Skip to main content

tv   American Bar Association Hosts Security Law Conference - Surveillance  CSPAN  November 19, 2018 2:34pm-4:10pm EST

2:34 pm
c-span was created as a public service by america's cable television companies. we continue to bring unfiltered coverage of congress, the white house and public policy events in washington dc and around the country. c-span has brought to you by your cable or satellite provider. the national security agency is the general counsel and speaks at the american bar association national security conference. after his remarks they have the challenges facing the u.s. >> am m and have a very short introduction because i think everybody in the community knows them. i think the commitment to public service is leaving in
2:35 pm
private practice to come and first work. it's the type of service that it is famous for. it works with all ins and all parties. provides professional advice. thank you very much harvey for your introduction. it's just turned terrific to be here to you today. i see a lot of friends and colleagues in the national security sector and its great on a personal level for me to see some of you folks for my own agency. thank you this is a terrific conference at a great a great day and a half in front of
2:36 pm
us. and i would like to express my gratitude to the standing committee. i very much appreciate that. i was concerned about my speech and how it would be received today. they are of a size that can be thrown. i just went to say how much i enjoy being here. starting my remarks today with a short quotation with a hearing before the u.s. senate giving the fact that we are at a legal conference. they are changing our lives faster than any other invention in our history. our society is becoming increasingly dependent on technologies which are changing in amazing rate. they have the fact that information systems are being connected together around the world without regard to geographic boundaries.
2:37 pm
among them of vulnerabilities which represent severe security claws. with the public safety and personal privacy. more than 20 years ago. while before the invention of the iphone were youtube and just at the dawn of the e-mail. the hearing actually the first ever congressional hearing on cyber security features some hackers who gave the senators a clear and simple message. our communities, -- computers are dangerously insecure. it would take decades for our nation to have the cyber threat. it is not that surprising that they have testified and it was a testimony that was not appreciated for the dire warning that it represented.
2:38 pm
we can now realize that perhaps as the internet was taking off we missed an opportunity to chart the different course as to the cyber security. we stand in an analogous moment in history if 20 years ago represented a tipping point of sorts. then we are now at or even past the comparable broader tipping point as to the overall digital revolution. as commentator recently put it. the world sits at the dawn of a new age. and technological advances are set to make that. when we, or our robot descendents write the history of this revolution. so maybe it's no surprise that we are missing this tipping point to.
2:39 pm
in the very concepts of profound change that we hear from technologists. our mind numbing. are you missing another opportunity here. challenging as though it may be. we can examine and prepare for some aspects of this. that revolution well had one particular consequence that will impact everyone of us personal and far-reaching ways. one has special meaning for us as lawyers. i'm speaking of the effect on her privacy. we continue to forge ahead in the adoption of new technologies we simply had not confronted as a u.s. society what privacy means in the digital age. if you look at the advent of other technologies from the automobile to electricity regulations lagged but we did not let the technology get too far out before our laws caught up.
2:40 pm
but not so today. has there ever been a time where a technological change has been this rapid it, this, this ubiquitous in this impactful. it's no wonder that our norms and legal structures especially in the area of privacy have failed to keep pace. is worth examining those gaps. given the vantage point. i will focus on how the federal government affects the privacy rights. i will move on to implication while what are responsibilities are in this area. at least relative to the federal government. it is a notion that has as been rooted in the fourth
2:41 pm
amendment. perhaps that comes as no surprise given how our country is said formed. it has been the scope of government involvement in our society. you may recall that the text of the fourth amendment makes no mention of the word privacy and nowhere else in the constitution or the bill of rights as a general right to privacy expressed. this is understandable that when you consider that state of technology at the time and the fact that the fourth amendment grew out of the experiences of the colonist who resented the ground use. to force entry into their homes. i didn't mention privacy then because protecting one's physical property was sufficient. it also explains why if you had reviewed the first 100 years worth of the supreme court's many are many occasions you would've found cases focusing on physical intrusion and property rights.
2:42 pm
nor was there a decision when the technology later developed that electronic surveillance qualified as a search or seizure for that amendment. it appears in the writings of justice lewis bring bart. it is famous and farsighted in the dissent in the 1920 the supreme court's case. it has proposed to separate the content. you would have to wait until 1967 for the supreme court in cats versus united states to adopt that contact writing for the majority justice and the
2:43 pm
test for identifying a reasonable expectation of privacy. this test was then further defined throughout the 1970s. where they held that there is no reasonable explanation of privacy from bank records to telephone numbers. given to others such as bank employees or the telephone company. the fourth amendment continue to develop in this matter. with them largely focusing on the type of surveillance taking place based on the fact of each particular case to determine whether a protected privacy interest was implicated. i might add that almost nowhere in the case law is the real focus on the actual content of the communication. as if we needed any further evidence of this very case specific approach from the development of our privacy the supreme court just a few months ago gave us what the court itself branded as a narrow decision. i am whether the at fourth
2:44 pm
fourth amendment could be violated. it violated a legitimate expectation of privacy. in coming to that conclusion and apart from disconnecting a phone from a network entirely. then the bank record or phone numbers. and in no meaningful sentence. that they voluntarily assumed the risk of turning over what the court called a comprehensive dossier of the physical movements. as we stand here today it's
2:45 pm
too early to be able to discern the full ramifications but one point is clear the carpenter case serves to highlight one of the major challenges in applying our fourth amendment in this digital age. but the very nature which does not allow for advisory opinions our courts are necessarily confined to the base on the specific facts where the or the technologies with which they are presented. these decisions are therefore backward looking. it feels like the wrong approach when addressing rapidly developing technology. the tort law principles can be extended to facts beyond the case at issue because the concepts can be intuitively applied to a wide range of facts in situations. not so where the very legal principle is rooted in. i am not in any way been critical of our judiciary.
2:46 pm
i'm simply pointing out that the limitations and imitations of our scheme can result in a patchwork quilt of legal precedent that takes into account the particular technology in each case which in turn leads to decisions that are sometimes hard to reconcile or distinguishable only by factors that seem to be his significance. indeed the very fact that the nine justices generated five distinct opinions makes clear that even the best legal minds are divided over the right approach. and this was in a relatively straightforward case. with fairly well-established technology where there already was ample supreme court cases. in its use of technology to track a person's physical movements. our experience tells us that if we want to be forward-looking to embrace future technologies the legislative branch also has an role to play which i would
2:47 pm
like to turn to now. they had established the outer bounds. within those amendments it has been congress that has enacted strong private seat protection but only in specific areas. most significantly where congress has chosen to act it has also been to address specific problems about which there was a widespread consensus. these issues are complex to begin with and we all know that political court can be difficult to achieve and less in many cases given the pace of technology we been left with niger -- either aging or no laws at all. they try to address new technology back in the 1980s. at the time, the law focused mostly on privacy protections related to telephone calls and it was said to be hopelessly out of date. particular concern for congress at the time. it was a supreme court's decision in the increasing adoption of both e-mail and computerized robert --
2:48 pm
recordkeeping programs. it had been conveyed to a third-party this suggested under prevailing doctrine that has no constitutional protection. congress passed the electronics communications act. which establish a new framework that provided a very requirements for law enforcement to compel the disclosure of the content of communications. for those communications that have been in storage for less than 180 days the search warrant based on probable cause is required. for those of you had been in storage over 180 days. only a court order showing relevance is required. the rationale for this distinction was a state of technology at the time. most electronic communication systems including the e-mail services did not retain electronic records for longer than six months. as a result they concluded that to the extent that the record is kept beyond that point it's closer to a regular
2:49 pm
business maintained by a third party and therefore deserving of a different standard of protection. regardless of how you feel about where congress drew this line there can be no debate that due to subsequent developments in technology the environment in which this framework was adopted differs from today. we now conduct most of our affairs online. and as many had pointed out. the fact that we choose to keep that longer. to suggest that they are deserving of more protection not less. it also raises a larger question of where the this regime so make sense given these new realities. in the decades of following in this. they have considered a but not approved legislative updates to the statue although it did pass the cloud act earlier this year to address a different related issue revolving with the law enforcement active as it mentioned earlier though.
2:50 pm
much like other times when they had acted in the privacy arena. there's only a very specific problem in which there was widespread consensus. in my view, no matter how highly we think of congress efforts to handcrafted a solutions like the cloud act as a political matter simply to time and labor intensive to meet our needs in this age of rapidly developing technology. the situation is not all that different in the privacy. has many of you are well familiar to provide the executive branch with a court authorized process. with the foreign powers or their agents. operating inside the united states.
2:51 pm
it remains basically unchanged even as technology has gone ahead. and part of a pfizer amendment act. it is based on the original definition. it hinges on part with the type of collection.
2:52 pm
it is becoming in the global dispersion of computer servers in data storage. i mentioned that some of the deficiencies today not because i'm calling for any particular set of changes or improvements rather i believe they are implementing about how the changes can drive the need to update statutory framework and they demonstrate the shortcomings of how we had attempted to address these issues in the past. these shortcomings become even more noticeable when you consider how our privacy laws pay -- regulate the private sector. the notions of privacy here in america are mostly focused on curtailing government by contrast, we have largely led market forces which is to say no regulation establish whatever individual rights we may have in this area relative
2:53 pm
to corporations and other businesses. true, the private sectors collection and use of our personal data are in some areas subject to a state statute. with that financial and health insulation. they yes -- the rest are just broad consumer protections. immediately they are benefits to this approach. it reduces the risk. on the other hand, state rather than national level solutions raise the specter. it is regulated in europe. the concept of privacy is the dignity of the person and very much extends to private-sector activity.
2:54 pm
much stricter and more comprehensive laws about data protection. they have a new set of wife -- wide ranging organizations. and companies around the globe. europe is far from being alone. according to one estimate some 40 other countries had pending legislation or initiatives in the works. this is not to say that there had not been attempts here in the u.s. to strengthen and standardize our laws.
2:55 pm
before the u.s. senate and the federal trade commission. in recent months. the national institute for standards and technology has begun looking at the issue with the goal of issuing a privacy framework in the same as they have wildly heralded. no matter how you view these efforts. on the facebook issue. as a left illustrative of the issue. with them pushing ever more aggressive laws.
2:56 pm
if we want to play a role in shaping those policies. we need new comprehensive requirements. or perhaps we don't need any government regulations. they may be sufficient. voluntary industry regulated approaches. i'm not here to advocate any of these or potential approaches but rather my point is that we must have a societal dialogue about how we would want to confront the problem. even more broadly though. we need to be asking ourselves more fundamental question
2:57 pm
about what privacy really means to us in the u.s. as it relates to our interactions. with the private sector. on our current legal framework. the same piece of it could be disseminated used or sold by a private company if they reflected on whether that is actually the best approach. when we consider the forthcoming digital revolution. the confluence of the internet of things. knowing that there is a ways the possibility. looking for a terrorist e-mail even though it is all done without human intervention.
2:58 pm
my private e-mail provider already reads all of my e-mails looking for spam. to be sure, the social media company can put you on trial or in jail but considering how much information these companies actually know about you everything from the mundane to some of your most personal intimate and potentially even unconscious interest in habits this is fascinating that we had reached a point where arguably in and how we pause to account for that have we reached a point where we have come to accept the status quo the concept of privacy is so muddled. and so influx that we are not quite sure anymore what it is or how much of it we really want. i would submit that a natural and appropriate place would be
2:59 pm
that. in lieu of evaluating the reasonable expectation of privacy as a threshold. by means of a functional approach. this would place the mocha forecasts. of the sensitivity and how it is protected including considering whether one truly shares the information with any third parties. the means by which it was collected. or the location of its collection. it might also result in stricter controls on information and lesser protection for information such as the time, date and duration of a telephone conversation. and just to be clear i'm not seeking any privacy to facilitate that. i think approach to this issue in this topic could strengthen
3:00 pm
our privacy in many respects. i would also caution and having these sorts of discussions we must avoid the temptation to view things in absolutes and label ideas as anti- privacy anti- security or even unconstitutional just because we think they should be. this would be important when addressing politically and emotionally charged topics like encryption which undoubtedly will continue to play a significant part of the privacy conversation in the years to come. rather than simply asserting that any of those legal, technical or otherwise is inherently bad and then off the table for discussion we need to be intellectually honest about what interest we are trained to protect, what harms may generally occur and how we should balance these against other potential benefits such as increased safety or convenience.
3:01 pm
.. .. lawyers have been the leaders in our society helping people wrestle with these issues and forge a consensus on what is best for our country. in the national security route we are in the vanguard thing about busy in this digital age and that is why every response ability to use her knowledge and skills to help lead a constructive dialogue without better shaping our legal framework in the years to come. let's not miss this opportunity and let's not let this election point pass us by. i hope to my remarks today i contributed in a small part to the process and i thank you for your attention this afternoon.
3:02 pm
[applause] >> thank you. i think you've helped set the table for next panel coming up. as a token of our appreciation i like to give you our coin which from a military perspective has magical qualities. we also like to give you although i know you have reading in your current job the ach cyber security of the condition [inaudible] is having trouble sleeping this might be the ticket. [laughter] [applause] >> everyone stay in place will have the panelists join us in. please come up.
3:03 pm
>> if i can get your attentio attention -- please, if i could get your attention. please take a break but we will do this a little differently. we set the table for this issue and ironically enough our panel
3:04 pm
is important -- [inaudible] what we will do is again i will dispense with introduction and the playbook and i think these are pretty well-known individuals in the community and what we will do is go down the road and have panelists respond to challenges in the paper he just gave and to a cogent analysis of being intellectually honest as we can start the dialogue that invited us to do. coming from the congress how do you see the issues that glenn has laid down and your initial reaction? >> he put a lot on the table [inaudible] glenn noted that he wants to see more of analysis on
3:05 pm
the information that is collected and intimacy and sensitivity and how it shared a protected and he wants the deemphasis and the type of medication means the location and other things that are statutory framework is built around especially to fight the statutory framework. i do believe he's such a beautiful ideal and i think it will be challenging to achieve that. again, even when we were working on section zero two to fight the authorization of it which happened in january of this year when we were doing the requirement with the content of the indications what categories and information for which a warrant would be required it was a difficult to enumerate all
3:06 pm
this individual areas. when he says he wants to see more of an emphasis on the type of information collected statutorily that is a challenge because we always worry about something slipping through the cracks and that's important. with respect to pfizer i agree with glenn that the statutory framework of fisa which was passed in 1978 has been incredibly resilient and it wasn't until after the revelation of the president para- surveillance program that we really did the most, i think, the most significant change to pfizer which was a lousy visor to cover those foreign medications. when we do that i think we were very focused on injuring that
3:07 pm
never again could surveillance happen outside of title iii and outside of fisa. it was critical. also, in noting that we authorized by the sheer when we talked about the procedures that would be set up for querying information that all the things be done consistent with the fourth amendment. nonetheless, developing new statutory frameworks and for the challenges ahead we want our statutory framework to endure in the same way that fisa has adored and with technology we have to be mindful of that as we move forward. it is challenging but can be done. >> did you know we have two efforts at the conference -- [inaudible] we are happy to have your what is your reaction to
3:08 pm
the challenges -- >> i think wendy is right which is glenn has laid out a strong challenge in interesting challenge with great concepts. it will be difficult to do but doesn't mean we should not attempt it doesn't mean the things are impossible but it will be to be sure a challenge and these are things if you for one of the things that makes it hard is we've only dealt with by the in times of essentially crisis by that was born out of the crisis of the [inaudible] commissions and the revelations of the nixon efforts. the amendment to pfizer 702, the major change in pfizer was born out of crisis that came from 911 and the president response to it and what we cannot talk about with a win program and the decin
3:09 pm
to bring that program under fisa court and at the beginning of 2007 and the challenge the government -based try to cram this program and technological changes between 1939 and 2001 into that technologically based very carefully crafted framework of the definitions in the statutes. a set of definitions designed intentionally by congress to carve out a significant amount of the federal government known surveillance at the time. congress that will get back to it but when they did that they knew what they were doing and carving out the bulk of the way the federal government conducted the surveillance. when we try to cram that program and do it through the surveillance program and try to cram it into the technologically based where the communicants were and whether the results to
3:10 pm
privacy with a significant challenge got one judge to buy into it the next judge hit it harder and increasing their environment and wendy and the team at the house and senate was under pressure to do something. that's how we ended up with the protect america act for six months and working with both sides of the aisle with house and senate got to a consensus and that consensus over time with the pressure and the impetus of 911 ready-to-wear and as we saw with reauthorization increasing efforts to be made to reclaim the space that was given to the executive branch back in 1929 based on endorsed by congress and the fisa act in 2007 and then we have seen increasing encroachment and limitations. and no other context is it worth noting that the government encumbered once it's lawfully
3:11 pm
collected data to utilize it for any purpose. it's a non- concert we now put in place since must generate where we impose additional requirements upon the government used otherwise lawfully collected data. there may be good or bad reasons to do that but it is unusual and unique important part out of the decision we made back in 1979 to craft a framework based in technology and braced in location and paste and other things that what glenn laid out for glenn would take this new construct of fisa. as we look forward and try to take on this bold challenge it is important to notice that statue be enduring and taxable and recognize the innovation that takes place in the minority leader or speaker on home district and homestay. to innovate rapidly and things
3:12 pm
happen in the rapid member and to the extent we cram [inaudible] around the construct we will create darkly the problem in 911 in exactly the causes we deal with to fix the challenges in 702 whether you think the reauthorization was the right way to do it or not and it's born out of the wait list both the statute back in my night. that's the hard part on a bipartisan basis in both chambers to figure out how to do the thing and if we do it for real. >> you can her with the previous speaker? >> or a different perspective of what the best way is to respond to client? >> i concur to the extent i think all this is challenging. i absolutely concur. but i want to emphasize how
3:13 pm
exciting and important it is that glenn spent his talk talking about privacy. i will reiterate what some of what he said because in sport and that it bears repeating. what is said as you know in the united states or rules with respect to lot for smit access are robust and more robust than any other country around our world despite improvement. this has come at the expense of a focus on consumer privacy and this is something the us is largely seated to the eu and other countries increasingly mimicking the eu and newly adopted general protection. this is a huge mistake that we need to understand consumer privacy and law-enforcement access as completely intertwin intertwined. as was pointed out private actors cannot put people in jail or lock them up but consumer
3:14 pm
private collections had personal security and personal privacy and it affects has a huge effect on dignity but affects housing and ability to get loans and affects ability to get jobs. a huge effect on individuals as a result of the ways in which private actors correct and use data about all of us. importantly, for those of us concerned about punishment access there's an incredible inter- linkage between private actors and what the government or what's available for the government for collection. i share the concern that the us has spoken or seated too much concessions on consumer privacy to other nations and deal with it in a secretarial approach rather than an overarching approach. i think it's essential that the us is part of the conversation
3:15 pm
and things that the us could say substantively that would be an improvement on the approaches that are being pushed for. one of the [inaudible] is focused on this idea of putting the user in consent and notification. this is all really important but for all of us including me who accesses all kinds of apps and services and clicks without reading that is most of us. we realize all of us realize consents is not really valuable when so much of everything we do digitalized and interconnected and even for those who want to be in control and want to trap what happens with our data it really is a full-time job plus. you need an army of people to know is having. there needs to be a focus on consumer privacy that focuses on rules governing corporate actors and fiduciary responsibly of all
3:16 pm
our data and not just focusing on consumer consent and notification. that's one point. the other piece of it i want to return again to this relationship between long for smit access and private collections. the case of carpenter was mentioned already and it's an important case because it the supreme court rightly organize the just because data turned over to third parties doesn't mean individuals lose or should be understood as losing a reasonable expedition privacy in that data. the case really needs open as many questions, if not more questions, then it answers. it answers the narrow question about historical information for seven days or more. even the lines in the case of self why that deserves protection banking records and credit card records don't even make sense within the framework of the decision itself.
3:17 pm
it seems that in addition to the conversation about fisa there's a real need an opportunity for congress and others to engage in thinking through new regulations and new statutes to deal with on access as well. here i want to disagree with what was said is that i think to date most of our focus with respect to lot with an access has been focused exclusively on the point of collection and there's been almost always said with respect to how data is collected and used. everything from questions about how data should be secured and what are the security requirements for store data who can access it and when can it be disseminated and what must it be deleted. these are critically important issues when we think about the possibility of law enforcement accessing such vast quantities of information about all of us
3:18 pm
and having the capacity to store it potentially is definitely these are questions that need to be part of the conversation as well. >> you are a survivor of 702 debates but now you're in the private sector and bit of a different perspective. i'm curious if your sense -- you understand how it's creating how we should be creating a policy framework from where you asset where you used to set. >> from the private sector i favor lots of complex regulatory rules that require a lot of lack of clarity in multifactor tests. i'm very -- i want to make sure i'm clear on my position just be clear i don't speak for the us government or anyone else. i can speak freely. >> speak for yourself. [laughter] >> site.
3:19 pm
to be more serious from the perspective of the country and where we are right now and the challenge that glenn has set forth a couple of points. first, no one is going to touch fisa in any significant way or government access to this information for security purposes absent an extremely persuasive case study that will explain why first, senior members of the greater the branch are going to spend their time waiting into what will be inevitably a difficult debate. second, absolutely congress will not address it unless they are presented with an absolute pressing need for why we need to change it and we all know how difficult legislation is and once you get beyond the idea that we have these challenges that fisa was passed in 1978
3:20 pm
there were in a different type of environment for information were it to spread across the world and moving to a very concentrated cloud department type of situation. we will have artificial intelligence out there and algorithms and coming into play and what is the intelligence national security reason for touching the statutes and so the question then comes what exactly are we missing and what is it we need to get and how is that harming our national security and without very clear answers to those questions we are not going to be moving forward on these points. and so, let me offer a few observations on those points about where we may be headed. clearly, if you will wade into
3:21 pm
the changing the definition when you think through access and thank you the factors are we going to talk about the contents of the definition of content in the statute that are out there right now. are we knowing to allow the government to judge information without court orders and specific cause whether that is probable cause or bleeding someone an agent of foreign person and very unclear that there will be appetite to those things. one final observation there may be two possibilities were that had it. one in the cyber security realm we are running international empirical experiment and i know we need a public-private partnership in cyber and we all every commission the results we need a public private partnership and not sure entirely what that means but
3:22 pm
what you have right now is everyone knows is 95% critical infrastructure or whatever percentage want to put in private hands and much of the defense of the systems is up for the private sector in dhs and others are making heroic efforts to share information to work with the private sector to fight off the many actors that are out there. at the same time what you hear from the government is we have capabilities, authorities to do things that you can do and we can talk about offense of fiber and those type of things. of course, the government because of fisa and other things is very constrained determined to access information and relies on voluntary cooperation of the private sector. everyone talks about a cyber pearl harbor and maybe will be
3:23 pm
in this low-grade cyber kind of situation but i would hope that if the government is truly constrained from protecting us from two cyber threats that are out there against our power grid or transmission grid or financial sector but the government would come forth and say we need to do these additional things to protect the sectors and congress, here are the authorities that need to change. i'm just not seeing that appetite and that reflects a couple of things. either government things without the authority and that is the work it would be sufficient and that in fact, cyber threats are in the slope meeting grade we will not have a pearl harbor and everyone will have regimes of the power grid will reboot and it will be fine or third, in fact we are going to have a very severe attack which, like 911, will expose huge gaps in our
3:24 pm
intelligence capability and have to debate frankly as we usually do too late and wade into these kinds of things that people really will not waiting to accept in a time of crisis as camille outlined. >> and you. as you know our committee has published a 600 page book on public-private relationships which i encourage you all to think about as a stocking stuffers for christmas. we lay out all the models -- well, we are a big committee s so -- when you are hearing this next tuesday this may be more than an act of question depending on what happens in is it true that [inaudible] congress is not going to be able to think through what the
3:25 pm
possible legislation might be required in order to make sure that we don't respond till after the crisis but before the crisis and have you had individuals come to the hill asking for certain changes in order for us to be able to be more leaning forward in the space of surveillance either from the intelligence community or the community. >> so, after we got over this 702 reauthorization which was collocated by the revelation in april 2017 that nsa had engaged in a collection related to upstream collection under 702 and there was a pause to be quite right but at the same time there was also the uptick in
3:26 pm
press. by the private sector and press by european counterparts high-level european officials and bite the executive branch to pass the kodak. and so we were then forced to look at that so in congress and irrespective what happened i believe members of congress will be looking at implementation of the fisa amendment reauthorization act of 2018 and also be looking at the cloud act or a closely and glenn mentioned speaking about contact that he thought that it was a waste of time and said something like two time intensive and basically but we agree. it requires that there be agreements executed between the united states and perhaps individual nations with respect to exchange of data for law
3:27 pm
enforcement purposes directly from companies. outside of the traditional process. and so while we agreed that it is going to be time and labor intensive after the huge lobbying push from these different elements congress passed it a part now quite frankly it's on the executive branch. we will be closely monitoring the implementation but with respect to fisa it's a gift that keeps on giving. in some sense. [inaudible] we have a whole host of different contacts with different bicep position so we had the sunset that happened in december 2017 looking at 702 we have another son that coming up in 2019 which is we will reopen fisa and look at section 215
3:28 pm
which originally was called the provision and business records provision and then that was modified by us a freedom act riveting fall collection so look at that and look at the fisa loan provision that was passed also in the wake of 911 allowg applications to be targeted against loans suspected terrorists and also looking at fisa taps where the execu requested but back to fisa but did not get the authority to do it until that watershed moment of 911. we will look at that so there will be no irrespective of what happened next year. there will be hearings and briefings on fisa -related matters and so does provide the opportunity to open up the
3:29 pm
aperture even further. another point i wanted to mak make -- while we talked about the supreme court cases and legislation i cannot -underscore enough the importance of the role of the national institute of standards and technology. especially in the wake of the passage of the eu regulations and the health of your privacy laws and other privacy laws being passed around the world in here within the united states and local jurisdictions. as general counsel mention this is already issued a cyber security framework and they are working on a privacy framework and if you talk to people in the private sector in silicon valley and then represent some of those guys they crave some sort of standard to be set by the united states. this plays an important role but to their looking at congress to perhaps help along in that area
3:30 pm
so we might be seen some legislative initiative there, as well. >> what was typically said was my view no matter how high we think of congress efforts one solution like the clouds are simply to time and labor intensive to meter eight needs in this age of rapidly developing technology. then he raised the serving court so in the paradigm case of this concurrence he set the standard of reasonable expectations of privacy and those of us who teach that area know it has both subjective test and objective test as to whether or not your expectation is reasonable. but however, as the justice used to say the majority of the most important concept on the serving court is the term five because i have four other votes i write the majority.
3:31 pm
so, is our expectation that is reasonable turning on this concept of five justices agreeing as to whether or not that expectation is reasonable and have we seen in carpenter there seems to be all over the map once the court actually confronts the classic third-party doctrine as to whether or not they think it requires a subpoena or a warrant or maybe just a letter. as a panelist, is that something that we should feel comfortable with as to that is where the definition of privacy is turning on? >> i think the answer is no. part of the challenge with the court today and more generally that we see the court setting the policy for the nation and see the court assessing this privacy reasonable is there an objective reasonableness or subjective reasonableness.
3:32 pm
crazy to be doing. that's the job of our legislator and java congress working within the executive branch bicameralism and this is not the job of the courts but yet we have the courts do it all the time. not the first time the court stepped in the face. this concurrence has been around a long time. the reason it's a product because we don't expect nine individuals nominated by the president to be setting this policy. we looked at congress as political leaders to set policy and that the only role of the courts to measure that decision as to the constitution. and determine whether those laws remain in yet this is why our debates are the whether they should be confirmed are so profit the court set policy every day. if judges, whether judges of district courts or courts of appeals were serving court are doing their job which is
3:33 pm
interpreting a lot not writing it including the fourth amendment face we have a lot less space but who's on the court and not. [inaudible] whether they should remain in office or place at the four year mark or anywhere else along the way. that's the challenge we face and body have these huge debate and where congress leaves things open and does not act or ask away that there's room for interpretation or forced to do the job and we got another -- part of the challenge is it's true on the road inside the democratic side and we got to use to when we don't like what we get out of congress or the president or work together we went to the courts. as a population and as a community begun to use to that. that's why we have the challenge today. it is our execution that
3:34 pm
congress does not get right or does not do it sharply that someone will fill in whether it's executive branch or realtor process or courts to their action. got to get out of the mode and circle hold our political leaders are credible and that's when these problems will follow a. >> i assume you concur with those comments came. >> i concur with a lot of what was said. the concept of a reasonable expectation of privacy becomes increasingly circular and that we left it in this is not new in american criminal procedural history in the united states has always backed off on statutory rules governing searches and seizures left most of the decision-making up to the courts with a few minor exceptions. in that -- as a result we got
3:35 pm
relatively stable rules of searches at home and searches of people what's a permissible certain rest and there's been a titanic shift in the last decade or so with a rise of digital information and the role of both the rise of digital information and the role of third-party private players. these require a whole host of really come gated and important policy decisions about what we as a society think should be protected and how it should be protected and how should our data be used in what two corporations should do with it what should the government be able to access, what are the limitations and these are not decisions that we can relegate to the courts. it's not appropriate. it is absolutely an era where i agree where congress can and should get involved by is challenging and come gated as it is and as long as it takes to get someplace that makes a subset of outlets for good but the ultimate outcome it is
3:36 pm
absolutely essential. >> i'm a bit of use because i remember when archibald cox used to teach constitutional law used to begin by taking a dogeared copy of the hopefuls on democracy and turn to page 70 and say in america all political questions eventually become legal issues. that is our tradition historically that in the 19th century it was seeing. one of the issues is where you set we understand why it's difficult for congress to act and there's a sense of envisioning the problem but california has moved out in california is that we will not wait for the congress but will pass our own understanding of what to do in privacy and the european has fill the space that will have the gcb are so if america does not act are these other actors going to fill the space that is defining what the
3:37 pm
privacy framework is and how we understand surveillance domestically or internationally given what the entities will say and what is required for bad attention or what can you look back and what is your sense of what will happen. >> yes, so there are answers yes. they are moving out we could have a separate panel discussing what the reasons are for that and that would be somewhat of a country by country analysis. you could mention data localization which, of course, really is something that is a growing trend and we will see where that goes but that is a trend where we've seen those types of laws and really good have an impact. unclear what the impact of the will be whether national security and defense purposes will still continue to so much
3:38 pm
in part. i see bob here and he certainly bears the scars of this with europe and other places around national security and defense collection falls into things like the dpr, safety shield, other programs and much of that deals with consumer collection and what consumer privacy and consent means that outlined here in great detail. one issue i thought was interesting is what will happen with lawful access to data. clearly, the bite but out a very interesting statement basically somewhat surprisingly taking the position that they want lawful access to data and fairly aggressively which is should
3:39 pm
governments continue to encounter impediments to lawful access information necessary to aid the protection of the citizens of our country and we may pursue technological and legislative other measures to achieve lawful access solutions. for everyone here knows but when referring to are the five eyes of the us united kingdom, canada, australia, new zealand and that was a law-enforcement state but not an intelligent statement. it remains missing or will happen from an actual legislative perspective so while here in the 93 now there does not seem to be much appetite in terms of any changes in terms of lawful access clearly the debate has not gone away whether or not the us moves moves on that and what will happen internationally certainly remains other. >> we have had our but even patients in their listening to
3:40 pm
two presentations but does someone have any particular question they like to pose to the panel at this moment? i see someone over there. great. why don't you wait for michael. state who you are who you are with. please. >> you obviously worked on and is not reauthorization but authorization of faa and you advised clients of national security matters and curious what you would say to a client who asked you if title vii applies to data that is stored overseas split this is pro bono. [laughter] >> asking about 702 applies o or -- >> yes. >> so when i get a call at a base for game from a client who interpret f2 or fisa or what applies to overseas who say i'm
3:41 pm
in the game i found that giving an off-the-cuff answer or something like that usually gets me in big trouble and hot water. by its terms of course what 702 took off the table was to put the emphasis in the technology neutral manner and the focus on the target of the surveillance so, as you know, everyone in the audience probably knows the issue was we were providing essentially provides a protection and amendment protections to non- us persons located outside the united states. what i would say is a general framework matter of course is that 702 took off the table essentially the location of the collection and put the focus on
3:42 pm
the target is what i would say to them and then you get into the issues from the private sector in your standard analysis and custody or control of the data as the government is asking you to turn over data from a us perspective. that's a long answer to your question but you really do have to get into those issues in terms of doing the analysis of what we look at is if the government is asking for data do have possession custody or control of the data and if it's overseas and you don't have possession, custody or control of it and as i clear you would be able to comply with any lawful order. >> maybe you could have wilmer do a short memo for us. i know the nsa would like that answer.
3:43 pm
>> any other questions in the audience before i pose other questions? there we go. great. thank you. >> thank you. is this on? can you hear me? there we go. my question has to do with the -- please say who you are. >> my name is carmen carter, a lawyer at the coast guard. my question has to do with the subjective reasonable expectation of privacy considering our digital age and it is certainly much lower than it was in justice harlan's day and would you say the objective reasonable expedition privacy is almost [inaudible] and isn't that what were talking about?
3:44 pm
let me set this way. what were talking about now is rejectable, reasonable reason to privacy. >> let me add to that as a family amendment. one of the issues that has come up in my world is that if you don't encrypt your message you are potentially singling for lack of expectation of your message being private. as you know, a phrase used by glenn was ubiquitous encryption so i asked the panel if i subjectively start encouraging everything and there's a new piece i just saw that there's a new app that allowing you to also encrypt your metadata which really undermined the economic model of most social media companies and if we start saying
3:45 pm
my subjective expectation is not only do i want the content protected but also what i data included is that a signal to the marketplace of our subjectivity and based on what then read from the five eyes to that topic helped focus on encryption that the five eyes were addressing where do we go with that aspect and that is put the sharp point to your question. when we go down the road and see what the panel was a would say. >> look, obviously it's pretty clear if you talk to my students at george mason they don't expect privacy in their e-mails and understand that when they log into gmail google is reading their e-mails and pushed ads and parts based on those e-mails.
3:46 pm
they have a different expectation that comes to government and that there is that between will be expect private companies and government and that is that in europe which is why we see fisa in the right states and europe has limited protection when it comes to surveillance by government and the rule is generally in the united states but that being said you are exactly right that even though we are putting more and more data into the systems more more personal data and private data in our communities and are becoming more and more rapid and critical that we expect privacy around those respect privacy we take measures to protect the privacy and encryption we don't take measures it may be reasonable to assume we are not that concern concerned. whether that is true or not is a hard question.
3:47 pm
whether that is an accurate perception of how individuals feel it's part of why this subjective texture of this concurrence -- if you remember it was about -- did mr. katz closed the door in the phone booth. he was trying to evade fbi surveillance. did he close the door and that was [inaudible] if i know google is reading my e-mails but don't expect the nsa to read them right given out next rotation for privacy [inaudible] these are come to the questions that i think at the end of the day don't matter because what matters is what it that we expect to protect it and how do we get our elected leaders to protect it. need to stop worrying about what the court think in these nine old, little younger, people on this report thing about you saw
3:48 pm
the debate in congress about twitter and the russian -- these are members of congress who are not that old compared relatively speaking to the civil court and yet they faced challenges dealing with these issues. it's hard to imagine how you can expect congress or the courts to deal effectively with things like encryption and things like cyber security and it bears saying we talk about cyber security -- and no other context to be expect private companies to defend themselves against patients and actors. we don't expect target of walmart to have search to air missiles on the wrist protect against russian bear bombers and yet today in cyberspace we expect target, walmart, exxon to defend its [inaudible] all the way through the collector to a nationstate. it makes no sense. and yet congress is not the
3:49 pm
project and they say they're here to defend the nation and does not have authority or resources or rules of engagement to that and yet if and when we have that so-called cyber pearl harbor which i'm skeptical will have, but if we do, america will ask what is the government doi doing. >> could you define script kitty for us. [laughter] >> i mean -- [inaudible] >> is an important question about what is this objection to privacy in in a world where so much a shared with third-party providers and access to it and absent the use of increasingly litigated encryption. highlights the problem for the test itself. particularly everything about how we understand privacy we
3:50 pm
understand it in a relationship contact. the spring court recognizes the carpenter when it started to walk back from this broad application of third-party just because we share information with one corporation does not meet the ceiling that we subjectively intended to or wanted to or thought that information should be shared with everybody. up until carpenter is not something to be in court grappled with. now we see they grapple with it but back to the diatribe that gmail has been saying this is not something we can or should leave up to the court. it's something that policymakers and us as a public need to engage in in order to push a policymakers to make the right choices or engage on these issues. >> what i would say some of this debate highlights where i was getting from this panel. i was thinking it is going to be hard to be a national security lawyer in this uncertain context and just where we go from carpenter whether or not is that
3:51 pm
considered a one-off special case and we go along with the 30 party doctrine and other things so whatever collection capabilities are out there and all that will stand future proposals will continue to be analyzed where they were analyzed before because however difficult the situation was we had fairly stable lines third-party doctrine so if you're asked about the type of capability and their third-party doctrine you go to the conditions act as they did in carpenter or maybe you do not fall under the sword committee should act so there's a whole body of national security law much of which may or may not be public that i don't know exactly where it will go necessarily under carpenter. were up your talking about congress needed to grapple with this and justice kennedy says it points out in carpenter in court we always point to congress
3:52 pm
saying this is hard we should not be the ones necessarily determining these expectations of privacy and kennedy points out that yeah, he touches 273d to his opinion and says congress said here's the type of showing the needs we made here is the statutory framework which was obeyed in carpenter and the court said yeah, we don't agree because we consider the intimacy conference in this expense and voluntariness of the information and this went too far but conventional security techniques don't go too far like security cameras and other collection methods. as a national security lawyer i think it's difficult as technology changes it has made the job for national security lawyer and the government if we
3:53 pm
doctrines of remarks that are out there and justice kennedy puts plainly that we put the wall on a new unstable foundation so we will just remain to be seen where carpenter goes and are we going to be in this world where lawyers are now judging objective versus reasonable expectations that other factors are laid out before we had guideposts and we had to make judgments and multi factor test but with third-party doctrine and had the exception of the court has laid out. is all of that now little bit more or is carpenter one of those clearly went too far and is a one off. how this will apply to third-party records, financial records, all those types of issues will be very interesting
3:54 pm
someday to see how that is applied in the total salinity and generally all of that is unfortunately judged in site after something bad happens and everyone says oh my gosh, how can you apply it that way. i will say i don't envy your jobs or these proposals as they come as your agencies grapple undoubtedly with changing technology and deal with the statutes as a stand. >> thankfully, jamie in your friday afternoon presentation will answer that question. the ethical there's a question right there for you. i know you have the appropriate answer for and i look forward to it. >> the issues we have is based on your questions how many people in this room either use signal or wicker in their communication scheme? to people. how many people's room know when they're committed getting on
3:55 pm
their private computers, not government computers, that their vacations are clearly encrypted? raise her hand. there is your answer. some of the most sophisticated attorneys in the country and their expectation and their private communications at home apparently is not encrypting the messages. i think it's a chilly moment for the room. we know the chinese love reading them. any other questions? yes, ma'am. >> [inaudible] >> could you say who you are? >> jamie pfeiffer with dod.
3:56 pm
in the theme of whether or not these are legal decisions in the typical place of lawyers one of the things i thought about was how agencies have continued to grow civil liberties, officers and offices separate from the legal office. formally otcs would tend to opine the most honest of issues but recognizing the political policy elements to privacy effort from the law agencies have these separate privacy advocates and i'm wondering if it's good development or if further on this theme. >> in the wake of 911 the passage of the terrorist and prevention act we mandated privacy and civil liberties officers and i think it can be a good thing if it works properly. but they have to be part of the operational and legal infrastructure of the entity. they can play an important role
3:57 pm
just in the privacy and civil liberties oversight board and i think they actually played a important role as we looked at our fisa architecture or surveillance architecture. so, yes, but is it working right or working as effectively as it can and should be? you tell us. because i know congress would probably like to have feedback in respect to that. >> one more question here. >> this is more of a comment. it's disguised as a question. >> you might say who you are. >> i will. i wanted to alert you so that i be permitted to continue to stand. [laughter] >> that's why we have marines in the room. >> i made peaceful person, richard, dear friend of harvard
3:58 pm
and a admirer of his. >> do you have a question? >> you mentioned wicker and wicker is great and i do a lot of international work in the middle east and in europe. i prefer a trust call and accuse that both in text and for voice. wicker is limited right now to text only. >> if you are served with an appropriate warrant would you believe you have to have that information up? >> i would check with my lawyer. [laughter] >> good answer. more questions. >> u.s. navy. i'd be curious to hear pro and con perspective on why there should be an option of right to privacy in reasonable expectation of privacy is to communications about me by other
3:59 pm
people. how does that write extend to what other people may say about me? >> are you particularly concerned about that? [laughter] >> not personally. >> under current law you have no rights with respect so current doctrine is that you have no fourth amendment interest and there's no statutory right either to control what other people say about you and you have no statutory interest if the government collects information and medication by another person that also reveals information about you or talks about you or includes an attachment you previously sent. in terms of what the current doctrine and that has been current long-standing docket under standing on. >> question over here.
4:00 pm
>> hello, my name is michael geoffroy and i'm here as a private citizen. given the comments about no other areas to have private entities to defend himself against actions and agencies and the fact that roughly 85, 90% of our critical introduction or is in private hands how do you square the disconnect between non- privacy regimes that are popping up like [inaudible] to the private sector response ability to share information to protect itself whether in the area sharing a cyber security threat or sharing financial information and insight monetary laundering or finance contacts? thank you. >> thank you. ...
4:01 pm
notwithstanding any other law. you can take certain actions with regard to monitoring your systems sharing cyber security indicators with the government in a vital overlook provision. the most important provisions of that law got little notice at the time that you don't lose any legal privileges or other privileges even have by sharing information on cyber security threats and indicators with the u.s. government. it's vastly more important than the specific set up for the sharing of the indicators. there are the issues with the press around gdp our.
4:02 pm
and what's i can do for the other we will do the security here in the united states of the network. as it is with gdp our. there has been a lot of literature about that. whether that is going to be security.
4:03 pm
in dhs in particular. i thought she -- day dhs gave the safe harbor. two different pieces that's helpful. i don't know if anybody could identify actual case for me where someone has been sued for a piece of malware. it's helpful. it is a separate issue. it is an important piece. the other pieces that i mentioned this morning if you are sharing with the fbi and the time sensitive law enforcement manner if you're
4:04 pm
doing things to monitor your network there was concern around state laws and other things that really presented people from taking the actions. i will give them the last question. and what when you use the opportunity we will let each of you some up responding in general to the panel. susanna spalding. you have talked about the challenges of legislative action in congress and i wanted to ask about the oversight function of congress we all in this room understand that intelligence activities reside was some tension in the democracy with its imperative for transparency.
4:05 pm
it does so because we have effective oversight and public confidence in the effectiveness of that oversight. and i'm wondering if you agree that that has been severely challenged certainly in the last year maybe longer. even extending to traditional support around fisa and where you see this going. how can we restore public confidence. with the oversight of our intelligence opportunities. >> let's go down the row. thank you so much for underscoring the importance of oversight. in the national security arena legislative efforts are only a part of what it does.
4:06 pm
and in the intelligence can't text so much of it goes on behind closed doors. it has led to a lot of people ask. the natural community.
4:07 pm
with the revelation for instance of carter page. and related to the integrity of the process. many of us know that a lot of the things are held so sacred we have a lot of our national security officers there today. i know. you're working really hard to make sure there is compliance in the strict adherence to the law. with respect of the carpenter case. inevitably our departments and agencies are going to come to congress at some point. and talk to us about challenges related to they are
4:08 pm
experiencing. as we deal with this change. and further oversight. congress will be as transparent as possible while protecting as we move forward. i have just been given the hook because it is at 2:30. let me be very blunt and a very short amount of time. it is under continuous assault today. it is this during in our structure. at the same time her own
4:09 pm
congressional oversight. we are under attack from foreign nation states. instead we are arguing about whether democrats and republicans are right. without bipartisanship. it needs to stop. we need to get together and understood dan that we are under assault from russia. we have bipartisanship. we need to get backed up for that. jamal, thank you. the longest ten seconds of my life. holly has just come up. if you have any more questions.
4:10 pm
[applause]. [inaudible conversations] [inaudible conversations]. >> think you for the introduction. thank you for the kind comments about the committee. we look pretty good compared to the common petition.

46 Views

info Stream Only

Uploaded by TV Archive on