Hi everyone. So we're going to get started. We have a lot of great speakers today and I want to make sure we have enough time for them to share their wisdom and also for you to ask questions. So there is going to be Q&A at the end of the fireside chat as well as at the end of our panel that follows. So if you have questions, hold on and we will pass around a mic so you can ask. We will not be live streaming today's event. We are having technical difficulties at the Open Technology Institute, but it will be recorded and available on our website later. So hello everyone and welcome to New America. Thank you so much for coming to today's event. I hope that you all got some lunch and you are ready to hear from our guests. My name is Andy and I'm a senior policy analyst at the Open Technology Institute. OTI has been deeply involved in the fight to protect strong encryption as well as the fight to ensure consumer privacy in all technologies. Both of these vibrant debates are taking place on a variety of fronts and we are happy that we are able to bring together experts from the various important stakeholders in this event. Encryption is crucial to protect the privacy and security of everyone who uses the internet, including individuals, companies and governments. It allows us to do things like safely file taxes, conduct internet banking, shop on our favorite sites, exchange sensitive health information and communicate online. Many actors are part of the discussion surrounding encryption and consumer privacy. Today we have experts representing some of those constituencies including regulators like those at the Federal Trade Commission, companies, Congress, consumer protection organizations and technologists who can help shed some light on these debates. I am thrilled to announce, introduce Commissioner Rohit Chopra from the Federal Trade Commission for our opening fireside chat. Commissioner Chopra was sworn in as a Federal Trade Commissioner on May 2, 2018.
He has actively advocated to promote a fair and fully functioning marketplace through vigorous agency enforcement that protects families and honest companies from those who break the law. During his tenure at the FTC, he has pushed for aggressive remedies against law-breaking companies, especially repeat offenders, and has worked to reverse the FTC's reliance on no-money, no-fault settlements. He holds a BA from Harvard University and an MBA from the Wharton School at the University of Pennsylvania. He was also a recipient of the Fulbright Fellowship. Alexandra Levine, our moderator, is joining us to interview Commissioner Chopra as well as moderate the panel that will follow this conversation. Alex is a reporter covering the intersection of technology, government and public policy and she is the author of Politico's popular daily newsletter Morning Tech, which I'm sure most of the people in this room see in their inboxes every morning. Thank you, Alex, and I'll turn this over to you.

Chopra, thank you so much for being here on what is a crazy day and has been a crazy 24 hours. So we have heard a lot about encryption lately from the Justice Department and the Commerce Department, but less so from the FTC. So how does the FTC's work fit into the encryption debate and how do you see your agency's potential role here?

Sure, so you know, I think there's a lot of views on encryption and where I come down on it is I totally get when law enforcers are frustrated that they can't always get the information they want to decode the messages they want when they're doing investigations, but here's how I see it. I see encryption as hand in hand now with national security. If you think about all of the breaches, all of the interceptions of our personal data, increasingly they are coming from foreign state actors, the OPM hack. You know, the Secretary of State told us that Marriott was connected to China.
Many of these are connected to China and others who wish to do our country harm maybe. And so I think it is short-sighted to believe that being able to, you know, have a backdoor into encrypted communications, it's going to make us safer. Here's what I think is going to happen. Criminals and crooks are going to use encrypted communications somewhere, and the rest of us could be left vulnerable. So a backdoor for law enforcement may be a backdoor for those who wish to do us harm. And I see the FTC's role as, in fact, much of the FTC's work is actually pushes to promote encryption. Our latest proposed rule, the Safeguards Rule, talks about encryption. We've done enforcement actions that, when companies are lying about encryption. So I think what you're seeing is a greater awareness that big companies in our country are mining massive amounts of data on us. And people know who wish to do us harm, that they can use that data against us to divide us and cause us harm. And we need to look at encryption as a way to safeguard against some of those risks.

And how would you say that position might have evolved from the former FTC under Obama?

Well, I can't speak for how that FTC thought about things. I think the more we've seen these major breaches, and of course the Equifax breach, many of these breaches I think have been a reminder that this is not a mistake or this is not just a few people seeking maybe to steal someone's identity. This is a concerted effort, I think, by many institutions outside of the borders of our country often, that are trying to do really what Facebook and Google are doing on us, creating detailed dossiers on each of us so that they can manipulate us, or they can cause us harm. And so, you know, I think we are now, it used to be national security versus encryption. Now I just see encryption as hand in hand with us being safe and secure.

So you've said already how the FTC cares a lot about data security and encryption, as you've said, is one way to really strengthen that. I want to talk about the DOJ's approach to this. Is the Trump administration taking the right approach and pointing to encryption as an example of tech malfeasance or a tool to protect bad actors?

Well, again, I understand I have been part of many investigations at several agencies where you get to look at the emails or the text messages and you can really see how criminals and bad actors are colluding. I get that. But again, I just want to underscore this. If those bad actors will migrate to encrypted communication elsewhere, we have now seen in many OECD countries, those countries promoting the use of encryption, in some cases countries are making available means to promote encryption. So I just don't see how we will figure this out where bad actors are just going to stay on these messaging services and other platforms that law enforcement can tap into. We already know that many of these criminals and bad actors are using the dark web, using ways to remain undetected. So to me, I see the balance as the criminals are always going to be able to get their hands on encrypted, you know, ways to use encrypted communications. And then what does that mean for the rest of the public who are using widely available commercial services? Are we then more of a target, again, for foreign actors to do what Google and Facebook are doing to us, which is making us less secure by having boatloads of detailed information on us?

So if the DOJ does get its way on weakening encryption, do you think that would create an environment that makes it harder or that prevents tech companies from doing the things that currently the FTC expects them to do on the data security front?

Well, to be clear, the FTC has not put into place economy-wide data security rules. There has been enforcement actions.
There's been particular rules that affect specific industries, but that's not something the FTC has done, and I think we should really think about doing that because we can't necessarily wait, you know, for someone else to solve that problem for us. So look, I'm not sure what the DOJ's or any particular law enforcement agency's specific proposal is. If they are telling firms, we don't want you to create end-to-end encryption, again, what is the natural response going to be from others who wish to do harm? They will just not use those channels. So again, I don't know if we have a full-fledged proposal, and in fact, if they, we've gone through this debate 20-some years ago. We had the government propose the Clipper chip. We went through all this. We saw from many individuals that there was vulnerabilities on it. We've heard proposals about, you know, third-party custodians of encryption keys. We now see that that might become an even bigger target for hacking. So I'm not actually sure what the specific proposal is other than telling certain firms to slow down on end-to-end.

The Justice Department, what is your feedback on the encryption debate happening on the Hill?

Well, I think it's probably recycling some older arguments and that it may not fully be taking into account how unencrypted communications may actually be a risk to the public. And look, I don't think, I think you're going to see a lot of big tech companies wanting to present themselves as we're trying to protect consumers and the government is not, you know, we need to be very suspicious of these big tech companies' motives too. I am sure they are figuring out ways to monetize this and profit from it in their own way. I have my own concerns about what metadata is being collected, even if the actual message is encrypted, what are they able to find out.
So I don't think this is a bad, I'm sure there are many of them want to promote this image that they're the ones championing consumers when they are not disclosing fully all of the range of data that they are mining about us.

And I want to come back to the tech company piece of this in just a moment. I also wanted to ask though, do you see any court or legislative action on the horizon?

Well, I mean, we've been hearing about legislative action on privacy legislation for a while and I haven't, you know, we're waiting and waiting. So I take, my point of view is I think the regulators, we all need to do everything we can to make sure there is not mass surveillance in our society by big firms. We also need to make sure that data that does need to be transferred is protected. And again, you see regulator after regulator move toward encryption, you know, in health privacy, there's actually a safe harbor that you may not even need to disclose to patients if the intercepted data was encrypted. You see in financial services, there's a big push on all sorts of banking transactions to be fully encrypted. Even in the FTC's own proposed rule, there's a shift toward encryption in our proposed Safeguards Rule. So again, I think in some ways the train has left the station on moving more toward secure communications.

And on the privacy legislation piece of this, if the government were again successful in its demands to have tech companies weaken encryption, how do you think that would affect federal privacy legislation and what sort of precedent do you think it might set for other consumer privacy concerns?

Yeah, I'm not sure. I've thought about it a little bit more in terms of what precedent does it set for other governments around the world who point to the United States and use it as an excuse to potentially engage in deeper surveillance over their own citizens. So we've seen a lot of misuse of that information about what is the US's point of view.
And for me, again, from a national security perspective, a human rights perspective, I think the US actually should be promoting this in all global fora. And again, I just want to hit this over and over again, bad actors will go and find methods to engage in encrypted communication.

Returning to the tech company piece of this, I want to talk about Facebook. So as the FTC is investigating Facebook, I'm curious how you view the company's commitment to privacy. Is Facebook's pledge to implement end-to-end encryption across all of its platforms, do you think that is actually synonymous with protecting data? Because Facebook is doing this in the face of a lot of criticism. Will this actually help Facebook build a reputation as a company that cares a lot about privacy?

Well, I think we have to start and just be honest with ourselves. Facebook clearly does not demonstrate loyalty to any particular country. I don't think we should consider Facebook owing special duties to us, because we've seen they've been willing to violate the law, get caught violating the law, and then repeatedly violate the law afterward with a very clear established order. And the FTC's resolution in that matter, they pay a fine, they'll do some things here and there. I don't think that, everyone I think is converging that it is not clearly going to change the culture of that firm. We just saw another major enforcement action regarding Illinois's biometric law, another $550 million settlement. I'm not sure these monetary fines are going to fix some of the privacy issues with that firm. And look, I look forward to seeing what they come up with. But at the end of the day, I'm not sure that the American public is going to really be able to trust them, given this behavioral advertising business model that they have, that they will always have a thirst for more and more and more data.
And you know, many people suspect that the reason they want to move to end-to-end encryption is because they have their own incentives of perhaps wanting to promote Libra or other sort of digital currency. So we need to scrutinize carefully all of their motives, because I think we have not seen a very good track record in terms of their practices on privacy.

So on balance, would you say the move to end-to-end encrypt on Facebook is better for individual security or worse for individual security?

Well, I would love to, obviously, I think generally, not Facebook in particular, but all messaging and communications that moves to end-to-end encryption, you know, consumers can get value out of it. We can protect ourselves more. Again, I want to know the details about how they plan to monetize that, because depending on what other information they may be able to collect, you know, we can't really have a verdict on that.

With that, I want to open it up to questions. I think there's a mic coming around.

Thanks so much for your clear take on this. And I was wondering, so it seems like one of the fundamental issues is that, going back multiple rounds of this debate, clearly like some people, technical experts make the argument that it's not really possible to create a backdoor for good actors without also leaving it at least sort of cracked open for bad actors. And then people who, people find that hard to believe, you know, like it's, well, you're just sort of appealing to this technical argument. You're just telling me that I just can't do this thing, but it seems like it should be possible. So I was wondering if you know of any attempts to sort of demonstrate more technically that this is not possible to sort of move the conversation forward, because it seems like there's a lot of people who, from my perspective, sort of have their heads in the sand about it and are unwilling to accept this technical reality.

Well, look, I'm open to the idea always that if there are technological solutions to, you know, issues we should evaluate them. I think what you hear from a lot of security researchers is that if there is a proposal on how this would be done, it needs to be vetted by the security research community. And what they find with many of these proposals is that there are significant vulnerabilities. In fact, we saw, you know, Professor Matt Blaze at Georgetown, you know, I think over 20 years ago exposed some of these vulnerabilities with the government's Clipper chip proposal. So again, I think we should be willing to have the debate, but many of the proposals that have been put forward have been soundly demolished as exposing us to greater vulnerability. And again, I think we also heard this proposal some time ago about, you know, third-party custodians of keys. Isn't that just going to make them a larger hacking target? I mean, the more that we concentrate and create new targets, I think that's really where we expose ourselves to risk. So again, I'm totally open to it, but I think it needs to be vetted really by technical experts, technologists, and security researchers who know, who can play with it and see where the problems might be.

Yeah, thanks. Thanks for coming. So one of the things that you hit on was kind of the false choice that's being made between, you know, security and privacy. One of the key goals of the FTC is consumer protection. The chief complaint every year with the bullet is identity theft and stuff like that. With the DOJ going down this road, which seems mutually exclusive to the role of the FTC, how is the FTC engaging with the Department of Justice as they pursue something that seems antithetical to the mission of the FTC?

Well, I'll say this. The FTC does not have a specific policy statement on encryption and encrypted communications. I'm speaking for myself.
I think generally speaking, a lot of the discussion that you hear from the Department of Justice does relate to its authority to, you know, investigate and enforce criminal law. The FTC is not a criminal law enforcement agency, but I think we do have some, at least several of us, do feel that there is increasingly this false choice doesn't reflect today's market realities about why is it that firms or state and non-state actors are seeking to collect this information. I don't know if there's a full appreciation for why is it that foreign actors are seeking to know such detailed information about each and every single one of us. We have theses about, are they doing it to interfere with elections? Are they doing it to divide us? We have all sorts of hypotheses, but again, I think that's something that many criminal law enforcers, you hear it from other jurisdictions too, so I hope that sort of sheds light on really maybe some of the differences. But, you know, if there's going to be a debate again that we recycle from 20 years ago, you know, all of us should be part of that.

Good afternoon. Day prayer from Emlex. Thanks so much for taking my question. I have a two-parter. I'm wondering if you can comment on some of the rhetoric that's been coming out of the Justice Department for the reasons for a backdoor. It's shifted from terrorism to child exploitation. So can you comment on the substance of the DOJ concerns regarding end-to-end encryption, preventing investigation of child exploitation, and also on this apparent shift of rhetoric invoking child exploitation?

You know, thanks for the question. I can't speak to, you know, the rationale for why it's being done. I think, you know, look, it's important to engage with advocates in the communities that are concerned about child exploitation and, you know, crimes that go online. And I do think it's important. We should be honest with ourselves that maybe some of these investigations are tougher.
But again, the solution of making communications, you know, unencrypted, I don't, again, I don't know if that helps them. And in fact, there's been several studies about what are the impediments to sometimes unearth some of these, where are the challenges in these investigations. And also, they often are outside of actually determining and decoding individual messages. But, you know, I can't speak to the DOJ's thinking on this.

This is a technical question, and I'm not technical. So, pardon me, but I think I had read somewhere that there's a theoretical limit in terms of encryption, based on really big numbers that were originally presumed to be too big for computers to crack. And that presumption is no longer current. Can you comment on that?

Yeah, I mean, my understanding is that the history of encryption is all based in, you know, cryptography. And it would require certain amounts of time or computing power to crack or decode messages. And as you have advances in computing power, it is possible that, you know, some things that were encrypted using an old type of cryptography may be able to. My understanding, and I'm not a mathematician or a cryptologist, my understanding is that while there has been advancements, ultimately encryption will have sort of a time tested ability to move to more bits or longer strings so that it can reach those technical limitations. But I may not be the best person to answer.

Any other questions? Commissioner Chopra, thank you so much.

Thanks so much, Alex.

All right. I want to thank the commissioner again for sharing some great insight into his position on encryption. And I'm very excited to continue talking through some of those threads with our fantastic panel, representing really all sides of the encryption debate. We have from the Hill, Asad Ramzanali. He is legislative director for the office of Congresswoman Anna Eshoo. She is a California Democrat who represents parts of Silicon Valley.
And she has also been outspoken in challenging Attorney General Bill Barr's recent push against warrant-proof encryption. We have Kun Kim. He is senior managing counsel of digital solutions for MasterCard. Katie McInnis, policy counsel for Consumer Reports. And Hannah Quay-de la Vallee, senior technologist at the Center for Democracy and Technology. Thank you all so much for joining today. So one of the things that came up in our chat with Commissioner Chopra is he mentioned, you know, this idea of a recycled debate from decades ago. So we know that debates on encryption are not new. They really date back to the 1990s. And Hannah, I was wondering if you could give us sort of the 10,000 foot view on how that debate took shape in the 90s and how it has evolved into the Trump era conversations that we're having.

And the commissioner spoke about a bunch of this, so I will try not to rehash too much territory. But essentially, you know, it's quite similar to the debate we see today. There were discussions about, you know, as more and more of our lives sort of move into this online space, law enforcement is quite concerned about losing access to evidence that they would need. And so they really pushed both for back doors and for just limitation of the adoption of encryption more generally, right? And that took the form in a lot of cases of export controls and classifying encryption even as munitions was actually something that we saw in that time as well. And there was a push to have either escrow or some sort of form of back door. And so that is what led to the introduction of the Clipper chip, which is another thing that the commissioner mentioned. And what the Clipper chip was, the chip designed by the NSA, that would essentially allow law enforcement to maintain keys and have access to this. And what ultimately happened with that was there was a lot of pushback against it just for civil liberties reasons, for security reasons.
But the sort of death knell of the Clipper chip really came when Matt Blaze just discovered that it would have been quite easily exploitable. And so consequently, it really did undermine the security of the devices that it would have been embedded in. And so what we actually saw was a sort of compromise here in the form of what's called CALEA, the communication, nope, not going to remember what that acronym stands for. It's very embarrassing, but essentially it was a law that ensured that law enforcement would still have some access to the digital communications that were starting to become so predominant. And that required that telecommunications providers, so phone, could still use encryption, but they had to have some form of access for law enforcement. And CALEA has stood, it was amended in 2005 to incorporate email, but explicitly excluded this idea of information services.

And then one other thing I would comment on in terms of the evolution of the debate is for a very long time the debate essentially said, well we want back doors, law enforcement position was largely, we want back doors, but not at the expense of the overall security of the system. And that really gave rise to the security community, academics in the space, cryptographers saying, no can do, like that's simply not possible. And one evolution that I think is interesting is now it's much more a discussion of well what level of security are we willing to sacrifice in order to have this backdoor access, which on its face seems like a good evolution. Now we're starting to talk about a balancing act. And part of the pushback and the concern there is sort of like, well there isn't really a way, like the sort of fundamental aspect of is this technically feasible still exists, right? There's not actually really a way to get 95% crypto or 98% crypto. It's a little bit of an all or nothing situation.
So the rhetoric has evolved in some ways, but the actual sort of underlying technical questions haven't really.

So it has come up a lot in the news recently, as someone mentioned this in their question during the chat. It's come up a lot in the news recently for a couple of different reasons that we keep hearing about. One of them has been the administration pressuring Apple to give federal officials access to locked phones or to help them unscramble encrypted communications, especially after the recent mass shooting in Florida in December. Another thing we've been hearing about a lot is about Facebook standing firm on its plans to end-to-end encrypt its platforms, which the Justice Department has said will hamper its efforts to fight crimes like child sexual abuse. But I want to move sort of outside of those hot button issues that we keep hearing about in the news and look at how society more broadly relies on encryption. Katie, can you talk about how encryption applies to all consumers? How we use it in our day-to-day lives?

Yeah, so most of you use encryption when you do some kind of protected messaging either through your iPhone's message system or Signal, Telegram, WhatsApp. So you're already very much aware of it, but one area where it affects consumers a lot and they don't really think about is with security updates to make sure that not only the security updates are validated and coming from the right sender, but also that your device is also recognizing that they're from the right sender. So that's a huge issue and not only making sure that your device is protected now, but making sure that you're protected against future problems. And another emerging issue with encrypted communications and encrypted services generally is with connected cars.
Our connected car system or whether it's autonomous or partially autonomous is going to deal and depend a lot on encrypted services to make sure that not only kind of what I was just talking about with security updates that those to and from messages are validated, but also that your communications within the car and your data that's stored on the car is encrypted also. But we depend on encrypted services all the time for most of our consumer products, which is one thing that comes up a lot in these right-to-repair conversations. We have a lot of connected products in our homes, they're aging. Some of you guys might have seen the Sonos news story about their legacy Sonos products and how they're ending some services for them and then they later retracted that stance. But whether or not you actually own your product and for how long you own this product and how long it will work is dependent on whether or not those encrypted software updates will continue coming through.

And I want to bring in Conan on this one too. Can you talk about how encryption plays a role in online transactions?

So I want to make sure I unpack and kind of talk a little bit about the scope and the context that I'm talking about when I say digitally. There's of course the traditional sort of e-commerce when you shop online, shop, buy something at Amazon. That's a digital transaction from our perspective. I bought a plane ticket online to come down to DC for this event so that's an e-commerce digital transaction. When I arrived at DCA, I hailed a cab with Lyft even though the experience is completely in person, not face-to-face with the cab driver and he's taking me physically from the airport to the hotel. That's also a digital transaction because they're using a credential that they've stored online within their own environments and using that to conduct the payment experience. Last week I was driving around and kind of hitting the bottom of the barrel in the gas tank and I had forgotten my wallet.
Luckily I was able to download, it was a little bit of a cumbersome experience because it was my first time doing it, but I downloaded the ExxonMobil app. I linked it with Apple Pay. I had my card on there and I was able to authorize the pump and transact and buy gas from my mechanical car digitally.

If you're unfamiliar with payments, in every step of that transaction, there's a lot of entities sort of playing a role in order to facilitate the consumer being able to walk away from the transaction. There's the merchant, there's the issuer that's paying, that's issued your card. The merchant has its own bank, there are terminal providers. The bank will have authentication, fraud monitoring services on the back end systems and of course there's network involved in every step of the way. As payments move digitally, there are even more stakeholders that are kind of involved in the process. There's a digital wallet where you've stored your credential, there are card on file assistance providers, there are checkout facilitators and from our perspective, from MasterCard's perspective, it's kind of our responsibility to ensure that the consumer experience is going to be secure. It's not only convenient and easy, but it's happening in a secure way and every step of the journey, wherever that credential is sort of within the participant systems as well as when it's traveling between the systems that it's happening in an encrypted and in a secure manner.

I think if I could just kind of give a little bit of a one example of how encryption has kind of evolved from in a payments perspective. Everybody used to have the magnetic stripe card and you would just swipe it at the terminal for the insecure. Payments systems evolved that to chip cards to stick a chip in the terminal. That transaction is more, it uses encryption, it's encrypted, it's secure when it's on the card, it's also secure when it's being transmitted for payments in the transaction flow.
We also then used contactless technology so that you can transmit a secure payment, encrypted payment from a card to the terminal in a secure manner and hopefully a better user experience rather than in the card into the slot and waiting for the approval. Then we were able to use things like contactless to work with partners like Google and Apple and enable the amazing consumer experiences paying with your watch, paying with your phone, paying with the wearable, in again the secure manner. Then on top of all of that we have something called tokenization that we use that's also an encrypted technology that's based on an industry standard and we use that technology to store it securely within the digital wallet environment and facilitate a consumer transaction. That sort of evolution of how we've used encryption and contactless sort of hand in hand I think is a way of how security and convenience sort of go hand in hand.

Now that we have set the stage on some of these broader uses I want to get your reactions to something that the president told, I want to get your reactions to something that the president told CNBC just a couple weeks ago, here's what he said: "If you're dealing with drug lords, if you're dealing with terrorists, and if you're dealing with murderers, I don't care, we have to find out what's going on." Where do each of you and your communities or organizations come down on this and how do you view the line between individuals' privacy and digital security on one side and national security and public safety on the other? And I thought we can start with you.

Yeah, so I appreciate in the intro you said my boss has long been an advocate for strong encryption and has fought against the idea of government backdoors. The analysis for her starts with these are questions of security and privacy first and foremost.
I am not a computer scientist, very few people on the Hill are, so that's where we should turn for the expertise, and it does seem like most of that community, as has been said, has articulated that there's not a way to do a backdoor without weakening security for everybody. And so that's the frame within which we should start that analysis of how should we react to a comment like that, or any other that raise the question of encryption and how we view government backdoors. To us, everybody's security of communications and everybody's privacy is a big deal. We should care about that, we should advocate for stronger privacy and stronger cybersecurity. So that tradeoff, as Commissioner Chopra I think articulated really well, that tradeoff is something that we have to continue to monitor, but until we can get to a spot where we realize there's just not a way to do it where, okay, fine, only in this instance will we allow for backdoors, if we can't do that, then it's not a viable solution.

Yeah, so that may be one way of framing the conversation. Another is to talk about local and state governments who lack the sufficient cyber security to protect their own systems from criminals who want to do ransomware attacks or other attacks that not only compromise our own data as citizens or residents of that area or state, but also can disable an entire medical facility or a city governance system for days or weeks at a time. So making sure that states and governments have the sufficient cyber security, first of all, to protect against those kinds of attacks, I think it's really paramount. And to that end there's a IoT cybersecurity bill of 2019, which is about government procurement of connected products and services and making sure that they are secure enough for use by the government. So I think before looking to making our communication systems a little more insecure, we should be making sure that our government's communication services are secure in the first place, and then talk about how best to
go after individuals or bad actors who may be doing these kinds of acts. But one great way of talking about encryption backdoors is comparing it to a locked physical door. If my own door is locked and I forgot my keys, that's easy, I can go get a locksmith and now I have new keys for my door. But encryption backdoors is like creating one key for everyone's door, which we don't even do with our physical doors, much less our connected products, which are much easier to get access to from one from behind my desk which is going to every single person's home or device. So I think that the conversation there is unfortunately wrongly framed, and I also end up on the side of Commissioner Chopra, thinking that they're going to be finding different ways of communicating anyways without our help, and that we shouldn't make our own security systems more insecure.

So I think from a private sector perspective we would like to see this happen, however it nets out, in a way that fosters innovation and competition. The, it's, it's, I think, I think more and more as consumers get better educated about privacy, encryption and how it impacts their personal security, they're looking for this in, in the companies and in the, in the services that they interact with. So it's from a, from a private sector perspective, it's becoming a point of innovation around how you kind of manage privacy and personal information, how you secure it, how you convey that experience to the consumers and, and really build trust with the consumers and earn their trust. At the same time, I also, it, the bad guys, the fraudsters in the payments experiences, but, um, terrorists and whomever, they're, they're like insanely sophisticated. They, whatever, whatever technology, whether there's a back door or not, they find ways to pinpoint the vulnerabilities, find the weakest link and really just, um, just attack it with, with, with incredible precision. So it's important, I think, to allow room for innovation, because companies have to be able to continue to
improve and, and find new ways of encrypting and, and bringing data ethics and, and security into how they deliver their products and solutions to consumers. And if you, if you kind of over rotate on the national security issue, um, and, and create a kind of legacy sort of compatibility and things like that, it would, it would be, uh, I wouldn't want to see that kind of hamper the way that companies move forward and, and keep America, uh, at the innovative forefront, at the forefront of innovation.

Yeah, so I, in addition to agreeing with everything the other panelists have said, I would also say that I think this framing of the debate that we have between, you know, privacy on one hand and national security and physical safety on the other hand is not, it's not the right framing, right? Um, national security certainly relies heavily on encryption, right? I mean, we, we know that, uh, military officers use Signal, right? Uh, they're not building in-house tools for a lot of this, right? So the national security community hasn't been particularly, um, pushing for, for exceptional access mechanisms. And certainly physical safety, you know, is that is something that encryption can hugely impact, right? I mean, people keep themselves safe in the real world also by keeping themselves safe online, right? Communicating safely with people, uh, knowing that if you send your address to your best friend so they can find your house, that's not gonna end up, you're not gonna end up getting doxxed online by whatever the hate group of the day is targeting you. So even just the framing of privacy on one side and safety on the other just isn't, it doesn't hold up. Um, encryption is a critical safety tool for a large number of communities.

And Hannah, I know this already came up, uh, briefly, this idea that weakening encryption in one case might actually, uh, be problematic for, you know, other, other cases as well. Can you talk a little bit more about that from a technical perspective and whether there is a clear viable technical solution?

Yeah, so, um,
but I think what people generally mean when they're talking about that is sort of the same fundamental algorithms underlie a lot of these systems. They're sort of, it's two main classes of encryption we talk about. They're sort of, um, on device encryption, which is, you know, when you lock your iPhone it's encrypted until you enter the password, and then there's a sort of in transit encryption, which is if I send you a text message nobody along the way is going to be able to read it. Um, and the, the algorithms that underlie those are, are pretty universal, right? I mean, your bank is using a very similar in transit algorithm to your, your text messages, right? And, you know, there's a sort of a finite number of these algorithms that we've acknowledged are sufficiently strong, sufficiently secure. Um, and so introducing a vulnerability into one of those systems is going to propagate into all the other systems that are using the same technology. Um, and your question had a second half, if there is a clear viable, right. Um, and I think the answer to that right now is no. Um, and you can, you know, one of the, the questions for the commissioner was, you know, like, is there, is there proof of that? And I think sort of the best proof of that is people have been trying, right? Like, this conversation has been going on for almost 30 years. Um, and, you know, the NSA, which is an incredibly well resourced, both monetarily and, uh, in terms of, you know, bright minds, tried to do this and failed, right? Um, and I, and I think that there's this, this sense that, you know, the academic community, the technological community just isn't trying, right? They just dug their heels in. And that's not actually the reality. The reality is people have really tried and it just, we have yet to come up with a solution that has stood up to technical scrutiny. So, um, currently I think no, right? There just isn't a technical solution that provides us with the security that we would expect.

And we can of course acknowledge that many of these law enforcement
requests are perfectly legitimate and often really time sensitive. So Kona, I was wondering if you could speak briefly about what sorts of processes are in place at a private company, for example, that allow a private entity to aid law enforcement when those legal requests are made.

Try, um, so, so within our company at Mastercard, um, I, even before you get to the, the point of like having to interact with law enforcement, um, we, we're, we're investing, we have invested a lot in making sure that we're able to, number one, identify, um, identify and authenticate legitimate users as well as illegitimate users. Um, and then we invest in AI and other technologies to be able to detect some bad events from happening even before they start to happen, kind of, you know, looking at, um, being able to sift through the data and, and, um, identify, identify some events that might occur before they arise. When we do get a law enforcement request, um, I think that, not to kind of belabor the point, but I think this is another point of innovation that companies have to continue to work on. Um, as, as cyber security becomes a hotter topic and debate nationally, um, we, we've kind of transformed the way that we've, we address, uh, cyber security events. Uh, it's not in a siloed way, it cuts across the organization, the, between the law department, the technology department, the product department, the customer facing, the, uh, the relationship managers, um, privacy data teams, um, and then, and then sort of a framework for open, uh, and, and we, we work on kind of the Hill and, and the other areas from a policy perspective to, um, have ways of having open dialogue and, and transparency with law enforcement so that we're able to share information, share information between companies as well, with our issuers and our merchants, to identify precisely where the, where the weak link in the chain is, um, and identify where the point of, point of vulnerability was.

Um, and I want to actually switch gears now to talk about the Hill. Um, so other parts of the world
already have robust laws, uh, in this area in place, and that has definitely turned the, turned the heat up on Congress to do the same. Can you give us a sense for how the encryption debate is shaking out on the Hill, um, and how you are seeing members of Congress engage on the topic?

Yeah, um, so I think, so first I'll start with kind of the context within which a lot of this policy debate is happening. Uh, there's two parts to it. One, which has been talked about, is this is not a new debate. Uh, some members of Congress have positions that they've held in the past, uh, my boss included. But the other, other trend going on here is there's a broader techlash, there's a broader discussion about the role of technology companies and technology and society and how policy should and should not be reacting to some of the harms that we see. Uh, my, what, one of the top priorities for my boss this year is privacy. Uh, she has a privacy bill with, uh, Representative Lofgren. Um, and we didn't, you know, we didn't try to do the minimum viable, we thought there's kind of a bigger need here. Uh, the reason for that, a lot of the parts of this techlash, privacy is one part of it, um, we think they're pushing towards a world in which technology is less trusted, and that's problematic. Uh, technology can be a good vector for society, uh, tech can do a lot of good, uh, but when people stop to trust it, it becomes problematic. And so that, that's where encryption to us also plays an important role. It is kind of fascinating to see how much tech policy has gone from something people don't really discuss and is kind of a cousin to telecom policy, uh, to front and center, like the, the presidential nominees are talking about tech policy. Uh, so, so it is, that, that evolution is important, and a lot of the problems being discussed as part of that discussion we should pay attention to, we should look for policy solutions, but that doesn't mean that, uh, every single part of it, uh, every single part of the discussion on here's a problem in tech is
one where we should react in the way that the kind of populace is saying. And this debate around encryption of we need government backdoors seems like one of those where you can have emotions riled up and a quick reaction, but we'd rather step back and say what's the right answer here.

And beyond your office and beyond Congress, what other parts of the government have mistaken this, and how are their reactions or their positions on encryption varied?

I mean, I think we've talked about a lot of them. Uh, the DOJ certainly, uh, law enforcement, um, the intelligence community and national security. A lot of former heads of and leadership of the, of the agencies have actually come out and said we're in favor of end-to-end encryption, we don't think a backdoor works here. In fact, last year, I'm forgetting the name of the official, but it was a senior official from ODNI who said government officials should use end-to-end encrypted communications for unclassified communications. That's me texting other colleagues of mine, right? And that they're, they're telling us this is important, yet on the other hand another part of government is saying, is kind of taking a shot at encryption. Beyond that, there's a consumer protection angle, which Commissioner Chopra talked about. NIST plays an important role in the foundation of what, what the protocols look like and how, and the evolution of encryption algorithms themselves. So there's, it's kind of a broad response, but where there's a security or a privacy nexus, I think there's some relationship to encryption.

And you brought up the election briefly, um, and I wanted to get whoever wants to jump in on this one. Um, what do you think is the significance of encryption getting this heightened focus in an election year, and how would you say that this toggle actually you're talking about, this heightened scrutiny of the tech industry, is shaping or fitting into the encryption debate?

I, I, I can start. I, um, so one angle is within the context of a move towards privacy legislation.
I'm hopeful that there is a move towards getting a privacy bill signed into law. Um, in that context encryption does play a role. In our bill we call it specific areas where encryption has important roles to play. We try to incentivize companies using more encryption, not less. So that's kind of one niche part of it, where privacy is probably an important part of the tech policy conversation and encryption's one subset of that. More broadly, I think it will become, I, I think it will continue to rise up as we have instances like the DOJ calling for Facebook to stop encrypting, it's moving towards encryption of messaging services, like the Apple scenario. So I hope it's not turned into like a hot button thing to toss around where every time there's an issue it turns into the proposed solution.

Yeah, I think the conversations we've been having over the past few years about encryption and privacy and security have all been about very flashy topics here at the federal level, but we're seeing the states really act on, um, security in ways that the federal government has not been able to. We saw now all 50 states have data, data breach protection laws, uh, data breach notification laws, which the federal government has failed to do, but, uh, your states in the meantime are working hard on your behalf. And even though that's not necessarily about encryption, that is one part of a data breach response, and so that's great to see. And then you're also seeing, I mean, we're talking about a tech last year which we're thinking about the big four or five tech companies, but I think a lot of people felt really, really, really burned by the Equifax data breach and just feel a lot of fatigue that their, their information has been breached here again and again, again. We're seeing identity theft numbers are causing our economy lots of, uh, lots of money, taking individuals lots of time to protect themselves, and they're also using products on the market that may or may not be helpful at all, um, as we had saw with the
conversations around, uh, credit, credit notification services as part of the response to data breach. So I think that consumers are generally feeling a lot of, um, a lot of anger about how these products are not safe when they're on the market at all. Just the way your proposal shouldn't set your house on fire, the services you shouldn't expose your data to the public either. So I think that even though we're having these very exciting conversations here, I think for the average everyday consumer, they understand that my data got out in the world when it shouldn't have, or someone's looking at my kids in my home because the camera I'm using is insecure, and they don't really care about how that is done, whether it's encryption or some other method.

Another thing that, sorry, another thing that couldn't and Assad have, um, both brought up, uh, is, is trust and transparency. And Hannah, I want to, I want to hear from you about what role you think that trust and transparency play in this from a technical perspective.

Um, yeah, so I think trust is sort of a funny question, right? Like, because we want to be able to use our technical services, Facebook, Mastercard, whatever, but that does involve an incredible amount of trust, which I think is, you know, Katie's talking about, is people are getting fatigued with the fact that like there's really no option, right? Like, trust is usually a thing that you can choose to trust or not, and that's not really the situation we're in. We're sort of like, if you want to live in this world, you're going to cede control to entities that you don't necessarily trust. Um, and so what I'm hopeful is that the debate, the encryption debate, will begin to incorporate some of this idea that encryption is actually a technology that takes trust out of that equation a little bit. Um, so, you know, for instance, the, the whole concept of end-to-end encryption, right, like, is essentially that I don't have to trust that WhatsApp isn't going to do look at my messages, I don't have to trust that they're
gonna do the right thing and not go snooping, I just know that they can't. Um, so I, I think that, um, I'm hopeful that we will start to, to use this language about just like what can we do to lay a foundation so that we're not living in this world where like the power is sort of all in one place, and the people who have to engage with the services aren't in a position to decide they trust or don't, and they aren't in a position to decide I use it or I don't. Um,

Yeah, so I want to go down the line again and ask what is an ideal policy framework for encryption that would balance all these different things, and if there's not one, how do we move in a direction towards one?

So I don't, I don't know the answer to that, uh, to that question, but I will say where we are right now, based on what security experts are telling us, based on what privacy advocates are telling us, it does not seem to me that the higher level talking points of we need exceptional access, we need government backdoors, um, that doesn't seem like a good idea. So it's easy, of course it's easier to criticize rather than suggest that the path forward here, right? But, um, what's being put in front of us, it's easier to kind of say no, that doesn't, we, we should fight against that. And that's kind of where my boss and Senator Wyden wrote to Attorney General Barr in October saying your push to stop Facebook from encrypting, uh, Facebook Messenger and Instagram, that's not good, that's not going to help us, that's not in the public interest. Um, so yeah, it's a, it's an easier answer to say here's what's not a good idea, but I don't know that there is a great solving all problems or a silver bullet, but that's often true in public policy.

Yeah, I likewise don't have a perfect, uh, proposal, um, do in part because my job is to actually think about you and everyone else who are just using products every day, um, and not to figure out how to stop crime. Um, but I do think that, right, anything that makes us all safer as a community should be preserved. Um, and I
also think that, you know, the last, this current administration has a big focus on America first, we're the hub of innovation, we have all these amazing tech companies, that's what makes us special and wonderful. I think that if we do have this kind of, uh, encryption backdoor that's enforced on American companies, we're going to see that consumers go to foreign based companies more often, um, as a response to that. I don't think that's necessarily what, uh, the administration would want, and I also don't think that it's what we as consumers would want, right? Like, I know where Apple's headquarters are, I see them in our congressional hearings. Facebook already doesn't go to hearings in other countries where they've been requested, but they come to ours at least. Um, so I think there's an important balancing act that has to happen here too with our, our tech companies and what we think, uh, US consumers should be looking towards.

Um, I think, I think privacy and encryption obviously go hand in hand. Uh, encryption would, encryption would kind of ask you how do you protect, how are you protecting the information that you've collected of me. Privacy, a privacy framework would kind of ask you, um, do you even need the information that you're collecting from me, what's the purpose of the information that you're collecting from me. Um, and I think we would like to see from a, from a private sector perspective, um, I think there are four things, uh, and a lot of it is addressed in, in congressman issues bill as well. Um, we're looking for, from a, from a private sector perspective, um, a national standard, um, not kind of state by state, uh, it's, or, or even industry by industry, sector by sector, a national standard, um, that kind of lays the, raises the baseline a little bit, raises the sea level for minimum amount of security, how things might be addressed in a principled way so that companies can apply those principles, um, that'll be specific to their individual sectors, and, and develop solutions that are going to be protective
and security solutions that are going to address the specific use cases that they have in mind. Um, another one, I've said this before, is, is just it has to balance, uh, it has to foster innovation and competition. Something that's technology neutral doesn't really, uh, it's, it's not about kind of addressing companies that operate in a specific kind of space or use a certain kind of technology, would have been kind of going back to the national standard, enabling, enabling the private sector to innovate on, on kind of a develop, creating a baseline for, for innovation to happen on top of that. Um, from a privacy perspective, uh, as a, as a company we, we've kind of embraced the GDPR like model where, where we say as a consumer, um, you own your data, you control your data, um, we're going to develop solutions to benefit you and we're going to protect it. Uh, I guess to protect, that last point is where encryption would come in. Um, and I think going back to the trust point from earlier, uh, as companies try, companies that are, I agree with you, people will, people have a hard time kind of, um, there, there is I think a sense that you have to use some of these products and services in order to live in today's world, and maybe they might not trust the entities that they're, they're working with. I think that we're going to continue to see a lot of, a lot more innovation in this space, a lot more thought leadership, um, and, and hopefully, hopefully technology companies will begin to earn that trust back from consumers. The last point I think is interoperability from a, from a framework perspective, um, enabling for both privacy and encryption sides of the debate, uh, um, just, just enabling, enabling, uh, uh, sorry, lost my train of thought, enabling the uses and, and protection of data in an interoperable way so that if something bad does happen, companies will be able to address it regardless of what sector they're in. Um, and then, and then you look at the issue across not just from a US perspective, but how do you work with
companies and, and law enforcement and government agencies and, and others, NGOs, etc., who are not operating in the United States and in Europe or Latin America or elsewhere.

Again, I agree with everything that the panel has said already. Um, another, just from a sort of a policy question of what balance do we want to strike here, I guess is the question we've been asking a lot, and I would really love a little bit more focus on like, if we were to take encryption as sort of like we're not touching it, right, which is like obviously what I would like, please leave it alone, um, what, what would we do then, right? Like, at that point how would we support law enforcement, how would we support other arms of the government in continuing to do all the things that they need to do that fall in their mandate? Um, and, and I think that there's space there, right? I think a lot of companies do really excellent work about, um, making what they can make accessible to law enforcement accessible, right? How are they, what kind of technical assistance are they providing, what does that process look like? I think the more that, um, we can enable law enforcement to access what they have, what they can access, so they have a legal right to access, the better. I think there's also room to, you know, there've been, uh, pushes to, to sort of revive the office of technical support for Congress so that they can have a better concept of what they're working with, what are the, you know, side effects of these policy decisions we're discussing, what are the knock-on effects ten years down the road, sort of like really making sure we are resourcing that kind of support, um, appropriately, so that as the, the tech becomes ever more a part of our lives, our, our congresspeople are, are able to legislate around that effectively and appropriately and in a way that doesn't have unintended consequences. So I would like to see us think more about, beyond encryption, what are the ways that we can support, um, a better framework for our government as far as
technology goes.

And I want to circle back, and then we can go, we can go to some audience questions. I want to circle back on privacy legislation since you've all brought that up. Um, hopefully this is something that, uh, Congress will make headway on this year. If the DOJ, uh, the administration make headway on weakening encryption anytime for privacy legislation were to take effect, um, could be in the distant future, um, how would that affect, like, how, how would that affect privacy legislation, and what sort of precedent, um, would that set for other consumer and privacy issues? And I know, um, Commissioner Chopra touched briefly on this, uh, but would love to get your perspective as well as on.

Um, so in the debate around privacy legislation and what provisions are going to be in, uh, specific bills or what provisions people are going to fight for, encryption hasn't been a huge part of that conversation. Um, it has been kind of subsection c2 roman numeral one of that debate, and that's unfortunate, but that might be an okay outcome for the conversation itself. Um, if the DOJ is able to go forward, I, I think they'd probably need congressional action for the kinds of things they're demanding to happen in a broader societal way, uh, but, but if something like that was to go forward, then I think we've got a new set of policy problems, right? I think it's yes, we need federal privacy, uh, legislation, but we also need to figure out a more sound way of dealing with encryption. I mean, really the policy outcome here should be encouraging more encryption, right? It shouldn't just be stopping, like, the, the hammer on bad uses of backdoor suggestions, uh, but, uh, advancing that is, it's, it's harder to do, but that's where my mind goes.

And if anything, addressing encryption remains really just a small footnote in larger privacy legislation, which you said could be a win in some way. Um, if it remains though a footnote like that, do you foresee any separate legislative action on encryption outside of federal privacy legislation?
Yeah, I mean, there's rumors that there's bills floating around that deal with encryption, um, uh, in ways that I think could be problematic, right, that, that we, we may not, uh, want to support. But, um, I will be watching those closely, and, and certainly, you know, my boss's views on encryption have been long held, and, and I have not heard from her that she's changing her position on that anytime soon, so we would continue to advocate for, uh, spreading more encryption.

Right, and with that I would love to hear if anyone has any questions. Yes, in the back.

Thanks. A quick question. Um, as far as going to trade shows, if any of you do that, have you found that there have been more new encryption software being introduced than prior, or have you covered most of the bases of things that can be done and trying to work in reverse? Because I've heard that encryption software in general can be a big pain, but if you don't know what you're doing.

Try, there's, there's certainly encryption, more and more encryption technologies that are coming out, um, and, and in some ways it's, it's using existing encryption technologies for, you, new use cases, um, transporting things from one industry to another, uh, and in other ways, um, it's, it's, you sort of see, I can't speak to any specifics, but I know that we are seeing some, um, part of the ongoing kind of development and the evolution in the space is companies trying to find new ways of encrypting and, and securing consumer information in a way that's innovative, in a way that, um, maybe looks at things a little bit differently than they have been. Blockchain is, is an area where I think encryption, um, we saw a lot of stuff about blockchain in the news and, and coverage, that media coverage last year, and, and that's an area where encryption is a little bit more, um, it's probably a more at the forefront than it has been in, in other technologies. So companies are, and private sectors and NGOs and policymakers are kind of thinking about encryption and security, um, and how it relates to new, new
technologies and, and, and consumer use cases.

Um, specific one or a new product, but like Firefox, for instance, is now looking to encrypt the traffic to their DNS servers, and so encrypting some of the infrastructure on our internet outside of just HTTPS and encrypting certain web pages I think is a step forward. Uh, those of you who engage on broadband privacy will remember that there was a cybersecurity component of that broadband privacy rule that was rolled back. Um, so what's great is that we're seeing industry try to patch some of those, uh, insecurities in their own systems as a way of making sure that consumers and also all traffic in general, um, are more protected. But on the consumer front, we're seeing more interest in password managers and more engagement on the use of password managers and other tools to make sure that your own accounts are, uh, better protected, but also just encrypting more of your private information. Um, and so that's one thing that we've seen, and I think that the, um, the market for privacy protecting components like password managers is only going to increase, especially if we have a continued techlash or continued distrust with the tech system generally.

And, and the one thing I'll add, so similarly, no, I'm not as up to date on the latest, uh, vendors or specific software tools, but another area where, like I was saying earlier, we're trying to say there's need for more encryption is within telecommunications, uh, especially at the standards level. As 5G, the, the panacea for all of society's problems, um, as that kind of rolls out, um, there is a lot of discussion at the standards level of how encryption works within that. Now, we should also say we need to do more about 4G, 3G and 2G and everywhere else your text messages and phone calls are going, but, uh, it's important that that discussion is happening at the standards level.

Hi, uh, so I know there's been some discussion of encryption as a foreign policy issue and keeping American consumers on American tech platforms. I
was wondering if the panel could speak to situations in which American consumers end up on foreign tech platforms. So two examples just last year, uh, the viral FaceApp, um, the FBI said it's a possible Russian counterintelligence threat, and then you also have an app like TikTok, which is massively popular, and as far as we know, at best the Chinese government has a backdoor, and at worst they have a backdoor and they're maybe censoring what Americans see on that platform. So what can or should be done with regards to encryption in those situations, when they're not even American companies but there's a lot of American consumers on the platform?

We's a lot of this a little bit to say that, you know, I think to some degree there is concern about, you know, you know, restricting American companies technology to, restricting American companies' capability to really build out secure technology, um, has a sort of twofold effect, right? I mean, the first one is this concern that you are going to get driven to platforms in other countries, which probably we're already seeing just because people like that app better, um, which is the case that you're talking about. But the way that I think it affects what you're talking about a little bit more is it does set a bit of a standard, right? Um, so the more I think that we normalize this idea that even in functioning democracies the government should have access to basically whatever it wants, like, that is a concerning norm to raise, and I think very much undercuts, you know, the United States' ability to talk about what it means for a regime like China to have a backdoor into everything, right, to be able to really stand at a place where we can say we think that's repressive, we think that that, uh, you know, it's bad for democracy. Like, I think that as, if we continue down this road of saying like in a, in a democracy that's allowed, then we really lose the ability to argue against it in places where it has much more dire consequences. Um, and so I think that that enables
things like TikTok to sort of not be such a big deal, right? And I think that's very concerning.

And the other thing also is, especially on the same as you gave, but encryption is one part of a broader kind of, we need to be paying more attention to what's going on with tech, especially kids' use of tech. So when I look at that, there's a number of kind of core consumer protection issues that are raised that we need more information, that we need to be studying more closely, privacy among them. So to me there's a number of questions there that we should be paying attention to, and we shouldn't just jump to, like, is encryption the issue? In that particular instance it may well be, but my starting point would be elsewhere, probably.

And I was just making about the use of, well, the fact that we might be setting a norm and putting ourselves in a bad position, because it seems like it's not just related to, you know, more authoritarian regimes that are going down this road. We've seen laws in the UK and Australia and proposals in India, and seeing some conversation coming out of Europe about exceptional access as well. So I'm curious to know what the panel's thoughts are on, you know, when our allies and people that are more aligned with us from a philosophical and political standpoint are going down this road, does that also contribute to that dynamic of establishing a negative norm? And I guess my next question would also be, I think the commissioner touched upon the difference between encryption for content versus metadata, and I'm just curious, in the conversations that you guys are having, is that a distinction that's really making its way into the discussion? Because there seems to be a distinction between law enforcement access to metadata, or encrypted metadata, versus access to encrypted content.

To the first point, like, yeah, I think absolutely, other, sort of, our allies also kind of going down this path I think exacerbates that issue of just, like, this really is
a norm that we're establishing in a way that I think is really harmful. I think the question of metadata versus content, to me, a little bit ties in to, I don't think it's worked its way into the debate so much because it is a little bit of a, like, wonky delineation, because I think that there is a question of, like, what metadata. Like, I think that's another question that I would like to discuss a little bit more publicly about, like, what do we consider metadata and what metadata are we comfortable with being accessible to law enforcement or accessible to, you know, data sharing partners or whatever that may be. But I do think there's a little bit, and Katie may be able to speak more to this, but, like, a general consumer concept of the difference between, like, metadata and content, right? I think that is a line where actually most people have a pretty good intuitive sense of what that delineation means, and so to that sense I think, yeah, that would be a helpful thing to push a little bit more on in the discussion.

I think on the first point, we are seeing nationalism come up in a lot of different countries around the world. It manifests in sort of different ways. Sometimes it's about data, sometimes it's about just literally favoring the local players in the local markets. I think that from my perspective it's short-sighted. The consumers, customers, are everybody's customers, travel globally, they transact globally, we socialize globally, and maybe more importantly the point is the bad guys also work globally. And to kind of keep things siloed up in sort of national single companies or, like, national regimes that aren't able to interoperate with one another really limits everyone's ability to kind of fight against terrorism by identify security threats, whether it's fraud or terrorism or other security threats.

And I'm not sure that if consumers have a good idea of what metadata is outside of
like the Serial context, where they're like, oh, I do know that my phone's pinging off of different towers and that's some sort of data about my location at any point. But I do think that, right, companies are viewing some of these exceptional access requests as different than others, right? Like, if I want to get metadata from someone's Android phone, that's going to probably require a lot of money on Google or whatever company's behalf to get all the information together for law enforcement. So I think the shifting of the burden by who's putting together the evidence also will be, I think, a helpful framing conversation and maybe enable more company pushback on national security or law enforcement requests for exceptional access. But I think consumers more and more are realizing that any kind of data around them, even if it's anonymized or a meta, can say a lot about their personal activities, more information about their activities than perhaps their spouse or children or partner knows. So I think that consumers are catching up much faster than we generally give them credit for, especially when, you know, we can put it easily in context of, like, we saw that your phone was at 14th and K earlier today because he went to work.

So thanks so much for joining us. I know that everyone is in this room because we think this is really current and important, and I'm wondering, as a question for all the panelists, if you might be able to tell us something you find really concerning right now in the encryption debate and maybe something that you find hopeful.

So my concerning concern is the lifetime of all the connected products and services that we've introduced into our lives and attached to our homes and made part of our cars. Things like thermostats in your home used to not be replaced ever, maybe when you sold the home or something like that, and then now it's going to, maybe, you know, maybe Nest will end services for some legacy products in like five
years, and that's going to precipitate a lot of recognition of device support periods. But every connected device you have has an expiration date, you just don't know it. And the security of the content on those devices goes hand in hand with whether or not there's security updates in the future. So that's my concern. But my hope is connected to that too, because we had a few presidential candidates actually speak on this issue, partially thanks to Iowa. Thank you, Iowa. Because farmers are very, very upset that they can't repair their tractors. That was an endlessly repairable item for generations, just like your car, and then now there's, you know, contracts and, you know, companies that limits and whether or not you can repair this item that you bought, you own, and was more expensive than before, and yet now you can't repair it. So I'm excited to see this entering the conversation. We also have, like, 20-plus states who are looking at right to repair laws, so hopefully we can start to change the attitudes and the content around this.

Yeah, so first I'll add that that was the first non-ironic "thank you, Iowa" I've heard in at least 24 hours. The concern I have is the reason this conversation keeps coming up periodically is poorly thought-through ideas, in this case from the DOJ, are put forth, and there's kind of a, and I appreciate the work of New America and Consumer Reports, everybody here, of saying no, we need to convene and talk about this again, that's a useful reaction, but it seems like this is just a repetitive debate over time. So in a way that's frustrating. I'm hopeful that, or what gives me some degree of hope is that there are companies that are pushing forward on their own. Firefox is a good example, of DNS over HTTPS. Facebook rolling out encryption to its messaging apps. I think Commissioner Chopra is right to say we should interrogate the motives and what the implications for their
business models might be, that might have other harms for competition or consumers, but these are in and of themselves good moves that I think are good for consumers.

I think maybe more a point of frustration rather than concern is the conversation often tends to be about, like, specific actors or bad actors, and you focus on a particular company or a particular technology, and it sort of clouds the issue in my mind. I think encryption, a robust sort of cyber security, privacy, encryption framework could do a lot of good to bring, like, social improvement, economic development. It helps the national security, from a national security perspective. But kind of focusing on just specific use cases, we tend to just kind of talk about things that have gone wrong rather than about how we can fix it. I think a point of hope is maybe that companies are taking the initiative, as Asa just mentioned, some companies are taking the initiative to maybe rise above the fray, be more ethical about their data usage, and be more upfront and even transparent to consumers about not just what data they collect and how they use it but how they protect it, so that consumers can make informed choices.

I think, so, a point of concern is maybe a deeper version of the sort of muddling of the debate, of it generally gets talked about in very extreme ways, about, you know, bad actors, and I think also just a, I think that the debate is often happening without all of the context and facts that we would like to have behind it, right? So I think, you know, particularly there's been a lot of frustration with the DOJ, you're not willing to talk about the number of phones that they're actually having trouble with and not willing to expose, like, how do these encrypted communications impact your investigations, right? Which I think just makes it, you know, we're having a discussion with half the information on the table, and that I
don't think that that's a recipe for a really effective, viable solution. So that's something I would really like to see change. I think something I'm hopeful about is that, you know, yeah, I think a lot more people are coming to the table to talk about this, like, and I think we're seeing that in the way that presidential candidates are discussing it, and that, you know, there is a push to move it into different areas of discussion, right? We're talking about, you know, the security of you using the internet generally, the ability to repair your tractor, you know, the ability for marginalized groups to stay safe in the real world. Like, these are all voices that weren't necessarily as present as we would have liked in the debate that are really starting to rise up and engage and talk about how this really is bedrock technology.

As reported by Politico and a couple others, there's a bill on the Hill right now from Senator Graham. Some are calling it, tech room called it, a back door to a back door, and the argument is, rather than having the government saying you may not use encryption or you must create a back door, they're saying if you have encryption and bad stuff happens, you're liable. Are you, is that kind of just the same thing in different phrasing, or are you seeing a fundamental difference between the government saying you must do this or you will be liable if you encrypt and bad stuff happens?

I think it's the same thing. I don't think that's an appreciable difference, and that, you know, CDT has written about the Graham bill and made our feelings on it quite clear. But yeah, I think it's not helpful to say, well, you don't have to follow these rules, we'll just make you criminally liable if you don't. Like, that is, that's legal action.

Hi, thanks. So I think you all have made a lot of really good points with respect to the state of things, which is it's kind of muddy. You have very polarized issues, at least people's views on them. It's also really
confusing for consumers and for companies who want to do the right thing. It's kind of this push-pull. It's like you want to do the right thing and protect people's privacy, but as soon as you do that you get banged on the head by law enforcement. As you said, law enforcement has been kind of beating this horse for many, many, many years. Their motivation might change, whether it's terrorism, whether it's, you know, child protection. But while I really like what you're saying, Hannah, in terms of, like, there's a lot more people having the conversation, but at the same time it still feels really zero-sum still. So how can we create an environment where we can bring entities like DOJ to the table, bring privacy advocates to the table, bring encryption advocates to the table, and actually try and work towards the same goal, maybe not necessarily giving up something that is important to you but being able to actually be constructive in a conversation? Because there's lots of indications that people want to do that but not a whole lot of action to actually show that that's the case.

You guys are asking such good questions. I think that at least sort of my feeling about it is that I think part of it is going to be just raising the issue up the flagpole in enough places that all of the people, all of the parties with different incentives have sufficient incentive to come to the table, and I don't know that that's quite happened yet, because I think, you know, there is still very much a sense that we talk about encryption, as people have mentioned, in the context of terrorism, child exploitation, bad actors doing bad things, and while that is still the primary debate, the loudest discussion we hear, there's just not a good way to have the conversation when you're only looking at this very narrow part of it. So I guess I think an instrumental part of bringing enough people to, like, an actual discussion table as opposed to a sort of, like, media conversation table will be
just putting out more viewpoints, broader viewpoints, viewpoints from different people that make the debate nuanced enough that people are incentivized to actually come to more of a negotiating table. I don't have a great path to how that happens, but that's sort of my long-term kind of sky feelings about it.

The one thing I add to that, I think all of that, I'd focus on especially the problem side of the equation. It feels like sometimes there is a, here's a solution, and how do we motivate out the best possible hook to get at government backdoors. Whatever problem sets there are that we want to grapple with, and all the ones we've talked about are critical, they're extremely important, we should start with what's the problem space, what are the policy solutions, is this the one that makes most sense, rather than jumping to here's a specific idea and then reasoning out to what's, it seems at times what's going on is reasoning out to what's a hook that'll get people to pay attention.

I just have a quick question. How much is the, how much influence is the Facebook oversight committee going to have over Facebook, and what's that, they're rolling that out in a couple weeks?

So you mean the Facebook oversight board that will play a role in their content moderation decisions? Okay. I'm mostly familiar with it as far as the content moderation aspect goes, which I think is a little less impacted by the encryption debate, just because it's largely dealing with public or semi-public content, but I don't know. That's my understanding as well. Okay, yeah. So in that sense it's a slightly different issue, but yeah, they end up dealing with metadata, that will be a very interesting evolution of that discussion.

Hi. I wanted to jump back, as Asad and Katie are here, that, kind of tangentially related to encryption but came up, TikTok, the face apps that are from other governments. I guess my concern is that people don't care. Like, the encryption community cares and the privacy
advocates care and, you know, the national security folks care, but the average consumer would rather have the face app than worry about where is my face going, what database is my face going into. Like, should we be doing something about, is there anything we can be doing about that? Do you have any thoughts on should we make them care, or should we just protect the average consumer from it, or?

So I think that's part of the job of a policymaker, right, is to think about the areas where a consumer decision may not weigh in all of the risks associated. I mean, that is an example of a market failure, right, where a consumer may not be deciding on that variable but it is in fact an important one. A prime example that my boss recently worked on is YouTube channels that advertise specific commercial things to children without disclosing or following all the existing laws and regulations around that. Certainly kids watching these channels are not going to complain that they didn't know that the YouTube star was getting paid off of it, but we do know that that's an important consumer function of just disclosure and knowing where the dollars are moving. So I'd argue that, I think you're right that most people using TikTok are not sitting there thinking about geopolitics and the national security implications, but that's our job.

Yeah, my basic perspective is that the consumer should be protected even if they're going to be reckless in their use of the product. Just like when you drive a car, should have seat belts and airbags just in case you ram into a wall, so should apps be protected against you uploading your face to whatever app you recently downloaded and didn't look at any reviews or the privacy policy or anyone else's articles on it. But I think this is another great reason to go back to a point that I saw made earlier, is that this is an area where we look to parents for a lot of oversight for children and their use of these apps. Obviously TikTok is a
huge, huge children's use product, and I think that that's also a hard thing for us to square going forward, right? Because parents increasingly don't have the time or bandwidth to look at every YouTube video that their kid is watching, and yet that's the way we've structured a lot of the COPPA rules, is that it's based on parents, and the companies are also looking at parents to report instead of using increased oversight on their own behalf. So I'd like to companies that I looked regulators to protect children and consumers first, and then we can look to educating them or informing them about other issues.

I'd like to thank the panel for being here, because this conversation has been kind of kept at the law enforcement and bad foreign government level. I think there has been, you know, the standards bodies have been moving in certain directions because of that over the last 20 years. So that's led to some unintended consequences that are affecting private companies, who have, you know, especially those with custodial duties to customer data, they should be protecting that data, they want to protect that data, but because of the standard bodies moving in particular direction, it makes it harder for companies to have visibility on their own networks at certain moments. I mean, we've been saying for a long time that if you're either a company that has been hacked or you don't know you've been hacked, and so there's, you know, bad actors who are moving around these networks laterally, whether they're going after customer data, whether they're trying to turn off the electrical grid, whatever they're trying to do, they're trying to do it in ways where they can't be caught. And when there's a lack of visibility inside of your network, you have, you know, bad actors are going to exploit that. So, you know, it's not really a question, but, you know, I just have this concern, because it's been kept at this bad
foreign government, law enforcement level, that we're kind of, you know, missing some of the real risks that are going to be outcomes of this if, you know, there isn't a right balance struck here, which we had 20 years ago, but with, like, TLS 1.3, where forward secrecy is imposed on you, you don't have a choice about it, you don't really have the ability to kind of tweak the controls as what's appropriate for the risk within your networking environment.

Hey. So gun rights activists have been arguing for years that you can't ban guns or we can't make access to guns harder because you're only going to negatively affect the, like, good guy gun owner, and bad guys will always find ways to get access to guns. Why is this similar argument with encryption not catching on as much, which is, we've already heard before, you know, bad guys will still know how to encrypt their content, and you're only going to affect negatively the, like, good guy citizen who is trying to protect themselves against the government?

I would say one reason is a little bit of the power of the pulpit, right? You have a huge voice talking about how encryption is preventing them from getting those bad guys, and so I think that that's one method for the framing. I also think that we have the blessing of living in a country that we see as non-authoritarian, and so we haven't been looking to our government as the barrier to our access of necessary human rights or resources, the way you might in another country where you need a VPN to access some of those issues, some of those necessary services, or to connect with the community that's interested in activism within your country. So I think that's one reason. But I think another reason is that those conversations, as we've been talking about, have been going on for 30 years and so therefore a little antiquated. We're talking about encryption as a way of letting or allowing criminals to get away
with conspiring or coming up with a crime, but we're not talking about how encryption is necessary so I know that you, Eric, texted me today and not some other person telling me to come outside right now, right? Like, that's a physical safety issue that we're not talking about, just because that's what one on one issue, and also that's just, people don't see that as encryption because they're not aware of the backend services on their devices.

I think we have time for one more.

Yeah, so this question is mainly for Assad. You were talking about, in the context of consumer privacy legislation, how, you know, encryption could be relevant but it's not really part of the real conversation or the legislation. But when I think about it further, I mean, the kind of, we want to promote strong encryption, that's one of the ways that companies can protect their consumers' data, but what we're really talking about in terms of legislation is, you know, avoiding a mandate for encryption backdoors. So I don't know, were you thinking that there might be a role to affirmatively say you can't have a mandate for encryption backdoors? There have been bills, you know, separate free-standing bills introduced to do that. Or did you have further thoughts on something separate, apart from the politics of whether it would sink the legislation, of what might be an appropriate inclusion in the consumer privacy context on encryption?

Yeah. Where encryption plays a role in our privacy bill, and I won't speak for the myriad others, but in ours we recognize the real limitations that companies might have with encrypted data. So there's kind of a broad agreement that a consumer's right to correct data should be part of privacy legislation. We have that as part of our bill. That becomes hard if the data itself is encrypted in a way that the company can't decrypt, and so we recognize that limitation. In other parts of the bill we do encourage that companies do encrypt in a way that they themselves can't decrypt, and we have other
we've defined as kind of privacy preserving technologies. Encryption is one part of that. We try to incent that by saying, okay, if you're doing that then you have a different standard for notice and consent. So we try to encourage it. We don't get into the question of backdoors and specific, and I don't know that others have. I don't think anyone else is. But that's how we approach it, is encryption is actually linked to privacy in our minds. It's just we haven't seen that in the debate. That's not part of the top-level conversation folks are having about it.

All right, and with that I want to thank you all for coming today, thank our wonderful panelists, and thank you America.