Learned shane harris with the wall street journal. Very happy to be talking to this panel about the emergence of Encryption Technology because i am both challenged by them and i use them. I will let introduce the panel starting to my left. We will let each of these gentlemen who are experts in this field give opening remarks on how they are approaching this question on the challenge of ierging technology and after introduce each one you will see how they come out and buy their unique perspective. Questions fromke you at the end. Be thinking about question she want to ask and when we get to that time, you will see people with nametags. Stop one and frazier hand. They will bring a microphone to you. First is james baker. You are totally not busy right now so thank you for taking the time to be with us. Then, the director for internal security at the european commission. Senior counsel for the computer and communication industry association. I want to jump right into this and asked mr. Baker to lead us off. Certainly the fbi has had a lot to say about the challenges of encryption. When will you take some time to help set the table for us about how you think of this challenge from a legal standpoint, policy, operational. Please, kick us off. Mr. Baker thank you. Thank you to g w posting this. Thise eager to talk about as much as possible to help the public understand the issue, understanding complexity and subtleties and for us to contribute to what we hope is a more informed, educated debate and discussion about these topics because they are important to all of us. So if i could just go through the issues from our perspective a as you say, set the table as to how we are confronting encryption. We confront encryption every day in a lot of different ways. As i have said, as i think the director is that multiple times, the agency supports strong encryption. Strong encryption has very significant benefits for society across a whole range of issues and across a whole range of protections of the data we all care about. Personally identifiable information about us. Commercial transactions that facilitate and an able. It protects our health data. It protects a whole range of very important data that is essential for us to function as a society and to have a functioning economy. It is really important. We are beginning to acknowledge as a society that encryption also has costs and what we are experiencing in the most pronounced way being in the Public Safety sector is that encryption has costs for Public Safety for those involved in trying to protect the Public Safety with appropriate Legal Process and adhering to the laws of the constitutional United States at all time and what i mean by that is in certain circumstances, encryption has cost for our investigative effort in paper iv of ways. In particular, it means in some cases, and some instances, that information or evidence simply will be available. It is encrypted in motion or it is on a device that we do not have a key to get into that information and therefore it is just not going to be available to us. That does not stop us from conducting an investigation. We will still pursue. Fbi investigators are intrepid uncreative and they will figure out ways to solve problems if they are confronted with a problem. So it might not be convention of an electronic surveillance or electronic search means. They will do other things and those things will have costs. They can slow them down, make them more complicated, make them more risky. For example we might have to use a confidential source or an undercover agent to go into a situation including circumstances where there might be physical danger to the agent or to the source. So that is risky. That is just risky. And doing all of these things poses risks to the integrity of the investigation as well. So that is really what we are trying to say. That encryption is good, encryption has skewed benefits, but encryption is not cost three. We have to figure out as a withty how we have to deal that. Historically we have thought in the United States at the balance between sort of privacy and security, if you will, or security and security, however you want to frame the discussion, was settled or that 200 years ago by the Fourth Amendment which discusses reasonable expectations of privacy. And if we go through processes and adhere to the Fourth Amendment and get a warrant to have access with approval by judge to the evidence for the material. So that is how we have done that, how we have settled that balance for more than 200 euros. So encryption is creating, however you want to phrase it, it is changing that balance. Making things harder for us. Making information unavailable to us and so we have to think about what we want to do in those circumstances. Laws an issue across enforcement. But, state, local. Across the intelligence community. It impacts us in different ways. Until december of leicester, all of the devices that were brought to the f ei open,chnical experts to whether they came from authorities, federal, state, or local, we could not open rx is 40 of them. So a significant number of devices. Are those brought to by Law Enforcement . Is to baker some were brought by state and local agencies, the fbi. We could not get into about 40 of them. So that is an issue. The data on those devices is simply not available to us. We do not have a solution to this problem. Were not trying to impose a solution on the United States or any part of the world. We are not advocating a backdoor or a golden key. What i mean by that is we do not want a solution or a solution that somehow in a significant way undermines Cyber Security and undermines the security of our devices and our communications is therefore not a solution. Any solution we come up with us do appropriately in my mind, balance the needs of Public Safety folks, but also protect our privacy and protect Cyber Security and protect the right to expression, free association, encourage our companies to be innovative and competitive in a Global Marketplace where they have competitors, users, and regulators from the world that we have to make sure this is addressed in a global way in and where encryption is available in a global way. The genie is out of the bottle, and is not going back in. We know that. Were well aware of that. So any solution has to balance all of these things. Corporations in america for example solve this problem of the day in way they feel comfortable with because they maintain access to the emails of their employees for a variety of different purposes. Internal, monitoring what is going on, being able to reconstruct things if an employee leaves. They have been able to figure out a balance acceptable to them taking on some Cyber Security risk but having access today and providing protection and a meaningful way. That may be fruitful down the road. At the end of the day, the fda works for the fbi works for the American People to protect them from a variety of threats and to do it simultaneously across the board. A lot of threats we face on any given day. You want us to do it in a certain way, obviously consistent with the laws of the United States, but with certain tools available to us. You give those to us by law and by regulation and my finding and we will make full use of them. The question is, in confronting this problem what tools do want us to have available to us. What tools do you want us to have available to utilize in order to protect you . We will do what you want us to do yet what we feel is incumbent upon us to make sure you understand our current situation. So you are not caught by you can put it through appropriate democratic means to figure out what it is we should have. So, we work for you. The question is, what you want us to do . I will pause there. Host you were coming out this obviously from the point of view of european perspective. I wont ask you to try and speak entirely on behalf of european views on this but one are you give us your introduction and how you approach this challenge. Thank you shane. Let me thank you also, and gw. It is a privilege for me to speak on behalf of the European Union, specifically the european commission. What james just said, two continents but the same problem. Encryption is good. Considered good for Cyber Security. Good for privacy. Good for the economy. Good for the users. It is a key feature of the general Data Protection regulation that will apply starting like next year to the 28 Member States. It is a key feature of our eight e privacy framework, where confidentiality of communication is the most important objective. But, as james said, any particular like was said before, the situation in europe, it is the one that you know. And the debate is easing up on the need for Law Enforcement and other authorities to perform duties against terrorists and Serious Organized Crime to counter a problem with encryption and the congress of criminal investigation both and stored in communication data. The encryption is on the rise. We have 27 of the smartphones in europe encrypted. 47 here in the United States use encryption. So, are we going dark, as someone has said . I certainly hope not. I do not know. There is a need to study options. James was saying there are options being assessed or developed through the interception requirement that goes back to the ordinary mobile communication, now to extend to the ott or over the top providers. What we have to do with encryption has moved the debate from access by design to privacy by design. With the endtoended encryption. The approach of the European Union, of the european commission, is an inclusive one. We have created a phone and we dont have a solution coming from one only of the constituents. The intelligence says we cannot solve alone the problem. The privacy advocates cannot solve the problem. Law enforcement industry cannot solve the problem alone. So we have put in place a mechanism that allows us to assess with all the different stakeholders, first of all to define the problem. Because as has been said, we have to understand what we can do without compromising privacy and allowing line enforcement to move forward. And, we have to assess the option in a way that necessity of proportion has it. The under mental rights are to make sure fundamental rights are respected. We have to ensure Member States have access to data they need. Companies have to do their part. They have to pick up the social responsibility. Understand that it is important that they contribute to the final good, which is to ensure the security of the citizens. In 2015vent set up this specific structure called the youinternet phone. This brings together all of the Law Enforcement and probably Member States. Social media companies. Some of them are present here for this. An come back and clearly our own agency. In we are trying to identify a solution. It takes time. We all speak about time necessary to avoid coming from the back door. To enter from the front door. Because we have to find a solution that will allow us to enter from the front door. And there are challenges. We are a continent. To create an environment for 28. But we are only one part of the entire geographic port. So we have the challenge of the enforcement of the law. Someone was saying that several memberstates are putting up at national level, laws. How do we enforce these laws . How do we address the jurors diction. So far, the law has always given Law Enforcement the ability to instruct judicial order. But how do we do it with the internet, which is borderless. And how did we do the concept of localization . That is another big issue we need to discuss. Challenge, also a that could be counterproductive also for the economy. We do we need an International Framework question mark to we need to ensure that all states share the same instruments and how to make this possible. So, this is the approach. An inclusive approach which at the moment does not have a solution because we do not have a solution today. But we want the solution tomorrow. Knowing and encryption is a world of secondbest solutions. Host you cant agree with both of these guys. Thatthink we can all agree we need encryption. Thank you again for having us. That should be the takeaway, industry and Law Enforcement on the same page. Feel free to go home now. [laughter] i think many people in this room have been to a panel on encryption in the last three years, maybe in the last 35 years, when encryption became publicly available to the United States. And worldwide. Vu foray feel like deja all of you. Especially for members on this panel. Not for me, i am really young. But i think what industrys perspective is, is that we regularly have the solutions, the conversation around solution, and i think we, the american public, users worldwide, regularly come to the same conclusion. That weighing the cost of encryption with the benefit, the cost of Law Enforcement investigations and Public Access , and the cost of sort of scaling potential solutions to the encryption solution across ,hat is now a Global Internet the ultimate to i think answer from the perspective of the at least Internet Users, is that that question has been answered. Because start to great. Scaling those secondbest solutions to encryption across the internet puts too many users at risk either from a financial perspective, from an expression perspective, from a freedom of association perspective, that mights a oneup instance be necessary but i think it makes it a secondbest solution to put forward. So that is where industry approaches that from. From a users right perspective and from a technological perspective. I think the remark is been made in the past, its been characterize that the industry perspective on encryption is one of marketing or business practices. That this is something that can help us cell phones or get more users on to key platforms are social media. I do not think anyone realistically believes that is the case for industry. Industry is in this because they are under pressure but from users and regulatory authorities to provide the best appropriate and possible protection for users of Cyber Security. In encryption is the Gold Standard in this regard. It is not perfect. Implementations of encryption are incredibly difficult to scale. And difficult to design. Design osicult to versionto os version. So i think the perspective from industry is that rather then, you know, looking to Technical Solutions and i understand that no Technical Solutions have been suggested from industry or Law Enforcement, we should look at how we can help Law Enforcement was investigation. See what they have no toolbox now and see what we can do to facilitate additional tools, use of those totals, there has to be recognition from both sides that there is not going to be a perfect solution to cracking the case of encryption. It may be that we have to live with encryption because the benefits are too great and to the extent that Internet Users and the public are able to help the government recognize that, i think that is where we would like to go moving forward. Host so if you watched 60 minutes last night, you saw a really smart terrorism analyst from a place you may be familiar with. You saw Shamus Hughes standing in front of a Bulletin Board with this great diagram of terrorist faces and lines drawn between them, looking very much like something you would see in homeland. Right . There were two interesting takeaways. One was that he talked about terrorists, one that we were was ining and one who touch with isis, talking to them by encryption. It would seem that clearly these groups of adopted this is a communication channel which must be very frustrating to Law Enforcement intelligence. It was also the cases was a pretty sophisticated diagram and even despite their use of encryption we were able to understand a fair amount of who these people were and how they are communicating. I wonder if we can take this realworld example. If we know terrorist groups are clearly using this to communicate, that has challenges to Law Enforcement intelligence but it seems there are surmountable and some instances, problems. I wonder if we can provoke each of you with that idea. Mr. Baker, maybe we will start with you because think so obviously fall into your lane. Talk about that challenge. Obviously, terrorist are using the stuff that were finding out ways to know how they are connecting with each other. Can you give us some insight into how that looks when you are grappling with these cases. Mr. Baker i saw that story as well. You think about the diagrams and social network, if you will. You can see that network through a variety of means. Talking to people, having sources, understanding what is going on. You can look at the metadata, the dialing data between people to try to understand what that network looks like. Who they are in touch with the end how often. And importantly, does not tell you what they are planning to do. It does not totally what they are thinking. It does not tell you about their capabilities or activities, plans, intentions, that kind of thing. You do not understand what the intent is. Understanding that robust picture is critically important from both a foreign intelligence perspective as well as a Law Enforcement perspective. We need to go into court and have evidence of intent of what people were doing. Their mental state and so on. Even to the extent we understood what the network looked like, we did not know, as we said in the garland shooting, the nonshooting, it was stopped by Law Enforcement officers. The terror suspects arriving at the scene clearly intent on killing a lot of people. In that particular instance, we have talked publicly before, about if the fbi had public electronic surveillance of those homes, and we knew, we were able to see they were having, i think the number was over 100 communications directly from the person who showed up in garland, texas, and foreign terror operatives overseas. Withof an organization whom we are at war, right . Who are trying to provoke and inspire people in the United States to kill other people in the United States, right . That is there a of operation. 100 or so messages were encrypted so we could not tell what they were saying. We can see the network, but we did not have an understanding of what they were planning. That is the gap. That is the cost of encryption. That is what we are talking about. And so, that is the cost. So, these are costs that society is going to have to bear those terrorists were successful, that would be borne by the victims of that attack. The community, the families, and so on. So who is assessing that . What concerns me is that society is sort of moving along and decisions are being made, choices are being made, all by default. Just letting things happen. If that is what the American People want that is what the American People will get. It is incumbent upon us, as i said earlier, to make sure they understand those issues. It is not for the fbi to be deciding what kind of country, you know, were going to be living in. And frankly, do stuff for it is not for companies to decide that either. It is for the American People to decide that through their representatives. Host would you like to get in on that . I could probably mention another case following the london attack. She mentioned it, that is why i myself can. Put a message on whatsapp [indiscernible] she clearly mentioned this in writing yesterday. The company as a whole to take up the responsibility to cooperate in this context. So that is exactly as jane just said. The responsibility of the company to contribute to identify where the trend of the the use of the device by the terrorist is going. It is very relevant to allow the intelligence, the law to have the means to assess and make analogies and analysis of where the terrorists are going and unfortunately why we know some companies are cooperating and we know they are and we are grateful to them, others are not and we have to make sure in a balanced way we are able, the Law Enforcement and authorities are able to decrypt the direction that is being taken by the terrorist through using the device. Host both of you have essentially said we need to find a way to do this but it is ultimately the job of legislature to do that. Going back to what director comey introduced this phrase going dark, he did not marry that with a legislative proposal to do anything. So wheres the energy for doing that coming from . It seems to me and does not necessarily going to come from companies, it will have to come to you all. We are a couple of years into this is a policy issue right now. Where you looking for the solution to come from . We will talk about what the solutions might be in a few minutes but where is that going to come from if not from the people who are grappling with this problem that seem to be confronting it on a daily basis . I am not here to make policy. And i dont make policy. Not to pursue legislation some members of Congress Said they do not legislative solution to it right now in so, you know, were not putting forward a legislative proposal ourselves. We are trying to make sure that the debate remains alive. It remains current. Because the problem is current and the implications for us are significant. In other words, i do not have a proposal for you. Host do you think director comey has said all he is going to say on this topic . Mr. Baker the topic comes up everywhere he goes so he will kee andp him talking about it. We want robust, honest intellectual discussion about this in a cooperative and constructive way so well keep doing it. Shane we saw a vivid example i think in the 60 minutes brief last night. Obviously, the obstacles but the way you can overcome it seems to me with being able to analyze terrorist groups just by their using encryption. Him mr. Madhani i think specific entity is a good example of the fact that this encryption conversation as part of a wider conversation. It is not just the issue of encryption, right . We appreciate there are apps that are sort of unfilled gaps that are sort of unfilled and we cannot access in the course of the investigation. The today all of the interactions from metadata simply did not exist before. So the picture is never going to be whole for Law Enforcement and seems to me but it is always shifting. Which parts of it are being filled in by new technology and which are not. So i think appreciating that, you know, in the last few years we have noticed that and we have had disclosed to us that Law Enforcement sort of filling in those lines ability is greater now than it has ever been before. Someone described it as the golden age of surveillance. I am sure you all read that paper. It is sort of a it is not a zerosum game of more encryption unless Law Enforcement. It means there are other tools in the old box of Law Enforcement the do not necessarily provide all the content dataerhaps would, but it can provide additional context that in many cases that years ago back when were not living in a total digital world, we just did not have. So there is i think tradeoffs to encryption and tradeoffs on those connections that are being made that simply were not before and i think the recognition of that as part of this conversation on Law Enforcement access and supporting investigations and wanting the companies to help us important because companies are also cooperating with Law Enforcement the law iwth the authority to allow those connections to be made so that wider web effort and intent. This person talk to this person and this persons role is he has previously been a runner for some purposes or he worked for some different groups. There is information that can be inferred that does not necessarily come from the content of munication. So that is one fees the diagram sort of shares you. Not just a conversation about encryption but a part of a whole. I think responding to one thing that mr. Akers said about it, i baker thing that mr. Said about legislation. Him. Pathize with because the proposal here is a difficult one to make it has encryption is not just i mean, we have panelists who say encryption is not something that the e. U. Or its Member States or the u. S. Congress or state legislatures can address because the internet is global. Companies operate globally. Internet operators use platforms from every corner of the world. So legislating on this panel is difficult. That is why there has not been that kind of successful proposal. I mean, if we did, i am sure it. Ctor comey would have mr. Soreca any proposal would have to be seen in a wider context. You are here in the u. S. The internet Major Companies are here at you should look at the same situation from the european perspective. Lets assume, and we dont, we are not planning to do that but if we did we would face the problem of jurisdiction. How do we enforce a jurisdiction from rome while the location of the data is outside the jurisdiction of that specific judicial area should the judicial area be for the whole European Union . This is why we are convinced we have to look into other options where the availability of other instruments to tender from the front door and that is where the companies should help us, is the best way forward. Host go ahead. I was wondering what sort of front door instruments you might have been mind. Well, you know there are options being assessed. Too early to mention it. But somebody talked about lawful interception 2. 0 to make sure that some instruments are made available. So, again, in specific cases under judicial order and therefore judicial oversight. This needs to be further assist with the company but what we know from our discussion with all the constituencies is that none of these solutions will be fully satisfactory for the full benefit of Law Enforcement and that is why i mentioned this is in many cases the secondbest solution. So, most corporations in america i would expect want to be able to access their own employees emails. They most likely have emails encrypted while they are in transit. They are probably encrypted on a server somewhere. But somebody has a key. So if you have an Insider Threat problem or somebody is l or cannot access the data or if for whatever reason they want to mail to access their own corporate emails, they need to be able to do that. They need to make sure the balance between security of that data. I dont know. If that would work on scale with consumers and so on. But the point is, we are making choices. Were balancing Different Things against each other. But we are doing it and kind of a default way. Excellent encryption by default is growing and spreading across sort of the Technology Ecosystem in becoming more and more available to consumers who are law abiding and more easily available to criminals and terrorists and people like that. Use of it. Make encryption is hard to implement, to do it right yourself but when highquality American Companies do it for you who really know what they are doing, then you will have success as well. Surely there are companies that can secure data in such a way that somebody affect the play has the master key. But most of the popular Encryption Technologies were talking about right now, sort of the ones i gravitate towards as a journalist who can be subpoenaed as one that by design, they do not have the ability to unlock. Then passing aan law that says you cannot build encryption systems that way. And it seems like we kind of had a little bit of this debate way back in the 1990s and what were kind of dancing around here is saying if there is a legislative solution might it look like saying there are certain kinds of encryption designs you can do and certain kinds well simply say you cannot do . I mean, isnt that what we are we are going to confront that eventually . At maybe. Or you want to do it in way that does not destroy the benefits of good encryption. I do not have the technical answer of how to roll this across the country sitting here. But that is what we have to try to figure out together. Together, right . Reparations have valid points. There populated by good guys who dont want guys using their systems. We know that. It is not a question of anyone on this panel, good or evil or anything like that. It is the bad people we all collectively agree we dont want them to use it but we want to protect the data and privacy of lawabiding americans and other people around the world. Maybe youve already thought of this. A system in which you have that balance. Maybe it is Something Like a key escrow system or requiring the companies to have a way to unlock the data. Is that going to work . It depends what we define as a risk. Is that a system the companies are going to agree to . Is apple going to say, sounds great . Well, i mean, as good in the Global Market place as slapping an f. B. I. Certified or n. S. A. Certified sticker on an iphone and sending it out to the rest of the world and suddenly discovering were not quite as competitive as we are here. Its a risk, right . The same problem that is a result, that we havent had a legislative proposal made is that anything domestically or for a domestic product, necessarily makes them less appealing and so if were willing to have the competitiveness of American Technology companies then that is the conversation we have to have. Right . Obviously industry comes from one perspective. We deal not just with the United States as a marketplace but everywhere else in the world. So, you know, having experiences in 2014 or 2013 with the revelation, we are aware that, you know, any sort of patina of sort of, these are Law Enforcement stooges, our Company Cooperates regardless of what engineers think but any companies being Law Enforcement stooges without, you know, a considerable discussions going to affect the prospect internationally. It has affected them internationally and with the privacy shield. Or safe harbor and now the privacy shield. So, there are consequences we have to deal with if we decide to go that route. Luigi, can you pick up on this, too. From the european perspective, open markets, competition, if a company is known to be operating in a company in which it has to give over access to data and its information it is going to make another countrys product potentially more effective. It seems one reason why from my perspective solving the problem is so hard is we could outlaw strong encryption in the United States. Someone is going to do it in switzerland and ill get it from them. Absolutely. This is exactly the same kind of thinking we had in europe. It is not the way forward, not by imposing to companies to void encryption that we solve the problem. This is clearly coming out from our debate in europe. There is a strong sense of the companies, we want to inspect their ability to run the market but we have to find a way, and i know it is not satisfactory to work with a company to allow Law Enforcement to have the ability to identify the information they need. For example in the context of our Internet Forum we have Law Enforcement to announce their ability to exploit the abilities that still exist in the system even for zero days because then immediately the company step in. But there is no, i repeat, probably a repetition. There is no solution or one solution to this problem and certainly we do not advocate legislation that imposed on companies to avoid encryption. There is probably not one solution for all these problems. The issues with data in motion are very different than data at rest. Maybe a thing to do is take one part of that and focus our efforts on that. Lets say data at rest on devices that the government has lawful possession of pursuant to a warrant or some other sort of the San Bernadino case. Something like that. Take that for example and try to work through scenarios, technical scenarios that would have legal implications or perhaps require some changes to law and see if we can build a consensus around those around some part of this because trying to figure it all out is just too complicated. All of the different parts of it and one solution to deal with everything is probably too much. So that is a potential way forward to pick one part of the landscape, focus on that, and see what we can do. Quite frankly we want to do this now. We dont want to do this in the aftermath of some serious event. Right . When well be under pressure to make decisions and might not make perfect decisions of very important and relevant equities. We want to get this right and we dont want to do it in a hasty way. We need to stay focused in a sustained way. I want to pick up on this idea, this notion of lawful hacking. A couple weeks ago we saw wikileaks dumped information that it claims are packing tools essentially it called it the hacking arsenal that the c. I. A. Uses to break into electronic devices. I dont think it comes as a surprise to anyone that an Intelligence Agency tries to find ways to Access Technology that it is presumably legally trying to gather information from. One thing that struck me in this is this might be a fairly vivid illustration of all the ways that an Intelligence Agency has to try to find to get around encryption to find ways to get on to penetrate the operating system of a phone so they can see what someone is typing rather than trying to break encryption. And it shouldnt be surprising at all that as we see the rise of encryption youll see a concurrent rise in very dedicated, deliberate, wellfunded efforts by the intelligence communities around the world. To get around to find another way to skin the cat. For this to be is that how comfortable is industry with that, which seems to be an undeniable consequence . You press on the one side of encryption and youll get more hacking by the intelligence agencies. I think industry realizes the reality of building a complex system with no implementation of encryption is ever perfect. And so advising against any sort of lawful hacking would be we would be remiss to say that is just off the table entirely. We want Law Enforcement to have the tools that they need. And to the extent encryption, it is more fundamental to vet systems and systems that are already deployed worldwide, to the extent that there are chinks in the armor that Law Enforcement agencies are able to exploit, if that is done in a way that is managed by appropriate Legal Process, appropriate disclosure requirements, appropriate notice, i think there is at least some solution, not a perfect solution obviously but part of the sum of all Perfect Solutions is there. Is it unrealistic to expect a system that is lawful, errs on the side of disclosure. From the Intelligence Agency standpoint they want it lawful and regulated. They arent interested in disclosure but in finding vulnerabilities they can exploit before you guys can fix them because now they have to get over the giant encryption mountain. Is it actually not more in your customers interest to find a compromise on encryption rather than creating this massive motivation for the c. I. A. And the f. B. I. To find ways to hack your products . I think given the sort of different Law Enforcement agencies, taking criminal equities, and i think the ability for certain classes of investigation to be facilitated by lawful hacking, i think, if you wave the larger youre at risk of finding some compromise on encryption, that affects all users worldwide as opposed to those where lawful hacking can be employed by intelligence agencies, i think the tradeoff is probably a better one there at least from the perspective of the company. If i may, because we talk about investigation and when i was mentioning this i was referring to criminal investigations, specifically, a specific case. And thats what we are aiming at. National security, the European Union, our Member States, so when we train, help Law Enforcement to train the abilities in order to have what is necessary for a specific investigation under a specific judicial order and oversight, i want to clarify this. Sure. To be able to have those capabilities they need to be developed. Whenng up on the shelf for them. Ght need to use to put you a little bit on the spot, the San Bernadino case, you had a physical device lawfully in the possession of Law Enforcement. You faced exactly for which we had a warrant. Absolutely. You found a way to get exactly what you need it. Tore are a lot of points make on this. An entity came to us with a solution and so we used, with the appropriate legal authority, we used lawful hacking. Situation, it was slow. It took a long time for it to happen. It is expensive. It is very fragile because if we find a vulnerability in at and x, depending what kind of vulnerability it is, it gets fixed with the next software upgrade, then thats gone, right . Just not a method we can use anywhere. Any time again. And so theyre highly unreliable is the point with respect to these things. I do your question is a thought provoking one. I believe that for companies to think about whether the world they exist in with the lawful hacking that goes on or the unlawful hacking that goes on, is better than trying to figure out some way forward that raises the security level in a good way of all these devices. Look, i mean, these are challenging dilemmas also. Because if we do find a vulnerability, weve got to we are in a bit of a pickle, too. We want to protect the devices, right . Because the f. B. I. In particular is in the business of investigating cyber hacking by bad people and trying to prevent it and working with the victims. We do this every day across the country. And so if we find vulnerabilities, its a difficult choice to decide whether to exploit that, because we can use it in certain circumstances to find information about what terrorists are doing or something. Or does this pose a threat to the ecosystem, itself that is so great we need to be public about it and tell the companies this vulnerability exists and so to fix it . So it is a very uncomfortable and challenging dilemma. We engage in lawful hacking. I would say we dont relish it. We dont like it. It is a very it is not as useful as you would think and it poses the other dilemmas. There is a process, the vulnerabilities equities process, that is designed to essentially review what these vulnerabilities and technology are that the government is aware of and make a decision on when to disclose and notify the manufacturers and the users ultimately of those products versus to keep that. Can you talk about whether that process is working in a satisfactory way . Well, it works. We do it. But is it satisfactory . I dont know. I think these are challenging decisions that people, reasonable people could disagree about. And that, you know, people inside the government are doing their level best to get it right. You can have a debate about that. Do you all have any thoughts on how you see that playing out whether it be in the u. S. Or maybe the european context . Are we getting that balance right . Or is it just still, are we too early in trying to make those calculations to know if its working . The industry has sort of limited insight into how the process works. Which in some ways is right because it is one that is National Security but we, i think there is something to be said for it, because it is sort of an informal process within the executive branch having that codified in some way might be good. We have no position on the legislation but we saw a bill that came out last week from, with the Senators Office that looks at sort of taking the existing vulnerabilities equities process and ensuring all of the appropriate stake holders, the representatives from the department of commerce and state but also equally balanced and ensuring that conversation when it does happen, you know, there may be a presumption but ensuring Law Enforcement equities are fairly voiced. And the foreign power equities are fairly voiced which we also have, you know, concerns about the state department has long advocated for secure Communication Technologies ensuring their voice is being heard as part of the process and its very important to us. Very simply, how long are we going to wait . We need time to find one solution, a different solution. We are giving ourselves to the time of this inclusive process. We hopefully, we want to share this with our partners because we have to be clear about it. We cannot solve the problem. We have to find a way to Work Together with our partners and the first ones are of course the u. S. Colleagues. At the same time Law Enforcement intelligence services, locally they face an issue and would continue to do what they can in order to get the information. At the moment the only possibility, where you announce your ability and you try to overcome the problem. But we need to find a spectrum of solutions that allows us in the medium term to identify the best way forward. James alluded to this. In the case of the San Bernadino case, in that investigation, ultimately an entity as you said came forward to the f. B. I. Came forward to the fbi with a solution. Are you finding more entities coming forward with more solutions to problems they think you might have . A lot of people want to sell us stuff, yeah. For sure. I think were i dont want to say too much about this. But we, you know, we have technologists inside the government focused on this issue and there are groups of people and corporations on the outside that are invested in this, too. Corporations themselves are trying to figure out what the what the vulnerabilities are in their own systems. They have a range of people out there looking for this. It is a very active environment. The thing i worry about a bit in terms of thinking about this pros answer how well handle it in this process and how well handle it is this stuff is moving very quickly. Technology is changing constantly. Things are being updated. Those are detected by governments and also detected by malicious actors and exploits are developed and theres a lot of them. And so any time you have a process that gets, you know, im worried about any process that is too bureaucrat in terms of making these assessments. The American People have to think about that because this stuff is moving at a very, very rapid pace. To that point were sitting and talking about this environment in which we find ourselves and it is easy to forget this is a relatively new environment. I dont think that two or three years ago i had many any encrypted apps on my smartphone. Today i have nine for various purposes and various forms of communication. This is a foundational question we might even have started with. But why did this happen . I mean, why did we suddenly go from an environment in which i think most people were probably not as familiar at all with these kinds of technologies to being able to down load them from the app store and use them in any way that you want . Is it the snowden revelation . Is it a fundamental breakdown in trust . I mean, why are so many people putting signal on their phone . I know why people i talk to are but presumably a lot more people than just those engaged in the profession i am are doing this. Why is this happening now . What unleashed this . I dont want to say the snowden revelation was the sole cause. That might have precipitated a larger conversation and folks are more aware because of access and not just government access but whoever might be interested in reading what youre writing or looking at what youre purchasing or whatever. I dont think that is whatever, you know, i dont think that is the precipitating event. I think just a larger recognition of sort of the regularity of breaches going on. They have been sent. I think the sort of recognition, the individual basis youre not as secure on the internet as you thought you were has nothing to do with, you know, snowdens revelations, just a wider understanding by the population that the internet wasnt designed to be secure but to connect folks and so protecting yourself on that environment is sort of incumbent upon yourself. Thats why youre seeing it i think. What do you all think . Only one comment. All of us discovered the internet and the beauty of the internet, hopefully what you have called the bad guys they have discovered the internet and the ability to collect. In europe we have clearly this problem where the social media are being exploited more and more and therefore the need to, for the corporation and for the users to protect themselves also from this, there are a series of issues that bring us to this. I think it was happening anyway. And the snowden revelations accelerated it. That is the basic answer. And then layer on top of that i think concerns that people have about their government. Weve said before you shouldnt talk, trust the fbi. That makes sense. So, anyway. I think thats the basic explanation. We think weve reached a point where if companies arent offering encryption their customers are somehow going to think theyre irresponsible if theyre not leading. Having to sort of put that out there like a Good Housekeeping seal of approval now. I dont know that necessarily theyre customers but it is a reasonable best practice under section 5 of the s. E. C. Act. So companies are always looking to be as compliant as they can be with regulatory authorities that are interested and theyre also interested in i dont think it is sort of an advertising tool but it is something that users have come to expect on the part of the companies. It is not something also that make it seem lake, im going to make an exaggerated statement here for the purpose of effect, that youre somehow a stooge of the government. I think back to when apple and the f. B. I. Were trading various briefs in that case and the first one that was written there was an acknowledgment by apples lawyers that if we give into the f. B. I. On this it is going to hurt our marketing. We cant be seen as giving an inch on this. I think they were making a personal argument rather than one directly about marketing. It was in the first brief. They left it out of subsequent briefs. Certain Companies Might treat it as a marketing ploy. Apple is not a p. C. I. Member so i cant speak on their behalf. My Member Companies suggest to me that it is either an issue of users want tog trust the company that theyre choosing to provide them with services or its an issue of basic security. You dont want to be offering products to customers that are eventually going to break. Or eventually going to leave them vulnerable. Thats not, you know, a good way of doing business. Here or anywhere else in the world. Just being seen as a responsibility to make Safe Products at this point, too. Why dont we turn to questions from the audience right now . Please put up your hand if you have a question. I will come down the first row, two people in the first couple rows. Wait for the microphone to come down to you. There you go. Lets go here. Yes. Thanks. Im mike nelson. Ive been working on encryption policy for about 25 years since i was at the white house cochairing the Interagency Group trying to figure out how it could work. It didnt because people didnt adopt it. I think we all agree technology has to be something that both industry and customers want. And i represent now a west coast based web security firm. So let me share our thoughts from the west coast. Our thought is there is this magic technology, it would have been invented five or 10 years ago and somebody would have made billions of dollars off of it. All the technologists say there is no way to build a back door or a front door that people are going to trust and that arent going to introduce new problems. So we have to look at what really will work. And it seems to me that the sken the scenario none of you have mentioned is where we have the government doing things to make sure we have strong encryption rather than undermining it and youve already mentioned the cases where various leaks exposed efforts by the government to promulgate ineffect of encryption. If instead we have strong encryption you would have a thousand times more data to use to go after the bad guys. Today we have the technology where everybody could practice selfsurveillance. I could have a device in my home that recorded everything that happened there and i would do that if i knew that data stayed under my control. A hundred million homes could have that. Crime would be a lot more difficult. Theres all these ways in which we could be deploying stronger technology. Stronger technology if individuals have control over the data. That data could then be used to fight crime. It can be used on streets, banks, all these places. But it will only be used if we trust it. Right now, we have no reason to trust it. My question is, how can we have a higher level of transparency and trust . How can government actually reveal the vulnerabilities so that the industry can deploy the internet of things, the cloud of things, self surveillance, all these ways we could give you data to prevent crime, and prevent millions of crimes rather than give you the data you need to investigate if you hundred crimes . Isnt that the billiondollar idea. I am not sure what type of data you are talking about. It sounds like you are talking about meta data. Audience member im talking about setting up a system in my own home where i record everything that happens. I have my own surveillance system, closed circuit tv. Warrant, we could come and have access to that data is what youre saying . So it is not being encrypted, but it is encrypted with a key that you maintain . What about an operative of isis using and two and encryption overseas . Audience member they have to do things. This internet of things, we will have 1000 times more data. You will be able to get that data if you have two isil operatives in syria to each other using unamerican messaging app, they will be able to carry on those communications and plot whenever they are plotting, and we will not be able to the that. The data will not exist. If the company does not have a key, they are not about to give it to us, and we are not going to tell them we are looking at them. Audience member there is a huge amount of new data you are going to have. The American People have to make a choice about how much data they want generated about themselves. Im not going to try to preach about that across the entire country at this particular moment. We are trying to say that there is data that will be available. Your system will have costs as well. Every single activity within our homes is recorded and is available to Law Enforcement, the American People want to think about it they want to live in that kind of world . Audience member it is only available if the individual who owns the house makes it available. How do you remember the 50,000 passwords you have to remember . I think your point, there is a lot of data available. I disagree. I dont think what you are talking about is a solution because we have to deal with global threats. Audience member that is the point. There is no way we are going to have global government. There is a book that describes a world where everybody can watch everybody, but in the end you have the control over your own data. It is the scenario no one talks about. We all talk about the one used case about the isis person talking to the other isis person. I work at the fbi so i had to think about that. I had to about people killing other people. That is the scenario that we are dealing with, the dangerous scenario. Audience member if you build the infrastructure to deal with that scenario, you miss the 99 you could have if you trust the ecosystem. We are not sitting here with a technical solution. There is a question right behind you. Audience member from new america. My question regards the particular threat you are talking about. What unique material how deadly or how organized attack plot inside the u. S. Have you seen because of communications . Is that increasing . Is it in europe and elsewhere where they are mobilizing existing networks. Do we really have that problem now . Are you looking forward or is it already here . The problem is it has been here for some time. Operatives outside of the United States directing people inside the United States to move to unencrypted messaging platform and then having communications about whatever it is they are talking about and we cannot did. We cannot see it. This is been an increasing problem overtime. There are examples that we are able to talk about. There are other examples that have been on a regular basis that we do not talk about, because those matters might still be under investigation or under investigation. I take the point about transparency and that the government needs to be transparent so the government knows what is going on. We are trying to figure out the balance of that we do not tell the bad guys what it is we are capable of and what we are not capable of. It is a real problem today. It is going to increase over time, but it is a real problem today and has been for several years. You in the blue shirt. The gentleman with the beard first. Audience member my name is john. I was surprised you mentioned no proposals from the fbi in terms of legislation. How are we going to go forward if you do not make a formal request expressing what your requirements are to the appropriate committees in congress . There are a lot of legislative proposals i could give you. The way it works is that the fbi is part of the executive branch. We are determining whether the executive branch will put forward a legislative proposal. There are a variety of different ways you can go about dealing with this problem. This is not so hard that you cannot write a legislative proposal. The challenge is getting a legislative proposal writing a law that achieves what you want to achieve. That is a hard thing. We have to as a society figure out what we want to achieve. Once we have figured that out, then writing the words on the page is not that hard. We do not agree on how to balance all of these different equities. You can see reasonable people are appear discussing it and do not have the same view. Reasonable people out in society do not agree on this. We are trying to figure it out. When we come to a consensus, the writing of the words on the page is not that hard. Can you imagine a world in which we dont even bother with a law, but the industry develops certain standards and codes of conduct and says under certain circumstances, we will cooperate with Law Enforcement if the set of circumstances, true, like terrorist attack etc. Republicans cannot get health care right, we cannot move to encryption. Imagine trying to bypass the law in trying to come up with an ethical code of conduct. Industry collaborates as much as it can with National Security. Theres a previous predisposition in industry to cooperate. Sometimes they disagree with Law Enforcement investigations. Whether companies would get together and develop a code of conduct to decide when to provide local access to a groups system, i cannot imagine. We would run into the same problem. Now we have a bunch of companies that are selling products that are less good than the other products. Market pressures would prevent that i think. I think your question is very interesting. We are experiencing within the European Union in our relation to the social media exactly is kind of framework. We had engaged when it comes to removal of terrorist content on the platform. As to remove the terrorist content according to the terms of condition. Some of the companies, i will not name them, have changed the terms of condition in order to make sure that the process coming from the referral unit is immediately taken down. The concept is the same. The authorities discussing with the companies inviting them to take up their own social responsibility in changing the flagler in which they work. Under the voluntary initiative, they will make sure to intervene when is next area, assessing themselves under their own terms and conditions. It is something that we are exploring in europe. Thank you. I think your microphone is off. We will get you a new one. There you go. Audience member im the president of National Dialogue in afghanistan. I come from the nation where tens of thousands of people have been massacred. We afghans consider daesh as beasts. I cant appreciate the fact that you are going through the technical thing about finding a solution for encryption. Even if you do resolve the encryption problems, you will not that these people from killing and doing what they are planning on doing. Why doesnt the world concentrate on the people funding the operation. The person that comes and does the killing in the United States is being supported by somebody above him who is being supported by somebody above him. There are many steps that have been taken above known terrorists that are funding this. Why dont we go after those people who are planning the operation and cut off their funding . If we cut off their funding, they will not have the opportunity to create the suicide bombers and they have to pay suicide bombers. They paid him 20,000. This is a bit outside the scope. If anybody wants to tackle the large question. There is a concerted effort to take out the people funding these groups. The United States government is using all implements of National Power to try to deal with the threat posed by isis. There is no doubt, including trying to deal with their finances. There are aggressive, creative, and have a lot of funding sources. I agree that cutting off the funding is a significant way we can damage the organization. We aggressively do that, it is just hard. A question over here . I want to major people on this side are taken into account. Raise your hand on the side if you have one. Audience member i have a simple question. Do you have any estimated time of arrival when you might solve this encryption problem . [laughter] that is the big question. Audience member you are the experts. That is a reasonable question. There are a lot of assumptions embedded in this discussion. Is there a time horizon on Something Like this . Or is it going to take Something Else . No is the direct answer. I dont know when this will be resolved. As i suggested earlier, a way to proceed might be to focus on a part of the problem, such as the data on devices for example. And then, try to focus efforts on that and have a robust technical discussion trying to actually sit down with Technology Experts and say, if we did this, what are the costs. If we did back, what are the cost, whether the tradeoffs, how do we think about that . I do not agree that all technologists think this cannot be done. There are risks in everything that you do. There are risks in the systems that we had today. The systems that we have today are not perfect by any stretch of the imagination. They are filled with polar abilities. You have data that is acquired out of lots of different companies. We have no clue where it is or what is happening to it. Risks abound in this area. Focusing on one part of the problem may be a way forward to see if we can build consensus. It does require Law Enforcement to acknowledge and move forward with a dialogue to see if something can be done. The want to lay odds on etas for solving the problems . We launched this debate last year. We are putting together the technical people, the lawyers, the Civil Society, and politicians to have a discussion. We are planning to exhaust our preparation until the end of this year. Then we will pick up the option for debate. As james said already before, Society Needs to decide where is the balance. Through the political representative democratically elected in our society, there must be a discussion about where to put the demarcation line. How far we want to go between National Security and privacy, or security versus security. No odds from me. As far as coming to a solution, i think it is not going to happen in the near term. It will probably be a medium to longer term conversation. If i were to put money down on something, i think the solution would be a recognition that looks at these technical problems and balances equities. It may be that the insufficiency of metadata might affect the public. We have a question right here. Put your hand up so we can see you with a microphone. There you go. Audience member my question is for mr. Baker. I guess you do not want to advertise capability gaps to the bad guys, but the challenge for policy makers is that transparency helps provide legitimacy to provide political will towards action. I think we are lacking that transparency. I know the fbi used to produce publicly available reports on the domestic terrorism situation annually until 2005. That data is hard to come by these days. Gw university has been great in providing a lot of publicly available analysis on this issue. Im glad to hear that the fbi is more willing to talk about investigations like that. Moving forward, it would be nice from a policy makers perspective to have a bit more transparency or coordination. I would like to know how the fbi plans to do that . With respect to trying to collect data about this to explain what the problem is so that people can have a sense of what it is, it is a totally legitimate point. We are trying to collect data that is meaningful and reflects the problem. The listed earlier, we look at different time periods. We had 2500 devices brought to the fbi from around the country for analysis. We could not open 40 of those. We had no technical means to deal with those. What kinds of cases those were . We have the data on that too to a sort of a degree. One of the challenges is that Law Enforcement officers and Intelligence Officers are busy doing investigations. They quickly figure out what type of phones they can access in which kinds they cannot. They do not waste their time seeking a title iii order for a fisa on the intelligence side. Those are laborintensive processes. They will not waste their time if they know the thing is encrypted anyway, why do i bother . That is one of the most significant dilemmas we have had in terms of trying to count the when people are not going to waste their time with that. It is a data point that is missing. Any data that will not go forward does not reflect the true nature of the problem because people are still censoring out in the field. They are not bothering. Those cases never make it to headquarters. They never make it to the Justice Department across the street from the fbi. It is an incomplete picture. We are struggling with that. That is why we have focused on this one collection point in terms of data that we know is available to us. Were going to try to collect more data. We have people actively thinking about how we are going to do that. From the curious persons perspective, whether the cases out there that would attract an fbi agent . The ones with 40 of devices. What percent of those cases were able to move forward to a prosecution or investigation . We keep moving forward. Were not going to give up. The issue is what is the cost . It might be risky or dependent an agent in harms way to get the data. It is more expensive. All of the costs go along with it, even at the end of the day if we are able to solve it. The gentleman in the third row. This will be the last question. Audience member i wanted to reflect on views that have been underrepresented so far. But it has been a great conversation nevertheless. The first group is consumers that might need encryption to keep their data from being hacked by malicious actors like criminals, terrorists, cyber actors. They have not been adequately represented at conferences like this. The other set of views is we need the human rights activists overseas who face autocratic governments. We have to have discussions about democratic deliberations within the u. K. , u. S. , antie. U. , but the issue is that these views get demanded by the governments overseas. If u. S. Companies have cooperated with local Government Agencies in the u. S. And the eu, then the issue becomes should they also cooperate with foreign governments as well. I wanted to ask, what measures are you taking in each of your legislative policy conversations to make sure the views of consumers, human rights activist, and Civil Society activists are actively represented . It turns out there is a conference in brussels that is happening this week. There may be some live streams. Most of the human rights d. C. And brussels are there. They were invited but could not make it because they are on planes right now. When it comes to the collaboration with those organizations, i know our industries have robust relationships with folks in the human rights and Consumer Rights communities. Im sure the fbi and eu have similar interactions. To reassure you, the Civil Society are part of our discussion with us it in the present the views. There was also another point on how we deal with the possibility that other Foreign Countries would use the abilities. That is something that we discussed. We are potentially can earn potentially concerned about. That is why the point in jurisdiction is so relevant. We have to be very careful to talk about legislative proposals that will push the companies to make available, not only to ourselves, but to other Foreign Countries the ability to decrypt those systems. That is something that we really take care of. It is a part of the discussion we have. Last word . We are hopeful to a solution to this problem. A solution that results in more peoples data being vulnerable and more Cyber Security threats and more consumers being exploited is not a solution. If it does that, then it is not a solution. If it does not protect innocent people from abuse by repressive governments, that it is not a solution and we agree with that and we know that. What we hope for some type of solution that appropriately balances all of these things in the right way. That protects innocent people and enables Law Enforcement to do what they need to do. That allows companies to be innovative and competitive in a Global Marketplace. We have to try to get all those together, or it is not a solution. It will not be acceptable to society. There will never be a visa legislation that moves forward unless you can get enough people behind it. And youre not going to if you cannot deal with all of these things simultaneously. I want to thank the panel for being here for a great discussion. Thank you all. Great questions. [applause] thank you very much. Absolutely great conversation. I cannot think of a better way to kick off this event. If i would think of the three words i have heard consistently, dilemma, balance, and discussion. I think those will be the three themes we will be exploring tomorrow. I will be brief. Just a note, we will be starting again tomorrow morning at 9 00. We have coffee outside. At 9 45, we will have a keynote by a professor from the eu. I look forward to seeing you tomorrow. This was the fantastic appetizer to the larger conversation we will have tomorrow. We will be speaking again about encryption and privacy. We will be talking about counter messaging. I look forward to seeing you tomorrow. I want to thank you for coming tonight. Thank you. [applause] a senate panel will look at the sexual assaults of Young Athletes are investigated. Witnesses include several former gymnasts and a representative from the olympic midi. Olympic committee. You can watch online at cspan. Org or listen on the free cspan radio app. Later, a House Committee considers legislation that will require the treasury secretary to provide some tax returns and other Financial Information from 2006 to 2015. That is live from the house ways and Means Committee on cspan3. Cspans voices from the road. We visited 17 historically black colleges and universities, asking students what issue would you Like Congress or the administration to address in the first 100 days . Hello, i am a student at North Carolina central. I would love for trump to grasp an understanding that although we do not all vote for him we are represented under him. I would like for him to building and maintaining those relationships with other countries that we have developed over the years. I missing here at gramlich state. Ist i would like to see taking care of our schools, education. I would like to see in the first 100 days better medicare. And as a black man, i would like to see that it hello, i am a senior pr major here at howard university. In the first 100 days, i would like for him and congress to address the issues with federal funding toward womens services. That affects people like myself and lowerclass people. Hi. I am a junior here. For the first 100 days, i believe that trump should improve his immigration policy. For one, the muslim ban i dont agree with it because i and a friend who is muslim not all muslims are terrorists. For the wall policy, i dont think it is want to work either that i believe that illegal immigration it is an issue, but building a wall is not going to help. I am a communications major. My message to donald trump, i know a lot of candidates make a lot of armistice when they are running for president. I would like for him to lower the rate of unemployment. Voices from the road on cspan. Coming up, nikki haley and House Speaker paul ryan address aipac. Speaker ryan spoke about the importance of the u. S. Israel relationship. These days, it is a rare sight to see a democrat and a republican standing next to each other, let alone sharing the stage. [applause]