tv   Global Privacy Summit  CSPAN  May 17, 2018 3:48pm-4:52pm EDT

3:48 pm
overseas cloud data storage with help in investigations. this hour-long global privacy event was held in washington, d.c. >> welcome to all of you for what's turned out to be a particularly timely session on surveillance issues, what with the passage of the cloud act last week as well as the ongoing percolating issues in the courts and policy-making circles. we are honored to be joined by two senior doj officials, and i'll let them introduce themselves in a moment to really just talk about, you know, doj's perspectives on some of these surveillance issues, as well as the newly passed cloud act. just briefly on the format, what we'll do is for the first 40 or 45 minutes, i will be basically be questioning them, and walking through some of the issues, getting their perspectives, and then we'll leave the last 15, 20 minutes for folks in the audience to ask them whatever questions either on issues we didn't cover or other related
3:49 pm
issues. so the format i'll keep simple, so let me start by asking richard and others to introduce themselves. >> good afternoon, my name is sujit rahman, i work for the attorney general, i help oversee cyber investigations and prosecutions in the department and oversee our policy development, and so great pleasure to be here today. >> my name is richard downing. i am, i have a long and unfortunately long title, acting assistant attorney -- geez, acting deputy assistant attorney general, anyway i'm in the criminal division of the department of justice, i work on electronic evidence issues and i oversee the child exploitation and obscenity section. >> i'm a partner at a privacy and cyber section, used to be senior director for cyber on the national security council at the white house and.
3:50 pm
so welcome to all of you and i think we'll go ahead and dive in. where we'll start as many of you know, there was the supreme court recently heard arguments in microsoft, and we plan to talk a little bit about the legal with congress having passed the cloud act, and the cloud act being the clarified overseas use of data act. that act basically has two parts, one of which addresses the main issue that was presented in microsoft. but before diving into the cloud act, just to give us a little bit of concrete facts to be thinking about. i might ask one of you just to talk briefly about what were the basic facts in the microsoft case? what was the basic issue there. >> the microsoft case involved a challenge to a warrant that was issued under the stored communications act by a u.s. court. microsoft challenged the order, saying that the evidence that was at issue here, the data in the account, the content of communications, was being stored at its ireland data center.
3:51 pm
this was information that microsoft had chosen for its business purposes to store there, and it argued in the case that -- or is arguing -- the case has not yet been fully completed -- that the stored communications act warrant in that case should not apply to data that is stored outside of the united states, arguing that the warrant is limited to the territory of the united states. the government's position was the contrary. we believed and continue to assert that congress intended that these warrants cover such data. any data that is in the possession, custody or control of a u.s. provider needs to be disclosed when a u.s. court process is issued to that provider. >> i was going to say, you can see why the decision that came out of the second circuit was deeply damaging to the government's interest, because essentially it's a u.s. crime, u.s. perpetrator, as far as we know. there are some issues about that. but because a u.s. provider had chosen to store the data abroad,
3:52 pm
we were basically powerless to get access to that evidence. again, you can see the wide implication of a ruling like that. so many data service providers split up data all around the world. if it's a situation where it's a u.s. crime, a u.s. judge, a u.s. perpetrator, and yet we're not able to access that evidence because that evidence just happens to have been stored abroad through a business decision that a company has chosen to make, it was having a very serious impact on our ability to prosecute those cases. richard testified on the hill last year about how child exploitation cases were being affected because the actual pornography, the material that we needed to prosecute the case, we could not get our hands on it even though we had a lawful warrant, because it happened to have been stored outside the united states. so it was a tremendous priority for us to get that decision reversed. that's why the government sought
3:53 pm
certiorari items from the supreme court. we cannot comment on the pending case. it is still pending, actually. but this legislation, at least going forward, in our view, has resolved that basic issue. >> how do you think the cloud act resolves the issue, just briefly? >> sure. the cloud act has a provision in it that, in our view, clarifies what we always thought the case was, which is that the stored communications act does cover data that is stored by a u.s. provider outside the united states. so it's a very simple, one-paragraph switch that says, nope, this is what we meant and it's crystal clear now. one thing i wanted to emphasize, too, is sujit's comment about a lawful warrant. what was not at issue was whether we had met the constitutional standards, whether the warrant was properly issued, any of those issues. in our view this is not a question of privacy. we've met all of the constitutional rules and had an independent magistrate examine that warrant and all the bells
3:54 pm
and whistles that are attendant on that. this was more of a question of application of the law at the standard question of whether this statute applied to data stored outside the u.s. >> in the cloud act now, the standard is whether or not the provider has possession, custody or control over the data. that's a standard that actually has some roots in u.s. law, right? describe sort of where that comes from. >> i'm not sure i can point you to the case or the doctrine itself, but the basic notion is very similar to the way that we would expect subpoenas to be treated. if you receive a subpoena from a grand jury, you are required to disclose documents in your possession if they are in your possession, custody or control. it's not a defense to a subpoena to say, well, i chose to store my data inside a safe in my house, and therefore the fourth amendment applies or something. it's not a defense to say, i've chosen to store the data outside the u.s. that's not, you know, going to
3:55 pm
be sufficient to get you out of complying if you have possession, custody or control over that information or that document or that physical thing. >> just to follow up on that, there has been a long line of cases, particularly in a bank records context, where banks might be foreign chartered but they have a presence in the united states. going back really 30 years, there is a long established line of cases holding that as long as there is a presence in the united states and it's a robust enough presence, if we serve that entity with a u.s. subpoena, that entity is required to comply with the process. so we've always seen the microsoft case as an extension of that traditional doctrine, which is why for us the second circuit's decision was actually quite shocking because, at least from our perspective, it seemed to upend the traditional power that law enforcement had with respect to serving process. it's another reason why this legislation is really a game changer to the extent it restores things back to the beginning. it's important to point out this
3:56 pm
legislation was bipartisan, had strong support from both sides of the aisle and the tech industry was also very much on board. so microsoft, our adversary in the supreme court, was very much our ally in this legislation. and there are reasons why we can talk about sort of going forward why it brought together really a unique cast of characters. that's one of the reasons why it passed, because there is strong bipartisan support for this legislation. >> now, the act does provide -- does allow for a provider to object, to file a motion to object in certain circumstances. describe briefly, what are the circumstances or how is that cabined? >> so there is this larger question of conflicts of law. that is, what happens if there is a situation where a provider is issued legal process that compels them to disclose information in the united states, the legal process is issued, but that there is a foreign law that bars them from
3:57 pm
disclosing that information. this is kind of what sujit was referring to with bank records because we've had this issue where a subpoena in the united states is issued to a bank, but the bank laws in the cayman islands is involved, and how do we resolve that question. here the conflicts of law question is raised in the legislation and created is a new section that addresses a fairly narrow set of situations, but nevertheless is clearly set out in the legislation. it's sometimes called a comity analysis because it involves the comity that one country offers to another. in a narrow situation where there is an executive agreement between the united states and the foreign country where that law might be violated, where that other country offers reciprocal rights for the provider to challenge, and where there is an actual conflict,
3:58 pm
then that set of rules in the cloud act would be triggered. if that's the case, then the provider is empowered to come to court and say, i shouldn't have to comply with this u.s. warrant because it violates the law of zimbabwe, and then the court would then have a balancing test based on factors again set out in the statute. so it is an idea of an escape valve to try to address the possibility of a conflict of laws happening. i want to be clear, too, we have not yet seen any u.s. provider come forward and allege an actual conflict between a u.s. legal process and a foreign law, not even in the microsoft case was that alleged, and it's an interesting thing when the european commission filed a brief, amicus brief in the supreme court. my reading of it is they did not feel that gdpr was going to create such a conflict in the future, either. this is, to some degree, a bit
3:59 pm
of a hypothetical, but the statute is trying to think ahead and be forward-looking about when that kind of a conflict might happen. and as we'll get into a little further when we talk about the executive agreements, hopefully that will be a strong force against creating these conflicts as well. >> sujit, you alluded when you talked about the microsoft case that in that case there was a u.s. subscriber. does the act deal with u.s. subscribers versus non-u.s. subscribers? >> one important aspect is how it deals with u.s. persons, so one very important point to keep in mind is we have made it very clear as part of this legislation that u.s. persons cannot be targeted as part of this legislation. in other words, if we negotiate an executive agreement with a foreign country, they can't use that agreement to essentially seek process on u.s. persons, right? so that's something that's very important to keep in mind as we
4:00 pm
sort of go forward. there are interesting implications for how the statute applies to u.s. persons or persons residing in the united states. richard, i don't know if you want to talk a little bit more about exactly the contours of that. >> in the microsoft context first. >> so one thing that -- i mean, i think what you're driving at is this idea that this comity analysis would not be available if the subscriber is a u.s. person. that is u.s. process against u.s. companies involving u.s. account holders, there shouldn't be an issue even frankly that would come up in that situation. so having a conflict of law analysis apply doesn't make any sense. other than that, though, i think that's the only one i can think of in this context. >> right. and i know it's only been a few days literally since the act has passed, but just as you're thinking through the practical implications of how doj is going to use this act, to what degree will these kind of factors you're talking about such as
4:01 pm
comity and those kinds of issues sort of shape when you will use process under the cloud act versus trying to negotiate with the provider versus asking them to litigate. how will those factors figure into the practical use of this? >> just to feed off the point richard just made, when it comes to u.s. investigations, in our view this legislation restores the status quo. we would serve process in the way we always have and traditionally always have with respect to crimes we're investigating under violations of u.s. law. where things get interesting, and this is sort of the second half of the statute, is the bilateral agreements that we can negotiate with foreign governments because that's something that didn't exist before, right? at least in theory, what we were hearing from some of the providers is there is a potential for a conflict of law where if they were to be served by a foreign government, they wouldn't be able to produce because of u.s. law, right? u.s. law has a blocking statute that doesn't permit foreign providers to provide information
4:02 pm
to foreign governments, right? it's a violation of the foreign communications act. what this statute does is essentially allow the lifting of that statute in appropriate cases. i guess the point is it helps our partners, those foreign governments that meet very rigorous standards about rule of law, respect for rule of law, respect for privacy that as long as the attorney general can certify that these foreign governments meet certain criteria, and again, it's very rigorous, those governments can now, going forward, once we've negotiated these agreements, be in a position to serve providers directly. so what you don't have the problem going forward is, using the u.k. as an example. the problem the british were having is they're investigating a british murder on british soil involving a british perpetrator but the person happened to use gmail. so when the brits wanted to get information from gmail,
4:03 pm
they were running into the u.s. blocking statute. so this allows foreign governments that meet very rigorous criteria, going forward, it creates a framework for those governments to be able to get access to the information they need. so in terms of the u.s. sort of side of it, i think we've restored our traditional ability to investigate and prosecute crimes. the real upshot for our foreign partners is they now have access to the evidence that they need, again, so long as they meet certain criteria. the broader point in this is to avoid data localization, right? if we weren't able to negotiate this type of framework, what would eventually happen is foreign governments would require u.s. providers to store data concerning their citizens in their countries so they would
4:04 pm
have territorial access to it. that's not good from a foreign policy perspective, from a business perspective. it's really not in the american national interest for data localization to occur. so part of what's motivating, i think, all of us as we think about this is ensuring that we have a free, open internet, and ideally this legislation will get us moving in that direction. >> i want to explore the executive agreement side a little more in a moment, but sort of aligning both sides of the cloud act is existent treaties and whether or not microsoft -- one of the arguments made is the government should rely on mlats. why weren't they an alternative here? >> mlats are a very useful tool, but they're something that i think of as a 20th century tool. they are slow and difficult to use, especially in an age where
4:05 pm
we have so much crime that so rapidly crosses our borders because it involves evidence on the internet or crimes committed over the internet. so what i see of the problems that we have had with mlats are a range of things. we don't have mutual legal assistance treaties with every country in the world. they are bilateral and they're with something like half the countries in the world. when we do have a legal assistance treaty with another country, they're usually slow. when i say slow, really slow for purposes of investigations. ireland, for example, told us they generally have a turnaround time for request of evidence from the united states of 14 to 18 months. so when you think about the situation where we have, say, evidence to believe that american children are being abused as part of a sexual exploitation ring and we go to ireland and say, we need this evidence because we need to figure out who the other players are and identify the children,
4:06 pm
and they say, no problem, we'll get back to you, and then 14 months later we get some answer from them -- i'm not saying ireland especially in this regard, it's unfortunately commonly true. >> there are no emergency provisions in the mlat? >> there is the possibility of moving us up in the queue if we pound the table and get angry, but this is not the thing. in many cases, it's not an emergency. it's real serious but there's no imminent loss of life available. so the basic thing i want to cap it is that there are some providers such as google that move their data around. and, in fact, take a single account and split it up between different countries. and, in fact, don't make that data accessible to anyone in the foreign country. it's absolutely impossible to chase it around with a long, slow, deliberative process where
4:07 pm
we go to malaysia today and they say three months later, that data's not here anymore. it's been moved to ireland. okay, we'll go to ireland. it's not here anymore. that's not going to work. i'm not saying mlat is completely out the door. i think we are going to continue to have to rely on it in many types of situations. it's sort of a fact of life. what the legislation, though, is trying to do is reduce the number of situations where mlat applies, because orders can be served more directly, and to assure that we have the authority to compel companies like google to disclose the information and hopefully will reduce the stress on the mlat system so that, in fact, countries are able to comply much more quickly than they have in the past. >> so returning to the executive agreements, there are really requirements on two levels for executive agreements. there are general requirements about what the laws should do in that country, then there are requirements for sort of the
4:08 pm
criteria of which orders are issued as well. sort of break that down a little bit, how the two levels -- >> sure. there are a set of criteria that a foreign country's legal system must meet in order to be eligible for an agreement under the cloud act. and the rules are set out to indicate that that other legal system is, indeed, a sort of like-minded law-abiding protective type of legal system. so the criteria, for example, are that the legal system protects from arbitrary and unlawful interference with privacy, assures fair trial rights, assures freedom of expression, association and peaceful assembly, so the kinds of things we would expect for rights respecting law-abiding countries.
4:09 pm
in order to meet those rules, then, the attorney general in consultation with the secretary of state would be able to enter into that agreement assuring that each has access to the other countries' providers in the appropriate circumstances, which we can also address now. >> if i would just follow up on that, the attorney general essentially has to certify and provide a public explanation for the fact that this foreign government, this foreign country, meets these various standards. so as richard was saying, we would have to certify that the domestic law of the foreign government affords robust, substantive and procedural protections for privacy and civil liberties in light of the data collection activities of the foreign government, and there are a number of factors that we have to certify essentially that the foreign government's own legal system meets. respect for the rule of law, adheres to national applicable
4:10 pm
human rights, human interference, fair trial rights, and the list goes on. it's very significant to understand that we won't be allowing u.s. providers to turn over data to totalitarian regimes. to even qualify for this framework, you have to be certified to meet these very high standards, and the reality is our closest partners, the british, have themselves yet to fully comply. in fact, they've adjusted their own domestic legislation in preparation for these kinds of agreements. so it's a very important point to understand, is that this is privacy lifting, this is privacy protecting. the whole point of this legislation is if foreign governments want access to data that is stored or owned by u.s. providers, they have to meet very rigorous standards, and this is one way for us, in a soft kind of way, to ensure that rule of law principles, that privacy principles, are extended beyond our borders.
4:11 pm
>> do you have a sense of sort of how fast these agreements are likely to come into effect, what countries might be next? do you have any plans on that? >> the u.k. was the one that approached us with this idea, so they will very likely be the first in line, and we've already begun to explore what a text might look like. we're very interested in moving towards having other countries participate in this framework. i think it is a powerful idea and we've begun to see interest by other governments in participating. but we don't have a rollout schedule, nor do we have a list of who is second and third. these are all questions that are under consideration and will be thinking about them and finding our way forward.
4:12 pm
>> and as the legislation makes clear, any such agreement would be subject to rigorous congressional review. the public would have a right to see these. there is a whole process here that ensures that countries that qualify, it's a sober and rational and thought-through process. nobody is going to be rushing into any kind of agreements of the. >> in addition to the criteria for agreements themselves, there is certain criteria about the orders issued under the agreement, like particularity and things like that. describe briefly what those are. >> the idea behind the listing of criteria is to make sure that orders under foreign law meet a really robust criteria. the words "probable cause" do not appear in the agreement. that's a very american concept or at least american phrasing of an idea. but the basic notion, though, is to emulate these kinds of ideas in other foreign legal systems which perhaps use slightly different safeguards to accomplish very much the same thing.
4:13 pm
so amongst the rules that are listed, it talks about the foreign court has to have articulable and credible facts, particularity and regularity, for example, and review and oversight by a judge. someone said it sounds like you have to get a warrant. that's probably pretty equivalent, but it's written in a way to make sure other countries' legal systems -- it's flexible enough that it can take into account their ideas, their safeguards, the way they do business at least to a fair degree. if we insisted that everybody do it exactly the way we do it, i suspect we will have zero partners able to enter into an agreement with us. i think what we tried to do is hit a sweet spot that is, in fact, quite strong and privacy protecting, and hopefully -- but flexible enough we would be able to extend this framework to a number of our close allies and partners and others who view these kinds of protection in a similar way that we do. >> to be clear, this statute
4:14 pm
authorizes not only access to stored communications but live interceptions, is that correct? >> that's true. >> so in theory, the government could force a provider to an interception under criteria of the wire tap act, for example? >> there are rules for the provision of foreign wire taps. it's sort of an interesting question because there are commentators or academics out there who have said why should u.s. law apply at all to this activity? remember, the paradigm here is the murder that's happened in london and the offender is believed to be british and the victim is british and everything is going on in england, why should u.s. law have anything to say about that just because the pure happenstance that the provider or the place where one can do an intercept is in the united states? an interesting point that one could debate. we said, look, we're not sure we're quite comfortable to
4:15 pm
move all that way. i think we need to make sure things are in place to make sure other countries are following robust rules. i think understanding that kind of way of looking at the world, they're not targeting u.s. persons. that's a requirement in the agreement. and so u.s. persons, i think, would give the united states much higher sovereignty interests in protecting our own citizens from wire taps that don't perhaps meet the same set of rules that we have. but if there is no u.s. person involved, well, then, why shouldn't we at least reduce the level of our sovereignty interests and reduce through this kind of an agreement the kinds of rules that would apply in that situation. >> but a u.s. person could be involved in the sense that even if they're targeting a foreign person, if that foreign person is engaged in a communication with the u.s. person, you would still be involved in the u.s.
4:16 pm
communication as well, correct? >> that's possible, yes. and there are efforts to try to take that into account as well, so there are rules about minimization. that is if they ended up targeting a u.s. citizen inadvertently, maybe they didn't realize it was a u.s. person when they started and then figured it out, they would minimization and try to use public rules. there is also something about sending a person back to the u.s. if the u.k. is looking at a group of terrorists that they believe might be bombing the u.s. subway and they're also planning to bomb the new york subway, you can believe we need that information in order to protect people. so there is balancing all the interests involved, knowing there will be some circumstances in which a u.s. person could be intercepted or whose data could be obtained. let me also say there is a provision in there for an audit of the foreign government's activities, so we intend to be
4:17 pm
making efforts to check to make sure they're following through on their obligations, and there is a required five-year review of the agreement to make sure they're doing their thing. so there is always going to be hiding in the back there, if they are not following through on their obligations, we will cut off our agreement with them, likely to their detriment. i think there are a number of steps that are tried to be built in to address these very concerns and to make sure we are not going to have u.s. persons' data be unfairly targeted or disclosed willy-nilly. >> so i think we could spend the whole session on the cloud act, but since our time is limited, i do want to move to a couple other topics. one that's been in the news for a number of years again this weekend is encryption. let's start at the beginning. from law enforcement's
4:18 pm
perspective, that term often gets used as going dark. what is the going dark problem from law enforcement's perspective? >> i think going dark transcends actually a number of different categories. in basic terms it relates to the government's inability, even despite having lawful process, to get access to electronic evidence for various reasons. whether it's, as in the microsoft situation, because it was stored abroad so we actually physically can't get to it. whether it's because providers have chosen not to retain certain kinds of data, so even though it was created at some point, by the time we serve the process, it's no longer there. or in the context that i think a lot of people think about it is in the context of encryption
4:19 pm
technologies, or anonymization technologies, that it's encrypted or scrambled in a way that we can't have access to the plain text. >> and there is a difference between data at rest and data in motion, right? >> data at rest is something found on your device, so the device itself is encrypted so you can't access the information on it. data in motion would be communications between two people. if i'm sending i.m.s to my friend, as long as we meet the very rigorous requirements of the wire tap act, we should have the ability to intercept those communications. but increasingly, the way technologies have evolved, that capability has been engineered away so that even if you have a valid wire tap order and you've got evidence that a particular person is using a particular technology, and there's probable cause that that technology is furthering criminal activity, we're not able to intercept
4:20 pm
because of the way the technology has been created. so there are sort of two sides of a common problem. they do pose different technological problems, but they're all part of a broader concern that we have, that even with lawful process, even having satisfied all of the requirements of the fourth amendment, investigators are still not able to get access to the evidence that they need.
4:21 pm
so how many investigations were really stymied because -- versus there were other alternatives where you got what you needed? >> the effort to try to answer that question is ongoing. we in the law enforcement community have been trying to do a better job of figuring out how many devices and how many cases are affected. it's certainly true that when police officers or special agents encounter an encryption roadblock, they'll do their best to find some other way around it and solve the case. they're also not very good about making notes about the cases they weren't able to solve or to try to take -- keep statistics about the situations where that was a problem, especially in those situations where some other solution was there. so 7800, that is -- that should be taken as a rough number to give a sense of scale but it's
4:22 pm
by no means definitive partly for the reasons you say but also because it represents some devices that law enforcement encounters. it's one law enforcement agency, not every of the 16000 police departments across the country it's important to understand and there are anecdotes and anecdotes are not the same as statistics but it's important to understand this problem affects all sorts of different kinds of cases across the investigations that we do. it affects child exploitation crimes, computer hacking, cases involving weapons of mass destruction. this is a universal problem that if you talk to police officers or prosecutors that they see more and more and across the board across all different types of investigations. is it useful to give an example? >> sure. >> one of the things i prosecuted investigated a case involving two young men who decided that they were going to rape their -- this teen of their
4:23 pm
acquaintance and they used a messaging service back and forth where they basically laid out the plan for the crime where they were going to get her drunk until she passed out and -- and they did, indeed, rape her in the back of one of their cars. what would we have if we didn't have the content of those communications, which clearly laid out their intent? we would have two people, perhaps the metadata would show they were talking to each other but, of course, two friends talking to each other is not even that exceptional and the victim, of course, would have a hard time, would be describing what happened because she was, of course, intoxicated at the hands of these two people and doesn't remember what happened in the back of the car. so, i don't mean to spring, oh, the scary case on you. there's just endless cases where this type of situation is going to come up. it's going to affect all sorts
4:24 pm
of things but sometimes giving a real example helps us think through the question in a much less academic way of saying this is affecting public safety and if it were to happen to someone that you know, it's very different feeling than you get to talk about this in terms of do i like the fact that the government can surveil me. it's like -- i like to say it's like the question of do you like taxes. no, i don't like taxes, i don't want to pay taxes but do we like the idea of taxes? of course, yes. taxes provide for schools and roads and national defense. these are important things. so how you ask the question and how you think about the issue is very important in trying to come up with a good and fair policy solution. >> one of the pushbacks -- there were a number, and we'll talk to a couple but one pushback is that even if the u.s. were to pass a law mandating access or mandating providers have a
4:25 pm
method of access that any criminal could download an application that was overseas or something like that and evade the mandatory access prohibition so that with all the disadvantages which we can talk about, you wouldn't even solve the problem. >> there are a couple different points. your point about international law is interesting samir because we've started to see some of our foreign partners and some countries that are not our foreign partners start moving in this area. the united kingdom has enacted legislation in this area. australia publicly announced they're thinking seriously and there will probably be movement over the next few months. the chinese government asserted authorities in this area so i don't think it's a fair characterization to say that we're kind of at the cutting edge of this. in fact many countries have started moving in this area and we're in danger of falling
4:26 pm
behind because of the developments we've seen around the world. the other point is the reality of network effects. people tend to use communications platforms that their friends use, that their colleagues use so the reality is people tend to use the systems that other people are using. that's what we're most interested in. we're not most interested in shutting down innovation, people working out of their garage. we're focused on people using mass-market devices that encrypt by default because that's ultimately what most people are using and those are the kinds of devices that we need access to. so these are not insignificant points. we are focused on ensuring american businesses stay competitive but we also have a duty to public safety and what we want to avoid is a situation where we are sacrificing corporate dollars for people being safe, for people -- for us to investigate crimes and ensure
4:27 pm
that the individuals that richard described are brought to justice. it's a fine balancing act but we're not doing our jobs unless we keep that ultimate public safety rationale in mind. >> on the public safety rationale, i think a lot of critics would say that mandatory access prohibition undermines safety because it will decrease the security of encryption and make all devices more vulnerable to cyber attacks and the like. >> i think department leadership -- the department of justice has been very vocal about this. certainly the federal bureau of investigation has been vocal. my boss, the deputy attorney general has made speeches in recent months. he's emphasized we don't want to hurt cyber security. we are content for providers to come up with their own solutions for this problem so the government doesn't want the keys. we don't want to be the ones managing this process. we want to ensure that we have access to the information in the
4:28 pm
same way we did as recently as two or three years ago. >> i think that argument is even though it's the providers are doing it, the very act of doing it will result in a weakened security system. >> it's fair to say absolute secrecy is not a value that we would uphold. there has to be some balance. there has to be some striking of a balance between the privacy of your communications and law enforcement's availability with a warrant to access it. so if there are marginal tradeoffs to be made, that's a policy decision but we've certainly -- in our society we've never had a situation where absolute privacy or absolute secrecy has trumped every other value so that would be my answer is unfortunately we're moving in that direction and if we end up there, that's one thing but that's something as a community, as a society, we need to have the conversation. it shouldn't be technology
4:29 pm
providers drawing that balance for us. >> what do you see as the next step? this discussion has been ongoing for several years and isn't moving much further. is there going to be legislation? what do you see as the next step? >> raising public consciousness is an important part of this so that's why from the department of justice's perspective we've been vocal. our leadership has been out front on this making sure that the public is aware of the stakes here. that's one of the reasons why the statistics are important. as time goes on my hunch is that we'll see a greater number of devices we can't access, at least that's how the trend is going. so people need to be aware of
4:30 pm
that. and if as a society we make the decision that we're able and willing to put up with that kind of a situation, that's where we are. but that public consciousness is very important. that's why the department is going to keep on top of this issue because it's something for those of us who have sworn an oath to uphold the constitution and make sure society remains as safe as we can keep it, we have an obligation to make sure that people are aware of what's at stake. >> i want to spend a couple minutes and then open it up to questions on carpenter, which was the other supreme court case that this is a big term in the supreme court for surveillance-related issues. again, recognizing it's pending so there are caveats on how much you can say, describe briefly what basically is "carpenter" about. >> i can say in basic terms and i'm sure richard can say more, it gets back samir to the point you made earlier about metadata.
4:31 pm
carpenter is a case that deals with historical cell location information. many of you are familiar with the fact that every time you make a phone call or send a text message your provider for its own business purposes will maintain a record of that. there are reasons why. they want to make sure they're giving you the best service because every time your phone bounces off a cell tower that's recorded so that the company knows where its customers are moving. it can make sure that it routes resources to where cell towers are. so there are business reasons why providers maintain that information. now under the stored communications act -- and richard is the expert -- under traditional subpoena principles, this historical information maintained by a third party typically just requires a relevance standard. if an investigation is undertaking an investigation, issues a subpoena, that should be
4:32 pm
enough. when congress enacted the stored communications act, it raised the bar such that it wasn't enough just under a general relevant standard but the government had to show -- i forget, reasonable and -- >> specific and articulable. >> yes, it raised the bar from a general to a higher standard. so long as an investigator could swear that i need this data because it meets this standard, we could secure that information from a provider. the reason why this case is so interesting is the defendant in that case committed i think a number of armed robberies and so the government in trying to recreate his steps and figure out how many robberies this guy committed essentially requested cell location information, historical information going back a span a number of months. and the argument now that the defendant raised is that well that violated my fourth amendment rights because under
4:33 pm
his argument the government was tracking me or surveilling me and if it will do that it needs a warrant. so that's the issue before the supreme court right now. extremely important. we won't comment about the specific facts because the case is pending but it is a very important case because it goes to what's called the third party doctrine. it's been in effect since the 1970s which basically says if a third party has control of the records like what we were talking about earlier, it's their records, if the individual has no privacy interest in a third party's records and so that's a key issue because if the court rules differently it could have tremendous implications on how we conduct investigations. >> the push back is that particularly if the government collects months or years of potentially location information that that is different in kind in terms of the amount of information and privacy invasion
4:34 pm
that occurs in that context. >> perhaps. i think there are two responses to that. the cell location information was not granular. so when you get a location of where the it's pinging off of -- >> well, but that could change. >> yes but we can only deal with the information in the case. think about your phone records, your land line records. this was litigated in the supreme court in the 1970s, your land line records are more granular than your general historical cell location. when i make a phone call from my house sitting in my bedroom, the person, the investigators who subpoena my records knows exactly where i was at that moment, at that time and for how long i was on the phone. everyone acknowledges there's no time limitation on investigators' ability to subpoena your day to day telephone records. so that's where i think some of the difficulties are and the most interesting aspects of the
4:35 pm
case are is under traditional fourth amendment doctrine this is almost an easy case but the digital nature of the evidence, the fact that there is location information involved, some of the issues that you've raised that as technology gets more particularized what implications does it have? i think it makes a case more interesting but what's very interesting is there was no circuit split when the case went to the supreme court. so in other words all of the circuit courts of appeals ruled in favor of the government so it will be interesting to see where the court ends up. >> we have 10 or 20 minutes left and i want to leave time for questions. >> [ inaudible question ] it's very interesting and clear and thank you for listening and coming from the reading, i had a question about realtime intercepts. [ inaudible question ] i was wondering if you could talk about incidental collection and other things in the u.s.
4:36 pm
statute. because the fisa cases where there was targeting of non-u.s. persons but there was incidental collection about the communications of a few u.s. persons. and the court turned out to be skeptical about that program and said there's constitutional interest and we shouldn't continue with the program that way. can you give us a sense of how you talk with the british about doing wiretaps in the u.s. that collect incidentally about u.s. persons when they don't have the probable cause, et cetera, warrant we've always had? >> this is an interesting question so thank you for raising it. one important question that in order for the fourth amendment to apply at all is whether there has been state action. is the u.s. government involved and so i think the baseline against which we have to begin this analysis is that this is a crime outside the united states being investigated by someone
4:37 pm
who isn't the u.s. government getting orders in their courts against the -- they would proceed and ten years ago they may well intercept u.s. persons communications because they're calling phones in the uk at the time and there would be zero applicability of the fourth amendment to that situation. the other thing that's important to know is that agreements are required to state that the u.s. government may not ask the foreign government to do some wiretapping on our behalf or, frankly, anyone is not permitted so this is very much intended to be a fire break against the idea that people are going to use this as an end-around to get to something they couldn't get themselves. so at bottom it's an interesting question. it will be interesting to see whether it comes up. whether it would be an odd situation, most reasonably come up in a criminal investigation where the evidence was passed
4:38 pm
back and used in the united states. i don't know how often that will happen, it may be quite rare indeed. >> i have a question about the -- so if you have these agreements would be the most advantageous, right? and so you go through this process where you have the requirements and you get the agreement but those are with countries that have similar values. so my question is how effective is it going to be? a lot of cyber criminals are in countries that don't have those values that we're not going to have an agreement with. so how do you see this working there? could you go ahead and use the cloud act and say to microsoft so you have data stored in russia, in china for example. you still have it under your possession and custody and control so you have to produce it. what's the difference? if you don't have that agreement, how does that impact what you can do? >> i think it's important to understand there are two pieces
4:39 pm
to the cloud act. one is if you like clarifying u.s. law for u.s. warrants that if you think of it being outbound to data stored outside the united states and the second part, somewhat unrelated, has to do with the executive agreements where we would be serving them on foreign providers or foreign countries would be serving their legal process on u.s. providers. your scenario where what if the data stored in russia by microsoft, in that situation it's the first of those two things. the executive agreement doesn't get involved. we serve our legal process on microsoft and they comply because now the law is clear that they must if it's within their possession, custody and control. >> the russian courts just required telegram to turn over the encryption keys for that particular service. do you see a situation where a foreign government would be able to use the cloud act to perhaps
4:40 pm
require a u.s. company to turn over private keys or any hardware encryption in connection with that service? >> the answer is the cloud act does nothing to change the situation with respect to foreign legal process. there's an explicit provision that says these agreements may not enhance the authority or detract, it's neutral and that was made explicit. it's important to understand these executive agreements are designed to lower u.s. blocking statutes in a -- that rare situation when it's happening. it doesn't grant new authority to the united states government. the agreements don't grant new authority and the agreements don't grant new authority to the foreign governments. it reduces our blocking statute in that rare -- not rare but certainly rare to begin with situation where the agreement is in place and the bells and whistles have been met. and i think the cloud has a specific provision saying it's
4:41 pm
not authorizing decryption on the part of the government. >> it's part of the agreements. >> a general question about the cloud act. how do you think as a practical matter what executive agreement impact a company subject to a cfius agreement? that is a company subject to the committee on foreign investment in the u.s. and as controlled by a foreign investor is limited in extent to which it can provide governments outside the u.s. with information or stored information there? so foreign government demands have to be approved before they can be complied with, even if there's a subsidiary or supplier outside the u.s. there could be a practical impact where the company says i'm entitled to this, recipient says but i'm subject to this other agreement with the department and then more generally if the executive agreement framework works out do you see the cfius process increasing some flexibility or
4:42 pm
greater distinctions between companies controlled by investors in china, versus companies controlled by investors in germany to pick one. >> so that's a very interesting question but i have not encountered it before so thank you for raising it. i think the answer, though, is fairly clear. that is that the executive agreements and the lowering of those barriers only applies to the stored communications act. it's essentially a provision that is saying the rules that apply in this particular situation will be dropped, it doesn't say all rules everywhere will be dropped so if there were other restrictions that applied i don't think this would serve to lower those differently so if there were requirements under cfius or some other thing i don't think this would affect that. >> in the back there. >> [ inaudible question ] >> could you speak louder? >> sure, i was wondering if you
4:43 pm
can comment on which devices have been proven more challenging to access? whether it's android phones or apple phones, if you could give insight on which has been a little bit more troubling? >> i would hesitate to break it down that way. i think the we're facing transcends all types of smartphones, particularly the most recent operating systems. is that a fair assessment? >> yup. >> i'm curious, it's not clearly specified in the cloud act what countries standards of free expression would necessarily apply or how someone who is responding to a request coming through would judge whether a particular case is affecting free expression or not and i'm curious if you could comment on how that should be evaluated. >> it's something that experts would analyze or we'd bring in people from all different walks of life who are expert in civil liberties and privacy issues. they are part of the certification process.
4:44 pm
>> he was mentioning the other legal system has to respect free speech, so there's that. and then in addition, a specific obligation in the agreement would be that you cannot use this to infringe freedom of speech so that also goes to your question. as you may know, the united states is on the spectrum of free speech protections at the extreme end and so i think it is interesting to think about how we will interact with foreign countries that maybe are quite protective of freedom of speech but not quite at the end of the spectrum as we are. the way that i would see this particular provision working, though, in a particular case would be if on the one hand the provider believes that it is merely intended to violate freedom of speech and they could raise it with the united states government and say we think this
4:45 pm
is merely going after political dissidents or whatever and there is a provision in the agreement that's required where it's an escape valve. we, the united states government, reserve the right to veto any foreign order if we believe it does not fit within the scope of the agreement. so i would like to think those things would come up and it would be a question we would be evaluating when we audit the foreign government's compliance and think about whether to renew agreements to the degree to which they've been compliant with this rule. >> just to clarify, the u.s. government isn't going to serve with these orders, right? it would take a provider to come to the u.s. government? >> that's true. the idea would be to not have the u.s. government in the middle between the provider and the foreign government, that's an mlat, we've seen why that has
4:47 pm
unfortunate difficulties in the modern age. >> time for one more question in the back. >> i have a bizarre question kind of backtracking to the discussion talking about deencryption. in the event let's say the government is like okay, manufacturers, provide a de encryption key for your devices. i feel like it's inevitable for other companies outside of the manufacturer to create such technology itself. so what will happen in the event that one entity decides to assert its ip rights against someone else trying to create that de-encryption data, patent rights, copyrights, potential trade secrets, even though i know that's not a federal set of laws. i foresee that becoming kind of messy a little later down the road. >> let me see if i understand the question correctly. a situation where one company is providing a decryption solution to law enforcement, another company is doing the same
4:48 pm
business and somehow gets ahold of the trade secret, if you like, that was being used by the first company, to conduct the decrypting of the devices? >> is that fair? >> let's say microsoft, the de-encryption is for their device. another company pops up and creates its own de-encryption mechanism for that specific device. what will happen if microsoft decides to exercise its ip rights against that second company? i just foresee that getting hazy if the overall goal is to deencrypt or provide a method to have access or for the government to have access to such information. >> it's an interesting question. i don't know if we've thought about all that. if we end up in that situation, perhaps we're in a good place because we've solved the problem we've been seeking to solve, we can deal with it as we go forward. it's a very good question. i don't think my thinking has gone that far. >> with that, let me thank richard and sujit for taking the time and explaining their perspective. thank you very much.
4:49 pm
[ applause ] [ inaudible conversation ]