tv Discussion on Encryption Technology CSPAN April 7, 2016 11:33pm-1:10am EDT
11:33 pm
appreciation for a phenomenal debate from these debaters. bravo. very well done. very well done. thank you. bravo. okay. let's take a look at where public opinion was at in this hall at the beginning of this evening. because all of you in the audience here are going to have the opportunity on your way out of the hall to vote again. so let's take a look at where audience was at the beginning of tonight. 77% of you agreeing with the motion. 23% opposed. then we asked you how many would be open to changing your mind to get a sense of the degree to which this debate was in play. 79% yes. so it's going to be fascinating to see how all of you decide based on what you've heard tonight, the arguments pro and
11:34 pm
con, where you will come down on this debate. i just want to end by again thanking the oria foundation for staging these phenomenal debates. they're a great part of toronto, a great part of canada and this evening something that's been available to people from coast to coast in canada and across the continental united states. we're going to do this all again next autumn. but in the meantime, keep watching, keep learning, keep reading. thank you for joining us at the munk debates. [ applause ] ♪
11:35 pm
♪ american history tv on c-span 3 this weekend. saturday night at 8:00 eastern on lectures in history. >> what we see is new factors making emancipation desirable. old kinds of obstacles falling by the wayside. with the result that by august if not earlier of 1862 lincoln has decided that when the time is right he will announce a new aim for the war effort that would add to union human freedom.
11:36 pm
>> wheaton college history professor tracy mckenzie on the evolving war goals of the north during the civil war. and then at 10:00 on "real america" -- >> how was it possible for america to achieve such production and at the same time build an army? then the amazing reports came in from my agents in the united states. 20% of industrial american manpower was woman power. legions of american women were massing to stop my advance across the world. forsaking the round of revelry for the grim tasks of war. >> reporter: this 1944 war department film documents how women in world war ii helped the war effort, alluding that the hidden army of american women working in war manufacturing are a main reason germany lost the war. sunday evening at 6:00 on american artifacts, we visit the daughters of the american revolution museum to learn about an exhibit marking the 125th
11:37 pm
anniversary of the organization founded in 1890. >> one thing that stands out at this time period is this creation of this imagery of the apotheosis. and the apotheosis is an old concept. it goes back to ancient times. where a warrior is made godlike by lifting him up and celebrating him. >> on the presidency at 8:00. >> though washington and jefferson are the two most prominent examples of slave owning and the presidency it is worth highlighting key assets of their successors who owned slaves, especially those who did so while occupying the white house. james madison who followed jefferson as the fourth president of the united states owned over 100 slaves, holding a large percentage while he occupied the white house. he is responsible for proposing and expanding the 3/5 compromise which guaranteed the south held a disproportionate influence
11:38 pm
upon congress to preserve and uphold slave-owning interests. >> tyler perry, african-american studies professor at california state university fullerton, on the 12 american presidents who were slave owners. eight of them while in office. for the complete american history tv weekend schedule go to cspan.org. public policy, criminal justice, and computer security officials discuss encryption issues and policy and what federal officials and lawmakers can do to encourage continued technological advances while protecting the rule of law. from the information technology and innovation foundation in washington, d.c., this is about an hour and 35 minutes. >> okay. good morning, everyone. we'll go ahead and get started. my name is daniel castro. i'm vice president of itif, the information technology
11:39 pm
innovation foundation. itif is a non-profit non-partisan think tank that focuses on technological innovation in public policy. excuse me. i'd like to welcome you to today's event, decoding the encryption dilemma, a conversation on back doors, going dark, and cyber security. the goal of today's event is to explore the ongoing debate about cryptography and how to find the right balance between the needs of government to prevent crime and stop terrorism and on the other side the desire of private companies and citizens to protect their data. so a few logistics before we get started. first, the event is being recorded. it's also being live-streamed. if you're participating remotely, we're using the hashtag decoding encryption. we're going to have time at the end to ask questions of the panelists, and if you're participating remotely you can use that hashtag, decoding encryption, to ask questions, as well as if you're in the room we'll have mikes here. so to begin, i want to kick off
11:40 pm
the discussion by providing an overview of an itif report we recently released titled unlocking encryption, information security and the rule of law. this report tries to set today's debate in context by providing an overview of some of the different flash points in past debates over encryption. in the report we drilled down also into the various arguments that have been put forth by the law enforcement and the intelligence community on why encryption should be weakened or limited so that the government can have access to the plain text of the encrypted data and we provide a response to these different arguments. but i want to start with a quick history of how encryption has changed over time in response to new technologies and business models. the modern era of commercial cryptography really started in the 1960s. this is when we had the original mainframe computers. we had these large commercial databases.
11:41 pm
and companies wanted to protect this data. they began using what was -- what's called symmetric encryption. so you have the same key used to both encrypt and decrypt the data. and they were using this to store the data securely. of course many of these companies worked in industries where they wanted to then share this data. so you had financial institutions that wanted to share data. and of course to do this they needed to have interoperability between these standards. so we had the creation of the first kind of government-backed encryption standards to facilitate this exchange of data. the next kind of big change came when we had the rise of personal computers and networks and the internet and the need to securely communicate with a wide variety of users who really had no other way of forming a connection. these were oftentimes kind of anonymous parties. and so the biggest problem that you had with symmetric encryption is key exchange. there's this question of how do you actually securely share a key with somebody else?
11:42 pm
if you think about it, this obviously makes sense that if you could share a key securely, you wouldn't need encryption in the first place. so this led to the development of public key encryption. so public key encryption is asymmetric. you have one key to encrypt, a different key to decrypt. and we used this to create secure forms of key exchange between different parties that otherwise have no connection to each other. >> after this the next big development i think was cloud computing. so this was a big change because in the past all the data was stored locally on servers and pcs. and it was completely controlled by the customer. but now users were sharing their data and storing it with a third party. so this created kind of an inherent security vulnerability because the cloud provider now had access to previously encrypted data. and many cloud computing providers of course have been actively working to address this issue by providing customers with client-side encryption or end to end encryption so they are taking themselves out of
11:43 pm
that loop. more recently we had kind of the rise of mobile devices where you had lots of users of course storing large amounts of data on a device that could literally, you know, someone could walk away with. so there's been a big move as well in the encryption space, how do you enable things like full disk encryption so you have very strong security on local storage. and finally we have the rise of the internet of things where all of these connected devices, many of them in the home, and users want to be sure that these devices are secure and researchers are still experimenting with a lot of different solutions to address the unique needs that come out when you have these connected devices. you might have less bandwidth, less processing power, less energy needs and you have to figure out how to deal with that. so first i think when you kind of look back at this history you see a few things. so first what you see is there's been a steady 12r5e78 of steady information security in the past decades in response to new technology and business models.
11:44 pm
this isn't the private sector actively trying to lock out the government or anyone else. it's technology trying to make computers that are more secure. second, while the use of encryption is much more prevalent today, the debate about government access to encrypted data is not new. at each of these stages the government has pushed back against these advances. so you know, in the earliest years we saw that various stakeholders were working behind the scenes to weaken the des encryption standard. and in the 1970s, you know, law enforcement and the intelligence community tried to sue academics who tried to publish research on cryptography. in the '90s there was this big debate about the clipper chip which was about providing key escrow for secure voice communication and there was a significant resistance in some quarters to liberalizing export restrictions on cryptography. and then we've seen of course the more recent objections to end-to-end encryption and full disk encryption. third point here is that as far
11:45 pm
back as the 1960s it was possible for a user to encrypt data in a way that the government could not get access to it because the user was the only one with the key. it's really only the recent move to cloud computing that broke this model for many users. and in an effort to repair the security weakness companies are now being cast as i think doing something that's an affront to law enforcement. so i think we have to keep all that history in mind as we approach today's debates. so moving to the arguments that we're seeing today there's really five arguments that law enforcement and the intelligence community make for why policy makers should weaken or limit encryption. so first, they say that companies should not offer technology that circumvents established legal processes and that provide warrantproof encryption because this interferes with law enforcement's long-standing ability to conduct lawful searches. and i'll just pause here and mention in the report, which is in the back and it's also on our
11:46 pm
website, what we try to do with each one of these arguments is really lay out in the words of the people making these arguments exactly what they're saying. our goal is not to paint straw man arguments but really show the strength of both sides of where these arguments are. but what we argue in this report is that you know, while certainly the scale of encryption is much greater today the phenomenon itself, the inability of law enforcement to access encrypted data when the user controls the key, is fundamentally not new. so the second argument that we hear is that without access to encrypted data the government will be less able to stop or solve crime and terrorism. this is true. our report is not trying to deny the fact that the rise of pervasive encryption may have a negative impact on law enforcement. in fact, we acknowledge it will make it more difficult to prevent and investigate crimes of terrorism. and these problems will be exacerbated if the government doesn't come up with new tools and techniques so they can function in an era of pervasive
11:47 pm
encryption. what we say in the report is unlocking encryption or encrypted data is the wrong solution because it's creating systemic vulnerabilities. and moreover it's not the only way that you can actually investigate crime or prevent terrorism. so in addition, kind of regardless of what policies the united states puts in place, it can't actually stop terrorists or sophisticated criminals from encrypting data anyway. so terrorists don't have to rely on the private sector to build tools to store data securely. they're already building their own tools. we talk about a lot of the tools that are out there already. moreover, the u.s. doesn't have any kind of monopoly on this kind of talent. some of the best cryptographers including the ones that created aes, the current standard that everyone uses, are not american. they're working abroad. moreover, there's a number of
11:48 pm
companies like telegraph, a german software maker, those creating secured encryption tools. and all of those are completely outside the jurisdiction of the united states. so the third argument that we hear is that companies have decided to stop retaining a copy of customer's secured encryption keys for business reasons alone. this is simply not true. as we show in the report our researchers have been steadily closing security vulnerabilities for decades and the move to give consumers back control of their keys is simply the next step in the move to create secure cloud computing. controlling their own key allows users to better manage risk for themselves and improve security. the fourth argument that we hear is that technologists could fix this problem if they simply tried harder or study it longer or form a commission. encryption is based on math, not magic. there's no way to provide this third-party access for the government without introducing vulnerabilities that can be abused by others. finally, the last argument that we've heard, obviously a lot in the recent weeks, is that companies should help law enforcement hack into the products they sell so that the
11:49 pm
government can gain access to users' encrypted data. if this technique were abused, law-abiding users would likely begin to distrust these companies and begin to use their problems. there's an important competitiveness effect that we have to consider. that said, companies should definitely be complying with lawful government requests to the extent that they're able. but we're very clear in this report that the government should not restrict companies from designing products with security features that cannot be defeated by a third party. including the company that made the product itself. the government, you know, as we know has a basic right to search but it doesn't have a basic right to find and that's an important distinction that we have to keep in mind. so in short here we're concluding that the cost to consumers and businesses of a policy that would limit or weaken encryption would be misguided because they would have limited impact on keeping the technology out of the hands of criminals and terrorists, it
11:50 pm
would reduce overall security for law-abiding citizens and businesses, it would make it more difficult for u.s. companies to compete globally, it would limit advancements and information security and it would diminish u.s. leadership abroad in preventing policies to improve cybersecurity, which is greatly needed. so i think the question here is we're in the middle of this debate, where do we go from here. so we outline in this report a number of recommendations for how policy makers can promote trust in the u.s. tech sector through strong security practices, how they can provide law enforcement with new tools to uphold the law and support efforts to improve information security globally. so first congress should ban the nsa from intentionally weakening encryption standards. the nsa has some of the best cryptographic talent in the world and it should be used for making encryption more secure, not less secure. there's a definite lack of trust in the post snowden era.
11:51 pm
we need to draw a clear line in the sand and say that can't be crossed in the future. second, congress should pass legislation to ban all government efforts to install back doors into companies' products or services. in addition, the government shouldn't be allowed to lieu companies to facilitate government access by altering their designs. and since we see states make or thinking about making laws in this area we should make sure that congress preempts any state activity. third congress should pass legislation requiring all federal agencies that discover security vulnerabilities in commercial or open source products and services to disclose them in a timely and responsible manner and work with the private sector to fix them. again, this goes back to what's the role of government. is it going to be about improving security or not? fourth, congress should examine whether u.s. courts can better balance the interests of the individual and the state by allowing judges to hold suspects in contempt of court for
11:52 pm
failing to disclose encrypted data under certain limited circumstances. this is an issue we'll hopefully talk more about in the panel and get into more in the report. but basically if you look back at kind of the history of this, keys were treated in two different ways. physical keys were treated as something the government could search and require someone to disclose as well as biometric passwords. the government can compel me to disclose my fingerprint but right now it can't compel me to disclose an alphanumeric pass code. this is a distinction that probably doesn't make sense right now. we explore whether congress should be exploring the opportunity to give more power to law enforcement that doesn't weaken security for everyone else. fifth, congress should provide additional resources to federal state and local law enforcement for cyberforensics so they can investigate and analyze digital evidence that can be used in court. local law enforcement is not going to have the right kind of skill set to deal with some of these more complex cases. and we need to make sure we're
11:53 pm
providing resources so that law enforcement isn't left behind in the skill set they need. six, congress should establish clear rules for how and when law enforcement can hack into private systems and how and when law enforcement can compel companies to assist in investigations. right now there's just so much gray area here. and we also need to allow transparency into this process, how it is that we create it. seventh, u.s. trade negotiators should actively oppose foreign government efforts to introduce back doors in software or weaken encryption. including resisting any rules to require companies to sell products with weak encryption. and finally, the u.s. government should be promoting cybersecurity around the world by championing strong encryption and internet and global technology policy forums. fundamentally this comes back to the position of the u.s. government should be to promote information security and not weaken it. and it should make this the
11:54 pm
cornerstone of both its domestic and foreign cyberpolicy. so we have a really fantastic set of panelists today who i've asked to provide their reaction to their report as well as help us dig into these bigger issues in the crypto debate that we've seen play out over the past few weeks and years. so let me just briefly introduce everyone. and i've asked them to make a brief three to five-minute opening remarks. then we'll dig into some questions. first to my left, jules polonetsky, who is executive director and co-chair of the future privacy forum. then next to him is david bitkower, principal deputy assistant attorney general in the criminal division of the department of justice. then we have chris calabrese, vice president of policy at the center for democracy and technology. bruce heiman, who is a practice area leader of k.l. and gates's policy and regulatory practice. morgan reed, executive director of the association for
11:55 pm
competitive technology, the app association. and ryan hagemann, technology and civil liberties policy analyst at the niskanen center. thanks to all of you for being here. jules, why don't we start with you? >> thanks. and i'll be brief because i'm confident that dan and crew invited me before they were able to line up these people who are the leaders in this debate. so i'll speak with some humility and hopefully set a little bit of an opening tone. it's rare for those of you who know me to speak with humility. in the think tank business it's -- no, don't laugh that much. when you're in the think tank business your business is to think and the more you think with loud and strident, you know, views the better you are apparently. but i am really humbled by this issue frankly. and though we've written in support of strong crypto and ensuring strong protection and barring back doors, i will tell you this is an issue that i am
11:56 pm
truly humbled by and i do hope that we'll figure out the right answers frankly. but i'm certainly confident the right answers are how we can fight terror and how we can strengthen law enforcement without creating many of the concerns that are created by some of the challenges that we seem to want to create for strong crypto. i was on the other side of law enforcement requests during my days at double click or aol. we certainly had some strange requests over the years. but we had a lot of requests that i understood that we were cooperating with to save lives, and i felt it was my duty. we were proud that we cooperated, and we mocked and sneered at those who didn't have their systems in order because of whatever practical issues, that they couldn't assist. they were the bad actors allowing bad things to happen on the internet. but the other day i was watching an episode of "the americans," and those of you who follow know there's this russian scientist who's being forced to invent
11:57 pm
this new solution that the soviets can use to better defend against the americans and they have all kinds of hooks over him and his family and he's sort of forced into this intellectual, you know, exercise. and i just couldn't help think that the conclusion of what we're asking for a company or scientists or researchers to invent and the conclusion that's that goes, that's just not a way that i think any of us can support intellectual freedom developing. you can imagine the other areas where it might be really useful to invent all sorts of valuable things and just the compelled notion of doing new intellectual work at the direction of the government is so frightening. like many of you my phone is probably more an extension of my brain, and as we have other pieces of technology that are going to be integrated into our brains, our bodies, i assume eventually i'll control things
11:58 pm
with my brain and therefore you'll scan my brain. therefore, why do we need any of this waterboarding, mr. trump? we will be able to garner this information. so is it acceptable that as the technical capabilities become so intimate into our bodies that we don't sit and say no, this is different, this is subject to an incredible level of personal protection where sorry, we are going to let you hide what is in your heart because that's a zone of humanity that ought not to be interrupted even if there are technical and feasible ways to do it. i was looking at the statistics of phone thefts dropping after technical measures were taken in a number of cities. 40%, 50%. and although they may be one step removed from the specific sort of debate here, the whole notion that this doesn't really immediately make a difference to the average person not getting pushed, mugged, or knocked over is something we really need to consider. leaving the crypto side for a second, you know, the cnil
11:59 pm
recently took action against facebook and they said you're allowing six-character passwords, you must have longer passwords and they have to be alphanumeric and i looked at it and lorrie cranor had just sent out an e-mail, the ftc chief technologist, noting our advice over the years of complex passwords was leaving people completely befuddled and unable to manage and change your passwords and that the better solutions frankly are sophisticated things done on the back end so i can have a little bit more simpler password. but we got things like rate limiting, things like maximum attempts. that piece of this i think is an incredible part because at the end of the day we're still going to have a password and if my password has to be so complex that it's befuddled, by having a real respect for frankly protecting the notion that the rate limiting piece of this, which is really an essential piece, i think they really
12:00 am
missed and misunderstood. and so i'll close with that and look forward to continuing the conversation. >> thank you. david. >> thank you, daniel. thanks to the itif for having me here. thanks to jules and the other panelists. i do look forward to an interesting discussion here. i'm not sure which is worse after hearing jules's remarks, that is being compared to the 1980s kgb or getting spoilers for all of season 2 of "the americans." i'll have to balance those two harms.
captions copyright national cable satellite corp. 2008 captioning performed by vitac