Skip to main content

tv   Encryption Technology and Terrorism  CSPAN  March 31, 2017 3:59pm-5:37pm EDT

3:59 pm
in california yet. and we're the number one state in the nation in terms of agriculture. and there's 23 campuses but only four of them have agriculture. and chico essentially represents the northern part of the state. but we draw students from all over california to get experience in agriculture itself. >> and we'll also go inside the chico museum to see the historic chinese alter from the 1880 chico chinese temple. watch c-span cities tour of chico, california, to day at noon eastern and sunday at 2:00 p.m. on american history tv on c-span3, working with our cable affiliates and visiting cities across the country. >> next, technology experts and government officials on countering online radicalization and extremism. they look at incription technologies and the challenges they pose to law enforcement and counter-terrorism operations.
4:00 pm
>> good afternoon, everybody. thank you for being here. i'm shane harris with the "wall street journal." and very happy to be talking about this panel on the challenge of emerging incription technologies. since i both use incription technologies and feel challenged by them on a regular basis, i'm going to introduce our panel here starting to my left. we're going to open with letting each of these gentlemen here who are experts in this field give opening remarks on really how their approaching this question of the challenge of emerging technologies. after i introduce each of them, i think you'll see how they come at it from their own perspective. then we'll have a discussion here on the stage which i'll
4:01 pm
lead. you'll see people with name tags with red bands on them. if you spot them, raise your hand and they'll bring a microphone you to. to my left is james baker. you are totally not busy right now. thank you for taking time to be us with. the european commission and at the end of the panel here, the senior council for the compute eastern communications industry association. i want to jump into this and ask mr. baker to lead us off. certainly the fbi has had a lot to say today about the challenges of incription. i know you think a lot about it. please, kick us off. >> thank you very much. thank you for doing this. i appreciate it.
4:02 pm
we really appreciate it. we're eager to talk about this topic as much as possible to get out the information that the public needs to be able to understand the issue, to understand the complexities and subtleties. and for us to contribute to what we hope is a more informed, educated debate and discussion about these topics because they're important to all of us f i can just sort goff through the issues and the perspective and set the table with respect to how we're con front be incription. we con front incription a lot of ways. as i said, as i think the director said multiple times, the fbi supports strong incription. incription has very significant benefits for society across a whole range of issues, across a whole range of protections of the data that we all care about, our personally identifiable information about us. our financial information,
4:03 pm
commercial transactions that facilitates and enables. it protects our health data and a whole range of very important data that is essential for us to function as a society and to have a functioning economy. my sense is we're beginning to acknowledge as a society that incription also has costs. what we're experiencing in the public safety sector is that incription has costs for us, for the public safety for shows involved in the public safety with appropriate legal process and adhering to the constitution and laufz the united states. what i mean is in certain circumstances, incription has costs for our investigative efforts and variety of different ways. in some cases, in some instances that information or evidence simply will be unavailable.
4:04 pm
it is incrypted in motion or it is incrypted on a device and we don't have a key to get into that information and, therefore, gist not going to be available to us. we'll pursue intrepid and creative and figure out ways to solve problems if con fronted with a problem. it will then, because they might not be able to use sort of a electronic surveillance an search means, they will do other things. and those other things have costs. we might have to use a source, a confidential source or undercover agent to go into a situation including circumstances where there may be physical dafrpg torte agent or to the source. and so that is risky. that is just risky. doing all these things poses
4:05 pm
risk to the integrity of the investigation as well. so that is really what we're trying to say. that incription is good. incription has huge benefits. but it is not cost free. and we have to figure out as society how we want to deal with that. historically we have thought in the united states that the balance between sort of privacy and security, if you will, or security and security however you want to frame the discussion was settled more than 200 years ago by the fourth amendment which talks about reasonable expectations of privacy and allowing the government to have access to certain materials if we go through a process and if we adhere to the fourth amendment and certain circumstances, get a warrant to have access with approval by a judge to the evidence to the material. so that's how we have done that, how we have set thald balance for more than 200 years. so incription is creating, however you want to phrase it, it is changing that balance.
4:06 pm
it is making things harder for us and information unavailable to us. all of the devices brought to the fbi technical experts to be open whether they came from federal, state, local authorities, we could not open -- we could not access 40% of them. so that's a significant number of device that's we are unable to open. >> the ones brought to us by some law enforcement agency. >> state, local, federal? >> or the fbi itself. we could not get into 40% of those. that information that, data on the devices is simply not available us to. we are -- we don't have a solution to this problem. we the fbi. we don't have a solution to this problem. we're not trying to impose a
4:07 pm
solution on the united states or on any part of the world. we are not advocating a back door or a golden key. what i mean by that is we're not trying -- we don't want a solution or a solution that somehow in a significant way undermines cybersecurity and undermines the security of our devices and communications is therefore not a solution. any solution that we come up with has to appropriately in my mind balance the needs of public safety folks but also protect our privacy, protect cybersecurity, protect the right to free expression, free association, encourage our companies to be innovative and competitive in a global marketplace where we have competitors, users and regulators around the world. we have to make sure this is a global -- it is addressed in a global way. and where encryption is available in a global way. the genie is out of the bottle. it's not going back in, we know. that so any solution has to
4:08 pm
perfectly balance all the things. corporations in america, for example, sol of this problem every day in a way they feel comfortable with. they maintain access to the e-mails of their employees for a variety of different purposes. so they've been able to figure out a balance that is acceptable to them, taking on some cybersecurity risk but then -- but having access to data and protecting it in a meaningful way. there are other proposals out. there we can talk about maybe down the road. that may -- that may be fruitful. at the end of the day, we think about it is the fbi works for the american people. and you've given us responsibilities to protect you from a variety of threats and to do it simultaneously across the board. a lot of different threats that we face on any given day. but you want us to do it in a certain way consistent with obvious lit constitutional laws of the united states but you
4:09 pm
want us to do it, you know, with certain tools available to us. and you give those to us. you give those to us by law and by regulation and by funding and we'll make full use of them. the question is in confronting this problem, what tools do you want us to have available tous? what tools do you want us to have available to utilize in order to protect you? we will do what you want us to do. i hope you think it's incumbent upon us to make sure you understand our current situation. i'll pause there. >> okay. great. you make your opening remarks and you're coming at this obviously from the point of view of european perspective. i'll ask you to try to speak entirely on behalf of all european views on this. but why don't you give us your introduction to just how you approach this challenge.
4:10 pm
>> thank you, shane. let me thank you gw for the invitation. t it's a privilege to me to speak on behalf of the european union and i subscribe almost everything that james just said. two couldn't nents but the same problem. incription is good. it is considered good for cybersecurity. it's good for privacy. it's good for economy. it's good for the users. it's a key feature of the general protection regulation that will apply by next year may 2018 to 28 member states. it's a key feature of our e-privacy frameworkhere confidentiality of communication is the most important.
4:11 pm
but as james said in, particular, i have to say lik they said, before the situation in europe is the one that you know and the debate is eating up on the need for law enforcement and other authorities to perform the duties. there is organized crime and all around the state and encounter a problem with encryption in the investigation and those communication leader. we have 27 in europe encrypted. 47 here in the u.s. use encryption. so are we going back as somebody has said? i don't know. probably certainly not. but the reason i need to study options and james will think
4:12 pm
there are option that's are being assessed, developed further interception requirement that goes back to the ordinary mobile communication and out with these so-called ott, over the top providers. what we have done is when they move from access to design to privacy by design with the end of encryption. the approach of the european union and european commission is an inclusive one. we don't have solution coming from one earlier because others are involved. intelligence cannot solve the problem. privacy advocates cannot solve
4:13 pm
the problem. law enforcement and industry cannot solve the problem alone. so we have in place a mechl nick that will allow us to have all different stake holders. first of all to define the problem. because as has been said, we have to understand what we can do white house compromising privacy and allowing law enforcement to move forward. and we have to assess the option in a way that necessity of proportion alt of infringement or is respected. we have to ensure that member states, law enforcement can access to data when they need. and we have to say because we have many companies aren't table. companies need to do their part. they have to take up their
4:14 pm
social responsibility and understand they contribute to the final good which is to ensure the security of the citizens. so we have a setup in 2015 a specific structure which is called the eu internet forum. but as mentioned, this brings together all the law enforcement and public authorities of the member states. the major social media companies, some of them are present here and they can come back on this. and clearly our own agency and we are trying to identify a solution. it takes time. we avoid calling for back door from the front door. because we have to find a solution and allow us to enter from the front door. and there are challenges.
4:15 pm
we are a continent. we are working to create an environment in 28, then we are only one part of the whole geographic world. so we have a challenge of enforcement of the law. balance was saying that several member states are putting up laws at a national level. how do we enforce this law? so fate law has always given law enforcement the ability to instruct the order and provides the only territory. but how do we do with the internet which is borderless? and how do we do a concept of localization of data? that's another big issue that we need to discuss. and that's also challenging. do we need an international
4:16 pm
framework? do we need to make sure that all states share the same instrument. at the moment we don't have solution because we don't want solution today. we want a solution tomorrow knowing encryption is a word at second best solution. >> you can't agree with both of the guys. >> i can agree with one statement. thank you once again for having us. that should be the take away. history and law enforcement on the same page. feel free to go home now. i think many people in this room, show of hands, have been to a panel on incription in the last three yea -- encryption in the last three years? it became publicly available
4:17 pm
to -- throughout the united states and worldwide? but i think what industry perspective is that we regularly have the solution -- this conversation around solutions and we, i think the american public, users generally come to the same conclusion that weighing the cost of encryption with the benefits, the cost to law enforcement investigations and public access and the costs of sort of scaling potential solutions to the encryption problem across what is now a global internet, the ultimate answer is that the question is
4:18 pm
answered. the costs are too great. scaling those -- scaling second best solution to encryption across the internet puts too many users at risk either from a financial inspective that, you know, perhaps on a one off instance may be appropriate. i think in aggregate makes it a very tough second best solution to put forward. that's where they approach it from. on the user side of it, as i said this is not some -- i think remarks have been made in the past that the characterized, the industry perspective on encryption is one of business practices. this can help us sell phones or get more users ton ott platforms or social media. i don't think -- i don't think
4:19 pm
anyone realic tickly believes they're doing that. they're under pressure from users and regulatory authorities to provide the best possible protection for privacy and security as possible. encryption is difficult to design at scale. they're incredibly difficult to design, you know, os burden to os versions. and so i think the industry is that rather than looking to technical solutions and i understand the no technical solutions are provided from industry or law enforcement, we should look to ways to aid law enforcement, counsel ducting their investigations. see what we can do to improve use of the tools. there has to be recognition from both sides that there is not going to be a perfect solution.
4:20 pm
to cracking the indication of encryption. it may be that we have to live with the cost of encryption because benefits are too great and to the extent that internet users and public are able to help the government recognize that, i think that's where we would like to go going forward. >> if you watched "6 o minutes" last night, you saw a smart terrorism analyst. you saw him standing in front of a bulletin board with his great diagram of terrorist faces and lines going between them, somethin you would see in "home land." and there were two very interesting take aways from that. one is he talked about terrorists including one that's were monitoring and isis who were in communications with people in the united states using encrypted apps and talking to the individuals by
4:21 pm
encryption. it seems they have adopted these and must be frustrating to law enforcement. it is also the case there is a pretty sophisticated diagram and somehow even despite the use of encryption, we were able to understand it seems a fair amount about who the people are and how they're communicating. so i wonder if we can take this example this real world example, if we know terrorists groups are clearly uing this technology to communicate that, has challenges to law enforcement intelligence. but it seems to me somewhat surmountable at least in some instances. i wonder if i could provoke with you that idea. mr. baker, let's start with you. it seems so obviously fall and directly into your lane. talk about that challenge. because obviously terrorists are using this stuff. but we're finding out ways to understand how they're connecting with each other. can you give us some insight into what that really looks like on the ground when you grapple with the cases?
4:22 pm
>> so i saw that starry last night. you think about the diagram and the connections and the network, the social network if you will. you can look at the internet connections to understand what that network looks like, who they're in contact with and how often. it doesn't tell you about the plans, intentions that, kind of thing. you don't understand what the intent is. and that is, you know, understanding that robust picture is critically important. we need to go into court, frafrm, afrafror
4:23 pm
example, and have evidence of intent n that particular case, for example, so even to the extent that we understood what the network looked like, we did not know and this is what we said in the -- >> there is the garland shooting. >> yes, the gar land shooting or the nonshooting that was stopped by law enforcement officers. they were intent on killing a lot of people. so in that particular instance, we talked publicly before about the fact that the fbi had surveillance, electronic surveillance of those folks and we knew, we were able to see that they were having over 100 communications directly from the person who showed up in gar land, texas, and foreign terrorist operatives overseas. part of an organization with whom we are add war, right, and who are trying to inspire and provoke people in the united states to kill other people in
4:24 pm
the united states. to use the incryptencrypted mes. so we couldn't see what it was that they were going to do. we could seat network and where they were, perhaps. but you didn't have -- we didn't have an understanding of exactly what it was they were planning. and that's the gap. so that's the cost. i don't think it's -- so this is something -- these are cost that's society is going to have to bear. the families sh the cmunity and so on and so who is assessing that? society is moving along and choices are being made by default, by just letting things happen. if that's what the american people want, then that's what they'll get. it's incumbent upon us as i said
4:25 pm
earlier to make sure they understand the choices. it's not for the fbi to be deciding what kind of country we're going to live n but frankly, it's not for companies to decide that either. >> all right. would you tlik get in on this? >> i would like to comment even if i was on the plane dwroed come here so i didn't see the broadcast last night. but i can probably mention another case that actually the secretary mentioned himself following the london attack. she mentioned it and that's why i can mention it, just two minutes before driving on the westminster bridge saw a message, what's up? we don't know to who and we don't know and the uk intelligence don't know what was the content.
4:26 pm
so she clearly mentioned this and inviting yesterday to take up the responsibility to cooperate in this context. and that's exactly as jane just said. there is a social responsibility of the company to contribute. it's very relevant to allow intelligent service and law enforcement to have the means to assess and, therefore, make an
4:27 pm
anysis. >> before i move on real quick, in both of you essentially said we need to find a way to do this. but it's ultimately the job of legislatures to do that. i mean going back to what director comey introduced this phrase going dark. he didn't marry that with a legislative proposal. just if i can press you on that a little bit, we're a couple years into this as a policy issue right now. where are you looking for this solution to come from? we'll talk about what the solutions might be in a few minutes. but where is that going to come from if not from the people who are grappling with this problem
4:28 pm
and seem to be con fronting it on daily basis? >> the obama administration decided not no pursue legislation on this topic. some say they don't see a legislative solution to it right now. we're not putting forward a legislative proposal ourselves. weryin're t to make sure that debate remains alive, that it remains current but because the problem is current and the implications for us are significant. >> we'll keep talking about it. we're here. we want to engage in robust, honestiscussion about this.
4:29 pm
>> the fact that the encryption conversation is sort of part of a wider conversation. it's not just the issue in encryption, right? it is always shifting. which parts are filled in by technology and which aren't? and so i think appreciating
4:30 pm
that, you know, in the -- in the last few years we noticed that -- i mean we had disclosed to us that law enforcement's sort of filling in the lines ability is now greater than it has ever been before. some of is surveillance and i'm sure you read that paper. it means there are other tools in the toolbox of law enforcement that don't necessarily provide all of the intent that perhaps content data would but can provide additional context that in many cases -- that years ago back when we were not living in a totally digital world we didn't have. so there is, i think -- there are tradffs of encryption and tradeoffs of everyone having network devices.
4:31 pm
the connections are being made that simply weren't before. so that is disorder. and for intent to be informed from other mechanisms. you know, this person talked to this person. this person's roll is he's previously been a runner for some purposes. there is information that can be iner iffed. so that is one piece that diagram sort of shows you. this isn't just a conversation about encryption. but it's a piece -- it's part of a whole. i think responding to one thing that mr. baker said about legislation, i think -- i
4:32 pm
sympathize with them. the proposal is a difficult one to make. because encryption is not just, i mean, we have panelists from -- we have transatlantic panelists. encryption is not something that eu or its member states or the u.s. congress or state legislatures can address because the internet is global. companies operate globally. internet users use platforms from every corner of the world. and so legislating a solution which no one has proposed on this panel is a difficult one. that's why there hasn't been that kind of successful proposal. if it existed, i'm sure director comey would have accepted it. >> any legitimate proposal would be left to be seen why the context. you are here in the u.s.
4:33 pm
the internet major company are build here. but you should look at the same situation from the european perspective. the legislation should we do that, we will face the problem of jurisdiction. this is outside the jurisdiction on the specific judicial order. this is a major issue. that is why we are convinced that we have to look into other
4:34 pm
options. this is where the companies should help us if the best way forward. >> go ahead. >> i'm wonldering what sort of front door instruments that you can -- you might have in mind. >> you know, there are options. options are being assessed. it is premature to mention it. but somebody talk about resipgs 2.0 to make sure that some instrumentsre made available. or announced. so that tl is judicial oversight. this needs to be further assessed to get to th company. but what we know from our discussions with all the constituencies is the amount of the solution will be fully
4:35 pm
satisfactory for the full benefit of law enforcement. they're probably encrypted while they're on a server. but somebody has a key. so if you have an insider threat problem or you -- somebody is ill, kunyou can't access the da yachlt they want to access their own corporate e-mails, they have a way to do that. so corporations around the world have made a decision that balance between security of that data and the need to have access, they can figure it out.
4:36 pm
they can talk to their business in a sensible way. that's one possibility. i don't know whether that would work on a scale with consumers and so on. the point, is i guess, we're making choices. but we're doing it in a sort of default kind of way. encryption is just spreading. encryption by default is growing and spreading across the sort of technology ecosystem. and it's becoming more and more easily available to consumers who are law abiding. it is also becoming more easily available to criminals and to terrorists.
4:37 pm
high quality american companies do it for you that know what they're doing, you'll have success using it as well. >> following on that point, certainly sl are companies that can secure the data in such a way that somebody effect live has the master key. but correct me if i'm wrong, but most of the popular encryption technology that's we're talking about that people are using, certainly the ones i gravitate towards as a journalist, one by which the company does not have the ability to unlock it. what we're talking about is coming up with some solution that might look like that is possible solution. does that mean that passing a law that says can you not build incription systems that way. it seems like we had a debate way back in the 90s with the clipper chip and key escrow. it's what we're daunsing around here saying if will is a legislative solution to this, might it look like saying there are certain kinds of encryption designs can you do and certain signs that are going to say can you not do?
4:38 pm
isn't that what we're -- we're going to confront that eventually? >> maybe. you want to do it in a way that doesn't destroy the benefits gf encryption. that's why -- i don't have the technical answer how to roll this out across the economy today sitting here. they have valid points and populated by good citizens that don't want bad guys using the systems. we know. that it's not a question of anybody on this panel, you know, good or evil or anything like that. it is the bad people that we all collectively agree want to, we don't want them to use it. we do want to protect the data and privacy of law abiding americans and other people around the world. >> can either of you imagine? putting you on the spot here, but maybe you saw this the system in which you have that balance. maybe it is something like a key escrow kind of system or requiring they must have a way to unlock the data. is that going to work.
4:39 pm
>> let's say we define that. is that a system that companies are going to agree to? is apple going to say sounds great? >> i mean, it will be good and global marketplace. they sudly discover that we're not quite as competitive elsewhere as we are here. i think that's a sk, right? the same problem that is a result -- that we haven't had legislative proposal made is that anything that sort of in imposed way there is encryption or for domestic products necessarily makes them less appealing to consumers here and then elsewhere. and so sort of but having, you
4:40 pm
ow, having experience recently in 2014 with the revelation, yeah, 2014 -- 2013, '13, we are aware that any sort of even patina of sort of these are law enforcement -- companies cooperate regardless of what engineers think. but, you know, any patina, companies being, you know, law enforcement without, you know, considered discussion has been -- is going to affect the prospect internationally. i mean it hasn't affected them
4:41 pm
and affected them to privately shield or safe harbor and in and out privacy shield. there are consequence that's we will have to deal with that f. we decide to go down in a road. >> can you pick up on this too? from the european perspective, i mean open markets, competition. these are still things that most european countries are agreeing on. if a company is working and going to have to giv away information that, is going to make another company's products more effective. we could outlaw strong encryption in the united states. someone is just going to do it in switzerland. and i'm going to get it from them. >> absolutely. >> this is not the way forward. it is not to impose companies to
4:42 pm
void encryption that we solve the problem. there is an ability to run the market. we have to find a way. that is not satisfactory to work with the company to allow law enforcement to have the ability to identify information they need. we help law enforcement to announce their ability to exploiting the vulnerabilities that still exist in the system even if for zero days. because then immediately the company stepped in. but there is no -- i repeat, it
4:43 pm
is probably repetition. there is no solution, one exclusion to this problem and certainly we do not advocate a legislation that impose impose incripon. >> there probably is not one solution for all the different problems. the issues confronted with data in motion. they're very different fm when you have data rest. so maybe anything too is to take one part of that aeven focus our efforts on that. let's say data at rest on devices that the government has lawful possession of pursuant to a warrant. so take that, for example, and try to work through scenarios, s technical scenario that's would require some changes to law and see if we can build a consensus around those -- around some part of this. because trying to figure it all out,t's too complicad, all the different parts of it and try to come up with a solution to deal with everything is
4:44 pm
probably -- is probabl too much. so that is a potential way forward to pick one part of the landscape, focus on that and see what we can do. and quite frankly, we want to do this now. we want to do this now. we don't want to do this in the aftermath of some serious event. right? when we're going to be under pressure to make decisions and we might not make does decision that's appropriatebly balance all the different irrelevant and valuable equities that we talked about here. we want to get this right. we don't want to do it in a hasty way. we need to stay focused on it in a sustained way. >> i want to pick up on this idea that you're getting out and this notion of lawful hacking. a couple weeks ago we saw wikileaks dumb thp tragic information that it claims our hacking tools essentially, call it the hacking arsenal that the cia uses to break into electronic devices. i don't think it comes to a surprise to anyone that they try to find ways to access
4:45 pm
technology that is legally trying to gather information from. but one thing that struck me in this was this might be a fairly vivid illustration of all the ways that an intelligence agency has to try to find to get around encryption. find ways to get on to penetrate the operating system of ahone so that they can see what someone is typing and to what is telegram rather than trying to break encryption on the telegram. and it shouldn't be surprising at all that as we're seeing the rise of strong encryption you are going to see a con current rise in very dedicated, deliberate well funneledded eff to get around it and find at way to skin the cat. how comfortable is industry with that which seems to be an undeniable consequence? you press on this one side of encryption. you're going to get more hacking
4:46 pm
by the intelligence agencies. >> i think industry recognizes that sort of, you know, the reaflt building a complex system. no implementation is ever going to be perfect. so i mean advising against any sort of law enforcement hacking is not -- it would be remisto s -- remiss to say that is off the table entirely. we want them to have the tools that they need and to the extent that encryption because it is more funneldamental to embedded systems and other systems and on device systems that are already deployed worldwide. to the extent that there are chifrpgs chifr chinks to that armor that they're able to exploit. if that is done in a way that is managed by appropriate legal process, appropriate disclosure
4:47 pm
requirements, appropriate notice, i think there is at least some solution. there is not a perfect solution, viously. but part of the some of all perfect solutions is there, i think. >> it see unrealistic to expect you're going to have a system that is lawful, regulated, errs on the side of disclosure and the intelligence agency standpoint, they want it to be lawful and regulated. they're not interested in disclosure. they're interested in finding eventualer in anlts can you exploit before can you fix them. now they have to get over this giant encryption idea s it not in your customer's interests to find a compromise on encryption rather than creating this massive motivation for the cia and fbi? >> i think given different law enforcement.
4:48 pm
>> i think the ability to abide by lawful and if you are at risk of fight something key encryption compromise, that affects all user worldwide as opposed to where lawful hacking can be deployed by intelligence agencies. i think the tradeoff is probably a better one there. at least from the perspective of the companies. >> if i may. we talk about investigation and not surveillance. when i was mentioning lawful hacking, ways referring to investigatns, criminal investigations and specific case. that's what we're aiming at. national security is not a part of the european union. it is in our member states. so when we train and help law
4:49 pm
enforcement to train the abilities, it's in order to have a lawful hacking under a specific investigation, under a specific judicial order and oversight, i want to clarify this. >> sure. but i mean to be able to have the capabilities, they need to be developed. >> yeah. >> basically sitting upn the shelf for when you might have to use them. for you a little bit on the spot with. this the apple -- the san bernardino case, right? you had a warrant, absolutely. and what was undeniably an act of terrorism and pertinent to a relevant investigation of one. you face the challenge of saying can't we find a way to work it out? and then at least reportedly, i think the director may confirm this you found a way around it. which i think everyone takes to mean you found a way to hack the
4:50 pm
phone and get what you needed. reflect on that experience. that is the most public one that we have and it seems to sort of, you know, kind of encase all o the dilemmas
4:51 pm
4:52 pm
test. test. test. test. >> that we need to be public about it and tell the company that's the vulnerability exists and to fix it. so it's a very uncomfortable and challenging dilemma. so we engage in lawful hacking. i would say we don't relish it or like it. it's a very -- it's not as useful as you would think and it poses some other dilemmas. >> to the extent the bureau is involve, there is a process that is designed to the review the vulnerabilities that the government is aware of, and when to disclose and notify the manufacturers of and the users of the products. can you talk about whether that process works? >> well, we do. it rks. is it satisfactory? these are challenging decisions
4:53 pm
that people can disagree on. people in the government are doing their level best. but you can have a debate. >> wou you have an idea of how you're doing it in the u.s. or european context? are we trying to have an even balance or is it too early to try to make a determination. >> the industry has navigated how this works and it's associated with national security. i think it's something to be said because it's an informal process within the executive branch having that codified in some way, but we saw a bill that came out last week from the senator strauss's office that looks at taking the existing vulnerabilities, ensuring that the appropriate stakeholders, the representatives from the department of commerce and state, but also equallyalanced on the law enforcement side.
4:54 pm
the eni, nsa representative, and ensuring that conversation when it does happen there may be a presumption that happens, but ensuring that the equities are properly addressed. the ste department has long vocated for ensuring that their voices are being heard as part of the process is very important to us. >> don't to respond. >> well, very simply, how long we are going to wait? we need to -- time to find one solution or another solution. we're giving ourselves the time for this inclusive process, and we hopefully -- we want to share this with our partners because we have to be clear about it. we cannot solve the problem in our own jurisdiction. we have to find a way to work with our partners, and the first
4:55 pm
one is, of course, the u.s. government. but at the same time law enforcement intnceellige services locally they face an issue, and this will continue to do what they can in order to get the information. at the moment, the only possibility is another something like a system where you announce your ability to local hacking and you try to overcome the problem. but the -- we need to find a spectrum of solution that allows us in the median term to identify the best way forward. >> james alluded to this. in the case of the san bernardino case, we had an investigation, ultimately an entity as you said, came forward to the fbi with a solution. are you finding more entities coming forward with more solutions to problems that you think you have? >> a lot of people want to sell
4:56 pm
us stuff, yeah. for sure. we're -- i don't want to say too much about this. but, you know, we -- we have technologists that we have inside the government that are focused on ts kind of issue, and there is a -- there are groups of people and corporations on the outside that are invested in this too. corporations are themselves trying to figure out the vulnerabilities on their systems. so it's a very active environment. the thing i worry about a bit in terms of thinking about this process and how we're going to handle it in terms of evaluating th vulnerabilities is is this stuf is moving very rapidly. tenology is changing constantly. things are being updated. the updated technologists have vulnerabilities. and they're detected by the government and malicious hackers and they exploit that.
4:57 pm
and anytime you have a process that -- i'm worried about any process that's too bureaucratic in trying to make these assessments. the american people have to think about that because this process is moving at a very rapid pace. >> to that point, we're talking about this environment and it's easy to forget this is a relatively new environment. i don't think that two orhree years ago i had too many encrypted apps on my smartphones and today i have nine for various reasons. and this is a foundational question that we might have started with. but why did this happen? why did we suddenly go from an environment where most people were not probably familiar at all with these technologies to be able to download from the app store and use them in any way that you want. is this the snowden revelations? is it a fundamental mistrust?
4:58 pm
why are people putting signal on their phone and i know more people thanust engaged in my profession are doing it now. why now? what unleashed it? sn i don't want to say the den relation was the cause of it. that might have precipitated a conversation. and people who are in government access and who might be interested in reading what you're writing or look at what you're purchasing. i don't think that whatever, you know -- i don't think that the precipitating event. i think just a larger sort of recognition of the regularity of breaches going on. you know, they happened before snowden, they have happened since. i think the sort of -- the recognition on our sort of individual basis that you're not as secure on the internet as you
4:59 pm
thought you were has nothing to do with snowden'sevelations about the government and just a wider understanding by the population that we didn't know -- the internet is designed to be secure and connected folks, and the idea of protecting yourself is incumbent upon yourself. that's what i think you're seeing it. >> joel. >> only one comment. all of us have discovered the internet and the beauty of internet what you call the best guys have dis -- the bad guys haveiscovered the internet and the ability to collect. in europe the social media are being exploited quite exponentially more and more and therefore the need to for the corporation and the users to
5:00 pm
protect themselves also from these -- there are a series of issues that bring us to this. >> i think it was -- it was happening anyway and the snowden revelations accelerated it. i think that's the basic answer. and then layer on top of that i think concerns that people have about their government. 've said before, you know, you shouldn't trust the fbi. you should be accountable. that makes sense. so anyway, i thinkhat's the basic explanation. >> do you think we've reached the point if companies aren't offering encryption that their customers are going to think they're irresponsible if they're not leading that? to put that out there like a good housekeeping seal of approval now? >> i don't know that the customers. but it is -- best practices to s.e.c. act so companies are always looking to be as
5:01 pm
compliant as they can be with regulatory authorities that are interested in data security, and they're also interested in -- i don't think it's an advertising tool. it's something that users are coming to expect on the part of the companies. so not having it makes you circumspect. >> there is a lot that makes you seem -- i'll make an exaggerated statement but just for the fact -- that you're a stooge of the government. when apple and the fbi were trading the briefs in the case, there was an acknowledgement by apple's lawyers that if we give into the fbi it's going to be hurting our market. we can't be seen as giving an inch there. >> i think they were making a first amendment argument than one directly about marketing. >> i would say marketing. they left it out in the subsequent briefs, but it was in the first one. >> certain companies might treat
5:02 pm
it as a marketing employ. i can't speak on their behalf. but interactions with other companies suggest to me that it's either an issue of users wanting to trust the company that they're choosing to provide them with services, or it's an issue of, you know, basic optimized security. you don't want to be offering products to customers that are eventually going to break or eventually going to leave them vulnerable. that's not a good way of doing business here or anywhere else in the world. >> just being seens a responsibility to make safe products. why don't we turn to the questions from the audience right now. so please put up your hand if you have a question. i'll come down to the two people here in the first couple of rows. wait for the microphone to come
5:03 pm
down to you. there you go. let's go here. yes, thk. >> i'm mike nelson and i've been working on encryption policy for 25 years since i was a white house co-chair to find out how it works. it didn't because people didn't adopt it. i think we all agree that technology has to be something that both industry and customer want. and i represent now a west coast-based web security firm. so let me share our thoughts from the west coast. our first thought is that, if there is this magic technology, it would have been invented five or ten years ago, and somebody would have made billions of dollars off it. all the technologists say there is no way to build a back door or a front door that people are going to trust and that aren't going to introduce new problems. so we have to look at what really will work.
5:04 pm
and it seems to me that the scenario that none of you mentioned is a scenario where we have the government doing things to make sure we have strong encryption rather than undermining it. and you've already mentioned the cases where various leaks exposed efforts by the government to promulgate ineffective encryption. if we had instead strong inkrepi encryption a thousand times more data to go after the bad guys. we have the technology where everybody could practice self-surveillance. i could have technology in my home that could focus on everything that happened there. a hundred million homes had that crime would be a lot more difficult. there are ways to deploy stronger technology if
5:05 pm
individuals had control of the data, and that data could then be used to fight crime and used on the streets, in banks, all the places it could be used. but it will only be used if we trust it. and right now, we have no reason to trust it. so my question really is, how can we have a higher level of transparency and trust? how can governments actually reveal the vulnerability dollars so that the industry can deploy the internet of things, the cloudless things, self-surveillance, all these things which would give you data to prevent crime -- and prevent millions of crime, rather than giving you the data you need to investigate a few hundred crimes? >> isn't that the billion dollar idea, though? >> yeah. strong encryption is
5:06 pm
$100 billion. >> i don't understand it. i'm not sure what data you're talking about. sound like metadata. >> talking about a system in my own home where i record everything that happens. i have my own surveillance system, closed circuit tv. anything that happens in my home, i know what happens. >> so with a wrant that we can come in and have access to the data. it wouldn't be encrypted but with a key that you maintain, right? >> yes. >> how do i deal with an operate of isis let's say, who is communicating usi encryption overseas. >> you'll have a lot more data of what that person is doing in the real wld rather than what they're doing. >> i don't know where that data -- >> they have to get it. and with this internet we're
5:07 pm
going to have a lot more data than we have today and you'll be able to get that data from law-abiding citizens -- >> i disagree with you. if you have two isil operatives in syria talking to each other using an american system, american messaging app that's end encrypted they're going to take on communications and plot whatever they're plating and we won't be able to see that. that data will not exist -- if the company doesn't have a key, the two communint have a key, they're not about to give it to us. >> you're focusing on 1% of the problem. the new data you're going to have to determine -- >> the american people want to make an a choice and how much law enforcement has to it. i'm not going to preach at this entire country. what we're trying to say is
5:08 pm
there is data that will be available. your kind of system will have cost as well, right? if every single utterance, every single activity is recorded in your home, the american people will have to decide. >> it's only available if the individual wants it. >> if somebody gets in and steels the key because grandma left it on a note -- i get your point. there is a lot of data available, and we try to make use of it in legal means. i disagree. i don't think what you're dealing with is a solution because we have to deal with the global threat. >> that's the poi. we're not going to have the way to find. david brin wrote a wonderful book where everybody watches
5:09 pm
everybody and at the end of the day you have control of it. we all focus on the isis person talking to the other isis person. >> because i at the fbi have to deal with that. i have to deal with people trying to kill other people. i get your point. and we have to deal with the other scenario, and it's another scenario. >> if you build the infrastructure for that scenario, you miss the 99% -- >> we're not sitting here with a solution we're trying to impose to anybody. >> there is a question, actually, behind you. david gern from new america. the question is with regard to the particular threat you're talking about and what you need material difference and how
5:10 pm
deadly or how attacks or attack plots inside the u.s. have you seen because of communications back to syria. is that actually increasing death toll? is it in -- in europe and elsewhere we've seen cases where it mobilizes existing network that do seem to provide arms, et cetera. in the u.s. do we really have that problem now? are you looking forward? is it already here? thanks. >> the problem has been here for some time in terms of, again, it's -- it's operatives inside the u.s. communicating with people outside and having communications about whatever it is ty're talking about and we can't see it. that has been an increasing problem over time. look, there are examples that we are able to talk about, the
5:11 pm
garland,texas, one is the one we figured that we can talking about. there are other matters that we don't talk about because they might be under investigation, and we can't talk about that. which is a problem. the government needs to be tran transparent, i agree with that. but we need to control it so the bad guys don't know what we're capable of and not capable. but it is a real problem today. it's going to increase as we expect over time. but it's a real problem today and we saw it over the next several years. >> sir, in front of you. the gentleman in the beard here, first. >> my name is john meredith. i was surprised you mentioned you have no proposals from the fbi as far as legislation. how are we going to go forward if you don't make a formal
5:12 pm
request expressing what your requirements are to the appropriate committees in congress? >> there are a lot of legislative proposals but the executive branch is whether there will be a proposal put forward. this is not so hard that you can't write in a concise way a legislative proposal. the challenge is getting a legislative proposal -- writing a law that achieves what you want to achieve. that's the hard thing. so we as a society, i think, have not figured out what we want to achieve. once we figure that out, balancing all these different he can quits we've been talking about, we don't agree how to balance of the different equits,
5:13 pm
and we are trying to figure it out. but once we come to some consensus, the writing on the page is not that hard. >> just to follow up really quick. can you imagine a world in which we don't bother with a law but the industry forms certain standards and say under certain circumstances we will cooperate with law enforcement if the following criteria are met, major terrorist attempt, preventing loss of life, something like that. the theme is we're not getting a law anytime soon. they can't even get a republican congress to agree on health care. we're not going to move on to encryption anytime soon. can you imagine a situation where we bypass the law and come to some sort of ethical conduct or something like that? >> the industry cooperates to the extent it can.
5:14 pm
you've seen it through transparency reporting. there is a trend to cooperate. sometimes to user chagrin, i think, with law enforcement investigation. whether a consortium would come together to create an ethical conduct to decide when to provide access to encrypted systems, i can't imagine that being -- just because we run into the same problems that we now have a consortium of companies that far selling products that are less good than other products of the companies that are not under consortium. there are market pressures, i think. >> i think your -- your question is very interesting because we are still seeing within the european union in our nation to
5:15 pm
the social media company exactly this kind of thread. we are engaged in the internet forum to regard to removal of terrorist content on the platform, inviting them to consult together and create a consortium so as to remove the terrorist content, calling to the terms and conditions. and some of the companies, i will not name which ones, even changed the terms of condition in order to make sure that the referral process from the internet referral unit or with a word or in particular in europe is immediately taken down. so the concept is the same. the public is discussing with the companies, inviting them to take up their own social responsibility and changing the
5:16 pm
framework or adapting the framework in which they work so under the voluntarily initiative they will make sure to intervene when is necessary, affecting themselves only their own terms and conditions when to do it. it's something that we are exploring as well in europe. >> thank you. my name is -- >> i think your mic is off, maybe? >> thank you. my name is ali shiraz. i come from a nation where tens of thousands of our people have been massacred by the taliban and we have considered the daesh with a beast inside the middle east. i appreciate the fact that you
5:17 pm
are all going to the tactical -- finding a solution for encryption. even if you are to resolve the encryption problem you're not going to stop these people from killing and doing what their intending on doing. why doesn't the world concentrate who the mother -- the queen bee that is funding the operation? the person who comes and does the killings in the united states or afs ghanistan supported by someone by him and then above him. alb al-baghdadi is funding this, and then there is somebody above who is funding him. why don't we go after the people who fund this, and if we cut off the funding, they won't have the opportunity to pay the suicide -- they have to pay any suici
5:18 pm
suicide bomber, $5,000 and $15,000 -- >> let's give a chance to respond which is outside of the scope. >> i think there is a con severitied effort to try to take out the people funnelediding th groups. >> the united states is trying to weed out all the threats of isis, there's no doubt, trying to influence the funding sources. they're very highly funded and i agree that cutting the funding is a significant way to damage the organization, and we aggressively do this, but it's hard. >> people on the side. i have a question from you, ma'am. i want to make sure people are taken into account. raise your hand if you have one. we'll go to you next.
5:19 pm
>> my name is didi cutler. do you have a time frame to solve the encryption problem? >> that's the question. >> you're the expert. >> that's a very reasonable question, and there is a lot of assumptions embedded in this discussion that this is intractable, right? but, i mean, is there a time horizon on something like that? are we near it or is it frankly going to take a catastrophe that focuses the mind, to james' earlier point, it's not a great time to come up with policy solutions? >> let's hope that's not the case, obviously. >> sure. >> no is the direct answer to your question. i think that -- i know -- i don't know when this will be
5:20 pm
resolved. as i suggested earlier, i think a way to perceive is to focus on a part of the problem such as the data on devices or you can pick another part of the problem and try to focus on that and have a robust discussion, and as the gentleman was saying earlier, trying to sit down with the technical experts, if we did this, what is the cost, what is the trade-off? i guess i don't agree that technologists don't think that it can't be done. i've talked to them and they think it can be done. their risks that we have today. and the systems that we have today is not perfect. they're filled with vulnerabilities. you have data that is acquired about us by lots of different companies and we have no clue where it is, what's happening to it. it's opaque, and there is a risk
5:21 pm
as well. risks abound. and focusing our efforts on the one part of the problem may be a way forward to try to see if we can build consensus that does require folks to acknowledge that the law enforcement faces a problem, that the other alternatives available to us are insufficient, such as metadata and lawful hacking. they are insufficient. and then we can move with the dialogue. >> luigi, you want to respond? >> as i told you last year, we have launched this kind of debate. and we are putting together technical people, the lawyers, the civil society, the politicians to have this discussion. we are planning to exhaust our
5:22 pm
preparation until the end of this year. but then we will put up option for a political debate. as james said already before, society needs to decide where is the balance. and through the political representative that will be elected in our country, we the civil society, the company, have a discussion and then a collective decision where to put exactly the demarcaon line, how far we want to go the discussion between security and nonsecurity. >> i don't bet on a march madness school. so no odds for me. as far as coming to a solution, so i think, you know, it's not going to happen in the immediate term but more an a long term conversation. and god forbid, if there is an
5:23 pm
attack in the interim there, but if i were to, you know, put -- put money down on something i think the solution in the end to be some sort of recognition by access to public conversation and looks at technical balances and looking at the insufficiency of metadata and that is insufficient for the american people and worldwide. >> you have a question here. put your hand up so they can see you with the mic. there you go. >> thank you. my name is elizabeth mcorder. i'm with the senate security committee. my question is for mr. baker. i get that you don't want to advertise capability gaps to the bad guys. but the challenge for policy makers is that transparency
5:24 pm
helps provide legitimacy to provide will for action, and i think we're lacking that transparency. and i know the fbi used to produce publicly available reports on the domestic terrorism situation annually until it ended in 2005. i know g.w. university and shamus has provided reports and access. and i am glad to see that the fbi is more willing to talk about garland and investigations like that and why you are limitations, but moving forward it would be nice from a policy maker's perspective to have more transparency and coordination and i'd like to know how the fbi plans to do that. >> so we -- with respect to
5:25 pm
trying to collect data. that's how i was taking your question, data to explain what the problem is so people can have a sense. it's a totally legitimate point and we're trying to collect data. we looked at different time periods but the one i have clear in my mind is from the last three months of last year, where we had, let's say, around 2,500 i think devices that were brought to the fbi from around the country for analysis, and we could not open about 40% of those. we had no technical means to open those. what kind of cases? i think we have the data to sort of a degree. one of the challenges that we face is that law enforcement officers and the intelligence officials who are busy and doing investigations quickly figure out what types of platforms they can get access to and which ones
5:26 pm
they can't. and they're not going to waste their time seeking a title 3 order or a fisa on the intelligence side. these are labor intensive processes to get those surveillances. they won't waste the time if they know the thing is encrypted anyway so why do i bother. that is one of the most significant problem, is people saying i'm not going to waste my time. it's a data point that's missing that therefore any data that is going to come forward doesn't really reflect the true nature of the problem because people are self-sensoring out in the field, they're not out bothering about it. they never make it to the justice department or the fbi. it's an incomplete picture. we're struggling with that and that's why we sort of -- not sort of. we have focused on this one
5:27 pm
point of collection data that we know is available to us. we have people actively thinking about how to do that. because you're right, we need to back this up with data. i agree with you. >> maybe not from a industry perspective, but a curious person perspective. what is for the fbi agent still manages to practice absent the encryption being done. the 43% of devices that we can't access, but what percentage of those cases were they able to move forward to a prosecution or close investigations? >> we keep moving all cases because we're not going to stop because of these devices. we never give up. it may take longer. it may be riskier. you may have to put a human source or fbi agent in harm's way in order to get the data. so that's -- it's more expensive
5:28 pm
and risk to the integrity of the investigation. all of those costs add to it even at the end of the day we're able to solve it. notwithstanding encryption. >> the gentleman in the third row. last question. >> my name is brian. i'm a student here at g.w. law. i want to talk about two groups that have been underrepresented, but it's been a great conversation nonetheless. it's consumers who might need encryption and other policy to prevent hacks by terrorists or cyber access and they're not usually adequately represented at conferences like this. and the human rights and civil society rights activists overseas, many of whom face
5:29 pm
autocratic governments and passing the right legislative policy solutions within the u.k., and the u.s., or the eu but the issues that happen is these get demanded by the governments overseas and if u.s. government especially would have cooperated in the local governments and here and in the eu then cooperate with foreign governments as well. we should have a more autocratic stance. i wanted to ask what moves are you taking to ensure that the consumers and civil society activists are adequately represented? >> okay. i can jump in. on the representation issue it turns out there is a conference in brussels happening this week. you should -- there may be some live streams. most of the human rights and
5:30 pm
privacy rights representatives are there. but when it comes to sort of the -- the collaboration with these organizations i know industry, me in particular, i have robust relationships with folks in the human rights community, the private community, representing consumers' rights, and i'm sure the fbi and -- and eu have similar interactions, i think, in your -- i'll let you respond. >> definitely to assure you, the consumers and when we call -- what we call in europe the civil society, including the ngos where they sit and they present the views and they are followed and a deposition is there. to respond to the question how
5:31 pm
do you deal with the potential ability that other foreign governments will use the that ability. that is something that we discuss and are potentially concerned about. that's why the point and jurisdiction is so important, in my opinion. we have to be very careful to talk about legislative proposal that would then push the companies to make available not only to ourself or but to other foreign countries the ability to decrypt those systems. so that's something that we really take care of, and it's part of the discussion that we have. >> james, last word. >> sure. we're hopeful for a solution to this problem. but a solution that results in more people's data being vulnerable and more cybersecurity threats and more
5:32 pm
consumers being exploited is not a solution. if we -- if it does that, then it's not a solution. if it does not protect innocent people from abuse by oppressive golfs overseas, then it's not a solution. we agree with that, we know that, and what we hope for is some type of solution that appropriately balances all these things in the right way, that protects innocent people, that enables law enforcement to do what it needs to do, that allows companies to be innovative and competitive in the market system. otherwise it's not a solution. and it won't be acceptable to society. and there will be no solution if not people deal with it. >> i think the host will have last words. i want to thank the panel very much for being here for a great discussion. thank you, all. thank you for your questions.
5:33 pm
[ applause ] >> i thank the panelists. it's been a absolutely great conversation. if i were to think of the three words that i've heard consistently from all of the speakers and from the barnones before that, is balance and discussion. i'll be brief. just a note, we're going to be starting again tomorrow at 9:00, we have coffee outside, and then 9:45, we'll have a keynote by doctor from the ue. i thank you for being here today. this was a fantastic appetizer, and i cannot think of a better one, one of more substance to the larger conversation we'll have tomorrow. we'll be speaking again about encryption, privacy, a lot about countermessaging. so i look forward to seeing you
5:34 pm
tomorrow. and i want to thank you again for coming tonight. thank you. [ applause ] this weekend on american history tv, on c-span 3. saturday at 6:45 p.m. eastern,
5:35 pm
james haily, author of "captive paradise, a history of hawaii" talks about the last queen of the kingdom of hawaii. >> she had been secretly been working on a new constitution that would restore her royal powers. from this pro session she went to the palace and announced her constitution and that was the beginning of the overthrow. at 9:00 historianian about 20th century presidents. >> how weak the american presidency was in the late 19th century and how powerful it was when theodore roosevelt sur renders power. sunday at 4:00 p.m. eastern on real america, the 1961
5:36 pm
documentary ordeal of woodrow wilson. >> these delegates were determined not to let idealism stand in their way and for their own purposes and desires. for our complete american history schedule go to president trump's calls for large cuts to research programs. a mother whose young son died of a brain tumor testified about research in tumors and clinical trials to minorities and how the cuts would impact future


info Stream Only

Uploaded by TV Archive on