Skip to main content

tv   Politics and Public Policy Today  CSPAN  December 14, 2016 10:31pm-11:50pm EST

10:31 pm
benefit from his national security and his intelligence briefings and that one would hope he would take advantage of this time before the inauguration to develop a relationship with the intelligence community and become better informed. oft speaks to the question how does he understand that the intelligence community is there to assist him in his decision-making process. can tailor the reports to areas that he wants to focus on and that is where we need to see some improvement in terms of him fleshing out who his senior leadership team is, who is going to give him the briefings. if it is true that he is receiving his briefings three times a week versus just a couple of -- since the election, that is an improvement. >> the problem is this is not about, that is good but this is
10:32 pm
not about how many times a week to get the briefing or whether it is the presidential daily brief that he reads and then gets briefed. presidents do this differently. in history and in my experience, president bush and president obama handled it differently. it does come back to how the world works and how the people make important decisions and they do not make decisions with the idea that something important happens, come tell me. that is absurd. somebody inthe way a leadership position who is responsible for putting american lives at risk all the time should be making decisions so the information that comes to the president if you think of this as a pyramid, at the base of the pyramid, there is the vast amount of intelligence that are collected by the intelligence community. it works its way up his pyramid to the top where senior level
10:33 pm
officials within the intelligence community with the best analyst are making what their most important customer needs to know, the president of the united states and that is at the top whether that isn't in here -- in person briefing and if the president is dismissive of receiving that information and is disdainful of fact in making those decisions, as we have seen, then we are in a very peerless moment when the decision, these are not -- the decision the president makes and is accountable for making, not the vice president, we elected to president to make these decisions are not decisions he makes once a month or even once a week. they are decisions that the president is called upon to make multiple times a week. on counterterrorism operations in particular that involve the deployment of u.s. military forces. and putting american lives at
10:34 pm
risk so the notion that we can a chief executive who is in the position to tell me something important happened is truly alarming. >> a quick follow up. that is exactly right and just to put a finer point on it, the liver -- the deliberate rejection of briefings should be viewed not as a benign, i am busy doing other things but as application -- abdication of responsibility. when a senior executive and government does not want to know what is in the briefing, that i think can be viewed through a should therefore, something happen as a result of the information that is in that briefing, they are not , weuntable and we have seen have experience, we have seen unfortunately some members of my can think of one member of congress who has done this and when they decline a briefing and
10:35 pm
therefore can speak publicly at will because they do not know, that is not a benign thing. that is a deliberate strategy. willfulee about bigrance and we had a debate about surveillance and privacy. i have made the point that you can simultaneously -- simultaneously believe there needs to be more controls on surveillance and because there is a lot of surveillance and data gathered by agencies that know what they are doing, they probably know a lot of stuff, those two things make sense. pushback orn some criticism saying, now you guys like the intelligence committee. i always liked the intelligence committee personally. that is the point. they gather information and they have it available to the president. --can debate 702 and whether
10:36 pm
it is valuable and provides all this information for the presidential daily brief. if the president is not reading it, what is the point? and carries point is well taken. a lack of competence or wanting to do other things that are less boring. it is a deliberate strategy. i agree with that. the people who push aside information are doing so because it pushes aside the responsibility. since i did not know that i can do what i like and that is very worrying. we have some time for audience questions. if there is something you would like to ask please raise your hand. when we go to the gentleman in the pink tie. please wait for the microphone to reach you so the online audience and everyone here can make it as well and do a comment and not a lecture. thank you. -- a question, not a lecture.
10:37 pm
woody kaplan, the civil liberties list. to this with a great fear of the imperial presidency. it started with lyndon baines johnson. i am taken by a lot of the comments. i love susan but it might be naive, you know more about it than i do. the u.s. attorneys with whom i have spoken have told me they can get away with virtually anything by creating probable -- probable cause and walking across the hall from the nsa to at&t or something and say we need these records. we need this information. having thedea of watchers watch themselves, those employees of the organization's
10:38 pm
because they are so full of goodwill, i am greatly skeptical of that. i am greatly skeptical of almost all of the internal oversights and i hope you guys would comment on that a little bit. ori just permit -- paranoid am i particularly paranoid? >> why should people believe people who are sitting appears saying trust us, these are rigorous with its of oversight that were put in place. >> a quick comment. i am wrong.le i have -- this boils down to i know this people and i do not think -- i think they would resign. that is not a formal institutional protection. this goes to what is the strength of our faith in the institutional protections and what does look like you when i look at get this with the history of the nsa and things that occurred before i was
10:39 pm
there, the president's surveillance program. the general counsel's office was not told. that is a real problem. the way the agency is constructed, that could not happen again. i do not believe that could happen again. existprograms could not without members of congress knowing. is true only because the bad thing happened and there was a response. there were probably lots of different pockets of the government in which that potential has not occurred yet so there has not been a response. the way to address this is not necessarily to attack the substantive, does this invade civil liberties, is there privacy, what is the substance but think about how do we get multiple branches of government involved in that oversight process. how do we build in technical
10:40 pm
compliance mechanisms and do as much as possible to make sure we have multiple eyes and it is not just the watchers watching themselves. >> anyone else want to briefly respond? x i largely agree with that but with the caveat that policies can be changed and that was appointed was trying to make about the power of the executive branch. the director of nsa works for the secretary of defense and the general counsel office advisors -- advises that director. if trump's attorney general says this is my opinion about what the law means in the constitution means and there is no court decision that the opinion is wrong. as a structural matter it does not matter with the general counsel thinks about that. whether he or she disagrees with that. we saw a little bit and that was the rationale for denying access . there is a broader point here. the president is -- has a lot of power.
10:41 pm
of thein charge executive branch. all of these mechanisms are important and i believe in them not just because i know a lot of these people and i was one of these people but they were well-designed in many cases. they are still nevertheless within an executive branch process and they rely on types of control and this is my biggest concern is not so much the calibration of how much or little you do and how close to that talk when you get but they rely on a president of the united states taking that in as a control on his behavior even though they work for him. of shame on a degree being required. that is true even if checks and balances for congress and the -- therea those are
10:42 pm
was a wonderful piece called libertarian panic, criticizing people he me saying that we are involved in a libertarian panic, not so much criticizing, he was praising us in a sort of odd way saying it is a good thing your -- you're panicking because that is the reason these abuses will not happen but it may be a bit of a panic. my -- part of my response was, that was the american revolution. was a libertarian panic. of look at that look at -- grievances in the declaration of independence and they are out there. they are not a fair description of what the british were actually doing. they were over the top. in a way, our country was founded on the basis of a libertarian panic but making the point that i think all the control jack was describing which come from his wonderful book "power and constraint" which i largely agree with work for different philosophies and
10:43 pm
political parties, but do they open -- work for trump? >> the gentleman in the middle in the fourth row with his hand up.
10:44 pm
10:45 pm
10:46 pm
10:47 pm
i have a lot of respect for your you.ective and in all of you talked about the fact that you think the greatest threat to civil liberties abuses is not from the surveillance side but other counterterrorism policies fbiyou mentioned the guidelines. what are some of the other counterterrorism areas where you feel like the potential for abuse is greatest and where some of us should be focusing on surveillance? >> this could be a long conversation. , we werek the focus on engaged in talking about 702 and trying to figure out where to draw the line in searching for information. that controversy, that debate had become focused on a very
10:48 pm
specific and narrow but important issues. beyond that now in terms of the things to be concerned about. i do think that the greatest area of risk from a civil liberties perspective is domestic law enforcement. scenario of the day after or the week after an attack. the wide discretion which we rightly give to the fbi and local police departments and law enforcement to investigate crimes and to preserve our safety domestically, there is the potential when the leadership of our country makes a statement that we talked about making in terms of the muslim community and how we should be reacting after a terrorist attack. the greatest fear and you are in a better position to think about how to constrain those activities but the idea of greater surveillance, it does not rise to the level of going to a judge, investigative powers
10:49 pm
that law enforcement and local police departments are going to have to basically be in a position to intrusively be involved in neighborhoods and communities in a way that is not american. placed on me in thanking this great panel for a really stimulating discussion. we have a 15 minute break. at 10:45econvene here a.m. when will take 10 -- we will take 10 minutes. , weave outside on the table have extended by other fees in a panel outside. those watching at home can go to find biographies
10:50 pm
there. please join us in a minute. welcome back to the morning session of the cato institute's 2016 surveillance conference. we heard a lot on our first panel about hacking by the but ourgovernment government to increasing the it necessary in an era where crimes may take place entirely in computere to engage in network exportation, hacking as a mechanism of conducting searches. ideally searches authorized by the fourth amendment. this raises a welter of questions. differentng via hack than condition of --
10:51 pm
conventional search or wiretap? is the recent change to grow 41 of criminal procedure bending the authority and using hacking techniques or is this something that congress should develop its on framework for. what should the posture of the intelligence committee toward --er ability discovered -- toward vulnerabilities that were not disclosed leaving routers vulnerable. and thess these difficult questions of how to regulate hacking by the government or for law enforcement or intelligence purposes. panel. a fantastic if you follow surveillance and intelligence and national , alan -- ssues at all
10:52 pm
then nakashima of washington post. my immediate right is kevin bankston, director of the open technology institute at new america think tank for the digital age. novich right is amy stepa at a human rights group. we have matt blaze. ofm the university pennsylvania and richard downing, acting assistant ag in charge of cybercrime investigations. i think we will dive right in take notes as we discussed.
10:53 pm
we will be leaving sometime at the end for your questions. julian mentioned earlier this month a new rule change took effect called change to rule 41 which allows a judge in one district to approve a warrant hackaw enforcement to computers outside the distant -- district. to identify ip addresses of computers whose locations are unknown and to identify the ip addresses of computers that have [indiscernible] government need this rule change and what kinds of investigation? >> the rule change was brought about by the advance of technology. this role was promulgated back 1917.70 teen --
10:54 pm
of governmentle searches of homes when there is probable cause and all the best -- bells and whistles that go along with our constitutional protection. in 1917, the rule makers thought rightfully at the time that the investigators would know what court to go to in the rule was if you want to search of property in a particular district, you go to the court in that district. the difficulty that has arisen is twofold and they are both problems that were created as technology has advanced. the first one is that we have near perfect anonymity systems that are now built that prevent law enforcement from being able to identify what the location of the computer is. the torwork such as
10:55 pm
network which creates an anonymous nation -- ano nymization. prevent law enforcement from knowing where his home is in order to get a warrant for it. andone primary mechanism this will change, all the rule changes say in those circumstances where the location duehe computer is obscured to technology, it is a very slim thing. in those cases you can go to any court that has, that relates to the crime that is under consideration. in 1917, that was not an issue. today it is an issue. the only change that is made is to allow investigators to know which court they go to to apply all the same rules that would
10:56 pm
normally apply under the circumstance. >> he says it is very narrow, very restrictive and only in these cases where the location of the computer is unknown. and someou say to that libertarians have raised concerns about the removal of the jurisdictional limits, why? >> the rule was one of the few practical limitations we had in place to broad government hacking. is congressroblems has never considered this and has never passed a law exclusively allowing it. the reason why that is important is because hacking raises all sorts of increased risks from other types of searches. wiretapping, storage munication that warrantngs have been used for. when you look back when the wiretap act was passed, it was
10:57 pm
particularly invasive. hacking can be even more invasive but we have no substantive authority which means we have no additional protections that we think we need in place. >> how can it be more invasive? >> any number of ways. matt may know more of the technical pieces. it is very hard to determine when you put malware or the government says this is not malware if they are using it. when you put something onto a computer, it is hard to figure interact withill the computer, even if you test it, even if you have some sort of understanding. about anelton talked update to ipad. apple tested the update. they knew what they were looking for. risking any number of devices when the update was pushed through. it ends up having a lot of
10:58 pm
unpredictable impacts are you -- impacts. >> important thing to keep in mind here is that all of the hacking or a large fraction of what we call government hacking and remote search has at its core taken advantage of some kind of flaw or software bug in they arem that searching. in some cases, that might be a relatively simple thing like convincing somebody to click on an emailing through something that is not efficiently authenticated. it might be a much more subtle, much more technical exportation of an unintended savior on the computer platform. first of all,s is we cannot predict with 100% certainty what the behavior is what the scope
10:59 pm
is going to be. we cannot be sure that it will out of control. we not -- cannot be sure it will not over collect. in some circumstances this may be an acceptable risk. that congress has never explicitly addressed. judges almost certainly do not understand when they're issuing onse warrants, and we are uncharted territory technically and legally. >> there is a broad concern to a tacitled approval by congress of remote access searches which they have never done before, which we have not had any meaningful policy conversation and know very little about.
11:00 pm
it has been done for 15 years. i also on the particular risks, there is also and in comparison to wiretaps there is a difference between me wiretapping you for 30 days or extensions and having access to the computer and the microphone and the accounts that might be accessible from it. recognizing the government does have a problem, how do we identify these people who are using proxies i would have been more understanding putting aside that broader question of tacit approval of a tactic we have never really talked about. i would have been more comfortable with a rule that said if they are in securing their location, you can do a remote access search to obtain their location and nothing else. and then go to the appropriate court if it is even in the u.s. and get a warrant to seize the computer but that is not what this did. >> you are saying there are not sufficient restrictions on the
11:01 pm
authority here. could you address that point? think the important thing to understand here which i alluded to at the beginning is that there are many rules that already apply every time that the government wants to use a warrant. we still have to comply with the wiretap act if indeed that would be part of what the execution would be. the fourth amendment has many different layers of protection. you would have to have a warrant that presents probable cause and particularity. you have to specify which computers you would be involved in. you have to go to a independent judge who reviews it and evaluates the facts and decides whether this is a justified search. is a fourthat there amendment requirement that the execution be reasonable. it cannot be overreaching and overbroad. there is many layers of safeguards and review after the fact. if there is any over collection, that is the kind of thing that
11:02 pm
our system is very good at ferreting out through the process of discovery and criminal prosecution where suppression would be a remedy is the fourth amendment has been filing did and the victims get to sue the government if there is a problem or a constitutional violation. what i am saying is there is a lot of roles that are involved here and in our view, those are the kinds of protections that are important in protecting our constitutional right. where open to discussion about additional rules might be useful but the important question to ask is what is it about the current system of robust safeguards, is it insufficient to address this kind of collection? safeguards dof you have in place to account for the technical issues that matt potential ofso the over collection, how do you notify victims? >> right. the question of is it possible the government's activity
11:03 pm
could damage a computer or do something inadvertent or inappropriate in the course of doing what was intended to do which is to collect evidence in the case. as searches happen in the real world, remote searches also have risks inherent. nothing will be perfectly risk-free. i would say in the majority, in the heartland of cases where a targeted remote search is done against a particular individual's computer, the potential harms are quite limited. the computer stops working, ok, that is bad. not something anyone would want but it is hardly a broad, systemic problem. the second piece of the rule is useful in the context where there are many computers perhaps that have been infected. malicious software has been installed, criminals are controlling those machines often
11:04 pm
from outside the u.s. and bad things are happening. the question is when, if and we have not done this, if there were an opportunity to do some searches of those computers to bot, ise the bought -- it possible you could have inadvertent results? it is possible. when we have done this sort of thing i'm a we have worked with computer security experts outside of the government and inside to make sure that whatever we are doing is going to do no harm and to our best -- do our best to do that for you -- that. record of doing this effectively. we want to make sure these tools are used appropriately. the key question i would have and i am interested to see if
11:05 pm
the panel has thoughts on this, at the same time that there is a potential risk of -- over here we have the real risk that is ongoing harm to the people who have those computers. when hospitals are having their bricked, we have to potential risk is balanced. >> when we just let me start by saying that i am not speaking from a position of being unconditionally opposed to remote searches. , we wrote aeagues paper on the technical preferably ofand
11:06 pm
searches. it is important not to be too well thesebout how tools work particularly as we scale up. first of all, for precisely the same reason you're able to do remote exportation of computers, software is hard. software is so hard that in general, we do not know how to build it correctly. software with security implications is particularly hard, particularly fragile. again, particularly when it is being installed on the computer whose configuration you might not actually be fully aware of. confidence with these tools -- that these tools are actually working as intended have to be
11:07 pm
understood in the context of hard problemust a but it is the fundamental problem of computer science which is that we do not know how to build in general reliable software at scale. working inare absolutely treacherous territory when you do this. what that means is the only thing we know that works is relentless scrutiny. of the legal system, a discovery process where the defense gets to apply scrutiny to that would be something that would be not just nice but probably essential. relentlessinds of scrutiny. the other problem is one a judges authorizing this, they are altering his -- authorizing
11:08 pm
tools that they very likely do not fully understand the scope of and the risks of. because this is largely new territory. when a judge authorizes a search warrant to physically break into a house with a no-knock warrant, a judge understands what that is and what can go wrong. it is very unlikely that a warrant for a specific house is going to end up inadvertently searching an entire neighborhood or an entire city. in the case of a remote computer search, the targeting, the scope of what is collected and the potential for collateral damage are really much more difficult to pin down. it is easy to say with the tool is intended to do. it is harder to say what the tool will actually do. this is very difficult for technical territory we are on. >> to we need a legislative framework to regulate these
11:09 pm
sorts of remote access searches? and how would you account for the technical difficulty in such legislation? is a big one. absolutely we need a legislative regime to govern this we have for wiretaps considering this raises all the same issues as a bunch of other unique ones. i am not certain how best to address the issue of minimizing the technical risk in the deployment of the tools. i appreciate whatever internal is engaging inj to try and quality assure that. that is one branch of our government. we need congress engaged in that discussion. we need the courts engaged in a .ay there are interesting transcripts from the cases where the judge was struggling to understand what the concept of,
11:10 pm
you send instructions to the computer, are you calling it, what do you mean by sending us actions? they are not necessarily install that you will software and they will send back this information. i take rich's point about the fourth amendment as the role but i like -- like in this too we have a problem of the surveillance system in terms of law enforcement and foreign intelligence being so secretive that it effectively prevents us from making good policy on them. one of the best examples is in 2005 when we finally learned in theto the one buck system magistrate that -- who published the opinion that the government has been using -- a tour he authority for stored records and we did not even know
11:11 pm
, there were not public discussions about this, they were not public court decisions, we had no idea what was happening. we see the same kind of ratcheting up going on. article calledar only the doj knows. just trust the fourth amendment and we and the courts will figure it it out when they have been doing this for a decade and a half and we are only now just talking about it rings kind of hollow. i also want to talk about the bot net provision. if we are investigating an unlawful access crime and the computers want to search warrant in five or more districts we can go to any one of those districts. it is not limited. ascould be used for example
11:12 pm
an alternative to busting in and grabbing the computers of a suspected hacker. let's just do it from her desktop and remotely search his computer before we announce ourselves by busting in and taking his computer but also in otnets, these are come -- innocent people who are having their computers access. that is a lot of innocent people. you might not -- say it is not at -- a big deal if someone's computer gets destroyed but it is kind of a big deal. non-function. al. doraises the question of how we handle those people because those people, they are likely
11:13 pm
never to learn, like see my refrigerator that has been part of a botnet get asked -- gets accessed and the government gets sensitive data about my diet. are never going to be prosecuted. i cannot think of any way you would notify that person. >> the mass hacking mission creep, notification, [inaudible] >> if i could respond to this question about -- , i have heardned richard and other people say this provision will help them go botnets. shut down i do not see how real 41 authorizes that beyond a search and seizure of data. that worries me.
11:14 pm
if we are turning the warrant into a stick that we can damage stuff with, that is a new development. >> i am not sure i can answer all the points made but i want to make a couple of points. on the question of secrecy and whether this could be done in the shadows and then we never know about it, that is one of the strengths of having this be part of rule 41. it is going to make sure that these things are brought to judges and approved and there will be clarity when these things come to court because that will be litigation around it and there will be suppression motions. the court system is pretty good answers.g out the as a result of the investigation service, adden website that involved the childge of images of sexual exportation by 100,000 users, this investigation resulted in a remote search.
11:15 pm
say is there are hundreds of these cases that will be brought across the country as these cases are being brought. we will see courts looking at these questions. this is exactly what we would want as far as transparency. on the question of whether the ex-wifetails of the should be disclosed to the defendant, that is an interesting question that we are beginning to see in the litigation around this, the question of discovery. how much does the defendant need to know? they are entitled to material that would help in their defense. thenced against that on other side is if you disclose this vulnerability or this method of entry into the l no longerhen it wil be useful. presumablyouted and systems will be patched and will no longer be useful for the purpose of the law enforcement activity.
11:16 pm
it is an interesting question because in many cases, the method by which the search happened is not terribly relevant to the defense. it does not go to the persons guilt or innocence, not creating evidence that is sitting on his computer. in many ways, it is like asking what is the rand of the sledgehammer that has been used to not down his front door? the important question is was the sledgehammer used? proper or reasonable, all those kinds of questions. does it matter the intimate details of how that entry was made? that will be one of the interesting questions that the courts will wrestle with. does this materially help the defense in some way or is the governments need to have under established doctrine secrecy about a particular tool and technique to my is that going to outweighed by the demands for disclosure?
11:17 pm
i will stop there and we can come back to some of the others as well. >> we talking now about disclosing to the defense the vulnerability used but if you will that out a little bit, one of the major issues is your disclosing to the provider, the person in control of the software the vulnerability that has been used. the sledgehammer in the front door example, if they have a sledgehammer that can knock down a front door and 50 million people have that same front door and use it every single day, should you tell the front door manufacturer, if there is a key that can open the door and that he can open all of them and of someone else opens the key they can open all of them as well, should all the other innocent people using that front door not know that they have a vulnerability in their front door that needs to be fixed? should the person who makes the front door be able to fix that? there is a process and government for this. reinvigorated after the
11:18 pm
hartley bug. ity were taking advantage of for intelligence matters. it for intelligence matters. this is called the vulnerabilities equities process. it is unclear to the extent it is being used for all of the bugs that are out there. they say it is being used but we know that the bug use in the apple case in san bernardino was not put through this process because they never took possession of it. it is supposed to cover every time the government discovers or comes into possession of a vulnerability. this was like a black's box -- a black box. it is also not codified. the first panel was talking about a lot of the uncertainty of the policies that are in place right now as opposed to the laws, whether or not they were -- will continue to the
11:19 pm
next administration. in addition to the fact it is unclear how often it is used, we do not know the state of it come january if that process will continue to operate. conflated two issues here when we talk about disclosure. the first is disclosure, when we analogy,sledgehammer that might be a nice simplifying analogy but unfortunately it glosses over one of the important parts which is that we do not know that it is only a sledgehammer. we know that it is being used with the intention of using it as a specific kind of tool but we do not know what else it does. only thus the only way we have of whatce of being sure its behavior is and even there, it is imperfect is relentless scrutiny and examination.
11:20 pm
the first problem is, we are not sure it is only a sledgehammer. he -- >> that interest in knowing whether or not it is just a sledgehammer or greater is for cyber security for the public, not for the defendant. might be relevant for the public and the defendant. it is relative to the defendant because the question of did this expose more data, did this only limit the search to what was specified in the warrant, you can only know that by looking at the tool itself. haven only know them i been other damage done to the computer that perhaps did not result in this going to the exposednt but my have information or damaged the computer in any -- in another way. the only way is to examine the tool in the context it was used preferably by an adversarial process that is given sufficient
11:21 pm
resources to look. even that is imperfect. the second problem and this is the much broader public problem is that these tools generally involve exploiting vulnerabilities that could be used not just by the government for lawful warrants and lawful searches but also by criminals and by foreign hostile nation states and so on. probably zero days are the most prominent. they expose our vulnerabilities but no one knows about them. be ownlso might abilities that are known and that are just being applied. vulnerabilities tends to have a fairly long tail before -- even after they have
11:22 pm
been disclosed. if there is the tool that the on anment is using based flaw that is not known to the vendor or was not known to the render to be exploitable, remotely, there is a risk that someone else will discover the same flaw. it for very bad purposes . potentially against the government itself. we do not really know very much how often that happens because these tools are shrouded in so much secrecy. >> that is where greater transit -- transparency is essential. this is an example of something that requires very subtle technical and very subtle policy judgment that really can
11:23 pm
only be achieved by more transparency that we have got. >> should that be a policy change or legislative change? >> we want congress to regulate this activity including enforcing a level of transparency at the very least similar to what we have in the wiretapping statute which would include data about how often this is done and how many people it impacts. opposed to such a requirement? are in a transitional time in the government so i cannot begin to predict what the next administration will do. what i can say is i would encourage you to take a look at the blog post from michael daniels who is the white house security adviser from a couple of years ago. what he says is that it lays out a solid argument that everyone
11:24 pm
across the country including the government relies on computer networks, disclosing vulnerabilities is going to make sense because that will provide protection and security for everyone. trade-offs.gitimate there are circumstances where there is a need for this tool. this undisclosed owner ability in order to solve some crucial intelligence problem and you can imagine all the kinds of things that come into that category, also public safety. trade secret theft or child sexual assault. building a stockpile of vulnerabilities that will harm her general security is not a decision.y that is not the same thing as saying we should never do it. that is why we have the vulnerability equities process and it does not create any hard or fast rules but it does lay out the kind of criteria that are going to be considered and
11:25 pm
make sure that those of the kinds of considerations, how significant is the risk, does it affect our critical infrastructures, is it attachable, is it likely to be discovered by someone else, what intelligence losses will occur if it becomes patched and unavailable? that is the kind of questions that could be asked. that is a good set of questions you would want the executive branch to make these decisions and do it in a appropriate and robust way. >> do you submit all the vulnerabilities that you used this process? >> i have exhausted the scope of heart -- how far i can go. the mainr about public. i am not entitled to talk further about what is going on
11:26 pm
behind the scenes. >> no one will know. >> this process itself as mentioned has been newly invigorated, it came about post-snowden, transparency reform, do you think this is bether thing that ought to codified, put in statute? how would you strengthen it if so? >> that is the conversation we want to have including hearings which we have not had. i do not want to jump in front and say this how you would draft -- a statute. we do not have a great deal of information about it. we appreciate the transparencies that the obama administration have engaged in to give us some idea of the criteria they are using but we do not really know who sits at the table, how often they meet the mother number of
11:27 pm
phones that have gone through the process, they have thrown around a vague number of 90 plus percent, ultimately get disclosed but out of how many, how long were those held onto before they were disclosed, were the exploited before they were disclosed, questions of that nature. you really do not have that kind of information. the first step here in deciding how to codify this process, i think some kind of version of this should be in law to protect us. the first step would be having hearings about it and having an engaged congress working on it and looking at it. thehis is an example where devil is entirely in the details. we can all agree on very high-level pentacles that no one would disagree with. there would be these cases on one end of the spectrum and on the other end. of the almost none
11:28 pm
cases. there is this large middle ground in making sensible judgment about the middle ground is going to require enormous both technical and policy expertise. path thatnontrivial whoever the arbiter on the vulnerability equities process boththey have to be technical and policy experts with access to a very deep set of detail about what is going on. this is not something that can simply be, a few people meet every quarter. allowedhat congress has the rule 41 changes to go into effect i not asking to -- acting to stop them, there are several measures introduced to postpone the changes to give them time to address what they should do in light of government hacking. i believe senator cordon is the
11:29 pm
one who blocked all those postponements from going into .ffect now they are going to enter 2017 and this should be at the top of their agenda. all of the issues we talked about here, the vulnerabilities equities process, the potential title iii or rules for warrants for government hacking, how, what transparency measures need to be in place, congress is putting it on themselves, the onus back on themselves that they need to be considering this or stand for most as we enter into the new year. because the -- this activity now basically -- they have allowed this argument of not acting, they have said this is ok and i am not sure a lot of them would agree with that area and that is going to be the argument in court now. about need for judges to also have greater technical expertise and understanding of issues that
11:30 pm
they are ruling on and also participants to have it. there a need for a special technical judicial advocate in the courts and special i wouldn't say how to actually structure it, but i would say almost all parts of this require a significant infusion of technical expertise at almost every level, that is not currently there routinely. certainly, in the case of a judge who is being asked to sign a warrant that isn't fully understood, there is room for judges to ask questions. there's room to appoint special masters. i can imagine mechanisms for doing this.
11:31 pm
i'm not going to say, be too prescriptive about what we should do, except to say that we really urgently need to do quite a bit, or this could have far-reaching unintended , consequences. >> i'm curious, judges have a bunch of young people working for them every year to two years, these law clerks. it would be great if they started favoring hiring young law students also have a tech background, or go ahead and hire some nonlawyers, who serve as clerks simply to assist with technical cases. i think that might be one of the easiest injection points of tech expertise into the bench. >> some law schools are starting to set up some joint programs with cybersecurity and computer science departments and law.
11:32 pm
>> i would agree absolutely to the idea that there should be greater technical understanding in our court system. i would moderate that a little bit by saying except that the courts, this is not a new problem. they have been dealing with technical issues extensively, and we have patent suits, all sorts of other kinds of suits in the courts that require technical understanding. my experience with federal judges is that they're not shrinking violets, and when they don't understand something, they will ask questions and get to the bottom of things. i don't want to undersell the idea that the courts actually are pretty good at food at -- pretty good at figuring out difficult questions, or getting special masters or resources, or briefings, or whenever it is to get to the point where they can make good decisions about these things. let me respond to the congress should act immediately question. i guess the alternative to at least, acting, with respect to whether we need new rules, is to
11:33 pm
say well, we have a bunch of safeguards and a greater clarity that is going to be coming. maybe we should wait and see whether the court system is able to deal with these questions, and whether these things will come to light. i think we're going to see a lot of activity in these cases that are coming up. and, of course, from the department's perspective we're partners to being good in figuring these things out, and being clear about what we're doing when we are using these tools, and under rule 41, going to the courts, and doing those things. it is an interesting question, but definitely one that will be interesting to see what the next congress and next administration wants to do with it. >> in terms of unintended consequences, i think there have been instances, or cases, where the law enforcement agency -- in fact, in 2013, the fbi obtained
11:34 pm
something like 300 individualized warrants to target specific users of an .nonymous email service the idea was to infect the computers of just these users, not all the other innocent users of this email. according to some press reports, apparently the way in which the fbi deploy the software, ended up infecting everybody who was logged in to the actual homepage. that even though that may not have been the intended consequence, it did end up infecting completely innocent people. i guess, richard, sometimes there are unintended consequences, right, that arise? without commenting on the specific case, but in general. >> as i have said before, no
11:35 pm
activity in human life is completely free of all chance of error or whatever. although, i would dispute the point that there's been some systemic problem or some greater issue that is going on. i think we've done a pretty good job so far in making sure the tools are acting in a way that they are. if you think about a situation where you know a particular defender is using them -- particularly male account, and you set up this remote search to affect only that person that's , actually a pretty targeted search and not an overbroad type. >> have you known that approach to actually work? you have used individualized warrants to target them and that has worked? >> absolutely, yes. there are situations where -- that is probably the more common case, not the idea of this message search that has attracted a lot of interest.
11:36 pm
if you have an individual who is threatening to kill a government official, and you have a pretty good reason to believe it is real, and you have a very short timeline to figure out who it is, you can imagine law enforcement will be trying to find a way to identify that individual, and it will be targeted and specific, because you have probable cause to do that. obviously, these will be case-by-case, and they have to be particular, and have probable cause. it has to be evaluated by judges, and all the built-in safeguards are there. if we mess it up we can get , sued. if it's overbroad, then the defendant can bring an suppression motion, and it will get worked out in the courts. i really think we do have a strong court system and a strong system that can be and will be applied to rule 41 warrant situations, the same as it has for the last 200 years. can't curious, maybe you say this, but were all these people notified that they were searched, such that they could
11:37 pm
challenge the fact that they had their inter-communications intercepted? >> that is another value of the rule 41 process. indeed, it requires the person be notified. course, it doesn't require completely and endlessly exhaustive efforts. it requires reasonable effort. you have to do your very best. it may vary and to be run by the judge before decisions are made. but yes, in the cases, for example, where people are using a child pornography website to exchange images, most often that's going to be followed up with a search of the persons 's residence to obtain evidence from their home that will be used in the trial to come. they are obviously going to be notified. rule 41 requires this. this is part of the transparency. what you don't want is at the stuff being done outside of the court system, or not with the review of the judges and not within the transparent and protected process we have built in the courts. >> ok. >> one quick reaction.
11:38 pm
you mentioned you think you are doing a pretty good job of making these tools robust and secure. i believe that's true, but i want to point out, microsoft and apple, and linux, and android, alsodobe, and so on, are doing a pretty good jobs of securing platforms, and we are in a terrible cyber security mess. the pretty good job that is is unfortunately still not so great. software is hard. really a mistake to get too overconfident that these terribly imperfect software development processes are always going to work the way we want them to. >> i'm not suggesting that we should be overconfident. i think we should be very
11:39 pm
careful, and as i mentioned before, we do look carefully and test, and validate our tools before we use them. i think it's a slightly different question of whether you can create a truly secure piece of software that will not let anyone in. obviously, it's a big problem. we have hackers were able to break in all the time, and is in -- isn't the government's activity pretty similar to the hackers? you don't need to do it in a perfect way, you just need one particularized vulnerability that will get the narrow piece of information you need. >> i just want to flag this tor mail example. this was basically a bunch of people, who i would say, suffered a fourth amendment level search or seizure of their data. ironically, because he were using a service to protect their thiscy, but basically, impacted everyone using the service at the time. an unintendedbeen consequence, which is worrisome,
11:40 pm
especially when you think of the other scenarios where unintentional consequences might impact hundreds or thousands of people. there's also a perhaps even more worrisome possibility that the doj, after getting this 300 individualized warrants, decided we think how we are technically this is the best and most reasonable way to do it, and we will incidentally be impacting these people but we will minimize out that data. based on likely some legal memo in the computer crimes and intellectual property section of this doj, that has never been in a brief in front of the court. that has not been tested. that goes back to my theme of this curious and worrisome ratcheting up of the authority , based on sometimes extreme legal theories that haven't been put to any test. test,y not be put to any unless and until someone moves to suppress in a criminal case. >> the reason i don't think that
11:41 pm
makes sense is, my understanding is, by depositing malware on the tor mail homepage, the government was unable to actually identify the ip addresses of the 300 individuals that they wanted. the efforty made pointless, which to me, doesn't make any sense. >> it would be a good question to answer, and yet because they don't want to talk about these details, it is hard to even have a conversation. >> i have to respond to that. i'm not not answering because i don't want to tell the public about this. it is an ongoing case. there is continuing investigation. we have a firm and reasonable policy that we can't talk about cases that are going on, out of fear we will jeopardize the investigation or all the other things going on. indicating mala intent. i'm just indicating the policy problems raised --
11:42 pm
>> and yet, they will be notified, because rule 41 requires it. and i would say these are all speculations -- >> so all the innocent users -- >> -- people who are dreaming up ideas of what might happen. >> all the innocent users will be notified as well? >> it requires you to notify the people, the owners of the property that were searched. >> now? are you talking about the amendment to rule 41? >> the amendments require reasonable efforts in certain circumstances, yes. but but reasonable effort is not no efforts. if we are able to identify the individual, that person will get noticed. i suppose it is possible that the tool didn't work, for example. we didn't actually do any searching. there's all sorts of rule 41ions here, but takes this into account and requires the kind of notice that
11:43 pm
is reasonable, and people will get notice if their property is search. where itis a reality, can happen, the police get it wrong and they searched the wrong house, they are across the street, thus a person whose house gets search notice? of course. that house is searched and, therefore, they will get , even though it was unintended or mistaken. >> i would like to switch over for a minute now, to encryption, and locked devices, and what matt brought up, something you said you advocate i think along with susan. this is one alternative to see decryption mandates mandate, exceptional access for backdoors into devices is to allow the government with a warrant to essentially hack the endpoint or create an exploit that will allow them to remove the -- remotely access the locked phone. tell us why you think that's a good idea.
11:44 pm
then i would like to get your responses. >> sure. we have been hearing a lot about the growing dark problem, and certainly a, or centerpiece of the solution that has been offered by the government, has involved some sort of built-in backdoors, or key escrow or design mandates to allow for lawful access. that, unfortunately, is a likely -- likely to make our currently horribly weak and fragile aker anducture much we much more fragile, discourage the use of tools like cryptography discourage the use , of good security practices and create centralized points of failure where none currently exist or need to exist.
11:45 pm
so, i think there are compelling to very strongly oppose any kinds of design mandates of the kinds that are being advocated for. by theid, as we can see expansion of rule 41, in many, and i would argue the majority of cases, search of the endpoint by exploitation of vulnerabilities and so forth is a viable alternative. we are seeing it done. it's happening. the legal rules for that are unclear. rule 41 changes the first sort of codified -- the rule 41 change is the first sort of we ared place, where seeing it addressed, and i think it really does need to be addressed by congress.
11:46 pm
i think this has been done for a while, and it is going to scale up. we need to confront, in law and policy, what the rules for that going forward are going to be as , it scales up. >> you can go ahead, i will follow. >> i don't think there are a lot of people in the private communities who are fans of but we alsoacking, -- if there is going to be a continuing increase in the deployment of strong encryption tools, which we are a fan of, and there's not some sort of mandate that that data be accessible by the government which we are not a fan of, there , will be more government hacking whether we like it or not. the question is what are the , rules for that activity? i just want to flag a bit concerned that sort of brings together both of these issues, and highlights the need for, amongst others, congressional
11:47 pm
is how they might implement that government hacking in a way that would basically be a back door and heard all of our digital health. that is subverting the software update systems, through which we receive all of our security updates from the companies. this is an idea that is occasionally tossed around as a potential way to deliver malware to access encrypted data. i think it would be an incredibly dangerous thing, yet, i also think our current technical assistance provisions around surveillance could be read potentially by a court to allow this sort of thing. why is this a bad idea? because we're basically in a digital public health crisis. we are facing many grave ills. the medicine that we get for
11:48 pm
that, the vaccines that we receive, come through these secure update channels from the companies. if and when it becomes public that the government has subverted that trusted channel to actually decrease our privacy and security, you will have a lot more people avoiding those is sort of like people who are not vaccinating against diseases. when they make that choice, they are making us all less safe, because they become hosts for the things that might infect us. i just want to put a strong stick in the ground to flag it, , this is a huge risk. it is a path we definitely don't want to take. from what it is worth, our host. it is a path we definitely don't want to take. from what it is worth, our host julian has written about this point, as well as several others. i think it's important. >> i just want to pull it back to the international perspective on this. we have to remember that the internet does not stop at the atlantic and pacific oceans on either side of the united states . it is used globally.
11:49 pm
there's the growing dark perspective. america's rhetoric on whether or not we are going to undermine encryption or whether not that is acceptable has provided a lot of wiggle room for other countries to pass laws or implement policies that do undermine encryption, either give them authority to outlaw and to end encryption from being used by companies -- in some cases, there are laws that require and uses to install backdoors on all of their devices within specific countries. while atthat element, the same time we are talking about government hacking without having rules for it. we are seeing other countries also pick up on that. in the u k, for example, we just received royal assent, the investigatory powers bill, -- the u.k.zes you government hacking authority, that might allow the uk government from an objective

9 Views

info Stream Only

Uploaded by TV Archive on