Good afternoon. My name is Jonathan Zittrain, and I am so pleased to be talking with Brad Smith of Microsoft today. I want to say hello to everybody in the room munching on a burrito. Hello to everybody in our bizarro world mirror room in 3018, where they are also munching on burritos, and I think watching us with only a nanosecond delay. Not Howard Stern length, but just truly the electron getting there. And to those on the internet also watching our live stream. And for that, I should open with a warning that by now, and given our topic should be rote, you are being watched at all times, anything you say and will be used against you. But we welcome your participation once we get to the question and answer part. We have microphones for those in the room when we hit that part of things. For those not in the room, there is the hashtag trust in tech for Twitter, or whatever other instrumentality you might be using. And I think Shailen Thomas over here, Intrepid Research Associate, is ready to drive on the screen to anything that we might mention, and we're trusting in Shailen to do that right. In fact, I think in honor of Brad's visit, we're going to use Bing instead of... Forget the name of that other search engine. Yeah, that's right. We've been using Bing. So we're going to try that out and see what happens. And we should get right into it. So I should say, back in the earliest days, I was a Texas Instruments computer aficionado, because why not have your computer be the people that made your watch? But later on, I interned in the summer of 1990 at Microsoft, and those were the days Bill Gates was the richest man in the world with $4 billion. It doesn't seem like a lot these days somehow in the fortune rankings. And I guess the order of the day then was Windows 3.1, Office, that sort of thing. And Brad, you were there really from those early days. You started in 1993 at Microsoft. That's right. Is that right? Yes. 
I do remember I was possibly interested, given my enjoyment of computers, but also potentially of law, I said, well, could Microsoft put me through law school and in exchange I'll work for Microsoft? And the answer came back, we have two types of people at Microsoft, developers and support staff. Like, if you've got a code for us, great. If not, we don't want to talk to you. But things have changed since then? Well, first of all, that was clearly our loss. You'd be sitting here and I'd be interviewing you. But certainly things have changed. I've been at the company for 21 years. I've been in this job for a little over 12. And I think what is perhaps one of the really interesting things about the year 2014 is we're just seeing so many issues that really involve the intersection of technology and policy, technology and law, technology and regulation. We're seeing this in the United States. We're seeing this around the world. Lawyers have been playing an important role since, among other things, intellectual property and antitrust issues really exploded in the 1990s. But the range of issues today is just more varied than ever. So really today we're going to talk about the relationship between companies like Microsoft and governments around the world, first and foremost the US government. And I wonder if, along your tenure at Microsoft, was there a moment when it felt like a sea change in the reasons the government was knocking on Microsoft's door? Well, there have been many sea changes over the years. I think there was a sea change after 9-11. That's the first sea change that I think is relevant to this. As I mentioned, I started in this job in 2002. It was July of 2002. There's a lot of things that one cannot talk about because of national security obligations, but there are more things that one can talk about, frankly, because certain documents have become public over the last 18 months. You talk about the Snowden leaks. Yeah, exactly. 
One of the documents we have talked about publicly is an NSA Inspector General report that was published by The Guardian last year. And this recounts a voluntary program that the NSA had pursued after 9-11. It had gone out and basically asked telecommunications and internet companies in effect to provide voluntary bulk action. Is this the so-called PRISM program you're talking about? The cat is so far out of the bag. To the best of my knowledge, PRISM is probably, I don't know for sure, I think PRISM is a name that the NSA used internally for its database. I don't think PRISM was the name for this, but as this... This is actually a really interesting point because as this stuff gets reported in the press, things get changed around. So, got it. And I think Shailen may be daring to look at... He may be able to find a Guardian story in 2013, I believe it was in July or August, that talks about an NSA IG, or Inspector General, report. This is also known as FAA 702. Is that the authority under which this program is done? It may be. The Inspector General report doesn't talk about the legal authority for it. In many ways, what this document says, this is where things can be happening behind me and I won't know it. But what the document says is that the NSA had gone out and asked companies on a voluntary basis, not pursuant to subpoena or court order, to provide access in bulk to communications records, including emails. And there's an appendix to this document when you get to it that talks about companies A through H. And the companies are not listed by name, but one could read through them. And there was one that was pretty clearly us, because it talked about the discussions that had taken place with the company's Department of Legal and Corporate Affairs. And to the best of my knowledge, we were the only company in our industry in 2002 that had a department by that name. LCA. Yeah. 
And basically what the report notes is that the request came to provide access in bulk, the lawyers got involved, and the company turned the government down. And that was an important moment. We all go to so many meetings over our lives that you don't remember most of them. I do remember a meeting in the fall of 2002 with our CEO. There were only three of us in the room. And we talked about what was the principle that was going to guide us. And there were two factors that were important then. They were important to me. They were important to Microsoft, and I believe they remain important today. First, I thought we had to take a long view. It was easy in 2002 to say, wow, the heat of the moment, we have to do things that we wouldn't otherwise do. And so in that conversation with Steve Ballmer, our CEO, I found myself talking about John Adams, about Franklin Roosevelt, about Abraham Lincoln. He was an intern in 91 at Microsoft? 81, yeah. He did shrink to fit on himself. And you just see, yeah. But the real lesson is over time, the pendulum swings, you've got to take the long view. And I think when you take the long view, the principle that it led us to is if we are legally obligated to do something, well, of course, we will comply. But if we are not, we won't. Because what we're dealing with here is the balance between public safety and personal privacy. And certainly in countries that have democratic governments, it just seemed right that the balance between privacy and safety should be struck by the government. And the right way for the government to strike the balance is through its democratic processes through Congress. And our basic message was if the government didn't feel the law went far enough, it shouldn't ask us to go beyond the law. It should go to Congress and ask Congress to change the law. So let me just test out this principle, and it's very clearly enunciated across a range of possibilities. 
I understand that Facebook appears to have a program by which it automatically scans and monitors internal Facebook messaging. And if the AI there determines that somebody is in the process of grooming a child on Facebook for potential abuse, it will then be referred to a human and potentially referred to the police. Would this principle apply differently to that kind of situation? Actually, it's interesting that you go there, Jonathan, because I do think that there is one area across the tech sector where people probably feel more comfortable and even more need to go farther. And that's the area of child pornography. And you can have a robust legal discussion about the extent of one's legal obligation. It's actually quite broad to turn over to the authorities for clear-cut evidence of child pornography. What it really then leads to is one going to look, because when one looks and one finds, you do often tend to trigger these obligations. And even on a global basis, child pornography is an issue that has focused more governments, more private sector NGOs, more tech companies on trying to come together just because, frankly, it's a problem that had almost been eradicated before the internet. The internet brought child pornography unfortunately back to life. Mostly I would say that the work is done consistently with the principle because laws are so far-reaching and the obligations they create on companies to turn over things that they are aware of. And in that meeting you were talking about with Ballmer as you're considering the government's request for voluntary cooperation, the principle you offer is a prudential or values-based one. Were there countervailing legal considerations about worrying that you'd be violating your own privacy policy, for example, if you voluntarily turned stuff over? You definitely could get, I'll just say, stuck in the mud in a variety of legal issues that would cut both ways. 
What are the issues with respect to your privacy policies if you turn things over? What are the issues under different other laws if you don't? But ultimately none of them were then, in my opinion, or really are now necessarily something that operates in such a way as to trump the basic principle. The right place for the balance to be struck is by governments themselves. So in this meeting in 2002, you articulated the principle, turned the government away from the request for voluntary cooperation. Did they return? Well, let me just say this. There have been lots of conversations with governments over the years, not just the U.S. government, but other governments as well. I believe the principle is one that we have and can apply in a very steadfast way. And I find, you know, in the U.C. of Satya Nadella, Satya very much is just what I call a principled leader. He wants to know when we're making tough calls what are the principles that are going to guide us. And we keep coming to this principle. Obviously if we're legally compelled to do something, we need to do it. But if somebody is asking us to go beyond the law because they don't think the law goes far enough, then we say, look, you're in government, you're in a leadership position. Why don't you go change the law? Now I suppose the law is not always utterly clear cut or the administration or law enforcement will represent an authority. They'll issue the subpoena. In private cases, subpoenas can come off a little roll of subpoenas like deli tickets and hand it over. Then there's a question of, well, do we want to push back? Do we want the courts to weigh in? Does the principle help with those kinds of decisions? It generally does. It's like all principles in life. It doesn't answer every question that may arise. Going back to your question, they have sea changes. I'd say there was a sea change after 9-11. That's understandable. 
There was a sea change in the last 18 months after the documents were leaked by Edward Snowden. That created another sea change. People had to go back. We had to go back. Everybody had to go back. We were really comfortable with everything we're doing. How are we going to deal with this? Even to the extent that we felt we'd been making the right decisions, the public's trust on a global basis was changed. It's not the same in every country, but I've found in Germany, across Europe, in Brazil, I've been surprised in talking to large businesses in Japan. All of this is a question and a concern. There are ways, by the way, to measure that. I think maybe David Patrick who wrote a piece that was like, thanks, U.S. government, you've just destroyed Silicon Valley. I don't know. Is that overplayed a little bit? I was there two weeks ago. It hadn't been destroyed. But the basic point, I think, is nonetheless valid. We do certain testing ourselves. We do certain polling around the world on just people's attitudes on technology. We do it among consumers. We do it among people who are in government and academia and the like. And one of the things we ask is trust. And we ask about trust in technology. We ask about trust in different companies' technology. And what we found over the last year that I found most interesting was in Germany, in Brussels, in Brazil, we saw basically a 10 to 15 point decline in trust. And this is specific to American companies or just to technology generally? I think it is technology in general, but it's heavily focused on American companies. Because technology in general, the answer might be like, you'll be back. But American companies, it might mean they have a choice. Yeah, although so many of the leading technologies come from American companies that it's a little hard to tease that apart, although certainly one can. But going back to then your point, what does this mean for law, for lawyers? That kind of thing. 
When we sat down as a company last November and we were looking at what we were going to do, we did one thing that every company in the tech sector has done and I think it's a good and important thing and that's to strengthen encryption. We did another thing that no other company has done. And we said we'd use our legal resources. And specifically we would implement two contractual changes in our enterprise contracts, meaning contracts with businesses, governments, NGOs, Harvard and the like. We said that if the US government came and served a subpoena on us, seeking the email or other records of an enterprise customer, we would resist that, we would go to court, we would argue to a federal judge that that subpoena ought to be served on the customer, not on us. Second, we said that if the data in question were stored exclusively we would go to court and we would challenge the extraterritorial reach of the warrant that was being used, for example, to reach that. And so you want to talk about a sea change, I sort of spent my earlier years defending lawsuits brought by the government and over the last year we have brought three lawsuits against the government. First, seeking to publish more information about the kind of national security letters we were getting, FISA orders. There might be orders that carry with them an obligation not to tell anybody about it. They all had these kinds of obligations and we asserted a First Amendment right and Microsoft and Google really worked very closely. We sued within days of each other which was more coincidence, but once we got going we negotiated with the government together. The second lawsuit was to challenge an FBI subpoena that was issued late last year and the third lawsuit was the lawsuit that we filed in the southern district of New York that's going up to the second circuit that seeks email data that resides in our data center in Ireland. So we should walk through each of these. 
In the case of requests that bear with them insistence that you not tell anybody about it, what's your instinct about the future of that kind of thing? And has Microsoft experimented with such things as warrant canaries to, prior to receiving something, announcing we haven't gotten anything, and then once you get it you simply stop talking and the canary in the coal mine has expired? I don't know that we have thought about it quite that way. There certainly are statements that we've made, that I've made, about certain things we've never received, and the day that I stop saying that, you're right, the canary will be gone. That sounds a lot like a... Frankly that's not what has led us down that path. Anything you want to tell us today? Well sure, it actually relates to that second lawsuit. Challenging an FBI subpoena. I have said repeatedly and I can continue to say today that to this day we have never turned over or been forced to turn over the data of an enterprise customer without first notifying that enterprise customer legal department the opportunity to decide what it wanted to do and going to court and challenging it. The only case that's been public was the one that was brought last November. It was brought in the Western District of Washington and federal court in Seattle, and to date what has been unsealed is the fact that we moved to quash the FBI subpoena and the FBI withdrew the subpoena. There are other aspects of the case that remain under seal. Can you share some of the dynamics in thinking between extending these sorts of commitments to enterprise customers versus what must be a quantum larger commitment to do to run of the mill consumers, but could a consumer check a box and become an enterprise customer or what? Talk about the distinction there. Interestingly, the case that we have data in the data center in Ireland does involve a consumer. 
I think that when you don't move to change your contracts for example until you know that you of course can comply with that contractual obligation so you've got to have the technical capability to decide for example where you're going to store something and then be able to implement that on a global basis. We've made clear that from an enterprise customer perspective we have that in Europe we're very close to having that worldwide basically what it means you need to do for example for let's just say Harvard University's email or let's call it Trinity College in Ireland you basically have to have two data centers in a certain region. One to store the email where it's going to be accessed by the customer and the other to back it up because we want to back up the customer's email as well. There are places to be somewhat geographically apart from each other. If there's an earthquake you don't want the two data centers to be across the street from each other. So for our European customers we operate the data center in Ireland we back it up in Amsterdam and so we can do that for example for enterprise customers in Europe there are many more customers were increasingly able to do it for one doesn't actually So I'm really eager to talk about that but I just wanted to close one open parenthesis back on just the notification of subpoenas and such if I'm a consumer and I say I'd like to be told if my data has been requested I'd like the company that I'm engaging with for cloud storage or something to tell the government they've got to come to me if they want it I'm just curious the dynamics of trying to extend the enterprise promise to the I think it's a really good and interesting question and I think that there may be areas where it can be done and there may be areas where it's much more difficult you can certainly think about it from a geographic standpoint you know can you offer the citizens of one country some assurance that governments in other countries are not going 
to be able to reach their email their text messages their photos and the like at the same time can you ever assure the residents of Massachusetts that they will be beyond the reach of law enforcement in Massachusetts no I mean that's just the law enforcement example what you're telling Harvard in Massachusetts is if law enforcement comes a knock in and Harvard is using SharePoint and a server at Microsoft you're going to try to direct the cops over to Microsoft and I think the distinction is this look everybody who goes to Harvard law school knows that corporations can engage in wrongdoing they can engage in criminal activity even but fundamentally when it comes to public safety when it comes to investigating violent crimes when it comes to investigating potential or actual acts of terrorism you are at the end of the day looking at the acts of individuals so it's not like there's a corporation on a rampage in Worcester we want to look at its email that's right and if you really want to you know keep peeling the layers of the onion you do get these questions about what happens if you quote get you know somebody sign up for an enterprise account that really is a criminal enterprise you know and that's why we've tried to confine it in a clear cut way to a set of contracts that legitimate businesses and NGOs are using great all right consider that parentheses close let's go back to the geographic case in the Ireland example does that mean enterprise customer can basically check a box and say I would like the data that I generate under this contract to be stored in Amsterdam wherever the company is could Harvard ask for an Amsterdam storage what we tend to do I actually don't know if Harvard could you know we basically you know say we're going to look at your nationality and what we do is we say you know if you say you're European I guess Harvard probably could not it has pretensions but it's basically what we allow people to do is choose their own country or their own 
region and you know obviously you've got to have a technical architecture and a data center set of investments that makes this feasible you know we've said in the lost in the court papers in New York that we now have over a hundred data centers in over 40 countries and you know we're moving towards a world where we can basically offer customers soon on a worldwide basis the opportunity the ability to store the data in their own country or region. Amazon's basically doing the same thing by the way so is the nut of the argument you're making in the case involving the data in Ireland maybe less about where the bits actually repose about the entity on whose behalf the bits are stored and the citizenship of that entity the business saying that that entity is far away you shouldn't be able to get to that in these data just because we happen to be an American company. I think there's something to what you're saying and I think these two concepts come together because if this were an exercise and people do sort of criticize our point of view sometimes by saying look you're enabling Americans to evade the law by pretending that they're Irish. What we're really trying to do is let people who live in a certain part of the world who live under the laws of that part of the world have their data and have their rights in effect governed by their own laws and their own government. So that would avoid the convergence that I assume the other side the government side would raise which is listen to Microsoft's argument then any enterprise customer can tick a box say I'm in Iceland and then suddenly it's Icelandic law all day long. You're saying that's not necessarily the case because if the enterprise is Harvard then maybe there wouldn't be as much cause to fight back against an American subpoena to Microsoft for Harvard's data in Iceland. 
I think a way to restate the question that you're getting at is for example when should the United States government be able to reach into another country into a data center built in another country to get the data inside and analogize back to sort of state laws tort laws minimum contacts et cetera you know one could understand a rule that would say that if you have an American citizen or resident that is storing data in another place you know one could imagine a public policy rationale that would enable the US government to serve a warrant and get that approved by a magistrate in the United States to reach that that stands in sharp contrast to the current position that the Department of Justice is taking in our lawsuit they're basically saying look if the data center was built or is operated by an American company they can reach anything inside and you know I just think that that really goes to the heart of sovereignty you know it basically means that whenever an American company builds a building in another country that suddenly that building is subject to the sovereign reach of the United States government and you know the UK government has followed this path the parliament amended its law in July to say that whenever a company that does business in the United Kingdom has data in another country the British government can issue a warrant and these things look one way I find when I'm talking to people in London or Washington DC and they're saying of course we want to reach other places and trust us we'll only do it when we really need it but Alibaba's going to build a data center in the United States isn't it everybody knows a year from now if somebody wants to buy eBay it might be possible to buy it if somebody wants to buy PayPal it might be possible to buy it there are technology companies around the world how will people in Washington DC feel if the Chinese government, the Russian government the Iranian government the North Korean government or pick the 
government of your choice decides simply to follow the principle that has been advocated by the US government suddenly the rights of Americans are no longer being protected by their own law they're subject to a whole bunch of other laws you can imagine the first thing if that were to come about Congress would probably happily do they'd break the gridlock for 10 minutes to do that which would be to say oh by the way if the Chinese government comes knocking you are not permitted to give data that is under US jurisdiction does that then put the company into a bind where you have two sovereigns with opposite requirements and you don't know what to do? I do think that this is where one creates a real risk of fostering chaos on the internet and you end up with these potential conflicts of laws conflicts between governments in the first instance technology companies will be put in the middle of an irreconcilable tension between two different governments but I think that frankly more important than what it means for technology companies is what it means for people are people going to continue to be able to have the confidence that their rights are going to be protected by their own constitution and by their own laws or is it going to be something that can be overridden by other governments and their laws well this starts to get at the reasons why the enterprise space must be so much easier to figure some of this stuff out in if you have a user using Outlook Live or something in order to figure out how to respond to a subpoena from a country about that person's email do you need to know where that person is where the person may not have specified the person may not have any identity offered up to Microsoft there and then does it somehow matter where again the data is stored where the email happens to be parked in this data center and therefore I think what you're taking us back to is sort of what are the factors that should be used to decide how far a government's 
jurisdiction can reach and you're basically pointing to two factors that are sort of well known nationality and location neither of which Hotpants15 at live.com has offered up no and both of which may be the data will be stored somewhere and the nationality may be discernible one way or another including oftentimes by people who come from a law enforcement agency it's not like the email address they come looking at necessarily comes out of the blue they may know exactly who that person is we have reason to think this person is located in the United States therefore cough it up versus we think this person is in Ireland please cough it up correct and if you look at the factual record in our case in New York which is now because it's up on appeal basically complete the US government has never once offered a point of view on where this individual resides or this person's nationality which I think one could reasonably infer probably means the person's not American and doesn't reside in the United States because those would be two very helpful facts for the US government's case seeking to apply jurisdiction and if the Irish then want with their process to get information about Hotpants15 and they is the idea is that they offer up evidence that the person I guess isn't Irish is in Ireland is physically in Ireland the data is in Ireland whether the person it goes back to one of those two factors location but that again that makes me wonder will we see in the future when I sign up for a free email account where would you like your data stored and you just check the box that says Ghana which is why I think one needs to think about two things one is is one comfortable with a government applying its own extra-territorial unilateral reach to get data of its own citizens I would recognize that there's a public policy rationale that tends to go in that direction this is something that's being discussed now by civil rights civil liberties groups in DC and others Senators Hatch and 
Coons and Heller have introduced legislation in the Senate that would largely affirm the approach we're taking in our lawsuit but give the US government the ability to reach unilaterally through a warrant for data of American citizens or residents. So that's one piece of this, but it also goes to something else that I just think is of paramount importance. What we need is a new generation of international agreements between governments. Something to replace the letters right now that Brazil has been asked to prepare at great expense if it wants to look up something in the company. What one quickly finds when one gets into this realm of the discussion is that it leads one to these arcane terms: letters rogatory, you know, MLATs, the mutual legal assistance treaties that mostly had their origins in the 1800s. And they at one level serve a very valuable purpose. It's one of the reasons we've relied on them and insisted that governments use them at times, because basically a law enforcement agency, to take advantage of it with the US, has to take it to the US Embassy, and the Justice Department looks at it and then decides whether it's going to get served on an American in the United States. And it's a good filter, frankly, to protect human rights issues among other things. But the criticism of it is it's slow, and I think one needs to have a certain sympathy with the fact that we live in a world where law enforcement needs to move faster as well. And what we need is, if not a new generation of MLATs, I think what we may need is simply a new legal tool that does not exist today. And just think about the experiences that we've all had basically over the last 13 years. There was a time after 9-11 when it took a long time to go through an airport security check, and they managed to invent something called pre-check. Look at what is being done when you come into the United States even now with global entry. If we can figure out how to enable people to come across the border in a way that is 
both faster but ensures proper legal safeguards, can't we find a way to do this between governments when they are seeking information that is necessary? It's just so interesting that as you say, the law may differ between Palo Alto and Paris quite a lot, and I know you've spoken on the desire that companies shouldn't be above the law, they need to exist within the law of the countries they choose to operate in, and that's surely been illustrated in the conversation we've been having. It is just interesting that that provides both some layer of protection that as an American citizen might prevent other countries from demanding information Microsoft has about me very easily, and perhaps as an Irish citizen or non-American citizen prevents the American government from getting data particularly easily, although we should explore that more. It does though mean that more and more it might matter who is the person on whom the data is sought and what country are they in, which is not something typically offered, at least in the consumer space, right? 
You're right, and I think it points to how this whole issue is evolving. And certainly we've been trying to take steps to, what I'll call, stand up for people's rights, move quickly, but at the same time move thoughtfully, which means address first something that can be done, and then you move from that to the next issue. And then what one finds is people conjure up all the problems: MLATs won't work well, we won't know who people are, blah blah blah. At the end of the day, I think it goes back to one of the simplest things in life: all problems are insurmountable if you don't try to solve them. And no one's trying to solve the MLAT problem. The White House is not yet doing what I believe it needs to do to lead the government rather than delegate everything to the Department of Justice. We need a White House that will lead the government's efforts to solve this problem across borders. And the fact that certain things today are well known, there are well-established habits, they may even work well and easily for law enforcement, doesn't mean that the alternative needs to be hard. It just means that one needs to focus on it. And what we need to do, from Palo Alto to DC to, frankly, Paris and Brussels, is get people to talk together about how to solve some of these problems. Or two other areas before we open it up. The first is probably best represented by Apple's heralded and made-big-news feature, got Jim Comey, director of the FBI, upset feature, where your four-digit code protecting your iPhone will encrypt the data, so that if it gets into the hands of law enforcement, it's much harder for them to simply slurp the data out. I'm curious your view on those sorts of solutions that offer promises, whether to enterprise or consumer customers, not about legal defenses that might be mounted but about innately working the technology, so even if the warrant is served and the intermediary, in this case Microsoft, turns over the data, good luck, the data is encrypted. I'm curious how much you're thinking about
those sorts of solutions and what any company should be thinking about as it implements them. Well, I think everybody in the tech sector is thinking about this a lot. And you can see the logical sequence. It starts with stronger encryption. You focus on encryption for data at rest and for data in transit. Then the next step in that discussion is who has the keys to decrypt the content. And what Apple said for the new iPhone, or frankly what we've had for Windows BitLocker, is that we don't need the keys; you can have the keys. And now, of course, today the thing that the iPhone and the BitLocker encryption have in common is it's device-side encryption that works as long as the content's not backed up in the cloud. So if you're using an iPhone but you're backing things up in iCloud, it still exists in a form that Apple can access it and be forced to access it pursuant to, say... And that might be because there's services that the company wants to offer around it, because if there weren't, but really just to back up, the whole point would be it could be a copy of the encrypted phone and you'd be done. Or what I think it really does is it points to what's the next step that one will take if one's a technology company trying to give people the ability to protect their content from these kinds of legal warrants or subpoenas. Well, you then have to figure out how to decrypt data in the data center, in the cloud, in a way where you don't have the keys, to run a search on an encrypted corpus and have the results go back to the user but again not be helpful to the company, or the individual might be able to decrypt their own data because they have the key. What it really causes one to ask and think hard about is another element of this that I think has been underappreciated in the public discussion. It's what's known as the fallacy of the last move. Lots of things in life make sense if you get to be the one to make the last move. And the reason it's a fallacy, of course, is because the sun rises tomorrow
every day, so somebody else is always taking the next move. So you can put all of this in this context. So what are the second-order effects that come from the companies doing all the encryption? It's where Jim Comey was pointing, you know, basically pass a law so they can't. I mean, we've had a law. Let me say, before we had a law, the telephone system in the United States worked so there were party lines; anybody could listen to anybody. Once that ceased to exist, then the government needed to go get a wiretap order. And in order to effectuate a wiretap order, the government passed a law that said that if you were in the telephone business, you had to have the technical means to implement a wiretap order. It's a law that, as I'm sure many of you are aware, is called CALEA, the Communications Assistance for Law Enforcement Act. Basically, for a number of years the FBI has been concerned that they were going to go dark. The concern is that as communications moves from traditional telephony to digital content, that there isn't a form of CALEA that reaches this next generation of content. And what's your view on that argument? Well, I think you'll see the tech sector resist that. But I'll also tell you, look, the tech sector resisted amendments. We argued against amendments in the British Parliament this July, and the British Parliament strengthened law enforcement's capability there after debating the bill for like four days. You know, legislative gridlock does not exist in the British Parliament, at least on those sets of issues. So, you know, I think you have to expect that this tug of war between technology and government never quite ends, unless, and I think this is the unless we have to focus a little bit more on, unless you can build a new, you know, at least consensus in the right quarters on how to strike the balance. If you go back to the principle I articulated at the beginning, that government should through their laws strike the balance, well, that's ultimately where all of this leads. Ultimately, I
think there's only two ways to better protect people's privacy: stronger technology or better laws. And, you know, government officials that are not engaging in the discussion about how to adopt better laws are then complaining when companies adopt stronger technology. It's like, look, we need to have a broader discussion, and it needs to bring everybody to the table so we can figure out how to strike the right balance. I'm anxious to get questions in, so let me just ask the last question, which I'm sure is a real easy and short one. Let's talk about the right to be forgotten. And it kind of follows on naturally, because so far we've just been talking about surveillance and access to people's information. Something like the right to be forgotten is more about shaping the information that they see. Does your sort of thinking around jurisdiction and geographic sovereign systems provide some path on right to be forgotten? I'm curious, first, how Microsoft has been handling it, and second, does it mean that a search performed in Berlin maybe will have rightly different results, because of different government regimes, than a search performed in New York? That's certainly potentially the outcome. I think that the right to be forgotten decision by the European Court of Justice is extraordinarily important, but for frankly more reasons than most people are talking about today. First, of course, it's important because of the substantive rule that is involved, this tension between privacy and free expression. The different cultural values that one encounters within different parts of the European Union are heartfelt by the people involved. I certainly appreciate that when I talk to people there. And yes, we are processing requests where we have a legal obligation to comply. Unfortunately, there's just not as many people in Europe that know about Bing. The reality is, in the United States Google has about 70% share; in Europe it has about 95% share. So that just recasts that aspect. But there's two other aspects
of this decision that I think will be more important from a longer-term perspective. The decision itself had two pieces. One was about whether there was this right to be forgotten under European data protection laws enacted in Spain. Frankly, the bigger issue really in the case was whether Google's search services were subject to Spanish law. Google argued in the case that they were not subject to Spanish law because they did all of the data processing, and they processed all the search results, outside of Europe. And even though we often process Bing results in a similar way, frankly we never took the position that we were immune from European data protection law. I didn't think it had legs legally. Frankly, I thought it was going to create bad facts that would create bad law. It didn't just seem like the right way if the European government's in a constructive manner. But what happened is the European Court of Justice said that because Google has an establishment in Spain that markets its service in Spain, the fact that it processes the search results outside of Spain or outside of Europe is not enough to keep it outside of the application of European law. And anybody who knows how long-arm statutes evolved in the United States in the 1900s, the 1800s, it's frankly a similar trend. But there's another aspect of the case that I just think is really interesting generally. If you look at technology and law over time and how they develop, you will find a pattern in that courts play a more activist role in periods of time when there was both rapid technological change and legislatures show that they're not able to move very quickly. One, I could point to episodes in the 1800s with Congress and the Supreme Court, for example. And what we're seeing, of course, right now is we're living in a time in the United States where one of the defining trends of our time, polarization of politics, is leading to a gridlocked Congress. And to a lesser but still important extent, one sees some of that in the
European Parliament and the Parliament that just ended over the last five years. There's lots of questions over the next five years: will the European Parliament really be able to move legislation? So what are the two biggest changes of the law in 2014 when it comes to technology? I'd argue they both came from courts, not legislatures. One was the ECJ decision on the right to be forgotten, and there's certainly discussion that you hear in certain quarters, a sense that perhaps the just judges felt they needed to act because Parliament couldn't. The other big decision, it was the Supreme Court's decision in Riley v. California, requiring unanimously that the police get a search warrant to search a file. And what I find so interesting about Riley v. California is two things. One, in a term where there were so many split decisions, that one was unanimous. And second, when you read that decision, I think what one often finds, we've had a couple of cases before the Supreme Court, you have clerks who are so in touch with technology, you have justices who have a huge amount of practical experience and great wisdom, and they may not have as much day-to-day experience with technology. They have phones, they do, and phones have become ubiquitous. And you see how sort of knowledge and wisdom came together, in my opinion, in that decision in a very profound way. But what I think it stands for, if you look at the next two years, we'll see what happens in the elections today, but in an era of gridlock we should probably expect more judicial activism. Got it. Shailen, anything interesting going on to characterize on the Twitter stream, or is it uncharacterizable? Well, lots of quotes. You want to know where hot pants 15 is? We cannot say. I'm glad that wasn't, that didn't make the webcast, actually. I think so. Very good. All right, let's take a couple in-room questions. Just, brevity is good. Hi, Jens Frankenleiter, I'm an LLM student at the law school. I have one question. Last month, you have briefly touched on transparency, last month
Twitter filed suit against the government in federal court, and what they basically want is they want to go beyond the terms of the settlement that you and other companies agree upon in a formal lawsuit. What is your take on that? Do you think you now regret having settled for the terms you got back in January, or do you think this is a Twitter thing, they should go ahead, it makes more sense for them? What is your opinion? I don't regret the terms in which we settle. I understand and we're supportive of what Twitter is doing. I think it's important not just to Twitter, but I'd say it's important to other smaller companies. Just to give you the context, it's this. When we filed our lawsuit last year, frankly one of the principal issues in the negotiation with the Justice Department concerned the range of these numeric buckets. In other words, we said we wanted to disclose the number of FISA orders and national security letters we were getting, and what we ultimately settled on was buckets of a thousand every six months. So we put out our report and we said that in the first half of 2014 the number that we had received had been between 18,000 and 18,999. And I think that if you're a consumer who is using a broad-based, well-established service that comes from Microsoft or Google or Facebook, we felt like that probably gave people enough to know the relative scale. The smaller companies, the start-ups, are saying, look, just telling us to report that we're zero to 999 until suddenly someday we're a thousand doesn't really tell the public very much. So they have believed that they want a different bucket that is sliced more precisely, and I can understand where they're coming from. And I think that's why you see the tech sector united, among other places on Capitol Hill, in advocating for some additional steps that go in that direction.
It's also a struggle, of course, to make it apples to apples. One request might be for a bunch of stuff, while a number of requests might be for a little bit of stuff. So it's, we do try to capture how many user accounts are affected, otherwise you're right. Great. Bruce Schneier. So to me, one of the very hard things here is what you can and can't say, not you in particular, what companies can and can't say. Comparing Stellar Wind, which is the email program that you talked about to start, for the email question of the NSA, and something like PRISM, which is going on today, one case you were forced to comply by law, the other case was a request and you decided not to comply. In both cases you were able to say nothing to the world, to the public. And when we're looking at rebuilding trust in tech, the hard part here is we don't know what you or anybody is saying in public that they are compelled to say. So it could certainly be that there exist these four or five programs, NSA, GCHQ, other countries, that you have to comply with by law and you are compelled by law not to talk about them. And I don't have an answer here. What can we do to rebuild the trust where in fact the law undermines the tech? In the earlier, you said it's either fix the law or fix the tech. You need that because either one can undermine the other, and we're now in a world where the law can undermine the tech. You can come up with this great tech, BitLocker, and you could be compelled by law to make BitLocker bad and then not tell us. And we know that kind of thing has happened, and it certainly could happen. What are your thoughts on how we get beyond this? First of all, I think you raised a really good point. You addressed a really important issue, and I'll say it's both harder and maybe on occasion easier than you described. The good news is there's no law that compels us to say something affirmatively, but there are definitely laws that prohibit us from saying things we would like to say. So the gist of your point is spot on, and
frankly, there's an aspect that's even more difficult than what your thought captured, in that the way these things unfold in the press. I have to say, I've dealt with a lot of legal issues in the public sphere over the course of the last couple of decades, and I've never seen anything like trying to respond to the disclosures of Snowden documents. Because you get a call from a reporter; it says, we have a PowerPoint slide that says such and such. Like, we've never seen the slide. You know, the reporter can't talk to the person who created it. You know, we have to, can we get the slide? We go to the government and then we say we've seen the slide, or maybe we go to the government and say, can you show us the slide? Then we negotiate with the government: we'd like to say A, B and C about this. And the government may say yes, the government may say no, but in all probability it's going to take three days to get an answer, and by then the story's been written and people are on to the next thing. So having an intelligible conversation about this is tough. I do think that there's another principle. If you just try to discern this to certain principles, you capture one that is just fundamental: you cannot restore trust without greater transparency. So then now the question is how. Counting a few to fight for. Yeah, exactly right, which is why, you know, the first lawsuit that we filed was about transparency. You know, it is, frankly, you know, aspects of other issues where some things have been unsealed. We need a vigorous press, let me put it that way. We need a vigorous media that also fights for this and goes and asks for the unsealing of documents. I think this is something where we as a company and we as an industry are going to need to do more, and we're going to need more help from others too. It might ask whether for intelligence-gathering purposes of secrecy should be removed, that if there's a program to do something, maybe that should be known. And yes, it will mean that the people scrutinized by it are
going to have a little bit more of an advantage, just like a criminal has an advantage, or would-be criminal, knowing the intricacies of Supreme Court jurisprudence on the glove compartment versus the trunk versus under the seat. Takeaway hint: trunk, best place to store something. But we don't keep that kind of thing secret. Bruce, let me just, this is why, in my opinion, the reform of the FISA court is so important, and this is an issue that I think we should not allow to get lost in the public discussion. Senator Leahy has embraced this. There is an opportunity for Congress to move forward on this. I just think, if you, even if we just recognize public safety is of course important, but secret courts with secret decisions are not part of the American legal tradition. We shouldn't, we shouldn't accept that as an established part of what our constitutional principles guarantee. I guess at least we have the fact of the court now. Bruce wants like a 10-second riposte, and then, in the interest of a vigorous and aggressive press, David Sanger had a question, I think, from the New York Times. Very quickly, one way you can help with the transparency is to fight to tell us what happened between the NSA and Skype, because we don't know. And you take that back. I'll take that back. Do you want to tell us what happened between the NSA and Skype? We could go another half hour if you want. Not in the last three minutes. David Sanger. Thanks very much, it's been a fascinating conversation. I wanted to take you back to Jonathan's questions about the routinized encryption that we saw with the new operating system for the iPhone 6, we've also seen with BitLocker, and what you seem to suggest we'll eventually see when people figure out how to do in the cloud. So the head of one of the major US intelligence agencies said to me just a few days ago, either we're going to work this out with the technology companies, we're going to find in the next few years we are in an arms race with our own technology companies, where
they're routinizing encryption and the United States government is boosting its efforts, which are already considerable, to break that encryption at incredibly high speed, so that this becomes more a speed bump to them than a real impediment. Is that where you think we are headed? I mean, is there, give us a sense of both the legal race versus the technological race. I think it's a great question, and I would go one step forward. You know, in the tug of war between government and technology, the arms race has already started. It's not a question of whether we are going to have an arms race; the arms race has begun. One saw this last November, when across the tech sector companies said that they were going to strengthen encryption. That was the first theme we saw in 2013. 2014 is, we're seeing a step towards device-side encryption. And as long as the user community around the world wants more encryption, I think one needs to expect that tech companies are going to respond. The real issue is this: now that we have an arms race, will we also have some arms control discussions, or are we just going to have a tug of war? There is no effective broad-based conversation today that is, first of all, even bringing together the different parts of the United States government. The US government is overdue for an interagency effort to look at the interests of the law enforcement, intelligence agencies, bring of course the Justice Department's considerations to the forefront, but also hear from the Commerce Department and from the State Department and others. And I hope that once the midterm elections are over, the White House can turn its attention to putting that kind of exercise in place. And of course, if the executive branch can talk among itself more cohesively, you also create the foundation for a more cohesive conversation with the tech sector. I will say, I was at the White House last December when there were mostly CEOs, but 19 tech executives, meeting with President Obama. I continue to believe that the
person who understands the complexities of this issue as well or better than anyone else in the United States government, at least in the executive branch, is the President of the United States. And the fact that we have a president right now who is a constitutional law professor is a great asset to the country when it comes to addressing this issue. But we do need more focus on this. We need to come together, because in the absence of any real discussion, we're just going to have an arms race in perpetuity, and I'm not at all convinced that that is going to serve anybody in the best possible way. It's interesting that if it is an arms race, it may be less an arms race on the cutting edge, you know, we'll go from 256-bit to 512-bit encryption or something, and more an arms race about the average in the middle. As my friend Larry Lessig likes to say, small fences can keep in large mammals. And the kind of default configuration when I walk up and establish an email account or sign up on a social network may govern freedom a lot more than when I'm really feeling paranoid and wanting to lock everything down. It also, of course, calls to mind the idea, how much of this arms race will be software versus hardware. I think the minute it's hardware, it may be, now you've got a place to regulate, because that's a physical object that's going to be shaped and can be moved. If it's all software, it's the kind of old 1990 Microsoft operating system that says anybody can write anything and you're entitled to double-click on it. That calls to mind a form of both innovation and chaos that we see maybe less and less these days. Anyway, we're at time. Right now, please join me, Harvard Law School, the Journal on Law and Technology, and the Berkman Center in thanking Brad Smith for spending the past hour. Thank you.