveillance, and between criminal and military. But I think one of the things that at the moment we haven't quite had in the conversation, and I'd love to be here, I'll see afterwards what you're talking, what you say. Bulk surveillance is a fundamentally different problem, both from the perspective of the normative implications of knowing that you live in society where in principle, everything you do might be recorded and stored, particularly on the background of a family of very vague and punitive laws, including the various terrorism-related and espionage-related laws vis-a-vis particularly weak populations, be it Muslims or be it critics of the national security system. A computer fraud and abuse act, which is extremely punitive and extremely vague for people who are activists and activists, and the broad definition of terrorism for various subversive activists, as we saw in the DOJ's Inspector General's report on surveillance of domestic political groups, which is much older and not related. That is to say, five, six, when I say older, five, six years old. All of these together suggest that bulk is a particular problem because it creates tremendous data sets into which you can then dig afterwards under extremely punitive and vague laws. That's one problem. The second problem is it's specifically the difficulty of bulk surveillance that has forced all of the interventions in commercial systems design, in professional standards setting organizations, in FISC oversight and the move from particularized orders to generalized orders in the circumvention or limitation of what the understanding of Congress was. So achieving that capacity to capture everything, as Bruce was talking about, was a huge shift from targeted operations, which are something that is, some of the materials that were described with regard to tailor-access operations were remarkably impressive, and not creating the same concern. So on the normative side, bulk surveillance is the thing we all worry about in terms of living in a panopticon society, and also because of its technical and legal newness is what drove the subversion of all of the other systems, the commercial, the technical, the legal, the social norms. And so the question is to what extent is that question susceptible to being on the table? Can we go back, can we put that particular demon back into the box? Not in the very, very, very narrow way that the president did with regard to 215 of basically saying you keep the data and we'll come look for it, but in terms of saying it imposes too high a cost on too many systems to continue. We'll continue to focus on searching based on suspicion. I'll watch your answer. I apologize. Great. I'll jump in. So again, the discussion, the first revelation right was the 215 program, which we would all describe as a bulk, lots of metadata. You know, Yokai asked, is it gonna be put on the table? It very much is on the table. The broader discussion about bulk collection. And so I just wanted to walk through a few things that have happened in the past couple months. And one of which is a presidential policy directive 28, which has a specific section on bulk collection, which is separate and apart from the changes to the 215 program. So that was in the presidential review group. It's a section in the presidential policy directive, essentially limiting down what we would call, and again, the one thing I find is, one person's bulk collection is another person's targeted collection. And so I know Bruce doesn't like it when we talk about different authorities, but there are people that have described the 702 program, the prism collection, for example, as bulk. There's nothing in the procedures themselves that say this is bulk or this is not. It's a lot of quality versus quantity, those kinds of discussions. So the short answer to Yokai's question is absolutely discussions about the appropriateness, the wisdom, the benefits of certain types of bulk collection, especially in certain areas of the world or in certain contexts, counterterrorism. You'll see the president and his presidential policy directive limited it to six categories, right? And to make sure that they were appropriately cabined in maybe just collection and use. So the short answer is absolutely it's on the table. Again, it's one of these discussions. You mentioned legal words and all that. To some degree, this is a legally dense discussion to have. And again, there's two ways to approach that. One of which it really is a legally dense and fairly highly regulated space, in which case we need to discuss the legal density and the regulations. But if we're gonna have that discussion, then we need to use the words that exist in the laws. So bulk is not a word that files neatly into the different authorities that have been laid out. The presidential policy directive is now further defined what that is. And that's an important thing that we're then working through in the interagency. So I just leave it with that, Ann, I don't know. I think just a couple of quick points. We've had a discussion about bulk versus content. I think one thought just to add is, what is the mission driver? Because I think it's an important point to understand why bulk programs were even pursued in the first place. And the reason they were pursued is one of the hardest problems with regard to transnational threats. And we talk about transnational threats, those are cross-border threats. Those are also often threats that use commercial technologies because they're ubiquitous, they're free, they operate around the world. The main reason bulk programs are generally used is to discover first evidence of that kind of activity, the first evidence of a terrorist plot, the first evidence of a drug trafficking or trafficking in persons. And that's where thinking through and to say how could that mission be pursued in ways that are more tailored, in ways that minimize bulk, that's actually was one of the presidential review group's recommendations. And it's a fascinating area of both technology and policy that needs to be explored because I think it's at the root of until the mission can be pursued in far more tailored ways that allows for then real progress in becoming, it's certainly a very much a policy goal both U.S. government and the National Security Agency to be as tailored as possible. The question is how do you do that first discovery in as tailored a manner as possible? Sir. Hi, it's all kind of about a citizen journalist here in Cambridge. I think one of the ways there's a disconnect, I mean, you folks from the NSA just pointed at, if we're all concerned about, quote, bulk collection, unquote, and the laws and policy directives don't even talk about bulk collection. Well, they do. You said the word didn't exist. You said the word didn't exist. No, I'm sorry, again, to be precise, the presidential policy directive talks about bulk collection defines it. What I'm saying is, is I've had folks say to me a certain type, like prism, they say that's bulk collection. There's nothing in the 702 procedures that use that word. That's all I'm trying to say. I'm just trying to say, if we're gonna have a good discussion, this has gotta be, this has gotta be part of the discussion. This is part of transparency, is being very clear about what words mean, and not introducing too many new words that are emotionally charged or politically charged, such that discussion becomes about feelings which are very important, but if we're gonna operate in a regulated environment, we need to have discussions about what the regulations are. So, my apologies if I was not clear. I take that. Yoke, I will see that I'm admitting that I was not clear in my response. Do you really think that the NSA disclosures have served to make, and I mean, the stuff you've declassified, not the leaks, made it possible for an informed citizenry to have that sort of discussion because, I mean, I'd like to think I'm a smart guy, and I mean, I get lost in this very, very quickly with overloaded acronyms and trying to use a prism, and it's like, was that the thing that's collecting all my email, or was that the Yahoo address books or whatever? I mean, it's, you know. So the short answer to your question is no, I don't think that that achieves full transparency. Again, many of the documents that were released, either through the leaks or were not written, essentially, for public release. You have court opinions, you have even letters, I just, Bruce talked about the Patriot Act. There's another thing in there that was released which was the executive branch letter to the congressional committee saying, you need to know that this statute in the Patriot Act has been interpreted and used to do the telephony metadata program. You need to know this before you vote to reauthorize it. Sort of a clockwork orange moment where you're holding people's eyes open and saying, look at this, I promised Jonathan I'd use the term clockwork. But short of that, again, a lot of this is making sure, and that letter was written for more, again still classified at the time, but more clear statements about exactly what's going on. If you try to pour through the legal memos, which I do on a day-to-day basis as a compliance officer, they're written with a decade of understanding and terms and it's like being in law school again. I mean, it's exactly what it is. There's a common law this developed, there's a written law, there's policies, there's definitions, there's representations that have been made over the course of years, and so the short answer is no, I don't believe that even 2,000 pages of declassified, partially redacted, and you're always wondering what's behind that three-letter black spot, or maybe it's five, and you're trying to figure out what the difference is. It might have been my name. Right, five, right, you know, those kinds of things. No one I think believes that that is, that's the end all and be all of transparency, and so the real issue is figuring out going forward. How do you maybe write those opinions? I mean, I've seen the Foreign Intelligence Surveillance Court put opinions on the public web almost faster than sometimes they come through our internal channels, because they recognize that some of their things they're dealing with, for example, preservation orders, it's really important for that kind of transparency to be immediate, and you can see a change in how those are written, such that they're more available, consumable. Because that's the disconnect. I mean, you talk a lot in authorities and policy, the public debate doesn't happen at a legal level. It happens at those feelings and emotions and charged words, and that's where the public has to have the debate. The public cannot talk about this directive and that law and that authority because even people who follow the issue, who are not being paid to be in the minutia are going to be lost. We have to have this debate on, is this the right thing, what we wanna do, and it's hard, but we gotta pull you guys out of the noise, I mean, you being the NSA, you being the administration, into this more vernacular. I would, I mean, violently agree, I would say. Sir, you've got your end up for quite a while. Hang on just a second with the microphone. I appreciate Jonathan referring, sort of referring to the lack of malevolence that appears to be in these revelations, but there was one revelation that struck me, as extremely malevolent, which was what was called parallel construction, where the NSA is collecting data, supposedly about national security and terrorism, but they find something about drug dealers, they hand that off to prosecutors. The prosecutors can't use that evidence because it was violated the Fourth Amendment the way it was collected, so they won't fabricate new evidence that can be used in place of the inadmissible evidence. That strikes me as like breaking all kinds of proper boundaries in the way that the government is supposed to work, and how can the NSA defend that? Do you wanna respond? Not to the last point, but I'll be curious to find out. But I've actually tried a little bit to get to the bottom of that because when I saw the initial reports and kind of my Ralph Nader in this area, my person who, if Ralph Nader is happy, I guess the car is safe, that's Nancy Gertner, and Nancy Gertner was quoted judge Gertner, former judge Gertner is saying this greatly troubles me. If indeed it involves the fabrication of evidence, the bus stops here, like that's just, we can't have Santa's workshop making evidence up to cover the trail of something, and if that's what's going on, I am with you in outrage. I don't think that's what's going on, and we'll hear for a moment maybe from a more authoritative source than I, but let me just put it to you this way as a hypothetical, and we'll find out if this is closer to the truth. If it turns out that as the result of stuff collected lawfully, and perhaps later the policy will be changed with more transparent, but it's collected lawfully, let's presume that for a moment, there is incidentally within it, evidence of a crime, let's suppose we care about. So it's a crime that's of violence and et cetera, et cetera, that's maybe in the planning stage or about to be uncovered. If that gets passed along to law enforcement saying, you might wanna stand on this street corner and just watch at 2 p.m. today because something bad is about to happen, perhaps. If law enforcement does what it is otherwise entitled to do, which is stand on a street corner and take a look, and something bad then happens, is law enforcement under an obligation to say that it was tipped off to be there through the following thing. That seems like a more complicated, less outraged, laden question to me than the fabrication of evidence to cover up something else. At the very least, we should agree that if there's evidence being brought for a grand jury or for a warrant or into a trial, certainly in the latter two examples, there needs to be a right by the defendant to confront it. I'm hoping I'm making Dan Meltzer at least not outraged, not proud by recollection of CRIM Pro. And so we should see if we can get more about what is the reality there. At least if it amounts to something lawfully collected, it's as if it's in plain view, you may not owe something. It's notable to me that we have started to see in the past couple months the executive branch and what I think is a new thing starting to notify defendants that certain evidence possibly used along those steps of the way rather than telling police when to stand on the corner has been brought to bear. And that's a new policy and I'll be very curious to see its meaning. Yeah, so that's kind of point three. So I mean, point one, just to be clear, NSA is not a law enforcement agency. So if your question is about law enforcement use of information in criminal proceedings, that question is sort of best addressed straight to law enforcement. See if I can give you. This is about NSA handing information off to law enforcement. So NSA does gather information and then report on it. And those reports are made available to a variety of policy makers, agencies, et cetera. So that then, how they use that is again, appropriately addressed to those other agencies. We do not, we cannot receive a request from law enforcement and circumvent the warrant process to then gather information, hand it back for use in a, you says something they would have to get a warrant for. Second issue, and Jonathan mentioned on this, or pointed this out, was in the course of normal foreign intelligence collection, we do occasionally, and you can see this in the procedures, we're not looking for it, but occasionally we come across evidence of a crime. And there are procedures to go up through our office of general counsel to hand it over to the Department of Justice to then appropriately handle that. So it doesn't happen all as much as people would imagine just because we're not looking for crimes. We're looking for foreign intelligence to inform policy makers. The third then is there has been a lot of discussion and some changes in notification from the law enforcement side of defendants about certain types of information. You get the whole derive from thing, but that's gotta be a justice FBI type answer. I would step way outside of my, to your guidance NSA zone to then answer that. So we're not a law enforcement agency. I wanna make sure that's clear. I just wanted to add quickly, I do wonder five, 10 years out, if it turns out there are databases gathered for searching for foreign intelligence purposes. And we know that the identity of the murderer, the solution to the Agatha Christie mystery is within it. Could we, will that, I mean, there's gonna be pressure to do that. And when we look at something like the Boston Marathon bombings, and we're all in this city locked in our houses for hours at a time wondering if there's somebody around the corner about to come after us. I gather there was a connection to Chechnya, so that's maybe foreign intelligence stuff. If it were purely, clearly domestic from the outset, a Timothy McVeigh situation, it's worth asking what pressure would there be to use every resource we have? Right now I think the law would say, the NSA wouldn't have much to say about that if we know it's purely domestic and within this territory involving US citizens. And that's, I mean, that's an example of the kind of sacrifice that Yochai was talking about. I don't know how much longer the polity would welcome it given Bruce has written about the kinds of threats that a single person can pose. And the tech is there. I mean, the Verizon metadata database would be a perfect thing than in a McVeigh style investigation. The FBI could say, you have to search this. Go up to the justice, go up to the president and the exception is made. The data being there, data begs to be used. And how could you say, or make up a hostage situation, a kidnapping, pick your emotionally charged, need the information now crime. And I just don't think we could restrain ourselves. But actually we have restrained ourselves and I think the good point is we're now having a discussion before we get to that moment that you're worried about. So for five plus years, we've restrained ourselves. And again, that's a great, it's a difficult discussion and I very much take your point that discussing in the details and versus the more macro level is a chasm we have to cross. And I think that's probably the nugget I think we all need to take away. And we have the other side too. The defendant saying, I'm innocent of this crime, this murder and the NSA database can exonerate me. Please produce my phone conversation my metadata because that will declare me innocent. I mean, how can we as moral society not do that? Somebody's been in one. And we didn't do it. Which is like mean. I mean, it's really mean, right? Okay, we are at the witcher. On that note. Yeah, so one more note. We've covered a lot of ground. There's been a great deal appropriately of disagreement but also a surprising amount of convergence. And there at least seems to be consensus on two points. First that public discussion of these issues is essential and that it has to be conducted in terms that is accessible to the public at large. That's challenging because it means oscillating between the law and the language accessible to non-lawyers. I would add a third that characteristic of the conversation we need to continue to have which is that has to be engaged in before public sentiment rotates inadvertently to match social practice. The hazard, the long-term hazard in this area is that we grow accustomed to an environment. Yokai, we describe it as the panopticon society that alters our understanding of the proper balance between privacy, autonomy on one side and security on the other. So these conversations have to be had or should be had before that adaptation occurs. You might be too late. So our hope, my hope anyway, is that this session has contributed and will through the recording contribute to conversations of that sort. Please join me in thanking our panelists.