walt was referring to the gateway project which is sadly a lot more than $300 million. it's got about that amount roughly in the legislation. one thing that i would say and you have to look for the pearls amongst the swine in this situation, the research arm of congress are part of the library of congress and all of their reports were private to congress. they were not released to the public. issues what with the passage of the cloud act for the last week and the percolating issues in the courts and policymaking circles. we are honored to be joined by two senior doj officials and i will let them introduce themselves in a moment to really onk about doj's perspective some of these surveillance issues as well as the newly passed cloud act.

we will do iswhat for the first 40 or 45 minutes, i will basically be questioning them and walking through some of the issues getting their perspective. then we believe the last 15 to 20 minutes for folks in the to ask them whatever questions on issues we didn't cover or related issues. the format will keep pretty simple. let me start by asking them to introduce themselves. ahman.name is sujit r i helped oversee cyber investigations as well as policy development. it's a great pleasure to be here today. >> my name is richard downing. i have a unfortunately long title. acting assistant -- acting deputy assistant attorney general. i'm in the criminal division of the department of justice. i work on electronic evidence is

sous. and i oversee our child exploitation and obscenity section. the privacyrtner in and cyber section. used to be senior director for cyber on the national security council at the white house. prior to that i had sujit's position. i think where we will start, the supreme court recently heard arguments in microsoft. we plan to talk about the legal issues in that case. events have overtaken that a bit with congress having passed the clarifyingthe overseas use of data act. issue thats the main was presented in microsoft. give you concrete facts i might ask you to talk briefly about the basic facts in the microsoft case. what was the basic issue?

the microsoft case involved a challenge to a warrant that was issued under the stored communications act by a u.s. court. microsoft challenged the order saying that the evidence that was at issue here was being stored at its ireland data center. this was information that microsoft had chosen for its business purposes to store their -- a store there. -- store there. -- should not apply to data that is stored outside of the united war andarguing that the limited to the territory of the united states. the government's position was the contrary. we believe and continue to assert that congress can -- these warrants cover such data.

any -- needs to be disclosed when a u.s. court -- is issued to that provider. can see why the decision that came out of the second circuit was deeply damaging to the government's interest because essentially it's a u.s. crime and u.s. perpetrator as far as we know. because the u.s. provider had chosen to store the data abroad we were basically powerless to get access to that evidence. you can see the wide implication of a ruling like that. so many service providers split up date all around the world. if it's a situation where it's a u.s. crime and u.s. judge and perpetrator and yet we are not able to access the evidence because it happens to have been stored abroad through a business decision that a company has chosen to make it was having a very serious impact on our ability to prosecute these cases. richard testified on the hill about how child explication

cases were being affected because the actual material that we needed to prosecute the case we could not get our hands on it even though we had a lawful warrant because it happened to have been stored outside the united states. it was a tremendous priority for us to get that decision reversed. case was argued a few weeks ago. we can't comment on the pending case. legislation going forward in our view has resulted that basic issue. >> how do you think the cloud act resolves the issue? >> the cloud act has a provision in it that in our view clarifies what we have always thought the case was which is that the stored communications act does data that is stored by u.s. provider outside of the united states. it's a very simple one paragraph switch that says this is what we

meant data that is stored by u.s. provider outside of the united states. and it is crystal clear now. one thing i wanted to emphasize is sujit's comment about a lawful warrant. what was not at issue was whether the warrant was properly issued. in our view this is not a question of privacy. we have met all of the constitutional rules and had an independent magistrate examiner warrant and all of the bells and whistles that are attending on that. this was a question of application of the law and standard question of whether this applied to data stored outside the u.s. >> the standard is whether or not the provider has possession, custody or control of the data. that is a standard that has some roots in u.s. law. describe where that comes from. i'm not sure i can point you to the case or the doctrine itself. the basic notion is very similar to the way we would expect subpoenas to be treated. if you receive a subpoena from a

grand jury you are retired to disclose documents in your possession if they are in your possession. if not a defense to a subpoena to say i chose to store my data inside a safe in my house and therefore the fourth amendment applies. i is not a defense to say have chosen to store the data outside of the u.s. that is not going to be sufficient to get you out of complying if you have possession, custody or control of that. ofthere has been a long line cases where banks might be foreign chartered but they have a president in the united states. as long as there is a presence in the united states if we serve that entity with a u.s. subpoena that entity is required to comply with process. so we have always seen the microsoft case as an extension of that traditional doctrine. the secondy for us

circuit decision was actually quite shocking. because from our perspective it seems to avenge the traditional enforcement had with respect to serving process. another reason why this legislation is really a game changer to the extent that it restores things back to where they can our have been from the beginning. i would also say this legislation was bipartisan. it had strong support from both sides of the aisle and the tech industry was very much on board. microsoft was very much our ally in this legislation. there are reasons why we can why it brought together a unique cast of characters. that's one of the reasons why it passed. because there is strong partisan support for the legislation. >> the act does allow for a provider to object or file a motion to object in certain circumstances. provide briefly what are the circumstances.

there is a larger question of conflicts of law. what happens if there is a situation where a provider is issued legal process that compels them to disclose statestion in the united the legal process is issued but there is a foreign law which bars them from disclosing that information. this is kind of the idea that sujit was referring states to wh respect to bank records. we have had the issue for decades where a subpoena in the united states is issued to a bank but the bank secrecy laws of switzerland, cayman islands is involved and how do we resolve the question. law the conflicts of question is raised in the legislation and created is a new section that addresses a fairly narrow set of situations but nevertheless is clearly set out in the legislation. it is sometimes called a comedy

-- comity analysis. in a narrow set of cases where there is an executive agreement between the united states and that foreign country whose law might be violated where that other country offers reciprocal rights for the provider to challenge and where there is an actual conflict than that set of rules in the cloud act would be triggered. if that's the case then the provider is empowered to come to court and say i shouldn't have to comply with this warrant because it highlights the law of zimbabwe. then the court would have a balancing test based on factors set out in the statute. it is an idea of an escape valve to try and address the possibility of a conflict of laws happening. notnt to be clear we have yet seen any u.s. provider come forward and allege an actual conflict between a u.s. legal process and foreign law, not even in the microsoft case.

it's an interesting thing when the european commission filed an amicus brief in the supreme court. my reading of it is they did not r was going to create such a conflict in the future. this is to some degree of that of a hypothetical but the statute is trying to think ahead about when that kind of conflict might happen. into that will be a strong force against creating these conflicts as well. alluded that in the microsoft case there was a u.s. subscriber. does the act deal with u.s. subscribers versus non-us subscribers? >> one very important aspect is how it deals with u.s. persons. one very important point to keep in mind as we have made it very clear as part of the legislation

that u.s. persons cannot be targeted as part of this legislation. if we negotiate an executive agreement with a foreign country they can't use that agreement to seek process on u.s. persons. that is something very important to keep in mind as we go forward. their interesting implications for how the statute applies to u.s. persons or persons residing in the united states. i don't know if you want to talk more about the contours of that. in the microsoft context. i think what you are driving at is the idea that this comity analysis would not be available if the subscriber is a u.s. person. u.s. process against u.s. companies involving u.s. account holders, there shouldn't be an wouldeven frankly that

come up in that situation and so having a conflict of law analysis apply doesn't make any sense. other than that i think that's the only one i can think of in this context. know it has only been a few days since the act has passed. if you are thinking through the practical implications of how this, toing to use what degree would these kinds of factors sort of shape when you will use the process under the cloud act versus try to negotiate with the provider versus asking them to litigate? off the pointd richard just made at least when it comes to us investigations in her view this legislation restores the status quo. process in the way we always have and traditionally have always done with respect to crimes that we are investigating under violations of u.s. law. interesting ist the bilateral agreement that we can negotiate with foreign governments because that is

something that didn't exist before. at least in theory what we were hearing from some of the providers was there is potential for a conflict of law where if they were to be served by a foreign government they wouldn't be able to produce because of u.s. law it has a blocking statute that doesn't permit foreign providers to provide information to foreign governments. what this statute does is essentially allow the listing of that statute in appropriate cases. it helps our partners those foreign governments that meet rigorous standards about rule of law, respect for privacy. that as long as the attorney general can certify that these foreign governments meet certain criteria and again it's very canrous those governments now going forward once we have negotiated these agreements be

in a position to serve providers directly. what you don't have a problem going forward is using the u.k. as an example. the problem the british were having is investigating a soilsh murder on british involving a british perpetrator but the person was happening to use gmail and so when the brits wanted to use information from gmail soil involving a british they were re u.s. blocking statute because of google was barred from producing that information under u.s. law. at legislation does is allow for foreign governments that need very rigorous criteria and so far we have not yet negotiated any such agreement or . framework to get access to information they need pursuant to very rigorous criteria. in terms of the u.s. side of it i think we have restored our traditional ability to investigate and prosecute crimes. the real upshot for our foreign partners is they now have access

to the evidence that they need so long as they meet certain criteria. the broader point is all this cash in all of this is to avoid data localization. if we weren't able to negotiate this type of framework that would eventually happen is that foreign governments would require u.s. providers to store data in their countries so they would have territorial access to it. that's not good from a foreign policy perspective or business perspective. it's not an american national interest for data localization to occur. part of what's motivating all of us is ensuring that we have a ideallyn internet and this legislation will get us moving in that direction. sort of underlying both sides of the cloud act is whether or microsoft one of the agreements they made -- foreign

governments could rely on -- what is the role of -- why weren't they an adequate alternative? mlats are a very useful tool. they are what i tend to think of 20th century tool. they are slow and difficult to use. what i see in the problems that we have had with mlats are a range of things. we don't have legal assistance treaties with every country in the world. these are bilateral and with only something like half the countries in the world. even when we do have a mutual legal assistance treaty with another country they are slow. example told us they

generally have a turnaround time for requests for evidence from the united states of 14 to 18 months. so if you think about a situation where we have evidence to believe that american children are being abused as part of a sexual exploitation ring and we go to ireland and say we need this evidence because we need to figure out who the other players are and identify the children and than 14 months later we get some answer from them and i not saying ireland is special in this regard. >> further emergency provisions in mlats? >> there is a possibility of moving it up in the queue if we pound the table and get angry. in many cases it's not emergency. it's real serious but there is no imminent loss of life available. want toc thing i cap it dashcam it --

-- long slow deliberative mlat process where we go to malaysia and they say three months later, the data is not here anymore. it has been moved to ireland. not here anymore. that's not going to work. let me conclude by saying i am is saying that mlat completely out the door. i think we are going to continue to have to rely on it in many types of situations. it is sort of a fact of life. what the legislation is trying to do is reduce the number of situations where mlat applies because orders can be served more directly and assure that we have the authority to compel topanies like google

disclose information and hopefully reduce stress on the mlat system so companies are able to comply much more quickly than they have in the past. >> returning to the executive agreement. the requirements in the statute on two levels. are general requirements about what the law should do and then there are some requirements also about the criteria where borders are issued. there are a set of criteria that a foreign country's legal system must meet in order to be eligible for an agreement under the cloud act. and the rules are set out to indicate that that other legal system is indeed a sort of like-minded law abiding protective type of legal system. the criteria for example are that the legal system protects

from arbitrary and unlawful interference with privacy, assures fair trial rights, freedom of expression, association of peaceful assembly, prohibitions on arbitrary arrest and detention. , we would expect for rights respecting law-abiding countries. therder to meet those rules attorney general in consultation with the secretary of state would be able to enter into that agreement assuring that each has access to the other country's providers in the appropriate circumstances. if i would follow-up on that, the attorney general has to certify and provide a public explanation for the fact that this foreign government meets these various standards. we would have to that the domestic law of the foreign

government affords robust protections for privacy and civil liberties in light of the data collection activities of the foreign government and there are a number of factors that we have to certify essentially. that the foreign governments own legal system meets respect for the rule of law. rights to human obligations. protection from arbitrary and unlawful interference. fair trial rights. the list goes on. it is very significant to understand that we won't be allowing u.s. providers to turn over data to totalitarian regimes. to even qualify for this framework you have to be certified to meet these very high standards and the reality is our closest partners, the british have themselves yet to fully comply. they have adjusted their own domestic legislation in preparation for these kinds of agreements. it's a very important point to understand. lifting.rivacy

this is privacy protecting. the whole point of this legislation is if foreign governments want access to data that is stored or owned by u.s. providers they have to meet very rigorous standards and this is one way for us in a soft kind of way to ensure that rule of law principles and privacy principles are extended beyond their borders. >> you mentioned the u.k., do you have a sense of how fast these agreements are likely to come into effect? >> the u.k. was the one that soroached us with this idea they will very likely be the first in line and we have already begun to explore what a text might look like. we are very sensitive towards moving to have other countries participated in this framework. it is a powerful idea and we have begun to see interest by other governments in participating.

but we don't have a rollout schedule nor do we have a list of who is second and third. these are all questions that are under consideration. as the legislation makes clear any such agreement would be subject to rigorous review.ional obviously the public would have a right to see these. there is a whole process here rw that ensures that countries have qualified. it's a sober and rational and thought through process. nobody is going to be rushing into any kind of agreements. criteriaare certain about the orders that are issued under the agreements like particularly and things like that. the idea behind the listing of criteria is to make sure that orders under foreign law meet really robust criteria. the words probable cause do not appear in the agreement.

that is a very american concept or at least american phrasing of the idea. is to emulateon these kinds of ideas in other foreign legal systems which perhaps use slightly different safeguards to accomplish the same thing. among the rules that are listed it talks about that the foreign court has to have articulable and credible facts, foricularity and legality example and review and oversight by a judge. some people say that sounds exactly like what you need to get a warrant. it is probably pretty equivalent but it is written in a way to make sure that other countries legal systems -- it's flexible enough that it can take into account their safeguards the way they do business at least to a fair degree. insisted that everybody do

it exactly the way we do it i suspect we will have zero partners able to enter into an agreement with us. what we tried to do is hit a sweet spot that is in fact quite strong and privacy protecting and hopefully flexible enough that we will be able to extend this framework to a number of our close allies and partners and others who view these kinds of protections in a similar way that we do. statute authorizes not only access to stored medications but live intercepts >> that is true. >> in theory the government could force a provider to engage in interception under criteria that were less than what were required in the wiretap act read what's the rationale for that? >> there are additional rules in the provision for foreign wiretaps.

there are academics out there who have said why should u.s. law apply at all to this activity? is the murder that happened in london and the offender is believed to be british and the victim is british and everything is going on in england. why should u.s. law have anything to say about that just because of the pure happenstance that the provider is in the united states? couldsting point that one debate. we said we are not sure we are comfortable to move all that way. i think we need to make sure there are reasonable rules in place to make sure that other countries are following robust and appropriate rules. i think understanding that kind of way of looking at the world they are not targeting u.s. persons. that's a requirement in the agreement. and so u.s. persons i think would give the united states much higher sovereignty protecting our own

citizens from wiretaps that don't perhaps meet the same set of rules we have but if there is no u.s. person involved why shouldn't we at least reduce the level of our sovereignty interests and reduce through this kind of agreement kinds of rules that would apply in that situation. >> a u.s. person could be involved in the sense that even if they are targeting a foreign person if that person is engaging in communicating with a u.s. person you would still be intercepted their comedic asian as well. >> that's possible. -- there'stions efforts to take that into account as well. there are rules about minimization. if they end up targeting a u.s. person inadvertently. negative can realize it was a u.s. citizen when they started. and they have to use minimization which is the legal term for putting that stuff aside and not using it and making it public and whatnot.

there are also rules about whether they can send information back to the united states about a u.s. person. there is a little bit of a balance if the u.k. is looking at a group of terrorists they believe might be bombing the london subway and they discover they are also planning to bomb the new york subway you better believe we are going to need to orderhat information in to protect people. there's an effort to balance all of the interests involved knowing there will be some circumstances under which a u.s. person could be intercepted or whose data could be obtained. let me also say there is a provisn there for a audit of the foreign governments beivities so we tend to making efforts to check that they are following through on is a obligations and there required five-year review of the agreement to make sure they are doing their thing. is always going to be hiding in the back if they are not following through on their obligations we will cut off our agreement with them.

-- from law enforcement's perspective there is something that is called going dark. >> that transcends a number of different categories. in basic terms it relates to the government's inability even despite having lawful process to get access to electronic evidence for various reasons. whether in the microsoft situation because it was stored abroad and so we actually physically can't get to it.

whether providers have chosen not to retain certain kinds of data. even though it was created at some point by the time we surfed the process it is no longer there. or in the context that a lot ofd the process it is no longer there. people think about it is encryption technologies. in other words criminals who are communicating in a way that is orher end-to-end encrypted is scrambled in a way that we can't decrypt or we can have access to the plaintext. >> there is a division between data at rest and data in motion. >> data at rest is found on your device so the device itself is encrypted and you can't access the contents of what's on it. data in motion would be communications between two people. if i'm sending and i messaged my long as we meet the very rigorous requirements of the wiretap act we should have the ability to intercept those

communications but increasingly the way the technologies have evolved that capability has been engineered away. you have a valid wiretap order and you've got evidence that a person is using a technology and there's probable cause that technology is further and criminal activity we are not able to intercept because of the way the technology has been created. are two sides of a common problem. they are part of a rotor concern -- broader concern that we have that even with lawful process even having satisfied all of the requirements of the fourth amendment investigators were still not able to get access to the evidence they need. >> let's talk about the scope of the problem. the fbi and doj started to put numbers on this and our director has recently talked about how the fbi couldn't get access to

7800 devices in 2017. to whath that number degree a lot of critics will say -- there are alternatives. in some cases the data may be backed up. for example icloud or there is metadata available that you can use nonelectronic evidence. how many investigations were really stymied versus other alternatives where you got what you needed? the effort to try to answer that question is ongoing. we in the law enforcement community have been trying to do a better job of figuring out how many devices and how many cases are affected. it is certainly true that when police officers or special agents encounter and encryption roadblock they're going to do their best to find some other way around it and solve the case.

beryl's are not very good about making notes about the cases they weren't able to solve or to keep statistics about the situations where that was a problem especially in those situations where some other solution was there. 7800 should be taken as a rough problemnumber to give a sense oe but it is by no means definitive hardly for the reasons that you say but also because it only represents some of the devices that law enforcement encounters. it's one law enforcement agency. not every of the 16,000 police departments across the country. thereortant to understand are of course anecdotes and anecdotes are not the same thing as statistics. it's important to understand that this problem does affect all sorts of different kinds of cases across the investigations that we do. affects child exportation

crimes, computer hacking, cases involving weapons of mass distraction. this is a universal problem that if you talk to police officers or prosecutors that they see more and more across-the-board all different types of investigation. example?ful to give an prosecutedsections i investigated a case involving two young men who decided they were going to rape this teen of their acquaintance and they used a messaging service back and forth where they basically laid out the plan for the crime where they were going to get her drunk until she passed out and they did indeed rape her in the back of one of their cars. we did notwe have if have the content of those communications which clearly laid out their intent? have two people perhaps

the metadata which show that they were talking to each other but of course two friends talking to each other is not that exceptional and the victim of course would have a hard time and would be describing what happened because she of course was intoxicated at the hands of these people and doesn't remember exactly what happened the back of the car. i don't mean to spring the scary case on you. there is endless cases where this type of situation is going to come up for it is going to affect all sorts of things. a real exampleg helps us think through the question in a much less academic way. saying this is actually affecting public safety and if it were to happen to someone that you know it's a very different feeling that you get than to talk about this in terms of doing like the fact that the government can serve ailment. it's a little bit of the question of do you like taxes. i don't want to pay taxes but do

we like the idea of taxes, of course. they provide for schools and roads and national defense. ask the question and how you think about the issue is very important in trying to come up with a good and fair policy solution. backs is thatpush pass a the u.s. were to law mandating access that any criminal could download an application that was made overseas or something like that and invade the mandatory access prohibition so with all of the disadvantages you and even necessarily solve the problem. what is doj's response on that. >> your point about international law is interesting because actually we have started to see some of our foreign partners and some that are not our foreign partners.

the united kingdom has enacted legislation in this area. australia has probably announced that they are thinking very seriously and there is probably going to be some movement over the next few months. the chinese government has asserted authority in this area. i don't think it's a fair weracterization to say that are at the cutting edge of this. many countries have already started moving in this area. we are falling behind because of the developments we have seen in the world. the reality of network effects, people tend to use communications platforms that their friends use. that their colleagues use. is people tend to use the systems that other people are using and that's what primarily we are most interested in. we are not really interested in cutting down innovation. people working out of their garage's novel we are focused

on. we are focused on people using mass-market devices that encrypt by default because that is what most people are using and those are the kinds of devices that we need access to. these are not insignificant points. onare very much focused ensuring that american businesses stay competitive. also have a duty to public safety. what we certainly want to avoid is a situation where we are sacrificing corporate dollars for people being saved. for us to be able to investigate crimes and ensure that individuals that richard described are brought to justice. it's a fine balancing act. doing our jobs unless we keep that ultimate public safety rationale in mind. >> on the public safety rationale i think a lot of critics would say that your mandatory access provision actually undermines safety because it will decrease the security of encryption and make

all devices more vulnerable to cyber attack. >> the department of justice has been very vocal about this. certainly the federal bureau of investigation has been vocal on this. a number ofmade speeches in recent months about the sort of idea of responsible encryption. i think he would emphasize that we don't in any way want to hurt cyber security. we are content for the providers to come up with their own solutions for this problem. the government doesn't want the keys. we don't want to be the ones managing the whole process. we just want to ensure that we have access to the information in the same way we did two or three years ago. >> the argument is even if the providers are doing it the very act of doing it will inevitably result in a weaker security. >> it's fair to say that absolute secrecy is not a value that we would uphold. there has to be some striking of a balance between the privacy of

your communications and law enforcement's ability with a warrant to be able to access it. if there are some marginal trade-offs to be made that's a policy decision. in our societyly never had a situation where absolute privacy or absolute secrecy has trumped every other value. so i think that would be my answer is unfortunately we are moving in that direction and if we end up there that's one thing. but that is something as a community, as a society we need to have that conversation. it shouldn't be the technology provider drawing that balance for us. >> what do you see as the next step? this is a discussion that has been ongoing in public for years now and not moving much further than that. is there going to be legislation? think raising public consciousness is very important part of this and that's why we have been very vocal, our

leadership has been out front on this making sure that the public is aware of the stakes. that's one of the reasons why the statistics are important. my hunch is that we are going to see a greater number of devices that we can't access. that's the way the trend is going. people need to be aware of that. ultimately if we make the decision that we are able and willing to put up with that kind of situation and that's where we are. consciousness is very important. that's why the department is certainly going to keep on top of this issue because it is those of us that have sworn an oath to make sure society remains as safe as we can keep it. we have an obligation to make aware of people are

what's potentially at stake. >> just a couple minutes and i will open it up to questions on carpenter which was the other supreme court case for surveillance related issues. of what's potentially at stake. >>recognizing that it's ending d there are caveats on how much you can say. describe a sickly what carpenter is about. >> i'm sure richard can say more. it gets back to the point you made earlier about metadata. carpenter is a case that deals with historical cell location information. many of you are probably familiar with the fact that every time you make a phone call or send a text message or your provider for its own business purposes and maintain a record of that and there are reasons why. sure they areake giving you the best service because every time your phone bounces off a cell tower that is recorded so the company knows where its customers are moving. it routese sure that resources to where cell towers are. there are business readers why providers maintain that information. under the stored communications traditional subpoena

principles with historical information that is maintained by a third-party typically just requires a relevance standard. if an investigator is undertaking an investigation that should be enough. when congress enacted the stored communications act that raised the bar such that it wasn't enough under a general relevance standard. government had to show it is to show thatcts this data is relevant to an ongoing criminal investigation. it raised the bar from a very general subpoena to a higher standard. as long as an investigator could swear to a judge that i need this data because it meets this standard we could secure that information from a provider. the reason why this case is so interesting is the defendant in aat case committed i think

number of armed robberies and so the government in trying to re-create his steps and figure out how many robberies did this guy commit essentially requested cell location information and historical information going back a number of months and the argument that the defendant has raised is that file it is my fourth amendment rights because under his argument the government was somehow tracking me or surveilling me and if it's going to do that it needs a warrant. issue before the supreme court right now. extremely important. we are not going to comment about the specific facts because the case is pending. it really is a very important case because it goes to what's called the third-party doctrine. it has been in effect since at least the 1970's it basically says if a third party has it isl of the records their records. the individual has no privacy interest in a third-party's records.

because ify issue the court rules differently it could have tremendous applications the patients on how we conduct investigations. >> the pushback i think is that particularly if the government collects months or years of location information that is different in kind in terms of the amount of information and privacy invasion that occurs in that kind. >> there are two responses to that. cell location information was not granular. when you get information of where a particular: what cell tower it was pinging off of within six square miles. >> that may change with technology. >> we can only deal with the record that is actually in the case. think about your phone records. your landline records. this was litigated in the supreme court in the 1970's. your landline records are far more granular than your general

historical cell location. when i make a phone call from my house sitting in my bedroom the investigator who subpoenas my record knows exactly where i was at that moment at that time and for how long i was on the phone. and everyone at knowledge is there's no time limitation on investigators ability to subpoena your day-to-day telephone records. that's where i think some of the really some are and of the aspects of the case is under traditional fourth amendment doctrine this is almost an easy case. what makes it very interesting is the digital nature of the evidence. the fact that there is location information involved. as technology gets even more -- what's very interesting about this case is there wasn't a circuit split. all of circuit court of appeals had ruled in favor of the

government. it will be interesting to see where the court ends up. >> we do have 10 or 12 minutes left. i want to leave time for questions. [inaudible] there was incidental collection about the communications of a few u.s. persons in the court turned out to be quite skeptical about that program and said there is too much constitutional interference and you shouldn't continue with the program.

can you give us any sense of how you talked with the british u.s. doing wiretaps in the that collect incidentally about u.s. persons when they don't cause for abable warrant? >> i think this is an interesting question. question that in order for the fourth minute to apply at all is whether there has been state action. that is is the u.s. government involved. i think the baseline against which we have to begin this analysis is that this is a crime outside the united states being investigated by someone who isn't the u.s. government orders -- they courts against would proceed and if you think about it 10 years ago they might be intercepting u.s. persons communications because they are calling phones in the u.k. at the time and of course there would be zero applicability of

the fourth amendment to that situation. the other thing that's important to know is that the agreements are required to state that the u.s. government may not ask the foreign government to do some wiretapping on our behalf frankly anyone is not permitted. this is very much intended to be a firebreak against the idea that people are going to use this as an end around to get something they couldn't get themselves. it's anat bottom interesting question. it would be interesting to see whether it comes up. it would be a rare and odd situation for it to come up because it would have to most -- reasonablyup come up in a criminal investigation. i don't know how often that's going to happen. it may the quite rare indeed. i have a question about the

cloud act. if you have these agreements would be the most advantageous and so you go through this process where you have the requirements and you get the agreement. but those are with countries that have produced similar values. my question is how effective is it going to be. a lot of the cyber criminals are in countries that don't have those values and so we are probably not going to be able to have an agreement with. how do you see this working there? could you go ahead and use the cloud act and say microsoft you have data stored in russia and china for example. you still have it under your custody and control so you have to produce it. what's the difference? if you don't have the agreement how does it impact what you can do? important to's

understand there are two pieces to the cloud act. one is if you like clarifying u.s. law for u.s. warrants think of it as being outbound for data stored in the united states. it has to do with executive agreements where we would be serving them on foreign providers or foreign countries would be serving their process on u.s. providers. i think your scenario where what is the data stored in russia by microsoft in that situation it's the first of those things. the executive agreements doesn't get involved. we serve our legal process on microsoft and they comply because now the law is clear that they must if it's in their possession, custody or control. recently the russian courts just required telegram to turn over the encryption keys for that particular service. do you see a situation where a foreign government would be able to use the cloud act to perhaps

require a u.s. company to turn over private keys or any hardware encryption in connection with that service? acthe answer is the cloud does nothing to change the situation with respect to foreign legal process. in fact there's a very explicit provision that says these agreements may not enhance the authority or detract from the authority. it is neutral with respect to them and that was made explicit. important tok it's understand that these executive agreements are designed to lower in thatcking statutes rare situation where it's happening. it does not grant new authority to the knot states government. the agreements don't grant new authority and they don't grant new authority to the foreign governments. it simply reduces their blocking situation that rare where the agreement is in place and all the bells and whistles have been met.

>> the cloud act also has a specific provisions of saying it is not authorizing a requirement of decryption. >> general question about the cloud act. practical matter how would an executive agreement impact a company who is subject to the committee on foreign investment in the u.s. and as controlled by a foreign investor is limited in the extent to which it can provide government outside of or u.s. with information store information there. foreign government demands have to be approved before they can be complied with you if you have a subsidiary or supplier outside ae u.s. so there could be practical impact where a country says i am entitled to this under an executive agreement. and more generally if the executive agreement framework the process you see

also increasing flexibility or greater distinctions between companies controlled by investors in china versus companies controlled by investors in germany? it's a very interesting question that i have not encountered before so thank you for raising it. i think the answer is fairly ther and that is that executive agreements and the lowering of those barriers only applies to the stored to indications act. it is essentially a provision that is saying the rules that apply in this particular situation will be dropped. it doesn't say all rules everywhere will be dropped so if there are other restrictions that applied i don't think this would serve to lower those different things. if there were requirements i don't think this would affect

that. >> in the back. -- data wondering access whether it was for example android phones -- i was wondering if you can comment on which devices have proven more challenging to access whether it is android phones or apple phones if you could give any insight on which has been a little bit more troubling? problem that we are facing transcends all types of smartphones particularly the most recent operating systems. is that a fair assessment? >> yes. >> it is not clearly specified in the act what countries standards of free expression would necessarily apply or how someone who is responding to a request coming through would judge whether a particular case

is affecting free expression are not and i am curious if you could comment on how that should be evaluated. that expertsng would analyze. we would bring in people from all walks of life who are experts in civil liberties. they are part of the certification process. is two ways it comes up. the first is that the other legal system has to respect free speech so there's that. in addition a specific obligation in the agreement would be that you cannot use this to infringe freedom of speech so that also goes to your question. as you may know the united states is on the spectrum of free speech protections at the it ise end and so i think

interesting to think about how we will interact with foreign countries that may be are quite protective of freedom of speech but not quite at the end of the spectrum as we are. the way that i would see this handcular -- on the one the provider believes that it is merely intended to violate freedom of speech and they could raise it with the united states government and say we think this is merely going after political dissidents or whatever and there is a provision in the agreement that is required where it is sort of an escape valve. we reserve the right to veto any foreign law compliant for an order if we believe it does not fit within the scope of the agreement so i would like to think those things would come up in that way and it would also be a question we would be evaluating when we audit the foreign governments compliance and think about whether to renew agreements is the degree to which they have

would take at provider to come to u.s. government to respect and of objection. be not to haveld the u.s. government in the middle to be between the provider and a foreign government. has unfortunate difficulties in the modern age. >> we have time for one more question, all the way in the back. >> i have a bizarre question backtracking the discussion about encryption. in the event the government says that there is a encryption key for your devices, i think it is almost inevitable outside of the manufacturer great sex technologies itself. what -- such technologies itself. what happens if they tried to create that encryption data and

the copyright and patent rights and potential trade secrets even though i know it is not a federal set of laws. i perceive that being kind of messy down the road. understand the question correctly, the situation where one company is providing a decryption solution to law enforcement and another company is also in the same business and somehow gets a hold of the trade secret that was being used by the first company to conduct the decrypting of the devices? is that fair? thehe encryption for device, and another company pops up and creates its own encryption mechanism for that specific device. what will happen if one or microsoft besides the exercise its ip rights against that second company? i foresee that getting hazy if the overall goal is to provide a method to have access for the government that access to information. it is an interesting question

and i don't know if we thought about it. if we end up in that situation perhaps we are in a good place because we have solved the problem we are sitting to resolve and will deal with it as we move forward. i don't think my thinking has gone that far. thanked you for taking the time here to offer your perspectives. [applause] [captions copyright national cable satellite corp. 2018] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org]

announcer: if you are watching this event heard people mention but how to act -- but without act, between president trump and theresa may of the u.k., and the prime minister may president trump fact the support in lotring the passage of the of overseeing data act, the cloud act, which will provide an important trope in that investigation of terrorists and other offenses in the u.k. and keep people living here savor. spokesperson on the phone call with prime minister theresa may and president trump. comingfe programming

later today, the helsinki commission also known as the commission on security and cooperation in europe. a panel on international organizations using the internet and postal service to get opioids into the u.s.. coverage begins in a little less than an hour on c-span. today join us for a testimony of cambridge analytica employee christopher wylie who appeared before the british house of commons yesterday. he said he believes the brexit vote was one through fraud and touches on the political data firm's work on the 2016 u.s. election. here is a preview. convincedsolutely there was a common plan and with veterans for britain. these companies somehow, for some reason,