So hi everybody, and everyone who's online. We were just talking about the joys of a tech crowd. We've got a big crowd online. So I'm Anne-Marie Slaughter, the president of New America, and this is our panel on the costs of the NSA surveillance on America, the American economy, but also foreign policy and really the internet itself.

So here at New America, we've been doing work on surveillance, on the NSA surveillance, from the perspective of our national security program. I was just at a conference in Munich where someone asked the German head of intelligence and one of the American participants about the paper that New America put out showing that in 250-odd cases of suits or prosecutions of terrorists, these are public, NSA intelligence was de minimis. Now obviously there are cases we don't know about, but in the cases we do, we were able to go through each one, look at all the evidence and say, you know, really these people were apprehended by much more traditional methods. And the conclusions of that paper were endorsed by the president's own NSA review group and also on the Privacy and Civil Liberties Oversight Board.

So today we're moving from the straight national security perspective to the costs of NSA surveillance much more broadly. So there's the cost to every individual taxpayer, which some people have estimated is $500 per year. As we're approaching April, that's quite a lot. It's also clear that big American businesses like Cisco or HP or Qualcomm, and actually even Boeing, are experiencing really significant fallout from the Snowden revelations, and there are some experts, one of whom is on our panel today, who have estimated that the NSA scandal could ultimately cost the American Internet industry
tens or even hundreds of billions of dollars a year in the next few years.

So there's the straight economic costs, but our panel today will also be talking about the foreign policy costs. And here I have to say I have a direct stake in the sense of our overall foreign policy goals. One of the things we did when I was working in the State Department for Secretary Clinton was to advance an internet freedom agenda, talking about the right to connect, the freedom to connect, as a fundamental human right. The week we announced her speech was the week after Google left China to avoid Chinese surveillance. Obviously these revelations put us in a rather difficult position advancing that agenda, but equally importantly in terms of thinking about internet governance. And we have all been thinking about the implications of the Balkanization of the internet if Brazil or Germany or other countries decide, "We are going to regulate our own internet." And that seems unthinkable to many of us, but sadly history tends to show that things that were initially free, I mean, we have the freedom of the seas, but even the freedom of the seas is then encroached on by individual countries for a range of territory.

And finally, there's the cost to the internet itself, the danger that the NSA has acted in ways that weaken internet security standards and that create or exploit a whole range of vulnerabilities in internet services and products, and that that then will change the basic, or threaten the basic, open architecture of the free and open and secure internet that we have been, all of us, everybody in this room has been working to build.

So today's panel brings together experts who will talk about both the economic and foreign policy implications of the issue. This is also the beginning of New America's deeper dive into the costs and the benefits of the intelligence community's conduct and a broader inquiry into how we preserve basic American values and our interests in a period of
this kind of deep and rapid technological change.

So to moderate our panel I want to introduce Kevin Bankston, who's, I'm still proud to say, our new policy director at the Open Technology Institute here at New America. I'm going to embarrass him a little bit just to say, when he was a younger civil liberties attorney, although to me it's hard to imagine he was younger, but in his previous life as senior counsel at the EFF, the Electronic Frontier Foundation, he actually filed his first lawsuit over NSA bulk surveillance over eight years ago, which is really before it was cool. So he brings a wealth of experience to this issue and it's my pleasure to introduce him to moderate the panel. Thank you.

Thank you, Anne-Marie. Thanks to everyone in the audience, both in real life and online, and thanks especially to the excellent group of panelists, experts who will be walking us through the Snowden effect on the US economy and foreign relations and on the openness and security of the internet. Last week some of you were here for an event we did on the cost of surveillance from a different perspective, talking about how cheap surveillance is, how changing technologies is actually making it very inexpensive to conduct more and more surveillance on more and more people. But this week we're talking more about the other cost of surveillance, the cost to us and to us as a society of these surveillance programs.

So, the program, as it were: each of these panelists is going to spend about five minutes giving their perspective on the issue, give or take. Then I'll be asking questions for a bit, and then you'll be asking questions for a bit, and then we'll end with a small reception. And I apologize to those online who we can't give wine to. But so let me introduce you to our panelists. Those of you at home, please be ready at the Google bar to search for the things that I'm going to mention, because I'm going to mention a few pieces of writing that several of these folks have done.
First off, Daniel Castro. He's a senior analyst at the Information Technology and Innovation Foundation, or ITIF, and he's the author of the very oft-cited study "How Much Will PRISM Cost the US Cloud Industry?" I'll give you one guess as to what he's going to talk about: money, money, money, money. The straight economic costs of the NSA programs.

We have Ross Schulman, senior analyst, I'm sorry, public policy counsel at CCIA, which is the Computer and Communications Industry Association, which by its name you could guess is a trade association representing a wide variety of internet and communications companies. He's gonna be talking mostly about the impact of the Snowden revelations on ongoing debates about the future of the internet, not only how it is to be governed but how it should be designed and built out. Will the Snowden effect turn our internet into a splinternet? Ross will tell us.

Richard Fontaine, president of the Center for a New American Security. His team recently wrote a great Reuters opinion piece on the fallout from Snowden called "NSA Revelations Fallout Can Serve Our Nation." He's gonna focus mostly on how the Snowden effect has disrupted the US government's foreign relations. I'm sorry, he's actually gonna focus on how the Snowden revelations have disrupted the US government's international internet freedom agenda that Anne-Marie mentioned. What the future of internet freedom looks like in a post-Snowden world.

Mieke Eoyang is the director of the national security program at Third Way. She's written a couple of great pieces recently: one for the Boston Globe, "To Judge NSA Reforms, Look to the Tech Industry," and a Forbes piece, "NSA Snooping's Negative Impact on Business Would Have the Founding Fathers Aghast." She's gonna talk about one other cost, which is the cost to our diplomacy and our foreign relations. And she's also gonna talk, based on her longtime experience working the intelligence beat on the Hill, about the failure of policymakers and the intelligence community to consider all of these ranges of costs when actually developing policy.

On that note, I'm going to actually give a shout-out to a friend and colleague, Allan Friedman, who's currently a GW visiting scholar on cybersecurity. He wrote a great piece for the Atlantic on this same topic called "Why Wasn't the NSA Prepared?", i.e., why weren't they prepared for this kind of fallout?

Speaking of folks from local universities, our fifth and final panelist, Micah Sherr, is an assistant professor of computer science at Georgetown University. He, with 46 other technologists, recently signed on to comments to the president's review group on the NSA's activities, raising concerns about NSA's impact on internet security and on security standards. Like those comments, Micah today is going to focus mostly on the cost to everyone's security of the NSA undermining encryption standards and otherwise planting or exploiting security vulnerabilities in everyday devices and software.

So with no further introduction, because there's been a lot of that, let's get started. Daniel.

Thanks, Kevin, and thanks for doing this event.
I think it's sadly still timely even though it's been so many months. I think it's, you know, important to kind of take a moment and reflect back on where we were a year ago. A year ago, if you were to ask anyone really anywhere in the world who the leaders were in cloud computing, the answer would absolutely be the United States. In fact people did ask this question and they didn't answer that. And if you asked who was likely to be the leader in the future, they would have also said the United States. I think if you ask that same question today, by and large you will find people saying, you know, I really don't know. Maybe Europe, maybe Latin America. You know, we don't know. And the reason we don't know, of course, is because of everything that's transpired over the past eight months.

You know, when PRISM came on the scene it was this, you know, big news story. I mean, I remember where I was when I first started, you know, seeing all the headlines trickle in. And, you know, we knew immediately that this was going to have an economic impact. We didn't know what it would be, but we knew there was gonna be an impact, and we knew this for a few reasons. One, everyone was angry and they had a right to be angry. And two, we'd already seen that Europe and Latin America and Asia, a lot of these regions were competing very hard for cloud computing and kind of what the next wave of tech was going to be. If you look at, you know, all the estimates of where the growth was going to be, if you look at tech overall, it was like, you know, two percent or three percent a year. If you look at cloud computing, it was gonna be a hundred percent. I mean, it was this huge, you know, disparity between where the growth was going to be and where it wasn't, and US was the leader in that. US was ready to capture it. In 2008, or 2009, excuse me, it had four-fifths of the market globally. Right, okay, so, you know, then the revelations come and people start saying, well, what's gonna happen? Everyone's angry.
They start saying, you know, can we trust the United States? Can we trust the United States with our data? We've had these conversations before, especially around the Patriot Act. We knew the other countries have been using this argument for a long time. But suddenly they had a trump card, suddenly they had something very clear to point to and say, you know, this is why you shouldn't, you know, use Google, this is why you shouldn't use whatever, any US company, you know, insert the name there.

And so, you know, we started to say, okay, what might the economic impact be? So we tried to do, it's not a prediction. What we tried to say is, if we see a loss in the foreign market share, what would that translate to in dollars? So we looked at two scenarios, one a kind of, you know, more conservative and one a little bit higher. So the two estimates were: if we saw up to a 10% loss in foreign market share, so assuming none of the US growth was lost, it was only in the foreign market share, and that would be accelerating, not 10% in the first year, but, you know, starting small and moving up to 10% for three years, that'd be 22 billion. If we went up to 20%, that would be 35 billion.

The kind of basis for those numbers was that the Cloud Security Alliance, which is a professional association of security professionals, did a survey of their members. This was in July of last year, kind of late July, early August, asking both US and non-US professionals how the Snowden revelations impacted their decision. So 10% of non-US respondents said they had canceled projects already.
This was in the first month. 56% said that they were less likely to use US products, again of foreign respondents. Of the US respondents, 36% said that yes, this would definitely make it harder for them to sell their products. And this was in the first month; this was when people were still trying to figure out what was going on. So, you know, our estimate was kind of on the 10 to 20% side, again over three years. We felt this was very conservative. Of course, Cloud Security Alliance, I mean, this was not a scientific survey, and these are people who are, you know, kind of paid to be paranoid. But, you know, I think this is kind of within the realm of reality.

So then, you know, kind of the question is, well, you know, what's transpired since then? Part of the reason we wrote this paper was because we wanted this to be a wake-up call to say, look, this will have a serious economic consequence if the US doesn't respond. And we know other countries are going to, one, you know, take certain actions, and they're gonna be scared away just in terms of buying these products. But two, lots of countries are gonna use this as leverage to block out US companies. And the US needs to respond. The US needs to have a forceful response. I don't think we've seen that. We can talk about that if anyone else thinks we have seen that from this administration, but I don't think we've seen that yet. I think repeatedly we see companies saying, we're the ones out on the front lines defending this. And, you know, the reality is the companies can't change the situation there. And, you know, look at a situation like Target that's hit by this big situation, you know, big kind of external event. They can kind of control that, right?
I mean, they could have had better security. Responding going forward, they can say we're gonna implement these controls. US companies can't solve this problem. And that's, you know, that's the biggest challenge right now. The people who are suffering, the companies that are suffering, they don't have the capability to change it.

So I don't want to drag this out too much longer, but just in terms of, you know, have we seen more of this? Yes, we have. So I think, you know, this was mentioned: Boeing cancelled a four and a half billion dollar contract with Brazil for fighter jets as a kind of direct result of this.

With Boeing.

Yes. Yeah. The Cisco CEO, this was last quarter, talked about lower quarterly earnings in China. Again, he said this was a direct result of this. You see kind of signals on the other side. SAP, which is a German company, has talked about higher than expected returns on their cloud computing business in the last quarter. There's a Swiss company that, again, cloud computing, talked about 45 percent higher earnings, and this was in the first months after that. And I mean, I've heard from, you know, just since writing this paper, from companies kind of all over the world. I have heard from a number outside of the United States that say, yeah, we are already seeing this, you know, advantage our companies.
We're using this to market our products and we're getting more business than we expected. So I know that the challenge is we don't have more data yet, and that's what we're gonna be looking forward to in the, I think, months ahead. But we are seeing evidence already.

Great. Mind if I ask you a couple of questions, and pepper questions between folks? So you did this study, which has been cited everywhere. And Forrester wrote about your study and projected it might be even higher for a variety of reasons. But other than that, we haven't yet seen a lot of studies on this issue in terms of projecting or trying to gauge the loss. We did see a really neat study that wasn't much reported on from PEER 1, which is a cloud host in Canada, and they did a survey that found that of UK and Canadian customers, 25% of them were already planning on moving their data out of US providers. But I'm curious, why haven't we seen more studies, and how can we get more studies, or what would those studies look at? I'm, you know, looking at, say, Brazil, and one could imagine they are using this as an excuse to go with another vendor, or you can look at Cisco and it may be that they're using this as an excuse for why their sales are dropping. How can we actually more accurately gauge this Snowden effect and put it into dollars? Is that even possible right now? Or is the fact that companies are hesitant to, you know, be very direct about what their losses are too big of a hindrance right now?

Yeah, I think there's a few problems. One, certainly, you know, no company, and this is I think a serious issue, not just kind of academically to understand the size of the problem, companies don't want to be out there saying, hey, you know, we're taking a hit.
It's not good for, you know, their stock prices. But the problem is that creates the, you know, this political vacuum where the groups that we need to have out there pushing this forward, I mean, if you look back at, you know, the Clipper chip, the reason that that was politically successful in getting this shut down, I think, was because we had the entire tech industry saying, one, it wasn't something they were selling yet. So they weren't saying we are losing this market. They're saying we can't go into that market, and they were the ones that lobbied and got that shut down. We don't see that now because companies can't be out there because of the dynamics. So we don't see that.

You know, the second part of this is that, you know, the study was originally looking at just cloud computing, because that's where we have the data and that's where we would likely see the big impact of what we knew at the time. Of course, since then we've seen a lot more, as Michael talked about, I mean, you know, so much on the security side where it's implicated the entire tech industry. So this was just looking at, you know, cloud computing, but it's really now, you know, any American tech company that's selling a product, you know, from keyboards to, you know, storage. They've been implicated in this, and a foreign buyer is going to, you know, take a second look about whether they can buy that from another supplier, simply because of everything that's come out about what the NSA has done or might have done or could be doing in the future. But there's a little bit of risk there and uncertainty, and that uncertainty, you know, clouds everything that happens.

Also, a bunch of the big American companies are not yet willing to say we're losing X amount of dollars about this, but they are starting to get engaged in the reform process and debate, particularly eight of the big companies including Google and Microsoft and Facebook, in an effort called Reform Government Surveillance. Many of those companies are
also members of the CCIA, represented here today by Ross Schulman.

So Daniel gave a great overview, I think, of sort of like dollars and cents kind of talk, and I wanted to kind of build on that a little bit to talk about one aspect that you didn't necessarily touch on but that's related to sort of the actual money, and then I also want to talk about sort of, you know, what we call at CCIA the soft power problems. But the economic issue actually is trade, and it kind of wraps up into what you're saying. But I wanted to put a pin in the idea that this is having absolutely an adverse effect on the trade efforts that the USTR is engaging in abroad. And so CCIA has offices in Geneva where we do a lot of work on trade, and so I just want to kind of talk a little bit about that.

So the Boston Consulting Group predicted that across the G20 the internet will contribute 4.2 trillion dollars to GDP in the year 2016, so in a couple years. And McKinsey has pointed out that of that economic value, 75% actually accrues to what you might call old-school enterprise, brick-and-mortar, just the efficiencies that the internet trade brings along create GDP benefits. And that's, you know, across again the G20, but, you know, this is also a worldwide phenomenon. However, all of that benefit is really rooted in a question of trust, and actually the White House recognized this all the way back in 1997. They put out a report, kind of the first report on internet commerce, and there are pages and one particular kind of paragraph that we like to talk about talks about the root of internet commerce as being a trust issue. And it's not too much to say that the NSA's programs and the revelations about those programs have absolutely struck at that root of trust, particularly with US programs. Sorry, particularly with US companies, but I actually think that it's safe to say that there are problems along these lines with governments around the
world, and that US companies are not going to be the only companies that are kind of implicated by this. So that trust is absolutely harming trade as well. The US obviously has a huge amount of exports in sort of the digital services realm, and we're now seeing countries basically trying to use the trade structure to combat that superiority as much as they possibly can. They're doing it by fighting back against free-flow arguments. We're seeing Brazil do this with local hosting requirements. I think you're talking about that a little bit. But there's definite sort of trade impacts there. And those trade impacts are also fighting back, it's sort of the end-to-end nature of the internet. Local hosting requirements will do this; routing requirements, you know, Brazil basically trying to create internet routes that are less efficient but do not traverse US links, also creates problems with kind of the end-to-end structure of the internet. So just a little kind of note on trade as a part of the dollars and cents argument.

But I also want to talk about the sort of non-monetary issues that these revelations have had, and they accrue in a sort of constellation of effects that we're sort of talking about as US soft power problems. So the US's ability abroad to influence diplomatically issues having to do with the internet. Right, so Anne-Marie, you talked a little bit about sort of the open internet efforts that you guys ran while you were at the State Department. Immensely helpful. At the same time that you were working on those, there were immensely important internet governance questions happening as well that some of the same offices there were working on. So for a long time the US was a leader of a coalition of countries around the world that were fighting against government control over internet governance and fighting for the multi-stakeholder model that has up to now really kind of dominated
how the internet ran itself to a large degree. And the US had a lot of partners in this: most of Western Europe, large portions of Latin America, portions of Africa as well. And we were fighting against a number of authoritarian, mostly authoritarian regimes. Russia, China, Iran were kind of the big three, but they had friends as well. And those countries would much rather see governments basically run the internet on their own accord. And this all sort of came to a head in December of 2012, which is when most of the rest of the world sort of woke up. The State Department had been watching this for quite a bit longer. But with the WCIT, or the World Conference on International Telecommunications, that happened in Dubai in December 2012, I was there as sort of a member of the US delegation on behalf of CCIA, and we saw a real schism between those Western countries that I talked about and sort of this other bloc of nations that would prefer to see governments run the internet. And this was basically, the question ended up being, you know, is the multi-stakeholder model going to continue to be the operating model, or are we going to move to something much more like the International Telecommunication Union,
which is a multilateral government approach that likes to pretend that it's multi-stakeholder but doesn't do a very good job of it, frankly. And so up and through June of last year the US had an excellent hold on the leadership of this sort of conglomerate of nations, but since then we've seen a real fracturing in that sort of unified front. And we're seeing a lot of Western Europe pushing back against the US, not in saying that they want governments to control the internet, because that's not really what they want, but we're seeing them take the approach that they can no longer really work with the US, and therefore our unified front has been compromised to a certain degree. And then we're seeing regions of the world that used to at least be willing to hear us, such as Latin America, such as Africa, and be willing in portions, such as Brazil, to really kind of hear what we're saying, now turning away from us. And the work that we had been doing up through 2012 and up through just last year has really been set back by quite a bit because of these revelations of what the NSA is doing. So that's, you know, another area where we're really sort of trying to claw back the good work that we had been doing. And, you know, we're gonna see next, no, not next month, in April in Brazil for the NetMundial meeting that Dilma Rousseff has called, you know, what the new state of play is. But we definitely have some harder work ahead of us to do.

Thanks, Ross. So I mean, listening to that, it seems that in many ways the NSA programs are actually leading to negative impacts on the idea of a free and open internet in at least three ways that I can count. Like, first off.
There's the impact on the internet governance debate, to the extent that what we have done is now undermined our position in terms of preserving a more open multi-stakeholder process for governing the internet. And then second, the sort of technical level of that, which is governments wanting to enforce sovereignty over their internet, whether through requiring local data storage or hosting or re-architecting the actual infrastructure, which, actually we've seen a lot of proposals of that kind prior to Snowden, and often it was for the express purpose of enabling government surveillance, you know, for example around BlackBerry and India, enabling government censorship, because data that is stored locally is easier to block. And then third, we're also seeing the undermining of our position in the sense of, remember the old drug commercial, not commercial for drugs, but anti-drug commercial, "I learned it by watching you"? You know, there's this, I think, this problem of now countries can actually look to our practice and say, well, look, the United States, this, the paragon supposedly of rights and internet freedom, is actually, you know, engaging in massive surveillance. Why can we not do the same within our own borders?

But that's all leading up to a question, which is: we're seeing a number of different proposals in response to the Snowden revelations in terms of the architecture of the internet, but I'm trying to figure out, how do we judge which of them actually make sense and are good and which of them are problematic? So for example Brazil, we have Brazil, one, in its Marco Civil proposing, requiring by law local data hosting, which we are concerned about from a free flow of information point of view. And yet we also have the announcement yesterday of a new cable between Brazil and Germany, which actually seems to some extent a good thing.
It's building out the internet. It enables, you know, instead of all the South and Central America traffic having to go through Miami, you know, it allows a direct connection. How do we distinguish between what is good building out of the internet and what is bad restricting or re-architecting of the internet?

So it's an issue question, and I'm not sure that I have a hundred percent answer. One interesting point is that the example you gave for what might be a good thing has actually been in the works for a very long time. The Brazil-Europe cable, and I think it actually will touch Africa as well, has been in the works for a long time, and I think maybe something happened this week, I am honestly not sure what it was, to bring it back into the news now, and it's been framed as a reaction to the Snowden revelations. But it is inherently a good thing to, like, Brazil, the transatlantic cable across the southern portion of the ocean is a great idea and it should absolutely be done. And so, you know, I guess one question is, you know, if you take away the rationale, the reactionary rationale, is it still a good idea? That's one way that you can look at it, and that's not a bad idea. I think the other question is, you know, on the surface of it, will it break the internet? So local hosting requirements to a certain extent break the internet, and, you know, a new cable from Europe to Brazil doesn't break the internet, makes the internet more robust. It's a good thing.
It makes it more resilient. And so even if the only reason that Brazil was trying to land a cable from there to Europe was to avoid landing in Miami, that would still be a net result good thing for the internet in terms of resiliency, in terms of robustness. The same thing goes for, you know, look, building local internet exchange points in countries, even if they're only doing that, so, the reason that a lot of traffic goes through Miami and then back to Latin America is because the Latin American countries up until recently did not have their own internet exchange points where the ISPs within the country could peer with one another. They had to go to Miami to peer with one another. So traffic would leave the country, go to Miami, and then come right back to the same country if you were trying to go from one ISP to another. Now that they're building local exchange points, they might be doing it so that they don't have to go to Miami and try to transit the US. But even if that's the only reason they're doing it, it's still a good thing, because IXPs are inherently good things. So I think that that's at least one way to analyze it.

Thanks. That's really interesting. Next up, Richard.

Thank you, and thanks for having me here today. I'm going to talk a little bit about the internet freedom agenda that the United States government began to put into place starting with the Bush administration but really accelerating when Hillary Clinton was Secretary of State in the Obama administration, which I think for a variety of reasons, one of which is the Snowden revelations, has really taken a back seat in comparison with what we as a government have tried to do before. This panel is about the cost of surveillance, whether it's data localization or the internet freedom agenda or privacy or international relationships and so forth.
I should make clear that I believe that there are some benefits of surveillance as well. And I think it has to do with counterterrorism operations, but it's not only that, and I think it's been something of a mistake to frame the benefits of surveillance only in the counterterrorism framework. Surveillance, and the information that is collected through surveillance, as with the intelligence collected through other means, improves, or at least has a potential to improve, the quality of national security decision-making and foreign policy decision-making, whether it's on trade or interstate relations or any manner of national security decisions. The question now, I think, is how do we balance the benefits that surveillance brings against the costs once those programs become public, as they have done in such a dramatic fashion.

And to think back on the internet freedom agenda, just a couple of years ago we as a government were in a position where Secretary of State Hillary Clinton gave four speeches while she was Secretary of State on internet freedom and its importance in US foreign policy. She really elevated the cause of promoting the free flow of information online to be a key element of US foreign policy. She compared the freedom to connect to FDR's Four Freedoms and added a fifth, saying that this was, you know, so in the pantheon of freedoms, this was an important thing. The House of Representatives and the Senate both established global internet freedom caucuses to try to promote this thing, and there were several pieces of legislation pursuant to this effort. The State Department, the Broadcasting Board of Governors, was funding to the tune of several tens of millions of dollars per year circumvention technologies, encryption technologies, to allow dissidents and others to communicate effectively and outside the watchful eye of foreign governments. And as was just mentioned before, at places like the ITU and other places, the United States
had a very forward-leaning role to try to keep the state hand off of the governance of the internet in order to preserve, again, the multi-stakeholder model, which would enable the free flow of information online. I'm afraid that since the NSA revelations much of this has essentially gone off the rails. Secretary Kerry, at least to my knowledge, has given no speeches on internet freedom. One of the technologies that was being funded by the US government was Tor, which would allow people to communicate using encryption. It came out that while part of our government was funding Tor, the NSA was trying to crack Tor. So you had sort of two efforts going on at the same time. It has been reported that efforts within the UN General Assembly to pass a resolution that would enshrine the right to data privacy have been opposed by the US government, although to my knowledge the government has not actually made an affirmative case for, if that is the position of the US government, if so why and how this fits in. And more than anything else, and as folks have alluded to before, I think we've really lost the narrative here. The United States was in a position before of pointing to the Russias and the Chinas and the Irans as the bad actors, and now we're having this thrown back at us. We're in a position of saying, well, it's illegitimate for the Chinese government to surveil Chinese citizens, but it's legitimate for the US government to surveil Chinese citizens. Discuss. And actually, you know, and to be clear, I think that there are ways of parsing this, and there's logic behind some of this, but as a narrative,
it's an extremely difficult thing when what you're engaging in is primarily a diplomatic enterprise aimed at persuading people that they should embrace a model that promotes a free flow of information online. So we're seeing this sort of pushback against the United States and, frankly, some inactivity by the US government, which on the one hand is understandable. If you're an advisor to Secretary Kerry, probably the best way of getting thrown out of his office is to suggest he go give a speech on internet freedom right now. But by the same token, and as I'll discuss in just a second, I actually think that that's the kind of thing that we need to be doing more of, not less. I'll offer just a couple of points for where we go from here. And I think that the starting point of departure needs to be that surveillance is going to continue in many of the forms in which it takes place today. It may be more tailored, there may be more oversight by the Congress or others, it may be more transparent, but I think in Barack Obama you have the president in at least recent memory who is the most likely to find ways to tailor surveillance programs, and I think you're not going to see a president, Republican or Democrat, give up this surveillance. The bulk collection issue is sort of a separate one, but certainly the surveillance of foreign nationals. So if you start from the point of departure that surveillance is going to continue, as governments do, although it may change, and then you have to stipulate that this is going to be an extremely difficult enterprise, to sort of push the internet freedom agenda forward given the challenges and the loss of the narrative that I described, I think that one starting point would be for senior US officials to begin explaining the US government's approach to internet freedom and how all of these things at least conceptually fit together. So why or how is the US actually tailoring or modifying its surveillance programs?
And how does that actually fit with a vision of where the internet is going and the free flow of information online? Where does the United States come down on international privacy rights, as such things exist? Where do we think about these things? Will the United States continue to use various instruments, whether it's technology provision, diplomacy, trade agreements, public pressure, to advocate for a free and open internet? And fundamentally, is this still a US foreign policy priority? As I said, there was so much talk about this just a couple of years ago, and there's very little of it today. And then finally I would just say that I think within the government there's a real need to unify decision-making, in which choices about surveillance on the one hand, or the future of the internet, whether it's internet governance or these kind of broader internet freedom issues, on the other, where these decisions are being made, it's my sense that they're often being made without any unifying vision of what this is actually going to do in aggregate. So for example, if you're making the decision to crack Tor while you're making the decision to fund Tor, is that actually a decision that the government made, or was it a decision that two parts of the government made totally independently, and maybe didn't even know that the other one was necessarily doing this? And, you know, so if you're going to make decisions about surveillance and you want to take into account the true costs, benefits, and how this is going to influence decisions made on the internet freedom agenda, then I think both sets of people have to be at the table at the same time. You have to unify that decision-making in a way that hasn't been the case thus far. So, a few thoughts on the internet freedom agenda.
Thanks, Richard. And I'm glad you brought up the example of Tor, because it's a very clear example of: we are funding tools for internet freedom while at the same time funding breaking those tools for internet freedom. And actually my friends back at EFF have a great graphic showing like a terrorist using Tor and an activist using Tor, and they're basically just wearing different hats. But I have a question for you that was prompted by your comments, but I'm actually going to want everybody's input on that, so I'm going to ask that question when we go to full panel. Mieke Eoyang from Third Way.

Yes, so I want to talk about one of the other costs to the US as a result of these Snowden revelations, and then I want to talk about why these costs aren't considered in the process and maybe how they should be, in part to answer Richard's suggestion. One of the other costs that we see as a result of Snowden revelations is they increase difficulty for the United States in conducting diplomacy, not only on the trade front, on the internet freedom front, but generally. We had, as a result of the Snowden revelations that we had been tapping the cell phones of current foreign leaders, the cancellation of a state dinner, which is a rare thing and an important bilateral relationship-building tool, between the US and Brazil. We had outrage from a very important partner at NATO in the form of Angela Merkel being upset about what she was talking, that her phones had been tapped, and you see quieter, less noticeable outrage from other European countries. Some of that outrage is real and will cause short-term difficulties for the United States in the conduct of its foreign policy and its ability to get other leaders to do things the United States might want them to do. And then you have long-term implications for what it means for the United States, which is seen as a beacon of freedom and not conducting business the way that Russia and China do, as conducting surveillance on foreign nationals.
You will have a generational problem where we will have lost the moral high ground, and that is something that we are going to have to deal with, with diplomats from many generations to come: that we don't have the same cachet in the world. We are not the same beacon of freedom that we once were before these revelations, and that's in part because we have conducted surveillance internationally in a way that is seen as overbroad. I think everyone in the world benefits from United States surveillance efforts. Our surveillance efforts to catch terrorists around the world have led to the disruption of plots on every single continent with the exception of Antarctica. Many people benefit from the tips that are generated from our surveillance. A lot of commerce benefits from that too. You've heard, or seen, reports of, you know, disrupted package bombings. Well, those companies really benefit from American efforts to disrupt those programs, those efforts. But at the end of the day you have this outrage in part because of domestic political concerns. In places like a unified Germany, where the East Germans had conducted surveillance of their own people, the sensitivity to surveillance is much higher. In places like Brazil that don't have the same aggressive international espionage efforts, you see real outrage there, because they don't do it to other people, so why would people do it to them?
That's a real challenge for us, especially with Brazil, because of its increasing influence in international debates. So we are really going to see challenges with that over the medium term. Long term, we'll have to deal with an image problem. Now I wanted to talk about why it is the United States government is so bad at taking all of these costs into account, both on the executive branch side and in Congress. Starting with the executive branch side: when you have the United States government looking at decisions like cracking Tor and funding Tor, part of the problem with the intelligence community is that it conducts itself so much behind the walls of secrecy that it does not want to discuss with anyone who is not appropriately cleared what they are doing, and that throws huge swaths of policymakers out of the room when they are making decisions about what kind of intelligence collection they are going to do. And so one of the recommendations that the president's review group said was that you've got to bring policymakers into that conversation. Now, this cuts against the grain for the intelligence community, who's fundamentally paranoid about: the more people who know, the more people who might leak. Given the kind of leaks they've had now, perhaps they should just assume that things will eventually leak, and they should get the policymakers in the room to have that conversation on the front. But it is a real challenge for them because they are hindered by the secrecy. The other problem that you have with the policymakers is that they are often not technical experts. The conversation that we have had here in many ways goes over the heads of a lot of policy experts. They don't understand the architecture of the internet.
They don't understand the way that encryption technologies work. They don't understand it well enough to make informed decisions about what it will mean to the internet and internet growth. You see this indeed in some of the ways that, even inside the US government, they have explained the way these NSA surveillance programs work to each other. Oftentimes you have legal experts making calls on whether or not a surveillance program, bulk collection or not, is the right thing to do and consistent with the law. As a lawyer myself, it doesn't mean that you have any special technical expertise and understanding. The vast quantities of data that are coming in, the filtering mechanisms, or any of the rest of that: you're really ill-prepared for that unless you have a strong technical background. And so a lot of times people are talking past each other in those discussions. It's a real challenge. And if you think that the challenge on technical understanding is big in the executive branch, it is even worse when you get to Congress. Former Congresswoman Jane Harman said most members of Congress only encounter technology through their children. They barely know how to use their BlackBerrys. When I was on the intelligence committee I had to try and explain to members of Congress what a botnet was. It was like, "the attacks are coming from inside your computer." Like, they just didn't understand how these things work. And so getting members of Congress, who are on average quite old, not part of an internet generation, to understand the way the technology works and the way in which it's evolving, to make rules, to set oversight guidance for the intelligence community, is very difficult. And then in addition to that, the members of Congress have an imbalance of information with the executive branch. The intelligence community doesn't like to share with Congress. They play a little bit of a game of 20 questions. You know, is it bigger than the bread box?
If you don't ask exactly the right question, you may not get an answer that will allow you to fully understand what's going on with the program. And you've seen that in some of the ways that Congress has offered legislation and the ways in which that has been interpreted, and the ways that some members of Congress who passed things like the FISA amendments after the Patriot Act are now saying, "that's not what I thought you would do with it." Part of that is the imbalance of information between the executive branch and Congress in understanding these programs. The other thing is that in intelligence, unlike any other area, Congress doesn't have the benefit of outside experts. People don't know and can't comment, write op-eds, reports like the ones at New America or at CNS, about what's going on in intelligence programs. And you have that in every other area, where the best minds and the expertise of the entire field are brought to bear on this. On intelligence, you don't. We particularly ran into this problem in dealing with cybersecurity. We wanted to go and talk to industry, and we went around to try and find people in industry who understood what the government was doing about cybersecurity initiatives, and it was incredibly difficult to find people in industry who even had the requisite clearances to understand what the government was talking about in cybersecurity initiatives. And then, knowing the level of information that the government was giving them, they didn't feel really comfortable judging those initiatives, and they said, "look, we have technological fixes that we would recommend, in ways that we would engage this debate, but we just don't feel like we have enough information here to advise you well." That would never happen in the judiciary committee, on the science committee, and Ways and Means on taxes, or any of these other things. But this imbalance of information means that you don't necessarily have the best quality debate on intelligence because it's
just the members and the executive branch inside a closed room. In addition to that you have jurisdictional problems. The executive branch will narrowly say, "these 215 programs on the Patriot Act, we're only talking to the judiciary committee about them," even though they're being conducted by the NSA, or "these overseas collection programs, we're only going to talk to the intelligence committee about them and not the foreign affairs committee about them," because they're the only ones read in. So you have a bifurcation of the understanding within Congress and a bifurcation of the expertise amongst the committee staff and how they're going to approach these issues. So unless we're going to talk about some very serious reforms where people are more willing to share, which the intelligence community hates, you're going to continue to have this problem of Balkanization of oversight, which leads you to a worse policy outcome.

Thank you for an incredibly depressing and cogent criticism of the state of affairs. A question in regard to the first half of your comments about the impact on foreign relations. You know, one point that's been raised, and certainly I know that this is a feeling inside of the administration right now, is likening the people who are complaining about surveillance of their leaders to, like, the captain in Casablanca who comes in and goes like, "I'm just shocked, shocked that there's gambling in here," like when really everyone is doing it or trying to do it. Like, should that impact the debate? Or is it frankly beside the point considering where we are?
I think that they have a point, right? Like the conversation that was leaked between our ambassador to the EU and our ambassador to Poland about how she really feels about the EU: that was not done by us, obviously. There are other countries out there that have the ability to tap phones and put those conversations out there into the world in a way that is damaging to diplomatic relations. We're not the only ones who are listening to people's phones. So there is a little bit of "everybody does it." The challenge for us is that we are perceived as holding ourselves to a higher moral standard, and so when we do it people are more upset. People expected it of the Russians. They expected it of the Chinese. I don't think they expected it of the United States, so we should be honored that they're that angry, actually.

It's also worth adding that, so we're held to a higher standard, and I think it's also partly that we're actually phenomenally better at it than most of the world too, both through accidents of history and also through kind of our drive to make it happen. But I mean, you know, just by accident a lot of the traffic of the internet routes through the US because we did it first. ARPA was the one who kind of put it all together to begin with, so that gives us a leg up over, you know, the Ukrainians if they wanted to try to build it.

And in the second, there is an element of jealousy in this, right? We spend more than any other country on surveillance. Our capabilities are better than everyone else in surveillance.
There's a little bit of, like, maybe if they could, they would too.

Well, I mean, I also think there is an irony. You know, I have a map in my office of where all the cables are that was left by my predecessor, and there's just like a solid red of pipes going through the US. There's nothing like that anywhere else on the planet. But I think that in part because of this you're gonna see that changing a lot, and in many ways, you know, going back to Richard and talk about the value of intelligence, we might have a situation where, by trying to over-exploit our privileged position, we're gonna be killing the goose that lays the golden eggs, and we're gonna see a lot of people routing around the US in a way that ultimately degrades our intelligence capability. But you raised a couple of other really incredible points. I really like the idea of needing to probably just assume that things are gonna leak, either, you know, 5, 10, 15 years from now, maybe faster, and having contingency plans ready for that. In terms of the difficulty of keeping secrets in the age of the computer, I highly recommend a book, mostly about WikiLeaks, by Andy Greenberg at Forbes, called This Machine Kills Secrets, the machine simply being computers. It's really a great book. You also, you know, talk about something that a lot of folks in DC are thinking about right now, including here at New America, which is: how do we build and maintain a pipeline of actual meaningful technical expertise in the policy-making process?
When we're basically, we're on the wrong coast and we don't pay enough and we're not sexy like Facebook. And it's an incredibly difficult problem getting, you know, the tech expertise in the room, which is why I'm so happy to have Micah here to bring some tech expertise into the room.

Thank you for including a technologist on this panel, and hopefully this won't be the last time that you do that. So I'm going to talk today about the implications to internet security as a whole due to the Snowden leaks. And one of the points I wanted to make from the get-go was there's this tremendous push, both publicly and privately, from the federal government over the last 10 years or so to really strengthen their cyber infrastructure. And one of the largest surprises to me, as someone who studies computer security on a daily basis, from the Snowden leaks was how much of our infrastructure relies on systems that have been purposely backdoored by our own governments at the same time we're trying to make those systems more secure, and that frightens me as an academic and as someone who uses these systems on a daily basis. So our infrastructure relies on these systems that we know have backdoors, and I think that there's been a lot of attention to kind of the sexier aspects of the Snowden leaks, but there's been too little attention to what's been going on in the crypto community, or what the implications are to the crypto community, because it's a little bit dry. But I think it's incredibly important. So one of the programs that's been exposed is Bullrun, and as part of the Bullrun project, really, the NSA has been trying to purposefully weaken encryption standards. And they've done this successfully. A case in point is a pseudorandom number generator, please don't fall asleep quite yet, called Dual EC, and this is why this is important. I promise I won't make this into a computer science lecture. If you're encrypting, if two parties
are encrypting, they need to come up with a good key, and if you have that key then you can decrypt the conversation. So the security of the system depends entirely on how good that key is. It's just like a door lock: if you have a lousy key, then the door won't... the lock won't be all that useful. So by backdooring a random number generator, and these are the tools that are used to produce these keys, what happens is we have very poor keys if you use this particular random number generator. So in other words you have the world's best lock, but the locksmith keeps on giving you the same key over and over again and gives that key to everybody, which means that effectively you have no security. So this is what the NSA did in a particular pseudorandom number generator called Dual EC. It wasn't viewed as... well, this wasn't a particularly popular random number generator. It was known to be flawed both in terms of its security and its performance. It was recommended as far back as 2004, 2007 to not be used. But it turns out through the Snowden documents, or it came to attention, I should say, that RSA in their BSAFE library used it as the default pseudorandom number generator. So what this means, stepping back, is that any system, software or hardware, that uses this particular flawed, backdoored piece of math is effectively vulnerable to wiretapping or surveillance. So it doesn't matter what the system does; if it uses it, then it's flawed. And this has implications throughout our internet in terms of our routers and our software and the systems that we use, because of the popularity of these systems that depend on these flawed generators. The NSA has come out, or not come out, it's been revealed, I should say, that they regularly have the capability to break SSL and TLS. This is the protocol that secures the web. Anytime you type in HTTPS on your browser, you're using SSL or TLS.
They have some capability to reverse that, so e-commerce, banking, encrypted chat, virtual private networks, encrypted VoIP systems, presumably like Skype, and they do so by doing things like forging digital certificates. And again, I won't go into the technical details, but this is problematic because at the same time academia and just security experts in general are really trying to move companies towards using crypto, because we view it as important. You know, things like HTTPS Everywhere is a wonderful project that the EFF runs, trying to get sites to adopt SSL so that, you know, when you enter your username and password, it's, you know, secure, in theory. These systems rely on the very systems that the NSA is purposefully and successfully trying to backdoor, and that's problematic both from a technical standpoint and from the standpoint of just weakening confidence in these systems. There's also an effort to not just attack the crypto but to attack the systems themselves, so programs like PRISM that taps into data centers run by Google and Facebook systems, or programs like MUSCULAR that taps lines between data centers. This is problematic because it creates an architecture where surveillance is part of the system by design. And that just means that our communication architecture is much more complex than it needs to be, because we have all these additional interfaces. We have the problem of not just securing communication between two parties. Now we have to secure communication most of the time, except when some other person comes in and taps, and that's okay if they're the right person. And just getting Alice and Bob, or the two parties, to talk to each other securely is hard enough, and we barely know how to do that. When you add the complexities of adding surveillance capabilities to these systems, you introduce by necessity vulnerabilities, because what you're doing by definition is introducing backdoors. And this isn't just a hypothetical problem.
We've seen these systems fail, like, for example, the Greek wiretapping scandal in 2004, where attackers were able to leverage law enforcement wiretap capabilities in Vodafone Greece to wiretap on the Greek Prime Minister for a number of years. Yesterday it came out that in Turkey there's this widespread wiretap abuse by the police. They are again wiretapping on their Prime Minister, again using these interfaces that are built in for the purposes of conducting the, always air quotes, legally authorized surveillance. I'm not a lawyer, so someone could tell me whether those are appropriate air quotes. So I'll sum up by saying that, as someone who teaches computer security and as a computer security person, we're not very good at our jobs. We have plenty of mistakes. Every day you can open the paper and read about the next target, the next vulnerability. We're getting better. We're building more secure systems and we're coming up with architectures that are inherently more secure. But at the same time, if our efforts are undermined by introducing backdoors into crypto standards or introducing additional interfaces that weren't originally in spec, that just leads to a much less secure communication architecture. And so if we're going to really be achieving our goal of making the internet a much more secure place, what we don't want to do is make it surveillance-friendly, because that is kind of the polar opposite in terms of security. What we want to do is we want to be contributing to the research and to the systems that make these architectures more secure.

Great, thank you, Micah.
I mean, this sort of goes back to what Ross was saying about the root of trust in the internet, and when you undermine the security of the internet you're undermining trust that the internet will actually securely transmit what you want to transmit. But we've also seen a degrading of trust, because of these interventions by the intelligence community, between the companies and the government. You know, MUSCULAR is a good example. This was the program to tap the lines between the data centers of Google and Yahoo outside of the country. And that was when the companies really got publicly angry, in combination with a few exploits of Apple products, where you had Microsoft basically calling the NSA an advanced persistent threat, usually a term reserved for like China or other state hackers, you know, Apple basically calling the NSA malicious hackers, and some not publicly sanctioned Google engineers basically saying "F you, NSA" for tapping our stuff. We've also seen a degradation of trust in the security community. This week is RSA, the conference of RSA, that security organization, and a lot of people have boycotted the conference or are attending a counter-conference in response to RSA's role in using this default compromised random number generator. And this is an issue that hasn't gotten a lot of attention, even though the NSA review group brought it up in a couple of recommendations. Actually, because I'm a nerd, when I read the report,
I then tweeted, "these two are my favorite recommendations, what are yours?" And they were 29 and 30, which were all about the importance of encryption, the importance of not undermining encryption, the importance of not allowing the government to mandate backdoors into products, and finally the importance of the government disclosing the vulnerabilities it finds, something that's often called a zero-day, a term for an exploit that has been discovered but not reported or that has not been widely discovered. So that's actually my question for you, and not to put you on the spot, and if you don't have a great answer, that's fine, but I'm curious what your thinking is on how the government should respond when it discovers vulnerabilities or purchases vulnerabilities on this gray or black market for vulnerabilities. Should the government be doing that? What should the government be doing with that knowledge if it has a hacker squad that's discovering vulnerabilities? How long is it okay for them to keep that a secret, or should they just disclose it to the vendor immediately so that we can patch our stuff?

Right, so that's a great question. There's a wonderful study by Mandiant on the APT group, APT1, the group in China that is doing something similar. So we know that other governments, and this, you know, should surprise no one, are building repositories or building up databases of attacks. So one of the least surprising things to me that the NSA was doing was assembling these different, particularly, you know, tailored, targeted attacks. I'm actually, you know, that doesn't keep me up so much, because those aren't persistent, or those aren't ingrained in our architecture. These are tailored attacks for a particular system. They're not backdoors into some crypto system that's used everywhere. Instead,
it's, you know, this particular flavor of some application; we know how to target that. So I think that there should be a balance, is the keyword, you know, there should be a balance of whether it strengthens our ability to withstand attacks from outsiders by disclosing these vulnerabilities when they're discovered to vendors versus keeping a few of them as, you know, weapons, if you will. And I don't know exactly where that balance lies. But I think that where there's a solid line is when you start purposefully introducing, either by interfering with the standards processes that happen with groups like at NIST when they come up with new crypto protocols, or when we build particular pieces of crypto or internet architecture and deploy them elsewhere. Those things that are ubiquitous and widespread I think are certainly well above the line of, you know, causing more harm and more danger to our networks than they help.

Thanks. So now I'm gonna address a few questions to the entire panel, and whoever wants to answer, has a good answer, throw it out there. And I think the first and most important question is: what do we do about this? Like, what's the appropriate policy response by government? What's the appropriate response by business? And on the policy response by government side of things, you know, an additional question. We've seen a lot of reforms proposed. They may or may not go anywhere. Reforms proposed by the president, reforms proposed by the Hill.
They all are mostly focused on the bulk records collection that is mostly impacting Americans' privacy, and don't do very much in regards to the so-called 702 authority regarding wiretapping that impacts people outside the country, and does absolutely nothing regarding the government's conduct outside of the country, like, you know, under executive order, that happens without statutory authorization or with FISA court approval. Is that gonna be enough to address the trust gap that we're talking about, and if not, what would? Transparency reporting? Like, what is gonna get us there? Well, or are we just screwed?

I'd actually like to take issue with something you said about 702 collection, which is that the president has made a very significant change to 702 collection, which has gotten completely missed in the press, which is that the kind of minimization protection of privacy that we have for American citizens, he has said he would like to extend that to foreign collection. And what that means is that for people who are not bad guys, we are going to take steps to try and protect your privacy. That is a major step forward, and everyone seems to have missed that, in part because no one knows what minimization is in the domestic context, right, because it's all secret. But it is actually trying to say, look, we can't do everything. We're not going to extend to you the same protections as we have under the American Constitution, but we are going to do something for foreigners. So we are trying to do something. But, and this is another problem, because we can't talk about the protections that we will put in place going forward, because everything's secret, it is very hard to resolve the trust gap. Even if they were going to change what they were doing on encryption, on zero-day exploits, on other kinds of covert programs conducted under other authorities, he couldn't come out and say, "I'm going to stop doing the following covert things." And even if he did, no one would believe
him, because the whole point of the intelligence community is to, like, do stuff that's illegal in the country where it's being done. So you will have a persistent trust gap.

I think that that's probably true. I think the U.S. government could personally give every child around the world a puppy and there would still be a trust gap going forward. But I think that that doesn't mean that the government needs to be doing some things to address the situation. Um, and I think that anyone who says that any one answer is a silver bullet is probably trying to sell you something. Um, I think that going forward we're going to need a huge combination of, you know, lobbying Congress, lobbying the executive branch to change policies, getting companies to implement secure, reliable crypto systems wherever is appropriate, and getting average users to understand their own security online, and educate people as to how to use programs like PGP and/or HTTPS Everywhere, in order to kind of get the most out of the security online that they can get. But I think it's got to be a multi-pronged effort. There's not going to be any one action that you're like, yep, we're done, go home.

I agree with Mika's comments about, you have a real problem because you can't be transparent about anything that you do to, you know, change... you can't be very transparent, anyway, about what you do to change, certainly, the surveillance of foreigners. And then even if you were, is that believable? So let's take a ridiculous hypothetical. I mean, if the president said, all right, from now on I will surveil no more than 50 Germans, and all of those Germans have to be directly connected to al-Qaeda, right? So no Merkel, nobody works for Merkel, nobody in the government, no random Germans. Would that stop the German
political system from the data localization pressures, or for the activism they're doing in the EU Parliament, or for, you know, the idea that there is still out there the big American brother that has the capacity to look over the shoulder at anything anybody's doing online or over the phone? You know, I just, I think to some degree the cat is out of the bag here, and we have to deal with the fallout as it is. I mean, we can affect some of the fallout on the margins, but when you're talking about the effect on foreigners, and policy changes that we can make with respect to surveillance of foreigners that would then affect their response, I think it's very limited.

So I agree with much of that. I would say, you know, the way I would think about that question would be, you know, what would it take to get someone to say, yeah, I want to store data in the United States, like, I think that's a really good idea? Because I think that's what, you know, basically we had before. And, um, I agree, there's no silver bullet. I do think there are some things we could do. I mean, I think, Kevin, those are my favorite recommendations as well from the report. I think getting, um, the U.S. government to be absolutely unequivocal that, you know, the policy is we support security, we don't degrade security, we don't, you know, stick back doors in, we don't promote bad protocols. One loss that we haven't really talked about is really the loss that U.S. companies have, in the sense that they don't have experts to go to, you know, these NSA experts in cryptography and security. They can't tap that resource, for two reasons: one, because they're at odds with what they're trying to do, but two, now they can't go to them because, you know, you don't want to be affiliated with that organization. It looks bad for your company to go there. So that's kind of a huge loss. The second area is, you know, really the idea of, uh, digital free trade. You know, you talked about this quite a bit.
I mean, this is ultimately the goal. When Europe talks about creating a German or a French cloud or a European cloud, I mean, that's basically, you know, digital free trade, but just for Europe. We want that for everyone. We want to be able to say, and I think it's reasonable to say, even if we still have surveillance, we have surveillance at the same level as the Germans and the Brits and the French, so you can, if you're concerned about where you store your data, you can at least store it with any of us, because we're all gonna, you know, have the government surveil you in the same way. And the third is the structural reform. Um, I think, uh, Mika, I think your point's probably one of the most important, that if we don't have this kind of structural change they were talking about, where, you know, in the future any decision that's being made about this is being made purely from the intelligence side and not from what's the economic impact, you know, going forward, we're gonna find ourselves here, you know, 10, 20 years from now, and that's what nobody wants. So how you change that actual part I think is actually very difficult, but if you don't get the structural reform, you're not going to have any, you know, lasting impact.

The best possible answer to your question, like, how do we get back that trust, is go back 10 years and do it better. It's like, absolutely, all of Mika's talk about the structural reform is necessary. And the fact that the intel people were the only people in the room making this decision, I mean, it seems obvious in retrospect that nobody else had any impact on that, um, is the reason that we're here right now. I mean, if they had just thought about it harder 10 years ago, we might not be here.

One of the things that they could do to restore trust is the recommendation, actually, the president didn't take out of the review commission, and that's separating offense and defense.
Yeah, we have NSA and Cyber Command, Cyber Command which is responsible for defense, together in the same organization with the NSA. And so companies that want to work on securing the internet and making things better are working with the exact same people who are, on the other hand, trying to find exploits and trying to undermine the security of the internet, for very strong national security reasons. But they are the best at breaking in, and then they're also working on securing. So it puts companies who want to cooperate with the government in an awkward position. To separate offense and defense would make it very clear to companies who wanted to cooperate with the government: we're not working with the offensive people, we're only working with the defense people.

So I think this issue has hit security researchers particularly hard, this trust issue. So NIST for several years have run cryptographic competitions where anybody from the world can come in and propose a cryptographic algorithm. It's openly reviewed. There's input from the NSA or really anybody who wants to provide input, and then, kind of in this open discussion, a standard is elected, and then people can trust the standard because it's been so well scrutinized. And what's happened recently is we've gone back and we've looked at some of these standards conversations and we've seen that, well, you know, this pseudorandom number generator that I, you know, harped too much about has been biased.
There's other things that have gone on with this. If you followed it, this SHA-3 hash discussion as to, you know, whether these last-minute changes have been, you know, influenced by the NSA. And really the problem comes down to trust, because you have so much expertise in cryptography coming from the NSA, and academics and security researchers, researchers in general, have to rely on an expertise to really well analyze a cryptographic protocol. We can no longer... well, it's more difficult to trust that expertise when we now know that they're funded to the tune of 250 million dollars a year to purposefully weaken the cryptographic standards that we have. So how you repair that is something that, you know, as an academic, and I follow this pretty closely, is an extremely difficult problem. And it really just, you know, the best solution has just been making this more open, and there's been pushes to move some of the standards work to Europe, which is probably not a good idea, certainly not from the U.S.'s perspective, but to figure out how we can do this in a more open standard and get the trust back from all this expertise that we have at the NSA. You mentioned kind of in your early remarks that most of the technical expertise in the country's in the West Coast. I'd agree with that, except for the crypto expertise, which I think is squarely placed in Fort Meade.

I have one more question, then we'll go to the audience, and it was actually a sub-part question, which is a good example of why you shouldn't ask multi-part questions. We've talked a lot about what the government should do. The companies: we've seen a lot of movement from the companies.
We've seen unprecedented things. We've seen Apple, Microsoft and Google sitting down in a room together and agreeing to do something together with five other major companies, in the form of this reformgovernmentsurveillance.com effort, where they've put forward a bunch of surveillance reform principles, and they've now hired a joint lobbyist from the Monument Group to help visit on the Hill and supporting the USA Freedom Act. They've been aggressively pursuing transparency reporting in an attempt to restore trust. We've seen a number of them acting very quickly to encrypt their, uh, data links. Many companies that had not had HTTPS turned on before are now finally turning it on. What else should they be doing, and do we think that what they're doing now is the effective path forward? Uh, they seem to be definitely trying hard to do whatever they can to restore the trust gap that's arisen, but I'm curious if there are any other ideas about, you know, what should they be doing.

So, good, I was just gonna say, I mean, I think it's also important... so they're certainly doing all the things that you mentioned. Um, I think that's a pretty comprehensive approach. But, you know, I do know that they don't think they're done either, and that the Reform Government Surveillance group that you talked about is, um, ongoing. It's growing. They're adding companies. I think, um, they added one just last week, if I'm remembering correctly. But, uh, they're looking for kind of other ways to be effective too. So I don't think they're sort of washing their hands and saying, oh, well, we did our part.
Let's go home. Um, and so, but as to what else they could be doing, I'll have to think about that.

I was gonna say, I think that the particular group of companies that you've talked about has been very Silicon Valley focused, and Congresswoman Anna Eshoo, who I've worked for, has been very engaged in the debate and has been concerned about tech's impact in these debates for a very long time, when she was on the Intelligence Committee, and has been very aggressive about that. But she's been a lonely voice. Silicon Valley's had a very standoffish attitude towards Washington, and part of it is engaging with Washington to explain what they do. But then this is also beyond Silicon Valley. I don't know how many of you saw the New York Times article earlier, it was in January, where they were talking about radio transmitters placed into computers. And it was interesting, one of the things they said was they are sometimes inserted aftermarket, sometimes unwittingly, and sometimes with the help of a manufacturer. Any company who is thinking about cooperating directly with the intelligence community on a particular program needs to pass the front, or think about the front page test, which the review group talked about. What does it mean for their stock price and their shareholders?
If it winds up on the front page of the New York Times or some other paper that they were in bed with the intelligence community to do this? No American company wants to be in the category of Huawei. And so from a company's perspective, as much money as the United States government might dangle in front of you, you need to think very carefully about what it means if that program were to become public.

So I think that's a really good point, and you talk about the money, and I think it's really interesting to think about not just the carrot but also the stick that the government probably comes to these companies, which is, you know, we don't have right now a terribly good sense of what the law permits the government to demand of a company vis-à-vis inserting back doors, inserting, you know, here's a chip, don't ask any questions, um, you know, don't tell anybody that I was here kind of meetings, right? So there's a huge vague area in the law right there that I don't think anybody has an answer to right now, and I'm sure the NSA is exploiting the uncertainty around that in some of those meetings, probably.

And that, I mean, that points to one thing we can add to the list, which is litigate more. Um, you know, we know now that Yahoo challenged the FISA Amendments Act predecessor statute, the Protect America Act, in front of the FISA court. We've seen other companies, including Yahoo, fight back on law enforcement stuff like access to email without warrants and the like. And we've now heard Twitter somewhat rattling its saber about the possibility of bringing its own case about transparency reporting and their First Amendment rights, presumably, hopefully not in the FISA court again. But anyone else?

I just had, on the internet freedom front, um, I think the companies clearly have played in the past and have a role to play in the future.
It's very important, whether it's to the Global Network Initiative or our other private sector efforts. But even more than that, I think the companies have a role to play in pushing the government out of its defensive crouch, which it has been in on the internet freedom front for a while, and it can't remain in forever. If you actually think this stuff is important as a foreign policy measure, then there has to be... they have to work, uh, to bridge what's going on between the government and the private sector in order to elevate this in the sort of pantheon of foreign policy issues that the government officials care about and that we're promoting abroad, and then figure out what role they can best play through stuff like GNI and other efforts like that.

I'd just say, um, you know, I think the companies can also work to remind those outside the country of the impact of some of the policies being put forth. So, you know, for example, uh, EU companies, you know, the tension here is that, you know, so a Dutch telecom, I mean, they might benefit from a data localization policy, right? But every other company in Germany that, you know, manufactures or that exports and wants access to the best technology, they suffer because they have to pay more. And you're reminding that there's these trade-offs. So when Brazil has, you know, again, you know, a data center localization, so they're maybe getting construction jobs, well, who's not getting them? It's their neighbors, right? And so reminding that there are these consequences I think is useful, that it's not this kind of static system, this... this dynamic system, and if you make one move someone else will make another, and let's play out what the consequences will be.

Great. Um, are there any questions from the audience? Quite a few. All right. We've got a gentleman with a mic who will, uh... please.

Thank you for this discussion.
Um, I have a quick comment and then a question, both of which are addressing the notion of adding cost to the discussion of the revelations. One is the initial comment that you're surprised that more people haven't commented on the costs before. If you look back at things like data breach laws and economic analysis short term and long term, often a very high economic impact long term turns out to be nothing... I'm sorry, short term turns out to be nothing in the long term. So for instance, a stock price might drop, but over time it gets back to where it was before. So it may simply be that the economists are waiting a while to see what the long-term implications are before they do their analysis. My question is that I haven't heard you discuss anything about the revelations in terms of the volume of data that the NSA is now looking at, and the costs to individuals in the sense that the number of false positives and negatives of their predictive analytics means that far more, orders of magnitude more, people are getting caught in a net they don't even know exists, and it may be preventing them from doing things that they need to do, because of this increase in volume.

Yeah, that's absolutely... I actually read an article two weeks ago, maybe, about a woman from Malaysia, I believe it was, who was inadvertently put on the TSA no-fly list, just someone ticked the wrong box at one point back in the, you know, 10 years ago or whatever, and she had to sue the government and went through, you know, months and months and months of litigation and who knows how many dollars to get off that list and finally be able to fly again. And all just because of a clerical error that the government refused to cop to. And so you're absolutely... that's, yes, there's absolute costs that come from just inadvertent mistakes when you deal with that much information.

And also the simple cost of that massive, massive data center in Utah that they just built.

Mr.
Elman right here.

Henry Farrell, George Washington University. I wanted to ask a question about a train wreck which is maybe coming, which is maybe visible at the moment, which is the European privacy directive, which is currently under negotiation. Originally, there was a clause which was going to provide U.S. companies with some protection if they gave information to the U.S. government for security reasons. That clause was removed after the Snowden revelations. Now the current text that has been prepared by the Parliament suggests that U.S. companies could be fined up to 100 million dollars or five percent of their global... or 100 million euro or five percent of their global turnover by European data protection officials for failing to comply with European data privacy law, which presumably would be the case if they did provide information to the U.S. government. What kinds of options does the U.S. have, or do U.S. business have, faced with this potential threat, if we see, maybe 18 months, two years from now, the directive goes through and the worst case scenario, for the U.S. at least, is realized?

Someone speak to the EU data protection debate?

Sure. I think the answer to that is that we'll have to wait and see what the European justice ministers of the individual countries end up saying to their Commission counterparts and their parliament, European Parliament counterparts. I have a very hard time believing that that provision will not be reinserted into the final draft.
It's such a fundamental piece of data protection and privacy law that when a government arrives with a legitimate order, a warrant signed off on by a judge, that the company is absolved of civil penalties for turning that over to the government. And so I would be astounded if that wasn't reinserted, and if it isn't reinserted, it will be ignored.

I think, um, a real cost to Europe of actually instituting that provision: one of the things that you could see is American companies say, okay, I'm not going to share the information. If I go into compliance, I'm not going to collect this information, I don't share with U.S. government. If it turns out that an American company had access to information about a terrorist plot and they didn't share it with the American government, they didn't share it with anyone, and people died, then I think the European privacy commissioners are going to say, at what price privacy? And you see this debate happening all the time in the United States: at what point are we willing to give up some of our privacy in the interest of security? And American intelligence helps people around the world disrupt plots. So I think they're going to have to figure out a way of getting around that, because the intelligence services and the host nations are not going to want the flow of data to stop.

Next question.

Hi, um, David Sterman, a research assistant here. I'm interested in whether there's any potential for increased transparency on the question of what the plots that have been prevented abroad are, and whether that would make any difference to the economic impact. The plots that have been referenced in terms of the 215 collections seem to have been overall debunked by a multitude of reports, and there are lingering questions raised by some reporting on evens of 702, and broader question of whether plots were prevented by that. Um, are those questions affecting investment, and can that be changed?

Yeah, I'll, um, take a crack at that.
I mean, to repeat something I said at the beginning, I think to frame our surveillance programs solely as a counterterrorism measure is the wrong way to think about it, and it doesn't reflect the reality of why we do the vast majority of our surveillance efforts. I mean, counterterrorism is an extremely important motivation for surveillance, and surveillance, whether it's been the U.S. or past the other, um, governments, has resulted in disrupted terrorist plots. But lots of the intelligence that we collect through a variety of means, including through electronic surveillance, is not aimed at terrorism. It's aimed at all kinds of other things: preventing non-proliferation, improving, um, our knowledge of, uh, political and economic affairs in a particular country, gaining insights into the decision making of foreign governments, multinational crime. I mean, there's a whole variety of reasons why the United States, like every other country in the world, engages in intelligence collection activities, and terrorism is just one of them. So I actually think, you know, insofar as the administration wants to frame this as, we do this so that we can stop terrorism, it's going to be a losing argument, because, you know, some of the stuff's going to be debunked, or people are going to say, well, do you really need, you know, to build this data center in Utah and maintain telecommunications records until the end of time, that every American, every text message I sent to my wife, you know, all of this is all about terrorism? I just don't think it's going to... it's just not going to line up in the right way.

A follow-up question on that.
I mean, I take your point that number of attacks prevented is not the ultimate judge of the utility of, you know, signals intelligence. There are a lot of reasons to do signals intelligence and a lot of benefits that can come from it. But at the same time, isn't terrorism the justification for the changes in the law that have allowed these programs? I mean, the Patriot Act was a direct response to a terrorist attack on American soil. Indeed, you know, the program that prompted the passage of the FAA, the FISA Amendments Act, the president called it the Terrorist Surveillance Program. I mean, aren't these programs being justified based on the supposed utility in countering terrorism?

Well, I mean, I think you have to disaggregate what's happening at home and what's happening overseas. I mean, that is not true of what's happening overseas. Surveillance overseas has been fair game, you know, forever, and we assume that the same thing is true with respect to other governments surveilling Americans of interest to them. And that was what I was thinking of more. I mean, to justify the surveillance programs, particularly of the overseas surveillance, on terrorist grounds, that is what I think is, you know, essentially a losing argument. It's a different question when you're talking about the bulk collection at home and the programs that have come into life since 9/11, which, yeah, you're right, were fundamentally rooted in the aim of disrupting terrorist plots. But I didn't get it, just sort of disaggregate those two things.

702 actually has three purposes for which surveillance is permitted.
One is foreign intelligence collection, one is terrorism, and one is WMD proliferation prevention. So they do talk about all those three. And then one of the other purposes for which, you know, other countries are seeking information on the surveillance from us all the time, and we'd seek this kind of data from American companies, is for legal purposes. If a country is going to try and prosecute some of its own citizens, they think, oh, we want to get the Gmail accounts of these folks who are running an organized crime ring in Sicily or something like that, they're going to come to Google, and there's an MLAT process by which they can ask for those requests. But to the extent that they make it more difficult for American companies to collect that and make it more difficult for them to share that with our government, what is the process for those countries when they want to go and prosecute their own people? There's a whole question about MLAT reform that we haven't even touched on.

David Sullivan with the Global Network Initiative. Thanks, Richard, for the shout-out to our work, which brings together tech companies with NGOs and investors and academics working on freedom of expression and privacy online. I also have a comment and a question. My comment is in response to the question of what more companies can do, and just to say that I think the more that the companies, particularly the Reform Government Surveillance coalition that's moving forward, can also work together with civil society and the strong grassroots kind of movements that we've seen in reaction to the NSA surveillance, the more effective they can be, both on the Hill and in the international debates on these issues. My question, though, which builds a little bit on the most recent comments, relates to the fact that most of the substantive proposals for reform that are being discussed here in the U.S. right now really relate to those programs concerning the bulk collection of U.S. metadata and the questions around the
constitutionality of programs surveilling U.S. persons. But the bulk of the worldwide concern, and indeed the economic kind of questions for the companies we're talking about today, relate to the surveillance of non-U.S. persons abroad. And my question for the panel is, how do we stitch those two things together, and how do we start to address those international concerns in the discussions that are going on here about what to do next?

So first, intelligence officials need to stop saying the Constitution ends at the water's edge, right? Like, it may be legally true, but it's not a helpful thing to say in the context of this debate. Um, and I think people need to talk more about what the president has proposed on 702 minimization, that we will extend similar privacy protections to people outside the United States as we do inside the United States, because we believe in the values of privacy, the right to be left alone. Um, people don't talk about that enough, because in the American media it's much easier to talk about bulk collection and the rights of American citizens, because frankly foreigners are not buying American papers or clicking on American websites or whatever, now that the newspapers are dying. Um, but I think that we need to talk more about what it means as we conduct these activities overseas, and there hasn't been a lot of ink.

I think, well, it's time at this point in the panel for somebody to disagree with someone else. I think I'll give it... well, maybe we'll disagree from different perspectives. I'll give it a shot.
Anyway, um, I think that there's some danger in mixing the so-called rights that foreigners, uh, sometimes invoke since the Snowden stuff happened against surveillance by the United States and the rights that actually do exist in America for people protected by the Constitution. When you start to mix the language, the way you talk about these things... you know, I was in, uh, Germany a couple weeks ago and Guy, uh, said, you know, everybody in the United States is focused on whether the bulk collection of the United States is an infringement on the rights that Americans have to not be surveilled by their government. Um, and, you know, we foreigners have rights, too. Well, where are those rights enshrined? Like, what document actually says that I, as an American, have a right not to be surveilled by the government of China? I mean, is there an international covenant? I mean, last time I checked there was. Says that you can't be surveilled by the government of China? Not in that many words, but... Well, but I mean, espionage is an internationally accepted international practice which has been conducted by nation states... Well, just because it's... beginning of time. Well, yes, that is true, but that doesn't mean that it's an, it's set depressed, in fact, it's against the law in every country. No. Well, it is against the law. If you find that the surveillance, I mean, American surveillance of Chinese is against the law in China, because the surveillance... But that's the same way, if we caught a Chinese citizen here, we're not going to pat him on the head and say, oh, well, I guess that's okay.
Thanks. Right, but we don't believe that we have some right that we are... we should be free, as, you know, government, our government officials, should be free, or must be free, of surveillance by foreign governments. In fact, our government officials believe that they're being surveilled all the time by foreign governments.

Well, but this is a difference of legality and policy, right? It's not in the Constitution that the foreigners have rights, but the United States is a leader in the world, holds itself to a certain standard, and says we believe these rights are universal and we think that they should be extended to others, and therefore as a matter of policy we will extend certain protections, not all of them, to people. That doesn't mean that a German citizen could come to United States and sue and say, you did not properly minimize collection against me under 702. They wouldn't have a right to do that. But it is a matter of the way that we lead the world to say to people, we were not going to do certain things against you, I think is something that this country should do as a global leader.

Do you think that foreigners have a right to not be surveilled by the U.S. government? I don't know. I don't think... what do you mean by a right? Because people to mean... I don't know, and I don't believe there is one. I didn't hear... and, well, but so there's inherent human rights. There are written-out constitutional rights that the, you know, the government shall not blah blah blah. And those are two very different things. I think the second one.
You're probably correct that, you know, foreigners do not, at least under current constitutional Supreme Court interpretation, foreigners do not have a Fourth Amendment right. But that doesn't mean that they don't have the first one, necessarily. I'm not saying that they do, but we need to define... But if there's a human right not to be surveilled, then we should stop our surveillance practices. Well, I mean, the question is how do you define surveillance, at this point. I'll go ahead and... I successfully disagree. All right.

There is actually a document that was published shortly after the Snowden affair, but that was being prepared before that, called the International Principles on the Application of Human Rights to Communications Surveillance, that was developed by international civil society to make the case and to articulate human rights-based principles around surveillance, regardless of where you are or what nationality. And basically reaching the conclusion, and you can find that at necessaryandproportionate.org, because a couple of the foundational concepts in human rights around surveillance is that it needs to be necessary and proportionate. And the basic gist of, I think, their argument, and mine, and perhaps Ross's, is that bulk surveillance of anyone is not necessary or proportionate, regardless of whether you're in America or outside of America. But, um, there's a wide, wide variety of opinion on that, and, uh, maybe we'll discuss it over a beer.

Well, it seems to me this is a part of a broader discussion that you haven't even raised here, that the government surveillance, as encapsulated in the NSA's activities, as part of the erosion of the privacy rights both in the United States and abroad by all sorts of organizations, particularly in the commercial sector, where enormous amounts of information is now being pulled into databases and analyzed. And I think the electronic research information center has talked about this. Privacy
International, which is based in London, has talked about this happening worldwide. To what extent do you think the feeling that I think many people have now, that privacy is slipping away in all sorts of forms, has laid the fertile ground in which the NSA's activities could take place and even be exposed without an enormous sense of outrage by the public in general? I know there's been outrage expressed, but by the public in general has been surprisingly, it seems to me, surprisingly accepted. You thought, you made reference to, oh, it's in order for us to have security, we have to, we have to give up certain privacy rights. So there is, there, I've had a conversation just last night with someone who actually said that to me. "Well, I had some family who were in, in the Twin Towers," she said, "and, you know, we have to give up some of our privacy rights in order to be secure." And I think this is, goes to, if you want to download the Apple app, you've got to sign the "I agree" to that about 50-page list of fine print. To what extent do you think we're, we as a country are now prepared to sort of give up much of our sense of privacy, both to security and to convenience, for all sorts of online activity?

So can I add a, is it permitted to add a question to the question? Because, I mean, this is a really important question, I think, and part of it, and, and I don't have the answer, which is, but everybody else probably does, which is, you know, we give up our privacy obviously not just to the government but to corporations all the time. And so when it comes to things like the bulk collection, one of the proposals for reform that has been put out there as well, the government won't hold onto the data, then, you know, AT&T or Verizon or whoever will hold on to the data and the government could subpoena the, and get this. And to me this seems, you know, I don't know if that's a perfect answer for a variety of reasons. I mean, one, at least in theory, uh, the government is accountable, right?
It's accountable to the Congress and to the, the law, and if you don't like the governing changed every four years, and, and, you know, you have an oversight mechanism, which could be improved or whatever. With, with private companies, none of those sort of built-in things, and if in the fundamental accountabilities to the shareholders. So do we want, uh, private companies to be the repositories of an indefinite amount of data going forward forever, that is then available for someone else's use? And I think that this sort of dovetails with the question this gentleman posed, because I think, you know, we, we look at privacy both from the government's perspective and from the corporate's perspective, and I don't have the answer to that, but I know you guys.

Okay, yeah, maybe I, I definitely think, uh, it is not preferable to have the, I mean, we do not want the government bulk collecting this data. We also do not want the government requiring the companies to store data that they would not have otherwise stored, what is often called mandatory data retention, which is something that there was debate on long before this happened, and a debate that we thought had essentially ended in favor of not requiring companies to store data for a long period of time on the off chance that the government may want to come calling for it. Um, and so I do think that the NSA using appropriate legal process, and I think that's a big debate about what the standards, appropriate standards are, uh, to obtain specific records in specific investigations from the records that the companies would be holding anyway is much preferable to the, to the current status quo and, knock on wood.
Hopefully will be the recommendation that the transition group that is studying how to transition away from bulk data collection is, is going to recommend, because if they recommend mandatory data retention, they're going to have a huge fight on the Hill about it, because the tech industry and civil society and many leaders in Congress are, are dead set against it and have been for over a decade.

I actually think that some of these consumer privacy questions are a red herring in the context of this NSA debate. I mean, a lot of people get really upset, like, why is Google reading my email to put banner ads on the side? And it's a free service, right? If you're not paying for the service, you are not in fact the customer, you are the products. And so if you don't want that, then perhaps you should pay for an email service where you are in fact the customer. There are very separate questions about what a company does and what their business model is for information that people voluntarily share with those companies and what the company can do with that, versus what the government can do with that information. A company is going to try and sell you some things, right? They're going to show you some ads you click on or don't click on, and that's it, and you can choose to buy it or not. The United States government with that information can stop you from getting on a plane, can put you into detention, or potentially could kill you with a drone. Those are very different consequences than what Google or Facebook would do with your data. You can also, you know, go to Facebook and look at their acceptable use policy or, you know, in theory, you can, you can read this information.

I hear a lot from, from people that privacy is dead, so, you know, why, why does this matter?
I think this kind of goes to the, the crux of your question. And I think that there's a, you know, I would agree with you that there's a, there's a huge difference between Facebook is dead because privacy has all, because Facebook has all of my information, versus, you know, there's widespread surveillance, bulk scale, on the internet architecture. And I think in the first case, you know, there has been concerted media campaigns to educate people, particularly youths, on, you know, exposing too much information on social networking sites. And, you know, to some degree I can, you know, I can cross my fingers and say, okay, hopefully I can educate my daughter that when she goes online, you know, these are the types of information you don't want to share with people or you don't want to share online. But what I don't have any faith in is understanding, you know, what's been hijacked in the internet architecture. So when the government does bulk surveillance, the way that it's currently been revealed to do this is to, you know, backdoor systems across the internet as a whole. And so in doing this, and, you know, the only reason we know about this is because of the Snowden revelations. So how we actually, I think the privacy risks from these commercial systems, which you can understand, and, you know, there, there is some level of exposure, to some worldwide surveillance system, which we don't understand and we don't really know exactly what the capabilities are, I think those are two very different things.

I would also, I think I have at least a hope that the premise of your question is not actually correct, and backed up by, I think it was a Pew study from about a month ago that showed that for the first time since 9/11, 2001, a majority of the Americans are actually believed that we need to rebalance in favor of privacy over security.

So I just wanted to add, I mean, I think the government response to your point has been very misleading.
I mean, you know, the president mentioned the State of the Union, big data, and in the context of, you know, does it relate to say, and I, I think that's, it's intentionally misleading because it's conflating two issues that are separate. I mean, the, you know, the government's basically saying, we got our hand caught in the cookie jar, nobody can eat cookies ever again. That's the, you know, that's the solution. It's not that we keep our hand out of the cookie jar, it's that nobody, you know. And, and so I think, you know, when we're talking about going forward, it's, it's fair if you have, you know, privacy concerns. But what the private sector does and the, you know, the rules and laws that it's held accountable for are, you know, different than the government, unfortunately, and

So this gentleman has been waiting for a while, and, but that's gonna, I'm afraid that'll have to be our last question, and then, then we'll be done.

Robert Treta, I'm president of International Investor. We've actually spent the last couple of months interviewing hundreds of boards of directors and security officials and others, because we do think this issue of quantifying the economic cost of this is very important. We're not sure we're right, but we, we have released the report, we, our initial report is proprietary, but next week we're making much of it available publicly.

Could you say the name of your organization again? That sounds very

International Investor, International Investor. And in short, we think there has been some irreparable harm here. And I just want to touch very lightly on, on one or two other things because I know time's short. When we interview these people, as you know, a lot of the boards of directors are international now.
There are no set loyalties to the United States. When they're discussing putting their next R&D centers, they're now looking at international sites with some of these questions in mind. Law firms that we're talking to now are very concerned about these issues. And what's driving all this is not, not their internal decision making, but their clients, their customers are demanding that they find a location where these very secretive issues and talks regarding their technologies, their research, their legal advice is, is really kept secret, as it should be. And I can tell you that you're going to see the economic repercussions for this unfold. So I would say that one of the questions is not just how much privacy will we give up in the name of security, but how much security will we give up in the name of the economy?

And on that note, perfect, perfect closing to an event that went frankly longer than I expected but was full of great content, in my opinion. So thank you everyone for coming. Thanks to everyone online for watching, and see you next time.