 Good morning everyone. Welcome to New America for today's event. I'm glad you all managed to row your arks in this direction today. We appreciate it. Today's event is Crypto Wars 2.0, although I think you could probably bump that number. You know, maybe we're at 4.5, I don't know. But we're talking today about the European front. I'm Ross Schulman. I'm with the Open Technology Institute here at New America. I'm also co-director of our cybersecurity initiative at New America. At OTI we work on sort of internet policy and tech development, and we're focused on ensuring universal access to internet that's both open and secure, which means we really have a special interest in defending the right to use strong encryption. I'm sure a lot of you are probably familiar with the debate on strong encryption here in the United States. Encrypted smartphones and end-to-end encrypted messaging such as WhatsApp or iMessage: this debate has been raging in the United States for a long time, going back to perhaps even Edward Snowden, but really since Apple introduced the first iPhone with default encrypted storage in 2014, and really brought into the national consciousness during the FBI's legal fight with Apple last year over the San Bernardino shooter's iPhone, which was locked. And sometimes we call this the Crypto War 2.0, or 4.5 if you're like me. It's a repeat of the original crypto wars, which raged here in the US in policy circles in the 1980s and 90s. As recently as March of this year, before he was removed, FBI Director Comey in a number of public speeches once again started beating the drum, pressing for action either, you know, by the government or sort of voluntarily by the companies, to make sure that encrypted data wasn't sort of outside the reach of investigators who were investigating crime.
At the same time, sort of a united front of tech companies, privacy advocates like ourselves, security experts like ourselves, were saying that basically any undermining of encryption, whether it was voluntary or mandatory by law, would basically be dangerous for civil liberties, for privacy, for cybersecurity and also for general commerce. At the same time it would completely not have the effect of keeping encryption out of the hands of bad guys, and if you're curious about that, see our paper "The Crypto Cat Is Out of the Bag" from last year, I think, might be 2015. But less often discussed here in the US is the fact that these same debates are happening in a number of different European countries, as well as around the world, with varying results from country to country. This has prompted us here at OTI to start doing some research about the state of the debate in three of the biggest Western European democracies, the UK, France and Germany, to see what lessons we can learn and what we might be able to apply in terms of rhetoric or tactics here in the United States, and also vice versa, what can we sort of export. That research is coming out in the form of a number of papers over the next month, the first one next week, and in the meantime we wanted to hold an event on the topic to basically bring in additional experts on the European situation, although despite my many furious emails and phone calls we couldn't actually get someone from the EU to fly to DC and sit on this stage for an hour, surprisingly. So no actual Europeans joining us today, but the people we do have on the stage are quite knowledgeable, and so with that said, and to introduce those fine folks, I'm going to turn it over to our moderator, OTI policy analyst Andy Wilson.

Hi everybody, thank you so much for coming on this very wet morning.
We very much appreciate your attention and your interest in this issue, which we see is extremely important and one of the big things that OTI is working to focus on over the next few months. I'd like to introduce our panelists. This is Professor Ashley Deeks, the assistant professor of law at University of Virginia Law School; Kevin Bankston, who is my boss and the director of New America's Open Technology Institute; Bijan Madhani, senior policy counsel at the Computer and Communications Industry Association; and Amie Stepanovich, US policy manager and global policy counsel at Access Now. We're going to ask a lot of questions and have sort of a very flexible dialogue, hoping to give you guys both more information on the broader components of this debate and also nuance into some of the more complicated yet very interesting thorny problems that we're facing in Europe. So Professor Deeks, could we start? You've written an excellent paper for the Hoover Institution that sort of covers broader dynamics of encryption in the international debate. Would you be able to give us a bit of an overview to help us get started in this conversation?

Yep, sure, thank you very much for the invitation. I'm looking forward to engaging in the discussion. As Andy mentioned, I'm actually an international lawyer, not so much an encryption specialist, but somebody had asked me to take a crack at writing an encryption paper, and so my thought immediately turned to the question about, well, what has been happening on the multilateral international stage at large. As I know debates were occurring in the particular individual countries domestically, I was curious which issues had kind of percolated up to an international level for discussion. And as I researched it, it occurred to me that there are actually, it's a little bit of a Rashomon problem. I don't know if you guys have seen that, the famous movie that tells a story from four or five different perspectives, and each story is quite different.
I think similarly we could think about encryption as having a kind of Rashomon element to it. I think there are at least four and maybe five different lenses, international lenses, through which we could view the question. So one lens is human rights, another lens is law enforcement, a third lens is intelligence, a fourth lens is trade and commercial, and then a fifth lens is export controls. So I think one of the points I want to make today is the forum in which encryption questions percolate up is going to help dictate the outcome of the debates. I think if we see the most robust discussion about encryption in a human rights forum internationally, that will correlate to the kinds of outcomes we might see, or likewise if the commercial lens dominates, then we might expect a different or maybe the same kind of outcome. And I think we can see this fragmentation in thinking about who has the lead even in the leaked National Security Council paper that came out, I think, maybe about a year and a half ago, where internal to the US you could see different agencies having various different views about whether we should favor strong encryption or weak encryption, right, with State, the State Department, the Commerce Department, US Trade Representative favoring one outcome, the FBI favoring a more law enforcement protective outcome, and interestingly, I think, the intelligence agencies a little bit divided because of their dual mission. I'll say a little bit more about that in a sec, but just very quickly kind of say a little bit about each of those four or five lenses to get us thinking about maybe the country-specific perspectives that we will hear a little bit about. So in terms of human rights, the activity we've seen to date through that lens actually has been through a UN special rapporteur named David Kaye, who's a special rapporteur for freedom of opinion and expression. He's written a paper that's very pro strong encryption. I think a new human rights-like treaty on this topic is very
unlikely, but I think we could see potentially some action in the UN General Assembly. We saw a resolution a couple of years ago about the right to privacy in the digital world. We might see similar interest focusing on encryption, although I should say I'm not really sure, if you polled the General Assembly, which direction they would go. In terms of law enforcement, I think there's actually been not much international discussion within the group of actors from the various states who represent law enforcement. I suspect there have been sort of discrete conversations bilaterally among, say, the US and the UK or the US and Germany, but I don't know that there has been a kind of robust multilateral conversation about law enforcement. Intelligence: I think we will probably not see much of a public multilateral conversation on intelligence because we never do, the exception maybe being the Five Eyes. You guys probably know that it's five states, the US, UK, Canada, Australia and New Zealand, coming together and having conversations. I expect that encryption has been part of those conversations as well, and it might be that the states are talking about sharing hacking techniques or other interception techniques related to this question. In the commerce frame there actually has been a little bit of international work here. There have been trade treaties; TTIP and the TPP both contained provisions that talked about encryption, but they were addressed somewhat ambiguously, so it wasn't quite sure, not quite clear, what the treaties were and weren't requiring. I noticed that a number of international companies have flagged potential problems with some of the Chinese legislation and threatened potentially to bring China to the WTO, so that's another international forum. And export control: I think there is something called the Wassenaar Arrangement, which regulates encryption. I think this is a forum in which it will just follow whatever policies are chosen in the other areas. So I think just to
close up, I think where you sit is where you stand on this. Different domestic agencies obviously have different missions, so which agency has the international lead will help, I think, predict the direction this conversation goes. Some groups have more powerful constituencies than others, and they also produce different kinds of international law, so trade discussions often end up in a binding international agreement; human rights discussions often end up with a much softer form of international law. I think we've seen limited international action largely because states themselves are still fighting internally about what their policies should be, but I think this opens an opportunity for the United States to be strategic in figuring out which forum it wants to, or fora it wants to, have these discussions in to help drive the outcome.

That was really helpful, I think, for a lot of people who are sort of new to this issue. I'm going to ask before I move on: do you see any opportunities for the US to help shape international discussions here?

Absolutely. I mean, I guess it will require the United States to decide which foot it wants to put forward, but the US is very good at negotiating with other states, setting the stage for persuading other states to go a particular direction. I think, as we all know, there are some countries that will not necessarily follow our lead, right, China and Russia will be hard to persuade in any forum. But that's sort of my final point in my comments, was I was trying to indicate that I think the US could be smart about coordinating across fora and choosing a particular forum in which to push the conversation that can help predict which outcome we're going to see. So I think people within the government, it would be useful for them to think strategically about which agencies of ours to empower in that conversation.

So basically if we can decide within the US what we want, and if the government can come to some sort of consensus either way, then we might be able to
play a significant role and really move the global conversation.

That's right. It also requires a certain level of foresight. We're good at responding to emergencies, and that may well be what ultimately forces us to make a "we're gonna decide pro-crypto, anti-crypto", but I think they could do something more proactive and decide we are ultimately going to favor strong encryption, so that means we're going to dispatch people to the UN to see if we can drum up energy in the General Assembly, or we're going to send our US Trade Representative to have bilateral conversations about new trade treaties that involve encryption, and so on.

Great. So as Ross said, OTI is working on a set of three papers, three European countries, UK, France and Germany, and specifically the encryption debates there, the laws that are new or old, things that affect encryption, and which actors are having the most impact. Kevin, would you be able to give a little bit of feedback and sort of what those papers are looking like and how they're going?

Sure, I'd be happy to talk about that. Thanks, and thanks everybody for coming. So we are doing this research with an approach, a comparative approach, because we want to compare the debates that are happening in Europe to the debate that is happening in the US, which leads to the question, well, wait, what is the debate actually about? And I think at its basic level our FBI, and in particular our former FBI director Jim Comey, has been over the past few years making very clear that from a law enforcement perspective he does not believe that providers should be able to deploy encryption where only the users have the keys and the provider does not, because that means that the government cannot go to the provider to get necessary data. And so whether this means that companies should voluntarily not deploy these products or whether this needs a policy response from the government, he's been somewhat reticent, in part because he was held back a bit by the Obama administration, but
basically in the US you had a debate that broke down between the FBI, and to some extent the DOJ, a broader DOJ, on one hand, and a united, very large and influential tech industry that was making very strong arguments about how not deploying this technology, or being mandated not to deploy it or to have backdoors into it, would be very bad for cybersecurity and for the economy. That industry was tightly allied with a very large and relatively well resourced set of civil society organizations concerned about privacy and security and human rights making similar arguments, as well as a very well-developed information security culture in the US making very strong security arguments, as well as, as Professor Deeks made clear, elements within the government that were pushing back on the FBI, whether it was the State Department and its concern for human rights around the world, FTC and its concern about consumer privacy and security, Commerce Department and its concern about ensuring security for commerce, and a variety of other stakeholders including elements of the intelligence community responsible for securing our networks. Indeed, I've never seen an issue where so many former intelligence and Homeland Security officials were on the other side of a national security debate with the FBI, saying that backdoors or not calling this technology be a bad thing. Also, importantly, there haven't been many major terrorist incidents in the US in the past decade or so, and all this added up to the Obama administration punting on the issue, deciding not to seek legislation on the issue, and a bill that was introduced by Senators Feinstein and Burr that would have sort of bluntly required that all encrypted things be decryptable by the provider was pretty universally panned and didn't go anywhere. This all culminated at the end of last year with a report from the House Judiciary and Commerce Committees that had been charged with looking at this issue and looking at it from a variety of directions and taking
a bunch of stakeholder input. They ultimately concluded basically "we're not doing backdoors, how else can we help you", or in other words, undermining security is not in the best interests of the United States and especially its cyber and economic security; we need to be looking at other ways to ensure that law enforcement can do its job in the 21st century, whether that's better utilizing the data that is not encrypted, using hacking as an alternative investigative technique, looking into how do we mandate disclosure of keys by our targets, etc., etc. And so Comey did come back out swinging this spring with a couple of speeches in March, raising the issue again in the context of a new administration, but then he lost his job, and so we're in the midst of a kind of uneasy peace that will likely be broken as soon as the FBI figures out what it's doing and/or if and when there's another major security incident. There is no such uneasy peace in Europe, in no small part because of a steady rhythm of terror attacks that is placing a lot of political pressure on this issue. And so there are a few other general contours of the debate in Europe that basically apply to all three of the countries I'm talking about. First off, there is not a huge domestic European Internet industry, big internet giants that consumers know and love and trust, mostly, that has a lot of political sway in Europe. If anything, the US companies being the biggest people arguing on this issue in Europe can, and in some cases, especially in France, has been somewhat counterproductive, where the issue is viewed through the lens of tech imperialist US companies imposing their own policy judgments on Europe and disregarding its terror troubles in favor of their business models, which I don't think is a particularly accurate frame, but it is one that is clearly in place in Europe, especially in France. Meanwhile civil society, that is, especially internet policy, domestic policy focused civil society organizations,
that ecosystem is about a decade behind where we are in the US. It's not as large, is not as varied, it does not have the same amount of resources, nor is it, on issues such as this, as tightly aligned with domestic or foreign tech industry. Meanwhile there is not as large or as vocal of an information security community engaged in these debates, unlike here in the US where you had an infosec community that had already been through a crypto war and knew what this kind of fight looked like and was eager to engage. Germany is a big exception there; there's a big hacktivism community there that's played a big role in these discussions. But all in all the pro-encryption camp, as it were, has been pretty seriously outmatched rhetorically and politically in Europe in most countries, and things have been pretty broad. So I'll quickly walk through what's going on in the UK, France and Germany, and then we can move on to talk about what's been happening in the EU. In the UK they've already passed a law that might address this issue. They passed something called the Investigatory Powers Act last year, which is a broad surveillance law that did a whole wide range of things. Amongst other things, it authorized these technical capability notices to be issued by ministers to companies, demanding that they maintain or develop certain capabilities to assist in lawful surveillance by the government. Whether or not these capability notices could be, for example, served on an end-to-end encryption provider and require that provider to no longer offer end-to-end encryption by, say, developing a key escrow system to unlock messages for the government is unclear. These notices are supposed to be, in human rights parlance, necessary and proportionate; they need to be technically feasible; they need to be reasonable and practical, or reasonably practical, I'm not sure which. However, none of these terms are really defined, and there was a lot of back-and-forth in the parliamentary debate about
clarifying whether or not this actually in practice would ban, or allow the banning through these notices of, end-to-end encryption. The government repeatedly said, hey, no, this doesn't require backdoors or ban end-to-end encryption, we simply want targeted access to that data which we have a legal right to access, which is kind of a non-answer answer, and some language was proposed to clarify that in the case of end-to-end encryption a demand that you make stuff decryptable would not be technically feasible. That did not make it into law, so right now there's grave concern that this vaguely drafted authority could be used to require backdoors or the rolling back of encryption features. This took on new heat just this morning when we saw a story in The Sun indicating that ministers were intending, or were being pressured, soon after the upcoming elections, to begin issuing notices to services like WhatsApp to have the capability to provide unencrypted content. So we're gonna see how that goes. Part of the problem is these are secret notices, and the companies that receive them are not supposed to talk about them or what capabilities they develop. The response, then again: one, it would be very hard for, say, a company that explicitly says in all its materials that it is end-to-end encrypted to stop being that and not also tell consumers; that could cause it a lot of different legal problems. Also, if, as perhaps indicated by the story, if and when the British government goes after these services, they're gonna want to crow about it for political reasons and say, hey, we're smiting the big US companies that are, you know, thumbing their noses at us with their encryption. It may be pretty hard not to talk about it because they'll be inviting that discussion. So we have a really unclear, fraught situation in the UK right now. France: we have a similar situation, in some ways less fraught in the sense of there is an existing surveillance assistance authority;
it is also unclear exactly how far it reaches, but it probably does not reach so far as to require the redesign of an encrypted system. However, there was really spirited debate around a recent national security law around increasing the penalties around this assistance provision to really stick it to those US companies, and although the most aggressive version of that did not pass, a fairly aggressive version did, and so whatever these assistance provisions require, if companies do not comply they could get stuck with some really serious fines and other penalties. Meanwhile, sort of supporting the argument that the current assistance provisions don't require redesigning the products, there was a specific proposal targeted at very explicitly requiring backdoors into encrypted hardware systems like an iPhone that ultimately was withdrawn; cooler heads prevailed. But speaking generally, I would say overall France is the most concerned, for obvious reasons, about terrorism; it is most hostile overtly to American companies and uses this as an "American companies imposing their will" issue politically. And meanwhile you have the interior minister, sort of like our Attorney General, teaming up with the interior minister of Germany to make public calls for legal change at the EU level on this issue of the European Commission, which brings us to Germany, finally, which will be very brief. Germany's an interesting case. Sort of like Jim Comey and the FBI, which kind of went off the reservation in terms of what US policy was, you similarly seem to have a really aggressive German interior minister agitating on this issue even though broader German government policy appears to be very pro-encryption, and there are a variety of reasons for this. First off, Germany is very mindful of its past, including the Nazis and the Stasi, when it comes to how they think about privacy and security. They're very conscious of their role as a global economic leader, both in industry
and digitally. Their positions have been very heavily influenced, sort of like the different stakeholders in the US government, by their data protection officials, who have consistently supported the need for strong encryption, and they reacted pretty strongly to the Snowden revelations about NSA spying on Germans, including Angela Merkel, so much so that you have the German government strongly endorsing strong encryption and even strongly endorsing a particular national end-to-end encrypted email product called De-Mail. And so in Germany, despite the aggressive push by its interior minister with the French interior minister, you have an overall pro-encryption government that has instead doubled down on hacking as a way to address encryption and try and access the data that it needs, which is arguably good in some ways: targeted hacking of bad guys' devices is better than forced introduction of vulnerability into all our devices, but at the same time raises a broad range of other privacy and human rights and accountability concerns. But we do see a similar move in much of the American discussion away from backdoors and toward exploiting the vulnerabilities that already exist in a targeted way, but we need to have a much more sustained conversation about what a legal framework for that would look like and how to do it in a way that doesn't fundamentally undermine security or human rights. But putting aside that can of worms, which is probably beyond the scope of the discussion here, we can perhaps move on to talk about the EU, although, speaking of the Hoover Institution, I also wanted to flag another paper issued through the Hoover Institution about the encryption debate in Europe, I believe called "The Encryption Debate in Europe", which addresses several of the countries we're talking about today as well as several others.

is an organization with global reach, unlike many other organizations working on this, so you guys have a lot of expertise including
an office in the EU, right? Could you give us a little bit of information about how this debate is playing out at the EU level?

Sure. You know, I think about this issue like I think about a lot of things, through a sci-fi lens, and so there's this book called The Fifth Season by N.K. Jemisin, and in the book most of the time everything that happens is normal, and there's a winter and a summer and a fall, and every now and then they have what they call a fifth season, where basically the entire world is thrown into turmoil and a lot of people die and it's a horrible time. And that's really kind of how the encryption debate comes up, not only in the US but all over the world. Every now, like, it's always kind of there in the background, the possibility, but we don't really talk about it for long periods of time, and then all of a sudden it's all anybody can talk about and it's world-changing and life-ending and it's just there in front of you. And we've been dealing with this, as Kevin said, in the US since, I believe, the 1970s, and so we have a really robust history to draw from on encryption in the US. In the EU it's been going on for a long time, but not quite that long, and so the history of the debate is a little bit shorter. Access Now is international, and we come at the encryption issue from an international framing, and we have ten locations all over the world including an office in Brussels. And so we noticed, probably about two years ago, that on top of the very public debates that are happening on encryption in the US, this issue was increasingly being brought up in places all over the world, and so we launched a website called securetheinternet.org that had, when it launched, over 200 signers, organizations from more than 40 countries, signing on to speak with one voice saying we support strong encryption, and that has been the centerpiece of a lot of our work on this issue, pointing out the benefits of encryption and the reasons that it shouldn't be undermined. So if we look at
that specifically in the EU, I think there was a big turning point we saw around July of last year, and that's when Europol issued a report that seemed to say we no longer think we should undermine encryption, and seemed to, in our mind, indicate that they were going to get to these much bigger, broader, harder questions behind the topic of encryption, like when and if government should hack into devices, the question of data localization, data retention, these things that governments really want that are potentially incredibly harmful for human rights, and conversations that haven't been happening as much or as vocally because organizations have been putting many of their resources into fighting this encryption battle, which doesn't leave a lot of air in the room for these other conversations. So we thought in July that we would be moving on from the encryption debate in the EU, but again, lessons learned from the US, that it's never as easy as that, and by the time the end of the year rolled around what we had seen was that the EU was putting out these questionnaires to member states, and they wanted to know how member state governments were encountering encryption and what laws they had that they thought dealt with encryption. And so they were asking questions, and we could see the questions, but the responses were not public. So along with some of our EU partners we started supporting the filing of FOIA requests, or the EU equivalent of FOIA requests, Freedom of Information Act, to the various governments, asking for them to make their answers public, and eventually received, I believe, all of the answers to the questionnaires, or at least a good majority of them, and we're able to tell from that that this is a very, very live issue in every single member state. It is something that they are thinking about, it's something that they are talking about, and it is something that they see as a hindrance to law enforcement investigation. They say that, it comes up in almost every questionnaire, they say
that they encounter encryption frequently, if not all of the time, in investigations, and that it blocks them from being able to have access to information, which we thought was very interesting. Around the same time that this questionnaire is going around and we were getting responses back, France and Germany sent this letter to the EU with really positive language on encryption, but bringing the framing back to the issue of encryption. And so, like I said, we thought we'd gotten past that, we thought we were able to have these other conversations, and then the framing came back around to, no, let's focus on encryption again. Now that could be talking about government hacking and data retention and all of these other issues, but putting it in the encryption framing once again brought that issue back to the center of the conversation, and the question of if the answer was going to be backdoors or mandates back into the conversation. This year, in the wake of having gotten those responses, we're seeing that conversation open back up again, but still in that encryption frame. The EU has launched a round table; it is largely seen to be centered around this paper that was co-written by Bruce Schneier and Orin Kerr on encryption workarounds. Again, these are not ways to undermine encryption, these are not blanket backdoors, but they are using that encryption framing: let's keep encryption for the conversation, let's not remove that, which is what we think really needs to happen. It's not "assume strong encryption, let's keep it there", which continues this possibility that we could go back to these conversations about mandates on encryption, things that companies should be forced to do, instead of moving past that. In the meantime, just two member state developments that I think are particularly relevant that Kevin didn't mention from his three reports. One is that the Netherlands has really come out as the leader to date in support of encryption from a government perspective. They issued the strongest
statement I've ever seen from a government on the topic of encryption, still not what we would call, you know, a great statement, but a really solid, good statement, basically saying we think this is important to contribute to the economy and we don't want to undermine it right now, which is good, but that means that there's still this gaping hole globally for a leader to step in on encryption and really support and foster encryption robustly from an international perspective. A lot of times with human rights issues the US or other Western democracies will step into that leadership role, but no country has yet, so we have the Netherlands almost there, but otherwise it's a hole left open. The other side of this: in Italy what we saw earlier this year is actually a legal proposal, a draft of a bill on government hacking, which is quite interesting because, A, it shows that Italy has decided to focus on government hacking as an alternative to focusing on encryption, and B, it was revolutionary from a legal framework hacking perspective in that it was really trying to make rights central to that conversation. And whereas Access Now has said publicly that we don't necessarily think hacking by governments is good for human rights, this is something that is going on, it is happening all over the world, it is happening in an increasing manner, and we're not talking about it and we're not providing safeguards for it. So in a world where the Italian government is going to conduct hacking operations, at least having this legal framework in place that is quite positive and robust we think is a good thing, and so we have those two states doing, I think, pretty interesting things away from the backdooring encryption world that I find fascinating.

First, you know, sort of going off the French and Germany letter that said really nice things about encryption while at the same time attacking encryption: this is actually a rhetorical mode we were seeing a lot. My favorite most recent example
was Jim Comey in his last speech saying I love, love, love, love, love encryption and I am not advocating for back doors, no matter what all those journalists are saying, while at the same time saying there absolutely must not be any spaces where there's encrypted data that we can't get at, which either means not deploying that encryption or introducing a backdoor, i.e. some sort of key escrow system where not only the user holds the keys, so that the government can get it. And in fact, just as he's saying I love, love, love encryption and I don't want backdoors, or I'm not asking for backdoors, he then cites as an example of what he'd like to see the device management system used by the FBI, such that all of its admins can access all of its agents' phones, which is sort of a paradigmatic backdoor. And if you want to, you know, understand the security concerns here, like, imagine the complexity and difficulty of doing that and doing that securely for every phone on the planet. Jim Comey didn't seem to actually understand that there was a significant difference in those two things. The other thing was, in terms of who are the leaders going to be: the ideal situation here would be if the US and Germany could team up like crypto super friends and be the guys who really stood up on this issue as a security and a commerce issue in the face of the increasing pressure from the UK and France, including at the level and there are some transatlantic dialogue efforts to sort of build that kind of relationship, but with our FBI and their interior ministry sort of as free radicals in the system, that's going to be a real challenge.

Thanks Kevin. Now, is the love love love love a direct quote, or are you paraphrasing here?

I mean, I think there were at least four loves. There were a lot of loves.

Yeah.
So everyone has talked about the role of the company Zijian and the dramatic reaction that some of them have had, first in the US to the request to decrypt the San Bernardino iPhone but also to the Investigatory Powers Act. In their written testimony many companies had really committed, even though, you know, they are US companies, international companies, to saying this is very concerning to us. What reaction have you seen from companies you work with to this type of encryption provisions or limitations?

Actually, I just wanted to jump in on one thing that Kevin said before that. I think maybe Comey's perspective might be more informed now that he's no longer at the FBI, given that he might want to secure some memos that might be accessible to other folks at the FBI. So maybe he has a different perspective now. But I mean, the perspective of industry on both sides of the Atlantic is largely the same. You know, in the US you saw Apple and Google and a lot of really large companies informing the debate, aligning really strongly with the privacy community here, with the info security community here, with commercial and trade aspects of the government, to really beat back the FBI's efforts to undermine encryption or to have the debate sort of framed in a way that would lead to a result that undermined encryption. And largely we've been doing that in Europe, but I think to a degree have been less effective because of things that are very particular to Europe. The industry perspective there is again one that is from the US, and so that means that there is, I guess, sort of a negative tint to that advocacy on the part of US industry. Of course, as Kevin said, you know, US industry wouldn't want to cooperate with European law enforcement; they're here imposing their, you know, particular business practices, their particular philosophical whims on us.
And second, it's informed, I think, by the fact that the EU is able to act in a way that allows member states to go off on their own in the way that, say, you know, US states aren't able to do. You're able to see some active it you have to fight all the fights in 27, 28 different member states, where we don't have to do that here in the US, and so our effectiveness is sort of diluted. The companies have to engage both at the EC level and with all the interior ministries and at every member state and with the DPAs, of which there are many across the EU. And so that means that the effectiveness of our arguments is sort of blunted by the fact that we have to frame them for the varying laws in various member states and at the European Commission level. But philosophically we're approaching this from the same perspective. Our member come our users' privacy and security is incredibly important, not just to, you know, our business practices and to making sales and providing services to European users, but also to the company's internal sort of philosophical perspective. There are a lot of engineers in the companies who feel very strongly about these issues, and it's not going to change as they build systems across the world, in the US or in the UK or in the wider EU. And that's also for technical reasons. Building a system that is sort of cloud supported is very complex. It's very hard. Building it securely is even harder, and building it securely in a way that responds to the law enforcement needs of 29 different member states and the European Commission is not impossible. And so it makes most sense to do that in a secure way, while also without providing those backdoors in a way that might be different for every particular member state. And so, you know, it's a business issue, it's an inherent philosophical issue, but our effectiveness is, I think, blunted by the fact that the EU is a very different place.

Thank you.
I'm going to start a more open question with you. So the Investigatory Powers Act is basically the best example we have of new legislation within Europe, because it is clearly defined and has these big provisions that could apply to encryption. Also, US companies were targeted directly during discussions about the Investigatory Powers Act, with WhatsApp and Apple and Facebook being some of the companies that were brought up early on when Cameron was talking about reasons that we might need access to this type of information. Now this week we have these technical capability notices that look like they will be coming into effect shortly after the election. This statement from the Sun UK newspaper, which has not been there is no citation, but it was picked up by many other media sources, saying that as soon as what right after the election, which is in early June, the technical capability notices which require companies to provide access to information that could have been encrypted. Again, the provisions to sort of regulate or limit encryption in the Investigatory Powers Act haven't been used yet. We aren't quite clear on how they work, but these could significantly impact US companies. Do you think that there's going to be some sort of crypto tipping point for companies, when either they're asked to build in back doors, too many requests are needed, where they will buck European governments? A "we won't do this" statement?

I mean, I think that's historically proven to be the trend for all companies, even in the US.
You saw it with the sort of Apple San Bernardino case that ended up being the sort of larger, I guess, flashpoint culturally here, and it may be the case that when there is a request pursuant to a technical capability notice and they assess that it is technically feasible to build one of these back doors, roll back end-to-end just for, I guess, the UK arm of this particular provider's services or for this particular case, that you might find that, perhaps not at that specific moment, because it is, as Kevin said, of the nature of these requests to be secret and the responses to those requests to be secret. It may be that you'll see a wider conversation happen when the government sort of pros about the fact that they have started sending these requests out and haven't received any public opposition to that, and then of course you'll find companies that are philosophically very opposed to this sort of back door access then say, hey, actually no, we received these requests, to the extent they can, or we haven't received these requests but we have problems with them, and then that wider conversation will then happen. I'm not sure that it'll happen in the same way that there was sort of litigation over it here, but there will be sort of a push back as they receive something from one of the secretaries of state or the judicial officers they now have there.

It's interesting you raise the litigation point, because I was going to ask whether we know precisely or can envision how that might ultimately play out if there were an interest in litigation. My understanding is there's a sort of quasi-executive actor who oversees these requests, but surely there is ultimately some way to litigate, whether it's in the European Court of Justice, maybe even the ECHR, and whether you guys have thought about that at all and write in the paper.

Obviously that's something we're trying to figure out, exactly what the pathway through the British courts would look like.
I mean, it could be resort to the European Court of Human Rights; until the UK has disentangled itself from the EU there could be resort to the European Court of Justice. But in terms of, I mean, there doesn't appear to be any explicit appeal path provided in the statute. Meanwhile there is this sort of consultation process that's supposed to happen with the companies prior to the issuance of the notices, to try and game out what is technically feasible or not. I understand that those consultations, which are not open to the public but do welcome public comment, have closed now, and we don't actually know exactly what the results of those are, although hopefully we will, and that may provide the fodder for at least public debate over what they can and can't do and whether it makes sense or not, whether it's technically feasible or not.

One, they're issued, the technical capability notices are issued by a Secretary of State, which in the UK is different: it's an executive branch officer, but more like a prosecutor than the international diplomat we have here. And the Secretary of State is answerable to Parliament, and so there is sort of a congressional, or I guess a sort of legislative, check there. But I'm unclear on how, if the companies are unsatisfied with one of the notices, they can sort of take one of the notices back to first the technical advisory board that informed it and then go from there to the Parliament. But I imagine they have a secret proceeding that allows for at least an initial line of review there. Beyond that I imagine it would have to go to the CJEU.
Before I move on to more international issues I just to continue on the UK the fact that this is aggressively coming up right now like at this moment is kind of is troubling but also kind of confusing to me in the sense of to back up a little bit a lot of the discussion about encryption as already has been indicated ends up being about safety valves of like what are the other things we can do to address law enforcement needs other than back doors. One of the biggest conversations we've been having over the past couple of years is how do we address the need of law enforcement for data across borders and this is especially acute with the UK which has made this a big issue where it needs and its domestic investigations like the emails of a UK suspect in a UK crime but they have to go through the rather slow and arduous mutual legal assistance treaty process to get the data which they resent both because it takes a long time and it requires them to meet our legal standards for a purely domestic crime. There's been discussion about how do we address that problem. There have been some proposals that would allow them to go directly to the US companies without going through MLAT which we and other civil society groups have voiced some concerns about. I gather there was a hearing yesterday on the Hill to talk about this issue I did not have a chance to watch it but it seems really funny to me that in the midst of the UK trying to negotiate an answer to this question which would basically require buy-in from the US buy-in from the US companies that at the same time they're trying to have their kumbaya moment on that issue they're going to be overtly attacking the US companies on a related issue and I would think or indeed kind of hope that if they do that that's gonna blow up this other thing. Hope is a strong word. 
I just I mean certainly I would rather have a civilized negotiation about how to deal with cross border data rather than a war over encryption but it just it just seems I'm not sure if the left hand knows what the right hand is doing or whether this is part of a strategy or if they're just flailing around but if I were them I would probably not be taking this particular moment to aggressively go after US companies on this angle. But yet I mean I see how they're deeply intertwined right because if the US companies from which they are trying to seek information are very pro encryption then the amount of information that they might be able to obtain through the either the mutual legal assistance process or this new potential statutory that is gonna be quite limited so I mean I understand that that it creates a sort of unpleasant dynamic between the European countries and the companies but it does seem from a policy matter they're pulling the same direction in terms of the goals I mean they both serve in terms of what they want they serve in the same direction but it's more of a political question of like while you're trying to make a deal on this I mean they may think that by putting pressure on this issue they're turning up the pressure on the need to make that deal but at the same time if if they're making clear that we're gonna go forward and screw you on this encryption thing no matter what you do over here like they're pulling on the lever so hard that they might break it. 
But really, from their perspective, I think the rationale is the same: like, here are these monolithic US companies that are disrespecting our law. You brought this up early on. And the desire to undermine encryption of monolithic US companies and the desire to put them at the mercy of the foreign legal systems and make them respond directly to the legal process both respond to this perception that companies do not want to respect the laws of the foreign country. And this is not only happening in the UK, it's not only happening in Europe, it's happening globally, and I think a lot of these other responses we're seeing are further evidence of that. The idea that countries want to apply their law extraterritorially, the idea that they want to require data to be localized within their jurisdiction, these are all responses to that same thing, and if you don't have that conversation about all of these things together you're really ignoring the fact that they're all systemic of the same problem.

I think you're seeing that relationship between the cross-border issue and encryption more explicitly even at the European Commission level, because honestly Brussels is a very small place and the people who engage on both those issues are basically the same, and in fact the round tables that are happening on encryption are actually preceded in the same day and the same location by round tables on e-evidence. And so the same people will have this conversation about e-evidence, then suddenly wipe their minds and have a conversation about encryption and pretend that they're unrelated. But from the perspective of the companies I know they're not entirely unrelated, and in fact there's sort of this expectation that if progress is made in sort of facilitating cross-border access to evidence for EU law enforcement, either through sort of procedural fixes for MLATs or sort of bilateral agreements with the US or sort of just other sort of technical fixes, having, you know, a single, you
know a unified portal for for law enforcement to reach out to a single point of contact that'll sort of presumably lessen the pressure on the encryption political debate that is so ongoing at the EC level there's that expectation I don't know that it'll happen and maybe perhaps industry is getting its hopes up that that having a fix here will will sort of staunch the bleeding in another area but that is a hope of industry I think and engaging in this process there I think we came in with the expectation that that those two things would be explicitly related and implicitly the same people in the room having the same conversation so we hope they respect that expectation talking about sort of that level do you guys think that there's any opportunity for sort of international alliances on countries that you know think the same we've already seen Germany and France speak publicly together in your ministers about these issues but you know an EU US backdoor mandate or you know companies with more support for encryption coming together to speak publicly or protect encryption do you guys see any sort of international cooperation I mean I certainly fear an EU wide mandate I think it's within the realm of possibility the existence of that I think would reflect back very strongly on the state of the debate in the US yet at the same time and this was referred to a bit earlier it wouldn't actually solve their problem which I think is still kind of primarily the biggest argument against it which is fine you can have a mandate that applies to all the companies that operate in the EU first off this technology isn't just in the hands of companies a lot of it is open source you don't even need a company to be behind it you don't need servers behind it you just need people installing the stuff and being able to publish the stuff and unless you're gonna be able to you know enable some sort of worldwide censorship of all encryption code which you're not anyone who actually stops to 
think, gee, I'd like to communicate with encryption will easily be able to do that no matter what some segment of the globe decides to do. So I think it is possible these countries could align themselves to try and address this problem through wrong-headed technical mandates. I don't think it'll actually get them what they want, while it will, I think, significantly hurt their own cybersecurity and their economies.

This hurts me to say a little bit, but I think the lack of international agreement on these issues is a bigger problem, because instead you have China taking one approach, Kazakhstan taking one approach, Russia taking one, UK taking one, possibly the US taking one, which means companies are having to deal with five different approaches to undermining encryption, and that makes for a really weak product. And maybe some larger companies will be able to do different ones in different regions, but smaller companies are never going to be able to implement five different backdoors and five different products, and so then you're just having the bottom falling out because things are so weak.

The fact that I'm, like, hoping beyond hope that we can make, like, a US-Germany alliance happen in the face of EU pressure: what we actually need is all of Europe and the US uniting to combat what China and Russia and to some extent Brazil want to do to the internet in terms of asserting basically their geographic borders under the internet, being able to surveil, censor everything, not having any encryption they can't break. Like, we're actually in a fight over the global internet, and right now we can't even get on the same page amongst Western democracies, and that's kind of horrifying.

Within, or, yeah, it seems to me, so that I am nervous about saying this in a New America setting that is so sort of pro encryption and human rights, but I can imagine that a decent outcome would be having a bunch of like-minded states that include the United States, NATO allies, some others agree to a strong pro
encryption world and yet on an intelligence level agree to share hacking techniques that help mitigate some of the law enforcement and intelligence challenges posed by that that might be not a perfect outcome but maybe a sort of second best outcome I mean I think that's likely to happen no matter what and I mean although I think there are a lot of people in civil society who are concerned about human rights and hacking and how we mitigate that I don't think there's much expectation that it's not going to happen right and in fact I recently wrote a piece for lawfare that would be published by now if they weren't busy bearing witness to the crumbling of our republic that basically lays out that they're like there are three really hard conversations that we need to have instead of the encryption debate in order to deal with the encryption debate those are one hacking and how do we how do we regulate it in a way that that protects rights but still allows the government to operate in the 21st century how do we ensure that the government is well trained in how to leverage the data that does exist and you know and to have access to do that which also includes I think a level of transparency from the companies that we're not getting right now about what they actually have which frankly consumers could use as well and then third and finally I'm trying to address this cross-border question and those are all questions that for a variety of reasons it's really hard for civil society to really like say yeah let's talk about those things but that's actually kind of what we need to do right now especially but then again as Bajon says we may be fooling ourselves that dealing with any of that will actually let the pressure off. So I have one more question before we move on to comments Amy, do you have something you want to say? 
As one of the people who might be concerned as Kevin puts it about human rights and hacking first I'm not just worried I actually like have written a report about how human rights has a major has may is majorly interfered with by government hacking and there's a huge impact on global internet security by government hacking but we've also been trying to put out frameworks and like what needs to be in place in law on this issue so I think civil society is engaging on this they are coming to the table they're willing to talk about it it is a hard question I actually see it as possibly a area where global civil society is going to come to odds with one another at some point over the next year but I think a lot of groups are already and out there to have that conversation and as I started with unable to because we keep having to fight about encryption. So you just gave me my perfect window for this question one of the most important things we're talking about in our set of papers is sort of lessons learned for how civil society actors can do better at the European debate in the states you know groups of coalitions of companies civil society academic have really managed to make an impact or at least manage to speak with strong voices in a way that doesn't seem to be happening in European countries how would you guys think these external actors from the US but also within can manage to influence these debates in a way that is more similar that they have than they have in the US. 
Support local partners. Yeah, I think EU groups don't have the same funding ecosystem that US groups have, and I think it's a constant struggle for them to get the resources to be able to engage in this. And I think rather than this approach where you try to take US values and assert them in the EU in a context in which they don't apply, you need to work with the groups there who understand the context, who understand their own system of government, and try to provide the support to them to be able to fight these fights, because they could use it.

First, on the front end, about sort of supporting your local groups: you know, in the US you can basically have civil society in DC and largely affect US-wide policy. You can't do that in Europe. You have to have everybody in every member state capital and you have to have both in Brussels, and so in a lot of ways, you know, civil society groups that might be quite effective here have one person or two people in Brussels and, you know, somebody else covering every other member state, and, you know, that's not a recipe for success.
Separately, I think one thing that needs to be: you can't come in with US values. In fact the most successful we've been at sort of protecting encryption in the EU has been by sort of thinking about European values on privacy and confidentiality and applying them to things that are coming out of the Commission. So one recent regulation out of the Commission is the ePrivacy Regulation, which historically has applied to telecoms and ISPs. It was expanded at the end of last year, I guess early this year, to apply to what we would call edge providers or OTT services, and there was a provision in there that sort of mimics CALEA, which is basically facilitated access to technologies for law enforcement purposes. And the industry, the internet industry in particular, was very concerned for the particular provision in the ePrivacy Regulation. We didn't say, you know, oh, it's undermining encryption and, you know, that's an effect for First Amendment and freedom of expression in the US. We actually framed it as, actually no, this is really problematic for the fundamental rights and privacy and confidentiality under the EU's charters on those issues. And as a result we got actually a press statement out of the Commission that said no, no, no, this provision is not meant to suggest that there shouldn't be strong encryption and backdoors, in fact those things are essential to protect those rights, so this provision is just more of a conversation starter about how you treat those issues. And since this is a commercial law, the regulation is meant to regulate sort of commercial handling of data, it was in fact said outright, you know, don't do anything on encryption because of what this thing says.

So does anyone have one final thought before I open for questions?
I mean to answer your question a few a few thoughts what is and I think this is true in the US as well and you could view this as pessimistic or simply pragmatic but you know especially like folks like me and Amy you know civil society we are arguing from a principled position the principled arguments are not what convince policy makers what convinces policy makers is self-interest what convinces policy makers is you think this is going to help you it's not going to help you that much and it's going to hurt you in these ways in terms of security in terms of your bottom line that's how we win fights that's how we won SOPA like you can talk about free expression all you want what won SOPA ultimately was concerned about the security of the DNS system and how SOPA would undermine it you know it's those kinds of arguments that really convince most and yet those are the arguments that at least based on what I've seen European civil society is making least instead relying more on on the fundamental right to privacy and those types of arguments which I agree with and I actually are the reason why I care about this issue but they're not you know telling telling the MPs in the UK that hey you're you're you're just like Putin and North Korea if you do this that may be right but it's not going to win the argument I would also say I do have this pipe dream of like Tim Cook and Larry and Sergey and Mark getting together and starting a big foundation to fund work in this area globally because we need it really badly there is not enough money and at this point there's not enough you know in terms of supporting local partners there's not enough resources or coordination with industry which ultimately I think is necessary to win this fight like an old adage of one of my mentors on these issues has always been when it comes to civil society you win when it's civil society and the company's teaming up against the government or civil society in the government teaming up against the 
company you know civil society and the companies teaming up against the government right here we haven't seen the development we've seen the development of that teaming up on this issue here in the US we don't have that strong of an alliance in the Europe in part because we don't have strong enough local partners because they don't have the resources so money would actually solve that problem to some extent it just on that last point it sounds like though there were you would want to do it in a way that hides the hand of the companies right so one of the pervasive theme seems to be the skepticism about US companies sort of importing their profit goals onto European values so it seems like you would have to do it with a light touch and I also think though maybe paradoxically if the US government came out and said we are pro strong encryption and here are the following six reasons why that gives foreign governments useful talking points where they can say look another country that has very serious security problems has articulated why on balance it's going with strong encryption that might help some of the government's internally thank you so much all of our speakers I'd like our audience to ask questions so we have a microphone please wait for the microphone so that everyone and also people watching at home can hear the question I'm Mike Nelson with Cloudflare web security firm maybe it's because I've been working on this issue for 25 years since the crypto wars 1.0 but I'm incredibly skeptical about the idea that there will be some kind of international answer to this I chaired the first OECD meeting on crypto guidelines in 1994 and we came up with a pretty specific set of provisions and the OECD is now revisiting those but that was for those people who care about business that was as you said the Rashomon problem three months after I chaired that meeting I went to Bonn got to spend Thanksgiving with a bunch of law enforcement people from Europe now they had a 
totally different idea and they were gonna go home and they were gonna do that I think the fact that we don't have a agreement within the nations means that we're not going to get international agreement and I think we probably this is where I would disagree with Amy which I almost never do if we actually got international agreement among the right thinking countries it probably would be for some kind of backdoor mechanisms it would be for much less security than we have today because at the end of the day the prime minister or the president has to have an answer when something really really bad happens and thousands of people die and encryption was used and saying that there's an OECD guideline that said it was okay or even having a U.S. proposal listing all the good reasons to have encryption I really it's it this is an intractable problem and I don't see any place where we get all the right players together at the international level to fix it it may very well be that Kevin's got the right answer which is this stuff is just gonna go out there and governments are not gonna have control over it it may be that they're able to control one or two aspects of it maybe they're gonna be able to force certain types of cell phones to have some kind of backdoor but the idea that you're gonna be able to listen in on every bit that goes across the internet that seems to be a fallacy so I'd be interested if anybody thinks that anybody thinks we actually can see some kind of international agreement on the use of strong crypto points first the OECD guidelines are being revisited but in my interaction on that it's going to be a light touch and it's probably they're not gonna change at all if it second I will the reason I said I didn't want to say the point about the international agreement is because I didn't want people to interpret it that way and so I want to say that's not what I meant I don't necessarily think international agreement is a good thing what I was trying to say 
is lack of international agreement is causing more problems. So an international agreement could be horrible and we wouldn't support it, and anything with the backdoor we would absolutely oppose, but the fact that this piecemeal approach, with, you know, lots of different approaches to this issue, is how it's happening is somehow worse. And at that point it's marginal, but I did want to kind of call out the fact that there are a lot of different approaches and that's creating different problems. I mean, but at the end of the day, you know, China possibly has a ban on end-to-end encryption, depending on how you read their new law, but they haven't really enforced it as far as we know. If they were to enforce it, they have a fine with no maximum limit for a serious violation of that law, so I feel like we would know if they were to enforce it, because that could be a big problem, but we don't even know if they're going to use it. So it's on the books. Colombia also has a ban on encryption outright, except for high-ranking government officials, which have to have encryption provided to them under the law. Also not enforced, though, the encryption ban. So it's interesting to see what is in the law of these countries, but also interesting to see how they apply. Speaking of high-ranking officials using encryption, we are seeing a trend of people in the US government at high levels... some of them may be talking about banning it or requiring backdoors, but a bunch of them are starting to use it now, after the Podesta hacks and other hacks, both at the White House and, you know, we just saw this urgent at Arbs and the Senate has approved Signal for official Senate use. Similarly Macron, you know, the winner of the recent French election, who, you know, there was that big hack and release of documents right before the election, this is not... he had said some very worrisome things about there should be no safe spaces for terrorists online, which is code for no unbreakable encryption, but what his key digital
advisor on the campaign was actually saying, and the party Twitter feed tweeted it, that actually in light of the hacks we really need to foster a culture of encryption. So it may be that these increasing hacks are finally, you know, now that it's very personalized to these people that, oh, I could actually use strong end-to-end encryption to better secure my own data against people trying to hack me, might actually have an impact on the day. Any other question? Just wait for the microphone. I was wondering if someone could speak to Senator Wyden's promotion of multi-party computation and differential privacy. It seems like Wyden thinks that a lot of the technologies we could be using and are using in industry just haven't been adopted in government. Can someone talk about what multi-party computation and differential privacy is, and how far away we might be from adopting these, and whether folks like Amy would support them? Does anyone have an answer to that question? I'm not quite sure exactly what... I mean, differential privacy, I am not a scientist and so it's kind of hard for me to explain it, but it's basically a way of doing operations on large sets of data without actually... while still maintaining the security of that data and the anonymity of that data. I don't think that that directly speaks to the issue we're discussing today, which is more about whether or not that encryption should be breakable, but I know that Apple has taken great strides in regard to differential privacy, so that, for example, they can better learn how to understand your voice or better guess how you're gonna, you know, for word completion, by gathering tons and tons of data on tons and tons of people, but in a relatively secure and non-identifiable way, which is something, speaking generally, we're supportive of, but beyond that I'm not sure I have much comment on that. I think the big thing here is that privacy and security are becoming things that companies are competing on, which is a shift that we've seen
I think mostly post-Snowden. Companies want to say we are the most secure, we're offering the most privacy-protective certain services. Some of these different aspects have become a part of that, and we think that's really good. We've been longtime supporters of privacy and security by design and think that the fact that innovation is happening in the privacy field and in the security field is really a good thing. In regard to this debate in particular, Senator Wyden is probably our strongest ally in the Senate, which is much appreciated, and he also is attempting to thoughtfully address the issue of government hacking and has talked about the possibility of a bill to try and address that. He's not a fan of it, but he also wants it to be clearly and well regulated. So my name is Jack Kropansky, unaffiliated. I just wanted to get like a clarification on some of the terminology. So I thought I used to know what a backdoor was, and I didn't think it was the same as a key escrow, but are they being used synonymously? So I mean, in other words, when someone says there will be no backdoors, they mean no key escrow as well, or is that a separate concept? And that's one of the kind of frustrating things of this debate, is that people are using this term fairly vaguely, throwing it around. It's vague enough that, you know, Comey can say I don't want backdoors, I just want all encryption to be breakable. But I mean, speaking generally, if we are talking about having an end-to-end encrypted system or a locked device that basically maintains a structure of only the user has the key except in exceptional circumstances, that's going to require someone else storing a key somewhere, which is basically you were holding keys. And so I think, speaking generally, if you're talking about backdoors in the context of encryption, you are talking about... the alternative is, or you can just not deploy that. And I think part of the rhetorical trick that the government is using is they're like, we're not saying we want backdoor
we don't care how you guarantee that we can get the data, we just want to always be able to get the data. That could also mean just not doing end-to-end encryption and having, you know, just encrypted connections between servers and you, being able to access stuff at the server, which is not in the end does that is the problem. And so I could say no escrow, no backdoors, no mandates, no... but that's a lot of words. There are classic... Kazakhstan has incorporated a classic backdoor: you install something in your end-user device and it gives the government access to everything on that device. That is like the classic definition of a backdoor. So those are still being talked about, but there's so many different proposals it's just hard to name them. I mean, so like, we would typically not refer to the security update channel on our devices or in our OSes as a backdoor. If it were subverted to install government malware or, you know, we would probably call that a backdoor even though that's not escrow. There is a rhetorical advantage to calling things backdoors, that they already have sort of a negative connotation, so we haven't necessarily in part of this debate sort of tried to draw the line very neatly. Sometimes it's helpful to us to be able to call things backdoors and necessarily they might not be. But meanwhile, meanwhile Jim Comey wants a front door, whatever, whatever that means. Yeah, I mean, similarly we've had trouble describing what is the thing that they are worried about or that is being targeted. Like, one of the more common phrases now is talking about user... the problem of user-controlled encryption, to mean like encryption where only the user and not the provider has the key. But there's this constant problem of terminology, which actually we're struggling with drafting our papers right now. Like, we have time for one more. Hey, I guess I want to pick up on the point of talking about the lack of coordination we have on encryption, but also about where data falls within what
jurisdictions, and because of this, is there, for those of us who are proponents of encryption in civil society, thinking about, is there worthwhile putting, you know, a strategy of, just as you have tax havens, you have crypto havens of countries that are possibly very microscopic and very small geographically but are connected to the internet and can have a server that therefore kind of creates these spaces that undermine what these larger countries are trying to do in eliminating these spaces? And then kind of coming back to your point of, you know, there will always be spaces that can't be covered, of why start going down this road when you're going to have these other crypto havens as an example? I don't think you need to advocate for it. I think you just need to highlight that that's going to happen, like almost no matter what anyone does. Even if you try and, you know, yeah, okay, we're gonna, you know, we're gonna be really aggressive and get this data, you know, out of Facebook or Google or whoever, anyone who actually wants to maintain the privacy of their data will be able to resort to dodgy folks in, you know, the payments or whatever, or in Russia for that matter, or... but even like right now, Telegram. Telegram is the focus of so much of this agita around encryption, and technically it's a German company, but it's actually run by a couple of Russian expats, brothers, one of who's the business guy, one of who's the coder, based mostly on open-source code, and the dude lives in, I forget which kind of under-regulated island nation in the Caribbean. Good luck enforcing a mandate on them. Like, and if you do, one just like them is gonna spring up in some other place between the lines. So, but I don't think you need to advocate for crypto havens, and in fact I think if you do you'll probably be undermining your other arguments, because you're basically advocating for lawlessness. But I think you can highlight that it's gonna happen regardless and that therefore the benefit that
countries would be getting out of these mandates is probably outweighed by the many costs. Because those companies will exist, the people who are using them are going to be the criminals, and the people who know they exist are technically proficient enough to know they exist. The rest of us are going to be on the weak backdoor stuff that the government has put into place. So they're not getting at the information they want to get at, they're just making the rest of us a lot weaker. And so if I can, if I'm smart enough to know to use the company that nobody can get to, then I'm fine, but if I'm everybody else then I'm in a lot of trouble. I mean, do adopt an argument for movement but I don't necessarily agree with: if you outlaw encryption, only outlaws will use encryption. Oh yeah. I mean, you don't need a Sealand or some sort of weird oil platform in the middle of the Pacific, even though that's really cool. It is, I mean, it's super cool, but in fact it's sort of lent itself to the idea of like localized servers that are in some way controllable. The advantage of the internet is that, you know, Sealand is everywhere. There are always going to be people who have sort of the capability to provide these technologies to you, or you can develop them yourself, although, you know, don't roll your own crypto unless you really have to, right? But that's a thing, like, you will eventually be able to, you know, start up your own Sealand, or you can start up your own Sealand. So there's no reason to designate one particular area as that crypto haven. In fact that's where we can... the argument behind having encryption... in fact it sort of centralizes the problem. Okay, I think that's all the time we have, so thank you so much for coming on this rainy, rainy day, and I'd like to thank our speakers