
Congress. For example, the USA Freedom Act and similar initiatives. You have as part of that also the proposal to create an advocate of some kind,e. Here again, an attempt to influence or affect what are the rules that the intelligence agencies are expected to follow. And then a different part of that question is, what oversight mechanisms, what assurances do we have that the agencies are following the rules? And you are part of that. I mentioned the congressional committees, and then all the layers within the executive branch itself. So I think, I hope, that the public discussion has been shifting a bit from whether or not we're following the rules. I think what I perceived in the public discussion is a greater acceptance that we're in fact trying our best to follow the rules. We're not perfect and we make mistakes. But we're trying to follow the rules as best we can. And now that the discussion has been shifting to what should those rules be? What are the rules? And what should those rules be? I think we can and must provide greater transparency into both sides of that equation and we're working on that. I would also say that another thing that I know the board has been pursuing, which is the recommendation that the board made in the 702 report regarding efficacy. To what extent are the programs effective and to what affect do they provide value is a key part of the transparency equation. We have to figure out ways to identify the specific value associated with particular programs and activities and then be more transparent so the American people can render a judgement on the need or desifo. The Intelligence Community is not built for transparency. It's built for the opposite, of course. We train, provide policies and systems and reminders to our work force of the importance of maintaining secrets, the sources and methods that the Intelligence Community uses. And this is vital. We have to do that. We're reminded of that need all the time.
But at the same time, we have to find ways to enhance transparency. It's going to involve some changes in culture, training, a look at policies and processes within the Intelligence Community. I know you may want to ask questions about that. I look forward to that discussion. Thank you again. I appreciate it.
Turning now to Erika Brownlee. She's the Chief Privacy and Civil Liberties Officer of the Department of Justice. In that capacity, she is the principal adviser to the Attorney General on privacy and civil liberties matters affecting the department's missions and operations. As part of the Office of the Deputy Attorney General, Ms. Brownlee oversees the department's privacy and civil liberty programs implemented by department components and component privacy and civil liberty officials. She reviews and evaluates department programs and initiatives and provides departmentwide legal advice and guidance to ensure compliance with applicable privacy laws and policies including the Privacy Act. Thank you for coming.
Thank you. Thank you to the board for inviting me here to talk about what is a very important topic. You asked about private sector experience and other government experience. I also come from the Federal Trade Commission, which in particular the Division of Privacy and Identity Protection, which the Federal Trade Commission is a very different orientation toward the commercial side of privacy but nonetheless an important perspective and an interesting one to bring this to position. Counterterrorism is significant part of the department's mission. Since my colleagues on the dais will be talking from more of an intelligence lens, I thought I would orient my remarks towards the department's efforts to fight terrorism from within the criminal law enforcement context. The department has an elaborate architecture that protects privacy in our counterterrorism work.
Since I only have a few minutes, I will focus on the lead agency and those efforts, which is the FBI, and focus in a little bit more on the efforts with their counterterrorism activities. But stepping back for a minute, of course, as we know, off 9/11, it was recognized that in order to address the current threat environment the FBI's functions needed to be expanded. But it was not intended that the expansions would come at a cost of civil liberties. So in 2008, the department issued the Attorney General Guidelines for Domestic FBI Operations and later that year issued the Domestic Investigations Operations Manual, and combined those two documents provide significant guidance for FBI activities. But what I wanted to talk to on, I know I don't have enough time to get too far into the weeds, is just to explain how privacy sort of is imbedded throughout the stages of an investigation from the initial phase throughout the process. So, for example, one of the key tenets of both documents is the least intrusive method. So in other words, in any activity that the FBI engages, that's the baseline. Within the counterterrorism context, it's calibrated against the threat to national security, in which case more intrusive methods would be used. But in terms of a little bit, a little bit more detail from an operational context, when an FBI conducts an assessment, for example, which necessarily, not necessarily, but often times is proactive, that would involve, doesn't require a factual predication but it does require a clearly defined objective. The least intrusive methods in that context would be even starting with publicly available information to voluntarily provided information in that perspective. And then moving up from there, with regard to predicated investigations, which, of course, by which implies their title. They require a factual predication to open that investigation but that has to have supervisory approval.
And both types of investigative activities, whether assessment or predicated investigations, require or are subject to oversight. Alex mentioned DOJ oversight on the intelligence side but also on the law enforcement side of counterterrorism. The National Security Division has oversight authority for those kinds of activities. Now, Beth mentioned and asked us to talk about or think about how this apply. If you are looking for the acronym, there are lots of them in documents. It's not actually in the AGG-Dom or the DIOG. They are imbedded throughout the principles. If you think about even just from a transparency perspective all that I'm discussing with regard to the DIOG, all 700 pages of it for light reading for anyone interested, it's on the web with certain redactions. But also we have privacy impact assessments that are available. One that I wanted to mention in particular regards is the eGuardian system, because that is a specific system or incident reporting system that is designed as a platform to share terrorism-related information across law enforcement, federal, state, local, tribal, territorial jurisdictions. So eGuardian. I don't have time to go into much detail about it. But it has an entire architecture privacy protection regarding how things are shared across entities, how it is stored and how it's retained. Individual participation, that's more of a challenge in a law enforcement context. It's not realistic to be able to obtain individual consent for in order to pursue criminal investigations. But nonetheless, the Privacy Act provides some measure of review in the sense that if access or amendment to records is denied, there is judicial review of an agency's decision and subject to court order records may be amended or access may be granted. On the minimization side, I mentioned the least intrusive means already.
There's also a prescriptive measure in the DIOG with regard to evidence collected, that if the evidence collected through an assessment or through a predicated investigation has no foreseeable future evidentiary or intelligence value, it should be returned and destroyed and then marked in the file. In terms of the disposition of that piece of evidence. Otherwise, information is retained according to the schedule set by NARA, the National Archives Records Administration. And it proved through which Department of Justice would seek approval for. With regard to use, I think that's also a challenge. On the criminal side, of course, willful disclosure of protected information under the Privacy Act are not something that any agency can exempt themselves from. And to the extent that information is released that's not subject to a routine use or other permitted disclosure, and, of course, routine uses are subject to a compatibility standard that tracks language. If the information is disclosed or even shared in violation of that, that's potentially a wrongful disclosure subject to not only civil damages but criminal penalties. And then, as in terms of accountability, I mentioned oversight from the National Security Division but also the FBI has the National Security review, National Security Law Branch, which conducts national security reviews. And that's a significant review process in that they go out to all of the field offices and review the investigative activities I mentioned, the assessments, the predicated investigations, and look to see whether, in fact, supervisor approval was obtained, whether there was a clearly defined objective for the assessment. And it's written up into a report. That report actually comes through FBI channels, of course, but then also comes for review by the Chief Privacy and Civil Liberties Officer. And I look at those, obviously, through a privacy and civil liberties lens. As Alex was mentioning, there's lots of layers that are applicable.
I know I don't have much time remaining. In my, in conclusion, I guess I would like to leave you with a couple of takeaways. One is that FIPPs, quite to the contrary of certain statements, is not dead. It's just imbedded. I would also say that the processes can always be improved. Certainly, I work with the components d s there are ove in DOJ. Each has a senior component official for privacy. I host regular meetings. We're having a privacy forum next week that will cover privacy related activities focusing on law enforcement but other components as well, activities, common privacy issues across components. It is internal. None of you are actually invited unless you happen to get a job by Monday. At the DOJ. That's also something that is a way to improve. I would also say that while privacy impact assessments are very important and a critical part of a program because they're this tangible proof that we actually evaluate privacy, that we mitigate the risks, that we take into account security and accountability, they really only form a part of the architecture for the Department of Justice's privacy program. I welcome your comments.
Thank you, Erika, for that nice education about the FBI's operations. Becky Richards is the National Security Agency's Civil Liberties Privacy Officer in this relatively new role. I think it's fair to say. She provides expert advice to the director of NSA on all issues pertaining to privacy and civil liberties protections. She conducted oversight of NSA's civil liberties and privacy activities. She developed america you are se security. She worked as the senior director for privacy compliance at the Department of Homeland Security. Thank you.
Thank you for hosting us. I am very honored to have been selected to be the first NSA civil liberty and privacy officer. This is an exciting member to be a member of the civil liberties privacy community. Our community is growing and evolving.
Changes in the nature of the threat to our national security alongside rapid advances of technology, as was discussed earlier, make my job both interesting and challenging. Technology provides us with both opportunities and challenges, but ultimately we must guide and shape its use to ensure the fundamental rights we hold dear as a nation are maintained. I would like to describe our programs both in of the past, present and a few thoughts on the future. Part of NSA's mission is obtain foreign intelligence worth knowing derived from foreign communications in response to requirements and priorities validated and levied upon us by the executive branch. One is counterterrorism, but there are other threats to nation as the spread of nuclear, chemical or biological weapons or cyber attacks. NSA works directly with and supports our troops and allies by providing foreign intelligence for military operations abroad. It's important to think about how the threat, technological and societal landscape in which NSA conducts its mission has changed. First, the threat has changed. NSA previously operated in a Cold War era when the focus of collection was directed at nation states, structured military units and foreign intelligence services. Threats remain from nation states, they now also come from nonstate actors, which require NSA to look at more smaller and decentralized targets to protect the nation. The technology has changed. NSA previously operated in an environment where the communications between foreign intelligence targets were conducted over isolated government-owned and operated communication channels and equipment. Now foreign target communications are interspersed with commercial and personal communication.
Additionally, the volume and ability to analyze and manipulate big data, which occurred as a result of significant advances in information technology, can expose information of a personal nature that may not have been previously discoverable and may not be of any interest. Third, how society thinks about civil liberties and privacy have changed. We have come a long way in thinking about what ought to be private. Personally identifiable information was not a mainstream issue 25 years ago. For example, Social Security cards numbers were put on student I.D. cards. There was no thought of HIPAA. Executive Order 1233, Foreign Intelligence Surveillance Act, this is a natural framed NSA's protection program by asking where and how the data was collected, usually overseas, and the status the individual or entity being targeted, is it a U.S. person or not. NSA is consistently conducted legal analysis as it considers new types of collection answering these types of questions. It has built a strong compliance program based on these with compliance activities imbedded in our technologies and systems. As I have learned more about NSA and its compliance, it became clear while this is one way to address privacy concerns, it is somewhat different from how privacy concerns are addressed outside of NSA. Over the last 15 years, Congress has passed a variety of laws to protect privacy and other parts of government in the commercial sector. These policies and laws focus more on the nature and content of the data, not where it was, the nature and content of the data and where it is used, not where it was collected or the citizenship of the individual. I believe we have an opportunity to bring together NSA's current civil liberties and privacy analysis. This supports the President's PPD-28 mandate to recognize our intelligence activities must take into account all should be treated with respect.
To address a broader set of civil liberties and privacy interests, I'm testing an assessment process to include consideration of frameworks the private sector and nonintelligence element of the government use. For the first time in its history, NSA is using the fair information practice principles for considering civil liberty and privacy. It can analyze protections they have in place for personal information. While traditional NSA civil liberties and privacy questions center on citizenship and location of foreign intelligence targets as well as collection techniques, questions boil down to follow the data, data means privacy officials ask a different set of questions. What is it being collected and how will it be used? We have designed a standardized template. We will refine the questions and process to ensure we are building a repeatable, meaningful and helpful process to identify and mitigate civil liberties and privacy risks. A critical part is to make sure we're not merely checking off boxes but weighing the risks associated with the activity to form a holistic proposition. In essence, we're asking, should NSA conduct a certain activity? As part of the assessment process, NSA is documenting standard protections and controls on who has access as well as tools to protect civil liberties and privacy. Much like in the private sector and the government, we are using this as a basis for analyzing what protections are in place. As we look to the future, I want to think, I would like to spend time talking about blending the art and science of privacy. Historically, privacy tends to be an art form. Several of us standard and think about how we're going to do the analysis. This can be difficult whether we're beginning to think about big data and the complexity being discussed this morning. NSA is a technology centric organization. We have and will continue to contribute to advancing the discussion and research of protecting civil liberties and privacy.
The science of privacy has made it strides that include developing technology and tool that provide privacy. Great work is being developed on coding privacy policies such that technology supports all specific uses. Civil liberties and privacy protection need to blend art and science of privacy if we're going to harness the potential of technology. Despite significant progress in privacy technology, basic privacy principles founded in strong scientific basis have been elusive. If we can better understand what constitutes personal information and how it is used, we believe it will be possible to develop, to determine whether we can develop more practical approaches to evaluating the risk of privacy to the individual. To that end, our initial thoughts are develop a five sequential building blocks. To introduce the concept of some very difficult math into what is otherwise a very nice liberal arts discussion of privacy, the first one is to categorize personal information. We would like to determine if it's possible to identify and categorize different personal information and what that risk is to privacy. We have heard different discussions today. We want to push folks to think about certain type of data more risky to privacy, health data, than other information, say your address, and can we think about those risks? If we can do that, then next we would like to determine if it's possible to identify and categorize different types of use. If we take both of these together, it's possible to develop a categorization of personal information and uses of the personal information. It should be possible to develop a scientific process to assess risk. This process could evaluate the risk of individual personal information for different uses.
With these three building blocks being more of the scientific aspect, I would now suggest we would move to an art form that looks at how we build that to identify what needs to have additional privacy analysis so we're looking at that across the board. With all four of these, we would look to see if we could build a responsible use framework that holds collectors and users accountable for how they manage data. Building a technical means based on principled scientific methodologies to support the identification of civil liberties and privacy risks can help us protect it in a fluid world of big data. Success is dependent upon input from a variety of disciplines, ranging from technologists, social scientist, toeshs and computer scientists to name a few. We would welcome the opportunity to discuss this in more detail and greater technical depth at a later date. I thank you for the opportunity and I'm happy to answer what I'm sure are a couple of questions.
Thank you all for your opening remarks. Becky, I want to stick with you for a second. When we go and meet with you and when we talk to you, there is frequently someone from the General Counsel's Office, from the compliance office, someone from your office. What are you doing that is different than the General Counsel's Office and a compliance shop?
That's a great question. The Civil Liberties and Privacy Office is the focus point. It has been brought to a senior leadership position to focus on those efforts. Generally speaking, our general counsel will answer the legal questions. Is this legally permissible? They will often work with compliance for what are the rules. We haven't had a person asking some of the more difficult questions of should we be doing this. Frequently our oversight folks, whether od fl a and donw playing that role. I don't want to take away the idea that those questions weren't asked.
But it's really important to have that type of a role inside the building where you are working with the operators and the technologists and could spend a great deal of time understanding what we're trying to do and bring to bear those questions.
Erika, similar question for you. FBI, for example, has its own privacy officer, has its own general counsel, has its own compliance shop. What is your relationship and what is your ability to provide recommendations or to actually impose requirements on the FBI?
So also a very interesting question. My role and position is departmentwide. So, of course, I have oversight over the compliance for DOJ as a whole. Even component has the senior official for privacy but in addition has general counsel office. So at FBI they have their privacy and civil liberties unit headed by a chief. I work quite significantly with that person in that office to specifically address compliance issues, to specifically address privacy initiatives that I feel are important for the bureau to consider. Ultimately, it is somewhat of a reporting structure. In other words, if there's a recommendation or a particular policy or statutory obligation, FBI has the responsibility to comply. But part of what my job is to advocate and make sure that that is occurring on a regular basis and that there is, and that looking for ways I can improve the process. I talked about privacy impact assessment. Some of that was, if you look at the government act, it's written broadly. I take a particularly broad view of what I think should have assessments as part of compliance there. So that's what I work in particular with FBI on.
Alex, a related but different question for you. How do you ensure that you have, how do you ensure that you have access to what various agencies are doing, or do you find yourself reading about new programs, alleged new programs, on the front page of the New York Times?
I'm surprised by that question.
Information sharing is perfect everywhere in government.
I'm seeking free advice. One of our biggest challenges is going to be knowing what the agencies are doing. Can't conduct oversight of something you don't know is happening.
Right. I think that is a major challenge for all of us. I know as you said it's something you are focused on. I know it's a challenge for everybody. It's a matter of how, first of all, understanding the information flows within your own agency and trying to put in place markers for where it's important for you to be consulted. The main way that I have practically done it since I have been doing this for a decade, and when I first started it was me and then we built a small staff over time, has been to form trusted relationships inside the Intelligence Community. And to make sure that the people that I'm working with and that are in positions of influence and authority to make decisions on programs and activities understand the importance of consulting with civil liberties and privacy professionals. My own personal experience working within the Intelligence Community, when first joined I was surprised people were so focused on compliance, on protecting privacy and civil liberties, doing the right thing, following the right directives, and even when they might fear legally permitted to do something, they still gave voice to their own doubts as to whether they should do it. I did not experience an uphill battle in trying to persuade intelligence officers, it's important for you to pay attention to civil liberties. It was the opposite where many felt it was their job. You mentioned Office General Counsel. I was at an office of general counsel before coming to this job. We felt when I was there that was part of our job. We needed to look out for privacy and civil liberties. What should we be doing in the light? I didn't want to take away that sense of responsibility from anybody inside the Intelligence Community.
My approach had always been, it's all of our jobs, it's part of our oath to support the Constitution. There are intelligence oversight offices. There are, now we are creating civil liberties and privacy offices. It's our job to focus on civil liberties and privacy so we bring an external perspective. We have experience that we can bring to bear. We become a voice, an internal advocate for civil liberties and privacy. I don't have, I think different agencies will find different ways of doing it. ODNI is a small organization. It has mechanisms for understanding what's going on across the Intelligence Community. When a particular program or activity bubbles up to the point of a decision, either it comes automatically through my office or somebody will understand that I need to see it and route it to me.
A followup particularly to you, Alex, and Erika, but both of you have fairly small staffs considering the breadth of your responsibilities. We talked this morning about the increasing technological complexity of what you are assessing. Do you have the technological resources to understand what systems are actually doing? I think that is both in terms of assessing on the front end whether systems or programs should go live or, to the extent that there are restrictions, for example, if they put a restriction on a particular program, ensuring that those restrictions are actually functioning.
I think it's a good point. As I mentioned earlier, oversight is, there are a variety of roles in the department that have oversight with, particularly with regard to counterterrorism. My office is fairly small in the sense that given the large footprint of the Department of Justice. But they work incredibly hard to ensure compliance. We rely quite a bit on internal component work that is done to produce information about what the privacy compliance is and then also with regard to auditing and making sure that the privacy activities are actually effective.
But I would also say that some of the oversight, to stress that some of the oversight isn't just through my office. It's National Security Division and FBI also has their branch. So we work very collaboratively. Like Alex, I have found that within the department there are a lot of people who care very deeply about these issues. It's not specifically in a privacy role with as a title. But they have oversight and I think meaningful insight as to what, how the activities should consider and be consistent with privacy initiatives. It is something that I take into account. That's part of the reason why we have these internal conferences and whatnot that I'm trying to do to build upon that.
Alex, what do you do to make sure, the old adage is trust but verify? What do you do to make sure you actually understand the programs and the systems?
Right. So it's a variety of things. One is, although I'm not a technologist, I have been dealing with technology law and legal issues and privacy issues with technology for much of my professional career. At Marriott, I was a lawyer there. And then before that, I was at a law firm in D.C. focused on large-scale technology transactions. That doesn't make me a specialist in technology. It does enable me to ask the right questions and make sure that if information is explained to me, I don't have the staff resources to engage a full-time technologist. I think that would be helpful. I do think that you have to be a little bit careful with that, because what you really want in essence is a technology generalist. There are so many different aspects to technology as you know. That's just a word that almost lacks meaning these days, because we use it so frequently. What NSA does for one particular type of activity will differ significantly from what FBI does, will receive ediffer from agencies. You have database issues.
You have surveillance technology, understanding communications technologies, understanding all kinds of different aspects to that issue. And then, of course, the engineers and technologists as we know speak a different language from lawyers. So sometimes it's hard to, for everyone to speak to each other. What I have been doing is making sure that the information is clearly presented, that I see the documentation, that I personally understand it, that I trust the people who are providing me that information are giving me a complete picture, and then I leverage technical experts in the field that we have access to within odnio through the agency. If something comes up that we don't understand, we can reach out to somebody to help, have them help us understand it. With a larger staff, I would try to have more full-time technical expertise.
You mentioned you have a couple of experiments going. You mentioned new technologies that may or may not be available. How are you working with the private sector to leverage what great thinking is going on, and is privacy a part of the procurement process, for example? Has consideration been given to that, that if we really want privacy to be from the ground up, should it be one of the procurement factors?
I will start with the procurement. I started with that because that's how we were doing things at DHS. It turns out NSA is a technology company. It has a huge research portion. Also has a huge technology division. It's two parts. I have a technical director on staff who is here. He and I have been working through sort of how do we think about the, how do we look at both what's out in the world. So we're working with several different groups within NSA to do an initial review of what is out there right now.
And they are conducting that right now so we could get a sense of both from a policy and technical perspective what's going on as opposed to things we may know from knowing different people, whether it's activities going on at MIT or Carnegie Mellon. So they are doing that. We are working on that. Then we're working with research folks and trying to leverage those things. I think that's, each agency has its own culture and its own aspects. So a lot of what have I been doing is taking the learning and sort of shifting it to make sure that building the program within NSA works for how NSA works. So that doesn't, that means that our privacy program is going to look different than FBI's or others. It's based on how the organization functions and where the key decisions are being made. So we're working through that. But it turns out procurement isn't the right place. We're looking through in terms of technology and research director and others to make sure we understand where those touch points are. That's why we're beta testing the processes.
I think I have time for one last question before I turn it over to my fellow board members. Alex, this is for you. You pointed to congressional oversight as one of the things that the American people should be aware of, that this is happening, it's robust, it's real. A previous panelist pointed out that there is potentially one significant flaw or challenge with congressional oversight, and that's the lack of cleared staff. What is your perception? Has Congress, I'm going to ask you to opine on Congress. Whether consideration should be given to broadening the range of individuals? I think there's some comfort level with, someone called it delegated oversight within the Congress. But when some significant majority of decision makers in a representative democracy don't have cleared staff, how is the oversight nonetheless sufficiently robust?
The intelligence oversight committees have very substantial cleared staff.
They have, of course, have secure compartmented areas. We have meetings, briefings and reports with our committees. My First Response is as a matter of principle, yes, congress should have the degree of staff cleared it needs to assist it to perform its oversight functions. I think the Intelligence Community assumption had been by clearing staff of the oversight committees that that was that function was being fulfilled. I think some Staff Members are cleared for some of the other committees. I dont have all of that information in front of me. I believe judiciary has cleared staffers. Whether or not thats enough staff to be cleared, i dont know. I think congress it would be, from my personal perspective it would be helpful if congress figured out for itself which committees are performing which function and which Staff Members need to be cleared to oversee our activities. I would support a desire to make sure that there are enough cleared staff to perform oversight. Absolutely. Transitioning to the member questions. While this is happening, a reminder there are folks with cards, if you have questions that you would like to submit from the public. To keep everyone on their toes, this time im going to start with pat. You may be sorry about that choice. I might not be. They might be. This is somewhat of a loaded question. Its one thats sort of in the backdrop of so much of the work we have done and will continue to do. I laud all of your attempts to inject privacy into all the various phases of intelligence. 
But drawing upon what some of the people in the first panel said this morning, let me just pose sort of a question that, for instance, several of the Panel Members thought collection was a primary focus of trying to enhance privacy interests by limiting collections somewhat and leaving apart any debate about whether collection by itself is can be thats a collection might also when you get another expert talked about the risks to privacy from aggregating data. We found out in the 702 report we did, we got to retention of data. The analysts might look at it and say, i dont see any foreign intelligence purpose to this piece of data that came from an innocent person who is not the target. But its conceivable there might be one down the line or some other person i dont know about. So, therefore, ive got to bend to make sure that the security it seems to me one of the basic problems here will be whats the Tipping Point . In other words, assuming good faith on both sides, there is a National Security issue when you have to make a choice between privacy and National Security. The real question is how much and at what point . When we were doing 215, we were told many times we need a big haystack in order to find the needle. The bigger the haystack, the more likely we are to find the needle. But, of course, a policy judgement has to be made at some point. At this point, yes, were going to lose some National Security things, but privacy is more important. I want to know what your thoughts about how that fits its basic policy. But it comes up in every program that we look at. How its made or how it should be made, even at the most general level. You can all take i will start. I will offer some general observations. I think on the collection and use and retention point, i would say that its very important to look at each phase of that. Thats how the Intelligence Community structures its determinations in many ways. Its collection and retention and dissemination. 
On the collection point and aggregation. So theres no question if your concern is to protect privacy, the better way to do it you are worried about what the government is going to do with your data. Its better for the government not to have the data. Thats the best protection. If the government doesnt have the data, there is no risk to privacy from the government because they dont actually have it. Thats why i think its appropriate to focus on collection. Once a determination is made that the government really needs this data in order to carry out an important function, then your shift is to retention. Let me interrupt you. Im sorry to do it. Its an old habit of mine. Yes, your honor. When you say really needs, thats where we where it hits the road. Sure, its going to be useful. So where the line is between something thats useful to you. But more of a privacy risk and this is really necessary because we know its in different situations. Thats what it always seems to sort of come down to. Im wondering if you have thoughts about how that which is a i would this is where before we you used the term Tipping Point, which i think is a very helpful term and sometimes people think of this as a balance or a scale. The way that i think of the balance metaphor as it might apply here is not that you are saying, well, that tips it over here, so therefore, were going to do it. To some extent, that happens. The way that i think of it is that if you are going to do something new, a new or different collection program, you ask the following questions, is it lawful . It has to be lawful. Is it justified . What is the purpose . Going to a whats the purpose for it . Is this collection focused on a valid purpose that we feel should be pursued . Is it important to be pursued, whatever the phrasing must be . Is your activity tailored to that purpose . Are there less intrusive ways of doing it . Is this the appropriate way to go about doing it in terms of obtaining this information . 
And then what are the risks to that sort of going to the other side of the scale . And i think if how do you guard against those risks . How do you mitigate those risks . This is the way that i have always thought of it. It fits into some models. It fits into privacy impact models. If you look at that overall picture, you can then it helps inform you. You have the art or science side. Becky can tell us which one that is. It helps inform the decision about whether this is the right thing to do. You have to look at that totality. If you do one program while its lawful and we think we need it, now you cant figure out there are risks, but you cant figure out how to mitigate those risks, it will tell you about the overall risk of doing the activity. Alex, were im sorry. Is there something specific you want to say . We have been asking some different questions to try and tease out this conversation as we go through different programs. The questions we have been circling around, which are a little bit different than is it lawful, is more is what is the type of data . How intrusive is the data . How broad is the collection . In other words, am i obtaining a lot of people who are sort of an incidental collection . What are future uses . Weve been using those three questions. To get an overall risk is we want to start the government from doing bad things to good people. And so, you sort of looking through those different lenses, it helps us do that analysis. So thank you. David oh, im sorry. Just because you wanted i know. I was just going to sort of follow up on the comments in that. That i think forcing mechanism of trying to do, of having ongoing vetting and ongoing evaluation by the right people is where to go because youre looking for sort of, you know, the meaningful relationships and developing those as opposed to, you know, retaining the isolated pieces. So i would just say trying to force that mechanism of ongoing vetting is really important. 
One of the reasons for having the forum today is to get an understanding of what privacy interests are being protected by your offices and our agency. And alex and erica both have been in either the private sector or ftc at a private sector focus. How would you compare the privacy interests were trying to protect with prior interests with respect to now . What are the similarities and what are the differences . I actually think there are a lot of similarities. But there are of course important differences as well. On the similarity side, i think, and i think Privacy Officers and people in all kinds of organizations be they private sector or other Government Agencies share a similar challenge or problem set which is your organization wants to do something either for a Business Purpose or for an authorized statutory purpose. In order to do that you need information. And for businesses typically information about customers or potential customers, and then you want to do something with that information to carry out your lawful activity. So, its, its a given that your organization will be obtaining and using personal information in many cases. And so the Privacy Officers challenge is making sure that that activity is conducted in a way that maintains your key trust relationships. There are different ways of framing it, but i think thats generally speaking what happens. And so for a business perspective, what you want to make sure youre doing is delivering value to your customer and that youre not using that information for inappropriate means or ways that are going to essentially get your customer upset and have your customer take his business elsewhere. 
I think for the, and so a lot of those things are similar, i think that the key to sanction for a business is of course that, it has the ability to disclose a lot about what its doing in terms of obtaining that information, and the value that its providing, is also something that gets immediately, should be immediately apparent to the customer. To the extent that the value is further down the chain and the customer doesnt see it that much, but is aware its being collected. That impacts the trust the customer has with the business. I think from an Intelligence Community perspective, its hard to demonstrate the value. What are we doing with the information . And so as a result when people are worried about information being obtained by the Intelligence Community, they dont, the value to them seems inchoate, but the risks seem real. My freedom could be impacted if the government misuses this information. We can ensure people, we are making sure that the information will not be misused, but i think we need to do a better job of that, but i think the other side of that equation that we have to show what were doing with the information. And of course for intelligence agencies, some of the most tightly held secrets are the Successful Use of intelligence. Because we dont want adversaries to know that that method was successful. So just to quickly answer your questions, i was also in the private sector at a law firm and practicing privacy, but heres where theyre similar. Whether its clients or even from a government perspective, people tend to be reactive to privacy. And one of the things that i find the biggest challenge is to be proactive. And it means sometimes taking on popular positions, whether its with clients or internally within my organization. 
And but sort of having principle reasons for doing that and if not forcing putting, you know, very strong arguments to do what you think is the right thing, i think, is where its similar and where its hard, but interesting. Becky, you talked about categorizing information as being sensitive. In our prior morning discussion, there was talk about the mosaic theory where there may be individual bits of information that are innocuous in their face, but in combination they present a profile or someones activities, thoughts and so forth. How do you, how do you do you lose something if you focus on what seems to be Sensitive Information and not take into account that the potential combinations of information . So actually the goal is to take into all those combinations. The idea and where weve been looking at is its very difficult. You know, we want to push folks, and i will say that this is an uncomfortable place to be as a privacy person. This is where im like it itll depend, but if we look at where big data is today. There is a lot of data, and its very voluminous and there are a lot of discrepancies. If we can start to define which is what we heard in the second panel. And this is where i think were going to try to push nsa is if we can start to define and put mathematics behind it so that if for example you have, vaguely anonymous or slightly data over here and over here, and the computers start to put them together, we would want the system to then pop something to say hey, look at this before you decide to go forward. So the idea is technology is supporting the privacy analysis but looking at whether or not the map underneath it can work. So youre going to have to make hard choices. Do i think health data is more risky to privacy than my address . 
Then you have the violent, you have the violence against women or something along those lines, but at some level, if we deal with only those edge cases, were not going to move forward, and i think that the value that we will be losing some of the value both from a privacy perspective as well as from a technical perspective because were sort of in this art form of looking at each individual case, which i recognize at nsa, im not going to look at every single little thing. We want a system to be able to identify the things that need additional analysis and that need that additional judgment, but what i dont want to have happen is where the system is doing things that we will find unacceptable because we didnt build something in to help with that. Thank you. Thank you, rachel. Thank you all for lets see here. Thank you all for being here. For those of you who have been here all day, youll know that this is a little bit of a hobby horse of mine. But i want to ask about the fipps, and why you are purporting to apply them although you cant apply them. I gather and miss richards, this is directed to you initially. And i commend you for publishing the paper on targeted collection under 12333 and you said that you were applying the fips, and i gather you were talking about the 2008 iteration of the fips, but then you said, for example, the individual participation fip cant really apply to your activities, and the transparency one can apply in a very limited way. I guess, im wondering whether it doesnt make sense to come up with a new set of principles that applies to surveillance of the government . Because if you look at dhs fips, the transparency cannot apply because its talking about providing notice to the individual, regarding collection. Thats obviously not going to take place. Individual participation cant apply at all. Correct. Some are very, very important. 
Specification is important, minimization is important, some are important, but, yet, this doesnt at all address things like thresholds, evidentiary for collection, which are required obviously by law, but if youre talking about those that are supposed to sit on top of the legal requirements, you should talk about thresholds, and there are other principles that dont come into play here. Id be interested in knowing why you decided to apply the fips and if youve given some thought to come up with new principles. I dont mean to criticize this for dhss purposes, because dhs has voluntary interaction with the government where this makes a lot of sense. But youre in a different position than that, obviously. So i think its i guess what i would say, its a beginning place. And ive stated that a couple of different times, because i wanted to start with something. And so, from my perspective, i guess i want to take the parts that work well which would be basically the bottom six of the dhs ones, and then look at how we can work those through. What i would say, sometimes theres analysis that needs to be done at an enterprise level. So its useful for me walking into the agency, which may become, be readily apparent, but it was useful to go through the process and say hey, here is one framework that we think about for privacy, and as an enterprise, we dont do the first two, one of the questions that led me to ask and some of the conversations ive had with academics and advocates is we dont do transparency in the traditional sense, and we dont do individual participation. Is there some proxy . Is there some additional thing that we should be doing given that . And i think that gets to your question of well are there other things underpinning these . And thats where were working through the questions. And so i think it was very beneficial to start with that as the beginning one. 
And then use the question, use the remaining six principles as the basis for in of these questions. Part of the problem, though, ill tell you with the fips is they dont give you a judgment. This is good enough or thats bad enough. Thats to your evidentiary purpose, and thats the place we are trying, then to look at the data. What are the risks to the data . We spend time talking about what the exact risk to the program to privacy and Civil Liberties . Were still working through those, and having a lot of really fun and intellectually stimulating conversations about what are the right questions and how do we do that for an Intelligence Agency . At nsa. I would just say for us it was a beginning place. I dont think that its necessarily the ending place. But it was a place to start. I didnt want to throw everything out and start with, i dont know, you know, you have to start somewhere. Okay. Did the other panelists want to say anything else about that . Can i would just add that even though the first two do not directly apply, certainly not as written by dhs, they provide useful measures for us to determine to what extent does this raise privacy issues and in what areas . I think thats very helpful to use as a guide in the way that becky has been using nsa. I like the idea of developing a statement of principles that would apply to the Intelligence Community. So ill take that back. I think i probably dont have time for another question, but i would just suggest if youre going to engage in that exercise, that you look at the threshold question, and you also look at oversight, because these, you know, they talked about accountability and auditing, creating a paper trail is not the same thing and obviously as i said in the previous panel, its extremely important in this context, just food for thought. I think its important that you dont have a check box. I mean, part of the, part of the problem i think with the fips also is it lends itself to a check box statement. 
Yep, privacy statement. Okay, am i doing everything, okay, i can do that. As opposed to questions like, should i be doing that . Thats where having an individual at the agency whose focal point is this benefits the agency because it can quickly devolve into, i checked it off. Im good. You have no privacy. But im good. And i would just say that oversight perspective has to also be changing because i think as Technology Allows us to, you know, collect more data in different ways and different data points that the oversight of it is well, has less meaning if youre not also adapting on that side as fast as we are adapting to the technological changes. Did you have questions . I would have some, thank you to the members of the panel. I would have questions that i want to ask, but there were a lot of audience questions and was there one or two that stood out particularly . Technically we only have five more minutes left on the its one thing to build a server that resides where you have full control over the actual device. This draws on the previous panel. Why cant the ic inform the American People about how many phone records were collected pursuant to section 215 . And make similar Public Disclosures regarding the breadth of u. S. Person collection under 702 and eo 12333 . So the executive order. Understanding that youre not targeting necessarily u. S. Persons, but the u. S. Person incidental collection . So thats a good question. I dont want to duck it. I will say, im going to in a certain way. But, no, i dont want to i guess im not getting into the specifics of like 215 or 702 et cetera. What i will say is there are two challenges. I understand the interest and i understand the importance. One is technical capability. Can you in fact count it . And for some things, some activities, you should be able to count. 
But for other ones, they inherently involve challenges, and i know that one of the pclob recommendations in the 702 report was in fact the account of some of the 702 collection that involves u. S. Persons. There are inherent challenges in doing that. From a National Security perspective, what ill say is what i have heard internally as we have pursued these kinds of questions is that providing that kind of information can in fact put at risk some kinds of collection because especially if you track it over time. An adversary can put the information together in terms of a volume of collection in one particular area and draw conclusions about what specifically is being obtained. What are the specific channels that are being watched and therefore change behavior. So our job from a transparency perspective is to continue to discuss that internally and see well, are there ways of mitigating that . What can we in fact disclose because of the strong interest . So erika, ill direct this next one to you because you mentioned that part of the Civil Liberties and Privacy Protections are consequences for wrongdoing. So the question is in the case of privacy violation sufficient remedial measures are critical. What, if anything, do you think needs to be done either statutorily or administratively to strengthen existing remedial schemes . So, yeah. I do think that the remedies for privacy act violations or for, you know, privacy violations are you know, as i said in my remarks, everything could be examined and looked at for approval. I was focussing my remarks on fbi. So, of course, they have their own investigative unit. That reviews. So if there is any particular activity for that an agent engages in for example, that is, you know, collecting information in violation or specifically because the First Amendment purposes, thats subject to review and disciplinary action. With regard to individuals, i agree. 
We talked about how the fips doesnt really have as meaningful of really a guide for Law Enforcement either. I think it is not something that i can do but certainly it is has been attempted before to remedy the privacy act or to amend it. The administration is looking to expand judicial redress for nonu. S. Persons and dhs has a policy of doing so administratively, but i think statutorily it is a hurdle and it is something i would be willing to have a conversation to further that. Just to keep this even across the board. Becky, this one is for you. I think implicit in this question is a very interesting premise. Do you anticipate the wide swaths of data will no longer be collected now that you are asking questions about whether they are really needed and the Civil Liberties down sides . So i would say the premise is that it is your job to shut it down. Which i think is a widely shared premise, and i think the basic question is, do you think youre effective . So i think that also starts with a premise that the collection were doing currently is that starting with a premise that were collecting too much information today. And i think what i would say is that what were working on is sort of a premise so if nsa is filled with a lot of people who do math for a living, were in the process of third grade math which folks need to show what their work is. So they need to show why theyre doing what theyre doing so we can then have those conversations. I dont want to presuppose we will do more or less or either way of those. But i do think that what we havent done well is explain what were doing. And if you sort of consider the nsa has a long history of saying absolutely nothing to anyone and in the last year and half, weve had to create a voice for ourselves to explain what it is we do, and recognize that most people, there are a lot of Ph. 
Ds in math at nsa who dont necessarily take well to speaking in public, its a work in progress. And so, my hope here is not that not to be judged by how much we turn on or turn off but by demonstrating what the value is to the country in terms of what were doing and demonstrating that were protecting Civil Liberties and privacy. So thank you all for your remarks and your active back and forth on the questions. And well be taking a 10 or 15minute break. At 2 45 will reresume with the private sectors views on these issues. Thanks. Thank you. Thank you. 
Back now to the privacy and Civil Liberties Oversight Board with recommendations for oversight and technology for private companies in the federal government. Followed by a final panel on protecting individual privacy. Good afternoon. Thanks for everyones endurance whos been here all or most of the day. This is our final panel today, an Important Panel on, what the private sector learning about privacy and how that might relate to the considerations we go into with the National Security issues. And moderating, do you want to use that mike . Yes. Okay. All right. Thank you, david, and thank you to all of our panelists for being here. The way weve sort of structured the day is that the first panel this morning had to do with the theoretical privacy and what interests underlie privacy. The second panel had to do with technology, third panel the Government Panel and this last panel is supposed to be focused on solutions and particularly solutions that folks in the private sector might be able to suggest. So what well do here logistically is each panelist will start with up to seven mithts of remarks and for the panelists benefit, sam kaplan in the front row with yellow and red cards. When you hold up the yellow card, two minutes left, Pay Attention, and the red card meaners that your time is up. That point as moderator, i will ask about 20 minutes of questions and each of my fellow Board Members will have five minutes of questions. 
And then we will open it up to questions from the audience and as with the previous panels, when i start to ask questions, some of our Staff Members will stand up in the back and prim will stand up and hold up cards and you can get yourself a card. Write down a question and then the staff will pass it up here. So we will just go down the row and start with professor kate. Im not going to go into length on the biographies because i think they are all available to you. Professor kate is a professor at university of Indiana School of law, and hes been on a number of previous board and commissions on privacy and so professor kate, we will start with you. Thank you very much. This is the time i think to say that im color blind. So i will have no idea what cards are held up. Perhaps you will wave them in a definitive way and i will Pay Attention. So let me just first of all, im sorry not to be here this morning, but the last panel was absolutely superb and it is a privilege both to be here and i really want to applaud the board for taking up this, i think, really difficult but fundamental issue about what is privacy and how in practice might we go about protecting it within the private and Public Sectors. I want to really just offer some observations, as opposed to any specific, if you will, recommendations or conclusions. One, and this touched some of the last panel, i think the fips were frankly not tremendously useful. Im not suggesting abandoning them which is a big change for me. Ten years ago, a chapter called the death of fips, but unfortunately ive gained a little bit of knowledge here, but i think we used them almost like we can roll out these eight principles of depending on which list of fips you use or that will get us somewhere. And that far too frequently both in the private and in the Public Sector they really dont get us anywhere. What we end up is we end up just like talking about in the last panel looking for substitutes for the fips. 
We cant have consent, what could we have . Rather than asking what is the purpose to be served in the first place and maybe no longer relevant as tool to achieve that purpose. Rather, what are we trying to do here . Really, the question youve been asking all day. What are we trying to protect, what do we think protecting privacy really means . I say this by the way about the fips in part because im not sure that they have ever worked terribly well and certainly in the environment where they are largely noticed and im not sure that they work well in a world of massive data whether we call it big data or just high volume data. But the notion of a sort of fips like approach particularly with the focus on the individual when the broader issues are frankly societal. They maybe the impact on the economy. May be the impact on the Civil Liberties. Not of one person but everybody. I dont know that the fips help focus on the way and frankly the fips led to some silly results. I would just mention ive been surprised by example by the department of Homeland Security privacy Impact Assessment on border searches of electronic devices. Which focus a lot on notice as Privacy Protection. At the point that your device has been seized from you and its contents copied, it is difficult to think that notice is meaningful protection. It may be necessary but whether its protection or not, i think its not. Second point, one of the things we are seeing emerging in the debate in the private sector and we see this especially in europe and the context of discussing the general Data Protection regulation there is greater focus on Risk Management or Risk Assessment and Risk Management. I dont mean to use this because it is the jargon of the day but rather because Risk Management is an incredibly valuable tool that in the private sector we are far behind on. We have a clear idea what it means. Part of the reason is we dont know what risk were guarding against. 
We are very unclear what are the harms, what are the impacts, what are the negative effects we think we are balancing, if you will, of what are the positive outcomes of the use of data or what have you. One reason i think the Risk Management approach offers value in both the public and private sector is it makes us stop and say what is it we are trying to accomplish . What are the positive benefits and what are the potential negative impacts, not measured in terms of fips but measured in terms of actual impact on individuals or on society or on the economy as we think about it. When using Risk Management or if you hate Risk Management, in either case, third point, i think theres a lot of reason to focus more attention on use of data. And this has been a real weakness of the u. S. Legal system. Those of you who have suffered through law school know that Fourth Amendment has almost nothing to say about use of data whatsoever. In fact, you can have a legally seized data the court acknowledges is illegally seized, there would be no disincentive for the collection only the collection of the Fourth Amendment in Supreme Court juris jurisprudence has been focused on, and for this reason i think we really would be better to think more about reasonable and effective limits on its use. And i think thats what the public most commonly cares about. And one of the practical reasons is there is almost always a legitimate reason to collect the data. Theres always some employment reason or security reason. There is some private sector reason. You know, verizon had a reason to collect the data. And then the question was who could access it and how could it be used . But our legal system is focused enormous attention on collection and once the data are in the governments storehouse, then we feel that the data are more commonly out of control, and i think that is a critical area to focus on as well. 
Fourth, as i mentioned, i think the Fourth Amendment while a critical legal limit and i certainly incur thats yellow, right . Yes. Thank you. For the rest of you, you will know, i just got a yellow card. I think the Fourth Amendment is of course a critical legal limit and we must, of course, observe it. It is not a very useful guide for telling you what to do in the future. For a positive analysis of privacy issues. And i think we should again be careful about that. Too often in our rhetoric we say, its permitted under the Fourth Amendment, as if that tells us anything. Other than it is not illegal under the Fourth Amendment but it doesnt tell us anything about either the ethics or desirability or what have you of doing it. And fifth, i would just say, it almost all of these areas, and i understand in National Security this is particularly odd, i think redress is something we need to continue to focus on. We see many uses of data in the government setting and in private sector, which are done without regard to redress. With just sort of well, if it affects the person inaccurately every now and then, what does it really matter . We will deny boarding to people on airplanes or provide extra security for the wrong people. This is not an efficient use of government resources. And it is not a good way to think about privacy. And i think we should be very clear in those rare exceptions where we say, there might be no redress available here for the individual in which case we now have to provide it through other means inspector generals or the other ways of approaching it. But at all times we should think about redress, not just because of the rights of the individual but because of the interest in insuring that the system works as advertised and as it should. Thank you very much. Okay. Thank you very much. Our next panelist is harley geiger. 
She advocacy director for the center of technology and focuses on issues represented to civil liberty, computer crime and cybersecurity. Thank you for being here.
Members of the Privacy and Oversight Board, thank you for inviting me to speak at your meeting today. Thank you for your excellent work for ensuring protection for privacy, civil liberties and terrorism programs and congratulations on having one of the best acronyms in town. When it comes to evaluating privacy protection, the Center for Democracy and Technology believes that fair information practice principles are a very important framework for both government and the private sector. Now you can add other privacy frameworks on top of that. We do not disagree with Professor Kate that societal impact is in use and protection focuses on the purpose of data collection are also useful but we view the FIPPs as indispensable framework for evaluating privacy collection for data collection practices. The individual principles as you know are overlapping and mutually dependent on one another. It is a framework. Not a smorgasbord that you can choose and pick. At least not unless you don't want robust privacy protection, and there is some discussion in the private sector about doing away with data collection limitations or the data minimization principle of the FIPPs seeing as how we are in an age of big data. But in the time you have given me I want to address this head-on in the context of government surveillance. First, CDT believes that there still should be collection limitations on private sector data collection. And that data minimization principle of the FIPPs should apply to the private sector. Second, the government should not take its cues entirely from the private sector when it comes to national surveillance. 
It is fundamentally different from national security surveillance, and, therefore, even if the private sector were to collect data in some other manner for an alternate universe, then they should not follow suit. National security arms are not as transparent or responsive and are not likely to be. Major companies in addition allow or are required to allow the collection of information about them. Several major private sector companies repeatedly responded to public outcry over privacy with enhanced transparency and privacy controls. The national security arms of government are not as transparent or responsive and not likely to be. Many major companies in addition allow or are required by law to allow consumers to limit the collection of information about them. They can choose not to participate as a means of collecting data about them. Data collection for national security purposes does not permit meaningful choice. They view them as generally insufficient protection of privacy. Because of these reasons, even if the private sector fails to robustly apply the FIPPs, government agencies should not follow suit. If anything, because of these differences, other than that data collection. A small set of broad recommendations to make. First, the government should place greater emphasis on applying the data minimization principle of the FIPPs. Back end minimization procedures alone are not sufficient. Front end is critical. Trust breached at the point of collection. Once the government collects information, nonstatutory internal restraints on access and use can fall away, like sand castles on a beach. We saw this happen with the 702 back door search loophole. Restricted at the front end, narrowly limiting the purpose. Data retained only as long as they to fulfill that purpose and data destroyed unless a determination is made that the data are needed to accomplish the specific purpose. The specified purpose of data collection itself should be subject to meaningful restriction. 
For example, limiting the scope of what is relevant under section 215, or definition of foreign intelligence, 12333. The goal overall, move from mass data collection to targeting collection of both U.S. and non-U.S. persons. Second, the government should provide much greater transparency regarding the interpretation of surveillance laws. Section 215 of the Patriot Act exemplifies this. Nobody was surprised that the NSA is collecting phone records. Surprising was that the NSA has secretly interpreted section 215 to allow for the collection of all phone records in the entire country. This is bad data minimization. Yet a fair reading of the statute does not seem to grant them with this authority. So declassification of FISA court orders or when necessary summaries of opinions would boost transparency. We should not be a nation of secret laws. Third, the government should provide greater transparency around the extent and the scope of requests for data under national security authorities. This includes government reporting about its national security surveillance activities like how much requests were made, under which surveillance authorities and for what type of data as well as how many U.S. and non-U.S. persons were affected. Authorize the government sector for similar reports. Information is power and privacy is control of information. An entity possessing information about an individual has power over that individual. Large scale government collection of information about individuals threatens the relationship between citizens and the state, because it upsets the balance of power that supposedly exists in democratic society. Therefore, CDT urges to regloit a robust application of the fair information practice principles as well as other considerations regardless of what the private sector does. With much more targeted data collection and greater transparency. Thank you.
Thank you. Our next panelist is John Grant. Mr. 
Grant is a Civil Liberties engineer and he previously served on the staff of the senate Homeland Security committee where among other things he oversaw the department of Homeland Security. Thank you for being here. Thank you very much, and thank you for the invitation to speak today, as i never tire of telling people i was congressional staffer on the greeting club. So i take a parent of the board and im sure it is every parents dream to one day testify in front of their children. I will spare everybody the extended commercial, suffice to say building a Data Platform that works with data. We started in the Law Enforcement intelligence space and have expanded to deployments around the world and in a variety of context and the Financial Sector and medicine and elsewhere. Our technology isnt successful if in the course of achieving an organizations analytic mission were not also able to deploy in a way that protects privacy. That is something that founders of the company instilled from day one, and why my job exists a Civil Liberties engineer. One thing i learned, and this is different from the hill certainly, is when you walk in a room and say to engineers, im worried about this thing youre building. It creates a privacy problem. The response is oh, okay, how do i fix it . Which is not often what you get sometimes when you raise these things in other places. So it is our job as an Engineering Team to come up with suggestions for how to fix it. Im a lawyer. As you may have guessed. So i do not necessarily possess a lot of technical skill. So the main role for us is to translate between the lawyers and the engineers and back. So what i want to focus on today a little bit is some of the technology at a high level and then i had actually suggestions for moving forward that i think are actually fairly low hanging fruit. So just briefly to provide a little context. As i said, Data Management and data analytics. Were not dealing with the collection of data. 
This gets more to Professor Kate's point about the use of data. And we have two sort of high level categories of technology that deal with managing or protecting privacy with the use of data, and that's access controls and oversight mechanisms. I want to start by pointing out and this is something to keep in mind just as technology has expanded, the power of surveillance and the amount of data collected, it's also significantly expanding the rest of privacy protection that is available at the agencies. If you imagine 50 years ago if there was an FBI file, this is probably pieces of paper in a red well, sitting on a desk somewhere, or maybe locked in a desk drawer. Hopefully locked. Or maybe in a dusty basement archive or something like that. And there is probably limited tracking of where the log book was. Who has the record? Who knows. And anyone accessing the file can see whatever is in the red well. You can just rifle through it and you can see everything even if it isn't directly relevant to what you needed. Oversight into how the file would be used would really be nonexistent. You wouldn't see who added information to the file, who deleted information from the file, and deletion hopefully a burn bag or shredders, crumpling it up and throwing in the trash, more precise a black magic marker, redacting a few points of information. Today we do a lot more management data and oversight. And management at a grander level. That's what access control point which is you can now build access controls to manage data very precisely, on data point by data point basis, and you can do it in a more nuanced way. You don't have to choose between access or not access. Can you make the access controls dynamic and so there is a lot of options and sort of the way the main options to figure those configurers of access controls give you a near infinite variety options in how to manage data. Who can see the data and what they can do with the data. 
The other point is oversight mechanisms, and this is really thinking a lot about audit logs and also using technological electronic workflows to control exactly how data flows around an organization and who can see data and what kind of analysis they can do with it. Even automating or at least hardwiring in an approval chain for use of data and things like that, and these can be very detailed. So the or the hard wired approval process and things like that. That can be very complex and can involve multiple actors, and can involve multiple stakeholders, and then the auditing of how data is used itself can be incredibly granular and incredibly detailed. And I want to get to other point. This is a lot here. Just these two capabilities are a significant improvement of what existed before and can get us a long way. And there are things that exist today. Now I'm obligated to say that of course, this is done the best, but not exclusive to Palantir, and they can be deployed and can be used in a lot of different context. So what is the problem today? Why aren't these capabilities being used more? Than they could be, and at the levels we think they should be. One, issue and technical awareness. Lawyers don't know technology and engineers don't know law. And you need people who know both of these things to be able to make the decisions as how to use these technologies. How to incorporate them into effectively into programs. Lack of resources. You need people who can actually manage the data. We talked about this in the earlier panel. Alex Joel has a very small staff. Erika has a very small staff. And they're managing huge amount of data and huge organizations, and they need infrastructure to do this. Resource is hard. How do you use an audit log? How do you use it effectively? How do you access controls, especially when you are dealing with massive amounts of data? The last one is death by anecdote. 
The debate, cost benefit analysis, tends to be the national security sector saying one time we caught this bad guy using this information and this community saying one time this unjust thing happened to a person because of this program. There needs to actually be a much more, you can't just make this argument on anecdote grounds. You have to look at the data and find out why and find that more specifically how these programs are working, how effective they are. So solutions suggest some of the solutions in listing problems. Education. I think and Palantir sponsors scholarships. To make sure lawyers can learn technology and engineers can learn law. Nears engineers do have to be lawyers, but it should be a requirement to have an ethics program. They will build technology that will hit the streets and is going to months or years before the law catches up. So shouldn't engineers catch how what they're building is going to affect privacy and be able to start thinking about these things? Infrastructure. If privacy is an important value for us as a society then we need to invest in infrastructure to support it. Concrete guidance? We actually need go beyond just systems should have used limitation. We need to tell people, how are you going to do that? I can dig into that more when people have questions. But really specific guidance rather than just the, you need to have notice and consent, you should think about use limitation and things like that. And last, everything in the world can be datafied these days. Including how the systems are working and how effective they are. We can do analysis and start analyzing data and figure out, is this effective, is this not effective? Is this having negative effects? Is this creating bias in the analysis? Thanks very much.
Thank you. Our next panelist is Chris, venture partner at palton group. Former deputy of the NSA.
Thank you. I spend most of my time teaching at the naval academy. In cyber operations department. 
First, i, like the other panelists, are grateful for you establishing this venue for what i think is important dialogue. I would like to make four quick point, then get to question and answer. First and foremost, i absolutely agree with the premise which that the framers of the constitution did not intend for security and privacy to be in mortal combat and we are, therefore, trying to figure out how to achieve both. It may very well be we cannot trade one for the other. I think thats right. But we have to work harder to achieve both. I think technology and practice from the private sector can be helpful there. Two, i agree that government is different. Not simply in the powers or tools it might bring to bear on its citizenry and others, and there are, should be constrained. But the government alone has the requirement to essentially meet standard of the first, fourth and tenth amendments within the constitution and from my nsa experience, the tenth amendment was most significant of those which essentially says, unless you have the authority to do something, you should not. Its a thats whats been said the back door search is from 215 or nsa interpretation, both were specifically permitted underneath, under Court Approved procedures and specifically where interpretations of the law that went through three branches of government. I think thats right and proper. That doesnt necessarily justify them. It may be bad policy at the end of the day but rule of law has to pertain in terms of how the government gets things done. Point three, i would say that i largely agree with what john had to say. In fact, i wholly agree with what john had to say. That aspects and law are at odds with each other, not because they are perceived as independent bias on any particular solution. 
I would add a third which is that what typically plays out in any one of these systems is that you are trying to effect technology, law and operational practice of those that make use of the technology, and the surprising result is that because they do not change at the same rate, they essentially change at very different rates. Keeping them reconciled or synchronized from moment to moment is really hard. Therefore, mechanisms, or other things are not likely to satisfy the need. What you need are threads or Systemic Solutions that you pull through and you take both art and science process to essentially try to figure out how to make some solution here. I will wholly agree with john that education is absolutely essential. At nsa, ultimately when we found ourselves in the mifts compliance incidents, for which no one intentionally made a mistake, we actually had to sit down and say, how do you figure out a horizontal joint between all who were trying to achieve something slightly different, but ultimately invested in the same problem . Last point i would mike is i do believe there is a role for big data. What is sometimes called mass collection. There is a role for big data. But the principles should be the same as surgical data. Which is necessity and proportionality. The government should be able to justify on what basis this is necessary. Such that it could then argue not for an encroachment upon civil liberty or privacy but how do we work harder to achieve sustain civil liberty and privacy, and it should only achieve that in proportion to that need. Therefore, i think that all those comments aside, i would say that the private sector probably has a lot of experience in this regard that the government can take advantage of. My own sense is that government collects far less information than is perceived by the public and certainly far less information than the private sector does. Again, i dont excuse the government for that. 
The government should be held to account, but the government can in fact bring technologies in that might well scale quite well for the governments purposes, because it would have to scale them down as oppose to scale them up. Im open to any questions you might have. Thank you. Just a reminder to the audience, that there are pclb stoppers in the back with cards, and if youd like to direct a written question to the panelist, hold up your hand. Find one of them, and then write down your question. And for the benefit of the audience and the cameras, for the panelist when youre answering a question, if you wouldnt mind moving the mic back and forth. Im sorry. We dont have as many mics as we probably should. I would like to start with asking about oversight. And i would like mr. Grant to direct this question to you first. Both in your oral statement and in the written statement that you submitted to us, you talked about a wide range of mechanisms. Paper trails and electronic work flows and things like that. Frankly, when i read the written statement it seems like an overwhelming array of different ways to engage an oversight. I think for a couple of reasons you need to choose your oversight mechanism. One is that any agency is going have limited resources to dedicate, and secondly, as i mentioned at a previous panel, there may come a point where there are diminishing returns on oversight. You need to leave the agency to do their job and not have mechanisms all day long. So have you given some thought to what constitutes an effective oversight mechanism . How do you rank different mechanisms in terms of their effectiveness . Yeah. So i think we should actually think about oversight as a big data problem. And apply the same thinking to it that we would try to analyze signals intelligence and trying to analyze hup amounts of transactional data for marketing. Its a similar issue. Have you a huge amount of data. 
There are massive amounts of audit logs for example in an organization like the NSA. And that's a lot of information. But you can use technology and analytic tools to make sense of that information. And drive the insights that you're looking for. So at the part of the issue is, a, you need to do it. You need someone, so we see this all the time at Palantir, and I know other organizations see this as well, which is everybody checks the box for audit logs. We've got audit logs and we will go through an enormous number of hoops to make sure it is logging exactly the information that it is supposed to. We get fewer requests to actually look at the audit logs once the auditing mechanisms are turned on. Looking back to my congressional experience, there aren't many laws that tell you, that tell anyone they have to look at the audit logs. It's the Seinfeld joke about renting a car. Everyone can take the reservation. But to hold the reservation, to use the information. So I think, to me, that's how make oversight more effective. You use these techniques. And that's another thing. Oversight people and the information security people and things like that, they should be as good as your analysts and you need to have good people who are also doing analysis and connecting oversight. And not only are you going to look for people doing something wrong, but you can also ask questions, such as, you know, is our data, does our data retention policy make sense? Look at the data and say turns out we keep data, this data set for five years. Nobody ever uses the data older than three years in that data set. Let's change the data retention to fit with the actual usage of the data.
Mr. Inglis, I would especially like to get your thoughts from your time in government, what did you view as an effective oversight mechanism?
So first and foremost, if there is an authority granted or burden that's imposed and they come hand in glove, that's not a onetime thing. 
And there cannot be a repurposing somewhere later or have gotten past that threshold. Events might be collection, processing of data, analysis of data, dissemination of that data and the burden was imposed at every step according to whatever the authorities were that were granted for the acquiring of that data, the acquisition of that data in the first place, and what we ultimately found to achieve that data is aggravated, synthesized, we take the iconic analytic effort, doesn't simply use data from one source, they use data from many sources. At that point it is really hard, there are different expectations of the different data sets to keep it straight in your head as to what you're going do about that. So the focus has to be, how do you find the attributes for particular data element at the moment that it comes into being?
Could you pull the mic a little closer?
At the moment, you collect a piece of data, how do you bind attributes to that data, what is including of other things, what was the authority under which that data was collected? What are the burdens? What are the constraints that come along with that? What are the prescriptions if any associated with that? And that should be through its life of collection, processes, analysis and dissemination. Now at some point there is a second order use of that data where someone reads a broad swath of material, synthesizes that in their head and constructs a document across an air gap, and that gets hard, but at least in that primary use, if you have a systemic view from start to finish, you make the auditor's job or compliance oversight much, much easier. And you therefore in your system in your technology, essentially impose a constraint or check every time something exercises privilege against that data. 
Whether it is at collection, analysis, processing or in dissemination, that makes the auditor's job much easier and frankly has a nice deterrent effect on those inside the system, because they know at every moment they are held to account. But at my experience in government it is not so much the deterrent as the safety. In other words, very, very rule-laden environment. Typical counterterrorism analyst at NSA would often deal with hundreds of constraints on the data sets that are available to them. Because various orders of the court, interpretations of the court, kind of sharing arrangements with various others nations would all come along with their independent assessments of how the data can or should be used. So bottom line is the technology can help us by essentially doing an atomic bind. Right? Meaning it is organic to the data itself of what is it prominence. That should never be lost through the history of that system.
Thank you. I would like to turn to the FIPPs and Mr. Geiger, I was happy that you recognized those and Professor Kate as well. So I would like to direct this question at first to the two of you. So Mr. Geiger, I notice that in the written statement that you sent us to you talked about the FIPPs but you didn't really talk about the individual participation FIPP. And I guess when I talk about the FIPPs, I'm referring it primarily to the DHS version. You said in your oral statement just now that the FIPPs are not a smorgasbord. They are a framework. You can't just pick and choose between them. If that's the case, and if you have to employ the FIPP, how can that work in a surveillance context? That's the toughest to apply this context.
Absolutely. One way to do it, which is not viable or good policy, is bring suit for violations of law. 
But my, I think, more reasoned answer is that, if the individual participation FIPP is lacking in the national security context, then the rest of the framework has to work overtime to compensate, and that includes data minimization, which is why I emphasize data collection and transparency. As well as the rest of the framework. I absolutely recognize challenges in applying individual participation, but this is one area again where government is different than the private sector, and I think that difference should express itself in particular in the data minimization principle.
Professor Kate, do you have thoughts on that? I would ask also, there's a lot of, a lot written and said in public forum recently about perhaps the consent and individual notice FIPP really doesn't work well in the private sector because nobody really understands what they are consenting to. They have to consent to get service and it is a meaningless exercise. Do you have thoughts on that and whether the individual can work in this process?
Thank you. Very much. I do have thoughts on that. Especially with one of the people who have written some of that. I think the challenge of the FIPPs is that they often lead us in the wrong direction. And I think this is a real challenge. I'm not in any way trying to make it sound easier or make it sound like there is a simple answer here. But for example, if we think of FIPPs and classic 1980 FIPPs, we OECD FIPPs, we're talking about consent, use limitation to the purpose specified and then we add things like minimization. Participation and that's in that environment. In other words, how does that really work? There 60 people in the room and they have recording devices and video and audio. They don't have a statement for any of them. They don't know about any of the rights and I suspect they would want to interview them about it. It's not a meaningful way to import the issue. They have the larger effect of doing. 
It is a very difficult way to approach that and an impossible way to approach it in the Public Sector environment. It may lead to completely wrong results. In other words, if one of the surprising things to me and cant believe im going to say this in a place that is being recorded, about section 215, the nsa connected this and did so little with it. It was astonishing. You would like to say when people talk about the limits on what you can do with the data, if we thought of something new that might really have a major effect on National Security. We would have a process of risk analysis. How to do that. It was data with a real value. I think you need to be thinking about approaches here that are behind the transactions that took place that in the phipps world that they agreed to this. The National Security world overlooked that. We agreed for the individuals and we think it was important without doing a clear and well documented type of Risk Assessment using clearly articulated values and benefits and harms. Just three additional comments. It does sometimes lead in the wrong direction. You are actually doing the program. You may pass under your assessment, but the way it is assessed may not be privacy protected. Second, it has been a long standing controversy about noticing consent being inadequate. Its a framework. They are dependent on the other. This claim up clearly in the health care context. People dont know what they are consenting to when they receive notice from their doctor. They dont know what they say or mean and there has to be a lot of Privacy Protections in place. Meaningfully protect the privacy and lastly, phipps are not the only framework. Its useful and indispensable, but others can be implied and should be applied to the evaluation of security or Data Collection programs at large. The subject of the first panel, i would like to give you all a chance to give any views you might have on the privacy, what is privacy. The nature of the underlying. 
I assume you spent your time in civil liberties. What did you think that meant?
It has changed over time. The scope and scale. The fundamental question that comes back with respect to the perspective of the individual. There are reasonable expectations of privacy for what that information might be. That's the stuff that great legislation is made of. The government is constrained to think about what they are authorized to do. The second way to think about the issue of privacy is what might you learn if you take these and confine them in a way that gives you things that were not self-evident. You have to think your way through. The mechanisms. The science will lead you astray. The challenge and how you achieve both security and privacy in a world where they are massively converged to a place called the internet.
Two things. This is an area where the public versus the private sector is important. It has to be kept in terms of if you have harms or impacts on individuals or groups of individuals. So whether that's the way we think about it in the fair reporting act or the higher price or denying someone the benefit. Whether it's some other way in which we think about an individual being manipulated or being driven to pay a higher price. The public sector, I think that is also true. All of the impacts are not limited to physical and financial harms are present as well. There is more in the public sector. There is something quite striking, but it's about the more the government knows about individuals, the greater the risk that that information will be used in a way that alters that power. That makes the defense more powerful or less powerful. We in many ways have gotten less transparency to citizenship about the government. More to the government. That is a clearer alteration in that relationship, that power relationship or that oversight relationship. In that sense, that's why again whether one focuses on collection or use may be a not so significant matter.
At the end of the day, it is use that matters. How can the government use this information that might affect this as opposed to is the information out there? You treated that. People are going to read that. It is a tool for communications. They still have an objection of collecting it or their employer reading and things like that. That suggests that there is a different view of it and even public information. There is still privacy somehow. I think talk through attitudes towards social media can help us figure out the newer conception of privacy in this technological age.
I view privacy in the lens of control. An individual's ability to control and also controls that the entity holding the information and exercise over the individuals. It is very important not to just look at privacy or the extent that they are trying to control the decisions in the context of today's technology. It is important to look out the whole decades to see what is coming down the pike. There are pervasive and privacy-intrusive technologies that I think we will see in our homes and maybe even ourselves. In our lifetimes and certainly our children's lifetimes. The internal protections while important are not sufficient. They can change. They have changed. They talk about protecting privacy. As I said, to what we are protecting several generations down the line.
To the panel again, we have been talking about that throughout. Focusing on how the private sector might have solutions that the government might learn from, the private companies are obviously doing something to control the informa t

© 2024 Vimarsana
