tv   Key Capitol Hill Hearings  CSPAN  July 8, 2014 1:00am-3:01am EDT

1:00 am
>> discussion on nsa surveillance, cybersecurity and internet freedom. we will hear from bruce schneier who is an author and security technologist. earlier this year he wrote an essay for the atlantic titled how the nsa threatens national security. this event was hosted by the new america foundation. >> we are going to go ahead and get started folks. hi and welcome to new america a nonprofit civic enterprise
1:01 am
dedicated to preserving foundational american values in a time of rapid technological change. i am kevin bankston the policy director of the open technology institute which is the tech policy and technical modeling of new america where we are focused on building a stronger and more open internet for a stronger and more open society. i want to thank you for all coming here today and braving the heat or for tuning in via the webcast or c-span for today's panel event national insecurity agency, how the nsa surveillance programs undermined internet security. since the first snowden leaks all the controversy around the nsa has been focused on its programs to collect phone records under section 215 of the patriot act and its moderating of internet under section 202 under the fisa amended that been focused on the debate over how to reform the surveillance statutes. yet the nsa is also engaged in a wide variety of conduct that in
1:02 am
our view is fundamentally threatening the basic security of the internet. secretly undermining essential encryption codes and standards inserting backdoors into widely used products stockpiling vulnerabilities in commercial software that we use everyday rather than making sure the security flaws get fixed building a vast network of spyware inserting in the computer's routers around the world including impersonating popular sites like facebook and linkedin -- linkedin and google and yahoo!'s data. finally congress is starting to pay attention to how the nsa is threatening not just our privacy but cybersecurity itself and in june last month the house overwhelmingly voted to approve to administer the defense appropriations bill that would defund nsa's attempts to undermine encryption standards and to insert backdoors for surveillance communications technologies we rely on. those amendments were sponsored by
1:03 am
zoe lofgren and alan grayson and backed by a broad bipartisan coalition. today after prerecorded introductions from -- flying back from their july 4 vacations we want to focus on these issues which have until recently been mostly ignored by policymakers even though they were a central focus of the recommendations from the president's own review group in december. this discussion focusing on the costs of the nsa programs for our overall internet security is a follow-up to our panel discussion earlier in the spring about the economic foreign-policy cost of the program's overall and previews the release of our paper later this month surveillance cost the nsa's impact on the economy information security and internet freedom. so with that cue the representatives please. >> hi i am congressman zoe
1:04 am
lofgren. thank you for inviting me to be part of today's session paragraph that can't be with you to talk about this important issue that i -- the house took a big step towards shutting the backdoor on unwarranted government surveillance by her massive bipartisan 293-190 -- 123 prevents the government from searching americans dedication data and from requiring device manufacturers to create backdoors in their products and services for surveillance instances. as many of you know and as we are discussing today when an individual or organization builds a backdoor to electronic surveillance into their product or service they place the security of every business average. the backdoors are created for --
1:05 am
it's only a matter of time until a hacker exploits it. in fact we have seen it happen more than one occasion. for example in may of 2014 it was reported that a major security flaw was found in software used by law enforcement to intercept communications to allow the hacker to listen into any call recorded by the system. fortunately the amendment passed by the house was a worthwhile step forward and will make a meaningful difference but our work is not done. this amendment in june was the first time that congress had the opportunity to debate and vote on the distinct issue of the fourth amendment and the nsa. we need to continue pushing to protect information and data security and we need to have the senate follow suit. because when the house of representatives had the opportunity finally to vote on it the result was overwhelming. the house stood up for the
1:06 am
american people and the constitution. that is something we can all celebrate. we sent a strong signal that if the government wants to collect information on u.s. citizens get a warrant. thank you for your hard work on this important issue and i look forward to working together with each of you to keep pushing for a safer more secure internet. >> thank you congresswoman lofgren and next up alan grayson representative alan grayson. >> i am congressman alan grayson. thank you for inviting me to share this panel on the nsa and thank you for all the good work you do to protect privacy and security in america and throughout the world. listen to me. if the chinese government had proposed to put in a backdoor into our computers and then paid a company $10 million to make that the standard we would be furious.
1:07 am
we would be angry and we would do something about it but what about the current government that does back? that's exactly what the nsa has become the best hacker in the entire world and when they put in a weakness in the architecture of the software that everyone uses what they are doing is making it not just for their benefit for benefit of anyone and that's a crying shame. we are entitled to our privacy's. many of our economic activities cannot be done unless they can be done with some degree of security and safety. the protection that the nsa is reporting to provide is being undermined by the nsa itself. that has to end. that's why i'm happy that many of you joined me in passing two amendments recently with representative -- representing first ability to insinuate itself into her our software for improper purposes. one listener science and technology committee amendment that said that this no longer
1:08 am
has to be a short order and the other was a parallel amendment on the floor of the house which passed unanimously by democrats and republicans are the same purpose. these are the first steps that were taken to take back our privacy, take back our own security take back our freedom and i welcome your help in doing that. it's one of the greatest endeavors of modern life to make sure that we can preserve modern life against the encroachments of big brother and i am congressman alan grayson. thanks again. >> thank you to both representatives for taking the time to take those messages and also to start a much delayed conversation about the nsa and security to a conversation we are going to continue today. i would like to invite the panelists to please come on up. if you are wondering what representative grayson was referring to about $10 million being paid to someone to
1:09 am
undermine security we will explain what he was talking about. >> joining me on the stage are joe hall who is the chief technologist at the center for democracy and technology and i was lucky enough to work with while i was at the organization. danielle kehl policy and author of our upcoming paper on the cost of nsa programs including security. david lieber was a privacy policy counsel for google in washington d.c.. bruce schneier fellow at oti and amongst his many books and articles including one you can find outside he has done some of the original reporting based on the snowden documents about the nsa's impact on security while working with the guardian. and finally we have amy stepanovich who is the senior policy counsel here in d.c. working on several of these issues. we are going to break out to
1:10 am
tell you where we are going with this. we will break up a conversation talk talk about four sets of things that the nsa has been up to along the lines of our upcoming paper and along the lines of the handout that those in the room might have picked up in the front. first we are going to talk about the undermining of crypto standards and surveillance of backdoors in products and services third the united united states stockpiling of vulnerabilities in software and the range of offensive tactics the nsa is using taking advantage of several tools we have spoken about. after spending about an hour on these issues we will spend a few minutes batting cleanup talking about issues or policy recommendations we missed and then we will turn it over to you guys for some questions. starting with the issue undermining encryption tools and standards. there has been some reporting about the nsa taking steps to weaken encryption that when businesses use on line to keep
1:11 am
our communications secure. representative grayson made reference to doubt as to the present review group and its recommendation number 29 talking about the importance of encryption to ensuring the security of recommendations on line and the continued health of the american economy. so i'm going to i think start with amy to explain what the heck happened? what did the nsa do with who or what was missed and why did this come out? >> the nsa and the people don't know actually has two very different missions. the first as signals intelligence. this is an initiative that most people are aware under which they conduct all of their surveillance operations you have been hearing about pretty much ad nauseam for the last year however the second is called information assurance. this is a solution under which the nsa is supposed to be promoting security standards encryption protocols ready much making sure all of the
1:12 am
communication stay secure. center the information assurance commission that the nsa communicates with nist the national institute of standards and technologies. nist for those of us in d.c. who love acronyms deals with many things. they set standards across-the-board and in so many different types of businesses, jobs not only encryption but it sets encryption standards and under an act passed in the 1980s they coordinate with the nsa and the nsa technologist and they are encryption standards however the security act which was actually very well-crafted and made after a lot of collaboration between security experts and the formative days of the internet was preempted by a law that was passed in 2002
1:13 am
that being a really key data and surveillance laws because was post-9/11. in 2002 the federal information number -- back in the line had language that allowed the nsa or allows nsa if you look at it closely to comment and to undermine the encryption standards anyway it weren't able to our probably weren't able to under the previous language. under this sloppy nist is required to consult with the nsa on all encryption standards. the amendment that representative grayson alluded to earlier that passed out of the house in the first act this is primarily an act that funds science and technology research has not made it to the senate yet but in that bill it was then on into the committee that says that nist is no longer required to consult with the nsa on standards. they are still able to and this
1:14 am
is in recognition that nsa has a lot of funding and a lot of experts in really smart people who do this work and they shouldn't be prevented from being able to help to assist. they are no longer required to consult with the nsa on standards which means there's going to be a lot more accountability if those encryption standards get undermined. later on as part of the defense appropriations act a second amendment again alluded to by representative grayson actually is supposed to prevent any data from being used by the nsa to undermine encryption standards. not only will nist not be required to consult with nsa but when they do consult with nsa the nsa cannot act to make us less secure. >> perhaps bruce can make plain to us why these lawmakers are seeking to reduce the nsa's influence over what nist is doing. can you talk about how they were
1:15 am
porting reports the undermining that nist was reporting. >> nsa does a lot of undermining the fundamental technology. the mathematics to intercepting cisco equipment being shipped from cisco to the customer. undermining happens through the process. what we are looking at here is what happens as products are being filled and as standards and protocols things that affect every example of the product. it's encryption standards, it's that the implementation of software and all of these examples of the nsa going in and deliberately breaching security of things that we use so they can eavesdrop on particular targets. we have one example in a nist
1:16 am
standard that was modified by the nsa with a backdoor. there's a lot of standards were didn't happen and it's a risky place to do it because this actually was discovered in 2006. we didn't know who did it and we had some suspicions. it wasn't until the snowden documents that we have the story. more likely you are going to see nsa backdoors in places you can actually see them so you might imagine an operating system computer and found that hasn't encryption product that you use that is somehow modified if not as good as we think it is. it will be much harder to find, much harder to find out who did it and we will sign off -- find all sorts of bugs. it could be enemy action by the u.s.. it could be enemy action by someone else. we don't know which program did what so this very active
1:17 am
undermining not only undermines our security but undermines their fundamental trust in the things we used to achieve security and it's very toxic. >> it would seem undermining the standards not only undermines the standards help but undermines trust in the process. i'm curious if someone could speak to the issue -- so we are talking about this random number generator is a code that is part of many products used widely across the internet by civilians like us. can someone speak to the issue of rsa and its role in the $10 million that representative grayson mentioned? >> this gets a little complicated as well. >> the subtitle of the panel is it's complicated. >> this flaw in the random
1:18 am
number generator is extremely important in encryption which is us in the late complicated math to make things totally unreadable. you have to generate very big numbers that no one else can generate. if you have old flaw that means someone may be able to predict the key essentially being able to without much work decide here's the shape of the key to your house and break into your home. the nsa apparently did this specifically with one particular random number generator. it was very hard at first to tell what the extent of this would be. we knew the random number generator had been used in popular products and not only that but incorporated in a piece of software and other products en masse use. one of the unfortunate things we found out and a lot of the snowden stuff we are really glad we know this stuff. they are better for having known
1:19 am
it. we learned that there was a contract signed between a popular piece of software. rsa and acronym at some point. >> like kfc. >> the nsa pay them $10 million to make the choice. you can be gracious and say the nsa was tired of figuring the numbers of millions of computers and wanted it to be setup out of the box but it was set across the whole product line that would use this law of random numbers. now as far as i can tell i saw a report recently that very few products out there at least the ones you can measure using web servers and things like that don't use -- like they use other
1:20 am
sources of random number devices. from a point which we learned about this until now this is one thing that if you don't know cryptographers like bruce you learn quickly that they are some of the most paranoid people in the world and security people are a little less paranoid. apparently many of them have moved to change the technologies they use away from one's that have this unfortunate flaw and don't believe that flaws in them. it has hosted the time against people banging away at it. >> thanks joe. i want to turn to david from google and talk about what you think this activity by the nsa means from a company or user perspective and also what you think it means about that the government's perspective is on the use of encryption. >> thanks kevin. i think what has been true is the extent of the efforts to circumvent and/or undermine
1:21 am
encryption. the fact that those efforts were undertaken is a little bit less surprising given the nsa's mission but i think it's important to step back and from a broader context understand what the government's current view is about users use of encryption. there are minimization procedures under section 702 and what those minimization procedures say is notwithstanding a requirement to destroy domestic communications that encrypted communications within a used by u.s. persons are non-u.s. persons can be retained indefinitely by the nsa director. i think it sends unfortunate message that the use of encryption is inherently suspect particularly in the aftermath of what we have seen with large-scale data breaches. that is not a positive moment
1:22 am
for users or for companies and i think it has the potential not just in encryption that the security tools that we offer and other software. i don't know that users commonly distinguish necessarily between encryption and other security tools so encryption tools might be difficult to use by ordinary users there are other things that companies do. for example we do if the perception is if these tools are ultimately exploitable but think that creates disincentives for users to take advantage and avail themselves of those tools. as a result bears the potential to exact greater harm than there would be if users were paying attention and being more cautious about how they interact with products and services.
1:23 am
>> also i'm curious moving forward what are the policy options and prescriptions we have seen so far and how to deal with this issue in encrypting standards. >> representative grayson talked about this. one of the things is this relationship between nist and the nsa. this is maintaining the statutory requirement that nist consult with the nsa and the nsa taken advantage of that to undermine standards is very dangerous because the standards themselves are used by developers in most commercial products. it's not just taking a particular product and inserting a backdoor into it but actually standards that are used in a variety of things and is also a reputation as a standard setter which is something the u.s. has been a leader on for many years. i guess i should say since the
1:24 am
beginning of the internet. part of it is making sure that there is not a requirement in our law that allows the nsa to take advantage of nist and on the other side nist is the body that needs to rebuild its credibility. they started reviewing their own policies and guidelines to know what was happening in 2006 when this compromised standard was issued. they are now looking for all of these things because they are facing a trust deficit right now. they need to rebuild us of the u.s. can be a leader in standards so developers and ordinary users can trust. >> i saw that bruce has something to say. >> it's a fundamental issue and we will hear it again and again over next couple of hours. the issue is not the nsa is spying on whoever that guy is that they want to spy on. issue is that they are deliberately weakening the security of everybody else in the world
1:25 am
in order to make that easy. when we look at solutions to solutions are always going to be on the order of force that targeted and not do the broad attack. a broad attack is what hurts everybody. as i think representative lofgren said once you build a weekend anything you can't guarantee you are the only person to take advantage of it and want to do any kind of broad surveillance and you suddenly start losing control over what you are doing it's not the target, it's the fact that it happens abroad. >> bruce you also mentioned you actually wrote about it and i think one of your thesis about us policy solution to this issue reset to break up the nsa. can you talk about what he meant by that? >> the nsa right now has two missions banded into one agency.
1:26 am
there is the attack them and the defend us and those were pretty complementary missions all through the cold war because you have the same basic information at their stuff in our stuff for different. tapping a soviet undersea naval cable have no effect on u.s. communications. you're able to keep those two missions under one roof because they were physically separate when they did and what is changed with the internet is that everyone uses the same stuff. you can't hack the soviet -- without affecting all of us. those missions now collide and that is where the problem is. so when i view how to go forward i think we need a much more formal break down of the security mission and the assurance mission which protects
1:27 am
communications data is a suburban protect standards and makes us safer from all the attackers out there from the targeted espionage missions surveillance missions going after the bad guys. additionally and then you get into more complication that espionage mission is now too complicated because it has two components as well now. during the cold war it was very simple. we would spy on any government intrusions. agents of a foreign power we would -- might that change after september 11 and now the surveillance is against pretty much everybody. we get all of the telephone calls going in and out of bermuda. not just government once, everyone. we get phonecall metadata of every american so these broad surveillance measures, government on population surveillance, i think are much more law enforcement and
1:28 am
government on government espionage the cold war old there is a military mission. government on population surveillance much more of a law enforcement mission i think belongs in a law enforcement agency not a military agency. that's probably the way i want to divide things up to be more in line with what we imagine the rules and regulations be. >> the president agrees with you on many of those points. i was hoping joe could take us on a brief history lesson because it seems when it comes to backdoors and encrypt that we have this debate in the 90s. what they called at the crypto wars. the government wanted to have something called the clipper chip and secure devices so everyone could have the lawful
1:29 am
access to the data that was encrypted and eventually that didn't happen. could you talk a little bit about that because it seems that they won the crypto wars but they have nsa kept fighting them in secret for years. >> for the longest time it used to be entirely the purview of the u.s. military and under the nsa. so one of the crazy things that happen in our history as people started to learn about an independent discovery and fundamental cryptographic message that it meant discovered a decade before by other people working in the military. now you have academics and other people discovering these things and realizing oh gee we are going to have networked future we might want to have privacy and confidentiality and security associated with that. we need to have these kinds of methods outside of pure military control and civilian so there's
1:30 am
this tension going on. what the administration at the time proposed was essentially a chip that had an encryption key on it for that key key was escrowed with the idea of being it was cut into pieces and there would be two parts of the u.s. government that would have that and then if you were doing something bad or it was suspected were doing something bad they would get a warrant and if they have probable cause get a warrant if you did something bad and listen and on your encrypted communications. it would be like white noise. it would go with this key and because they then have this access to data. i believe bruce was on this. the risks of the escrow people i believe this amazing group of experts one of which is up here right now rove is extremely
1:31 am
compelling paper that basically said look here are the problems technically with copies of keys around that you think only the government can have access to the minute back it commissioned and built a cracker for it they clipper chip. i think i'm getting things mixed up but whatever. we were able to argue that look this is not a good idea is not going to work. there other ways to access this stuff and in fact if you ever want to check out a cool book crypto talks about this back-and-forth war between applicants of complicated math and in the civilian sector in people that thought that was only going to make the world a horrible place because the bad guys will be able to hide stuff from the u.s. government and its the duty to oversee the entire
1:32 am
world. now what it turns out we won the crypto wars not only on the key escrow front but also on the export front. the u.s. government would not let you export very strong encryption technologies for many years and after a bunch of widely encoders in deep thinkers essentially put a bunch of very secured crypto code on newsgroups and if you don't know what a newsgroup is you'll have to look it up later because it may be before your time if you are young. when that happened there was no sort of vision that we could put this within u.s. borders. there was no assurance that would happen anymore. so essentially that war stopped because one side stopped fighting and we were happy to move on to other battles but what seems to be happening is they decided well we are finding a way that
1:33 am
they will never know. we are finding way to intercept routers on the way to the customers and they're not even messing with the math. they are messing with physically soldered hardware components. it turns out they have been doing massive amounts of things that they don't describe in detail. >> well, i mean it seems that in the arguments, when it comes to arguments against the clipper chip and for allowing export of strong crypto, there was a trust argument that if we are going to be transitions to these networks and want to have confidence in our transaction and grow the economy we need to to be secure. that is the same argument that many have been making in response to what we are learning about the nsa's exertion
1:34 am
backdoors in a variety of services and i was hoping danielle can introduce us to what we have been learning about those backdoors. >> and joe described the public attempt to insert it into and have the key to the private efforts. so they said let's figure out a way to develop relationships and product design to convince them to let the nsa get access and the idea was only the nsa would have access. what we learned in the past year is the nsa spends $250 million a year on a program called sigint enabling and it is one of multiple programs that have been revealed, but they look to leverage these relationships
1:35 am
with companies and develop relationships and i think the words are to shape the global technology market place and facilitate the collection. the idea they can convince the companies to make it easier for them to get access to their products. this is inserting backdoors into commercial it systems and into encryption and you know end user devices and 4-g technology. the goals of this product are wide ranging and getting access in as many different ways as possible. this is a private and sensitive way to get the companies on their side. we know they are doing that and one of the other things is it isn't with the knowledge of the company they are inserting backdoors. joe mentioned intercepting foreign bound network routers.
1:36 am
we learned they are intercepting cisco routers and this is the tip of the iceberg that they need commercial products but these are the products we all use every day for our communications and various different activities online. they want to insert a backdoor only they know about so they can insert malware or whatever they want.
1:37 am
>> there has been discussion the past two years of expanding that to on line services and products. joe can you talk to us about that debate and whether some of the arguments were that the security security world had to get that proposal? >> up until june 5 at last year which is when the first snowden tape the fbi had been pushing strongly internally into the obama administration for essentially this argument they made was they are going dark. the fbi is going dark at what that means is back in the day all they had to do was get a warrant and use telephonic wiretapping. it used to be as easy as attaching a couple of alligator clips to the phone line and listening in on the call. it got complicated over the years with circuit switching and
1:38 am
packet switching and all sorts of stuff. got to the point where they pass a law that would call the wiretap law. communications assistance for law enforcement act of centanni provider of services of telephone service is essentially must a way to wiretap people and must be able to respond to a law enforcement request to wiretap trade the fbi has been saying we don't use phones as much anymore. i play clash of clans and talk to people and there are variety of ways we can communicate. over two years the fbi have been arguing we need some sort of fix. we need some way to make us, to make these things a little more bright and getting brighter for them so they could get access to this stuff. it was essentially a proposal to wiretap all software and
1:39 am
essentially we never actually know or saw the proposal except from a couple reporters. it basically said the fbi could come to you as a maker of piece of software for with something called of illegal wiretapping system but you have to see the law to understand what it was and they would say look we need to get access to the stuff. if you said the product is not going to do that and it will take us a while that it's a-ok make sure in the future when we come to you you can turn on the wiretap. it's sort of a way of putting you on notice that you need to build a backdoor. unfortunately for them this got leaked to the press and the very same ways for proposals like when you get services order you are notice that you need a wiretap for your users. if you don't do it will get $10,000 a day doubled every day
1:40 am
which if you use the basic math all the money the world within three or four weeks. it's totally ridiculous and that's pretty strong. cdt organized group of experts who wrote these papers that i can point you to. calea ii, the risks of wiretapping endpoints or something like that. they made a really compelling argument. the first was this is a bad idea are putting backdoors and products is like fundamental and aligning the structure of the universe and a physical reality sense. what i mean by that, well everything you do on line involves communication and to the extent you want integrity to know that it hasn't changed you are going to be using products encryption or other security features. that's not going to work anymore because they have these backdoors for no one can prove
1:41 am
it would be used by good guys. and then the most profound argument was it's not going to work. all the things that you seem to wire -- want to wiretap these days like the chrome browser these are the things where the source code is available. if they put in a backdoor it's easy to cut that code out and recompile it to an executable software without the backdoor and borrow for you can't do that in the u.s. because that means office secured products go to other countries and we lose out on all that capability. you can't suddenly erect a wiretap for communications all the time. >> yeah i am reminded of a particular example in the telecom context where in the mid-2000s like the u.s. greece had systems for lawfully intercepting their phone system and they eventually discovered that some unknown adversary
1:42 am
rumored to be the cia, rumored, had actually compromised the lawful intercept systems there and had been using them for a long amount of time to actually spy on the highest echelons of the greek government and its prime minister or president so a good object lesson on how these backdoors can actually backfire. any other thoughts about the security provisions of backdoors? >> again. >> bruce has written an essay on almost every single thing. >> the other issue again is should we compromise the security of everybody in order to access the data and in order to believe that is a good idea you have to believe that one, only you can use that compromise path and if in some way no one
1:43 am
else can use it. for example i'm an example where that is the case. so it. so a locker and mentioned another example that lots of examples where this local compromise is used by other people than you expect to weaken security. and you also have to believe it's a good idea that the value of this path to the few outweighs the security of the network. and you have to believe that. i think that security in our data and our information is vitally important to all of us. there is a wide variety of threats out there, government threats, governmental threats foreign threats and security is one of the ways we protect ourselves and what the fbi and the nsa are asking is our mission trumps that.
1:44 am
we want access to that person so badly that none of your security matters. but to really talk about how the nsa harmed security, they harm security because they believe their need for access to the few trumps the needs for security for everybody. that story from greece was a u.s. product and the feature of the lawful access was just in the code so it happened to be there. the product wasn't turned on and someone snuck in and turned it on and used it and here's the government having their government communications breached because the backdoor made it even -- about the kind of thing we have to worry about. if you put a backdoor in, three
1:45 am
years now -- from now the criminals are using it and now why? i don't think this is a difficult trade-off to make. the problem is nsa is not as quick to make it. it has to be made in public at higher levels. that is why i like seeing some of these bills being proposed that actually has congress making these decisions because we have a chance of them recognizing that security trumps surveillance. >> so we do have the presidents review group and recommendation 292 i have favorites and 29 and 30 or them urging the u.s. government to make clear that nsa won't mandate the new products changed or the new product doesn't have to change the product to undermine the security enabled surveillance. the lofgren amendment cosponsored by representative massie and a pretty broad bipartisan coalition of votes
1:46 am
went even further than that and what it said the nsa could not mandate or even request that a product under service provider weaken their product to enabled surveillance. that amendment was locally supported by google amongst a variety of other companies and civil society groups including my own but i was curious they would if you could talk about why google chose to support than what your concerns about that? >> that particular amendment addressed to backdoors one with respect to requiring companies to essentially build on those security vulnerabilities in their products in the second was with respect to backdoor searches. it was an important perhaps perhaps overlooked component of the usa freedom act introduced by senator leahy and representative sensenbrenner and really quickly on the backdoor search section 702 enables the intelligence community to,
1:47 am
prohibits the intelligence agency from targeting the communications of u.s. persons or people in the u.s. what it doesn't speak to is what happens when the communications of u.s. persons are incidentally collected and we learned a bit more about that from a "washington post" article that appeared yesterday about just how extensive that collection is and it just reinforces the importance of the amendment. because under current law the intelligence community can turn a blind eye to the fact that there is a large cache of u.s. communications that are being collected and that are being searched without the protections the fourth amendment would normally afford. this is something that has been core to google's advocacy in washington for quite some time, that there should be an ironclad warrant for content warrant. that's something that the supreme court at the least in some of the dicta in the riley opinions a couple of weeks ago.
1:48 am
>> searching of cell phones. >> searching cell phones. we felt this was a welcomed unexpected opportunity to weigh in support on both the backdoor search will pull component but also to prohibit the use of funds albeit for just one year to require companies to build these sorts of backdoors. it would seem maybe a year ago this language might not seem necessary but now it's actually important to restore trust. these sorts of things are not being requested and required companies i think it's a positive step but obviously there's more to be done. this is an appropriations bill. there's an them. there's not much of the bill and it's unclear whether it will survive the appropriations process. >> i commend you if you haven't read yet the story in the
1:49 am
"washington post" yesterday on sunday. i think it's going to get them their next pulitzer on this topic. any other comments or thoughts about the backdoor issue before you move on to the issue of stockpiling? >> one more thing about trust. we talked about trust and how this destroys the trust. it's worth talking about exactly what the trust was. it's not that we in the tech world trusted that these products were secure. they were brunnell pro-and they didn't have capabilities that allow hackers and printing of security is hard in boulder police are everywhere but we did trust that the secure technologies products would rise and fall on their own merits. that they would be what they were advertised. not that there was some government hand secretly sneaking in and twiddling with the knobs. that's the failure of trust and it's a big one. and it's something that we in the united states have to deal
1:50 am
with in trying to sell our products overseas. other countries are saying the nsa is probably into it and you are lying to me when you say you have been forced to make changes and you're not allowed to talk about it. we know this has happened. we know this happened with microsoft. we know that microsoft has made some unknown changes to skype to make it easier to eavesdrop. we don't know what they are. we don't know how they were done. we know that they happened. how is that going to play in the international market? germany recently kicked verizon out of a large contract because they didn't trust that verizon was behaving in a customer's interests. they didn't trust that the nsa didn't come in and force them to do something and lie to a customer about it. that's the betrayal and it's a big one because we as technologists like to believe
1:51 am
that the technology rises and falls on it. >> bruce alluded earlier to the broad targeting of everybody to the more targeted. the limiting backdoors in trying to make it so the nsa can serve products and services isn't going to get rid of the targeted surveillance they are trying to collect. we have talked about many ways the nsa has a legitimate targets that's been able to prove probably as foreign intelligence information. this eliminates their ability by everybody anytime which is what we are trying to continually do to take it away from everybody is a target to looking at what the real targets are. >> or perhaps make them as another commentator has said it makes you fish with a poll pole rather than a net if you work.
1:52 am
most software does have flaws and it, bugs and vulnerabilities and these things called zero days. what we learned in december in a great exposé which some of us are starting to wonder where that came from a source other than snowden we learned of nsa's massive catalog of vulnerability in a wide variety of widely used products hardware and software and basically they can pick and choose and uh-oh company the target as that? here's the vulnerability for that. bruce can you help us out with where did those come from and what the heck is zero day anyway and where can i buy one? >> let's talk about software for a second. software is incredibly complicated everywhere and we as scientists we as a community we as technologists do not know how to write a secure code.
1:53 am
all software contains bugs and vulnerabilities. we know every month you get a dozen or so updates to your microsoft operating system. those are all fixing bugs and closing vulnerabilities. those vulnerabilities can be used to attack systems. remember earlier we talked about the nsa's -- don't get me started with that. the nsa's dual missions protections and attacks. when vulnerabilities can be used for both. if you discover a vulnerability you call microsoft and microsoft fixes that we are now -- nobody else can use that vulnerability. to discover that vulnerability and you call the come on say hey look what i found that vulnerability is used for attack to steal money steal passwords. we in the security community recognized the way to improve security is by continually
1:54 am
researching finding and fixing vulnerabilities. the nsa can play either. they have two missions. they can play defense and use those vulnerabilities to make things more secure or they can play offense to keep those vulnerabilities in their back pockets and use them to attack the system. remember target versus broad. those vulnerabilities affect everybody. they are in an operating system. they are on the internet. now we have this question. what should the nsa do? there has been debate about this. should they hoard them to attack the bad guys or use them to fire cyberweapons and all these reasons why you might want to keep them but by keeping those vulnerabilities we are now vulnerable to them or should they fix them? if you fix them you fix the good guys and the bad guys. if you were and use them to attack the good guys and the bad guys that's the fundamental
1:55 am
debate. again the question comes down to what's more important security or surveillance vexes that the surveillance of the few that means the security of the many or is it the other way around? >> so we have learned that the nsa has a very large catalog of these vulnerabilities that it is stockpiling and using it for its own foreign intelligence purposes. or something in between that. danielle, you have done research on this. what have you seen in terms of how should the nsa handle this? >> this comes up in the president's review group report but it has come up many times before and there is a great paper about the idea of lawful hacking by steven bellovin and matt blaze and a couple other folks. and they talk about this challenge of the best and most
1:56 am
ethical way to get access to communications for lawful purposes. one of the big challenges is zero days you will always find and vulnerabilities as well. and when there is tension between the defensive capabilities might be to stop them and say we might need all of these. and that ignores the fact since you will keep finding security holes you will continue to come up with an ever longer and growing list of these holes. so what they talk about is the what a responsible practice likes like and if you find a vulnerability you disclose it immediately unless you have a compelling and immediate need to use it. if you are looking for something specifically and it is high national security, you might be able to use that vulnerability
1:57 am
and then once you used it, disclose it to the package so the ordinary users who are open to attack because of that can have their products patched. the other thing they point out is patching isn't immediate. so when you find a vulnerability you disclose it and exploit it for a short period of time until you run out and then you go look for another way to get in. it is a complicated issue because there is something strange about the idea of exploiting vulnerabilities to get access to information but it is the idea this is going to happen and we need to figure out a way to deal with the problem while recognizing there maybe legit law enforcement or security needs. the president's security group says the default should be disclosure of vulnerabilities. immediate and then only for a compelling reason following a
1:58 am
senior review process the nsa might be able to withhold vulnerability. what they should not be doing is holding on to them and accumulating an arsenal and not letting the companies know because that means general security is weakened just in case the nsa might need that at some point for a target they have access to it. it is this all or nothing approach where there is no recognition of the fact it is bad for everyone that the holes are out there and the flaws are not being disclosed and not telling the company so they can patch it. and the companies are looking for those so they can patch them but it is saying we have this information and this came up in the vulnerabilities and the question is did the nsa know about this and if the nsa did why didn't they disclose it. was it because they have been looking for ways to exploit the
1:59 am
protocol so they can get access to things? that is a serious allegation and challenge and they talked about the disclosure process they have but didn't say much about the details. >> so there was this story that was denied that nsa knew about heartbleed and it seems that is not true but in response the white house said by the way, though, we actually do have an interagency process to decide when to disclose this and we have had it for years and we are in the midst of revising it. i am curious what do we know, amy, about the equity process?
2:00 am
>> we know the nsa has a stockpile of vulnerabilities and we know the u.s. vulnerabilities is one of the main drivers of null vulnerabilities and raises the price of them because the u.s. is willing to pay good money for things they can exploit. heartbleed -- people think we knew about it what can we do. let's dust off this old thing we haven't been using and say this is going to be the process by which we figure out if we are going to reveal vulnerabilities so they can be patched. it was a multi level weighing process where they look at whether or not you are vulnerable versus their own security needs. coming back to the nsa's dual functions and we see over and over again whenever they weigh against surveillance this side
2:01 am
wins. so it is very unclear how this process is going to play out. and one of the reasons is because there is no transparency built into it. i think one of the key things we talk about is the need for greater transparency and how things are applied -- they have not talked about who is going to be aware of vulnerabilities and how many days they keep things back. so these are core questions that need to be answered. things that can be made public and numbers that can be made public without great risk to national security, if any risk at all, and it isn't built into this process that is tilted in one direction because the nsa values their security mission so high. >> bruce?
2:02 am
>> we have not touched on the international nature of this. there are lots of countries looking for vulnerabilities. the government of china is doing the same thing. there is a hacking team in italy that sells software to break into system with governments like kazakhstan and governments you don't want breaking into the communication of their citizens. so as we look at the vulnerabilities, find and fix them, we are not just making security better for us but making it better for people that need security to stay alive and out of jail. the international nature of this makes it very subtle. you will hear a lot of arguments that we have to hoard vulnerabilities because if we don't china will win. that is an arms race argument. it fails to recognize that ever
2:03 am
vulnerability we allow to remain is a chink in our armor. and as long as we are connected and computerized and internet enabled society we are at a greater risk than the government of china is. the government of north korea as well. and that defense is important to us specifically because of this international nature. >> i wanted to add i think it is encouraging the administration is taking up the vulnerabilities equity process. this is one of my favorites. number one. there are differences and if nothing else talking about the meaning of what the intelligence community is saying based on the written word. and the review group's
2:04 am
recommendation in this regard was to disclose unless there was an urgent national security interest. and the nation exploited the heartbleed they had said that there was a strong bias toward disclosure unless there was a clear national security or law enforcement interest. those are two different standards. so what would help to inspire confidence there is a strong bias of disclosure is having more transparency because this is quantifiable on being disclosed or temporarily stockpiled and used. there is a lot to be done on this front. it is encouraging the administration is undertaking this vulnerabilities equity process and did so before being
2:05 am
accused of exploiting the heartbleed. but at the same time there are a lot of questions that remain about what the standard means in practice. >> correct me if i am wrong, but the review group says they should be used rarely. that is the word they used. >> and immediate disclosure. >> do you know if google has received disclosures under the process? >> not that i know of but the sharing has been difficult. >> mark up tomorrow. senate intelligence committee of the cyber bill. bruce anticipated my closing question which was how do you counter the argument that this is like unilaterally disarming but the answer is you blow up the bomb, you cannot use it again.
2:06 am
you disclose the vulnerability and you get attacked and no one can use it. moving on to the catch all category. the nsa weakened encryption and has backdoors in the a variety of products and has a bunch of vulnerabilities into other products -- what are they doing with all of that? it seems they are building a large network of computers and networks that are compromised and they can use that to conduct surveillance. a big part of this seems to be called quantum and i didn't understand the quantum stuff and bruce has done a lot of reporting on this. but i didn't understand it until joe explained it. so i am hoping joe can explain what the quantum base is. >> i did my job well then because my number one job is
2:07 am
explaining things to people so they can understand. quantum is this scary thing. it is scary and complicated so it is easy to be like i am going to fall asleep. quantum appears to be the u.s. government can respond quicker than any website you go visit for example. your browser says i want to go to cnn.com they have stuff in the internet that can respond faster than cnn can. that is called a race where the nsa is trying to beat the response from the actual thing you want to get access to with their stuff. this is where surveillance gets strange. you think of it as i am watching a bunch of stuff float by, i
2:08 am
will jot down notes about what this person said. this is active surveillance. they are changing communication to do this. one example is if you use a tor browser and that is a tool you should all look into. if you use it and you go some place they have stuff, and it is hard to know what the stuff is because the documents don't describe that because maybe that is too sensitive to write down, but if you use the browser that is an indication you may be a bad guy and you may be looking up contraception in a place that doesn't allow that -- >> but you are a bad guy. >> they can respond and poke a hole in your browser. they have weaponized this category. it isn't just a database of
2:09 am
vulnerabilities but they have established tools that can establish a beachhead on your computer and do things right then or later. if you just happen to type the wrong thing in or have the wrong book report assignment you may get a hole poked into your system by this set of infrastructures the nsa has using the set of vulnerabilities in a clever awesome network technique. the internet is complicated. but in order to have this global reach into what people are doing -- and it isn't everything but it is a substantial chunk of what people are doing on the internet -- and that is remarkable. engineers think of this i am designing this thing to make your communications private between here and here, there may be a bad guy listening, but we will design it with the bad
2:10 am
guy in mind so we thwart him. but we don't think about the bad guy that has endless money and global insight into what is happening. >> so, let me try to sum this up. the nsa compromised a bunch of routers and isps and it is watching for targets whether it is someone using the tor browser or using a particular thing or particular isp or has a particular cookie and it jumps out in front of that person's communication, pretends to be the site they are looking for and uses that opportunity to inject malware into their computer. is that right? >> yeah. >> joe described this to me as crazy silo stuff. some of them are major
2:11 am
companies. linkedin. facebook. they attempted to spoof google. how do you feel about that, david? >> it is one of these things that doesn't inspire confidence in the use of products and services. when people use a product like facebook or google or another service they expect that is going to be legitimate and these reports are baffling and disconcerting. i think it came -- because it came in the sequencing of revelations i think they were no longer a surprise to people which shows how far we have come in terms of understanding about surveillance programs and how they work. ...
2:12 am
that watches everything go by and when it sees something that triggers and it could be anything, they will use quantum to inject data into the stream. i think it's one example we are talking about it injects data in
2:13 am
such a way it allows the nsa to take over the computer so it is a targeted attack made possible by this broad surveillance system. there are a good dozen different quantum programs that do different things but it's all, we are monitoring everything looking for specific things. now this is something the nsa can do because they have an agreement with at&t to put this computer between the user and google. and it doesn't always win but once in a while it can respond and fool the user. now this is not -- not the nsa can do this. we can't but actually we can. this is not a new trick. this is a hacker tool you can download. it's called airpwn. you ask again get a privileged position but it's the exact same
2:14 am
thing. this is a way hackers have of taking over your computer when you are on the wireless of this institution. so we have a choice here. we can build the internet to make this attack not work. we can do it. it isn't hard. we have to do it. it make so safe. hackers are criminals of a foreign government or anyone who might use this. or we can leave this massive vulnerability open and allow the nsa to use the surveillance to attack legitimate targets while at the same time leaving us more vulnerable. >> so it's this kind of behavior that has led a lot of u.s. internet industry representatives to express some concern and dismay and to be worried about especially the impact on the trust of
2:15 am
consumers. you have mark zuckerberg personally calling president obama to complain and after meeting with the president complaining they are not doing enough to reform these processes. microsoft likened the nsa to an advanced persistent threat, a security term that's usually reserved for chinese military hackers or russian mafia. and then of course there was google for a couple of the engineers there after learning about how the nsa was attacking google specifically said and i don't think there's a delay on c-span so i won't say the word itself. he basically said f the nsa on google+. it wasn't an official google statement that they were ticked off. what were they ticked off about? >> so this is, the washington post reported they were tapping our data centers and i think we expressed our outrage about it. i think on this continuum of
2:16 am
likely to unlikely in terms of this happening and they thought it was less likely. we have been working pretty seriously now to ensure that the traffic between our data centers is encrypted and i can say we are pretty much all the way there. you can never say you are 100% of the way there but we have been working pretty aggressively and i think the post article noted that even before the post reported that particular revelation that we were working to encrypt the traffic between our data centers. but that was a particularly troubling and disconcerting revelation because there are mechanisms including those that congress authorized in the fisa amendments act of 2008 that enabled the intelligence community to seek information through the front door and to do so in ways that just work -- weren't countenanced by previous types of fisa surveillance.
2:17 am
so to see the extent of their efforts to go and to tap the link between our data centers to obtain traffic in ways that wasn't targeted and swept up hundreds of millions of communications i think just sort of reinforced our responsibility to redouble our efforts and to do as much as we can on the security side notwithstanding anything congress might do to limit the ways the nsa can conduct surveillance. >> it seems beyond policy response is one of the other key responses is armoring out than trying to put the security of your services to counter these threats. amen know you have been working on a project in regard to that. can you tell us more about what we should expect companies to be doing at this point? >> sure, when i came to ask as we talked about transparency reporting in and how absolutely important transparency reporting is. one of the reasons for that is that we have now this window
2:18 am
into the nsa's activities provided in large part by edward snowden but it's time-limited. we only know what we know from the documents he was able to provide to us while he was there. we're not going to know what's happening next month, next year, five years from now. we need ways in the future to keep it open as possible so we can continue to have this dialogue in this conversation about the extent of nsa authority. but that's not enough because transparency reporting actually really only provides you with numbers based on when the government goes to official judicial processes to get information. how many times they ask the court to provide them with information on their users or their accounts. so what we are looking at is all of the different times the government doesn't go through the initial process and actually taps into the fiber of the internet and tries to get communications that way. what needs to happen to make sure that all of your inner room
2:19 am
all of your communications are protected. so we have put forth what we are calling the security action plan that has been signed by a lot of forward thinkers, internet companies including twitter and we have a big announcement coming tomorrow, a teaser alert. it's also been signed by civil society groups oti comest cdt the electronic frontier foundation the liberty coalition and a broad range of groups saying that there are seven things companies can do if they are going to collect information on people on each of you in order to make sure that information is properly protected. unauthorized users foreign governments, the nsa bad actors criminals cannot get ahold of it. so it includes things like encrypting data when it goes between data centers and when it's flowing over the internet. making sure your passwords are strong and that you are moving
2:20 am
towards a mitigation system. really poor things, really common sense pieces and activities where companies across-the-board aren't engaging in and if we think if the seven things can become a floor on internet security that you can then start moving forward. here's the minimum, the bare minimum that was accepted. now protect people's information even brought more robustly and think of new ways to protect it. if you register that aimed at encrypt all the things.net is where we have listings located and we are trying to promulgate that and to keep it moving. >> so it seems there is a lot of things frankly that you need to encrypt if you actually want -- he need to encrypt all things though you need to do an encrypted between you and the web site and you and your e-mail server. you want e-mail servers to encrypt between each other which
2:21 am
google released a report showing all the servers who are not doing that and turning that encryption on. there's also end-to-end encryption and google recently put out a plug-in to enable end-to-end encryption for your e-mail webmail. bruce or -- can you talk more about putting aside what companies can be doing what we as users can or should be doing to protect our own privacy against the nsa or anyone else? >> again talking about bulk versus focus. if the nsa and fbi and the chinese military wants to get into your personal computer they are probably going to. almost certainly. we as security people cannot defend against a well-funded well targeted sophisticated attack on the system. we are not able to do that. that is really not what we are trying to do then begins here.
2:22 am
what we are trying to defend against is bulk surveillance, is: can the nsa, the chinese, the criminals get into everybody's computers? can they do it in bulk and do it efficiently? can they do it on a broad scale? there, there's a lot we can do. we talked about encryption. that will protect your data as it's flowing from one place to another. there are going to be ways to get at it if the fbi gets a lot more complicated than the normal case of bulk surveillance that doesn't happen. there's going to be if it's easy to grab and if it's not it won't. there are things you can do there. there are things you can do to protect anonymity. the issue is going to be that a lot of the data that is being collected is not able to be protected in this manner. it is what is being called metadata.
2:23 am
metadata is data that the system needs in order to operate. you can encrypt your e-mail but the to line time of day in crippling you could have a secure voice conversation but who's talking, how long they are talking and when they are talking cannot be encrypted. your location and your cell phone tracking device. if we can secure that but then you can't receive phone calls. the system has to know where you are so this data cannot be protected by actions we take. when i talk about what you do to protect yourself the single most important thing you can do is agitate for political change. there are a lot of tech solutions and we'll talk about them but they are fundamentally around the edges. this is a political issue and the solutions will be political. so that is the most important thing you can do and with that we can talk about the
2:24 am
technology. >> i can't say enough. laws and policy move very slowly but it's a critical component of fixing this in the longer term. standards, people who decide how your computers work and how things work on the internet is just a little bit faster than laws for something we are doing and aclu is doing as well as making sure we are present in the conversations and internet engineers are involved in saying look, it's not just a spoof thing. it's not just an industry thing, it's something regular people have an interest in. but getting to the tech specifically i like to think of this in terms of hygiene. caring about it or whatever and you might be more sensitive to those kinds of social norms. it's a little different in the
2:25 am
internet talking about digital hygiene. what things can you do to keep your house in order in that digital sense? there are a variety of things that i will mention a few in passing. a vpn, three letters that stand for something more complicated but essentially if you have one of these pieces of software and turn it on all the local stuff that's happening outside of your computer is sending signals that is encrypted. if you go to a coffee shop or airport you often see free wi-fi. it won't have a little lock next to it like you do at home which means even though you have to sort of click on some terms of service or pay a little bit of money or whatever all the communications you send from your computer aren't encrypted. if you use a vpn at least all the communications right there locally are encrypted out to some other thing and it looks like it came from new york city or something like that. it protects you only from people that might be trying to subvert you in a local coffee shop or
2:26 am
airport. some of these sound like they are maybe not nsa protections but they all sort of add up to making you less in your digital life so to speak and another is the password manager. i have my now three passwords and i only need to know one that i have 1200. some of those i have had for many years but they are all completely randomly generated and i don't have to think about them. my password manager has a bunch of tools that manages that. the eff makes a handy plug-in called https. https everywhere. that means if you see the lock on your browser the url line will go from http to https and that s means secure. this plug-in from electronic -- is dynamic technology.
2:27 am
make sure if there is an often if they know about it make sure there's an option to have an encrypted connection use the encrypted connection. there's a variety of these and we can talk about them and i will show them. >> they are important things and we talked about a variety of technical solutions and a variety of policy solutions. i have one more policy and i will look to you guys for any closing thoughts and we will open it up for questions. one issue we didn't talk about is the policy sense for the hacking by the nsa. we are having an above board for the first time in years conversation about what should the rules of the road be when the government has to hack into a computer? right now we have a computer crime law that has a pretty broad carve out for law enforcement security and we are only now starting to see a few decisions about when is it okay
2:28 am
for law enforcement to use a vulnerability to break into your computer remotely and we are starting to see a discussion on the advisory committee of the u.s. courts that discusses what warrants should look like if you are going to use a warrant to break into a computer but we haven't in the context of the nsa discussion had a debate about what the rules should be if the intelligence community wants to break into a computer. falling short of making a policy recommendation i would say that's a discussion that we need to have. it hasn't yet begun except in the law enforcement context. aclu amongst others has done great work on that issue. on that i will leave it to you guys if you have any other ideas, thoughts or policy recommendations for closing sentiments before we open it up to questions. >> thanks for coming and the fact that you came means you care. if you don't understand it ask us, we will explain it.
2:29 am
>> it's very complicated. >> questions and do we have someone with a mic? right there, front row. we know this guy. >> hi. i work with the aclu. a lot of the assistance for a lot of the surveillance you describe relies on the assistance of the companies and when companies are forced to use security of users. the quantum stuff that you describe for example supports our security but probably relies on a voluntary assistance of phone companies. it's tough to imagine a court order for at&t to install them on their network particularly they wouldn't be able to probe for specific targeted computers. they put them there and use them on an ongoing basis. the subversion of security that troubles me the most is when companies support the user voluntarily. we have heard a lot about how companies have use security last
2:30 am
year and google in particular has really beefed things up. in some places you are providing voluntary assistance and weakening the security for users. the one example i want to highlight here is that if police get a warrant and seize a cell phone they can go to google and google will unlock that phone. to google's credit they insist on a warrant when other companies might do it with less but there's no law requiring you to have the ability to unlock phones or to circumvent the lock feature on the screen and i'm wondering a year after snowden if you are now thinking about whether that's a feature that should still exist or whether you should be taking it away. i think many of your users who enable that phone lock do so with the expectation that only they be able to remove that and the fact that the police can get a warrant to remove it may surprise and anger some users. >> my response is brief because i
2:31 am
don't serve in a compliance world but i actually hadn't heard about that before about having to take that back to law enforcement and ask that question. >> i would be happy to say i think this level of encryption is the key to technology in enabling this level of encryption into phones is the kind of thing that would make me very happy to see. absolutely. some things are encrypted and some things aren't. i know if there's practical problems it takes a long time to do certain things but it would be nice if you had to clean that off. i am not a product guy. i'm just a nerd. >> first of all a lot of really cool cloak and dagger stuff here.
2:32 am
thanks for that. i'm going to go and watch sneakers when i get home. with respect to what's going on joe you make a great point about the password managers and authentication. if a lot of people in the room and at home argues that type of stuff. what type of activities and steps have the companies themselves taken post-snowden revelations to make our communications more secure and i'd be remiss in not asking you for joe or kevin to also discuss reform. after 180 days or electronic communication protection significantly decrease as well so i was hoping you could address those two issues. >> i will say quickly certainly we have seen more encryption on the web. we are seeing what is called -- there has to be a better word for this thing. i don't want to use the nerd words or whatever so i will call it ephemeral cryptography the idea being often when you're using encryption you use the
2:33 am
same forever in some cases but web platforms have been moving and google is often the lead. they're using a model of encryption where you have one key per session so you come back tomorrow and start up in a web browser and encrypted stuff is not the same as the one yesterday. it requires a little bit more work on the side of the companies. as you may know carl but is worth it and is often not that more expensive than other kinds of stuff and i will shut up. >> the place to look is eff. they have a good scorecard of the major internet companies in seven or eight things they should be doing to encrypt the web to protect their users and who is doing what. that's the place to look. it's completely updated so you can see who's doing what and then you can look at the history. that's a good way to get a handle on what companies are doing what things to check the
2:34 am
security of their users. >> i would be remiss if i didn't add that a certain civil society technologist is offering personal incentives to types of organizations as they move to encryption by default in the ssl. >> it's a good incentive to do it. >> in response to reform very briefly because it is an important issue electronic communications privacy act in 1986 was our first digital privacy law but it's so broken at this point because it was based on a lot of assumptions about how technology works such that the e-mails that you have that are less than 180 days old require a warrant based on probable cause. but e-mails older than that require only a subpoena written off by a prosecutor and in fact under the doj's reading of the law they don't even need a warrant for your e-mail even if it's less than 180 days old if you have open or your drafts
2:35 am
folder or your sent folder so the incredible takeaway from that under current law the most protected e-mail in your e-mail account is everything that is spam because you have not opened it. >> even stuff you have not read. don't read your e-mails. >> one practical tip of things to do. don't read your e-mail. glad we were here for this. >> so many of us lead the coalition effort called digital due process, a coalition of companies that have been trying to reform it starting with a clear rule, if you want somebody's content for e-mail content with a provider you need a warrant. we think this follows the brace -- basic principle in the digital age we think what you stored in a dropbox or gmail or whatever should receive the same protection as the files to
2:36 am
keep at home. right now we are in a frustrating place where we have a bill in the house sponsored by mr. yoder and polis that has a majority of the house sponsoring the bill at this point. whatever the magic number is 218 plus whatever and it's still not needed. we are in from my perspective someone who has been working on these issues in law enforcement for a long time in a weird bizarre world where it seems nsa has more heat than what should be a really uncontroversial fix to the long force not digital privacy law. the momentum is still building. at some point the leadership in the community leadership are going to have to move this bill because the tide is unstoppable, knock on wood. >> i think reform is the lowest hanging fruit on the surveillance tree and there's a reason why there's a majority of congress that supports the bill
2:37 am
and it enjoys broad bipartisan support both from republicans and democrats. i will point again to the riley decision from a couple of weeks ago where there was a passage saying that some users aren't familiar with the date of the face door on their cell phone. it stored locally or remotely and they said it really doesn't make any difference for fourth amendment purposes. it was unanimous in the supreme court so you know it is a fait accompli but is not a fait accompli. the supreme court is sending signals to the extent that type of case comes affordable whole that, that there should be an ironclad warrant for content requirement. i think what we are seeing in a different context with debates around the limits that might be imposed on the nsa is that maybe that warrant requirement isn't so ironclad and maybe there are circumstances where the nsa should be allowed to search communications that they have already collected. if the data is lawfully collected the argument goes there shouldn't be restrictions on the
2:38 am
ability to query it. that skips the step and analysis because it focuses on what happens the day after it's been collected. it's a significant and constitutional moment in the data collected. that's really important. one thing kevin i should mention in case my overseers are following me the plug that you referred to release source code which is going to be hopefully is going to be a browser extension for chrome that if it works right will enable end-to-end encryption using openpgp. we are not there yet and we are kicking the tires and encouraging people. security researchers are discovering vulnerability problems with the source code. >> nsa pays -- [inaudible] >> one last thing to add is a lot of the things we have talked
2:39 am
about today are security reasons people have known or suspected for a long time so i do things the things in the past year is that this is news coming out for meaningful public discourse which creates a much greater opportunity for what bruce highlighted which is political change. it's very clear now that a lot of these laws are outdated and is very clear that these are things that affect real users and as we keep getting more stories like the one on sunday there's a lot of collection happening that makes people uncomfortable and want change and they can talk about it in a well-informed way. that's very positive in the political process moving forward for seeing reform underway for these issues. kevin has said this before, this is the beginning this year for all the many years with the fights on a lot of these issues and that doesn't mean it will be easier but the changes are always going to be ones that people especially in the
2:40 am
advocacy community loved. a lot of these conversations are happening. >> it's kind of like the tinfoil hat crowd. people around their cell phones nodding their heads. >> i come at this from experience of the volunteer foundation and whistleblower evidence from 2006 that the nsa was sitting on at&t's network and up everything in filtering the things out that they thought they wanted and being looked at like we were crazy. it's certainly been validating to have an all the papers of record and finally at this point admit that yes the nsa is sitting on our domestic backbone and we can do something about it. >> hi. first of all thank you so much for this. it's been very interesting. my name is katie mcauliffe and i'm with americans for tax reform.
2:41 am
this is the week for ecpa. there are two other events one on the hill on thursday but i have a question for you that i have written down because it is indeed complicated. what i wanted to ask is how does the nsa target bad actors and any kind of weakening or strengthening of security affects the entire world? it's been said that the nsa has the ability to target government espionage but it was also said we don't know which programmer is the underminer of encryption and then how do we question the nsa find foreign or criminal bad actors? does this also mean you don't know who is -- in our different browsers so really how does the nsa target and when i say how do we find out who is weak? >> yes. let me ask a quick clarifying question. do you mean how do they do it now or how would they do it if
2:42 am
we encrypted everything? >> so it would be great if we could do both of those. i guess what i'm curious is seawall said the nsa does have ways besides getting everyone's information to everything and i was wondering what those ways are to actually target bad actors and bad government actors? >> you break into a network and the criminals want to get appropriation and get credit card numbers. they break into network theory partner. they use standard hacking techniques and gather data and leave. that is what the chinese government did a couple of months ago. we indicted five chinese military officers to do exactly that same thing u.s. corporations stealing data from the u.s. government. this is something we believe the nsa does. if you want to target north korea you get into their
2:43 am
computers. there's lots of targeting techniques for targeting targets that everyone uses and we can talk about the technology of those but that is what is done and that is what is differently than targeting and going after everybody. you ask what does the nsa do and nearest we can tell there's a series of filters. the nsa will put a computer on the internet backbone and this is not something, this is nothing the chinese don't do in their own country. it's not nsa specific. don't think of this as magic nsa technology. this is what many well-funded governments are going to do and russia does the same thing. we will do a broad collection of everything and then very quickly based on names, based on keywords, based on topics cull out what they don't care about. watching cat videos, you don't care, get rid of that to focus on things they are interested
2:44 am
in. you are going to get things you don't care about and lose things you care about but the hope is that you do pretty well. last weekend we had a very interesting story in the "washington post" and the end result of that entire funnel were reports given to nsa analysts. here are communications that have passed all of these filters and they're on bad topics from bad people whatever. here it is. what we have learned is 90% of that stuff is about innocents including americans. the filters actually don't work all that well even with all of that filtering. not that answers the question but that's basically the process. [inaudible] >> we actually find targets. >> the way you look at our successes of law enforcement and terrorism they don't stem from looking around saying there's
2:45 am
someone suspicious. they stem from following the leads, the kind of police and intelligence stuff you see in movies and on television. we are going to go after that guy. who is he talking to? what is he doing? the things you don't need broad surveillance for. normal investigative procedures that start with a target and figure out what's going on. we see this from review groups that have looked at these broad surveillance programs. actually isn't a lot of value from looking at everything, looking for someone saying the word and i just made this up. it's probably true. everyone is saying the word bomb and if you say the word i'm going to start watching you. that has extraordinary low value because random people say bomb all the time and people that -- things don't say bomb at all.
2:46 am
these bulk systems don't work and they are incredibly costly. the big discussion here we didn't talk about ineffectiveness. what we talked about was the cost. the cost of securing for the rest of us to enable broad surveillance programs. no one is arguing here that there isn't a valid intelligence mission and a valid espionage mission a targeted warrant by the fbi isn't a great idea for what we want is transparency over accountability and presumption of innocence and for the ability of us to protect ourselves from all threats. >> did i sum up well? >> i think so. i will just add i think in a way part of what we are debating and what bruce goes back to is that we used to live in a world of retail surveillance. you would pick a target based on some sort of -- suspicion and then you would surveil that target.
2:47 am
now we have reversed it into wholesale surveillance where you collect on everybody and then you decide who you will target. ultimately that changed the law happened without us having a discussion about whether that shift in the way we investigate people made sense in terms of the trade-offs and it's the discussion we are finally starting to have now far too late. >> i'm a former member of the british parliament. we did abolish slavery more quickly than you did but i'm not going to talk about that nor am i going to complain. please start paying tax united kingdom. we are in deep trouble and we would like you to pay actually tax towards this for all of the money you owe us for keeping out
2:48 am
of the country. but the serious part i was on the defense committee for 30 years. i chaired it for eight years. i was moving up the hierarchy for a long long time. i learned morality and politics is important but not too important. what you have to do is to protect your society and if you are being confronted by evil people who are using every trick available to make life difficult for us, extorting money, putting us in danger, the idea of responding to that with an excess of morality seems to me as we would say in the u.k. stupid
2:49 am
beyond words. it's difficult to say that. when i was on the defense committee we knew who the enemy was. they were plain nasty and if we didn't play nasty we would be absolutely pilloried and we did not do that. somebody does a perspective that's not a very nice perspective but it is a realistic perspective. you have had your pick and create what some of you think hasn't been good enough. you know that your intelligence services play dirty games. thank god they do because if they did not play dirty as the other side did it in a bigger problem you would have would be exploitation on the possibility of political and economic disaster. so if i do hear a little bit off message it's based on 30 years of experience.
2:50 am
i had election observation missions for the osce on 25 occasions. russia, evil countries, not evil people, evil countries and they knew first-hand 36 years in and three months in parliament it was fighting dangers of our country and our lives. i am glad to hear that we have a strong degree of realism. there should be a greater degree of realism. i'm not defending every nasty thing that your government has done. i'm certainly not defending your mr. snowden whose -- that great democracy in the world russia although i'd call a sovereign union. if we have to play dirty don't admit it but we have to play
2:51 am
dirty because i'm absolutely certain that consequence of playing decently as though your think football not that the english are good at that but that you are playing with the u.s. getting farther than we did which wasn't very difficult but frankly i have no doubt that if you have to play dirty then you have to do it. a question? alaki tolerated me for speaking so long first off? >> i did want to allow you to finish because one is not an uncommon perspective but also i wanted to hear it all so i could fully comprehend exactly why we threw a revolution. [laughter] but i do want to reflect on what you said about making arguments about morality. in fact i think much of this discussion and the discussion we have been having and which is
2:52 am
the focus of our paper is stepping away from a moral argument or civil liberties argument even though it's this civil libertarian as the one that most motivates me and to talk clear-headedly and clear-sightedly about all of the various costs of these programs we are not talking about. the cost to our economy the cost to our foreign relations in other respects the cost to our internet freedom agenda around the world. there are a whole raft of reasons to be concerned about these programs completely separate from concerns about civil liberties or the moralities of those who are engaged in it. that's my answer to that question. >> that argument is fundamentally your argument and i can summarize it in one sentence. terrorist -- we must do all these awful things otherwise terrorists will kill your children. it's an argument that shuts down debate and you are right it's an
2:53 am
argument that went over every other possible argument. they can't be argued with. the problem here is that argument short circuits in a discussion of are the things we are doing actually effective? do they do any good? we are making an efficacy argument. we are making a cost argument. yes there is a threat. there's a threat that the bad guys in the bad guys don't play the rules and that's fine but what does that mean? there are many threats in society. we have been talking about the threat of government overreach. actually a very serious threat. in the united states you are 10 times more likely to be killed by -- than the terrorists. i can list dozens and dozens of threats and we are trying to balance that. we balance them by looking at cost benefits. up here we have talked about the
2:54 am
cost. if the cost of broad surveillance are greater than the benefits we don't do that. even if the bad guys are bad guys. they aren't going to go away. the question is what is the best way to deal with them? >> arguments we are making is that there are more effective ways to deal with them. not that we are going to lose and they are going to win. that's and that makes no sense. if the question is what is the efficacy of the various tactics, what are the variety of threats and what are the best ways that we as a society can deal with that and in order to get this argument you have to -- because once someone says the terrorists will kill your children all the discussion goes away. no congressman will vote against something that someone says if you don't do this at terrorists will kill your children. there will be blood on your hands if you don't vote for this. that is never explained. it's never justified but as soon
2:55 am
as it's said the fear sets in. one of my great worries right now about reform is that if we ask congress to oversee the nsa we look at it more permissive set because right now congress is scared. not as scared of the terrorists, scared of being blamed if something happens. getting beyond this fear is the single most important thing we can do to move society forward and honestly this might take a generation. you and i might have to die before more sensible people take over government. >> we simply can't be terrorized and that is exactly process explain. we have to be able to stand up to in some cases large political pressures in the case of low probability and you can argue soberly that that's not worth it. >> this gentleman right here has been raising his hand very
2:56 am
highly for several moments. >> i am a correspondent for euro politics newspaper. i was just wondering has the issue of encryption and internet security aspect more than the surveillance because this appeared on the radar of other countries around the world like for example in europe which is considering its whole data privacy framework at the time and a follow-on to that it seems to me that the reason the nsa can do this look sensibly is because all of the companies involved are u.s.-based. you know does this create an incentive for more european companies to develop software that has encryption in it that cannot be hacked into by the nsa because they are not subject to u.s.? >> so i think first of all some of the stories we have talked about not just the u.s. intelligence agents but others
2:57 am
including the british have been doing this but it's most certainly one thing we have learned and when you look at the economic cost to the united states we have seen a huge rise in the competitive advantage from foreign companies in europe and elsewhere claiming to have more secure products or they have products that haven't been tampered with and they are using this as a way to get to lure business which is incredibly profitable. i think the broader thing we talked today about the cost to internet security specifically and how in this attempt to protect security we are weakening security and we are also doing it to a cybercrime costs and the amount of money we are spending on these programs to weaken our security. also it's what we are doing to the american public and that's a serious from a purely u.s. focused problem because we are sort of driving customers away
2:58 am
from the united states. that doesn't always mean we are driving them to more secure alternatives. we are just driving them to what we believe are more secure alternatives. just because it's not a u.s. product doesn't mean it's more secure but if you believe the u.s. government is interfering with u.s. products you may be more than likely to try it elsewhere. >> i think we have time for one more question right there. >> hi. matt soler with congressman grayson's office. a couple of weeks ago the bae systems a representative went on cnbc and said there was a cyberattack on a hedge fund and their stock pots by roughly 2% and they formed, the fbi formed a partnership with the think tank called the center for financial stability and there
2:59 am
was a lot of discussion about cyberattacks in the financial space. i think it was last week bae systems said that in fact they made a mistake, there was no cyberattack on a hedge fund. it was a training exercise which they confused and thought there had been an attack but essentially it was their own training exercise. >> it's complicated, we told you. >> that probably helped their business. i don't know what happened but there is a lot of money in saying cybersecurity is this big problem and if you don't know anything about technology and i don't really know that much about it, give now how much of the fear of the cyberattacks, how much of that is just profitable for entities to push for their own security businesses? how much of it is legitimate?
3:00 am
how well is the nsa doing in terms of defending the country from this kind, these kinds of attacks and how do you measure these risks and these other risks, climate change, nuclear terrorism and so on and so forth? i don't have a framework for how to think about this so when i'm thinking about political action and we are thinking about policy questions you can certainly say let's have warrants. that tends to be a good idea and has been ever since the magna carta but how do you think about these new really novel institutional tracks? >> in 30 seconds. go ahead. >> it's complicated. there's a lot going on. yes there's a lot of profit motive and a lot of profit-making and a lot of fear-mongering. we tend to overexaggerate the terrorist threat and under exaggerate the political effect so you will find discontinuities on both ends.


Uploaded by TV Archive on