Absolutely superb, and it is a privilege both to be here and I really want to applaud the board for taking up this, I think, really difficult but fundamental issue about what is privacy and how in practice might we go about protecting it within the private and public sectors. I want to really just offer observations as opposed to any specific, if you will, recommendations or conclusions. This touched some of the last panel. I think the FIPs are frankly not tremendously useful. I'm not suggesting abandoning them, which is a big change for me. Ten years ago, a chapter called the death of FIPs, but unfortunately I've gained a little bit of college here, but I think we used them almost, like we can roll out these eight principles or depending on which list of FIPs you use or that will get us somewhere. And that far too frequently both in the private and in the public sector they really don't get us anywhere. What we end up is we end up just like talking about in the last panel looking for substitutes for the FIPs. We can't have consent, what could we have. Rather than asking what is the purpose to be served in the first place and maybe no longer relevant as tool to achieve that purpose, rather what are we trying to do here and really the question you've been asking all day, what are we trying to protect, what do we think protecting privacy really means. I say this by the way about the FIPs in part because I'm not sure that they have ever worked terribly well and certainly in the environment where they are largely noticed and I'm not sure that they work well in a world of massive data whether we call it big data or just high volume data. But the notion of a sort of FIPs-like approach particularly with the focus on the individual when the broader issues are frankly societal. Maybe the impact on the civil liberties. Not of one person but everybody. I don't know that the FIPs help focus on the way and frankly the FIPs led to some silly results.
I would just mention I've been surprised by example by the Department of Homeland Security privacy impact assessment on border searches of electronic devices. Which focus a lot on notice as privacy protection. At the point that your device has been seized from you and its contents copied, it is difficult to think that notice is meaningful protection. It may be necessary but whether it's protection or not, I think it's not. Second point, one of the things we are seeing emerging in the debate in the private sector and we see this especially in Europe and the context of discussing the General Data Protection Regulation there is greater focus on risk management or risk assessment and risk management. I don't mean to use this because it is the jargon of the day but rather because risk management is an incredibly valuable tool that in the private sector we are far behind on. We have a clear idea what it means. Part of the reason is we don't know what risk we're guarding against. We are very unclear what are the harms, what are the impacts, what are the negative effects we think we are balancing, if you will, of what are the positive outcomes of the use of data or what have you. One reason I think the risk management approach offers value in both the public and private sector is it makes us stop and say what is it we are trying to accomplish. What are the positive benefits and negative impacts not measured in terms of FIPs but measured in terms of actual impact on individual or on society or on the economy. As we think about it. When using risk management or if you hate risk management, in either case, third point, I think there's a lot of reason to focus more attention on use of data. And this has been a real weakness of the U.S. legal system. Those of you who have suffered through law school know that Fourth Amendment has almost nothing to say about use of data whatsoever. You can have illegally seized data that the court acknowledges is illegally seized.
There would be no disincentive for the collection only the collection of the Fourth Amendment in Supreme Court jurisprudence has been focused on. And for this reason I think we really would be better to think more about reasonable and effective limits on use. And I think that's what the public most commonly cares about. And one of the practical reasons is there is almost always a legitimate reason to collect the data. Always some employment reason or security reason. There is some private sector reason. You know, Verizon had a reason to collect the data. And then the question was who could access it and how could it be used. But our legal system is focused enormous attention on collection and once the data are in the government's storehouse then we feel that the data are more commonly out of control and I think that is a critical area to focus on as well. Fourth, as I mentioned, I think the Fourth Amendment while a critical legal limit and I certainly incur that's yellow, right? For the rest of you, you will know, I just got a yellow card. I think the Fourth Amendment is critical legal limit and we must of course observe it. It is not a very useful guide for telling you what to do in the future. For a positive analysis of privacy issues. And I think we should again be careful about that. Too often in our rhetoric we say, it's permitted under the Fourth Amendment, as if that tells us anything. Other than it is not illegal under the Fourth Amendment but doesn't tell us anything under the ethics or desirability or what have you of doing it. And fifth, I would just say, in almost all of these areas, and I understand in national security this is particularly odd, I think redress is something we need to continue to focus on. We see many uses of data in the government setting and in private sector. Which are done without regard to redress. With just sort of well, if it affects the person inaccurately every now and then, what does it really matter?
We will deny boarding to people on airplanes or provide extra security for the wrong people. This is not an efficient use of government resources. And it is not a good way to think about privacy. And I think we should be very clear in those rare exceptions where we say, there might be no redress available here for the individual in which case we now have to provide it through other means inspector generals or the other ways of approaching it. But at all times we should think about redress, not just because of the rights of the individual but because of the interest in ensuring that the system works as advertised and as it should. Thank you very much.

Henry Geiger focused on civil liberty, computer crime and cybersecurity. Thank you for being here.

Members of the privacy and oversight board, thank you for inviting me to speak at your meeting today. Thank you for your excellent work for ensuring protection for privacy, civil liberties and terrorism programs and congratulations on having one of the best acronyms in town. When it comes to evaluating privacy protection, the Center for Democracy and Technology believes that fair information practice principles are a very important framework for both government and the private sector. Now you can add other privacy frameworks on top of that. We do not disagree with Professor Kate that societal impact is in use and protection focuses on the purpose of data collection are also useful but we view the FIPs as indispensable framework for evaluating privacy collection for data collection practices. The individual principles as you know are overlapping and mutually dependent on one another. It is a framework. An smorgasbord that you can choose and pick. And there is obviously some discussion in the private sector about doing away with data collection limitations or the data minimization principle of the FIPs seeing as how we are in an age of big data.
But in the time you have given me, I want to address this head on in the context of government surveillance. First, CDT believes that there still should be collection limitations on private sector data collection. And that data minimization principle of the FIPs should apply to the private sector. Second the government should not take its cues entirely from the private sector when it comes to noogs national surveillance. It is fundamentally different from national security surveillance and therefore even if the private sector were to collect data in some other manner in an alternate universe, then they should not follow suit. National security arms are not as transparent or responsive and are not likely to be. Major companies in addition allow or are required to allow the collection of information about them. More and more services are differentiating themselves on the basis of strong privacy protection and of course individuals can choose not to participate in a commercial service as a means of limiting direct data collection about them. But data collection for national security purposes does not permit any meaningful choice. So this is not to laud the private sector data collection practices because CDT does view them as generally insufficient protection of privacy. Because of the differences I just briefly listed and other reasons, even if the private sector fails to robustly apply the FIPs, government agencies should not follow suit. If anything, because of the differences government should strive for more strict and consistent application of the FIPs than that of private sector data collection. So I have a small set of broad recommendations to make. First, the government should place greater emphasis on implying the data of the FIPs. Back-end minimization procedures alone are not sufficient. Front end is also critical. Trust is breached at the point of collection.
Once the government collects information nonstatutory internal restraints on access and use can fall away like sand castles on a beach. We saw this happen with the 702 loophole. So surveillance should be restricted at the front end by narrowly limiting to what is directly needed to accomplish a specific purpose. Data should then be retained only as long as necessary to fulfill that purpose. And the data should be destroyed unless a determination is made that the data are needed to accomplish the specific purpose. Specified purpose of data collection itself should be subject to meaningful restriction. For example, limiting the scope of what is relevant under section 215 or definition of foreign intelligence and Executive Order 12333. So goal should be overall to move from mass data collection to targeted data collection of both U.S. and non-U.S. persons. A fair reading of the statute does not seem to grant them with this authority. So with order or when necessary summaries of opinions would substantially boost transparency. We should not be a nation of secret laws. Third the government should have scope and request for data under national security authorities. The government should authorize the private sector to make similar reports. Information is power and privacy is control of information. An entity possessing information about an individual has power over that individual. Large scale government collection of information about individuals threatens the relationship between citizens and the state because it upsets the balance of power that supposedly exists in democratic society. Therefore, CDT urges to recommend that the government recommit to robust application of fair information practice principles as well as other considerations regardless of what the private sector does. With much more targeted data collection and greater transparency. Thank you.

Thank you. Our next panelist is John Grant. Mr.
Grant is a civil liberties engineer and he previously served on the staff of the Senate Homeland Security Committee where among other things he oversaw the Department of Homeland Security. Thank you for being here.

Thank you for the invitation to speak today. As I never tire of telling people, I was a staffer on the greeting club. So I take a parent of the board and I'm sure it is every parent's dream to one day testify in front of their children. I will spare everybody the commercial, just suffice it to say, building a data platform, that works with data, starting with the law enforcement intelligence space and extended to deployment around the world and in a variety of context and the financial sector and elsewhere. Our technology isn't successful if in the course of achieving an organization we are not able to be deployed in a way that protects privacy. That is something that founders of the company instilled from day one and that is why my job exists a civil liberties engineer. One thing I learned, and this is different from the Hill certainly, when you walk into a room and say to engineers, I'm worried about this thing you're building. It creates a privacy problem. The response is oh, okay, how do I fix it. Which is not often what you get when you raise these things other places. So it is our job as an engineering team to come up with suggestions for how to fix it. I'm a lawyer. As you may have guessed. So I do not necessarily possess a lot of technical skill. So the main role for us is to translate between the lawyers and engineers. So what I want to focus on today a little bit is some of the technology at a high level and then I had actually suggestions for moving forward that I think are actually fairly low hanging fruit. So just briefly to provide context, as I said, data management and data analytics. We're not dealing with the collection of data. This gets more to Professor Kate's point about the use of data.
And we have two sort of high level categories of technology that deal with managing or protecting privacy with the use of data. There is access control and oversight mechanisms. I want to start by pointing out and this is something to keep in mind just as technology expanded, power of surveillance and the amount of data collected, it is also significantly expanding the level of privacy protection that is available at the agencies. If you imagine 50 years ago if there was an FBI file, this is probably pieces of paper in a red well, sitting on a desk somewhere or maybe locked in a desk drawer. Hopefully locked. Or maybe in a dusty basement archive or something like that. And there is probably limited tracking of where the log book was. And anyone accessing the file can see whatever is in the red well. You can just rifle through it and you can see everything even if it isn't directly relevant to what you need. It o would be nonexistent, you couldn't see who added information to the file. Who deleted information from the file. And deletion is hopefully burn bag or shredder. Probably just crumpling it up in the trash. Or a black magic marker redacting a few points of information. Today we do a lot more management data and oversight. And management at a grander level. That's what access control point. Which you can now build access controls to manage data very precisely on data point by data point basis. Can you do it in a more nuanced way. You don't have to choose between access or not access. Can you make the access controls dynamic and so there is a lot of options and sort of the way the many options you have to configure the access controls give you a near infinite variety options in how to manage data. Who can see the data and what they can do with the data. The other point is oversight mechanisms.
And this is really you think a lot about audit logging and also using technological electronic work flows to control exactly how data flows around an organization and who can see data and what kind of analysis they can do with it. Or hard wiring an approval chain for use of data and things like that. And these can be very detailed. So the or the hard wired approval process and things like that. That can be very complex and involve multiple actors. And then the auditing of how data used itself can be incredibly granular and incredibly detailed. And I want to get to other point. Just these two capabilities are a significant improvement of what existed before and can get us a long way. And there are things that exist today. Now I'm obligated to say that Palantir does this best but this is not exclusive to Palantir and they can be deployed and can be used in a lot of different context. So what is the problem today? Why aren't these capabilities being used more? A couple things. One, issue and technical awareness. Lawyers don't know technology and engineers don't know law. And you need people who know both of these things to be able to make the decisions as how to use these technologies. How to incorporate them into programs. Lack of resources. You need people who can actually manage the data. You talked about this in earlier panel. Alex Joel has a very small staff. Erica has a very small staff. They need resources and infrastructure do this. Resource is hard. How do you use an audit log. How do you use it effectively. How do you access controls especially when you are dealing with massive amounts of data. The last one is death by anecdote. The debate, cost benefit analysis, tends to be the national security sector saying one time we caught this bad guy using this information and this community saying one time this unjust thing happened to a person because of this program. There needs to actually be a much more you can't just make this argument on anecdote.
You have to look at data and can find that more specifically how these programs are working, how effective they are. So solutions suggest some of the solutions in listing problems. Education. I think and Palantir sponsors scholarships. To make sure lawyers can learn technology and engineers can learn law. It should be a requirement to have an ethics program. They will build technology that will hit the streets and is going to months or years before the law catches up. So shouldn't engineers catch o what they are building is affecting privacy and they should think about these things. Infrastructure. An important value for us as society then we need to invest in infrastructure to support it. Cop photo guidance we actually need go beyond just systems should have use limitation. We need to tell people, how are you going to do that? I can dig into that more when people have questions. But really specific guidance rather than just the, you need to have notice and consent, you should think about use limitation and things like that. And last, everything in the world can be datafied these days. Including how effective they are. We can do analysis and start analyzing data and figure out, is this effective, is this not effective. Is this having negative effects. Is this creating bias in the analysis. Thanks very much.

Thank you. Our next panelist is Chris, venture partner at Palton Group.

I spend most of my time teaching at the Naval Academy. I, like the other panelists, are grateful you established this venue for what I think is important dialogue. I would like to make four quick points, then get to question and answer. First and foremost, I absolutely agree with the premise which that the framers of the Constitution did not intend for security and privacy to be in mortal combat and we try to figure out how do we achieve both. It may very well be we cannot trade one for the other. I think that's right. But we have to work harder to achieve both.
I think technology and practice from the private sector can be helpful there. Two, I agree that government is different. Not simply in the powers, tools it might bring to bear on a citizenry or others. And therefore, therefore should be constrained. But the government alone has the requirement to essentially meet standard of the First, Fourth and Tenth Amendments within the Constitution and from my NSA experience, the most significant of those which essentially says, unless you have the authority to do something, you should not. The back door search is from 215 or NSA interpretation, both were specifically permitted underneath, under court approved procedures and specifically where interpretations of the law that went through three branches of government. I think that's right and proper. That doesn't necessarily justify them. It may be bad policy at the end of the day but rule of law has to pertain to how the government gets things done. Point three, I would say that largely agree with what John had to say. I wholly agree with what John had to say. That aspects and law are at odds with each other, because they are perceived as independent bias on any particular solution. I would add a third which is that what typically plays out in any one of these systems is that you are trying to effect technology, law and operational practice of those that make sense of the technology and surprising result is that because they do not change at the same rate, they essentially change at very different rates. Keeping them reconciled or synchronized from moment to moment is really hard. Therefore mechanisms or oermg things are not likely to satisfy the need what you need are threads or systemic solutions that you pull through and you take both art and science process to essentially try to figure out how to make some solution here. I will wholly agree with John that education is absolutely essential.
At NSA when we found ourselves at compliance incidents, which no one intentionally made a mistake, we had to sit down and figure out, how do you find a horizontal joint between all who were trying to achieve something slightly different but ultimately invested in the same problem. Last point I would make is I do believe there is a role for big data. Sometimes called mass collection. There is a role for big data. But the principles should be the same as surgical data. Which is necessity and proportionality. The government should be able to justify on what basis this is necessary. Such that it could then argue not for on encroachment upon civil liberty or privacy but how do we work harder to achieve sustainment and it should only achieve that in proportion to that need. Therefore, I think that all those comments aside, I would say that the private sector probably has a lot of experience in this regard that the government can take advantage of. My own sense is that government collects far less information than is perceived by the public and certainly far less information than the private sector does. I don't excuse the government for that. They should be held for account but they can bring technologies in that might well scale quite well for the government's purposes. Because it would have to scale them down as opposed to scale them up. I'm open to any questions you might have. Thank you.

Just a reminder to the audience, that there are staffers in the back with cards and if you would like to direct a written question to the panelist, hold up your hand, find one of them, and write down your question. And for the benefit of the audience and the cameras, for the panelist when you're answering a question, if you wouldn't mind moving the mic back and forth. I'm sorry, we don't have as many mics as we probably should. I would like to start with asking about oversight. And I would like Mr. Grant to direct this question to you first.
Both in your oral statement and in the written statement that you submitted to us, you talked about a wide range of mechanisms. Paper trails and electronic work flows and things like that. Frankly, when I read the written statement it seems like an overwhelming array of different ways to engage an oversight. I think for a couple of reasons you need to choose your oversight mechanism. One is that the agency will have limited resources to dedicate and secondly as I mention a previous panel there may come a point where there are diminishing returns on oversight. You need to leave the agency to do their job and not have mechanisms all day long. So have you given some thought to what constitutes an effective oversight mechanism? How do you rank different mechanisms in terms of their effectiveness?

Yeah. So I think we should actually think about oversight as a big data problem. And apply the same thinking to it that we would try to analyze intelligence and try to analyze huge amounts of transactional data for marketing. It's a similar issue. Have you a huge amount of data. There are massive amounts of audit logs for example in an organization like the NSA. And that's a lot of information. But you can use technology and analytic tools to make sense of that information. And drive the insights that you're looking for. So at the part of the issue is, a, you need to do it. You need someone so we see this all the time and I know other organizations see this as well, which is everybody checks the box for audit logs. We've got audit logs and we will go through an enormous number of hoops to make sure it is logging exactly the information that it is supposed to. We get fewer requests to actually look at the audit logs once the auditing mechanisms are logged on. There aren't many laws I can tell that tell anyone they have to look at audit logs. It is the Seinfeld joke about renting a car. Everyone can take the reservation. But to hold the reservation, to use the information.
So I think, to me, that's how make oversight more effective. You use these techniques. And that's another thing. Oversight people and the information security people and things like that, they should be as good as your analysts and you need to have good people who are also doing analysis and connecting oversight. So to get to your last question, which is the most effective, I think it is using that auditing data. Using the big data that you've got and having a team of people that can proactively comb through it. Not only are you looking for people doing something wrong but you can also ask questions such as, is the data retention policy make sense? Can you look at data and say, it turns out we is data set for five years. No one uses it older than three years so let's change the policy to change with the use of data.

Okay. I would especially like to get your thoughts from your time in government. What did you view as an effective oversight mechanism.

First and foremost, if there is an authority granted or burden that's imposed and they come hand in glove, that's not a onetime thing. And there cannot be a repurposing somewhere later or have gotten past that threshold. Events might be collection, processing of data, analysis of data, dissemination of that data and burden imposed at every step according to the authorities that were granted for the acquiring of that data, acquisition of that data in the first place. What he with found to achieve that, data is aggregated, synthesized, we take the iconic analytic effort, doesn't simply use data from one source, they use data from many sources. If there is different expectations to keep it straight in your head as to what you're going do about that. So the focus has to be, how do you find the attributes for particular data element at the moment that it comes into being.

Could you pull the mic a little closer?
At the moment, you collect a piece of data, how do you bind attributes to that data, what is the authority under which that data was collected, what are the burdens, constraints that come along with that. What are the prescriptions if any that come with that and that should be bound through that data through its life. Through its life of collection, process, analysis and dissemination. Now at some point there is a second order use of that data where someone reads a broad swath of material synthesizes that in their head and constructs a document across an air gap. That gets hard. But at least in that primary use, if you have a systemic view from start to finish, you make the auditor's job or compliance oversight much, much easier. And you therefore in your system in your technology, essentially impose a constraint or check every time something exercises privilege against that data. Whether it is at collection, analysis, processing or in dissemination, that makes the auditor's job much easier and frankly has a nice deterrent effect because they know at every moment they are held to account. But at my experience in government it is not so much the deterrent in government as the very rule-laden environment. Typical counterterrorism analyst at NSA would often deal with hundreds of constraints on the data sets that are available to them. Because various orders of the court, interpretations of the court sharing arrangements with various others nations would all come along with their independent assessments of how the data can or should be used. So bottom line is the technology can help us by essentially doing an atomic bind. Meaning it is organic to the data itself of what is its provenance. That should never be lost through the history of that system.

Thank you. I would like to turn to FIPs and Mr. Geiger, I was happy that you recognized those and Professor Kate as well. So I would like to direct this question at first to the two of you. So Mr.
Geiger, I notice that in the written statement that you sent us to you talked about the FIPs but you didn't really talk about the individual participation FIP. And I guess when I talk about the FIPs, I'm referring it primarily to the DHS version. You said in your oral statement just now that the FIPs are not a smorgasbord, they are a framework. You can't just pick and choose between them. If you have to employ the FIP, how can that work in a surveillance context?

That's the toughest to a this context. One way to do it, which is not viable or good policy, is bring suit for violations of law. But my, I think more reasoned answer, is if the FIP is lacking in the national security context, then the rest of the framework has to work overtime to compensate and that includes data minimization, which is why I emphasize data collection and transparency. As well as the rest of the framework. I absolutely recognize challenges in participation but this is one area again where government is different from private sector and I think that difference should express itself in particular in the data minimization principle.

Professor Kate, do you have thoughts on that? I would ask also, there's a lot of a lot written and said in public recently about how perhaps the consent and individual notice FIP really doesn't work well in the private sector because nobody really understands what they are consenting to. They have to consent to get service and it is a meaningless exercise. Do you have thoughts on that and whether the individual can work in this process?

Thank you. I have thoughts. Especially with one of the people who have written some of that. I think the challenge of the FIP says that they often lead us in the wrong direction. And I think this is a real challenge. I'm not in any way trying to make it sound easier or make it sound like there is a simple answer here.
But for example, if we think of FIPs and classic 1980 FIPs, we are talking about consent, use limitation, to the purpose specified and then we add things like data minimization and individual participation and frankly almost all of these seem challenged in a modern data environment. Private sector or public sector. In other words, how does that really work? You know, there are 60 people in the room. They all have cell phones, recording devices, video, audio. I don't have a statement from any of them. I don't know about my individual participation rights. I suspect they would look down on me wanting to interview each of them about it. The issue is an important one, which is how to protect privacy but shifting the burden to the individual which is what FIPs have the large effect of doing is a very difficult way to approach that. I think it is an important way to approach it in the public sector environment. But it also may lead to completely wrong results. In other words, one of the surprising things to me, and I can't believe I'm saying this in a place that's recorded, but that the about section 215 is that NSA collected all this data and did so little with it. It was astonishing. So you would like to say, when people talk about atomically binding limits and what you can do with the data with the data, something new we might do with the data that might have a major effect on national security, we would have a process for some sort of risk analysis. What's the benefit. What's the risk? What are the processes in place to protect it. Now let's do that thing. And data has real value. It does in the national security environment and private environment. I think we need to think about approaches here that aren't binding everyone to some mythical transaction that took place that which in the FIPs world we say the individual agreed to this even though I can't think of a case in which the individual actually agreed to it or it was meaningful consent.
And in the national security world we just overlook that. Well, we think it was important, without again doing a clear and well-documented type of risk assessment. Using clearly articulated benefits and harms. So it does sometimes lead programs in the wrong direction. It is a useful framework for evaluating privacy protection, but the application of the FIPs, what you are actually doing with the program, you may pass muster under your privacy impact assessment but the way the program is impacted on the ground may not be privacy protected. So I don't think that FIPs are a silver bullet. But the principles themselves I think are very useful for the evaluation of the program. Second, it's been a long-standing controversy about notice and consent being inadequate. But that is why I said at the outset that the FIPs is a framework. Each principle is dependent on the other. This came up clearly in the health context. People don't know what they are consenting to when they receive a notice from their doctor. They don't know what the privacy notice says or means or what HIPAA does. Which is why there has to be a lot of additional privacy protections in place to actually meaningfully protect that individual's privacy. Then lastly, FIPs are not the only framework. I think it is useful. Indispensable framework. But there are other frameworks that can be applied and should be applied to data collection at large. Though this is the subject of the first panel and not this panel, but I want to ask anyway. I apologize if I'm springing this on you. I want you to say what is privacy.
I assume you spent time thinking about how to protect privacy and civil liberties. What does that mean? What interest were you trying to protect? I would say I don't think that has changed over time. The fundamental question always comes back to two things. One, with respect to the perspective of the individual, is there a reasonable expectation of privacy for, fill in the blank, what that information might be. That's the stuff of great legal debate but operators think about that as well. Particularly operators inside the government, because they are constrained by the Tenth Amendment to think, what else is there to do. But the second way to think about the issue of privacy is then what might you learn if you take these discrete data sets and combine them in a way that might then give you some insight into things that were not self-evident from any one of the discrete data sets. And you have to think about aggregation, synthesis, downstream. Again you might have thresholds that you have to think your way through and you have to go beyond that particular point in time. I would tell you that at the National Security Agency, ethos is as important as compliance rules, FIPs mechanism and things of that sort. Science will lead you astray. Science alone cannot help you. So essentially navigate the challenge. The question of how do you achieve both security and privacy in a world where they are massively converged in a place called the internet. Professor Cate, do you have a thought on the nature of privacy? Running out of time before you got to me on this. This is an area where I think public versus private sector is an important distinction. I think it has to be kept clearly in mind. In the private sector I think of privacy mainly in terms of harms or impacts on individuals or groups of individuals.
So whether that is the way we think about it in the Fair Credit Reporting Act, like a higher price for credit or denying someone a benefit, or whether it is some other way in which we think about an individual being manipulated or higher price. In the public sector I think that is also true. I think there is something more in the public sector proper, which is privacy I think from the very beginning of the constitutional debate was seen as something about the balance of power between the individuals and their government. Between the citizenry and the government. And that there is something quite striking, and this I completely agree with Harley about, the more the government knows about individuals, the greater the risk that that information will be used in a way that alters that balance of power. That makes the government more powerful and makes the individual less powerful, and you know, a widely observed but ironic twist as we've gotten into the 21st century, we have less transparency to the citizen about the government and more transparency about the citizen to the government. And that is a clearer alteration in that relationship. That power relationship or that oversight relationship. And so in that sense, that's why again, focusing on collection or use, it may be a not so significant matter. But at the end of the day, it is use that matters. It is knowing how can the government use this information in a way that might affect me, as opposed to is the information out there, which seems to be always the answer is yes now. Mr. Grant? I don't have necessarily an answer. But I think I have sort of a framework for thinking about it. Think about it in social. Younger people are viewing privacy. If you ask, most engineers appear to be about 14. And if we had a discussion internally and should we look at LinkedIn, Facebook, and look at it as part of the ways to detect phishing and things of this.
They vigorously and they say, you tweeted that. Which means people are going to read that. It is a tool for communication to the world. And they still felt, yeah, it is publicly available. Anybody can google it. But they still have an objection to government collecting it or government reading it. Or their employer reading it. Things like that. I don't know what that means in terms of coming up with a final definition of privacy but it suggests that people, there is a different view of it. And that even public information, there is still privacy inherent in public information somehow. Like I said, I think talking through sort of attitudes towards social media and understanding that could help us figure out what is the newer conception of privacy in this technological age. Do you have something to say, Mr. Geiger? Sure. I said most of it in my opening remark. I view it as an individual's ability to control information about herself, but then also the control that the entity holding information can exercise over individuals. And I think that it is very important not to just look at privacy harms or privacy interests or the extent that privacy can control over an individual or their decisions in the context of today's technology. I think it is important to look out the next couple of decades and see what is coming down the pike, and there are very pervasive, very privacy-intrusive technology that we will see in our homes or in ourselves in our lifetimes and certainly our children's lifetimes. The laws haven't kept pace without a change in the law. Again I reiterate that internal protection on use and access, while important, is not sufficient. Because they can change. They have changed. When we talk about protecting privacy, I think we should look, as I said, just to what we are protecting several generations down the line. Professor Cate, they've been talking about that throughout.
And for focusing on how the private sector might have solutions that the government might learn from, private companies are obviously doing something to control use of information they collect. They have to. They have a privacy policy that says what they will do with your information. They have to comply with it. There are mechanisms that they can use for enforcing limitations that are effective that the government might learn from? Mr. Grant, do you have a view on that? So we see this a lot. Our customers don't hold data. And honestly, actually, they use the same basic mechanisms I described in my testimony and often the same basic weaknesses. And do they have the infrastructure to manage access control? A lot of them do not. And it costs money and takes time. Are they conducting oversight of data? Probably so, more than some people, and again because of limited resources, but they are probably still not doing it at the level that you would hope. And one thing I notice is that a lot of them, there is, even in Europe, where you have more commercial privacy law and more commercial privacy compliance requirement, a lot of times it's best guess. For example, one we have been running into recently now is looking into cybersecurity and information security data exfiltration risk in the private sector. And these giant companies are trying to deal with privacy laws that are all over the map. They are asking questions like if a German employee sends an email to a U.S. employee, what privacy rules apply to the content of that email. In Germany, you have to tell people, I'm going to monitor your email. In the United States, they can basically do what they want. There are terms in what the privacy is try doing but I think you are facing a lot of similar problems that related to scale, related to lack of understanding of what the rules should be, as the government.
So there is probably a lot of great technology out there that can be used, but any technology can fall into the wrong hands without the right process. The following process might be to consider, that first and foremost before you acquire any capability, within the government, within the private sector, you think of the proportionality situation, and is this necessary and have I done this only to the degree it is necessary. And what we are trying to achieve is not simply the balance of privacy but transparency, and you don't often believe they achieve the balance of the first two. That derives the possibility in the government. The need to essentially acquire explicit that comes with constraint. Constraints are bound to that and some measure of accountability for those constraints. And the process elements that then are essentially implemented to pull that off, I think should have the aspect of continuous compliance. Not discrete compliance but continuous compliance. You think about it all the time. First, middle and last. A stretched analogy as part of the problem of cybersecurity. And you think of that as a bolt-on some will such tomb we operate systems continuously with that foremost in mind as primary attribute that will break our heart. The next is an external component. Internal component, you have to hold people accountable internally of system. You can wind up with mismatched expectations or the system might in fact go rogue. And then three, there has to be at various phase point required reporting, which is important because that is synthesis and retrospective that says how do we aggregate our experience. Do we need to invest time and energy in the process itself, and absent that, you find that you're the frog in the beaker and it is just getting a degree hotter moment by moment, all of a sudden you're the boiled frog. And you didn't realize, you step back and take a hard look and you got off course a little bit. Time to go. Thank you.
I think my time is up. We will go to Mr. Dempsey and go on down the row. Thank you. Thank you, members of the panel, for giving us your time today. In a way, building off of something that Chris said, or at least what I heard, you are saying that we need the technology controls. We need to build the technology in a way that implements the controls but at the same time you need the policies that surround it. You need the legal rules et cetera. I think, John, my first question was to you, you talked a lot about the potential of the technology in terms of tagging information and audit controls and permission controls, but just to state the obvious, that's no substitute for legal rules and policies. Absolutely not. We try to say, even when we talk about privacy and capabilities, if you think you're buying a switch that you can flick that protects privacy, it is not going to happen. It's not possible. You have to be able, you have to respond dynamically to changing situations. You have to be able to make human-driven nuanced decisions. About data and how it is used appropriately. That is just not something that machines can't do. And you can't find a terrorist button. You need a human at the top of the analysis chain. So don't worry about it, we've got privacy covered. So what the goal should be for technologists is what kinds of tools do policy makers need, and the oversight boards and civil liberties protection officers, what do they need and what makes their job easier or possible, especially when you are dealing with data at scale. And you know, so easy example is there's a lot of work, a lot of research going into improving access control interface. When you're dealing with terabytes of information on the cybersecurity space, how can you create technological shortcuts to allow a human to make the decisions about how to manage that data. And that is how you do it. You think about how do you support the policy. Not how do you replace the policy.
Let me go to Fred Cate. Fred, totally accepting your point about the limitations of the FIPs and totally accepting your point about the importance of focusing on risk and focusing on use, you're not saying that collection is irrelevant, that obviously the Fourth Amendment is in some way a collection limitation, and that, you know, in the commercial context that company that had the flashlight app that was collecting data from the, nobody even got to the harms analysis. That collection was inappropriate in and of itself. Right. You are absolutely right. And I agree completely. In other words, I'm not suggesting collection's irrelevant. We make collection to the end of the story so once you cross the, you know, like a spillway at a dam. Once you're over the collection limit then anything else goes. The ironic thing is that at NSA, as Chris Inglis said, their view is they never thought of it that way, that they thought that you have your collection authorization which is critical, your retention, your use, your dissemination. Your retention limit. That each one of those, if I can just respond to that, I think there's something of a mismatch here and I'm not in any way doubting either of what NSA is doing or what Chris is saying. But one of the astonishing things, for example, when I read the section 215 report that came out from the NSA civil liberties office, well-written report, it was full of all of the limits on what they were doing and the incredible, what can only be described as bureaucracy, and what struck the American people is how is the authorization obtained in the first place. We had a law that said relevant to specific investigation. The 99 out of 100 people thought it might be focused on specific individuals. Apparently the 1 out of 100 that didn't was a FISA judge and had other members along with him, members of Congress.
So I think one of the critical issues when thinking about going forward is, if this were private sector, there would have been immediate, and you know, that policy that says we will collect information for limited purposes, that means we will collect everything. Then there is customer reaction. What can we create that will mimic that in the classified environment. Maybe that's the, maybe that's you literally having outside of the agency but focused on privacy and civil liberties that says we understand the challenge but we think you have got the wrong end of the stick. But I think it has been overly focused on the Fourth Amendment that creates this problem. As you well know, the FISC just dismissed it by saying third party doctrine, no problem at all, let's go ahead. Someone should have said, wait, you are talking about collecting data on everybody. And that would have focused the discussion in a way that all of the technological controls and all of the bureaucratic controls now well documented in the agency somehow never did. I don't want to, that's very helpful. I don't want to further rehash 215 and history of 215. And anyhow, I have a red card. So I guess that's the end. Thank you. So let me just follow up quickly on that point, maybe what we need to do is supplement the FIPs with the OMG standard. Which is, you know, private practice, I could have a client and I say, everything you propose to do is perfectly legal but are you nuts? How do we embed that in stepping back and saying okay, lawyers have technically signed off. Everyone technically signed off. But this is a crazy thing to be doing. One positive step is adding someone like Richards and an office to support her within the agency. I think that's one way. So you have people not just thinking about the law but people who say, understand legal clearance is taken care of but I still have the oh, my god response. Are you allowed to refer to God at a hearing? Free speech. Can you say what you want. Nervous about that.
So the club, there are rules not necessarily identical but outside of the agency, there is where I would say, though this may reflect my naivete, we would have secret law. So if one thing is interpreted to mean the opposite, that someone would feel the need to signal that as opposed to going out of their way and say no, it doesn't mean what we think it means. It means only what you think it means, so we would build in avenues for transparency about the law. So that at least we all knew what the rules were going into it. And I think that's a huge problem when the law itself is effectively classified because of the way in which the interpretive process works. I'm sure Jorge Posada, can just jump under on that. Engineers and technologists think of things as does it work or not work. Not because they care about the civil liberties, they live in the world they create