Skip to main content

tv   Politics and Public Policy Today  CSPAN  March 1, 2016 4:00pm-7:01pm EST

4:00 pm
testimony. and when the light turns red, that's it. your time is up. we begin with you, mr. sewell. welcome. >> thank you very much, mr. chairman. >> make sure that microphone is on and pulled close. >> thank you for that technology hint. thank you, mr. chairman. it's my pleasure to appear before you and the committee today on behalf of apple. we appreciate your invitation and the opportunity to be part of the discussion on this important issue, which centers on the civil liberties at the foundation of our country. i want to repeat something we've said since the beginning. that the vekts and the families of the san bernardino attacks have our deepest sympathies. we strongly agree that justice should be served and apple has no sympathy for terrorists. we have the utmost respect for law enforcement and share their goal of creating a safer world. we have a team of dedicated professionals on call 24 horse a day, seven days a week, 365 day
4:01 pm
ace year to assist law enforcement. when the fbi came to us in the immediate aftermath of the san bernardino attacks, we gave them all the information we had related to their investigation. we went beyond that by making apple engineers available to advise the fbi on a number of investigative alternatives. now we find ourselves at the center of a very extraordinary circumstance. the fbi has asked a court to order us to give them something that we don't have, to create an operating system that does not exist. the reason it doesn't exist is because it would be too dangerous. they are asking for a backdoor into the iphone. specifically, to build a software tool that can break the encryption system, which protects personal information on every iphone. as we have told them, and as we told the american public, building that software tool would not affect just one iphone. it would weaken the security for all of them.
4:02 pm
in fact, just last week, director comey agreed, and i think we heard the same here today, that the approximate fbi would lakely use this as precedent for other cases involving other phones. we heard from district attorney vance who says he absolutely plans to use this tool on over 175 phones he has in his possession. we can all agree this is not about access to one iphone. the fbi is asking apple to weaken the security of our products. hackers and cyber criminals could use this to wreak havoc on our privacy and personal safety. it would set a dangerous precedent for ingovernment intrusion into the privacy and safety of citizens. hundreds of millions of law-abiding citizens trust apple products with the most intimate details of their daily lives. information about a user's location and the location of that user's family and friends. some of you may have an iphone in your pocket right now.
4:03 pm
if you think about it, there's probably more information stored on that device than a thief could steal by breaking into your house. the only way we know to protect that data is through strong encryption. every day, over a trillion transactions occur safely over the internet as a result of encrypted communications. these range from online banking, credit card transactions to the exchange of health care records, ideas that will change the world for the better and communications between loved ones. the u.s. government has spent tens of millions of dollars through the open technology fund and other u.s. government programs to fund strong encryption. the review group on intelligence and communications technology convened by president obama urged the u.s. government to fully support and not, in any way, subvert, weaken or make vulnerable software. encryption is a good thing. we need it to make people safe.
4:04 pm
we've been using it in our products for over a decade. as our data become more sophisticated, tools to defend against them need to get stronger, too. weakening an encryption would only hurt consumers and well-meaning users who rely on companies like apple. balancing america's security and privacy. we believe we can and we must have both. protecting our data with encryption and other methods preserves our privacy and keeps people safe. the american people deserve an honest conversation around the important questions stemming from the fbi's current demand. do we want to put a limit on the technology ta protects our data and, therefore, our privacy and safety in the face of increasingly sophisticated cyber attacks? should the fbi be allowed to stop apple or any company from offering the american people the safest and most secure products it can make? should the fbi have the right to compel a company to produce a product it doesn't already make
4:05 pm
to the fbi's exact specifications and for the fbi's use? we believe that each of these questions deserves a healthy discussion and any decision should only be made after a thoughtful and honest consideration of the facts. most importantly, the decision should be made by you and your colleagues as representatives of the people rather than a warrant request based on a 220-year-old statute. as the judge concluded yesterday granting the fbi's request would thoroughly undermine principles of the constitution. at apple we're ready to have this conversation. feedback and support we're hearing indicate to us the american people, too. their friends infarction families and neighbors will be better protected from thieves if we can protect their data and freedoms and liberties we all cherish will be more secure. thank you for your time. i look forward to your question. >> thank you, mr. sewell. ms. landow, welcome. >> thank you for the opportunity
4:06 pm
to testify today. fbi has pitch this had battle as one of security versus privacy. a number of members have already observed it's really about security versus security. we have a national security threat going on and we haven't solved the problem at all. if wha have smart phones got to do with it? absolutely everything. photos, music, notes and calendars. much of that information sensitive, especially the photos. smart phones are increasingly wallets and they give us access to all sorts of accounts. bank accounts, drop box and so on. many people store propietry business information on their smart phones, personal smart phones even though they know they shouldn't. now, nsa will tell you that stealing log-in credentials is the most effective way into a system. in fact, tailored access operation said so in a public talk a month ago. here is where smart phones are extremely important. they are poised to become
4:07 pm
authenticators to a wide variety of services. they're already being used that way, including at some high-place government agencies. district attorney vance has said that large-scale data breaches have nothing to do with smart phone encryption. that's not true. look at today's "new york times." there's a story about the attack on the ukrainian power grid. how did it start? it started by the theft of log-in credentials, of system operators. we've got to solve the log-in authentication problem. smart phones are our best way forward to do it, but not if it's easy to get into the data of the smart phones. now, the committee has already observed that there are many phones that will be -- that will go through the process of being unlocked, not just the one in san bernardino. what that means for apple, they're going to have to develop a routine to do so. what happens when you sign a
4:08 pm
piece of code where you do it once, you do it occasionally? it's a whole ritual. what happens is you develop a routine. get a web page, low-level employee to supervise it. then it becomes a process that's easy to subvert. i have lots of respect for apple security, but not when it becomes a routine process to build an update for a phone. what will happen is organized crime or nation state will do so, using an update to then hack into the phone, maybe the phone of the secretary of the chief of the federal reserve, maybe the phone of an hvac employee who is going to service a power plant. what we're going to do is decrease our security. that's the security risk that's coming from the requests. i get law enforcement wants access during legal authorization. an nsa colleague once remarked that while his agency had the right to break into certain
4:09 pm
systems, no one ever guaranteed that that right would be easy to do so. problem is, when you build a way in for someone who isn't the owner to get at the data, you built a way for someone else to, also. if you ask the intelligence people there are many ways for nefarious sorts to be able to take advantage of the opening offered by law enforcement. instead of embracing the device security we so badly need, law enforcement has been pressing to preserve 20th century investigative techniques. meanwhile, our enemies are using 21st technologies against us. the fbi needs to take a page from the nsa. you may recall in the late 1990s, nsa complained it was going deaf from encrypted calls. obviously they've improved their technology a great deal. according to mike mcconnell, they had better than any time in
4:10 pm
history. we need law enforcement to develop 21st century capabilities for conducting electronic surveillance. they already have excellent people and expertise but fbi investment and capacity is not at the scale and level necessary. rather than asking industry to weaken protections, law enforcement must instead develop the capability for developing sophisticated investigations themselves. congress can help. the fbi needs an investigative center with agents with deep, technical understanding of telecommunications technology and also, because all phones are computer, modern computer -- deep expert in computer science. teams of researchers, who will understand various types of devices. they'll need to know where technology is, where it will be in six months or two to five years, communications technology in two to five years so they can develop the surveillance technologies themselves. expertise need not be in house. the fbi could pursue a solution where they develop some of their own expertise and closely manage
4:11 pm
contractors to do some of the work. however the bureau pursues the solution, it must develop modern state of the art capabilities. it must do so rather than trying to get industry to weaken security. your job is to help the fbi build such capabilities, determine the most efficient and effective way that such capabilities could be utilize and also fund the capabilities. that's the way forward that does not put our national security at risk, enabling law enforcement investigations while encouraging industry to do all it can do to develop better technologies for securing data technologies. that's a win/win and where we should be going. >> thank you, ms. landau. >> good afternoon ranking member con dltsyers. i'm testifying as a district attorney but on behalf of the national district attorneys
4:12 pm
association. i'm very grateful for you giving us the opportunity to be here. much of the discussion in the prior panel, in the comments by the other speakers here has been about the federal government and about the issue of security and cyber crime in the federal conte context. it's important for us to recognize that state and local law enforcement agencies handle around the country. we have a deep interest in this hearing today. thank you for allowing us to participate. apple and google's decision to engineer their mobile devices to, in essence, be warrant proof has had a real effect on the traditional balance of public safety versus privacy under our fourth amendment juris prudence. i agree with the comments, i think, of everyone here, shall cling the many members of the house. we really need congress to help solve this problem for us. that's why it's so important
4:13 pm
that you're undertaking this effort. i think in look at this issue, there are basic facts from the state law perspective that are very important in this debate but are not in dispute. number one, as tim cook said in his open letter to his customers of apple, smart phones, led by iphone, have become an essential part of our lives. nothing could be more true. we are all using our cell phones for every aspect of our lives. number two is that smart phones are also essential to criminals. our office investigates and prosecutes a huge variety of cases from homicide to sex crimes, from international financial crime and including terrorism cases. and criminals in each of those cases use smart phones to share information, to plan and to commit crimes, whether it's through text messages, photographs or videos. number three, criminals know that the ios 8 operating system
4:14 pm
is warrant proof. criminals understand that this new operating system provides them with a cloak of secrecy. and they are, ladies and gentlemen, quite literally, laughing at us. and they are astounded that they have a means of communication totally secure from government reach. and i don't ask you to take my word for it. in one lawfully recorded phone conversation from rikers island in new york, an inmate talking about the ios default device encryption called it, and i'm quoting, a gift from god. number four, the encryption apple provided on its mobile devices prior to ios 8 -- that is, before october 2014, was represented to be both secure for its customers and, importantly, was amenable to court authorized searches. we know this, because apple told us this. apple characterized its ios 7 operating system as the ultimate
4:15 pm
in privacy. it touted its proven encryption methods and assured its users that it could be used with confidence in any personal or corporate environment. during the time ios 7 was the operating system, apple also acknowledged its responsibility to help, again in apple's own words, police investigating robberies and other crimes, searching for missing children, trying to locate a alzheimer's patient. so it's not mutually exclusive. default device encryption. iphones from which we were locked out, having obtained
4:16 pm
search warrants for those iphones. the number was 175. today it is 205, which represent s more than one out of four apple devices analyzed by our office's own cyber lab since the development of ios 8. that problem isn't just in manhattan. prosecutors have been locked out of more than 100 iphones, 46 in connecticut, 36 since january. and those are from the thousands of phones taken into custody. jurs prudence have held no item, phone, cabinet, safe or even cell phone is beyond a reach of a court order search warrant. the warranty proof encryption today gives two very large companies, we believe, functional control over the path to justice for victims of crime.
4:17 pm
including who could be prosecuted and who may be exonerated. we believe this line being drawn is extremely important. it's affecting our lives and constituents lives and we believe that you should be drawing t we ask to you to address this problem quickly. time is not a luxury for state and local l. kroim victims or communities can afford. our laws require speedy trials. criminals have to be held accountable and victims are, as we speak, and we know in this audience, asking for justice. >> thank you, mr. vance. questioning of witnesses in the five-minute rule. i'll begin by recognizing myself. director comey created a dichotomy between this being a technology problem or business model problem and said that apple was addressing this as a business model problem.
4:18 pm
is that a fair contrast or is this something else? >> it's by no means a fair contrast, mr. chairman. i heard this raised before. it was raised in new york and in san bernardino. and every time i hear this, my blood boils. this is not a marketing issue. we don't take out ads that market our encryption. we're doing this because we think that protecting the security and privacy of hundreds of millions of iphone users is the right thing to do. that's the reason we're doing this. to say it's a marketing ploy or somehow it's about pr really diminishes what should be a serious conversation. just with respect to new york case, taking on this issue head
4:19 pm
on, in footnote 14 on page 40, he said i reject the government's claim, find apple's activities and position they're taking conscientious. >> director comey and mr. vance seem to suggest that the security provided by encryption on prior devices is fine. but advancing encryption technology is a problem. what do you think about that? >> we haven't started on a path of changing our technology. apple began in 2009 with our encryption of face time and i message.
4:20 pm
used within the software and hardware of the phone to provide a more secure solution. >> we are moving to end to end encryption on many devices and apps, not just apple iphones. why is that happening? >> i think it's a combination of things, from our perspective at apple, it's because we see ourselves as being in an arms race. in an arms race with criminals, cyber terrorists, hackers. we're trying to provide a safe and security place for the users of our devices, to be assured that their information cannot be accessed, so that end to end encryption move is an effort to improve the safety and security of our phones.
4:21 pm
from the terrorist perspective, i think it's an effort to communicate in ways that cannot be detected. but the terrorists are doing this independently of the issues that we're discussing here today. >> now, if the fbi succeeds in getting the order that is in zut, that apple has appeal ed b the way, all of us here, we can't turn that off. >> we can show you how to do that. >> but inside our firewall, we can't do that. we understand the reason. that creates a separate vulnerability, does it not?
4:22 pm
they could willfully try ten times and erase what hasn't been backed up on the device. be that ewzñ it may, if they w to get you to develop that code and apply it and then to crack the four-digit code to get into the device, once they get in there, they could find all kinds of restrictions that apple has no control over, right, with regard to apps on the phone, various other communications features that the consumer may have chosen to put on there. is that correct? >> absolutely right, mr. chairman. one of the most pernicious apps we see in the terrorist space is something called telegraph. it can reside on any phone. it has nothing to do with apple. it could be loaded either on the internet or outside of the country.
4:23 pm
in phones belonging to tens or hundreds of millions of innocent people, it will weak en our safety and security. >> mr. conyers is recognized for five minutes. >> thank you, mr. chairman. welcome the witnesses. director comey has just testified that until the invention of the smart phone, there was no closet, no room, no basement in america that the fbi could enter. did encryption exist before the invention of the iphone? >> it's existed for decades, for
4:24 pm
centuries. in the '70s, about publication. in the '80s about whether nsa would control the development of encryption for nonnational use. strong encryption on devices and applications and the technologist's response to apple is, what took you guys so long? how in the face of all the cyber security problems we've had did it take industry so very long to do this? >> as our technical expert, let me ask you this. is there any functional difference between asking apple
4:25 pm
and what the fbi has demanded in california? >> i'm sorry. asking apple to break -- i don't quite understand the question. it's not breaking the encryption. >> what the fbi has demanded in california. >> what it's demanded in california is that apple subvert its own security controls. what is the functional difference between ordering apple to break its encryption and ordering apple to bypass its security so the fbi can break
4:26 pm
the encryption? >> thank you, ranking member. the passcode is an inherent and integrated part of the encryption algorithm. if you can get access to the pass code, it will effect the encryption process itself. we're being asked to develop in california a tool that does not exist at this time that would facilitate. essentially, we are throwing open the doors and allowing the very act of decryption to take place.
4:27 pm
you no longer respond to legal process when investigators need your assistance. is that accurate? >> it is absolutely false. we care deeply about the same motivations that motivate law enforcement. the relationship with l falls within my job at apple. the people that we have, who assist apple. as we get a call, as we discussed earlier with director comey -- >> i want to squeeze in one more question before my time runs out. >> i'll try to be very quick. we do everything we can to
4:28 pm
assist law enforcement, we have a dedicated team available 24/7 to do that. >> why is apple taking this stand? what exactly is at stake in the san bernardino case? >> this is not about the san berne dino case this is about every apple iphone. there's no distinction between a 5c and 6 in this context. the tool we're being asked to create will work on any iphone in use today. it is extensible. it is common. principles are the same.
4:29 pm
>> the chair recognizes the senator from wisconsin. >> thank you very much, mr. sewell. i have been one of the privacy hawks on this committee. the whole debate. here, the fbi has done that. you said rather than a warrant based on a 220-year-old statute, i point out the bill of rights is about the same age. the fbi is attempting to enforce the lawful court order. apple has every right to challenge that order, as you
4:30 pm
have done. why is congress the best place and not the court? >> we find ourselves in a court in california because the fbi chose to pursue we view that as a way to cut off the debate. we would be forced to do the very thing which we think is at issue and should be decided by the american people. we would be forced to create. >> what's your proposed legislative response? do you have a bill for us to consider? >> i do not have a bill for to you consider. >> thank you. that answers that.
4:31 pm
to ensure that you can access encrypted data with a warrant. you don't like what the fbi said. what's your specific response? >> what we're asking for, congressman, is a debate on this. i don't have a proposal. i don't have a solution for it. one wha i think we need to do is to give this an appropriate and fair hearing at this body, which exists to decide important legislative issues. we need to get the right stakeholders in the room. this is not a security versus privacy issue. this is a security versus security issue. that balance should be struck, we think, by congress. >> well, you know, let me make this observation, having dealt with the fallout of the snowden revelations, in the drafting and garnering support of usa freedom act. i can tell you, i don't think
4:32 pm
you're going to like what comes out of congress. >> we will follow the law that comes out of this process. we certainly understand. >> okay. the thing is, i don't understand. you don't like what's being done with an lawfully issued warrant. law enforcement submits an affidavit before the magistrate or judge and the judge determines whether the allegations are sufficient for the warrant to issue. you're operating in a vacuum. you told us what you don't like. when are we going to hear what you do like so apple has a positive solution to what you're complaining about? you said it's congress' job to do t we won't shirk from that. this hearing is part of the
4:33 pm
debate. the fbi has provided some policy suggestion suggestions on that. all you've been saying is no, no, no, no. as we did with the freedom act and as we're doing with the privacy act update is to balance our belief of people who are not guilty or suspected of terrorist activity and there should be judicial process, which there has been positive.
4:34 pm
you are leaving us to our own devices, which we will willing to do but you won't like. >> you know, the thing is, you've asked congress to do something. and i asked you what congress should do. you said, we have nothing. then i said the fbi has provided specific policy proposals to ensure l is able to get this information. now here we're talking about the iphone of a dead terrorist that won't owned by the terrorist. it was owned by san bernardino county. i have my own iphone, which i use extensively. the terrorist had a government iphone, which belonged to the government. i think the government, san bernardino county specifically, would like to get to the bottom of this. and you're resisting it.
4:35 pm
i said my piece. >> the time of the gentleman has expired. >> thank you, mr. chairman. let me begin by welcoming my constituent mr. vance and say i appreciate his enlightenment of the district attorneys' views of this dilemma we all face. let me also suggest in i assume apple may have legislative suggestions for us after the court comes out with their determinations, at which point apple and a lot of other people and institutions, i assume, will decide on specific legislative proposals and it may very well be that this congress will wait to see what the courts do. but we will see.
4:36 pm
running this particular software in this one case. now, i gather that you have mentioned you have over 200 phones faced with a similar problem. >> yes. >> that you don't really think that this case will be limited to the one device. obviously it will set a precedent, maybe not the only precedent, including the ones you're interested in. >> there may well be an overlap between action in federal court where the fbi is in litigation, and in state court. i do believe that what we should be seeking is not phone by phone by phone. we should be creating a framework in which there are standards that are required for a court to authorize access to a
4:37 pm
device and it's not based upon litigation as to whether you can get west coast phone or east coast phone. >> i assume that eventually either the court also set one standard or congress will. >> right. >> have to consider it. >> right. >> professor landau, several colleagues published results of a survey -- this is similar to a question i asked director come dlcomey. 600 encryption results available online. more than 400 of these products are open sourced or made or owned by foreign entities. if congress were to pass a law or, for that matter, if the courts were impose a requirement forcing u.s. companies to provide law enforcement with access to encrypted systems, would that law stop bad actors from using encryption from open sources or foreign sources? >> absolutely not. absolutely not. and what apple's product does is it makes encryption easy by
4:38 pm
default. so it means that, as i said, the secretary to the chair of the federal reserve, the hvac employee, the regular person using the phone has the phone secured. what the change -- if congress were to pass a law, prohibiting use of encryption on apple phones or whoever -- you wouldn't say just for apple. what it would do, it would weaken us, but not change it for the bad guys. >> and if someone purchased a foreign phone -- >> somebody could just download the app from abroad. they don't have to buy a foreign phone. they can download the app from anywhere. >> prohibit purchase of foreign encryption systems is there any practical way to enforce that? >> no. you would have to start
4:39 pm
inspecting so much as it comes over the internet that it becomes an intrusive -- >> so what you're saying is that we are really debating something that's undoable? >> that's right. we were there 20 years ago. the open source issue is part of the reason for the change in epport controls, which is part of what enabled -- >> let me ask two very quick questions before my time runs out. mr. sewell, the eastern district court in its ruling that's been referred to cited no legal authority as a reason to deny the order. is there a limiting principle in the san bernardino case? >> absolutely none, congressman. >> none. so it can be expanded indefinitely. finally, mr. sewell, apple's brief to the court lays out several constitutional concerns, right of the first amendment, fifth amendment. let me just ask, what are the first and fifth amendment case questions does this case raise?
4:40 pm
we've been talking about statute. let's ask about first and fifth amendment questions. >> good question, congressman. bear in mind what we're being asked to do is write a brand new computer code. bear in mind this is speech that apple does not want to make. this is our position. the issue is encryption, forced activity, forced labor. >> does anybody else on the panel want to comment on that question thank you. mr. time has expired, mr. chairman. >> the gentleman from california is recognized for five minute. >> thank you, mr. chairman. i'll pick up where you left off on forced labor. do you know of any place in our history, in which -- except in time of war when things are command eared and people are
4:41 pm
told, do that, or when people were forced -- >> i don't except during world war. >> i understand different time and different set of circumstances. miss landau, i'm going to come to you first. your expertise is encryption. you were probably very young. you remember 20 years ago the argument. wasn't it the fbi and then the late mike oxley and others, that were championing that if we allowed more than 256 bid encryption, the fbi couldn't easily decode it and that would be the ruin of their investigations? >> right. and what you get instead is over the last 20 years, the nsa has increasingly supported the
4:42 pm
security technologies for private sector communications infrastructure, this happens to be a patent that's already in the record. it's a patent on self destructing the contents inside if someone tries to open it. i've been looking back decades and decades. even more punitive, if you will, responses inside when we wanted to secure it. it's not a new technology. there's a new twist on it. in the sense aren't we saying you can make something that destroys the documents but then you have to tell us how to defeat it? >> that's exactly right. >> then i'm looking and saying there's no history on that. we've had plain safes for a
4:43 pm
very, very long time. this isn't new. do you know of any shredder company that's been told that they have to show you how to reassemble what they've shredded? >> i don't study shredding companies but would be very surprised if they were. >> have you ever ordered a shredding company to put the paper back together? >> of course i haven't, congressman. >> okay. so you're ask iing for someone create a product. apple gets its people from stanford, m.i.t. and other great universities. right? >> yes, we do. >> you don't get all the graduates, right? >> no, we don't. we wish we did. >> i was talking to the director and saying, if you take -- it's hypothetical. my level of knowledge is way less than any of your folks and probably the fbi's. if you take this solid state
4:44 pm
hard drive, pull it apart. he even used the word mirroring. obviously he had some discussion to some point. you make as many images as you want. then you have a true original that even if the self destruct occurs, that part of what you're asking them to do, they can do themselves and pull the chip out anding is it imaged. we're not saying for sure, but they haven't checked it. that's a possibility, right? >> we believe so. we don't know what the condition of the phone is. >> sure. we're not talking about one phone. we're talking about thousands of phones. the technology used in your chip, you have burnable traces in your chips. randomly, you burn traces which create the transcription algorithm. that chip, when interfacing with an image, you keep giving it new
4:45 pm
images, that he the part that changes. isn't it at least conceivable that, as to that phone and perhaps the 175 in new york and others, that the fbi or nsa could, in fact, come up with an elegant, brute force attack that would work on your phones and also would work on hundreds of other types of phones around the world and that that technology with, if you will, from m.i.t., stanford and kent state, my alma mater, they would have control over and be able to make it more universal than just trying to go through your source code which, is it correct, they've never asked for. is that right? >> we've never been asked for our source code. >> if ninlts want to opine on it, i would ask that you be able to. >> thank you very much.
4:46 pm
i think this hearing is very helpful. just to get it on the record, mr. sewell, you're not objecting -- let me step back. if you have something and you are served with a warrant, you give that something up. is that correct? >> absolutely correct. >> the issue here is, you don't have it. you've got no way to get it. therefore, you can't give it. right? >> that's correct. >> if it were possible to do something that would get just this one thing, without opening the door to everybody else's stuff, would you have a problem with that? >> let me -- >> let me rephrase that, because you're in court. >> sure. >> that would be a different issue than breaking encryption generally. wouldn't it be?
4:47 pm
>> the best analogy i' can come up with -- and i've been struggling with the analogy. if apple had a box somewhere that we could guarantee, we could assure 100% certainty that anything put in that box was not susceptible to thievery, attack, corruption, if we had such a place in the world, we wouldn't be here today. >> right. >> what we would have done is gone to our customers and said, give us your passwords. we can absolutely -- >> correct. >> -- 100% correct them. if you lose your phone or need our help we can give you the pass code. >> but you didn't do that, because you can't guarantee that which is why you encrypted this phone? >> exactly right. now the bizarre situation is essentially the fbi is saying we all realize it's silly that the fbi would give you your password. instead we want you to build a tool to get those passwords and
4:48 pm
put it in the box that doesn't exist. >> is it possible, theoretically, to create code that would preclude you from creating a system that would allow you to defeat the ten try erase function? >> we could write a program that could suppress that function. >> so you couldn't do what you're being asked to do? >> we're become asked to do three things. the erase function, which i neglected to do before the hearing. as you go forward, people are insecure about what's safe. >> absolutely. >> and, for example, you don't
4:49 pm
have -- and i think for good reason -- >> we have encrypted the icloud data. it's encrypted in a more secure way. >> right. but you can still provide access to that. >> it is encrypted in a different way. >> but you could change that, if you wished? >> yes. >> let me ask you, miss landau -- you were involved with that paper published last year. thank you. it was an excellent paper. i had to read some pages two or three times to understand it. i would ask unanimous consent to put that paper in the record from the cryptographers. >> without objection, it will be made part of the record. >> if you go to the questions at the end you can see it's a fool's error and will never be able to do what's being asked by the fbi. as a practical matter, it's just not achievable. i'm interested in your take on
4:50 pm
director comey said they don't want the master key. they just want the one bypass. isn't that exactly the same? >> it's wrong and just once they've built that software, that software works for other phones. of course, it has to have the serial number of the particular phone so apple has to sign -- you know, has to take the software and put in a new serial number and sign it so a new phone accepts it and that's where all the security risks come in because it becomes a routine process and as i mentioned during my remarks, routine processes get subverted. >> i'll ask my final question. it was asked earlier by my colleague mr. richmond, about whether these other countries have better security than we do. if i take my phone, my iphone, with the current operating system to russia or china, can they break into it? >> with respect to the phone itself, we believe that the encryption we provided in ios-8
4:51 pm
makes that effectively impossible. with respect to the things that are going on at the internet level, there are very sophisticated techniques that could be used by malicious actors who have access to the internet itself. there are ways to fool the internet into thinking that something is what it isn't. and so i think there is a vulnerability still in that regard, but on the phone what we've tried to do is to remove that possibility with ios-8 and 9. >> thank you very much for all of you for your testimony. >> the chair thanks the jantle woman and recognizes the gentleman from texas, mr. poe, for five minutes. >> thank you, mr. chairman. thank you all for being here. fascinating, important discussion on this issue of as you say security and security. as you know, i'm a former prosecutor and former judge and dealt with warrants for 30 years either requesting them or signing them.
4:52 pm
and this particular case i think we're really talking about two cases now. we're not talking just about the san bernardino case but the new york case as well. different facts. different issues. fourth amendment we have discussed. fourth amendment doesn't really apply too much to this situation because the possession of the item is already -- is lawful in the possession of government. i do think it's ironic, however, we talking about privacy, united states is supposed to lead on the issue i think on the issue of privacy. we're the only one that has a fourth amendment, but we see that other countries seem to have more concern about privacy in their technology than maybe we do. i find that somewhat ironic. let me ask -- let me ask you a couple of questions. you discussed the idea of
4:53 pm
constitutional right, right of privacy, but in one of your testimonies -- i think it was mr. nadler from new york, he and i have a language barrier problem, so i'm not sure i understood his question. you mentioned the first amendment and the fifth amendment, is that correct? >> i did, that's correct. >> briefly explain how you see this is a first amendment issue as well as a fifth amendment issue. we don't need to talk about the fourth amendment. we've discussed that. >> the fifth amendment issue derives from the fact that we're being asked to write code and code is speech and the supreme court has held that speech is protectable. so, we're being asked to speak by the government. that speech is not speech that we want to make. and the first amendment provides us with protections against being compelled to speak by the government. so, that would be the first amendment argument in a nutshell. the fifth amendment provides us with protection from conscription. protection from being forced into labor at the governments will except under the most
4:54 pm
extraordinary of circumstances which i discussed with congressman issa. but that's the fifth amendment issue. >> all right. thank you. what this request, the results of the request, how would that affect apple worldwide in other countries? >> there are a number of parts of that congressman, so thank you. the way that this would affect apple is that it would affect our customers. it would affect everyone who owns an iphone and it would create a risk for everyone who owns a phone that their data could be compromised if their security could be compromised. with respect to the international question, i agree with you. i think america should be leading on this issue, and i think that the world is watching what happens right now in our government and what happens even today with respect to this particular debate. our ability to maintain a consistent position around the world, our ability to say that
4:55 pm
we will not compromise the safety and security of any of our users anywhere in world is substantially weakened if we are forced to make that compromise here in our own country. so, i urge this congress, and i urge the government generally to understand and to take a leadership role. give us the strong support that we need to resist any effort by other governments to weaken security and privacy. >> one of the questions that was asked was talking about what is your solution. and i actually agree with mr. nadler, i know this is going to bother him a little bit, that there may be after all this litigation, then there may be a solution that we haven't thought of yet. but would not one option be congress taking the position that prohibits the back door key security system, the viper system, as i call it, from -- >> thank you, mr. poe. >> i said that earlier but you stepped out. the viper system from being imposed, required, prohibit that
4:56 pm
from government requiring that type of system in specific technology like an iphone. >> i think that is certainly one possibility, yes. >> prohibit the key. let me consider -- ask you something else. if courts rule that you're required to develop the technology, develop the software, would that have -- would that software be able to be used on all those other hundreds of phones that are out there that the government lawfully has in their possession but they can't get into? >> absolutely. there is nothing to preclude it from being used on any iphone that is in use today. >> and my last question, would other countries, then, if we -- u.s. takes the position thou shalt give government the key, what will other countries like china require or request or demand of apple? >> to date we have not had demands like that from any other
4:57 pm
country. the only place that we're having this debate is in our own country. but i -- as i said before, i think if we are ordered to do this, it will be a hot minute before we get those requests from other places. >> all right. thank you, mr. chairman. i yield back. >> the chair thanks the gentleman and recognizes the gentleman from georgia mr. johnson for five minutes. >> thank you, and thank the witnesses for being here. mr. vance, what's the difference between a company bei ining ord to use its best efforts -- i think the language is -- let's see. reasonable -- an order -- a court order requiring reasonable technical assistance, what's the difference between a court order requiring reasonable technical
4:58 pm
assistance to accomplish the bypassing or disabling of the auto erase function versus a civil subpoena or a court order pursuant to a subpoena, motion to compel, the delivery of information under that person's custody and control? is there a difference? >> i'm not sure, congressman, there is a difference. they're both court orders that are directing an end result. one may be in a civil context, one in a criminal context. but i would say that in this discussion it's very much a part of our history in america that when companies produce items or objects or commerce becomes ubiquitous in a particular area,
4:59 pm
that the company has to have the realization that part of the group of people who are using its products are using it to commit criminal purposes. take a look at banking system. currency transaction reports. so, we -- once it became obvious that criminals were moving cash through the banks, the response was you have to -- you have to create and file transaction reports when cash is moved. so, when a company -- when two companies like these two hugely successful and important companies own 96.7% of the world's smartphone market and we know that criminals -- we know that criminals are using the devices to commit crimes. we've heard some of those stories. i don't think that it is new in american history or in the context of business ethics or oversight for companies to have to adapt to the realities of the
5:00 pm
product they've created. >> because they are the only ones that can -- a bank that receive the cash would be the only entity in a position to submit a currency transaction report. >> it would be the only one required to. if someone else had information about it, they could submit it. but it would be the only one who had firsthand knowledge. >> okay. now, mrs. landau, is it your opinion that the government should not have the ability to compel apple to use its best efforts to accomplish a technical feat? is that your opinion? >> so, there are two answers to that. if you're asking me as a lawyer question, then i'm not a lawyer and i'll dodge. but if you're asking me as a technologist, i will say that it's a security mistake. it's a security mistake because
5:01 pm
that code -- >> because what apple would do would inherently cause an insecurity in their system. >> that's right. and it will be the target of organized crime and nation-states because it will be very valuable for somebody who puts a phone down as they go through customs, for somebody who goes to a business meeting and they're not allowed to bring their phone in because it's a meeting under a nondisclosure and the phone is sitting outside for a few hours, all sorts of situation, the phone will be very interesting and if there's code that can get into the data that phone will become the target of nation-states -- >> once apple makes the code then it makes it susceptible to being stolen and misused. >> that's right. >> therefore, apple should not be required to comply with the court order. >> i'm not answering the legal question. i'm answering the security question. the security question, it makes a real mistake. >> okay, and mr. sewell, you
5:02 pm
would agree with that? >> i would agree if we're forced to create this tool that it reduces the safety and security, not within our own systems -- >> well, now, let me ask you a question. what about the security and safety of those whose liberty can be taken and lives can be taken due to an ongoing security situation which the fbi is seeking to get access to information about? do those -- is there an interest in the public security that we're talking about here? >> congressman, that's what -- >> the time of the gentleman has expired, but mr. sewell may ages t answer the question. >> that's what makes it a very hard issue. we're balancing two very different issues, private security, the security of people who use the iphones, the location of your children, the ability to prevent your children from being kidnapped or harmed
5:03 pm
versus the security that's inherent in being able to solve crimes. so, it's about how do we balance these security needs. how do we develop the best security for the united states. if you read the statements by general -- any of the encryption specialists today will say that defeat turing or debilitating encryption makes our society less safe overall. and so that's what we're balancing. is it the right thing to make our society overall less safe in order to solve crime? that's the issue that we're wrestling with. >> thank you. i yield back. >> the chair recognizes the gentleman from south carolina, mr. gowdy, for five minutes. >> thank you, mr. chairman. mr. sewell, you just mentioned a balancing. can you give me a fact pattern where apple would consent to the madgistrate judge's order in
5:04 pm
california? >> congressman, we'll follow the law if we're ordered -- >> i'm asking for a fact pattern. you mentioned balancing. i want you to imagine a fact pattern where you balance the interests in favor of what the bauer row is asking you to do as opposed to your current position. give me a fact pattern. >> congressman what i said was we have to balance what is the best security for the country. not balance when we should give law enforcement what they're asking, but balance what's the best security for the country. >> i thought that's what we were balancing is public safety versus privacy. you also mentioned the first and fifth amendment. can you give me a fact pattern where apple would consent to the order of the magistrate judge? >> congressman, what i said was, privacy, security, personal safety. >> perhaps i'm being ambiguous in my asking of the question. can you give me a fact pattern where you would agree to do what
5:05 pm
the bureau is asking you to do in california? whether it be nuclear weaponry, whether it be a terrorist plot, can you imagine ad(ó#e fact pat where you would do what the bureau is asking? >> where we would create a tool that doesn't exist -- >> yes. >> -- in order to reduce the security and safety -- >> yes. >> -- of our users? >> yes. >> i'm not aware of a fact pattern. >> so, there is no balancing to be done. you've already concluded that you are not going to do it. >> i said we will follow the law, if a balance is struck, if there is an order to comply with, we will -- >> there is an order. >> that order is being challenged at the moment as we speak. there's an order in new york that says -- >> i'm glad you mentioned the -- i'm glad you mentioned the order in new york. that's a drug case. you would agree with me the analysis in drug cases is very different in the analysis of national security cases. even if you didn't agree with that, you would agree that in footnote 41 the magistrate judge
5:06 pm
in new york invited this conversation about a legislative remedy, which brings me back to chairman sensenbrenner's question, where is your proposed legislative remedy? >> we don't have legislation to propose today, congressman. >> how will we know whether or not you think it strikes the right balance if you don't tell us what you think? >> congressman, when we get to the point where it's appropriate for us to propose legislation, not just apple, but the other stakeholders that engaged in this process, i'm sure there will be legislation -- >> well, let the record reflect, i'm asking you for it now. i would like you to tell us what legislative remedy you could agree with. >> i don't have an answer for you today. no one's had an answer to that. >> can you give me one? i don't know whether apple has lobbyists. i suspect you may have a government relations department. possibly. can you submit legislation to chairman sensenbrenner's
5:07 pm
question that you could wholeheartedly support and lobby for that resolves this conundrum between you and the bureau? >> it is my firm belief that such legislation can be drafted. i do not have language for you today, congressman. >> see, mr. sewell, we draft it and then your army of government relations folks opposes it. so, i'm just trying to save us time. the judge in new york talked about a lengthy conversation. sometimes circumstances are exigent where we don't have time for a lengthy conversation. so, why don't we just save the lobbying and the opposing of whatever, cedric richmond or hakim or luis and i come up with, why don't you propose it. tell us what you could agree to. >> congressman, we're willing to and we've offered to engage in that process. >> the legislative process or with the debate process? >> both, of course. >> will you submit legislation to us that you could live with
5:08 pm
and agree with? >> if after we have the debate to determine what the right balance is, then i think that's a natural outcome. >> well, how long is the debate going to last? >> i can't anticipate that, congressman. >> well, let me ask you this. you mentioned the first amendment which i found interesting. are you familiar with voice exemplars? >> i'm sorry, is that a case, congressman? >> no, voice exemplars are ordered by courts and judges for witnesses or defendants to actually have to speak. so, a witness can see whether or not that was the voice that they heard during a robbery, for instance. how about -- because you mentioned you have a first amendment right to not speak. what about those who have been immunized and still refuse to cooperate with a grand jury and they are held in contempt and imprisoned? so, there are lines of cases where you can be forced to speak. >> congressman, we've made an argument, a constitutional argument, if the courts determine that that argument is
5:09 pm
infirm, then we will -- >> i'm asking you whether or not you agree there are exceptions. >> you've given me two examples i've not heard of before. >> how about back to the fifth amendment because i'm out of time. the fifth amendment you say you are being conscripted to do something. but there's also a line of cases where folks are conscripted to perform surgical procedures or cavity searches or other things i won't go into in mixed company where they are looking for contraband, so that's a nurse or a doctor or an anesthesiologist that is conscripted by the government. you would agree. >> i'm not familiar with these cases. >> here's what i'll do -- i'm out of time. i'll get you the cases i'm relying on if you'll help me with the legislative remedy. deal? >> i look forward to the cases. >> deal. >> the time of the gentleman has expired. the chair recognizes the gentleman from florida, mr. deutsch, for five minutes. >> thank you, mr. chairman. i would start by saying i
5:10 pm
don't -- this is really hard. i'm not looking to -- i'm not looking to apple to write the legislation to balance these very difficult issues between privacy and public safety. i don't expect you to do it. i expect us to grapple with it and that's what we're trying to do here today. and i -- and i had raised this point earlier, but it's a perfect lead-in to the questions i want to ask. this focus on surgical procedures and we can force the government can force a surgical procedure to be done sounds like it's -- it's somehow equivalent, well, certainly if we can do that, then we can require that a company create a way in to its phone. except as i said earlier with director comey, that surgical procedure's going to be done by the person that the government says should do it and there is no one from around the world who from their remote location is
5:11 pm
going to be able to figure out how to conduct surgery on that individual. yet in this case -- and this is why this is so hard for me. in this case there are people all over america and around the world who will be trying to figure out how to utilize whatever it is that's created here, if this is where this goes, to access the phone. and director comey earlier, mr. sewell, director comey said it's a three-step process that they're asking. can you just speak to that process? >> i absolutely can, thank you, congressman. first, i agree with you that this is not a problem which -- there are people that are trying to break into these systems, there are people who are trying to steal this information if it existed and their capabilities are increasing every day. so, this is not a threat which is static. this is a threat which is increasing. the three parts that we're being asked to develop are, first, a
5:12 pm
method to suppress the data deletion after ten failed attempts. the second thing that we're being asked to suppress is the time delay between successive attempts. both of these are specifically tailored to deal with the situation where your phone is stolen, where some bad person is trying to break into it, and it's specifically designed to defeat the brute force attack. >> right. >> the third piece is interesting, because the third piece is the government asking for us to rewrite the code that controls the touch screen and allow them to put a probe into the phone and to bypass the need to enter numeric digits through the touch screen. the only reason that that makes sense, congressman, is if you anticipate that this is going to be technology used on other phones and other phones that likely have more complicated pass codes. >> all right.
5:13 pm
so, that's the question. and, mr. sewell, it's a question for you and, mr. vance, it's a question for you. and i -- this is -- this is one where if i -- if i believed -- if i understand that what's being asked of you is to create this way in to this one phone, then i want you to do it. i do. and i can get past a lot of these -- these privacy issues if i believe that it's once and then can then be disposed of, destroyed and that will be the end of it. the question is, is that the case? and when you create it for this one, is it something that can be used on other phones? director comey i don't think was clear about that, so i'd ask you that question, and, mr. vance, i'd ask you the same question. >> if i can -- >> please. >> -- actually the doctor's own paper, you need the phone physically at cupertino to open it.
5:14 pm
and i refer you to her -- >> i don't have much time. i'm not sure i understand what that means. i just want to know, cutting to the chase, i just want to understand if this is created, is it something that not just -- that could be used by you in the pursuit of justice, but by the criminal cyberterrorist hackers and really dangerous people who are looking to do bad things every day of the year going forward? >> congressman, my point is simply that if this code is created, and you were looking at the risk to other devices, other apple phones in the world, those phones are going to have to come to soup cupertino to be opened. this is -- >> let me ask mr. sewell -- i only have a couple seconds. left. >> he's incorrect. >> but the question is even if that's correct, i'd like you to speak to it. is it -- is it true that the hackers of the world, that there
5:15 pm
will be those that try to find a way to get around having to take the phone to cupertino in order to conduct whatever operation is necessary to break in? >> unquestionably, congressman, and that's exactly the risk and the danger that we foresee. with respect to the comment that mr. vance just made, in fact, the request that we got from the government in this case was that we should take this tool and piece -- put it on a hard drive and send the hard drive to the fbi. the fbi would then load that hard drive into a computer, hook the phone up to the computer, and they would perform the entire operation. so, that this whole tool is transportable on a hard drive. so, this is -- this is a very real possibility. >> should we be concerned, mr. vance? look, i want to get into this phone, but shouldn't we be concerned if that's accurate that there's something that's being created that's transported on a hard drive that winds up on another computer that there is at least the risk that that gets stolen and suddenly you -- there
5:16 pm
is -- that not just a bad person and these terrorists that we desperately want to get and get this information, but suddenly all the rest of us who are trying to protect ourselves from the bad people and who are trying to protect our kids from these bad people are potentially at risk, too? >> congressman, i respectfully disagree with the colleague from apple, but i will confess that i -- you know, in his knowledge of the company is great. apple has created a technology which is default disk encryption. it didn't exist before. it exists now. apple is now claiming a right of privacy about a technology that it just created that right of privacy didn't exist before apple created the technology. number one. number two, i can't answer how likely it is that if the federal government is given a source code to get through the front
5:17 pm
door of the phone, that is at risk of going viral. i think it may be overstated to suggest that. but i can tell you this, if there's an incremental risk that providing the source code creates a vulnerability, what is that risk. don't tell us just millions of phones might be affected. tell us -- i think we can do better than just giving us broad generalizations without specifics. but i can tell you this, the consequence -- the other side of the weight, the consequence is in cases all over the country right now in my jurisdiction, your jurisdiction, everywhere, families like the mills family, are not getting justice. and the direct consequence of this disk encryption is that innocent victims all over the country are not getting their cases solved, prosecutors are
5:18 pm
not doing the job that they have been elected and sworn to do, and there is a significant consequence to default disk encryption that i think needs to be balanced against a speculative claim of increased insecurity. >> i'd like to just add a couple of comments. this is not about a new right of privacy. it's about a new form of security. and if we think about how the phones are used and increasingly how the phones are used, i certainly have two factor authentication i use through my phone but there are ways of using the phone as the original authentication device and if you make the phone itself insecure, which is what is being asked for by law enforcement, you preclude that and that is the best way to prevent the stealing of lock-in credentials, the use of a phone as a authenticator. in terms of the risk of the disk and so on, it's not the risk of the disk going out because the disk is tied to a particular phone. the risk is that somebody will
5:19 pm
come into apple and provide a rogue certificate that, you know, they're from law enforcement or wherever and will get the ability to decrypt a phone that should not be decrypted whether it's the chinese government or an organized crime group or whatever, that's the risk we're facing. >> may i, congressman, with the chairman's permission? >> my time is up. the chairman has been generous. >> well beyond the time, but briefly. >> the professor has not answered what about the people, the residents, the citizens, the victims, whose cases are being put on the side and not addressed while we have an academic discussion, an important one -- >> well, it's an important academic discussion because before these phones existed, the evidence that you're talking about didn't exist in the form that you've had access to.
5:20 pm
now the technology is moving to a new generation and we're going to have to figure out a different way to help law enforcement but i don't think we say we're not going to ignore these vulnerabilities that exist in order to not change the fact that law enforcement is going to have to change the way it investigates and gathers evidence. the time of the gentleman has expired. the chair recognizes the gentleman from illinois, mr. gutierrez. >> thank you, mr. chairman. first of all, i'd like to ask through the chair if congressman lofgren has a need for any time, i'd like to yield to her first before mine. >> i thank you very much. you know, i don't know you, mr. vance, i'm sure you're a great prosecutor. i do know mr. sewell, he's a great general counsel, but the person that really knows technology on the panel is dr. landau. and i'm interested in your comments about the vulnerabilities that would be created by complying with the magistrate's order.
5:21 pm
and some have suggested that it's speculative and, you know, academic and the like. but is that what your take on this is? >> absolutely not. >> the theory -- i mean, we're moving to a world where everything is going to be digital. and you could keep track of, you know, my, you know, when i'm walking around the house i'm in, my temperature, opening the refrigerator, driving my car, and if that all is open to a legitimate warrant -- i'm not downplaying the problem that prosecutors have, but this is evidence you currently don't have access to. how vulnerable is -- are -- is our country going to be? that's the question for you. >> extremely vulnerable. david sanger's article in today's "new york times" about the ukraine power grid says that they got in as i mentioned earlier through the login
5:22 pm
credentials. it's based on a dhs memorandum that talks about locking down various systems. i served for a number of years on nist's information security and advisory -- security privacy advisory board and we used to talk to people from the power grid, it's okay, our systems aren't connected to the internet. well, they were fully connected. we are, whether you're talking about the power grid, the water supply, whatever, we're connected in all sorts of disastrously unsafe ways. and as i mentioned earlier, the best way to get at those systems is through login credentials. phones will provide the best way to secure ourselves. this is not just about the personal safety of the data you have on your phone and it's not just about the location of where your family is, and it's not just about the business credentials, but it's really about the, as you say, congressman lofgren, it's really about the way that we are going to secure ourselves in the future. and what law enforcement is asking for is going to preclude those strong security solutions.
5:23 pm
it also is a very much a 20th century way of looking at a 21st century problem. and i didn't get a chance to answer congressman gowdy, but the fbi although it has excellent people, it hasn't put in the investment. so director comey said, we talked to everyone who will talk to us, but i was at a meeting -- i briefed at fcc a couple years ago and some senior people from doj were there and i said, well, you know, nsa has scale "x" and "y" and doj said they won't share it with the fbi except in exceptional circumstances. law enforcement needs to develop the skills up by themselves and you ask about what it is this committee can do. it's -- it's thinking about the right way for law enforcement to develop those capabilities, the right level of funding, the funding is well below it should be, but they also don't have the skills. >> thank you. so, i'm happy i yielded the time
5:24 pm
to you. i always know it's one of the smartest things i do is work with congresswoman lofgren on this committee. but i just want to share with you, look, i understand the competing interests here. but i think, mr. sewell, you should understand that i love your products, you know, i used to think, you know, house, then a car, now i think technology between what they charge me for the internet, all the stuff i buy, just to get information every day, it's -- but don't worry, i can afford it. i'm not going into the poorhouse because of it, so i'm excited about all of the new things that i get to and how it improves my life. and so i'm thankful to men and women in technology for doing that. but a lot of times in this place, there's adversarial positions taken and i would hope simply that we would look for a way in which we put the safety interests of the american people.
5:25 pm
i understand that you think that if we find a back door that that causes all kinds of insecurities. but in this committee, i'm going to work with congresswoman lofgren, but i'm also going to work with trey gowdy. we're going to work a lot of time bipartisanship in this place is many times promoted but very, very rarely rewarded in this place because everybody is, oh, you should take one position or another. i'm going to take a position for the american people. while you might dispute, i kind of look at apple as an american company. i look at toyota as a japanese company, i look at you as an american company. you may dispute that. you may look at yourself as an international entity, but i also look at you as a pride. when i make this phone to china, the intelligence community of the united states, the first thing before i get off that plane, is they take it away from me.
5:26 pm
so, there are bad actors out there already intervening with your products or i don't think the fine people of the intelligence community would take away one of the things i need the most in my life. so, having said that, i hope we might find a way so that we could balance the security needs and the safety needs of the people of the united states and their right to privacy. i think it's essential and important. i want to thank you guys for coming and talking to us and let's try to figure it out all together. thanks. >> thank you, congressman. and i absolutely -- i agree with what you said, and i think that -- i am proud to work for apple and i think apple embodies so many of the most -- the most valuable characteristics that make up america, make america a great place. we stand for innovation. we stand for entrepreneurship, we stand for empathy. we stand for all boats rising. so, i'm very proud. and we are an american company and we're very, very proud of that. the point about security outside
5:27 pm
of the united states is exactly the point that drives us. we are on a path to try to create the very best, most secure and most private phones that we can. that's a path that will probably never end because the people that we're competing with, the bad guys not just in the united states but all over the world, are on an equally aggressive path to defeat everything that we put into the phone. so, we will continue from generation to generation to improve the technology, to provide our users with a safer experience. >> thank you, mr. chairman. >> the gentleman from louisiana, mr. richmond, is recognized for five minutes. >> >> and i'm happy to follow luis, because i guess we're going to start -- i'll start where he left off, and i think about a 9-year-old girl who asked why can't we open the phone to find out who killed my mother because
5:28 pm
i was there and heard it happen. so, let me start with this. if the fbi developed the ability to brute force open a phone, would you have a position on that? >> without involving apple, without having apple -- >> yes. >> -- complicit in that. i don't think we have a position to object or not object to that. i think if the fbi has a method to brute force a phone, we have no ability to stop them. >> but are you okay with that? >> well, i think that privacy and security are vitally important national interests. i think that if you weaken the encryption on the phone, then you compromise those vital interests. >> i'm not asking you about the encryption. if they could brute force open a phone, do you have a problem with that? it's -- i think that's just an easy question. >> then, i'm sorry, perhaps i'm misunderstanding. if the fbi had the ability to brute force a phone, i would suggest that that's a security vulnerability in the phone.
5:29 pm
so, i would have a problem with it, yes. >> let me ask you another question, because i see you're a lawyer, i'm a lawyer. i would feel awful if i didn't ask this -- >> can i just say something for a second? >> in a second. let me get through this question. brittany mills had a 5-s phone operating on an 8 -- with 8.2 ios. does apple, any employee, subcontractor, subsidiary, or anyone that you know of possess the knowledge or the ability to open that phone? or unlock that phone. >> we don't. i am glad that you asked about the mills case because i think it's instructive about the way that we do work together cooperatively. i know that we met with members of your staff -- >> look, i'm not suggesting that you all don't. but i just want to -- i want to know does anybody have the ability to unlock the phone, first. and if you tell me no, then i get a no in public on the record and i feel a lot better about
5:30 pm
what i'm doing. >> let me be clear. we have not said that we cannot create the tool that the fbi has asked us to create. >> right. no, i'm not asking about creating anything. i'm asking does it exist now, do you know anybody, or does anyone have the ability of doing it right now? >> short of creating nothing new, no. >> now, in a -- oh, i'm sorry, i promised to let you answer. >> i just wanted to add in security we have an arms race. people build good products. somebody finds a vulnerability. it could be the fbi. it could be -- now, the fbi may not tell anybody about the vulnerability, but we have this arms race where as soon as somebody finds a problem, the next roll of technology comes out and that's the way we do things. >> so, what would be your feeling if the fbi developed the technology that they can plug something into the iphone -- >> i think that the fbi should be developing the skills and capabilities to do those kinds of investigations.
5:31 pm
i think it's absolutely crucial. and i think that they -- they have some expertise but it's not at the level that they ought to have and i think we're having this conversation exactly because they are -- they are really using techniques from -- they're using a mindset from long ago, from 20 years ago rather than the present. >> so they're antiquated? >> will the gentleman yield? >> they did not say authorized to a court order warrant. you are not suggesting they develop the technology and do what they think is best, they have to do it subject to a warrant. >> of course, thank you. >> i am glad you cleared that up. i don't think any of this should happen without a court order. now, you know, maybe i watch too many movies and maybe i listen to trey gowdy too much, some people would suggest if i listen to him at all that's too much. but in the instance that there's a terrorist that has put the
5:32 pm
location of a nuclear bomb on the phone and he dies, how long would it take apple to develop the technology to tell us where that nuclear bomb was? or would apple not be able to develop that technology to tell us in a short period of time? >> the first thing we would do is to try to look at all of the data that surrounds that phone. there is an enormous change in the landscape over the last 25 years with respect to what law enforcement has access to. so, when we have an emergency situation like that, whether it be a lost child or the airplane, when the malaysia airline went down, within one hour of that plane being declared missing, we had apple operators cooperating with telephone providers all over the world with the airlines and with local -- well, with the fbi to try to find a ping, to try to find some way that we could locate where that plane
5:33 pm
was. so, the very first thing that we would do in this situation is to bring to bear all of the emergency procedures that we have available at apple to try to find it. >> thank you. mr. chairman, can i just clarify, because i don't want anyone to leave out of here thinking that apple has not been cooperative with our district attorney in the effort to access the data. and, in fact, they came up with new suggestions. but my questions are just about the government's ability to just brute open a phone at any point with a court order. so, i don't want to suggest that apple has not been working diligently with my d.a. who has also been working diligently, thank you, mr. chairman. i yield back. >> i appreciate that, mr. congressman. >> the chair recognizes the gentle woman from washington state for five minutes. >> thank you, mr. chairman. thank you all for being here and
5:34 pm
enduring this for a while. it's very, very important. in the earlier part of the hearing director comey said that it is not a company's job to worry about public safety, and i think that that is -- would be very concerning for a company to send that message, given that we have technologies that impact people's everyday lives in so many ways and i assume you agree with that, mr. sewell? >> i absolutely do. i do not subscribe to the position articulated by mr. com comey. >> i worked at two silicon valley companies, sun microsystems and google and that's certainly not what i saw in either of them. >> in the brooklyn case the judge stated the world of the internet of things the government's arguments would lead quickly to a world of virtual limitless surveillance and intrusions on personal privacy so i'd like to explore the encryption of the internet of things a little bit. we often talk about security by design when it comes to the
5:35 pm
internet of things and i'm sure we can all imagine the horror stories of insecure internet of things types of devices like appliances being hacked to cause a fire or spying through baby monitors, hacking into a car or tampering with a home security system. so, i'm wondering, dr. landau, i'm wondering if you could comment on what it means in the encryption context and whether directives we've heard from the ftc, for example, to adopt security by design in the interest of protecting consumers from malicious actors is inherently incompatible with what you might call insecurity by design should that be mandated by the courts? >> well, here you're in a situation where the companies often want to collect the data. so, for example, if you're using smart meters, the company wants the data. the electric company wants the data to tell your dishwasher, don't turn on at 4:00 in the afternoon when air-conditioning
5:36 pm
requirements are high in silicon valley right now, turn it on at 8:00 at night or 2:00 a.m., in fact, it wants the individualized data and if it has the individualized data then it can certainly share it with law enforcement under court order. the security by design is often in the internet of things, securing the data on the device and securing the transmission of the data elsewhere. the issue in the apple phone is the data stays on the device and that's the conflict that we're having. for the internet of things, it's most useful if the data goes off the device to somewhere elsewhere it can be used in a certain way. >> and, mr. sewell, could companies open themselves up to liability if vulnerabilities for law enforcement end up being exploited by a bad actor? >> i think that's absolutely true. somewhat ironically i suppose we have the ftc at this point actively policing the way in which technology companies deal with these issues and we can be liable under the section 5 or
5:37 pm
under the authority of the ftc if we fail to close a known vulnerability. >> and, ms. landau, you talked about the question of security versus -- or the issue of security versus security. and that this really is a debate about security versus security. could you explain a little bit more why -- >> sure. >> -- our national security and cybersecurity incompatible in your opinion? >> so, what we really have here over the last 20 years as i mentioned earlier is you see the nsa and snowden revelations aside, we don't have time for me to describe all of the subtle points there, but you really see the nsa working to secure private sector telecommunications infrastructure, many, many examples. we have moved to a world of electronic devices, you talk about the internet of things, that leak all sorts of data. and in order to protect ourselves, whether ourselves, our health data, our bank data,
5:38 pm
the locations of our children and so on, we need -- we need encryption and so on. but if you think more broadly about the risks that our nation faces, and the risks of people coming in and attacking the power grid, people coming in and stealing data from whatever company and stealing patented information and so on, you see a massive national security risk. and you've been hearing it from general keith alexander, we've been hearing it from hayden, we've been hearing it from mike mcconnell, we've been hearing it from chertoff, all the people who have been involved on the dhs and nsa side. the only thing that can secure that is security everywhere and the move that apple makes to secure the phones is one of the many steps we need in that direction. >> thank you. my time's expired. i yield back, mr. chair. >> thank you. i now am going to recognize myself for some questioning, so welcome in.
5:39 pm
i'm sorry, mr. sewell, pronowpsing that name correctly? >> you are. >> i have some questions for you concerning china. in 2014 you moved your -- what's referred to as your chinese cloud to china, is that correct? >> that is correct. >> okay. and can you -- can you tell me who's data is stored in that chinese cloud? is it just people in china? is my data stored in that cloud as well? >> your data is not stored in that cloud. >> is it strictly limited to chinese people? >> there are a number of things that in the cloud, so i should probably be clear about what's there. >> okay. >> with respect to personal data, no personal data is there unless the individual's data -- the individual himself has registered as having a chinese address and having a chinese access point. in addition, we have other data which has to do with film
5:40 pm
content, movies, books, itunes, music. the reason we do that is because of something called latency. if you're streaming across the internet and you have to bring the data from the united states to china, there's a lag time. there's a latency piece, whereas if we move that data closer to china either hong kong or main land china, then we can provide a much better service to our customers. >> okay. can you tell me what was the cost in the ballpark figure in the time to make the move to -- from the united states to move chinese information over to china and their cloud? >> i'm sorry, did you say in time? >> cost and time. >> so, the time -- the cost is building the facilities. i don't have a number for that. it's certainly not something that i'm aware of, although, of course, the company has that information. in terms of the time, once the
5:41 pm
server exists, once there is a receptacle for the data in theory it's instantaneous. >> you may or may not know but i was a prosecutor for a while both at the state and federal leveller er level. and we prosecutors are focused on the case and the crime concerned and we want to get our hands on anything we can. to see that justice is served. but on the other side of this, too, we're talking about privacy issues. and i'm very concerned about to what extent if for some reason you were to change your mind about working with the fbi or the court ordered that, what does that mean to our privacy? >> i think it means that we have put our privacy at risk.
5:42 pm
the tool that we're being asked to prepare is something which could be used to defeat both the safety and the privacy aspects of the -- >> let me get this clear, because there are many rumors flying around, and you probably answered this a couple times, and i apologize, i had to run and do something else. are you saying that there is no method that exists now that you could unlock that phone and let the fbi know what is in there? >> short of creating the tool that they have asked us to -- >> right. >> -- we are not aware of such a method, no. >> now, you talk about the cost is an unreasonable burden and the time involved. that's why i asked you what did it cost to move the cloud, what was the time, and you're the expert. i'm not. >> congressman, to be fair, we
5:43 pm
haven't claimed that the time that it would take to create the tool is the undue burden. our claim is that the undue burden is to compromise the safety and security of all of our customers. >> so, it's your position that if you do what the fbi wants to one phone, could you elaborate on that in the 33 seconds i have left as to why that would be an undue burden, keeping in mind that i'm very critical about our privacy. >> congressman, the answer is very simple. we don't believe this is a one-phone issue. we don't believe it can be contained to one phone or that it would be contained to one phone. >> okay. i see that my time is just about run out, so i'm going to yield back and who's next? mr. jeffries, congressman jeffries, is next. >> thank my good friend from pennsylvania for yielding. i want to thank all the witnesses for your presence here
5:44 pm
today. it's been very informative discussion. in particular i want to thank mr. vance for your presence and certainly for the many progressive and innovative programs that you have in manhattan proving you can be both tough and fair as a prosecutor and that has not gone unnoticed. let me start with mr. sewell, there's an extensive record of cooperation that apple has with law enforcement in this san bernardino case, isn't that fair to say? >> that's correct. for over 75 days we've been working with the fbi to try to get more information to help try to solve this crime. >> i think it's useful to put some of this on the record. on december 5th the apple emergency 24/7 call center received a call concerning the san bernardino shooting, is that right? >> that's right. in fact, the call came in to us at 2:47 a.m. on a saturday morning. we have a hotline that exists. we have people that are manning that hotline. >> and you responded with two document productions, is that correct? >> by 2:48 that morning we were working on the case and we responded by giving the fbi all
5:45 pm
of the information that we could immediately pull from our sources and then we continued to respond to subpoenas and to work directly with the fbi on a daily basis. >> in fact, the next day i believe apple received a search warrant for information relating to at least three e-mail accounts, is that correct? >> that's correct. >> you did comply with that request? >> we did comply with that request and subsequent requests. >> on january 22 ction you received another search warrant for icloud records? >> in the intervening stage we had sent technicians to work with fbi technicians in washington, d.c., and cupertino and we provided a set of alternatives or options that we thought should be tried by the fbi to see if there might be some possibility that we could get into this phone without having to do the tool that we're now being asked to create. >> the issue here is not really about cooperation as i understand it. apple has clearly cooperated in
5:46 pm
an extensive fashion as it relates to all of the information that you possess. the question i think that we all on the judiciary committee and beyond have to consider is the notion of you being asked as a private company to create anti-encryption technology that currently does not exist and could jeopardize the privacy and security of presumably hundreds of millions of iphone users throughout the country and the world, is that right? >> we're being asked to create a method to hack our own phones. >> now, mr. vance, are you familiar with the arizona v hicks supreme court case? from the late '80s. >> if you give me the facts, i'm sure i will have read it. >> okay. well, the supreme court held the police conducted an unconstitutional search of evidence that was not in plain view. it was a decision that was written by justice antonin scalia and the most important point that i want you to reflect upon is he stated, in authoring
5:47 pm
the majority opinion, that there is nothing new about the realization that the constitution sometimes insulates the criminality of the few in order to protect the privacy of us all. do you agree that embedded in the fabric of our constitution, the fourth amendment and beyond, is the notion that we value the privacy rights of americans so deeply that at times it is something that will trump law enforcement convenience? >> congressman, i do sincerely believe that. what concerns me about the picture we are seeing from the state perspective is that apple has decided that it's going to strike that balance now with no access by law enforcement for full disencrypted devices even with a warrant. so, they have created their own balance.
5:48 pm
they now have decided what the rules are. and that changes radically the balance that existed previously. and it was done unilaterally so this could be -- >> well, i think -- if i could just interject. i think that that's a balance that ultimately the congress is going to have to work out and also the article three court systems certainly beyond an individual magistrate who is not even appointed for lifetime tenure is going to have to work itself through the court system a district court judge and maybe the ninth circuit and ultimately the supreme court. the company exercising its right in an adversarial system to have all facts being aired on both sides of the debate is very consistent in my view with american democracy and jurisprudence. just one last question that i wanted to ask as my time is expiring because you raised an interesting point earlier in your testimony about an individual who is a suspected criminal who claimed that the
5:49 pm
encryption technology was a gift from god. but i also noted, i think, in your testimony that this individual communicated that in an intercepted phone conversation that presumably your office or others were wiretapping. is that right? >> no. it's not right. all phone calls from prison, out of rikers, are recorded. >> right. >> there's a sign when you pick up the phone if you are in rikers island that this is happening. so, there's a tape. and ultimately that tape was subpoenaed, and it's from that tape that that conversation w was -- was transcribed. >> and if i could just -- in conclusion, i appreciate the chair's indulgence. i think that illustrates the point. presumably that it's fair to say that in most instances bad actors will make a mistake. and at the same time that he's heralding the availability of
5:50 pm
encryption technology to shield his activity from law enforcement surveillance and engagement, he's ignoring a plain view sign that these conversations are being recorde ignoring a plain-view sign that these conversations are recorded and subjecting himself to unfettered performance. i have the faith in your ability and fbi's ability ultimately to outsmart the criminals and bad actors without jeopardizing the privacy and security of the american people. >> and in this case, our challenge is because of our inability to access the phone, our inability to investigate further any evidence of sex trafficking, is not made available to us. so yes, he did something that was not smart. but the greater harm is the inability, in my opinion, of getting to the true facts which
5:51 pm
in fact are extremely important as matter of public safety to get access to. >> my time is expired. thank you. >> i thank the gentleman from new york and the chair recognized now the gentleman from rhode island, congressman. >> thank you. there are few be a so lbe be a in the law. there are risks with an ability to access criminal investigation. so my first question is, many people who agree that apple or any other company should not be required, and there's no authorization to require them, to produce a product that doesn't exist or to develop a property that doesn't exist, many people who think that
5:52 pm
that's correct wonder whether apple has considered in limited circumstances and maybe a standard you would set internally, if it in fact is a situation that would prevent immediate death or serious bodily injury. coupled with a consent of the person or lack of objection. in this case, this person is deceased, where there is no privacy claim asserted, in some narrow category, whether or not there are a set of protocols you might voluntarily adopt to provide that information or software with instructions that it be immediately destroyed or done in a skiff and say, is that practical? something like that? should that be part of this discussion that we keep hoping that industry and justice department will have in trying to develop something or is that fraught with so many problems that it's -- >> congressman, we have, and
5:53 pm
spend a lot of time thinking about, how we can assist our customers in the event that they have a problem, if they've lost a phone. if they are in a situation where they are trying to recover data. we have a number of mechanisms to do that and we will continue to improve the mechanisms as we move forward. it is very important to us that we try to think about the consequences of the devices that we create. in this particular case, the pass code unlock is not something that we think lends itself to a small usage. the problem with this particular issue is that once you take that step, once you create the mechanism to unlock the phone, then you have created a back door and we cannot think of a way to create a back door that can only be used ben officially and not be used by -- >> so you have in fact already contemplated other ways in which you could make this information available in this case that would not have those sorts of
5:54 pm
broader implications. >> and we have provided information in this case. we have provided logs. icloud backup. all the things at our disposal. >> you say in your written testimony, in your written testimony, the point is that solutions to accessing the data already exist with the forensic analysis community. we would probably limit our question too narrowly because we ask about the intelligence communities of the united states. it sounds like you're suggesting that there may be capabilities outside the united states government that the justice department or the fbi could contract with that are capable of doing what it is they are asking a court to order apple to do. >> i noticed when director comey answered the question, and we talk to everyone you talk us to, as i mentioned earlier, i don't know if you were here at that point, i had a conversation with some senior doj people years ago
5:55 pm
about using nsa tools in law enforcement and they say nsa is loenl to share because if you share a tool it can get into a court case and then the tool is exposed. and so i don't know in the -- we talked with everyone who will talk with us, how much nsa revealed about what they know and what they can do. that the first place i would ask. now aphrased that incorrectly. that the first place that has tools for exactly this problem. but yes, there were discussions last week in silicon valley, discussions with colleagues, where congressman issa gave solutions where there is way to break in to the phone. there is a risk that data might be destroyed. but i have described both in my written and verbal testimony, the fbi has not tried to develop this level of expertise, and it should. >> it seems as if we're contemplating whether or not congress should take some action
5:56 pm
to either grant this authority and figure out what is the appropriate standard and test et cetera, sounds as if you think that is problematic and that in fact the real answer is a substantial increase investment in the intelligence capability and law enforcement capability that keeps pace with the advances that come. like apple are making. but that the best protection in terms of both law enforcement and long-term security in the united states. >> that's right. i don't think there needs to be more authority but more view of how it needs to be done. there is authority in terms of how do you handle it for state and local but state and local do not have the resources. there is some sort of sharing in tools and that is a jurisdictional issue and also, you know, an issue between bureaucracies that have to work out and work out before law and policy. in terms of creating the authority, the fbi has that authority. but it useets it at a much lower level than it should and fund it
5:57 pm
at a much lower level and they need to move from the situation they're in to dealing with the 21st century technologies in the appropriate way. >> thank you, mr. chairman. i yield back. >> you bet. chair recognizes -- >> could i ask just one quick question, mr. sewell. i forgot when it was my turn. someone asked mr. comby about the changing of the pass word of apparently the county did at the request of the fbi. what did that do? can you explain that? >> sure. the phone in san bernardino, what the fbi is struggling with is the time of the last backup and the horrific incident in san bernardino. if the phone would back up, that evidence, that information would
5:58 pm
become available to the fbi. the way we can back these phones up in an automatic way is we connect them to a known wifi source. a source that the phone has connected to before and recognizes. if you plug the phone in and you connect it to a known wifi source, it will, in certain circumstances, auto backup. so the information that fbi is seeking would have been available and we could have pulled it down from the cloud. by changing the pass word, this is different from the pass code, by changing the pass word, it was no longer possible for that phone to auto backup. >> thank you, mr. chairman, for letting me get that information out. >> mr. sewell, i have one more question for you. >> does the chinese government have access to the cloud or is there any indication that they've tried to hack the cloud in china to get information on the chinese people? >> let me be clear about the question. the chinese undoubtedly have the
5:59 pm
ability to access their own cloud. >> yes. >> but with respect to the u.s. cloud, we believe that -- again, i'm struggling because of the words. the cloud is a synonym for the internet. so of course chinese people have access to the internet. are we aware aftof a chinese ha through apple? that, i can't say. >> you answered my question. thank you. that concludes today's hearing. thank you for being here. without objection, we have five legislative days to submit additional questions for the witnesses or additional materials for the record. the hearing is adjourned. >> mr. sewell, good to see you. >> nice to see you.
6:00 pm
6:01 pm
>>. a nearly five-hour hearing wrapping up on the house side of the u.s. capital. house looking in particular at the fbi's request to unlock the smart phone used by the san bernardino terrorists. the justice department argued that request is limited in scope and that is necessary because it's been unable to unlock the phone used by farook, who along with list wife, killed 14 people and injured nearly two dozen in a shooting rampage in december in san bernardino. i want to let you know that we will reair this entire hearing tonight beginning at 9:15 eastern on our companion network c-span 2. you can also find it on-line any
6:02 pm
time at while it is super tuesday, primaries and caucuses across the country in 12 states with results beginning at about 7:00 in states like virginia and our coverage will get under way of results and speeches by the candidate. at 7:00 eastern on c-span this evening. up next, we will take you back to the beginning of today's house judiciary committee hearing as they started the day today hearing from the chair and ranking member of the committee and also from fbi director james comey.
6:03 pm
6:04 pm
results and speeches by the come we ask all the members the media that are taking thousands of pictures here, i'm sure they got some excellent ones of the director, but we ask you to please clear aside so we can begin the hearing. the judiciary committee will come to order and without objection the chair is authorize recess of the committee at any time. we welcome everyone to this afternoon's hearing on the encryption tight rope, balancing american security and privacy. and i will begin by recognizing myself for an opening statement. we welcome everyone today to this timely and important hearing on encryption. encryption is a good thing. it prevents crime. it prevents terrorist attacks. it keeps our most valuable information safe, yet it is not used as effectively today as is
6:05 pm
necessary to protect against the ever increasing sophistication of foreign governments, criminal enterprises and just plain hackers. we see this manifest almost every week in the reports of losses of massive amounts of our most valuable information from government agencies, retailers, financial institutions and average americans. from identity theft to the compromising of our infrastructure to our economic and military security, encryption must play an ever increasing role, and the companies that develop it must be encouraged to increase its effectiveness. encryption is a topic that may sound arcane or only the province of techies, but in fact it's a subject whose solutions will have far reaching and lasting consequences. the judiciary committee is a particularly appropriate forum for this congressional debate to occur. as the committee of exclusive jurisdiction over the united
6:06 pm
states constitution, the bill of rights and the federal criminal laws and procedures, we are well versed in the perennial struggle between protecting americans' privacy and enabling robust public safety. this committee is accustom to addressing many of the significant legal questions arising from laws that govern surveillance and government access to communications, particularly the wiretap act, the electronic communications privacy act, the foreign intelligence surveillance act and the communications assistance to law enforcement act, otherwise known as calea. today's hearing is a continuation of the committee's work on encryption, work that congress is best suited to resolve. as the hearing title indicates, society has been walking a tight rope for generations in attempting to balance the security and privacy of americans' communications with the needs of our law enforcement and intelligence agencies. in fact, the entire world now faces a similar predicament
6:07 pm
particularly as our commerce and communications bleed over international boundaries on a daily basis. encryption in securing data in motion and in storage is a valuable technological tool that enhances americans' privacy, protects our personal safety and national security, and ensures the free flow of our nation's commerce. nevertheless as encryption has increasingly become a ubiquitous technique to secure communications among consumers, industries and governments, a national debate has arisen concerning the positive and negative implications for public safety and national security. this growing use of encryption presents new challenges for law enforcement seeking to obtain information during the course of its investigations, and even more foundationally tests the basic framework that our nation has historically used to ensure a fair and impartial evaluation of legal process used to obtain
6:08 pm
evidence of a crime. we must answer this question, how do we deploy ever stronger, more effective encryption without undually preventing lawful access to communications of criminals and terrorists intent on doing us harm. this now seems like a perennial question that has challenged us for years. in fact, over 15 years ago i led congressional efforts to ensure strong encryption technologies and to ensure that the government could not automatically demand a back door key to encryption technologies. this enabled the u.s. encryption market to thrive and produce effective encryption technologies for legitimate actors rather than see the market head completely overseas to companies that do not have to comply with basic protections. it is true this technology has been a devious tool of malefactors. here is where our concern lies, adoption of new communications
6:09 pm
technologies by those intending harm to the american people is outpacing law enforcement's technological capability to access those communications in legitimate criminal and national security investigations. following the december 15 terrorist attack in san bernardino, california, investigators recovered a cell phone owned by the county government but used by one of the terrorists responsible for the attack. after the fbi was unable to unlock the phone and contents a federal judge ordered apple to provide assistance in obtaining access to the data on the device citing the all writs act as authority to compel. apple has challenged the court order arguing that its encryption technology is necessary to protect its customers' communications,
6:10 pm
security and privacy and raising both constitutional and statutory objections to the magistrate's order. this particular case has some very unique factors involved and as such may not be an ideal case upon which to set precedent. and it is not the only case in which this issue is being litigated. just yesterday a magistrate judge in the eastern district of new york ruled that the government cannot compel apple to unlock an iphone pursuant to the all writs act. it is clear that these cases illustrate the competing interests that play in this dynamic policy question, a question that is too complex to be left to the courts and must be answered by congress. americans surely expect that their private communications are protected, similarly law enforcement's sworn duty is to ensure that public safety and national security are not jeopardized if possible solutions exist within their control. this body as well holds its own constitutional prerogatives and duties. congress has a central role to ensure that technology advances
6:11 pm
so as to protect our privacy, help keep us safe and prevent crime and terrorist attacks. congress must also continue to find new ways to bring to justice criminals and terrorists. we must find a way for physical security not to be at odds with information security. law enforcement must be able to fight crime and keep us safe and this country's innovative companies must at the same time have the opportunity to offer secure services so keep their customers safe.yso keep their customers safe.tyo keep their customers safe. the question for americans and lawmakers is not whether or not encryption is essential, it is. but instead whether law enforcement should be granted access to encrypted communications when enforcing the law and pursuing their objectives to keep our citizens safe. i look forward to hearing from our distinguished witnesses today as the committee continues its oversight of this real life dilemma facing real people all over the globe. it's now my pleasure to recognize the ranking member of
6:12 pm
the committee, the gentleman from michigan, mr. conyers, for his opening statement. >> thank you, chairman goodlatte. members of the committee and our distinguished guests, i want to associate myself with your comments about our jurisdiction. it is not an accident that the house judiciary committee is the committee of primary jurisdiction with respect to the legal architecture of government surveillance. in times of heightened tension some of our colleagues will rush to do something, anything, to get out in front of an issue. we welcome their voices in the debate, but it is here in this
6:13 pm
committee room that the house begins to make decisions about the tools and methods available to law enforcement. i believe that it is important to stay up front before we get into the details of the apple case that strong encryption keeps us safe. former national security director michael hayden said only last week that america is more secure with unbreakable end-to-end encryption. in this room just last thursday former secretary of homeland security michael chertoff testified that in his experience strong encryption laws help law
6:14 pm
enforcement more than it hinders any agency in any given case. the national security council has concluded that the benefits to privacy, civil liberties and cyber security gained from encryption outweigh the broader risk created by weakening encryption. and director comey himself has put it very plainly, universal strong encryption will protect all of us, our innovation, our private thoughts and so many other things of value. from thieves of all kinds. we will all have lock boxes in our lives that only we can open and in which we can store all that is valuable to us. there are lots of good things about this.
6:15 pm
now for years despite what we know about the benefits of encryption, the department of justice and the federal bureau of investigation have urged this committee to give them the authority to mandate that companies create back doors into their secure products. i've been reluctant to support this idea for a number of reasons. the technical experts have warned us that it is impossible to intentionally introduce flaws into secure products, often called back doors, that only law enforcement can exploit to the exclusion of terrorists and cyber criminals. the tech companies have warned
6:16 pm
us that it would cost millions of dollars to implement and would place them at a competitive disadvantage around the world. the national security experts have warned us that terrorists and other criminals will simply resort to other tools entirely outside the reach of our law enforcement and intelligence agencies. and i accept that reasonable people can disagree with me on each of these points. but what concerns me, mr. chairman, is that in the middle of an ongoing congressional debate on this subject, the federal bureau of investigation would ask a federal magistrate to give them the special access to secure products that this committee, this congress and the administration have so far refused to provide. why has the government taken
6:17 pm
this step and force this issue? i suspect that part of the answer lies in an e-mail obtained by "the washington post" and reported to the public last september. in it a senior person in the law enforcement community writes, although is hostile today, it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement. in turn keeping value open in such important situatioaimport .
6:18 pm
i'm deeply concerned by this cynical mindset. and i would be deeply disappointed if it turns out that the government is found to be exploiting a national tragedy to pursue a change in the law. i also have doubts about the wisdom of applying the all writs act, enacted in 1789, codified in 1911 and last applied to a communications provider by the supreme court in 1977 to a profound question about privacy in modern 201co2016m2016p2016u . i fear pursuing the serious and complex issue to the awkward use of an inept statute was not and is not the best course of action. and i'm not alone in this view.
6:19 pm
yesterday in the eastern district of new york a federal judge denied a motion to order apple to unlock an iphone under circumstances similar to those in san bernardino. the act construed to the government, and overbroad authority to override individual autonomy. however, nothing in the government's argument suggests any principle limit on how far a court may go in requiring a person or company to violate the deeply rooted values. we could say the same thing about the request in california.
6:20 pm
this is without limiting principle and likely to have sweepi sweeping consequences whether we pretend that the request is limited to justice device or just this one case. even if the dialogue does not -- in the law enforcement community. i'm grateful that we are having this conversation today back in the form in which the house judiciary committee. so i thank the chairman very much. and i yield back. >> thank you, mr. con years. statements will be made a part of the record. we welcome our distinguished witness of today's first panel.
6:21 pm
if you will please rise, i will begin by swearing you in. you swear that testimony to you are about to give will be the truth, the whole truth and not but the truth so help you god? >> i do. >> thank you. please be seated. i will now begin by introducing our first distinguished witness today, james comey of the federal bureau of investigation. general comey began as an assistant united states attorney for both the southern district of new york and eastern district of virginia after the 9/11 terrorist attacks, director comey returned to new york to become the united states attorney for the southern district of new york. in 2003 he was apointed deputy attorney general under the united states attorney general john ashcroft. director comey is a director of the college william and mary and university of chicago law school. director, welcome. your entire written statement will be made part of the record. i ask that you summarize your
6:22 pm
testimony in five minutes and we have the timing light that you are well familiar with on the table. again, welcome, we're pleased that you are here and you may begin your testimony. >> thank you, thank you for hosting this conversation. and for helping us all talk about an issue that i believe is the hardest i have confronted in government, which is how to balance the privacy we so treasure that comes to us through the technology that we love and also achieve public safety h we all very much treasure. i worry that we have been talking past each other when it comes to this question of encryption that we call going dark. i would like to take three or four minutes and try to frame how i think about it in a way i think is fair, fair-minded, and if not, i hope you will poke at me and tell me where it's not. this is what i believe to be first, that logic of encryption
6:23 pm
will bring us to a place where all of our conversations and all of our papers and effects are entirely private. no one can read our texts, no one can read our e-mails, unless we say so. no one can read our documents that are filed away without agreement. that's the first thing i believe. as you said, there's a lot of good about this. a lot of benefits about this. all of us will keep private and keep things from thieves that matter most to us. ideas, secret thoughts, hopes, dreams. there's a lot to love about this. we will all have storage spaces in our life that nobody else can get into. the third thing i believe is that there are many costs to this. for the last two centuries,
6:24 pm
depending on large measure, on law enforcement going to courts and obtaining warrants to look in storage areas, departments, listen with oversight to conversations. that's the way in which law enforcement brings us public safety. it is very, very important and it's been part of the balance in ordered liberty. sometimes people's stuff can be looked at but only with predcation and only with oversight approval by a dependent judiciary. increasingly international security work and in law enforcement work generally across the country. we see it obviously in isil's efforts to reach into this country and using mobile messaging apps that are end to end encrypted, task people to kill innocent people of the united states. that is a huge feature of our national security work and a major impediment to our counterterrorism work. even with a court order, what we get is unreadable.
6:25 pm
to use a technical term, it's gobably gook, right, we can't uncover what is strong encryption. we also see it in criminal work across the country. see tragically last year in baton rouge where a pregnant woman, 8 months pregnant, killed by someone she open had the door too. she kept a diary but it is on the phone which is locked. so the case is uninvolved. most prominently, as both mr. conyers and chairman mentioned, we see it in san bernardino. where two terrorists in the name of isil killed 14 people and wounded 22 others at an office gathering and left behind three phones. two of which cheap are models they smashed beyond use and third was left locked. in any investigation done kpet tently the fbi would try to get access to that phone. it is important that is a live
6:26 pm
ongoing terrorism investigation, but an investigator would try it use all lawful tools to get inside that device. and that's is what you see in san bernardino. the san bernardino case is about that case. it highlights the broader issue and is looked upon by other judges and litigants but it is about the case and trying to do a competent job of understanding, is there somebody else? are there clues to what else might have began on here? that is our job. the fifth thng i believe is that democracy revolves this robust debate. we have two jobs. the first is to investigate cases like san bernardino and to use tools that are lawful and appropriate. the second thing bb it is our job to tell the american people the tools you are counting on us to use to keep you safe are becoming less and less effective. it is not our job to tell the american people how to resolve that problem. the fbi is not some alien force on america from mars.
6:27 pm
we only use the tools given us to under the law. and so our job is simply to tell people there is a problem. everybody should care about it. everybody should want to understand if there are warrant proof spaces in american life. what does that mean? and what are the costs of that and how do we think about that? i don't know what the answer is. it may be the american people through congress and courts decide. it is too hard to solve. or law enforcement can do its job well enough with strong encryption covering our communications in our papers and effects or that it something we have it find a way it fix or achieve beater balance. i don't know. my job is to try to offer thoughtful explanations about the tools the fb i has and to bring them to the attention of the american people and answer questions about that. so i'm very, very grateful for this forum. very, very grateful for this conversation. there are no demons in this debate. the company's not evil. the government's not evil. you have a whole lot of good people who see the world through different lenses, who care about
6:28 pm
things. all care about the same things in my view. . companies care about public safety. fbi cares about innovation and privacy. we devote our lives to stop people from stealing our innovation, secrets and hacking into our devices. we care about the same things which should make this an easier conversation which i very much look forward to. thank you. >> thank you, director comey. we will now proceed under the five-minute rule with questions for the witness and i begin by recognizing myself. director, there has been quite a bit of debate about the government's reliance on the all writs act which most people had never heard of until the last week or so. that is being used in this case it try to compel apple to bypass the auto erase functions on the phone. it has been characterized as an antiquated statute dating back to 1789. that was never intended to power the courts to require a third party to develop new technology.
6:29 pm
how do you respond to that characterization? has the fbi relied on in the past to gain access to iphones or similar devices and is the act limited to the circumstances in which congress has already imposed a statutory duty on a third party to provide assistance? >> thank you, mr. chairman. i smile a little bit when i hear that because old doesn't mean bad, at least i hope it doesn't because i'm rapidly approaching that point. the constitution is as old or older than the all writs act and i think that's still a pretty useful document. it's a tool that i used. i think there are some members of the committee or former federal prosecutors, every assistant u.s. attorney knows it. i used it in 1987. it is an act that congress passed when the constitution was a baby so there was a vehicle for judges to get their orders complied with. and it's been use many, many, many times and interpreted by courts. i understand what is the reach of the all writs act? still good law but how far does it extend? especially given how technology
6:30 pm
changed. i think courts will sort that out. there was a decision yesterday in new york. there will be a decision in california. this is a problem law enforcement is seeing all over the country. >> let me ask you about that decision in new york. in its brief, in the california case, apple argues a provision of calea, prohibits the magistrate from ordering it to design a means to override the auto erase functions on the phone. just yesterday, a magistrate in new york upheld that argument. can you comment on that? >> not in an intelligent way because i haven't read the decision out of new york. i understand the basic contours of the argument. i don't fully get it, honestly. calea is about data in motion. this is about data at rest. i also think this is the kind of thing judges do tp take acts of congress and try to understand. what does it mean? especially given changing circumstances. i expect it will be bumpy. lots of lawyers paid for lots of hours of work. but the courts will have an understanding of its reach.
6:31 pm
>> if the fbi is successful in requiring app tole to unlock th phone, that won't be a one-time request, correct? >> the issue of locked phone, certainly not. it's become a -- >> it will set a precedent for other questions from the federal bureau of investigation and any other law enforcement agency to seek the same assistance in many, many, many other cases. >> sure. potentially. because any decision of a court about a matter is potentially useful to other courts which is what a precedent is. i happen to think that having talked to experts, there are technical limitations to how useful this particular san bernardino technique will be, given how the phones have changed. but sure, other courts, other prosecutors, other lawyers for companies will look to that for guidance or to try and distinguish it. >> that technology, once developed, which i presume they could destroy again but then would have to recreate hundreds of times, how competent are you, whichever procedure apple decides, how confident are you
6:32 pm
that what you are requesting, which is the creation effectively of a key, a code, how confident are you that that will remain secure and allow all of the other kust customers of apple, and other technologies as well, how confident are you that it won't fall into the wrong handses and keep everything from being secure. >> we talk about keys and back doors and i don't see that this way. there are issues of back doors. there is already a fen on this iphone. we are taking apple, take the vicious guard dog away, let us pick the lock. later phones as i understand, the 6 and after, there aren't doors. so there isn't going to be, can you take the guard dog away and let us pick the lock. look, i have a lot of faith. and maybe i don't know them well enough in the companies to
6:33 pm
secure their information. icloud for example, isn't encrypted. i'm not worrying at night whether they are able to protect the content of icloud. no thing is for certain but i think these folks are pros. >> thank you very much. >> chair recognizes that ranking mr., mr. conyers for his questions. >> thank you chairman goodlatte. and welcome again to our forum here, very regular visitor to the judiciary committee. director comey, it's been suggested that apple has no interest in helping law enforcement in any criminal case and that the company cares more about marketing than about investigating a terrorist attack. in your view, are companies like apple generally cooperative? when the fbi asks for assistance, a company by
6:34 pm
appropriate legal process, did apple assist with this particular investigation? >> i think in general all-american companies, and i can't think of an exception sitting here, would want to be helpful, especially when it comes to public safety. they have families and children, just as we do. that's the attitude we're met with. in this particular case, as many others, apple was helpful to us. we had lots of good conversations about what we might be able to do to get this device open. we got to a place where they said, and i don't question their motive, we aren't willing to go further. and the government said we still have an avenue to pursue with the judge, and we will go to the judge. but i don't question their motives. >> thank you. >> i sense that you're still reluctant to speak about how your success in this case might set a precedent for future access. you indicated last week that this litigation may guide how other courts handle similar requests.
6:35 pm
could you elaborate on that, please? >> sure. >> there's no, first of all, let me say this, i've been trying to explain to people, this case in san bernardino is about this case. the reason i'm trying to say that so much publicly is i worry very much about the pain to the victims in this case. when they see this matter that is so important to them becoming a vehicle for a broader conversation. so i want it make sure everybody, especially the fbi, reminds grounded. my wife has a great expression she uses to help me be a better person, which is, it's not about you, dear. this case is not about the fbi. not about apple. not about congress. it is not anything other than trying to do a competent investigation in an ongoing active case. that being said, of course, any decision by a judge in my forum will be potentially presidential in some other form. not binding, but guidance. either positive or against. the government lost a case yesterday in brooklyn.
6:36 pm
we could use the case in san bernardino and it'll be used as precedent against the government. that's the way the law works, which i think is a good thing. >> thank you. if you succeed in this case, will the fbi return to the courts in future cases to demand that apple and other private companies assist you in unlocking secured devices? >> potentially, yes. if the all writs act is available us to and the relief under the all writs act as explained by the courts fits this powers of the statute, of course. >> finally, i think we can acknowledge then that this case will set some precedent. and if you succeed, you will have won the authority to access encrypted devices. at least for now. given that you've asked us to provide you with that authority,
6:37 pm
since taking your position at the bureau and given that congress has explicitly denied you that authority so far, can you appreciate our frustration that this case appears to be a little more than an enron around this committee? >> i really can't, mr. conyers. >> first of all, i can't recall a time when i've asked for a legislative fix. they are not seeking legislative at this time. but i also -- we're investigating a horrific terrorist attack at san bernardino. there's a phone that's unlocked that belonged to one of the killers. the all writs act has been used since i was a boy. we think there is a reasonable argument to have the court use the all writs to direct the company to open that phone. that's what this is about. if i didn't do that, i aught to be fired, honestly. i could also understand your frustration at the broader conversation. it goes way beyond this case. this case will be resolved by the courts.
6:38 pm
it does not solve the problem we are all here wrestling with. >> i thank the director and yield back any unused time. >> thank you, and the chair recognizes the gentlemen from ohio, mr. shab ats. >> i have a document to be included into the record. >> that will be included. >> i happen to be a graduate from william and mary so i will start off with a tough question. anything nice would you like to say about the college william and mary? >> i could tell there is a glow coming from your seat. as a member of the tribe. i met my wife there, that's the best thing that happened to me. second best is that i was there. >> excellent. yes it was a great place to go. there are current members currently, miss titus of nevada is also a graduate. now this hearing is about electronic data -- >> happy it extend additional
6:39 pm
time to the gentleman for recognizing an importantedati educational institution. >> thank you. appreciate the gentleman. ? this is about data security or as you described it keeping our stuff on-line private. i would like to ask you, and it may seem a little off topic, but i don't think it is, a few weeks back the fbi's general council james backer acknowledged that fbi is quote working on matters related to former secretary of state hillary clinton's use after private e-mail server, unquote. then the white house press secretary josh earnest stated that quote some officials over there, referring to the fbi, had said that hillary clinton is not a target of this investigation and that it is not training in that direction, unquote. and the president then weighed in, even though he apparently had never been briefed on the matter, commenting he didn't see any national security implications in hillary's e-mail
6:40 pm
answers obviously this is a matter of considerable import. is there anything you can tell us as to when this matter might be wrapped up one way or the other? >> i can't. congressman, as you know, we don't talk about our investigationes. what i can assure you is that i am very clos close to that investigation and that it will be done the way the fbi tries to do all of its work. independently, confidently, and promptly. that's our goal and i'm confident it is being done that way. i can't give you any more details beyond that. >> i certainly understand and appreciate it. i thought you might say that, but you can't blame me for t tryi trying. let me move on. if apple chose to comply with the government's demand, maybe it does have the technical expertise and finances to create a vulnerability so we can get that information. but let me ask you, what about a small business? i happen to be a chairman of the
6:41 pm
house small business committee. wouldn't such a mandate to say a small company, start-up say with four or five, six employees, wouldn't that be a huge burden on a small business to have to comply with this sort of thing? >> i think it might be. that's one of the factors, as i understand it, courts consider in passing on all all writs act request, the burden to the private actor, how much would it cost them. how much time and effort. and apple says it would take time and money to do it and that's one of the reasons we shouldn't do it. that's built in the interpretations of the act. >> as chair of the committee we ask you to consider how this could affect 7 out of 10 new jobs created in economy or small business folks. half of the people employed in this country in the private sector are small businesses. i think we should always consider them. let me move on to something else. in his testimony from our december 2015 hearing about hr 699, e-mail privacy act, richard
6:42 pm
littlehail, assistant special agent in charge of criminal investigation division of the tennessee burrow of investigations, voiced a frustration with the increasing technological capabilities of criminals and noncriminals. will rather than arguably infringing on the fifth amendment rights of all-americans, wouldn't it be better to keep up and change with the world today? >> there is no doubt we have to continue to invest in training so all of our folks are digitally literate and able to investigate today. the problem is all of our lives are on these devices. which is why it is so important to be private. that also means pedophiles and criminals are using these devices. if a judge can't order the
6:43 pm
opening of the device, that is a problem. i don't care how good of a cop or agent they are, this is a problem. >> let me conclude with go tribe. thank you. >> chair, thankses the gentleman. recognizing the gentleman from new york. >> thank you. since we are a little far afield, let me do so very briefly to point out among others thomas jefferson who among his minor accomplishments founder of the democratic party was also a graduate of william and mary. mr. comey -- director comey, the -- we're all certainly very condemning of the terrorist attack in san bernardino. and we all our hearts go out to the families of the victims and i commend the fbi you've done everything to investigate this matter. now, the two terrorists are dead and another co-conspirator, the neighbor, is in jail. you've used the usa freedom act to trash track their phone calls and investigate everyone they
6:44 pm
spoke to on that phone.rash tra and investigate everyone they spoke to on that phone.ash trac and investigate everyone they spoke to on that track and investigate everyone they spoke to on that phone.h track d investigate everyone they spoke to on that phone. track their p investigate everyone they spoke to on that phone.track their ph investigate everyone they spoke to on that phone. the fbi has done a great job already. now let me ask you a few questions. it's my understanding that we have found that the attack in san bernardino was not in any way planned or coordinated by isis, is that correct? it may have been inspired by but not directly planned -- >> so far as we know, correct. >> have you eliminated any connection between the two suspects and any overseas terrorist organization? >> eliminated any? >> have you seen any evidence of any, better way of putting it. >> we have not seen any evidence of that. >> okay. now, given those facts there's no evidence of coordination with anybody else, it's the two home grown self-motivated, perhaps inspired by isis, terrorists. now, the investigators seize the iphone in question on december 3rd. the fbi reached out to apple for assistance on december 5th. apple started providing the fbi with information i gather the same day.
6:45 pm
but then the next day on december 6th at the instruction of the fbi san bernardino county changed the password to the icloud account associated with that device, they did so without consulting apple at the instruction or suggestion of the fbi. and changing that password foreclosed the possibility of a backup that would allow apple to give you this information without bypassing its own security and thus in the first place the application to the court that you made and that we're discussing today. in other words, if the fbi hadn't instructed san bernardino county to change the password to the icloud account, all this wouldn't have been -- would have been unnecessary and you would have had that information. my question is why did the fbi do that? >> i have to -- first of all, i want to choose my words very, very carefully. i said there is no evidence of direction from overseas terrorist organizations. this is a live investigation, and i can't say much more beyond that. this investigation is not over.
6:46 pm
and i worry that embedded in your question was that you understood me to be saying that. second, i do think as i understand from the experts there was a mistake made in the 24 hours after the attack where the county at the fbi's request took steps that made it hard -- impossible later to cause the phone to backup again to the icloud. the experts have told me i'd still be sitting here -- i was going to say unfortunately -- fortunately, i'm glad i'm here, but we would still be in litigation because the experts tell me there's no way we would have gotten everything off the phone from a backup. i have to take them at their word, but either that part or premise of your question is accurate. >> okay. so second part of my question -- excuse me. second part of my question is, it wasn't until almost 50 days later, on january 22nd, when you served the warrant. given the allegedly critical nature of this information, why did it take the fbi 50 days to go to court?
6:47 pm
>> i think there were a whole lot of conversations going on in that interim with companies, with other parts of the government, with other resources to figure out if there was a way to do it short of having to go to court. >> okay. thank you. now, getting off this specific case because i do think we all understand it's not just a specific case it will have widespread implications in law, and however the courts resolve this, which is essentially a statutory interpretation case, the buck is going to stop here at some point. we're going to be asked to change the law. so encryption software's free open source and widely available, if congress were to pass the law forcing u.s. companies to provide law enforcement with access to encrypted systems, would that law stop bad actors from using their own encryption? >> it would not. >> it would not. so the bad actors would just get around it. >> sure. encryption's always been available to bad actors -- >> so if we were to pass a law saying that apple and whoever else had to put back doors or whatever you want to call them into their systems, the bad actors -- and with all the appropriate -- with all the --
6:48 pm
not appropriate, all the concommatent, the bad actors could easily get around that by making their own encryption systems? >> the reason i'm hesitating is i think we're mixing together two things, data in motion and data at rest. the bad guys couldn't make their own phones, but the bad guys could always try and find a device that was strongly encrypted. the big change happened in the fall of 2014 when the companies flipped from available encryption to default. that's a shadow of going dark -- >> but couldn't foreign companies and bad actors do that, whatever we said? >> sure, potentially people could say i love this american device but because i worry about a judge ordering access to it i'm going to buy this phone from a nordic country -- it could happen. i have a hard time seeing it happen a lot. but it could happen.
6:49 pm
>> thank you. my time expired. thank you. >> i would like to have documents given at this time. >> i would like to ask unanimous consent that patent number 024704302. >> without objection. >> additionally 27353. another patent. additionally a copy of the usa today entitled ex nsa chief backs apple on iphone. additionally from science and technology, an article that says department of homeland security awards $2.2 million to malibu, california company for mobile security research and in other words an encryption proof unbreakable phone. additionally and lastly, the article in politico today on the new york judge's ruling in favor of apple. >> without objection they will all be made a part of the record.
6:50 pm
>> thank you, mr. chairman. >> gentleman is recognized for five minutes. minutes. >> thank you. yus tis scalia said it's -- said best what i'm going to quote. almost 30 years ago in arizona v hicks in which he said there's nothing new in the realization that the constitution sometimes insulates the criminality of a few in order to protect the privacy of all of us. i think that stands as a viewpoint that i have to balance when asking you questions. as i understand the case, and there's a lot of very brilliant lawyers and experienced people that know about the act but as i understand is you in the case of apple in california are demanding through a court order that apple invent something. fair to say? that they have to create
6:51 pm
something. and if that's true, then my first question to you is, the fbi is the premier law enforcement organization with laboratory that is are second to none in the world. are you testifying today that you and or contractors that you employ could not achieve this without demanding an unwilling partner do it? >> correct. >> and you do so because you have researched this extensively? >> yes. we have worked very, very hard on this. we're never going to give up but we have worked very, very hard. >> did you get the source code from ap snl. >> did we ask -- not that i'm aware of. >> okay. so you couldn't actually hand a software person the source code and say, can you modify this to do what we want if you didn't have the source code so who did you go to if you can tell us that you consider an expert on
6:52 pm
writing source code changes that you want apple to do for you? you want them to invent it but who would you go to? >> not sure i'm following the question. >> well, you know, i'm going to assume that the burden of apple is "x." but before you get to the burden of apple doing something it doesn't want to do because it's not in its economic best interest and they have said that they have real ethical beliefs that you're asking them to do something wrong, sort of their moral fiber, but you are asking them to do something and there's a burden. no question at all. there's a burden. they have to invent it. i'm asking you, have you fully viewed the burden to the government? we spent $4.2 trillion every year. you have a multi-billion dollar budget. is the burden so high on you that you could not defeat this product either through getting the source code and changing it or other means? >> i see. we wouldn't be litigating if we
6:53 pm
could. we have engaged all parts of the u.s. government. short of ap toll do it, with a 5c running ios 9 to do that. we do not. >> okay. well, let's go through the 5c running ios 9. does the 5c have a nonvolatile memory of the data and selection switches for the phone settings are all located in that encrypted data? >> i don't know. >> well, it does. and take my word for it for now. so that means that you can, in fact, remove from the phone all of its memory, all of its nonvolatile memory if you will and set it over here and have a true copy of it that you could conduct infinite number of attacks on. let's assume that you can make an infinite number of copies once you make one copy. right? >> i have no idea. >> well, let's go through what you asked. i'm doing this because i came out of the security business and this befuddles me that you haven't looked at the source
6:54 pm
code and you don't really understand the disk drive at least to answer my rather, you know, dumb questions, if you will. if there's only a memory and that memory, that nonvolatile memory sits here and there's a chip and the chip does have an encryption code burned into it, and you can make 10,000 copies of this chip, this nonvolatile memory hard drive, then you can perform as many attacks as you want on it. now, you have asked sesk cli apple to defeat the finger code to attack it automatically. you have asked them to eliminate the 10 and destroy. but you haven't sfarsz i know asked them, okay, if we make 1,000 copies or 2,000 copies of this, and we put it with the chip and we run 5 tries, 00 through 04 and then throw that image away an put another one in and do that 2,000 times, won't
6:55 pm
we have tried with a nonchanging chip and encryption chip duplicated 20,000, tried all 10,000 combinations in a matter of hours? the question is, how can you come before the committee and a federal judge and demand that somebody else invent something if you can't answer the questions that your people have tried this? >> first, i'm the director of the fbi. if i could answer that question, there would be something dysfunctional in my leadership. >> i asked if your people had done you. i didn't ask if that would work. i asked you who did you go to? did you get the source code? have you asked the questions? you're expecting somebody to obey an order to do something they don't want to do and you haven't figured out whether or not you could do it yourself. you told us we can't do it. you didn't ask for the source code and didn't ask the questions i asked here today an i'm a guy -- >> the director's permitted to
6:56 pm
answer the question. >> i did not ask the questions you're asking me here today. i'm not sure i fully even understand the questions. i have reasonable confidence, i have high confidence all elements of the u.s. government focused on the problem and i have had great conversations with apple. apple never suggested another way there's another way to do. maybe you'll ask him. i don't think so. but i'm totally open to suggestions. lots of people e-mailed ideas. i've heard about mirroring and maybe this is what you're talking about. we haven't figured it out. i hope my folks are watching it an we'll jump on it and let you know. >> thank you. >> chair recognizes the gentle lady from california for five minutes. >> thank you, mr. chairman. and thank you, director comb my, for your service to our country and your efforts to keep us safe. it's appreciated by member of this committee along with your entire agency.
6:57 pm
we do value your service and appreciate it. i remember in law school the phrase, bad cases make bad law. i'm sure we all heard that. and i think this might be a prime example of that rule. we can't think of anything worse than what happened in san bernardino. two terrorists murdering innocent people. it's outrageous. it sickens us. and it sickens the country. but the question really has to be, what the s the rule of law here? where are we going with this? and as i was hearing your opening statement, talking about a world where everything is private, it may be that the alternative is a world where nothing is private because once you have holes in encryption, the rule is it's not a question of if but when those holes will be exploited and everything that
6:58 pm
you thought was protected will be revealed. now, the united states law often tends to set international norms, especially when it comes to technology policy. in fact, china removed provisions that require back doors from its counterterrorism law passed in december because of the strong international norm against creating cyber weaknesses but last night i heard a report that the ambassadors from america, the united states, canada, germany and japan sent a joint letter to china because they're now thinking about putting a hole in encryption in their new policy. did you think about the implication for foreign policy, what china might do when you filed the motion in san bernardino or was that not part of the equation? >> yeah. i don't think -- i don't remember thinking about it in
6:59 pm
the context of this particular investigation. but i think about it a whole lot broadly which is one of the things that makes it so hard. there's undoubtedly international implications. more to the data emotion question. but yeah. i have no doubt there's international implications. i don't have good visibility of what the chinese require of people that sell devices in their country. i know it's an important topic. >> mr. chairman, i'd like to ask consent to put in an op-ed printed today in "los angeles times" authored by myself and mr. issa on this subject. >> how could anyone object to that being part of the record? >> i just note that in terms of the -- you mentioned that the code apple, they have done a pretty good job of protecting their code and you didn't remember anything getting out loose. but i do think, you know, if you take a look, for example, at the
7:00 pm
situation with juniper networks where they had -- their job is cyber security, really. and they felt that they had strong encryption and yet there was a vulnerableabili nenerabil were hacked and put the data including the data of the u.s., i mean, the fbi and the state department of and department of justice at risk and we still don't know what was taken by our enemies. did you think about the juniper networks issue when you filed the all writs ask report, you know, remedy in san bernardino? >> no. but i think about that in a lot of similar intrusions and hacks all day long because it's the fbi's job to investigate those and stop those. >> i was struck by your comment that apple hadn't been hacked but, in fact, i cloud accounts


info Stream Only

Uploaded by TV Archive on