 Good. Hi. Welcome to CSIS. My name is Jim Lewis. I work here Today we're going to talk about MLAT reform, which is a topic that is Near and dear to my heart and I expect to all the panelists as well We have their bios on our website, so I won't go through them But what we will do today is the following I'm going to say welcome to CSIS Then I'm going to turn it over to David Sullivan to make some introductory remarks Then we'll have Andrew Woods present on the report and then we'll have a panel discussion that I hope can be interactive So feel free to ask any questions that might come up. I'll each each of the panelists to speak briefly Five minutes max on the subject and then we'll open it up to a back-and-forth. So with that, let me turn it over to David Good afternoon, everyone. Welcome. We're delighted you could join us today for the release of our new report data beyond borders mutual legal assistance in the Internet era and before we get started I just wanted to say a few words about the global network initiative So GNI brings together leading ICT companies with human rights organizations socially responsible Investors and academics around a set of principles on freedom of expression and privacy Grounded in international human rights standards We provide guidance for the companies that are on the receiving end of government requests that may impact the privacy or freedom of expression rights of their users and we have an independent assessment process that sort of Takes a look under the hood at how our member companies are actually implementing those principles and guidelines in practice equally important GNI brings together that diverse Membership to engage in shared learning and collaboration on policy engagement, and that's really why we're here today improving the legal frameworks that Govern requests for data across jurisdictions is a key priority That's really emerged out of our shared learning and we believe that Andrew's report Really off provides a promising basis for policy reforms And a mutually beneficial approach to mutual legal assistance reform So big thanks to Andrew for all the work that he's done putting this report together and for everyone who Worked with him on it, and I just wanted to thank Jim and the strategic technologies program At CSIS for hosting us today and without further ado. I'll turn things over to Andrew. Thanks Great, thanks David for the introduction and thanks Jim and CSIS for hosting us and thanks to all of you for being here to discuss The oh, so sexy topic of mutual legal assistance treaties I do think it's hard to imagine that if we had this panel 10 or 20 years ago that As many people would be in the room, so I'm glad to see that you're here I think it speaks to the timeliness of the topic I'm especially heartened that you came here given all of the other competing cyber events that are going on today I'm wonder if maybe the coffee is better at CSIS or you just wanted to check out the new building But I don't care why you're here. I'm glad you're here I want to leave the bulk of the time to get some feedback on the report and and to hear from you about your questions or comments on That on the topic, but I do want to make a few points and as a newly minted law professor I feel compelled to make exactly three points So the first that I'll address is why this topic now So I'll say just a bit about why we felt it was important to address the question of mLATs in 2015 Second I'll say a bit about the reports findings and its scope And then I want to end by just noting some of the things that are left out of the report that I think require further research and attention Okay, so why does this matter? Why mLATs in 2015? If you were a law enforcement officer in India or Brazil 50 or even 30 years ago, you could have done your job effectively without ever leaving the state's borders That's really not true anymore As we increasingly lives our live our lives online with data scattered across different jurisdictions Law enforcement as Gail. I think will probably tell us increasingly needs to cross Striction boundaries to get access lawful access to data to pursue and prosecute routine crimes The question how you get access in this in a lawful manner without stepping on another state's jurisdictional toes is the subject of the report and and the the view of the report is that the mutual legal assistance process offers a legitimate and Promising approach to dealing with these cross jurisdictional requests for data The gov the mutual legal assistance process is largely governed by a patchwork of bilateral and in some cases multilateral agreements between states that are known as mLATs or mutual legal assistance treaties But the regime that's made up of these agreements is as my economists my economist friends say suboptimal it's extremely slow requests can take months and in some freak scenarios even years to come through and There are a number of problems associated with the requests. They're often badly formatted or badly processed by the intaking state You might think that this is ultimately a good thing if you care about privacy You might think oh this means that states are not getting access to personal data and since you don't want states to get access To personal data, that's a good thing But that's a very naive view of the world right we know now that that mLATs are not the only way that governments can get access To data and in fact when the mLA process does not work Well, governments resorts to other tactics often less savory tactics So for example governments may attempt to apply their laws extra territorially In an effort to avoid having to go through the mLA process They might demand data localization storing some data within their borders so that they can More easily surveil it or take it And they may even resort to surveillance surveillance is not just a tool for governments to get access to things That they don't think they lawfully have access to it's also a tool that governments can sometimes use When they are just frustrated by the means of getting access to the data lawfully A few months ago. I was at a conference and I spoke to someone at an unnamed company That sells a tool that governments can use they buy the software off the rack for intercepting communications So I asked the guy have you ever heard of mutual legal assistance treaties and this big smile shows up on his face And he says I love mLATs because states are so frustrated with the mLA process They buy my software to get access to the data that they would otherwise have to Request through mLA and wait nine months for That to me is a terrifying prospect right not that the state is using surveillance to get access to stuff They shouldn't have access to but they're just frustrated enough with the legitimate means for getting access to data that they might do something like surveillance So the the key point there is to see that there's this hydraulic relationship between some of the deepest challenges to internet governance like debates over jurisdiction and debates over data localization and the the smooth functioning of the mLA regime So that's why we thought this would be a timely report What is the report aimed to do? The report to prepare the report. I'll just say a bit about the methodology. I spoke with The my co-panelists and I spoke with dozens of people at the law and policy teams at dozens of telecommunications companies internet companies That operate around the world I spoke to members of civil society groups in the global north and the global south Spoke to law enforcement agents at dozens of countries and a number of diplomatic officers And the report tries to take what is a very complex issue and identify some of the simplest things That seem to be wrong with it that we could address with simple tools So the report first identifies key principles that we think ought to inform Any reform effort and then identifies what are the lowest hanging fruit reforms that could be implemented by a government that that wants to take steps to reform the mLA process The key principles I won't go into these in any detail, but just so you know what they are The key principles are there are five Justified and proportional access governments ought to have access to data that they are that that is proportional to how much interest they have in the data and if the the The government's request for the data is in fact justified. So it's not enough to say We really want that data. It has to also you have to also make out the case for something like probable cause Another key principle is human rights protections Which have to be baked into the mLA process so that when the country requests data from another country They they are making guarantees that the data will not be used in a way that would be Violative of human rights the process needs to be more transparent than it is currently the process needs to be many more times more efficient and Just as important as increasing its efficiency The process needs to be scalable because I think we all agree That the number of requests for government to government assist us in in pursuance of personal data In connection with criminal matters is going to rise exponentially. I mean if the curve is like this I think we're right here and the the mountain is um is soon to to hit Okay, so these are some of the key principles. What are the key reforms? The easiest reforms the reforms that I think are Uncontroversial that can be implemented by governments starting tomorrow are the following three The first is to make this process largely electronic Which means using forms for uniform requesting format provisioning of evidence in a digital format Much of this stuff already exists, but only in certain One-off scenarios So one trusted member of one government working with another trusted member of another government might create a smooth pathway But there is in no way a uniform and consistent way for for managing mla requests in electronic way electronically the second thing that needs to happen is we need considerably more Manpower more manpower dealing with mla so better staffing and this is something that any of you who work in doj know well Right, there's just there are not enough people Managing the incoming requests to process them efficiently The last thing that needs to happen is mla training and this is true for both countries that request mutual legal assistance And the countries that receive incoming requests for mutual legal assistance, right better training would make the process go Much more smoothly better training meaning when you make a request for data from another government Make sure that you have stated for example that you have probable cause if you're asking for data If you're asking the united states government to compel a company that's in the united states to produce data You need to not only articulate why you want the data, but also that you have probable cause for the data Lots of requests get kicked back or are delayed needlessly because the people who make the request Or the people who process the request just haven't had adequate training to to To make the process function smoothly Okay, so this is what this is the largely the contribution I think the report makes is to identify these very simple and uncontroversial reforms to the mla process Reforms that i'm sure some of you in the room already are aware of There are a number of things that the report leaves out and I just want to highlight these before I turn to my co-panelist for feedback Um, it's hard to know even where to begin what the report leads out because this is such a huge and complicated topic And in many tapes take in many respects. This was a simple take on a relatively complex topic Um, but let me just say two things that are mentioned in the top in the report But which I think deserve more attention then i'll just discuss two things that are not at all in the report But are merit further attention The first thing the report touches on but doesn't spend enough time dealing with is international agreements To guide this process right the the mla process is the largely result of mutual legal assistance treaties international agreements And those agreements could be reformed in a number of fruitful ways That reform may take a while which is it's just not the lowest hanging fruit Which is why the report doesn't spend as much time on it as the reforms. I just described but Implementing mutual legal assistance treaties where they don't exist and reforming them where they do exist is a is a critical project that merits further attention The second thing that I think merits further attention is the devising of plural lateral or multilateral treaties to address Sharing of the government to government requests for personal data This is something microsoft has pushed for it's a very ambitious project to think about what a global or regional agreement Or regime would look like for managing these requests And there are costs associated with it, but I think it's worth thinking ambitiously about what such a regime would look like Both of them those these things are mentioned in the report, but not fully fleshed out Two things the report leaves out completely, but I think are critical to this conversation are jurisdiction the state's jurisdiction over what kinds of data it can compel and Dual criminality or conflicts of laws So jurisdiction the report really only focuses on what happens once you decide that a state must ask another state for Assistance to compel data. It doesn't tell you What are the boundaries of a state's authority to compel the data directly, right? That is a huge open question about which lots of people disagree the report doesn't touch it in many respects It's the elephant in the room. I don't expect it to be resolved anytime soon I think we could have a fruitful conversation about the smooth functioning of mla Assuming that mla needs to happen because we're talking about government to government interactions But this question of jurisdiction is a big one and it's worth spending a lot of time thinking about The second thing the report doesn't talk about but which I think needs to be a great deal of research needs to be done on Is the deeper question of dual criminality or conflicts of laws So the the deepest most intractable problem of mutual legal assistance in many ways is when two countries just disagree about What's illegal, right? So if for example a french government the french government asks the us to compel Ask the us to compel a company to release data in connection with speech. That is a hate crime Punishable in france, but not in the united states. How do you resolve that tension? How do you create a regime that resolves that tension in a way that is Satisfactory to the values of the united states and the values of the french That is a deep intractable problem that this report doesn't doesn't attempt to solve and I think Merits for their attention But those deeper problems we can set aside for now and one of the one of the compelling things to me about this report is that There are so many Non-controversial non intractable immediately actionable things associated with mla that we can all agree on that we could implement tomorrow And i'm hopeful that we'll we'll get some feedback on on what it would look like to implement those tomorrow From the panelists. Thank you Great, thank you andrew I'm going to moderate what i'll do is quickly Introduce the panelists I'll note a couple of things that might be worth bearing in mind when you talk about this and I think andrew touched on them There's this concept called sovereign equality, which is basically that we're talking about sovereigns cooperating with each other And under international law sovereigns are equal, so you can't compel people to do things You can't compel them if you want to invade them or coerce them or stuff like that But we're not going to be doing that for amlats You have the tension between sovereignty and universal rights One of the big changes and this is where we're interested at csis is In the last couple of years countries have discovered sovereignty and how it applies to cyberspace or the internet or whatever and countries are looking for ways to Extend sovereignty But what we don't have is good ways for sovereigns to cooperate and this is a Premier example, even though we have things like the budapest convention Um, which some countries like and others don't We have the alleged shanghai cooperation organization and they have an agreement So there's multiple models out here for how to do this, right? And hopefully we can get into some of that because I think at the end of the day It is how you're going to accommodate Sovereignty on a global network And at the same time take universal values into account that will be so important when we don't have political agreement And I think that just touched on in the report, but that's one of the fundamental things here We don't have political agreement on how this new thing should be governed how sovereigns should cooperate We have four respondents Um, not in order on my sheet, but uh, I'll read it anyhow We have gail kent from the uk national crime agency. She'll be giving an international perspective We have, uh, nicole jones from google who of course has a big interest in this stuff sarah sink vinson from cdt the center for democracy and technology um, my favorite, uh, privacy organization and probably Probably one of the best if not the best And then frank tories from microsoft who will talk about their views. So we've got two companies, uh, one government And one, uh, civil society responded to make it easy. Why don't we just go down in a row and start with, uh, sarah And that way it'll be easier to keep track. So sarah if you could talk for a few minutes and then we'll go down Sure, um, I would like to echo what andrew said that as an international lawyer It just makes my heart glad to see this many people in a room to talk about treaties Um, although one thing I want to stress from the start is it's what we're not talking what we're talking about is really not Treaties we're going to talk about individual rights and I think that's really key to keep in mind as we proceed Um, but first I want to say congratulations to both andrew and gni on an excellent report if you haven't read it I would strongly recommend it. It's very clear very well done and as andrew has highlighted It really pulls out a couple of Not easy but straightforward doable reforms that could be done within a year that we think are are quite Not simple, but as I said certainly doable and extremely important Uh, we were part of the consultation process that led to the report and that was really a privilege Just as it's a privilege to be here today Uh, I should say that I think like many in civil society as of about maybe seven or eight months ago Mlats weren't really on our radar yet. Um, in fact, my colleague greg nojime and I looked at each other as we were doing some strategic planning And we said Mlats we wrote it down with the question mark because we didn't really know what they were why they were important We had heard of them. We understood that they might be significant in some respect But as we started to study the problem, we realized just how important it was And I think we weren't alone in civil society in coming to realize That these are really key to guaranteeing individual rights and that the problems that arise Because of the broken nature of the system are really pretty severe Um And so I think one of the things that really kicked this off for us and helped us to understand the import of this issue Was the microsoft ireland case, which i'm sure others will talk about for anybody who's not familiar that case involves A us effort to have a us warrant reach into ireland to get data stored on microsoft servers in ireland So basically an attempt to issue an extraterritorial warrant Um, so that along with the gni consultation really Kick started us helped us understand how important this issue is in a world where as andrew has said In his report evidence is basically internationalized This is just where we are today Fortunately as we started to look into this and really to work with it We discovered that mlats and the problems that are arising from them are not that difficult to understand Um, here's this process. I mean, it's one that does have a number of shortcomings Which i'll get to in a moment, but it provides a lawful way for states to obtain evidence from one another. There's a clear agreement It's written down. It's published. You can look at it very transparent Um And it does so in a way that has full respect for binding laws of state sovereignty Which is really the bedrock of the entire international legal order and incredibly important Um, and I think mlats are also key to advancing a set of human The set of human rights that we in the u.s. Think of as due process and then europe tend to be more described as fair trials say I So I want to be clear that we think that in accordance with international law us warrants Don't and shouldn't have extraterritorial reach. So we think going through the mlats process is really The only way to go. Um And this is one reason both the microsoft arial in case and the mlats issue in general are very important to us I of course when we went out and spoke to people in the industry and to doj and to other Society groups we quickly learned that mlats as this report highlights are urgently in need of certain reforms in order to be effective in a world where requests for electronic data, especially electronic data stored in the u.s Are just ballooning and accordingly the work for for doj and other entities that handles handle these requests is ballooning Um, and we think the gni report highlights the most important of these reforms very effectively Especially when it comes to need for basic things like an electronic request system a tracking system So law enforcement in various countries can see what happens to their request after they've made it A standardized form available in the six u.n languages at least all these things that kind of seem Intuitive, but haven't been done yet and also. I think the report is right and highlighting greater transparency across the board I think that will help everyone including individual users to have more confidence in what's going on I I do want to point out that the mlats process is not available to defendants It's only available to the prosecution and that is a really serious shortcoming of the system And I think the The report is also correct to point out that if we can manage to get new or revised mlats or an updated process It needs to include human rights protections explicitly Some of the mlats some of the treaties when you look at them They do have some protections that are implicit for example I think there are some treaties that deal with the type of scenario Where a country is requesting materials that in the u.s for first amendment reasons We might not disclose But there's a whole range of human rights protections that relate to prosecutions and trials that really ought to be In these treaties or in the relevant agreements And then I think we would add also that we support a warrant requirement for mlats requests No matter That reach the u.s Or sorry that originate in the u.s as well So right now if you have a request coming into the u.s from another country A warrant has to be obtained from a u.s court But if you have u.s authorities requesting data from another country They don't have to go to u.s court and get a warrant first and we think that they really ought to have to do that So again, we think warrants are a wonderful tool and really a necessary one And to add to that we support a warrant requirement for all third party disclosures of electronic data So i'll just say that this is something that's coming up in relation to a bill called the leads act It stands for law enforcement access to data stored abroad Senators hatch coons and heller have proposed that And the bill would do that it would it would basically require Require companies to require a warrant before they disclose data to any law enforcement authorities to any for any reason And we think that's Something that everyone should strongly support So I know I've highlighted a few shortcomings of mlats as they're currently written But we agree with gni that ultimately everyone benefits from a strong human rights protecting mlats system As I'm sure someone else will highlight at some stage This is really a rule of law issue and as I said really an individual rights issue all states benefit all users benefit and that's really key So when we were doing our own consultations on this issue and as I said we spoke to People from private companies we spoke to doj. We spoke to other civil society organizations We found almost universal agreement that the current process for handling mlats requests in the u.s Is subject to huge delays. I saw something about an average of 10 months for a response And that it's not really that it's anybody's fault, but it seriously risks undermining the whole enterprise And so we have doj has asked for extra funding for this process and we strongly support that call for extra funding We've written to congress and led a coalition of ngo's In calling on congress to provide that extra funding. It's not just for doj But it's also for some associated entities that tend to wind up handling this request and we think that's really key And I want to mention we're also concerned about the risk of data localization That might arise from the current inefficiencies in the process in other words one of the Things that countries might do So if we don't have a well-functioning mlats process and they're facing huge delays in getting data Including from the u.s. We're worried that those countries some of them may just turn around and require the data be stored in their own borders And that certain internet processes take place within their own borders and we think that that would be hugely complicating for one not very human rights promoting either and not something that we want to see Uh, I know the gni report has highlighted this problem. And I think it was absolutely correct to do so I and maybe I'll end by saying that we're very happy to see that human rights are actually very central to what the report says Because we agree that these things are critical not only for ensuring fair trial rights, but also for protecting free expression freedom of association The right to privacy all of that from start to end of this process And so we were glad to see the report say that any reform that doesn't comply with human rights won't be adequate because we fully agree With that with that idea So i'm looking forward to responding to questions, but thank you. Thanks, sir Since we're going down the line. Do I get to critique my own report? I was thinking about that and you could but maybe we'll save that for the uh, how about it for Nicole goes I would hope you would applaud that Thank you very much. Uh, my name is Nicole Jones and I work for google and i'm law enforcement and security council And that is sort of a split role where I deal both with incoming requests for the disclosure of data via lawful legal process As well as protecting google And the privacy and security of our users data and corporate data And in those roles the imlat issue it comes up really on sort of both sides And as others have mentioned it's very exciting to be in a room and in a time where People are starting to look at imlat and care about it because this has been an issue for the providers like google for years We've been dealing with the situation with imlat and the responses we get when we tell requesting jurisdictions that they need to use the Imlat to obtain data and it puts providers in a difficult position and so we support The findings in andrew's report that countries need to work together to improve the imlat regime so very thankful that that andrew did this report and that g and i is publishing it and Hopefully that's going to start a dialogue and as andrew mentioned Several of the things in the report are common sense easy Things to accomplish low hanging fruit that hopefully this conversation is going to get some of those things started One of the the points that andrew made in his report that i i'll start with is It's it's sometimes easy to to think you know data disclosure is always bad and should be prevented But we can ignore that there are legitimate government interests for legitimate criminal investigations and public safety That are going to require the disclosure of data sort of cross jurisdictions But the thing is we can have that and we can also have a regime that respects that various countries can have Interests to varying degrees in the same data that need to be recognized and honored And that we need to consider user privacy and human rights all at the same time And i think that the report shows that this is something that can be accomplished We just have to be thinking about them holistically The providers uh the companies like google and microsoft We're definitely part of the equation. We're holding the data that is often that issue in these cases So we're part of it But we're stuck in the middle. We are not governments. We do not sign on to treaties We can't force other countries to comply with their treaties obligations So we're stuck in the middle and That's why the companies and google are very much in favor of reform or improving the imlat regime And making some of these fixes come come into order so that the process has a framework and clear guidelines and transparency So that everybody knows what's going on Um The white house is actually committed to improving Imlat from the united states perspective and we applaud that and think that's great Some of the things that have been mentioned is expediting the reviews because if you ever talk to anybody Who's involved in the imlat process the the very first reaction they will have is Oh it takes forever And the belief then is that it's a waste of time to even try And that needs to be resolved and the imlat procedure For a lot of countries is still back in the era of ribbons and almost like blood seals and definitely andrew's focus on On sort of using new technologies and electronic forms would go a long way and then finally trainings OIA and doj are working on sort of going out and having outreach to countries about how to do a proper imlat So that it doesn't get bogged down in the process And we definitely support that and hope that other countries will also prioritize that as well I think we would also say though that the so the us is hopefully going to be leading by example in in the imlat improvements But also needs to be leading by example in reforming surveillance laws So akba right now it has but reforming akba has bipartisan support Hopefully we're going to get it across the finish line this year. That would be it's it's huge reforming national security laws like the usa freedom act Those types of things are really important and I bring them up in this context Because it does have a relationship It is not at all true that google has given the us government or any government direct access to data All data disclosure requests are handled individually on their own merits But the misperception That the united states government has some sort of unfettered access to data is leading other countries to feel Well, they need that too and to pass ill advised laws of their own That are broad surveillance and moving us backwards from where we need to be with reforming these laws and not enacting new ones That are just going to cause more conflicts of laws. So hopefully One of the results of this will also be reform of the us laws I think the One thing that that people ask me is Why do you support improving the imlat regime? Because as a result of that it's possible that more data is going to be disclosed And that is true But our belief and I think sarah and andrew have both touched on this is that Improving the the imlat regime is really in the end. It's pro user It's better for everybody to have a clear process clear rules Transparency about what's happening so that everybody knows what's going on and we can all have a like informed educated conversation about it And the the things that happen when you don't have a functioning imlat regime They've been mentioned so I won't go over them again But you know data localization Laws are a huge problem Laws that are purport to have extraterritorial reach. We're seeing that from a number of jurisdictions You can also have the complete opposite blocking statutes where countries actually want to block any any disclosure of data which leads to more conflicts And one it's something that I don't think andrew or sarah touched on in addition to also more aggressive attempts to access Data covertly which is definitely not good for any of the parties involved Is there's also increases pressure on the companies? So we definitely feel strong pressure sometimes from governments for a data disclosure And the companies get stuck between a rock and a hard place where we have to comply With us law, but then there's conflicting laws and it's very difficult for us and countries sometimes respond by trying to block our services by threatening in-country employees with things like arrest or detention and Those types of results aren't good for the companies. They're not good for users They're really not good for anybody involved and all of these things right now are happening to a certain degree And so that's one of the reasons we really support the concept of Improving the imlat regime to hopefully hopefully stem the tide of that and start moving in a more positive direction Thank you nicole Thanks, Jim. Um, so my name's gale kent. I come from the national crime agency in the united kingdom So I'm a law enforcement officer and I've worked in uk law enforcement for 15 years Specializing in organized crime in a particular in International crime So first of all congratulations to g and i on this report I think anything that gets imlat to be discussed is a fantastic thing and also congratulations on getting a first panel that's half men and half women Because I haven't been in one of those before And so what I was quickly going to do was talk about the problem from a law enforcement perspective And then mention a couple of solutions and then lastly say Probably most controversially why I think we also need to go past the imlat. It's not just the only solution I mean the first thing to say is that you know, we have to recognize the law enforcement and state access to Internet data is part of a much wider debate About how we use the internet about government control of the internet, etc So it's very much fits into that Into that framework and I think we have to all recognize that including law enforcement in terms of having the debate and the second thing That andrew sort of mentioned Is just about the way that crime looks nowadays now. I say I've focused on international and organized crime for 15 years But actually all crime is now international because it has an electronic element And that can be everything from cyber crime where the event where the the crime is absolutely just taking place on the internet To where you have crime where the evidence is being transferred on the internet and that can be email instant messenger on social network Whichever way and and that can be a variety of different types of evidence from i'm going to kill him to The fact that two criminals are in In correspondence with each other and then lastly you have crimes where the individual And that might also be the victim has a digital profile and also that and often that digital profile particularly if you're looking at victims of abuse whether that's domestic violence or Child sexual abuse or people that have gone missing that digital profile is really important because of that digital element of all crime Basically, you're now talking about all crime having an international element because that data is not stored Within the jurisdiction where that individual is and that is causing us a huge amount of problem so if you look at The amount of requests that the uk makes for communications data generally annually it's law enforcement We make half a million requests Every year and the vast majority of those are for crimes that are Or not even crimes they're for identifying where missing people are we're vulnerable missing people are where people are Victims of abuse and that can be child sexual abuse or it can be things like cyber stalking We like most countries have had an increase also in cyber bullying where the police are being asked to being involved but it can go up to Those requests will also cover more serious crimes like rape like murder and up to terrorism and the organized crime that the I look at And doing some quick maths on the but on the back of Of notepad only 1% Of the requests that we make for communications data are actually for that level of terrorism and serious organized crime the vast majority are for For public safety or for the more generic crimes that you'd expect your local law enforcement to be looking into And I think in in looking at this debate. We absolutely need to to recognize that as well And and whilst there is undoubtedly more data There's a greater supply of data I think also when people know that that data is available so they know that their child has been on the internet talking to somebody Then they also expect That data to be used in terms of resolving that crime and that is part of the problem that that we are undoubtedly facing So I think in terms of like the solution absolutely and As andrew said he talked to all the panelists Before writing his report There are some very low hanging fruit and there's much that we are doing and that we can do in terms of speeding up the process Recognizing that m lat was Written for a much slower age when things had to be done by post And certainly in the uk. It's one of the things that we're looking at. How can we have an electronic m lat? system Equally, you know education is a really important part of it. We train our officers in our own legislation We don't train them in recognizing what probable cause is and there are whilst I think in in In countries that um, they have a very clear Human rights framework and very clear rule of law That probable cause exists in some sort of format How you write a request that covers probable cause compared to necessary and proportionate which is our Framework is slightly different and that does mean that you hit Barriers when you're trying to make when you're making a request for mutual legal assistance And equally I think staffing is is a big issue because if you look at the number of requests that the uk makes of Of the companies outside of m lat so for for basic subscriber information That's about 30 000 a year if you're going to then increase that number and expect to be looking at A request for content then Undoubtedly you need to have the staff that can support that and I know that as nicole said that's something that That the white house and the department of justice has asked for funding for and is doing But I think we also need and and you touch in this report as well We also need greater transparency for what you can get outside of m lat because m lat isn't the only solution All of the companies do most of the companies do provide Some non content out of Outside of m lat and I think that's really important when you're looking at the sort of crimes I touched upon because you wouldn't expect if there is a missing child or you're dealing with child sexual exploitation or there's an imminent Terrorist threat to have to go through mutual legal assistance Nor I think would you expect to use the the full weight and administrative process For mutual legal assistance for something that doesn't have the same weight as as content And I think one of the things and you do mention this in In the section on improving m le is getting absolute transparency so that law enforcement does know what it can get under its own legislation By talking directly to the companies and I think that level of clarity is is really Is really important And then sort of but lastly I said I think we have to go past mutual legal assistance And I think we have to look at what an international framework would look like And an absolutely one that that complies with with all the principles That you've talked about in the in the report, but I think that's really important for For two reasons and one is you know, if I send a message to To my husband and using this device I have five different ways I can do it I can send him a hangout message I can send it via scape chat I message all of them or I can just send him a normal text message Now if I'm a criminal doing the same thing And in the UK if I use that text message I can go to my court and I can get a warrant to ask the company for that content of that text message Assuming that I am that I've gone through the I've proved that it's necessary and proportionate, etc Why do I have to get a US court to agree the same for a different For exactly the same Content because it's used a different medium That is you know, that is one of the sort of like the strangest concepts that I can see within within law enforcement It's not to say that international human rights shouldn't be the absolutely most important thing And I completely agree with that and it's what I live and use every day But I should have a process that that respects my legislation, especially when that legislation Had you know has Is up to those international standards of human rights? And I think we have to get to the stage that we're not trying to debate where the data is No, and it's not where the data is based on where the company is Is incorporated it's not where the data is because of where it's stored It's not where the data is because the terms of reference It's having a framework that that recognizes that governments and and andrew says this in his report Government do have a legitimate interest in data of their own citizens Committing crimes in their own country against against other citizens of that country and where that that data can be obtained in a much simpler and more straightforward process Thank you Thank you Frank Good afternoon. My name is Frank Taurus and I'm a senior policy counsel with microsoft I came to the company working on privacy issues and in the aftermath of the snowden disclosures Kind of got pulled into the government surveillance issue And so all of these things start to to come together First of all, I really want to thank jim and csis for hosting us today and to david and G and i the global network initiative for really bringing us together around this important issue And thank you andrew for your work on on an excellent report I think it will be instrumental in helping to get more attention to the issue and provide us with a Strong framework for for moving forward. It certainly lays out the challenges It makes the case for for modernization as well as providing that that course of action And I think I'll join the course of a voices that you heard up here I would say is as long as two years ago if you were to ask ask me if I'd be working on Looking at how to improve the mlatt process. My first question would be mlats What the heck is that? um And it's still interesting to see how people try to Come up with what the acronym actually stands for You know, I'll get a mail. Oh frank. Are you working on that? You know mutual legal aid? stuff So, uh, you know, but look at where we are today and kind of look at how we got here I'm certainly the internet. I think has surpassed all of our expectations and into how people In this now network society Kind of rely on it as as an instrumental tool as part of their lives And certainly part of how business gets conducted now no longer within countries but around the world And You know as we talk to more people about the issues. It's it's It's somewhat fascinating to see You know companies both big and small Become very interested in kind of the government surveillance issues and what it all means Because even if you are a small company now Your goal your aspirations is is to have an international reach or you already have one You know, that's the power of the internet and that's that the beauty of in what we all get get excited about and want to improve upon and so you know that then we look at over the past 24 months and and The situations that have occurred kind of the acceleration of events that touch on the safety aspects the privacy aspects The free expression aspects of the internet from the snowden disclosures to the cyber attacks on sony To the recent tragic events in in paris And what these events, you know highlight is, you know, both You know how we should be looking at this issue from a public safety national security perspective But also from a civil liberties in privacy perspective And and how do we bring these two together? Um, you know, what it shows us we think is the need to Look at the laws the existing laws and and perhaps adapt them to the technology that exists today Including modernizing existing processes like that of the mlats You know the legislation and legal process has not matched really the pace of the technological change And so that's why we joined a group of companies including google and yahoo And facebook around what we call the reform government surveillance coalition That is calling for a change and a modernization of some of the Existing laws around government surveillance and one of the proposals that we put on the table and the principles that helped kind of Form the bedrock of this group is improving the amlap process Which kind of recognizes the need for a rule of law that governs You know how law enforcement agencies and governments Around the world Can do their job and collect the data That they need to do their job, but let's have a rule of law. And so that's what we think You know all this work kind of really makes clear Is that we need solutions that will enable the rule of law to work well And more routinely across national borders and I think all of the the respondents today have touched upon different aspects of that Um because companies shouldn't find themselves in the middle of this debate This is the time for dialogue the time for discussion the time for governments and the public And and the interested stakeholders like companies to come together to to sort out What's the path forward in this new kind of global digital age? Um So we need to make the current processes work better and we have that opportunities With the mlats and as the report calls out kind of the the notion of modernizing the mlats That the why's in the house and and what we need to do to make that happen um, and so that's why we you know support what Support the report and its findings. Um, it's certainly consistent with what we have others have called for And it will help move the mlap process into an era of electronic communications. Heck, we use it for everything else. Um, you know my my That that that that that that that's that I used to take my dog to you know are all electronic They're all very efficient if we can do it for that Um, you know very important thing for those of us that have pets. Um, why shouldn't we have the same sort of process? Processes and use utilizing technology in all the right ways for something as important and as vital as um the mlap process um So we agree with all of that and I won't repeat what what's in the report We certainly agree with all of that. Um, but we also agree with The comments that that gill made that you know, perhaps we also ought to think about you know going beyond just the mlats And the report lays out, you know, some of the rationale for taking a look at An international treaty or convention. Um, you know that that might be uh, you know kind of a long term A solution that will help Drive a public dialogue and create even greater uniformity and address some of the issues That that are currently on the table or our general council brad smith spoke about this last week in brussels And I would recommend his remarks to you they can be found And I'll just do a plug here for um where you can find it because I do Recommend them to you. It's just that you know at our microsoft on the issues blogs. It's blogs dot microsoft dot com Whack on dash the dash issues um, and he talks about You know the importance of Public safety and personal privacy And forging, uh, perhaps to begin with a new transatlantic Set of legal rules that would better You know help with defining the rules Of law for law enforcement with the appropriate safeguards to obtain the information needed for lawful investigations across borders And you just outline some different aspects of this You know being able to provide a mechanism for Directing legal service on on data center operators Then having a nexus between the country issuing the order and the sort of information that they're looking for A clear standard for issuing that order here in the united states certainly rely on the probable cause standard Making sure that there's transparency oversight and accountability And um as other folks have commented, you know the need for the respect of human rights And that needs to be part of this process as well So, you know, we think that you know that there are some um, you know, this isn't An easy process we we recognize that when it comes to international conventions, but If smart people come to the table and start to work through these issues that while difficult, we think these challenges aren't insurmountable Again, thank you CSIS and g and i for this opportunity and look forward to the discussion. Thanks. Great. Thank you frank Uh, andrew this is your chance for some brief. Uh, it's hard to see what you're going to disagree with Yeah, give it a try Um I jeez. I know I was expecting much more pushback. Um, I guess I'm I'll embrace your embrace. Um I do think it's it's I'll just reiterate what I said at the end. I mean, I really think that the challenge here is There are two challenges one is implementing the stuff that we all it's just obvious how much we agree Which I think is quite surprising given the different perspectives that we have on these issues Um, you know going from a white paper I was joking with a friend that this is such an important issue. So what we did was we wrote a white paper Um Going from that white paper to actually implementing it is actually going to be tricky, right? That's going to require leadership the expenditure of political capital Um, the incentives the states that there is this problem of misalignment of incentives with states that Need to implement for example on incoming an intake process for managing mla requests May not have the incentive to make that process run terribly smoothly, right? It's the states that request mla that are requesting state assistants that really want the us to have an efficient system Aligning those incentives those incentives or recognizing that in the long term We are going as at the united states going to be Needing to request mla as much or more than we currently receive mla requests Um, which I think requires some some leadership and some poor sight is going to be critical to implementing some of this low hanging fruit The second thing I would say is just that beyond implementation I still think there's a great deal of work to be done in thinking through Beyond, you know, all of us said, um Human rights matter, right? But we what we haven't figured out as As a matter of international law as a matter of scholarship We have not figured out what we're supposed to do when it comes to regulating the internet and One set of human rights values conflicts with another or one group's interpretation of what human rights mean Directly conflicts with another group's interpretation of human rights These kinds of these kinds of conflicts of values that manifest themselves in conflicts of laws are deeper problems yet to be resolved that I think merit further attention Okay, um Hmm So I was thinking while you were all talking I mean one of the first things I did when I worked at the state department was I got to deliver Uh, what they call a letter rogatory, which is between courts, but it's similar to this I was really pleased because I'd never seen a document written on parchment before This was about 20 years ago, but I know it's still pending But yeah, exactly Yeah, uh But I learned a couple things when I had to do that and the in some ways Sovereigns are very jealous of their prerogatives and they don't give them up freely And even little countries. I mean, I always I hear this from people. We are the hegemon You should just be able to make countries do what you want. No, it doesn't work that way Right, and so little countries particularly like switzerland. They can be very stubborn You know and They are jealous of their prerogatives. So something that we're asking them to do here is give up Some of their prerogatives and sovereigns don't do that They don't do that unless there's a quid in it for them. So maybe the M lats are a way to balance the the the You know manage the balance between sovereignty where they're very jealous And extra territoriality where they'd like someone else to do something Maybe you could I'll talk for a minute and we'll throw it open to you What's the quid here that will make people want to do this? What's the thing that they're going to get out of it? And and I'm going to take one off the table. Don't say efficiency Right, because sometimes sovereigns like being inefficient Right, what's a good way for me to guard my prerogative? I'll just take 200 years to answer your request. So what is what is the quid here? Ready I can go to another question. Let me just I I'll just give I'll say one more word about what I was What I meant by a vision or long-term thinking on this question You know the the vast majority of their quest that gale makes are to the united states because the vast majority of internet products The biggest customer base is in the united states, right? How How exotic is it that the idea that we might all start to have an app on our phone? That was developed by a company that is not based in the united states or does not store its data in the united states, right? It doesn't seem very far-fetched Many of you probably have a ways on your phone ways now as a google product, but it was an Israeli company originally, right? It seems inevitable that in the next few years there will be a The market will take be taken by storm by some app that wasn't or product that was not developed in the united states And the data for which happens to be beyond the reach of the united states government and the united states government Will have a couple of options, right? One would be to do what they're doing in the microsoft case and say Our laws apply wherever you are which strike a lot of us as Overreach or they might find themselves in the unenviable position of a requester for mutual legal assistance If you think that we are going to need to ask other states for mutual legal assistance It might be helpful for those states to feel like we treat them well when they ask us for mutual legal assistance That seems to me like a really Not so exotic idea that that would be smart for us to have to develop a process that pleases Other people when they request information because it is inevitable that we are going to need to ask them for information How much is this a us problem? I mean, I think your point is a good one and eventually We know there's chinese companies that are trembling on the urge of they want to go global There's a few other places that want to go global. And so we will have a Whether it's korean or chinese We're going to have some sort of foreign app, but how much of this right now? It goes into it. How much of this is just a us problem? The fact that the big internet companies service providers are mainly us Putting aside the telcos How much of this is just us and does that impose special requirements on the us? please When I first started looking at this, I also had exactly the same perspective as andrew that this is an international problem um But ultimately if you if you if you're just looking at normal communications data, so forget Looking at cybercrime where you are looking at where data is flowing in a variety of different ways and could go through a variety of different servers If you're looking at who's communicating with whom when they're doing it where they are and what they're saying Then the vast majority is still In the u.s. So that does mean that there is there is a the balance isn't there at the moment um, I think I think that um To to sort of think about your question I don't I I genuinely don't know the answer to like what is the benefit because you you ruled out efficiency for law enforcement, it is efficiency Okay, well, but efficiency is really important because the the the people that I've found Consistently absent in this or the stakeholder are the victims So there are cases and and probably child sexual exploitation Which is a huge issue in in the uk at the moment and cybercrime are the two cases where the victims are notably absent because we are We are not able to resolve issues as quickly as we can and that's not that's not about the company's not helping us Because the companies do a lot to help us, but just where the internet provides Provides a problem where we don't where we don't investigate cases where we can't get the data Um, so I think that efficiency will make a difference to which cases we investigate which will ultimately Help the victims But I also understand the difficulty of of countries who are trying to balance The need to protect Companies that are in their jurisdiction and making sure that those companies are complying with human rights With requests that are coming in for from foreign governments Because if the u.s. Government was to suddenly say oh actually google It's up to you to decide who you give data to or microsoft who you give data to Then what sort of position or google or microsoft then when you get companies that don't have the same human rights? Records as perhaps, you know european countries in making that Decision so I think the only sort of real benefit is the one that andrew's talking about is sort of looking much longer term For the for the u.s. Government of when the when the internet is more global How can there be a how there can there be a treaty or a Framework that enables them to get data as quickly I think the interesting thing in the in the microsoft arland case and I generally don't know the answer to it but I don't know if where they the crime took place or where the victim and the And the criminal or or the the the person whose data has been requested are Because I think that would make a big difference in terms of how I would understand the case Let me just add to that that it's not just Even if you even if you're only looking at right now Um, there is you know the bulk of the requests are coming to the united states So just in a volumetric basis the united states is the core of the problem But every country is dealing with this. I mean when I spoke to people at un odc and people at interpol They said we field on a daily basis. We field requests from Guatemala They they want to get access to data that happens to be stored in venezuela How the hell do they do that? They have no idea and they want guidance So they're you know, so and un odc and interpol both have their own training documents In addition to the the training that exists that the united states government does that That some that some companies do but there is a There's an m lat problem In every country in the world You might think it's bigger or smaller depending on The markets, but it's a problem that applies I think everywhere So, um One of the things I was thinking about I like the report a lot and one of the recommendations that was in there that I thought was really interesting with the idea of some multilateral approach because that is more efficient and it does Work in other areas Um, but who owns the amlet problem? Is it un odc? Is it interpol? Is it the g7? I mean who does anyone own it because if you're going to get a multilateral agreement someone has to own the problem anyone Yes, no, maybe Microsoft should take this I'm not sure why Microsoft should take it Um, you know look, you know, I think ultimately it's a government to government issue, right? I mean, it's it's you know, how do you get the right people in the administration? Um, you know, which probably reaches You know doj as well as those at state and and you know, perhaps You know, even at the white house level Engaged and interested, you know, certainly this is something that the president has already talked about A january or two ago when he laid out his kind of vision and framework for reforming the government surveillance laws here in the united states, so you know my I think the notion in people's minds is you know, it's it's the administration doj state department working with their counterparts abroad, um, you know in the right You know law enforcement and and regulatory bodies In the other countries, but you're absolutely right, you know at some point somebody's got to say, okay Let's do this and kind of send out the notices for I mean, let's you know if you're talking about logistics here It's you know, who sends out the notice for the first meeting to say this is an important issue Let's kind of bring it to the table and I think you know What one view is that you know, perhaps this is something that the that the u.s. Government should get Uh started and and we hope that since the president has already talked about it, you know, congress is already looking at increasing appropriations for Uh, the department of justice, um to improve and make the m lab process more efficient Um That you know, I don't know of anybody who's who's stood up and said oh no no no let's not do this So then you're I think that's exactly the right question like Let's let's get it started and who who you know who sends out the meeting invite. I guess that's what we're after Yeah, I think if you're if you're looking at who owns the If we put aside the the solutions which um, which andrew has suggested the low hanging fruit, which I think um There are a variety of different people working on if you're looking at who owns the whole problem It's a really difficult one practically because if you look at um, if you give it to the un Then we have consistently the uk and the us government rightly fought against a un control of the internet So, you know, are we going to then suddenly say well actually un you can't control it in this way But you can control this bit and I don't think we're going to do that if you go to um sort of like some natural Partners if you look at something like the five eyes then yes that that might work But you've got then you're not really dealing with some of the more difficult problems So the question is absolutely who do you go and I think it's been it's been discussed in all of these fora and I think my hope um And it was the next Microsoft person that that said this to me is that if you are having several conversations about this Then just like the internet came from several conversations and sort of fed together Then there will build enough body of steam that we will get to some sort of solution, but it'll be much more um It will not be a sort of like a top-down solution that comes about it'll be one that is much more evolutionary And similar to the way that the internet itself was created So on on this question I just to be clear the reason I threw this to frank is because you know as he mentioned brad smith the general council Microsoft has been I think admirably pushing for an ambitious vision for a global agreement And it is true as as you say that it is more likely to get Multilateral or plural out of agreements among a group of like-minded countries like the five eyes It is also true. However, that the five eyes have are in a political situation at the moment where trust in The five eyes views about government access to data is not especially high You know the report because I wanted to focus on things that I thought were tangible in a in a pretty complex Scenario the the report looked first at things that could be implemented Unilaterally and and for the most part and without legal change Um, then I looked to things that would require bilateral legal reform like reforming the existing agreements And then finally, I think the the fruit that's Least ripe and most the highest up on the tree Worth reaching for but it's going to take a while is something like a regional or multilateral or global agreement Sorry, I misunderstood and I thought you were talking about specifically about improving the amlats, which is one thing but certainly You know our general council has talked about an international convention for for quite some time again most recently Last week and that's certainly important and that's one That you know will require you know kind of the government to government the discussions and dialogues and and You know, we hope that kick starts and but to gales point, you know, I think absolutely right I mean that the way that happens is we discuss it here There's some more forms around it some people smarter than I at least kind of really start to think okay What would this thing look like again? You know, we certainly know that it's it's their challenges You know just in getting something like that going I remember when I first started kind of talking to people here About that idea you get kind of the eye roll like oh my gosh, okay How did you play the last time we did one of these things? You know, but but that shouldn't deter us, you know The the internet's a profound thing and you know the idea of kind of crowdsourcing and getting that the right experts Kind of talking about this. It's it's definitely a worthy idea And we shouldn't let the challenges deter us. It's really again something that's definitely surmountable If we put if we put our minds to it So I'm going to ask one more question that I'm going to force you guys to ask questions I don't know how I'll do that, but I'll figure out some way This question's a little harder and there's a benefit to doing this bilaterally And there might be a benefit to doing it on a like-minded basis But if you're talking about a global treaty having Been in some a couple global negotiations on this stuff You're going to run into a couple problems and the problems you're going to run into are How do you prioritize what you want right and in particular if you want a global treaty You're going to have to ask yourself What's the balance between human rights and reform? Where do we draw the The balance here because there are countries globally big countries who probably will be Important players in the global it industry who don't share our views on information technology and on human rights How do you make that balance? What would you think of the u.s? Should think about so i'm not asking you to say Human rights is good and it should always take precedence. You can say that if you want What i'm asking you to say is what is it? We should think about if we approach a negotiation either bilaterally or multilaterally How is it we want to prioritize things? Where are the things we're willing to trade or be flexible? And i'm going to go down the row and that one we'll start with frank sure Well, I might frame up that question Slightly differently. I think at the get-go it may not be a question of getting everyone every country on board It may be a question of getting Like-minded countries on board that have the you know, it's the same or similar view Around the importance of human rights and the role that that Plays here and the need to be respectful and mindful and the need to have that as part of A vital part of the discussion and how this comes about So you might not get everybody at the table, but that may be okay to start out with And then and then you can start to work on the others once once things start to to happen So so that's how I would I would frame that up Thank you Yeah, I would I would agree with that and I think also that um, we probably aren't looking for a one-track system So you might have a system where you absolutely agree and it's quite clear and that doesn't need to go through Mlatt But you might then have a fallback system where something is more difficult more um contentious Um, and that would go through through a mutual legal assistance um Treaty process and then you've also got the option as andrew's pointed out in the last page of his report or something like an independent clearing house Something like the model that I can is has gone to for for its um for resolving its issues Nicole, what do you think about clearing house in these issues? Go ahead, please um I actually I think I agree with with both frank and gale on on this particular point that We could reframe the question of it. I don't think Balance is is necessarily the word I would use that we have to give On the privacy or human rights side necessarily or or that we need to prioritize one thing above the other I do believe that you can have a system that respects both without needing to have A balancing that that removes on one side of the scale or the other and I think one of the ways to do that is with what gale mentioned is You can have different tracks for things that are more Difficult or that are more contentious and start with the things that we can all agree on that we all Agree that are crimes and agree are the types of things that are legitimate For investigation get those into a framework and all of the countries have that is a benefit to everybody To have at least something where they have nothing right now So that'll bring people to the table and then once that starts to work go to the tougher issues Yeah, so I I'm gonna Agree with everything that's been said that so that they're in in many ways I reject the frame of the question. It's not a zero-sum game, right? You don't you don't have to necessarily trade off privacy for reform But I think to embrace the question there is a way in which I am I would love to be wrong about this, but I am Nervous and reluctant to full-throatedly embrace a global first approach to this issue Because my fear is that their incentives are just so Or the interests just are so different That there's a risk that this ends up looking like other debates about internet governance where countries interests and incentives are Just lead them to a very different place and it might not be best to have a big A single conversation that is big and contentious and public Rather than negotiating on a bilateral basis For the you know for the the best system we can get So I have to speak from the perspective of an institution that I don't think we have an institutional position as to whether we Would like to see a big multilateral treaty. I think that it could certainly have benefits I also I want to agree with you Andrew that it's not a zero-sum game And I think part of what we're saying here all of us is that greater efficiency Could benefit human rights in that you know Certain states would not then or perhaps be less tempted to engage in sort of strong arming practices to get what they want So I think that it's not necessarily the case that there's a trade-off between efficiency and human rights I think I My hesitations would come from The general climate that we're in right now I think that states right now are likely to be overwhelmingly advocating for law enforcement interests rather than say individual rights necessarily Especially looking at data retention proposals that are coming out of various states Including the five eyes states. There's a huge state interest in getting as much data as possible and sometimes for legitimate reasons That's more in the national security context than the law enforcement context per se But I I think that we would have reason to be nervous about Negotiating something in this particular moment having said that We could really benefit from a process that has a truly multistakeholder model. So as I mentioned the state Defendants have to rely on those letters of arbitrary which are From what I understand I've never dealt with one but incredibly slow very uncertain You're not guaranteed to get one. You basically have to ask the judge for one and And hope that he or she agrees. Um, but if we had a Consultative process that was truly multistakeholder where law enforcement members are presented where Defendants were represented where the human rights community is represented states all of that Then we might be able to see a process that that struck the balance well So although I don't know how to strike that balance myself and I don't know that cdt does either I think that having a mix of voices is key to getting it right I just would honor the caution that having actually negotiated some of these things Don't pretend you're not going to be able to avoid trade-offs So but that's ways I also agree that I wouldn't take a global approach because You know With that said I have loads of questions, but it would be nice to hear from you out in there in the Audience We have a we have a microphone I'm tony radkowski and I've got some good news bad news I spend most of my time dealing with these kinds of issues outside of the us And indeed found out about andrew because one of the Participants in that dialogue globally Made me aware that he existed in the us and was engaged in this activity So the good news is for the last probably eight years The technical mechanisms for doing this have been underway Uh, in fact, I was the raptor in the international group for coming up with the initial technical report to implement it The general problem is electronic warrants and the subset is mlats In fact, there's an mlats use case in the report the ongoing specification to To implement it uh has been underway for the last year Uh, that is being led by one of gale's counterpart organization affectionately known as n-tack And it has buy-in from Basically law enforcement people Providers around the world And there's a meeting actually in Two weeks if anyone wants to go to the next iteration they occur about every six weeks what's been noticed noticeably acts absent however is What I would call most of the us providers Google doesn't ever show up microsoft doesn't ever show up Not withstanding the fact that i've actually tried to make that happen There isn't been a lot of interest in the us There is an enormous interest worldwide. I've got the indian government Engaged in this activity. They want to basically implement the capabilities indonesia, you know, you can sort of run down the line So that's the bad news is The players in some ways that have an interest certainly in The the initiative that's underway have simply not been participating In the ongoing activities to make this happen at the technical level I'm both the engineer and the lawyer I put my lawyer hat on and I Like jim have dealt with the treaty treaty instruments for years. That's probably that's that may be intractable But certainly that on the technical side the mechanisms for doing this are underway and I think there are options that include the use of clearinghouses and I represent one of those clearinghouses actually and we got running code to do this And then last but not least I would point out And jim will probably appreciate this in many respects. This is not a new problem. There are transnational providers that have been around For a couple decades. They're called global satellite providers They've had to deal with this problem And there are a lot of solutions that have been worked out in those venues that are applicable here too so I guess my plea here is for additional resources for the ongoing activities Any reaction from the group? Sorry after the panel's done, I'd like to get more information just to follow up with you. I'm not quite sure why we're not participating You know, it could be a lot of different reasons. So I won't even speculate but um, but I'd like to find out more and Try to see what we can do I'm rich will helm. I recently retired from Booz Allen Hamilton where I led all of our business with the intelligence agencies and To answer your question. Yes, Ed Snowden did work for me and No, I'm not Gonna go into a whole lot of detail about that today, but prior prior to Joining Booz Allen, I had a lot of experience inside the government as an intelligence officer including Um being the White House's point man on an issue that Was very similar to this one clipper chip which Jim, I know you Aren't very familiar with though Um I'm struck. Uh, I'd like to get a sense of the panel that um, you know in today's Sort of technological world at the point of collection. You don't know whether it's a good dot or a bad dot I mean you you mean generally that's Generally, that's true And that seems to me to present a real dilemma and when I hear um I know no more about what I read in the press. Um that This uh person in france who went off to syria hi at when we did 500 phone calls to the wife of One of the shooters And charlie abdow sort of And I don't know whether they discovered that after the fact or whether they were tracking that or whatever but Is it a sense that uh the ideal solution would be perfect protection of privacy and Allowing law enforcement and intelligence to have access to this sort of thing I agree with everything you're saying is that we should try our best to balance the things But is there a sense that there is going to be in this technological age? Is the balance going to fall in a way that you know That there will be some Uh Giving up on the part of privacy in order to make this whole thing work relative to what certain constituencies would want to have and you know You know as a lifelong intelligence officer, I believe in Privacy, but I you know, I remember what diffie when he was Testifying before congress On privacy and we talked about this ideal solution. He said to the senators He said what makes you think that perfect privacy and Perfect law enforcement are Compatible that you know that these are competing things and that you're going to have to find Some new balance And I don't think we found it yet. I think we're exploring it. I think all the efforts to do it I'd just like to get a sense of some of the panel So we've got a really strong view on this And that's that basically law enforcement comes down to public consent and it's for the public to through their Elective representatives to to look at what actually that means in reality um So what we are trying to do in in the uk is very much encourage an open and balanced debate And so we don't think it's for us to come up with what the solution is but to provide some of the problems that we're facing Um, so I don't know what the I like even within our own agency. We have Cybercrime is one of our responsibilities and obviously encryption plays a big role in preventing cybercrime But at the same time you have use of encryption which stops us accessing The details of some of our other or targets So the three problems that we're facing are encryption I mentioned just the number of different devices the number of different media that you can you can communicate over Then lastly the international issue and we think that those three things have to be part of this debate about How do you get that? privacy and security Coming together and what actually the security in the case of like a charlie Hebdo attack look like and you know How does that look compared to like the need for for privacy? But absolutely that has to be done that has to be a debate and an informed debate that takes place with our elected representatives Sure, so if I understand your your question correctly and you can correct me if i'm wrong, um, but it's it's essentially Are we necessarily going to have to trade away some of our Privacy or privacy rights in order to achieve the level of security that we want in order to basically enjoy our rights But some Right, I so Right, so I think a couple of Points I would make in response to that and these are things that I also raised at a conference in brussels last week it's interesting that Yeah, so the right to privacy. I mean privacy inherently is something that is not absolute But one thing I would point out is that in europe and under the international human rights system Privacy is a much stronger value than perhaps it is here I think the the pride of place that we give to the first amendment is the pride of place that they Tend to give to privacy and that the human rights system also often gives to privacy um, and so I think we need to really be mindful of that and to think about the fact that In many ways these challenges are not new we've dealt with Serious security threats before in the u.s. And in europe I mean starting from a more than a hundred years ago obviously and we've dealt with questions of Surveillance of data collection of getting access to information like this before maybe it didn't look exactly the way it does now courts have Courts have faced these questions in particular I'm thinking of the european court of human rights, which has dealt with cases arising from the irish irish troubles Arising from struggles in in the two germanies way back when arising from the situation in russia All sorts of things and has consistently really come down in favor of individual privacy rights So to the extent that we think this is new or different I would maybe ask us to consider why it is that that we think the balance needs to be struck differently this time and to really be cautious about letting ourselves be pulled in by the sheer horror of some of the things that have happened this month and realize that you know Things of things of that sheer horror have also happened in the past and so are we prepared To make the trade off differently than we have before and I as a final point. I I want to suggest that Privacy is not the only right that we need to Think about this in respect of I mean we all know that Surveillance or law enforcement ability to get at Data or communications or other things can burn the right to free expression as well So especially as americans who hold free expression very dear To the extent that we think we're willing to trade away some of our privacy We have to ask ourselves whether we're willing to trade away our freedom of expression as well And I would really really prod all of us to think about that Let me just say I'm always wary when questions about privacy and national security begin with the description of a terrorist act Um, I just don't think it's a useful way of thinking about these problems But it is a serious it's a serious question and a serious problem if I were based on the conversations I had with people In preparing this report if I were looking at every single instance of whether or not we grant government access to user data In some instances, I would flip the lever to increase access and in some instances I would flip the lever such so as to reduce access Now does that Flipping all of my switches does it net out to granting government more access to user data than the government currently has It's really hard to know because it's hard to know how much data the government actually has. I mean it's just Um, it strikes me that what gale said is absolutely true that user trust Citizen trust is critical to the conversation over How how to strike the right balance between privacy and security? But there's not a lot of trust in the system Currently and that's partly that's partly government's fault. I mean governments that wants to have the conversation about moving You know opening up a conversation about how to strike this balance correctly have shot themselves in the foot by Not inviting that conversation sooner And that's a Really good point. I mean your question goes to kind of some of the the fundamental values of You know, at least our democratic society and where to strike the right balance between, you know, our liberties, but also National security concerns, especially in today's environment and You know, I'll go back to the snowden revelations about Some things that the government was doing and reports coming out and kind of the aftermath of those revelations about You know Tapping right into, you know, the lines of some companies I'm kind of going around due process And it was things like that that I think went beyond the pale for many of our companies As well as the the the public so You know trust is a huge issue and and you know, it's created a You know at a company level a deficit for us not just with the public but You know with with our customers both here and abroad about you kind of what's you know What are you letting law enforcement in and as Nicole said earlier, you know, the perception is oh, you know You're just allowing government unfettered access. So we we need to kind of get Back to You know kind of the the rule of law and establish the right process and procedure and I would You know Are you that that's you know While we're here today talking about the inlet process is kind of one piece of that to to kind of help Restore that trust in order by setting out that the rules of the road and in the case of the inlats where You know, the process might not be as efficient as it could be or as good as it could be You know, how to how do we get that kind of on track? Just as a footnote one of the I thought this earlier in the conversation too is One of the problems we have is that very often people think that the u.s. government acts like their own government And rich knows this very well and many of the major european countries The level of surveillance is overwhelming and the level of oversight legislative oversight Or legal rights is underwhelming And so one of the dilemmas we have here that we haven't talked about Is a reciprocity to some extent I mean I one of the last things I had to negotiate was Of what we used to call awful access to communications And I never found the european country that did not surveil its own stuff now They may not say that in public But one of the things that's troubled me in this debate and I don't pay any attention to the e-state Even the europeans tell me not to pay attention to the european court Because they don't have oversight over security matters and so that goes behind the cloud How do we deal with that I mean it would be nice If there was an internal debate in the u.s. At the start of this known thing Should we tell the rest of the world what we know about their surveillance activities? And that was decided against and I'm kind of regretting it now Sorry, could I just say one thing the european court of human rights does have oversight over surveillance Or sort of national security matters. It's the the EU the court of justice of the EU Technically national security is outside of the scope of what it's supposed to cover I'm not I'm not sure I'd hold europe up as a precedent, but europe has a better record than most places So that's that's one of the dilemmas we're going to wrestle with here. I think and mlets are limited in a way because people want them to be limited And so how do we get through that mlets are inefficient because people want them to be inefficient How do we get through that I would say there's some evidence to support that it's not conclusive Tom goldberg and one of the founders of lineage who make secure IT hardware Just three comments and then a request if I could andrew I would not blame the government for the use of data Any more so than I would facebook for mining it and monetizing it in almost the same way Purposes being different outcomes being the same and in the days of data mashing with palantir and things of that nature Creating mosaics about individuals that are better in clarity than people themselves know about themselves Frank let me just say thank you accountability is probably the single most important element With regard to this because at the end of the day It's the integrity of the data that's being shared. Everybody's important as the method by which it's shared And I think accountability there and building it in to this process It really has to dovetail in this process or the sharing Has marginal value and we actually have some ongoing usuropole interpole friction over That because of the equipment that is being used by our counterparts on the continent Gail, thank you. Thank you. I'll never ever text again while in the uk So i'm in your debt for that. So again, let me just come back to my Can only get it if you're actually committing a criminal offense and I can prove that to a judge I We're not I mean it's one of the sort of like the misconceptions. I think that um The law enforcement has access to absolutely everything. It's not quite That simple nor would I want it to be Having also come out of government and intel type of activities some of my relations I'm never quite sure whether I am a criminal or not, but in any case. Thank you. I will avoid using That for purposes, but the again the request here. There are an awful lot of activities going on transatlantically at least That really you're trying to get at the fundamental question of how to share machine machine correspondence and and interactions I take this gentleman's comment about the satellite industry being very effective in having done that There are some very good lessons learned there. I think the inlet process should dovetail again here Pick up the good lessons learned be careful though that you build in This one last thing this is being my request The speed with which we are marching technologically and I think frank you mentioned that I I'm going to give you credit In any case is eclipsing our ability to manage it So I think you have to build that in and I think there has to be a mechanism In these debates and in any negotiation that attempts to create a framework Where we sanctify certain principles, maybe it is privacy, maybe it's sovereignty, maybe it's individual rights and liberties But it has to be built in and in a much more fundamental way And and this gets to ways in today's paper. It turns out the la police chief wants ways to take down the ability of people to Identify where police are located and that's a debate illustration It's the content as well as it's integrity and you have to begin to be Cognizant of that and build it into your inlet process. Thanks While we're waiting for the microphone to pass around, let me ask a question out of that, which is maybe for our private sector representatives What are company responsibilities when it comes to this kind of data? What would make it easier for companies to deal with? I mean, how when you think about these problems What is it you would want to see the report is good? So but when you think about Microsoft google whoever what is it you feel like you have to do and how do you balance? How do you internally make the decisions on how you balance? competing national laws On privacy on data sharing on law enforcement Well, I don't think again that it's necessarily At least currently a balance where a us company a law abiding us company and we comply with with us law We also one of the reasons we're so supportive of Improving in lad is our clear understanding that there are other countries in any given request or piece of data There can be multiple countries that have a sovereign interest of some form In the request and that that also needs to be considered and part of the process But I think one of the biggest things for us on the company side is the transparency aspect The vast vast majority of our users Including probably almost everyone in this room are law abiding citizens Properly using our products and services to go about their days And we can't forget that when you have, you know, tiny pockets that are misusing The system and you can throw out the parade of horribles and suddenly say we should have a surveillance state That isn't the right way to approach this from our perspective and I think what we want is a situation where You know like gail mentioned before it's really a societal decision Where how to strike the balance between security and privacy and what we want as companies is to make sure that we protect the expectations of our users And that we can be transparent with our users about The data disclosure request that we receive and what's going on so that everybody knows and can have an informed conversation Andrew mentioned sort of the the levers and I think Yes, there are levers involved here But we need to know what those levers are as a society before we can make The the decisions about how we want our laws to be to protect both the security Of our countries as well as our individual privacy interests and to say that we can't know anything that's going on behind the scenes And the companies can't be transparent about these requests is not going to help that conversation I love the google report and I love it even more when countries scream about it. So it's really been a great I don't know did frank and then I don't know if sarah andrew want to try man So I I think we would we would uh concur with with everything that that nicole said I think the way that you know, we've really started to frame this up is You know, let's follow a rule of law and where there is no rule of law. Let's clarify it. Let's you know update eqba You know, let's look at surveillance reform You know, so take those steps so that it's clear To our customers to the public You know, hopefully through a lot of government a lot of public debate and discussion About what the expectations are of companies don't put us in a position of having to figure out When you know different requests come in, you know, whose country's laws are we going to violate today to fulfill this request? You know, I really respect and admire the folks in our company Who are you know, or nicole's role of having to feel the requests coming in? Trust me, none of them would look good in prison orange They just won't and so you know help us, you know, help us government sort sort sort this out Um, my name is talents happen from the embassy of estonia Um, and and I I'm not a lawyer. I'm not a law enforcement officer. So, um, please bear with me But um, I was just wondering and absolutely agreeing with jim on them on the notion that it's very difficult to To get some countries on board in any kind of kind of development on him lads and and The question that I'm wondering is whether Uh, we also have any kind of information how the current omelettes have been implemented Um, especially with countries like, uh, china Russia uh, because uh, at least for our experience in our experience shows that Sometimes bigger bigger neighbors, and I'm not talking about latvia Um tend not to fulfill this This agreements and and special for political reasons. Thanks Let me just say and one of the things one of the reasons we highlighted transparency is because It's not just because it's a value unto itself, right? It's an it's absolutely critical I think with any process if you if you're thinking about it sensibly you need to be able to evaluate it, right? Whether you're a citizen or a corporate manager, you need to be able to evaluate it That requires metrics that requires information And we just don't have enough information I mean I spent months on this report and it was hard to get a sense from some governments how they managed the mla process Um, so one of so one of the reasons for the call for more transparency is just that and I I would just add to Just to link these two pieces that the discussion I'm a big fan of the corporate transparency reports that I think fill an important gap in how much we know about where our data goes But they when it comes to mlats, they have a particular problem, right? So they report us in their us numbers us government requests for information Those include requests for information that actually originated in a different country But came through the us via the mlat process Yeah, so, um It is not always the case, but it is yeah Because I know a couple of companies that A couple of companies have come back come back and said they've specifically and I don't know about google makes it But they've specific specifically loot to try and work out which of the mlat requests Well, they would love to be able to work it out But but into their I mean to their credit they would love to be able to work it out But it does sometimes it arrives in a package that says this came via mlat And sometimes it's just a local law enforcement request and they don't know where it comes from so Um more transparency at every step of this process would be useful to understand for for everyone I think I'm just on how you implement mlats So the a mutual legal assistance treaty is just a framework Usually I know a lot more about uk mlats than obviously any other country But it has a a clause that says if you don't if this goes against anything that your country isn't comfortable with I'm paraphrasing, but then you don't need to to comply with it And the reality is that countries use their own legislation Um, you know the mlats sort of provides the bridge, but you use your own legislation At um the sort of the start and the finish of it. So you think it's it's most clear in the in the us Case because it's a us court order that then gets served on on the companies But certainly when we're looking at it, we use our Crime international cooperation act that then allows us to do the start part of it and the mlat just provides the framework So in itself, it doesn't you know, it doesn't compel The country to do anything it's a bit of paper like any sort of international paper And it's really up to the countries to decide how they then go about interpreting them and implementing them Thank you Thank you I'm Jorge Carrera justice counselor at the spanish embassy This question would be addressed to nicole You mentioned an initiative a white house initiative on on ml a Could you please elaborate a little bit more about it, please? Yeah, you mentioned you mentioned an initiative a white house initiative on ml a Could you please elaborate a little bit more about it, please? so my understanding and and from the the company's perspective and what's been Announced publicly was that this is a priority for the current administration to and a priority they're seeking funding for which is to improve the technologies that are involved in the processing of The mutual legal assistance requests. So right now it's still It's crazy to think that it's still a very paper-driven process, but it but it is Another aspect of that is Training so one of the big problems that we hear when we we hear from other countries and I I think everyone can understand is That the law enforcement out in the field Don't necessarily know all the steps and what they have to go through to get the imlat And it's easy to sort of it's easy to sort of blame the u.s. Government for being slow But I think as gale will tell you there are Multiple steps on the countryside that also slow it down and I think one of the problems is Getting the local law enforcement who are actually the ones that have the request and the incentive to push it through Make sure they know how to do it and how to do it properly so that it can go through all of the systems without being kicked back out For not having the the right information So I think one of the initiatives that the doj is working on now that we support is Actually sending a delegation to these countries to do training to the law enforcement on the ground About how to write an imlat that's going to actually get all the way from start to finish Two last questions and then we're going to wrap it up. We got one in the back and then one in the front Hi, I'm sarah cortez. I'm a researcher from northeastern university in computer science and routing network paths Routing internet packets and path selection algorithms And so i'm interested in the effect of emlats on Certain aspects that we study incorporating in our network path selection algorithms And i'm interested in knowing whether you have any metrics on the size of the issue And I know that google and yahoo and a lot of other people have transparency reports And I know in your report andrew that you noted that you know Many warrants come through to google and yahoo that you don't even know whether they're related to emlats or not And that's part of the problem But i'm just interested in knowing if you have any metrics right now on the number of requests and the backlog at oia I don't have information on on any backlog that might be at oia I know from the the company perspective when we do recognize that a request is emlats and like andrew said we don't always know Oia if a lot of times we'll try to make it clear that it is in fact an emlats request And one of the reasons for that is the companies understand that if it's gotten all the way to us An emlats request that there's been months of work Leading up to that and so we try to prioritize those requests when we do get them so that we are not the backlog And that we are not part of the the problem in terms of the efficiency of the system But i It's like andrew said it's hard to have good metrics because there's no requirement That we are told that it's an emlats and Search warrant that is from an emlats looks exactly the same as a search warrant. That's purely domestic So we we have struggles with being Transparent as we would want to be about the emlats request because we just we don't know what we don't know Not only do we not know how many requests are in the system We don't know how many requests the more important number. I think is how many are in the system For a needlessly long period of time, right? There are requests that came in yesterday That ought to be there and if they could be processed efficiently It doesn't matter if it was five requests or five thousand or five hundred thousand. That's fine It's it's the the question has to be how many are there that could have been processed had we had better training a more an electronic system better intake management That are sitting there and languishing and that's just you know, we don't have I don't think anyone knows the exact number Last question Hey, uh, joe marx from politico. I have two questions for nicole The first is whether does google Agree with the position in the microsoft case that when data is stored Solely abroad it should only be accessed through an mlata then secondly Sort of same question, but specific to the wiki leaks emails that were talked about earlier this week I've been trying for a couple of days now to find out whether that data was stored in us servers And if not whether Mlatt was part of the process to acquire and i'm hoping you can either Answer that now or if you don't know the answer if you can kick the right doors for me I'm glad to see that you saved the easy questions for last And for me if I had known I would have cut it off So I guess there's there's two questions there. I'll I'll take them in order I'm sure that I won't be able to satisfy you fully on on either of them But regarding the the microsoft Ireland case, obviously we're watching it very carefully It's it's a very interesting case From what we've seen it's been briefed very well And we are watching that to see how it turns out One thing to keep in mind just when you're evaluating that type of situation is that different companies have different architectures and infrastructure so what might make sense and Apply to one company in one situation may not apply at all To the way another company is set up in terms of their infrastructure Or in terms of their actual architecture about how and where Data flows or in terms of your terms of service So I think there are a lot of things to unpack there Which is one of the reasons that andre's report didn't actually answer the overriding question of how do we decide Jurisdiction because there are so many different competing models and the companies are so different But we are watching it and and are hopeful that Regardless of how that particular case turns out that the conversation that that case has started amongst the companies And the country is about potential legislation to address the concerns maybe about The reach of us legal process Regarding the wiki leaks case that I mean that's very difficult for me to talk about because we don't talk about on ongoing cases and I you know, I wouldn't tell you if I knew But I also can't tell you the answer to your question because I don't know But also for the security of any user I wouldn't answer that question to anybody to tell you where it is exactly That google is storing your data so that there's a map for somebody to target to try to access it I mean from a security point of view that that is not Something that I think anyone would actually want And something to keep in mind when you're thinking about data location issues But what we've what we have done on the wiki leaks case that you know is now public is Our policy is when we can to give notice to our users about these requests Unfortunately in a lot of these cases we're not allowed to because the legal process comes with gag orders Now in the wiki leaks case We have challenged many of the orders that we've received and fought to be able to give notice And you're seeing the results of that now and You know, I It's a good thing. Maybe it maybe it doesn't seem like that sometimes When when we're in the middle of the swirl But this is what we want right the discussion about it so that everybody knows that it happened and we fought for that so yeah, yes, but So I just want hopefully people can keep that in mind and we're continuing to Fight to unseal more of the related pleadings to hopefully answer Some of these questions and you know, obviously we continue to Argue for surveillance reform of the us laws that are related to all of this So that's about all I can say Can I just say one thing because this we're at a panel about not about microsoft ireland But about mutual legal assistance if you're writing an article about microsoft ireland Mention mutual legal assistance because it just it's it's it's there in the briefing But when you look at news articles about the case it ends up Discussing this question of whose definition of jurisdiction should win should the united states government be able to claim this extraterritoriality Lurking in the shadows is this underlying question of whether or not we do have or should have an efficient and fair system for Sharing information from government to government the united states government tells other governments Hey use mla When the united states government wants information from microsoft that's stored in ireland ireland says hey use mla and the united states government says why would we want to do that Well, that's a good note to close on david. I don't know if you wanted to say anything at the conclusion You should step up to the step up to the plate Uh, no really just to say thanks everyone again You know, I think it's a it's this is a A milestone to get folks in the room for a public discussion about mla reform putting this on the agenda Looking forward to working with everyone here to take it forward And big thanks to uh to the art to our panelists today. Uh, so thank you very much Thank you for coming