Would be to fortify the protections, the Privacy Protections for americans in the law but the law has evolved and exactly the opposite direction and indeed since 9 11 there has been a sea change in the law. If you back up a few decades following the church committees revelations in 1970s there was a series of laws and policies put in place that establish a kind of golden rule. Intelligence agencies could not collect information on americans from within the United States without some individualized factbased suspicion of wrongdoing. Now the purpose and the effect of this rule was to constrain the abuses that had come before it. In the past 14 years a cardinal principle has been utterly jettisoned from the law. So lets talk about the three legal authorities that we know of under which mass surveillance is currently occurring. The first is section 215 of the patriot act. This is the provision that allows the government to get a fisa court order Compelling Companies to turn over Business Records in foreign intelligence investigations. And these are records like phone records, financial records, Hotel Records, and the like. Before 9 11, the government had to demonstrate to the fisa court that the subject of these records was a foreign power or an agent of a foreign power. That is defined in the case of an american in a way that necessarily involves some element of criminal activity. Congress amended the law through the patriot act so that the government doesnt have to show anything about the subject of the records, rather the government just has to show that the records themselves are relevant to the investigation. Now relevance as we all know is a very low standard. This still seems to preserve some level of individualized review. But in fact as we now know the fisa court interpreted this provision to allow the bulk collection of essentially all americans telephone records on the bizarre theory that millions and millions of totally irrelevant records can be considered relevant if there are some relevant records buried within them. Now this is a very dangerous interpretation because there are a lot of other Information Collection statutes out there that use the relevant standard. So who knows how theyre going to be interpreted in the future. With this program, we have moved from individualized suspicion of likely criminality to no individualized showing of anything. The Second Program is section 702 of the fisa amendments act which relates to the collection of communications content, phone calls and emails, between americans and foreigners overseas. Until quite recently, just a few years ago, if the government wanted to collect such communications, it had to show probable cause to the fisa court that the target of the communication im sorry, the target of the surveillance was a foreign power or its agent. And again if the target was an american, it had to involve some level of criminality. This was for surveillance occurring within the United States. Thats what the government had to show. In 2007 and again in 2008 congress amended the law to get rid of any requirement for an individualized court order when the government acting within the United States collects communications between an american and a foreign target for foreign intelligence purposes. Moreover the target no longer has to be a foreign power or an agent of a foreign power. The target only has to be any foreigner abroad. The role of the fisa court is limited to approving the broad procedures for targeting which is how the government figures out whether the target is actually a foreigner overseas. Not so easy in the digital era. And minimization. Which has been construed to mean that the information about the american on one end of the communication should be deleted or masked or thrown away after some period of time, which is usually five years. It could be more. And theres a laundry list of exceptions to allow information about americans to be retained and used. So again we have moved from essentially something that was very much like a warrant to a mass collection with no suspicion of wrongdoing. Finally there is the collection of signals intelligence. Thats communications and metadata that occurs from overseas under executive order 12333. This is by far the most expansive of the governments foreign Intelligence Surveillance authorities. Its also kind of a different bucket from the other two because there was never a golden rule here. There was never any individualized suspicion required because this was supposedly surveillance of foreigners overseas and these people supposedly have no Constitutional Rights so no court involvement. The executive order basically allowed agencies to collect foreign intelligence which was defined, which is defined as pretty much any information about any foreign person or any foreign entity and they can do so without any judicial involvement. There is a provision in the executive order for minimization of u. S. Person information. Again minimization means that, in theory, the information is disposed of in some way. In fact, it is kept for years or more, and theres a long list of exceptions for keeping and using this information. So the change in this area has been less about the legal constraints because they are for never that many constraints but more the practical constraints. Once upon a time there were limits on data storage and limits on analytical capacity, computer analytics such that you know, collecting all of the phone calls going in and out of a particular country and storing them for 30 days was neither possible nor really worthwhile because you couldnt analyze all that stuff. That is clearly no longer the case. It is happening. And then the other change in this area is that the distinction, this legal distinction between collecting information at home, and collecting information overseas has really become legal fiction given the way that digital data is transmitted and stored. This notion that americans have no constitutional interest at stake when the nsa taps into data centers in europe and therefore no court has to be involved, really doesnt make any sense anymore. So i think i will stop there. [ inaudible ] major technological changes and relaxation at the same time of some of the legal limitations in collection. I want to turn to eric and ask about the business implications. What are the resulting perceptions around the world . What are the implications for u. S. Business and what is the response then . And has it been adequate . Thank you. First off i wanted to note you can see in my bio, but i also have a background in government, and i worked at the state Attorney Generals Office in new york, the federal trade commission, and then at the computer crime section of the department of justice as a computer crime prosecutor so i have a pretty good background in the electronic surveillance laws, at least on the criminal side. But i also need to start out by coming back to the point that joseph was raising about the impact on companies and an example that pertained to my company. Clearly we are facing a difficult challenge with regard to striking the right balance with regard to the powers of the government has, the transparency around the use of those powers, being able to have a dialogue about what powers the government ought to have, really requires transparency as a starting point because if we dont know whats being done you cant effectively evaluate whether or not the powers have been granted properly, used properly. At cisco we dont view privacy and security as a zerosum game. They are clearly connected. At the same time we dont view Economic Growth as being something that is separate from National Security. They are intertwined. Economic growth should be a core value that is considered when we are figuring out what we want to be able to enable our government to do with regard to National Security and Economic Growth depends on trust. Its hard to quantify damage, but i think if you look at some of the examples that we have talked about that you see significant expenditures by u. S. Companies that can serve as a pretty good proxy for measuring the scope of the problem. You see litigation that has been brought by Companies Like twitter and yahoo to push back on surveillance requests. You see microsoft filing a lawsuit or engaging in litigation with the u. S. Attorneys office in new york over data thats stored in ireland. And you see a very large range of Companies Joining in to that litigation in support of the position, including not only cisco but ebay, hp, ibm, sales force, verizon, at t, the government of ireland. So that gives you a pretty good sense of the scope of the concerns. And then you also see Companies Making efforts to build data centers in a way that allow for localization putting data closer to their customers. Some of that may be based on performance but some of that is based on satisfying concerns that customers might have about where the data is stored and what laws are used to protect that data. That is all expensive. Trust has clearly been impacted for Companies Across the Technology Industry including cisco. We have dedicated engineers as joseph mentioned whose job it is to engineer our products and services with security in mind. And to build security in and to deliver those products in the way that we intend them. At some point there are things that we dont control. There are points where we deliver the product to our customers. The customers operate those products inside their networks. They have to maintain those things and so there are a number of different places where attacks can happen and we are talking essentially about nationstate to nationstate attacks. Those are highly sophisticated wellresourced, and in order to be able to address them and to figure out whether or not they are beyond the pale of what we as citizens are willing to accept, we really need as a dialogue that takes place between governments. We need to have some new rules of the road and we need to have a conversation between those governments about what normal behaviors are acceptable and which ones are not because the scope and the sophistication of the actors in the space are greater than the resources of any particular technology company. Thank you. I want to turn to catherine. We have been talking a lot about Foreign Surveillance. And these vast intelligence collection programs. But were also seeing some real significant changes in the realm of ordinary Law Enforcement. So, catherine, im hoping that you can talk to us a little bit about that, as well. Sure. First of all, thanks so much for having me. Im a huge fan of nacdl. When i was an aclu attorney the nacdl was a frequent comrade in arms working on many privacy issues. They were a client of mine, we represented them, challenging the governments policy of engaging in purely suspicionless searches of laptops and other devices at the international border. We cocounselled some cases together dealing with the Supreme Courts decision in United States versus jones, does attaching a gps device to a car require a warrant. So im particularly honored to be able to come here and speak at a conversation organized by people who are out there doing so much good work. So, yeah, weve heard a lot about these large National Security programs. But when i was at the aclu and now at berkeley one of my primary concerns is okay, right, most peoples everyday interactions with Law Enforcement actually happens at the local level, and so to what extent are National Security programs spilling over and affecting National Local policing, as well, which can happen in a number of ways. Sometimes individuals who are being prosecuted for say a drug crime may be have been incidentally swept up in one of the big National Security programs. But i think its important to remember another big post9 11 push that occurred. Which was there is a great emphasis on the need to focus on homegrown terrorism, and as a result to gather more information about what was happening at the local level. Weve seen the creation of very large pots of money that exists for the purpose of allowing local Law Enforcement agencies to acquire technologies at little or no cost. They have names like the Port SecurityGrant Program, operation stone garden. At first it might not be why something called the Port SecurityGrant Program would result in the expansion of, you know, why seattle, for instance, purchased this surveillance drone using money from the Port SecurityGrant Program. But it turns out that most urban areas are also the port areas similarly the operation stone garden, which is justified as a border program, you know, many states have borders and at least water borders. So a lot of these programs created post9 11 are used to purchase Surveillance Technology that gets upused in local policing. It happens for a second reason which is that the same technologies that may capture evidence of someone related to terrorism, are exactly the type of technologies that would be used in local Law Enforcement agencies. For more routine crimes. One of the things that was so striking recently was a story out of tacoma, washington, which acquired a stingray device, which is a technology that can be used, it replicates a cell phone tower and it can be used to track the location of a cell phone without having to go through the carrier. The way that device was presented to the city council was that as a device capable of locating improvised explosive devices. But when people filed foia public records requests to say how has this device actually been used it turned the it had never been used in such a way. It was primarily used in prosecuting drug crimes. So first of all the post9 11 pots of money are often fizzling surveillance at the local if. Second of all the same broad technological changes, the ability to collect, store, analyze and share information at unprecedented rates have also made surveillance at the local level more expansive. Im sure criminal defense lawyers see this all the time in their cases in some respects. Its pretty well understood that cell phone tracking is a common Law Enforcement technique. Its amazing to me today that there are still so few opinions on this point about whether the government needs a warrant based on probable cause to gather either realtime or historical cell tracking information. But at least we now know about the technique. Automatic license plate readers are common. Then theres technologies that are just around the corner, drones and increase expansion of facial recognition which i think people at the local level are also going to have to start dealing with and these things will crop up routinely in criminal investigations. So i want to allow for a more dynamic discussion, so i wont say too much else. But i think theres a double problem here, right . First of all, many of the use of these technologies have been shrouded in secrecy. Criminal Defense Attorneys cant file suppression motions when they dont know that the evidence was gathered in a way that might be amenable to that. A lot of the secrecy has been deliberate. The government made a strategic decision not to disclose that it was using stingrays and, instead, filed orders with courts, seeking authorization to use them in a less than probable cause standard in some cases, probable cause and others, that made them look like generic requests to use other surveillance technologies. So first of all, we have to find a way to combat the secrecy. And second of all, we have to come up with an organized strategy for sharing materials and briefs on how to actually craft arguments that judges will listen to about these technologies. Thank you. I want to come back to a talk about this whole conference is about the Fourth Amendment and we often turn to the Fourth Amendment as a way to regulate all of these Foreign Surveillance and the kind of surveillance techniques were seeing in ordinary Law Enforcement. So how effective is the Fourth Amendment in this area . What are the limits . I can talk about how effective it is in these nation foreign intelligence programs and maybe catherine has some thoughts about their effective with some of these local strategies. When it comes to the collection of communications, phone calls, emails and the like, there are a couple of potential limitations on the Fourth Amendment in this context. And why its not, i would say, sufficiently protective. The first is something called foreign intelligence exception. As all criminal attorneys know, the Fourth Amendment means that when the government conducts a search on an american it needs a warrant unless the search falls into one of several established exceptions to the warrant requirement. Such as for example a search incident to arrest. In the 1970s four circuit courts or appeals courts held that the government did not need a warrant to collect foreign intelligence information. But these courts but very strict limits on the exception. For example the target of the surveillance had to be a foreign power or its agent.