
tv   Key Capitol Hill Hearings  CSPAN  April 6, 2016 8:07am-10:01am EDT

8:07 am
don't be, don't be lazy. we laughed. so i, i do scold people but very, very seldom. i think my role is much more to be, a place where people feel safe to come, safe to be able to say whatever is on their heart. sometimes i have answers sometimes for your questions but, they feel sometimes that they have been hurt. that is my role, not more than that. >> you have been first lady now for -- >> 18 months. >> 18 months. you have taught a lot of afghans. if you had to identify one thing that the government, i don't want to get you in trouble, that the government needs to do -- >> won't get me in trouble. >> to pay attention to in terms of empowerment of women, what would that be?
8:08 am
and i will ask a second question because this will be concluding, what is your message for the united states? you've had a very, thanks to you, a very positive conversation, uniquely positive today. >> thank you. >> and what would, what would you, your message be to the united states if we could conclude on that? >> as i said in my speech there is still a lot to do for women but we are in the, we're going in the right direction. that's what i feel. i think it's probably very difficult for people outside of the government to understand how much work is ongoing within the government. it's, i don't get to see my husband very often. leaves usually early in the
8:09 am
morning and comes back sometimes at 10:00, 10:30, 11. but, and he has all the people around him. i mean the, it's really very interesting because the pps, the guards within the, within the presidential palace, have had to change their shifts because he starts very early and is still up very late. so instead of having two shifts now, they have three shifts so they can cover him. but anyway, i think the government is trying very hard and whenever i see a, a key -- detail, i see like affirmative action and i raise it and i see whether they do something or not. so, yes, there will always be room for improvement, especially has been only now, it is only been one year because it took
8:10 am
six months to get the government. only being one year of functioning and think for one year we've done quite a lot. and as far as the message to the american public, i'm very tempted to say, don't believe what they say in the newspapers. [laughter] >> there is a lot of skepticism throughout the media in american body politic. >> this audience i at least can feel it but the administration itself knows what my husband is doing, so i don't need to tell the administration anything but the american public, just remember, that we are people like any other people. they have dreams and maybe their dream is to be able to live in a country where there is peace.
8:11 am
i just have been in morocco a few days ago and i have been in morocco and i was in my mid 20s. morocco at the lebanon, i didn't know of afghanistan, morocco and lebanon were at the same level. i was pleasantly surprised by also very sad when i went to morocco. i was only there three days but i could tell how much morocco had developed. how, how much life was pleasant in morocco. how people seemed at ease and pursuing their own goals, their own dreams. their ministers were outspoken and very well-read and well-trained. everybody was very happy, very hospitable.
8:12 am
and i thought, my god, this is exactly what lebanon had been had we not had the war. so i really, maybe this is what i'm feeling these days. i really understand the cost of war. war destroys. and then it's very difficult and it takes very time-consuming to build again but the people of afghanistan want that peace. they want to be able to live in their villages, to be able to live in their cities. they want to be able to have good schools. they have the same aspiration as people everywhere in the world. and i do hope that we'll be able to give it to them. thank you. >> thank you very much. the time is up. that was an excellent conversation, very positive, engaging conversation. please join me in thanking the first lady of afghanistan. [applause]
8:13 am
[inaudible conversations]. [inaudible conversations].
8:14 am
♪ >> our c-span 2016 campaign bus continues to go around the country, winning winners of the studentcam contest. we went to phoenix. david: arizona for the first prize video, rethinking reform, prisons in america. their classmates, catherine and christian payne and alexander walter, won second prize on gender wage inhe can get in the work place. 2016 stop in los angeles for third prize winner jerry sun and rockland, california, to present winners in those areas with awards. c-span extends a special thanks to our cable partners, cox, time warner cable, and comcast for
8:15 am
help coordinates our studentcam visits in the community. watch one of the 21 winning entries at 6:00 a.m. eastern before "washington journal." >> despite a decision by republican leadership in the senate, not to hold confirmation hearings, supreme court nominee merrick garland has been meeting with senators from both parties. on capitol hill he met with senator jeanne shaheen, senator susan collins and senator joe manchin. let's take a look. [inaudible]
8:16 am
>> welcome. [inaudible]. >> i'm greatful for your -- [inaudible] >> thank you. thank you. folks, back out of the room. >> looking forward to sitting down with you and having an in depth discussion. it should be very interesting. thank you, everybody.
8:17 am
>> i can only say i'm starting this process the same as i have done for six years as a senator. and that is basically meeting with the nominee. we have our discussion. we go into everything from our children to our family, a little bit of our background. and then the job specificallied. and then from there, i, i'm hopeful that it moves into the hearing, committee hearing where i think more detail comes out. for me to be able to make a judgment whether i will be supportive or not. but based on all the facts coming out and then it goes to the floor. i hope we proceed to that pathway and what the outcome will be. happy to have you. >> look forward to talking with you. >> it's a pleasure. with that, we'll take a few questions. >> senator manchin, your leadership is putting, making a big effort to pressure republicans to change course.
8:18 am
as somebody who works across the aisle, a lot and -- meeting with republicans regularly, what is your sense whether or not the democrat strategy can succeed? >> i think you've watched me for the last six years. i'm not -- on anybody. i find it hard to believe all of a sudden we're changing our modus operandi. as you know i was very much opposed to the fda nominee coming from the democratic president. it was not personal. he came from the pharma industry, which we need a cultural change at fda. all of a sudden that gets fast-tracked. he gets on. i'm trying to slow it down i want to make sure this country knows of the opioid epidemic we have destroying all of this country. i was not successful in that but it went through the process. that is only been a month ago.
8:19 am
how can the process work that way, expediently and comes to a halt now? it just doesn't make sense. i'm pretty practical. i go back home, i can't explain why i'm not able to have the same process with judge garland as i had with dr. caleb. >> do you think republicans will eventually concede on this point and be open to hearings? >> i would sure hope so. really, that is my -- for the sake, what is unprecedented, these are all my friends, as you know, democrats, everybody. i consider all 99 as my friends. they know i don't go out and campaign against them. i don't try to defeat anybody. i don't create money against a sitting colleague. i don't do that. create as bad atmosphere. this set as precedent of who we are not as a country or as a senate. the body should be at higher level, i'm sorry that --
8:20 am
[inaudible] i can't comprehend that. i can't process that. >> are you talking directly to your republican colleagues in an appeal to try to move the nomination of judge garland? >> i think as body as senators, once you develop relationships and friendships you never try to say how come you're wrong and i'm right? that is not the dialogue. the dialogue, give me some understanding of the position. so i could better understand. i wish i to understand the other person's position. i might not agree with it but i respect the position. i'm getting along those lines why again, we have become such a divided country we still can't be civil. >> senator, among democrat senators you're known as supporter of gun rights. can you talk about how that issue will play in your decision? >> that is the process we're
8:21 am
going to be talking about. there is a lot of accusations out there, i just don't know. i have read and study and been briefed up on this and we'll have a discussion on a a lost issues. >> west virginia -- come out against the nomination. regulations on environmental law -- >> we'll talk about all the things concerning my constituents in my home state, but our nation as a whole. so i think. this is the process. to my friend who have a, haven't shown a desire to talk to judge garland. i can't answer the questions you're asking me until i, we talked about it. that is what i can't comprehend why. why not? this is, this is who we are and i appreciate you your good name out there and your lifetime
8:22 am
experience. okay? thank you all. really appreciate you, okay? thank y'all. >> okay. [inaudible conversations]. let's go. >> transportation security administrator peter nefinger visits capitol hill this morning briefing members of the senate commerce, science and transportation committee on tsa security operations. live coverage at 10:00 a.m. eastern on c-span. >> nato secretary-general jen stoltenberg talks about nato
8:23 am
challenges at the atlantic council. 4:00 p.m. on c-span. republican presidential candidate and ohio governor john kasich gives the annual state of the state address from marietta, ohio, live tonight. we'll take you there live at 7:00 p.m. eastern on c-span. next, public policy, criminal justice and computer science experts on encryption issues and policy. from the information technology and innovation foundation in washington this is about an hour 35 minutes. >> good morning, everyone. we'll get started. my name is daniel castro. i'm vice president of itif, the information technology and innovation foundation. we are a non-profit, nonpartisan think tank that focuses on public policy. decoding the encryption dilemma.
8:24 am
conversation on backdoors going dark and cybersecurity. the goal of today's event is to explore the ongoing debate about cryptography, how to find the right balance between needs of government to prevent crime and stop terrorism. and on the other side, desire of private companies and citizens to protect their data. so a few logistics before we get started. first the event is being recorded. it is also being live streamed. if you're remotely using hashtag, decoding encryption. we'll have time at the end to ask questions of the panelists. if you participate remotely, you can use the hashtag, decoding encryption. as well in the room we'll have mics here. to begin i want to kick off the discussion by providing an overview of an itif report we released, information security and the role of law. this report tries to set the
8:25 am
debate in context by providing overview of some of the different flashpoints in past debates over encryption. in the report we drill down also into the various arguments put forth by the law enforcement and the intelligence community on why encryption should be weakened or limited so the government can have access to the plain text of encrypted data. then we provide a response to these different arguments. but i want to start with a quick history of how encryption has changed over time in the response to new technologies and business models. the modern era of commercial cryptography really started in the 1960s, when we had the original mainframe computers. we had large commercial databases and companies wanted to protect the data. they began using what is called symmetric encryption. you have the same key used to both encrypt and decrypt the data. you know, they were using this
8:26 am
to store the data securely. many companies worked in industry they didn't who wanted to share data. financial institutions want to share data. in order to do they needed interoperability of these standards. we had creation of first government-backed encryption standards to facilitate this exchange of data. the next kind of big change when we had the rise of personal computers and networks and the internet and the need to securely communicate with a wide variety of users who really had no other way of forming a connection. these were often times anonymous parties. so the biggest problem you have with symmetric encryption is key exchange. there is this question how you actually securely share a key with somebody else. if you think about it, this makes sense. if you can share a key securely you wouldn't need encryption in the first place, right? this led to the development of public key encryption. public key encryption is
8:27 am
asymmetric. one key to encrypt. a different key to decrypt. we have didn't exchanges of different parties with no connection to each other. next we had cloud computing t was completely controlled by the customer but now users were sharing their data and storing it with a third party. this created kind of an inherent security vulnerability because the cloud provider had access to previously encrypted data. many cloud computing providers have been actively working to address this issue by providing client side encryption or end encryption taking themselves out of that loop. more recently we had the rise of mobile devices where we had lots of users storing large amounts of data on a device, someone could walk away with.
8:28 am
there is a big move as well in encryption space. how do you enable things like full disk encryption? you have strong security on local storage. finally we have the rise of the internet of things. all connected device, many of them in the home. users want to be sure these devices are secure and researchers are still experimenting a lot of different solutions to address unique needs when we have encrypted device. might have less bandwidth and processing power and energy needs and you have to figure out how to deal with that. first i think when you look back at this history you see a few things. first what you see, there has been a steady stream of innovation information security over the past decades in response to new technologies and business models. this isn't the private sector locking out anyone else. making computers more secure. second while the use of encryption is much more prevalent today the debate about
8:29 am
government access to encrypted data is not new. at each of the stages the government pushed back against these advances. in the earliest years we saw various government stakeholders were working behind the scenes to weaken the encryption standard. in the 1970s, law enforcement and intelligence community tried to sue academics who tried to publish research on cryptography. we've seen more recent objections to full disk encryption. third point here is that as far back as the 1960s, it was possible for a user to encrypt data a way government could not get access to it because user was only one with a key.
8:30 am
it was only the recent move to cloud computing that broke this model for many users. in an effort to repair the security weakness companies are being cast as doing something an affront to law enforcement. i think we have to keep all of that history in mind as we approach today's debate. so moving to the arguments that we're seeing today, there are really five arguments that law enforcement and intelligence community make why policymakers should weaken or limit encryption. first they say companies should not offer technology that circumvents established legal process and encryption. this interferes with law enforcement's longstanding ability to conduct lawful searches. i will pause and mention in the report which is in the back and also on our website, what we try to do with each of these arguments lay out in the words of people making these arguments exactly what they're saying. our goal is not to paint straw man arguments but really show the strength of both side where these arguments are.
8:31 am
but what we argue in this report while certainly the scale of encryption is much greater today the phenomenon itself, inability of law enforcement to access encrypted data when the user controls the key is fundamentally not new. so the second argument we hear is that without, that government will not stop crime or terrorism. and so this is true. our report is not at all trying to deny the fact that the rise of pervasive encryption may have a negative impact on law enforcement. in fact, we readily acknowledge it will likely make it more difficult to prevent and investigate crimes of terrorism. and these problems will be exacerbated if the government doesn't come up with new tools and techniques so they can function in an era of pervasive encryption. what we say in the report unlocking encryption or encrypted data is the wrong solution because it is creating systemic vulnerabilities.
8:32 am
moreover, it is not the only way you can investigate crime or terrorism. in addition, regardless of what policies the united states puts in place, it can't actually stop terrorists with sophisticated criminals from encrypting data anyway. so terrorists don't have to rely on the private sector to build tools to store data securely. they're already building their own tools. we talk about a lot of tools out there already. moreover the u.s. doesn't have any kind of monopoly on this kind of talent. some of the best cryptographers, that they are working. they create secure communication tools. all these are completely outside of the jurisdiction of the united states. so the third argument we hear, companies stopped retaining copy of customer encryption keys for business reasons alone.
8:33 am
this is simply not true. as we show in the report, researchers have been steadily closing security vulnerabilities for decades. the move to give consumers back control of their keys is simply next step in a move to create secure cloud computing. controlling their own key allows you to better manage risk for themselves and improve security. fourth argument we hear, technologists could fix the problem if they study it harder or form a commission. encryption is not based on magic. no way to provide third party access to the government without introducing vulnerabilities that can be used by others. finally argument that companies should help law enforcement hack into the products they sell so government can gain access to encrypted data. if this technique were abused law-abiding users would likely begin to mistrust the companies
8:34 am
and not use their products. there is competitive factor we need to continue. companies should provide to law enforcement to the extent they are able. they should not restrict companies from designing security features that can't be defeated by a third party including the company that made the product itself. the government as we know has a basic right to search but it doesn't have a basic right to find. that is important distinction we have to keep in mind. so in short here, we're concluding that cost of to consumers of a policy that would weaken or limit encryption would be misguided, it would have little impact keeping the technology out of hands of criminals and terrorists, it would reduce overall security for law-abiding citizens and businesses and make it difficult for u.s. companies to compete globally, and limit advancement in information security and limit information aboard to develop policies for
8:35 am
cybersecurity which is really needed. we're in the middle of this debate, where do we go from here? we outline the report a number of recommendations how policymakers promote trust in the u.s. tech sector for strong security practice, how to provide law enforcement with new tools to uphold the law and support efforts to improve information security globally. so first, congress should ban the nsa from intentionally weakening encryption standards. if the nsa has some of the best cryptographic talent in the world and should be used for making encryption more secure, not less secure. there is definite lack of trust in post-snowden era after revealed nsa used its influence to weaken some of the government-promoted standards. we need to draw a clear line in the sand and say that can't be crossed in the future. second, congress should pass legislation to ban all government efforts to install backdoors into company products or services. in addition the government
8:36 am
shouldn't be allowed to require companies to facilitate government access by altering their designs. and since we see states thinking about making laws in this area we should make sure that congress preempts any state activity. third, congress should pass legislation requiring all federal agencies to discover security vulnerabilities and open source products and services disclose them and timely and responsible manner, and work with the private sector to fix that. it gets back to what is the role of government. will it be about improving security or not? fourth, congress should examine u.s. courts better balance interests of individual in the states by allowing to hold suspects in contempt of court for failing to disclose encrypted data in limited circumstances? this is issue we'll talk more about on the panel and definitely get into in the report. if you look back at the history
8:37 am
of this, keys were treated two different ways. physical keys were treated as something government could search and disclose as well as biometric password. the government can compel me to disclose my fingerprint but can't compel to disclose a alphanumeric pass code. this made sense in the physical world of locks but doesn't make sense now. congress should explore to give more more power to law enforcement that doesn't weaken security for everyone else. fifth, congress should provide resources to federal, state and local law enforcement for cyber forensics to investigate digital evidence that can be used in court. local law enforcement will not have the right kind of skillset to deal with more complex cases. we need to make sure we're providing resources that law enforcement is not left behind in the skillset they need. sixth, congress should provide clear rules how law enforcement
8:38 am
can hack into private systems and compel companies to participate in investigations. right now there is so much gray area here and we need a lot of transparency into this process and how we create it. seventh, u.s. trade negotiators should actively oppose foreign government efforts to introduce backdoors in software or weaken encryption, including resisting any rules to require companies to sell products with weakened encryption. finally the u.s. government should be promoting cybersecurity around the world by championing strong encryption and global internet technology forums. so again fundamentally this comes back to the position of the u.s. government should be to promote information security and not weaken it and it should make this the cornerstone of both its domestic and foreign cyber policy. so, we have a really fantastic set of panelists today who i've asked to provide their reaction to the report as well as help us
8:39 am
kind of dig into these bigger issues in the crypto debate we've seen play out past weeks and years. let me briefly introduce everyone and i asked them to make brief opening remarks. we to my least, jules polonetsky. next to him, we david bit cower. departmentdepartment of justice. we have chris calabrese, vice president of center for democracy and technology policy. bruce heiman, practice ace area leader of polly and regulatory practice. morgan reed, director of association of competitive technology, the app association. and ryan hagemann, policy analyst at niskanen center. so thanks to all of you for being here.
8:40 am
jules, why don't we start with you? >> thanks and i will be brief because i'm confident dan and crew invited before they invited this lineup of leaders in the debate so i will speak with some humility and set a little bit after opening tone. rare for those of you who know me rare to speak for ability in the think tank business. don't laugh that much. when you're in the think tank business your business is to think, more you think with loud and strident views better you are apparently but i'm really humbled by this issue frankly. although we've written in support of strong crypto and insuring strong protection barring backdoors, i will tell you this is issue i'm truly humbled by. i hope we figure out the right answers frankly but i'm certainly confident that the right answers are how we can fight terror and how we can strengthen law enforcement without creating many of the
8:41 am
concerns that are created by some of the challenges that we seem to want to create for strong crypto. i was on other side of law enforcement requests during my days at double click or aol. we certainly had some strange requests over the years but we had a lot of requests that i understood we were cooperating with to save lives and i felt it was my duty, we were proud that we cooperated and we mocked and sneered at those who didn't have systems in order, couldn't assist and were bad actors allowing bad things to happen on the internet but the other day i was watching an episode of "the americans." those who follow, know there is russian scientist forced to invent a new solution that the soviets can use to better defend against the americans. they have all kinds of hooks over him and his family. he is sort of forced into this intellectual, you know, exercise
8:42 am
and i just couldn't help think that the conclusion of what we're asking for a company or a scientist or researchers to invent and conclusions that that goes, that's just not a way i think any of us can support intellectual freedom developing. you can imagine areas it might be useful to invent all sort of valuable things and just the compelled notion doing new intellectual work at the direction of the government is so frightening, make like many of you, my phone is probably more an extension of my brain, as we have other pieces of technology that are going to be integrated in our brains, our bodies, i assume eventually i will control things with my brain and therefore you scan my brain. therefore why do we need any of this waterboarding, mr. trump? we'll be able to garner the information. so is it acceptable that as the
8:43 am
technical capabilities become so intimate in knew bodies we don't sit and say no, this is different. this is subject to an incredible level of personal protection where we, sorry, we are going to let you hide what is in your heart because that's a zone of humanity that ought not to be interrupted even if there are technical and feasible ways to do it. i was looking at statistics of phone thefts dropping after technical measures were taken in number of cities, 40%, 50%. although they may be one step removed from the specific sort of debate here but the whole notion this doesn't really immediately make a difference to the average person getting pushed, mugged knocked over is something we need to consider. leaving the krypto side. for a second, you're allowing six-character passwords. you must have longer passwords
8:44 am
and have to be alphanumeric and have special characters. i looked at it, lori, sent out email, ftc chief technology different noting our advice of complex passwords was leaving people completely befuddled, managed, change the passwords. the better solutions are sophisticated things done on back end to have simpler password. rate limiting, maximum attempts. that piece of this i think is incredible part. today we're still going to have a password and if my password has to be so complex that it is befuddled by frankly having respect having notion rate-limiting piece of this which is essentially piece, they completely missed and understood. and so i'll close with that and look forward to continuing the conversation. >> thank you. david. >> thank you, daniel.
8:45 am
thanks to the itif for having me here. i'm not sure which is worse, hearing jules remarks being compared to kgb or getting spoilers for season 2 of "the americans." i will balance the two harms. i think it is important to have different views and i appreciate the opportunity to speak on behalf of doj on a panel of people who are experts on field which positions range extremely opposed to government's position and extremely opposed to the government's position. so i will do my best. >> fairly balanced. >> i feel like john snow before the end of -- >> missed "mr. robot." >> but so i did want to talk about the report, that, daniel just spoke about for a few minutes and, talk about things that i actually thought were helpful in the report. and things that i think are a little less helpful and room for
8:46 am
improvement as the debate continues. i want to highlight a couple things that are helpful and things able to be talked about on the panel and start other discussions. on page one, it was great to see on page one a recognition this is hard issue which entails tradeoffs. so the report at very beginning that encryption improves security for customers and businesses and makes it harder for government to protect them from other threats. there is no way to square this circle. any choice will come with tradeoffs. that is essential way to think about this problem and other problems posed by certain implementations of encryption. sometimes in the debate you see assertions that there are no tradeoffs to be made. every increasing restrictions of government to obtain evidence or fight crime or terrorism both enhance privacy but also enhance our physical security. i think we've seen some of that in discussions about dropping of phone thefts in the like but there is a certain wishful thinking we can have it every
8:47 am
which way and there is no tradeoff to be had when you implement certain fiber-optic type of encryption certain measures to protect security. i think it is important to recognize there are tradeoffs to be had and at end of the day those are public policy choice and ought to be made in democratic society the way we make other policy choice. they are not purely technological questions and you can't always have your cake and eat it too. the sort of obvious framework one draws from page one of this report the way to approach the problem is look at incremental benefits that come from certain implementations of encryption and compare those to incremental costs imposed on society as a whole, crime victims and rest of us from those implementation. we can't compare things that are alike to things not alike. we have to compare things that are alike to things that are alike. we have to look at cost of society to crime, shouldn't look at cost of every crime. we should look at costs from crimes we'll be hopefully able
8:48 am
to solve or prevent based on access to this type of evidence. by same token you look at harms to data security we can't look at all harms to data security imaginable in every circumstance. look at implementation harms from one implementation of encryption to another form of implementation of encryption and i look to the report recognizing that on page one. second thing worth commending, the paper makes a very strong effort to define its terms, particularly to define the term backdoor. we hear that word a lot in this debate and daniel's paper on page 16 defines backdoor to include at least two features, one direct access to communications and one lack of transparency. if you apply that definition that is absolutely not what law enforcement has called for. it is that contrary to what law enforcement called for in terms of any type of theoretical mandate or legislative solution. others in the debate use that term very loosely.
8:49 am
some people use the term backdoor to refer to any system whereby a provider has the ability to comply with a warrant. when just talks about prior work for communications service provider to comply with warrants i don't think he would say that service had a backdoor. they had access solutions and key management solutions consistent with encryption of management of data and compliance with warrants. make sure we use those terms precisely. if we compare incremental risks to implementations we have to be specific what implementation we're talking about. one risk to one implementation you might call backdoor. there might be different risks, lower risks different implementation of encryption to protect data and leave room for access by a provider or company either for own business purposes or pursuant to a warrant. we see similar lack of precision in this debate about the use of the word strong encryption. some people use strong encryption to refer to key
8:50 am
length and things like that. other people use strong encryption to mean warrantless encryption. we need a rational discussion what that term means. if you don't define terms and use it way extremely broad it is hard to have rational conversation about costs and benefits. particularly hard when you use the term backdoor to mean one thing referring to potential government access but have totally definition of backdoor referring to corporate access to its own, to the information they process on their own. so, those are i think helpful things in this, in this paper and i think it would be helpful in this give-and-take here, i think people make clear up front what tradeoffs they would apply and what framework they would use to weigh cost and benefits. by the same token, when using terms like backdoor to be specific what do they mean. and how that applies across a variety of different contexts. there are areas where i think this area could be improved. i think there are areas where we
8:51 am
could disagree with what is in the paper. in part those areas result from failure to apply frameworks consistently from definition of terms through the argumentation and recommendations. primarily that has to do how you weigh tradeoffs and benefits of implementation of encryption. in part tendency in this paper and elsewhere to understate risks to public safety from the implementation of warrant-proof encryption. won't spend too much time on that. one example, this report like nearly every report on the topic quotes wiretap report why there is not significant barrier to live intercepts resulting from encryption. i pointed out on multiple panels and pointed out by others frequently but never seems to be grappled with any paper citing opposite point of view, report how many times actually implemented wiretaps confront
8:52 am
encryption is not particularly good measure barriers encryption has to live intercept. agents will typically not go through significant effort required under the law to establish the predication to seek and obtain a wiretap if they know ahead of time the provider not likely to be able to comply. in part the failure to grapple seriously with tradeoffs comes from overstatement of the security of certain end-to-end encryption regimes. i appreciate the paper acknowledged even end-to-end encryption can be vulnerable, particularly end-to-end encryption systems that rely on centralized key management. there are vulnerabilities to the system. we're not weighing perfect security on one hand to absolute non-security on the other. we're weighing security against each other and that is more complex tradeoff people give credit for in this debate. failure to grapple seriously with tradeoff come from
8:53 am
incomplete and ultimately persuasive risks inherent in systems other than end to end or warrant-proof encryption systems. this this paper claims that key management systems are less secure. daniel says there is no way to provide third party access without issuing a vulnerability and i think that description is overinclusive and incomplete in the sense that possibly the most widespread use of encryption for data in motion at least is the encryption used transit level encryption used for web mail and that involves typically key management systems where provider uses encryption to protect data from server to server on data rests on server but maintain access to the data for variety of purposes through key management and does not use warrantless encryption.
8:54 am
there is no provided desire benefits and tradeoff made in web mail every single day. remains hard for me to understand how we grapple risks without acknowledging there is implementation of encryption that might be one of the most widespread implementations present today. web mail providers including one jules used to work for and other i assume are clients for folks on this panel access communications content for variety of reasons. targeted advertising which is probably just another way of lower cost to customers. search functionality. data recovery functions, and they do it also to enhance data security through spam and malware scanning of content of communications. so those providers and their customers to a degree made a judgment although there are incremental risks posed by not using end to end warrant encryption those end to end
8:55 am
risks are justified by other benefits to the user and perhaps to society in general. and that's, that's the framework we ought to be using as opposed to an absolutist view there is only end to end encryption or nothing at all. that is true for data at rest as well. many device manufacturers or cloud storage providers maintain provider accessible storage for a variety of reasons. it may introduce a hypothetical vulnerability but may be outweighed by the benefits that data recovery, searchability, portability, all of the reasons why people in this room put things in the cloud even though it is theoretically accessible by their provider. difficult to imagine a business scenario where a large business that maintains cloud storage, or provides email or communications functionality to its employees that does not maintain access at some level to the information being designed by its employees.
8:56 am
businesses do not give their employees sole control over access to their proprietary information. it is extremely rare. would be interested to hear examples. that is not default we use. to the contrary businesses that care a lot about data security on the whole, made a judgment worth whatever incremental risk imposed by third party access solutions to get the benefit of that third party access solution. if our employee is hit by bus you don't want that to be last copy of research they were doing. if your employee is in repressive country with your trade secrets you want access to it and their email accounts as well. even when you get to areas like outsourcing to a third party cloud provider i think people made the judgment across a wide variety of contexts third party access, even third party key management is in fact justified by a variety of different benefits. we talked about data recovery. we can talk about physical security of the key may be easier for a provider to maintain physical security of
8:57 am
your keys than for you to do so yourself. expertise comes with a professional security provider. economies of scale present when providers manage key recovery or ability to do threat scanning. i'm just looking from, i saw a brochure from very prominent cloud service provider which referred to their feature of data loss prevention. our data loss prevention service helps organizations identify, monitor, sensitive information through deep content analysis. deep content analysis scan emails for financial information and intellectual property data blocking data internally should email found to be contained matching content. guarded by it other and inner perimeters to security at each level. putting perimeter fencing security officers, 24/7 and so on. the ultimate point is it is very important when we're having conversation about risks and benefits look at those risks
8:58 am
and we'll look at those benefits and how people balance two things in everyday context, instead of pretending there is magical distinction between absolute security on one hand and absolute vulnerability on the other hand. and so if we have to look at this framework and decide, are the benefits of maintaining system where the government can access data worth the tradeoffs, let's look at benefits honestly. look at tradeoffs honestly. we can have honest public policy debate about which world we would rather live in. >> thank you, david. chris? >> so acknowledging that there's a long string of people who also will also sort of poke at you i will try to be very short and in what i say and just hit a couple of points. i mean, i do want to respond a little bit though -- i did have, i had my three. i was like -- i think that as just sort of a initial matter,
8:59 am
i'm not sure that the takeaway that there is information that companies can access and choose to not encrypt is takeaway from that should be, therefore the government should decide security measures and how and when vulnerabilities should be created. i mean this is pretty much the keys to the kingdom when it comes to me personally and my thoughts and the things that i care about from a privacy point of view, but also from a security point of view, if i, god forbid, was the i.t. manager of a nuclear power plant, odds are i could access my systems from this device, right? odds are it wouldn't be a special magic device. it would be iphone 6 or something else, right? so it is commercial encryption we're using to protect our mobile devices that is also protecting our security. so if a company is saying the best way for us to do that kind of protection is to have encryption that does not have a
9:00 am
vulnerability we know about, because that protect this is vital information, i think to have the government sort of second-guess that, no, well, i think, really does go directly to the concern that i think cdt has, this is not a security versus privacy issue. it is a security versus security issue. we need to really think about it in those terms. honestly case has not been made, this is my second point, there aren't lots of and lots of ways to access information now. the list of cloud service providers that companies still have access to information is incredibly long. it is, we are now putting more and more information into the cloud. we are connecting more and more devices. we mentioned briefly the internet of things but that is exploding around us, right? unfortunately the reality is the internet of things by and large is not encrypted. information collected from those sensors is relatively insecure
9:01 am
and easily inaccessible. i think alternate is true. we're not seeing world where information in is increasingly hidden behind encryption. we're seeing a world where information is pushed out to third parties or being collected in ways still not as secure we like them to be. companies are struggling. struggling to find a way to solve that problem. . .
9:02 am
it is not insubstantial updated since which means for many communications the content communications held by third parties under the law as written now you do not need a search warrant. you can access that under a much lower standard. we can have the encryption debate and we should and that's what we are here for i think it's worth acknowledging there are underlying legal issues at play, a very big role in this conversation. we also need to think at the same time we are seeing with the government access should be, thinking legal rules and predicate should be. that continues to be a problem and an active discussion in congress. >> as we move down the panel, not to be repetitive but do want to make a couple points. i want to thank daniel and alan for the contributions. i support the basic conclusion about not restricting the development, deployment, the use
9:03 am
of encryption. i want to add a few points. so david was, i think it's important to keep the encryption issue in perspective and over all debate about law enforcement and security and privacy. david said you can't have your cake and eat it, too. too. i think become household banquet before. the problem is not what they say quote going dark so much is going blindingly bright. the real question is that they are awash in information and they can't process it. it. that's less in between is a 9/11 or the belgian the bombings. you don't know how to pull together and act on it. when you think that all the information that they have, whether video footage, travel information, human intelligence or the increasingly billions of digital footprints, that's even before we get to the internet of things and network centers. so i think it is important to do that. second, as daniels said, a
9:04 am
search warrant is a search warrant. it is not a find warrant. talking about terms, but i don't think it's particularly helpful to talk about warrant-proof encryption. you have a search warrant to search. as david pointed out, it is, in fact, lots of unencrypted information out there. in many respects you go and find it and help move things along. it is also absolutely difficult to do good encryption and what is the underlying algorithm, implementation, whether it's the key generation or key management, good encryption is hard. and so but i think there's a huge difference between the government being able to take advantage of the world as it finds it and basically preventing the use of strong encryption for those who want to do. at the same time although it is up to the government to find
9:05 am
this information i think we, in fact, should be making it easier for the government to do so, strengthen the government's capabilities. the report talks about this a little bit. i think we need to strengthen the fbi's cryptanalysis capabilities, build up a national center, train fbi personnel on this. we need to make that technical capability and expertise available instantly to field offices and many together we had to make it available to state and local law enforcement as well. who want to be more controversial we can visit when and under what circumstances should nsa's technical capabilities be available for domestic crimes on a technical basis. i think we need to figure out how to expedite the issuance and execution of warrants before evidence grows cold or leads disappear. it's just insane in today's
9:06 am
electronic era some difficulties that law enforcement actually encountered. and i very much like the report's suggestion that we clarify the laws regarding when government can basically hack phones. technologically there's no problem. government can capture your phone. they can turn into a recording device, turn on its video feature, keystroke loggers have been used for a long time. stingrays deployed. the real question and i personally have no problem with that assuming it's done under a warrant, with judicial approval but i think simplification on that probably would be useful. i want to talk just a minute about the apple case. what i find perhaps most troubling about it, let's remember the apple case is a counterterrorism case. so in this situation the fbi in fact has available the nsa's technical resources.
9:07 am
and yet it's really hard for me to believe that the nsa could not practice known from the get-go. and yet director comey testified before the house judiciary committee in response to three different questions three different times that he consulted with all of the government agencies and they said they couldn't do. that suggest either the fbi us to the wrong part of nsa. maybe nsa didn't tell him what he wanted to hear, or the fbi sort of equivocated at best with congress. and the question is why would they do that? i think because they had an exceedingly attractive legal case in this situation in which to establish the precedent that infect companies had to do something out of the conference consistent to go after and we can security. it wasn't an attempt into specific they just want a fair chance to get out the encryption. so then what happened? we all know that doj has withdrawn the case and that
9:08 am
allegedly this israeli company -- so the question do they just appear and one of the nsa call the fbi's block? maybe. was there some communication in the dorothea got oppressed their losing the pr war in this case, pull back and try again? maybe. i think there's a lot of questions that have not been answered. >> first of all, again, thank you, daniel and alan. were joking before the panel that history lesson at the beginning of this paper something went to cut paste wholesale out into a book or up to wikipedia or something because it's a really, and well articulated lesson on how we've gotten to this stage. and i want to keep loaded with flavor of company about the paper first before i joined what was the progression from opposed to extremely opposed. i want to say there's one thing brought up at the end of the.
9:09 am
that's important to remember at the front end and sunday mentioned briefly in your comments, which is this is math. there's this feeling out there that encryption some kind of magic power or fairy dust. it's math. it turns out people other than americans can do math. into one of the problems with this lesson that we keep having and we hear from doj as these trade-offs need to be done in a post about american companies in such a such a fashion. it belies the truth that there are 7 billion people in the world now and more than just americans are good at math and more than just americans are good at doing that kind of math that allow for algorithmic developments and encryption. in fact, those of us who lived through both to leave also -- clear and the sense that 128-bit encryption was a munition company with a famous t-shirt you were to get on the airplane that you could cross the border
9:10 am
would actually make is only guilty of transporting munitions. it turns out the indians and the germans and israelis and other countries were more than happy to build encryption modules that attach to u.s. company products to be sold overseas. why? because they could do math. ultimately, we are once again revisiting the question becomes the rules that david is talking about will not be imposed on companies outside of the united states. these trade-offs, restrictions are strictly for companies that are under the guise of u.s. law enforcement. the second thing that i think i am concerned a little bit about is i feel as though department of justice. machine must a field test of the term warrant-proof because it keeps coming up -- warrant-proof. that doesn't mean what you think it means. the warrant can be issued in a sense that you said i think bruce said it best when he said that it's a warrant to search,
9:11 am
not a warrant to find i think to myself what other devices in our lives are also quote warrant proof? which won the likely result in more lost evidence anything else was a flushed toilet. we all accept indoor plumbing yet everyday evidence is lost to law enforcement. it is warrant proof. it is gone and yet we still have indoor plumbing. shredders, fire results in lost information. so when we ask ourselves what is warrant proof works it is what is accessible. initially i thought bruce and the paper made good point about strengthening the fbi's ability to figure how to break into things. those of us who follow this space know that the nsa has probably broken a couple of key prime numbers that are used in something called super nerdy element. they spend about $100 billion a
9:12 am
year to break a prime and sluggish with the nsa is working through to allow for what amounts to pass the breaking of encryption. the question is are we giving the fbi and others enough resources to do so what types of activities? the paper argues we are to get some sleep boost would agree and so what i. i don't have a problem with the fbi upping their game so to speak, but that brings me to the part i am most concerned about in the debate. and that is a decision by the department of justice instead of upping their own game to require companies to alter their products. it's interesting so much of the press around the case, it's just as one vote and we to do this small thing. we filed an amicus brief in the apple case, and the reason that we did was page 15 of their motion. and in it line nine for those of you following at home, the department of justice lays out the case it is not an undue burden for any company who's in the business of writing software to be requested to and have to
9:13 am
modify their software. full stop it is as it's not an undue burden it is an undue burden for apple or exigent circumstances i think it just says it's not an undue burden. now on the bottom it also says it is not an undue burden in the cases at her, not encryption features that you responsible for writing as assist begin with would not be unduly burdensome. 's what they're saying is law enforcement can come to you and say hey, we need you to modify your software. for data at rest may be to open phone that has been locked but there's nothing in it that doesn't, that precludes law enforcement from doing the same thing for data in motion. there's an element that means if a software developer, one of our companies and say we believe that there's a guy we want to follow that is a big fan of your app, we want you to collect the location information actively on this person. according to the motion they
9:14 am
requested that something they believe they should be allowed to do. line nine of the motion says it's not an undue burden. but the follow on from that, the extreme economic but also relative that is something else that happens. a good defense attorney, bruce come if i collected that led law-enforcement results stand up in court as i want to see access to the source code i want to see how did you do that. i want to verify that the way this small company and this app was used to collect this information was accurate. i want you to provide that to a third party for them to review your code. who goes to court and defense that? who defends what they do? the app maker. to get to go to court, take time away from the world -- by the way most of these companies are 10 people. they have no general counsel's office. they have no office of compliance forget to go to court and defend how they change their software in order to meet the disappointment.
9:15 am
in fact, expose their code to possibly competitors, third parties. and by the way, there's nothing wrong with that defense attorney making that request. so not only is law enforcement forgoing what i believe they should be doing which is spending their own resources to find solutions. they're putting the burden on the business side of the world and saying you do. and yet we know because it's just math that country outside of the united states will not have to bear the burden, will not be in a situation that we will not do anything to alter the landscape. i think as were looking at this and the trade-offs is important to remember it's not just apple. it's not just google. it's hundreds of thousands of apps that might be collecting information, might be holding insecurely. all of which under the government's motion would be required to modify their software to meet a lawful order. that's a whole lot bigger than the kind of minor trade-offs that david and others were
9:16 am
describing. >> one of my concerns about coalesce with i figured that all the previous panelist would actually get to all the issues that i wanted to talk about before i did. thank you for that. some of david's criticisms about the paper has sort of taken center stage. i think so my colleagues have addressed most of those concerns but i will address one at the into my opening statement but i wanted to focus a little bit more narrowly back onto the actual paper itself. in general, daniel, alan come to itif, i think this is a fantastic paper for the history of the development of encryption and data encryption standard that idea and suggested back in the 1970s through the modern an ongoing second crypto war in which we currently find ourselves embroiled big fish is great. assessing objectively the arguments currently at play in this debate was also exceptionally well done.
9:17 am
the recommendations in particular i think are by and large fantastic. i have a few quibbles with the two of them but i will get to in a second. wanted to make one general criticism of the paper, the only one i have, and that is that i think even though there's a great deal of focus in the paper on innovation and the trust that is engendered in the online ecosystem angel of the use and implementation of encryption protocols i would like to see a little bit more of focused on the economic benefits and costs associated with encryption. i'm going to be shamefully plugging myself because i focus primarily on economic cost-benefit calculations but the niskanen center released a paper -- the american economy and individual little of use of encryption this past november and dan and alan very lovingly cited us in the paper which, thank you very much by would have liked to see more
9:18 am
discussion on that because i think that's what the dimension of this debate that really hasn't had a whole lot of focus was on a. we focus very much on the civil liberties implications of not just breaking encryption but weakening it. we focus a lot on the global applications of weakening encryption we focus on the human rights implications, not just in this country but around the globe of allowing state actors that easier access to the otherwise private communications of individuals. that having been said the papers great. i love. in terms of recommendations, the first recommendation we have in this paper i think is also another element of the product encryption-based that hasn't been focus on persons alan grayson introduced an amendment to make this law back in 2014. that is revoking the statutory mandate that the national institute of standards and technology has to consult with the nsa on setting domestic encryption standards. in fact, in the wake of the
9:19 am
kerfuffle that came to light after the snowden revelations that which was very clear the nsa had actually knowingly contributed to a weak encryption standards that would been promulgated by nist, they couldn't focus on this data because they were so reliant on the nsa for the information. that is troubling. i think a better approach would be to actually allocate and appropriate money for nist of its own independent team of cryptographers so it doesn't have to consult with the nsa. that brings a lot a lot of troubles the little because the nsa i think most people agree at some of the preeminent hackers in the world. let's be honest, if you are really top of your field and the nsa wants to recruit you into going to give you essentially carte blanche to engage in illegal hacking sans any sort of pesky work requirements, you'll probably
9:20 am
want to do that because you're the type of person who likes to penetrate systems and kind of poke around and see where the flaws are and how you can exploit them. alternatively if you can offer for national institute of standards and technologies to do far less interesting work, it's going to be far less attractive. that's a hurdle i think needs to be overcome in order to make this type of recommendation actualizable. that having been said i think it's great this paper mentions it because i visited a whole lot of people discussing this ever since the grayson amendment failed. the second recommendation that congress should pass legislation so much of the secure data act to essentially ban the government from installing backdoors, yeah, yeah, absolutely agree. part of that is we need to also we focus this debate at the federal level, which i think is a good reason for people too seriously consider supporting representative ted lieu and others encrypt act which would
9:21 am
essentially use the commerce clause to federally preempt states from mandating the installation of backdoors or weakening security protocols. so great, i agree. for the most part i don't have a whole lot of beef with anything in the recommendations section. the only thing i'm little tempestuous about is the recommendation that congress ought to offer additional resources to state and local law enforcement for cyber forensics. the trouble i think we were going to come into with this discussion is assessing how big of a problem it actually is for a place like middle of nowhere possum trot, arkansas, please for static type of cyberforensic skills would expect a larger municipality like cook county have. perhaps these details can be worked out. i'm a little less enthused i guess about this particular approach but, of course, i have no alternative on hand to offer
9:22 am
and so i think it's worth considering but i think we need to tread very lightly and carefully when we start to discuss appropriate funds for local and municipal law enforcement that would mimic a lot of the types of functionalities would like to see the fbi beef up together thing i wanted to mention in the recommendation section is a section that advocates for establishing fair rules for government hacking. this is another issue at play in this debate isn't really getting a lot of attention. while i'm not going to come out in support of any sort of lawful system access or legal hacking regime, i do think that this is vitally important that we bring to the forefront in terms of the policy debate. this writer could be potentially a solution that status as all parties involved on the one hand the fbi and federal law enforcement officers get their ability to access data in phones under lawfully issued warrant
9:23 am
and to cross requirements. and privacy advocates get their share of the pie and wicked to keep strong encryption going to i think it's worth having a conversation about this publicly and openly, kind of bringing all sides together to the table, all but let's take table, all the stakeholders were talking through what i wish he might look like and how it is that we can move in with the fbi has admittedly been doing in this space which is very much an illegal great to bring more into the light as for bringing accountability and transparency and oversight to this process. so all that having been said, i would just conclude by commenting on one thing that david said that i very strongly disagree with. and that is that this paper understates the risks to public security and public safety as a result of the implementation of encryption. if anything, i would argue the contrary, which is the fbi seems
9:24 am
to be overstating the risks to public safety and public security. in the use of federal courts issues and i are -- annual wiretap order every year. the last time i checked the available data to a total of 3,554 total wiretap orders issued by state and federal judges. in only 22 of those cases was encryption even encountered and in only four of those cases was encryption found to be a great of a. number one, a legal and lawful regime could help us with those last four marginal cases. but number two, the point i want to hammer home, if, indeed, this going dark and going to use of that very, very broadly just to discuss that side of the contours of this debate, if this is, if this problem of going dark is indeed a problem of magnitude that director comey and others have claimed it is, the available data, the data available to the public and i've been able to find, does not
9:25 am
confirm that stated. so if, indeed, director comey has information that suggests that the problem of, again i'm mixing my terms given what everyone else seems to have everything trepidations to what they mean, but workprint communications, going but workprint communications if this entire debate that law enforcement has been stoking is indeed as big of him indeed as big a part as the clematis event i think we need to see speak as an economist to speak estimates are focused on numbers i think we need to see that data. because until we see at all i am hearing is a lot of pr nonsense that is about it getting to the heart of the debate at hand which is whether or not law enforcement has the tools it needs in the digital age to conduct investigations and see through the administration of justice. if you have the data, great. i would love to see. and thought they would need to
9:26 am
start rethinking exactly where we all stand on this issue. >> thanks to all of you for comment. what i would like to do is have a number of questions i wanted it in some of these issues. as david noted, the panel it love it imbalance. i want to give you some extra time to make sure we can get all perspectives. to start with, let me start with you. i'd like you to respond to some of which were in particular would be useless maybe if we can start with this issue of how much impact would a lack of access have on public safety? when we were researching this report, this is what are the hardest problems in terms of trying to quantify. we haven't seen anything. we've seen a lot of examples, in testimony law enforcement or intelligence community officials point to cases where it helped a case but it's hard to say something could not have happened with the alternative.
9:27 am
this broader question we have of getting back to the fundamentals, it's very easy for us to envision a policy that would prevent the average american from having access to encryption, or provide government access. it's really hard to envision how that could be any policy that would have an impact on terrorists abroad or anyone who chooses to use of foreign service provider, which is a comment most of the panelist made. when we are talking about trade-offs it seems like we have and that the actual impact but with the context of that people are still going to go out and do it and you can really only create laws for the good people. i'd like you to start with that. >> thanks and appreciate the comments but all the panelists on some the points i raised and some of the points i could have a chance to raise about the paper. this scale question is an important one and which is whatt always talk about how we measure of what are the framework will use to decide this policy
9:28 am
question. that is, is there an empirical balance or more along the way christmas and it isn't a question of principle and should 50 private space with the government should not have access no matter what the risks and benefits might be courts should there be a secure eyed case, whether the phone, whether it's within your heart or whether it's your entire house. i think it's important separate those principled questions from the empirical or trade off questions because when you mix them up in argumentation it's hard to know what people are talking about. it's very hard to decide what the right policy framework is when you shift from distinguishing the right to search and the right to find the latest same sins say you have enough already and don't need to find anything more but those are very different arguments. some of them are ones that are policy choices or democratically governed society make and some
9:29 am
of those are actual questions that are either true or not true. we have to make sure we know which ones were talking about at which time. entrance to the skill of law enforcement, i think it is correct that law enforcement needs to do a good job and i think it's important we do a better job than we have done in identifying the scale of that harm. and one is recently for trouble as you said, daniel, it's hard to prove a negative, hard to prove a case that you were not able to prove and say i would've been able to prove it if i did something i don't know what the thing is. it's a very hard proposition to me. the way we've got to go about it is by looking at cases where in, say, a couple of years ago we're able to prove this case but the technology has been more prevalent we like would not have been able to prove the case. we talked about examples of cases like that. those are ways of envisioning
9:30 am
what the scale of bomb might look like when we talk about is the scale of communication services that market themselves as being to end and they cannot comply with ward. if you look back four or five years ago i think the scale of communication like that was minimal or negligible. and today you see literally tens of billions of to communications every single day going across those services. so when you look at the types of wiretaps were able to do in the past, now there are tens of billions every single day we probably could not effectuate those wiretaps. the wiretap report, i woe charged as a response to the argument i made earlier asked why that's not a very good measure of harm to law-enforcement. but when you look at examples, it might be easier because we know when it gathered if we can't open it and you've seen a number of examples come up where
9:31 am
law enforcement gets the phone but can't get into it despite a judge think there is probable cause there's relevant to a crime. we seem states confer with the scale larger than what the federal government will have as well. i think those are valuable points at a don't think some the panelists disagree i think the position. they said it is, in fact, a real, there is a real distraction to the build of law enforcement to access data. we look at the impact, similar and empirical question is the claim would be whatever you do domestic will have no effect on the ultimate law-enforcement problem because criminals will migrate to foreign products. to me that's not a principle claim. it's empirical. if people stayed using his searches which acts as if it's true it's a more persuasive argument unilateral american action will be particularly effective.
9:32 am
so how to answer the question what is it you criminal terrorist will always migrate from services that are accessible to law enforcement in principle to ones that are not accessible? that's not an abstract question and think if we look historically, at least based on pashtun is not persuasive argued that happens. we that wiretapping capabilities for over 50 years and yet every day we are still going wiretap gathering from sophisticated criminal networks who know as a matter of fact, that those are generally capable of being wiretap but nonetheless use into the silicon because they're useful to facilitate crime and they don't think he'll get caught. so let's take that to the information services context. for many years really up until last couple of years most american-made information services have been present been accessible to law-enforcement in the sense the future and work on the provider they could comply. that is still the case with as i
9:33 am
mentioned most webmail in many enterprise solutions as well. have we seen a massive flight from those services to foreign services or to even americans is that were prove? i don't think the evidence bears that out. in fact, the massive growth in american dominance of the of the medications markets to place large in an era where these invisible those of us were accessible to law enforcement. you can look at the same sort of stats that comes to data at rest. we had a natural experiment in this a couple of years ago where one major manufacturer of smartphones announced that henceforth do because they could not access. we now know that's not exactly true at least they would not want access to try to avoid accessing. whereas a competing mobile operating system maker has not been able to implement that same restriction on access by the provider or by law enforcement. so if your hypothesis is correct that people will then flee to
9:34 am
the service that is warrant proof, you would've expected to see i think arguably at least some massive shift in people from one type of service to another in fact we did not see the. the data not do that. if there's other data that industry has that the issue is a logical place to go, i think we expect to see them putting that data for dividing fact i don't think it squares with what we've seen. i think people choose products and services for a wide right reason. criminals and terrorists generally think they will not get caught and so they choose services that are accessible, convenient, effective. and transport abilities may be one factor. i think some criminals and terrorists will migrate to those systems but others will not. this scene in the wiretap counted, we said over and over again. that goes back over talking principles or empirics. let's talk about it but we shouldn't afford a bumper sticker that says criminals will always go to -- therefore
9:35 am
anything in america's you suspect the last point i would make is i think it's also mistake to think the u.s. will be the only actor in this space. i don't think we're looking forward to a world where only one country is affected through as law enforcement and national secret functions but it's this type of encryption. i think other countries will act as one the question is how do those work together? it's not a case where think you'll have just one country that's affected and one take action. so can women look at the pluses and minuses and the costs and benefits, you can't hold everything constant pain when everything you look at the changes. you have to look at the dynamic system. >> just because my name was invoked -- >> i will let you reply. what i want to do, we have a lot of people on the panel. were going to do is keep it to to disagreements.
9:36 am
[laughter] whoever that person might be, i'm not pointing fingers. one of the goals is have a dialogue on this. >> just real quickly. one can we don't leave the phone should never be accessible. i want a bigger clip is not like a principle that says that the government shouldn't be up to look at your phone and we've never said that. but i think what i think is the focus and could be sensitive. it is perhaps one of the most private spaces that exist today and is really ever existed in terms of the amount of information about us that adults. therefore, deserves a commensurate high level of security and we need really good arguments for why the security should be breached. that leads me to my second argument which is it's fine to say that there's a burden to create and empirical record for why we should have strong encryption, but i think it's worth noting that the people are
9:37 am
carrying the burden on encryption are working really hard to keep us secure. they are working really hard to make all the system stronger and better. and so seems to me it's actually the law enforcement burden to carry why they should pull back from those he pretty measures, why they should do less for security in order to do something which honestly is not yet in my mind concrete. it is an articulation of a concerned rather than a discrete. phone operating systems should have the following accessibility functions, and that's a concrete discussion we could have. right now we are having a general discussion. i would just leave it at those two points. >> does anybody else want to take this? >> i will use my disagreements your spin you can have more than to disagreements. i just don't want more than two people disagreeing. >> i find it fascinating, the
9:38 am
comment about wielding bumper sticker, which keep using the term warrant proof when effect we know that's not, in fact, have a legal standard works. a warrant is issued. the mere fact that you're not able to break into it doesn't invalidate the issuance of the war. so warrant proof is one of the biggest bumper sticker can suffer because it doesn't fit the legal framework which brings up the other concern i have what kind of a mixing of things that you said people use all these services like e-mail, people willing to share that, and criminals use it as well. that's exactly right to give access to all of this other information but i think it's worth noting that u.s. law enforcement has, in fact, muddied the waters as well when data is outside the united states i in either case the unid states is asking for a company who is doing data on a foreign citizen in a foreign country to provide that data. and as chris had i want to go his sentiment, what, i'm not too concerned, i know we'll find
9:39 am
some solutions hopefully out of there but we are now preaching the legal framework that we all exist under. ecpa reform needs to be done. we need cross data. we need to know how to provide a in u.s. law enforcement comes to use to assess provides on a foreign nation when the data is stored in a foreign country or data stored on a foreign national spread across multiple coaches because we do something called data charting and we need to do -- this is a warrant proof. we have no framework. in a case of ecpa we have the sixth circuit which is what standard would also note that's not come it doesn't apply national. it's awkward to say 50 to comply with the love and, in fact, don't know what the law is get back into cases result and appliques and in the ireland case kinds of is trying to establish what amounts to a legal precedent that absolutely explodes the basic premise of
9:40 am
the citizenship and where data is stored i think it's hard to argue especially in the ireland case that we have a clear framework for what it means. i want to agree with chris on the fact provided some good legal framework so we understand when we had to comply and how we do it and then i will that ryan talk about the economic aspect. one last little tweak is we have an mlat process can we have a framework, we have a framework for doing it and get u.s. law enforcement says it's too burdensome to just give us the data. please don't ask us to do something or our own laws or possibly contrary or confusing to what you are requesting. those are two active cases that are currently ongoing. >> do you want to respond to that? >> i want to say, kessler for two hours in front of congress and a happy do it again. not to congress but to you guys.
9:41 am
i guess just the medevac publisher why you think the foreign citizen case that i think he should take a look at the present decorations because no company i'm aware of secretary gates the database at the national of the citizen. take another look at the declaration. i think you should take -- >> are you saying that -- >> i'm just saying if you're going to take proposition templates get the actual facts right and argue on that basis instead of speed so it is a u.s. citizen speak with what i'm saying -- >> i think it's not clear what would you in that case. >> so i can that's a whole other topic and i think it's one that is what takes off public. i'm happy to talk about it but i don't think we should spend the time i to talk about encryption here. i will take up on the board topic. the reason we use the phrase warrant proof is because he of the descriptions are not satisfactory to describe the type of thing that concerns us.
9:42 am
to use more words that would fit on a bumper sticker the type of limitations that concern us on the type where provider windsurfer toward cannot comply. however you want to call that can gradually matter as long as you're consistent with the terminology across. i wouldn't call that a backdoor. we haven't heard much use of the word back to suppress you guys agree. that would be great i think if we can do this debate that's backdoor not backdoor in tort situation where provides can comply, that would be helpful. [inaudible] >> on that point, we've been debating encryption. so another way of securing information historically is, the equivalent of your loss of the innocent, you hit it in your backyard or you have these images and jeff tiny small writing embedded in the image.
9:43 am
undetected level this is very different. it's just well hidden. it is not one person could you, you can get a warrant to do it but to your definition, something and provided could turn over come it would fit that. this is moving away from it. of the philosophical question but i'd be curious to reaction to that shouldn't be any restrictions on how well people can hide their data? >> let me also abstract out all of it and come back to the history point that you made that is to look at this debate as phase two of the crypto wars or a replay of some we've seen before. that's one way to describe it. another way to describe it is when you look at the effects of free market forces on how people use technology and effect that has on other people and the trade-offs that creates, is notable for certain responsible
9:44 am
regulation on the forces of the free market to understand why if you are representing the market or the industry to answer would be no. what is good for industry is good for america. but then i think i also understand from the perspective of citizen that there is ample for regulation to prevent externalities on the citizen as a whole. and so look at the history of the crypto wars u.s.a. let's look at the history of other industries that have in the past impose externalities under the citizen and as the regular city have about industries act. i think framed that way most people do most americans would agree there is some role for regulation when uses of technology negative impact of the citizens. that's to integrate what we are seeing here. and so that's the philosophical but rather than empirical but one that frames the way we look at these questions as a whole.
9:45 am
should the market decide who can use what technology when and how or is there a role to say it that the issues of technology address is outside impact on us or class of people who should look at what restrictions are possible? in other contexts i have no doubt that if we did not regulate at all any other entity that those industries could be more profitable, that the death of accept overseas markets but those are not decisions we make. we have environmental regulations, child labor regulations lots of regulation would recognize the unrestricted forces of free market may be great. and may prove wonderful innovations that we all share in but by the same token there several to think about it. of what externalities because it is her sensible way for government to respond. >> i think that that's a tremendous disservice to those who oppose the government's position come to postulate this is simply a matter of profit versus security really does a disservice. this is security versus
9:46 am
security. and by weakening encryption with the government is asking for the you put at risk tremendous, both national security, america's technological leadership, the dod and evidence relies on as well as competitiveness in american industry. but to citizen it is profit for security i think completely mistakes the process. government would do well to a lot more encryption. maybe if government paid more attention to itself confronting the date it had we wouldn't have 23 million dossiers in chinese hands right now. >> i guess i'm not sure how come in what fashion you are disagree with you on xanga security forces secure the. not profit. you are going to say just profit and i think speed i disagree. you disagree with the until one could imagine technology that although it is a particular corporation to produce the market might have negative effects under the people out with the benefits and, therefore, regulations the appropriate. do you disagree with the principal? >> you are dismissing the
9:47 am
benefits. you are dismissing this entity benefits of that same technology. >> to the contrary. i am saying that our trade-offs to be have picked our benefits and/or drawbacks, the role of government and the role of the policy discussion with experts in this field and identify the benefit edited by the drawback. the role and status on every single vector the answer points in a row leading coverage with what to do. back to the first but i made which is this needs to be seen in a broader context. i articulate several ways in which i should strengthen governments ability to go after the bad guys without at the same time weakening the fundamental encryption that protects the good guys. >> we have a full room. i know some of you have questions. we would do kind of a rapid round of quick questions and hopefully some quick responses. >> sorry, we will bring a mic it to you and could you identify yourself before you ask the question. thank you. >> i'd like to know what the government's role is
9:48 am
intimidating with the press about information that they have. do they have rules -- certain things can be disclosed to the public versus certain things that should be kept within the confines of the legal process? >> yes. use. i could certain things. certain things that we prefer particular matters like this which are of great public interest and great public concern and we tried in forums like this and others express our views to make sure we understand make sure people know what we're asking for. the more we can do without the better. >> i know we've been talking larger questions but in the apple case, there are some people are saying the government should to apple exactly how they get into the phone because of a pledge to reveal vulnerabilities
9:49 am
that might undermine security. can you comment on that? >> i can't comment on any particular case on a particular vulnerability, and i was not going to do that. i do think there is an important question that is at the heart of that. important policy question. maybe four of the panelists argued that there ought to be a role for either current or even more unilateral government access without the intervention of the provider. that there's more role for what has been called got been hacking and i might use a different term for it certainly. so i think that raises a lot of interesting questions and because i think to the heart of the trade off question. i understand from the perspective of a companywide want to absent themselves from the transaction to understand that when it comes to describing their customers what they do it comes to describing the governments in foreign markets with 50.
9:50 am
i do get that impulse and why they don't want to be part of the transaction. on the other that i do think it to director retrospective at risk for files in both world. you could have the world where the government has access primarily through service of process on a provider which maintains its own system designed to its own specification for how to access that data. that's a world we lived in for a long time, the world we still live in. i think i get the most webmail and most enterprise systems. or you could have a world where you increasingly close off access and holy to law enforcement constant, that means you go more choices with the has unilateral direct access to vulnerabilities and the like. again i think it a look at risks and trade-offs. that second world carries different risk. the paper does a good job identified what some of those are. if you drive the government to a world where there's a greater need to take advantage of vulnerabilities rather than disclose them, that carries a risk and risk as well.
9:51 am
the are pluses and minus but i think that's a key point of let's look at the actual costs and benefits of each world and decide which one is better. >> i think i'm going to help david. my view is the government should not be compelled in every instance to share a vulnerability is discovered with a private company. i would much rather have a discussion and debate be about balancing those equities and there's a process to that than have it be about the government intentionally compelling private companies to weaken their products. >> we don't want a big universe situation or others, it appears the israeli company as a state of company whatever they found the released and have not released a publicly. but if you find it and our hundred others as a look at it and where are they providing? i agree the real discussion is how do we make sure that we have removed some liability for competition of information between companies but also to share with law enforcement? i think they'll be an ongoing discussion and that's one where
9:52 am
we can come to some conclusion that doesn't involve regulating math. i would agree that something where we need to look more at how we define that come how we allow for data sharing in an appropriate fashion. >> thanks for the paper. i don't know, but one of the things that seems to come across, and chris you hit on this come is the narrow versus general. maybe dan and allen, for your next challenge, maybe bifurcating all of the difference mayors and other men should be addressed individually. so you've got terrorism versus local on enforcement. you've got data on the device, data in the cloud and encryption your paper should look at matrix of this difference mayors rather than just saying as a general come is a good or bad. that's maybe just food for thought for your next awesome paper. with respect to the panel, one
9:53 am
of the things that was hit upon is the beginning of foreign countries to engage on this debate. we know that england has passed a law mandating kind of access to law enforcement. france is considering such legislation. can you discuss how that is going to impact us here in america? not only on the policy discussion but also with respect to the device, manufacturers and developers side? >> i just come i got, i drew the straw. i don't know if it's a short or long. you raised a really good point which is a united states position on this that i think it's interesting we have use of the term backdoor and we've been careful about the effect it was director comey himself at a panel at brookings is out of what a backdoor. i want a front door. it was at that event where,
9:54 am
forgive me because i know that greg is probably watching this, commemorative those greg or some houses that have been said director, you know that could have significant economic impact. and his response to one of the two of them was, well, they are american companies. they should just take the economic it. i think what's interesting about that is the point you're raising which is these other countries do it, i think the question we're going to fight is what are the economic consequences of having multiple nations with multiple versions of what they require companies to do and i think it's very important remember that we saw with china with some standard settings and a lot of instances these cases have the veneer of a law-enforcement effort. wheels up to watch out for countries that are using it for competitive advantages. and so we've seen that in several places where you get a
9:55 am
by my country type of think of it enacted a law enforcement implementation that would best in the but a local provider and squeezes out others. what we could run into is a uk law that violates the united states requirements on some of these things, or probably not the uk as a strong ally but other countries may load of other laws to do the exact same thing. been noted tomato sauce we had to violate u.s. laws. think about hipaa and encryption around hypocrite if a foreign country were to say we want access in a unique patient identifier for the information for our health information, a u.s. company will have to reconfigure the system and by the way, i'm not doing this at david at all. our u.s. law enforcement is careful about the handling of patient data and health records. so that's something we worked out a way to do when another
9:56 am
country uses that for competitive advantages? you're right, a patchwork of multiple laws around the world is problematic. >> will begin with the challenges adobe harder and harder to influence the human rights versus law enforcement balance around the world. but despite the criticism over snowden at nsa, we have a world leading set of structures of oversight and transparency as well as strong limits and oversight for law enforcement. we need to figure out the right balance come and as much as we can make it something we stand by and influence the rest of the world, even though the our societies that will take a different path. if we are able to support companies who are based here and although they are global, at least have some argument in some broadway to ensure that the products they're rolling out globally are as reflective of those western democratic values. that's what we need to be doing so i think this is a very, this will be the first of many, many debates as we see many, many
9:57 am
tools that make our life all sorts of fun but also make it easier and easier for all sorts of criminals to misuse them. what's the percentage of criminals that need to be doing what sort of bad thing with a particular tool for us to say weight, have limits on this. that was probably the early part of the crypto war debate back then and what is going to be crypto or just vanishing snapchat's or hidden messages or whatever the fun, cute new tool that lets the bad guy do that in countries around the world you've got to building things that let law enforcement slow your car, stop your car. is that something we want your? why is it just an amber alert? it out to be the amber turn your car off. we will be having this debate to the extent where able to do it in a global transparently, hopefully we'll be influencing the technical infrastructure
9:58 am
over the world. >> i think that's a good place to end. i just want to make one final note, if that's what i was describing kind of the history of the crypto debate, our paper gets into more depth on this but it just want to be clear. certainly in the government, while there has been this flashpoints also is been a very valuable partner in working with the private sector and the academic community. i don't want my remarks to be cast as painting government, you know, kind of a bogeyman role. but what would be very important in this conversation is that we don't end up on these entrenched sides with this kind of law enforcement versus the tech sector or researchers and with how we can come back to the collaborative environment that we had before that was actually very successful areas of the element. i think that's something we can all think about kind of going forward. so please join me in thanking our panelists. [applause]
9:59 am
>> what i tuned in on the weekends to visit its authors sherry their new releases. >> watching the nonfiction authors on booktv is the best television for serious readers. >> on c-span they can have a longer conversation and delve into their subjects. >> booktv weekends, they bring you author after author after author that spotlights the work of fascinating people. >> i love booktv and i am a c-span fan. >> transportation security administrator visits capitol hill this morning reading members of the senate commerce, science and transportation committee on tsa security operations. live coverage at 10 a.m. eastern on c-span. >> the u.s. senate is about to convene on this wednesday morning. in about one hour from the senators vote on whether to advance long-term federal
10:00 am
aviation administration funding through september of next year. the bill authorizes just over $33 billion for faa programs and policies that includes new consumer protections for airline passengers and federal regulations for drones. last week president obama signed a short-term extension that would last until july 2016. live coverage by the senate now on c-span c-span2. the chaplain: let us pray. gracious god, each blessing we receive is a gift from you. thank you for the blessings of life, liberty, and love. thank you also for the blessing of salvation that we receive by grace through faith.

