Skip to main content

tv   Discussion on Encryption Technology  CSPAN  March 3, 2016 8:03pm-9:27pm EST

8:03 pm
columnist e.j. dionne discussing "why the right went wrong." he's interviewed by juan williams, co-host of fox news channel "the five." and jane mayer's most recent book is called "dark money." join in the conversation. we'll be taking your phone calls and tweets and e-mails from noon until 3:00 p.m. eastern. television for serious readers. california congressman ted lieu says it's crucial for the public to engage and debate the issues surrounding the fbi versus apple case involving unlocking the iphone of one of the san bernardino attackers. he participated in a panel discussion on smartphone
8:04 pm
encryption at the wilson center in washington, d.c. this is just under an hour and a half. good afternoon, everyone, who is physically here or watching. i'm jane harmon, the president and ceo of the wilson center, recovering politician. my role in congress, for most of my nine terms, overlapped the subject that we are dealing with today and it is my great pleasure to welcome good friends on this panel. but first, a shoutout to my congressman and good friend, ted lieu, for joining us. ted literally is my congressman. i am still a resident of venice beach, california, which i represented all those years. and ted represents venice beach,
8:05 pm
california, and other parts. and again, ted, 20 years later, thanks for looking out for what was then my young son dan while you were a member of i guess the state assembly. or maybe the torrance city council. we go way back. encryption is timely. it's important. and ted is one of the only members who actually understands the bits and the bites, thanks to a bachelor's degree in computer science from stanford. no one here has missed the showdown between apple and the fbi. jim c ochl mey says he needs apple's help for breaking into the san bernardino attacker's phone. apple says it would american data everywhere. we should all care how this ends. we're in unchartered territory. the fbi wants tim cook to build a new operating system. critics call it gov os or fbi os. that's easier for the bureau --
8:06 pm
an operating system that would be easier for the bureau to open and search. some call it a golden key or a back door. director comey says it's a front door. a lawful search for leads from a dead homegrown terrorist. either way, it's a battle over much more than one phone. manhattan's district attorney sy vance says he has phones in a locker that he can't unlock. apple has already flagged more than a dozen cases across the united states where the fbi wants to crack it is own security systems. if apple unlocks one device, where will the line be drawn? the end game, whatever it is, will impact your phone, my phone and millions of others. it could have huge consequences for american tech firms, american cops and spies and every american and probably
8:07 pm
every world citizen's cybersecurity. as i mentioned, this is an area i know something about. i was a senior member of the house intelligence committee on 9/11. i was briefed as part of the so-called gang of eight on what was then called stellar wind, which was the preoccur son to the bulk telephone metadata program. i insisted then and believe now that security and liberty are not a zero sum game. you get more of both or you get neither. two former congressional colleagues of mine, ted's colleague, zolof and darrell issa, a republican, wrote an op-ed yesterday for the los angeles times, my home town paper. they say the debate is too big for one courtroom. the conversation belongs to congress. and so here, at the wilson center today, we want to kickstart that dialogue. we have a rock star program starting with congressman ted
8:08 pm
lieu, a leader on these issues and one of congress' few genuine tech keys. we're also pleased to welcome another good friend, kate martin, senior fellow and former long-time director at the center for national security studies and someone i consulted regularly trying to wrap my old brain around these very tough issues. we also have susan hennessey. is she here? >> yes. >> there she is. i can't see her. managing editor of lawfare and lawyer. and dave pererra, reporter for politico pro. so one more shoutout and that's to meg king in the blue sweater who would be hiding in the back if she could. meg directs our digital futures program. i think everyone would agree
8:09 pm
that she has brought incredible tech expertise to the wilson center. i don't know how she learned all of this stuff. again, the world wasn't like this and that's the point. the world is evolving minute by minute. we're going to stay on top or ahead of this at the wilson center and it is really good news that a few people in congress are paying attention. so now, please welcome, our panel and our moderator. [ applause ] >> thank you so much for coming. we've already done introductions. ted has a few things to say at the top and then we'll dive into the conversation. and just so you know, we will be taking questions from the audience after i've had a chance to exercise my ego a little bit and ask the panel some questions. so -- >> sure. thank you. it's such an honor to be here
8:10 pm
and let me thank jane harmon and the wilson center for hosting this event. it was really an honor for me to grow up watching jane harmon. i learned so much from her. i saw how she worked on a bipartisan basis to get things done in congress and i saw her amazing leadership on national security. and back then, as i say now, i went to sleep at night perfectly fine because she was my congresswoman. thank you, jane, for all that you did for our country. i really appreciate it. i'm really honored to be here with this terrific panel. as congresswoman harmon said, i'm a recovering computer science manager. i know a little about cs issues. i'm still in the reserves and when it comes to terrorists, i believe we should hunt them down and kill them. government's first priority is public safety and that's why i support apple's position. because strong encryption is a u.s. national security priority. and i'm going to make just three brief points. i believe the fbi intentionally
8:11 pm
is trying to frame this issue as one of privacy versus national security. that is the wrong frame. the actual frame should be making some law enforcement investigations easier versus national security. and if you look at our national security leaders, none of them are saying, yes, let's weaken encryption. let's put in back doors. in fact, they are saying the opposite and it's quite extra ordinary. you now have the secretary of defense saying that strong encryption is a u.s. priority. he's against back doors and he also says we shouldn't do things based on moments of anger and grief. he's directly undercutting the fbi's message. you also have michael hayden saying, basically, i support apple's position, strong encryption is a u.s. national security priority. so that should be the right frame. do we want to make law enforcement's job easier and then weaken our national
8:12 pm
security? that's the debate. second point is, you layer on top of that all of these important issues, such as privacy, such as a relationship between our government and you, right, how much do you want our government to be able to compel you to take extraordinary actions to assist law enforcement? let's say the apple team that develops the smartphone left, went to google, could the fbi then compel google to do extraordinary actions to break into an apple iphone? at what limit do we have? at what end do we want? do we want our government to be able to compel people to take actions to help law enforcement? and then on top of that we have effects on u.s. businesses abroad and this is now going to affect smartphones here and businesses here but countries around the world. and then the final point is, because of how important these issues are, we really shouldn't let precedent be set and these issues be decided by unelected judges interpreting an 18th sent
8:13 pm
tree statute. and that's what the fbi and department of justice is trying to do. something that passed in 1789 and they are trying to use that to set precedent in this case and i believe that's wrong. it should be something that congress decides. so once again, it's an honor to be here and i look forward to answering questions and listening to my panel members. >> thank you so much. so that sets the stage a fair amount. in order to tackle this issue, it's pretty complex. there's a lot of moving parts. we decided we're going to divvy it up into a tale of three iphones. so we have the first iphone in the context of apple and the government trying to get special access to an apple device. and that is an iphone that's at the center or periphery, rather,
8:14 pm
of a methamphetamine case in new york city. susan, quickly tell us what is going on there. >> right. this is the case that you might have heard of over the past couple of days of a new york judge says fbi can't force apple to unlock an iphone. you might be sort of confused that there are multiple cases going on. this is a case in new york in the eastern district. what's really important to understand about that case is it is an ios 7. the difference is there's a number of detailed, technical differences in terms of how the device is created. the important thing to understand is that apple has the capacity to not unlock the phone but to bypass the lock capability and extract the data. they have provided that assistance to the fbi about 70
8:15 pm
times in the past and declined to do so in this case and so they are challenging the use of the act to compel the kind of assistance at question. it's important to sort of understand where we are, sort of the questions about compelling them to write new codes, those arise in california some months later. so a magistrate judge in new york has said that this is an improper application of the act. the department of justice has already appealed that decision. it will certainly go up to the district court if not the circuit court level within the next couple of weeks. >> kate, should the -- should apple -- it has done it 70 times before at the very least, unlock that iphone? it doesn't require it to code a special operating system which is what the fbi is asking for in the case of the san bernardino shooter's county-issued iphone. it wasn't his own phone. should they do it in brooklyn?
8:16 pm
>> so rather than directly answer your difficult question, i'm going to lay out what i think the issues are. first of all, it's really important to note that this case and the san bernardino case are cases where the government, law enforcement has a warrant to get the information that it's seeking on the phone. and when you step back and we talk more broadly about the encryption debate, one of the things i think we have to keep in mind is that when law enforcement says, well, we only want to get access to information for which we have a warrant, that, in fact, that's not completely true. that there are many instances in which they want access to information and in which they don't have a warrant. and so that's an important backdrop. so here they have a warrant, which means that there is no fundamental fourth amendment
8:17 pm
problem in getting access to the information on the phone. and the case really does revolve around the application of this statute, the al ritz act. what is -- the way that the all ritz act comes up is in wiretapping cases more generally, the congress has already required the telephone companies, for example, to provide technical assistance to law enforcement when they want to conduct a lawful wiretap with a warrant. >> through callia? >> no. through -- sometimes through callia but callia does something kind of different. there are several provisions of the wiretap act. directly require the telephone companies to give assistance in carrying out wiretaps. then we have callia, which was a
8:18 pm
statute that said they have to build the telephone systems in a way that they will be wiretap accessible but we leave the details of that up to the telephone companies. none of those statutes which specifically require companies to help the government in carrying out warrants apply to apple in this situation or to the iphone. and so the government is relying on the all ritz act as a statute to say, you have an om gags to help obligation to help law enforcement in this specific search. >> can you voice an opinion, is apple doing the correct thing by -- specifically in brooklyn,
8:19 pm
sus susan has noted is different in the san bernardino case. >> i think the fbi is correct in issuing a rule rather than turning over information in response to a court order. i think it's more -- i'm now going to state an unpopular opinion. i think it's more questionable whether or not it's such a slam dunk one way or the other. i think -- in some ways, i'm not sure that i agree that we want congress to take this particular issue up right away. one of the things this particular issue -- one of the things that the court can do, which the congress is not so great at, is look at the specific operating system, the specific ways in which apple would have to take steps to unlock that operating system, the specific reasons why the
8:20 pm
government needs the information and what the warrant is for the information. and the all ritz act, in some ways, says to the court, look at all of those factors, balance them and come to a conclusion about whether or not the court is going to compel apple to give assistance in this particular case. so i'm not going to express a view about that particular case. i do think that there might be some utility for those of us who care about privacy who recognize that the all ritz act could have a useful role to play because it requires the involvement of a judge and it requires a particular showing by the government before it can invoke that assistance. >> ted? >> i actually don't disagree with you, that congress
8:21 pm
shouldn't take this up right away. which is why i'm a co-author of legislation that sherman mccaul and senator warren introduced which put together an expert panel of very, very smart people to look at this issue, provide recommendations to congress. something that congress can do and courts can't, how does this affect society as a whole and have lots of hearings, have lots of very intelligent experts, have people from the wilson center weigh in and then we can craft policy. so i do believe we need to take time on this. this is very complicated. but on the new york case, i'll give you my answer. i support apple's position as does a judge in this case, judge or rin stein, who wrote an opinion -- a pretty good opinion. he writes in there that he doesn't believe that the folks who passed the all ritz act in 1789 intended to solve that debate and end it there. we're in a whole new world in
8:22 pm
the 21st century and applying an 18th century statute to a 21st century problem is not going to give us the results. i would note that the fbi director wrote an open letter recently. how many times has an fbi director ever done that? he could have done that in this case, which is much earlier than the san bernardino case. but they realized, right, having making prosecution of a drug dealer versus privacy, that was not a very good frame for them. so i do think that there is some intentionality for the fbi to pick this case and that is inappropriate. >> i will give you an answer. i do think apple -- the first thing to note is there is nothing unpatriotic about apple challenging a court order. that's the right of an american company and if the company believes there's a defective
8:23 pm
process, it's their right to have a judge take up the issue. that said, judge or ren stein's opinion which will go up on appeal and we'll get the ultimate answer on that, regarding the applicability of the all ritz bill, we still think that is pretty good law. so the notion that laws sort of die of old age just doesn't hold. that's sort of -- i think another way to refer to those laws would be bedrock principles, a foundation of united states jurisprudence. there's a lot of ways to look at these things. the important thing about the apple case is that there are no security concerns there. apple has the software in question. they voluntarily engineered it. they protect it. there's been no intimation that
8:24 pm
there was a compromise. there's a warrant. i think it's important to discuss about whether congress has a role to speak here. in terms of what apple is asserting in the eastern district of new york, it's not asserting security concerns. it's asserting reputation nal harm. there are rules under 1997 supreme court case that says a court can compel this type of third-party assistance under limited circumstances. again, it's for a federal judge to decide if the facts in a particular case and i think it's appropriate for a federal judge to make those determinations and they are better situated, often. that said, what apple is asserting that all ritz is not an appropriate application because it's supposed to be a gap-filling statute. really, this is a matter for congress to decide. congress should decide here.
8:25 pm
we're scoping all ritz beyond what feels comfortable to us. that might not be wrong. it's possible that a judge might say, well, you know, that might be true but this is an appropriate application. but actually apple itself is starting to assert these sort of concerns about congress speaking in this area and actually as a defense to being compelled to do something. so i think when sort of all sides are saying it's time for congress to speak, you know, it's important to -- to sort of recognize the way that the role of congress is really being raised in the court process now that it's getting harder and harder to separate the two out. >> judge or rin stein, the judge in the eastern district of new york, otherwise known as brooklyn, suggested in his ruling that congress has spoken. congress spoke through two ways. through callia. it ruled out the kind of technical thing that the government is asking apple to do. it considered it and it rejected
8:26 pm
it explicitly through culia because culia says you do not have to dekript communications on the government's command and classified apple as an information service and information services are excluded from the scope of culia. there are a number of reasons why that does not apply. the judge has also said -- and this may be the weaker of his arguments -- that congress has already debated when it -- >> right. to sort of put or ren stein's decision in an appropriate context, this is the next decision in what has been termed the revolt of the magistrates. it's very unusual for a magistrate judge to issue an opinion at all. or rin stein has issued a 50-page opinion in this case. ultimately, a district judge will decide whether or not these
8:27 pm
somewhat novel legal are valid. the understanding of culia, again, a judge might decide otherwise and or rin stein will decide otherwise, that it's an interception statute and what's at issue here is not implicated. sort of the larger issue of what congress says when congress says nothing is a difficult one to reconcile. so even with his opinion, he cites the case precedent which says when congress doesn't say anything, you can draw two equally tenable explanations for that. right? either congress affirmatively endorses the status quo or congress really wants to change things in an aggressive way and doesn't see -- >> ted, say nothing if you agree with susan. >> keep on. >> just the notion that you can't sort of draw a conclusion whenever congress has not
8:28 pm
spoken. and so that sort of teasing out that those are the two separate arguments that he's asserting there. >> i think it's important to understand the context in which this is happening. so i believe congress did speak, right? the fbi tried to get this proposal through last year and they couldn't get a single member of congress to carry a bill that would do that. so my view is, congress spoke by not accepting what the fbi and doj wanted to have happen. there's another element here to consider, which is, courts interpret laws. courts don't have an independent authority to make people do stuff. they can't compel you to take actions. they need a source of authority, which is a law. and in this case, they are citing this all ritz act and what the judge is saying is, i don't think that law was meant to apply in this situation. so if congress is just silent, the courts can't come up with its own authority to make you do
8:29 pm
something. they actually need some sort of a statutory basis to compel action and so if congress is silent, i think that silence speaks volumes. >> so let's move on to the second iphone in our tale of three iphones and that's the one in san bernardino. kate, do you want to do the press heat? >> sure. probably most of you know, so i'll try to be short but specific. the fbi has the iphone that was used by one of the dead terrorists in san bernardino. that iphone belonged to his employer. so it has a warrant to access the information on that iphone but it can't do so because the information on the iphone is protected by a passcode and it has taken steps to get whatever
8:30 pm
information was on the iphone and also in the icloud, they have gotten. so this is information that doesn't exist anyplace else, if it exists at all, but potentially on the iphone of this -- of the dead killer. in order for that information to be accessed, what the fbi has proposed to the court and -- is the following. there are three mechanisms that apple has put in the operating system of that phone so that someone can't use what's called brute force, which is running every conceivable combination to find the passcode to break into the phone.
8:31 pm
and those features are -- they are quite clever, actually, i think. one is that if someone makes ten wrong tries, the phone just blows itself up. no. it erases all of the information on the phone. the second one is that if you want to try multiple times to get into the phone, you have to wait between each time so the fbi says that if that feature wasn't disabled, they would -- it would take them 26 years to try all of the different possible passcodes. but if the third feature was disabled, which requires the passcode to be typed in, you know, manually by some finger and instead it was -- the phone was configured so that the fbi
8:32 pm
could use an automated way of typing in the passcodes, it would be able -- the fbi would be able, using brute force, to get access to the information on the phone in 26 minutes. so what the fbi has done is asked the court to use the all ritz act to order apple to write the software that would disable those three particular features on this particular phone. and there's a lot of back and forth about how that would be done. would they give the phone to apple? would, you know -- which we can talk about, which kind of goes to some of apple's objections to being ordered to do that. >> so, susan, in this case, apple's being asked not to just break into one of it is products but to actually affirmatively do something no tech company has ever done and that is write custom software for the federal
8:33 pm
government that breaks its own product. all ritz act really applies here? >> right. so we're now getting into kind of the hard territory, at least to my mind. yeah. right. this would be a novel application of the all ritz. i think it's important to understand the choice that's being made here and why. the government isn't saying that they don't have the capacity to write the code. it might be harder for them, it might have unintended consequences, certainly apple is going to be better. the problem is, the way apple has created their devices, they only run software that has been signed by apple's special signing key and there's been in this larger debate about encryption, there's been notions about key escrow and the tech community has asserted very strongly and really rather reasonably that these are the keys to their kingdom, the u.s. government cannot be -- >> by key escrow, just to jump
8:34 pm
in, you're talking about the conflict whereby the companies would store their keys with a third party for special circumstances such as this? >> right. that a company would be required to put its signing key somewhere else. and so essentially what has happened is the government has said, okay, we believe you. we don't trust ourselves with this key. we buy that we should not be messing with sort of encryption. we also believe this is really important equity to protect. the problem is that if you don't give us the key, you have to write the software because we can't sign the software in question. and so i think in sort of that context, while certainly a judge is going to have to decide, is this an appropriate application of the law, it's important to understand what the tradeoffs, why the government thinks that it might be reasonable to ask this kind of heightened assistance because, of course, as with all laws, as technologies changed, the
8:35 pm
laws -- we reinterpret the laws and see whether they can be stretched. i think this is starting to raise questions of was this intention -- was this the intention of sort of the all ritz gap, is there really a gap here, you know, we're starting to get into the realm of really substantive law where we would expect to see statutes on the matter. there are certainly difficult legal questions in california. that said, no matter what happens in california, we're all collectively going to have to decide what we want the future to look like and, to my mind, what's really at stake in california is whether or not we want the scope of government access, of lawful government access to be dictated by our laws, by the fourth amendment, by courts, by warrants, by a neutral magistrate or if we want the scope of that access to be dictated by technology. reasonable minds can differ and
8:36 pm
there are all sorts of really complex equities on either side but when you get down to the core values choice here, i think that's when you're seeing two sides that are really having difficulty sort of reconciling what are very deeply held notions. >> ted, are their constitutional issues at play here? >> absolutely. i think it is unprecedented for a court to compel a private sector company to take extraordinary actions which is to create software that they do not have to weaken their own product and that is simply the issue that -- >> but not just under the all ritz act. perhaps fifth amendment or first amendment -- >> apple raises first and fifth amendment issues. they do say, writing computer code is equivalent to freedom of speech and they shouldn't be compelled to do that speech. not sure what i think of that. i think their stronger act is
8:37 pm
that the all ritz act does not apply in this case, particularly when the government, the fbi tried to get this through congress and congress rejected it. i think it is helpful to take a step back and think about not just apple. it's not just about this company. if this had to have been a microsoft product, same thing would have happened. microsoft is about to write a legal brief in support of apple. you have the american library association come in and support apple. why are they involved? they don't see any limits to this. if the court compels this kind of action, what's to keep a court from telling amazon, hey, you create software to identify for us people we think are suspicious based on the books that they order and you send that to the fbi. you can imagine all sorts of actions the government can compel you to do to assist law enforcement and my view is that a private individuals and private sector companies are not an arm of law enforcement and i think this case raises very
8:38 pm
troubling issues from our government to you. >> so i would just add that susan and congressman raised the kind of larger policy questions is that i think there is a risk here in connection with the approach that apple is taking, which is that if you step back for a moment and ask the question, well, who's going to decide or who's going to have access to information that's been encrypted and when is the government, if ever, going to have access to information that's been encrypted and how are we going to decide that? so that's a very large question that has many subparts depending on what kind of devices you're talking about, what kind of information you're talking about, which part of the government, what kind of process, are they going to have a warrant? are they going to have something
8:39 pm
else? if you step back and go, well, this particular case where the government has a warrant, there is no privacy interest at stake in connection with the data on the phone, do we have a real problem in compelling a company to help decrypt this information? so the problem as i see it is whether or not congress has in fact already given the judge the power to order that kind of compulsion, as you said, congressman, in the all ritz act. but if you step back and say, wow, as a society, do we want a judge to have that kind of power, i think the answer might well be, yes, in this particular situation. and what i am very concerned about is that apple and some of
8:40 pm
the other industries' position is, okay, we're going to find this in court. if they lose in court, it will give the fbi much greater ability to come to congress to ask for the kind of law that the all ritz act is not. but that in asking for those changes in the law, law enforcement and the intelligence community are likely to ask for much broader powers and are likely to ask for the power to access information when they don't have a warrant but they just have a national security letter or many of the other kinds of authorities that gives the government access and that's
8:41 pm
the danger that we run when -- with all due respect, at the moment, doesn't seem to me that we have the political context in which we will end up with the wisest decision-making process. all right. should i just say it? on this kind of problem. >> just to push back on that a little bit, i think that one way to sort of describe it is to you don't think you'll get the law that you think is ideal. traditionally we understand that we express those values by voting for elected representatives. i think it's important to note here that congress is not obligated to pass a law that apple and all companies shall compel. they could repeal culia, the scope of what congress is empowered to do on our behalf is essentially limitless. only the constitution is the
8:42 pm
limiting factor there. and so i think it's important to realize whenever we see these polls that say 49% or 51%, sort of who cares which side is which, it's a roughly divided country on these issues at this point, you know, the way we traditionally resolve these kinds of really difficult value decisions is we elect members to congress and they vote and they vote on behalf of their constituents in a way that they think are a noble discharge to that service. i'm always a little suspicious of the notion of, well, we want a law and we don't want to use the gap. i agree that there should be a careful consideration here that the going in principle should be first do no harm. that said, i think that i'm
8:43 pm
always suspicious of stall tactics, honestly, because i think the fundamental process here is we have opinions and you guys vote. >> so i've got a really cool law to tell you about. i work on a bipartisan basis. a couple weeks ago i introduced a law that states cannot mandate encryption back doors in consumer products. because you have california and new york with state legislators introducing bills that were going to require companies like google and apple and so on, to put back doors into their products and that made no sense because you can't have, you know, google make a smartphone just for california and not for kansas.
8:44 pm
so your notion -- yes, there is a risk that we can get a for president. there's all sorts of risks. i think what is more important to note is in this san bernardino case, when you talk about apple fighting the court, they didn't pick this fight. if you read what happened according to apple, they read about the court filing in the newspapers. they were working with the fbi. they provided a huge amount of assistance. they provided their engineers, all sorts of advice. and i think the fbi saw an opportunity to try and frame this issue in a very particular way to try to get the american public on their side. and again, when is the last time you saw the fbi write an open letter? it wasn't just to the judge. it wasn't just concerning this case. it was an open letter to influence.
8:45 pm
>> he published that letter and actually did write a piece back in july sort of putting out the enjipgs challenge, talking about what law enforcement was asking for ideas and support and partnership and engagement. so i think, one, he actually has written sort of specifically the open letter in the past and i do think that law enforcement has at least attempted to be sort of open with their equities here. >> i want to ask a question about the all ritz act just to take us back there a little bit because it's the law that is sort of at the crux of all of this and the supreme court, as i understood it, established as you said, susan, there's three basic tests. proximity to the issue at hand, would it be an undue burden and is there any necessity. let's talk about necessity. is there -- does that iphone, anybody actually think have any evidence on it that the fbi
8:46 pm
truly has a compelling urgent need to get at, especially given the wealth of metadata that the fbi already has been able to extract? he knows who he's called, who farook has called, they know the contents of the messages and what apps he's downloaded and has a backup copy of the iphone albeit back to october 19th but we're not talking about a huge gap. isn't it really just an opportunity for the fbi to make a point rather than to actually gather evidence? >> so look, i have sort of two reactions because this has been raised quite a bit. we don't want certain laws for when law enforcement really, really wants evidence and when they kind of want evidence. the rule is supposed to be set whether or not a judge says they can get it and that's the rule. a little bit i think while
8:47 pm
certainly, you know, the facts might be more friendly in one case or another or more or less useful in terms of the public conversation, it's important to understand that we're attempting to develop neutral here. >> the law goes to necessity. >> and that's whether the government can do it themselves. it's the assistance in question is necessary. so kind of the necessity you're talking about is whether or not law enforcement needs access. that certainly goes to, you know, kind of how we all balance. so it's totally reasonable that the american people decide, you know, this technology is really important to our lives. the cybersecurity threat is massive, you know, and we think that we are willing to accept the fbi not having access to some amount of information. you know, my personal sense and also put on my former ic hat for this, you know, this is sort of a weird terrorist event, for lack of a better word.
8:48 pm
it's kind of a workplace shooting, kind of a terrorist event. it's really important that the fbi understand what happened, why it happened. you know, there was allegedly sort of a fight at a party. were they planning this terrorist event for long periods of time? was this always the intended target? these are important things to which the phone would certainly have some value and so i think the right question to be asking is not do they expect to find the sleeper cell on his work phone? no, probably not. but this is a meaningful investigative lead. it's as important a lead kind of as any, at least conceptually. this is the kinds of investigative work we would expect from law enforcement. we expect them to be investigating these crimes. that includes looking at the phone. and so i'm not sure. i'm always sort of suspicious of this question of how valuable is it. the question is, if it's of any value, then the larger
8:49 pm
discussion just becomes one of whether or not the law applies or not. >> kate, you look like you have something to say. >> well, i'm more skeptical of what the fbi was doing. if you go back a couple of months, there was an internal process inside the administration about whether or not the administration and the white house would go to congress and ask for new laws to deal with the new encryption capabilities. and the administration decided not to and i think we have to remember why and one of the reasons is because, as the secretary of defense and everyone up and below him to the president, et cetera, has acknowledged, strong encryption is essential to maintain the security or to create more security in the internet and the internet is an essential
8:50 pm
component of our security. and it's made and secure and the companies who are working on encryption are making it more secure. so they decided not to congress, that the tradeoff did not require a new law. then we have san bernardino. now we have an investigation which is an important investigation, but we don't have simply one little, you know, part of the investigation. we all of a sudden have an enormous public controversy created by the fbi on you can't really believe that encryption should prevent us from getting access to the phone of this dead terrorist. so i think that the question of whether or not there's anything really useful or necessary on that phone does go to what is the fbi trying to do here and you know, it's quite legitimate
8:51 pm
for them to try to influence the public debate on encryption, but let's be clear that that's what they're doing more than trying to get the information on this particular phone. >> so i agree that the san bernardino case has sort of a particular emotional resonance. that's actually not the case jim comey has been sort of yelling about on the hill. he testified just two or three weeks ago at this point and yes, he mentioned the san bernardino case but he actually mentioned another case. an ios 9, a woman eight months pregnant heopens her door and i murdered. no leads, no idea who did it. the family gave consent to open the phone. she has a detailed diary on the phone. the fbi is certain there is some evidence of what she planned to do that day on that phone and the fbi can't unlock it. i don't think this is a case of the fbi just trying to use kind of the most dramatic set of
8:52 pm
facts. whenever i sort of personally think about well, how do i come down on these issues and where do my -- >> that's the second most dramatic set of facts, the dead woman. right? >> right, but these are all real things. i think it's reasonable to decide another value is more important but it's not reasonable to pretend as though people don't really care about investigating terrorist attacks. it's not reasonable to pretend like people really aren't murdered in this country. the biggest problem with data encryption is child pornography. a lot of people say that's fearmongering. that's reality. we might decide that as a nation, our online security values, where we think the future is going, the way we want our relationship to our government to look like, that that all means that we don't expect companies to provide this kind of assistance. but we have to do that eyes open and understanding what the tradeoffs could potentially be.
8:53 pm
>> let's talk about the third iphone. this is a hypothetical iphone. this is an iphone that apple could make that would actually make this argument about san bernardino moot. it could put security features in a next generation of iphone that would make it impossible for anybody to get in. there are some technical details about how we would do so, it would make the secure enclave, it would make one of the chips on the inside of the i fop muip much more harder to update. we don't have to get into the technical details. is there anybody going to say that apple shouldn't do that, that there actually should be a law preventing apple from making the iphone so secure that not even it can get into it? >> if they did that, maybe we should ask apple to protect our national security secrets, right? i was oversight committee last year having hearing after
8:54 pm
hearing of massive breaches in our federal government. for example -- >> have a warehouse of iphones. >> the security clearance hack of 20 some million records affected me personally, foreign government now has my most sensitive information as well as my spouse's, and it was because of a lack of encryption and other strong cybersecurity fences. we need to upgrade encryption and cybersecurity in both the private and public sector, and keep in mind that virtually every federal employee has a smartphone of some sort, whether it's government issued or your personal one. they keep huge amounts of information on that phone. do you really want to make it easier for foreign adversaries to hack those phones? you don't. that's why our national security establishment has largely come out saying strong encryption is a national security priority. we don't want to weaken that or create vulnerabilities. i would be completely fine with
8:55 pm
the future iphone that you describe. >> so i might actually surprise you on this. i'm sure there are some people that will say no apple shouldn't be able to create that phone. no, i actually think apple should be able to create that phone. i think it would be a roeal mistake to try to dictate laws trying to tell people how to build their products. apple has the obligation to make the most safest, security phones they possibly can weighing all their various business equities along the way. i think that with all, you know, even though the congressman is one of i think four people who have a computer science degree, sometimes congress wades into technical issues, some of your colleagues have less of a gentle touch so i actually think that kind of law probably ends up doing more harm than good. what i would think would be useful and clarifying law, useful and clarifying no matter where it comes down, is a law that explains to companies exactly what the scope of their obligation looks like.
8:56 pm
coming from my background, i'm very skeptical of the notion that there is such a thing as a phone you can't get into. so i think that while certainly we are all going to have to accept the fact that there is certain information law enforcement isn't going to be able to see in the future, there are other places where there might be methods to fill in those gaps. those are going to create a whole other set of problems, right, who can spy on you through your refrigerator and waffle maker and all these things. they are already thinking about this. so the vulnerabilities are going to continue to exist. so really, with the issue in new york, with the issue in california, is not an issue of encryption. it's an issue of lawful hacking, of device hacking. this is where sort of it can be difficult to frame. while i 100% agree with every statement both of you have made on encryption, i also think that it would be a terrible mistake to sort of put in genuine back doors or force people to alter cryptologic standards.
8:57 pm
that all seems really problematic to me. the sort of limited scope, the limited ability to access device hacking, you know, requesting that companies pursuant to the law provide some level of assistance, i think that level of assistance should probably be dictated by congress. whether or not the law might apply i think ultimately whenever we get there, that's probably the right solution. you know, i think there is a way to sort of find our way through this. i don't think it has to be kind of it's 2016 and we're going to decide what the future looks like and off we go. i think we can sort of, we can take one step of it at a time. we can certainly sort of lower the tone of the rhetoric. i think things like, you know, federal preemption laws, that sort of stake out the territory so these sort of issues are a good idea, i'm skeptical of commissions but hopeful. so i think there is sort of a way to be collaborative, to be creative and to kind of take one step at a time here.
8:58 pm
>> i want to make sure we have time for audience questions. sir? >> i'm joel mulhouser. i have no personal involvement in any of this, and no knowledge. i'm just the average american citizen. first of all, i think you made a very good point and i may have missed this in the media but i don't remember anywhere people talking about all these other cases. it sounded to me like it was one case and maybe apple could just do it one time and that was the end of it. but clearly it's nowhere near that. again, i didn't know that and maybe the rest of the public is smarter than i am and they knew that, but i missed it. but my question is i'm not sure i understood what you all said because i'm not an expert in this. if there were 60 cases in new york where apple or someone agreed to let them have the information, why are they denying it on the 61st?
8:59 pm
if they have agreed 60 times before, what about this -- that case is different or do they just change their mind or is it a different legal issue? i'm not clear about that. >> so the san bernardino case is different. >> i was referring to the first case. the brooklyn case. >> so there are two sort of questions in the eastern district case. the first is whether or not this is an appropriate use of the all writs act so the judge determined that it's not, that will go up on appeal. this is something that paapple basically hadn't thought of the notion before. they assumed the all writs applied. at the request of a judge they took a hard look at the law and said on second thought, maybe we can't be compelled to do this. so that's within their rights and that will go through the court. they have an alternative argument and the alternative argument they are saying on the record in the eastern district of new york is that under the burden analysis, so this is that no one can be compelled to do that which is overly burdensome i think is the language, they
9:00 pm
are saying it would be a reputational harm, that if apple were to comply with the court order in that case, they would suffer economic damage to their reputation in the long term. that implicates some sort of core understandings about civic duty, multi-national american corporations that have multi-national markets. it's a very complex issue but there's no security sort of concern there. they are saying it's a financial and reputational issue. >> essentially apple has changed its mind at this point as opposed to [ inaudible ]. >> i think it's fair to say that they have changed their mind but i don't think it should be characterized necessarily as apple is bad. i think that they have changed their understanding of the operation of the law. but not based on the technology changes.
9:01 pm
>> hi. jane harmon again. i thought this panel was great or i think this panel is great, and one of the reasons i think it is great is that it's a discussion in public about a assist of complex issues. so my question is this. after 9/11 when all of us thought we might be attacked again, the bush administration, bush 43, term one, took most of its actions to thwart the threat by executive order. it turned out that memos were written in the justice department at the office of legal counsel justifying a lot of this and congress was cut out. my question, and congress caught up in the second term of bush. there were a lot of actions in congress. my question is this. how important is the public debate? at this point when there are such complex issues should the
9:02 pm
public be brought in and help determine the set of answers that our country will give to technology and to the need i think everyone would agree with this, the need if possible consistent with our constitution to find out what bad guys are plotting before they hurt us. >> i think public debate is critical and thank you again, congresswoman harmon, for having this event. i reallien joy enjoyed it and i learned a lot myself. because the issues here are so monumental, they deal with privacy, with national security, with law enforcement, we all want crimes to be solved and people not to be injured or harmed, so these are really large issues and the public needs a way in because it's going to affect the public for years and years to come. how congress acts, if congress acts, or if the courts act and how they act. i think the public needs a way
9:03 pm
in. don't don't know what the public's going to say. you look at the polls, depending how ask you the question you will get a different answer and the public itself is somewhat conflicted on the issue because these are very complicated issues and they do often raise conflicts that are not easy to solve. >> i would just add that whenever you are having a public debate that's highly technical, that's always hard to have in a sophisticated sort of informed way. i certainly hope that the technology community can also sort of take some leadership on really making sure that people understand the technical issues at play. i also think, though, it's important to not dismiss people who disagree with sort of the technical mindset. i think there is a little bit of i don't know, sort of a temptation to say if you have a different value or come down differently, you don't get it, if you knew math like we did, you just don't understand.
9:04 pm
i think it's just important not that it's indicative of the right or wrong answer but it's important to sort of understand that it's possible for people to have sort of different values here and to make sure we are being kind of respectful about all those values in the conversation. >> so i just want to second all of that but also point out that without a public debate, where weened up with is the national security bureaucracy makes the decision, they do it in secret and it turns out and i think the snowden disclosures and where we are today illustrate that that's not only bad for human rights, civil liberties and democratic government, it's bad for the intelligence community because the apple's resistance and the technology companies' resistance to government access and insistence on the importance of
9:05 pm
encryption is, i believe, in large part a measure of the american public coming to understand that its intelligence agencies were accessing so much more of americans' communications than we had any idea. and so we are still seeing the results of that. so what i would say is that in this debate when the law enforcement says we want access when we have a warrant, that's one question. but we need to have in the debate what about when you don't have a warrant but you have some other authority that's going to allow you at the moment to get access in secret, are you still asking then for encryption to be broken and that we have complete and candid answers to those questions from the national security side.
9:06 pm
>> i'm with the voice of america. can you address the international implication issues if governments like china ask apple to do the same thing, would apple do it? >> so this is actually a really complex question. i think there is a little bit of a tendency to say well, apple's going to be able to create the technical conditions and therefore that will allow them to say no to other countries. it's not -- nobody except for apple and the chinese government know what apple's relationship with china is like. what the apple general counsel did testify yesterday that apple has complied with chinese data localization laws, so that means that all data is stored within chinese servers, it's commonly understood that the chinese government maintains access to all data within china. the google, for example, rather than complying with data localization laws elected to withdraw from that market.
9:07 pm
so while it's difficult to know, it's not -- it's apples and oranges because the relationship to the data in question is very different. that said, certainly china is looking to what the united states is saying. certainly this operates, this alters u.s. companies' abilities to negotiate with chinese government as sort of, they tend to promulgate regulations that leave a lot of discretion. it's very important and at the same time, not quite as dispositive i think as sometimes people believe it can be. >> i went to china last year on a congressional delegation and one of the issues we raised was allowing more access for american businesses to the chinese market, because they banned facebook, they banned much of google because these u.s. companies would not agree to some of the very intrusive demands of the chinese government. our embassy continues to make
9:08 pm
arguments of the chinese government saying please allow more access to our u.s. businesses. it does somewhat undercut our ability to do that if here in the u.s., we then have our own government going and taking back doors, back door ways to try to access smartphones. so i think this does have an effect how this is decided not just in the u.s. but also how our businesses compete worldwide. >> and the other international aspect, of course, is that encryption is extremely, it's critically important to centers, human rights activists around the world who live in repressive regimes. sometimes it's a matter of life and death that they have access to encrypted communications. >> my name is david.
9:09 pm
i'm working here at the wilson center. i'm an intern. this is sort of a tangential issues to the san bernardino case and other cases. how does this discussion change when you are talking about open source encryption? there's no apple, they have a certain ability to break into it when they want to or are demanded to by the government but with open source encryption which i understand there has been some hostility towards it in general by some people in the community. can you speak to that? >> if i understand your question correctly, right now, two people can go on the internet, encrypt their communications and the fbi cannot access it. that sort of leads to a broader point where if you look at what the fbi and department of justice say is they say look, there is all these dark spaces now that we can't access. my view of that is well, when america, it's intentional we have a lot of dark spaces.
9:10 pm
you have bad room as a dark space. you don't want the fbi listening in there. your home is a badark space. in the san bernardino case, it's likely they planned a lot of this by talking to each other in their home. dark spaces. with encryption right now, you don't need a smartphone. you can just encrypt with another person. fbi can't access it. and that does at some level, maybe it's going to make it easier for some criminals and terrorists to take certain actions but also, it does a lot to protect not just people's privacies but companies' private situates and strong encryption is good for u.s. business, consumers and national security. >> let's get somebody from the back. in the blue tie. >> thank you.
9:11 pm
two questions. one that hasn't really been addressed is if you look at san bernardino and the attack, is it really an existential threat? i would argue that it's not. we have 14 dead people which is horrible but it's not an existential threat to the country. discussing this big an issue in the context of that one case might be the fbi taking things far out of proportion. secondly, we have only touched on apple but let's say apple were compelled to do this. run off to and you will get something that's a lot harder to crack than an iphone. so we are just moving the goal posts. there is no end in sight. >> so i think two things. one, certainly it's not an existential threat. we shouldn't be making policy decisions out of places of fear or terror, right. that said, we all sort of have collective understandings about what our expectations of law enforcement are like.
9:12 pm
their ability to investigate, prosecute and prevent crimes. we are allowed to change our minds. that's why this is sort of the beauty of the system. we get to pick kind of where we want all these things to fall. and in terms of sort of the notion of moving the goalpost, sure, there's always going to be a more secure phone, there's always going to be third person apps, there is always going to be the ability for two smart committed bad guys to speak in a way that the government can't access. the question here is how big that space should be. and sort of how manageable sort of the problem is. so i think that it's important to understand that there's no such thing as absolutes on either side. we are never going to get absolute cybersecurity. we are never going to get absolute physical security. it's a balance of how we sort of, how we want these all to fall. >> i largely agree with that but i think something to consider is it's easy to sort of point out hey, a bad thing happened.
9:13 pm
but i think it's important to understand that lots of bad things happen when you don't have strong encryption. so we have been repeatedly harmed, the united states, from weak encryption and weak cybersecurity defenses. millions of security clearance records stolen. we have had businesses, anthem blue cross, target, home depot, hacked. we have suffered huge amounts of economic damages, national security risks. american lives are now at risk because of that hack at opm last year. so i think it's more to put on a scale that weak encryption has caused harm, will continue to cause harm. that's just something people need to think about as they think about these issues. >> hi. meg king with the wilson center. thanks so much for doing this. before my question, shameless plug for the wilson center cybersecurity lab. one of the reasons that we did that for hill staff is to make
9:14 pm
sure that everyone has access to the technological information, how technology works, how smartphones work, what do networks mean, who are the bad actors so members of the congressional offices can have the best information possible. so my question is really about unintended consequences. let's say a decision goes forward in one of these cases like the san bernardino case and somehow apple agrees or is compelled to write new software or this happens in some other case. we have seen incidents where that kind of a situation can actually, it's out in the open internet. somebody will find it. there's a mistake somewhere because humans are still writing code. so how did we need to think about that from the legal perspective, the privacy perspective and how is u.s. congress thinking about that issue? >> so i think it's really important to sort of be honest about the various risks on all sides. so the government would be very foolish to dismiss apple's very
9:15 pm
sincere and genuine concerns. one of the concerns is that apple will not be able to maintain the software securely, it will inevitably get stolen or they will have to use it so man times that it's going to compromise their ability to secure their keys. it's really important to sort of take those head on and decide kind of what the actual risk is. whenever i sort of think -- i think it's really important to take the facts as they come. it's easy to kind of spin up into this back doors into encryption when there's really complex technical issues, i think it's important to take the technology as it is before the court as it is sort of before the case at issue. look, i'm sure there are a great many number of technologists that will disagree, maybe even the congressman himself. whenever i think about sort of the risk scenario here i think okay, sure, if the software is stolen, apple has an impressive history of being able to secure things up until this point.
9:16 pm
they had essentially identical software technologically different but software is software. they were able to secure it for many, many years. okay. maybe this is different and now this software will be stolen. okay, who has the capacity to steal it. who has the capacity to use it or repurpose it if they were to steal it. okay, like so that's not just nation state actors but it's like probably more than your ordinary thug so we probably don't need to worry about people grabbing iphones out of one another's hands. sort of all right, that's what that group looks like. okay, so then whenever you have this code you actually need the device in question. so from sort of an intelligence perspective, i think while it's always better to get -- to find an [ inaudible ] where the person doesn't know so they keep producing intelligence. stealing someone's iphone is low on the list. i sort of think all right, who would want to do it, how hard would it be, how would you secure the phone. i kind of come down to well, like a sloppy intelligence officer, that would be a real
9:17 pm
problem. corporate espionage would be a problem. potentially some border issues, things like that. i think that those are all real threats. we -- have yyou have to really about it but you have to push the technologists and tech companies past the initial representation of this is not safe because they're right, in a theoretical sense if you create this code, something existed before, something exists now that didn't exist before. i think it's really important for even those of us who are not technologists to not be afraid of looking stupid to say okay, what does that mean, what would happen next so that we can get to the end and make a decision really based off of kind of the facts on the ground instead of sort of just being afraid of ever sort of messing with anything or taking sort of the first representation of a corporation that of course has, you know, corporate obligations that are about maximizing value to shareholders and not sort of about protecting our civil liberties. >> so in addition to being a
9:18 pm
recovering computer science major, i'm also a recovering lawyer. so i want to talk about some of the legal risks. because i think this should be settled by the american people with stake holders in congress, i do think the fbi should withdraw their case against apple. i don't think they are going to do that. if they don't, what will happen is this case will keep on being appealed and one of the legal issues will be can the government compel a private individual company to write software they do not have. to create something they don't. and let's say that gets to the ninth circuit court of appeals, a huge region and they decide that and say yes, government can do that. then you have a principle here that you wonder how will it be applied in the future. what else can government force you to do in terms of creating new things you don't have. so there are legal risks to what's going on here and so i think it's something we just need to think about as these cases move through the courts. >> just to note certainly the precedent here is important.
9:19 pm
anyone who says like it's really just this one phone, it is kind of just this one phone, but there is certainly precedent here. i always caution against the slippery slope which is illogical fallacy from your early days of law school, that's sort of this notion of courts apply the law as it is. they are supposed to sort of divine it from on high but it's supposed to be an objective standard so a little bit the fear of if the law is correctly applied in this case it would also be correctly applied in another case and therefore it's not correctly applied in this case. i think that that speaks to a need to change the law, a need to have real clarification about what sort of the scoping is and maybe not necessarily a need to misapply the law to the extent a court believes it's a proper application. >> does the panel have time for one last question? because we are a little over. thank you. i appreciate it. >> a fellow at gmf. i ready jim comey's piece in
9:20 pm
lawfar ec lawfare and i think it's impossible to get anyone to pay attention to anything today. i think on a personal level, even just this case, just the debate it's created is valuable for our society. but so one thing, i'm thinking about this from more of an international security perspective, and i'm trying to sort of for the sake of public debate and norms and laws to try to conceptualize and think about the difference between, because in the computer science sense, data flowing through networks is all the same, it's all data packets but there is data that can become information for the purposes of situational awareness, coordinating activity and you know, basically for human consumption but then there's data that has kinetic effects that destroys critical infrastructure and so what role does encryption play in protecting those systems because to me, that's one of the biggest concerns, our electric grid, all these things, it's not the
9:21 pm
information we care about because it's more machine to machine communication. is this a useful way to think about it and what role does encryption play on that? thanks. >> well, you know that the president just announced a major cybersecurity initiative that's aimed at making the grid much more secure, at increasing the number of technologists in the country, et cetera, et cetera, but as part of that, they recognize that encryption is a key part of securing the grid and the rest of it. >> i think it's important to note, yes, everybody i probably can't say everybody but most responsible voices believe strong encryption standards are absolutely critical to securing all kinds of critical infrastructure. i do think it's important to note that the california smart grid is not defended by the mechanisms at issue in the apple
9:22 pm
case so sort of it's really important to understand the difference between the kinds of encryptions they're talking there and its connection and in some cases lack of connection to what's being requested sort of in an instant case. >> i'm going to scare you. when i talk about driverless cars, i believe that it's going to happen sooner rather than later and the full vision of driverless cars is you got a bunch of these cars on the highway that are driverless. last year, a car got hacked remotely. they took control of a jeep and controlled it. so imagine if you don't have strong encryption and strong cybersecurity, a hacker taking control of a car on a highway and then slamming on the brakes when you're going 50 miles per hour. not good. or if a hacker took control of a car and ran it into a school. or what if a hacker because of weaken encryption installed a virus that said on january 1st, 2025, all cars are going to accelerate 100 miles per hour. these are just very scary things
9:23 pm
i want you to think about. that has to do if you don't have strong cybersecurity, strong encryption. these are important issues to consider. >> on that note, i often say that politicians are analog and the problems are digital and i think that is true. one politician is digital and maybe he can educate us, others. the wilson center is educating congressional staff including andrew lackman, who works for ted lieu who will now be as smart as ted lieu, we hope. but the point is that without a public discussion of these issues, i think we are all lost and wouldn't it be nice to have that public discussion take place in a congressional hearing room or think bigger or maybe smaller, in this year, wouldn't it be nice to have that discussion take place in a presidential debate, maybe in the fall general election presidential debate. >> cybersecurity is going to be
9:24 pm
huge. it's huge. >> all right. certainly politico is now better informed about this. i want to thank a very educated audience for tuning in but i also want to make one last shameless self-promotion plug and that is that places like the wilson center are going to have this conversation and we are hopeful that that conversation will ripple out and will be held in more important in the white house, in the congress, in the debates so that the public can see who is better qualified to be president. and we have to have those debates now, because as ted says, something bad could happen any time and something bad could happen tomorrow and if we don't have that debate, if we really believe, and i do, that security and liberty are not a zero sum game, if we don't have that debate we can repeat some of the mistakes and they were not all mistakes but some of the
9:25 pm
mistakes we made after 9/11 when we overreacted and did things in secret that we should have debated in public. so thank you all for coming and thank this wonderful panel. gregory treverton will talk about the work of the council and the counter terrorism challenges they face in a speech friday at the center for strategic and international studies live at 10:00 a.m. eastern on c-span 2.
9:26 pm
the american conservative union hosts its annual conservative political action conference. our three-day cpac coverage continues live friday afternoon at 1:15 eastern with speeches by republican presidential candidates, john kasich and ted cruz. also, dr. ben carson. then on saturday morning at 10:00, our coverage continues with donald trump and live at 11:35 a.m. eastern with florida senator marco rubio. we will also bring you the results of the 2016 cpac straw poll. for our complete schedule, go to president obama was in milwaukee thursday to promote his health care law. he said 20 million people have gained coverage since he signed it back in 2010. the president was introduced by a wisconsin resident who credits the health care law with saving his life after being diagnosed with an autoimmune disease. this is half an hour.


info Stream Only

Uploaded by TV Archive on