Skip to main content

tv   American Bar Association Hosts Security Law Conference - Surveillance  CSPAN  November 9, 2018 11:08am-12:35pm EST

11:08 am
"after words," republican senator ben sasse from nebraska talks about his book, "them: why we hate each other and and how to heal." he's interviewed by arthur brooks, president of the american enterprise institute. >> i don't think political tribalism is the story of our moment, i think political tribalism is filling the vacuum on declining local tribes. and the kinds of tribes that make people happy; family, deep friendship, long-term, shared vocations, local worshiping communities. all those things are being undermined by the moment we're at in technological history. >> watch this weekend on c-span2's booktv. up next on c-span2, a conversation from the american bar association's national security conference. we'll hear a group of attorneys discussing government surveillance and the fourth amendment's protections against unreasonable searching and seizure. >> i'm going to have a very short introduction for glenn,
11:09 am
because i think everyone in the community knows him, and the biographies are in the packets. but all i just would like to say is that i think glenn's commitment to public service, his leaving private practice to come and first work with mike rogers who -- and now with paula -- is the type of service that our committee and community is famous for, which is it works with all ends and all parties, and it provides professional advice. and glenn is sort of the consummate, emerging professional. so with that, glenn, can you come up and address the crowd. [applause] >> thank you very much, harvey, for your introduction, and it's just terrific to be here today.
11:10 am
i look out in the audience and see lots of friends and colleagues in the national security sector, and it's great, on a personal level, just for me to see so many folks from my own agency, so thank you. this is a terrific conference, terrific people, great day and a half in front of us, and i'd like to express my gratitude to the standing committee and to cindy and harvey for having me here. i very much appreciate it. i was a little concerned about how my speech would be received today, and i note that despite my specific request, the desserts are of a size that can be thrown. [laughter] so let me just say how much i enjoy being here. [laughter] starting my remarks today with a short quotation from a hearing before the u.s. senate seems fitting given that we're at a legal conference in washington. computers are changing our lives faster than any other invention in our history. our society is becoming
11:11 am
increasingly dependent on information technologies which are changing at an amazing rate. combine this rapid explosion in computing power with the fact that information systems are being connected together around the world without regard to geographic boundaries, this offers both opportunities and challenges, among them vulnerabilities which represent severe security flaws and risks to our nation's security, public safety and personal privacy. that quotation sounds like it might have come from a hearing earlier this year, but it was said by senator fred thompson more than 20 years ago, well before the invention of the iphone or youtube and just at the dawn of e-mail. the hearing, actually the first-ever congressional hearing on cybersecurity, featured some hackers who gave the senators a clear and simple message: our computers, networks and software are dangerously insecure. despite this, it would take decades for our nation to appreciate the cyber threat,
11:12 am
during which time we would see a steady accretion of malicious are cyber activity. inflection points often go unnoticed, and in retrospect it's really not that surprising that the hackers' testimony wasn't appreciated for the dire warning that it represented. looking back at the 1990s, we can now realize that perhaps as the internet was taking off, perhaps we missed an opportunity to chart a different course as to our cybersecurity. i bring this up today because we stand in an analogous moment in history. if 20 years ago represented a tipping point of sorts for the internet, then perhaps we are now at or even past a comparable, broader tipping point as to the overall digital revolution. the so-called fourth industrial revolution is upon us. as commentator kevin drum recently put it well in foreign affairs, the world sits at the dawn of a new age, and technological advances are set to make traditional forces of change no more than mere footnotes when we or our robot
11:13 am
descendants write the history of this digital revolution. so maybe it's no surprise that we're missing this tipping point too. both the statistics such as 20 billion connected devices and the very concepts of profound change that we hear from futurists and technologists are mind-numbing. of course, we aren't doomed to watch this wave of profound change wash over us without some consideration. challenging though it may be, we can examine and prepare for some aspects of this digital revolution that that will have s fundamental indications for us as the industrial revolution did. that revolution will have one particular consequence that will impact every one of us in personal and far-reaching ways, and it's one that has special meaning for us as lawyers. i'm speaking of the effect on our privacy. although we continue to forge ahead in the adoption of new technologies, we haven't, simply haven't confronted as a u.s.
11:14 am
society what privacy means in a digital age. if you look at the advent of other novel technologies from the automobile to lek are terrorist, regular -- electricity, regulations inevitably magged, but we -- lagged, but we didn't let it get too far in advance before societal norms and laws caught up. not so today. has there ever been a time where technological change has been this rapid, this ubiquitous and this impactful? it's no wonder that our legal structures especially in the area of privacy have failed to keep pace. it's worth examining those gaps so we can see where additional thinking and action will be required. given my vantage point at this occasion, i'll focus on how the federal government affects the privacy rights of the public. i'll start by looking at the approach taken by the judiciary in fashioning the scope of our privacy interests and then turn to some examples in the legislative arena. i'll move on to implications for the private sector and then conclude by suggesting what are our responsibilities as lawyers
11:15 am
in this critical area. so let's start our examination with an overview of how our judicial system has constructed our privacy regime at least relative to the federal government. as you all know, privacy in the u.s. is a notion that has traditionally been rooted in the fourth amendment. perhaps that comes as no surprise given how our country was formed and how one of the enduring debates has been the scope of government's involvement in our society. in any event, you may recall that that the text of the fourth amendment makes no mention of the word privacy, and nowhere else in the constitution or the bill of rights is a general right to privacy expressed. this is understandable though when you consider both the rudimentary state of technology at the time and the fact that the fourth amendment grew out of the experiences of the colonists who rented the british crown's use of writs of assistance to force entry into their homes. the fourth amendment didn't mention pryce then because protecting -- privacy then because protecting one's physical property from
11:16 am
unreasonable searches and seizures was sufficient. this also explains why, if you had reviewed the first hundred years' worth of the supreme court's many occasions to consider the fourth amendment, you would have found cases focusing on physical intrusion and property rights but not a word about privacy interests as such. nor was there a decision when the requisite technology later adopted that electronic surveillance itself qualified as a search or seizure for purposes of that amendment. the clearest expression of the need for a change in legal approach appears in the prescient writings of justice louis brandeis. in his seminal article with samuel warren and in his famous and far-sighted dissent in the case of olmstead v. united states, brandeis proposed to separate the concept of privacy from other legal principles and recognize it as something entirely distownship. but you would have had to wait until 1967 for the supreme court, in katz v. united states, to adopt that concept and
11:17 am
overturn the almost four-decades-old ruling in olmstead. writing for the majority, justice potter stewart held that the fourth amendment protects people, not places, and in his concurrence, justice harlan fleshed out a test for identifying a reasonable expectation of privacy. this test was then further defined throughout the 1970 in the united states very miller and smith v. maryland where the court held there's no reasonable expectation of privacy for information such as bank records or telephone numbers that's voluntarily given to others such as bank employees or the telephone company. in the years that fold, our fourth -- followed, our jurisprudence continued to develop in this matter with courts largely focusing on the type and location of surveillance, based upon the facts of each particular case to determine whether a protected privacy interest was implicated. i might add as an aside that almost nowhere in the case law is the real focus on the actual content of the communication. as if we needed any further
11:18 am
evidence of this very case-specific approach to development of our privacy and surveillance regime, the supreme court just a few months ago gave us what the court itself branded as a narrow decision. i am, of course, refersing to united states v. carpenter which addressed whether the fourth amendment could be violated by a warrantless search and seizure of historical telephone records, cell phone records that reveal the location and movement of the user. the court held that the government's acquisition of such records, or at least seven or more days of them, constituted a search under the fourth amendment which required a warrant because it violated a person's legitimate expectation of privacy in the record of his physical movements. in coming to that conclusion, the court noted that apart from disconnecting a phone from the a network entirely, there's almost no way of avoiding leaving behind an electronic trail of location data. to the court then, the location information was an entirely different species of record than, say, bank records or phone
11:19 am
numbers. and in no meaningful sense could it be said that the user voluntarily assume thed the risk of turning over a comprehensive dossier of his physical movements. so as we stand here today, it's too early to discern the full ramifications of carpenter, but one point is clear. the carpenter case serves to highlight one of the major challenges in applying our fourth amendment jurisprudence in this digital age. by the very nature of our judicial system, which does not allow for advisory opinions, our courts are necessarily confined to deciding cases based on the specific facts or the technologies with which they are presented. these decisions are, therefore, inherently backward-looking which feels like the wrong approach when addressing rapidly-developing technology. by contrast, tort law principles can be extended to facts beyond the case at issue because the concepts of negligence can be intuitively applied to a wide
11:20 am
range of facts and situations. not so where the very legal principle is rooted in and, indeed, expressed in terms of the precise technology before the court in the case. now, i'm not in any way being critical of our judiciary; rather, i'm simply pointing out that the limitations of our case for controversy scheme can result in a patchwork quilt of legal precedent that takes into account only the particular technology before the court in each case which in turn leads to decisions that are sometimes hard or to reconcile or are distinguishable only by factors that seem of dubious significance. indeed, the very fact that the nine justices generated five distinct opinions in carpenter itself makes clear that even the best legal minds are divided over the right approach. and this was in a relatively straightforward case involving fairly well established technology where there already was ample supreme court precedent about the government's access to other types of cell
11:21 am
phone information and its use of technology to track a person's physical movements. so our experience tells us that if we want to be forward looking to embrace future technologies and have more predictive legal principles, the legislative branch also has an important role to play, which i'd like to turn to now. while the courts have established the outer bounds of the fourth amendment, within those amendments it has been congress that has enacted relatively strong privacy protection but only in specific areas. most significantly, where congress has chosen to act it has often been to address only specific problems about which there was widespread consensus. these issues are technically complex to bin with, and is we all know that political accord can be difficult to achieve. and thus in many cases, given the pace of technology, we've been left with either aging or no laws at all. take, for example, how congress tried to address new technology back in the 1980s. at the time, the law focused mostly on privacy protections
11:22 am
related to telephone calls, and it was said to be hopelessly out of date. of particular concern to congress at the time was the supreme court's decision in miller and the increasing adoption of both e-mail and computerized recordkeeping systems. because this information had been voluntarily are conveyed to a third party, this suggested under prevailing doctrine that it was entitled to little or no constitutional protection. so in 1986 congress passed ecpa which established a new framework that provided varying requirements for law enforcement to compel the disclosure of the content of electronic communications, depending in part on how long they'd been in storage. for those communications that had been in storage for less than 180 days, a search warrant based on probable cause is required. in contrast, for those that have been in storage over 180 days, more than 180 days, only a court order showing relevance to an investigation is required. the rationale for this distinction was the state of technology at the time. in 1986 most electronic
11:23 am
communication systems, including nascent e-mail services, did not retain electronic records for longer than six months. as a result, congress concluded that, quote, to the extent that the record is kept beyond that point, it's closer to a regular business record maintained by a third party and, therefore, deserving of a different standard of protection. regardless of how you feel about where congress i drew this line, there can be no debate that due to subsequent developments in technology and commerce, the environment in which this framework was adopted differs markedly from today's. we now conduct most of our affairs online, we have access to virtually limitless electronic storage, and the fact that we keep to choose key electronic records longer suggests they are deferring of more protection, not less. it also raises a larger question of whether this regime still makes sense given these new realities. in the decades following ecpa's
11:24 am
enactment, congress has considered but not approved legislative updates to the statute although id admit pass the cloud act earlier this year to address a different, pressing ecpa-related issue involving law enforcement access to electronic communications stored abroad. as i mentioned earlier though, much like other times when congress has acted in the privacy arena, the cloud act serves to resolve only a very specific problem about which there was widespread consensus. in my view, no matter how highly we think of congress' efforts, one-off, hand-crafted solutions like the cloud act are, as a political matter, simply too time and labor-intensive to meet our needs in this age of rapidly developing technology. the situation isn't all that different with respect to privacy in the context of our national security laws, most notably the foreign intelligence surveillance act, or fisa. as many of you are well familiar, fisa was originally enacted in 1978 to provide the executive branch with a
11:25 am
court-authorized process for conducting electronic surveillance against foreign powers or their agents operating inside the united states. in creating such a system, congress sought to care friday balance and -- carefully balance and protect the privacy and civil liberties of all americans. and, indeed, the statute has done so admirably for more than four decades now. much like ecpa, however, fisa's structure has remained basically unchanged even as technology has zoomed ahead. admittedly, congress did respond to changing technology through the enactment of section 702 as part of the fisa amendments act of 2008 which is one of our most important foreign intelligence surveillance authorities. but taking a step back, we should recognize that this section represents only a small part of the larger fisa framework and it, again, addresses only a discreet technological problem. the rest of fisa is still based on its original definitions with the result, in my opinion, that we've wound up with a complex,
11:26 am
multi-agency statutory scheme that hims in the part on the type of collection and the location of collection as well as the purpose and use of collection and that doesn't specifically address such issues as ubiquitous encryption, web-based communications applications, the possibility of intelligence information becoming available through new technologies and the global dispersion of computer servers and data storage. i mention ecpa and fisa today not because i'm calling for any particular set of changes or improvements; rather, i believe they are emblematic of how technological changes can drive the need to update statutory frameworks, and they demonstrate the shortcomings of 40 we've addressed them in the past. these shortcomings become even more noticeable when you consider how our privacy laws regulate the private sector. as i noted earlier, the legal restrictions we put in place to
11:27 am
insure our privacy here in america are mostly focused on curtailing government. by contrast, we've largely let market forces -- which is to say no regulation -- establish whatever individual rights we have, may have in this area relative to corporations and other businesses. true, the private sector's collection and use of our personal data are in some areas subject to a complex assortment of federal and state statutes. but many of these statutes apply only to particular sectors or types of data, for example, your financial or health information about which there is a deep consensus on a heightened need for privacy. the rest provide only broad consumer protections and are really not focused on privacy, per se. admittedly, there are benefited to this approach which allows wide latitude for the state to legislate and reduces the risk there'll be the sorts of unintended consequences that often accompany broad, comprehensive legal regimes. on the other hand, state rather than national-level solutions raise the specter of inconsistency and complexity.
11:28 am
compare for just a minute the u.s. regime to how privacy is regulated in europe. there the concept of privacy focuses on the dignity of the person and very much extends to private sector activity of types. this approach has traditionally resulted in laxer regulation of government surveillance but much stricter and more comprehensive laws about, for example, data protection, credit reporting and workplace privacy. the general data protection regulation, or gdpr, which came into effect earlier this year throughout the e.u. is a perfect example. gdpr instituted a new set of wide-ranging and significant privacy protections and and applies broadly to all e.u. organizations and companies around the globe holding or processing the personal data of people in the e.u. europe is far from being alone in passing comprehensive privacy laws. according to one estimate, more than a hundred countries now have some form of privacy laws, and some 40 other cups have pending legislation -- countries have pending legislation or
11:29 am
initiatives in the works. this is not to say there haven't been attempts here in the u.s. to strengthen and standardize our privacy laws applicable to the private sector. various approaches have been the subject of widely publicized hearings before the u.s. senate and the federal trade commission in recent months. the national institute for standards in technology has also begun looking at the issue with the goal of issuing a privacy framework in the same vein as its wildly-heralded cybersecurity framework. and in part as a result of the federal government's failure to adapt -- to adopt a consumer privacy bill of rights, california recently enacted its own consumer privacy act which extends a broad range of new consumer privacy rights and data security protections. no matter how you view these efforts, it's clear that many in our society feel that the approach we've taken to regulating privacy in the private sector is increasingly problematic. the recent level of public and congressional attention to the
11:30 am
facebook/cambridge analytica issue is illustrative of that feeling w. the international community pushing ever more aggressive laws and the global nature of our digital society, the choice regarding how we address privacy here in the u.s. might soon be out of our hands. companies operating internationally are being forced to adapt to regulations implemented in foreign countries. if we want to play a role in shaping those policies to suit our own notions of privacy, we need to get engaged. this will require the public and private sectors to take a holistic approach to addressing privacy concerns associated with our increasing reliance on digital m technologies. ..
11:31 am
i'm not here to advocate in of these are other potential approaches but rather my point is we must have a societal dialogue about how we want to confront the problem. even more broadly we need to be asking ourselves a more fundamental question of what privacy remains to us in the u.s. as it relates to our interactions both with the government and with the private sector. under our current legal framework the same electronic information may be protected from interception or disclosure to the government but it could be disseminated, used or sold by private company with few if any restrictions. if we reflect on whether that's a best approach, moreover,, the confluence of the internet of things and increase monitoring for cybersecurity purposes and plant almost inconceivable level of knowledge of potential knowledge about an individual. what we feel comfortable that a machine will see, aggregate and
11:32 am
analyze this data is knowing there's always the possibility that humans could extract the resulting knowledge? some advocates have asserted a violation of privacy occurs when the government computers scan a citizen of the best looking for terrorist email even though it's all done without human intervention. at the same time my private email provider reads all my e-mails looking for spam. how do we reconcile this? to be sure a social media company or data broker can't put your trial or in jail but consider how much information these companies actually know about you, everything from the mundane like her contact information to some of your most personal intimate and potential even unconscious interest and habits. isn't it fascinating we reached a point where arguably the private sector now has an even greater impact on our privacy than the government? have we paused to consider to account for that? or perhaps have reached the point where we've come to accept
11:33 am
the status quo because to quote, our concept of privacy is so muddled, so situational and so influx that we're not quite sure anymore what it is or how much of it is we really want. i would submit a natural and appropriate place to begin these conversations would be to re-examine the supreme court's 1967 formulation of our privacy interest. in lieu of evaluating the expectation of privacy as a threshold and dispositive question, maybe we could implement it instead by means of a functional approach because the place of focus more on the type of information at issue, it's intimacy and sensitivity and how it is protected including considering whether one truly and voluntarily shares information with any third parties. while deemphasizing factors like the type of communication collected, the means by which it was collected or the location of its collection. it might result in stricter controls on information such as
11:34 am
medical records and less protection for information such as the time date and duration and identity of a telephone conversation. just to be clear i'm not seeking any diminution of of her privao facilitate surveillance powers. actually i think of coaching approach to this issue and this topic could strengthen our sense of privacy in many respects. finally i would caution in having these discussions we must avoid the temptation to do things in absolutes and reflexively labeled ideas as anti-privacy, anti-security or even unconstitutional just because we think they should be. this will be particularly important when addressing politically and emotionally charged topics like encryption which undoubtedly will continue to play significant part of the private conversation in the years to come. rather than simply asserting any potential weakening of privacy protections, legal, technical or otherwise is inherently bad and off the table for discussion we
11:35 am
need to be intellectually honest about what interest were trying to protect, what harms may occur and how we should balance these against other potential benefits such as increased safety or convenience. retreating into a traditional corners will only serve to stall this important debate. we should instead be looking to find consensus and principles we all agree upon. it's undeniable that these are extremely complicated issues with no clear for correct answers. throughout our nation's history lawyers have been the leaders in helping our society wrestle with these issues and forge a consensus on what's best for our country. so through our very work as lawyers and the national security realm we are in the vanguard in thinking about privacy in this digital age and that's why we have a responsibility to use our knowledge and our skills to help lead a constructive dialogue about how to better shape our
11:36 am
legal framework in the years to come. let's not miss this opportunity. let's not let this inflection point pass us by. i hope to my remarks today i've contributed a a small part to e process, and i thank you for your attention this afternoon. [applause] >> thank you, glenn. i think you help set the table for our next panel coming up ass a token of our appreciation i'd like to give you our coin, which you know is from another perspective you know has magical qualities. >> absolutely. >> we want to give, and i have a bit of reading in your current job, the cybersecurity recent second edition at a think it are having trouble sleeping, this might be the ticket. [laughing] >> thank you. [applause]
11:37 am
>> great. we will have the panels join us. then you please come up and take the dais for our panel. thank you. >> [inaudible conversations] >> [inaudible conversations] >> if i can get your attention. if i can please get your attention.
11:38 am
[inaudible conversations] >> if you have to take a break, please take a break. what we will do is a little different, is that we will set the table on this issue, and ironically enough our panel title is -- [inaudible] and what we're going to do is again i'm going to suspense with introductions because they're in the playbook and i think these are pretty well-known individuals in the community. what we're going to do is just go down the row and have each panelist respond to the challenges in the paper that he just gave. we are looking for i guess a cogent analysis in being intellectually honest so that we can start the societal dialogue that glenn has invited us to do that. so coming from the congress how do you see the issue that glenn
11:39 am
has laid down and your initial reaction? >> he put a lot on the table -- [inaudible] glenn noted that he wants to see more of an emphasis on the type of information that's collected, it's intimacy and sensitive and how it is shared and protected and he wants the deemphasis of the type of communications, the meat and location and other things that are statutory framework is built around especially the statutory framework. so i do believe that he is like set this beautiful ideal but i do think it will be also very challenging to achieve that. again, it's, even when we were working on section 702 and the reauthorization of it, which happen january of this year,
11:40 am
when we were doing the warrant requirement related to accessing the content of the communications and what categories of information would be, for which a what would be required, it was really a difficult task to enumerate all of the individual areas. and so when he says he wants to see more of an emphasis on the type of information collected, statutorily, that's the chunk because we always worry about something slipping through the cracks and that's important. also with respect to fisa, i agree with glenn that the statutory framework of fisa, fisa which was passed in 1978, has been an incredibly resilient. and it wasn't until after the revelation of the presidents terrorist surveillance program, the warrantless surveillance program, that we really most i think the most significant change to fisa, which was
11:41 am
allowing to cover those communications. when we did that i think we were very focused on ensuring that, that never again good surveillance happen outside of title iii and outside of fisa. and so it was critical. and also that, noting, , when we reauthorize fisa again this year, will he talked about the procedures that would be set up for querying information, that all those things be done consistent with the fourth amendment. nevertheless,, when we are devolving statutory frameworks for the challenges ahead, we what are statutory framework to endure and the same way that fisa has endured. and so with technology we have to be very mindful of that as we move forward. so it's challenging but it can
11:42 am
be done. >> jamil, we have two jamil jaffer at the conference. this is jamil with an eye. you are not only an academic but have he'll experience. so what is your reaction to the challenge that glenn has laid out? >> i think wyndee is exactly right which is glenn has laid out for his very strong challenge, a very interesting challenge, great concept that it would be difficult to do in the current statutory confides that it doesn't mean we should attempt to get it doesn't mean these things are impossible but it will be to be sure a challenge and he's of the things i think we live for. one of the things that makes this heart is we've only dealt with fisa in times of essentially crisis. fisa was born out of the crisis of the church and pike commissions, the nixon efforts.
11:43 am
the amendment to fisa come 702, the major as i agree with wyndee, , the major change was born out of the crisis that came from 9/11, the president's response to it and what we cannot talk about as stellar program. the decision to bring the program under fisa court authority, the content part of it at the beginning of 2007, and the challenges the company faced trying to cram this program at the technological changes took place between 1979-2001 into the technologically-based very carefully crafted framework of the definitions in the statutes. a set of definitions designed intentionally by congress to carve out a significant amount of the federal government known surveillance at the time. congress said at the time we will get back into with the later but when the data they knew what they were doing. they were carving out the bulk of the way the film, conducted
11:44 am
its foreign intelligence surveillance. when we tried to cram that program, which i do that program to the terrorist surveillance program at then tried to cram it into the structure of the fisa which was technologically-based and base over the communicants were and what they had reasonable expectation of privacy, we faced challenges and we get one judge to buy into the next judge made harder. the collection was going down and wyndee and the team in the house and the senate was under pressure to do something. that so it ended up with the protect america act for six months and ultimately working with both sides of the outcome house and senate, got to consensus agreement. that consensus over time with the pressure and impetus of 9/11 has started to worry. as you saw with the reauthorization, increasing efforts are made to reclaim some of the space that was given to the executive branch and to the
11:45 am
national community back in 1979, was re-endorsed by congress in the fisa amendments act of 2007, 2008. and then we've seen increasing encroachments and limitations,, how you can use that data. in other context it's worth noting is the government encumbered once it is lawfully to collect the data to use it for any purpose. it is a a non-construct we putn place just this last january when we impose additional requirements upon the governments use of otherwise lawfully collected it. there may be good or bad reasons but it's unusual and its unique and it's born in part out of this decision we made back in 1979 to craft a framework that was based in technology and that was braced in location and that was based in things other than what lynn laid out or what glenn i think would take this new sort of construct of fisa. as we look forward and as we do try to take on this very bold
11:46 am
challenge, i think it's important as wyndee said the statute be entering and that it be flexible and that it recognizes the rapid innovation that takes place in the minority leader perhaps soon to be speakers own home district and state. things happen in a rapid manner and that the extent we try to cram our surveillance rules about that technology construct, we will create exactly the problem after 9/11 and exactly problems were noted with trying to fix the challenges in 702, what you think the reauthorization was right wing o do it or not, it's born out of the way we booked that statute back in 1979. i think that's the hard part and the enduring challenge that on a by person basis and across both chambers went to figure before going to do this thing and do it for real. >> do you concur with the previous speaker? >> do have a different perspective of what the best way
11:47 am
is to respond? >> so i concur to the extent that i think all of this is challenging in that respect i absolutely concur. but i want to emphasize what, how exciting and important i think it is glenn spent his talk talking about privacy. the conversation we all need to be having. i'm going to end up reiterating somebody said because it's so important that it bears repeating. as was said and as we all know in the united states, our rules with respect to law enforcement access of data are relatively robust. that really more robust than any other country around the world despite some room for improvement. this has, at the expense of a focus on consumer privacy and this is something the u.s. has largely ceded to the eu and to other countries that are increasingly mimicking the eu and the newly adopted general
11:48 am
data protection regulation. this is a this is a think a hug. we need to understand consumer privacy and law enforcement access as completely intertwined. intertwined. true as a pointed out private actors cannot put people into or lock them up. but consumer private collection has a huge effect on personal security and personal privacy. it affects obvious he had has a huge effect on dignity and it also affects ability to get loans, and good to get jobs. there's a huge the fact on individuals as a result of the ways in which private actors collect and use data about all of us. and important for those of us who are concerned about law enforcement access there is obviously an incredible inter-linkage between what private actors collect and what is available to the government for collection. i share the concern that the u.s. has ceded too much on
11:49 am
consumer privacy to other nations and to deal with this in a very sectoral approach rather having an overarching approach to consumer privacy. i think it's essential yes is part of the conversation and i think there's things the u.s. could say substantively that would be an improvement over some of the approaches that are being pushed forward. one of the interesting aspects about the general data protection regulation in the eu is it's very focus on this idea of putting the user intent of the driver's seat. user notification. those are really important but for all of us including me who access all kinds of apps and other services and just clicks without reading, that's most of us, we realize editing all of us realize that consent is not believe that meaningful when so much of everything we do is digitalized and interconnect and controlled by private actors. and even for those of us who
11:50 am
want to be in control, the want to track what's happens with our dad data vickerman is a full-time job. he did in on the people to know what's happening. there needs to be a focus on consumer privacy that focuses on rules governing corporate actors and as fiduciary responsible, responsibly as fiduciaries of all of our data and not just focusing on consumer consent and notification. that's one point. the other piece of it i want to return again to the relationship between law enforcement access and private collection. the case of carpenter was mentioned already and it's a really important case because it's a supreme court rightly recognizing that just because data is turned over to third parties does it mean that individuals lose or should be understood as losing reasonable expectation of privacy in data. but the case really leaves open as many questions if not more questions than it actually answer to get answers there is no question about historical
11:51 am
self storage location for seven days or more. and even some of the lines in the case itself about why that deserves protection but information about banking records of credit card records don't. they don't even make sense within the framework of the decision itself. and so it seems in addition to the conversation about fisa there's a real need and an opportunity for congress and others to engage in thinking through new regulations and new statutes to do with law enforcement access as well. and here i want to disagree a little bit with what jamil said which i think to date most of a focus with respect to long for the axis the focus exclusively on the point of collection. what are the rules that govern collection? there's been almost nothing said about rules with respect to how data is collected is used for everything from questions about how data should be secured, what
11:52 am
are the security requirements for stored data? how long can it be retained? who can access a? a? when can it be disseminate? we must to be deleted? these are all important issues and would we think about the possibility of law enforcement, accessing such vast quantities of information about all of us and having the capacity to store it potentially definitely these are questions that also need to be part of the conversation as well. >> ben, you are sort of the survivor of 702 debates but now you and the private sector, with a bit of a different perspective. i'm curious about your sense of how you understand how we should -- how we should be creating a policy framework from where you know sit, , where used to sit. >> from the private sector i favor lots of complex regulatory rules that require a lot of, a
11:53 am
lack of clarity and multifactor tests. so that i'm very kabbalah to make sure i'm clear on my position that just because i don't speak the u.s. government or anyone else. i can speak freely, right? >> speak for yourself. >> that's right. so to be more serious though from the perspective of the country and where we are now in the challenge that glenn has set forth a couple of points. first, no one is going to judge fisa in any significant way or government access to this information for national security purposes, absent an extremely persuasive case study that will explain why, first, senior members of the executive branch are going to spend their time waiting into what will inevitably be a very difficult debate.
11:54 am
second, absolutely congress will not address it and lest unlesse presented with an absolute pressing need for what we need to change it. we all know how difficult legislation is. once you get beyond the idea that we have these challenges that fisa was passed in 1978, that we are in a different type of environment for information where spread across the world,, where we're moving to a very concentrated cloud environment type of situation, where we're going to have artificial intelligence out there right now but algorithms come into play, what is the intelligence and national security reason for touching these statutes? and so the question then comes, what exactly are we missing? what is it we need to get? how is that harm our national
11:55 am
security? without very clear answers to those questions, we are not going to be moving forward on these points. so let me offer a few observations though on those points about where we may be headed. clearly if you're going to wade into some of the changing of the definitions and when you think to think the access and think through the factors in carpenter, a few examples. are we going to talk about the contents and the definition of content in the statutes that are out there right now? are we going to allow the government to touch information without court orders and specific cause, whether that's probable cause, whether that is relieving someone who is a foreign agent. very unclear it would be any appetite to do those things. i will just offer one observation where that may be had. i think possibilities. one, in the cybersecurity realm,
11:56 am
we're running a national empirical experiment. i know we need a public-private partnership insider. we all, every commission coagulant says we need a public-private partnership. not sure and tell you what that means, but what you have now is everyone knows is of course 90, 95% critical infrastructure, whatever percentage want to put in private hands. much of the defense of the system of course is up to the private sector, the government, phs, others are making heroic efforts to share information come to work with the private sector to try to fight off the many actors that are out there. but yet at the same time what you hear from the government of course is we have capabilities, authorities to do things that you can't do. we can talk about hack back, talk about offensive cyber of those types of things. but, of course, the government because of fights and other
11:57 am
things, it is very constrained in terms of its ability to access information directly often and rely on the voluntary cooperation of the private sector. we will run an empirical experiment. we've not had a cyber pearl harbor. everyone talks about a cyber pearl harbor. maybe ruby and just this low-grade cyber kind of situation. but but i would hope that the government is truly constrained for protecting us from true cyber threats, that are out there against a power grid or transportation grid, our financial sector, that the government would come forth and say we need to do these additional things to protect the sectors, and congress, here are the authorities the need to change. i have just seen that type of appetite. that either reflects a couple of things to either the government thinks it has the authority right now and the work that it's doing with the private sector is sufficient, that, in fact, the cyber threats are kind of in
11:58 am
this low, beating great and we will not have a cyber pearl harbor and if you would just reboot the machines and the power grid will just reboot and we will be fine. or third, in fact, we going to have a very severe attack, which like 9/11 is going to expose huge gaps in our intelligence capabilities and then we'll have two debate frankel as we usually do, too late. then we will wade into these kinds of things that people really will not waiting to accept in a time of crisis as genial outlined. >> thank you, ben. as you know our team has published a 600 page book, public-private relationships so i encourage all of you to think about as a stocking stuffer for christmas we are a big committee. so when -- [inaudible]
11:59 am
hearing this, next tuesday this may be more than just an academic question depending on what happens, is it true that ben and jamil, your view, congress cannot come to be able to think through what you possible legislation might be required in order to make sure that we don't respond to after the crisis but before the crisis? and have you had individuals coming to fail asking for certain changes in order for us to be able to be more leaning forward in the space of surveillance either from the intelligence committee or the law enforcement community? >> so after we got over this 702 reauthorization, which was complicated by the revelation in april 2017, that nsa had engaged
12:00 pm
in collection related to upstream collection under 702, there was kind of a pause to be quite frank, but the same time there was also kind of the uptick and the press. the press by the private sector, the press by our european counterparts, high-level european officials and by the executive branch to pass the cloud act. ..
12:01 pm
i think you said something like two times, basically, but we agree. this cloud act requires that there be agreements executed between the united states and perhaps individual nations with respect to exchange of data for law enforcement purposes, directly from companies outside of the traditional process. so while we agree that it is going to be time and labor intensive, after this huge lobbying push by all these different elements, congress passed it, did our part, now quite frankly, it's on the executive branch. so we'll be closely monitoring that implementation. but also, with respect to fisa, it's the gift that keeps on giving. the sunsets, the gift that keeps on giving. we have a whole host of different sunsets associated with different fisa provisions.
12:02 pm
while we had a sunset that happened in december of 2017 forcing us to look at 702, we now have another sunset coming up in 2019 which is going to force us to reopen sites, then we're going to look at section 215 which originally was called the library provision, then the business record provision, then that was modified by the usa freedom act prohibiting bulk collection, so we will be looking at that. we are going to be looking at the fisa provision that was passed in the wake of 9/11 allowing applications to be targeted against lone wolf suspected terrorists, for instance. also, we will be looking at fisa roving wiretaps, something the executive branch long before 9/11 had requested with respect to fisa but they didn't get the authority to do it until that
12:03 pm
watershed moment of 9/11. so we'll be looking at that. irrespective of what happens next year, there will be hearings and briefings and -- on fisa related matters. so those provide the opportunity to open up the aperture even further. but also, another point i wanted to make, while we were talking about the supreme court cases and legislation, i cannot underscore enough the importance of the role of the national institute of standards and technology, especially in the wake of the passage of the eu regulations and the california privacy laws and the other kind of privacy laws that are being passed around the world and here what's in the united states and local jurisdictions. as general counsel mentioned, this is within the security framework and they are working on a privacy framework.
12:04 pm
if you talk to people in silicon valley, i guess ben represents some of those guys, they crave some sort of standards to be set by the united states. i think this plays an important role, but too, they are looking at congress to perhaps help in that area. so we might be seeing some legislative initiative there as well. >> so in my view, no matter how highly we think of congress's efforts, some acts are too time and labor intensive to meet our needs in this age of developing technology. you raised the supreme court so in this case, in the concurrence, he set the standard of reasonable expectations of privacy. those of us who teach that area know it has both a subjective
12:05 pm
test and an objective test as to whether or not your expectation is reasonable. however, judge brennan used to say a majority, the most important concept is to turn five so is our expectation that's reasonable turning on this concept of five justices agreeing as to whether or not that expectation is reasonable and as we have seen in carpenter, they seem to be all over the map once the court actually confronts the classic third party doctrine as to whether or not they think it requires a subpoena, requires a warrant, or maybe just a letter. so as a panelist, is that something we should feel comfortable with, that's where the definition of privacy is turning on? >> well, you know, i think the answer is no.
12:06 pm
part of the challenge with the court today and more generally is that we see the court first setting the policy for the nation. we see courts assessing, is this policy reasonable, is there an objective reasonableness here, is there subjective reasonableness. this is a crazy thing for courts to be doing. that is the job of our legislature, the job of congress working with the executive branch, bicameralism. that is not the job of courts yet courts do it all the time. this is not the first time the courts stepped into this space, just has harlan's concurrence has been around for a long time. the reason it's so fraught is we don't expect nine individuals nominated by the president, confirmed by the senate to life terms, to be making policy. we look to congress and politically accountable leaders to be setting that policy. and the only role of the courts is to measure that decision as against the constitution to determine whether those laws remain lawful and pertinent
12:07 pm
under the constitution. this is why our debates on the supreme court and who's nominated and whether they should be confirmed are so fraught. it's because the courts set policy every day. so if judges, whether they are judges of the district courts or courts of appeals or supreme court, got back to doing their job which is interpreting the law, not writing it, including in the fourth amendment space, we would have a lot less space to argue about who's on the court or not. we could argue about who's getting elected to congress which is the right argument to be having, and who's leading congress and who the president is and whether they should remain in office or replaced at the four-year mark or anywhere else along the way. but that's the challenge we face today. that's why we have these huge debates and at the end of the day, where congress leaves things open and doesn't act or acts in a way that there's a lot of room for interpretation, courts are forced to do that job. we've gotten too much -- the challenge, this is true on the republican side, on the democratic side, we have gotten too used to when we don't like
12:08 pm
what we get out of congress or the president or them working together, we run to the courts for our answer, for them to solve our problems. as a population, as a community, we have gotten too used to that problem. that's exactly why we have this challenge today. it's not the supreme court's fault alone. it's our collective expectation if congress doesn't get it right or do its job fully, that somebody will fill in, whether the executive branch of the regulatory process or the courts with their action. we have to get out of that mode, start holding political leaders accountable and that's when these things will start falling away. >> i assume you concur with those comments? >> so actually, i concur with a lot of what jamil just said. i think the concept of reasonable expectation of privacy becomes increasingly circular and we have left it and this is not new in american criminal procedural history, the united states has always kind of
12:09 pm
backed off on statutory rules governing searches and seizures and left most of the decision making up to the courts, with a few minor exceptions. and as a result, we got relatively stable rules about searches of homes and searches of people and when to search and when to arrest. there's been a tectonic shift in the last generation with the rise of digital information and also the role of these third party private players. these require a whole host of really complicated and important policy decisions about what we as society think should be protected, how it should be protected, how should our data be used, what should corporations be able to do with it, what should the government be able to access, what are the limitations, and these are not decisions that we can just relegate to the courts. it's not appropriate.
12:10 pm
it's absolutely an area where i agree with jamil where congress can and should get involved, as challenging as it is, as complicated as it is, as long and laborious it is to get to some sort of place that even makes some subset of us feel good about the ultimate outcome, it's absolutely essential. these are such critically important issues. >> so i'm a bit amused because i remember when archibald cox used to teach constitutional law. he would begin with a dog-eared copy of de toqueville and say in america, all political questions have actually become legal issues. that is our tradition historically, that de toqueville saw it literally in the 19th century. so ben, one of the issues is where you sit, we understand why this is very difficult for congress to act and there's a sense of admiring the problem but two entities who moved out rather aggressively, one is
12:11 pm
california. california said we're not going to wait for the congress. we are going to pass our own understanding of what to do with privacy. and the europeans have filled the space and said we're going to have the gtbr. if america doesn't act, are these other actors going to fill the space as to defining what a privacy framework is and how we understand surveillance domestically or internationally given what these entities are going to say what's required for data retention or what can be looked at? what's your sense of what's going to happen? >> yes, there are answers, yes, they are moving out. we could have a separate panel discussing what the reasons are for that and that would be somewhat of a country by country analysis. you mentioned data localization which of course really is something that is a growing trend and we will see where that
12:12 pm
goes. but that is a trend where we have seen those types of laws and really could have an impact. unclear what the impact of these will be, whether national security and defense purposes will still continue to somewhat stand apart. i see bob litt here. he certainly i think bears the scars of discussions with europe and other places around where national security and defense collection falls into things like the gdpr, safety shield, other programs. of course, much of that deals with consumer collection and what consumer privacy, what consent means, the types of things jennifer outlined here i think in great detail. one issue that i thought was interesting is what is going to happen with lawful access to
12:13 pm
da data. clearly, the five i put out a very interesting statement, basically somewhat surprisingly taking the position that they want lawful access to data fairly aggressively, right, which is should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our country, we may pursue technological enforcement, legislative or other measures to achieve lawful access solutions. everyone here knows what i'm referring to, the u.s., the united kingdom, canada, australia, new zealand, that was a law enforcement statement, not an intelligence statement. so remains to be seen what will happen from an actual legislative perspective. while here in the united states right now there does not seem to be much appetite in terms of any changes in terms of lawful access, clearly the encryption
12:14 pm
debate has not gone away and whether or not the u.s. moves on that, what is going to happen internationally, certainly remains out there. >> what i would like to do, we have about a half an hour. you guys have been very patiently sitting there listening to the presentations. does anyone have any particular questions they would like to pose to the panel? i see someone over there. just wait for the microphone. i think we have three microphones. just state who you are and who you're with. >> [ inaudible ]. you obviously worked on not reauthorization, but authorization and now you advise private clients on national security matters. i'm curious what you would say to a client who asks you if title vii applies to data that's stored overseas. >> this is pro bono.
12:15 pm
>> are you asking whether 702 applies to data overseas? >> yes. >> so when i get a call at a baseball game from a client to interpret fisa or what applies overseas, i typically say i'm at the game and i've found that giving an off-the-cuff answer on something like that usually gets me in big trouble and hot water. so by its terms, of course, what 702 took off the table was to put the emphasis in a technology-neutral manner, the focus on the target of the surveillance so as you know, everyone in the audience probably knows of course the issue was we were providing essentially full fisa protection and fourth amendment protections to not u.s. persons located
12:16 pm
outside the united states. so what i would say as a general framework matter, of course, is that 702 took off the table essentially the location of the collection and put the focus on the target, is what i would say to them. then you get into the issues of from the private sector, your standard analysis in terms of possession, custody or control of the data if the government is asking you to turn over data from a u.s. perspective. so that's a long answer to your question, but you really do have to get into those issues in terms of both doing the analysis of what we would look at, if the government is asking for data, do you have possession, custody or control of the data, if it's overseas and you do not have
12:17 pm
possession, custody or control of it, then it's not clear that you would be able to comply with any lawful order. >> maybe you could have him do a short memo for us and we will put it with our materials. i know the n,sa would like to hear that answer. any other questions from the audience before i pose other questions? there we go. great. thank you. >> thank you. is this on? can you hear me? can you hear me? yeah, there we go. my question has to do with -- >> can you say who you are? >> oh. my name is carmen carter. i'm a lawyer at the coast guard. u.s. coast guard, go! my question has to do with the subjective reasonable expectation of privacy
12:18 pm
considering our digital age now and it certainly is much lower than it was in justice harlan's day. would you say the subjective reasonable expectation of privacy is almost de minimis and isn't that what we're talking about? let me put it this way. what we're talking about now is an objective reasonable expectation of privacy. so that's my question. what do you think about that? >> let me just add to that as a friendly amendment. so one of the issues that come up in my world is that if you don't encrypt your message, you are sort of potentially signaling your lack of expectation of your message being private. but as you know, the phrase used by glenn was ubiquitous encryption. let me ask the panel. if i subjectively start encrypting everything and i
12:19 pm
think there's a new piece i just saw that there's a new app that's allowing you to also encrypt your meta data which really undermines the economic model of most social media companies, if we start saying my subjective expectation is not only do i want the contents encrypted but i also want my data encrypted, is that a signal to the marketplace of our subjectivity and based on what ben read, that topic was helping to focus on encryption that was addressed, where do we go with that aspect? that i think really puts a sharp point to your question. so let me go down the row and see what the panel is saying.
12:20 pm
>> so look, obviously i think that it's pretty clear, if you talk to my students at george mason, they don't expect a tremendous amount of privacy in their e-mail. they understand that when they log into g-mail, that google is reading their e-mails and pushing them ads in part based on those e-mails. i think they have a different expectation of privacy when it comes to the government and that there is this disconnect in the united states between what we expect of private companies and what we expect of the government, and that is flipped in europe. we see fisa in the united states and gdpr in europe. europe has very limited protection when it comes to surveillance by the europe, extensive protection when it comes to surveillance by private parties and the rule is generally flipped in the united states. that being said, i think you are exactly right that even though we are putting more and more data into these systems and more and more personal data, more and more private data, and our communications are becoming more and more rapid and more and more
12:21 pm
critical, that we expect less privacy around those, except we do expect privacy, we take measures to protect that privacy and encorruptiryption and when t take measures, it may be reasonable to assume we're not that concerned. whether that's true or not is a hard question. whether that's in fact an accurate description of how individuals feel, this is part of why this subjective texture of the concurrence makes little sense. if you remember, in cass it was about did he close the door behind him in the phone booth. he went into public phone booth, trying to evade surveillance, no, he was a bookie. did he close the door, was that enough for subjective expectation of privacy. if i know google is reading my e-mails but don't expect nsa to be reading them, do i demonstrate subjective expectation of privacy, if i know my e-mails are encrypted or google encrypts them, they could get them from google if they had an order. these are complicated questions that i think at the end of the day don't really matter because
12:22 pm
at the end of what matters is what is it that we expect to have protected and how can we get our elected leaders to protect it. i think jen is exactly right. we need to stop worrying about what do the courts think and what do these nine old, i guess a little bit younger people on the supreme court, think about, you know, look, when you saw the debate in congress about twitter and the russian bots and the like, these are members of congress who are not that old compared relatively speaking to the supreme court, yet they face challenges dealing with these issues. it's hard to imagine how you can expect congress or the courts to deal effectively with things like encryption and things like cybersecurity. it bears saying when it comes, talking about cybersecurity, there are a lot of cybercrime folks in the room, in no other context do we expect private companies to defend themselves against nation state actors. we don't expect target or walmart to have surface-to-air
12:23 pm
missiles on the roof to protect against russia's bombers. yet today, in cyberspace, we expect target, walmart, exxon, to defend against everybody all the way through the criminal actor to a nation state. it makes no sense. yet, congress isn't prepared to act. the national security community says we're ready to defend the nation, doesn't have the authority, the resources or the rules of engagement to do that, yet if and when we have that so-called cyber pearl harbor which i'm skeptical will happen, you can be sure the american people would look at the government and say what were they doing? >> you may have to define script kitty. >> well, i mean. >> so i think it's an important question about what is the test, this subjective expectation of privacy and what does it mean in a world where so much of what we do is shared, because it's shared with a third party
12:24 pm
provider that has access to it absent the use of increasingly sophisticated encryption. i think it highlights the problem for the test itself, particularly if we think about how we, i think most of us understand privacy, we understand it in a relational context. the supreme court recognizes this in carpenter, when it started to kind of walk back from this broad application of the third party doctrine just because we share information with one person or one corporation doesn't necessarily mean that we subjectively intended to or wanted to or thought that that information should be shared with everybody. and up until carpenter, that wasn't really something that the supreme court grappled with. now we are seeing the supreme court grapple with it but again, back to the kind of -- what people have been saying, this is not something we should leave up to the courts. it's absolutely something policy makers and us as the public need to engage in in order to push our policy makers to make the right choices or at least engage on these issues.
12:25 pm
>> what i would say is some of this debate highlights what i was getting from this panel, i was thinking it is going to be hard to be a national security lawyer in this uncertain context and just where we go from carpenter, and whether or not is that just considered kind of a one-off special case, then we'll go along with the third party doctrine and other things, so whatever collection, whatever capabilities are out there, all of that will stand, future proposals will continue to be analyzed where they were analyzed before, because for however difficult the situation was, we had some fairly stable lines. we had the third party doctrine, so if you were asked about some type of capability, if there was third party doctrine, you knew u go to the communications act as they did in carpenter, or maybe you didn't fall under the act so there's a whole body of national security law, much of which may
12:26 pm
or may not be public. i don't know exactly where it's going to go necessarily under carpenter. so we're up here talking about congress really needs to grapple with this. justice kennedy says and points out in carpenter, hey, court, you know, we always point to congress saying it's really hard, we shouldn't be the ones necessarily determining these expectations of privacy and justice kennedy does point out in carpenter yeah, he attaches 2703d to his opinion and says congress said here's the type of showing that needs to be made, here is the statutory framework which was obeyed in carpenter and the court said yeah, we don't agree because we consider the intimacy, comprehensiveness, expense, and voluntariness of the information and this went too far, but conventional security techniques don't go too far, like security cameras and
12:27 pm
other collection methods. so as a national security lawyer, i think it's difficult when you're faced with proposals from leadership who, as technology changes, i think it's just going to be even -- it's made the job of the national security lawyer in the government even that much harder when, if we more and more unhinge ourselves from kind of i think these doctrines and frameworks that are out there, justice kennedy puts it plainly that we put the wall perhaps on a new unstable foundation. it just remains to be seen where carpenter goes, are we going to be in this world where lawyers are now judging objective versus reasonable expectation, judging the factors i laid out, where before, we had some guideposts. yes, we had to make judgments and those type of things and multi-factor tests but we had third party doctrine, we had the exceptions the court has laid out.
12:28 pm
is that all that now a little more of a jump ball or is carpenter this clearly just went too far and is a one-off? how this applies in the bulk collection world, how this will apply to third party records, financial records, all those types of issues, it will be very interesting some day to see how that is applied in the intelligence community. of course, generally, all of that is unfortunately judged in hindsight after something bad happens and everyone says oh, my gosh, how could you apply it that way. but i will say i don't envy your jobs as these proposals come, as your agencies grapple undoubtedly with changing technology and trying to deal with the statutes as they stand. >> thankfully, jamie in your friday afternoon end of presentation, you will be able to answer that question for the national security law whan tand the ethical issues are. there's a question for you. i know you will have the appropriate answer. we look forward to it.
12:29 pm
the issue we have is based on your question, how many people in this room either use signal or wicker in their communications? two people. how many people in this room know when they are communicating on their private computers, not their government computers, that their communications are clearly encrypted? raise your hand. so there's your answer. you have some of the most sophisticated attorneys in the country and their expectation and their private communications at home apparently is not encrypting their messages. i think it's a chilling moment for the room. we know the chinese love reading them. any other questions? yes, ma'am.
12:30 pm
>> hi. jamie pfeiffer. to sort of drill down -- >> you did say who you are, right? >> jamie pfeiffer. ... separate privacy advocate and wondering if you thought that was a good development, if it's, just further on this team i guess. >> in the wake of 9/11 the passage of the intelligence reform and terrorism act. we mandated civil liberties officers.
12:31 pm
i think i can be a good thing if it works properly. but they have to be kind of part of the operational and legal infrastructure of the entity. i think they can play an important role just as the privacy and civil liberties oversight board here i think that they actually played the really important role as we looked at our fisa architecture, our surveillance architecture. so yes, yes. but isn't it working right? is it working as effectively as a can't and should be at all departments and agencies? you tell us. because i know that congress would probably like us some feedback with respect to that. >> we have one more question. >> this is more of a comment
12:32 pm
disguised as the question. >> you might say who you are. >> i will but i just wanted to alert you so that i be permitted to continue to stand. [laughing] >> that's what we have marines in the room. >> this history. i'm a very peaceful person, as you know. richard marshall. i'm a very dear friend of harvey and an admirer of his. i -- >> do you have a question? [laughing] >> you mentioned wicker. rigorous great. i do a lot of international work in the middle east and in europe. i prefer trust call and i use that both for text and for voice or as wicker is limited now to text only. >> if you assert with an appropriate warrant, would you believe you have to get that information up? >> i would check with my lawyer. [laughing] >> good answer. more questions?
12:33 pm
>> u.s. navy. i'd be curious to hear a pro, con perspective on why the ship and notion of a right to privacy regional expectation of privacy as the communications about me by other people. how does that extend what other people may be set about me? >> are you particularly concerned about that? [laughing] >> not personally. >> under current law you don't, you have no rights with respect. so the current doctrine is that you have no fourth amendment interest and is no statutory right either to control what other people say about you. you have no fourth amendment interest or statutory interest if the government collects information, communications by another person that also reveals
12:34 pm
information about you or talks about you or include an attachment that you had previously sent. that is a recent trends what the current doctrine, that's been current and long-standing doctrine under u.s. law. >> a question over here. >> my name is michael geoffroy. i'm here as as a private citiz. either question, given comments about, no other areas to expect private industries -- [inaudible] the fact roughly 85-95% for critical infrastructure 5% of our critical infrastructure is in private hands, how do you square the disconnect between the privacy regimes that are popping up like gdpr with the private sectors responsibility share information to protect itself, whether it be in the area of sharing a cybersecurity threat or sharing financial information, anti-money-laundering speedy you can see the rest of this on my at our website c-sor


info Stream Only

Uploaded by TV Archive on