tv Forum Focuses on Overseas Data Warrants and Social Media Privacy Concerns CSPAN July 11, 2017 2:00am-3:06am EDT
2:00 am
it may make sense to look at the democratic national committee coordinated opposition research. this is not an accusation. if you are looking for an example of a campaign coordinating with a foreign country, look no further than the dnc, who coordinated with the ukrainian embassy and nobody had a problem with that. the only thing inappropriate about the meeting was the people who leaked the information on the meeting. i would like to add that donald . on this and i am not going to add anything further. >> c-span, where history unfolds daily. c-span was created as a public service by american cable
2:01 am
companies and is brought to you by your cable or satellite provider. >> now, a look at proposed rules that would give foreign police quicker access to data on u.s. citizens and experts talk about the impact. this runs just over one hour. >> good afternoon. welcome to the briefing today. talking about fighting crimes while preserving privacy. this is hosted with the congressional internet caucus. this is with the support
2:02 am
of congressman bob goodlatte, john thune and patrick leahy. just a couple of housekeeping things before we begin. we are live streaming this event online. the audio and video will be available shortly after the event. don't forget to follow us on twitter and use the hashtag cross border warrants. before we begin, we will be having our next event balancing national security and privacy, a panel on fisa 702 this friday at noon in this room. we hope to see you all here this friday. without further ado, i would like to hand this over to carrie.
2:03 am
she was formerly at the department of justice. she'll be moderating this event today. thank you very much for joining us. carrie: thanks everyone for joining us today. we welcome our audience of staff members here with us today on capitol hill. thanks to c-span for bringing this discussion to a wider audience. the congressional internet caucus has assembled a panel of experts to discuss the legal, policy and privacy issues involving cross-border data requests and court orders. i will briefly introduce the panelists. their full bios are available on the congressional internet caucus website. each of them has experience in government, academia and civil society and issues related to capitol hill.
2:04 am
first to my left is richard downing, who is currently the deputy assistant attorney general in the criminal division of the united states department of justice. also to his left is jen dascal, who is an associate professor of law. next is the legislative counsel at the aclu. at the other end of the table is stephanie with reform government surveillance, a coalition of leading technology companies, so welcome all of you. thank you for being here today. i will give a couple of opening remarks, then we will proceed with our discussion. just to frame the conversation, we are all aware of the interconnectedness of our global communication. the location of people, their communication and their stored data is no longer fixed. our focus of today's discussion, as the title indicates, data warrants come across the pond, fighting crime while preserving privacy. our legislative policy proposals
2:05 am
exist to facilitate foreign governments obtaining a legal mechanism through which a foreign law enforcement agency can obtain stored data held by a u.s. communications company. in other words, can a u.s. company help another government's investigation and still adhere to u.s. law? currently, if a foreign law enforcement investigator identifies the subject is using a u.s. based provider, that government needs to work through the mutual legal treaty process. the law, including communications privacy act, precludes u.s. companies from handing over certain data to other countries. that limitation is grounded in protecting the privacy of users and customers who use those services.
2:06 am
the challenge of foreign governments' ability to access data held by u.s. companies is one issue. what to do about the law's lack of clarity and how the u.s. government can access data held by u.s. companies when that data is physically stored outside the united states is another related issue. that issue involves the modern interpretation of the 1986 stored communications act, which is working its way currently through the courts. the next stop for a case that was brought by microsoft and concerns data that is held in ireland will be with the united states supreme court. there are equities on all sides of these issues, including how to ensure that law enforcement can do its job consistent with the fourth amendment, how to protect the privacy of global
2:07 am
users of a network communications infrastructure, and how to do right by private industry in a way that doesn't stifle innovation, lead to data localization, and respects the challenges faced by global communications companies that may be caught between competing laws of different countries. that there are sides to this issue, probably all the participants in this discussion agree that these various challenges exist and concerns that are expressed are legitimate. the question then is what comes next in terms of how to address these issues. what changes, if any, need to be made to the united states law in order to accommodate these varying principles and objectives, and what would those legislative changes look like. before we get the discussion started here with my panel, i will invite up for a few
2:08 am
minutes chris randall and judd smith. mr. randall is the legislative director and counsel for representative hakeem jeffries from new york. judd smith is the legislative counsel for tom marino of pennsylvania. they will speak for a few minutes to describe the legislative efforts that their members are engaged in. [indiscernible] [no audio] >> sorry about that. for the past two congresses, my boss has been working to find a solution for the legal questions raised by law enforcement access. the current legal framework, provided by the electronic communications privacy act, was enacted over 30 years ago, in 1986.
2:09 am
when congress debated enacting this legislation, the internet was in its infancy. technology clearly left the law behind. it is time to bring the outdated law to address 21st century problems. until we address it, this issue will continue to arise in the courts with growing frequency. last year's decision from the second circuit in the microsoft case laid out a clear directive for congress to act. he understands the needs of law enforcement to obtain evidence in a timely and efficient manner. at the same time, he recognizes the importance of following the rule of law and preserving privacy. in the 114th congress he introduced the international communications privacy act as a first step towards finding a legislative solution. in the 115th congress, we were excited to be working with congressman jeffries to improve this bill. we have also been working with senator hatch and senator coons.
2:10 am
this is a true bipartisan effort. it is important that all parties, including privacy advocates, the d.o.j. and industry stakeholders, have a voice in this discussion. our goal is to find a solution that aligns these interests. the second circuit celebrity, congress needs to act in order to clarify and update the law. i look forward to hearing the insights from the panel today. >> good morning everybody. thank you for having us. as my colleague just said, ecpa came to us in 1986, over 30 years ago. needless to say, there is a lot that has changed in telecommunications law since. what we have is a scenario where tech companies are in a place where they have to figure out whether or not they are going to adhere to certain privacy protections or others. they have to make these difficult choices. foreign consumers are wondering whether or not tech companies
2:11 am
are going to be able to adequately protect their privacy interests. congress has the role, responsibility as we did in 1986 to decide where the law goes under the circumstances. recently, the microsoft case decided that it cannot be used to permit territorial search warrants. our colleagues at the d.o.j. are seeking to get the supreme court's take on that decision, which is their prerogative. regardless of the higher court decision, it is our role here in congress to decide what the law is and how we're going to make this work for law enforcement, for tech communities and for privacy. so with that said, you have representative hakeem jeffries from new york working with congressman marino from pennsylvania and colleagues over in the senate, senator hatch and coons, to find a solution that will reflect today's realities
2:12 am
, that will balance our fundamental privacy rights and our law enforcement needs. so with that, we look forward to a lively discussion and we will take back all that is discussed here to our bosses. we hope soon that we will have a product that we can move that will make sense for everybody. >> thank you. thank you both for your remarks. we're going to turn now to our panel of experts. i'm going to start by asking richard downing from the justice department. richard, could you first describe, starting with the issue that has been of interest to the united states and united kingdom on foreign government and foreign company cooperation. first, what is the issue from the perspective from the justice department from a law enforcement perspective? what is the problem that you're trying to fix? and then two, what is the current status of the justice
2:13 am
department's efforts to move this issue forward? >> sure. i think it's important to start with the problem as you point out. the paradigm case that i think we should be thinking about is a situation where there is a very serious crime imminent or has happened in a foreign country. let's say the u.k. in this case, and they are trying to solve that crime. it is a murder. scotland yard opens an investigation. they search a house and question witnesses. they seize cell phones. they're able to do all the investigation except there's a chunk of their case that is not located in the u.k. instead, it is located in the united states because it is a social media account or e-mail account or whatever it might be. in that situation, they would normally go through the mlat process.
2:14 am
that process is universally seen as being too slow and not up to the needs of speedy and important investigations that are going on. the providers are also in a jam. they see the u.k. needing this data. the u.k. could issue their own legal process and direct providers to comply. the u.s. providers are worried that if they did that for data stored in the united states, it would be in violation of u.s. law to disclose it. yet it is a very weird situation. why should u.s. law be controlling in this situation? it is mere happenstance that data is stored in the united states. some have suggested that we take that bar away and let u.k. law control completely and not worry about the location of the data. we've taken a slightly different approach. the providers came to us some time ago during the last administration and asked if we would work with them to come up
2:15 am
with some sort of an arrangement where the blocking statute, the u.s. law that prevents the provider, would be lifted in certain circumstances and certain countries. that's the genesis of this u.s.-u.k. arrangement. in order for that to be, we need to have congressional action to change the law. you'll see that idea was spawned in the last administration and now in this administration it has been taken up again. last year, we released a proposal and an almost identical proposal was released this year by this administration because it is a practical, useful thing, which has a number of important benefits. it helps our foreign partners, it's important that we support the needs of the u.k. in protecting its public safety. it supports the providers. it gets them out of this position of being in between two countries' laws, reduces the incentives for data localization. because countries that would
2:16 am
like to sign up would have to meet a series of robust privacy protections, it has the effect of raising privacy ideas across the world. it has also reciprocal benefits for the united states in those situations where data may be stored in the u.k. >> what are the two parts of the proposal? there's an agreement that has to take place between the two countries, then there is the legislative component. can you explain -- this isn't just a matter of congress passing law, there are different pieces that have to fit together. >> the idea is that in order for this to be worked out in a sort of way that does respect the need for a robust set of privacy safeguards and for robust civil liberties and what not protection, there has got to be a system for evaluating which countries would be appropriate for this. so the mechanism that we proposed there would be a bilateral agreement between the
2:17 am
united states and that foreign country, and we would work out the terms of that. in order to have that happen, there has to be legislation that lifts the blocking that is in current law. what the basic legislation says, if there is a bilateral agreement and it meets a set of really robust standards, in that situation, providers are entitled to disclose information in response to foreign court orders. those requirements are actually fairly stringent. it requires that orders, for example, be individualized. there's no bulk collection. it requires that orders be based on credible facts and particularity so they are specific to individuals and there is a real basis for them. they are not allowed to target u.s. persons. this is about solving foreign crimes. it's not about targeting u.s. persons. if they want to target u.s. persons, then they have to use
2:18 am
the existing legal process. it's a lot of stuff designed to make sure countries that qualify for this and we enter into agreements with are ones that we share basic baseline civil liberties and legal systems that we can respect and agree with. >> let me ask professor dascal. if you're looking for background reading, she has done a lot of academic work, including long and on thees website. professor, can you then take what richard has described and explain for our audience what he just described sounds perfectly reasonable. to the initial observer, what are
2:19 am
the sticky issues, the points where there are areas that still need to be worked through in order for congress to feel comfortable passing some type of legislation on this issue? >> thank you. i agree that this is a very reasonable proposal. i think that it does mediate between the various privacy and security and sovereignty concerns. it is an approach that ought to be endorsed. there are critiques of it. i'll talk about those in a second. why do i say that? i say that for some of the reasons that richard talked about. we are talking about a situation in which a foreign government needs access for solving local serious crimes, and previously the foreign government used to be able to get that according to their own rules from their own providers, their own telecoms, a variety of other sources, and because of the changing nature of the internet, because u.s. companies control so much
2:20 am
of the world's data, they are increasingly finding themselves in a situation where they need access to data that happens to be u.s. held and u.s. stored, and these countries are understandably frustrated. that frustration is leading to a number of different incentives that i think really need to be addressed. it's leading to -- it incentivizes companies to mandate data localization. if the data is local, they don't need to deal with the u.s. and get it according to their own rules, privacy protected or not as the case may be. it is incentivizing foreign governments to increasingly seek access to data extraterritorially without regard to u.s. laws, so it is putting companies in the middle. they have to decide i can comply with one law. it's not just a hypothetical
2:21 am
concern. there's been an executive who have been arrested and detained because of failure to comply with foreign demands for data. when foreign governments get frustrated, they seek out other surreptitious means of accessing data. i think we see here a link between the debate that we're talking about right now and debates with respect to decryption and finding ways around these problems. that is one of the reasons why i think this is so important and why i think the legislation offers a pretty very reasonable response to this. because what it does, it does not require a u.s. company to provide data to a foreign government. it simply lifts the bar in those situations where the u.s. and the foreign government had entered into agreement. it sets a number of really critical limitations. the governments, the foreign partners, have to be certified by the executive branch as satisfying basic rule of law standards.
2:22 am
then each request in addition has to meet a number of criteria that richard talked about. most importantly, these foreign governments cannot get access to the data of a u.s. citizen or legal permanent resident or any other person physically located in the united states. they also cannot get the data with the intent of then sharing the information with the united states and if they access the data of u.s. persons or legal permanent residents, they are required to put certain protections in place. in addition, the requests have to be particularized, targeted. there are limits on duration. there's a requirement of judicial review. i think where the critiques come in are with the specifics of what's required. there are suggestions that some of the language judicial review or oversight, not entirely clear what oversight means, it
2:23 am
requires judicial review. there are other questions about the predicate factual standard. credible facts. there are some who think it should be higher than that. i personally think one thing that should be included in any final bill would be some explicit mechanism that protects the company. if they have any questions about whether or not a request meets those standards, it would protect them, allow them to kick it up to the department of justice and kick in the other mutual legal assistance treaty process. so there are clearly minor modifications that i think can be made to this piece of legislation, but as a whole, i agree with the basic premises. it is a reasonable approach and needed. >> thanks, jen. i will turn to nema guiliani from the aclu. why should we be concerned about creating a legislative framework for a foreign government to
2:24 am
request communications data from a u.s. company? >> sure. first, thank you for having me at this panel. i'm really glad that we're discussing this issue. i want to say at the outset, i think that the aclu and largely many privacy and human rights groups disagree with the proposal. amnesty international, human rights watch and the aclu have come out in opposition of the proposal. i can't think off the top of my head of a u.s. based privacy group that has done a full-throated endorsement of the d.o.j. proposal as written. i think the reasons are for a couple of major reasons. the first is, we hear, richard said this and jen said this, this isn't about u.s. persons. this is about targeting people overseas. i think that that is a bit of a fig leaf. if i'm an individual in the u.s., we communicate with people
2:25 am
overseas. obviously the standard that is going to apply to targeting of that overseas person affects collection of my data, my conversation with somebody overseas. and so i think this idea that simply because a target cannot be someone in the u.s. that u.s. privacy interests aren't implicated is simply false. let's say the u.k. government wanted to collect a conversation i had with somebody in the u.k. they were investigating that citizen of the u.k. for a crime that had occurred. under today's system, they would have to comply with essentially the mlat process which would require them to generally comply with a warrant standard. my data, my conversation with somebody in the u.k. is protected under u.s. constitutional standards.
2:26 am
if that standard is dropped and the requirements are lessened and weakened, that affects my privacy. we are creating a system where incidentally you can collect the information about people in the u.s., citizens and green card holders, under a standard that is lower than a warrant standard, potentially lower than a warrant standard, and under standards that are lower than would apply to the u.s. government itself, so that i think is a significant concern. it's also a significant concern because the proposal as drafted doesn't prohibit foreign governments from voluntarily sharing information with the u.s. government in certain cases. information then can make its way in court and be used against somebody. that i think is a major concern. the second concern has to do with exactly what it allows. the proposal doesn't just affect e-mail stored communications
2:27 am
like e-mail, text messages, etc. it also involves real-time interception, wiretaps essentially. in the u.s., under federal wiretap, congress, obviously reflecting the perception of the public, put in place very stringent requirements for what applies to when the government can do a wiretap. for example, in the u.s., you can only do a wiretap for certain types of crimes. there are very robust procedures involving the handling of data. you see on tv, someone shuts the phone off when an irrelevant conversation happens. that is part of the wiretap infrastructure. there are notice procedures. you use wiretapping as a last resort when you exhausted other means of obtaining that kind of information. all of those protections are not required for foreign governments who want now to wiretap using the apparatus created by the d.o.j. proposal. so essentially what you're saying is that foreign governments like the u.k. or other countries who may enter into these arrangements may not
2:28 am
necessarily have to comply with the stringent requirements of the wiretap act that the u.s. government would have to comply with if it were to do a wiretap on someone in the u.s., so what you're talking about is generally, potentially lowering of standards that doesn't apply to individuals overseas, including the conversations they may be having with people in the u.s. >> ok, great. that's an excellent outline of concern. we're going to come back there to question of stored data. before we do that, i want to turn to stephanie marks with reform government surveillance, so that stephanie can explain to us here, what are the equities, what is the interest from the u.s. based technology sector in these issues of creating a framework for compliance with foreign government requests. >> well, thanks to the internet caucus for hosting this event.
2:29 am
i think this is -- i actually think there's a lot of agreement on this panel about what the principles are that we need to be protecting when we're talking about the difficult issue of when foreign governments can get data about people -- can get data that lives outside the borders, often about people who are not their own citizens. it implicates a complicated matrix of laws that don't all talk to each other very well. i think the main disagreement is how to accomplish that while maximizing the ability of legitimate law enforcement need to get material that's related to terrorism and to help keep us all safe, while also maximizing on the curve the privacy protections of all the people who use the internet on a daily basis, so reform government surveillance is a group of 11 companies that are all the
2:30 am
companies that make the operating systems for this, have all the apps you use this, that enable us to communicate with each other on a day-to-day basis. rgs formed shortly after the snowden disclosures to support the passage of the u.s.a. freedom act. even more specifically, to provide a forum for companies to have detailed conversations about what exactly those reforms should look like and to make sure that everybody was really pulling on the same oar to get the important reforms to section 215 done. going forward, the companies have similarly been concerned about other issues that implicate government access to data around the world, and the flip side, of course, the privacy rights of the consumers that use these internet platforms all over the world. we have been very involved in discussions about
2:31 am
encryption, the european safe harbor and privacy shield in existence. we have been involved in all kinds of issues that have arisen in the congress over the past few years. those would water down privacy protections. we have been involved in suggesting reforms to 702 this year. the most important priority is to find a solution to these cross-border issues. we are very much in favor of the language that the department of justice proposed regarding moving the blocking and entering into bilateral agreements on a limited basis. emphasize that there
2:32 am
are five pages of requirements in the bill language. including limiting those reciprocal arrangements. there are all kinds of ways that we can improve definitions in that language and processes in that language. to make sure that what we are doing internationally for ibis -- the material that these internet companies have is not theirs. it is the communication of consumers all over the world. when we look at solutions to figure out what governments can get this information and under what circumstances and what laws should govern that ability to have information, what we focus on is not -- is it -- is the inquiry over when we know it is a u.s. company? the data
2:33 am
doesn't belong to microsoft or google, the data belongs to the people having the conversations. think thedo they people are going to govern when a foreign government wants certain kinds of information? it is what sits at the crux of that. they are the ones with a data center here and a customer over here asking for that data. the ones trying to figure out which law applies, when they should comply, what the due process is. process -- the mlat process such as it is, companies are talking about
2:34 am
replacing it completely. they would only be available for governments that are rights-protective, substantively and procedurally. this seems like a good solution for situations where governments need to get through important situations quickly. thek selecting through issue of why it is so important to the technology sector. i want to come back to an issue that guiliani raised, which is the issue of electronic surveillance and in real-time the ability of foreign governments to request from u.s. companies real-time surveillance results. i will turn back to our department of justice representative and ask him two things.
2:35 am
is this proposal geared toward law enforcement challenges? stephanie mentioned terrorism as well. is this a national security problem? that is question one. and question two, does this doj administration proposal -- would it cover real-time surveillance? the ability of a foreign government to request the cooperation of a u.s. company in real-time surveillance? is that correct, and if it is, why is it part of the proposal? >> the way that the proposal frames it is that it covers serious crimes including terrorism. terrorism is often
2:36 am
regarded as a national security matter. about spies spying on other countries or any classic espionage. this is about serious crimes including terrorism falling into the category of criminal activity. this proposal would cover wiretapping and the wiretap act. we have to remember that the basic paradigm we should be thinking about is a crime in the u.k. and that the u.k. is trying to solve. you can imagine an organized crime figure in the u.k. and the need to wiretap that to see what their plan is or if they will commit a murder or something. it is fortuitous that the
2:37 am
communication has to be in the united states. under the current model of the way they are routed, that would be done under u.k. law in the u.k. that situation, i would say that is the default. if the u.k. person would call in and get set up on the wiretap, that person would have zero rights at all. in the u.s., they would have a lot of rights. the u.k. cannot target them, and there are a lot of regulations that they would have to comply with such as credible facts, particularity, exhaustion of alternatives. in the end, they have to minimize the u.s. persons to get involved in that conversation.
2:38 am
then -- the bottom line, like the u.s., the u.k. views this as a critical part of protecting public safety. if they don't have the opportunity to have this arrangement to get access to it, it has the -- it does not solve the underlying problem where if they will insist on decryption disabilities or data regulation, or something else, they are facing serious terrorism and criminal threats. this is a fair and balanced approach for how to deal with that to avoid unnecessarily impinging on anyone's rights, but meeting the legitimate needs of the u.k. >> does anyone want to respond?
2:39 am
>> that was so effective that no one has an answer. >> i will just reiterate. if the u.s. government [inaudible] the wiretap act -- was it not on? sorry. the wiretap act requires notice. the implication of third parties. allowing discretion for judges to order notice and information to those third parties and we are creating a framework that fundamentally doesn't have those requirements that will now be permitted by foreign governments. it's a way that could have very real implications for people in the u.s.
2:40 am
for information that can be collected by a foreign government and can make its way to the u.s. or a criminal proceeding even though it has not complied with the requirements of the wiretap act. saying there is a robust set of requirements that apply to countries. from our perspective those requirements do not seem very robust at all. so far, you have described primarily in terms of the u.s.-u.k. relationship. they are an ally, they are a in collaboration and national security matters, but the legislative change is not country-specific. so what happens for the rest of the world?
2:41 am
maybe there are a few other countries either in north perhaps or europe, who have -- similar to the united states, maybe not the constitution, but similar judicial requirements -- what happens when other countries come knocking on the door wanting this same type of arrangement with u.s. companies? >> it is a great question about scalability. i want to step back and think about this problem a little bit. what we are facing, because of the way the internet is structured and the dominance of the u.s. companies, something that we as a nation have an interest in promoting, because of those things, there is a -- between the character
2:42 am
of governments and things that used to be specific to their jurisdiction and things that move around and are not specifically located to their territory. there are fundamental questions about who gets to set the rules. should the specific supply because the data happens to be located here? it's the same problem that we spoke about earlier with respect to the ireland case. should irish rule apply because it happened to be in ireland? ireland may not have any other equity in the case. stepping back, it is worth asking some of those bigger questions. as the country that is the home of so much of the world's data, and has set some of the rules, there is a real opportunity to
2:43 am
demand baseline standards and to try to harmonize the borders, with legitimate access and legitimate cases, so we do not end up with increased balkanization. you might -- we might see a reduction of -- to your second question, if this legislation were passed, hopefully it is, there would be a u.k. draft agreement that would be implemented pretty quickly. my hope is there would be other countries that can meet the standards and can adapt minor changes to meet these standards. time, -- there are some interesting proposals that some people have started to talk about. peter swire has been writing about this that some countries
2:44 am
can have specialized points of contact. you can have units in the country that would not be explicitly required to deal with those standards. even if you do not trust all of india, you may trust a unit for that request. >> if i can turn to stephanie from the industry perspective, how are the companies who will be on the receiving end of these requests from other governments. how are they looking at the issue -- if this legislation were to pass, and this would serve as a model for other arrangements with other governments, how would the industry view the potential
2:45 am
request downstream for agreements with other countries? what happens from the industry perspective when they might be facing requests from india, china, brazil or other types of countries that have different legal and judicial systems. >> i don't foresee that several of the countries you just listed would meet these standards to enter into an agreement. i don't think that china will be high on the department of justice's list. that would enter into an agreement to go directly into technology company. we would be upset if we were presented with such an agreement. there are other countries that could meet the standard and the most exciting thing about this
2:46 am
proposal is that there are other countries who can not quite meet the standard, but with some changes they can. it is important for them to get with u.s. companies that have the bulk of the information that travels the internet. that is something that is really important to the company, something that makes it possible for legitimate law enforcement asks to be met quickly. make sure they are met in a rights-protective manner and to raise the bar on privacy protections around the world. i know we will disagree on whether this particular proposal accomplishes that. if you would go point by point i think the proposal --
2:47 am
it sets the bar higher than it is right now. it will be beneficial to consumers all over the world. it will discourage them from blocking laws and enacting data localization laws. it will give clarity to people all over the world. we have very stringent due process requirements in this country. there are plenty of other companies that do not view the procedural part exactly as we do, but they have a fair amount of oversight and independence in the way that they review and handle law-enforcement requests. to see if we can get other law enforcement to honor our
2:48 am
requests. we are trying to maximize law-enforcement and privacy. >> it sounds like part of the confidence trying to be instilled in this legislative and agreement, it does rely on judicial oversight or some kind of institutional oversight that would take place in the foreign country to ensure that the request being made conforms with the fourth amendment and privacy principles to know that there is a process that was involved. how would that play out. allow the oversight so we can envision it a little bit to provide some comfort for those
2:49 am
he might be concerned of the privacy and civil liberties perspective. first layer of protection would be based on the foreign law itself. the foreign country investigating a crime involving its citizens. in that situation, the legal procedures and protections inherent in that set of rules would be the first line of travesty defense. to make sure that the agreement is being lived up to, there is an agreement of oversight done on a bilateral basis. provisions where the united states would be able to make sure foreign governments are not intentionally targeting u.s. citizens. they will have the protocol in place in the practice is that it is being done directly.
2:50 am
and the whole agreement must be reupped every five years. if a provider receives a piece of information from a foreign government, it could raise it with the united states. the united states may block any particular order if it is not in keeping with the agreement. the other thing i want to emphasize is that the congressional role is quite strong. there is a provision notice that would be provided to congress before any agreement goes into effect. this is the idea we have been trying to work in close partnership with congress all day long to make sure we are doing the right thing.
2:51 am
that is the baseline, we are acting reasonably and trying to solve problems that meets the larger circle of equities holders. those safeguards sound to the other panelists? >> i think that the standard and i will than -- the standard [inaudible] the first is the idea of individualized review. doj takes a look at that request and looks at it to examine whether it complies with human rights standards. reviewire individualized does not exist under the new framework. question whether companies
2:52 am
have the ability and the resources to do a robust individualized review. they do not necessarily have the incentive to do the same robust review. they are not on the hook monetarily, other than the reputation. that you are replacing individualized review in and of itself is a flaw. we spoke about the congressional rules. i don't think a 60-day notification is as robust as it could be. by inaction from congress certain agreements can go into place. the congressional role needs to be more robust. a lot of the standards are articulated in the legislation. to my mind it leaves a lot of
2:53 am
wiggle room for the u.s. to enter into agreements, particularly with countries that may have inconsistent or spotty human rights records. with india or brazil, some of those laws largely aligned with the u.s., but in other cases, we would have serious concern. i think we should take a step back -- for years they have used the internet and used u.s. providers with an expectation that their communications would be subject to a certain level of privacy, not just from the idea that privacy is important, but because their life is on the line. we think about putting framework that leaves room for a lower standard to apply. that is something we should have to examine from a human rights perspective and think about the
2:54 am
effect that could have on people all over the world. >> i will open it up in a few minutes to questions. i want to ask the professor -- most of this conversation has focused on the issue of this u.s.-u.k. agreement and what a foreign government wants to access data from a u.s. company. we mentioned the microsoft-ireland case. as you are thinking of questions, could you take a minute and distinguish the issue at play and the legislative proposal and how that is different and what is known as the microsoft-ireland case which the department of justice recently said is appealing to the u.s. supreme court? >> sure. the two-second summary, it is a case decided a year ago by the second circuit. the issue is the u.s. government served a warrant on microsoft.
2:55 am
microsoft refused to comply on the grounds that the data from the u.s. government was located on a server in maryland. had said it only territorial reach and could not reach data outside the united states. the government's position was that they can access it all the time, there is nothing extraterritorial about it. exercise territorial because it is being served on the authority but it can do everything the u.s. government would like it to do from the united states. the second circuit reversed it, they thought that it was microsoft and said at least according to the circuit, the only reach the data that is physically located within the united states. it has been described by some
2:56 am
as a privacy victory. that for disagree with a moment. for the whole conversation about the robustness of the u.s. warrant authority, in this case the u.s. government accessed the data based on probable cause which is standardally higher than other places around the world. if the net consequence is the u.s. would like data located around the united states it needs to go to that foreign country and access it based on its own rules which may be less privacy protected. microsoft organizes itself in a more location-driven approach and was able to say that it is in ireland. other companies, not as much. able to say was not
2:57 am
it was what the u.s. government wanted. itis fixed the problem but doesn't provide the information about where outside the united states. in some cases there may be no government that has access over the data with legitimate prosecution. there have been at least eight -- five magistrate judges that have ruled in favor of the government. as carrie just said, this case may be heard by the supreme court. i will say one more thing which is i think it would be unfortunate. i think that this case is more complicated than can be resolved in a simple, microsoft is right or the government is right.
2:58 am
ideally, we would see the legislation we have already been talking about coupled with a fix to this problem of microsoft, ireland that would basically set the default that the u.s. government, pursuant to a warrant, based on probable cause can access data without regard to the location but with some caveats that are meant to take into account the interest of foreign governments in their own citizens, not based on where the data is but the equities of foreign governments with their own citizens and own residents. could require the courts to do what is known as a comity analysis, taking some of these countervailing factors. there are a couple other approaches that have been discussed as well.
2:59 am
audience to turn to questions. if you have a question, i will ask that you stand and wave to me. we have a microphone that needs to make its way to you, so we can make sure that your question is heard. while someone is thinking of a question, i will propose a quick question to the panel. if you signal me, i know someone will have a question. a couple of times for the panel, we have mentioned data localization. what is localization, and why is it bad from the government perspective and perhaps from the industry perspective? should we be talking to congress about the legislative fix where one potential outcome is that we avoid global infrastructure moving toward data localization? >> it is when
3:00 am
the government passes a law that requires the data be stored in a certain location. generally within that country's borders. it can require that the data stay and not move from the servers in that country, or it can require that some copy of the data remain in that country. the problem is that can potentially rake the >> makes it difficult for cloud providers to be business consistent a better model and in a way that is consistent with how they useand their data, especially in an enterprise setting, where -- where there are consumers, business enterprises, all different ways people are doing business internationally and on the internet. that would potentially break
3:01 am
that model. that there iss is a whole trove of data available in countries like russia for the russian government to kind of get there positive in at any time they want. no one is in favor of that. >> we've heard a lot of talk about how these proposals will stop data localization. i want to provide another perspective. to be clear, i'm not saying i think it will stop data localization. i think it will disincentivize. >> to be more accurate, we have to realize the proposal on its does not necessarily prohibit data localization. the second is i think the issue of data localization is marked complex. we've seen concerns over u.s. surveillance practices.
3:02 am
some foreign companies use that as a selling point. i use it to say i think the question surrounding data localization are more complex and we should not assume that this in and of itself will stop that from happening. >> i know the congressional internet caucus tries to keep its events on time. i will give one last chance for a question. would you please identify yourself? >> robert thomas. journalist. my question is about masking about masking is people who have been contacted overseas. we can filter our linkedin contacts or facebook friend requests but we cannot readily
3:03 am
filter the people who follow us on twitter or who send us private messages. how would your protections and safeguards prevent innocent bystanders, you are you who has been contacted by someone from eastern europe or wherever, contacted by a terminal, how is the innocent bystander protected from being caught up? what masking techniques are available? >> thank you for the question. i will ask richard to speak briefly to how this feature might deal with incidental collection of targets or targets who are not under investigation. >> the scenario is something like the u.k. needs to get a wiretap order for a u.k. crime
3:04 am
and it turns out they have someone from the u.s. contacting them if i understand your proposal accurately. there is no silver bullet way to answered. has to be worked on the need details. we have to make sure they were not intentionally doing it. investigators are looking for materials that have been intercepted, they would be alerted to the idea there might be a u.s. person. it would have to be minimized, put aside, not used except under specialized circumstances. minimized. >> thank you. >> thank you very much. i know we have reached our time limit. thank you l very much for tornadoes. join me in thanking our panel. [applause]
3:05 am
