Test. Test. Test. Test. Captioning performed by vitac were going to transition into our final panel. I think we have someone who is able to get our next speakers micd. Thanks. Well just take a moment. In the meantime i can set up again, if youve been following privacy issues for a while, you will be familiar with what is sometimes called the going dark problem, a concern that the pervasive growth of strong encryption presents an obstacle to Law Enforcement agencies especially since its gone from a technology thats in the providence of people with distanced Technical Knowledge and understanding, able to used difficult tools to something that is baked into very userfriendly technology in a way that doesnt require much sophistication at all. You probably use encryption more or less daily without even recognizing just by using a smartphone or a standard web browser. And as increasingly this encryption is not just between end users and central identities that Law Enforcement can approach with a warrant but end to end, meaning encrypted between users without access by an intermediary entity like google or facebook. That is causing a certain amount of nerves by both Law Enforcement and intelligence agencies. In the past its been framed by the threat of terrorism. A couple years back, there was an iphone used by the San Bernardino shooter. More recently with the announcement that facebook is intending to deploy encryption, theyre concerned that this will end the automated scanning of messages for Child Exploitation imagery and other kinds of files. And so cut off one significant point of access for Law Enforcement prosecutors to go after child predators. We have an excellent panel arranged here. Unfortunately, it is the season of illness. Professor matt blaze is down with the flu and unable to join us. We have an absolutely phenomenal panel. Before i was a journalist nerd and one of my previous hats was the washington editor of a great techie news site. I was happy to work there because it was one of the handful of places where you could expect deep dives into technical questions and in my case, sometimes league questions, written to be accessible to a generally educated audience without but without leaving out, like, a lot of the nuance and details that might be interesting to someone with a little bit more of a knowledge based. I was pleased that we had Sean Gallagher who is the i. T. Editor to act as moderator for this panel. Sean will introduce the rest of our excellent panelists. Good afternoon. Were going to get a wake check here. We have awake people and i hope everybody at home is awake. My name is Sean Gallagher. Im the i. T. And National Security editor and im here today with robin green with facebook, with jim baker of our street, and with again, i just met him brad whitman. Brad whitman with the department of justice. And the topic at hand is encryption. This was going back two decades. Encryption was something that has been fought over and mostly been settled. There was a chip that was implanted in devices that were going to have encrypted communications over them, that the federal government had presented as a standard and it was fought against and it was eventually ignored by industry and proven to be vulnerable by our absent guest matt blaze, among t others, and it was decided that having a back door into encryption was a bad idea. For some time over the past decade, going back several administrations, the fbis leadership has pressed the case for some sort of limit on encryption and as former fbi director comey put it, they wanted a golden key to encrypted communications. Because encrypted communications become much more common than they were in the 1990s to prevent criminals from going dark. And the latest version of this argument, theyve used the incidence of online Child Sexual Exploitation as a reason to raise the demand again and asked facebook in a letter that he signed along with his officials from the United Kingdom and australia to not deploy endtoend encryption across all of their products for messing by default. And out of here it would allow p pedophiles to go dark. And they cited a reason as facebook being a major source of information about child pornography. About 80 of the cases of exchange of information came from facebook in 2018. So theyre seeking theyre seeking to ask facebook to not deploy endtoend encryption until the company could provide some way for legal, warranted access to communications. Technical experts have argued that any sort of back door weakens the protections it provides everyone in Legal Communications because it would make encryption more fragile. The question before the panel is, is there a way to have secure communication for the masses and encryption and have legal access under warrant . Where do the constitution and the laws of mathematics and physics come to equilibrium on this. Can facebook provide secure communications for the rest of us . I will allow our panelists to open with that. First ill let robin speak briefly about it and then as quickly as possible bring it out to audience questions. Thank you. Thank you for inviting me to speak today at this very important event. I want to first sort of start by talking about why is facebook moving our messaging services to endtoend encryption . I started at facebook in february. Before that i spent about eight years working in Civil Society on many of the same issues. Starting in february and having the messaging that were shifting our services was an exciting time to start. Its important to think about why this is happening. Ultimately facebook has always been committed to helping people build communities, having their voices heard, many of our services, facebook, instagram, we think of as the public square. But what were seeing increasingly is that people are wanting to have more private communications, wanting to have one on one or small group communications. Theyre more conscious of the private information theyre sharing with one another because theyre having more personal communications online, whether its sharing stories or personal information about your life and photos or transacting business, people want to be sure that the communications that theyre having over their messaging services are secure. And thats secure from facebook, thats secure from external threats like hackers and other malicious actors and thats secure from any other unintended recipient, including the government. We think its important to make sure that people can have that kind of control and confidence in their communications to know that they have the privacy and security thats needed given how much data is getting shared and how private and sensitive those data are. In addition to that, we want to make sure that we do this right. And so were not just flipping a switch. This is a long process. There are a lot of technical challenges that were addressing with doing this to make sure that we do it in a way that, you know, is good for users and make sure that were providing them with the endtoend encryption. And were making our services interoperable so we can have a more stream lined experience across all of our services. We want to make sure we get the privacy parts of that right as well. Beyond that, we have for years now been Industry Leaders when it comes to safety on your platform. As you mentioned, a large portion, you know, of the information that nicmic receives comes from facebook. Were going to continue to put safety first in an endtoend encryption space and were thinking hard about how to be the leader in industry in encrypted messaging on safety while making sure that people have that same strong endtoend encryption where only they and their intended recipient can see the information. Thank you. Jim . Brad, go ahead and kick off from your side. Let me thanks for having me here today to talk about these issues. We in government and i think we as a society are confronting an epidemic of Child Exploitation and abuse much of which is facilitated through Online Platforms and sharing images of their acts. This includes absolutely horrific sexual abuse of children and toddlers. The numbers are absolutely staggering. In 2018, facebook made 16. 8 million reports to the National Center for missing and exploited center. 12 million from Facebook Messenger alone. We are grateful for these reports and were grateful for the outstanding cooperation that we get from facebook. We rely on facebook and other companies as do other governments around the world. Thousands upon thousands of children have been safeguarded as a result of these reports. In march, as robin mentioned, facebook announced that it plans to implement endtoend encryption across its messaging services so it will no longer be able to see the content of those messages on the platforms. The ceo of facebook acknowledged frankly that there are real safety concerns to address associated with this shift and we have a responsibility to work with Law Enforcement to help prevent the use of facebook for Child Exploitation as well as other social ills, terrorism, organized crime and others. After the change, quote, we will never find all of the potential harm we do today when your Security Systems can see the messages themselves. So in response to this, the governments of not just the United States but of the United Kingdom and australia, written to the ceo of facebook in october of this year asking that he not implement the endtoend encryption without ensuring that theres no reduction in user safety, without including a means to lawful access to the communications. This is something that we charged with Public Safety and protecting your children and children around the world felt it was our obligation to do. We havent yet received a response and we havent been consulted. Its been suggested that pattern analysis of some kind can substitute for access to content to identify Child Sexual Exploitation or other harms. Were skeptical that this can occur. You cant investigate and have evidence to prosecute the pre perpetrator. Its interesting to compare facebook with apple. Apples instant messaging service has been endtoend encrypted. We receive only 43 from apple in the same period which is endtoend encrypted. Thats maybe some indication of what were spectacle of and concerned about. To be clear, the Government Supports encryption. Were not against encryption. We use encryption in the government. We are responsible also for Cyber Security and prosecuting cyber crime. Thats our responsibility. We rely on it, we understand that commerce is dependent on it and our society is going to be dependent on it. What we oppose is endtoend encryption that does not permit lawful access when necessary. We think it can be done safely. The concern has been it cant be done safely but, look, Facebook Messenger today is not endtoend encrypted and no one thinks its not safe. The cloud is by and large not encrypted as i understand it. No one says information stored in the cloud is not safe. We think solutions can be found and we want to work with companies to find solutions to this problem. Thats it. Jim . Im looking forward to having a discussion with these issues. I worked ongoing dark for a long, long time. And this has been a personal journey for me. Both at the justice department, in the private sector, at the fbi, and since ive left the fbi. And so i take with great seriousness the comments that brad has made about the victims. There are real victims because encryption does inhibit, it does slow down, it makes Law Enforcement less efficient and less effective. And in the San Bernardino case, when i was at the fbi, i was a general counsel there, and i thought we had a very serious and sol m obligation to the victims of the terrorist attack to do everything we could to run down every investigative lead. Having in our possession the one of the phones of one of the perpetrators and having consent from the city of San Bernardino that actually owned the phone because he was a city worker and having a warrant to get into it, we thought it was the logical thing to do to try to get access to that information. We apple disagreed. We ended up in court and that dispute that legal dispute fizzled because a third party came forward and explained they had a way to allow us to get into the phone and so there was no judicial resolution of the matter. And so because the case was moot there at that point because we had a way to get into the phone. But my concern i have several concerns about the governments current approach and ive had to rethink my own approach which was strongly in favor of trying to find a way to enable the government to get access to communications. A couple of thinks have driven my thinking on this. Number one is, the problem this at the end of the day is a legal problem. Its not a technical problem. The sophisticated companies can write software to give access to the government. That can be done. The question is or the technical reality is, but it cant be done in a way that provides a substantial amount of Cyber Security, the same way that the kind of encryption systems that we have today do, does. I lost my verb there. You can re write the software, but its not going to be as secure. Thats the basic idea. The problem to me is not technical in that sense, like it could be done but with significant risks attached to it. The problem is not the Fourth Amendment because the government can go and get whatever warrant they want for whatever device or system that they want to get under the various legal regimes that might apply, the problem is that theres no clear, Legal Mechanism to force companies to rewrite their software, to redesign their systems. The various legal provisions, they simply dont empower the government to get a court order to force companies to do what the government wants them today. That just doesnt exist. To me, the government, Law Enforcement agencies, myself, weve been telling the public about this for years, weve been telling congress about this for years and nothing has happened. Congress has failed to act. Theres a lot of reasons that we could go into about why that is, but they havent done it. To me, thats just like dealing with reality. The reality is congress has not acted and i dont foresee them acting in the future. The administration has revived this issue recently. Theres a hearing next week to discuss all this. Maybe that will start to have an impact. But honestly, i doubt it. Thats one reality. I dont see Congress Giving the administration the legal tools that it needs to force companies to do this. The second reality, i think, is that in my view, the country, the United States and its allies, face an existential threat with respect to Cyber Security, malicious actors, our cybersecurity is that bad. It is sub par, poor. I dont know how else you would to describe it. Encrypting stored data and spreading the use of encryption wherever we can in the very complex Digital Ecosystem that we all rely onto conduct our most essential services and Business Activities as a society, that is just encryption is a way its not the only way and its not a perfect way. But its a significant way that we can use to protect ourselves from the very, very significant, existential threats that we face. So what im urging Law Enforcement and what i did and what im urging Law Enforcement to do is to rethink their approach to encryption. Because they are stewards of Public Safety and they have to protect the most people from the worst harm, they need to, i think, rethink their approach to encryption and actually embrace it. I think the right thing to do is to embrace it. But recognizing, what brad says is true, there are real victims of crime because there are real victims of crimes who will suffer because encryption in certain circumstances will inhibit the ability of the government to do its job. It will slow them down, it will make them less efficient. They use other investigative means, but having said that all, i think its time for the government to rethink its approach to encryption and embrace it instead of trying to find ways to undermine it quite frankly. Thanks. A couple questions come to mind. First, i want to give everybody a chance to respond to each other. But also i want to add in that theres a couple of concerns that come up from everyones points here. What is driving the demand for endtoend encryption on facebook right now and on other platforms as well is a lot of it is a feeling of lack of privacy because of a loss of trust in some of the Platform Providers over the past few years, things like the Cambridge Analytica scandal and the spreading of personal information through various means, admittedly algorithmically and not necessarily by people, but theres still a lot of concern about conversations being cacheed for long periods of time. Asking facebook not to use endtoend encryption, doesnt that push people who would use endtoend encryption on their platform, off of the platforms . There are other platforms that are able to share with lots of people an endtoend encryption. So why would you specifically go after facebook in this case . I understand theyre the major contributor to reports, but doesnt that create a situation where people who are aware of this debate, perpetrators of those types of crimes move into another place where they can already go dark. First of all, on your question of whether people will move platforms over this issue, we havent seen this to date. Other platforms are available now. People are still using Facebook Messenger today. Its not endtoend encrypted. We havent seen that today is my point. Second point is, do not intend to single out facebook. Facebook has been a good citizen to date by all of the reports i mentioned. Our concern is the shift to a paradigm where were concerned were no longer getting the reports were getting today. We would like all of industry to cooperate with the government and provide lawful access, not just facebook, but the other companies as well. Robin. We will continue to be good citizens after we moved to endtoend encryption. Safety is one of the Top Priorities on our platform and were thinking very hard and taking our time to build these new tools in a way where we can be confident that were addressing the safety concerns not only of Law Enforcement and the department of justice but ourselves and of the public and our users. Nobody wants to be using platforms that have harmful activity on them and so were committed to a program basically of prevent, detect and respond. And so were going to prevent. Were looking for ways to identify how are bad actors getting in touch with each other, how are they, you know, finding victims, so that we can prevent those connections from happening in the first place. And then were looking to detect bad activity. No, we wont have the contents of information. Well have to change our methods. But were going to be able to find what that bad activity looks like so we can take action on it, on the platform. And then we want to be able to respond. We want to make sure that people have the ability to report bad activity when its happening. If you receive some kind of harmful message or aabusive message, you can do a report on facebook. If you do a report, you can consent to share with us that harmful or illegal activity in which case we will have access to the contents and could share it. Things will change. Thats for certain. But what we are doing is engaging in a robust process. Were having conversations with governments and Law Enforcement about what are the kinds of signals that you are seeing that are helpful that are not content based so we can figure out what are the ways to identify, you know, some of these problems. Were talking to Public Safety experts. Weve had consultations with dozens of experts to make sure that were getting all of the information that we need so that we can build a safe product. And similarly, were having conversations of privacy experts. None of this works if people dont feel like they have the control and privacy that they desire. We are seeing a significant shift to endtoend messaging. 85 of messages are sent over encrypted messaging services worldwide. This is what people expect and thats why were looking to provide it. The way that people are using their messaging services demands it because of the kind of Cyber Security threats youve mentioned. People are having private communications that they want to keep between themselves and their intended recipients but theyre also doing business. Theyre sharing intellectual property information, theyre sharing Financial Information and engaging in conversational commerce, they share medical information. And so we have to make sure that theyre security. The one other thing that ill just add is, you know, when were thinking about how to do safety right, you know, that was a stark statistic about apple, but there are ways you can continue reporting. I will, you know, share that whatsapp, for example, takes down 250,000 accounts because of harmful activity every month. We are able to find harmful activity even when we dont have access to content and were going to continue to do so and we think were well positioned to do this because we have spent so long leaning into safety on our services. Is that mostly because of user reporting on whatsapp . Some of it is user reporting. A lot of the reports, these are takedowns, i dont have that number off the top of my head, but we will still continue doing scans for abusive content on our public platforms. All the public spaces, nothing changes. Were still going to be looking for abuse of content on facebook and on instagram. Its the messaging spaces where that changes. But there are still some public parts of the messaging spaces, so, for example, Profile Photo and is group names can be public. If you wind up using exploitative imagery as your Profile Photo, this is a good indication that this is not an okay account. We would be able to identify that account because of the scanning. Send that information to nicmic and take down the account. Have you done any analysis whether the 17 million reports, is there going to be a drop off in the accounts that we get . Your ceo has acknowledged that i cant speak to the percentage of, you know, decline, but certainly, you know, we think the reporting will change, right . It wont be the same kinds of image hashes, but we are consulting with Law Enforcement to find out how can we make or identify useful information for you thats not contentbased and builds on the whatsapp privacy model when it comes to the data we have access to. Jim, as far as other ways to go after this content, to pursue people in an endtoend environment, what type of techniques have you seen that could aid in going after these types of problems that dont require a man in the middle, back door yeah, maybe a couple different observations along those lines. Number one is let me back up and talk about this issue a little bit more. Societys failure to protect children is profound and everybody in society shares a blame for that. Everybody because we have not done what we need to do to protect children, period, full stop. And so even as we have heard from bad, even with the current Communication Systems that we have, we still have thousands and thousands of children saved. I was always worried when i was with the government of actually giving any facts and figures because they often turned out to be wrong when they would send me out with these things in this sort of area. But thousands and thousands of children are being abused and society is failing them now. And the failure is systemic and it has to do with way more than encrypted communications. It has to do with the inability of government to absorb all this material. It has to do with the technical systems that government has to deal with this kind of material and to deal with these perpetrators. Its a systemic failure across a long across many dimensions and Society Needs to deal with it in part by providing better tools, more money to the investigators and the centers that are trying to deal with this. For example, to try to think about how to do a better job, i think that leads into something ive been thinking about a lot lately which is not only does government needs to rethink encryption, it needs to rethink its investigations and how it does investigations. Embracing reality. The reality is these systems are here, encryption is out of the box, the reality is, its going to be used either in the United States or on other platforms. People are going to gravitate towards it to protect their communications and unlawful actors are going to gravitate towards it and theyre going to find ways to communicate. Government needs to adapt to the world we have today, try to the to go back to the past, figure out how to do a better job of analyzing data, doing deep Data Analytics with respect to finding the bad guys and the victims. They could invest much more in that. Industry could assist Law Enforcement with that as well, something that might have to change some laws to be able to accomplish. But doing more Data Analytics, making more use of opensource information, and i think also reinvigorating governments ability to use human sources, informants in organizations, undercover operations. The government has to do a better job of doing that. In my experience, those are the kinds of investigations that are the most effective, when you have good human sources in the places where they need to be. Its harder to do, its more expensive, but its more effective. Well go to questions from the audience. I take jims point. Investigation in a Child Exploitation case, theres no substitute for having access to the images of the child whos been exploited. You might have a toddler and the individual whos abusing that toddler, theres no one else involved in that transaction, theres no only way to get that information. If that person is disseminating those images, theres no other way to get that information than to have access to the content of those photographs is what i would say. Okay. The other point i would say in response to jims point, were not trying to go back to the past here. Were trying to update laws from the past to today. Weve had telephones forever, right . And we have a law called the Communications AssistanceLaw Enforcement act in which the Telephone Companies have to work with the government. Were updating those laws so that a different means of communication today will meet the same requirements as phone companies have had to do for decades. Weve had wiretaps for decades. The wiretap is a fundamental tool that we need to be able to do. Why is it different on the internet . Because do you want me to the Digital Ecosystem has changed substantially and the volume, variety, and velocity of the communications is a different world than it was five years ago, ten years ago. Before the really advent of you can have the exact same Voice Communications via the internet as you can over a regular telephone lines. I see no legal or moral justification for that. So my point is, then go to congress. Absolutely. I agree with that. Congress so my point is, there are victims that weve been talking about here, the children are victims, and other people, kidnap victims, theres a whole range of victims who exist and who will suffer as a result of crimes that Law Enforcement proceeding in the way that it does today, cannot solve as quickly as it might otherwise, okay . There are victims there. Theres also, maybe there are also substantial risks to society with respect to our, again, societal failure to build a Digital Ecosystem that is secure. We dont have that. And we are more dependent on that than weve ever been in the past and if we have a significant, catastrophic failure for a period of time, im worried about societys ability to function effectively and i think people will be harmed, injured, die if we have a failure like that. So with victims on one side, victims on the other, how do we sort this out with the risk to the Digital Ecosystem from, you know, doing something that would interfere with the ability to have encrypted communications, Congress Needs to resolve that, the elected representatives of the people need to balance that, step up to the plate, pass a law and change the landscape or not. But its not i dont think its up to the private sector to sort that out. Companies in the United States, im quite confident, will follow the law, whatever it is. Congress needs to act. So far the government has failed to persuade congress to act. And i think thats where the focus should be. Thats the point i agree with you 100 on that point. Do we have any questions from the audience . We have a microphone. Lets start off with all right. I dont think we have a mic. Ill start up here. Sir . My name is steven. Im a retired Foreign Service officer and i also served two tours. I just have a few comments now we have a microphone for you. I just have a few comments on what you folks said and i would appreciate your reactions to it. First my assumption is that the vast majority of the people in this room, if not everyone, is against exploitation of children. Of course. And i think its a red herring to use that because the Law Enforcement authorities were dealing with this sort of problem and a whole range of other problems long before we had the technology that were talking about. So there are other techniques to deal with it. Endtoend encryption and all the other technologies were talking about have very legitimate uses. They help protect dissidents in third world countries, business here, et cetera, et cetera technology, you cant make it disappear. If you forbid facebook from providing something, ill be able to get it, other people will be able to get it, you know, in one way or the other. So i think its not really feasible to even do what youre trying to talk about when the attorney general talking about having a back door, quite frankly, hes just showing that he doesnt understand the technology thats involved. And ive had conversations with former cia directors and hes also of the opinion its not possible to do what youre describing. So, again, thank you for your comments and i would appreciate hearing what you have to say. Thank you. That does bring up a number of issues that ive got in mind and that is, weve experts in the field have said that if you put a back door into a system, regardless of how you approach it, theres room for abuse and theres room for breaking. Theres also the concern that what can be warranted can also be abused the terms of access. Weve seen a number of cases where legal access has been abused in the past and i understand theyre not the majority, but they happen. Given that and given the weaknesses that you would introduce into a system, what is the what is your response to that . This is something that legislation has to decide. But from the standpoint of a mathematical perspective, there is no known way and a lot of people have tried to build a back door into things that allows for only warranted access. The only way this access would work if there was a man in the middle type of arrangement where everything flows through the Service Provider and youre given access through the Service Provider. And the Service Provider can be compromised. How do we deal with the laws and physics and mathematics in this . Im not a crypting to fer, but the people at the nsa think the solution is doable. Bill gates has not said this is not a question of ability, its a question of will. A number of governments have said, australia, United Kingdom, United States, governments in europe, governments in other parts of the world have all said this is doable. Two former nsa directors has said it isnt. Lets talk about the systems that exist today, right . That exist today. Facebook has a system today, right, that is not endtoend encrypted. Maybe its not as safe as it will be with the endtoend encryption. Companies have made decisions for their own business reasons to maintain access to the information. If they can maintain access to sell advertising, why cant they do it . Apple has a key where they can do the Software Updates for those funs. They have that key at apple. They have to protect that key. It would would be a huge security asset if they lose that key. All were asking is that there be a key that we can get at for Law Enforcement. Are you looking at a solution similar to what australia has legislated, where a provider can make a modification to software against specific individuals to allow access to their accounts . Were looking to any solution that will allow us access. Were willing to have a discussion with the companies about what they think is most effective and address Cyber Security. Were investigating those same crimes. But we think this can be done consistent have Cyber Security. These are the most Innovative Companies in the world. I think its not credible. We have another question. Wheres the microphone . Theres several. Start off in the back, i guess. Last year we heard about a provision for Group Messaging and lawful access for Group Messaging and even the doj didnt support that publicly. My question is really, why hasnt the doj put together a technical solution that they think would work because absent that, i think a lot of the people in this room are debating something that is sort of a hypothetical. Weve talked about different options. Ive talked about a couple of them today. Our position has been we think all the companies have different platforms and services, some of them are device makers, some of them are making Communication Systems. They need to come up with their own methods that are is most consistent with their Business Needs and with their technology for providing the access that we want, as opposed to having a government topdown solution. Thats our philosophy. Can i jump in real quick . If you dig through the Video Archives you will find a clip of me saying what brad has been saying in the past. I understood the problem exactly the way that hes articulating it now. Having spent years and years working on this, my understanding is also that there actually is no technical solution that adequately in the sense of like perfectly, protects Cyber Security and provides the government access. It just didnt exist. Real quick, yes, the companies have different systems where theyve made different choices, where they dont use encryption, and theyve decided to use encryption, all these different things. But, again, given the fact that there is no system that actually provides Cyber Security, that provides strong encryption and provides the government with access, that thing does not exist. If youre going to introduce some Cyber Security risk into a system, then thats a call that congress has to make. I come back to that. Its not its the theyve got to legislate if they want that to happen and they then, on behalf of society, take the risk that some bad person, some bad organization, some bad Foreign Government is going to figure out a way to disrupt all the communications that we think today are encrypted when you change things in this way, theyre no longer going to be effectively encrypted and society is going to bear that burden and so congress has to make that call. Whats facebook done in this space force looking at alternatives . Has there been an examination of ways to do the backdoor . Technologists have said that its simply not possible to build an encrypted system with exceptional access and have there not be a potentially very dangerous vulnerability that can be exploited by malicious actors. Its just not something thats possible and so, you know, we havent, to my knowledge, invested in trying to build any such system and we certainly wont be investing and building any such system in the future. Another question up there and thank you very much. I work for defending rights which is an organization that defends the right to political expression. The Church Committee cites the fbis conduct against our organization as an example of an abuse of power. I guess whats concerning to me is the Chilling Effect that putting in this Law Enforcement back door to encryption could have on free speech. Up until two or three years ago, thanks to a Supreme Court ruling and the fec, the socialist Workers Party was immune from certain decisions on the basis but by disclosing the names of their donors, they would be making them potentially liable to Law Enforcement abuse based on a real history. So given that there are instances throughout our history with where the government has been the malicious actor, including when it was against my organization, do you worry about putting this Law Enforcement back door the encryption will have a chilling impact on speech or help to facilitate those types of abuses . So my answer to that is we have to depend on your laws and our federal courts. What were talking about here is only courtauthorized access. Today with that courtauthorized access we can wiretap your phone. We can search your home. We can search your car. We can do all of those things when an independent judge has decided that we have probable cause to believe that youve engaged in criminal activity. Thats been our standard since the founding of this country, right, that we can do that. We have to be able to do that to protect people, be able to search those peoples homes, cars, et cetera the question now is we have new technology. Should we be able to have that same ability with Court Approval to protect our privacy, civil liberties, First Amendment rights, et cetera, when theres a new space or are we going to have a new space thats enclosed from that. Its a house that your kids can go to down the street, and if your kid has disappeared, theres no way to get him back. You cant find that child. Were talking about a new technology, is it going to be immune from lawful access or not . You had a chance to that . I think theres a distinction because i think what youre talking about would be able to Access Communications if there was exceptional access. The problem with exceptional access is that the front door for the government is a back door for malicious actors. It means only you and your intended recipients are able to see the communications and theres just no security way to be able to build in that of exceptional access for the government alone. Thats where we disagree. We think companies have maintained that access for themselves. Like i mentioned earlier, apple can send software to the phones, why cant we have that access as a government . Facebook has that access today, right . And the government has access and thats been the case since facebook was created. Its not been a problem to date. Only its been a secure system today, right . Users are demanding more secure maybe, im just saying it hasnt been a problem. Got three people down there, so well start in the middle and work our way over. Hi everyone, thanks for being here. Im from cyber scoop. I wonder if you could speak to the situation we have here. Theres absolutely a difference between facebook and the department of justice on this issue. Can we interpret this as possible legislation . Does the department of justice have plans to use this moment to put sort of Silicon Valley on notice that amendments may be coming down the pike . So thats a broader discussion. Id like to follow up then with another question. In terms of speaking to chilling speech if end to end encryption is delayed or not allowed in a broader sense in Silicon Valley. What can you say to what this would do to the market in terms of your ability to access end to end encrypted conversations if they take them to other markets thats not in the u. S. , for example . Thank you. So we want to work with the Foreign Governments so we have solutions that are not applicable only to u. S. Companies but to their well im from the center of technology. Question for you. You said there would be a court order and lawful process. Is it really always the case, or if exceptional access was built in, are you telling us that nsa, for example, wouldnt be able to exploit that exceptional access that was given to the fbi in that the that there would never be the use, for example, of section 702 executive order 12333 to Access Communications through the exceptional process . Were talking about court authorized access. The nsa in the past has worked to break other encryptions for the purpose of surveillance so it doesnt mean that would exclude using that capability to go after foreign intelligence targets. Thats what nsa does, thats what we pay them for, to break encryption. What people are saying, a lot of people argue is why dont you just try to break into the system. Thats a better model than having lawful access. Im not sure why thats safer, why anyone think its safer for us to identify vulnerabilities and exploit in the system and not tell anybody about them. Why is that better . Why is that a better model . Jim well knows thats what the fbi spends a lot of time doing, trying to find those vulnerabilities. Why is that better for anyone . Why is that better protection . We all know, there is no perfect security. Theres always ways to break in. Theres no system, i agree theres no perfect security. Its always a balance. The way i think about it is, look, we regulate in other contexts for automobiles. We say, okay, youve got to have fuel emission standards. We know for a certainty your car is going to be less safe if you have a car thats big and heavy, and it can result in more fatalities, traffic injuries, right . We make a decision as a society that we have competing goals and we want to have emissions standards, clean air, safer planet. So were willing to accept that cost. I think its the same trade off were talking about here. There is no perfect security, the same way theres no perfect car that can be immune from any car accident whatsoever. We make these judgments as a society. I agree, ultimately these are things that congress should be tacking that have not tackled over the last several decades. They should be. There shouldnt be decisions made unilaterally by the let members of congress i agree. Let members of Congress Cast a vote when everybody is telling them the result of that vote will be less cybersecurity, less security for the american people. Let them cast that vote. Let them associate their name for that. More security for the Child Exploitation victims, all those out there who are being victimized by online activities. Maybe. The failures with respect to children exist today. The world that youre talking about, the horrible world that youre describing now exist today and government has failed. Were able to save many of those children because of the access we have how many victims are there still . How many unknown victims are there . Lets get another question from the audience while we still have time. Hi. My question is always for brad. Jim baker alluded to the issue earlier about going out there with numbers that might not be correct. In june of 2018, if im remembering the month correctly, it was it came out that doj and the fbi had been using an inaccurate figure on the number of locked phones that it was unable to access. The number was 7,800. And the news accounts said actually the number might be closer to 1,000, but were working on it. Subsequently doj said this number is wrong. Im wondering if you can give us any update or if doj is working to give more information as you seek to have the conversation on what the true extent of this problem is when you have cases that is thwarted by encryption preventing you from getting access to the phones. I dont have an update to that. Youre right the number was erroneous originally. Its still a large number. It might not be 7,800. Thats a piece of the pie. Thats device encryption and devices we have in Law Enforcement custody and so forth. To answer your question, we have a new updated number. I have to get back to you on that. May have one, i dont personally know. We have time for one or two more questions. Can i just make a point about the damn numbers . If government wants to persuade congress to do something, its got to do a better job of counting. I know how hard that is. Its very hard to do. Theyve got to do a better job otherwise theyre not going to prevail. Martin moulten, dclp, mr. Baker, why in the world would we trust the u. S. Government, the top terrorist on the planet, that the fbi has had information on sex trafficker Jeffrey Epstein for more than a decade and has done nothing to incarcerate or investigate the perpetrators of people who have exploited children and girls from all over the world and all over the country and from new york city Public Schools . I dont know the details about the epstein case, but my understanding is its still actively being investigated. That the u. S. Attorneys office in the Southern District of new york is working on it along with the fbi. Im not in the government anymore. I cant explain whats happening with that. I would tell you i could not disagree more with respect to your original statement about the United States government being terrorists. Thats preposterous. I dont go along with that. With respect to the other matters youre going to have to ask the government about that. Thank you. My understanding is without getting too technical, on the one hand you have people saying its not feasible to have a back door. On the other hand you talk about a google end to end encryption. I know they have two different encryption methods. One is for data and transit, the other is for data at rest. For example when youre to the cloud. When theres a gap between switching from the one modality to the other, thats where google goes in to get data that they use for marketing purposes, et cetera. So my intuition is that as a point of fact the fbi does have access when it wants to from the technical perspective. But the issue is that then the doj cant quite use that information because its sort of its, you know, fruit of the poisoned tree, its been improperly accessed. Is this a legal matter or technical matter . It sounds like its more of a legal matter going back to your congress point. But technically, even what we call end to end has numerous snap points where entities either malefactors or the fbi, for example, Government Entities can get in. Thats really not the issue. So i just would be interested in your thoughts on that. To interject a little bit here, so the point youre talking about is when its end to end, the end points are themselves a point of access. So but whether the end be the storage on one end or the other so in transit so that happens in software, right. It would depend upon the software and the provider. That means there has to be some sort of interjection of logic in the software that picks up on the data as its translated from receive to store. So that would be exploiting the software that the vendor provides. And i dont believe facebook is looking at doing it. Theres a number of steps where that could happen. I asked about this a while ago, couldnt you say have something in the client side where the receiver gets the message and you can process the image to see if its harmful . And thats not going to happen because it requires too much overhead in different places and its also totally breaks the whole idea of end to end. It ends the privacy. So but, you know, it is a good question in terms of whether that sort of surveillance is a solution from the department of justices perspective. Thats something that would have to be legislated to happen. Because it require as change in software. Im not sure what the question is. Shes asking so the way encryption over the wire works, its encrypted in one form and its received and unencrypted. When its stored, its encrypted in a different way. With google, its encrypted with user credentials. Its not encrypted in the Public Private key type of exchange that happens or the key thats used for the session. Totally different type of encryption and storage. Shes asking weighing the gap between the two to get the information thats passing over and processing for security purposes. I dont have the answer to that technical question. I think the comment is a good point, ive seen on both sides of this debate. Ive heard it from many of the companies. Look, you have access to all these categories, you dont get this. You can get these other three things. Isnt it good enough for the government . Right. We flip that around and say, well, if we can get access to these other things, why cant we get access to this . We have made decisions to maintain lawful access. All the things people have been talking about, its impossible to do this. Very Sensitive Data on these other platforms they say theyre own business reasons were going to maintain access to these systems, but not for these other ones. They argue, look, were allowing you to have these other ones. We the government is saying well turn that on the head, youre going to allow us access to these, why not . And because it exists today, many systems. Every company here represented or otherwise will tell you yeah, there are plenty of systems today that are secure. Theyre going to continue to maintain access but theyre not going to go to end to end encryption. Weve got about a minute left if you would like to respond to that in any way. Its just its apples and oranges. Because sometimes and its up to the user to decide how much risk they want to take on that the company or anybody else is going to look at hatheir communications. If youre using an email system where when i send you an email, its encrypted while its traveling. When it gets to me its unencrypted and also the company can look at it, we know that and we can make a risk based assessment about whether we want to communicate certain data over that and whether we trust the company. In certain circumstances, however we dont want the company to do that. I want to send you a message and i want it to be the case that only the two of us can read it. Thats what were talking about here with real end to end encryption. Thats what its all about. We make that assessment and for whatever reason thats the risk that we want to take or dont want to take. And so yes, in certain circumstances the Companies Make business choices and the customers make choices and they accept the risk or they dont or whatever. Thats the multifaceted world that we live in today. Encryption is out end to end encryption is out of the box. The cat is soout of the bag, whatever. Its not going back in. Its what we have to figure out how to deal with it. All we ask is that the public is let into the mix. Last word . I would say i would think its business reasons but its policy reasons. We care about our users privacy and the security of their data and making sure they can have Sensitive Communications in a way they dont have to worry about it being exploited. You know, there are many, many cybersecurity threats. Whether its stored data and the billions and billions of records that are, you know, the subject of data breaches every single year, or whether its other forms of exploitation. What jims saying is right. The world out there when it comes to cybersecurity is pretty dangerous. But, you know, youre also raising extremely important points about the importance of safety on our platforms. Were extremely committed to making sure that we get that balance right. That we provide strong end to end encryption and find other noncontent based ways to address the safety issues. Because were committed to safety, were committed to continuing to be the Industry Leader in the space. And we really value and are appreciative of the important work Law Enforcement does to keep the public safe. Were going to be doing our part. Id like to thank the three of you for this. We could go on for hours, im sure on this. I know many of you have questions you still have, but well have to take them off stage. Thank you for coming, thanks for watching and thank you for being here to talk about this very important topic. Thank you. Thank you again and thank all of you both here and at home for turning into the 2019 cato surveillance conference. Usually i can end these days horrified by the enormous range of ways that were observed. But weirdly somewhat more pertinent as this one draws to a close thinking about, you know, the number of people who are thinking about how to ensure these powers are kept in their proper place. They were for us rather than being tools to be used against us. I do want one more time thank not only all our speakers, but our wonderful, wonderful conference manager kiana graham who does all the actual hard work while i get to stand up here and looking clever for having assembled all this. Everything makes this conference come together and work so smoothly is to kianas credit. Join me in applauding her. And then rather than stretch out my Closing Remarks unnecessarily im going to invite everyone. For those at home, im sorry, why didnt you attend in person. Join us in the atrium for beer and wine and hors doeuvres. Thank you again. Now live to a House Oversight hearing on family and medical leave. This is live coverage on cspan 3