tv   Panel Discussion on Cybersecurity  CSPAN  September 24, 2015 8:06am-10:06am EDT

8:06 am
>> you're here with passcode, the modern field guide to digital privacy. we're so happy that you could be here. we'd like to start with a few thanks, dell, the internet society and c-span, our friends that are bringing this to you live online. the st. regis hotel and our friends move on to the keynote interview and then we'll go to a great panel with ciar rag from the department of justice.
8:07 am
just a quick bit on passcode. we launched in february of this year. we bring some of the biggest issues facing the internet. if you were here this morning, you'll agree this is one of them. we hope you'll come to more of them, especially in october where we have a full slate of them here in d.c. we hope you'll listen to our podcast. subscribe to our newsletter. this is clearly an issue where it seems like there's this immovable force about national needs and law enforcement being -- i'm sorry, immovable
8:08 am
object, unstoppable force over technology and business. we're here to figure out how to move this ahead. how to move this discussion past what seems like the past. so let me welcome in brett hanson from dell. bret is the executive director of dell data security. is your mic on? sounds good. >> it's on. >> it's on. >> um-hmm. >> is it going? >> good, good.
8:09 am
>> you guys provide a sweet of conduct. little devices, cloud, everything in between. channel functions in the software industry. so we've had, in this town, we're very aware of big breaches recently. can you talk a little bit about malware tactics? >> well, like you said, the number has certainly increased as well as the effectiveness of this. what is often overlooked, at almost every one of these major breaches, it comes down to individual. the end users, people like ourselves, are the focal point of the attacks. the reason why, technology can do a lot of great things. we can do a lot of improvements. as long as there's a human being at the end point, that's where the target is. they're the ones who are going to be curious and click on the
8:10 am
picture of the pretty kitten and want to find out more about how to buy that. >> it has to be more thoughtful than empowering users. raise the fact that they're going to have multiple devices. let's do so in a way that allows me to manage -- and that's if they step up. that's a change in the strategy that we need to implement. >> so, given that, how do you get them?
8:11 am
>> there's going to be a combination. cyber security contains lots of different parts. there's not one silver bullet. i think that's important for everyone to understand. there isn't a silver bullet. it's going to require -- it's going to require advanced policy and advances in education. however, we're seeing a lot of really strong advances in the last few years. indefinite user security is increased significantly. and that's providing new technology with access to data and networks to better protect. so in the mobile work force, obviously, nations that do that
8:12 am
and still stay secure. is that a viable approach? >> it leads the combination above policy. and it needs to be involving the employees themselves to make sure that they're in. but for too long you think about data at the end point. pcs, mobile devices, public clouds. that's more of an afterthought. providing i.t. and the chief security officer the full visibility they need.
8:13 am
>> can you truly be protected from that? >> there's a lot of noise out there about if you're going to be breached, it's about when. we started off acknowledging the fact that they're difficult to stop. we shouldn't give up on stopping it at the input.
8:14 am
it can't just be about the technology. for many years, we depended on traditional signature-based antimalware. and then saying okay, is that a good or bad executable. clearly, that approach is no longer working. their approaches are containerized. they're going to keep all the untrusted data, your browser and e-mail attaches in a sandbox arena that separates it from your work flow.
8:15 am
so, yes, the challenge is significant. yes, we are challenged nearby. there's a lot of companies out there that employees can utilize. >> let's just pause there. any questions from the audience? anyone like to jump in here? >> if you had a greater ability of data, what would that change? is there that opportunity on the horizon? better visibility around your data forthcoming? >> so, answer the first part of the question is if you had better visibility or data? absolutely.
8:16 am
if you take that to the physical world, companies know where their physical assets are. so if you're able to understand where my data is going, you should be able to
8:17 am
detect if a breach has occurred. companies have to be thinking about their data as an asset. encrypting it. ensuring that there's true access control. and mitigating risks going forward. >> one last one, millennials in the workplace. it's a very unique issue for companies. how do you comment on that?
8:18 am
>> it is not just millennials. most of us have accepted the fact that you're going to have your work p.c. what we need to do is acknowledge that the work force has changed. how people access data has evolved tremendously. trying to be regressive and say i'm going to lock you down certainly will work for a select number of organizations.
8:19 am
so we need to be thinking about, again, how do i protect the assets and data itself? but that's where we need to go. i think there's a question. >> hold on just one second. we'll get you a mic here. we want everyone on c-span to hear you, too. >> hi, i'll put my coffee down. i have a question. i took my child on a disney baltic cruise. and i actually had to get a dod-compliant wipe on my computer. and now i don't want to restore my computer. a lot of that data, i don't need. just information that we don't want out.
8:20 am
there are people carrying around stuff. their laptops. and i carry two laptops. but when i got that dod wipe, i felt so refreshed. i would really like one formula.
8:21 am
>> i will say that there's an opportunity around data of what you're creating and what you're putting in the marketplace. the whole concept of creating data that if it's launched into cyber space and can be used against you is something that we should be aware of. it is a growing need to be thoughtful of what am i putting out there? >> any questions? sure, one right here. go ahead. >> how about promising technologies and the appeal of them. how do you prevent or break the psychology of companies wanting to invest and then becoming so reliant that they don't continue to invest in new ones. it seems to be a common trap. what can you do to break that
8:22 am
psychology? >> that's good news for me. i think enr education is actually foremost. there is at this stage, a lot of excitement in the marketplace around cyber security. and i talked to customers, large and small every day, about how to improve their cyber security. what i stress to them is this is not a sprint. this is a marathon. this is going to take time. and then, to be really effective with cyber security, you need to stop thinking it as a -- as an end goal of its own and start to bring it as part of your business goals and your business objectives. so as you're considering where your business is going, you need to be thinking about cyber security. as an example. i was talking to a company that is increasingly out-sourcing the production. that is creating opportunities to be more efficient. however, it's also creating new risk, as they're having to put
8:23 am
more of their i.p into the hands of their partners. there need to be cyber security strategy. i think that's the change that we need to help drive. rather than getting caught and just embracing it and being done, it's how does the technology enable your business strategy and so much is cyber security strategy, as well. that's a change in the mindset, but it's absolutely critical. >> so my question is the solution that is you've focused on, the end users, the devices and how do we sort of secure those items.
8:24 am
at a communications network level. what can be done there on that front to ensure cyber security? >> my name is andy from g data software. you mentioned the end user's perspective. other than a slap on the wrist or you're fired, how do you manage accountability. what is your idea? >> network management. >> i obviously work for dell. we do have a big focus around the end user security. i think that's been a neglected part of the security environment. security, as i mentioned earlier, is all about solutions. it's the ability of different
8:25 am
pieces to talk to each other. so as i'm collecting information around the attacks and the threat service at the end point, my threat is going to enhance its security and vice versa. increasingly, what you're going to see are these different assets starting to communicate with one another and through that communication, be more effective in terms of both addressing threats as well as being proactive and permitting them in the first place. that's a journey we're working on. dell has a great asset which we work very closely with. so we're going to be taking those steps ourselves to really further integrate the two offerings to in realtime to make them more effective as a team. both offered as a team together. second question, accountability. that's a tough question to answer. there's a lot of different discussions about how to encourage work force.
8:26 am
a lot of what i've seen successful is the care and approach. >> thinking about how they can be safe. those who go a certain amount of time about how to reach a violation, either receive an award or recognition. there's also those companies focused on a shaming approach. using a little bit of, okay, john's been reached five times in the last month. john, you're a bad guy. and that's obviously a little more draconian. it's probably in the carrot and stick approach. but, certainly, at this stage, there is a low-level appreciation for work force employee accountability. i think the carrot is a great way to go. notify worker who's doing well. give kudos. acknowledge the fact that.
8:27 am
affecting data and addressing to protect or advance persistent threats. we're going to need to be much more effective in the long haul. >> thank you, director. thanks for coming. [ applause ] so, first, we have amy hess. she is the executive assistant
8:28 am
director of the f.b.i. science and technology branch. criminal justice operational technology divisions and the f.b.i. lab. she'll keep a few remarks and get to questions and i do want to get to audience questions, as well. >> great, thank you, sir. appreciate the invitation to talk about this very important topic this morning. so the f.b.i. really used the going dark issue as having been a concern for us for a number of years. it's well beyond encryption. it basically summarizes the issue we have with the proliferation of technology over the years. and how that might be impacting our ability to do our job. our ability to get information, evidence or leads in criminal investigations or national security investigations. and so as we see this
8:29 am
proliferation of technology, we see that case accelerating. and, so, to that point, we have actually been more and more vocal about the issues we're seeing, the concerns we're having, the challenges that we're encountering with respect to be able to do our job. so, as i said, the going dark problem is more than just encryption. when we're going dark, we're referring to encryption, for example, data in motion. data that's transported across networks. realtime electronic surveillance that we must do in the course of our investigations. we also view it as a challenge with encryption on data at rest. stored data. we also view it as a challenge when it comes to mobility. so people will bounce back and forth between, for example, cellular service, wifi service back and forth. and that presents a challenge to us, as well.
8:30 am
and then anonymity is another challenge. and then, in addition to that, we see, for example, foreign companies. that presents a challenge to us. we see a challenge where it will disappear as soon as you send a message. and that presents a challenge to us. all of those things factor in to what we refer to as the going dark problem.
8:31 am
at the same time, the nafgs we used to keep in our homes are more and more on our electronic devices. and the same goes for bad guys. in trying to prevent those threats from happening or to bring those people to justice. that's where we live as a society. we also have the foreign intelligence surveillance act. it does the same thing with national security investigations.
8:32 am
search warrants. all of those orders signed by a judge that enables us to get access or at least authorizes us to get access. unfortunately, unable to execute more and more because of increasing problems and issue. not proposing a solution to that. from the government's perspective, we really need the companies to try to come up with a solution. to try to build the most secure systems. yet, at the same and present an order with the search warrant or signed by a judge that we're able to get the information that we're seeking. the evidence, the data in
8:33 am
readable texts. to start, let's go with encryption. so strong, they say the company itself can't get access to the data. let's distill what we're talking about. that's actually a back door. this is a built-in weakness. what is the problem as the f.b.i. views it and the proposals that have been flying around washington.
8:34 am
>> sure. >> i think the ability for us to prevent an attack or to bring someone to justice, that's the piece that's at issue. and for the encryption piece of the discussion that we've been having, the issue comes down to whether or not the company is talking about realtime communications or stored communications, data at rest, it comes down to being able to access that. so in order to access that information, the question is how are we able to do that in the most secure way. i think starting with the premise that in the society we currently live in, currently to
8:35 am
be able to get that information for some other consumer-based need. at the same time, the question comes down to whether or not the government should be proposing those type of solutions. they're able to build in some type of accessibility. >> what is the specific problem.
8:36 am
what happens in that process that is holding up law enforcement from getting that app? >> sure, when it comes to data at rest, we see the issue and we've presented a number of examples in the past. i'll start with a passive example. for example, we had a case involving a child pornographer who eventually was communicating with individuals. based on a photograph, question got access to that person's iphone.
8:37 am
and then that investigation led us to eventually identify additional victims that that person had molested. all of these individuals, these children, were under the age of 8 years old. but without that information, we might not be able to do that. we have homicide investigation where an individual is shot and killed answering the door.
8:38 am
now there's no one to serve the warrant on. the police were unable to access to try to find clues as to who might have been responsible for her murder. >> so how big of a scale it shall what's the scale at this point. you have a new york district attorney who's saying that, in 80% of the cases, involving iphones running ios 8, law enforcement was unable to access that data. that's over the course of the example. >> i will be the first person to tell you that we've done a really bad job of collecting empirical data. we need to do a better job of that.
8:39 am
one, for example, we can refer to the annual wiretap report. the problem is, to get it title iii, to get a wiretap, it's a very prolonged, deliberate process. so in order to do that, not to mention the level of f.b.i. headquarters authorities that we
8:40 am
have to go through. an agent is not going to pursue all of those things. we have that same problem when it comes to, obviously, what we're seeing across the board. we are seeing an increasing problem. we need to do better at capturing the data. obviously, things like the annual wiretap report kind of presents the problem. our investigators aren't going to pursue something that's that. >> there are some who say that there's actually more law enforcement available than ever before.
8:41 am
that law enforcement, for instance, could collect metadata which includes telephone recorders and location data. but aren't these tools enough? >> that's a great question. i think that, personally, i've had discussions with all of the f.b.i. field offices to have enough knowledge of how we investigate and, of course, having been in those field offices myself, and having investigated a number of different violations, agents will always try to get the information they need. so they're going to try everything possible. in some cases, if we're stymied by the inability to get information in, really, the most effective way of being able to directly access a device or access of realtime communication, we're going to
8:42 am
try to find a way around it. sometimes the problem is if we can get to it, we'll have lots of examples where we could have got the information if we had the capabilities. >> what about creating teams to break into the data once it's been collected. >> certainly, that's an issue to consider to discuss. we need to prove to a judge that we have exhausted all lesser means. to me, hacking sounds like a
8:43 am
pretty intrusive means to be able to get the information. but on top of that, if they change that device, or if they upgrade to the latest upgrading system, they decide they don't like that anymore, it's very fragile. it may not be timely. >> yeah, especially for the state and locals. we have a lot of really, really smart technologists who can help think through these problems and
8:44 am
challenges. we communicate with our law enforcement partners on a daily basis. but the problem is, fechb we might be able to solve a specific problem, even though it might take us a while to get there, the state or local police departments may never be able to have that luxury to have those types of people employed or available to them to be able to do the same thing. >> so tim cook, earlier this summer, said that he's a ceo of apple. and he said if you put a key under the mat for the cops, a burglar can find it, too. >> i'm worried about security risks in general. the f.b.i. supporting strong encryption. clearly, we also have the remit for when it comes to bringing people to justice. that includes cyber threats.
8:45 am
at the same time, how do we get the evidence we need when served with a warrant, signed by a neutral judge, to a company. to try to come up with the best, most secure motion to do that. >> you bring up a good point. both the government and the private sector encryption is seen as the best practice. so do you see the -- how do you see the relationship between
8:46 am
what you're asking for and the need to protect data. do you see that at all? >> certainly, to protect people's communications. i think that goes back to just our first premise. we want people to be secure in those systems, for all the reasons i previously stated. but we also want to be able to get to the information with a warrant. when we do that, how do we get information that we need, but, yet, make sure that nobody else or at least people who build these systems can make it as secure as possible so that it limits -- there will always be a risk. and i will readily admit that. there will always be a risk when someone other than the sender and the receiver can get that information.
8:47 am
at the same time, how can we minimize that risk? >> what are your relationships like with skoourt secretary. if they can modify it someway, it can hurt them. >> yeah, and we talk to the companies all of the time. matter of fact, we have conversations to try to figure out the best way to get the information that we need in the course of an investigation. certainly, why they're concerned, and, clearly, they have legitimate concerns. y glvrjts if we build this capability in, how do we minimize that risk? it is a concern to them. at the same time, what we've been trying to do is to balance the discussion to say here are
8:48 am
the two things at play. and what is the american public comfortable with when it comes to either going far perhaps one way or too far perhaps the other way when it comes to being able to access data presenting some risk inherent with that. >> and do you think if there is some kind of channelled access data as other countries are going to want the same thing that the u.s. government is wanting now? >> i think that's always a concern. that's part of our constant, daily discussions. we've had a lot of conversations with other countries, who clearly want that information. our allies in other countries certainly have the same concerns and they want access to that data. the question is how do you differentiate what presents good human rights records are and countries that perhaps don't have those good human rights
8:49 am
records, for example. and then, at the same time, if your u.s. companies, what are the obligations versus the. you have to give other countries demanding that access if they do and if this policy goes into effect. and let's say you'll like to have similar access for china. and are you sympathetic that this might put them in more of a political or diplomatic role. >> i think it's a very political discussion. the question is how might we enable law enforcement to do its job. they want to try to do their job, too. that is a huge policy discussion. how are we able to limit that?
8:50 am
that brings up how we might see ourselves in the future. by doing business in this country, does that mean that you're subject to certain rules and laws? >> are you concerned if they do, they can affect people's overall ability to communicate securely? >> sure. i think any country with poor human rights records that's why we have the laws in place that protects from that.
8:51 am
but that is certainly a concern. and, again, it goes back to the policy discussion about how are we able to discern between countries with poor human rights records and countries who don't have that issue. and who will be subject to what laws. >> i do just want to ask you one more question. you mentioned how the number of devices is overshrill increasing. so walk me through what is happening now as you're investigating a terrorist. >> what we're seeing is more and more individuals associated with isil. to be able to recruit individuals. who will use open social media
8:52 am
platforms. but after seeing that that person might be more receptive, they'll try to move them to other platforms that we are unable to access. so what we see there is this going dark issue. how do we get past that? if it doesn't work, what would? maybe physical surveillance. the problem is, while we're trying to figure that out, obviously, we're wasting time. and we're using more resources to get that information, which may never come to fruition. and so our concern and our fear and what keeps us up at night, you may not know who's
8:53 am
communicating in that fashion. we don't know how many more people were there. >> i do want to turn it over to the audience for questions. remember to say your name and where you're from. >> i just wanted to get your views particularly to what's out and how easy it's been for making android users to use this kind of encryptic space. >> and do you think some of the terrorist groups are taking advantage of the technology. >> i do think those who pose a threat to us are taking advantage. but they know and it's been well publicized as to what communication methods we were able to access.
8:54 am
i can't speak to specific capabilities or companies. but at the same time, we do see that in the course of our regular investigations. we do see those type of investigations, as well. yes, it is a concern. >> in the front? >> how would you address -- sorry, alyss sarks, wait for the mike? >> my name is alyssa vhavinsky. i wrote an article. how would you respond to the concerns raised by alex stamos that special keys how do we
8:55 am
grant them only to the united states and also to our other corporate friends. we do business in china and russia. clearly it's against national security interests. >> i want to clarify again, one size fits all solution. the government is not promoting a folding key that will be the solution for all companies. that's why i think it would be up to each individual provider to come up with what is the most secure solution for them that still achieves the end result. which is just to get us data. with that said, the larger part of the discussion is how do we
8:56 am
make sure that u.s. companies, and u.s. data, subject to do that type of access. same time, considering what other countries may ask for, how do you factor it in to the larger policy discussion. it's a source of going debate. >> yes? >> it's not here and now. when and when do you foresee that larger conversation taking place? >> about the access issues? >> about the larger policy question that you referenced. >> there's daily discussions going on about that type of thing. we are concerned about it. certainly is here in washington, we had a number of discussions, with a number of different
8:57 am
agencies. while we don't have the answers, discussions are occurring. >> usa today, congressman, having experience on the encryption issue, would you like to see them get involved with the issue or would that do more harm than good? >> the discussions we have been having, is that we want to bring the jobs to the fore. to also, not take it off the table. i think that right now the, the idea and our goal is to ensure everybody understands what is at stake. for risks on both sides. and the equities on both sides. and so, currently, that is our goal without declaring whether or not we are seeking or pursuing or need that additional
8:58 am
legislation. >> you said that you talk to the companies daily about the best ways to get information and the fbi has been talking about it for a year and you keep saying that you want to have this discussion out there to the forefront, and if you are talking to the companies, daily, i'm wondering, your opinion to reaction that you get from the companies, when you say that you need to be able to get around their encryption? >> the answer is, it depends. it depends on the company. clearly. some companies, some companies may not are have, some are not subject to mandates. they don't have to build in the, those, that type of access.
8:59 am
they have, of course, most companies want to help. they want to stop a threat or bring somebody to justice. but if they are not mandated to do it, the question comes down to a, do they need to take the resources and divert them to build in access? or at the same time, do we have companies that really would not be part of their market plan to do that? and even if they want to cooperate, it could take years to be able to build in some type of access. so, all of those dynamics are built in, most companies will try to help us with whatever information we can provide. it may not be test. test. right here. then we will go to -- yes. >> russell shea i'm a law student here in d.c., my question is about, in the
9:00 am
context of law enforcement cooperation, in a scenario where data may be stored, physically outside of the united states, the, some tech companies some tech companies argue we should pursue this data through mutual assistance treaties. could you comment on the efficacy of what the process is like and there have been calls that it needs to be updated were reformed, what do you think is the approach to this issue? >> clearly we have challenges with the ability to get information on a timely fashion. sometimes those processes may take months if not years. sometimes they're just ineffective. sometimes they're effective. but that seems to be more on the rarity side. so i do think this presents that challenge for us as to if it's
9:01 am
u.s. data in the course of a u.s. investigation and we're seeking u.s. data in furtherance of an authorized investigation pursuant to a warrant signed by a judge, then what is the discussion from? what is the appetite, if you will, by the american public to say that the companies should have to provide that information? and really that's the debate we're having at the moment, the discussion we're having at the moment to find out what is the right balance and how do we get that information? what is the right mechanism to get that information? >> so, julie, the third or fourth row here. >> hi, dave from politico. so chinese firms zte are persona non grata over concerns they can access what's transmitting.
9:02 am
if it becomes apparent u.s. firms are offering these same ability to u.s. authorities irrespective if the chinese can have them, what impact will that have on the u.s. industry? >> again, i think that's a great question. how do we in the course of a u.s. investigation with u.s. company, u.s. data, strictly limit ourselves to it all being about u.s. investigations and what the u.s. needs access to? because the question naturally comes up as to other countries wanting that data, too, and how do you differentiate between when you have, for example, an investigation in the u.k. that presents a legitimate need in the course of a national security investigation or law enforcement investigation versus another country who we may not have the same type of relationship or same type of, again, human rights record or
9:03 am
whatever it might be with respect to what they're going to do with that type of information. that is the larger policy discussion in this and how do we think about that? do we -- and this point, again, i think that we need to have that more open discussion. what's the right solution? we don't have that solution right now. we don't have the right solution for what should be mandated, should it even be mandated? are we comfortable with the place we're in now where the pendulum, i think, has swung so far post-snowden that we've come to a place where we're continuing to see at least from a law enforcement perspective, we're continuing to see society as a whole go to a place where more and more people are going to be botch the law. and if that's the case, are we comfortable with that as a society? that's the larger question. and then the second question is what do we do about it if we're not comfortable? >> and we have time for, i think, a few more questions right here, julie.
9:04 am
>> hi. i'm jana mclaughlin with the intercept. i'm curious if the fbi is concerned if these companies if you get them to agree to some sort of back door to build in some sort of capability, are you concerned that other companies may leave darker companies, criminal entities, might provide these end-to-end encryption and it will primarily be the average american user that loses out and no longer can protect their communications while criminals still might find access to these things? >> i think that -- and really the experience that we've had in this is if companies can build in such a way -- and that's why, again, i go back to the -- it shouldn't be the government that's proposing the solutions. really the companies know their systems better than anybody. and so, in our opinion, really it should be the requirements should come from the government. look, this is what we're trying to accomplish, but really the
9:05 am
companies to be able to build in the most secure systems, to be able to build the most secure systems to be able to do that. with that said, i think, yeah, the very tech savvy people that are out there are going to figure out ways to take advantage of any vulnerability as they do today currently. we currently live in a society where clearly that happens on a regular basis. how do we protect against that? but, again, to say that i think service providers today are 100% secure is a little bit of a misconception as well. and when we're moving toward this world, how do we identify the best way to really attribute those types of attacks or those types of, i guess, protections, if you will, depending on the perspective that the hackers, the criminal element might be trying to move people towards. and we have our job to try to
9:06 am
identify and root out those individuals. i'm thinking in my head about one of the conversations we have on a regular basis is about with respect to access to stored communications. well, with, for example, a communication device like a smartphone, people will ask us on a regular basis, well, yeah, but that person backs up to the cloud. the problem with that is what we found in our investigations is that most people don't do that regularly. most people don't do that on a regular basis. they may not do it at all. you can clearly turn that feature off. at the same time we also see in the course of investigations that the very tech savvy criminal also can find out if automatic backups are occurring or if for some reason that information is being diverted in some way off of a particular device. and so we have to be able to, i think, account for that as well in the course of our
9:07 am
investigations. >> and last question we have -- yes? >> i have a question from twitter. >> great. >> from a good friend of the fbi at the aclu. i'm going to paraphrase what came in here so it comes out in a family friendly manner. no, i'm just kidding. this question is effectively does the fbi use encryption on its own on classified e-mails sent to other organizations? and how can the fbi engage this conversation with tech companies if they, themselves, are not operating at a very high level of technical sophistication. and i might add how do you think the federal government is doing in raising its own game to join this conversation with tech companies in a way that showing we, too, are doing our own good cyber hygiene? >> we need our information encrypted the same way as the american consumer does, as
9:08 am
companies do in the country. clearly you've seen as a result of recent breaches, recent hacks, we continue to focus on that. i'm not obviously going to comment on what type of encryption is employed at what level and what systems but at the same time i think we as a government need to do clearly a much better job of that, and that goes back to my original point which was we support strong encryption. as i've said several times today. we support strong encryption, to be able to protect data, communications, to protect conversations. but the challenge for us is, again, just to tee up the issue, what is the american public's appetite for if we go to 17% secure systems that nobody can access ever. are we comfortable with that, even in the course of an authorized investigation in the course of trying to protect
9:09 am
public safety or in order to prevent an attack, are we comfortable with that? and that's really the, i think, underlying question. >> okay. and that's a great place to end on. thank you so much for joining us. >> thank you. [ applause ]
9:10 am
now for round two. we've just had a conversation about the law enforcement's views on the encryption debate, and now we will include some other views as well into the conversation. we have next to me matt blaze, one of the leading cryptographers out of the university of pennsylvania. we have jon callas, chief
9:11 am
technology officer at silent circle, an encrypted communications firm. and we have kiran raj, senior counsel to the deputy attorney general at the u.s. department of justice. so thanks to you all for joining me. we will, again, have some questions. we will open up to the audience for your questions as well. so just to start, why don't we -- i have a question for each of you actually. so what do you see as the benefit to society to having strong encryption and do you see those benefits outweighing or falling second to national security concerns about getting access to encrypted data? so, matt, let's start with you. >> okay. so it's really easy to frame this as a debate with a tradeoff between national security and law enforcement on one side and privacy and strong encryption on the other side and, you know, we -- everybody participating in this debate for the last two
9:12 am
decades easily falls into this. because it's an easy way of reducing this to a simple principle, but i think that's completely wrong. this is a question of increasing national security and law enforcement on and having encryption and decreasing national security and our ability to prevent crime by having weaker encryption. we're both on the same side of wanting to prevent crime and both on the same side for wanting to make the country more robust against national security threats and, unfortunately, it's a battle we're losing by not doing things like putting in strong encryption everywhere we can. so i would love to stop having this debate and get back to
9:13 am
work. >> so, jon, what do you think? >> i think that this has brought up the central issue. this is a policy question. it really is a policy question. it's not a technology question. those of us who are in business are already international. my company is a swiss company. we're not a u.s. company. we don't have a technical way to make it so we can provide access to the good guys and not to the bad guys. it's hard to know what's going on. they were saying it's extraordinarily hard to get a warrant. that what they need are neck nichls that can go beyond getting a warrant and that is a policy issue of what gets
9:14 am
protected from a legal aspect of it. and we're in a situation where we are forced to build devices in countries that are not particularly always friendly and yesterday we have to be immune from blackmail to them, that if they decide people in friendly countries have done something like not hand their data over because, you know, that they just happen to be in other countries, how do we handle this? what is the policy of juggling and deciding who is following what paperwork and who hasn't followed other paperwork? >> and, kiran, what are your thoughts? >> ensuring that we have strong public safety and strong national security and it's a tool to do that. we do that within our strong commitment to the rule of law. as you heard amy and others talk
9:15 am
about, it's important because it helps secure our commerce, it helps freedom of expression, our data security. i think the rubber really hits the road for us when we design systems using strong encryption in a manner that they become warrant proof. that means the system is designed so only the end users can access the information. when we think about what those shared values are, how do we maximize both public safety and our nation security interests. and that's when we talk about the conversation, the debate of what we're talking about. >> so, matt, you are a veteran of the crypto wars. those that took place in the 1990s. how does the debate going on now
9:16 am
compare to the debates back then? >> it's been a long time and we keep fighting the same battles. the main difference between this discussion in the 1990s and today is that in the 1990s a lot of this was hypothetical. we were saying this internet thing is going to be important some day. and we're depending on computers and depending on this network infrastructure for an increasingly part of our daily lives and being able to secure it is going to be really important really soon. i believed that it was going to be as important as it ultimately became. every aspect utterly depend on a secure network infrastructure and on being able to secure end points.
9:17 am
this is so integrated into our daily lives. we can't even identify where. i think the stakes have gone up enormously since the last time around. >> you were the one who discovered a flaw in the clipper encryption system that had been proposed as a way for the public to allow access for law enforcement. as times have changed and technology becomes more integrated into people's lives as you were mentioning, do you think that it is possible from a technical perspective now to create a solution like some of the ones national security officials are proposing? >> one of the fallacies, i think, of this debate is that it's often framed as we've solved so many hard technical problems. look at all the wonderful things we've done. surely if we can put a man on the moon, we can design a secure back door encryption system. unfortunately, it's not so simple.
9:18 am
when i hear if we can put a man on the moon, we can do this, i'm hearing an analogy almost as if we're saying if we can put a man on the moon, surely we can put a man on the sun. you know, this is an enormously hard problem, and it's not even a new problem. ultimately we're talking about a set of requirements that somewhere along the lines involve making a relatively simple problem of encryption between two parties who know who each other are and can identify each other and only they can get access. it's a relatively simple conceptual problem. turning that into a very complex problem. and securing systems with complex requirements and building systems of that level of interaction that work reliably and as we intend them to do has been a problem that's
9:19 am
been around since the beginning of software and computing. and we don't know how to solve it. >> so you don't think that it's technically possible to do this and still have systems be secure? >> a shorter version of my answer is no. >> so, kiran, what do you think? do you think that's true that it's impossible to do this? >> well, i guess it's a puzzling argument in some ways because when we look out empirically at what companies are doing today, we see that there are large companies, for example, some of the commercial e-mail providers where they use strong encryption to protect the e-mails while they're in transit, strong encryption when the e-mails are at rest on the servers, but for their own business purposes they have to be able to access the underlying content and one is for potentially to serve you advertisements and the other is data security so they can scan malware, scan for spam and things of that nature. we also see in the corporate environment as well where when
9:20 am
corporations give laptops or phones to their employees they want to make sure that the employee leaves the phone in the taxi that someone is not going to be able to look at the information because it's sensitive information so that information is generally protected with strong encryption yet the corporation also for insider threat purposes, for data backup purpose and the like will also be able to have access to that information. and so when we look out and we see that there are companies now who have been able to figure out how to do that balance, how to ensure they have strong protections and security for their data but also have access to it, it's difficult when we hear that, oh, it's technically impossible to do this. and so, again, i think we have to have that discussion about do we want to really encourage situations where we are building systems that are providing safe zones for criminal activity or do we want to have the larger discussion and say, hey, there are companies that do it today. can't we do that as well? >> but going back to some points that we heard from amy, too,
9:21 am
there doesn't seem to be one unified proposal, technical or otherwise, proposed by the u.s. government. so why is that? do you expect that the u.s. government will, in fact, put forward something more concrete? >> so i think the reason why you don't see a single solution because it just doesn't make sense given the industry today. each company knows their products and systems so much better than the government does or, frankly, anybody else does. and so when we think about this, it really is about how does a company respond to a warrant or court order? they are the ones who are going to be in the best position to figure that out, so it doesn't make sense for the government to mandate some type of golden key. it just doesn't, in the world we live in today, that situation doesn't really make sense. it's what's much better and frankly, i think, all of us would agree the government has to go to a company with a court order and the company provides the information. and that's why in the debate today we see a lot of articles that say the government is demanding actual access to the
9:22 am
databases of companies and that's not the case. there's not going to be one solution that fits every single company. some companies will do this. some companies will do that, and that's, frankly, the way they do it even today. one e-mail provider might have a different way of accessing content than another e-mail provider. the same thing with the corporate environment. >> you don't necessarily see the government as having a role in the system for some companies they might but for others they might not? >> yeah, again, i think the main point for the government is congress and the american people have given the government certain authorities, the wiretap act, search warrants and the like. and when we have those authorities and we go to the companies and we serve them with an order, we just want the information that the order says that we can get. and how the company does that is their business. we want to work cooperatively with them. some companies can do it on their own and that's why when we talk about how there's no one size fits all, that's what we're talking about. >> jon, what do you think about
9:23 am
this? i mean, kiran is saying there's no one size fits all. >> and they do ultimately boil down to policy questions. now to matt's thing, there is a traditional way to land a man on the sun and that is that you go at night. i feel that's what we're being asked to do is to come up with a way to land on the sun at night. the theme you're talking about with corporate access is the problem and there are present solutions to that. however, when you have, for example, an e-mail provider that is holding other companies' e-mails and i shut down an e-mail system precisely because we were a provider that was using an encryption system that i built that was designed for an enterprise that doesn't really work in a model of third parties
9:24 am
where i become the weakness that my customers have. and in that environment where there are cloud services, it's very difficult to know who it is that you go to. there is a case that's going on now which is the microsoft case where microsoft has literally e-mails that they are dealing with in a cross jurisdictional boundaries and we're having discussions just like this one with the tech companies saying if they put their things in other countries, then it's in another country and my biggest fear as an american who has formed in switzerland, we're going to be needing and it sounds like you're saying we need to take our cops out of the u.s. that this wouldn't be a problem
9:25 am
if, say, apple were a european country because they would not be subject to the u.s. things. you would have to get a warrant. >> just to pick up on that, you didn't actually leave the u.s. for the switzerland. >> when we first incorporated and created black phone we incorporated in switzerland because it was a joint venture between us and a spanish company. and then we moved to switzerland. >> if such a policy went into effect, how would it affect your business, your north american business now that you are a swiss company? >> it depends on what's going on. again, this is not a technical problem. if i am a swiss company that has servers in switzerland and someone who is not an american,
9:26 am
how does u.s. regulation law affect that? if i have an american customer, how does that do? if i have a customer that the chinese want something, how do i handle that? these are the policy questions and it becomes a much harder problem even for the larger companies. >> for an apple, what would this do from the business side to their operations? >> would they have to be putting a back door in something? if they put a back door into phones which some of the encryption in there now is designed to stop crime, that two or three years ago mayor bloomberg said a third of all new york city street crime was
9:27 am
people stealing idevices. you cannot get into a phone without the owner's consent because they were being stolen and sold at a markup. that these are anti-theft mechanisms. the things we are doing for counter espionage is what my whole company has revolved around. it is a huge wild west out there where anybody can get any information is doing so. so how do we adjudicate this two and three dimensional issue of where the customer is, where the warrant is coming from and where we are and what we want to do because we do want to get rid of the bad guys. >> what role do you see
9:28 am
companies protecting security and privacy? >> i want to start with a confession here. we really don't know what we're doing. we've been fighting a losing battle to build strong, secure, complex systems for longer than the crypto wars since before i was even alive. and we are actually getting worse at it as time goes by. and the reason is that we have computer systems that can be larger and do more things. we have two things that work and they don't work universally well but these are the two techniques so far that my field has come up
9:29 am
with to mitigate our inability to build large systems. one is crypto because that lets you not trust more components of the systems. you don't have to trust storage to the same extent. the second is make the system as simple as possible. what we say when, you know, when we're asked to put on our secure hats and evaluate a large system is how do i make it more secure? make it as simple as you can, reduce the things it does and use encryption wherever you can. the back door requirements work against both of those things. and that's what worries me. >> i do want to ask you another perhaps more personal question as a cryptographer.
9:30 am
their whole job is -- and lifestyle in a way is to make these systems more secure as possible. do you think that plays into why this debate has become in some cases so polarized? >> i think the polarization is so harmful. it's so easy to turn this into evil government people who want to spy versus people who want personal privacy. i think in terms of the end goals there's more common ground here than maybe the debate lets on. i think the how we get there is where we differ from the fbi's proposal. the goal of strengthening national security and preventing crime is pretty well shared by almost everyone. >> so, kiran, i see you nodding.
9:31 am
what do you think about this? >> i think it's an important point. when we start with here are the shared values we all agree with and there could be disagreement about how we best effectuate those shared values and talk about this as a discussion, as an open and informed discussion devoid of some of the more terms and venom that has been a part of this debate. the policy points jon brought up from economic issues, competitive disadvantage, how do we ensure our companies remain the strongest in the world, those are all valid issues that we have to talk through and we have to understand what the implications of any decisions are. how do we do that balance. we all have shared value, improving and maximizing public
9:32 am
safety, we have strong privacy and civil liberties. that's a great start and how we go from there is how we move down on the discussion. edward snowden and the leaks that happened two summers ago. do you think some of the encryption debate is getting -- security agency was revealed to be doing and has this made your conversations with companies or even this case to the american public harder? >> sure. i think it certainly has affected some of the discussions and one of the things we tried to emphasize that going dark. number one, i think we can all agree that reasonable minds may
9:33 am
disagree on where the line is for lawful government but that's not the issue. congress and the american people have given to us and the wiretap act, the search warrants and the like. so the issue here is when we already have that lawful authority, we already have a court order for a wiretap order, for example, and then we provide and the provider says we can't comply. that's an issue of capabilities and not authorities. it was really a question of what authority should government have? it's a very different debate from that perspective. i think the important piece here, too, when we talk about the capabilities is what that really means in practice is no matter how serious the crime is, no matter the fact that a judge made a determination there's probable cause or criminal activity afoot, we are unable to get the information. and that's a very different
9:34 am
issue than the nsa issue. >> right. and so, jon, to pick up on that, do you think that if there's a warrant they should try or have access through the court access. do you think it's reasonable to ask companies to redesign their systems to make these warrants happen? >> we don't do that in any part of our society. a warrant is not a right that the government has to get data. it is a right to perform a search and to attempt to get the data and there may be a lot of reasons why they can't get to it. this is part of the u.s. part of the policy issue. back again to where technology and policy need is that we don't
9:35 am
have a way to code intent. we do not have a way to code good guy into things. if i am making a system that will protect people in business against not only semifriendly countries but intramural stuff that goes on because we know that most countries are, in fact, spying on each other. and the country is specifically using its intelligence mechanisms to help the businesses in the country. in the u.s. it's one of the few countries where we have, i will say, anti-bribery. there's the foreign corrupt
9:36 am
practices act and so on. it is actually illegal for law enforcement and intelligence to help u.s. business. there's plenty of allegations that's going on, but at least it's illegal. in many countries it's not only legal but stated policy. so if we make a system that works in one place it works in another. we're having to lash ourselves to the mast. if we yield to one, we have to yield to all. and the policy issue that would need to come up would be a way that we would have an international, reasonable way to do things. if we had that where the u.n. could say that's a reasonable request, you could talk about having a simple technical thing
9:37 am
where, you know, the keys are also held by the u.n. >> interesting. so walk me through if something like this went into effect and the u.s. government gets a channel to access it and then the u.k., which is a close ally, also wants to have its own system and china wants to have its own system, walk me through the position this would place companies in, american companies. >> a single organization can manage all of its encrypted data, all of its encrypted communications in a way that it can do oversight on itself. however, once you get into things like multitenanting, having cloud services, have any of these things like a provider that provides e-mail to multiple
9:38 am
other countries then the policy issue comes up of who gets to say to the provider i'm not getting satisfaction from your customer so i need to go to you. >> and so, matt, what do you think? >> i want to disagree with something that jon said. this is a policy question and i agree that it's a policy question. it's also more than a policy question. so you've described the abstract problems that you get if you could build something like this perfectly. but what you also get at the same time is making our whole infrastructure vulnerable to more of the opm attacks, more of the ashley madison, more of the breach du jour. >> there's a thing that you can go after.
9:39 am
that's why our best decision is to make it so nobody other than the end user can get there. >> a fundamental problem is that if a company builds in a back door or an ability to provide access to mass market products that are used by companies and individuals and by government, that company suddenly becomes an extremely attractive foreign intelligence target. >> absolutely. >> and extremely attractive organized crime target and an extremely attractive drooling teenagers in the basement target. and we've seen all three of those attackers succeed wildly in recent years. and we're going to see more of it on the requirements that would be very, very interesting to have for nefarious purposes. >> this is the lash yourself to
9:40 am
the mast thing that i was saying. the only real solution we have to protecting our customers and ourselves is, in fact, to make it so we are not a target. >> kiran, what do you make of this and what's at stake, too, if law enforcement doesn't get the access it needs? >> the idea companies will go where only the end users is not compatible to what we have today. companies need to have access to data for their own business purposes. whether in the consumer market but there are certain types of systems where they have a design where only the end user has access to it. the important thing for folks to know is that those are the systems where even with the warrant, even with the court order, the government will not be able to obtain the information and so from the threat perspective, amy talked a
9:41 am
lot about that. it has real effects on real investigations and it's important for folks to understand that almost every investigation we do at the department and state and local level involves electronic information. and so if we are really creating a class of information in a digital safe zone for criminal activity, that's a problem and a problem we want to highlight for folks because they need to know as technology advances -- it's the fundamental question is do we want to have technology drive that or should we drive it from a policy perspective? and so that's really what is this discussion is about. i don't see a world where companies will not have access to information for their own business purposes. the real question is what happens with those specific platforms, certain applications, certain devices where there is a
9:42 am
choice you could make to design it so it's warrant proof so only the end user or so the company retains access and the ability to respond to a court order and a warrant. >> so i do want to open up to the audience. >> say your name and where you're from. up in the front here. >> thank you. eric geller from the daily dot. i wrote a feature on the crypto wars and all the experts said the government keeps saying we want to have this debate, to bring this out into the public but we've been doing that since the crypto wars yet the government says let's have this conversation. let's listen to the tech companies. what would you say to the idea that this is settled, that they don't want to do this and that they can't see a way to do it securely? >> i guess a couple points, one, and matt talked about this
9:43 am
earlier, we're in a much different world than we were two decades ago with the proliferation of the digital information everywhere. they are much different than before. number two, back in the two decades ago the government was asking for something different. there was an idea there would be a split key that one government agency would hold it and another would hold another key and that, again, is not what we are asking for today. we go to companies with a court order or warrant, they're unable to comply. we would like them to comply with the court orders. how they do it is up to them, based on their own system and their own designs. they know their systems best. we've been having discussions and back to the shared values, we all have those same shared values and so the more we can do to figure out how do we maximize
9:44 am
the public safety and the national security and also these important privacy similarities, data security, we're in a different world now than we were two decades ago and i think a lot of the companies and even technologists would agree. >> another question up in the front. >> sharon, voice of the moderate. i would like to ask about the issue with trust and the american people. i think that a lot of people see the selective prosecutions. let's use the ones of the whistleblowers that their data was looked at and i guess with the fisa goes overseas so it can automatically get collected and we're seeing some people that are higher up that might be like general petraeus got a slap on the wrist, leon panetta. a lot of people in the intelligence community leak. it happens all the time. some people get prosecuted. others don't. i think the encryption issue stems from the lack of trust in government because of some of the selective prosecutions. and how do you see addressing
9:45 am
that issue because i think once we all trust each other then it will be easier to go forward. thank you. >> i think most people would agree our country has one of the strongest commitments to the rule of law in the world and it's something that we at the department of justice and, frankly, the whole administration, thinks is very important and so we try every day to ensure that we're building trust and maintaining trust with the american public because that's what the rule of law is based on, trusting the folks that are carrying out investigations, prosecutions and the like. so it is an important value to us and something that we strive every day to earn the trust of the american people. >> any other questions? yes? >> russell, a law student. my question is from the government official. the issue is about conflict of
9:46 am
law and the situation where some tech companies may find themselves when they have to comply with a foreign law to hand over data, but that would bring them into conflict with u.s. laws that basically would make them liable for crimes, for u.s. laws. tech companies are doing businesses globally and have to comply with multiple standards in laws and how does the doj address this issue? what are your views on that at least? >> yeah, no, it's a really good question and it's a question that companies are facing more and more every day. i guess the point i would make just generally on that issue is that that's much broader than encryption or even going dark, our companies today face those choice of law conflicts whenever or in many cases when they're operating in a foreign jurisdiction. and so the companies work through those issues. sometimes they have to do something specific to a particular company. it's really just going to depend
9:47 am
on the specific laws, the specific facts and circumstances. it is a growing problem in our global economy, absolutely. >> and so just to loop you into this discussion as well, we had a question earlier for amy hess about what would happen if this policy goes into effect and the perception of american businesses abroad. this plays into that a little bit. maybe you both could take a stab at answering what would happen at least from a perception that companies are working with the government or giving data to the government kind of formally. >> so i'll not even speculate on what that would do to trust in u.s. products abroad, but, you know, there's also the issue of making our infrastructure less secure and i think we'll see a real tangible effect of the horrible security crisis that
9:48 am
we're in today becoming measurably more horrible because tools for securing it become less robust and less available and, you know, that would be horrible. >> jon? >> i agree with matt on that, that it does make it less secure. it rules the security that we're building into things and i'm going to disagree with him that i think we're making progress. >> did i say we were making progress? >> see? i think we're making progress. >> oh. >> but it would ruin the reputation of all of these companies worldwide because you know if there is a master key that it is only a matter of time to it gets leaked. it gets stolen. it gets misused. i mean, we have seen all across the board, whenever there is one of these databases, one of these central repositories for
9:49 am
information, that people use it to check up on their ex. they use it to find out what their neighbor's really doing. and the fact that that would happen would ruin the reputation and it would also ruin the reality. the reputation would be ruined for real reasons because it really would be weaker. >> jon is making progress. no one else is. >> two points. one is, again, when we hear master key, golden back door, we have to be clear that no one is asking for that. number two, when you hear sort of arguments that companies' reputations are going to be ruined, it's a puzzling argument because today we have large companies that can respond to court orders and warrants. we have billions of users around the globe who use their services, and we're not seeing some of those issues. and so, again, i think it's
9:50 am
important to understand what we are, in fact, asking for which is that we don't want situations where there's warrant proof encryption which is different than securing data, to secure your i.t. infrastructure, because that is something that we really value because of our mission in the cyber sec area, cyber crime area. >> it is only accessible. >> except for all the companies who do it today for all the business purposes. we have companies who can respond to court orders today. there is no magic key, no golden uniform. they are able to do it. >> it is the companies that are putting in security that you're getting upset about. i mean the thing that has happened, i was agreeing with what you were saying before. that we have the shared values.
9:51 am
we have all of this, but we're putting in encryption precisely to stop crime. and the reason why apple, google, others are putting device security into the device is so that the system is there so that when you have exactly what you're asking for, but now that we're doing it we're being criticized for doing it. >> again, this is -- i think it's important because this really is an important point that i think is lost in the discussion. we want strong encryption. we want those devices to be secure. the question is, is the only way to secure it a manner where there is warrant proof encryption. there are a lot of companies today that disagree with that. they have built that system.
9:52 am
if the answer is there is no way to do it. if they really believe it and they have tried super hard. they might answer. that is something that the american public and folks should understand. people need to know that. and that again that is the discussion that we have to have. >> i will admit that i'm flattered by the fbi's stake in my ability and my field's ability to produce these super secure products that you are worried will be warrant-proof, but frankly i'm puzzled by the underlying assumption that we have any chance of actually doing that and that the internet that we have today is adequately
9:53 am
secure for just about any purpose you could imagine. i mean, i think we're in a national security and public safety crisis as we rely on this horribly fragile, horribly weak infrastructure. the problem that we're facing and i think it's pretty close to an emergency. >> we do have another audience question. on the side here.
9:54 am
and now my question. it's one thing that is often missed in the debate is that assuming that everything was encrypted, meta data will still be available to law enforcement when they serve companies a lawful order.
9:55 am
>> it is showing that it is committing federal felony and the phone facility that we want to target is being used as part of that crime but we also have to show necessity. so that means we have done -- we have tried to do -- less intrusive techniques have failed. some are physical surveillance, using an informant, records are considered meta data and someone has to write up.
9:56 am
and those things sometimes run hundreds of pages. huge affidavits. it these be reviewed by the supervisor. operations oeo in the criminal division that is then signed off by a high level criminal level official. at that point it goes to a federal judge who does his own so it isn't the first thing that we do. when we have that order, we have already had enormous amount of internal review. we have an internal judge and only then do we go to the company and say can we have the content of communications.
9:57 am
i think it's important to understand that in context. this is not something that just happens right away. there's a huge amount of resources. >> we have time for one more question. >> just hearing from you about all of the methods that we use prior to asking for content, i'm curious if the doj or fbi will provide numbers of how many times this actually happens. it feels like it's such an extreme situation. will that data be available to the public? >> we do need to do better and get better data on that. one of the hard issues is that investigators, when they hit a
9:58 am
wall they don't stop. i do want to reiterate that. it is an important point that we make, we have to make an important sense of the scale. >> anyone else have any questions? i will ask one more of each of you. i knew it would get heated at some point. just to try to bridge some of the differences there. what do you think is the biggest thing that tech companies or security pros or just americans in general might be missing in the national securities arguments? >> i think that the most important thing is to start with when we talk about this issue, we really do have shared values. that is one of the important
9:59 am
points. we want to figure out what best way to maximize the values. but if we're all trying to get to the same end goal, it is important. >> what do you think the u.s. government needs to do? >> part of it, we have to be clear about what the issues are, providing important data to folks as part of this discussion is helpful. that's part of why we do the events so people can hear directly from us what we're asking for and what we're telling the american public.
10:00 am
>> to fund people like me to think about more. but i won't pretend that it's a brand new problem but it's one that i think is increasing national priority but it's one we don't know how to solve.
10:01 am
>> we are in a multicountry world where there are values that are not shared across the countries. i'm in a situation where i worry about what happens when a warrant comes in from another country where they say that even though this person wasn't even born there, their grandparents were so they have a right to certain data. i worry about the costs of how those of us who build this would be able to do this. and that it effectively turns us into something that we don't want to be which is a super government authority that decides whose information which
10:02 am
often is who lives and who dies goes out. and it isn't a matter of, we are only in one area where we have shared values. we are in a huge hostile world where there is information warfare going on or economic reasons for things that are theft and the techniques that we have that are as good as we are at them, i think that part of the reason this debate has come up again is that we are actually starting to make progress. and there is a very difficult problem in those of us who are international versus.
10:03 am
>> all right. that's all the time we have. >> thank you everyone for coming. thank you dell for sponsoring us today. thank you to the department of justice and the fbi for sending out their good folks to talk to us. we would love to see you very soon. take care. now today i'm a reporter for nbc. is this marion barry's place? i went back to the office and called me up and i said i have just been to club 55. don't you realize your people are watching where you do and where you go and you sit there all the time and watch naked dancing girls. there was a pause on the phone and he says it's nice, isn't it?
10:04 am
>> he signed a letter and said what he did was politics and not bribery. he should have reported the gifts and that might be a crime but he didn't report the gifts. $15,000 for a child's wedding. $70,000 loan. bob mcdonald has been considered a vice presidential candidate. was in over his head when he got into the government's office. this is another case where you're a public figure and you let your messy private life combine together. it's the first time a pope has done this and this is the scene.
10:05 am
you can watch our live coverage on c-span or online at c-span.org. >> and back here, u.s. cyber command head and nsa director will testify before the senate intelligence committee today. he will brief the community on threats to the nation. you can see it right here on c-span 3. it starts at 2:30 eastern. and now ftc commissioner discuss the two main recommendations for how to best proceed in dealing with open internet rules on assuring consumer choice prooifty and transparency.
