I will get started in encourage everyone to congregate again. Thanks to those who stuck with us, at the 2016 cato institute. This is going to focus on the intelligence aspects. We tend to focus on the Fourth Amendment and do medicinmestic. This is really global in scale and so as a result it has implications for the human rights of people around the world but also for our political and diplomatic and economic relationships with other countries, in particular the economic interest of u. S. Businesses who hope to do business around the world. We have allen butler who will talk about the sh rerems case. And talk about cross data, in figuring out what kind of jurisdiction applies with regard to Law Enforcement. Thanks for having me. Im happy to be here today to speak with you about a new International Dimension over this u. S. Surveillance authorities, many of you probably know about the sh rere decision, it was used by businesses to transfer personal data between the u. S. And the European Union also led to a mandate of privacy agreement between the two governments and open up new challenges to surveillance activities, historically the movement has applied to statutory when you think about the there have been groups engaged and vocal on these issues, but these International Issues havent necessarily played a major role on policy making in surveillance but that all changed after 2013 and the snowden revelations, especially in the eu for surveillance abctivities, in th eu in particular theres a strong independent Enforcement Authority by regulators in each of the membered countries and traditionally these data authorities have focus on the action on private companies but the Prison Program provided for the European Court a clear link between the actions of companies that collect and transfer personal data and the surveillance activities of the u. S. Government and didnt help under section 702 ignores the privacy interest of foreign citizens in the u. S. But at the time prior to the sh re shrems case what leverage it would have to push back on this broader sense it was being revealed. Then an individual mark sh rere filed a suit. And exposed him to these surveillance activities through facebo facebook. They have Major Business productions, and they had authority to bring it for the eu charter. The eu privacy directive specifically applies tony company that is processes personal data in europe and limits the ability to transfer that data to other countries in particular when those countries do not provide adequate protection for that data or equivalent protection to that data relative to whats provided the eu. So that transfer of personal data between the eu and the u. S. Specifically has historically been authorized that the go governments entered into called the safe harbor agreement that they could sign on and agree to and therefore transfer data freely the between the two countries without the fear of violating the directive or eu law and this was called into question on the sh reremshrems they argued it was exposing him to u. S. Surveillance, the Protection Agency in ireland couldnt find an action against facebook because they were through safe harbor, a question was sent up to the highest court in the eu, and it was whether that safe harbor agreement was valid or whether that violated the fundamental rights and the eu privacy directive and ultimately the court of justice found it was invalid. It was held in 2015 and sort of the bombshell that dropped on the privacy world last year around central to this case was the surveillance alleged in mr. Sh rerem s case. And ultimately what the court of justice found was that the safe harbor agreement was nothing essentially more than an agreement that didnt provide under the directive. Its hard to under state how much of a fundamental shift this has caused between the u. S. And the eu as julian alluded to before. This has really created an entirely new dimension to the debate over surveillance activities in that now there are all of these companies that engage in these transfers of data every day. Lots of money at stake, and by knocking out safe harbor the court of justice really put a lot of uncertainty and a lot of risk for Companies Transferring data that are concerned now there will be major enforce. Actions brought against them suits against them for violating the directive and the deal thats been negotiated in the time since the sh rrem decision came down called Privacy Shield it is not at all clear it will be upheld by the court of justice either because again the court of justice ultimately focused on both the limited scope of u. S. Privacy protections and limited readdress for eu citizens for u. S. Surveillance activities and so with those two sort of looming questions there is now a new case being brought again in ireland again related to a complaint by mr. Sh rereshrems. And this case likely to go back up to the European Court of justice has to do with the only alternative mechanism at the moment before a Privacy Shield was put into place to transfer data and these are contractual agreements between the eu and the u. S. Also provided as a mechanism under the directive so here the companies essentially enter into a private agreement defined by the European Commission as adequately conducting personal data, but the same question is at issue which is if it is transferring personal data to the u. S. Are they exposing the eu individuals to the u. S. Government without providing for adequate redress, so it puts money in the stake over the debate over the scope of these surveillance protections and i think it raises a lot of fund mental questions about how privacy law will be structured in the u. S. One issue thats going to be coming up for the next 12 months is the renewal of the 702 authorities themselves. The next issue were going to see in the next few months and certainly the next 12 months is whether a new administration will Carry Forward some of the privacy provisions adopted by the Obama Administration and you know people have different views about how protective or not those provisions may be, but one of the fundamental flaws that the European Court is likely to recognize is relying on executive orders is that they can be resistecindrescinded. They dont exist in law. It will be a test in these cases and whats happening in a new administration for the courts to be able to watch as privacy law changes in realtime in the u. S. And react to that. And thats really this new dimension is to have an outside view of whats happening with u. S. Surveillance authorities Going Forward. So, thats the short 15minute version of the sh rrem s case. These cases are going to continue to raise really fundamental issues about how the u. S. Structures, its privacy protections to nonu. S. Persons abroad. So thank you. [ applause ] so, first a huge thanks to cato for putting on this terrific conference and for julian to inviting me to speak here today. I see two sides of the coins, data thats outside the territorial boundary outside of the United States and data that happens to be within the United States. In my view the current set of rules are enforcing arbitrary limits on where that data is held. It blaitly its divisaabili y divisaability these make increa increasingly arbitrary basis. They under cut privacy as well as security and Economic Growth and invasionovationinnovation. This was the issue that was decided this summer by the Second Circuit known as the microsoft ireland case, i assume everyone is familiar with it. It started back in december of 2013 when the u. S. Government served a warrant pursuant to the privacy, associated with a particular account. Microsoft turned over the noncontent data, things like name, ip address, but refused to turn over information that was over in ireland and therefore the warrant was invalid. This was not a traditional search warrant that involved u. S. Law enforcement officials crossing over into ireland territory and seizing property there, rather it was directed at microsoft requiring that microsoft disclose sought after communications, yes, the data was in ireland, but people in washington could access the data from the United States. It came to a compelled disclosure order pursuant to a second subpoena. Concluding that the relevant statute is about privacy not disclosure that it was an extra territorial search and the u. S. Pursuant to akba this case since the ruling has been sdw b described as a privacy wing be many. Im not so sure this is true. First remember the government got a warrant based on probable cause. It had not been able to access it had it been located in the United States and no privacy violation assuming that everything was fine with the warn warrant. It doesnt become a privacy thinks that any obstacle in the way of u. S. Law enforcement is a good thing. The end result means that if the United StatesLaw Enforcement officials seek data that happens to be outside our borders, it needs to now make a mutual Legal Assistance request for that data, and then the Foreign Government should it choose to respond access that data according to its own standards. In my would say, in most situations, those standards are lower, theyre less protective than a warrant based on probable cause overseeing by an independent magistrate or judge. And second, even if this case is about privacy, it is not at all obvious that as a Second Circuit concluded that the privacy intrusion occurs in ireland. Remember, microsoft already has access to this data as a caretaker. And in fact moves it around without notice to or consent by the user. Any additional privacy intrusion it seems takes place not when microsoft moves the data which it does anyway, but when that data is turned over to the u. S. Government. That happens in the United States. Not ireland. This ruling also has a number of potentially significant Practical Implications for the u. S. Ability to access data lawfully, even when the targets u. S. Based, u. S. Citizen and the government has probable cause to access that data because of where it is held. This happens for three reasons, first, the slowness of the mutual Legal Assistance process, it can be too long to be useful. Second, the United States only has mutual Legal Assistance treaties with about a third of the worlds countries, it may not have a workable means of accessing sought after data, and, third, not all companies are structured like microsoft which has a relatively location driven approach to how it stores and accesses data. Companies like google and facebook, for example, are constantly moving data around in ways that can make it sometimes hard to even ascertain where particular data is located at the particular moment that a warrant is served. But more importantly, a company like google, for example, has structured its operations so that its data can only be accessed by Law Enforcement teams that are located in the United States. Now, lets assume that the United States government serves a warrant on google for data associated with a particular account. If some or all of that data is outside the United States, google cant lawfully respond under the Second Circuit ruling. If the u. S. Government goes to that foreign jurisdiction, the Foreign Government says we would love to help you, but we cant. We dont have jurisdiction over the people who can actually access that data, you do. And the practical result is that it means there is no way for Law Enforcement to access that data, even pursuant to a warrant based on probable cause. Now, a big company like google obviously can restructure to resolve these problems, but at least in the short term this is a situation were in. And i think that this result has two concerning side effects. First, it encourages data location mandates as a means of ensuring access to data. Now, this isnt so much a trend in the United States, but rulings like the microsoft ireland case further incentivize foreign jurisdictions to mandate that data is held there in part to protect against what is often perceived as the big bad reach of the u. S. Law enforcement. The reality is, however, as i already stated, that in many cases the standards at those Foreign Governments will apply will be less protective of privacy rights than the standards that apply in the United States. And second, i think the reality is that powerful governments will find a way to access data if there is a sufficient need. And my fear is that a ruling like this shifts surveillance efforts into less transparent, less accountable, more surreptitious means of accessing data than a government like the United States might seek to access without independent review and oversight by a judge. Now, the governments appealing this ruling, i also think that there is problems with the governments position as well. And that the better ideal solution is for congress to step in and get involved. I encourage edge to read judge lynchs incredible concurring opinion in the Second Circuit on this point. In my view, and i deal on amendment, would permit the United States to access the Communications Content of its targets pursuant to a warrant, in investigations overserious crime, without regard to location of data. But also require the government and the reviewing court to take into account counterveiling factors like the nationality and location of the target, like the nature of the crime, like the laws of other nations that might preclude access and the potential conflict for with foreign nations. So as to help protect against the situation in which the United States claims access to data anywhere and everywhere without regard to the sovereign interests of other states. So now ill briefly turn to the converse problem, Foreign Governments seeking access to data located within the United States borders. So the same statute that is at issue in the microsoft ireland case also precludes u. S. Companies from turning over data to foreignbased providers, content of communications. So think about the same problem from the Foreign Government perspective. Uk Law Enforcement is investigating a london murder, the target, the witness and the victim are all in london. If they if the alleged perpetrator were using a ukbased provider, the uk could go the uk government, the Law Enforcement, could go to that provider and get access to that data within days, if not sooner. If instead the alleged perpetrator is using gmail and uk Law Enforcement officials go to google, google says, go through the mutual Legal Assistance treaty process, it takes an average of ten months for a response to be sent back to the uk, and just as u. S. Law enforcement officials are frustrated by the microsoft ireland decision, so too are Foreign Governments as a result of the inability to access data that happens to be u. S. Controlled. This is also in my view leading to a number of concerning responses, again, further encouraging data localization mandates, which i said permit governments to access data according to their own standards, often less privacy protective than the standards that exist in the United States. These kinds of mandates are also costly, they undercut the growth and efficiency of the internet and potentially shut out small startups from entering into the market because they simply cant comply with the cost of holding data in multiple jurisdictions. Were also seeing governments increasingly assert extra territorial jurisdiction without the regard to conflict of laws that ensues. This is not an academic hypothetical problem. In january 2015, there was a microsoft employee executive arrested in brazil, facebook facing similar problems as well. And as i already said, these kinds of restrictions also further incentivize and encourage surreptitious means of accessing data. So as with the microsoft ireland case, we need a solution. And i think we have a chance to design a solution that yields a race to the top, or at least the raising of baseline substantive and procedural protections across the board, rather than a race to the bottom where every nation is seeking access to data based on their own rules without regard to things like the nationality and location of the target and many rules many cases based on rules not particularly privacy protective. So recognizing this problem, the department of justice submitted legislation in the spring that would lift the blocking provision in certain circumstances. Specifically it would allow the executive branch to enter into executive agreements with other governments, allowing those governments to directly access content of communications from u. S. Providers so long as they were not accessing data of u. S. Citizens or persons in the United States in order to be able to enter into this these types of agreements. The attorney general and secretary of state would have to certify that the country metro robust substantive and procedural protections for Civil Liberties. And the request would also have to meet a number of requirements including the fact they were particularized, time limited, that they were reviewed or overseen by a judge or independent authority, that the information was not used to infringe on freedom of speech, subject to minimization requirements, periodic compliance reviews by the United States. And these agreements would also have to be reciprocal meaning that the Foreign Government would have to commit to allow the United States to make direct requests to foreignbased providers for u. S. Citizens, data or data of persons located in the United States. Now, we can debate the specifics of these kinds of proposals and i think there is areas where i would suggest changes. But i would suggest that this is the right approach and one that would, if adopted, raise baseline privacy protections as compared to the Current Situation where governments are increasingly being incentivized to pass things like mandatory data localization requirements. Such an approach also reflects the general premise that the United States has a legitimate interest in setting the specific substantive and procedural rules that govern access to data for citizens and residents, but does not have a similar justification in imposing the specific rules of a warrant based on probable cause when a Foreign Government seeking to access data of its citizens outside the United States, so long as certain baseline protections are in place. Now, notably the u. S. And uk have a Draft Agreement that would allow uk Law Enforcement officials to do exactly what im talking about, directly compel the production of Communications Content from u. S. Based providers in certain circumstances. But this cant happen without legislation. I know it is a hard time to predict what is going to happen in congress over the next few years, but i would say that i think this is and should be an issue that crosses party lines and congress has an important chance to design a rational and comprehensive approach to the question of Law Enforcement access to data across borders, addressing both the question of u. S. Government reach and also amending the laws to allow Foreign Governments increased access to u. S. Held data according to baseline privacy protections when certain conditions are met. In my view, these jurisdictional rules should focus on things like the location and the nationality of the target, rather than the location of the data, and that failure to take these steps will have negative consequences for our security, our economy, and our privacy. Thanks. [ applause ] thanks so much. I absolutely urge everyone later as you head to the reception to grab a copy of her excellent paper on this topic. I want to invite our final panel of discussants to the stage. Last year we started a new tradition at the cato surveillance conference by having a prominent civil libertarian, in that case, curt from the frontier foundation, an extended debate, dialogue with an official from the Intelligence Community in this case, in that case it was Becky Richardson of nsa and that yielded such interesting results that why not repeat the experiment. See what happens when you get two people who care deeply about privacy, one to simply an external critic, one working within the Intelligence Community and see what they think are the important issues to talk about. And of course to introduce our discussants and moderate that conversation, we have another cato surveillance conference tradition of sorts, hes been, i think, at each of these since even before it was called the surveillance conference and we did our first postsnowden full Day Conference on the National Security agency, Pulitzer Prize winner Charlie Savage, who is National Security reporter for the New York Times is absolutely essential to understand what is going on in the intelligence world. And whose book power wars, an absolutely invaluable guide, most thorough and comprehensive and thoughtful analysis of what intelligence and Security Policy under the Obama Administration has emerged to be. I will turn it over to charlies capable hands. Thank you, julian. Can everyone hear me all right . So, here we are at the end of the conference and three years, three and a half years now into the post snowden era. We have been living under the usa freedom act for 18 months now. Heading into another reauthorization year for the fisa Amendment Act. And it is a great time to wrap up the day and the year to some extent with an overview of where we are and where we might be going across three or four different cuts in the surveillance world. To help me do that with you today, i have two great guests, one is alex joel to my right here, the chief of the office of Civil Liberties, privacy and transparency at the office of director of National Intelligence. He played that role since 2005 when the office was set up. And hes also the chief transparency officer. And after getting out of he began his career as a jag attorney in the army, after getting out of military, he worked as a Technology Attorney in the private sector. After 9 11, he decided to rejoin the government in the cias office of general counsel before he moved to odni in 2005. I think we were talking in the green room before, we came out here, i asked alex to tell me something about him that people in the room didnt know, something that wasnt his resume item. And what is it you told me . I swim every single day. How do you have time . We have to wake up very early in the morning. How early . About 5 30. Youve been up since 5 30. And where do you swim . A couple of different locations. Primarily the Sport Health Club in mcqueen. Why do you swim every day . It is good to stay in shape. I have found that actually the secret to keeping swimming the swimming is a tremendous exercise, i already had this conversation about swimming. Just briefly. The key is audio books. If you listen if you have a waterproof ipod and listen while youre swimming, the laps go by. I understand also youre the last person standing in odni who has been in that role the entire time. I think so. I havent done a full audit, but i believe so. All right. My other guest is Jennifer Granick, director of Civil Liberties at Stanfords Center for internet and society. Teaches internet law at stanford law school. She also served as the Civil Liberties director at the Electronic Frontier foundation from 07 to 09 or 10. 2010, sorry. Youre the author of a forth coming book from Cambridge University press called american spies modern surveillance, why you should care and what to do about it. Sounds like the audience might be interested. When is that book coming out . It is going to be out in the beginning of january, surveillance law and policy written for a general audience. In an effort to be understandable, and accurate, and give people kind of a framework for thinking about the surveillance policy debate with a definite Civil Liberties bent. When i asked you something about yourself, you said youre a enthusiast for something called tech and five. What is that . One of those hand to hand combat video games and in japan, downtown san francisco, there is a video arcade that has only video games that have been imported directly from japan. My daughter really likes it because there is a character that is a kangaroo, so she is always the kangaroo and then the kangaroo and i beat each other up. It is good therapy and a nice past time. What character do you play . I just go around, you know. I try to i can tell you that my other daughter was playing her and she got this one character and my daughter said to her, you know, the women are always skimpily dressed and the men look like demigods and my daughter beat the computer playing the really masculine looking guy and my other daughter said, youre so good, you beat that guy and youre barely even wearing a shirt. All right. Lets get into it. I think part of what this audience wants to be to walk away from this conference was, of course, deep dives into all kinds of different weeds. But one of the reasons were able to do these deep dives in a way that we werent before 2013, you can have an annual conference at surveillance and a lot to talk about is because we know so much more about what the government is capable of doing what the rules are for that, whether those rules are being obeyed and so forth, than we did before the snowden leaks. How from your vantage point, chief transparency officer, i think a role that didnt exist before a year or two ago, you know, how has the odni and cia and nsa changed in terms of its ability to or willingness to or seeing the value of talking to the public about what it does . Right, so i have been in a community which values secrecy and were built for secrecy, we hire people based on, in part, based on our perception of their ability to maintain the confidentiality of the information inside the government. We have secure facilities, secure systems, we do a lot of training around keeping secrets and thats important in our business because, of course, as i said, in other context, a fully transparent and Intelligence Service would be fully ineffective. Our effectiveness to a large degree depends on the people, the adversary, not knowing how it is that were using different techniques and sources to discover them and detect their activities. So when you come from that culture it very difficult to sort of get people thinking about being more open and public and transparent. Ive been doing this, as you pointed out, since 2005. And never before have i experienced a community that is as engaging with the public as we are now. We still have a ways to go. I think one of the lessons that certainly i learned and a lot of folks learned in the last three years is that you can have as much oversight as you can you can design and put in place. We have all kinds of different oversight structures that can be rather complicated. I called it a system of many layers with many players. We have inspectors general, lawyers, my kinds of offices, we also have oversight committees and we have the Foreign Intelligence Court, the intelligence oversight board, all the entities have clear personnel that can see information in a classified environment. Which is critical, i think, for our democracy to have people who have who are in an oversight capacity to have the clearance to see the things that were doing in a classified manner. You can have these rules, have oversight and thats necessary but not sufficient. One of the lessons we learned in the last three years is you need an additional element, which is transparency. And it is not easy for the Intelligence Community to do it. It takes a lot of time, effort and attention. But i believe that this is an enduring value that we have learned in the last three years. You have to find ways to be more open about what you do. Let me follow up on that briefly. I certainly as a reporter who was covering these things and asking questions and filing freedom of information act lawsuits and so forth noticed that the nsa and odni as the controlling entity for how the response to snowden would play out became gradually more willing to affirmatively say this is whats going on, not to fight the foia case but say you have the documents, give us time to redact them and i appreciated that very much. Im not sure that moment is going to endure the way you just suggested that it would. I certainly think other parts of the correct me if you disagree, other parts of the Intelligence Community that were not forcibly exposed like the surveillance world was, such as the Central Intelligence agency, i think never went through that cultural change. And i one thing ive been thinking of lately is that the usa freedom act, one of its provisions was that the intelligence court, the fisa court, had to make public when it has made its novel and significant interpretations of surveillance law. And the provision doesnt say Going Forward. It is ambiguous, the government shall make public these things. It raised a question about whether fisa Court Opinions that are novel and significant, enacted between 1979 and 2015 must also now be made public at least in summarized form. The Obama Administration has taken the position in court that, no, it only applies Going Forward. If this is a new culture of transparency, what is the justification of the rational for not just saying, yes, here is an important opinion from 1988, you can have it. Here is an important opinion from 2003, you can have it. I wont get into the legal discussions regarding the interpretation of that particular clause and the context of whatever wherever it is that is being discussed at the moment. I can just say more generally it is our intent to go back and look at all the significant opinions. So thats something that is happening. Whether or not it is a statutory requirement, it is something that is trained right now. One of the points that i was making at a Different Forum is when you look at transparency, there are Different Reasons to provide information to the public. Some of those are in response to mandatory legal requirements. You mentioned the usa freedom act. We must comply with the usa freedom act and that acts as a prioritization mechanism on what it is we do. Another one is freedom of information act. Once a freedom of information act goes into litigation, you have to follow the course of that litigation and there are going to be Court Deadlines and court orders that you have to comply with. And then under the executive order for classification, for National Security information and the u. S. Government, there are various processes that also require us to review tranches of classified information, for example, the 25year automatic review, classification challenges and mandatory declassification reviews that are filed. All of these external these hard requirements, legal requirements necessarily drive a lot of the machinery that has to be put in place to provide the transparency. It can be very painstaking. Have to go line by line to determine what can safely be released and if there is a risk to National Security what that risk is, bringing the experts, et cetera. Part of what were doing in the transparency world is not only looking at that responding to the mandatory declassification and disclosure requirements, but also looking to be more proactive. To say what is it that we can do to better explain ourselves to the public. And in that regard, we have been engaging with Civil Society, getting their idea, requests, trying to figure out what is in the public interest, what we can do to better inform public discussion on important issues. I dont think i do think thats enduring. Thats something no matter what agency you are, we all experienced the last three years, we all experienced the very significant and vibrant discussion and debate about the legitimacy of certain intelligence activities and i think intelligence agencies have gotten the message we have to figure out a way to be more proactive and strategic Going Forward about the information we provide the public. Let me turn to jennifer then, think about Going Forward, so the most significant event that we can see on the horizon for the world of surveillance is the scheduled exploration of the fisa amendments act and the end of 2017. Of course, no expectation that it will not be renewed. But it is an opportunity for amendment and extra provisions. What are the sort of three big issues in take away that people should watch for as that debate unfolds . So one big issue and directly in response to alexs comments is about, you know, transparency, but i would put it a little more broadly, accountability. Right. And i think that while the Intelligence Community has come a long way from where it once was, it has not come nearly far enough in terms of revealing information to the public. There are secret legal interpretations of very important key terms in intelligence law that the public doesnt really know what they mean or how theyre being interpreted and it hinders our ability to understand what kinds of surveillance are being conducted. And whether we support that kind of surveillance and whether the safeguards are adequate. You see an opportunity in the fisa amendments act reauthorization bill to do what . So, you know, everything is up for negotiation, once the bill is going to expire. It is going to be gone and we can ask for more things. Releasing fisa Court Opinions, particularly i think people rant to know what the definition of key surveillance terms are. What is facility . What does it mean to target . What is the interpretation of u. S. Person . What kinds of materials, importantly, does the government treat as protected by a reasonable expectation of privacy . Because all of the fisa electronic surveillance definitions depend upon collecting information to which there is a reasonable expectation of privacy. And we have this ongoing debate about very sensitive personal, private information where the public doesnt really know exactly how the government treats it and if they treat it as an expectation of privacy or not. If there is no expectation of privacy, either another statute has to protect it or it is not subject to fisa because it falls outside the definition of electronic surveillance. Just examples. Email, with we still dont really know 100 for sure that email is protected by the Fourth Amendment or what about documents that are stored in the cloud . So noncommunication. Better information that could come out secrecy. Understand its powers and that could enable change to the rules. What is a substantive change to the rule that reformers want specifically that also could be part of this bill . Yeah, so i think there is two big things that are under discussion. One is scope and the other is usage. So scope, section 702 of the fisa amendments act allows targeting of foreign or overseas for any foreign intelligence information. Without a warrant. Without a warrant. Warrantless surveillance for of any foreign intelligence purpose. And that is a very, very broad category, well beyond National Security and counterterrorism to anything we might be interested as a country. So what that means is two things. Number one, it means when americans talk to foreigners who are of interest in these categories, our communications are wiretapped as well. And it means that foreigners who may be targets or talking about targets, they get picked up for the very broad category also. And thats causing immense amount of international consternation as people realize our law is collecting on them as targets without a warrant in this very broad way, well beyond what their National Laws with allow our human rights laws necessary and proportionate test for whether the surveillance meets the human rights standard. To be clear for people, were only talking about collection inside the United States here. This is when the u. S. Government goes to gmail or to at t and wants to look out in the world. Without fisa regulations. But this is where they go to u. S. Companies, or doing surveillance on the internet backbone and saying to these beloved brand names, give us information about your users, and there is the economic problem is obvious, which is that people dont want to use companies that are have to give over their information without a warrant to the u. S. Government. But the problem for u. S. For americans is broad as well. We learned there is a vast amount of americans, private information, that ends up in these databases. You would like to see the allowable scope of surveillance under this law be constrained in some way to what . What is the delta . National security counterterrorism. Not economic. Right. You see that as politically possible . I dont know. You know, i dont live here in d. C. I live in san francisco. So it is, like, a whole different world out there. And i think that there is people tell me that there is less of a chance in some ways for surveillance reform now with republican in control of both houses of congress. I find that hard to believe. I think now is a time where people who are paying attention are thinking actually quite the opposite this is a time to restrain government discretion and to make sure that robust rules and checks and balances are in place, you know, more than ever before. I think it is possible. The other theme you mentioned was usage. People hear about the back door search loophole. What is that and how does that intersect with this . Once information is collected, under section 702 from the companies, so under this section that is expiring from the companies. Without a warrant. Without a warrant, that warrantless collection goes into a database and the fbi, a Law Enforcement and domestic security agency, has access to the raw data in that database. And what they are allowed to do is to search, they call it query, search is a constitutional term, is to search that database for information and including looking for information about americans for criminal purposes. And this is called the back door search loophole because to get access to that information you have to go to a court, show probable cause, get a warrant, execute the warrant through the regular criminal procedures, give notice and all of that. What is happening here is by creating this vast database of information of Americans Communications with foreigners, then you have this vast database that the fbi is allowed to go to and query. The usage restriction would be either dont allow it at all, we collected this information, and in the name of counterterrorism and National Security, use it in that name and dont, you know, do an end run around it or at the very least you have to go to court and get a warrant and show you have problem cause to look for this information as opposed to the way it is now, which the fbi can access it for assessments, basically fact free. So let me turn back to alex. Not to put you on the spot as a person, but is the governments representative, can you articulate the rebuttal, why has the government resisted the idea that if at least in the criminal investigative world if an fbi agent wants to look in this database to see if a criminal ordinary criminal suspects private messages have already been collected, the government the fbi agent ought to be getting a warrant before trying to pull that message up and read it. So i have to take a step back and address this more broadly, i think. First of all, i certainly agree with some of the points youre making about the transparency of legal rulings and legal definitions. I think thats a priority of ours, we have to be more transparent about that. In terms of the scope, the scope is is foreign intelligence as defined in the foreign Intelligence Surveillance act, the actual conduct of the targeting of foreign intelligence, for intelligence purposes under section 702 is subject to a rigorous process. We have something called the National Intelligence priorities framework. But lets assume i was communicating with a legitimate, followed all the procedures, not a terrorist, just someone who knew about the thing, and my email is not targeting you, youre targeting that person. Why should the fbi have to get a warrant to read my private message if im the one hes interested in and im the one hes querying. We believe the original collection is targeted. So the original collection is targeted at a legitimate foreign intelligence target. Were not getting all of your email. Thats right. Were only getting the email communications of you and this carefully focussed foreign intelligence target. If there is a Fast Breaking situation, where we need to find out whether or not an american that has been involved potentially in a terrorist incident inside the United States is in communication with somebody that we already have collected on, thats the rational. You need to move quickly, you need to identify whether we currently hold the Communications Information that could help us prevent something from happening in the future. Now that sounds like youre searching in the name of the terrorist who just committed the attack. Not searching on the name of the american it could be an american who is involved in some terrorist incident inside the United States and we want to see if hes getting instructions from abroad. You think the government could live with a warrant requirement as long as there is an exclusion for a fast moving National Security crisis . The governments position has been no on that point. Im wondering, is there some snappy because or why should we constrain our powers . There never has been a inhibition on using data lawfully gathered and so, no. It is essentially because you dont know when you might need to get the data quickly and we dont want to constrain the Intelligence Services from being able to do that. From a Civil Liberties and privacy perspective, i understand the concerns. We do try to put in place checks and policies regarding oversight, documenting these queries, the reason for the queries, providing oversight for the department of justice and odni on the queries and reporting any incidents to the board. I understand the concerns. We feel the current structure is sufficient to address those concerns. Lets move on to the i can Say Something about that. Sure. Until we know how many of these back door searches the fbi conducts and how the volume of information they pull out of this, there is really no way if thats like an internal assessment, but the public and lawmakers need to know that answer to say we like this or dont like this. It is not just an emergency. What would be the answer . Ise wont tell us. The Intelligence Community wont tell us, they wont count. And Congress Asked many times how much american information is in here, how much back door searches are you is the fbi conducting and they and we dont know. The information is kept, the information they get from the company is kept for five years. And there is not, you know, any there is no documented there is no facts that need to be shown to a judge in order to get it. It is really it is really kind of, like, taking advantage. Nsa and cia are required to we publish those statistics of the number of queries they do. The systems arent set up for that. We understand that that has been a request from the hill as well as from the Civil Society organizations that we deal with. And fbi is still trying to figure out how to do that. My understanding about why the fbi cant do it is that when youre an agent and youre saying im interested in Charlie Savage and put in you do a database search on Charlie Savage, it is a fed rated search that hits all the databases in the fbis collection. And brings back results as they are. But that means that there is not a what does that mean, that means every single search by an fbi agent at all times, in some ways count as a back door search, even if 99. 9 of them never bring back anything from the right. A misleading number. Only certain fbi agents are allowed to see the result if it comes from a 702. Without getting permission. Permission to see the result. Do you know if agents asked permission and never been denied . Were working to release that. The court, if you look at the opinion from on the november 2015, i think it is, the foreign Intelligence SurveillanceCourt Opinion on fbi minimization procedures posted on the record, address that issue, there was an amicus who argued that the fbi query process was inconsistent with the statute, inconsistent with the constitution, the court held that it was consistent with the statute and the constitution, but decided to order fbi to count the number of times a return resulted in a nonfi query situation. So fbi has been implementing that order and we are thats one of the things were working on. Youre going to try to classify. Do you think thats imminent before the Administration Leaves . I hope so, yes. If it is all the back door searches just the one that the Court Ordered to be disclosed. That the study that the Court Ordered. I dont know the internal architecture of how you have of how the fbi has its systems, but database experts said it is not a big Computer Science hurdle to say, you know, there were this many queries where data came out of this particular database, data has to be treated in a certain way, it is segregated. Have you seen that data . Can you talk about it . I have. Will people find it surprising when it comes out . I wont speculate. All right. Lets move on to the world of executive order 12333 is the internal executive branch rules for surveillance that is not regulated by the foreign Intelligence Surveillance act. Fisa regulates only collection from a wire on domestic soil, where at least one end of the communication is domestic. So it doesnt cover sucking up data from satellite transmissions, doesnt cover intercepting stuff from fiberoptic cables abroad, doesnt cover foreign to Foreign Communications intercepted as a transit to the United States. Huge swaths of what the nsa does is not covered by fisa. This raised the reason for that architecture it was designed in the 70s for phone systems in which that happened here stayed here, what happened there stayed there. And, of course, now in the internet era, just as jen daskal was explaining in the last session, stuff that happens here is found there all the time. Stuff that happens there is found here all the time. Thats one of the reasons for the why the fisa Amendment Act allows collection here of foreigners data without a warrant, a reform that came out of pressures that arose because of the rise of the internet. So keeping the theme with alex here for a minute. One of the wrinkles arising out of our greater understanding of 12333 and fisa has been an awareness that agencies have increasingly since 9 11 been engaged in sharing raw data with each other. That is to say unminimized data, data that has not had privacy protections put on it yet to screen out the names and irrelevant personal details, americans. So used to be that the nsa only would have this or the fbi only would have it and to disseminate that information elsewhere in the government, they would have to process it as a protection measure. After 9 11, there was a desire to tear down the barriers, maybe someone at the cia would see the clue that would have been redacted because the nsa person didnt know it was a clue. So there was in the world of fisa a great effort to share raw Data Collected under fisa, now goes at least known to go to four agencies. The fbi, the cia, the National Counterterrorism center and the nsa. And bob litt, general counsel where you and i work, has talked publicly about how there is also an effort, which has been lasting eight years now, to develop procedures that will allow data that was collected under 12333 rules also to be shared with the cia and the fbi. And we dont know what the rules or limits on those things are going to be yet, but this has been in the works for eight years. Bob said in february that it was imminent. Where are those procedures . Imminent. Imminent. Whats the problem . You think it is going to happen before this Administration Leave or is it in collapse . No, i think it will i think were on the road to getting something finalized and released soon. Obviously government takes time. Has there been some substantive issue and if so, what has held it up . The government takes time. Just to give the context for this, under section 2. 3 of 12333 it talks about protections for disseminating, collecting, disseminating u. S. Personal information and says intelligence agencies can share that u. S. Personal information with each other because everybody has guidelines designed to protect that u. S. Personal information. The change was that in 2008, they added a change so from 1981, it said except for signals intelligence information cannot be shared. They would retain it until deciding to retain it in a report. In 2008 a report was made that for that kind of signals intelligence information, that could be shared pursuant to procedures established by the dni and approved by attorney general in coordination with the secretary of defense. Thats what you have been talking about that has been in works for a large number of years. Its not like right when they signed it we, went to the attacked 2. 3, but yes its been going, as i like to say, at the speed of government. So we are, i think so the basic structure will be that signals intelligence information can be shared pursuant to an elaborate process where there has to be a determination at requesting agency. Has everything. Has a need for the information and has put in place structures and processes that essentially will give the protection, same protection to the information that nsa provides under their rules. So the big difference, big difference, between surveillance and fisa surveillance whether fisa with or without warrant is that fisa surveillance has to be targeted. You are looking at one specific person for one specific reason and if someone is communicating with that person okay it does communications as well. 12333 vacuums up the whole pipe. Again it is supposed to be happening abroad even for foreign intelligence purposes. As you were saying earlier when we were talking about the back door search, loophole, in terms of fisa, not like they would get all of my communication, just the email i get to that foreign intelligence target. That reassuring constraint would not exist if peoples information was vacuumed up into 12333 surveillance. Can you tell us, preview the big question which would be will these procedures let the fbi query u. S. Person data for criminal purposes once they get access to 12333 bulk collection. Just to clarify what you are saying about 12333, if we target any american no matter where in the world we are required to get an individual court rule. Were talk ing about bulk collection that targets no one and gets a million people. To the extent that collection is not as not target so this is where i wanted to step back and talk about the way we do targeting. Targeting is something that is specifically been described for section 702 but also happens for 12333. There is a process by which intelligence agencies go through and to the extent that targeting can happen, all map basis, thats what happens. If we can get the information individually targeting a communication overseas, thats what happens. Under president ial policy directive 28, we put in place a process for limiting the use of information thats collected in bulk. And basically there we are saying, we have to tailor our collection to the extent feasible. If it is not feasible to tailor the collection and still obtain the National Security information, we can do things in bulk. For u. S. Person information, nsa still operates under ucid 18. Which is the detail requirements of executive 12333. And under that use of that United States singles intelligence directive they are also supposed to narrow as much as they can when they think theres going to be significant amounts of u. S. Person information involved. There is a narrowing. Under ucid 18, if they do a query of a u. S. Person they must get attorney general approval based on probable cause. There is a specific limitation for querying. I wont comment specifically on one agency or another but broadly speaking what we do with 2. 3 procedures is try to make other agencies protection comparable. I think i heard you Say Something that also went directly to what im saying which is under the president ial policy directive that handles bulk collection, it is only permitted to be used for one of these six purposes and some of those purposes may be criminal but they are criminal as a Super National level. They are not not like this guy attacks right. We will see if he has information. Right. Let me turn back to 20 minutes, all right. Let me turn back to jennifer. You want to critique anything he said. One of the things that we know about targets gives us great pause, right . Because you know, targets can be, you know, we are thinking, a lot of people think about targeting as a particular bad guy. But targets can be the french government. Or targets can be, and we have seen documents from targets, are doctors without borders. Even organizations that are not american are targets. Lots of people that is legitimate . Why is it legitimate . It collects a lot of american information because people that are not foreign intelligence interest end up being part of the take there. And the rules we have dont adequately protect people when the targets are of that nature. Because the collection ends up being so broad. And so, you know, i think we have a lot of reason, even under title 1 fisa where you have to show probable cause, we have seen the heads of prominent groups like care, targets for which there is supposedly probable cause. There is a lot of reasons to be concerned about the way targeting is happening now. But i think one of the things to be extra concerned about is that we are about to have a change in administration and these rules are executive branch formulated rules. So executive orders can be changed. They dont require you to go to congress. And executive orders can be kept secret. Targeting provisions needs, we didnt know what they were until snowden leaked them. But they need targeting provisions for 702 and for regular fisa have to go to the fisa court but fisa courts ability to oversee it is statutorily limited. So we have this problem that things could be changed. Let me ask, before we turn to looking forward okay. Lets stick with the theme of part of your critique is a lot of american stuff gets sucked in as well. But it is also a nationalistic frame. We care if our stuff is collected but maybe we dont if someone elses stuff is collected. Lets crop that frame and think of it from a more Global Human Rights perspective. Nonamericans abroad. Think they have privacy rights, even if it doesnt come from our constitution, we mentioned earlier, ppd 28 will. President ial policy directive 28. Can you lay out the ground work of what that was and sort of what it means, not from an American Perspective but from a global perspective. Yes. After the snowden revelations, as i said, there was this International Outcry from people who are not americans who were beginning to get a sense of the scope of u. S. Surveillance directed at them or opportunistically gathering their data. So one of the postsnowden reforms and people feel this is a positive result of the disclosures was ppd 288. So president ial policy directive. And it does a couple of things. One thing it does is limit use to which can you put collective bulk signals into six major categories. What are examples . Counterterrorism. Weapons proliferation. Big stuff. And still remains this question of what does it mean in bulk . If your target is yemen and you collect everything you can that comes in or out of, or inside of yemen, is that bulk or is that targeted and the target is yemen . So there are still questions about how that is interpreted that we know and what that means. It does say to people if your stuff is opportunistically collected in this way we will use it for these big National Security things and not just for anything why was that a big deal . What was unprecedented about ppd . Before ppd 28, that information collected in bulk about nonamericans can be used for whatever. There is a sense that nonamericans have privacy interest that needs to be protected by rule. Yeah. And not just privacy interest but Free Expression interest. Right to gather politically. Freedom of religion. So all of these other interests that statutorily may have been protected or policy wise may have been protected for americans. There was nothing for foreigners. This was an effort to say to foreigners, you know, if we use your stuff, then its going to be for a good reason. Or if we get your stuff yeah. Let me turn to alex. You live in this world. Right. Since we have been under ppd 28 for almost two years now, do you detect disgruntlement like in the world of drones, i know the agency and military chafes under the president ial policy guidance that limits their ability to fire outside of hot battle fields and wanting to get out from under that. I dont know actually the answer to this. Is ppd 28 will propose did you know the answers to the other questions youve been asking . Well does the Surveillance Community chafe under ppd 28 or are the six categories broad enough that basically it is fine . I want to make clear it is more than just the bulk collection. There are two other critical sections to ppd 28. They are safeguarding personal information. So information that is that the basic without getting into the details, basic directive there is that agencies have to apply comparable protections when they retain and disseminate nonu. S. Person information as they would to u. S. Person information. And we have to put in place policies and procedures to make that happen. We have published those policies and procedures. There is another one that requires policy makers to be involved in the signals intelligence Decision Making process to make sure that we are taking into account all of the risks involved in this. Relations with Foreign Governments. Privacy risks. Other similar kind of risks that previously were not part of this formal structured review. If you target Angela Merkels cell phone dont just do it at a when level. And as part of that review process, we could expect to see human right organizations come up in terms of that. That would be something we would weigh in on as being a problem if it were to come up for example. Something that might be targeted. And we have talked to human rights organizations about what our general views are on that. Have you seen signs of friction . It is fine. It is internalized. Any Intelligence Service around the world, the natural way to constrain an Intelligence Service, the main concern is that the Intelligence Service not turnity focus inward. Thats why jennifer and colleagues and others have been focused on what are we doing with these powerful tools and authorities regarding our own citizenry and democratic process. Are we interfering somehow with the function of our democracy . One of the lessons we learned from the hearings in the 1970s is it is important to stay turned outward. So the culture and in the Intelligence Community has been, be very careful of what you are doing in the United States and what you are doing with u. S. Persons and focussing on foreign intelligence. Unless you fit a narrow category or constraint and go through the legal procedures. I do think it was to some degree a change in thinking to say now, while youre turning outward these protections we put in place for u. S. Persons for all of the reasons i just said is lessons from the church and Pike Community hearings we have to start about thinking about requiring that to everybody regardless of nationality. That is a change, at the same time, it hasnt been, you know, if you read how its written and how we try to design it, we try to design it so it fits within the natural course of business foreign Intelligence Services so it is nothing they would view as extraordinarily burdensome or Something Like that. Some of it is new. But i think it is working very well, myself. Okay. One last question on the topic of foreigners. One of the great dilemmas is also reflects what jen was just talking about is that on the Internet Data is everywhere but law regulating data happens on specific chunks of the planet which may have different regimes that conflict with each other. Which raises dilemmas when you have robust democracies with different rules trying to share data with each other across International Lines where one system doesnt line up well with the other one. So there was a great effort this year and a deal struck with the European Union trying to resolve this issue called Privacy Shield. What is the oneminute take away of what that does and why its important . So the European Union has a Data Protection regime and under that regime they regulate the data flows that leave the european Member States to other countries. And basically it requires that the other country have adequate protections for privacy that are comparable to what european Data Protection regulation requires. Since 2000, United States have negotiated an arrangement with a European Union so that American Companies could bring data out of europe into the United States. It was called the safe harbor. More recently the European Court of justice took a look at what European Commission negotiated in 2000 for safe harbor and found it wanting and basically overturned it, requiring European Commission to reenter into a review and discussion period with the United States government to come up with some arrangement for the companies to bring data into the United States by adhering to some sort of best practice principles that are all outlined in what is now called the Privacy Shield. Thats in a nutshell what thats about. We lean forward in providing information and european negotiators. One thing that i think is important to understand is that European Union very complicated situation. They are 28Member States. For now, right . And they form the European Union in the treaties and retain for themselves authority over their own National Security. So the European Union privacy rules do not apply don directly apply to Member StatesNational Security activity. What you see going on within the European UnionMember States, they each have their own way of intelligence oversight and restricting intelligence activity. Or not. Or not. There are points of comparison between what we do and what they do. That is not part of the Privacy Shield. Privacy shield is us explaining to them our protections under our various instruments and of Course Department of commerce had other documents as part of the package. Can i Say Something about privacy . One of the civil issues under the 12333 collection is why should i as an american get less Civil Liberties if my data is overseas. One of the issues that they have with the Privacy Shield is why is my data subject to warrantless wiretapping under section 702 when i do business with these internet giant that are all located here in the u. S. And the reason why the safe harbor was struck down was because the European Court of justice, c. J. Eu, said that section 702 does not comply with european standard or human rights law because it allows this warrantless collection of europeans data for these broad foreign intelligence reasons and that that is not necessary and appropriate under their law. Foreign intelligence reasons and that that is not necessary and appropriate under their law. And so it was struck down and now negotiators have come up with the Privacy Shield. And Privacy Shield itself will be reviewed by the cjeu and c. J. Eu will make a decision as to whether it fixes the problem. Take a look at the Privacy Shield and see the decision, it is very clear there is a mismatch there. Privacy shield has all of these additional procedural things about where somebody who happens to learn that they are aggrieved by having their information mishandled can go through this ombudsman process and that kind of thing but if the court was serious that the problem is the standard for accessing European Data under 702 falls short under human right standard, Privacy Shield does nothing to address that. That is something something we need to consider in upcoming 70 2. It is very important we have these data exchanges because lots of American Companies customers come from the eu and we use services in the u. S. So we need to this this trade. A lot of people depend on it. But if they take itself, its own opinion seriously it will stretch down Privacy Shield and be saying basically you need to give european citizens substantive assurance that they will not be warrantlessly wiretapped without good cause beyond the United States had a foreign interest in it. We will have time for a question or two. Think about putting your hand up and i think a microphone will be brought to you. Lightning round for us here before we go into that. Looking forward to a Trump Administration, assuming you stay in your position now for a third presidency. A fifth director of National Intelligence. What are you watching for in the first year . I think with any new administration, there is a period of time to understand and learn what it is we do and value we add and how we conduct ourselves. I think a lot of changes we have been talking about here do have enduring value. The reason we put the changes in place and are doing the things we are doing now is because of conditions of the global environment, public expectations and those arent going to change. Those arent going away. In order for us to be effective i think we have to be committed to the kind of transparency initiatives we have been talking about to engaging with folks here and with Civil Society generally and our friend in europe to understand their concerns and see how we can best address those concerns. So i think the kinds of things that we have been talking about are really part of the ethic and culture of what it means to be an effective intelligence professional and that will remain the case regardless of administration. So National Security deep state will endure and sometimes that might be happy from a libertarian perspective . I dont know what you mean by National Security deep state. Bureaucracy of National Security officials who have embodied the learned values which may include we should be more transparent. Right. And things that people dont like as well. We published two separate sets of principles that i think embody what i think we are as an Intelligence Community. One is professional ethics. Those came out in 2012. They talk about lawfulness, truth, democracy, stewardship. Excellence. These are Core Principles that i think em body who we are as intelligence. And then what i think is just a fact of life these days, you have to find ways to be engaging with the public on these issues. And in 30 seconds, what are you thinking about with trump . Fisa passed in 1976. The trance 1978. Transparency stuff that alex has been working on is something that happened over the past, you know, couple of years. If you look at history of Intelligence Surveillance, it is a history of political abuse. What you see is all there is but thats not actually true. Our experience is in this moment in time. Right . But in the story of surveillance is a story of overcollection and political abuse. And so i think, im not optimistic that, you know, things arent going to change. Weve had problems. And those problems could get worse. And one of the problems and kind of things we rely on for accountability and fairness, that are discretionary within the executive branch and secret. And as long as we rely on those discretionary rights, we are in a hell of a lot of trouble under the Trump Administration. All right. Who has a question . Ill let the people with the microphones decide who to pick. Gareth porter, investigative journalist. I would like to pose the question or problem of incentives that are built into can you speak a little closer to the microphone . Sorry, yes. I would like to pose the question of incentives built into the problem of accountability and transparency and other values discussed here. The assumption implicitly, and im not being critical, is that the cia and nsa are disinterested parties. That the reality i would suggest is that there are two incentives built into the problem that perhaps disturb that picture. One is the fact that theres a power equation here. That more bulk collection of intelligence that impinges on personal freedoms and so forth gives greater power to high ranking officials. Whats your question, sir . And the other one is potential conflict of interest in terms of profit. We know that senior officials of the cia and nsa particularly in the cia have gone back and forth between public positions and private concerns which have interest in particularly technology. So i have to cut you off. Do you have a question . The question is, is it not the case that there is a conflict of interest here. Built into the situation where senior officials have an interest in technology which does tend to be in fact collecting bulk is there a conflict of interest with senior surveillance officials who also go to private sector and want to have a more spending and power on surveillance . No, i havent seen any hint of that myself. I think the people ive been dealing with are very focused on mission. That a critical part of why they come to work and put up with what they put up with. I have not, myself, seen evidence of that. One last question from anyone else. Thank you. I appreciate the information. May name is don ellison. One question i do have is ive been hearing all day about how fisa court is the oversight on what is taking place inside the collections. Do you think the judges have a level of the understanding of the technology and methods that allow them to make a fair decision on what is being done . Good question. Youre a lawyer and a yeah. Do the judges on the fisa court, are they qualified even to understand what they are looking at . You know, this is one of the problems the one thing is we dont know. We dont see their opinions. We dont the Court Hearings arent open. Some of the technology thats used is very complicated. But from the stuff we see, we see that fisa court is misunderstood or misapprehended programs it approved. In 2011, eventually we saw this opinion, there was about 702, the court was surprised to learn that the way that the government was conducting the collection ended up grabbing wholly irrelevant communication as well as domestic communication which was about the foreign intelligence selector and the court hadnt known that before. Its understanding of the program was different. And in fact the program was so complicated that people inside the government even once they learned this was the case never told the people who knew they needed to tell the fisa court. We also have seen some fisa Court Opinions that just as a purely legal matter are sub par as in terms of legal reasoning. We have seen ways in which fisa Court Approved things even without bothering to write an opinion or explain its Decision Making. The fisa court is of real concern. That one of the reasons i think in usa freedom there was prevision for legal advocate but i think one of the reforms that people are pressing for is to not only provide an alternative legal argument for the court to consider issues better but also for technological expertise. So much of what ends up happening in surveillance is technology. Can i quickly defend the court . Yes. The court consists of 11 Federal District court judges. They serve on a rotating basis. In my experience they take their job seriously. We are looking to public additional opinion possess. They do hold the government to account. They have appointed amici. They have appointed legal advisers. And we have released some of that already. Is each individual fully conversant with technology . I cant speak to that. Technology moves quickly and it is very complicate end hard to keep up with. And Even Technology adviser that person would have a bunch of stuff to keep up with but they take their jobs seriously and perform duties professionally in my opinion. We are out of time. Thank you both very much for getting this wideranging discussion. I hope you enjoyed your broader day here at the cato surveillance conference. We will turn it back over to julian here to send us to the exit. Thank you to charlie and our discussants. Our final speaker before we release you to the world and or happy hour and drinks, is sort of the dr. Who of intelligence. Or surveillance law. Digital surveillance law. Look at over history these crisis points and pivotal moments somehow mysteriously he is there. The doctor showing up in the whole photo from the titanic and the battle of bull run. He was there at Justice Department as prosecutor in the 90s as courts were beginning to tame the wild west of cyber space by interpreting law in this new domain. And in 2008 when the predecessor of the fisa in section 702 forced yahoo to begin turning over information about clients and in response to what some might call general warrants. Mark was there. And as far as we know remains the only attorney to argue in front of the secretive Foreign Intelligence Court and most recently when fbi and apple got into a tussle over their attempt to incrypt iphone drives, mark was there and called apples secret weapon. Excellent profile in the guardian. He is, again, very much like dr. Who. He has been at all these points, win or lose. The founder of zwillgen. A fascinating perspective. And now Going Forward will continue in front of the intelligence court as one of the amici created by the usa freedom act. Please join me in welcoming marc zwillinger. [ applause ] thanks, julian. I appreciate the dr. Who reference. I was afraid you were going with the forest gump reference. Thank you for having me here. Its been an interesting day. Its been interesting to talk about surveillance issues through the prism of the upcoming Trump Administration and thats an intentional pun. Im glad im delivering Closing Remarks because there are a lot of people in this room that i want to thank and that the Program Follows the rule of law. And this is even more important in upcoming years. My remarks are totally my individual capacity. Im not speaking on behalf of any Technology Client or the fisa court. There are restrictions on what i can discuss but i will do the best i can. For those of you who werent paying attention to juliens detailed introduction, i have argued in front of the court of review twice. First time representing yahoo in the constitutionality of the protect america act, which is the precursor to 702. Second time in earlier this year. First amici before the court of review, challenging the constitutionality of capturing of post cut through dial digit. The digit you dial after a phone call is complete. Even to make a second call or to enter in some banking information or personal information and the government was collecting that under the authority of pin register statute and i was arguing against that. So the bad news is of course im 02. The good news is, no one can claim a better record. But ive done other things as julian pointed out. I argued for transparency and reporting on National Security process. I have challenged gag orders in the district of maryland for providers who have had nsls and wanted to talk about them. And not the only time i have fought with the government in secret. Apple cases were really about efforts to make sure that providers and Device Manufacturers arent going to become agents of the government in helping turn peoples devices against them. That is something im worried about happening over the course of the next four years. But i want to start with a positive note which is that the vast majority of the work that i do for my provider client is behind the scenes. It is not fighting with the governments in the courts. But counseling client on how to matchup the complicated provisions of the Electronic Communications privacy act or the fisa statute or nsls or 702s and match data they have with the type of process the government needs to get it. On this work i represent literally dozens of providers. And this is crucial work. Not high profile. Not things you read about in the paper. But the vast majority is routine process. They are serving correctly. Not controversial. Calls for proper data. But providers need to understand exactly what data they can give back when they receive search warrants and fbi does not do a good job of explaining it. And the fbi doesnt come in and say by the way here are options of challenging this. If you want to challenge it. Except where they do it under the statute for nsls. Bulk of my work in my career has been figuring out exactly what government is entitled to get and helping providers give it to them. The reason i mention this is for balance. Providers are gate keepers for a wealth of consumer data. It is imperative the government follow their procedures to order to get data and follow proper discussion in disclosing it. This ties in a lot to what julian asked me to talk about today. He said, talk a little bit about why you spent so much of your career working on these cases. Why have you made privacy and consumer data center piece of your law practice. And why did you build zwillgen and have 25 lawyers who deal with it . That a good question. You dont stop and think about it everyday when youre doing it. And the simple answer and probably the answer for most in this room, is we all want to do something that matters. I always thought this mattered. I still believe that. I believe that more today even more than i did maybe one month ago. Because being a gate keeper for consumer for Technology Companies is somewhat ironic for know play that role. I started my role as a prosecutor for the department of justice and i spent a lot of time teaching fbi agent on how to gather evidence and use existing authorities in the telephone world to get Data Available in the internet world. And what i saw was that there were very few lawyers that the isps and Internet Companies could turn to to get advice. Either when their systems were hacked or asked to turn over data. There are many lawyers on the government side trying to figure out how to get it but very few advising on what to do when they receive the requests. For a brief aside i never told people, this part of my practice started in 2002. I met a lawyer from yahoo at a conference. I said to her if you ever need advice on figuring out what to do when the government comes calling let me know. About six months later, two hours after my son was born while at the hospital she gave me a call. And she said, the yahoo is being ill describe in my own terms, but essentially bullied by the federal government in a child pornography case. The very kind of case the Companies Want no part of and most lawyers want to stay away from. In this case the fbi submitted an affidavit that turned out to be false as to what information yahoo members got when they joined the group. A lot of prosecutions and guilty pleas had been based on this affidavit. And yahoo was trying to help the government get it right. That is figure out exactly what information people did get. The government didnt really want to listen. It would jeopardize the guilty pleas that already happened. They didnt want to listen because in part they didnt believe yahoo because they believed their fbi agent. So yahoo turned to me for help. And the government was powerful. Right . And the consequences of this fight helping potential child pornographers avoid conviction was not a welcome consequence. But for them the truth is important. And standing up to the bullying of the government even though a very difficult place for anybody to be fighting with the u. S. Government usually is, especially in a way that can end up freeing bad people is difficult. But they wanted to have that fight. And thats how i got started. And realizing that the government was taking some liberties in what they are doing to secure convictions on the internet. Thats not the doj i had been part of. Okay. So with that personal bio, what is it like now . Its still difficult to be in the center of these fight. On any given week my client can be criticized for not helping the government. Even though doing so would be an extraordinary measure, as in the San Bernardino case, and looking under any real rock when there is no expectation of finding something or criticized for helping the government too much like yahoo was in a case recently of a threat of harm when yahoo was asked to do something they didnt feel would undermine the privacy of legitimate users in the same way. When clients do fight when providers do challenge these orders they are often not able to talk about it. I wasnt able to talk about the fight and certainly yahoo wasnt able to talk about the fight they had in fisa court in 2008 will until after 2013, until after disclosures from snowden and they were accused of rolling over and giving government their data when they fought at every level to not do so. This is a nowin area of operations for them. So with that background and things ive done and seen and as we close todays conference i thought i would talk for a few minutes about the things that i most hopeful about and most worried about for next four years on surveillance law and policy. Ill start with what im most hopeful about because its shorter. In the years after the snowden disclosures we have made progress on a lot of fronts. Much of it with regard to transparency and procedural aspects of litigating in front of the Foreign Intelligence Court. In the past, before passing the usa freedom, testifying in front of the oversight board, that it is a lot like sending a letter to santa claus. You gave a document to somebody. Didnt know what happened to it. Didnt know where it went. Something came back and you didnt see the whole process, you just had to believe it is working. We are in a very different world right now. There is a public docket. Happily this year for the court of review. There is access to president ial review to the report because of declassification and usa freedom. There was one decision in a case that was declassified and published and that was it. No rules to follow. Now both courts have published rules and procedures. There is physical space for the court to meet when i argued in 2008. Borrowed courtroom in rhode island and a court for the fisc and fiscer. There is an ability for the group appointed under usa freedom to do research and be there at the court and write briefs and its not nearly the mysterious process it was before and of course theres me. And four people appointed. Now five. To serve as amicis. The court is not just tolerating it. The court is actively using it. Two people were appointed this year to argue cases in front of the court of review. There is more transparency because there is reporting now. At least in bands by Service Providers and to challenge gag orders on National Security levels. That has been a lot of progress and progress that is consistent direction and progress thats hard to undue because the court are involved, judges are involved in the fisa court. And the question was asked before about judges on the fisa court. There are problems with judges Understanding Technology but the same problems in all of the federal judiciary. I argued a case in the first circuit. One of the judges was justice suitor in the first circuit. Not the draw you want when you are arguing about a case of Video Surveillance and Supreme Court justices. He doesnt have email. Im trying to explain to him how an app works and he hasnt started using email for professional or maybe even personal use. While there are problems with judges, i dont think the problems with the judges in fisa are different or unique and it is a problem of applying law to technology and technology in some places is hard to understand. I dont attribute this all to snowden exposure, but to people with key roles in the department of justice and other in the last administration. I do believe people were trying to do the right thing on the transparency side and make it a place where there is another side to be heard. But the change takes me to the four things im most worried about. And here they are. One, i think it is possible for the time of meaningful positive surveillance reform may be over. We will effectively have to shift in Civil Society and shift from playing offense to good defense. The past several years many of us have been working to ensure there are meaningful checks and balances for executive branch and carrying out domestic and to some extent Foreign Surveillance and a difficult fight but we made progress but now is when the value of those checks and balances will be tested. And i have to say, i was a little bit satisfied and a little bit disturbed in this mornings session is hear my old adversary matt olson say when he was in the government he couldnt imagine the government ever led by president trump. And he suggested that had he been able to imagine it he might have used discretion differently. I was satisfied because i come around to what i always say but im disappointed with his failure of imagination. President nixon was not that long ago. How soon we forget and those failures of imagination can be costly. We will find out the next four years how costly they were. Whether we got enough reform such that the key institutions that we put into place will save us from really bad outcomes over the next four years. Or whether we are left in a position where the appointment of a few trump loyalists and key government positions specifically in General Council ranks will remove the discretion or checks and balances that we got and return us to an area of unfettered executive discretion. I dont know if we made enough progress but im worried we didnt and im worried about the people responsible which they could go back and do it differently. And i wanted to comment on something said this morning, a waste of time to fight 702 reauthorization because it is one of the most regulated areas of government surveillance. And Jennifer Granick said in the last panel that there is still a fight to be had on 702. I probably agree more with keri on this one. Society has to change its pivot on it. Rather than focus on improving places where there is already institutional oversight like fisa court. We have to put into judges and appointees who we know will uphold the rule of law and be more vigilant in the areas where there is unfettered discretion like 12333 and so we have to not we have to recognize we wont get everything we want on 702 reform but we are pretty good there and in dangerous places elsewhere. That said i do have comments about the fisa court and this is the second thing im worried about. Relying on minimization and use restrictions as a solution for everything. Generally the court does not see a problem with overcollection as long as minimization and use restrictions follow. The touch stone seems to be reasonableness and case law developing suggest they are not sympathetic for prior judicial review by a detached judicial magistrate. So we collect everything, and so we figure out the rules for it later and if the rules are reasonable its okay. I think the job for advocates over the next couple years is to point out problems with this approach. Collecting and maintaining vast quantity of Data Collected outside the traditional framework of the amendment but is too tempting a resource for government to dip into whenever they want. The solicitorgeneral stood and when asked by the court what the harm was if nothing bad happened to them, the solicitor general said thats right, theres no database for collected information. They are not maintaining a database of collected information. Whether that was true at the time we know it is not at this time. There were 94,000 targets of 702 orders according to the dni report and if each one of those people were talking to 10 people in the United States, probably conservative estimate, there is 1 million sitting in one year the government can query. This is a job for Civil Liberties more than the companies. The Companies Want to make sure the data doesnt leave their doors when it shouldnt. Once it goes out the further use of that information is not really a fight the companies can and have taken on and they lose the unique standing they have once they collected and produced it. Its for the Civil Liberties community to focus on. Two more things im worried about. Then ill pause for questions. Im worried encryption is being viewed as part of the problem rather than part of the solution. During the russian hacking of the dnc when all the plain text email came out what didnt we see . Didnt see end to End Communications or imessages or signal messages. This should be the wakeup call to point out for all the claims the encryption is taking for the government for the bad guys thats actually quite good for communication between the good guys. A key message from these russian hacks should be end to end encryption is important to keep our country safe not just protect the privacy of information between individuals but to keep our country safe we need secure communications. Im not sure thats going to be the take away but i think it should be. It really drives home the point a lot of the Technology Companies have made and like matt blaze have made its not technology against security, or security against security, two different types of security. I think to think of this as cameras and locks. If we know someone is threatening to steal something valuable we put it behind a locked door and try secure it. We dont just send a lot of cameras to watch it. All that will do is tell us who took it but wont keep it safe. Encryption will keep the communication safe. We wont have as great visibility, the cameras wont work as well but it will secure the communication infrastructure. I think the russian hacks are a real wakeup call for that. All of the hacks seen were generally failing on protection side. Were not failing so much on catch the bad guys side. The choice were faced with, do we want to have better secured systems the bad guys can use and catch them some other way or want less secure systems but better visibility. As i said as matt blaise said before we cant have it both ways. As my friend, Jennifer Granick pointed out, the last administration said we dont really believe you, there has to be another way. This is the problem we will face over the next four years. The new administration shows a propensity to not believe science at all, dont believe Climate Change and dont believe russian involvement in hacking and probably wont believe the back door is weakened. And theyve shown and early disdain for evidencebased Decision Making. That makes me very worried when this Society Stops listening to scientists and ignores evidence its in trouble. I hope my concerned about this are overblown. Finally, im worried the government will work to turn the ubiquity of technology from u. S. Citizens. Five years ago, it was whether they could surreptitiously turn on the laptops and spy on us, when posed to director comey, he said its a good idea to put tape over the webcam when its not in use. As a society weve moved well past tape over the webcam. Our houses are filled with an internet of things. Internet thermostats and dropped cams and ring doorbells and we drive connected cars and if the early sales for black friday and cyber monday are to believed everyone will have an amazon echo or google or cortana in our house. And those used to activate these devices are just as unclear as email and Text Messages in 2001 when i left doj. If theres one thing i intend to work on in the next four years working with the providers of these technologies to set clear rules what they will and wont do when faced with Third Party Requests so our Consumer Technology is not turned against us as a new vehicle for government surveillance. All right. Was that depressing enough . Let me close with one final perverse note of hope. It goes back to the first panel in the morning. In the fight apple had with the fbi over unlocking phones, a lot of the public sentiment was pretty split. People think the u. S. Government should be entitled to get whatever it needed with a warrant but understood it was a problem if a foreign autocratic regime or leader could force apple to turn data over to them. It was inconceivable to most people except of course to the europeans that the u. S. Government itself should be locked out of the data for fear it would use it improperly. People forget it was the surveillance abuses of the intelligence apparatus in the United States under president johnson and nixon in the late 70s and findings of the Church Committee that brought about the need for reform for fisa in the first instances. Given the rhetoric of president elect trump and some of the potential cabinet appointees its no longer farfetched that citizens need to be protected from abuse from the u. S. Government and not just Foreign Governments. That atmospheric difference you heard in the first panel of the day may end up making somewhat of a difference in the surveillance debate in congress and the courts. For the sake of all the people in this room and the sake of the rule of law, lets hope so. [ applause ] because were really up against the time limits, i will suggest folks here that want to ask mark questions take the opportunity to do so while we go to the atrium for some snacks and some drinks. Folks watching us either on our website or via cspan, im afraid you have to supply your own alcohol but welcome to join us in spirit. Thank you all and please thank all our speakers once again as well as i should add our conference staff and Keonna Graham and those who did all the actual hard work while i stand up here and take credit for organizing this, join me in thanking them again and please join us outside. We take you live to the capital hilton in the nations capital. All other sorts of gatherings including u. S. Conference of mayors. Their annual winter meeting happening, just getting under way today, as matter of fact. And Vice President elect mike pe pence will be speaking shortly to u. S. Mayors about how the Trump Administration plans to work with cities. We will have live coverage for you here on cspan 3. Itll be a few minutes likely before the Vice President elect speaks. So while we wait we will look at preparations for the inauguration, now three days away. Preparations for the 58th president ial inauguration are well under way in washington. Chair of the president ial inaugural committee spoke with reporters at trump tower in new york city. And gave details on how plans for the inauguration are shaping up. The inauguration is going to be amazing. And what we are doing is trying to orient it towards the greatest tribute to america. The only peace time transition of partisan power that ever happens this way. So the focus for this president elect, since he is a celebrity, is really on the place, on the people, on history, on tradition. So it starts monday, Martin Luther king, jr. Day is monday, a great epic start and great epic verbiage for what all this means. And there will be a series of events leading up to thursday. Thursday is the kickoff of it all. Thursday is candle light dinner, which is tradition. And each of the dinners and each of the venues is really oriented to just allow people to greet the place, rather than the actors on the stage. It is about the stage. So thursday and friday are the two big days, swearing in, the capital staff is amazing at how they planned it. So it will be a commemorative moment, thoughtful. You talk about actors. If you can tell us, how concerned are you, you have enough performers, people to do readings. Songs. All of that. Are you satisfied that youve got what you need to fill the day, as it were, on a typical Inauguration Day . Yeah. Overwhelmed. Were fortunate in that i feel we have the greatest celebrity in the world, which is the president elect. And side by side with that is the current president. Also a great support. So what we are doing in surrounding it with what people say are alisters, we will surround it with the soft he is not shoe alieb sensuality of th. This is like a cord nation. Thats what the president elect wanted. It will be a tribute. Itll be beautiful. But the cadence of it will be, let me get back it work, because the people im presiding with in america are back to work. You talk about what he