Julian welcome back to the Cato Institute for the 2019 cato surveillance conference. I remain senior fellow julian sanchez. Thank you to those present and those watching at home for joining us. As i mentioned at the start of the conference, we focused on issues of surveillance oversight at this years conference. This morning, you heard about an array of institutions that work to oversee the secret you seven the secret use of intelligence collection ranging from the fisa court to the inspectors general to the Government Accountability office to the Intelligence Committee of congress and one of the newer and in many ways most publicly useful entities overseeing the Intelligence Community is the privacy and Civil Liberties oversight, which has produced a number of valuable reports that have given us unique insight into some of the programs that were discussed earlier, like section 215, the authority used for the phone records collection. What im sure will be a fascinating discussion, i will pass off to our accomplished moderator. Jennifer thank you, julian, and thank you all for being here and to those watching online. It is an honor and a pleasure to be a part of the conversation with the members. We have three of the five members with us today. Two had conflicts and were not able to attend. I am going to basically do something nontraditional and allow them to introduce themselves. Ive seen this done a few times and have found it more interesting than hearing me speak. I will start with adam. Thank you. Adam we are a nontraditional agency so it is good we are taking a nontraditional approach. I am adam klein, the chairman of the board and only fulltime member. We have four parttime members, which is a unique feature. Before taking this, i was at a think tank where i worked on issues comparable to the boards mandate, the intersection of National Security, law, and emerging technologies. We should all throw out an interesting fact of why we got into this work. Before becoming a lawyer, i worked for the members of the 9 11 commission on their post governmental efforts to enact a 41 9 11 Commission Recommendations and one of those recommendations was this board. This is an issue i have been tracking going back to 2004 when i started doing that work and advocating over the years for the creation of the board and for the stocking of the board with members, and to make sure to have Adequate Research and authorities, so it is nice to finally be there to see the board come to fruition with the Previous Group of ward members who did good work. We have the former executive director here and that is nice for us to see and to continue to push the work forward now. Thank you so much for having yesterday. As one of the parttime members of the board, we are very lucky to have a technologist this time around, a fellow who cannot be with us today but he has been inordinately helpful as we dive into the more technical aspects of the program to conduct effective oversight. Prior to joining the board, i was working on a book on the rule of law but spent a decade in government, about half in the executive and half in the judicial branch. In the executive branch, i worked at the office of legal counsel. In terms of my interest in these issues, it is longstanding. My parents fled from behind the iron curtain so i grew up with a t happens when the breakdown between bounds of National Security and privacy falls away. Im really thrilled to be here, thank you. Thanks, jan and thanks for hosting us. In my other life, im a professor at the university of Virginia School of law where i teach, among other things, computer crime. A course that addresses some of the issues we deal with in the surveillance area on the board and my path to the board and this set of issues is immediately before i was in academia at the university of virginia, i worked at the department of justice in the same part of it that jane also worked at before i was there and i was not appellate attorney at n appellates a attorney at the National Security division and joined the National Security division in march of 2013, which was moments before a set of disclosures occurred that prompted a lot of the work the board did in its previous iteration with 215, so that was my entree into this area and i was able to work on sub cases working on surveillance, and that spurred an interest in this whole area. Before that, i was in the office of legal counsel, as well, and had some interaction with National Security issues. Really happy to be here. You obviously mentioned already that you worked on the 9 11 Commission Report where the intellectual origins of the board started, but can you tell us about the purpose and mission of the board and how it is structured and how it relates to the many other oversight agencies entities within the executive branch . Adam as a good lawyer, i want to offer technical clarification. I did not work immediately on the 9 11 staff. I joined an ngo created called the 9 11 discourse project that no longer exists. It educated congress had the executive branch under the public about the recommendations. Segueing into your question, commission had 41 recommendations pursuant to its mandate to investigate the cause of the attacks and make resin recommendations to ensure things like that wouldnt occur again. Many of those recommendations are generalizing, have the tendency of centralizing power within the Intelligence Community, the Homeland Security apparatus, so some of those are creating a director of national intelligence, a National Counterterrorism center, improving information center. Among the intelligence agencies, using biometrics to track travel in and out of the United States. The tendency of all these things is more information, more centralization, more information sharing. On the other side of the balance, the commissioner recognized if you are going to create this new centralized power, you need an increase in oversight powers. Many of those oversight recommendations focused on congress, but they also looked at oversight within the executive branch and proposed there be a board within the executive branch to conduct that type of oversight of efforts to protect the nation against terrorism. That is the genesis of our board. It was initially constituted within the white house and in 2007, congress established the board as an independent executive Branch Agency with a confirmed set of numbers. Jennifer how does your work ordinate with the work of the inspectors general and the other entities . Within the executive branch that are doing some of the related work on a daytoday basis . Adam inspectors general, to paint with a broad brush, tends to focus on individualized reports of waste, fraud, or abuse. That is not our mandate. Ours is more programmatic. If there are individualized abuses we learn about, we would take action and inform the officials. This could be informative for our programmatic oversight because if something goes wrong on a case, that might suggest programmatic improvements are needed, but our focus is at a higher level of generality. Is this wise, necessary, are there safeguards built in . Are the right people making the decisions given the stakes at play . What are the future implications, and so forth . Jennifer how do you decide what programs to work on, where to focus your efforts . Obviously, there are a ton out there so how do you make the choices that need to be made about where to focus . Jane we are a bipartisan board, in terms of what types of projects we want to take on, i think we will look to for instance, if there if something is being reauthorized, we will be issuing a report on new products in the next month or two and we think will be a benefit to congress and the public of having Greater Transparency into how programs are operating. You can add value of looking at implications of the program, some thoughts on whether or not the program should be modified, if it is reauthorized, things of that sort. We will look to emerging technology, one of the things we talked about in our Strategic Plan to see if there are programs in that space which would be useful for the board to offer their insight on. There is a broad array of factors we look to when deciding what projects to take on. Aditya i was the last one to join, at which point the report jane just mentioned, it was already in progress. I can step back to think about how we would select projects. It just so happens that before a joint, the board had put out a it just so happens that i joined, the board had put out a list of projects we intend to work on and those all made sense to me, and i think it is one of those situations where we should just think what does the value add to the congress, the american public, the executive branch . We all bring different skill sets. As jane mentioned, one of our colleagues is a computer scientist, not a lawyer. We are all lawyers. On a personal level, what you are doing is an enormous amount of work. How do you balance this with your regular jobs . It has been a good amount of work, absolutely, and just do the best i can. We have great staff and they put together great drafts, but i make every effort to read every line we put out, and so i think we just have to strike that balance. This is a thought people might have about what is the benefit of having a board structured as it is right now with one fulltime member and four parttime members . I actually think that is a benefit in the sense that the independence of the board is enhanced by having people i have other things to do, and really, i am at liberty to say what i feel is best in the boards reports, and so i think that is kind of the Balance Congress struck and it is incumbent on us to make it work. Jane part of the idea is the parttime Board Members is to have geographic diversity on the board because it is helpful not only to have people working at other jobs and bring other conversations to bear on our work, but have people surrounded by different geographic conversations that take place. Jennifer lets talk a little about some of the work that is done. As you have mentioned, there is a 215 report that the rest of us are eagerly awaiting. I understand issue is a classification issue that remains an ongoing challenge. A couple of questions about one, whether you can provide any information about whether or not you expect the report to be made public before the extension in the 215 program expires. Secondly, at what high a level can you talk about with respect to the report . Adam im happy to go ahead on this one. To fill in the background, so everyone is as deep in the wii does we are, one of the things revealed by the leaks in 2013 was the large scale or bulk collection of telephone call metadata. What number called what number, for how long, and so forth, but not what was said on the calls. Our board with the previous membership did a significant landmark report on this program, and after that report, recommendations from other governmental bodies, congress decided to trim back the reports of the government can collect the records in fairly large numbers as is disclosed in public transparency reports, but not to the extent it did before this law passed in 2015, so the government has had for years implemented years implement in that law, it is coming up for sunset, so we have undertaken a deep dive into how the government implemented that new authority to collect telephone call records since it was enacted in 2015. That has been a lot of work for our staff and gave cover the confident that they have mastered the details to a granular extent of how this worked. We cant get into the details at this point because there is a classification review process where we have to put that work product through and that is where we are now. I dont want to imply there is a problem with that process. The Intelligence Community is working hard to work with us to move that forward expeditiously. It is a big task, complex material. There is a lot of it and a lot of people everyone has a lot on their plate but we believe we are receiving cooperation in good faith and are quite hopeful there will be something the public can look at relatively soon in the new year. Jennifer i know you have testified about this to some extent. I dont know that everyone here has had the benefit of your testimony on this issue adam it was pretty short, if anyone is concerned about that. Jennifer it would be great to hear your perspective about if in you are a lot of this remains under classification review, provide some thoughts about the program and its implementation. Adam at a very high level, there were public transparency reports that put hard numbers out there that was a great thing that we as americans have access to. Citizens of other countries do not have access to from their intelligence agencies and those reports show the number of records, while not perhaps bulk collection in the way the Previous Program was, are still quite large. Hundreds of millions of records over a relatively small number of years, and that was predicated on a very low number of orders. I think it was 14 orders related to 11 targets last year. This is all in the Public Disclosures and i see some of those people involved in the audience have done a good job of putting out. Then there are questions about how the authority was then there are questions about how the authority was implemented. We look at the challenges that nsa publicly disclosed in the experience of implementing the authority, we found the challenges were inadvertent and not the result of abuse or malfeasance. At the same time, this is my individual judgment as a member of the board. Ill have more information about our collective views when the report is released, but my judgment is the agency made the right decision choosing to suspend the program. That is the level of depth we can safely go to until the report is out and we are confident there will be some more declassified information that will inform the basis for these judgments. Jennifer there was a period at which the program was suspended because of these questions about how the information was being handled and as we move forward and talk about reauthorization, are you able to talk about the intelligence . Is there an ongoing intelligence need to continue this program or would we be ok if it were suspended indefinitely . The counterterrorism aid from the metadata generally . Jane at a high level, one of the benefits this program allow for was allowing the Intelligence Community to not reach only one telephone number away from who you are calling, but another house away from that. This is a change from back in the day, disclosures where the programs back then allowed for three. General Intelligence Community to from a National Security perspective, we think the question we confronted in this program was, given the limitation of this particular program was the intelligence value that was being obtained, Cost Effective in this case . Was it balance with private issues at stakes . The compliance issues being confronted . In general, if you step back and look at too hot metadata programs, again, there are limitations to this program of what type of metadata could be collected. An expert talked about the ways in which terrorists are shifting their modes of communication so questions of whether or not this program was reaching the ways it communicates, questions of whether new authorities may need to be brought to bear to reach these new modalities in how terrorists communicate. These are questions that were confronted in looking at the value of those programs. Aditya until the report is out, ill just say i agree with adam and his testimony that the concerns that the nsa had that prompted it to shut down the program were inadvertent. They werent the result of abuse of authority and at the same time, the decision to shut down the program, suspend the program, was justified and made sense, so i think hopefully that is helpful for present purposes, and stepping back, if you can understand difficulties with technical issues, it just goes to show how we as a society, government need to bring all of our resources to bear to ensure that we are getting these programs technically right and we are hitting the right balance between obtaining the type of information that the government should get in order to secure the country while at the same time not intruding too much on peoples privacy. It is an extremely hard balance to hit both from the conceptual level, legal standpoint, and from the technical standpoint. That is something ive learned a lot about through working on this report. Jennifer staying on the topic of prior work youve done before we move into what is next, one of the things i think has been remarkable about the pclob is this comprehensive prior 215 report and the 702 report, which sharon gets credit for, one of the questions is a member of the public very interested in these issues is the question about the triple three program, about which there is less public information. Curious as to what extent the internal work you have done on the 12 333 program could be available. Adam a pedantic micro correction, 12333 is an executive order. That structures into the exercise of authorities by the Intelligence Community, so it assigns responsibility and has Different Community elements, and so with the board undertook and sharon is free to jump out of the audience and slap me if i am wrong, because she took it, was counterterrorism activities conducted pursuant to executive order 12333. One of those deep dive examinations was completed before the three of us showed up and we inherited the rest is open projects. What we said when we came on board was we were going to look at the work that had been done and continue the work and bring each project to an appropriate conclusion. We are continuing to do that, the file remains open. Those are big bites to chew, frankly and we have a lot of things to chew with a small staff. We are taking Network Seriously and will push forward toward an appropriate conclusion. Our goal is always to have the maximum transparency possible result from every project. Sometimes that means declassified, we always push for the greatest declassification within each course that report that we can but sometimes that will run some reports remain classified and part of the reason is we are not an original classifier within the government. We dont have the authority to designate topsecret, classified, so forth. We have to abide by the classification decisions made by the entities that originally classify the information. They owned that information. We will have. A back and forth with them, pushing in the direction of transparency but at the end of the day, our statute requires us to undertake our Transparency Mission with concern for the protection of classified information and we do that. Jennifer that can turn out to some of the work plan you have going forward. One of the things i love to talk about aviation security, facial recognition. A very hot topic, the question of facial recognition where we have a range of these being expressed publicly, we should ban all facial recognition to let use it use it a lot to protect our security. Curious as to both the scope of the program and your thoughts about how it is being used in the United States and whether it is being used consistently, effectively and consistent with private Civil Liberties . Adam im happy to take this one. I spoke about this yesterday so it is fresh in my mind. We launched this project on the use of facial recognition and other Biometric Technologies to verify identity in the context of aviation security. I think all of those little caveats are important, because facial recognition on the Street Corner is different than used by a commercial actor for its own marketing or other purposes, different than use by the government in a specific operational context for a specific purpose. In a specific physical context, lighting and so forth. All of these things go into how the technology is going to be deployed, the privacy of Civil Liberties implications it raises and so forth, so we are working on this operational context for various reasons. The government is moving forward pretty fast deploying facial recognition in cooperation with Industry Partners in the air force. Second, frankly it is something people are interested in because it touches them in their daily lives. They go to an airport and see their photo may be used for a purpose and that raises questions. We think the department has done some good things to explain what it is doing. Thats not to say they cant do more and this project is to make sure there is full transparency about the sound the hard questions are being asked before we are 100 miles down the road deploying this technology. Jennifer that raises an interesting question that cross cuts these areas, how technology is changing our idea of privacy and particularly if you look at the way we have historically thought about this, weve mostly focused on the point of collection. The issue is to some extent the point of collection, but also what happens with the data once it is collected . How long is it retained, who is it shared with . Curious about your thoughts as to the way in which technology is reshaping our perceptions of privacy and where the gaps are in terms of our legal understanding and that policy . Jane in the last two years, youve seen from a legal standpoint from the Fourth Amendment standpoint, there is increasing concern, did you get a warrant to get this, but more programmatic questions . In this program, what are the holistic protections that tend to show reasonable or not reasonable . They will look at back and protections of how long is it stored, who is it being shared with, how is it being used . You see it in the legal area but also the policy area. Some of the security requirements demand large points of data being collected. Millions and millions of records. When you are talking about those types of records, what type of suspicion, what level of suspicion is policy requiring but at the back end, there is a lot of understandable public concern, appropriately so, on what is happening with the data at that point. How long is the government retaining it for . Who is it being shared with . How is it being used . Some of that goes to a level of comfort with what the programs scope is currently or trusting the government at a particular moment in time, but some concern the data is not being deleted so what will happen 20 years down the line . I think you are right and we are seeing is the courts are evolving and the policy side, as well. Aditya this is one of the big issues of we all have to confront. Within the corporate and policy context, trends in technology, we are experiencing trends of governments and private parties to collect information. That and societal expectations. People are now more aware of the types of information they share and exactly how to measure societal expectations. It is difficult to get your hands around. They want their privacy to be protected so understanding societal expectations and how they should influence policy is important. The technical aspect of your question about point of collection versus Lifecycle Data is interesting and to speak for our audience, when you think about the Fourth Amendment, which is written in a way suggesting its protections are triggered when a search or seizure has occurred, thereby suggesting a search or seizure has not occurred, the Fourth Amendment does not protect any of that collection of information. The way it is written, it is natural to read the provision to apply only to the point of collection, and we now have in the last few decades a body of case law regulating through the Fourth Amendment aspect of government interaction data that is not just you collect something and this was most apparent in the 215 program, something the audience will be familiar with, the authorization of the collection of this information and through the reasonable requirement, imposed restrictions on the usage of that information. Exactly how the Fourth Amendment is going to apply on top of point of collection is to be determined and it is actually a way in which i feel one way to think about it is, we shouldnt let the Fourth Amendment to the extent it only applies at the point of collection necessarily hamstring us when we think about policy because the Fourth Amendment hypothetically may only apply at point of collection, but that is not the way we should think about it with respect to policy because we have other policy considerations that might be beyond the scope of the Fourth Amendment. That, and i think a second way in which this question intersects with the work that we do is that it is understandable for courts to approach the Fourth Amendment or legal questions about point of collection, it is the mire to them and allows them to address questions on casebycase basis. Courts are casebycase adjudicators, whereas programmatic questions about whether this collection, this type of data on a larger scale is a good or bad idea, i feel that is where the board fits in and where we can add value. While we see declassified pfizer court opinions, we have seen things like that. It doesnt feel natural for a court to conduct that analysis. It feels more natural for another agency with the authority to probe behind questions or assertions and briefs to have that kind of ability to speak to those issues. Adam i agree with every my colleagues had. Said. To add to their points, i strongly agree with the implied premise that the Fourth Amendment doesnt need to be refashioned into an instrument to answer every privacy question. It does what it does and says what it says. That is not the only tool we have. We have congress, state legislatures, other regulatory organs. Those entities are not bound by the specific parameters of the Fourth Amendment. Congress can exceed floor in terms of the rights of governments to access data, so i would be delighted to see the energies of people concerned about these things focused on developing statutory schemes that reflect world world conditions rather than necessarily trying to cram everything into Fourth Amendment doctrine where it might be an awkward fit. In terms of going back to the question, i agree with the implied premise, which is we as lawyers look to the point of collection because that is where the legal rules apply, but that may not be the only important place to look anymore and that is true as the volume of data created by the digitized lifestyles expand so much. No longer need to go into someones house or affects or other constitutionally protected area to learn a ton of stuff about that person. The point of collection may not be good enough as a safeguard anymore. When we go do our work, looking at collection programs like call records, things like facial recognition in the airports for example, there are questions in my mind and all of our minds that we ask, how . Long are you keeping these data . . Why do you need to keep it . What other systems will you plug this into . Who has access and how are you controlling it . Are you checking to make sure that access was only for authorized mission purposes, etc. , etc. . This is what i call the back end questions. Those are increasingly important as the volume and sensitivity of data you can get without fourth in the midsearch expands. Amendment search expands. Jennifer a big piece of what we see publicly are the reports but some of the work is doing policy advising behind the scenes. I wonder both what percentage of your work approximately is that, and how receptive do you find your audiences in terms of come are you brought in at the point of time where you can make a difference in the crafting of policies and programs along the way . Aditya in some sense, the three of us, i would be interested in hearing my colleagues answer the question in a good way, because ive been a member for about four months now, and it is hard for me to put percentages on it, but when i joined, we had the usa freedom act report in full flow and i feel ive spent a lot of my time on that issue. It is just hard for me to put percentages on it and i havent seen enough of the lifecycle of policy advising to give you a sense of whether and how that really works. Jane it is a little hard for me to put percentages on it, as well, but that doesnt mean we also have other advice projects happening. In terms of when we come in on the lifecycle, during the advice project, unlike oversight, the agency will come to us and ask we prefer to come in as early as possible because it is always easier to change course at an earlier stage, so that is our preference. We talked to the agencies about, but when they are coming to us, they are seeking advice. It has been generally collaborative. Jennifer going back to the set of policy amendment related questions, in addition to thinking about what happens to data after the fact, even in those questions and responses, weve talked about points of collection and programs, but have various databases intersect with one another and how much can be gleaned about individuals from the intersection of different databases. Im wondering to what extent that is an issue you all have thought about and are taking on and thinking through . Adam definitely something we think about. If i control out a judgment here, it is that agencies dont always know when they start what the destination is in terms of what they are going to connect to other systems, what data they will integrate, what datasets, so i think that becomes more conscious of the fact that agencies are not always fully aware of their future intentions. We perhaps are becoming more vigilant about the limits of our ability to know now what will be done in the future, so asking those questions now in light of that future uncertainty, because we know that what you might do in the future with this data raises future questions of intrusion the program my face. Facial recognition is another example. You are getting all these photos. What are you going to do with them . The department has are ready come out and said we are deleting u. S. Person photographs when taken on the jetway at the 18 air airports where they are doing this. They are reducing the number of hours they retain that photo four. There is transparency about that but that is one example. Once you have that system built, there are other things you can plug into it, transforming a simple Identity Verification transaction into something qualitatively different and that potentially shaves more toward a surveillance transaction, so we are very conscious of that. Jennifer as you done this work, what do you see as examples that other governments are doing well, that we might learn from as we move forward in this space and thinking through the ways in which technology and quantity of information shapes surveillance policy and privacy expectations . Jane generally, we are u. S. Focused. I dont know we have a whole lot of expertise or insight into the details of other governments. I will say that as adam alluded to earlier, the u. S. Is at the forefront of quite expansive oversight of the National Security apparatus and has transparency measures in place that are quite unique compared to other countries. I think looking to what other countries are doing and having that discussion with other countries is instructive and valuable, and we always should be open to learning from other countries. At the same time, we have our own values we adhere to in this country, a set of constitutions and laws, so looking to other countries can only go so far. I dont know if my colleagues have anything to add to that. Adam this comparative angle is of interest to mind to keep abreast interest of mine to keep abreast and see if there are things we can take back, but i will say i agree with jane that the u. S. Is in the forefront in terms of oversight and transparency. Obviously, this is not the end of the adventure. We are still at the beginning of the adventure as technology begins to exponentially expand the capabilities of these agencies, but we should give credit where it is due and acknowledge some things have gone right, particularly in recent years. To list a few examples, we now have a mandate for declassification, pfizer court opinions. There were reports recently about how data was collected. That is a significant transparency that did not exist before. If you go on the website, you can see exactly how many orders were issued under title i of pfizer, electronic fisa. You can see how many targets there were under section 702. You can see how many call records were collected under the usa freedom act we were talking about. Im not aware of any country that has statistical transparency like that. It is important to say we have gone pretty far compared to anyone else and to give credit to the people who are working in the institutions every day, advocating for that, persuading their callings that is an ok thing to do and putting in the hours to develop Technical Methods and analytical approaches to developing these metrics and things like that. This might be a some of what my colleagues have said, but i feel we live in a country that has a unique set of capabilities on the National Security context and the unique set of values. I think that is the challenge that other members within the executive branch, within congress, should seek to preserve. Jennifer this is my last question and i will open it up to the audience. What do you see as the big trend moving forward . What are the things that keep you up at night when you think about the future and what is coming next . Where does your head go . I think there are so many and weve touched upon some of them at this point, but part of it is the technical aspects. The ability of governments, the private entities to collect information. One example would be facial recognition. That is one example, but there are so many at this point. The technical changes occurring, the societal changes occurring in terms of what people expect, what people want from their government and the privately entered private entities with which they interact. Finally, Fourth Amendment jurisprudence, where it is going in the future, how it is going to interact with a set of programs that we as a board deal with. That is really interesting and will be challenging in years to come. Jane the only thing i would add, the Fourth Amendment is a matter of great interest to me. We are seeing a continued diversity of views, but some of the justices really trying to ask questions is the fourth mma jurisprudence as it currently is constructed consistent with the understanding of the Fourth Amendment . Is that the right place to be . The only other thing i would say is i think with the new technologies coming, there is often times talk of the privacy implications that will accompany that. Facial recognition, but we also have to think about how can new technologies actually help protect privacy . We are seeing that in the programs that we are looking into now where technology is helping control access, use, and other things of that sort. There are two sides of the coin with technology in that space and that is something we think about. Adam technology, and what are other countries that dont share our values doing with this technology . Not that we have oversight over the chinese government, but a fact that 1 5 of the worlds population is being subjected to an unprecedented experiment in comprehensive surveillance and, frankly, thought control is pretty scary, so watching that evolved is a dystopian experiment that should be bracing for all of us. Jennifer questions . Sharon. Sharon thanks for the shout outs. I do want to pick up on the reference to the continued examination under executive order 12333. First of all, thank you very much for in the summer putting out publicly the list of current oversight projects. I hope youll keep that updated, but i wanted to ask with regard to that, the prior iteration of the board had undertaken to do the public report that went into highlevel or maybe dig deeper explained to the public in an unclassified report what 12333 is, how it operates different agencies, what some of these privacy protective rules were. To what extent is that an ongoing project, as well in addition to continuing toward the deep dives. I used to always get asked when that would be coming out to the extent that is something you are undertaking, if you have any projection at all about where that falls in the timeline . Adam can i answer this one with an extended metaphor . When we came on, the board had been without a quorum for a year plus, a year and half. Without a chairman for two years. It was like inheriting a house from your beloved aunt whose house was stocked with wonderful books and mementos and other things, and that is great and you pick up great things you can take and give new life to, but it also takes you a lot of time to go through the library and see what you have and clean up the closets and every thing else. We inherited a lot of Great Projects from the prior board. We are moving all of them forward and will bring them to an appropriate conclusion determined by the current Board Members but at this point, we cant give more information about when that will happen. We are taking it seriously and know it is an important project. Thanks to all of you for coming out. Im one of the Research Fellows at cato. I want to go back to followup on something sharon talked about, which is the issue of 12333. I want to start with a more basic question. Two questions wrote quick. Do you consider your product, something you own . Your observations, your conclusions, and your recommendations . Do you consider yourselves to be in full ownership of that . Adam i think what you are alluding to is whether other agencies have a say over whether work product can be discussed if i the classified . Declassified . From a statutory standpoint, im looking for the language that says that you cant desegregate anything here, for more to the point, based on the response in the agency in essence. Let me tell you the deep concern i have with that. Right now, im in litigation with the department of defense and the National Security agency over their attempts at essentially to suppress the department of defense Inspector General report on an nsa program you may have heard of called trailblazer. The largest programmatic failure in nsa history and a major contributor to the 9 11 intelligence disaster. What mcfadden had rejected in the case is the reference of dod and nsa essentially to try to excise anything that would be embarrassing or otherwise problematic for nsa. I wont bore you with the details, but the concern i have is if you let an agency, whether my former employer the Central Intelligence agency or any of the 17 agencies in the Intelligence Community dictate what you can say with respect to your conclusions, your recommendations and observations, respectfully i have to say i think it if this rates the boards ability to function properly. Ill echo what i think is sharons clean, plea, you go back to the agency in question and say we will Say Something publicly to the effect that there is nothing to be concerned about or there may be some things to be concerned about and we have notified the communities of jurisdiction. Can we get a pledge from you on that today . Adam i can say more than that. When we complete classified reports, those reports go to the hill, because there are people there who have the clearances to read them. They would receive the entire report in that case. Zooming out a little bit, we are an administrative agency. That means we are a creature of the statute that created us and only have the authorities in the statute. Our statute says we should make reports public today extent of classified information. We always push to get the maximum transparency. Thats why we release the inventory of active oversight project, which i think is the first time the agency has done that because we want to present the greatest transparency possible. Perhaps you could tweet out a link to that so people can access it. The other half is important, too. The protection of private information. We are not an original classification authority. That means the agencies that classified information are the ones who determine and control the classification of that stuff. We engage in a backandforth with them to get more moved into the declassified and released category, but ultimately, we have to go through that process. It is our statutory obligation to protect that information and that means when there are requests, it is our statutory obligation to refer to the agencies that on that information. On that information. Own that information. Things are connected and we always push to get the most of any document we can declassified. It is important and part of our statutory mission, but that is the balance it has to have. Jennifer yes, sir . Very excited to hear that you have a report on 215 in the next couple of weeks and i will read that as soon as it is out. We have a little more time now in the wake of the extension congress granted, but the original deadline for that program and presumably Action Congress would have needed to take in up until that extension was just nine days from now so i was hoping you could talk about before the shortterm extension what efforts were being made to ensure that the information and recommendations you presumably are including in the report would be released in a timely manner so they could be part of the public debate in the event that a reauthorization was going to be passed this month. I dont know how interesting or how deeply you want to get into our internal mechanics, but we are cognizant of legislative deadlines. We work to ensure that what we do will be useful to the public, to congress, and it other stakeholders. I was able to testify in the Senate Judiciary committee recently and that testimony is public and available. The back and forth with the senators, if anyone is interested, but we are cognizant of that and the legislative calendar and do everything we can to make sure our work will be available and useful. Thank you for the work you are doing, the work that pclob has done to declassify information has been valuable. On facial recognition, a bill was produced to require a warrant for three or more days of ongoing surveillance of a person in Public Places using facial recognition. We are having a debate about whether those circumstances ever pertain right now under current fact. Is there a use scenario that you have seen through your work that would involve the ongoing surveillance of a person over three or more days involving facial recognition . Is that actually happening . Theres the link which of the bill. The utilization of race facial Recognition Technology to engaged in a sustained effort to track physical movements of an identified individual through Public Places over a period of time greater than 72 hours whether in real time to store information. Is that happening . Adam our project is pretty tightly focused on Identity Verification in airports, and it doesnt seem like that would be the place where sustained surveillance would be taking place, given people pastor airports in a short period of time, but if i can respond to the idea. To me, without commenting on whether i think that is the right legislation, it is exciting those conversations are happening because that is the type of line drawing exercise that legislatures are uniquely suited to undertake. I think it is constructive that legislators and people coming up with proposed legislation are thinking exactly about where the balance should be drawn because when youre not dealing with the strictures of constitutional doctrine, you have the freedom to do what feels right. I think that is all to the good. I truly dont have much to add and cant answer directly. My answer would be the same. This is an important conversation for society to have. Its interesting and useful for congress and members of the public to think about the appropriate balance. I would like to ask about the use of facial recognition in airports. If you get a hit, what databases are you using . What action might be taken . Would you simply monitor the Persons Movement . Would someone be authorized to interact with this person, to ask him, to detain the person . What would happen when you have a hit . I think so i can speak in generalities. It depends on the type of program we are thinking about. We might have certain programs in which what the computer is doing is recognizing your face and your drivers license to make sure the drivers license and the face match up one another. That is what an agent might do when you reach an airport and the idea behind this program is that it is a one to one match. It is faster and more efficient than having a person make that match. We might have other programs where we have a match where the computer is matching a face to a number of faces stored in the computer. I think that is what your question was alluding to, why you might want to have that feature which would be verifying this person is in fact not somebody who has that license, but is the person. Or if youre using it to screen out through the computer. There are different ways in which the facial recognition programs can work. We are figuring that out. On any platform, airports or elsewhere. Can i follow on that with factual background about what customs and Border Protection is doing in the airports right now . Congress, this is another recommendation, mandated dhs use biometrics to confirm entry into the United States and exit from the United States to make sure people who have overstayed their visa left on time. It has taken a long time to figure out a way to use biometrics to do this as opposed to your name and birthday. These are complicated. How do you get people to provide biometrics without creating a massive impact . Facial recognition is what they have struck on. What they are doing now, customs and Border Protection, at the airports, gradually increasing the numbers as the month goes by, they are using facial recognition to compare it to a gallery of the passport photos. It is a match. That confirms that person has left the United States. It is still in the pilot phase. It is pretty widely deployed. In atlanta they have partnered to build that out through the traveler experience starting at the checkin point and outbound flight. It is just Identity Verification that you are the right person who is scheduled to be on that flight that day. The one thing we are conscience of is once you have built this backbone, you could plug other systems into it. It is an Identity Verification system to facilitate this exit requirement, people confirming people leave the United States and for still is stating and facilitating other facets. We are cognizant it can have an uncertain future. Please join me in thanking the panelists for their work and for being here today. Thank you. A minor schedule change. There was a speaker who was supposed to be delivering a short talk. He is unable to speak today. He was not able to make it. We are going to hang out for one second while we transition into our final panel. I think we have someone who can get our next speakers micd. Thanks. This will just take a moment. I can set up the title is the return of the crypto wars. You will be familiar with what is sometimes called the going dark at the pervasive growth of encryption presents an obstacle to Law Enforcement, especially as it has gone from a technology that is the province of people with advanced understanding to use difficult commandline tools to something that is baked into userfriendly technology in a way that does not require much identification at all. You probably use it daily without recognizing it by didnt of using a smartphone or browser. As increasingly this encryption is not just between endusers and central entities, but encrypted between users without access by an intermediary, that is causing a certain amount of nerves by agencies. In the past it has been framed in terms of the threat of terrorism. There was a dustup involving an iphone used by the San Bernardino shooter. More recently with the announcement facebook is intending to deploy encryption on its services, there are concerns this will and the scanning of messages for Child Exploitation imagery. Cut off one significant point of access for Law Enforcement to go after child predators. We have an excellent panel arranged here. We have matt blaze, he is down with the flu and unable to join us. We still have a phenomenal panel. Before was a fulltime policy nerd, i was a journalist nerd. One of my previous hats was the washington editor of ars techina where you could dive into technical questions. Sometimes legal questions written to be generally accessible without leaving out the nuances and details that might be interesting to someone with a knowledge base. I was pleased we had Sean Gallagher to act as moderator for this panel. As soon as everyone is wired up, sean will introduce our panelists. Sean good afternoon. All right. We have awake people. My name is Sean Gallagher and im here today with robyn greene with facebook, jim baker of r street and, i just met him. Brad wiegmann of the department of justice. The topic is encryption. This was going back to decades, encryption was something that was fought over and mostly settled. There was a chip that was supposed to be implanted to devices that the government had presented as a standard. It was fought against and eventually ignored by industry and proven to be vulnerable by matt blaze, among others. Pretty much it was decided that your the idea of a backdoor was a bad idea. Now, for some time, the fbi has pressed the case for some limit on encryption and as director comey put it, communications have become much more common than they were in the 1990s. To prevent criminals from going dark, evading surveillance. The latest version of this argument, the ever increasing incidence of online Child Sexual Exploitation as a reason to raise the demand again. And has asked facebook in a letter he signed to not deploy encryption across all of their products for messaging by default. Out of fear they would allow pedophiles to go dark. They said facebook was a major source of information about child. 80 of the cases of pornographic information came from facebook in 2018. They are seeking to ask facebook to not deploy encryption until they can provide some way for legal warned today access to communications. Experts have argued any backdoor weakens encryption and provides everyone because it would make encryption fragile. The question is is there a way to have secure communication for the masses to protect themselves against criminals and have legal access under warranty . Where do the constitution and the laws of physics come to equilibrium on this . Can companies aid in the fight of child pornography and provide secure communications for the rest of us . I will allow our panelists to open with that. We will have each panelist talked briefly about it. And then we will bring it to audience questions. Robyn thank you for inviting me to speak today at this important event. I want to talk about why facebook is moving our messages services to encryption. I started at facebook in february and before that i worked in Civil Society on many of the same issues. Starting in february and having the announcement we are shifting to an to end encryption was exciting. Its really important to think about why this is happening. Facebook has been committed to helping build communities, having voices heard. Many of our services, we think of as a public square. We are seeing people want to have more private communications. They want to have small group communications. They are conscious of the private information they are sharing because they are having more personal communications online, sharing stories or personal information about your life and photos. Or transacting business. People want to be sure their communications are secure. Secure from facebook, secure from external threats like hackers and any other unintended recipient, including the government. It is important to make sure people can have that kind of control and confidence in their communication to know they have the security needed given how much data is getting shared and how sensitive those data are. We want to make sure we do this right. We are not just for a switch. There are a lot of technical challenges we are addressing to make sure we do it in a way that is good for users and that we are providing them with the encryption so you can have a more streamlined and simplified experience across our services. We want to make sure we get the privacy part right. Beyond that, we have been Industry Leaders when it comes to safety. A large portion of the information of missing children comes from facebook because we are proactive. Safety is one of our top priorities. We will continue to do that. Our methods will have to be different. We are thinking about how to be the leader in industry on safety while making sure people have that same and to end encryption where only they and intended recipients can see the information. Brad, go ahead. Brad thanks for having me today to talk about these issues. We in government and as a society are confronting an epidemic of Child Exploitation and abuse facilitated by Online Platforms through which creditors are grooming their victims and sharing images of their acts. This includes sexual abuse of children and toddlers. The numbers are staggering. In 2018 facebook made 16. 8 million reports to the National Center for missing and exploited children. 12 million from Facebook Messenger alone. We are grateful. Facebook does an outstanding job of reporting this abuse. We are grateful for the outstanding cooperation we get from facebook. We rely on facebook and other companies. As do other governments around the world. Thousands of children have been safeguarded as a result of these reports. In march facebook announced it plans to implement and to end encryption across its messaging services so they will not be able to see the content of messages on those platforms, these images. The ceo of facebook acknowledged there are safety concerns to address associated with the shift and that we have a responsibility to work with Law Enforcement to prevent the use of facebook of Child Exploitation and organize crime, fraud, and other social ills. He said after the change we will never find all the potential harm we do today when our system can see the messages itself. In response to this, the governments of the United States, United Kingdom and facebook noted implement end to end encryption without ensuring there is no reduction in user safety and a means for lawful access. This is something that we as Public Officials have an obligation to do. Do. We have not received a response. I have suggested that we can identify exploitation and other harms. We are skeptical this can occur. There is no substitute for seeing the content. You cant investigate and have evidence without the content. I do not see a way to do it. We are interested in hearing more about that. Its interesting to compare facebook with apple. Apple has long been encrypted. In the same year facebook received 12 million reports, we received 43 from apple. That might give you some idea of what we are skeptical of. To be clear, the Government Supports encryption. We understand and we use encryption. We are responsible for cybersecurity. That is our responsibility. We understand the commerce is dependent on it and society is. What we oppose is end to end encryption that does not provide lawful access. The concern has been it cant be done safely. Facebook messenger is not end to end encrypted. I dont think people think it is not safe. Online banking, no one says it is not safe. The cloud is not encrypted. No one says information in the cloud is not safe. We think a solution can be found. Thats it. Jim im looking forward to a discussion about these issues. I worked on the encryption issue for a long time. This has been a personal journey for me. At the Justice Department and the private sector, and the fbi and since i left the fbi. I take with great seriousness the comments brad has made about the victims. There are real victims. Encryption does inhibit and slow down and makes Law Enforcement less efficient. In the San Bernardino case, i thought we had a serious and solemn obligation to the victims of the terrorist attack to do everything we could to run down every investigative lead. Having in our possession one of the phones of one of the perpetrators and having consent from the city and having a warrant to get into it, we thought it was logical to get access to that information. Apple disagreed. We ended up in court. That dispute fizzled because a third party explained they had a way to enable us to get into the phone. There was no judicial resolution of the matter. Because the case was moot at that point. I have several concerns about the governments approach. Ive had to rethink my own approach, which was in favor of finding a way to enable the government to get access. A couple of things have driven my thinking on this. The problem, this is a legal problem. It is not a technical problem. These companies can write software to give access to the government. The question is, the technical reality is, it cant be done in a way that provides a substantial amount of cybersecurity the same way the systems we have today do. You can rewrite the software. It is not going to be as secure. The problem is not technical in that sense, like it could be done, but with significant risk attached to it. It is not the Fourth Amendment because the government can get whatever warrant they want under the various legal regimes that might apply. Theres no clear Legal Mechanism under federal law or state law to force companies to rewrite their software. The various Legal Provisions simply dont empower the government to get a court order to force companies to do with what the government wants them to do. To me the government, Law Enforcement agencies, weve been telling the public about this for years. Nothing has happened. Congress has failed to act. Theres reasons about why that is. Thats like dealing with reality. Congress has not acted. I dont foresee them acting in the future. The administration has revived this issue. Theres a hearing next week in front of the Senate Judiciary committee. That is one reality. I dont see Congress Giving the Administration Legal tools it needs. The second reality, in my view, the country faces a threat with respect to cybersecurity and malicious actors. Our cybersecurity is that bad. It is subpar. It is poor. Encryption, basically spreading the use of encryption wherever we can in the complex Digital Ecosystem we rely on to conduct our most essential services and businesses as a society, encryption is a way, it is not the only way, but is a way we can use to protect ourselves from the very significant existential cybersecurity threats we face. What im urging lawenforcement to do is to rethink their approach to encryption. Because they are stewards of Public Safety, they need to rethink their approach to encryption and embrace it. The right thing to do is embrace it, and what brad says is true. There are victims of crime. They will suffer because encryption will inhibit the ability of the government to do its job. It doesnt stop them. They keep going. I just think its time for the government to rethink its approach and embrace it instead of trying to find ways to undermine it. A couple of questions. I want to give everybody a chance to respond and add that theres a couple of concerns. What is driving the demand for endtoend encryption on facebook right now . And other platforms as well is a feeling of lack of privacy because of a loss of trust in the platform providers. Things like the Cambridge Analytica scandal and the spreading of personal information through various means, admittedly throughout the rhythms. There is still concern about conversations being cached for long periods of time. The other side of the coin, asking facebook to not use endtoend encryption, doesnt that push the people who would use encryption off to other platforms . There are a number of platforms that offer it that have features similar to facebook, so why would you specifically go after facebook in this case . I understand they are a major contributor to reports, but doesnt that create a situation where people who are perpetrators move into another place where they can go dark . On your question if people move platforms, we have not seen that to date. People are using Facebook Messenger today. We have not seen that. Second point, we do not intend to single out facebook. Facebook has been a good citizen to date. Our concern is the shift where we will no longer get reports like we get today. We would like these rules to provide lawful access. Not just facebook. Robyn we will continue to be good citizens after we moved to end to end encryption. Safety is one of our top priorities. We are taking our time to build these tools in a way where we can be confident we are addressing the legitimate concerns of Law Enforcement and of ourselves and the public. Nobody wants to use platforms that have harmful activity on them. We are committed to a program of prevent, detect, and respond. We are looking for ways to identify how our bad actors are getting in touch with each other, finding victims, so we can prevent those connections from happening. We are looking to detect that activity. We will have to change our methods. We will find what that bad activity looks like so we can take action on it. We want to respond and make sure people can report bad activity when it is happening. If you receive a harmful message, you can do a report on facebook. You can share with us that harmful activity in which case we could share it with the authorities. Things will change. That is for certain. We are engaging in a robust process where we have conversations with governments about the kinds of signals you see that are helpful so we can figure out ways to identify some of these problems. We are talking to Public Safety experts to make sure we are getting all of the information we need to build a safe product. We are having conversations with privacy experts. None of this works if people dont feel like they have control. We are seeing a shift. 85 of messages are sent encrypted worldwide. This is what people expect. That is why we are looking to provide it. The way they are using their services demands it because of the kind of threats you mentioned. People are having private communications they want to keep between themselves. They are so they are also doing business, sharing financial information. They share medical information. We do most of our conversing over messaging services. We have to make sure they are secure. The one other thing is when we think about safety, that was a stark statistic about apple. There are ways to make sure you can report. I will share that whatsapp takes down many accounts because of harmful activity every month. We are able to find harmful activity even when we dont have access to content. We will continue to do so. Because we have leaned into safety. Is that because of user reporting . Robyn some of it is. A lot of the reports we will continue to do scans for abusive content on our public platforms. Nothing changes. We are still going to look for abusive content on facebook and instagram. There are some public parts of the matches using spaces. Profile photos, group names can be public. If you use exploit eight of industry exploitive content, we would be able to identify that account and send that information and then of course take down the account. Have you done analysis to see whether the reports, there wont be a drop off . You have to knowledge there will be a diminution of reporting. Robyn i cant speak to the percentage. We think they reporting will change. It wont be the same images. We are consulting to find out how we can make or identify useful information for you that is not content based. As far as other ways to go after this content and pursue people, what type of techniques have you seen that could go after these problems that dont require a man in the middle back door . Jim number one is, let me back up and talk about this issue. Societys failure to protect children is colossal and profound. Everybody shares blame for that. Everybody. We have not done what we need to do to protect children. Even with the current systems we have, we have thousands of children saved. I was worried of giving facts and figures because they turned out to be wrong. Even by that, thousands of children are being abused and society is failing them now. The failure is systemic and it has to do with way more than encrypted communications. Its the inability of government to absorb this material, the technical systems to deal with this material in these perpetrators. Its a systematic failure across to provide better tools, more failure across many dimensions and Society Needs to provide better tools, more money to the investigators and centers trying to do with this. To think about a better job, that leads into something ive been thinking about, rethinking encryption and its investigations and how it does them. Just embracing the reality that the systems are there, encryption is outofthebox and will be used in the United States and other platforms. People are going to gravitate toward it. Lawful actors are going to gravitate toward it. They are going to find ways to communicate. Government needs to adapt to the world we have today and not go back to the past where they had all this access. They need to figure out how to analyze data, doing deep analytics with respect to finding the bad guys and the victims. They could invest much more in that. Industry could could assist Law Enforcement with that. Something we might have to change some laws. Doing more data analytics, making more use of open Source Information and also reinvigorating governments ability to use informants, undercover operations. The government has to do that. Those are the investigations that are most effective when you have good human sources in the places where they need to be. It is harder today. It is expensive and timeconsuming. Brad i take your point. An investigation, there is no substitute for having the access to the images of the child who has been exploited. You might have a toddler in the individual abusing that top layer. There was no other way to get that information. If that person is disseminating those images, there is no other way to get that information. That is what i would say. The other point, we are not trying to go back. We are trying to update laws from the past two today. Weve had telephones forever. The phone companies have been required to cooperate. We are asking for updated laws so we meet the same requirements phone companies have had for decades. Wiretaps are something we need to do. Why is it different on the internet . The Digital Ecosystem has changed. The volume and variety and velocity of the communications, it is just a different world than it was five years ago, 10 years ago. You have the same communication over the internet as the telephone line. I see no legal or moyle or justification moral justification. Then go to congress. My point is there are victims, the children. And other people, theres a whole range of victims who exist and who will exist and who will suffer as a result of crimes my Law Enforcement proceeding and the way it does today cannot solve as quickly as it might otherwise. Theres also substantial risks with respect to our failure to build a Digital Ecosystem that is secure. We dont have that. We are more dependent on that than we have in the past. If we have a significant failure, i am worried about our ability to function effectively. I think people will be harmed and die if we have a failure like that. With victims on one side and the other, how do we sort this out . The risk from doing something that would interfere with the ability to have encrypted communications, Congress Needs to resolve that and balance that and step up to the plate and pass a law and change the landscape, or not. I dont think its up to the private sector to sort that out. Companies will follow the law, whatever it is. Congress needs to act. So far they have failed to persuade to have congress act. That is where the focus should be. I agree 100 . Any questions . We have a microphone. I dont think we do. Sir . I will project. Im a retired Foreign Service officer. I just have a comment. A few comments on what you folks said and i would appreciate your reaction to it. My assumption is the vast majority of people in this room is against exploitation of children. I think it is a red herring to use that. The Law Enforcement authorities were dealing with this problem and other problems before we have the technology we are talking about. There are other techniques. End to end encryption have legitimate uses. They protect dissidents in third world countries, business here, etc. Technology, you cant make it disappear. If you for bid facebook from providing something, i will be able to get it in one way or the other. Its not really feasible to even do what you are talking about. When the attorney general talks about a back to work, frankly he showing he doesnt understand the technology involved. Ive had conversations with the former cia director who says it is not possible to do what youre describing. Thank you for your comments and i would appreciate what you have to say. That brings up a number of issues. Experts in the field have said if you put a backdoor into a system regardless of how you approach it, theres room for abuse. There is the concern that what can be warranted can be abused in terms of access. We have seen cases where legal access has been abused in the past. I understand they are not the majority. But they happen. Given the weaknesses you would introduce, what is your response . Legislation has to decide. From a mathematical perspective, there is no way and a lot of people have tried to build a backdoor into things that only allows for warranted access. It would only work if there was a man in the middle arrangement where everything flows through the Service Provider and they give access. And they can be compromised. How do we deal with the laws of physics and mathematics . I can say people in the government that have experts in cryptography think it is doable. Bill gates has says it is not a question of ability. It is a question of will. A number of governments have said this is doable. Lets not assume it is not doable. The system today is not encrypted. Theres three of them i can identify that are available where companies have decided to maintain access to the information. If they can because they needed to sell advertising, why cant they do that for Law Enforcement . Why can apple maintain a key to send updates it has a key, right . They have that key at apple. It would be a huge security incident to lose that key. They maintain that key because they need it. All they are asking is there is a key for my enforcement. Are you looking at a solution similar to what australia has legislated where Law Enforcement can require a Software Provider to make a modification to allow access . Any solution to ensure we have lawful access. We dont care which method they use. We have a list of what we think is most effective. We are investigating those same crimes. We think it can be done. These are the most Innovative Companies in the world. The idea they cant come up with solutions is not credible. We have another question. Start off in the back. Last year we heard talk about provisions for group messaging. Even the doj does not support that. Why hasnt the doj put together a technical solution . Absent that a lot of people in this room are debating something that is a hypothetical. We talk about different options. We think all the companies have different services. Some of them make communication systems. They need to come up with their technology while providing the access we want as opposed to a government solution. The worst would be for us to say this must be the solution you adopt. I am confident if you go through the archives you will find a clip of me saying what brad has been saying. I understood the problem the way he is articulating. Just having spent years working on this, my understanding is also there is no technical solution that adequately protects cybersecurity and provides the government access. It doesnt exist. And so yes, the companies have different systems, different choices and they have decided to use encryption. Again, given the fact there is no system that actually provide cybersecurity, strong encryption and the government with access, that does not exist. If youre going to introduce some risk into a system, that is a Call Congress has to make. I come back to that. Theyve got to legislate if they want that to happen. And they take the risk that some bad person or organization, is going to figure out a way to disrupt all of the communications that we think are encrypted. Society will bear that burden. Congress has to make that call. What has facebook done as far as alternatives . Has there been ways to do this sort of backdoor you look at and what have been the results . Robyn technologists have said it is not possible to build an encrypted system with access and have there not be a potential dangerous vulnerability that can be exploited. It is not possible. We havent invested in trying to build any such system. We wont be investing in that in the future. Thank you very much. I work for an organization that defends the right the Church Committee cites the fbi against our organization as an example of an abuse of power. What is concerning to me is the Chilling Effect putting in this backdoor could have on free speech. Up until two or three years ago, thanks to a Supreme Court ruling, the socialist Workers Party was immune from filing decisions. By disclosing the name of their donors, they would make them liable to Law Enforcement abuse. Given there are instances where the government has been the malicious actor, including against my organization. Do you worry about putting this backdoor and it will have a Chilling Effect on speech . My answer to that is we have to depend on our laws. We are talking about court authorized access. Today we can wiretap your phone. We can search your home. Your car. We can do all of those things when a judge has decided we have probable cause you have engaged in criminal activity. That has been our standard since the founding of the country. We have to be able to do that to protect people, to search their homes. We have new technology. Should we have that same ability to protect our First Amendment rights or will we have a space immune from that which is a closed environment . If your kid disappears in a house, there is no way to get them back. No way to search the house. You cant find the child, the same way you cant get communications online. Robyn theres a distinction because what you are talking about is the Legal Standard when you get a warrant you should be able to execute your search. It is not just only Law Enforcement would be able to Access Communications if there was exceptional access. The problem is the front door for the government is a backdoor for malicious actors. Endtoend encryption means only you and your intended recipients are able to see the communication. Theres no secure way to build in that access for the government alone. That is where we disagree. Apple has a key to access all the phones. Why cant we have that for the government . Today facebook has that access, and government has access. It has not been a problem to date. Robyn our users are demanding a more secure system. Im saying it has not been a problem to date. Thanks for being here today. I wonder if you could speak to the situation we have, the disagreement between facebook and the department of justice. Can we interpret it as a preemption to possible legislation . Does the department of justice have plans to use this moment to put Silicon Valley on notice that amendments may be coming . We dont have an answer on that at this time. In terms of speaking to chilling speech, if end to end encryption is delayed or not allowed, what can you say to what this would do to the market in terms of your ability to access encrypted conversations if they take them to other markets not in the u. S. . We want to work with other foreign governments so we have solutions for their foreign competitors as well. Brad, question for you. You said there would be a court order. Is that always the case . If exceptional access was built in, are you telling us an essay nsa would not be able to exploit that exceptional access given to the fbi and they would never be the use of section 702 or executive order to Access Communications through this exceptional process . The proposal would involve court authorized access. The nsa has worked to break encryptions. That doesnt mean it would exclude them from using that capability to go after foreign intelligence targets. That is what the nsa does. Its interesting because people are saying, why dont you try to break into the system. That is a better model . We cannot tell anyone and have the vulnerability be out there. Why is that a better model . Is that better for anyone . There is no perfect security. Even with this system, there are ways to break in. Theres no way that will have perfect security. Theres no perfect security. Theres always a balance we regulate contacts for automobiles. We say, ok. Youve got to have your emission standards, right . We know for certainty your car is going to be less safe if youre going to have a car thats not going to be as big and as heavy and it can result in more fatalities. But we make a decision as a society that we these goals and we want to have these emission standards to have a safer planet. Were willing take on that cost. Theres no car immune from these things. And i agree with jim that ultimately, these are things that congress should be tackling. They have not tackling over the last several days. They shouldnt be a decision thats made unilaterally by the companies. But let members of Congress Cast a vote when everybody is telling them the result of that vote will be less Cyber Security, less security for the American People in the Digital Ecosystem. Let them cast that vote. Let them associate their name with that. And more security for all the exploitation victims and other people that are being exploited. Maybe, but their failure to children exist today. The horrible world that youre describing exists today. We are able to save those victims because of this. How many victims are there still . Lets go to the audience. My question is also for brad. Jim baker alluded to this issue a little earlier about going throughout with numbers that might not be correct. So in june of 2018, if im remembering the month correctly, it came out that the d. O. J. Was unable to access due to encryption. The number was 7,800. And they said actually the number might be closer to 1,000, but were working on it. Subsequently they put up a lot of asterisks on prior speeches saying this number is wrong. Im wondering if you can give us any update as you seen to have this conversation as that the tent to this problem really is . So i dont have an update on that. I know that youre absolutely right, the number was erroneous. Its a very large number. Maybe not be 7,800. But im sure its over 1,000 phones. Thats only a piece of the problem. Its only the devices that we have in Law Enforcement and custody. Did we have a new updated number . I would have to check with f. B. I. They may have one. I dont personally know. We have time for one or two more questions. Youre going there. I can make a point about these damn numbers . The government wants to persuade the government to do something, its got to do a better job of counting. I know firsthand know how hard it is. They got to do a better job otherwise theyre not going to prevail. Mr. Barker, why in the world would we trust the u. S. Government, the top terrorist on the planet that the f. B. I. Has had information on sex trafficker Jeffrey Epstein for more than a decade and has done nothing to incarcerate or investigate the perpetrators of people who have exexploited children and girls from all turnover world and all over the country and from new york city public schools. I dont know the details about the epstein case, but it is still being activately investigated. That the u. S. Southern officers are still working on it. I cant believe exactly whats happening with that i will tell you that i could not disagree more with respect to your statement about the new jersey government being a terrorist. Thats preposterous. But with respect to the other matters, youre going to have to ask the government about that. Thank you. My name is anne virural. My understanding is that without getting too technical, that we have people saying its technically not feasible. On the other hand we talk about google. I know they have two different methods. For example when youre going to the cloud, and when theres a gap between switching from the one modal to the other, thats where google goes in to get data that they use for marketing purposes, etc. My intuition is that as a point of fact the f. B. I. Does have access when it wants to from the technical perspective. But the issue is that then the d. O. J. Cant quite use that information because its sort of its, you know, fruit of the poison tree so is in this a legal matter. Sounds like its a legal matter going back to your congress point. But technically even already what we call end to end has numerous snap points where entities either malfactors or the f. B. I. , the government said they can get in. Thats really not issue. I would be interested on your thoughts like that. To interject a little bit. When its end to end, the end points are themselves a point of access. So but whether the end be the stories on one end or the other [inaudible] so that happens in software. It would depend on the software and the provider. There has to be some sort of interjection of logic in the software that picks up on the data. So that would be exploiting the software that the vender provides. I dont believe facebook is looking at doing it. Theres a number of steps where it can happen. I asked nate cardoza. Couldnt you have where the receiver gets the message and you can process it like its harmful . It requires too much overhead in different places. It totally breaks the whole idea. It ends the privacy. So, you know, it is a good question whether in terms of that sort of surveillance is a solution from the from the department of justices perspective thats something do not require the change in software. Shes asking so the way encryption over the wire works is its encrypted in one form. But when its stored, you get it encrypted in another way. With google it is encrypted by user credentials. Its a totally different type of encryption and story. To get the information as passing over and process it for security i dont have the answer to that technical question. But the questioners made a point, ive seen on both sides of the debate. Some companies will address it. Look you have says to all these categories of information. You get these things. So isnt that good enough for the government . If we should get access to these other things, why cant we get access to this . Youve made Business Decisions to maintain lawful access. You dont say they are secure. Its impossible to do this. Very Sensitive Data on these other platforms but. But were going to maintain access for these systems. Were allowing you to have these others ones. If you can allow access of ease, why not these others ones . Because it exists today. And every company here represented or otherwise will tell you there are plenty of systems that are secure. And theyre going to maintain access. But theyre not going to go to end to end encryption. If youd like to respond to that in any way . Well, its apples and oranges. Its up to the user to decide how much risk theyre going to take on. So if youre using an email system where when i send you an email its encrypted while its traveling, but the company can look at it, we know that. And we can make a risk base assessment and whether we trust the company. In certain circumstance, however, we dont want to deepen in doing that. I want to send you a message. And i want it to be the case that only the two of you can read it. Thats all its about. For whatever reason thats the risk we want to take or dont want to take. And so yes, in certain circumstances the Companies MakeBusiness Choice and the customers should make choices or they accept the rising or whatever. This is multifaceted world today. Encryption is out of the box. The cat is out of the bag. And its not coming back in. Its the world we have to figure out how to do well. Its been business reasons. But it is policy reasons. We care about our users privacy. We care about making sure that they can have Sensitive Communications in a way they dont have to worry about it being exploited. Because there are many, many Cyber Security threats and so whether its store data and the billions and billions of records that are the subject of data breaches every single year or other forms of exploitation. What jim is saying is right. The worlds dangerous when it comes to Cyber Security. But you know, youre also extremely points about the importance of that we provides strong encryption and find other noncontact base waves to address the safety issues because we are committed to safety. We are exited to continuing to be the Industry Leader in the space. And we really value and are appreciative of the incredible work Law Enforcement does to keep the public safe. Were doing our part. Thanks to the three of you for this. And we could go on for hours, im sure. I know many of you still have questions. But lets take them off stage. So thank you all for coming. Thanks for watching and thank you for being here to talk about this. Very important topic. Thank you. [applause] thank you again. And thank all of you. Both here and at home for tuning into the 2019 cato surveillance conference. Usually i end these days sobered and horrified by the amazing range of ways that were observed. Thinking about the number of people that im thinking about. How to insure that they are kept in their proper place. I just do want to one more time thank not only all our speakser but diana graham. Shes done all of the hard work. While i get to stand up here and look very clever for having assembled all this. Everything that actually makes this conference come together and work so smoothly is to her credit. Please join me applauding her. [applause] rather than stretch out the closing remarks, im going to invite everyone because for those at home im sorry why you attend in person . To join us for some beer and win doeurves. S [captions Copyright National cable satellite corp. 2019] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. Visit ncicap. Org] cspans washington journal, African American studies professor Carol Anderson discusses her book one person no vote. Washington examiner editorinchief will be on to talk about conservatives and the trump presidency. Be sure to watch washington journal live at 7 00 eastern this morning. Be sure to watch authors week all this week starting at 8 00 a. M. Eastern. Congress returns from work the first week of january. Here is what ahead. The house needs to decide on impeachment managers and send articles of impeachment over to the senate. We expect the senate to take up the u. S. Mexicocanada trade agreement known as usmca. Congress will hear President Trump deliver the state of the Union Address on february 4. Watch the house live on cspan and the senate on cspan two. The house will be in order. For 40 years, cspan has been providing america unfiltered coverage of congress, the white house, the Supreme Court, and Public Policy events from washington, d. C. , and around the country. Cspan by cable in 1979, is brought to you by your local cable or satellite provider. Cspan, your unfiltered view of government. Constitutional litigator Justin Pearson talks about licensing requirements. Next, he discusses the cases and the work of the institute of justice at a Federalist Society event in montgomery, alabama. This is just over an hour. Good morning. Welcome to the montgomery Federalist Society. Im president of the montgomery chapter of the Federalist Society. Im excited to have you here today for our topic on occupational life insurance. Occupational licensing. Occupational licensing l