tv Discussion Focuses on Government Surveillance and Privacy CSPAN January 7, 2017 12:03am-2:01am EST
essentially enter into a private agreement that is defined by a decision by the european commission as adequately protecting personal data, but the same fundamental question is at issue which is if a company in the eu is transferring all this either private communications, personal data to the u.s., are they, therefore,
exposing those eu vindividuals o surveillance activities of the u.s. government without providing adequate protection, without fro voproviding for ade redress? so really it puts real money at stake in this -- in the debate over the scope of the surveillance authorities and the surveillance protections and i think it raises a lot of fundamental questions about how privacy law will be structured in the u.s. one issue that's going to be coming up over the next 12 months is the renewal of the 702 authorities, themselves. another issue that we're going to see in the next few months and certainly within the next 12 months is whether a new administration will carry forward some of the privacy provisions that were adopted by the obama administration. and people have different views about how protective or not those provisions may be, but one of the fundamental flaws i think that european court is likely to recognize in relying on
executive orders, for example, is that they can be rescinded, they don't exist permanently or semi permanently in law, and so, you know, it will be a real test in these new cases and a real measurement of what's happening in a new administration for the european courts to be able to, you know, watch as privacy law changes in realtime in the u.s. and react to that. that's really the new dimension, is to have an outside view of what's happening with u.s. surveillance authorities going forward. so that's the short 15-minute version of the schrems case. there's obviously a lot more issues there, but i think going forward it's going to continue -- these cases, because there are several now -- are going to continue to raise really fundamental questions about how u.s. structures its privacy protections, especially whether -- to what extent it
grants protections to non u.s. persons abroad. so, thank you. >> thank you. we'll move to jen daskal. >> so first a huge thanks to cato for putting on this terrific conference and to julian for inviting me here to speak today. i want to talk about what i see as two sides of the same coin, which is u.s. data that happens to be located outside the territorial boundaries of the united states, and foreign governments' need to access data that happens to be within the territorial boundaries of the united states. and i'll give you the punch line from the outset. in my view the current set of rules are imposing arbitrary limits on law enforcement's ability to access data based on where that data happens to be held. it's been attempt, in my opinion, to kind of transpose rules that apply to other forms
of tangible property on to data without recognizing the unique and different features of data including its rapid mobility, divisibility and perhaps most importantly for these purposes the fact of third party control, the fact that companies like facebook, microsoft, google, could tend to control where our data is located without us as the users having any say in that fact. and these, together, make location an increasingly arbitrary and normatively unsound basis for limiting law enforcement jurisdiction. and while these limitations are often described as privacy protective, they actually undercut privacy as well as security and economic growth and innovation. so let me start with the problem of u.s. law enforcement access to data cross borders. this was the issue that was decided this summer by the 2nd certificate in what's known as the microsoft ireland case. i presume everyone is familiar with that case.
started in december of 2013, when the u.s. government served a warrant pursuant to the electronic communications electronic communications privacy act, which also call acba on microsoft seeking data associated with a particular account. microsoft turned over the nonconsent data, name, ip address, billing information, but refused to turn over the content of communications saying those were stored in dublin, ireland, that the united states warrants jurisdiction only extends to the territorial boundaries of the united states and, therefore, the warrant was invalid. the government fought back as the government put it, and two lower courts agreed. this was not a traditional search warrant that involved u.s. law enforcement officials crossing over into ireland territory and seizing property there. rather it was directed at microsoft requiring that microsoft disclose a sought after communications. yes, the data was in ireland, but microsoft employees sitting
in redmond, washington, could access the data without ever leaving the territory of the united states. so it was a territorial, not an extraterritorial search akin to a compelled disclosure order pursuant to a subpoena. they ultimately sided with microsoft and concluding the relevant statute is about privacy, not disclosure, that it was an extraterritorial search and the united states warranted authority pursuant extends only to data that's physically located within the united states' territory. this case has since and during litigation been -- the ruling has been described as a privacy wing by many. i'm not so sure that this is true. first, remember that here the government got a warrant based on probable cause. there is no question that it would have been able to access that data had the data been located within the united states, and there would be no privacy violation assuming that everything was fine with the
warrant. it doesn't become a privacy violation just because the data is moved outside of the territorial borders. in fact, this case is arguably bad for privacy unless one thinks that any obstacle in the way of u.s. law enforcement is a good thing. the end result means that if the united states law enforcement officials seek data that happens to be outside our borders, it needs to now make a mutual legal assistance request for that data, and then the foreign government should it choose to respond accesses that data according to its own standards. in many, i would say, most situations, those standards are lower, they're less protective than a warrant based on probable cause overseen by an independent imagi magistrate or judge. and second, even if this case is about privacy, it is not at all obvious that as the 2nd circuit concluded that the privacy intrusion occurs in ireland. remember, microsoft already has access to this data as a caretaker.
and, in fact, moves it around without notice to, or consent by, the user. any additional privacy intrusion it seems takes place not when microsoft moves the data which it does, anyway, but when that data is turned over to the u.s. government. that happens in the united states. not ireland. this ruling also has a number of potentially significant practical implications for the u.s.' ability to access data lawfully, even when the targets u.s. based, u.s. citizen and the government has probable cause to access that data because of where it's held. this happens for three reasons, first, the slowness of the mutual legal assistance process. it can be too long to be useful. second, the united states only has mutual legal assistance treaties with about a third of the world's countries, it may not have a workable means of accessing sought after data, and, third, not all companies are structured like microsoft which has a relatively location.
driven approach to how it stores and accesses data. companies like google and facebook, for example, are constantly moving data around in ways that can make it sometimes hard to even ascertain where particular data is located at the particular moment that a warrant is served. but more importantly, a company like google, for example, has structured its operations so that its data can only be accessed by law enforcement teams that are located in the united states. now let's assume that the united states government serves a warrant on google for data associated with a particular account. if some or all of that data is outside the united states, google can't lawfully respond under the 2nd certificate's ruling. if the u.s. government goes to that foreign jurisdiction, the foreign government says we'd love to help you but we can't, we don't have jurisdiction over the people who can actually access that data, you do. and the practical result is that it means there is no way for law enforcement to access that data, even pursuant to a warrant based on probable cause.
now, a big company like google obviously can restructure to resolve these problems, but at least in the short term this is a situation we're in. and i think that this result has two concerning side effects. first, it encourages data location mandates as a means of ensuring access to data. now, this isn't so much a trend in the united states, but rulings like the microsoft ireland case further incentivize foreign jurisdictions to mandate that data is held there in part to protect against what's often perceived as the big, bad reach of the u.s. law enforcement. the reality is, however, as i already stated, that in many cases the standards that those foreign governments will apply will be less protective of privacy rights than the standards that apply in the united states. and second, i think the reality is that powerful governments will find a way to access data if there is a sufficient need. and my fear is that a ruling
like this shifts surveillance efforts into less transparent, less accountable, more surreptitious means of accessing data than a government like the united states might seek to access without independent review and oversight by a judge. now, the government's appealing this ruling. i also think that there's problems with the government's position as well, and that the better, the ideal solution is for congress to step in and get involved. i encourage everyone to read judge lynch's incredible really excellent concurring opinion in the 2nd circuit on this point. in my view, ideal amendment, would permit the united states to access the communications content of its targets pursuant to a warrant, in investigations overserious crime, without regard to location of data. but also require the government and the reviewing court to take
into countervailing factors like the nationality and location of the target, like the nature of the crime, like the laws of other nations that might preclude access and the potential conflict for -- with foreign nations. so as to help protect against the situation in which the united states claims access to date to anywhere and everywhere without regard to the sovereign interests of other states. so now i'll briefly turn to the converse problem, foreign governments seeking access to data located within the united states borders. so the same statute that is at issue in the microsoft ireland case also precludes u.s. companies from turning over data to foreign-based providers, content of communications. so think about the same problem from the foreign government perspective. uk law enforcement is investigating a london murder, the target, the witness and the victim are all in london. if they -- if the alleged perpetrator were using a uk-based provider, the uk could go -- government, the uk law
enforcement could go to that provider and get access to that data probably within days, if not sooner. if, instead, the alleged perpetrator is using g-mail and uk law enforcement officials go to google, google says, go through that mutual legal assistance treaty process. it takes an average of ten months for a resoponse to be set back to the uk, and just as u.s. law enforcement officials are frustrated by the microsoft ireland decision, so, too, are foreign governments as a result of the inability to access data that happens to be u.s. controlled. this is also, in my view, leading to a number of concerning response. again, further encouraging data localization mandates which i've already said permits governments to access data according to their own standards often less privacy protective than the standards that exist in the united states. these kinds of mandates are also costly, they undercut the growth and efficiency of the internet and potentially shut out small startups from entering into the
market because they simply can't comply with the cost of holding data in multiple jurisdictions. we're also seeing governments increasingly assert extraterritorial jurisdiction without regard to the conflict of laws that ensues and this is not just an academic hypothetical problem. in january 2015, there was a microsoft employee, executive, who was arrested in brazil. facebook faced similar problems as well. and as i already said, these kinds of restrictions also further incentivize and encourage surreptitious means of accessing data. so as with the microsoft ireland case, we need a solution. and i think we have a chance to design a solution that yields a race to the top, or at least the raising of baseline substantive and procedural protections across the board, rather than a race to the bottom where every
nation is seeking access to data based on their own rules without regard to things like the nationality and location of the target and many rules -- many cases based on rules not particularly privacy protective. so recognizing this problem, the department of justice submitted legislation in the spring that would lift the blocking provision in certain circumstances. specifically, it would allow the executive branch to enter into executive agreements with other governments allowing those governments to directly access content of communications from u.s. providers so long as they were not accessing data of u.s. citizens or persons in the united states in order to be able to enter into this -- these types of agreements. the attorney general and secretary of state would have to certify that the country met robust substantive and procedural protections for privacy and civil liberties and the request would also have to meet a number of requirements, the fact they were particularized, that they were time limited, that they were reviewed or overseen by a judge
or independent authority, that the information was not used to infringe on freedom of speech, subject to minimization requirements, subject to carry out compliance reviews by the united states and these agreements would also have to be reciprocal meaning the foreign government would have to commit to allow the united states to make direct requests to foreign-based providers for u.s. citizen s citizens' data or data of persons located in the united states. now, we can debate the specifics of these kinds of proposals and i think there's areas where i would suggest changes but i would suggest that this is the right approach and one that would, if adopted, raise baseline privacy protections as compared to the current situation where governments are increasingly being incentivized to pass things like mandatory data localization requirements. such an approach also reflects the general premise that the united states has a legitimate interest in setting the specific substantive and procedural rules
that govern access to data for its citizens and residents but does not have a similar justification in imposing the specific rules of a warrant based on probable cause when a foreign government seeking to access data of its citizens outside the united states so long as certain baseline protections are in place. now, notably the u.s. and uk have a draft agreement that would allow uk law enforcement officials to do exactly what i'm talking about, directly compel the production of communications content from u.s.-based providers in certain circumstances but this can't happen without legislation. i know it's a hard time to predict what's going to happen in congress over the next few years but i would say i think this is, and should be, an issue that crosses party lines and congress has an important chance to design a rational and comprehensive approach to the question of law enforcement
access to data across borders, addressing both the question of u.s. government reach and also amending its laws to allow foreign governments increased access to u.s.-held data according to baseline privacy protections when certain conditions are met. in my view, these jurisdictional rules should focus on things like the location and the nationality of the target, rather than the location of the data, and that failure to take these steps will have negative consequences for our security, our economy, and our privacy. thanks. >> thanks so much. i absolutely urge everyone later as you're headed to the reception to grab a copy of her excellent paper on this topic. copies left there. i want to invite our final panel discussion to the stage. last year we started a new tradition at the cato surveillance conference by
having a prominent civil libertarian, in that case, curt from the frontier foundation, an extended debate, dialogue with an official from the intelligence community, in that case, becky richards of nsa. we thought that yielded such interesting results, why not repeat the experiment? see what happens when you get two people who care deeply about privacy, one to simplify an external critic, one working within the intelligence community, and see what they think are the important issues of the day to talk about. and of course, to introduce our discussants and moderate that conversation, we have another cato surveillance conference tradition of sorts. he's been, i think, at each of these since even before it was called the surveillance conference when we did our first post-snowden full-day conference
on the national security agency. pulitzer prize winner, charlie savage whose national security reporting to "the new york times" is absolutely essential to understand what's going on in the intelligence world and whose book "power wars" is an absolutely invaluable guide, most thorough and comprehensive and thoughtful analysis of what intelligence and security policy under the obama administration has emerged to be. i will turn it over to charlie's capable hands to introduce our panel. >> can everyone hear me all right? so here we are at the end of this conference and we're also 3 years, 3 1/2 years now into the post-snowden era. we have been living under the usa freedom act for 18 months now. we are heading into another reauthorization year for the fisa amendments act. and it's sort of a great time to
wrap up the day and the year, to some extent, with an overview of where we are, where we might be going across three or four different cuts of the surveillance world. to help me do that with you today, i have two great guests, one is alex joel to my right here, he's the chief of the office of civil liberties, privacy and transparency at the office of director of national intelligence. odni. he's played that role since 2005 when the office was set up. and he's also the chief transparency officer. and after getting out of -- he began his career as a jag attorney in the army, after getting out of military, he worked as a technology attorney in the private sector. after 9/11, he decided to rejoin the government in the cia's office of general counsel before he moved to odmi in 2005. i think we were talking in the greenroom before we came out here, i asked alex to tell me something about him that people in this room didn't know. something that wasn't his resume
item. and he told me -- what is it you told me? >> i swim every single day. >> every single day. how do you have time to swim a mile a day? >> we have to wake up very early in the morning. >> how url early do you get up? >> about 5:30. >> where do you swim? >> a couple of different locations. primarily the sport health club in mcqueen. >> why do you swim every day? every day? >> it's good to stay in shape. i've found that actually the secret to keeping swimming -- i mean, the swimming is tremendous exercise if we're going to have this conversation. >> just briefly. >> a one-word answer. >> the key is audiobooks. if you listen -- if you have a waterproof ipod, listen while you're swimming, the laps go by. >> i understand also you're the last person standing in odmi who has been in that role the entire time? >> i think so. i haven't done a full audit, but i believe so. >> all right. my other guest is jennifer granick, director of civil liberties at stanford's center for internet and society. teaches internet law at stanford
law school. she also served as the civil liberties director at the electronic frontier foundation from '07 to '09 or '10. 2010. sorry. and you're also the author of a forthcoming book from cambridge university press called "american spies: modern surveillance: why you should care and what to do about it" which sounds like this audience might be interested. when is that book coming out? >> it is going to be out in the beginning of january, surveillance law and policy written for a general audience. so an effort to both be understandable and accurate and give people kind of a framework for thinking about the surveillance policy debate with a definite civil liberties bent. >> all right. when i asked you something about yourself, you told me you're an enthusiast for something called tech in five? what's that? >> one of those hand-to-hand combat video games and in japan, downtown san francisco, there is a video arcade that has only video games that have been imported directly from japan. my daughter really likes it
because there is a character that's a kangaroo, so she's always the kangaroo and the kangaroo and i beat each other up. i think it's really good therapy probably as well as a nice pastime. >> what character do you play? >> i just go around, you know. i try to -- i can tell you that my other daughter was playing her and she got this one character and my daughter said to her, you know, the women are always skimpily dressed in these things and the men look like demigods and my daughter beat the computer that was playing the really masculine looking guy and my other daughter said to her, you are so good, you beat that guy and you're barely even wearing a shirt. so -- >> all right. let's get into it. i think part of what this audience wants to be -- to walk away from this conference was, of course, deep dives into all kinds of different weeds. but one of the reasons we're able to do these deep dives in a way that we weren't before 2013, you can have an annual conference about surveillance and there's a lot to talk about,
is because we know so much more about what the government is capable of doing, what the rules are for that, whether those rules are being obeyed and so forth, than we did before the snowden leaks. how, from your vantage point, especially chief transparency officer, i think a role that didn't exist before a year or two ago, how has the odni, cia, nsa, changed in terms of its ability to, or willingness to, or seeing the value of talking to the public about what it does? >> right. so i've been in a community which values secrecy and we're sort of built for secrecy. we hire people based on, in part, our perception of their ability to retain the confidentiality within the government. we have security systems, we do training around keeping secrets. that's important in our business because, of course, as i said in other context, a fully
transparent intelligence service would be fully ineffective. so our effectiveness to a large degree depends on the people, the adversary not knowing how it is we're using different techniques and sources to discover them and detect their activities. so when you come from that culture, it's very difficult to sort of get people thinking about being more open and public and transparent. i've been doing this, as you pointed out, since 2005. and never before have i experienced a community that is as engaging with the public as we are now. we still have a ways to go. i think one of the lessons that certainly i learned and a lot of folks learned in the last three years is that you can have as much oversight as you can -- you can design and put in place. we have all kinds of different oversight structures that can be rather complicated. i called it a system of many layers with many players. we have inspectors general, lawyers, my kinds of offices, we also have oversight committees and we have the foreign
intelligence surveillance court, the intelligence oversight board. all the entities have clear personnel that can see information in a classified environment. which is critical, i think, for our democracy to have people who have -- who are in an oversight capacity to have the clearance to see the things that we're doing in a classified manner. you can have these rules, have oversight and that's necessary but not sufficient. i think one of the lessons that we've learned in the last three years is you need to add an additional element which is transparency. and it's not easy for the intelligence community to do it. it takes a lot of time, effort and attention. but i believe that this is an enduring value that we have learned in the last three years. you have to find ways to be more open about what you do. >> let me follow up on that briefly. i certainly as a reporter who was covering these things and asking questions and filing freedom of information act lawsuits and so forth noticed
that nsa and really odni as the controlling entity for how the response to snowden was going to play out became gradually more willing to just affirmatively say this is what is going on, not to fight the foia case, but say you can have the documents, give us the time to redact them and i appreciated that very much. i'm not sure that moment is going to endure the way you just suggested that it would. i certainly think other parts of the -- correct me if you disagree -- that other parts of the intelligence community that were not forcibly exposed like the surveillance world was, such as the central intelligence agency, i think never went through that cultural change. and i -- one of the things i've been thinking about lately, the usa freedom act, one of its provisions was the intelligence court, fisa court, had to make public when it has made -- novel and significant interpretations
of surveillance law. and the provision doesn't say "going forward." it's ambiguous. just says the government shall make public these things. it raised a question about whether fisa court opinions that are novel and significant, enacted between 1979 and 2015 must also now be made public at least in summarized form. the obama administration has taken the position in court that, no, it only applies going forward. if this is a new culture of transparency, what's the justification or the rationale for not just saying, yes, here's an important opinion from 1988, you can have it, here's an important opinion from 2003, you can have it. >> i won't get into the legal discussions regarding the interpretation of that particular clause and the context of whatever -- wherever it is that's being discussed at the moment. i can just say more generally it is our intent to go back and look at all the significant opinions. so that's something that is happening. whether or not it's a statutory requirement, it is something
that's trained right now. one of the points that i was making at a different forum is when you look at transparency, there are different reasons to provide information to the public. some of those are in response to mandatory legal requirements. you mentioned the usa freedom act. we must comply with the usa freedom act and that acts as a prioritization mechanism on what it is we do. another one is freedom of information act. so especially once a freedom of information act goes into litigation, you u have to follow the course of that litigation and there are going to be court deadlines and court orders you have to comply with. and then under the executive order for classification, for national security information and the u.s. government, there are various processes that also require us to review tranches of classified information, for example, the 25-year automatic review, there are classification challenges and mandatory declassification reviews that are filed under that particular
executive order. so all of these external -- what i call these hard requirements, these legal requirements, necessarily drive a lot of the machinery that has to be put in place to provide transparency. a lot of the classification reviews which can be very painstaking. you have to go line by line across these documents to determine what can safely be released and if there is a risk to national security, what that risk is, bring in the experts, et cetera. part of what we're doing in the transparency world is not only looking at that -- responding to the mandatory declassification and disclosure requirements, but also looking to be more proactive. to say what is it that we can do to better explain ourselves to the public. you know, and in that regard, we have been engaging with civil society, getting their ideas, getting their requests. trying to figure out what's in the public interest, what we can do to better inform public discussion on important issues. i don't think -- i do think that's enduring. because i think that's a -- that's something no matter what
agency you are, we've all experienced the last three years. we've all experienced the very significant and vibrant discussion and debate about the legitimacy of certain intelligence activities and i think intelligence agencies have gotten the message we have to figure out a way to be more proactive and strategic going forward about the information we provide the public. >> all right. let me turn to jennifer then, think about going forward. so the most significant event that we can see on the horizon for the world of surveillance is the scheduled expiration of the fisa amendments act in the end of 2017. of course, no expectation that it will not be renewed. but it is an opportunity for amendment and extra provisions. what are the sort of three big issues in takeaway form that people should watch for as that debate unfolds? >> yeah, so one big issue, directly in response to alex's comments, is about, you know, transparency, but i would put it a little more broadly,
which is accountability, right? and, you know, i think that while the intelligence community has come a long way from where it once was, it has not come nearly far enough in terms of revealing information to the public. i mean, there are secret legal interpretations of very important key terms in intelligence law that the public doesn't really know what they mean or how they're being interpreted and it hinders our ability to understand what kinds of surveillance are being conducted. and whether we support that kind of surveillance and whether the safeguards are adequate. >> you see an opportunity in the fisa amendments act reauthorization bill to do what? to solve that problem. >> so, you know, everything's up for negotiation once the bill is going to expire. it's going to be gone and we can ask for more things. releasing fisa court opinions, particularly i think people rant to know what the definition of key surveillance terms are. what is facility? what does it mean to target?
what is the interpretation of u.s. person? what kinds of materials, importantly, does the government treat as protected by a reasonable expectation of privacy? because all of the fisa electronic surveillance definitions depend upon collecting information to which there's a reasonable expectation of privacy. and we have this ongoing debate about very sensitive personal, private information where the public doesn't really know exactly how the government treats it and if they treat it as having an expectation of privacy or not. if there is no expectation of privacy, either another statute has to protect it or it's not subject to fisa because it falls outside the definition of electronic surveillance. >> go ahead. >> just examples. e-mail, with we still don't really know 100% for sure that e-mail is protected by the 4th amendment or what about documents that are scored in the cloud? >> okay. >> so noncommunication. we got to know that. >> talking about here, better information that could come out --
>> less secrecy. >> -- about how the government understands its powers and could enable substantive change to the rules. >> right is what's a substantive change to the rule that reformers want specifically that also could be part of this bill? >> there are, there are two big things. scope and usage. the fisa amendment act allows targeting a foreigner overseas for any foreign fisa amendments act allows targeting of foreign or overseas for any foreign intelligence information. >> without a warrant. >> without a warrant. warrantless surveillance for -- of any foreign intelligence purpose. and that is a very, very broad category, well beyond national security and counterterrorism to anything we might be interested as a country. so what that means is two things.
number one, it means when americans talk to foreigners who are of interest in these categories, our communications are wiretapped as well. and it means that foreigners who may be targets or talking about targets, they get picked up for the very broad category also. and that's causing immense amount of international consternation as people realize our law is collecting on them as targets without a warrant in this very broad way, well beyond what their national laws with allow our human rights laws necessary and proportionate test for whether the surveillance meets the human rights standard. >> to be clear for people, we're only talking about collection inside the united states here. this is when the u.s. government goes to gmail or to at&t and wants to look out in the world. >> without fisa regulations. but this is where they go to u.s. companies, or doing surveillance on the internet backbone and saying to these beloved brand names, give us information about your users, and there is -- the economic problem is obvious, which is that people don't want to use companies that are -- have to
give over their information without a warrant to the u.s. government. but the problem for u.s. -- for americans is broad as well. we learned there is a vast amount of americans, private information, that ends up in these databases. >> you would like to see the allowable scope of surveillance under this law be constrained in some way to what? what is the delta? >> national security counterterrorism. >> not economic. >> right. >> you see that as politically possible? >> i don't know. you know, i don't live here in d.c. i live in san francisco. so it is, like, a whole different world out there. and i think that there is -- people tell me that there is less of a chance in some i was ways for surveillance reform now with republican in control of both houses of congress. i find that hard to believe.
i think now is a time where people who are paying attention are thinking actually quite the opposite this is a time to restrain government discretion and to make sure that robust rules and checks and balances are in place, you know, more than ever before. i think it is possible. >> the other theme you mentioned was usage. people hear about the back door search loophole. what is that and how does that intersect with this? >> once information is collected, under section 702 from the companies, so under this section that is expiring from the companies. >> without a warrant. >> without a warrant, that warrantless collection goes into a database and the fbi, a law enforcement and domestic security agency, has access to the raw data in that database. and what they are allowed to do is to search, they call it query, search is a constitutional term, is to search that database for information and including looking for information about americans for criminal purposes. and this is called the back door search loophole because to get
access to that information you have to go to a court, show probable cause, get a warrant, execute the warrant through the regular criminal procedures, give notice and all of that. what is happening here is by creating this vast database of information of americans communications with foreigners, then you have this vast database that the fbi is allowed to go to and query. the usage restriction would be either don't allow it at all, we collected this information, and in the name of counterterrorism and national security, use it in that name and don't, you know, do an end run around it or at the very least you have to go to court and get a warrant and show you have problem cause to look for this information as opposed to the way it is now, which the fbi can access it for assessments, basically fact free. >> so let me turn back to alex. not to put you on the spot as a person, but is the government's representative, can you articulate the rebuttal, why has the government resisted the idea that if -- at least in the
criminal investigative world if an fbi agent wants to look in this database to see if a criminal -- ordinary criminal suspect's private messages have already been collected, the government -- the fbi agent ought to be getting a warrant before trying to pull that message up and read it. >> so i have to take a step back and address this more broadly, i think. first of all, i certainly agree with some of the points you're making about the transparency of legal rulings and legal definitions. i think that's a priority of ours, we have to be more transparent about that. in terms of the scope, the scope is -- is foreign intelligence as defined in the foreign intelligence surveillance act, the actual conduct of the targeting of foreign intelligence, for intelligence purposes under section 702 is subject to a rigorous process. we have something called the national intelligence priorities framework.
>> but let's assume i was communicating with a legitimate, followed all the procedures, not a terrorist, just someone who knew about the thing, and my e-mail is -- not targeting you, you're targeting that person. why should the fbi have to get a warrant to read my private message if i'm the one he's interested in and i'm the one he's querying. >> we believe the original collection is targeted. so the original collection is targeted at a legitimate foreign intelligence target. we're not getting all of your e-mail. >> that's right. >> we're only getting the e-mail communications of you and this carefully focussed foreign intelligence target. if there is a fast breaking situation, where we need to find out whether or not an american that has been involved potentially in a terrorist incident inside the united states is in communication with somebody that we already have collected on, that's the rational. you need to move quickly, you need to identify whether we currently hold the communications information that could help us prevent something from happening in the future. now -- >> that sounds like you're
searching in the name of the terrorist who just committed the attack. not searching on the name of the american -- >> it could be an american who is involved in some terrorist incident inside the united states and we want to see if he's getting instructions from abroad. >> you think the government could live with a warrant requirement as long as there is an exclusion for a fast moving national security crisis? >> the government's position has been no on that point. >> i'm wondering, is there some snappy -- because -- or why should we constrain our powers? there never has been a inhibition on using data lawfully gathered and so, no. >> it is essentially because you don't know when you might need to get the data quickly and we don't want to constrain the intelligence services from being able to do that. from a civil liberties and privacy perspective, i understand the concerns.
we do try to put in place checks and policies regarding oversight, documenting these queries, the reason for the queries, providing oversight for the department of justice and odni on the queries and reporting any incidents to the board. i understand the concerns. we feel the current structure is sufficient to address those concerns. >> let's move on to the -- >> i can say something about that. >> sure. >> until we know how many of these back door searches the fbi conducts and how the volume of information they pull out of this, there is really no way if -- that's like an internal assessment, but the public and lawmakers need to know that answer to say we like this or don't like this. it is not just an emergency. >> what would be the answer? >> ise won't tell us. the intelligence community won't tell us, they won't count. and congress asked many times how much american information is in here, how much back door searches are you -- is the fbi conducting and they -- and we don't know. the information is kept, the information they get from the company is kept for five years.
and there is not, you know, any -- there is no documented -- there is no facts that need to be shown to a judge in order to get it. it is really -- it is really kind of, like, taking advantage. >> nsa and cia are required to -- we publish those statistics of the number of queries they do. the systems aren't set up for that. we understand that that has been a request from the hill as well as from the civil society organizations that we deal with. and fbi is still trying to figure out how to do that. >> my understanding about why the fbi can't do it is that when you're an agent and you're saying i'm interested in charlie savage and put in -- you do a database search on charlie savage, it is a fed rated search that hits all the databases in the fbi's collection. and brings back results as they are. but that means that there is not a -- what does that mean, that means every single search by an fbi agent at all times, in some ways count as a back door search, even if 99.9% of them never bring back anything from the -- >> right. >> a misleading number. >> only certain fbi agents are allowed to see the result if it comes from a 702.
>> without getting permission. >> permission to see the result. >> do you know if agents asked permission and never been denied? >> we're working to release that. the court, if you look at the opinion from -- on the november 2015, i think it is, the foreign intelligence surveillance court opinion on fbi minimization procedures posted on the record, address that issue, there was an amicus who argued that the fbi query process was inconsistent with the statute, inconsistent with the constitution, the court held that it was consistent with the statute and the constitution, but decided to order fbi to count the number of times a return resulted in a nonfi query situation. so fbi has been implementing that order and we are -- that's one of the things we're working on. >> you're going to try to classify. do you think that's imminent before the administration leaves? >> i hope so, yes. >> if it is all the back door searches -- >> just the one that the court ordered to be disclosed. that the study that the court ordered. >> i don't know the internal architecture of how you have -- of how the fbi has its systems, but database experts said it is
not a big computer science hurdle to say, you know, there were this many queries where data came out of this particular database, data has to be treated in a certain way, it is segregated. >> have you seen that data? can you talk about it? >> i have. >> will people find it surprising when it comes out? >> i won't speculate. >> all right. let's move on to the world of executive order 12333 is the internal executive branch rules for surveillance that is not regulated by the foreign intelligence surveillance act. fisa regulates only collection from a wire on domestic soil, where at least one end of the communication is domestic. so it doesn't cover sucking up data from satellite transmissions, doesn't cover intercepting stuff from fiber-optic cables abroad, doesn't cover foreign to foreign communications intercepted as a transit to the united states. huge swaths of what the nsa does
is not covered by fisa. this raised -- the reason for that architecture it was designed in the '70s for phone systems in which that happened here stayed here, what happened there stayed there. and, of course, now in the internet era, just as jen daskal was explaining in the last session, stuff that happens here is found there all the time. stuff that happens there is found here all the time. that's one of the reasons for the -- why the fisa amendment act allows collection here of foreigners' data without a warrant, a reform that came out of pressures that arose because of the rise of the internet. so keeping the theme with alex here for a minute. one of the wrinkles arising out of our greater understanding of 12333 and fisa has been an awareness that agencies have increasingly since 9/11 been engaged in sharing raw data with
each other. that is to say unminimized data, data that has not had privacy protections put on it yet to screen out the names and irrelevant personal details, americans. so used to be that the nsa only would have this -- or the fbi only would have it and to disseminate that information elsewhere in the government, they would have to process it as a protection measure. after 9/11, there was a desire to tear down the barriers, maybe someone at the cia would see the clue that would have been redacted because the nsa person didn't know it was a clue. so there was in the world of fisa a great effort to share raw data collected under fisa, now goes at least known to go to four agencies. the fbi, the cia, the national counterterrorism center and the nsa. and bob litt, general counsel where you and i work, has talked publicly about how there is also an effort, which has been lasting eight years now, to develop procedures that will allow data that was collected under 12333 rules also to be
shared with the cia and the fbi. and we don't know what the rules or lips of those things are going to be yet, but this has been in the works for eight years. bob said in february that it was imminent. where are those procedures? >> imminent. >> imminent. >> what's the problem? you think it is going to happen before this administration leaves or in collapse? >> no, i think it will -- i think we're on the road to getting something finalized and released soon. we don't know what the rules or limits will be yet but this has been in the works for eight years. bob said in february that it was imminent. where are those procedures? >> imminent? >> imminent. what's the problem. so you think it will happen before this administration leaves or is it in collapse? >> no. i think we're on the road to getting something finalized soon. >> honestly, government takes time. but is there some substantive issue or what is holding it up? >> primarily it takes time. 2.3 of executive order of 12 triple 3 talks about protections for retaining, disseminating
u.s. person information. and it says that intelligence agencies can share that u.s. person information with each other because everybody has guidelines designed to protect that u.s. person information. >> change the executive order put in in 2008? >> the change was that in 2008 they added a change. so from 1981, it said except for signals intelligence information cannot be shared. they would retain it until deciding to retain it in a report. in 2008 a report was made that for that kind of signals intelligence information, that could be shared pursuant to procedures established by the dni and approved by attorney general in coordination with the secretary of defense. that's what you have been talking about that has been in works for a large number of years. it's not like right when they signed it we, went to the attacked 2.3, but yes it's been going, as i like to say, at speed of government. so the basic structure will be that signals intelligence information can be shared pursuant to an elaborate process where there has to be a determination at requesting agency. has everything. has a need for the information and has put in place structures and processes that essentially will give the protection, same protection to the information
that nsa provides under their rules. >> so the big difference, big difference, between surveillance and fisa surveillance whether fisa with or without warrant is that fisa surveillance has to be targeted. you are looking at one specific person for one specific reason and if someone is communicating with that person okay it does communications as well. >> 12 triple 3 is vacuum up the whole pipe. again it is supposed to be happening abroad even for foreign intelligence purposes. as you were saying earlier when we were talking about the back door search, loophole, in terms of fisa, not like they would get all of my communication, just the e-mail i get to that foreign intelligence target. that reassuring constraint would not exist if people's information was vacuumed up into 12 triple 3 surveillance. can you tell us, preview the big question which would be will these procedures let the fbi query u.s. person data for criminal purposes once they get access to 12333 bulk collection. >> just to clarify what you are saying about 12333, if we target any american no matter where in the world we are required to get an individual court rule. >> targets no one that get a million people -- >> to the extent that collection is not as -- not target -- so this is where i wanted to step back and talk about the way we do targeting. targeting is something that is specifically been described for
section 702 but also happens for 12333. there is a process by which intelligence agencies go through and to the extent that targeting can happen, all map basis, that's what happens. if we can get the information individually targeting a communication overseas, that's what happens. under directive 28, the -- we put in place a process for limiting the use of information that's collected in bulk. and basically there we are saying, we have to tailor our collection to the extent feasible. if it is not tailored to the collection and still obtain the national security information, we can do things in bulk. for u.s. person information, nsa still operates under ucid 18. which is the detail requirements of executive 12333. and under that use of that united states singles intelligence directive they are
if we can get the information individually targeting a communication, that's what happens. under presidential policy directive 28, the, we put this place a process for limiting the use of information that's collected in bulk. and basically, there, we're saying we have to tailor our collection. if it's not feasible to tailor the collection, and still obtain a national security information, we can do things in bulk. for u.s. person information, nsa still operates under ucid 18. under that, they're supposed to narrow as much they can when they think there's going to be significant amounts of u.s. involved. there is a narrowing. under ucid 18, if they do a query of a u.s. person they must get attorney general approval based on probable cause. there is a specific limitation
for querying. i won't comment specifically on one agency or another but broadly speaking what we do with 2.3 procedures is try to make other agencies protection comparable. >> i think i heard you say something that also went directly to what i'm saying which is under the presidential policy directive that handles bulk collection, it is only permitted to be used for one of these six purposes and some of those purposes may be criminal but they are criminal as a super national level. they are not -- >> not like this guy attacks -- >> right. >> we will see if he has information. >> right. >> let me turn back to -- 20 minutes, all right. let me turn back to jennifer. you want to critique anything he said. >> one of the things that we know about targets gives us great pause, right? because you know, targets can
be, you know, we are thinking, a lot of people think about targeting as a particular bad guy. but targets can be the french government. or targets can be, and we have seen documents from targets, are doctors without borders. even organizations that are not american are targets. >> that is legitimate? why is it legitimate? >> it collects a lot of american information because people that are not foreign intelligence interest end up being part of the take there. and the rules we have don't adequately protect people when the targets are of that nature. because the collection ends up being so broad. and so, you know, i think we have a lot of reason, even under title 1 fisa where you have to show probable cause, we have seen the heads of prominent groups like care, targets for which there is supposedly probable cause. there is a lot of reasons to be concerned about the way
targeting is happening now. but i think one of the things to be extra concerned about is that we are about to have a change in administration and these rules are executive branch formulated rules. so executive orders can be changed. they don't require you to go to congress. and executive orders can be kept secret. targeting provisions needs, we didn't know what they were until snowden leaked them. but they need targeting provisions for 702 and for regular fisa have to go to the fisa court but fisa court's ability to oversee it is statutorily limited. so we have this problem that things could be changed.
>> let me ask, before we turn to looking forward -- >> okay. >> let's stick with the theme of -- part of your critique is a lot of american stuff gets sucked in as well. but it is also a nationalistic frame. we care if our stuff is collected but maybe we don't if someone else's stuff is collected. let's crop that frame and think of it from a more global human rights perspective. nonamericans abroad. think they have privacy rights, even if it doesn't come from our constitution, we mentioned earlier, ppd 28 will. presidential policy directive 28. can you lay out the ground work of what that was and sort of what it means, not from an american perspective but from a global perspective. >> yes. after the snowden revelations, as i said, there was this international outcry from people who are not americans who were beginning to get a sense of the scope of u.s. surveillance directed at them or opportunistically gathering their data. so one of the post note of reforms and people feel this is
a positive result of the disclosures was ppd 288. so presidential policy directive. and it does a couple of things. one thing it does is limit use to which can you put collective bulk signals into six major categories. >> what are examples? >> counterterrorism. weapons proliferation. big stuff. and still remains this question of what does it mean in bulk? if your target is yemen and you collect everything you can that comes in or out of, or inside of yemen, is that bulk or is that targeted and the target is yemen? so there are still questions about how that is interpreted that we know and what that means. it does say to people if your stuff is opportunistically collected in this way we will use it for these big national security things and not just for anything -- >> why was that a big deal? what was unprecedented about ppd? >> before ppd 28, that information collected in bulk
about nonamericans can be used for whatever. >> there is a sense that nonamericans have privacy interest that needs to be protected by rule. >> yeah. and not just privacy interest but free expression interest. right to gather politically. freedom of religion. so all of these other interests that statutorily may have been protected or policy wise may have been protected for americans. there was nothing for foreigners. this was an effort to say to foreigners, you know, if we use your stuff, then it's going to be for a good reason. >> or if we get your stuff -- >> yeah. >> let me turn to alex. you live in this world. >> right. >> since we have been under ppd 28 for almost two years now, do you detect disgruntlement -- like in the world of drones, i know the agency and military chafes under the presidential policy guidance that limits their ability to fire outside of hot battle fields and wanting to get out from under that. i don't know actually the answer to this. is ppd 28 will propose --
>> is that like other questions you've been asking? >> well -- does the surveillance community chafe under ppd 28 or are the six categories broad enough that basically it is fine? >> i want to make clear it is more than just the bulk collection. there are two other critical sections to ppd 28. they are safeguarding personal information. so information that is -- that the basic without getting into the details, basic directive there is that agencies have to apply comparable protections when they retain and disseminate nonu.s. person information as they would to u.s. person information. and we have to put in place policies and procedures to make that happen. we have published those policies and procedures. there is another one that
requires policy makers to be involved in the signals intelligence decision making process to make sure that we are taking into account all of the risks involved in this. relations with foreign governments. privacy risks. other similar kind of risks that previously were not -- part of this formal structured review. >> if you target angela merkel's cell phone -- don't just do it at a when level. >> and as part of that review process, we could expect to see human right organizations come up in terms of that. that would be something we would weigh in on as being a problem if it were to come up for example. something that might be targeted. and we have talked to human rights organizations about what our general views are on that. >> have you seen signs of friction? it is fine. it is internalized. >> any intelligence service around the world, the natural way to constrain an intelligence service, the main concern is
that the intelligence service not turnity focus inward. that's why jennifer and colleagues and others have been focused on what are we doing with these powerful tools and authorities regarding our own citizenry and democratic process. are we interfering somehow with the function of our democracy? one of the lessons we learned from the hearings in the 1970s is it is important to stay turned outward. so the culture and in the intelligence community has been, be very careful of what you are doing in the united states and what you are doing with u.s. persons and focussing on foreign intelligence. unless you fit a narrow category or constraint and go through the legal procedures. i do think it was to some degree a change in thinking to say now, while you're turning outward these protections we put in place for u.s. persons for all of the reasons i just said is lessons from the church and pike community hearings we have to start about thinking about
requiring that to everybody regardless of nationality. that is a change, at the same time, it hasn't been, you know, if you read how it's written and how we try to design it, we try to design it so it fits within the natural course of business foreign intelligence services so it is nothing they would view as extraordinarily burdensome or something like that. some of it is new. but i think it is working very well, myself. >> okay. one last question on the topic of foreigners. one of the great dilemmas is also reflects what jen was just talking about is that on the internet data is everywhere but law regulating data happens on specific chunks of the planet which may have different regimes that conflict with each other. which raises dilemmas when you have robust democracies with different rules trying to share data with each other across international lines where one system doesn't line up well with the other one. so there was a great effort this year and a deal struck with the european union trying to resolve this issue called privacy shield. what is the one-minute take away
of what that does and why it's important? >> there is a data protection regime and under that regime they regulate the data flows that leave the european member states to other countries. and basically it requires that the other country have adequate protections for privacy that are comparable to what european data protection regulation requires. since 2000, united states have negotiated an arrangement with a european union so that american companies could bring data out of europe into the united states. it was call the safe harbor. more recently the european court of justice took a look at what european commission negotiated in 2000 for safe harbor and found it wanting and basically overturned it, requiring
european commission to reenter into a review and discussion period with the united states government to come up with some arrangement for the companies to bring data into the united states by adhering to some sort of best practice principles that are all outlined in what is now called the privacy shield. that's in a nutshell what that's about. we lean forward in providing information and european negotiators. one thing that i think is important to understand is that european union very complicated situation. they are 28-member states. for now, right? and they form the european union in the treaties and retain for themselves authority over their own national security. so the european union privacy rules do not apply -- don directly apply to member states national security activity. what you see going on within the european member states they each have their own way of intelligence oversight and restricting intelligence activity. >> or not. >> or not. there is comparison between what
they do and what we do. that is not part of the privacy shield. privacy shield is us explaining to them our protections under our various instruments and of course department of commerce had other documents as part of the package. >> can i say something about privacy? one of the civil issues under the 12333 collection is why should i as an american get less civil liberties if my data is overseas. one of the issues that they have with the privacy shield is why is my data subject to warrantless wiretapping under section 702 when i do business with these internet giant that are all located here in the u.s. and the reason why the safe harbor was struck down was because the european court of justice, c.j. eu, said that section 702 does not comply with european standard or human rights law because it allows this warrantless collection of europeans data for these broad foreign intelligence reasons and that that is not necessary and appropriate under their law. and so it was struck down and now negotiators have come up with the privacy shield.
and privacy shield itself will be reviewed by the c.j. eu and c.j. eu will make a decision as to whether it fixes the problem. take a look at the privacy shield and see the decision, it is very clear there is a mismatch there. privacy shield has all of these additional procedural things about where somebody who happens to learn that they are aggrieved by having their information mishandled can go through this ombudsman process and that kind of thing but if the court was serious that the problem is the standard for accessing european data under 702 falls short under human right standard, privacy shield does nothing to address that. that is something something we need to consider in upcoming 70 it. it is very important we have these data exchanges because lots of american companies customers come from the eu and we use services in the u.s. so we need to this this trade. a lot of people depend on it. but if they take itself, its own opinion seriously it will
stretch down privacy shield and be saying basically you need to give european citizens substantive assurance that they will not be warrantlessly wiretapped without good cause beyond the united states had a foreign interest in it. >> we will have time for a question or two. think about putting your hand up and i think a microphone will be brought to you. lightning round for us here before we go into that. looking forward to a trump administration, assuming you stay in your position now for a third presidency. a fifth director of national intelligence. what are you watching for in the first year? >> i think with any new
administration, there is a period of time to understand and learn what it is we do and value we add and how we conduct ourselves. i think a lot of changes we have been talking about here do have enduring value. the reason we put the changes in place and are doing the things we are doing now is because of conditions of the global environment, public expectations and those aren't going to change. those aren't going away. in order for us to be effective i think we have to be committed to the kind of transparency initiatives we have been talking about to engaging with folks here and with civil society generally and our friend in europe to understand their concerns and see how we can best address those concerns. so i think the kinds of things that we have been talking about are really part of the ethic and culture of what it means to be an effective intelligence professional and that will remain the case regardless of
administration. >> so national security deep state will endure and sometimes that might be happy from a libertarian perspective? >> i don't know what you mean by national security deep state. >> bureaucracy of national security officials who have em bodies the learned values which may include we should be more transparent. >> right. >> and things that people don't like as well. >> we published two separate sets of principles that i think embody what i think we are as an intelligence community. one is professional ethics. those came out in 2012. they talk about lawfulness, truth, democracy, stewardship. excellence. these are core principles that i think em body who we are as intelligence. and then what i think is just a fact of life these days, you have to find ways to be engaging with the public on these issues. >> and in 30 seconds, what are you thinking about with trump? >> fisa passed in 1976. the trance -- 1978.
transparency stuff that alex has been working on is something that happened over the past, you know, couple of years. if you look at history of intelligence surveillance, it is a history of political abuse. what you see is all there is but that's not actually true. our experience is in this moment in time. right? but in the story of surveillance is a story of overcollection and political abuse. and so i think, i'm not optimistic that, you know, things aren't going to change. we've had problems. and those problems could get worse. and one of the problems and kind of things we rely on for accountability and fairness, that are discretionary within the executive branch and secret. and as long as we rely on those discretionary rights, we are in
a hell of a lot of trouble under the trump administration. >> all right. >> gareth porter, investigative journalist. i would like to pose the question or problem of incentives that are built into -- >> can you speak a little closer to the microphone? >> sorry, yes. i would like to pose the question of incentives built into the problem of accountability and transparency and other values discussed here. the assumption implicitly, and i'm not being critical, is that the cia is a disinterested party. the reality i would suggest is that there are two incentives built into the problem that perhaps disturb that picture. one is the fact that there's a
power equation here. that more bulk collection of intelligence that impinges on personal freedoms and so forth gives greater power to high ranking officials. >> what's your question, sir? >> and the other one is potential conflict of interest in terms of profit. we know that senior officials of the cia and nsa particularly in the cia have gone back and forth between public positions and private concerns which have interest in particularly technology. >> so i have to cut you off. do have you a question? >> the question is, is it not the case that there is a conflict of interest here. built into the situation where senior officials have an
interest in technology which does tend to be in fact collecting bulk -- >> is there a conflict of interest with senior surveillance officials who also go to private sector and want to have a more spending and power on surveillance? >> no, i haven't seen any hint of that myself. i think the people i've been dealing with are very focused on mission. that a critical part of why they come to work and put up with what they put up with. i have not, myself, seen evidence of that. >> one last question from anyone else. >> thank you. i appreciate the information. may name is don ellison. one question i do have is i've been hearing all day about how fisa court is the oversight on what is taking place inside the collections. do you think the judges have a
level of the understanding of the technology and methods that allow them to make a fair decision on what is being done? >> good question. you're a lawyer and a -- >> yeah. >> do the judges on the fisa court, are they qualified even to understand what they are looking at? >> you know, this is one of the problems -- the one thing is we don't know. we don't see their opinions. we don't -- the court hearings aren't open. some of the technology that's used is very complicated. but from the stuff we see, we see that fisa court is misunderstood or misapprehended programs it approved. in 2011, eventually we saw this opinion, there was a about 702, the court was surprised to learn that way that the government was conducting the collection ended up grabbing wholly irrelevant communication as well as domestic communication which was about the foreign intelligence selector and the court hadn't known that before. its understanding of the program was different.
and in fact the program was so complicated that people inside the government even once they learned this was the case never told the people who knew they needed to tell the fisa court. we also have seen some fisa court opinions that just as a purely legal matter are sub par as in terms of legal reasoning. behave seen ways in which fisa court approved things even without bothering to write an opinion or explain its decision making. the fisa court is of real concern. that one of the reasons i think in usa freedom there was prevision for legal advocate but i think one of the reforms that people are pressing for is to not only provide an alternative legal argument for the court to consider issues better but also for technological expertise. so much of what end up happening in surveillance is technology. >> can i quickly defend the court? >> yes. >> the court consist of 11 federal district court judges.
they serve on a rotating basis. in my experience they take their job seriously. we are looking to public additional opinion possess. they do hold the government to account. they have appointed amici. they have appointed legal advisers. and we have released some of that already. is each individual fully conversant with technology? i can't speak to that. technology moves quickly and it is very complicate end hard to keep up with. and even technology adviser that person would have a bunch of stuff to keep up with but they take their jobs seriously and perform duties professionally in my opinion. >> we are out of time. thank you both very much for getting this wide-ranging discussion. i hope you enjoyed your broader day here at the cato surveillance conference. we will turn it back over to julian here to send us to the exit. >> thank you to charlie and our discussants. our final speaker before we release you to the world and or happy hour and drinks, is sort of the dr. who of intelligence. or surveillance law. or surveillance law. somehow mysteriously he is
there. the doctor showing up in the whole photo from the "titanic" and the battle of bull run. he was there at justice department as prosecutor in the '90s as courts were beginning to tame the wild west of cyber space by interpreting law in this new domain. and in 2008 will when the predecessor of the fisa in section 702 forced yahoo! to begin turning over information about client and in response to what some might call general warrant. mark was there. and as far as we know remains the only attorney to argue in front of the secretive foreign intelligence court and most recently when fbi and apple got into a tussle over their attempt to incrypt iphone drives, mark
was there and called apple's secret weapon. excellent profile in the cardigan. he is again, i have much like dr. who. the founder of zwillgen. and now going forward the continue in front of the intelligence court as one of the amici created by the usa freedom act. please join me in welcoming marc zwillinger. >> thanks, julian. i appreciate the dr. who reference.
i was afraid you were going with the forest gump reference. thank you for having me here. it's been an interesting day. it's been interesting to talk about surveillance issues through the prism of the upcoming trump administration and that's an intentional pun. i'm glad i'm delivering closing remarks because there are a lot of people in this room that i want to thank and that the program follows the rule of law. and this is even more important in upcoming years. my remarks are totally my individual capacity. i'm not speaking on behalf of any technology client or the fisa court. there are restrictions on what i can discuss but i will do the best can i. for those of you who weren't paying attention to julien's detailed introduction, i have
argued in front of the court of review twice. first time representing yahoo! in the constitutionality of the precursor of 702. second time in earlier this year. first amici before the court of review, challenging the constitutionality of capturing of post cut through dial digit. the digit you dial after a phone call is complete. even to make a second call or to enter in some banking information or personal information and the government was collecting that under the authority of pin register statute and i was arguing against that. so the bad news is of course i'm 0-2. the good news is, no one can claim a better record. but i've done other things as julian pointed out. i argued for transparency and reporting on national security process. i have challenged gag order in the district of maryland for providers who have had nsls and wanted to talk about them. and not the only time i have
fought with the government in secret. apple cases were really about effort to make sure that providers and device manufacturers aren't going to become agent of the government in helping turn people's devices against them. that is something i'm worried about happening over the course of the next four years. but i want to start with a positive note which is that the vast majority of the work that i do for my provider client is behind the scenes. for it is not fighting with the governments in the courts. but counseling client on how to match-up the complicated provisions of the electronic communications privacy act or the fisa statute or nsls or 702s and match data they have with the type of process the government needs to get it. on this work i represent literally dozens of providers. and this is crucial work. not high profile. not things you real about in the paper.
but the vast majority is routine process. they are serving correctly. not controversial. calls for proper data. but providers need to understand exactly what data they can give back when they receive search warrant and fbi does not do a good job of explaining it. and the fbi doesn't come in and say by the way here are options of challenging this. if you want to challenge it. except where they do it under the statute for nsls. bulk of my work in my career has been figuring out exactly what government is entitled to get and helping providers give it to them. the reason i mention this is for balance. providers are gate keepers for weather of data. it is imperative the government follow their procedures to order to get data and follow proper discussion in disclosing it. he said, talk a little bit about why you spent so much of your career working on these cases. why have you made privacy and
consumer data center piece of your law practice. and why did you build zwillgen and have 25 leaders who deal with it? that a good question. you don't stop and think about it everyday when you're doing it. and the simple answer and probably the answer for most in this room, is we all want to do something that matters. i always thought this mattered. i still believe that. i believe that more today even than i did maybe one month ago. because being a gate keeper for consumer dwrat for technology companies is somewhat ironic for know play that role. i started my role as a prosecutor for the department of justice and i spent a lot of time teaching fbi agent on how to gather evidence and use existing authorities in the telephone world to get data available in the internet world. and what i saw was that there were very few lawyers that the isps and internet companies could turn to to get advice. either when their systems were hacked or asked to turn over data.
there are many lawyers on the government side trying to figure out how to get it but very few advising on what to do when they receive the requests. for a brief aside i never told people, this part of my practice started in 2002. i met a lawyer from yahoo! at a conference. i said to her if you ever need advice on figuring out what to do when the government comes calling let me know. about six months later, two hours after my son was born while at the hospital she gave me a call. and she said, the yahoo! is being -- i'll describe in my own terms, but essentially bullied by the federal government in a child pornography case. the very kind of case the companies want no part of and most lawyers want to stay away from.
in this case the fbi submitted an affidavit that turned out to be false as to what information yahoo! members got when they joined the group. a lot of prosecutions and guilty plays had been based on this affidavit. and yahoo! was trying to help the government get it right. that is figure out exactly what information people did get. but the information didn't really want to listen. it would jeopardize the guilty pleas that already happened. they didn't want to listen because in part they didn't believe yahoo! because they believed their fbi agent. so yahoo! turned to me for help. and the government was powerful. right? and the consequences of this fight helping potential child pornographers avoid conviction was an healthy consequence. but for them the truth is important.
and standing up to the bullying of the government even though a very difficult place for anybody to be fighting with the u.s. government usually is, especially in a way that can end up freeing bad people is difficult. but they wanted to have that fight. and that's how i got started. and realizing what the government was taking some liberties in what they are doing to secure convictions on the internet. that not the doj i had been part of. okay. so with that personal bio, what is it like now? it's still difficult to be in the sent of these fight. on any given week my client can be criticized for not helping the government. even though doing so would be an extraordinary measure, as in the san bernardino case, and looking under any real rock when there is no expectation of finding something or criticized for helping the government too much like yahoo! was in a case
recently of a threat of harm when yahoo! was asked to do something they didn't feel would undermine the privacy of legitimate users in the same way. when client do fight when providers do challenge these orders they are often not able to talk about it. i wasn't able to talk about the fight and certainly yahoo! wasn't able to talk about the fight they had in fisa court in 2008 will until after 2013, until after disclosures from snowden and they were accused of rolling over and giving government their data when they did not. this is a no-win area of operations for them. so with that background and thing i've done and seen and as we close today's conference i thought i would talk for a few minute about the things that i most hopeful about and most worried about for next four years on surveillance law and policy. i'll start with what i'm most hopeful about because it's shorter. in the years after the snowden disclosures we have made
progress on a lot of front. much of it with regard to transparency and procedural aspect of litigating in front of the foreign intelligence court. in the past, before passing the usa freedom, testifying in front of the oversight board, that it is a lot like sending a letter to santa claus. you gave a document to somebody. didn't know what happened to it. didn't know where it went. something came back and you didn't see the whole process, you just had to believe it is working. we are in a very different world right now. there is a public document. happily this year for the court of review. there access to presidential review to the report because of declassification and usa freedom. there was one decision in a case that was declassified and publish end that was it. no rules to follow. now both courts have published rules and procedures. there is physical space for the court to meet when i argued in 2008. borrowed courtroom in rhode island and new a court for the fisc and fiscer. there is an ability for the group appointed under usa
freedom to do research and be there at the court and write briefs and it's not nearly the mysterious process it was before and of course there's me. and four people appointed. now five. to serve as amicis. the court is actively using it. two people were appointed this year to argue cases in front of the court of review. there is more transparency because there is reporting now. at least in bands by service providers and to challenge gag orders on national security levels. that has been a lot of progress and progress that is consistent direction and progress that's hard to undue because the court are involved, judges are involved in the fisa court. and question was asked before about judges on the fisa court. there are problems with judges understanding technology but the same problems in all of the federal judiciary.
i argued a case in the first circuit. one of the judges was justice suitor in the first circuit. not the draw you want when you are arguing about a case of video surveillance and supreme court justices. he doesn't have e-mail. i'm trying to explain to him how an app works and he hasn't started using e-mail for professional or maybe even personal use. while there are problem with judges, i don't think the problems with the judges in fisa are different or unique and it is a problem of plying law to technology and technology in some places are is hard to understand. i don't attribute this all to snowden exposure, but to people with key roles in the department of justice and other in the last administration. i do believe people were trying to dot right thing on the transparency side and make it a place where there is another side to be heard. but the change takes me to the four things i'm most worried
about. one, i think it is possible for the time of meaningful positive surveillance reform may be over. we will effectively have to shift in civil society and shift from playing offense to good defense. the past several years many of us have been working to ensure there are meaningful checks and balances for executive branch and carrying out domestic and to some extent foreign surveillance and a difficult fight but we made progress but now is when the value of those checks and balances will be tested. and i have to say, i was a little bit satisfied and a little bit disturbed in this morning's session is hear my old adversary matt olson say when he was in the government he couldn't imagine the government ever led by president trump. and he suggested that had he
been a able to imagine he might have used discretion differently. i was satisfied because i come around to what i always say but i'm disappointed with his failure of imagination. president nixon was not that long ago. how soon we forget and those failures of imagination can be costly. we will find out the next four years how costly they were. whether we got enough reform such that the key institutions that we put into place will save us from really bad outcomes over the next four years. or whether we are left in a position where the appointment of a few trump loyalists and key government positions specifically in general council ranks will remove the discretion or checks and balances that we got and return us to an area of unfettered executive discretion. i don't know if we made enough progress but i'm worried we didn't and i'm worried about the people responsible which they
could go back and do it differently. and i wanted to comment on something said this morn, a waste of time to fight 702 reauthorization because it is one of the most regulated areas of government surveillance. and jennifer granick said in the last panel that there is still a fight on 702. i probably agree more with keri on this one. society has to change its pivot on it. there is already institutional oversight like fisa court. we have to put into judges and appointees who we know will uphold the rule of law and be more vigilant in the areas where there is unfettered discretion like 12333 and so we have to not -- we have to recognize we won't get everything in we want on 702 reform but we are pretty good there and in dangerous places elsewhere. that said i do have comment
about the fisa court and this is the second thing i'm worried about. relying on minimization and use restriction on everything. generally the court does not see a problem with overcollection as long as minimization and use follows. the touch stone seems to be reasonableness and case law developing suggest they are not sympathetic for prior judicial review by a detached judicial f prior judicial review for a detached magistrate. we're to overcollect and figure out the rules later and if the rules are reasonable it's okay. the job for advocates over the next few years is point out the problems for this approach. collecting and maintaining vast kwan thoifs data collected outside the traditional framework of the fourth amendment becomes too temperamenting temperamenting --temperament
-- temperatures for the government to dip into. the solicitor-general stood and when asked by the court what the harm was if nothing bad happened to them, the solicitor general said that's right, there's no database for collected information. they are not maintaining a database of collected information. whether that was true at the time we know it is not at this time. there were 94 targets of 702 orders according to the dni report and if each one of those people were talking to 10 people in the united states, probably conservative estimate, there is 1 million sitting in one year the government can query. this is a job for civil liber liberties than the companies. the companies want to make sure the data doesn't leave their doors when it shouldn't. once it goes out the further use of that information is not
really a fight the companies can and have taken on and they lose the unique standing they have once they collected and produced it. it's for the civil liberties community to work on. two more things i'm worried about. i'm worried encryption is being viewed as part of the problem rather than part of the solution. during the russian hacking of the dnc when all the plain te texted e-mail came out what didn't we see? didn't see end to end communications or i messages or signal messages. this should be the wake-up call to point out for all the claims the encryption is taking for the government for the bad guys that's actually quite good for communication between the good guys. a key message from these russian hacks should be end to end encryption is important to keep our country safe not just protect the privacy of information between individuals but to keep our country safe we need secure communications.
i'm not sure that's going to be the take away but i think it should be. it really drives home the point a lot of the technology companies have made and like matt blaze have made it's not technology against security, or security against security, two different types of security. if we know someone is threatening to steal something valuable we put it behind a l k locked door and try secure it. we don't just send a lot of cameras to watch it. all that will do is tell us who took it but won't keep it safe. encryption will keep the communication safe. we won't have as great visibility, the cameras won't work as well but it will secure the communication infrastructure. i think the russian hacks are a real wake-up call for that. all of the hacks see we're generally failing on protection side. we're not failing so much on catch the bad guys' side. the choice we're faced with, do
we want to have better secured systems the bad eyes can use and catch them some other way or want less secure systems but better visibility. as i said as matt blaise said before we can't have it both y ways. as my friend, jennifer granite pointed out, the last administration said we don't really believe you, there has to be another way. this is the problem we will face over the next four years. the new administration she's pro-penty to not believe science at all, don't believe climate change and don't believe russian involvement in hacking and probably won't believe the back door is weakened. and they've shown and early disdain for evidence-based decision making. that makes me very worried when this society stops listening to scientists and ignores evidence it's in trouble. i hope my concerned about this
are overblown. finally i'm worried the government will work to ton the ubiquity of technology from u.s. citiz citizens. five years ago, it was whether they could surreptitiously turn on the laptops and spy on us, when posed to director comey, he said it's good idea to put tape over the webcam when it's not in use. as a society we've moved well past tape over the webcam. our houses are filled of the internet of things. internet thermostats and dropped cams and ring doorbells and we drive connected cars and if the early sales for black friday and cyber monday are to believed everyone will have an amazon echo or google or cortana in our house. and those used to activate these devices are just as unclear as e-mail and text messages in 2001 when i left d. o.j. if there's one thing i intend to
work on in the next four years working with the providers of these technologies to set clear rules what they will and won't do when faced with third party requests so our consumer technology is not turned against us as a new vehicle for government surveillance. all right. was that depressing enough? let me close with one final perverse note of hope. it goes back to the first panel in the morning. in the fight apple had with the fbi over unlocking phones, a lot of the public sentiment was pretty split. people think the u.s. government should be entitled to get whatever it needed with a warrant but understood it was a problem if a foreign autocratic regime or leader could force apple to turn data over to them. it was inconceivable to most people except of course to the europeans that the u.s. government itself should be l k locked out of the data for fear it would use it improperly. people forget it was the surveillance abuses of the intelligence apparatus in the united states under president
johnson and nixon in the late '70s and findings of the church committee that brought out the need for reform for fisa in the first instances. given the rhetoric of president-elect trump and some of the potential cabinet appo t appointees it's no longer far-fetched citizens need to be protected from abuse from the u.s. government and not just foreign governments. that atmospheric difference you heard in the first panel of the day may end up making somewhat of a difference in the surveillance debate in congress and the courts. for the sake of all the people in this room and the sake of the rule of law, let's hope so. [ applause ] >> because we're really up against the time limits, i will suggest folks here that want to ask mark questions take the opportunity to do so while we go to the atrium for some snacks
and some drinks. folks watching us either on our website or via c-span, i'm afraid you have 0 supply your own alcohol but welcome to join us in spirit. thank you all and please thank all our speakers once again as well as i should add our conference staff and keonna graham and those who did all the actual hard work while i stand up here and take credit for organizing this, join me in thanking them again and please join us outside. on between the
u.s. and japan and later conference on u.s. foreign intelligence gathering. the presidential inauguration will be on january 20th. in a news conference on the inauguration, washington, d.c. mayor muriel bowser and law enforcement officials discuss their preparation for terrorist threats and 3,000 from other jurisdictions will assist. this is half an hour.