 Good afternoon, and thank you so much for joining us here at New America for this afternoon's debate on law enforcement versus smartphone encryption Is the FBI going dark or is it in a golden age of surveillance? hashtag crypto debate for those of you on Twitter New America for those of you who aren't familiar with us Is a non-profit non-partisan public policy enterprise that invests in new thinkers and new ideas to address the next generation of challenges? Facing the United States and the global community I'm Kevin Bankston. I'm the policy director of New America's open tech Well, I should know my organization's name. Shouldn't I the new America's open technology? Institute the tech policy and tech development wing of New America where we're dedicated to fostering a stronger and more open internet for stronger and more open communities OTI is pleased to host today's event which is focused on a technology policy controversy that's recently been in the news But has its roots in the 1990s That is the societal costs and benefits of widely deploying strong encryption Technologies to secure our data and our communications the most recent iteration of this debate was prompted by Apple and Google's announcements in mid September that the data on new iPhones and Android phones would be encrypted by default so that only the users themselves Can unlock their phones On one hand this announcement was quickly met by strong public complaints from law enforcement representatives arguing that the move would Irresponsibly deprive them of critical evidence stored on those encrypted phones Even in cases where they have lawful search warrants authorizing them to obtain that evidence the Attorney General and the FBI director have gone so far as to suggest that Congress may need to step in and Tell companies how to redesign their products to ensure that government investigators can access encrypted data or wiretap online Communications whenever they have appropriate legal authority Otherwise they warn that lawbreakers will effectively be able to go dark and evade detection or prosecution On the other hand technologists and privacy advocates argue that any attempt to create a surveillance backdoor for government Into these products and services will undermine the overall security of our data and devices while also putting us companies of the serious disadvantage in the global technology marketplace and They point to the fact that law enforcement and our intelligence agencies already have access to more data about us Our communications and our movements than at any other time in human history of riddable golden age of surveillance if you will So which side is right? well, we at OTI have our own perspective and You can probably guess which way we fall on the question But in response to a recent event on this issue here in DC that was built around a speech by FBI director Comey We thought it important to provide a more balanced view and allow policy experts on both sides an opportunity To fully air their arguments We've also posted for your info To our blog a complete bibliography of all the substantial writing that's happened on this issue since Apple's original announcement So director Comey said he wanted to begin a national conversation on this issue So we're taking him at his word and doing our best to contribute to that conversation a Conversation that might turn into a live legislative issue in the next Congress And we have really lucked out in terms of who we've been able to get to participate in that conversation First representing the law enforcement view. We have Andrew Weissman sitting in the center Who is a senior fellow to both the Center for Law and Security and the Center on the administration of criminal law at NYU Law School? Andrew was the FBI's General counsel its top lawyer until last year and prior to that amongst other things He worked as a partner at the law firm of Jenner and Block and his special counsel the former FBI director Robert Mueller With a wealth of experience in law enforcement and as a longtime advocate for the FBI on the issue of going dark I expect he'll be quite the able opponent to privacy scholar Peter Swire who will be representing the pro crypto pro privacy view And is uniquely qualified to do so Peter is currently the long professor of law and ethics at the Georgia Tech Scheller College of Business After recently leaving his longtime perch as the C. William O'Neill professor of law at Ohio State He's sometimes been referred to as one of the White House's tech policy czars He served under President Clinton as the chief counselor for privacy at the OMB Served his special assistant to President Obama for economic policy and most recently served as one of the five experts on the Presidentially appointed review group on intelligence and communications technology that issued a comprehensive report and recommendations on the NSA surveillance programs Including recommendations regarding encryption policy that I'm sure will inform his perspective here as well I expect his paper going dark versus a Golden Age of Surveillance which served as an inspiration for the title of today's event And finally our moderator for the afternoon with a unique perspective that finally balances both the civil liberties and law enforcement perspectives Is Nancy Libbin? Nancy served over three years as the chief privacy and civil liberties officer of the US DOJ Department of Justice Before settling into our current position as a partner at the law firm of Wilkinson Barker and Nour Before going to the DOJ Nancy served as counsel to Senator Joe Biden After cutting her teeth as a young digital rights lawyer at the Center for democracy and technology Small world the same nonprofit that I worked at before joining OTI last year and where Peter is currently a policy fellow So we have an absolutely incredible group of law and policy experts here to discuss this issue today What we don't have on stage today admittedly is our technologists Which is why we're hoping to find a good pair of technical experts to also debate this issue in the near future In the meantime though I'm going to hand things over to Nancy to kick things off starting with Opening statements of less than five minutes from Andrew and then Peter then questions from Nancy directed at both or either of them until Around the turn of the hour and then we'll open things up for questions from the audience Thank you again for coming enjoy the debate and again if you're tweeting the hashtag is crypto debate. Thanks Great, thank you Kevin. Thanks everybody and thanks for hosting today So we're gonna we're gonna start with opening statements and I think we'll start with Andrew great. Thank you. Well, thanks to the New America Foundation I Hope this is informative for all of you So I tend to like to think in spite of the fact that I am a litigator This is a discussion more than a debate because I think that there's a Lot of heat and not necessarily a lot of light that's brought into this topic so let me start by Talking about something that may be basic to Many of you but make sure everyone's on the same page and that is I'll deal with a little bit about the facts deal with the current law and what I see is the Issue that confronts not just law enforcement and the intelligence community, but all of us So I assume that like me I brought a prop with me, which is all of you have something that looks a lot like this And if we do our job correctly You will not be using it during this Discussion slash debate, but I suspect that we will fail in that and that many of you will be checking your emails And even sending emails during all of this Yes, or well perfect. It's like you're a plant for my exactly my point you'll be doing emails messaging instant chatting You know the one thing you won't be doing ideally is actually placing phone calls and talking to somebody And the reason I raise that is that the world we live in Is really different than the world we were in in 1994 The ability to communicate in myriad ways has just changed completely From the time that I was a kid reminds me of I have a nephew who when I talked to him about typewriter said to me What is a typewriter? So things have really changed in 1994 when Congress passed Calia It covered what at the time was a basic way of communicating people either communicated in person letters or by phone calls and by Congress requiring that when you make a phone call There needs to be a way that if the government got a court order Based on probable cause and met sufficient standard That there would be a way to effectuate an intercept of that telephone call The problem is the world we live in is different than in 1994. So when you email when you message That is no longer covered. It's not no longer. It is not covered by that 1994 statute So the ways in which we all communicate Including criminals is not something that law enforcement can have access to by law so that's the problem the thing that's not an issue here is This is not a question of can law enforcement just unilaterally get something when the law says that it is not required to have an intercept of Ability to go into emails That means that even if the government met the standard of proof beyond a reasonable doubt and convinced an independent court an article 3 court that an Order should be issued allowing an interception that it still would not be possible to do that intercept So the issue is not about sort of what is it that what is the showing that law enforcement can make to allow the government to actually Do an interception? Because under when you have something not covered by Kalea It means that even if there was proof beyond a reasonable doubt, you're not going to be able to get it absent the company voluntarily deciding that you can do it But it wouldn't be legally required all of this came to fruition as Kevin noted when Apple announced that it was going to as a default have its iPhone encrypt Its communications capabilities now frankly there was nothing new about that the issue of going dark has been one that law enforcement in the United States and overseas has been focused on the thing that was somewhat novel about the the way in which Apple said it was that it announced this at not as an ability to Have a more secure system But rather this was going to make it impossible to comply with court orders So normally that is not a the outright goal. That is sort of an unfortunate byproduct of trying to make something more secure so the debate the the issue for all of us is that there is no Perfect world. There's nothing where you can have both a completely secure system where you can be hack-free and you can have the most Bulletproof system in the world and yet also have a system where a Court can make sure that its orders can be effectuated. There's going to be trade-offs There's going to be a balancing in order to make That normative assessment about what it is that should happen when if ever should the government be allowed to effectuate an intercept of an email or a telephone call there are a lot of Sort of factual questions many of which are unanswered And I think one of the reasons that director Comey called for this conversation and called for Congress also to look into this is because there needs to be I think more Data law enforcement. I think and the intelligence community has to do a good job and certainly I think a better job of articulating the costs that it is experiencing in terms of preventing criminal acts preventing criminal acts that that are sort of more routine law enforcement type issues from criminal acts that are are really intelligence community issues meeting terrorism by the same token, I think that the Internet service providers have to do a better job at talking about what exactly is the cost to them In terms of if you create a system where you can have an intercept capability What are the best ways to minimize the damage? In other words, what are the risks that you face from that? What are the economic costs? What are the abilities to prevent hacking? And for elite to prevent illegal intrusions, but at the end of the day, there will have to be a normative decision Where I come out at this and it is certainly informed but the fact that I worked in the government and I worked at the FBI and I It was part of seeing daily threat streams both criminal matters and national security matters Is that in that trade-off? I rather have a system where with a court order You can help minimize the risk of serious criminal acts including terrorism as opposed to the also the downside of having a system that will be more subject to intrusions and hacking But that is that is going to be a judgment call for all of us and for Congress to make But I think that that normative decision requires a much greater vetting of the factual issues on both sides In terms of what the costs are Thank you Andrew Peter. Do you know? Yeah, thanks Good afternoon everybody. Thanks to Kevin and OTI and New America for hosting and it's a delight to be here I'm gonna highlight in these opening remarks two themes one is why we want to have good cyber security and The second is this debate between going dark and the golden age of surveillance Very fundamentally There's a device manufacturer now to that proposed a new feature that makes the device more secure and We can imagine a government regulation coming in and saying you can't do that That's a really strange and surprising thing to tell to device manufacturers All of us have been around the cyber security debates where this is an existential threat to the United States This is one of the the biggest threats facing us a cyber security executive orders and legislation and in the course of our discussion I think we'll get into more the technical things but for now The basic story is strong cyber security that everybody knows you're supposed to use encryption for a lot of things And that's what Apple and Google are adding in this particular way at this time So I think that this is a security argument for what Apple and Google have done the second point is in These debates about law enforcement national security privacy civil liberties. We go through phases. We go through periods. We're not 9-11 was a while ago. Snowden's recent. There'll be some other bad time when bad things happen As a society, we have to make some basic judgment. Are we going dark? Are our forces of law enforcement national security too weak? Or have we given really quite substantial powers and benefits and advantages in a period right now? And I'm going to say it's the second so the going dark term previous FBI general counsel Valerie What's your lesson? Caproning was I think the first person to testify at least saying going dark the instinct from the FBI side was This technology is changing Kalea doesn't apply to software and hardware and Encryptions going to mean that we go blind. We come in we get a wiretap and all we get is ones and zeros We don't see anything. That's the going dark instinct I've written a paper a few years ago before Snowden about why instead we're in a golden age of surveillance And I'll give you three reasons for that the first reason is That as Andrew said we are now in a world of the most prevalent tracking devices in human history All of us carry tracking devices almost all the time criminals do because they have to talk to their fellow people to do it in Human history there was never GPS on bad guys and good guys alike so an enormous change in the ability to track people Second thing if you're law enforcement a lot of times you don't care what I say you want to know who I say it to Who are my co-conspirators? Who are the other possible leads that will lead you in the investigation to these things? That's what's called metadata We are in a fabulous period for metadata. How many texts do you write? How many emails do you do how many social network posts how many I'm checking in from here? Do you do the explosion of metadata means that law enforcement has an unparalleled period where they can link me to my confederates? huge advantage for law enforcement third all the other databases Somebody was talking to me as I was getting ready for this about uber and lift You know what uber does uber takes a cash transaction for a taxi and turns it into an identified Credit card followed where I went transaction on uber That's happening throughout our society as all these different databases happen One of the biggest ones is what's called the data broker industry that the FTC has done a report about Law enforcement is able to subscribe to amazing databases in a huge range of things So when we add up the ability to spot people and then we add it to the people to find all my confederates and add it to the Fact that there's multiple subsidiary databases everywhere That's a period of surveillance that is absolutely better for the FBI and others than the pre-internet world was so instead of saying We have lost something the Golden Age's surveillance argument is that the surveillance people have tools they've never had before and I think after Snowden and all the press stories We've seen the idea of going dark as the description for the surveillance Capabilities just doesn't match what we all have seen and I thought these arguments were clear before the Snowden revelation So I think we are in a Golden Age of surveillance our need to write new rules to help surveillance is not where I think Congress should go Great. Thank you Peter. I'm gonna start with an opening question for Andrew and Andrew you mentioned at the beginning of your presentation that Kalea, I think you mentioned Kalea, which is the communications assistance for law enforcement act which was passed in 1994 Put some limitation on providers obligations with respect to encryption and under Kalea providers are obliged to turn over plaintext to law enforcement when law enforcement comes with a warrant or whatever legal process is required Providers are required to turn over plaintext if number one they have Provided the encryption and number two they have the ability to decrypt data And that's where the law stands right now, which is why Apple and Google Will no longer fall in that category because of the new policy So we also As you were at the FBI when the conversation about Updating Kalea Kalea 2 was taking place the FBI and DOJ are in the process or have been in the process of an interagency discussion and Looking at new legislation several years ago your predecessor Publicly stated that Valerie Caproni publicly stated that encryption was not on the table that That the FBI could live with the bad guys using encryption Even when that would preclude FBI access in some cases that the FBI did not want to relitigate the crypto wars of the 1990s But there were other concerns and they could deal the FBI would would Address other concerns it had with Kalea. So my question is a long question. That's right Is what's changed since that? How does the Apple Google announcement change that calculation that the FBI had made sure? so the So I think that's not exactly what Valerie was on this in terms of the going dark problem because the going dark problem is really The same except factually we're sort of in a worse position Because the more that there are communications that fall outside of Kalea the more that there is a problem that you can get a court order And it's it's not worth the paper. It's printed on because if you show up with that piece of paper It's not going to be effectuated no matter what showing you've made to the court so her concern was That you've not imposed an obligation on a company that had no power to Deal with the encryption issue as part of that or it's if they didn't either provide the The key or the encryption, but they kept the key if they had or if they had created a system where they deliberately Made it so that you didn't have a key. That wasn't something that the FBI was saying. Oh, that's great That's always been something that's problematic For the FBI it's been certainly I don't mean to drill down this but it certainly has been problematic I'm wondering though why because she was very clear publicly at the time that They were not that the FBI was not interested in changing the obligation of the provider to break Encryption you have to remember the issue was when Kalea happened. This is this is the state of Kalea It's you're dealing with Telephone companies where the issue was simply that's the way in which Americans communicated other than in person and you put clips on it The issue was what to do with all the new written forms of communication to put it bluntly So that are happening sort of in real time. So let's say you have email traffic or messaging if it's encrypted and the company had and it was done entirely by the consumer and The company didn't do I didn't have any responsibility for it there Everyone said look that you have to deal with that issue On a sort of individual basis, and I think those were exact words. We understand that there have to be individual solutions, right? but the issue of a company Dealing with just we're just not going to create a system is something that she battled and I battled as well with dealing with that Where the lodge doesn't require companies to do anything different than what Apple's doing But trying to get companies to understand what the risks are so I just don't think that's sort of correct reading of it the way in which Kalea to me the debate is in some ways about the FCC because when Kalea was passed the People who passed it were trying in fact to make it evergreen They understood that technology changes and the method for that was that to extent that there were going to be new means of communication that were going to functionally be the same as telephone calls that the FCC is supposed to update the Way in which Kalea works to Encompass those So I think the biggest change which was an expansion of Kalea was for voice over internet protocols But to me this is a perfect example of in some ways this debate has already been had which was that Kalea was supposed to be Expanded by an agency So it was supposed to be a more streamlined process than Congress to include things like email I think all of us would say email now is the functional equivalent But you don't have the FCC acting so either the FCC or Congress I think needs to step in to essentially put us in the same place that we were in In 1994 I'm a little itching having having lived through the 90s Kalea as past was a couple first of all is the is the law that said the telephone companies had to make their Systems wiretap ready. So if a court order showed up the phone company wiretap would work That's the basic story for Kalea and at the time there was a big fight in Congress and there was a deal in Congress that said the internet was going to be Excluded that IP protocol software hardware for the internet was going to be Excluded and that's been the law ever since and they didn't have the decision to move forward in Congress until that carve out Happened 1994 was not pre-history the internet was out there email was out there the electronic communications Privacy Act was 1986 and the Congress decided not to include it And it to expand it to people doing new hardware new software to go through the absolutely Crippling complexity of the Kalea litigation that we saw in the DC circuit after the first law Would slow up innovation would put regulation deep into an awful lot of things So I think in a big expansion of Kalea way beyond what the 94 deal was is a dramatic departure from the status quo Let me just for a second come try to say Something about the going dark really crisply Imagine if you will that there's a situation where you have access to 50 new databases You never had before and one or two of the things you used to do sometimes you can't do anymore That's the way that I look at the facts around this and the one or two things There's a paper in the Article in the intercept that said that three of the four examples that director Comey used to justify this Didn't stand up to scrutiny would not have helped in the investigation in a material way And so with all of the knowledge of the FBI about Investigations and they don't have cases to show that match the concern That's a really crippling factual problem in a time when there's so clearly so many access to databases They didn't have back in the 1990s So can I respond to that so that might make it sort of so I think this is a really I think this is a legitimate Point to raise which is the issue of when you're comparing sort of where we were to 1994 because that's sort of a benchmark And you're sort of asking well What is law is law enforcement in a worse position or a better position in terms of what are the costs from a law enforcement? perspective that is a totally legitimate question But as I said the same token you could raise the same issue with respect to Technology what would be the cost of having an expansion of some form of Kalea? So the way I look at that is I think that it there is no question that the issue of GPS devices Being able to track location Understandably with with court Process where you have to meet a certain level are you willing to have caused warrants for that? Well, right now under Jones. I think that's what the FBI is doing if they tell No, no, that's what the Jeff the eyes doing. There isn't trespass So but the to me there's no question that GPS is something that law enforcement and intelligence communities has now in a way that is broader than it had in 1994 you certainly could make the argument that in 1994 you could figure that out using Telephone calls. I mean you can obviously telephone calls. You can get a lot of data from that Who's calling who? It can help you in terms of where they are But it's not in any way comparable to looking at GPS So that is definitely something that is that you have that's more But if you asked somebody in law enforcement and intelligence community Which I think actually Peter does in one of his articles sort of which would you prefer? if you had a system where every single email And chat was beyond you could not look at it. It was one gigantic tour and you did not have the ability to get content What you did have was GPS? I think that you would say of course I want content that is a huge huge loss that In 1994 you could get the content of the communication on a telephone You cannot get that now. I now used to be an organized crime prosecutor there's one thing to see mobsters doing walk talks and know who they're meeting with and Law enforcement would look and see who is at weddings and who was at funerals and who walked around the block But until you actually knew what people were saying you could not make a case You couldn't make a criminal case if you were dealing with terrorism. You would have no idea what they were plotting Yes, it is data That you have when you can see who people are associating with But the cut there's just no question that the content of communications is going to be extremely valuable from both an intelligence perspective and from a law enforcement perspective, so if you imagine the world of Where we were in 1994 when you have telephone calls that are able to be intercepted and you imagine a world where all communications of emails and chat were end-to-end encrypted and Were as if it was on the tour I think we'd be far worse off and I it's hard to imagine that That anyone in law enforcement in the television community wouldn't say the same thing so I want to pick up on that and This is for Peter And I want to draw on something that Chief Justice Robert said in the recent Riley case So Riley was a Supreme Court case this year earlier this year that reviewed the limits of law enforcement Searches incident to arrest and the court held that law enforcement Had to generally has to get a warrant before searching the contents of A phone smartphone that it recovers from somebody an arrestee And in that case Justice Chief Justice Roberts Said and made a very bold statement. He said privacy comes at a cost and he recognized the Impact that the decision would have on law enforcement But said nonetheless the data that's on our phones today is so qualitatively and quantitatively different So uniquely personal and sensitive that law enforcement Must under the fourth minute get a warrant Before it can access The contents however, and this is I'll post this to Peter Chief Justice Roberts also went on to make clear that they're holding did not make the information immune from search so my question for you is Is apples and Google's policy doing just that? Well, first of all, I think that the Riley decision was a super important decision To for the court to recognize how sensitive the material is on our phones We have chief justices and justices who've now lived with a life of cell phones And they realize that getting into that and taking all of that just because I got arrested for going five miles too fast That's the wrong decision So it's a huge win But I think the privacy at a cost miss misses I think the stronger argument for That we're costing security if we break these Defenses and I'm just I haven't gone through the technical stuff months But let me just make a few of the points Some of these are from the I triple E USA has done a study that just really goes through for technical experts Why it's hard to build backdoors that will not turn out to be major points of vulnerability Among other things when you try to build the backdoors it gets much more complex to write the software Complex software is more easily broken software Another problem with the backdoors is that becomes the focus of attack for the next time And we have examples of that such as Google had a database of all the people under prism that it was keeping track of in the email And the Chinese hackers went in and got the database of who the terrorist suspects are. It's a honeypot It's a target. It's the thing that you go for once there's a backdoor system that backdoor system becomes the focus of attack There's a book by Susan Landau about surveillance versus security where she talks about what happened with vote of phone in Greece Their lawful intercept mechanism for the phone system got compromised like Google's database did and the Prime Minister and other major people in Greece were subject to massive wire taps Because the system that was supposed to be used for law enforcement access Became the system for compromise on a very large scale and there was an example in Italy as well So when you say privacy versus security then that's sort of tough view is well We want security the point here and the point made by pretty much every technologist who's written about this is that it's Surveillance versus security and security is being compromised by what director Comey was asking for Well, can I say I mean I think that it is right for technologists to focus on the issue of what would the cost be in terms of Cyber security if there was going to be a Intercept solution that was required by law I mean that's something that you in order to decide the normative issue of where do where should the line be it is totally appropriate to ask that question, but it's I think the What I've seen in the debate is that people say well just focus on wait a second if you require The ISP to have an intercept solution that will come make it the system more vulnerable Let's take that as a given Let's assume that everybody would agree to that I'm just going to assume that for the purposes of argument the issue is still a question of One how much so what are the best possible systems that you have to minimize that risk and Then is it worth it in other words? What are the other downsides? I mean you there that's just part of the issue. There are lots and lots of Interests here. There are civil liberties issues. There are cyber security issues There are law enforcement issues and a national security issues So it seems to me all of those players need to present what the harm is and also What is the best way to minimize that harm depending on so that you can decide? What is the correct line? My biggest issue here is that that sort of fleshing out of and really forcing everyone to come up with their best arguments and the best Ways in which they could mitigate the risk really is a job that Congress is supposed to be doing I mean that it's obviously a this is a town where it's easy to blame Congress But that is something that I just as a citizen think is needed That that is something where you want somebody to make that decision Consciously not just we're in a default System now and if nothing changes we sort of made the decision without actually really looking at the data and looking at it intelligently I know you put but so I'm I think Andrew makes the point that we want to know what the facts really are and Congress is the appropriate place to do a lot of those fact-finding But I'll make three quick points one is we had really long detailed arguments about the facts of encryption in the 1990s I lived through a lot of those meetings I was the chair of the White House working group on encryption in 1999 when the policy changed and So the you know in people who care about national security and law enforcement were in the rooms Then and we work through facts over a period of years second point is there's an astonishing imbalance in discussion on the technology all of the Technologists who are on that bibliography who have written are on the side of you must be nuts to have backdoors No technologists has come forward from the government or somewhere else and made the point about no is really not that bad And then the third point about having the backdoor is we talk as though It's going to be only the FBI with really good article three judges that are playing here But these devices are going to be used in China in Pakistan in Russia in whatever your least trusted country is around the world if the US creates a system of backdoors Those backdoors will be insisted upon in these other countries And they don't have the same article three judges and it will be used for a lot of other Purposes and it means if there's a way to grab your phone when somebody's visiting in that country then that government will have a Way in so we're protecting cyber security in a global way And these facts have been debated before my article on encryption and globalization I commend to you it's 80 pages long. It'll put you to sleep But but these these arguments have gone before and when this happened the technologists have ended up on one side of the argument so I just want to pick up a little bit on what I was talking about before with the in the Riley case how Chief Justice Roberts made very clear that the decision would not preclude the FBI from getting the information it needed And so I want to talk about whether apples and Google's policy does that aren't there other ways In which law enforcement could get access to the contents of a cell phone Other than go to Apple and Google. So I think that's a really good question. So I think that there are At least two ways that you can think of as being potential ways for the government to get that information That is what is the alternative source even if you had sort of pure and hand encryption? so one potential way is if the user backs up To a server where you can actually then serve process with whatever legal showing that needs to be made Is that a way that solves this issue? Meaning that well Apple might say don't worry. We can't Provide legally provide this in fact if it ends the server they can Or if somebody else has the server they can the other party can let's call that iCloud just as a And the other way is if you could go to the actual user who's Has the end-to-end encryption and say what's your password? That would be another way these are always to say you know what maybe it's not as is secured as apple sort of suggesting So here I see there's sort of two problems. So first. Let's take what I call the fifth amendment issue so the issue of going to the end user is So You know we're in America so let me just focus on the American system one you have to find the person So that may be a lot easier said than done You might know What account you want, but you don't know the actual? Name and location of the person and the person may not be in the United States So that they may not be subject to process so You can't just sort of say tell me you're your if they're in You know name your foreign country You can't just go to them and say tell me you'd have to actually serve a grand jury subpoena or some other type of Process so those are huge issues already you have to find the person they have to we within the reach of the United States Jurisdiction and then you have the issue of the fifth amendment now that is a I could bore you because there's law on both sides of that There is some messy language in the Hubble decision from the Supreme Court This is a funny issue because you find law enforcement saying yes There's a fifth amendment you find non-law enforcement people saying no there isn't which is sort of a reverse of what you might expect So in putting on my role as I am now an academic in Theory it is very very hard for me to understand why there isn't a fifth amendment This seems to be a classic act of production. You are producing something namely your password and the court has traditionally protected that active production that and and derivative use If it couldn't somehow incriminate you to me that seems clear, but admittedly there are There's law on both sides and as I said there's language in the Supreme Court case that would suggest you You may be able to get it at the very least there's going to be a lot of litigation about that issue So that falls into the category of that is not really a workable solution I would say for the main reason that you know you can't find the person or know that they're here But I also don't think that the fifth amendment issue is in any way clear The second issue is the backing up issue. So look if you're fortunate enough to have You know one we're talking about conversations that you want to get that are criminal because you've shown the necessary Probable cause so we're not concerned about innocent people Who are backing up so you know I back up because you know I don't want to lose all my data That's not exactly at least stars I know that's not something that the intelligence community or the FBI is particularly interested in what they're interested in is Criminals who are doing this so I think for some Unsophisticated criminals who are backing up. Yes, that is a potential way to get information is one way to solve this issue But if you're talking about terrorists or you know people who are in any way sophisticated You know if you're not in the business because you want to get caught the whole point is to do something So you don't get caught so the idea that you would be a terrorist who backs up to the cloud seems really unlikely As a potential solution to say well, don't worry. You can this is fully encrypted, but you can get it from my cloud So I don't think that's gonna be real solution for law enforcement or the intelligence community So a couple things that have we haven't said so one is I think what Andrew just said makes clear This is not just about Apple and Google this fall This is really a discussion more broadly about encryption and is and should the companies put it in in a lot of places Because when we arrest the person in their phone, we know where the person is typically most of the time when you get my phone You know where I am or you know, it's my phone. So he's going so it's broader than that second thing that hasn't come up enough in the debate is that a lot of law enforcement searches are towards enterprises they go to towards companies and That's important to know for white collar I mean maybe I mean you've done white collar a criminal thing if you go to prosecute Enron or whoever it is And you say we want this data the IT lead for Enron will produce the data or face contempt of court problems And so a very big fraction of devices and investigations are towards enterprises And I think the likelihood that you can get that enterprise to comply with the law is extremely high Do you have a different view on that for enterprises Andrew? No, but I don't think that's I mean I don't think this is going to be a particular issue for Prosecuting Enron. I mean I think that the kinds of examples that I think are animating the discussion have to do with on the law enforcement side things like kidnapping and on the terrorism side have to do with the things that really keep Good people up at night worrying about and I don't think you're going to have an issue of There's no corporate Fifth Amendment privilege for the Taliban But it's worth noticing and I think this hasn't been enough in the discussion that a great big amount of searches and seizures happen by going to organizations and We have little reason to think that's a problem here So we can always focus on what the problem is but part of the going dark thing is that you still get all of the other enterprise things another thing that we saw in the crypto debates in the 90s is That if we say in the United States, you can't do it or Apple won't do it Then the sophisticated criminals the one we're worried about Get their own software and hardware solutions in some other way in those days It was going to be Israel or some other country that would write the crypto in this era It might be an encryption app that you download from some other country that will turn out to encrypt the stuff on your phone And so these sophisticated people will have those kinds of resources the less Sophisticated people will make various mistakes, and I think that combination is part of why we've seen so few Instances that law enforcement can point to despite this debate going on for years where the frustration by crypto has really happened Just the last couple days about ISIS using encryption apps and other forms of encryption tools They weren't relying on Apple isn't that isn't the argument from that that you can There's no hundred percent solution, but if you can relegate the people you're most worried about to to a more limited sphere You you have a better way to target your law enforcement and intelligence community resources I mean you can't do everything through informants. You need to have The ability to intercept as well being able to target what you think are going to be the most likely locations for those Activities that you're most worried about it seems like a very good use of Resources as opposed to Now they can use any communication Meaning Google Apple name your resource because they are there's there's a finite number of resources There are thousands of leads that you have to cover And Americans expect that which is that if you have a lead that it that is potentially Let's take the worst-case scenario and terrorism lead that that is something that's going to be covered Being able to narrow that to a certain group is going to be extremely useful in order to accomplish that Pick up on something Andrew just that you just said and pose this to Peter So is there a tipping point a point at which encryption is so is so ubiquitous and Providers stop holding the key and it's there's end-to-end encryption encryption at rest and then transit that the balance starts tipping very noticeably toward law enforcement and and this Debate becomes very different. We're so far away from having super effective cyber security for everyone That I think we can we can relax on that one for quite some time that that's that's one answer That goes to your overall assessment of things Encryption has become prevalent in many ways that were opposed by law enforcement and national security in the 90s Your hardware chips have encryption multiple times inside the chip to do all sorts of authentication and signing and other things and We know when you're going across the insecure internet with the Wi-Fi hotspots and all the nodes that you don't know who they are If you're not encrypted in transit, you're leaving your stuff wide open So the shift to HTTPS to having encryption between me and my email server is Brain-dead obvious security and I think having millions and millions of devices is very clearly obvious security as well So we could and then your your but that doesn't answer the endpoint maybe we maybe the crypto warriors get everything they want and we have content wrapped up with encryption and then people become super sophisticated using Metadata screening using Tor and things we've never come close to imagining so you can't figure out the metadata At that point would there be reasons for government to fight back We are so far away from a world where the data is locked up like that You know with the commercial databases with the government ability to get to the cloud that it would take about 1500 of possible things before breakfast to really get there. So I'm not I'm not too worried about that I think there's a converse to that which is sort of to me, which is is there are there things that that law enforcement and the intelligence community would say, you know what you don't have to go that far in other words, what are the limits on both sides and This is an area where it gets incredibly complicated very quickly But I think the answer to that and again speaking for myself, but ultimately it'll be You know for the for the administration today to have a position on this But there are there are lots of issues that I think Could be grounds for compromise so for instance one of the key arguments is that is this going to stifle innovation and so having an exception for Startups, whether it's based on you know dollar amount time Number of participants would be one way to have a carve out that there's there's kind of companies wouldn't be covered You could have a Wi-Fi hotspot exception You could have private network exceptions So you know the university is running something or companies are running something for just internal purposes so there are lots of ways to try and Have something which is an absolute and I think there the argument for that is that this is not a there's no hundred percent solution I mean I just I unless you're an absolutist on either side There are going to be trade-offs and so you know it's not that you sit there and say oh this is great And there's no downside to it. It's a question of are you you know in a world of no good solutions? Are there areas where you can compromise? where you're not Really sacrificing safety and security Well what one area we haven't talked on and a reason to be cautious about compromise So I've made the arguments There's privacy and civil liberties reasons to be cautious that there's security reasons to be cautious because of cyber security There's also economic competitiveness reasons to be cautious And so let's imagine a regime in which the United States is regulating down on encryption so that we don't have as effective encryption in the products We have seen post-snowden and there's studies that show it in the tens of billions of dollars enormous hits to US economic actors What European government and their procurement wants to buy from the US if they think that's going to the NSA and and so part of the review groups message was Surveillance the internet is not there for surveillance We don't want to build the entire internet just so the NSA and the FBI have the best approaches That when you're making decisions on surveillance, you should have the economic agencies involved and it's been reported in the press For instance at the Commerce Department has consistently opposed Kalea to out of a view that it's a real harm to American commerce and economic competitiveness if we do if we Require holes in American products It creates room for the competitors overseas to fill that hole and to gain market share and to take a lot of the first Mover advantages we have and lose those And and I think it's a it's unfortunate that Apple made a bad messaging when they released this thing If I had been their advisor, I would not have let off with the fact that we can frustrate legitimate law enforcement Investigations, I don't think that's the way to lead off, but when you look at the facts, which is what we're looking at Having the effective encryption is part of the way American companies show to the world that you can trust our products We'd sure rather have that than have the rest of the world say they're not going to use US technology anymore So the one piece of that I just wanted to focus on which is the privacy and civil liberties concern Which I think is is certainly a valid concern, but the reason I don't think that it really comes Sort of theoretically into play here is that suppose you had a system where the courts were saying, you know What before we issue a warrant and allow electronic intercept We are going to require proof beyond a reasonable doubt In other words, it is the highest gold standard you could think of That I mean would any of us say okay, well wait a second. There's still a privacy and civil liberties concern. I mean that would be So much higher than what's currently Required and even that though is not going to be possible in a world where you have full and tanned encryption It doesn't matter what what whether you've shown it to a fairly well, you know Where there's not even, you know, it's beyond a reasonable doubt There's no doubt that you're still not going to get it. So the issue of Sort of what the legal standard is and how much you're protecting civil liberties and privacy seems to me to not be an issue here It would just be a separate debate about you know should the government have a different Showing that's required under title three, but that debate I think most people are satisfied that the normal debate For when you have to have electronic surveillance is is a good standard and it's fine So I don't view this as a principally a sort of civil liberties issue Because of that but it is a technology mandate to say that instead of having shades on your windows or locks on your doors Are you're safe or whatever? We're now going to say as a technology mandate that when you manufacture these things You have to manufacture holes in them. That's definitely true I mean, they're they're the government regulates in all sorts of ways and usually a lot of the people on the side of It's sort of the you know Apple Google side are usually the ones who are not Really worried about government regulation. We have health regulation. We have environmental regulation We have money laundering regulation Net neutrality it is regulation. I mean there there are numerous ways in which the government regulates It's not regulation per se. That's the issue Money laundering cost companies to have an anti-money laundering system Cost companies, you know millions and millions of dollars, but that's completely accepted as a way to not have companies participating either intentionally or unintentionally in money laundering operations Before we go to question just one quick note There was one of the readings in the bibliography It's from a professor of cyber security an engineer at Georgia Tech Annie Anton. I think so fabulous writer and One of the things she says is at a time when we're messaging cyber security and trying to teach to all our students and our Grad students and all the people in companies the absolute essentialness If that's a word of locking down our systems and being secure To have a message come from the highest levels of don't be too secure That that is going to blow Spock's mind that really is just not that it's not easy to explain that to the engineers Who are trying in a difficult world to handle the complexity and build good cyber security? That's awfully hard to do and it's a real bad message to come from the government All right, so we are going to open it up to the audience and Nancy is also available to comment in response to audience questions at this point, so Both gentlemen, we're not gonna cause Chris have the mic I'm Jason. I have a question about citizens if citizen have the ability to shred documents burn devices or Whisper in the presence of microphones. Why can't they have encryption? So there's no question that individuals can talk in code They can shred documents, but that in terms of the spectrum. That's because There's a big difference in terms of the effect on law enforcement and intelligence community between one person or several people doing something Particularly in a way if they if they just can do it on their own in terms of its effect on the ability to prevent some law enforcement or National security event. There's that's a huge difference from a company saying we are going to market on a general basis for everyone The ability to do something Well, just remember if you shred something they're shredding itself can be illegal There it depends on the circumstances of it Mr. Weissman, my name is Chris Siglian. I work for the ACLU So when you described the main two ways that the government could still get information encrypted on a device you Described going to a cloud provider for backups and you described going to the individual and compelling to disclose information The elephant in the room, of course, is there's a major third way which is hacking into the device The FBI has had a dedicated team of agents who do nothing but hacking people's devices Whether they're computers or mobile devices. They've had this team since 2001 Currently, it's called the remote operations unit. You know this team exists because ultimately, you know, the buck stopped at your desk The FBI has never gone to Congress and I've read your pieces Then you know what I'm gonna say right so the FBI has never once gone to Congress to seek explicit legislation permitting the use of malware and of the Court orders authorizing its use that have come to light. I've read every single one of them I've never seen the FBI tell a judge. We are gonna be hacking into this person's computer They say we have software that will reveal this. We wish to insert the software into a web page You on stage you talked about the important role of Congress and the important role of article 3 judges Yet when it comes to hacking which has been used for 15 years Law enforcement have never once gone to Congress publicly They haven't been forthright with the courts and on stage here. You're not even acknowledging that this capability exists So isn't it a bit disingenuous to not talk about hacking in the same in this conversation when you cannot separate hacking and encryption? so The issue of I mean, I think Apple actually addressed this which is is there a way to hack into their phones So just to keep it on on this subject And I according to them it was going to take five years to do that so Right, so look at In terms of technology if it as we said if there is a way that what Apple and Google and other companies are doing is Actually solvable with a court order that you can actually with a court order get into it In other words what Apple is saying is actually not true That it is something that with a court order you can get it then I would agree with you The issue is that that is not the world that I think is is the one that we would live in And it is what I understand Apple and Google are going to do So I guess we have a fundamental Disagreement in terms of I'm no longer the FBI general counsel I can tell you that my understanding having seen court orders is that The FBI is up front with courts about what it's doing Can I just respond on that part? So a version of what Chris said and Chris's article on privacy in the cloud is one of the places to read that Really goes into how the data in fact is handled in a lot of these backup situations But one way to one thing that Chris's Question raises is the issue of zero-day attacks, which is when there's a vulnerability It hasn't been used previously and the FBI or an intelligence agency or somebody has a way in and so in the review group There's it's been another source of controversy How much the US government should stockpile these zero-days and in what instances and our our recommendation was to lean towards defense that Tightening up cybersecurity in a wide range of places is the right way to go when it comes to these zero days There's an article in Wired Today that includes a long interview with Mitch Daniels cyber security lead at the White House That goes into a lot of detail on this issue If we think the right way to go is to have lots and lots of zero days for the FBI That would be counter to the sorts of approaches. We were saying in the review group Hello, okay. I know it's a little confused. Hi. I'm Jacqueline and I'm From nowhere in particular actually So from what I could hear of the debate it seemed like there's a strong emphasis on more of like a consequentialist approach Kind of like a cost-benefit analysis to how this is all working out and Even going apart from some of my issues with that Both both of you mentioned the difficulty like in regards to risks and international policy Kind of at both ends So I guess my question would be how do we ensure international? International norms and coordination, you know, whether we whether we're talking about building the backdoor or whether we're talking about the need to not build a backdoor and If it is actually impossible to ensure that coordination Would that change your cost benefit? To the point where the cost or the risk of public perception then outweighs the potential benefits Did you want to take a try? I don't know you haven't given you Well Consequentialist is usually opposed to a sort of human rights approach that would be that sort of other side and In debates about encryption and debates about government surveillance. There's lots and lots written about human rights There's a lot of discussion in Europe for instance about fundamental human rights and why privacy is invaded That hasn't stopped the European intelligence agencies. Perhaps sometimes we're doing the same things, but there's there's stuff in the law there in terms of international norms Richard Clark and others have written about the importance for cyber security of building up international norms the way we did with the nuclear Treaties over time leading to some successful reductions their intention And so confidence building measures step-by-step with some of the other major players such as China are good ideas And I think we should try to find ways to build that cooperation. There's international summits and stuff where that happens We shouldn't expect a huge progress in the short run But I think over a period of years, and I think the debates with China and the US on these issues as part of that That's clearly part of what the US diplomatic agenda should be It's simply not going to be the case in the in the next three or five years the Budapest Convention on cyber crime and convention was one step towards making cyber crime enforcement a workable But any expansion of that has been really fiercely resisted and it also has other problems on the civil liberty side to begin with So it would be great to find a detente in this area, but we're quite a ways away from it I think I guess this is the this is the aren't you being a bit disingenuous row My name is Dan from Connecticut with the intercept. I'm just wondering You know you you talk about how we shouldn't be absolutists you talk about how we should you know Find some middle ground. Is there a middle ground here? I mean, can you have little teeny tiny back doors? I mean, isn't it isn't this a a zero or one question and by saying well, let's put the difference you're you're being disingenuous Well, I just I think I don't see that. I mean There's there are all sorts of ways that I mean it so for instance, you know the most expansive view you could have is Oh, Kalia should be expanded to cover emails and Chat and it should apply, you know to any Any provider whether they're public or private in others you could have a very very expansive view But there's a lot of steps short of that That you could do so I just I guess I don't view it as something where There aren't intermediate steps Yes, if you have a view which is that any if you start with the proposition that anything that is regulation is bad Then maybe that that's just unacceptable then you that yes Then it would be a zero or one because you know you've opened the door to it But I think they're you know in the same way that Kalia was not an all or nothing It was it was as many that bills are it's it was a compromise. I Want to spin off that and pose a question to both of you Is this on Pose a question to both of you and push Peter a little on a question that he got earlier One can imagine a world where there is no strong encryption without Some notional golden key that only the authorities whoever the authorities are can use Golden key being the language used in a Washington Post editorial criticizing Apple and Google One can also imagine a world where everything is encrypted Everything in transit everything at rest only I have the keys to my data Even the data that's backed up Andrew, I'm wondering if you think that a world where there is no strong encryption But with a backdoor for the authorities with whatever legal authority a legal process is necessary Is that a good world and Peter? I asked the same of you like even if it would take 15,000 things before breakfast. Is that a good world or is that a scary world? So We're feeling guilty that sure haven't just um, so I'll take a crack at that. I mean I come at this Like everyone I could space on my experience which has been in law enforcement and intelligence community we Have been in a world under Kalea where there is that ability were to get an intercept and Having seen the advantages of it. I really say thank goodness. I live in New York I am aware that it is a target not only of sort of routine law enforcement criminal matters but in of national security it's a national security target and Electronic intercepts are absolutely critical. I think that's something that the intelligence community here and overseas would say is really necessary I Totally believe in getting things through a court order in being upfront with the court and meeting the legal standard and Being held to task law enforcement doesn't But I think that's a better world. I I mean to be very simplistic about it if I have to choose I Am more concerned about Sort of catastrophic Issues than I am about Being hacked and I don't mean to say that because I'm belittling the hacking problem It's just that life is full of very very difficult choices and so I will be the first to admit that I don't have the perfect line I have a lot of information that I would need to know exactly where that line should be where I think the costs and benefits are No longer require There to be an intercept solution but in the sort of like what world would I want to live in it? It would be in a world where I know that with the requisite court order law enforcement and intelligence community can Actually know what bad things are going on I want to compliment Kevin on an exquisitely balanced question that show you know both sides can go too far was sort of the text of the question But I think that's a misplaced equivalence and I think it's because of technology. So so let me try to back that up The idea of a world where only I have my keys That would mean by the way that the grandmother and the eight-year-old only have their keys. That's bad key management Don't do it. In fact, it's extremely risky and difficult for individuals to manage their keys So that nobody else in the world touches it because if you screw up your backup or you forget your past phrase You know then your phones turned into a brick So key management is very hard and encryption beyond that having spent time on encryption both before and after the review group Implementation of encryption systems is far more difficult than it is then is is often understood So the story that I heard from my tech friends was the crypto systems the algorithms We have a certain level of a confidence that they're hard to break a lot of really smart people have tried for a long time And they haven't been able to break it as you actually build each system Which is complicated in many many instances Bruce Schneier and others people will say there are ways to break the implementation and That can be done with court orders. It can be done with zero days. It can be done with the enterprise's permission There's an awful lot of ways that happens And so the fact that grandma can't control her key and that nobody builds implementation very well Means we're not going to get to that hyper encrypted world anytime soon We should be getting a whole lot closer to it because we have cyber security holes everywhere But we're not in danger of suddenly grandma and everybody else being perfect at encryption So both the FBI director and the attorney general have noted the possible need for Congressional action on this issue I'm curious what folks think might happen if this actually if any legislation comes forward You know a few notable data points There is an ongoing fight over NSA and surveillance Which is to some extent perhaps coming to a head tomorrow with a closure of it in the Senate on USA freedom There was also this amendment that passed as part of the appropriations bill in the house the Massey-Lofgren amendment that Actually would have forbid the intelligence community from using funds to request or require companies to build backdoors into their products and services and So I'm curious Reading the tea leaves. What do you think? What do you think the prospects for this kind of legislation would be in the next Congress? What do you think the battle lines would look like? Etc. I Wonder if Nancy is the Washington lawyer out of the three of us might take a shot at that sure happy to I would not be optimistic About and putting aside just the inability of Congress of late to get much done I mean, I just think the politics of this just cut across party lines in such a way that I think you'd have people on both sides lining up opposing legislation to Require backdoors. I think you'd even have You know, I think some of the folks that like Lee and Rand Paul and those the usual suspects would form a Coalition and I think that's a harder Thing I think that technology companies would lobby that incredibly Be very very strong and loving against that. I just don't see that moving forward particularly when I think I think if there were examples that were Did illustrate the the real problem and I think that has been one of the challenges is is Really showing that law enforcement doesn't have other ways in which it can get this information And whether this is just a case of making law enforcement's job a little bit less difficult And I don't need to minimize how difficult law enforcement's job is Or whether this really is truly a crisis for law enforcement I think until that becomes clear. I think it's a very hard thing to do So we have a few more minutes I'm Chris would like to ask another question of Andrew. So before we air before we air yet another family What a little disagreement between Andrew and Chris? I you know, I welcome questions to Peter pushing him on his arguments. I will throw one at you Peter Thanks. Yes, mr. Froomekin here has done a great story and the AP also did a good story Taking down director Comey's examples of cases that would have been hindered if this encryption had been in place and that Those examples kind of fell apart the cases looked like they could have prosecuted or gotten Pleased in those cases regardless of encryption What if that changed what if a year or two from now the FBI would have show up with a list of horrible crimes That they could not solve in specific instances kidnapping child porn etc. Etc Would that change your perspective? How would that change your so the rhetorical answer back is right now We have no shown lost to law enforcement versus a ton of bad consequences And that would shift to some harmed law enforcement versus a ton of harmful consequences and we'd have to do the factual discussion and I Believe that I would be very firmly on the same side of having good security in our communication structure because we depend on that So much for our survival as a society and an economy that that's a huge and overriding concern So so I I think five ten fifty cases Would not change my view on that it would make the discussion different in Congress, but I think that The the Riley quote from Chief Justice Roberts in the existence of the Fourth Amendment is that sometimes law enforcement doesn't get what it wants They don't get general warrants the Fourth Amendment stopped that Andrew and his in his blog post on this topic talked about Boyd, which we didn't get into today a 19th century case where the government was stopped very hard and getting at our papers and effects The Fourth Amendment reasons combined with the cyber security reasons Would take an enormous showing of actual harm that we just haven't seen and that's despite the crypto wars in the 90s and 15 years to build up examples since then I do commend Nancy. Oh no, I I was gonna just follow up on your question and To both to both Andrew and Peter wondering if there are different harms or concerns associated with law enforcement Or whether law enforcement has different concerns than the intelligence community or whether there are Similar concerns, and I know Peter just from your experience on the review group You might have seen things that were unique to the intelligence community With respect to encryption maybe that and the FBI is a anti terrorist group that does intelligence also correct so I mean the law enforcement community has has Different concerns and certainly at the state and local level and even some federal agencies where there wouldn't be necessarily the same kind of sharing that there would be on the intelligence side, so they're definitely distinct issues in terms of I think you'd have state and locals and certain sort of pure pure law enforcement agencies there are very vocal on The going dark issue I tend to in the this issue of sort of Has law enforcement and the intelligence community done a good job of coming up with examples And I think they need to do a better job. I mean there's no question that they're the they're you never can It's it's not a scientific experiment. You're not gonna have a pure Case where you can just say But for X we would not know why and there is no other possible alternative way because no one can ever know that there is no other Alternative way, but they definitely still could do a better job I do think that one to give People who are not within law enforcement and an intelligence community some insight into this I think if you look at the privacy and civil liberties oversight board report and compare Their analysis of the 215 program to their analysis of the 702 program I think that gives you some sense of sort of where I'm coming from when I talk about There is a big difference between metadata And knowing the content of communications. So 215 is metadata a 702 is content of communications and I'm a huge fan of the privacy and civil liberties oversight board. I think they're really serious and Asked ask some really good questions. I mean, you know, you don't have to agree with everything they come up with and You could still think that they're doing a really admirable job for the country and for law enforcement and for the intelligence community and asking those questions But if you look at what they said about the 702 program There wasn't a question that that type of data being able to intercept those kinds of calls was Absolutely critical to the intelligence community And keeping the country safe. And I think that gives you some Insight into what it is that when you hear from people in the intelligence community that it's not just People sort of over hyping that you do have some external body that has looked at this and understands that there is a real value to that type of electronic surveillance Just a way to tell that history slightly different is 215 the telephone calls of Americans to Americans was a bulk collection program government holding millions of phone records about millions of Americans 702 is specific targeting when you have a reason to go after a particular target somebody who's overseas Communicating perhaps with someone back home And so instead of it being data versus metadata I think it comes back to one of the big themes in the debate in the Senate this week which is a special caution around bulk collection that then is used in ways that are hard to know and control and much more favoritism towards specific traditional Collection and investigations which is what 702 offers but that could be that can be totally One can accept that but in terms of this discussion if you have and true and tanned encryption and no way to get at it It's going to eradicate Even the targeted approach that you say is can be useful So I mentioned all of your thoughts on this To pull it out a little bit more of a technical side The this this discussion of having every company who develops hardware and software building a backdoor seems Just crude and in elegant a solution and it also sort of seems And I'll give in the global nature of Development the state of cryptography even in the open source The richness of tools and people that develop apps and all and software and hardware Doesn't seem that likely to work. Is it So if you get the door open on an iPhone, you know, there's right now in this country silent circle And other times of programs like that. So I guess Is the intent to really just drive people away from mainstream Stuff to more, you know stuff that's developed overseas And it's easier to track the fewer number of people to do that Is that sort of the law enforcement intent or is this sort of just doing what we can on the law enforcement side? I don't mean that in normal ways. Yeah, I don't think it I would say it's their intent I would say that it may be a byproduct that's something that you have to deal with but the ability to if if you the inevitable byproduct is that you will have a certain percentage of people who go to Certain other types of providers at least that but can focus your resources It is a lot easier than if you end up saying, okay Well, you know, we haven't focused it and now I want to take our resources and you have to figure out Everybody on Apple everybody on Google And so again, it's not ideal. I agree with you that there is a problem posed by that but it becomes a more manageable program problem to deal with my question relates to the The the notion that there has, you know, we have basically article three court protections with respect to the use of the surveillance mechanism would If you were to insist upon a backdoor in technology, would you also insist that? Apple say and Google would be proscribed from sharing its backdoor with foreign countries that do not provide the same article three like protections So I think that's the I think a really hard issue If I was internal to a company is how to deal which I think they have to do now regardless of this issue is how to deal with regimes where You're concerned about their legal regime their human rights regime I don't think that's unique to this issue In other words, I think there you have this issue Right now for those companies and they have to deal with a very very difficult legal and ethical issues I don't think that this would measurably change that equation So that if you Have created a system where you have done that where you've created end-to-end encryption that if you're in an Impressive regime that that's going to be some kind of get out of jail free card I but I I mean I agree with you that there is a huge issue And I'm to quote from Peter I think that the one area of agreement is that there's a lot of work for the State Department I mean there's the how to deal with international cooperation in an area where you have a whole Array of countries facing me with very similar interests facing the same issues that we're facing and others which Don't Don't have the same legal and ethical Prescriptions. I don't have a really good answer there to that other than I think companies are facing it no matter what so Folks have sort of danced around this a little bit. I want to try and focus a little bit more closely on this point Many of the apps that people are using are made by companies and so Governments have the ability to coerce companies into doing things for them We can argue about whether that's right or not, but many of the most popular encryption apps are actually made by Non-profit collectives of individuals. They're not even there aren't even 513 C's in many cases These are just open-source groups individuals who get together. They write code. They compile code They put it online and people download it in in downloaded form Or in binary form that they've made available So I guess part one of the question is if many people I mean millions of people are using open-source encryption apps What do governments do if the communications shift to groups who cannot be coerced? You know you don't go to a single developer and if you know half the developers are in Germany and half the developers in the United States, you know, what do you do there and a second piece of that question is if Some of the apps are in the United States and some of the apps are from foreign companies It seems that the logical conclusion is not to require backdoors in the apps or We can encryption the apps it rather to require backdoors in the operating systems And the two most widely made operating systems in the world are by Google and Apple who coincidentally are the companies who are being Pointed out and uncalled out by the FBI And so I guess Andrew even though you're no longer working there to the extent that you're now thinking about this a bit More publicly. Do you think that there should be law enforcement backdoors and interfaces not in the communication services? Offered by these companies, but in the operating system so that regardless of which communications app people are using Governments can get into the operating system So let me just take issue with one thing before I answer your question, which is I think I don't know that the Department of Justice is calling out Google As opposed to let me just finish I think the thing that sparked or reignited the going dark debate I think was The Apple announcement and particularly the way it was phrased Because this issue had largely been dormant post Snowden I think probably for just very practical political reasons and You know, I think that if you phrase something as being done Because you want to thwart law enforcement. I think I mean that's something that for an American company Taking advantage of US laws seems striking as opposed to saying it's a byproduct of some other good And which I which is traditionally how it's been Thought of so I think that was sort of what got focused on I do think that in the nature of Silicon Valley that there's a certain amount that everyone needs to be at the same level Because they need to have not be this needs not be market differentiation on these issues So I think people quickly sort of fall in line So I don't think there's any effort to Single out anyone as opposed to There was a company because of the way they phrased it that sort of raised this issue anew. I Don't know the answer to that. I think that's going to be to me that is Again a difficult issue. I think that there I don't my sense is that there isn't a lot of appetite for Trying to have apps covered by Clea and that's that's my own Two cents. I think it that comes at a cost But I think that's I think there was a gentleman before who asked the question of like isn't this all or nothing And I think the answer is it isn't all or nothing? There are lots of issues about how to do something And I don't know the answer to your question about whether that would be worth it whether having that kind of regulation would be worth the cost So we're a little over time now, but I did want to give the Debaters an opportunity to give one last comment one or two minutes if they like You want to go? Okay. Is there one more question I can tell okay? Should I go okay, so I have three items each of which is short the first is that This debate happens as surveillance reform legislation is going through Congress and It's at least possible to think that part of the reason to bring back fears of going dark It's to take momentum out of the chances for reform those chances reform come fairly rarely And I hope that we'll move forward in Congress this year to get the USA Freedom Act passed But the by raising the specters of the loss of law enforcement activities, so I think that's a problem Second thing is I commend to you the internet architecture board announcement just this week About the importance of building encryption into protocols and other parts throughout the internet and it's consistent with Extremely widespread Technologist view of this matter about the importance of having effective cyber security as we build these communications structures And the third thing and this does not apply to the FBI today or when Andrew was general counsel But applies to the FBI of years gone by There's been a release of new details about the letter that was sent to Martin Luther King During the 1960s that was basically a blackmail note sent by FBI director Hoover urging King not to go except his Nobel Prize the history of surveillance is in part a history of potential abuses of power and sometimes actual abuses of power and So we try to create structures that in the long run will let democracy flourish and an economy flourish And when that happens, we're going to have many strong powers for law enforcement and national security But we also have to keep building in each generation a set of safeguards against overuse of those powers So in terms of government abuses So There's no question that it is healthy Whether I was in government or now I'm not in government For people to be skeptical of what government says and to say prove it We need to see it It's it's can be difficult in the going dark area because there's some part of the discussion that can't be public if you tell Really serious criminals exactly what you actually can and cannot monitor Obviously it gives them a roadmap But there there is no question that it's like it's totally fair to be Skeptical and to demand more information. It's also right to worry about all sorts of things whether it's Martin Luther King or Watergate or the church committee to worry about instances of the government having abused its power and That though is Not to say okay because I know that so we're just going to throw we're not going to actually deal with an issue The issue there is what are the safeguards? Is it is it necessary and what safeguards are there for the government in terms of what it's doing in This issue we're dealing with question of the government acting Pursuant to a court order And actually just with a question of whether that court order can be effectuated So I don't view that that specter as being something that's particularly relevant to this issue So I don't think it really helps inform the debate to me is there's I think Peter's comment that our Means of communication have really grown that there are certain types of data that the government can get through Lawful process that it couldn't get in 1994 it's true, but by the same token all of that metastasizing of modalities are also ways in which criminals Can operate and the issue is can law enforcement have the same kinds of tools that had in 1994 in order to We the court order track what it is that criminals are doing whether it be ordinary law enforcement targets or intelligence community targets I think this was I think Andrew and Peter did a wonderful job of showing both sides of the debate. I don't think it's going to be concluded anytime soon, but I Hope you'll all join me in thanking our panelists and I look forward to having this debate again in 2030 Thank you