tv Key Capitol Hill Hearings CSPAN December 5, 2014 8:30am-10:31am EST
8:30 am
8:32 am
>> next, a look at whether e-mails are protected under the fourth amendment. the director of the european cybercrime unit spoke at the justice department georgetown university law school. this is 40 minutes. [inaudible conversations] >> i would like to welcome everybody back. i hope you enjoyed your lunches. i have the honor this afternoon of introducing troels orting, assistant director and head of the european cybercrime center, or ec3. he began with the danish police in 1980 and served in a number of leadership positions within the danish master the police,
8:33 am
interpol and organizations within europol, which is the european police organization. in 2009, troels orting now served as head of ec3 and as the interim head of the counterterrorist intelligence committee. i know from personal experience working within how committed he is to the fight against criminality committed online, the global fight of criminality online. the department of justice is fortunate to have him as a partner and we are both lucky and both lucky not to have been today as the keynote speaker. [applause] >> you should wait and see if there's anything to clap for later. i am not so sure. thank you so much for inviting me first of all. it is an honor and privilege. i've been at georgetown university a couple of times.
8:34 am
the last time was actually with general alexander in a more prominent place in the north building. i was very impressed by it. i am the director of the european cybercrime center. for those of you who were not familiar with the european union, it is 505 million people, 28 independent nationstates, 24 different languages and heavily acquired internet. it has been interesting me this morning to ascend from the cyberexpert then again also from the judges. it was also interesting to see the variety of views that we also shared in europe and what is privacy. i think one of the things that always strikes me about the discussion about privacy is that if you go online, and there seems to various link between privacy and anonymity, which i don't think is right.
8:35 am
everybody has the right to privacy. we have this in the online world and we also have it in the offline world. in the offline world, for instance, you have privacy, but we can take away your privacy if we suspect you to be a criminal. if you're a drug dealer, we can tap your phone or whatever. i think that should be the same also online. this is the third discussion we need to have is that privacy online also has anonymity. law enforcement has any way lost the battle of encryption. it is much cheaper to encrypt and to decrypt. i don't think that there should be a reversible encryption, but this is all about trust and lots go back to. for now i first will give you -- [inaudible] that's very interesting. i think i'll do that later.
8:36 am
so instead, i will go down here. because i cannot begin a thing on my screen and then move forward hopefully and let's see if anything happens here. it actually does. let's see. i'm always the trusty guy, even with technology. this is an agency of the hayes, netherlands, not all of them in the cybercrime center, but we have agents for approximately 40 different countries and some of that work in the european cybercrime center. what is the digital age? this is a picture of the internet taken any given sunday. you can see the more internet use and you can also see areas which are very, very dark because only 2.9 billion people online are on the internet right
8:37 am
now. this will change. we will have 4 billion in three to five years as the chinese are rolling out broadband in africa and they will probably even skip the pc and go directly to mobile and smartphones just like the one i have here. so this is a prediction. you ain't seen nothing yet. you know, what we have on the internet i was astonished readers though discussing intercepted e-mails. i don't know why criminals who use e-mail. they communicated district and some odd e-mail location-based trackers. my smartphone has just sent me a mailer. you are the wrong place. you need to go to dulles. it knows where i am. it tells they went to the location. what is the first thing when you download an application? can i have access to your agenda, photos, location?
8:38 am
yes, yes, yes, yes. it is what all of us does. and then we think we are in business because we got a free application. do we think there's anything that is free? if you disagree, you are the product. if they are criminal, they want your information to steal. this is the income distribution worldwide. the more blue, the more money. no criminal, so where do you think the majority of cyberattacks will continue to be in the next couple of years? it will be where the blue areas. it is unfortunately where i come from. look at the development. again, any given sunday, this is what is going on the internet. while we have a good time here and need a roast beef sandwich, this is the activity. this is the everyday attack. i told you africa was not really utilized on the internet right now. you will see now that it will change. look at the activity and nigeria
8:39 am
and you'll see that there are cybercriminals already moved to africa because they have good infrastructure. they have a very weak government infrastructure and that will also help them in their ability to do crime. have they done anything wrong here? this is the visible web, the one that you see. this is actually 4% of the internet. this is where we normally go and google and look at. this is the area i am in ms is down here and this is below the surface then this is the deep net. the deep net covers 96% of the internet and every day, 2.8 billion terabytes are added to the internet volume and then we have the darknet, which
8:40 am
is the areas they cannot intercept and cannot create any attribution. so what is going on on these internet sites? you can see here a lot of statistics and i will share with you the last statistic, which tells you every day there's 9.7 million new attacks. what is the difference between the normal crime and the internet crime? the challenges we face is that we have two types of cybercrime. we have the traditional crime that can only be connected at a computer and then you have the cyberfacilitated crime, which is crime that normally is taking place in the physical world, but now is enabled in the online world. the assistant attorney general talked about the atm scams the 45 million. this is another good example of
8:41 am
exploitation. use the internet to distribute it. you also now use it to stream, lifestream. so if you don't travel and you don't want to travel to a country for various reasons, but you still want to enjoy a subset of a 2-year-old baby and you would pay back the $80 then you get 20 minutes where you can see two men rape a 2-year-old boy and they can also be that the kid afterwords. this is live streaming. he tested his life, there is no trace of the crime afterwards because it is not actually downloaded. this'll be one of the challenges in the future. another facilitated crime is a recent crime and anchor of harbor. one of the biggest harbors in the e.u. a drug cartel from columbia smuggled to europe here they did
8:42 am
it in containers. 1.2, 1.8 times and it always arrive to the harbor. in the service times, you have a combined database between the shipping companies and the customs. so what they did is they put on a keylogger. they got the password from the shipping company and then they could follow their computer -- their container. when it arrived, they made sure was parked close to the exit and they went into the customs database and check out physically inspected already so customs would never touch this and inoperative ac curator commodity. this is used every day. i will give you some other examples. we see extremist activity every day. neo-nazis are very active on the internet. this is not an area i am doing that much about. terrorist related activity, yes. we haven't seen any terrorist that using the internet to conduct a cyberattack that is
8:43 am
terrorist related. the terrorists use the internet to recruit, medical, facilitate and steal money. i will not exclude in the future they will also do other things that the internet and we have to keep a tight eye here. and we have state-sponsored activity. the best hackers in the world are governments. when they have launched some kind of an espionage tool, we can only see that there is a connection between the use by state and organized crime with the delay of approximately one year. so if we know what the governments are up to, we can prepare what will happen with crime later. normally states do it for three purposes. they spy like everybody spies and we have done that since the middle ages. will continue to do this until the end of the world. then they steal intellectual property and they prepare for war. when they prepare for war, that
8:44 am
is what they do with dragonfly, malware and other things. they look at our control centers, the press, everything. so if there will be a war, they can close that all these power stations, control stations and the soldiers with the boots phalanger. and then they steal intellectual property everyday. why should a country invest 500 million euros in three years of research and development if they can steal it in two minutes? they do this that we have to do something about this also. but this is what i am mostly occupied with. this is organized crime and they do all that you see here. the problem i see is the magnitude of the crime is so incredibly big and what i'm really concerned about is the impact of the scale and i will come back to this now. so what is the difference in the way these criminals operate?
8:45 am
there are many theories and you have heard some of them here. what if this is organized crime, what is there? i think it is the next boat here and we've seen organized criminal groups like the traditional criminal groups here. this is a high profit, low risk area. no organized criminal group will ever let this alone. thomas lennon gave some of these guys an offer they cannot refuse and pay 20% of their income to organized crime. but this is what is happening right now. you have a rather small group of malware producers. they produce malware. they anorak with another group to test the malware against all 72 known antivirus viruses we have. they say this will penetrate the most, but not all if you tweet in this way or whatever and they will send it back. now they have a product that they want to sell.
8:46 am
normally these gangsters don't do the cybercrime themselves, but they sell it to other ones who will do it. so you go to the deep layer, not the darknet. this is on peer-to-peer service. you serve the malware. so you don't need to be a cyberexpert to be a cybercriminal. if you want to take over a facebook account or penetrate your wife's skype account, and you go here, download it, you pay, get a service-level agreement and my experts tell me if you are short of money, give me 3000 months. this is how easy it is. this is where you can find this and i can give you all the links to all of the various websites where you can download the malware. the other part of it is also moving into cybercrime. if you need two grams of cocaine
8:47 am
for you to buy a gun or stolen identities, you know where to go in d.c. i don't know, but i could probably find a place. but why should you do this if you can do it online? if you can do it on a tor server where you cannot be revealed, the buyer and the seller, they need me. so there is a service here. so what you actually want? the service provider in the middle actually provides this facility. you are the seller, you are the buyer, you have a combined interest here. he used his platform, he takes a cut. you want it any thought at mailman will deliver in the future. if you buy at now, because why should i go physically if i can send some sheen to deliver. so here we see that all normal crime moves into this area. you will of course like i've said i cannot reveal who the buyer and seller is because it's
8:48 am
on a tor server, then you can cheat each other. you want to buy five grams of cocaine. u.k., but she sent you five grams of weed. how do you then manage? you are actually assessing your service. you can have a five star service provider you can have a one star service provider and then you can go to the right ones and this is how it is structured. in the future, a lot of this normal commodity crime will actually move. the second thing is what we see is a shift in downloading games to streaming things as the criminals use bulletproof cloud providers, which will not be the ipod or amazon cloud or the other services we talked about here that we can maybe get a subpoena, but cloud services in countries we cannot reach. if i get a subpoena there, they will say unfortunately we didn't do our governments right. i cannot tell you who is behind
8:49 am
this ip address for this ip address. but a retribution, no criminal score. this is what you then see that this them out where and they put it on the internet in the various organized criminal groups in various parts are downloaded. what is the difference now from organized crime in the physical world and organized crime online where and here is i think much bigger problems than the problems we just discussed now with the surveillance society. it is just turning a bit around, but it will come back. no, it will not. you'll bear with me. it will calm. we have to go through a bit of the pages of medical calm. here we are. here we go. the coders are the one i am
8:50 am
interested in. this is where the majority of the countries had their interests. we actually have a possibility to make a lasting impact to begin take out the coders. i don't believe that there are so many good coders. we have taken out fbi and other ones have taken the russian coders that we can make a difference. so 85% of all my cases are russian speaking organized criminal cases. so i hire russian speakers because this is what i need in order to look into this crime. but because the crime is not committed from inside the e.u., then they are out of reach and this is what i am trying to acquire in the next couple of slides. first, the location. in the physical world, there is a proximity between a crime and the perpetrator. if i were to kill somebody or
8:51 am
robs somebody, i have to be here. this is why you've decided to have a geographical jurisdiction and jurisdiction is clear. in cyberspace, nobody travels one-inch. they will attack you and they will steal your money, your ideas unlock your computer and it will never be from inside the u.s. some in the e.u., 85% is attacking us from outside. so i have no jurisdiction here and my jurisdiction stops where the u.s. jurisdiction will start. so what is the alternative? you have criminal gangs operating from very carefully not repression federations, the russian speaking because of a number of countries. what is the alternative not to cooperate with russia are russian speaking countries? and that is why i think it is so important that we make a distinction between fighting national security interests and
8:52 am
normal crime. because i cannot work with these countries where they operate from, we will be ripped off of all of our values without making any impact on the criminals. and right now, it is very, very high profit and very low risk area because they attacked us from the outside. the second thing that is the difference is the scalability. the normal criminal set up, we are not all criminals, right? normally 3% of the population is criminals. yet everybody can be a cybercriminal because you can download your tools. i also think there is a different way of conducting crime in cyberspace. i don't think the psychological impact on the perpetrator is the same as if you have to knock down a person to steal. here you do it on a machine. you don't see the agony.
8:53 am
you don't see the impact that you do and that is why you might get away with it in your own mindset and that is also why we see people who will normally not be normal crime criminals conduct cybercrime. this is again a huge problem and the scalability and impact. here in the normal world, i will probably still only purple one set a time. in cyberspace, you can attack 1 million computers in 20 countries in 20 seconds because the machine will do the work. so now you have a criminal group operating from outside your jurisdiction in countries which is difficult for us to work with. utilizing criminals who would normally never be able to do criminality because they can download the software. and then, the ability to scale up the number of attacks.
8:54 am
this is a very toxic for law enforcement and we have enough to do in order to mitigate this and i don't think that there is any time to waste. there's other things and i think it is also difficult. we always talk about everything as traceable on the internet. i don't come from a security intelligence agency anymore. i need to prove without any reasonable doubt that you were behind the computer, do you do the crime. for this i need attribution and evidence and i need to present this to the judges here, which i've not had the biggest expert knowledge based on a legal system that was invented a hundred years ago and was very good and probably catching chickadees, but now we are not catching chickadees anymore. we are trying to catch criminals across borders and i think that
8:55 am
this is one of the challenges that we also face. this is exactly about evidence. it is very, very difficult. did you know that would more operating from version four do not version six, we get from 4.7 billion internet at assisted 2.8 billion, billion, billion? this can technically not be coped with by the isps, so they sometimes part 50000 ip addresses. you think that makes it easier or more difficult to identify without reasonable doubt that you did it? it's very difficult. and also because we move away from downloading things to streaming. i would guess this'll be an empty shelf in a couple of years. i will not have anything here. we will all be based on applications and cloud. i am a computer nerd, so i like
8:56 am
to have loads of applications as you see. this machine does everything about me of course and i am not afraid. i will survive. but police normally uses for evidence gathering. we as a laptop or server and put a caisson and then we actually make a forensic report. in the future, the criminals will not download anything and they will operate from cloud services. how do i obtain evidence in a cloud service that is registered in another country? how will i actually achieve this? this would be another added challenge to law enforcement. but of course, my enforcement is not sitting on their hands to do nothing and we are actually scrambling very, very fast to do some in. i will give you a short overview on what we do. in a cybercrime center, where he
8:57 am
had the privilege to serve 2.9 million police officers and protect 500 million people who have more smartphones than citizens in the e.u., just like u.s., we will continue to be more online. remember the old days when we arrived to a working space, got a cup of coffee while it has he been out and back and operated and then we came back, turned it off. we are always online. the internet will make so many endpoints that will be very difficult to protect us. so i work in cyberintelligence. from all kinds of sources and i will come back to the sources, we get all kinds of information in order to steer the boat. then we look at intrusion and online fraud and then child exploitation. these are the areas. secondly, we work in three areas. first of all, we look at our reach and support.
8:58 am
i see microsoft here in the next panel, a good friend from ec you, and microsoft where mckeown has signed an mou, a very close cooperation. this is what we have to do. police have been. eric and in the old days. we want people to come to us. now i think it is a two-way street. the majority of the private companies will say police always want everything for free and they cannot get it for free. they want all the information on us just like a bermuda triangle. we receive everything and nothing comes back. this is also what we have to try to change. this is capacity building. this is training for first responders inside the e.u., outside the e.u. and target countries that we need to do. by the way, how much education have your kids got in using a
8:59 am
smartphone during thanksgiving in their black friday or whatever, you buy a cheap one and give it to your kids. in europe, they don't care one second. they don't get any education in how to act, react and interact on a smartphone. is that really good? is that how you want to introduce young people to the internet? by giving and learn by doing quite a download everything. if it is free, they downloaded. what is the first application? can i get access? this is probably not very clever, so we do this in development. we try to initiate training programs and then we have forensic expertise. we don't have the same forensic expertise as the fbi, but we are scrambling. i just got 400 yen euros to research and develop new tools.
9:00 am
9:01 am
these are the areas of competence. all, it should have gone back. well, that's not really functioning good, this one. we are back again. very good. normally you have it in front of you but not today. so we will take a very quick tour again and we will bear with me that i have to operate it here from a distance here. in the meantime what i can tell you is that the joint cybercrime action task force, the dominant role, for the first time to work
9:02 am
with private companies in a much more aggressive way than we normally do. we have invited everybody on board and this is what i would show you here, if i could go was all the various partners that we have that this crappy system didn't prevent me. i'm not blaming of course university in any way. it could also be presentation. but let's see if we did it here. there we are. i'm confident now. never lose faith. look, we have 28 member states providing to put the financial sector. we have companies, ma private sector, retail. we have the public sector. we have universities, many, many universities and we have the cybercrime units. we also give something back. for the first time we deliver something back. we've had a number of their very good operations are we're able to call in banks and other ones
9:03 am
before they escape at any cybercrime. we can tell them they will be hit in a couple of days. then we have a number of operations. here are the latest one which was online for use by credit card thieves to steal your credentials in the cloud. you still have your credit card onto but they buy a first class ticket. we actually use and lose 1.7 euros in europe just on this scam. last week we arrested -- just sent out a signal we can make a difference. secondly we were together with the fbi on takedown of the services but everybody thinks that the case is over. it's not. it's just starting his we're getting all the 418 service and their volunteers to analyze all that and now we're trying to identify the buyers and sellers on the services. hopefully there'll be some of
9:04 am
these persons we will hear a knock at the door. this will not be santa claus. this will be the police that will arrive to arrest them for the they have conducted on the server. and then a very good case on bank malware, malware those able to steal money and also locked computer to grow up more of these operations in the years to come. >> so what is those that we try to work with? industry, all the financial institutions, european banking federation everybody else. down here with mcafee, with microsoft, with everybody else. actually direct adviser to the european cybercrime center. not added system. we decide to m.o.u.s with two university groups. loads of information we can make
9:05 am
use of in european cybercrime center. here is what we build up now. european union cyber crime task force, i'm chairman for the 20th member states. we also european cybercrime training and education group. now we create the same training and all the 20 countries so don't do different chain but we use the same tools and the same way doing it. we do exactly the same on crime prevention. last but not least on forensics. otherwise if you make a forensic evidence in one case, you were a swedish police also we cannot use any german court. if it was not done in the same way. so we need to create standards and will seek great these standards abroad and outside of the u.s. then we have an industry cross sector development and in cyberpsychology. how much will we as human beings change when we go online? what is it that happens to us? what is our way of reacting?
9:06 am
franklin is there a difference in impact on a computer or in the physical world? in the physical world if you see someone do you have a bystander effect or get reaction to passion. but is this the same online as it is off-line? board with other reactions? i think we need to a bit more so we have filed up with a number of psychologists in order to do so. so what are the next steps? there are no substitute for hard work. first of all i think we've only seen the tip of the iceberg. we will see more. we are 4 billion people online, online always 24/7 and all the appliances will be online. there will be so many endpoints, and will be so big and attack surface we cannot just protect but it requires woody moore in prevention, which is educating our kids, our youngsters come into this online. the second thing is that we need
9:07 am
to do and invest much more in production. this is also what the guy from palo alto said. we need to protect more. we need to build in security by design. do we need to have rules for applications? right now, can you see the difference? i cannot. if you download it you don't know what's behind it. how do you assess an application? we will use so many applications. don't when you just like when you go on european supermarket i can see if we had 21% fat and bread come mexico wherever. if it's biodynamic i have a choice. on application, i have nothing. nobody is doing anything. i think there must be a minimum standard. and then last but not least we also need to identify and hunt down the walls. we cannot -- if we forget that part, i think we have lost. i think that we need to realize that we live in a new global reality where this is not the
9:08 am
u.s., this is not the uk, this is not europe or russia and china. russia is very, very dependent on the internet. the russians they know very, very well that they are also becoming a victim of internet crime. the chinese spent 2 billion u.s. dollars in the 21st hours other single state buying online. i also know that there will be a victim. we are already a victim and so is the united states of america. this problem cannot be dealt with by the u.s. alone and by the congress and by all your might and money. this needs a very, very close cooperation with the rest of the world and that is why we need to create friends, norms and understanding. and this is what i think we need, instead of scramble, immediately every time there is something happening, we need to maintain an ability to work on crime because otherwise the
9:09 am
criminals, they will win and we will lose. and if you do not empower the police, the democratic police to have adequate tools to do targeted investigation based on suspicion, who will then protect the 4 billion people online with a 99.9% are not technical experts, but just average users? and will we then instead of enhancing the internet, which is to give us prosperity and growth, we instead and make it more difficult for the internet to develop? that is why i think you need to find a trade off between security and freedom. and there is no full freedom. because there will be no -- there's no full security because we don't want no freedom but we have to find a balance. i don't think that after this
9:10 am
revelation that we found this balance completely. i also think that the normal police always accused of being part of a snooping society. we don't want to snoop on anybody. we want to respect privacy and we want to fight for privacy. because i actually think we have a right to privacy. but if you break your contract with your society, if you don't apply to the rules in the off-line world we can take away your privacy. we will also do so online. and if we don't do this, we will leave the internet to the strongest and we will just empower a digital blackwater company for those who can pay, and the rest, they will be left in the wild west and hope that they will find friends. i think that humanity will survive the internet. it will be a bumpy road, very popular but the question is will the internet survive humanity? we are here to defend it, and i will do our heavy lifting and
9:11 am
i'm very, very grateful for the great cooperation we have with the fbi, the department of justice and ice and the american companies, because 80% of all the companies in the u.s., at least still, this will also change, and we already see this scrambling in europe. we have a combined cost, ladies and gentlemen, and nobody can stamp out from this discussion but we have to find a way where we balance that. i'm actually depending on your support. thank you very much for listening to me. [applause] >> today house democratic leader nancy pelosi briefed reporters on democratic priorities for the end of the year and into the one and into the 113th congress. live coverage at 11 a.m. eastern on c-span2.
9:12 am
>> decease bands see the tour takes to the road come to your cities to learn about the history and literary life. this weekend we a partner with time warner cable for a visit to waco, texas,. >> as we begin to receive the final to be digitized, to be saved, we began turning over the b sides of the 45 so we receive. first off gospel music was not widely heard in the white community. what was it would only be the hits, if that. but the flipside would be heard even less. what we discovered it quickly was how many of the b sides songs were directly related to the civil rights movement. since there were very few databases and none of them complete on all gospel music, we did know that. we did know the sheer number of songs that have very overt songs like there ain't no segregation in heaven type songs.
9:13 am
possessing one of those songs much less sing it was a very dangerous thing in the deep south. you could do a lot of things in a deep south but to sing that so-so outlaw, that's a risk. >> the texas ranger hall of fame was set up in 19,764,175th anniversary of the rangers. and honors at this .30 rangers who made major contributions to the service or gave their lives under a rock circumstances. we had paintings or portraits of all those rangers. they really begin with stephen f. austin. austin was very successful with his rangers. they thought not only, managed to make the area reasonably safe for settlement from indian raids, but when the texas war for independence broke out, the rangers played a major role in texas gaining its independence by staving off the mexican army long enough to allow the colonists to build their own army and develop a strategy.
9:14 am
and as a result texas became its own independent nation, the republic of texas for about 10 years. >> watch all of our events from waco saturday at noon eastern on booktv and sunday afternoon at two on american history tv on c-span3. >> next, legal scholars discuss the challenges faced by congress, legislating future cyber crimes. this discussion is about an hour and a half. >> so our goal is to be as provocative and as entertaining as the second panel. it's a high bar. that's not anywhere to take away anything from the first panel. so one of the things i'm going to do with my advanced apology to a really wonderful group of
9:15 am
panelists, is you all have their bios, so i encourage you to read them because that is probably better for all of you and for the panelists, for them to have more time, particularly since we're running late. but just briefly, we really have a great group to follow up on the second panel, in particular judge posner's comments about there really is a small role for the courts. and so this panel is about, well, what should we be looking for and expecting to see, or hoping to see, from the legislature. so it's a great group. to sort of my furthest left and my right we have kevin and lee, who are really steeped for many, many years in protecting all of us in terms of the sort of privacy side of the house in terms of
9:16 am
what technology means in terms of an erosion of privacy. they spent many, many years thinking about that. to my immediate left, richard is going to be our sole government representative, although i suspect i will not be able to help myself and will chime in as i put on my former hat as doj lawyer, and i have worked with richard when i was at the fbi. we were really lucky to have him, just an extraordinarily talented lawyer. and to my immediate right we probably have the best subject matter expert, because we have sam, who just recently left working on the hill. so we'll be able to get some insight from him about what -- we might all have our wish list of what we want, but you will of course pour cold water on what we might actually be able to get from congress.
9:17 am
so with that let me offer three particular things about technology, and then tee up some specific topics that we're going to address, emblematic of the particular tensions that the advent of technology has created. so to sort of take up some themes from this morning, we have seen that technology has led to an extraordinary increase in the amount of data that we all put in the hands of a third party, whether it be google or apple or your favorite internet service provider. there's just much, much more that we are not keeping exclusively to ourselves, and how the law will deal with it, and whether it's built under a katz framework or whether it's dealt with under a faithless friend analogy in the
9:18 am
fourth amendment, really remains to be seen. second, we are seeing an enormous increase in international communications, in that so much that used to happen domestically is now crossing the border. so we're going to be focusing on domestic law, but we really are dealing with an international problem in that we have domestic legal regimes but international criminals. and then third, we're dealing with an issue of encryption, and while we haven't -- have an explosion of how much data there is and how much is in third party hands, we're also seeing, in reference to the iphone six most recently being emblematic of this, an increased interest in having some sort of completely unbreakable encryption system.
9:19 am
so what that means is there's pressure both from the law enforcement community for tools as to how to fight criminals who are using all of these different attributes of technology, and there understandably is also an increased demand for tools to protect our privacy. those are things that, while not completely antithetical, there are ways that there are tensions between those two. and to address that we're going to talk about some specific things that raise that tension. so we're going to talk, after we get a sort of overview about congress and what we think it might do, we're going to talk about the most recent microsoft case in the second circuit and a proposed amendment to rule 41,
9:20 am
which both of those topics will raise the international problem of how to deal with, how should domestic law change with respect to international problems. and then we will turn to a proposed law called aaron's law and other revisions. i'm now back in washington so i can use acronyms with abandon. and so it's nice to no longer be at nyu which, of course, itself is an acronym but everything that you can't use acronyms at all because they don't understand them. and then we will end, if we have time, with the problem of going dark and sort of the iphone six issues. but with that as an introduction i think the best way to start is to turn it over to sam to get a sense of, is it really realistic to think that we can get anything
9:21 am
from congress? we've heard from judge posner, don't expect the courts to do this and we shouldn't expect the courts to do this, but in my time here in washington, i didn't have a real great experience in seeing a lot of action happening on the hill, but what is it that we might expect to see in the new congress? >> well, first of all, i'm glad to be here. i won't speak for anybody on house judiciary and other members, certainly not chairman goodlatte. i would also like to say, before judge posner ruined it, i was about to say, why can't the courts handle this? [laughter] what are you all looking at congress for? when it comes to this issue, there was an onion article that circulated around the staff. i can tell you that much. and it really captures, i think, how a tremendous number of the staff members feel. it was an
9:22 am
onion article, and the headline was "cia's invention of facebook saved hundreds of millions of dollars in surveillance costs." [laughter] whenever we talk about private information, one of the things that the members are very, very conscious of is that, and this is information that's not as private as you might be saying that it is. because if you put it on facebook, perfect example, not to make this too time sensitive, but a house staffer just recently posted some critique of the obamas' daughters to her facebook page, and a day later her job was gone. so the question is, should her comments about the president's daughters have been private? no. i mean, she shouted her opinions in a gathering of her friends, people that she knew, that she invited to be in that room. and so she got attention for those comments.
9:23 am
so the question is, how private is private? how public is public? what do you expect congress to do about it? where this really hits, where the rubber meets the road, remembering that the legislature is now concerned with, is the conflict between national security, crime prevention and personal privacy. that line and where it's drawn is where congress is most concerned. and the problem is, not a problem actually. it's an opportunity. one of the interesting things about this issue is that it does not cut across the normal party lines that you might expect all other issues do. all of the topics seem to have somehow sifted out, as if in a gold sifting device, into one party or the other, but cyber strangely enough actually straddles both worlds, presents unique problems for the legislature, and unique opportunities for the
9:24 am
legislature. from my experience, from what i was able to see, it seems to shake out that the far left, as described in terms of liberal, and the far right, described as libertarians, have very similar views regarding privacy being paramount, whereas the great middle, both democrat and republican, take more of a national security/crime prevention view of this. and that's where i think you see the debate sort of shaking out when it comes to these areas in terms of where are we going to legislate. you can have democrats and republicans agree that there need to be criminal penalties that really bite for cybercriminals, people who are intruding on systems, and then you'll have a lot of people from the right, from the very far right, and people from the very far left start raising first amendment concerns, privacy concerns, the fourth amendment
9:25 am
concerns, and then the entire exercise starts to bog down. and a lot of progress sort of slows and the next thing you know there's another incident in the media that takes over concern. and all of a sudden they're not talking about cyber. all of a sudden the cyber portfolio is put off to the side and we have another portfolio that is more important. there's a cliché i think among people who work in this area regarding cybersecurity law, national security law, and i haven't heard it here yet, which is interesting, is that it's going to take a cyber 9/11 in order to move any legislation in this area. i'm afraid that that may be true. i hope, i really hope that it's not, but it may be that it's not until a cyberintrusion takes out a nuclear power plant or some other kind of critical infrastructure that you're going to see people all of a sudden
9:26 am
demand some kind of action because the cause for cybersecurity intrusion and cyber crime is increasing. there was a 60 minutes report on it just this weekend, and they're calling 2014 the year of the data breach. i haven't seen that on my chinese restaurant menus, but my concern is that we will be too reactive when a disaster does occur and will end up in a situation where we are writing law in a hurry. so it's very good to have these kind of conferences, very good to have these kind of discussions, have these people here who are here talk about it and hope we can move forward. i do think, i'm positive that there will be some progress in the 114th congress regarding cyber. it may be that it's just on the margins. for example, there's in the ndaa regarding cyber and our ability to compete in the defense sphere.
9:27 am
joint intelligence being worked on. new cyber training facilities are being created. that's all well and good, but in terms of where can the government step in, give information, that's the big question. i'm not sure whether we'll be able to do that one in the 114th. >> so obviously every day you pick up any major newspaper and see a new intrusion. you would think that would put pressure on congress, if not from the sort of rank-and-file, people like us, but at least the companies that are bearing the brunt of that. they have a lot of political clout. and to what extent do you think that would substitute for a cyber 9/11, sufficient private
9:28 am
sector, corporate influence? >> it's true, it's become a pressure point for businesses, and pressure points for businesses become a pressure point for politicians almost inevitably. it works, and legislators on both sides, both democrat and republican alike, are responsive to business concerns. the thing is though, data breach, which is what i think we're talking about here when we talk about the cybersecurity situation regarding businesses, has almost been, it's been factored in as a cost of doing business. you can get data breach insurance. you can have data breach experts. the value of ceos and cios is going through the roof. wall street now, every firm has to have one. it's become a cost of doing business and businesses have adapted to that environment. the thing is, ordinary citizens who don't like the reports of these data breaches feel uncomfortable when you see all
9:29 am
these reports and all this information is taken. one of the earlier speakers made this point, it's true, it doesn't cost them any money if somebody goes out and buys a toyota highlander with your stolen visa card. you are not paying. it will be the bank, or the sale will be voided. so where consumers are not losing anything, it becomes another one of those issues that just simmers below the surface, that the world is not like him, that things are out of control, that nothing is safe, your phone or television or computer is not safe. anybody can get anything. you can get some expert to come in. my kids like to joke. one of them says, daddy, watch this. i'm a computer scientist. okay, i mean. i'm refiguring the nukes now. people have this feeling that we can get into, a computer scientist can get into any system at any time, but they've factored it in, and it won't be until something really bad happens that
9:30 am
you will see the push. >> let me give you one thing that i think companies are interested in, which is, reportedly are doing even though not allowed under current law, which is hacking back, something that normally is left to richard to do. you would think there might be more of an effort to see if there could be some protections for companies to do that. is there -- you think that is in the let's? >> i think that's a real interesting theory. i've been working on and nobody mentioned it yet either. i love science fiction. i always have, and one of the reasons is everything we're going through now, some science fiction writer wrote about 50 or 60 years ago. what we are writing about now is what we would have to deal with in 2020. one of the things people are not talking about is that when the
9:31 am
government and courts n have this cyber hacking, this kind of cyber activity, what you're going to have is cyber offensive capabilities that people will want to take to defend themselves. they're going to want to take action. the question is, are they allowed to do that? somebody once asked me, does the second amendment protect the right to have cyber arms? can't i have a program on my computer that whenever somebody does a cfaa violation, my computer will reach out and destroy the bios at the computer. am i allowed to have that? i think rich will say hell no, i'm not allowed to do. but the question is, does the second amendment allow me to have that? should individuals be allowed to have that? >> and is the corporation a person -- apparently they are a person for all purposes other than for -- >> let's not go there.
9:32 am
yeah, it's an excellent question, can a corporation actually take that step. i got the idea when i was at a house judiciary committee hearing, and it was on drones. representative gohmert, waiting patiently for his turn. we're all talking about the legality, fourth amendment legality of drones, whether they can fly around people's backyards and can we do this come with it aal outcome is good? and then the former judge, of course, says, i have one question: am i allowed to shoot a drone? and he meant it. am i allowed to shoot one? so that got a lot of us thinking, if you have a cyber problem are you allowed to shoot it? the reason why i'm raising these issues is because when congress looks at this, to look out for, when they say that, they go back in time, they argue by
9:33 am
analogy, congress is looking way back to the founding, looking at the constitution. the question is, how would the framers have handled this problem? how much freedom are we going to allow in this area before we act? and at what point is the national security concern and criminal concerns so great that we have to step in? i think the apple iphone example that you just gave, i think it's a game changer, really. and if anything is going to push the next congress to do something, it's going to be that. because if every organization starts equipping its salesmen with apple iphones and the police can't get in at all, and if there's a bomb hidden on a train somewhere and we can't get into that apple iphone, there's going to be demand, and it may come from a magistrate saying i'm ordering apple to unlock the phone come hell or high water. you figure it out.
9:34 am
so if anything, the amount of damage that society is going to suffer because of this is going to be the key factor that pushes congress. >> i want to ask one provocative and ask richard one question i had not planned on asking, but just so we get the doj position on the question, which is, did the framers intend that we be allowed to shoot down drones? [laughter] i think that's the question, but i just, what is the doj answer to that? but more seriously, that really is this issue of hacking back which i think -- >> i think shooting down drones is probably just outside the zone of my normal day-to-day job. >> you're going to put that to the nsc? >> i suspect destroying someone's property is likely to be illegal in any
9:35 am
event. i think it's important to understand there's really a range of different things that people talk about when they say hack back. there are certainly lots of perfectly defensive actions you can take to protect your network if you're at home. there are certainly some that are going to be violations of the computer fraud and abuse act, the primary statute that regulates damage and access to other networks and computers. so yes, a tool that reaches out and fries the computer at the other end of an attack would certainly be in violation of the computer fraud and abuse act. and so that would certainly be a position we would take on that. there are some good reasons why that is good policy, not to mention the fact that it is the law at the moment. things like, how do you know who is at the other end of the computer line? if the person is using a proxy,
9:36 am
making the attack not directed from his own computer but through another computer, a hack back may destroy some other innocent person's server, and that's hardly fair and not something we want to encourage, sort of wild west vigilantism there. there's also a big problem with, are you interfering with a law enforcement or national security investigation that's going on. maybe law-enforcement officers are already investigating the very attack or series of attacks or the attacker. and if you do this are you tipping them off? are you interfering with a lawful investigation that might in fact be successful? >> couldn't a company though at least obviate that by checking with you before they do the hack back? >> if you talk to most people or people who deal with the fbi, you will find that they're reluctant to be explaining exactly what they're doing, and there are good reasons for that.
9:37 am
you need to have operational security if you're going to be effective. i doubt it's going to be very likely that if you like maybe you shouldn't be doing that one. but to bring it back to our original question here for the panel, should there be legislation in this area, and for the excellent i think it's probably not a good idea, that ultimately even if we were to change the computer fraud and abuse act to permit something like that in this country, it's not going to be the case in every other country where this hack back effect is happening. and so i'm not sure that is really a productive line of effort, given that if you were to choose to go on vacation to another country and you wind up in jail in a foreign country, that's probably not the place you want to end up. so i think legislation in this area seems unlikely. i think a much better answer is to improve law enforcement activity and improve cooperation with security researchers and security defense to make this a more effective effort in getting
9:38 am
back to people who are doing this to us. >> i just wanted to react very quickly to sam's invocation of sort of the second amendment logic. because if you have, if you were around the crypto wars for a little bit longer, you will recall that back in the day a lot of encryption technology was on the munitions. and controlled under the arms control export act. even in the '70s and '80s, we had folks on more of the libertarian side saying, wait a minute, if the government's calling this crypto technology a defensive crypto technology, something -- doesn't the second amendment protect my right to use crypto as a defense? i think when you put those things together, what people are saying right now in a world
9:39 am
where we're much because of the cybersecurity compared to the '70s and '80s, when most people didn't even understand what crypto was, but we were looking for ways to have private communications, and even though i think digital rights management is the main problem of crypto these days. it ends up, you end up saying that encryption is really playing both sides of the fence, but it is both at the same time a powerful enabler of commerce, a powerful enabler for you to defend yourself. it's also something that the government at the same time has a lot of incentives to want to mess around with. the thing that concerns me is it's so easy for the discussion today to move into this more offensive kind of mode, where what we're thinking about from a
9:40 am
public policy perspective is the ability of law enforcement or national security to penetrate these defenses, or the ability of private entities to try to use countermeasures. but i think one thing from the first panel, for those of you who were here then, we had rick howard at palo alto networks make a very, very clear empirical point that the biggest problem that he saw with security out there is that people have their security tools and resources but they do not configure them properly. they do not have the training to actually use it. and so millions of dollars are not actually being used properly. this is not so much -- this is a different kind of family. similarly, what are they going to do to try to -- what should we be doing as a policy matter, and he says one of the things we
9:41 am
should be doing, collecting less information, not aggregating it so much, reducing, basically reducing the value of targets. there's always a defensive side to cybersecurity, which i think this was rick's point, that people sort of have this mentality that they can always get through. and so, therefore, we are not actually paying attention enough to target. so i think that can lead you to a question, why is the security on the networks not as good as we would like? is there a market failure in the provision of security in the first place? and maybe that ought to be one of the primary focuses of cybersecurity policy, and not treating it as a cybercrime problem. >> let me turn to instances that keep us for the moment on sort
9:42 am
of the offensive side and away from the defensive side for a moment, which is the microsoft case in the second circuit and the proposed rule change, which i think was sparked by department of justice, to rule 41. so, lee, you want to give us a brief overview of just the microsoft issues and then your perspective on it? kevin, do you want to do the same with respect to the rule 41 issue, then we will have a discussion because i'm sure it will spark disagreement, which is always helpful. >> sure. i'll try to be super -- it's easy for me to be over simplistic so i would just do that. the microsoft case, a lot of people have written about and talked about it, but basically it's a question about what does a u.s. provider do, or what can the government do with respect to a u.s. provider who is
9:43 am
storing customer data, that is, the content in the e-mail account, overseas? the primary legal regime in the united states for access to stored data on the government side is the stored communications act. that act uses, has a warrant provision in it and refers that warrant provision to federal rule, rule 41. doesn't say anything about -- it seems to be, you can read that whole statute and just think of it in terms of, yeah, congress was writing about how you do things with respect to data and providers in the united states. but microsoft, its normal business practice globally is
9:44 am
that it asks or it ascertains for a particular user, say storing e-mail, where are you or who is, what is your country? and if it is ireland, then they will be storing the actual content in a data center in ireland. so the government wanted to get at that -- access to all the records of this particular user, and they obtained a warrant under the stored communications act and served it on microsoft, and microsoft turned over business records, what they alleged were business records of microsoft with respect to top subscriber information, that sort of metadata stuff that was being kept in the united states, as that was microsoft's practice. but at the same time they refused to turn over the content
9:45 am
of the user's actual e-mail account, which was housed in ireland. and so the government did not like that, and we have both a magistrate judge decision that upheld the government's position, saying that the stored communications act does not raise any issues of extraterritorial applications because the relevant event would be in the united states when the government actually got the data, and microsoft understand has been arguing, and that holding by the magistrate was essentially affirmed by the district court and it's now being, now being briefed in the second circuit with a number of organizations. we have been in favor of
9:46 am
microsoft on this, i should say that right now. and so then microsoft's argument was that, wait a minute, the stored communications act should not be treated as though it has extraterritorial applications because there's a general, strong presumption that, if congress has not expressly said so, these things have only domestic effect. and the only way you could sort of read this statute to permit this was by saying that the government action actually didn't occur overseas, that it occurred in the united states. that hides a number of the cyber issues, but that was a long description. >> let me ask you a question, maybe of kevin and lee, just to highlight, there were a number of issues in that case. to what extent, let's assume
9:47 am
that the next case brought is a case where there's a victim with respect to a general motors car which hypothetically had a mission and brake system that were not working correctly and someone is killed. the estate brings an action and gm says, well, these documents are overseas. they are in ireland. so we can't produce those. so we sort of take the government out of the equation. is the argument here really about a statutory issue? is it just generally saying no, you can't get documents overseas? because i think the normal rule would be for a subpoena, if it's in your possession or control, you have to produce it.
9:48 am
if the parent is here and the sub is overseas, the parent commit to solve all. i think you'd have a real issue if it was the other way around, but what would your view be if we took the government out of it and it was just sort of a normal tort suit where we're remarkably sympathetic to the plaintiffs? >> so the funny thing is that the answer, this is a fascinating case because practically everything in it is really hard to separate out, which part of it is a constitutional question, which part of it is a statutory construction. but certainly, i will take one iteration of your hypo. if it was the government ever going after the we would, my position would be, and i know if this is microsoft's, my position would be, wait a minute, there's a difference between the business records of the corporation, of gm, in this case, because gm is the actor that
9:49 am
you're actually interested in. and so they are, gm is not as microsoft is in this case. microsoft is simply an intermediary that happens to be the provider of e-mail service to the user, which is different from the business records of microsoft itself. so that's the kind of distinction that i think we would point to in the situation you're talking about. once you get into the government situation, once you get into that sort of civil litigation issue, then you have again i think the same sort of equity, which is microsoft, or gm in this case, is the target of the litigation. note under the stored communications act right now, if you're talking about doing civil discovery in a case and you're going after an ecs
9:50 am
provider or an rcs provider, the scope of civil discovery with respect to the content of the e-mail, that's already very limited. so we have come outside that situation in a case where you're in a provider situation. think the big difference intermediary provider and the actual of alleged. >> so to step back for a second and eventually get to answer your question i think, first i think it's worth noting this issue of government access to data that is stored extraterritorially is very important for law enforcement in all countries, and we're dealing with an international criminal environment. figuring out how to square this as a policy problem, not just a legal issue, is important. i think you can divide the legal issue and the policy issue. on the legal issue i think it is clear that where you copy the
9:51 am
data is where the privacy moment happens. that's where the search and seizure happens, otherwise the government can basically collect all the data it wants and it would only count when the government looks at it. it's on that kind of logic that you end up, for example, having the nsa collect all of our records, which from this perspective is a poor result. so you combine the fact that the government is attempting to get this material with a warrant, and you have a rule 41 and the statute, neither of which provide for extraterritorial warrants, so i think the answer is clear that you can't actually get this data with that warrant. however, there's a question of whether that makes sense as a policy matter. first there's the result that i think andrew's question gets to, which is that traditionally if i subpoena you for your records, it doesn't matter where you store them so long as you're in possession or control of those records. you have to give them to me. it seems kind of weird that the government, coming in with even stronger process, a
9:52 am
warrant, could be said no to. so that's kind of strange. it also leads to a policy situation where a criminal could very easily evade a u.s. investigation simply by claiming for microsoft when they signed up that they live in ireland. and so although i think legally microsoft wins in this case, i'm not necessarily predicting that they will win in this case but i believe they have the correct argument, i think as a policy matter it's not clear what the best answer is. although i have a couple thoughts on that. one is, and i think most would agree with this, is the idea that assuming that you can use a warrant to get data stored extraterritorially by a u.s. company, that that warrant shouldn't be able to be used if it actually conflicts with the law of the country where the server is. like if the company complying with the warrant would require them to break the law of ireland, for
9:53 am
example, that warrant should be modified or set aside. i say that in part because i think we want other countries to do the same. we would not want other countries to be able to serve companies that have the servers here and require them to hand over data stored in the u.s. in a way that violates our privacy statutes. secondly, i think it's very important that for those instances where a warrant could not lawfully obtain the data stored outside the country, we have these things called mutual legal assistance treaties by which law enforcement cooperates internationally. however, it's inevitably a slow and burdensome process, and so i think that privacy advocates and law enforcement can actually agree that when it comes to that process we need better funding for the process. we need a more streamlined process. we need more treaties in place with more countries so when the government does need data in a legitimate crime investigation there's a clear
9:54 am
path for them to get it. >> let me follow up on one of your comments. >> and just one thing. there's a bill that would do some of these things called the leads act, which also some of the public aspects, which we can talk about if we have time. >> i want to follow on sort of the constitutional issues that you raised, this issue of where a search and seizure happens. and i think there's an issue in the microsoft case that's very fact specific, which is in the microsoft case you've got something that was described as a hybrid, which i think is probably technically wrong, which is the order that was issued was something that just like a subpoena said, microsoft, you're ordered to turn over a, b, c and d. as you mentioned, to get that order, the government had to give predication, but for a normal subpoena you don't need any
9:55 am
predication. it's not being protected. but here there was additional predication that was needed. so a warrant was issued by the research were. in other words, this is not a case where the government was authorized the internet to show that the documents are in a particular location to it wasn't asking to get access, unilateral access to go do a search. it's simply like a subpoena, as i understand it, just saying you, microsoft, turn over these documents. in a subpoena context, is that the fourth amendment? my understanding is that there's a big difference in american law as to how searches are treated and how subpoenas are treated. this issue, that may be wrong in terms of what we think the law should be but from a search versus a subpoena perspective, is there even a fourth amendment
9:56 am
event for a subpoena? >> i think -- on sort. is there a fourth amendment for subpoena or for a compelled search? first off subpoenas do have to comply with the fourth amendment. they have to be reasonable but to the extent what i but a warrant or eno, that is what operates like a subpoena and that is compelling someone to disclose something as opposed to barge in and take it. according to the sixth circuit ungraceful expectation of privacy in a cloud sort enough, that is a fourth amendment event when the company is forced to hand over stored content which is sort of foreshadowing our discussion. >> i would also add, in the statute, in the statute it's very clear that congress speaks about warrants that are to be issued consistent with rule 41. i think there's really no question that it is supposed to be treated like a traditional
9:57 am
warrant. and a visit with the issues that microsoft adverted to was the lack of particularity, they focus more on particularity but i do think there's also particularity with respect to the things being seized. there's aspects of a process used in the case that are also problematic. just from a statutory interpretation perspective. >> richard, you must disagree because i think you were on the other side of this. spit out some of the these are not normal warrants. the wording of the stored communications act, and it says that as andrew was alluding to, it says if we can compel the disclosure from the provider. that's absolutely not a regular warrant. and the way it is used in practice is identical to subpoenas. that is, they are prepared. the judge signs the effects off
9:58 am
to the provider. the provider gathers the information. we have no idea where the information is and we have national we'll have to provide the court which server, which server farm in which state or whatever it is. so this is i think effectively a subpoena with probable cause. kevin was pointing out, we would want to create a different rule where the government actually is providing much more information in order to obtain this kind of special subpoena in order to be able to get the information that is needed for the criminal investigation. i would also disagree that there is a search occurring outside of the united states. subpoenas under the long line of cases to you with bank of nova scotia in the 11th circuit say no, this is a compelled disclosure. it is perfectly proper and constitutional. i do think there is a constitutional question, but it's not that subpoenas violate
9:59 am
the constitution because they don't require a warrant and probable cause. they comply. there are different standards and different circumstances, and in the context of a compelled disclosure which is supervised by the court which is a recipient of the legal process and has a chance to object which do not involve the coercive interaction between the police and homeowner or whatever it might be. in that situation it's just a different fourth amendment moment and they can be perfectly reasonable to use in forms of compelled process in order to have the disclosure of the information, where if you don't have those things where it is compelled, forcible action by police, that's a different fourth amendment moment and it requires a warrant.
10:00 am
10:01 am
>> the answer is a very practical one. of those looking may think that it's all easy to do and smooth and wonderful. let me tell you from a practical perspective, it is exceedingly difficult. it is very time-consuming. a matter of months. it is a huge victory because to get information back quickly and it could be six months or a year before you get information back. think about having to do an investigation involving an internet crime that takes months and months to get the next step back in the chain of investigation but have been hit it on the head. we don't have the legal assistance treaties with all the countries in the world. in fact not by a long shot, so what do we do when we don't have that treaty the fallback on even more called letters where the courts asked for help from one to another.
10:02 am
so that's not a productive way to succeed. and there are even interesting technological issues. the internet and cloud computing doesn't require that information be stored in any one particular place. so what happens when the data is moved in the months while you're waiting for the other country to act there is no reason microsoft couldn't for low end of this idea we are going to shift it over to the u.s. now or if we are talking about microsoft upstanding corporate citizen of the united states what about if the company decided wants to evade law enforcement and presents that as a tool for its users but we will keep your data out of the hands of any government just by moving it
10:03 am
around. and we have providers that do exactly that. they are often times referred to as bulletproof hosting and they don't keep records in a way that would be helpful for investigators. there are a lot of practical reasons why. that is not a good avenue if we can help it. so for a very practical law enforcement perspective this is a stumbling block. >> i would say the existence of the practical problems and the inconvenience from the law-enforcement idea is not a good reason to sort of abandon the attempt to actually try to square the statute and our understanding of the differences to think about how to calibrate the fourth amendment process or the international economy. because we keep coming back to
10:04 am
this. i agree that the bilateral things exacerbate the international privacy arbitrage when there are inconsistent standards, but that's actually sort of the call to say we need to actually do that because otherwise there's always going to be an excuse or argument for gun to practicality about the difficulty of doing things that is going to compete in this and in my view that's not the right way to approach the problem. you have this problem that needs to be solved. >> it used to practical concerns
10:05 am
and the reason why they talk about the actual target not where the material is being stored its where is the person and not where did he hide the stuff and that supports the idea. >> i just want to say the practical problems are a good reason to work on solving practical problems and i think it's one of the places the privacy advocates can find a common cause when they ask for more money to make the process better we want them to have that. as far as the privacy question we are not the only people that
10:06 am
deserve privacy. they are very often the customers of u.s. companies and so i think if it is only going to be okay and through the old channels that are consistent with your country's laws and i don't think that is unreasonable to express the same in other countries but i think the privacy interest is of those that live in other countries whose law may protect them against access. >> but in microsoft that is true for some of the people that could be affected but what if the account holder is a u.s. citizen? >> they get the standard of the foreign country. it's an interesting point you
10:07 am
should have your own country standard but the reality is the standard is among the highest in the world. that is what gets lost in the privacy debate a lot of people and a lot of people like to bash the united states for having weak privacy laws in this area. no other country requires standards of that magnitude to get access to the data. i do think the privacy issue is something we are missing and i think the focus is does microsoft or the company have a right to shift the data to improve its ability to gain customers. >> so this issue how do you deal with international boundaries and domestic law comes up in the
10:08 am
search warrant will and the department of justice about a year ago information in connection with cyber amendments to rule 41 that happened that made it easier to get the national security warren and he wouldn't have to worry about what district something was happening in. >> do you want to key team up with the general background is in your view of whether this is good or a problematic proposal packs mixes the topic is legislation, the bill that we were talking about, yeah just a
10:09 am
few weeks ago over half a dozen privacy organization, basically all of us were in the federal union testifying on the criminal rules and procedure in the hearings are typically there is usually no or very few people testifying and you may ask why are we all doing that. it was out of concern over the proposed rule by the department of justice in the search warrant rule and the reason we are concerned about that rule is that it would for the first time explicitly bless the idea of what the rule would call a remote access search of electronic media. the government hacking into computers remotely and in secret and this is to address the
10:10 am
particular law enforcement problem that the one case about remote access search is a couple of years ago. the judge in houston. the government had applied for a remote access search so they could hack into the suspect's computer using some sort of proxy to hide the location in order to identify the location of the subject. the fact is there's been very little reporting on this practice although it's been happening for over a decade now. it's a shadowy area we don't know what types of tools they use and how they deliver them whether it was an e-mail that pretended to be on myspace. we don't know what they did to obtain information they should obtain intimate sure they are not harming the target system and to ensure the malware
10:11 am
doesn't spread to other computers but so the judge denied the request saying as you stated we don't know where this computer is. it may or may not be in my district and rule 41 doesn't allow me to issue an extraterritorial outside of my district warrant in this type of case. it's not a terrorism case and it doesn't fit the other exceptions, so i'm going to deny it and that is what prompted the justice department to ask for the rule change that created a new exception to the territoriality requirement and said in the case where a computer location has been concealed by technological means the government can use a remote access search to seize or access the data on that computer so to address their problem that we've
10:12 am
been doing these searches and all we really want is an answer to the question of what court do we go to work and we go to if we don't know where the computer is which i understand that as a practical concern. my concern and the concern of others in the community is we've not actually have any kind of meaningful policy debate about this practice of the government hacking into computers and i think that if you analyze it to say that more advanced types of surveillance in the past say the electronic eavesdropping consider that led to title iii for wiretapping or if you look at the video surveillance cases which apply those requirements to video surveillance it would seem to us that if you were secretly breaking into a
10:13 am
computer that can store so much data and in the words of judge roberts to search with the more privacy violated them the most exhaustive search in your home and you are doing so in a way that might damage the computer. it would seem that you probably want the constitution would require the same protections that are required in the electronic surveillance cases yet here they are not supposed to make the judgments authorizing this search that we've never really talked about and have very little information about. and so can our position into the position of most of the groups in the room is that this was actually a substantial policy decision in the right place to be discussing it is not in this process but in congress were also published court decisions so we can grapple with the constitutionality of this
10:14 am
practice. >> so you can respond with me just ask you is the department of justice seeking a rule change that is just jurisdictional in other words it is a voice of contents concerned saying your issue is a separate debate we can have. we are just talking about where do we go. or are you also seeking authorization that does raise the issue indirectly? a >> having been in the department of justice for 16 years that with the department is asking for is to answer the venue question of what court do you go to to seek a warrant. we want to get the border and in these cases. we don't want to act on the
10:15 am
basis to avoid legal review to these things. we want to be able to go to the court and we are asking for permission to have that decided. let me give you an example of how this comes up. somebody is sending e-mails threatening that tomorrow they are going to go to the xyz school in small-town minnesota and shoot everyone there. how do you react to that? we try to trace back where is the e-mail coming from and we find that we cannot identify the subject that sent the e-mail because they are behind a proxy or a computer that is anonymizing their activities so we need to try to identify where it is so that we can prevent serious crimes. right now there is a doubt about what court to go to and that's why we are asking for this clarification. what it doesn't do is say anything about what's legal process is required. that's going to be decided by the courts on a case-by-case
10:16 am
basis of the facts presented and it will be reviewed later. we are not saying you don't have to have probable cause or provide a notice or that you don't have to meet particularity requirements. we have to do all of those things and if we can't then we won't be applying for the warrant and the courts are not going to grant it and if they did it would be suppressed later so these are questions that can be and will be settled in the ordinary course. it's not something that needs to be debated right now especially the request to have it settled in the tantamount to saying we don't want it to happen for a long time. [laughter] >> can i just do a little experiment. we are talking about an execution of a warrant. so if i may i'm going to give you two scenarios and i want you
10:17 am
to think about which one of those you would rather have happen to you. okay, number one you wake up up at 5:30 in the morning when officers break the door down on your house and come into your room yelling at police. they go through all of your belongings in the sock drawer and kitchen sink, papers and filing cabinet and see the entirety of your computer and a sometime late in the afternoon they give you >> scenario number two you wake up and a little thing pops up on your screen and says here's the pdf here is the pdf of the warrant executed on your house.
10:18 am
he gives the information for the copy of your computer. there is an interesting question there is this idea of a factor but i think that it forgets the scope. i want to ask a question when i lay that out. how many prefer a, please raise your hand. how many prefer be? >> i'm not sure that this is going to be now. one of the things that skews the hypothetical is the question of notice. in the physical world is
10:19 am
populated a search that is highly interested in seems abusive but at least you know what happened. that's going to happen in a physical world almost always. the electronic world let's just get real you're not going to get a notice for quite some time. the rule doesn't require -- you could have an electronic search where basically how many of you preferred that if there was a search and you don't know about it and it took the same amount of data. >> the whole problem of an outlet shies in the old physical searches to electronic era. >> looking at it from a political perspective when they
10:20 am
talk to the representatives about this i think that they feel that there is a big difference even if they noticed the same. assembling the transport bands and physical search and being able to search one computer and the effect when people think of this politically they think about the ease which the state can carry out. >> they didn't specifically talk about the facts of the more sophisticated technology. >> this is something i've written about how to make sense
10:21 am
which uses the example of an exponential drop in cost of tracking someone from following them on foot to following them into dvds and the basic thrust of the argument was as those constraints you need to see the legal doctrine strengthened to keep up with that and maintain equilibrium so it's important to think of the scale and the quantity of the search is available in the context in fact there is an effort to the rule that he didn't mention where in addition to the cases where the identity in any case they want to access more than five computers that have been damaged
10:22 am
they can sometimes include hundreds, thousands or hundreds of thousands of computers. they may have malware on the computer of everyone that visits a particular site or domain. so they talk about potentially hundreds of thousands or millions which would be physically impossible in the real world. >> i understand it might be legitimate to say we want to make life harder for the department's
10:23 am
>> what if the government just says more than five are happening in five different states we want to be able to go to one judge. what is the theoretical argument speak of a concern is the rule allowed by the fourth amendment and i know richard can say this is a procedural rule that the practical impact is going to be many more of the searches and that is a technology that was being done done and started to fall apart and we didn't know that that was happening for about a decade because it was all happening at the magistrate level and it wasn't coming out
10:24 am
in the prosecutions and that is what would happen here. we are going to look back and have a decade of established practice without the protections that i think are required if you analogize to the case of the video surveillance. >> if you are confident with what the court is applying. >> one comes after another. >> i'm sympathetic to the concerns. it highlights the challenges that come. we do want to look at the rights respecting solutions.
10:25 am
>> affair could be decades worth of the lorenz without anyone knowing about it if the government ever wants to use it in a criminal case it will be made public and there will be told to go full challenges in court so i don't think this is quite the same situation. >> this rule it is clear you are required to leave a copy of the inventory in a place that was searched. here for this type of search you are only required to make reasonable efforts to give notice and it isn't clear why that is necessary or appropriate if as richard described it could and should be simple if it can break into your computer and
10:26 am
print software that says your computer has been searched. so the fact that it contemplates the possibility that you won't get noticed is another reason. >> let me throw a proposal that i heard about several years ago as another way to deal with the problem of domestic law and the international crime. we talked about the case. what if the border was an electronic border that we are constantly analyzing between the two why isn't there an electronic border exception and under that rule it would be
10:27 am
monitoring the border electronically is that another way to deal with these issues? >> that would be a horrifying result. my e-mail in this room might actually leave the country. that would mean we can never expect privacy that takes them most direct path between you and me. >> that is into the theory of the department. >> from the legal perspective is that useful if we had a way of blocking malicious software if it had only one purpose in the
10:28 am
border interception that looked at nothing else but simply the analogy comes up and looks at something that only can be used for illegal uses and blocks that communication from entering the united states would that be a problem? it's an interesting question. it's not something i think they are considering. >> if you want to read the analysis why it doesn't work you can read my draft article when the robot eyes are watching. >> it is with respect to say that it's okay under the machine special needs to seize and filter all communications that are coming in from overseas.
10:29 am
the government isn't using the border. they are using a rationale. >> let me return to a topic that's gotten a lot of attention why don't you give people a sense of what it would do as a reaction. >> so it is the basic statute that prohibits activities with respect to computers at the federal level so it includes the alien in your privacy. it was written first back in 1984 but it's been amended over the years and i think it is time for us to consider it again. there are some shortcomings in the law that have arisen since
10:30 am
it was last amended. there are a couple of different ways that the criminal use of stripped of the ability of the criminal law to address it. so if you can put that into the hands of people that wouldn't have the technical capability to do it for themselves. there is an area that needs some attention and that is that the statute has been criticized for the reading that allows the trivial violations of things like website terms of services services into the department believes the congress needs to step up to address this problem. let me see if i can frame the issue. outsiders were breaking into computers but it also has a