We'll go back to the auditorium at the Cato Institute for the 2019 Cato Surveillance Conference.

Senior fellow, thank you both to those watching at home for joining us. As I mentioned at the start of the conference we focused on issues of surveillance oversight and this year's conference or this morning you heard about an array of institutions and entities and persons who work to oversee the secret use of intelligence collection. This ranges from the FISA court to the inspectors general to government, billy office to the Intelligence Committee of Congress and one of the newer and in many ways most publicly useful entities overseeing the Intelligence Committee is the Privacy and Civil Liberties Oversight Board. It's a number of valuable reports that have given us unique insights into the programs we've heard discussed earlier such as section 702 and section 215, the authority used for the phone records collection program. I'm sure it will be a fascinating discussion so I will pass it off to our extremely accomplished moderator, the professor of the Washington College of Law at the American University.

Thank you, Julian. Thank you for being here and those who are watching online. It's an honor and pleasure to be here and a part of this conversation with the members. We have three out of the five members here today and two had conflicts and so we are not able to attend unfortunately. I am going to briefly and basically I'm going to do something nontraditional and basically allow them to introduce themselves. Have seen this done a few times and find it way more interesting than hearing me speak. We have Adam Klein and I will start with Adam.

Thank you, Jen. We are a nontraditional agency so good we're taking a nontraditional approach to introductions, right? I'm Adam Klein, chairman of the board and also the only full-time member of the board. We have a full-time chairman and four part-time members which is one of our unique features.
Immediately before taking this position I was at a think tank for New American Security or worked on issues very comparable to the board's mandate of the intersection of national security, law and emerging technologies and those are the things I'm generally interested in. I guess we should also throw out and it's a shame fact about why we got into this work but before becoming a lawyer I worked for the members of the 9/11 Commission on their post-governmental efforts to enact the 41 9/11 Commission recommendations. One of those recommendations was the subordinate is an issue I've been tracking going back to 2004 when I started doing that work and advocating over the years for the creation of the board and then for the stocking of the board with members and to ensure that I had adequate resources and authorities and it's nice to be there to see the board, to fruition with the previous group of Board Members who did great work and we have Sharon Bradford, former executive director here and it's nice to see and to continue and push the work forward now.

Thank you so much for having us today. I'm one of four part-time Board Members and this iteration of the board we're lucky we have a technologist but we're sorry they cannot be here today pretty he's enormously humble as we take the more technical aspects of the program. [inaudible] I worked on the rule of law and before that I spent time in government and part of that about half of the executive branch and half in the judicial branch. I worked in the Office of Legal Counsel at the Department of Justice and with National Security Interest Rate might interest in these issues is longstanding. My parents fled from behind the Iron Curtain and there were stories of what happened when the breakdown between balance of national security and privacy falls away. I'm thrilled to be here.

Thank you.

Thank you, Jen in the queue for hosting us.
So, my name is [inaudible] and I'm a professor at the University of Virginia Law where I teach computer crime, of course that addresses some of the issues we deal with in the surveillance area. My path to this board and this set of issues is immediately before I was in academia immediately before that I used to work at the and in the same part of it that I worked at before I was there and I was to determine the National Security Division and I joined the National Security Division in March of 2013 which was mere moments before a set of disclosures occurred that promulgated the work that the board did in his previous iterations and so that was my entry into this area and I was able to work on some cases involving surveillance and argue cases and until that spread an interest in before that I was in the Office of Legal Counsel as well and I had some interaction with initial Security Issues but I'm happy to be here.

Thank you. I'll start with you. You mentioned already you are part of the worked in the 9/11 Commission Report where the intellectual origins of the board started but could you tell us about the purpose and mission of the board and how it is structured and how it relates to the other oversight agencies entities within the executive branch as well.

As a good lawyer I want to offer technical clarifications. After the report I left was working on Capitol Hill and joined an NGO that the tank measures created called the 9/11 Public Discourse Project which no longer exists but it was a great organization that worked to educate Congress and the executive branch and the public about their recommendations. Segueing into your question the question had 41 recommendations in its report pursuant to its mandate to investigate the causes of the attack and make recommendations to ensure things like that would not occur again.
Many of those recommendations generalizing had the effect or the tendency of centralizing power within the Intelligence Community and within the Homeland Security apparatus and some of those are creating a Director of National Intelligence in creating a National Counterterrorism Center and improving information sharing and among the intelligence agencies using biometrics to track entry and exits into the United States and that originated in the 9/11 Commission Report to the tendency of these things as more information and more centralization and more information sharing. On the other side of the balance of the commission recognized that if you create all this new centralized power need to have an increase in oversight powers. Many of those oversight regulations focused on Congress but they also looked at oversight within the executive branch and proposed that there be a board within the executive branch to conduct that oversight of effort to protect the nation against terrorism. That's the genesis of a board and initially constituted within the White House and in 2070 Congress shifted gears and established board as an independent executive branch agency within a confirmed member.

How does your work coordinate with the work of the Inspector Generals and the other entities, privacy officers and other officers within the executive branch that are doing some of related work on a day to day basis as well?

Sure. Inspector general, to paint a broad brush, focus on individualized reports of waste, fraud or abuse. That is not our mandate. Our mandate is more programmatic.
If there are individualized abuses we learn about of course we would take appropriate action and inform the appropriate officials and that could be informative for our oversight because if something goes wrong on the individual case that may suggest changes or improvements needed but our focus I would say is a higher level of generality and is it wise, necessary, are there safeguards built in and are the right people making the decisions given the stakes that are play and future indications of a line the government to conduct this analysis and so forth.

This is for any of you but how do you decide what programs to work on and where to focus your efforts? There is a ton out there so how do you make the choices that need to be made?

Sure. First of all, [inaudible] in terms of thinking about what subject products we want to take on I think we look to for instance, if there are general if something is being reauthorized so we will be issuing a report on waste and fraud and that will hopefully, the next six month or two so we think that will be of benefit to Congress and the public of having greater transparency in how the program has been operating and we think we can add value to the privacy applications of the program and some thoughts on whether or not the program should be modified and we will look to a version of technology and that's one thing we talked about with strategic plans and to see if there's any programs in that space if the board can offer their insight on and there's a broad array of factors as we look to deciding what projects we take on.

The reason that begs the question is because amongst I was the last one to join at which point the report that was just mentioned was the Freedom Act and it was already in progress. I will step back to see how that project in it so happens that before I joined the board had put out a list of projects that we intend to work on and those made sense to me.
I think that one of those situations where we should think through what is the value added to the Congress and making public and executive branch and we offer different skill sets and one of our colleagues is a computer scientist not a lawyer. The three of us are lawyers. So whatever we can do to be useful and that's what we should focus on.

And on a personal level what you're doing is an enormous amount of work so how do you balance this with your regular jobs?

It has been a good amount of work. Absolutely. Just I do the best I can. You know, we have great staff and they put together great drafts but I take every effort to read through every line we put out in I think that we just have to strike that balance. You know, this is problem people may have about the benefit that way it's structured right now and I think that's a benefit in the sense that the independence of the board is enhanced by having people who have other things to do and I'm at liberty to say what I feel is best and in the board's reports. I think that is the balance Congress struck and it's incumbent on us to make it work. I think having part-time Board Members you have a geographic diversity on the board because it's helpful not only to people working it other jobs and bringing other conversations to bear on her work but have people surrounded by different geographic conversations that take place and so that's part of it.

Let's talk about some of the work you've done. Obviously, as you mentioned there is 215 report that we are the rest of us are eagerly awaiting and my understanding is the issue is the classification issue that remains ongoing challenge so couple of questions about whether you can provide information about whether or not you expect the support to be made public before the extension and the 215 program expires and secondly, what high-level you can talk about with respect to the report.

Sure but I'm happy to go ahead on this one. Just to fill in the background.
One of the things that was revealed by the leaks in 2013 was a large-scale collection of telephone call metadata so what number called what number and for how long and the knot was on the calls. Our board with the previous membership with Sharon working on this did a significant landmark report on this program and after that report a recommendation from other governmental bodies Congress decided to turn back that Authority Stay in chile so the government can still collect those records in fairly large numbers as disclosed in public transparency reports but without not to the same extent as it did before this law passed in 2015. This is called the USA Freedom Act. The government has now had four years implementing that law and it's coming up for sunset or reauthorization, as the case may be, we have undertaken a deep dive into how the government implemented that new authority to collect telephone call records since it was enacted in 2015. That has been a lot of work by our staff and I'm pretty confident in saying they've mastered the details to a very granular extent of how this authority worked and we can't get into the details because, as you said, there is a classification process we have to put that product through and that's where we are now. I don't want to imply there's any problem with that process and I think the people in the Intelligence Committee are working hard to work with us to move that forward expeditiously. It's just a big task and very complex material and there's a lot of it and everyone has things on their plate but we do think we're receiving good cooperation and completely good faith. We're quite hopeful there will be something that the public can look at relatively soon in the new year.

Great. I know you've testified about this to some extent so I don't know everyone here has had the benefit of reading your testimony on this issue.

It was pretty short anyway.
[laughter]

But it would be great to hear your perspective about what is in your testimony and you are able to while this remains under classification you were able to provide thoughts about the program and its implementation.

Sure. Staying at a very high level but at a very high level there are public transparency reports that put hard numbers out there which I think is a pretty great thing that we, as Americans, have access to that, by the way, citizens of other countries do not have access to from their intelligence agencies. Those reports show the number of records, while perhaps not bulk collection as they wait the Previous Program was, is still quite large. Hundreds of millions of records here over a relatively small number of years. That was predicated on a very low number of orders. I think it was 14 orders related to 11 targets last year all in the public disclosures that the Intelligence Committee and I see some of the people involved in that transparency work here in the audience have done a very good job putting out. That gives you a sense of what the stakes are for a program like this and then there are questions about how the authority was implemented and we looked at the challenges that NSA publicly disclosed in implementing the authority and what we found was that those challenges were inadvertent and not the result of any abuse or malfeasance but at the same time my individual judgment as member of the board we will have more information about our collective views when the report is released but my judgment is that the agency made the right decision based on the evidence before it and choosing to suspend the program. I don't want to go any further than that because that's the level of depth we can safely go to until the report is out and then we're confident there will be some more declassified information that will inform the basis for these judgments.
I think Adam put this out already but there was a period of time where the program was suspended because of these questions about how the information was being handled and so the question is, as we move forward and talk about reauthorization are you able to talk about the intelligence and is there an ongoing intelligence need to continue this program or would we be okay if it were suspended indefinitely? Talk about the counterterrorism need of metadata analysis.

Certainly it's a quite high level but I think there is value to having two-hop program so one of the benefits that this program allows was to allow the Intelligence Community to reach, not just one telephone away from your calling, but another hop from that. It's a change from back in the day privacy no disclosure or the program is operated back then [inaudible] it's a general intelligence screen need and use for national security perspective to reach out and I think the question we confront in this program is given the limitations of this particular program was the intelligence value that was being obtained cost-effective in this case? Wasn't appropriately balanced with privacy at stake with compliancy issues being confronted and in a general if you step back and look at two-hop metadata programs there's no not again there are limitations in this particular program of what metadata could be selected and there's experts talking about the ways in which terrorists are shifting those communications so there are questions of whether or not this program was reaching all the ways terrorists now communicate and questions about whether the new authorities may need to be brought to bear to reach these new modalities and how they can mitigate and these were the questions confronted and looking at the value of the program. I will defer further discussion until the report is out.
I will just say I agree with Adam and his testimony that the concerns that the NSA had that prompted it to shut down the program were inadvertent and were not a result of abuse of authority. At the same time, the decision to shut down the program were suspended was backed up and made sense and so I think hopefully that is helpful for present purposes and stepping back, I think, you can understand difficulties with technical issues it just goes to show how we as a society and as a government need to bring all of our resources to bear to ensure that we are getting programs technically right and hitting the right balance between obtaining the type of information that the government should get in order to secure the country will not intrude on people's privacies. It's extremely hard to balance that both from the conceptual level and from a legal standpoint that we are so familiar with and a technical standpoint. That is something we've learned a lot about working with this report.

Staying on the topic of prior work you've done we move into what is next in one of the things I think has been so remarkable about this incredibly comprehensive prior 215 report made public with Sharon gets again an enormous amount of credit for but one of the questions at as a member of the public makes me interested in these issues is question about the 12333 program about which there's a lot less public available information and curious as to whether and to what extent any of the internal work that you all have done on the program would or could be made publicly available.

If I could again start with the pedantic micro correction. It's an important one. 12333 is an executive order and Jen is an expert but for the audience that structures into the exercise of authorities by the Intelligence Community.
It assigns responsibilities to different Intelligence Community elements and mandates certain privacy and civil liberty protections and so what the board undertook and Sharon is free to jump out of the audience and slap me if I get it wrong but is an examination of suture counterterrorism activities conducted pursuant to Executive Order 12333. One of those deep dive examinations was completed before the three of us showed up and we inherited the rest as open projects. What we said we came on board as we would look at the work that have been done and continue the work and bring its product to an appropriate conclusion and continue to do that. Those are big bites to chew frankly and we have a lot to do with a small staff but we are taking their work seriously and will continue to push forward towards an appropriate conclusion. Our goal is always to have things and to have the maximum transparency policy result from every project. Sometimes that means one 100 unclassified and sometimes that means checkerboard redactions and sometimes will push for the greatest declassification in each report but unavoidably sometimes it will mean that reports remain classified. Part of the reason for that is we are not an original classifier within the government. We do not have the authority to designate someone's information top secret or unclassified and so forth. We have to abide by the classification decisions made by the entities that originally classified the information. They own that information. We will have a back-and-forth with them and encouraging them to move in the direction of transparency but at the end of the day our statute requires us to undertake our transparency mission with concern for the protection of classified information and we do that.

If I could turn to the work plan you have going forward.
One thing I love to talk about is the program on facial recognition and aviation security that is obviously a very hot topic in the question of facial recognition where we have a range of views being expressed publicly from banning all facial recognition to let's use it and use it a lot to protect our security and curious as to both the scope of the program and your thoughts about how it is being used in the United States and whether it's being used consistently or effectively and consistent with privacy for liberties?

Okay. I'm happy to take this and I just spoke about it yesterday so it's fresh in my mind. We launched this project on the use of facial recognition and other biometric technologies to verify identity in the context of aviation security. All of those little caveats are important because facial recognition on the street corner is different than facial recognition used by a commercial actor for its own marketing or other purposes and it's different than the use of the government in this very specific operational context for a specific purpose in a specific physical context with lighting and so forth and all these things go into how this technology is going to be deployed in the privacy and Civil Liberties indication that it raises and so forth. We are drilling in on the specific operational context for various reasons but one, the government is moving forward pretty fast to deploy facial recognition in cooperation with industry partners in the airport and second because frankly, some people are interested in because it touches them in their daily lives for the go to the airport and they see a camera and a DHS notice that their photo may be taken and used for a certain purpose and that naturally raises questions.
The department has done good things to explain what it is doing and that's not to say they cannot do more and that is right we're doing this project to make sure this full public transparency about this and that the hard questions are being asked before we are 100 miles down the road deploying this technology.

That makes an interesting question that crosscuts how technology is changing our response to privacy? We each have historically thought about this most focused on the points of collection but as you brought up the issue is to some extent the point of collection but also what happens with the data once it is collected and how long does it retain and how was it used and how or who is it shared with. Curious as to all your thoughts about the ways in which technology is reshaping our conceptions of privacy and what and where the gaps are in terms of our legal understanding and our policies.

I will throw out a few thoughts. That is absolutely right in the scene in last few years both from a legal standpoint there seems to be increasing concern in our to the point of collection and did you get a warrant to get this and alter problems that in this program what are the holistic protections in place that tend to show reasonableness and a lot of times they look at protections of how long the data is being stored and is shared with and how is it being used and things of that sort. You definitely see it in the legal and policy area and it's mostly in large part because national security requirements demand large points of data being collected, not in bulk but still enormous with millions and millions of records so when you talk about those records collection is important and what type of suspicion and but then at the back end there's a lot of understandable public concern appropriately so of what is happening with the data at that point. How long is the government retaining it for? Who is it being shared with? How is it being used?
Some of that, I think, goes to offset a level of comfort with what the program scope is currently or trust in the government at a particular point in time but there is some concern that that is now being deleted then what will happen in ten years, 15 years, 20 years down the line. I think you are right and we are seeing it again both as the courts evolve in the statutes are evolving and what is also on the policy side as well. I think this is one of the big issues that we often confront in both the Fourth Amendment and policy going forward and trends in technology. Obviously, we are experiencing both trends in capability by private parties and government to collect information and that something we grapple with and societal expectations and people are now more aware of what they share and exactly how to measure and it's difficult to get your hands around it and people are sharing this information with all these providers but at the same time they want their privacy protected so understanding the societal expectations and how it should influence policy is important. The technical aspect I think is a really interesting one and to speak for audience when you think about the Fourth Amendment which is written in a way suggesting that its protections are triggered when a search or a seizure has occurred and thereby suggesting that if a search or seizure has not occurred the Fourth Amendment does not protect any of that collection of information.
As a result it's natural to read that provision to apply only to the point of collection and I think that we actually now have in the last two decades a body of case law regulating through the Fourth Amendment aspects of government interactions and data that is not just clinical but what is most apparent for example the 215 program something the audience will be familiar with which is that the FISA court when authorized for the program authorize the collection of the information through the reasonable require of the Fourth Amendment imposed certain restrictions of the usage of that in so exactly how the Fourth Amendment will apply is still to be determined and it's a way in which, I feel, but one way to think about it is we shouldn't let the Fourth Amendment to the extent it only applies to the collection necessary when we think about policy because the Fourth Amendment hypothetically may imply but that's not the way we should think about it with respect to policy because we have other generations that may be the Fourth Amendment and that I think is the second way in which this question intersects for the work that we do is it's understandable for courts to approach the Fourth Amendment or legal questions and it is what they are familiar with and it allows them to address questions on a case-by-case basis. When you have problematic questions about whether this collection of this type of data on a larger scale is a good or bad idea and I feel that that is where the board kicks in and while [inaudible] at least to me but it doesn't feel natural for courts to be conducting that analysis and it feels more natural for some other agencies that have the authorities like questions or assertions in brief just to have that kind of facility.
I agree with everything my colleague said and just to add a little bit to both of those points I strongly agree with the implied premise that the Fourth Amendment is not necessarily needing to be refashioned into an instrument to answer every privacy question but the Fourth Amendment does what it does and I'm coming from a particular jurist school here but that's not the only tool we have. We have Congress and state legislators and other regulatory organizations. Those entities are not bound by a specific parameters of the Fourth Amendment. Congress can exceed the constitutional floor in terms of requirements for the government to access data held by private actors or third parties for example and so I would be delighted to give and see the energies of people concerned about these focus on a developing statutory scheme that reflects real-world commissions rather than necessarily trying to cram everything into Fourth Amendment doctrine where that might be an awkward fit. In terms of going back to the question I completely agree with what I take to be the implied premise that we as lawyers look to the point of collection because that is where the legal rules apply but that may not be the only him and placed in that's true as the volume of data created by our digitized lifestyles expands so massively. You no longer need to go into someone's house or someone's papers or other constitutionally protected area to learn stuff about that person. The point of collection may not be good enough as a safeguard anymore. When we go into our work looking at collection programs like call records or facial recognition in the airport there's a series of questions in our minds and all in mind that we ask. How long are you keeping this data? Why do you need to keep it to connect one of their systems will you plug this into? With access to this data and how you controlled access? Are you checking to make sure that access was only for authorized mission purposes et cetera et cetera.
This is what you may call the back-end set of questions. Those questions are increasingly important is a volume of data and sensitivity of data when you do a Fourth Amendment search.

Your last responses raise another question that I meant to ask which is a big piece of what we see probably are the reports that come out but a chunk of your work is policy advising behind the scenes and wondering what percentage of the work approximately is that and how receptive do you find your audience in terms of are you at the point in time where you can make a difference in the crafting of policies and programs along the way.

In some sense I'd be interested to hear my colleagues talk about to answer the question in a good way because I've been a member I guess for four months now and it's hard to put a percentage on it but when I joined we had the Freedom Act report and in buffalo and I put a lot of time on that issue and it's just hard for me to I've not seen enough of the lifecycle apology to give you a sense of whether and how that is it's hard to put a percentage on it as well. It doesn't mean that we love our work [inaudible] we also have them member of a project happening but in terms of when we come in the lifecycle during that project a life Oversight Agency will come to us and asked us obviously would prefer to come in as early as possible because it's easier to change course at an earlier stage and so that is our preference that we talk to the agencies about but I would say it's generally we seek their advice and it's generally been collaborative in each of the projects we've engaged in.
Going back to the set of policy Fourth Amendment later questions in addition to thinking about what happens to data after the fact, even in the questions and responses we talked about points of question we talked about programs and one of the interesting questions is how various databases intersect with one another and how much can be gleaned with individuals from the intersection of different databases. I'm wondering to what extent that is an issue that you all have thought about and are taking on and thinking through.

Definitely something we think about. If I can throw out an off-the-cuff judgment is that agencies don't always know when they start what that destination is in terms of what they will connect to what other systems and what data they will integrate with other data sets and so I think as I become more conscious of the fact that agencies are not always fully aware of their own future intention we perhaps are becoming even more vigilant about the limits to nonno what is known down the future and in light of that future uncertainty because we know what you may do in the future with this data as Jamie said earlier potentially raises future invocations that would qualitatively change this intrusion the program prevents. Facial recognition is another example of this. You're getting all these photos so what will you do with them? To its credit DHS has come out and said we are deleting U.S. persons' photograph when they're taken on the jetway in airport for example in the 18 where they're doing this biometric pilot and even reduce the number of hours they are retaining those photos and there has been transparency about that but that is one example. Once you have that data set in that system built there are other things you could potentially plug into it transforming what is a simple identity verification transaction into something that is qualitatively different and that potentially could shave more toward a surveillance transaction so we're conscious of that.
As you have done this, what do you see as examples of other governments are doing well that we may learn from as we are moving forward in this space and think through the ways technology and the big quantity of information about all of us shape surveillance policies and also privacy expectations as well? I would say generally we are U.S. focused. I don't know that we have a whole lot of expertise or insight into the curtails of other governments but I will say that, as Adam alluded to earlier, the U.S. is at the forefront, I think, of quite extensive oversight of the national security apparatus and transparency measures in place that are quite unique as compared to other countries. I think that looking to what other countries are doing and having those discussions with other countries is instructive and valuable and we should be open to learning from other countries and at the same time we have our own values we adhere to in our own sets of constitutions and laws and other countries can only sort of go so far, but I don't know. This comparative angle is a particular interest of mine, to keep abreast of what other countries are doing and how we stack up and whether there are lessons learned that we can take from other contexts and bring it back, but will say that I agree with Jamie that the U.S. is in the forefront in terms of oversight and transparency. This is not the end of the avenger and we are still at the as technology begins to exponentially or potentially expand the capabilities of the agency, but we should give credit where it is due and at least acknowledge that something is right, particularly in recent years. Just to list a few examples, we now have a mandate for declassification of FISA court opinions and there were pretty important opinions that were released recently about the FBI is using data under the authority that's known as 702, which is an important electronic surveillance authority. That's a significant transparency mandate that did not exist before.
We have mandatory statistical transparency reporting so you can see how many orders were issued under Title I of FISA, which is electronic surveillance agents of the foreign power in the United States, and you can see exactly how many targets that were under Section 702, which I alluded to earlier. You can see exactly how many call records were collected under the Freedom Act we talked about, and I'm not aware of any country that has this transparency like that, and we are looking for opportunities to push it forward, but it's important to say we've gone pretty far compared to anyone else and to give credit to the people working the institutions every day advocating for that and persuading their colleagues that is an okay thing to do and putting in the hours to develop technical methods and analytical approaches to develop these metrics and things like that. I don't think I have too much more to add. I feel we live in the country that has many set of capabilities on the national security as well as a set of values. I like both sides of that coin and think that is the challenge that other members when within the executive branch and within Congress should try to seek to preserve. This is my last question and then I will open it up to the audience, so start thinking of your questions. What are the big trends moving forward? What are the things that keep you up at night when you think about the future, what is coming next? Where does your head go? I think there are so many, we touched upon some of them, but to the point that part of it is the technical aspects of the ability of government and private sectors to collect information, so one example is facial recognition and that is one example and there are so many at this point.
The technical changes that are in the societal changes that are occurring in terms of what people can expect and what people want from the government, and finally we have a topic but jurisprudence, where it's going, how it will interact with we as a board deal with, and I think that's interesting and will challenge in years to come. The only thing I would add for the moment we are where is a matter of quite interested me and we have seen opinions that came out recently that not only does it continue the versions but some of the justices trying to ask questions, is it jurisprudence as it currently is constructed and is not consistent with the Fourth Amendment and is at the right place to be now, and that's for an interesting [inaudible]. The other thing I would say is with the new technologies coming there's a lot of talk of the privacy implication that is facial recognition and the impact on them, but we also think about the flip side, which is how can new technologies actually help protect privacies, and so we are seeing that in some of the programs that we are looking into now where that technology is helping control access and use, and those are two flip sides of the coin that we all have to think about. Technology, and then I think something we have not mentioned yet, but what are other countries that don't share our values doing with those technologies, now that we have oversight over the Chinese government, but the fifth of the world population is being subjected to an unprecedented experiment in comprehensive surveillance and, frankly, thought control, is scary. Watching that evolve is a dystopian experiment that I think should be bracing for all of us. Questions. Sharon. Hello, Sharon, thank you for the panel and the shout-outs. I feel like I have to ask a question. I do want to pick up on reference to the continued examination under Executive Order 12333.
Thank you all very much for putting out publicly the list of current oversight of projects and I hope you will continue to keep it updated. With regard to that, the prior iteration of the board had undertaken to do but also to do a public report that would at a high level, or maybe dig deeper, explain to the public in an unclassified report what 12333 is and how it operates different agencies and the privacy protected or not sufficiently privately protected rules were, and to what extent is that an ongoing project as well, in addition to continuing the deep dives, and I used to always get asked when that would be coming out, but to the extent that that is something you are undertaking, if you have any kind of prediction at all about where that falls in the timeline. Can I answer this one with an extended metaphor? When we came on, the board had been without a quorum for one year plus, one year and a half, and without a chairman for two years, so it was sort of like inheriting a house from your beloved aunt whose house was stocked with wonderful books and mementos and other things, and that is great and you pick up all these great things that you can then take and give new life to, but then it also takes you time to go through the library and see what you have and clean out the closets and everything else. We inherited a lot of great projects from the prior board and moving them forward and bring them to an appropriate conclusion that has been determined by the current board members, but at this current time we can give information about when that will happen, but we are taking it seriously and we know it's an important project. Thank you. Thank you to all of you coming out. I'm one of the research fellows here at Cato. I want to go back quickly to follow up on something Sharon talked about, which is the whole issue of 12333. I want to start with a more basic question. Do you consider your work product something that you own?
In other words, your observations, your conclusions and your recommendations, do you consider yourselves to be in full ownership of that? I think what you are alluding to is whether other agencies have a say over whether our work product can be declassified or released to the public. And let me tell you the deep concern I have with that. Right now I'm in litigation with the Department of Defense and the National Security Agency over their attempts essentially to suppress a Department of Inspector General report on an NSA report you may have heard of, Trailblazer. The largest programmatic failure in NSA history and a major contributor to the 9/11 intelligence disaster, and what the judge rejected its the effort of DOD and NSA to excise anything. The concern I have is if you let an agency, whether it's my former employer, the Central Intelligence Agency, or any one of the 17 agencies of the isc, dictate to you what you can say with respect to your conclusions, recommendations and observations, respectfully I have to say it vitiates the board's ability to function properly. I'll echo what I think is Sharon's plea here, which is that you bow back to the agencies and say we're going to say something possibly to the effect there's nothing to be concerned about or that may be some things to be concerned about here and we have notified the committees of jurisdiction to that effect. Can we get a pledge to you from that? I can say more than that: when we complete classified oversight reports, those reports go to the Hill because there are people there who have the clearances and the facilities to receive them and read them. They would receive the entire report. Zooming out a little bit, obviously we're an administrative agency. That means we're a creature of the statute that creates us and we have only those authorities in statute. What our statute says is we should make our reports public to the extent with classified information, and that's important.
So we always push to get the maximum transparency possible and release the inventory of active oversight projects, which I think is the first time the agency has done that, because we want to give the greatest transparency, but the other half is important, too, the protection of classified information, and also, as I said before, we are not an original classification authority. I'm new in the executive branch and had to learn the lingo. The agencies that produce and classify the information are the ones who determine and control the classification of that stuff. We engage in a back and forth with them to get moved into the release category but we have to go through that process. Out our statutory obligation to protect that information, and that means when there are FOIA questions it is otherwise statutory obligation to refer things out to the agencies who originally created and own that information. But they don't own [inaudible] so all work product has to go through a declassification process and things are connected and always push to get the most of any document we can to be declassified, and that's a back and forth. It's part of our statutory mission but it's a panel of two sides. Yes, sir. Hi, very excited to hear you guys will have a report on 215 in the next several weeks and read that as soon as it's out. I do want to, since we have a little more time now in the wake of the extension that Congress just granted, but the original deadline for that program and presumably action in Congress would have taken until that short-term extension was just nine days from now. So can you talk about how, before the short-term extension, what efforts were being made to ensure that the information and recommendations you presented, including the report, would be released so it could be part of the public debate in the event that a reauthorization would be passed this month.
I don't know how deeply you want to get into our agency but we're cognizant of legislative deadlines and work to ensure what we do will be useful to public, Congress, and important stakeholders. I testified in the Senate Judiciary Committee and that testimony is public and available, both the prepared statement and then the back and forth with the senators. But we're cognizant of that and the always evolving legislative calendar and we do everything we can to make sure our work will be available and useful. Thank you for the work you're doing, the work to declassify information that has been very valuable. On facial recognition, a bill was recently introduced to require a warrant for three or more days of ongoing surveillance of a person in public places, using facial recognition. And we're having a debate in the privacy community whether those circumstances ever pertain right now under current fact. Is there a use scenario that you have seen through your work that would involve the ongoing surveillance of a person over three or more days involving facial recognition? Is that actually happening? Here's the language of the bill: utilization of facial recognition technology to engage a sustained effort to track physical movements of an identified individual through public places over a period of time of greater than 72 hours, whether in real time or through application of such technology to stored information. Is that happening? Our project is, as I said, pretty tightly focused on identity verification in airports and doesn't would the place that sustained surveillance would be taking place given people pass through airports in a relatively short period of time.
If I can respond to the idea there, without commenting whether that's the right legislation, it's exciting those kind of conversations are happening because that is the type of line-drawing exercise that legislatures are suited to undertake, so I think it's constructive that legislators and people with proposed legislation are thinking where the balance should be drawn when whetdown are not dealing with the stricture of constitutional doctrine, you can do what feels right, and that's all to the good. I don't have much to add and can't answer the question directly. So regretfully. I think my once would be the my answer is to say this is an important conversation for the society to have and it's interesting and useful for Congress and members of the welcome to think about what the appropriate balance is to strike both the collection and then also about usage once it's been collected. Sir. Thank you. I'm Leon, retired member of the Foreign Service. Like to ask you about the use of facial recognition in airports. If you get a hit, I'd like to ask, what is the database you use to get a hit and if you get a hit what action might be taken? Frame, would you simply proner to the person's movement, which flight is he or she on, with someone, be authorized to interact with the person, to talk to them, detain the person, would they be able to question for any purpose? What would happen when you have a hit? I think so, I can speak just in generalities about something interested to hear what others have to say. Depends on the type of program we're thinking about.
So, for example, we might have certain types of facial recognition programs in which essentially what the computer is doing is recognizing your face, and it's recognizing your driver's license and ensuring that the driver's license and the face match up, which is exactly what an agent might do when you reach an airport, and the idea behind the program is that it's a one-to-one match of a person and their driver's license, it's faster, more efficient than a person making the match, perhaps even better and more accurate. Then we might have other programs where we have what we think of a one-to-one matchup, one-to-n match, the computer is matching a face to a number of other faces that have been stored in the computer, and we can think of other reasons, and I think this is what your question was alluding to, why you might want to have a system of that nature, which is that you would then be either verifying this person is in fact not simply somebody who has that driver's license but is in fact the person who the person's presenting themselves to be, or alternatively, if you're using it to screen out and do some sort of security type screening how to the computer program. So I think there are different ways in which the facial recognition programs can work and we're still at the beginning stages of figuring out what might be deployed anywhere, on any platform, whether at airports or elsewhere within the economy. Can I just follow up on that a bit with a bit of just specific factual background about what Customs and Border Protection is doing in the airports. Congress after 9/11, another 9/11 Commission recommendation, mandated that DHS use biometrics to confirm entry and exit, entry into the U.S. and then exit from the United States.
The purpose was to make sure that people who may have overstayed their visas left on time, and it's taken a very long time for DHS to figure out how to use biometrics to do this as opposed to biographic information such as your name and date of birth. How so facial recognition is what they have struck on as a practical way to do this. What CBP is doing now, Customs and Border Protection, at the airports, where they're piloting this, it's in the 18, gradually increasing that number as the months go by, is as people depart, board their outgoing flights, they take a picture and compare it to the gallery of passport photos on the flight, and it's a 1 to 150 or 200 or 300 match, and that confirms the person has left the United States. It's still in the pilot phase but a widely deployed pilot at this point. In Atlanta, CBP partnered with the Transportation Security Administration and Delta Airlines to build that out through the full fate of the traveler experience, starting at the check-in point, then through the TSA checkpoint and then the outbound flight, but at this point it's just identity verification and they're matching your face to your passport photo, but once you have built the backbone you could plug other systems into it, but it's an identity verification system to facilitate this biometric exit requirement, confirming people leave the United States, and then piggyback on that to facilitate other stages. So it's not the surveillance type matching or checking but we're cognizant that technology, once created, can have an uncertain future. Thank you. And with that I would like you to please join me in thanking the panelists and for their work and transparency and being here today. Thank you. One of our there's a speaker who was supposed to be delivering a short talk between our final two panels. He is unable to speak, he is night, but wasn't able to make it and we'll hang out for one second while we quickly sip mics and transition directly into our final panel.
I think we have someone who is able to get our next speakers mic'd. [inaudible conversations] I can set up the [inaudible] [inaudible conversations] the title the return of the wars. If you have been following privacy issues you will be familiar with what is sometimes called the going dark problem, a concern that the pervasive growth of strong encryption presents an obstacle to law enforcement and intelligence agencies, especially as it has gone from a technology that is primarily the province of people with very advanced technology knowledge and the understanding and ability to use very difficult command line tools, something that is baked into very user-friendly technology in a way that doesn't require much sophistication at all. You use encryption more or less daily without even recognizing it by using a smartphone or standard web browser. And this encryption is not just between end users and centralized entities that law enforcement can approach with a warrant, but end to end, meaning encrypted between users without access by like Google or Facebook. That insure the past thoughts have been framed the terms of the threat of terrorism, memorable dustup involving an iPhone used by the San Bernardino shooter. There are concerns this will end the automated scanning of messages for child exploitation imagery and other kinds. Cut off one significant point of access for law enforcement and prosecutors to go after child predators. So, we have an excellent panel arranged here. Unfortunately Matt Blaze is down with the flu and unable to join us but we have an absolutely phenomenal panel. In my former life, before I was a full-time policy nerd, I was a journalist nerd, and one of my previous places was a great techy news site.
It was one of the handful of places where you could expect deep dives into technical questions and in my case sometimes legal questions, wherein to be accessible to generally educated audience without leaving out the nuance and details might be interesting to someone with a little bit more of a knowledge base. I was very pleased we had Sean Gallagher, who is the IT and national security editor, to act as moderator for this panel. So as soon as everyone is wired up, Sean will introduce the rest of our excellent panelists. Good afternoon. Get a we have awake panel and I hope everybody at home is awake eye. Sean Gallagher, the IT and national security editor at Ars Technica, and I'm here today with Robyn Greene with Facebook, with Jim Baker, and with again, just met him because Brad Wiegmann of the Department of Justice, and the topic at hand is encryption. This was going encryption. This is going back mostly been settled. There was the Clipper chip, chip implanted, supposed to be implanted in devices that would have encrypted communications over that the federal government presented as a standard and it was fought against, and it was eventually ignored by industry and proven to be vulnerable by our absent guest, Matt Blaze, amongst others, and idea of having a back door into encryption was a bad idea, but now we are here now, and for some time over the past decade, going back several administrations, the FBI's leadership has pressed the case for some sort of limit on encryption, and as former FBI director Comey put it, they wanted a golden key for lawful warranted access to encrypted communications because encrypted communications become much more common than they were in the 1990s. To prevent criminals from going dark. Evading all forms of surveillance. And the latest version of this argument: Attorney General William Barr using the increasing incidence of online child sexual exploitation as a reason to raise the demand again.
And has asked Facebook in a letter that he signed along with his officials from the United Kingdom to not employ end-to-end encryption for messages by default, out of fear it would allow pedophiles to go dark, and they cited as a reason for this Facebook being a major source of information about child pornography. 80 of the cases of exchange of child pornographic information came from Facebook in 2018. So, they're seeking to ask Facebook to not deploy an encryption until the company could provide some way for legal warranted access to communications. Technical experts have argued that any sort of backdoor end encryption significantly weakens encryption protections it provides everyone, in a legal communication, because it would make encryption more fragile. So, the question before the panel here is, there is a way to have secure communications for the masses and especially for people who need encryption protect themselves against criminals and hostile foreign power and have legal access under warrant. Where do the Constitution and laws of mathematics and physics come to equilibrium like. Can Facebook provide security mentions for us. So I will allow our panelists to open with that. First, let Robyn speak previously and then have each panelist speak and then out to the audience for questions. Thank you, Julian, for Cato and inviting me to speak at this very important event. So, I want to first sort of start by talking about why is Facebook moving our messaging services to end-to-end encryption, and so I started at Facebook in February, before that I spent about eight years working in civil society issues and I lead our policy privacy around the world. So starting in February and having the announcement we're shifting our messaging service to end-to-end encryption in March is an exciting time to start. It's really important to think about why this is happening.
Ultimately Facebook has always been committed to helping people build communities, having their voices heard maintenance of our services, Facebook and Instagram we think of as the public square become it what we're seeing is people are wanting to have more private communications. They want to have one-on-one or small group communications and have ephemeral communications. More conscious of the private information they're sharing because they're having more personal communications online, whether it's sharing stories or personal information about your life and photos, or transacting business. People want to be sure the communications they're having over their messaging services are secure. And that's secure from Facebook, that is secure from external threats like hackers and other malicious actors, and that's secure from any other unintended recipient, including the government. So we think it's critically important to make sure that people can have that kind of control and confidence in their communications to know they have the privacy and security that is needed, given how much data is getting shared and how private and sensitive those data are. But in addition to that, we want to make sure we do this right, and so we're not just flipping a switch. This is actually a long process. A lot of technical challenges that we're facing with doing this to make sure we do it in a way that is good for users and makes sure we're providing them with the end-to-end encryption and also making our services interoperable so you can have a more interoperable to have a streamlined experience across our service, and we want to make sure we get the private part right as well. On that, we have for years now been industry leaders when it comes to safety on our platform. As you mentioned, large portion of the information that the National Center for Missing and Exploited Children receive comes from Facebook because we're proactive and put safety as a top priority on the platform.
We'll continue to do that in an end-to-end encrypted space. Our methods have to be different and we're thinking hard how to be the leader in industry, in encrypted message on safety, and making sure people have the same strong end-to-end encryption where only they and their intended recipient can see the information. Jim? Brad, go ahead and kick off from your side. So, let me give you, thank you for having me here today to talk about these issues, and I appreciate Robyn's remarks. We in government and we as a society are confronting an absolute epidemic of child exploitation and abuse, which is facilitated by online platforms through which predators groom their victims and then share victims. This includes horrific sexual abuse of children and toddlers. The numbers are absolutely staggering. In 2018, Facebook made 16.8 million reports to the National Center for Missing and Exploited Children. 12 million from Facebook Messenger alone. Now, we are very grateful for these reports, Facebook does an outstanding job of reporting the abuse online and we are grateful for the outstanding cooperation from Facebook. We rely on Facebook and other companies, as do other governments around the world, thousands upon thousands of children have been safeguarded as a result. Facebook announced it plans to implement end-to-end encryption in the message services so you will no longer be able to see the content of the messages of the platforms, no longer be able to see the child sexual abuse images. The CEO of Facebook aned that there are real safety concerns to address. Associated with the shift to end-to-end encryption and we have a responsibility to work with law enforcement to help prevent the use of Facebook for child sexual exploitation and other social ills such as terrorism, organized crime, fraud, human trafficking and other social ills.
He also aned after the change, quote, we will never find all of the potential harm we do today when our security systems can see the messages themselves. So, in response to this, the governments of not just the U.S. but the United Kingdom and Australia wrote to the CEO of Facebook asking him not to implement the end-to-end encryption without ensuring there's no reduction of user safety and there's no this is something that we as public officials charged with public safety and protecting your children and children around the world, our obligation to do. We haven't yet received a response and have not been consulted. It has been suggested that pattern analysis of some kind can substitute for access to content to identify sexual exploitation. We're skeptical this can occur. There's no substitute for seeing the content. Can't identify the children and can't investigate and have evidence to prosecute the perpetrator. We're interested in hearing more about that. It's interesting to compare Facebook with Apple. Apple instant messaging service has long been end-to-end encrypted. When Facebook reported 12 million reports of child exploitation from Facebook Messenger, we received 43 from Apple in the same period, which is end-to-end encrypted. Give you some type of idea. We can't predict for sure but maybe some indication what we are concerned about. To be clear, the government supports encryption. We're not against encryption. We use encryption in the government. We're responsible for cyber security and prosecuting cyber crimes. We understand congress is dependent on it and society is dependent on it. We oppose end-to-end encryption that does not permit lawful it cant our concern is Facebook Messenger today is not end-to-end encrypted and I don't think people is not a safe platform. Online banking, no one says that online banking is not safe.
The cloud is by and large not encrypted and no one says information stored in the cloud is not safe. We think the solutions can be found. And we want to help find these solutions. That's it. Jim and. I'm looking forward to having a discussion. I worked on going dark or the encryption issue for a long, long time and that has been a personal journey for me, both at the Justice Department and the private sector, at the FBI, and since I've left the FBI, and so I take with great seriousness the comments Brad made about the victims. There are real victims because encryption does inhibit, it does slow down, it makes law enforcement less efficient and less effective, and in the San Bernardino case, when I was at the FBI, the general counsel there, and I thought we had a very serious and solemn obligation to the victims of the terrorist attack to do everything we could to run down every investigative lead, and so having in our possession the one of the phones of one of the perpetrators, an iPhone, and having consent from the city of San Bernardino that actually owned the phone because he was a city worker, and then having a warrant, we thought it was the logical thing to do to try to get access to that information. We and Apple disagreed. We ended up in court and that dispute or that legal excuse fizzled because a third party came forward and explained they had a way to enable us to technically get into the phone and there was no judicial resolution of the matter. And so the case was moot there at that point because we had way to get into the phone. So, my concern, I have several concerns about the government's current approach and I've had to rethink my own approach, which was strongly in favor of trying to find a way to enable the government to get access to encrypted communications, and a couple of things have driven my thinking on this. Number one is, the problem at the end of the day is a legal problem, not a technical problem.
The sophisticated companies can write software to give access to the government. The question, the technical reality is, it can't be done in a way that provides a substantial amount of cyber security the same way that the kind of encryption systems we have today do does. I lost my verb. The you can rewrite the software but not as secure. The problem is not technical. The problem is not the Fourth Amendment because the government can get whatever warrant they want for whatever device or system they want to get under the various legal regimes that might apply. The problem is there is no clear legal mechanism under federal law or state law to force companies to rewrite their software to redesign their systems. The various legal provisions, they simply don't empower the government to get a court order to force companies to do what the government wants them to do. Just doesn't exist. To me the government, law enforcement agencies, myself, we have been telling the public about this for years, telling Congress about this for years and nothing has happened. Congress has failed to act. There's a lot of reasons we other could go into but that it havent tub it. To me that's just like dealing with reality. That's just the reality. The reality is Congress has not acted and I don't foresee them acting if the administration has revived this issue. There's a hearing in front of the Senate Judiciary Committee and maybe that will have an impact but I doubt it. That's one reality, I don't see Congress giving the administration the legal tools it needs to force companies to do this. The second reality is, in my view, the U.S. and its allies face an existential threat with respect to cyber security malicious actors, cyber security is that bad. It's subpar, poor.
And so encryption, encrypting end-to-end communications and encrypting stored data and spreading the use of encryption wherever we can in the very complex digital ecosystem we all rely on to conduct our most essential services and business and activities as a society, that is, just, encryption is a way, not the only way and it's not a perfect way, but it is a significant way we can use to protect ourselves from the very, very significant, existential in my view, cyber security threats. What I'm urging law enforcement to do is rethink their approach to encryption, because they are stewards of public safety and have to protect the most people from the worst harm. They need to rethink their approach to encryption and actually embrace it, but recognizing what Brad says is true: there are real victims of crime, because there's real victims of crimes who will suffer because encryption in certain circumstances will inhibit the ability of the government to do its job. Slow them down, make them less efficient. They use other investigative means, but having said all that I just think it's time for the government to rethink its approach to encryption and embrace it instead of trying to find ways to undermine it, quite frankly.
A couple concerns. What is driving the demand for end-to-end encryption on Facebook right now, and in other platforms as well, is, a lot is a feeling of lack of privacy because of a loss of trust in some of the platform providers of the past few years, like the Cambridge Analytica scandal and spreading information algorithmically, and there's concern about conversations being cached for long periods of time, other data being checked from years across different platforms. And the other side of the coin, from the standpoint of asking Facebook to not use end-to-end encryption, doesn't that just push the people who would use end-to-end encryption on Facebook off to other platforms, Signal, Keybase, that have features similar to Facebook in terms of the ability to share a large number of people and end-to-end encryption capability? So why would you specifically go after Facebook? And I understand there's a major contributor to reports to NCMEC, but doesn't that create a situation where people who are aware of this debate, in that perpetrators of those crimes move into another place where they can already go dark? If I could address that last point first. On your question whether people move platforms, we obviously haven't seen that today. People are still using Facebook Messenger. It's not end-to-end encrypted so we haven't seen that today. Second point is, though I want to be very clear, not intending to single out Facebook. Facebook has been a good citizen to date. The flip side, the concern is the shift to a paradigm where we no longer get the reports we get today. So, I just want to say we'll continue to be good citizens after we move to end-to-end encryption. Safety is a top priority on our platform and we're thinking very hard and taking our time to build the new tools in a way where we can be confident that we're addressing legitimate safety concerns of the Department of Justice and ourselves and the public and users.
Nobody wants to be using platforms that have harmful activity on them and we're committed to a program basically of prevent, detect, and respond. And so we're going to prevent, looking for ways to identify how are bad actors getting in touch with each other, how they are finding victims so that we can actually prevent the connections from happening in the first place. Then looking to detect bad activity. No, we won't have the content of information. We'll have to change our methods but we're going to be able to find what that bad activity looks like so that we can take action on it on the platform. And then we want to be able to respond. We want to make sure that people have the possibility to report bad activity when it's happening. If you receive a harmful message or abusive message you can do a report on Facebook, and if you do a report you can consent to share with us that harmful or potentially legal activity and we would have access to the content and share with the authorities. So things will change. That's for certain. We're engaging in a robust consultation process, and we are having conversations with government: what kind of signals you're seeing that are helpful that are non-content. Talking to public safety experts, consultations with dozens of public safety experts to make sure we get all the information we need so we can build a safe product, and having conversations with privacy experts because none of this works if people feel like they have control and proofs and 8 a of messages are sent over encrypted messaging services worldwide. This is what people expect and that's why we're looking to provide that, and the way people are using their messaging services demand it because of the cyber security threats you mentioned. People having private communications they want to keep between themselves and their intended recipient or recipients and also doing business.
Sharing intellectual property, financial information, and engaging in conversational commerce. They share medical information. We now do most of our conversing over messaging services, and so we have to make sure they're secure. One other thing I'll just add is, when we're thinking about how to do safety right, that was a stark statistic about Apple, but there are ways to make sure you can continue reporting. I will share that WhatsApp takes out 250,000 accounts because of harmful activity every month. We are able to find harmful activity even when we don't have access to content and we'll continue to do so. We think we are well-positioned to build the safest and most secure end-to-end encryption service because we've been leaning into safety on our services. Is that mostly because of user reporting on WhatsApp? Some user reporting. A lot of the reports, these are takedowns, and but we will still continue doing scans for abusive content, child sexual exploitative content. We're still going to be looking for abusive content on Facebook and on Instagram. It's the messaging spaces where that changes, but there are still some public parts of the messaging spaces. Agreement, profile photos and group names can be public, and if you wind up using exploitative imagery as your profile photo that's a pretty good indication this is not an okay account, and so we would be able to identify that account because of the scanning. Send that information to the government and then of course take down the account. Have you done any analysis to see whether 17 million reports, will there be drop-offs? There's going to be a significant diminution of the reporting we get. I can't, I can't speak to the percentage of declines, but certainly we think the reporting will change.
So, it won't be the same kind of image hashes but we are consulting with law enforcement to find out how can we make, identify useful information for you that is non-content based, and that builds upon the WhatsApp privacy model when it comes to the data we have access to. As far as other ways to go after content in a more end-to-end environment, what type of techniques have you seen that could aid in going after these types of problems that don't require a man-in-the-middle sort of back door? So, maybe a couple of different observations. Number one is, let me back up and talk about this issue a little bit more. Society's failure to protect children is colossal and profound, and everybody in society shares the blame for that. Everybody. Because we have not done what we need to do to protect children. Period, full stop. So, even as we have heard from Brad, even with the current communications systems we have, we still have thousands and thousands, I think you said, of children saved. I was always worried when I was with the government of actually giving out facts and figures because they often turn out to be wrong, but in this sort of area, but in the event, thousands of children are being abused and society is failing them enough. And the failure is systemic, and it has to do with way more than encrypted communications. Has to do with the inability of government to absorb the material, has to do with the technical systems the government has to deal with this material and to do with these perpetrators. It's a systemic failure across a long many dimensions and society needs to deal with it in part by providing better tools, more money, to the investigators and the centers trying to deal with this. For example, to try to think about how to perhaps do a better job leads into something that I've been thinking about a lot lately, which is not only does government need to rethink encryption and needs to rethink how it does investigations and just embracing reality.
The reality is the systems are there. The reality is encryption is out of the box. The reality is it's going to be used either in the United States or other platforms. People are going to gravitate towards it to protect their communications; lawful actors and unlawful actors will gravitate toward it and find ways to communicate. So government needs to adapt to the world we have today, to not try to go back to the past where they have access to content of communications. Need to figure out how to do a better job of analyzing data with respect to finding the bad guys and victims and invest much more in that. Industry could assist law enforcement with that as well. Something that might have to change some laws to accomplish. But doing more data analytics, making more use of open source information, and I think also reinvigorating government's ability to use human sources, informants, in organizations, undercover operations. The government has to, I think, do a better job of doing that. In my experience those are the investigations that are the most effective, when you have good human sources in the places where they need to be. They're hard. It's more expensive and time consuming but more effective. Let Brad answer that and then questions from the audience. I take his point, but in the investigation you might have in a child exploitation case there is absolutely no substitute for having the content, the access to the images of the child who has been committed, and won't have human intel sources in that scenario. Might have a toddler and the individual who is abusing that toddler. There is no one else involved in that transaction, no other way to get that information, and if that person is disseminating images online, there's no other way to get the information than the access to content of photographs. The other point I would say, in response to Jim's point, we're not trying to go back to the past here. We're trying to update laws from the past to today.
We have had telephones forever, right? And we have a law called the Communications Assistance to Law Enforcement where telephone companies have been required to provide assistance to government. We're asking for a new era to update the laws so a different means of communication today that is much more pervasive will meet the same requirements of telephone companies. A fundamental tool, wiretapping. The question is why is it different on the internet? Because, go ahead. The digital ecosystem has changed substantially and the volume, variety and velocity of the communications is just a different world than it was five years ago, ten years ago, before the really advent or. The exact voice communications via the spirit as of a regular telephone line and get the telephone line but we can't get the other one. I see no legal or moral justification for that. Actually secure. We don't have that and we are more dependent on that than we have ever been in the past, and if we have a significant catastrophic failure for a significant period of time, I am quite worried about society's ability to function effectively, and people will be harmed, injured, die, if we have a failure like that. So, with victims on one side, victims on the other, how do we sort this out with the risk to the digital ecosystem from doing something that would interfere with the ability to have encrypted communications? Congress needs to resolve that. The elected representatives of the people need to balance that, step up to the plate, either pass a law and change the landscape or not, but it's not, I don't think it's up to the private sector to sort that out. Companies in the United States, I'm quite confident, will follow the law, so Congress needs to act, and so far the government has failed to persuade Congress to act and that's where the focus should be. That's the point, I agree with you 100 on that point. Any questions from the audience? We have a microphone. Start off with, I'll start up here. Sir.
My name is [inaudible] also served two tours in, just have, now we have microphone. A few comments on what you just said. First, my assumption is that the vast majority of the people in this room, if not everybody, is against exploitation of children. Of course. I think it's a red herring to use that because the law enforcement authorities were dealing with this sort of problem and a whole range of other problems long before we had the technology we're talking about, so there are techniques. End-to-end encryption, other technologies we're talking about have very legitimate uses. They help protect dissidents in third world countries. They help protect business here, et cetera, et cetera. Also, technology, you can't make it disappear. If you forbid Facebook from providing something, I'll be able to get it, other people can get it. In one way or the other. So, I think it's not really feasible to even do what you're trying to talk about. When the attorney general talks about having a back door, he is just showing he doesn't understand the technology that is involved, and I've had conversations with former CIA director Hayden and he is also of the opinion it's just not possible to do what you are describing. So, again, thank you for your comment and I'd appreciate hearing what you have to say. Thank you. That does bring up a number of issues I have in mind, that is, we, experts in the field, cryptography, have said that if you put a back door into a system, regardless how you approach it, there's room for abuse and there's room for breaking. There's also the concern that what can be warranted can also be abused in terms of access. You have seen a number of cases where legal access has been abused in the past and I understand they're not the majority but they happen. So, given that and given the weaknesses that you would introduce into the system, what is the, what is your response to that?
How do you, again, this is something that obviously legislation has to decide, but from the standpoint of a mathematical perspective there is no known way, and a lot of people have tried, to build a cryptologic back door that allows for only warranted access. The only way to work is if there was a man-in-the-middle arrangement, where everything flows through the service provider and you're given access through the service provider. So, the service provider can be compromised. So, how do we deal with the laws of physics and mathematics in that? I'm not a cryptographer but the people in government at NSA and other agencies, the world's leading experts, think the solution is doable. No less than technology expert Bill Gates says this is not a question of ability. It's a question of will. A number of governments, Australia, United Kingdom, United States, governments in Europe and other parts of the world, have said this is doable. Two former NSA directors say it's not doable. Let's talk about the systems that exist today. That exist today. Facebook has a system today. That is not end-to-end encrypted. There's a whole slew of them I can identify today that are available where companies made decisions to maintain access to things. If they can maintain access because they needed to sell advertising, why can't they do that for law enforcement? Why can Apple obtain a key, if it needs to send software updates it has a key. They had that key at Apple but to protect that key, would be a huge security incident if Apple lost the key and someone could monkey with their software, but they maintain the key to have access at the kim. We're asking there be a key we can get for law enforcement. Are you looking at a solution similar to what Australia has legislated, where law enforcement can require a software provider to make a modification to software in a warrant against specific individuals to allowing a so this accounts.
We're looking for any solution which will ensure lawful access. We don't want to dictate with the company, we're willing to have a conversation with the companies. We are investigating those same crimes. We're interested in protecting dissidents but we think this can be consistent with cyber security. These are the most innovative companies in the world and the idea they can't come up with solution. That prevent lawful access I think is not credible. Another question over here. There's several. Start off in the back. Freddie from opening the government. Last year we heard talk about GCHQ's provision for group messaging and lawful access for group messaging and even the DOJ didn't support that publicly, and I guess my question is really, I guess my question is why hasn't the DOJ put together a technical solution which could work, because absent that a lot of people in this room are debating something that is hypothetical. We talk about different options. Talked about a couple of them today. Our position has been, we think the companies have different platforms, some are device makers, some are communication systems. They need to come up with their own methods consistent with their business needs and their technology for providing the access we want as opposed to having a government top-down solution. The worst from the company's perspective would be the legislators say this is the type of solution you must adopt. I'm quite confident if you dig through the video archives you can find a clip of me saying exactly what Brad has been saying in the past. I understood the problem exactly the way that he is articulating now. Just having spent years and years working on this, my understanding is also that there actually is no technical solution that adequately, in the sense of perfectly, protects cyber security and provides the government access. Just doesn't exist. But just real quick.
So, yes, the companies have different systems where they've made different choices, don't use encryption and so on, and they decided to use encryption, but, again, given the fact there is no system that actually provides cyber security, that provides strong encryption and provides the government with access, that does not exist. If you introduce some cyber security risk into a system, then that is a call that Congress has to make. It's not, it is the, they've got to legislate if they want that to happen and they then on behalf of society take the risk that some bad person, some bad organization, some bad foreign government is going to figure out a way to disrupt all the communications that we think today are encrypted. When you change things this way they're no longer going to be effectively encrypted and society will bear the burden and Congress has to make the call. Now it's not possible so in the system with exceptional access and have there not be potentially very dangerous ability that can be exploited. It's just not something possible. We haven't to my knowledge invested in trying to build a system and we certainly won't be investing or building any system in the future. Any other questions? I work for the defense from an organization that not only defend political expression but our own rights particle committee, conduct against the organization as an example. Guess what's really concerning to me, in this law enforcement and inhabit on free speech. Up until two or three years ago, the ftc, the socialist worker party was searching filing decisions on the basis but by disclosing the names of donors, they would be making them potentially liable to law enforcement abuse based on hearsay history. Given on history, what this government has been on including against my organization, do you worry about putting law enforcement back into encryption will have a chilling impact on speech or help facilitate these types of abuses?
My answer to that is yes, it depends on the laws and federal court. It's only court access so today, with that access, we can search our own. When an independent federal judge, and we have believed to do that. That's been our constitutional standard in the country. We can do that. You have to be or you have to protect that law. We have new technology. To have that same ability with approval, First Amendment rights, etc., they have a space immune from that. It's what one cannot enter. If your kid disappears, there's no way you get them back because there's no way to fix that. You can't go in there. You can't find that child the same way you can't get communications online. Is it going to be immune for the access or not? I think there's a distinction. I think what you are talking about is a legal standard. You should be able to execute your search but it's not just only law enforcement officials, the warrant would be able to access communications if there was exceptional access. The front door for the government is the back door for malicious actors. Encryption is only you and your recipients are to be patient. There's no way to be able to go into the Exceptional Office alone. We think the companies already have maintained that access. Apple had a key where they can access all the forms, why can't we have that same for the government? There is the access today. Government has access, it has not been a problem. Our users are demanding it. Maybe. We have three people right there. I wonder if you could speak to the situation you have here, a disagreement on this issue, is this a preemption and can we interpret it as a preemption? It's been discussed in years past, in 2010 and 13, they have planned to use this moment to put on notice that kolya may be coming down the pike. That's a broader discussion.
In terms of speaking to that speech, it's not allowed or delayed, what can you say this will do to the market in your terms of being able to access conversations if they take them to other markets not in the U.S.? We want to work with other governments so we have solutions that add up to their competitors as well. You said there would be a court order and lawful process. Isn't that always the case? If exceptional access was built in, are you telling us NSA wouldn't be able to exploit that exceptional access given, and there would never be the use of section 702 or executive order to access communications through this exceptional process? Depends on what we are talking about, court authorized access. In the past, it's worked to break other encryptions so that doesn't mean it would exclude them from that capability. That's the breaking encryption today. What people are saying, why don't you just try to break into the system? Is a better model, I'm not sure why that's safer. They are not telling anyone about them, why is that better? Is try to find those abilities. Is it better for anyone? Why is that better protection? Sometimes there's no system, there's no access for perfect security. Security is a balance. For automobiles, we say okay, you have standards. Your car will be less safe. If you have a car that's not as big and heavy, it can result in more traffic fatalities. We make a decision as a society that we want to have emission standards, clean air, safer products. I think it's the same tradeoff we are talking about here. There's no perfect car that can be immune from any car accident ever. They are all things that Congress should be tackling that they have not over the last decade but they should be. But let members of Congress cast a vote when everybody is telling them the result of that vote will be less cybersecurity, less security for the American people in the digital ecosystem. Let them associate their pain with that.
Terrorists' victims, everyone victimized by activity. Maybe, but the failures with respect to children exist today. You're talking about the horrible world you're describing not exist today and government has failed. We are able to save many of us children, how many victims are out there still? Let's go to other questions. Jim Baker alluded to this issue earlier about going out there with numbers that might not be correct. In June 2018, it came out that the DOJ and FBI had been using an incorrect figure on the number of locked phones, I was unable to access. The news accounts, that number might be closer to 1000 but we are working on it. The DOJ and FBI put them on asterix for entire speeches and said it's wrong. I was wondering if you could give us any update or if they are working to provide more and if you seek to have this conversation what the true extent of what this problem really is, where you have cases that are thwarted by inability, preventing you to get access to that kind of phone. I don't have an update on that. You're right, the number was around there. It's a large number. Maybe not 7800 but I'm sure over 1000 phones. It's only a little piece of the puzzle. It's only the devices we have in law enforcement. Is there a new updated number? I'll have to get back to you on that. We have time for one or two more questions. The government wants to persuade Congress to do something, they've got to do a better job. I know firsthand how hard it is. It's very hard to do but they've got to do a better job, otherwise they are not going to prevail. Why would we trust U.S. government to talk to them on the planet, to have information on Jeffrey Epstein for more than a decade and there's been nothing to incarcerate or investigate the perpetrators on people who have exploited children and girls from all over the world and country and from New York City public schools?
I don't know the details about the Epstein case but my understanding, it's still being actively investigated. The U.S. Attorney's office was still working on it along with the FBI. I'm not in the government anymore, I can't explain what's happening with that. I will tell you I could not disagree more with your original statement about the U.S. government being terrorists. That's preposterous. I don't go along with that at all. On the other matters, you will have to ask the government about that. My understanding without getting too technical, on the one hand technically not feasible but on the other hand, you talked about Google, have two different encryption methods, one is for data and data rest. When there is a gap between switching from the one modality to the other, that's where Google goes in to get data they use for marketing purposes. My intuition is that the fact the FBI does have access when it wants to for the technical perspective, the issue is the DOJ can't quite use that information because it's been improperly accessed. Is this a legal or technical matter? Even what we call end to end has numerous snap points where malefactors or the FBI, government can get in. That's really not the issue. When it's end to end, the endpoints are a point of access. Whether the end be the stories on one end or the other, it's in transit, that happens in software. His introduction in software that picks up on the data is translated from received the store. I would be exploiting the software that provides. I don't believe Facebook is looking at doing anything. Couldn't you say, have something in the client side where the receiver gets the message and you can process the image to see if it is harmful? That's not going to happen. It requires too much overhead and it's also, totally breaks the whole idea. That sort of surveillance, using the introduction is a solution from the justice's perspective and again, that's something legislative.
So the reception, how the law works is not encrypted in one way but then when it started, it's encrypted in a different way. That's not encrypted in the public-private key type of exchange that happens or the use for the section. It's a totally different type of encryption. The gaps between the two to get the information that's passing over and processing for security purposes. I've seen this on both sides, companies will argue you have access to all these categories of information. Maintain lawful access, you don't see the systems are insecure. You're going to maintain access but not for these other ones. They can allow access because it gives them access that you can't do it. They will tell you what they say. They are not going to go into encryption. If you'd like to respond to that in any way. It's apples and oranges because sometimes, it's up to the user to decide how much risk they want to take on the company or anybody else will look at their litigations. If you're looking at an email system, I send you an email, or it's unencrypted when it gets to you and also the company to look at it, well, we know that and we can make a risk-based assessment and whether we trust the company. In certain circumstances we don't want the companies to do that. I want to send you a message and I want it to be the case of only the two of us reading it. That's what we are talking about here. We make the assessment and for whatever reason, that's the risk you want to take or don't take. They accept the risk or whatever but the multifaceted world that we live in today and the encryption is out and it is out of the box or the cat is out of the bag or whatever and it's not going back in. For business reasons, the decisions are made. It is business reasons but it is policy reasons. We care about the security of their data and making sure there's a sense of communication in a way where they don't have to worry about this.
There are many cybersecurity threats and whether it's stored data in billions of records that are the subject of data breaches every year, whether it's other forms of exploitation, what joe is saying is right. It's pretty dangerous. It's extremely important, the importance of safety, and we are extremely committed to making sure we get that balance right. We provide strong encryption and addressing the safety issues because we are committed to safety and continuing to be the industry in the space. We really value and are appreciative of all the work that law enforcement does to keep the public safe. We are doing our part. I'd like to thank the three of you for this and we could go on for hours I'm sure. I know many of you still have questions but will have to take them off the stage. Thank you all for coming. Thank you for being here to talk about this. [applause] Thank all of you here and at home for tuning in to the 2019 surveillance conference. The ways that we're observed, it's more pertinent as they think about the number of people and how to ensure these hours are kept in their proper place rather than being tools used against us. I want to spend one more time thanking not only our speakers but our wonderful commentators, graham who does all of the actual hard work, that's why I could stand up here and look clever. I'll take speakers and he makes everything in this conference come together. So please join me in applauding her. [applause] Rather than stretching out my closing remarks, I'm going to invite everyone to join up in the atrium for beer and wine. Thank you again. [inaudible conversations]