  • 6/5/2025
The House Judiciary Committee held a hearing on Thursday on Foreign Influence on Americans' Data.
Transcript
00:00:00We welcome everyone to today's hearing on the CLOUD Act and Foreign Influence on America's Data.
00:00:05I now recognize the gentleman from Texas, Mr. Nehls, to lead us in the Pledge of Allegiance.
00:00:30Thank you, Mr. Nehls.
00:00:43I now recognize myself for an opening statement.
00:00:47I welcome my colleagues to this important hearing and welcome our audience and our witnesses today.
00:00:54I thank each of our witnesses for being here today, with special recognition for one of our witnesses who flew all the way from the UK to testify today.
00:01:04Given advances in technology and the heightened interconnectivity of the digital era, personal data, business information, and sensitive communications are sent, received, and stored all over the world.
00:01:15Often, during an investigation, law enforcement needs to acquire this information from U.S. companies.
00:01:20Until 2018, if this information was held in another country, for example, a data server in Ireland, it wasn't clear whether U.S. law enforcement would be able to obtain it, even though it was requesting the data from a U.S. company.
00:01:34In 2018, Congress passed the Clarifying Lawful Overseas Use of Data Act, or the CLOUD Act, to address this gap in the law.
00:01:46Under the CLOUD Act, U.S. law enforcement, pursuant to a lawful court order, can obtain data held by U.S.-based service providers, but stored outside of the United States.
00:01:57The CLOUD Act also provides avenues for our allies to enter into bilateral agreements with the United States to similarly obtain their citizens' data from these same service providers to assist with their own law enforcement investigations.
00:02:11Unfortunately, one of our closest allies, the United Kingdom, is taking advantage of its authorities under the CLOUD Act and is attacking America's data security and privacy.
00:02:21In February of this year, the Washington Post reported that the U.K. had secretly ordered Apple to build a backdoor into its devices to enable U.K. law enforcement to access a user's data stored on the cloud, including encrypted data.
00:02:37The CLOUD Act requires that a country entering into a data access agreement with the United States have laws that include robust protections for privacy and civil liberties.
00:02:46The U.K.'s order, however, threatens the privacy and security rights not only of those living in the U.K., but of Apple users all over the world, including Americans.
00:02:56This order sets a dangerous precedent and, if not stopped now, could lead to future orders by other countries.
00:03:00The U.K.'s Investigatory Powers Act permits it to issue orders to tech companies, compelling them to weaken encryption or halt security updates for users around the world.
00:03:12This broad extraterritorial order highlights the tension between national security and individual rights.
00:03:19These interests are not mutually exclusive, and it is possible to protect both national security and individual rights.
00:03:26Providing law enforcement with the tools to conduct investigations is a laudable, important goal.
00:03:31But the U.K., seemingly emboldened by its agreement with the United States under the CLOUD Act, has issued an order that will affect people all over the world, and this is a step too far.
00:03:41Encryption is a critical tool to maintain the privacy and security of digital information and communications.
00:03:47Efforts to weaken or even break encryption make us all less secure.
00:03:51The U.S.-U.K. relationship must be built on trust.
00:03:55If the U.K. is attempting to undermine this foundation of U.S. cybersecurity, it is breaching that trust.
00:04:00If companies are forced to build backdoors to encryption, that simultaneously opens a backdoor to privacy rights or an invasion of privacy rights.
00:04:10And it is impossible to limit a backdoor to just the good guys.
00:04:14Just last year, Chinese hackers known as Salt Typhoon penetrated lawfully mandated backdoors, gaining access to wiretap systems used by U.S. law enforcement.
00:04:24The hackers also were able to access the private data of President Trump and Vice President Vance.
00:04:29This attack is a clear example of the dangers of surveillance backdoors.
00:04:34This should concern everyone.
00:04:35I have long had concerns about the CLOUD Act and the bilateral agreements it enables that could allow foreign governments to spy on Americans.
00:04:43Given the recent actions by the U.K., I am concerned that the CLOUD Act is failing to adequately protect the privacy and security of Americans.
00:04:50In the wake of the U.K.'s order, I have called on this administration to act decisively to protect Americans' communications.
00:04:57I continue to urge our government, including the Justice Department, to evaluate whether the CLOUD Act and our agreement with the United Kingdom are working as intended.
00:05:05If they are not, we should renegotiate the agreement to ensure that our rights are protected, and we should do so by invoking the 30-day termination clause.
00:05:14After years of senior U.S. government officials pushing for weaker encryption and surveillance backdoors, it seems the tide has shifted.
00:05:23Indeed, after the Salt Typhoon hack, our government publicly recommended the use of end-to-end encrypted communications tools.
00:05:30Director of National Intelligence Tulsi Gabbard stated at her confirmation hearing that backdoors lead down a dangerous path that can undermine Americans' Fourth Amendment rights and civil liberties.
00:05:39This hearing provides an opportunity to build on the momentum toward greater respect for privacy and evaluate whether and what changes are needed to ensure Americans' rights are protected.
00:05:49I am looking forward to hearing from our witnesses today, and again, thank you for being here, and discussing how we can best move forward.
00:05:57I now recognize the ranking member, Mr. Raskin, for his opening statement.
00:06:01Mr. Chairman, thank you very much, and welcome to our witnesses.
00:06:08I appreciate your being here with us.
00:06:10Living in the digital age in America means that much of our connection with other people takes place over the Internet.
00:06:17We message with friends and family and coworkers over our cell phone apps.
00:06:22We store documents in the cloud, and we share materials over email.
00:06:26End-to-end encrypted services promise that no one, not Apple, not Google, not the government, federal, state, or local, can access the messages that we send.
00:06:36And these platforms are increasingly counted upon by users wishing for the privacy of a protected face-to-face conversation in the new era of technology that we inhabit.
00:06:47Imagine pulling out your phone, opening up an app you've been told is secure, and sending a message to a friend.
00:06:53Now imagine learning that the app is not end-to-end encrypted as promised.
00:06:57Instead, the government has ordered the service provider to make its security weaker so the government can demand access to your message.
00:07:05Imagine the government told the platform that they couldn't tell a soul about this arrangement.
00:07:11Well, that's exactly what the United Kingdom secretly ordered Apple to do recently, and that's the reason that we're here today.
00:07:18Requiring Apple to secretly build a so-called backdoor into its Advanced Data Protection service would make users' end-to-end encrypted documents no longer secure as expected.
00:07:30Law enforcement officers, not just in the U.K., but also in the U.S., could demand Apple produce users' content and metadata from the cloud,
00:07:38and cybercriminals would be able to exploit this system weakness introduced by the backdoor to target Americans for espionage, consumer fraud, and ransomware.
00:07:49Backdoors to encrypted technology are not capable, as the chairman said, only of letting good guys in while keeping the bad guys out.
00:07:58Backdoors are intentional designed weaknesses in an encrypted technology's mathematical formula.
00:08:04These design weaknesses can be exploited by foreign governments seeking to compromise our national security, steal our intellectual property, and monitor us in our daily lives and workplaces.
00:08:17Congress passed the CLOUD Act in 2018 to allow for data-sharing agreements between the U.S. and countries that meet required standards.
00:08:24Through its negotiated agreement with the U.S., U.K. law enforcement can access non-encrypted data transmitted by U.S. providers that is relevant to their law enforcement recommendations.
00:08:35While secret orders like the technical capability notice the Home Office placed on Apple have nothing to do with the data-sharing agreement or the CLOUD Act,
00:08:44they are only worthwhile to the U.K. because of the data that is made available through the agreement.
00:08:50I, for one, believe that the CLOUD Act and the U.S.-U.K. data-sharing agreement thus far have been beneficial, both to U.S. companies and to our country.
00:08:57But I also believe that forcing companies to circumvent their own encrypted services in the name of security is the beginning of a dangerous, slippery slope.
00:09:06And I look forward to hearing from the witnesses as to what, if anything, we need to do to change to prevent future similar orders against other companies.
00:09:15Some argue that privacy is passe. Yesterday's news. Cookies monitor which websites we click on.
00:09:23Our devices already track every step we take. And data brokers take anonymized data and re-identify it in portfolios available to the highest bidder.
00:09:32But I disagree with the idea that privacy is no longer valuable or meaningful to the American citizenry.
00:09:38In a country where visa holders are being detained simply for opinions they've expressed or an op-ed they wrote, where criticism of the administration can result in a visit from the Secret Service,
00:09:50and where the staff of members of Congress can be arrested and handcuffed just for doing their jobs,
00:09:57American security from government intrusion has never been more urgent or important.
00:10:02The deluge of ways new technology enables the government to spy on their citizens makes it even more important that Americans stand up to increases in state surveillance.
00:10:13Thomas Jefferson wrote in 1788 that the natural progress of things is for liberty to yield and for government to gain ground.
00:10:21Well, we have to resist that natural tendency.
00:10:24A week ago, the Trump administration announced it would hire Palantir to consolidate Americans' data into dossiers on all U.S. citizens.
00:10:33The plan to use Palantir's Foundry project to organize and analyze data across agencies into one big, beautiful dossier is chilling.
00:10:41It's the beginning of an effort to create a national citizen database, which would be vulnerable to manipulation, not just by outside actors, but by inside political actors.
00:10:53From bank account numbers and student debt totals to medical claims and disability status, the administration today is taking information that was previously siloed into different categories as required under the law
00:11:06and using it to create one big, beautiful surveillance apparatus that can be used to crush resistance, to profile Americans, and to silence dissent.
00:11:17We're here today to discuss the CLOUD Act. I recognize this, but we should also recognize none of these issues exist in a vacuum.
00:11:24All government surveillance curtails all citizens' liberties. It is not always immediate.
00:11:30Often it's a slow decay and erosion, but every chip in our civil liberties foundation brings us that much closer to a government
00:11:37that no longer has its foundational and necessary ideological checks against total control of the citizenry.
00:11:45Surveillance databases like the one contemplated by the Trump administration should remain the stuff of science fiction and authoritarian governments,
00:11:53not a reality for a country founded on the principles of democratic self-government and freedoms and rights for the people.
00:12:00In the case of the UK order, we can start with an easy first step.
00:12:04We don't need legislation to pass in the divided House or frozen Senate.
00:12:08The Trump DOJ can just do its job.
00:12:10The U.S. should not sit idly by and watch the Home Office issue perhaps more secret orders against U.S. companies.
00:12:17But thus far, that's exactly what the DOJ has done.
00:12:20I sincerely hope that we move quickly to change that.
00:12:23I thank Chairman Biggs and Chairman Jordan for holding a second bipartisan surveillance hearing,
00:12:28and I look forward to working across the aisle with my friends as we prepare for the expiration of FISA Section 702 next year.
00:12:35And I yield back to you, Mr. Chairman.
00:12:36The gentleman yields back. Thank you.
00:12:38I now recognize the Chairman of the full committee, Mr. Jordan, for his opening statement.
00:12:41I just want to thank the Chairman for having this hearing.
00:12:46Thank our witnesses for being here and appreciate the remarks by both the Chairman and the Ranking Member on this subject
00:12:52and the Ranking Member's reference to the work we have to do as 702 and the FISA comes up for reauthorization less than a year from now.
00:13:02And with that, I would yield back to the Chairman.
00:13:03And again, thank our witnesses for being here.
00:13:05I thank the Chairman.
00:13:06The Chairman yields back.
00:13:07Without objection, all other opening statements will be included in the record.
00:13:11And I'll now introduce today's witnesses.
00:13:14With us today is Professor Susan Landau.
00:13:17Ms. Landau is a professor of Cybersecurity and Policy in the Department of Computer Science at Tufts University.
00:13:24Professor Landau's research focuses on privacy, surveillance, cybersecurity, and law.
00:13:28She has previously worked or held faculty appointments at Google, Sun Microsystems, the Worcester, Worcester, Worcester, Worcester, I'm from Arizona, I mean, I'm not a, Northeast, yeah, the Northeast stuff, who knows, you know.
00:13:44Worcester Polytechnic Institute, the University of Massachusetts Amherst, Wesleyan University, the National Academies of Sciences, Engineering and Medicine, the National Science Foundation, and the National Institute of Standards and Technology.
00:13:55Welcome, Professor. Thank you for being here.
00:13:58Ms. Caroline Wilson Palow.
00:14:00Ms. Wilson Palow is the Legal Director and General Counsel at Privacy International, a nonprofit organization based in the UK.
00:14:07Ms. Wilson Palow leads the organization's legal advocacy and advises its programs on legal strategy and risk.
00:14:13Prior to joining Privacy International, she was an attorney with Wilson Sonsini Goodrich & Rosati, where her practice focused on privacy and intellectual property.
00:14:22Thank you for joining us. Thanks for coming all this way, too.
00:14:27Mr. Richard Salgado is the founder of Salgado Strategies, a consulting firm that advises clients on geopolitical, cybersecurity, and surveillance issues.
00:14:36He also serves as a lecturer at both Harvard Law School and Stanford Law School.
00:14:41Mr. Salgado previously was the Director of Law Enforcement and Information Security at Google for more than 13 years,
00:14:47worked on international security and law enforcement compliance at Yahoo, and served in the Department of Justice.
00:14:52Thank you, Mr. Salgado, for being with us.
00:14:55And Mr. Gregory Nojeim.
00:14:58Nojeim? Okay.
00:15:00Mr. Nojeim is a Senior Counsel and Director of the Security and Surveillance Project at the Center for Democracy and Technology,
00:15:06a non-profit organization that advocates for civil rights and civil liberties in an increasingly digital world.
00:15:13He previously served as the Associate Director and Chief Legislative Counsel of the ACLU's Washington office,
00:15:18where he focused on the civil liberties implications of terrorism, national security, and information privacy legislation.
00:15:26All of you, we welcome. Thank you for being here today.
00:15:29We will begin now by swearing you in.
00:15:31Would you please rise and raise your right hand?
00:15:36Do each of you swear or affirm under penalty of perjury that the testimony you are about to give is true and correct to the best of your knowledge, information, and beliefs?
00:15:44So help you, God.
00:15:44Let the record reflect that the witnesses have all answered in the affirmative, and you may now be seated.
00:15:52I want you to know that we've read your—I don't know, I won't guarantee everybody, but I've read your statements,
00:15:58and those will be entered into the record in their entirety.
00:16:03Accordingly, we ask that you summarize your testimony in five minutes, and at four minutes, the light should go yellow before you.
00:16:11And when it's almost five minutes, I will just tap this little bit so you'll know it's time to kind of wrap up.
00:16:18And I don't want to cut you off too much, but we do want to remind you of that.
00:16:24So we thank you so much for being here.
00:16:27And now, Professor Landau, I recognize you for your five minutes.
00:16:30Thank you, Chairman Biggs, Ranking Member Raskin, and members of the committee for the opportunity to testify today.
00:16:38I have no need to remind you of the damage caused by Salt Typhoon, but I want to touch on the hackers' access to the databases of wiretap targets.
00:16:46This enabled the Chinese government to learn which spies we had discovered.
00:16:50It appears to have been made easier by the technical requirements, mandates imposed by the Communications Assistance for Law Enforcement Act.
00:16:57In fact, introducing such access to complex systems and communication systems or complex systems increases security vulnerabilities.
00:17:06At the same time, the Salt Typhoon hackers could not read communications sent through WhatsApp, Signal, or on Apple's network.
00:17:14These were end-to-end encrypted, as the Chairman mentioned, a form of cryptography in which as long as the communications device itself has not been hacked,
00:17:22only the sender and receiver can read the encrypted communication.
00:17:26We all use end-to-end encryption daily.
00:17:29You almost always use it when you visit a web page.
00:17:32You always do when you're sending credit card information.
00:17:34You use it on Signal, on WhatsApp, on multiple other applications.
00:17:39Apple's Advanced Data Protection secures users' files by treating them as end-to-end encrypted messages sent from the user to themselves.
00:17:48Files are delivered when the user downloads them.
00:17:51Meanwhile, they reside on the iCloud.
00:17:53Since only the user has the encryption key, the files cannot be decrypted while stored in the iCloud.
00:17:59It is a terrific form of security.
00:18:02If there is ever a breach of the iCloud, the user's data is secure.
00:18:06Who needs it?
00:18:07All of us.
00:18:08Journalists, human rights workers, members of civil society organizations.
00:18:12The latter are particularly targeted by Russia and China.
00:18:14Remote workers, business people while traveling.
00:18:18Members of your family with files they'd like to keep private, like health care proxies, wills, financial information.
00:18:25Members of your staff.
00:18:27All of us.
00:18:28Around the time the U.S. government loosened export controls on encryption back in 2000,
00:18:33the NSA began encouraging wider use of strong encryption domestically.
00:18:38The FBI was less enthusiastic and began pressing about going dark,
00:18:43its increasing inability to understand communications and later read files due to encryption.
00:18:49The issue came to a head with the San Bernardino case involving a locked iPhone.
00:18:52Unable to open the device due to Apple's security protections,
00:18:56the FBI and DOJ sought to have Apple undo those protections.
00:19:00Doing so was not nearly as straightforward as the FBI sought to portray.
00:19:06Requests for access were likely to be frequent,
00:19:09while information on obtaining access had to be stored for both legal and technical reasons.
00:19:14This created a serious security vulnerability, and Apple refused to do it.
00:19:18The case ended, by the way, when an FBI consultant was able to unlock the device.
00:19:23The real point, though, is whether you're looking at CALEA,
00:19:26the 2016 fight over the locked iPhone,
00:19:29or the purported U.K. technical capability notice served on Apple,
00:19:34these attempts at mandating lawful access to be built into complex communication systems
00:19:39create vulnerabilities in these systems.
00:19:42That's dangerous for Americans and for U.S. national security.
00:19:45Protecting the private data of Americans is a critical aspect of protecting U.S. national security.
00:19:52This is because protecting the private communications of the CEO's son-in-law,
00:19:57the files of an American who has family working in China,
00:20:00the draft research papers of a graduate student in genomics
00:20:03who has not yet filed a patent on her work,
00:20:05is protecting both the individuals and the economic and national security of our nation.
00:20:10That's why former NSA directors Mike McConnell and Michael Hayden,
00:20:14former DHS Secretary Michael Chertoff,
00:20:16former FBI General Counsel Jim Baker,
00:20:19and multiple other national security and law enforcement leaders
00:20:22support widespread public use of end-to-end encryption.
00:20:26And it's why, as the chairman mentioned,
00:20:28the joint guidance of the governments of Australia, Canada, New Zealand,
00:20:31and the United States, post-Salt Typhoon,
00:20:33recommended that end-to-end encryption be used whenever possible
00:20:37and for communications traffic to be used to the maximal extent possible.
00:20:42By refusing to sign, the U.K. is a real outlier.
00:20:45It has become a four-eyes statement.
00:20:48Apple's advanced data encryption protects people's data.
00:20:51It's an important and needed technology.
00:20:53I urge you to ensure that the U.K.'s efforts
00:20:55to improve its own investigatory capabilities
00:20:57do not come at its expense.
00:21:00The technology that Apple developed protects our national security
00:21:04and the security and privacy of ordinary Americans.
00:21:07It should be widely used and widely available.
00:21:10Please ensure that it continues to be so.
00:21:12Thanks very much.
00:21:15Now I recognize you, Ms. Wilson Palow, for your five minutes.
00:21:21Thank you, Chairman Biggs, Ranking Member Raskin,
00:21:24and members of the subcommittee.
00:21:25Thank you for the opportunity to testify today
00:21:27on behalf of Privacy International.
00:21:28I'm here to tell you about a troubling surveillance power
00:21:32that allows the United Kingdom's government
00:21:34to secretly order a U.S. company
00:21:36to undermine the security, privacy, and free speech rights of Americans.
00:21:41Indeed, due to the global reach of U.S. companies,
00:21:44these orders threaten the security and fundamental rights of users worldwide.
00:21:48This power can be found in the U.K.'s Technical Capability Notice regime,
00:21:52which is part of the Investigatory Powers Act 2016.
00:21:55Under this law, the U.K. can order a telecommunications service provider
00:22:01to build or modify its systems so that, in the future,
00:22:04the U.K. can access data on those systems through other lawful processes,
00:22:08such as warrants authorizing the interception of content
00:22:11or overseas production orders permitted under the CLOUD Act.
00:22:14More on that later.
00:22:16I've provided a more detailed description of these notices in my written statement,
00:22:20but in brief, the most salient aspects of them
00:22:23are that they are ill-defined, secret, and extraterritorial.
00:22:28An American company subject to U.K. order
00:22:30cannot reveal even its existence to U.S. officials and oversight bodies,
00:22:34much less users, investors, or anyone else who plays a crucial role
00:22:38in vetting the legality and wisdom of such notices.
00:22:41But why are we concerned about a U.K. surveillance power
00:22:43affecting American companies?
00:22:45Because these notices can be given to companies outside of the U.K.,
00:22:49so long as the company offers, provides, or controls
00:22:52services used by people in the U.K.
00:22:54This small nexus is sufficient for the U.K.
00:22:57to demand a company change its systems worldwide,
00:23:00affecting all of its users, whether in the U.K., the U.S., or elsewhere.
00:23:04We are here today because, in February,
00:23:07the Washington Post revealed that a U.S. company, Apple,
00:23:09received a secret notice requiring it to undermine the security
00:23:12of its Advanced Data Protection Service, as Professor Landau has described,
00:23:18which is an optional security feature for Apple's users,
00:23:20providing end-to-end encryption of iCloud storage
00:23:23that only the iCloud user, not Apple itself, can unlock.
00:23:27The Washington Post reporting and the significant press follow-up
00:23:31have provided us with a potentially unique opportunity
00:23:33to have a public debate about a specific application
00:23:36of these types of orders because of their inherent secrecy.
00:23:39Seizing this opportunity, my organization, Privacy International,
00:23:44has filed a case challenging the notices regime
00:23:46at the U.K.'s Investigatory Powers Tribunal.
00:23:49Apple has filed a similar challenge.
00:23:51Privacy International is devoting significant resources
00:23:53to opposing the Apple order because it exemplifies the potential
00:23:56for the notice regime to have far-reaching consequences
00:23:59that threaten our security and rights.
00:24:02That is because it appears that Apple has been ordered
00:24:04to deliberately weaken an end-to-end encrypted service.
00:24:07We are concerned that this means that these notices
00:24:09are now being used against encryption services
00:24:11and the U.K. will not stop with Apple.
00:24:14My understanding from technical experts, including Professor Landau,
00:24:18is that it is technologically infeasible
00:24:20to have both effective end-to-end encryption
00:24:22and mechanisms for third-party access,
00:24:24which the U.K. seems to be demanding.
00:24:28That is because to enable such third-party access
00:24:30creates an inherent vulnerability that can be exploited
00:24:33by bad actors, including hostile states and criminal networks.
00:24:36That is why government security and privacy experts
00:24:39on both sides of the Atlantic, including in the U.S., the U.K.,
00:24:42and the E.U., strongly recommend using end-to-end encryption.
00:24:46If the U.K. government succeeds in maintaining this order against Apple,
00:24:49it is likely further such orders targeting end-to-end encryption may follow.
00:24:53Other American companies, given their global reach, will be targets.
00:24:57Notices might also be used to force a company
00:24:59to do many other things that can undermine our security,
00:25:01such as send false security updates
00:25:03or refrain from fixing a vulnerability in its systems.
00:25:07Considering the Notices regime's significant impact
00:25:09on fundamental rights and American companies,
00:25:11questions have been raised about the interaction of these orders
00:25:13with the CLOUD Act.
00:25:15In some ways, the Notices regime and the CLOUD Act
00:25:17operate independently of each other,
00:25:20as the U.K. claims the ability to serve an order
00:25:22directly on a U.S. company irrespective of the CLOUD Act.
00:25:25And the CLOUD Act itself steers clear of encryption,
00:25:28with the Department of Justice declaring the act encryption neutral.
00:25:32But once a U.S. company is ordered to create a backdoor
00:25:35in its end-to-end encrypted services,
00:25:37the U.K. could then serve a production order on that company
00:25:39for information that would have been previously inaccessible,
00:25:42tying the Notices regime and the CLOUD Act back together.
00:25:45These secret orders also significantly impact fundamental rights
00:25:48such as privacy and freedom of speech,
00:25:50and the CLOUD Act was intended to protect these rights
00:25:53as well as U.S. companies.
00:25:55The only other country with a CLOUD Act data access agreement,
00:25:57Australia, also has a Technical Capability Notices regime.
00:26:01And the European Union,
00:26:03which is negotiating a data access agreement,
00:26:05has been considering measures
00:26:06that would undermine end-to-end encryption.
00:26:08More countries, therefore,
00:26:10might soon be targeting U.S. companies
00:26:11and undermining the security and privacy
00:26:13of their users worldwide,
00:26:15while also taking advantage of CLOUD Act processes.
00:26:18This squarely weighs the question
00:26:19of whether the CLOUD Act's encryption neutrality
00:26:21is truly sustainable,
00:26:23which I suspect my fellow panelists are now eager to answer.
00:26:27Thank you, Ms. Wilson Palow.
00:26:30Now I'd like to turn to Mr. Salgado.
00:26:33You have five minutes for your testimony.
00:26:35Thank you, Mr. Congressman,
00:26:36and thank you, Chairman Biggs,
00:26:38Ranking Member McBath,
00:26:39Chairman Jordan,
00:26:40and Ranking Member Raskin
00:26:41for inviting me here today
00:26:43to participate in this hearing
00:26:44on these important issues
00:26:45and for your leadership on this.
00:26:48My name is Richard Salgado.
00:26:49The chairman summarized my more than 35 years of experience
00:26:53as a lawyer,
00:26:54mostly dealing with government surveillance
00:26:56and network security issues.
00:27:00It was almost exactly eight years ago
00:27:02that I testified about the need for changes
00:27:04that were ultimately included in the CLOUD Act,
00:27:07signed into law by President Trump in 2018,
00:27:10and I'm honored to be here again
00:27:12now that we've gained some experience with the Act
00:27:15and the agreement that the U.K. entered pursuant to it.
00:27:18Even in these relatively early days,
00:27:21it's clear that the Act provides a framework
00:27:23for advancing U.S. interests and public safety.
00:27:26It underscores the importance
00:27:29of finalizing agreements with Canada
00:27:31and the European Union
00:27:33and beginning negotiations with other countries.
00:27:36Deeply concerning is the report
00:27:39by the Washington Post in February
00:27:41that the U.K. is secretly seeking
00:27:43to compel Apple to disable a global security feature
00:27:46in one of its products
00:27:47in order to expand its surveillance capabilities.
00:27:51But it also illustrates the value
00:27:53of the CLOUD Act framework.
00:27:54When a foreign government coerces an American company
00:27:58to compromise or withhold security protections
00:28:01intended to safeguard users worldwide,
00:28:03the impact reaches everyone, including Americans.
00:28:08The harm is magnified when such mandates are imposed
00:28:11in closed, secret proceedings with outcomes concealed.
00:28:16These actions threaten core U.S. interests in cybersecurity
00:28:19and erode the global competitiveness
00:28:21of American technology providers
00:28:23in the light of serious competition from China.
00:28:27If there's still a real debate
00:28:29about whether security should yield
00:28:31to government surveillance,
00:28:33it doesn't belong behind closed doors
00:28:35in a foreign country.
00:28:37It shouldn't be settled in secret proceedings
00:28:39run by foreign officials
00:28:41and with outcomes unknown even to the U.S. government.
00:28:45The debate belongs in public
00:28:47before the United States Congress,
00:28:50led by officials elected by the American people,
00:28:53acting with the interests of this country at heart.
00:28:57It must be decided here, not imposed there.
00:29:02Regardless of the outcome in the reported Apple matter,
00:29:05which we may never know,
00:29:06this experience reflects the broader threat
00:29:09of foreign efforts to covertly undermine
00:29:11the security of products and services
00:29:13offered by American companies.
00:29:15We are now tasked with identifying
00:29:17and implementing solutions.
00:29:19Fortunately, the CLOUD Act provides
00:29:21an ideal framework for this.
00:29:24The CLOUD Act provisions at issue today
00:29:26were enacted to address problems
00:29:28created by U.S. blocking statutes.
00:29:30Before the Act,
00:29:31U.S. providers were broadly
00:29:33and presumptively barred
00:29:35from disclosing certain user data
00:29:37to foreign governments,
00:29:38even when the request came from a jurisdiction
00:29:40that respects
00:29:41human rights and the rule of law
00:29:44and in a legitimate case.
00:29:46As a result,
00:29:47countries had to rely on diplomatic tools
00:29:49like mutual legal assistance treaties,
00:29:51which are often too slow in practice.
00:29:54Frustrated,
00:29:54some would resort to unilateral measures
00:29:56to circumvent U.S. law,
00:29:58including tactics that undermine security.
00:30:01The CLOUD Act addresses this
00:30:03by conditionally lifting the blocking statutes
00:30:05for any country that qualifies for
00:30:07and signs an executive agreement with the U.S.
00:30:10To qualify,
00:30:11a government must demonstrate
00:30:12respect for civil liberties
00:30:14and due process,
00:30:15among other requirements.
00:30:17Once an agreement is in place,
00:30:18a U.S. provider may honor data requests
00:30:20from that country
00:30:21without risking running afoul
00:30:22of the blocking statutes.
00:30:25With a few surgical changes,
00:30:26the CLOUD Act is well-suited
00:30:28to address the U.K.'s reported actions
00:30:30and similar moves
00:30:31by other foreign governments.
00:30:33I've outlined several improvements
00:30:34in my written testimony
00:30:36and will briefly summarize only a few here.
00:30:38First,
00:30:39the U.S. government should press the U.K.
00:30:41to end its reported effort against Apple
00:30:43and commit to refraining from similar actions
00:30:46against other American companies.
00:30:48That commitment should be a condition
00:30:50for continued participation in the agreement.
00:30:53Second,
00:30:54Congress should amend the CLOUD Act
00:30:55to declare cybersecurity a national interest
00:30:58that, like free speech,
00:31:00must be respected.
00:31:02Third,
00:31:02Congress should require
00:31:03that to qualify for an agreement,
00:31:06a foreign government
00:31:06must not impose surveillance
00:31:08or anti-security obligations
00:31:10on American companies.
00:31:12With these targeted changes
00:31:14and a few others,
00:31:14the Act can better advance cybersecurity
00:31:16and help American companies
00:31:18continue offering trusted,
00:31:20secured services worldwide.
00:31:23We should treat
00:31:23the lamentable U.S.
00:31:25the U.K. episode
00:31:26as a lesson
00:31:27and improve the Act.
00:31:29Too much is at stake otherwise.
00:31:31Thank you for the opportunity
00:31:32to discuss these issues.
00:31:34Yeah, thank you, Mr. Salgado.
00:31:36Mr. Nojeim,
00:31:37you have five minutes for your testimony.
00:31:38Thank you so much,
00:31:39Acting Chairman Tiffany,
00:31:41Ranking Member Raskin,
00:31:42members of the subcommittee.
00:31:44My name is Greg Nojeim,
00:31:45and I direct
00:31:45the Security and Surveillance Project
00:31:47at the Center for Democracy
00:31:48and Technology.
00:31:50And I'm proud to say
00:31:51that our awesome intern class
00:31:53is here and showed up.
00:31:55Thank you for identifying yourselves.
00:31:57Welcome.
00:31:57CDT is a non-profit,
00:32:02non-partisan organization,
00:32:04and as the chairman mentioned,
00:32:05we defend civil rights,
00:32:06civil liberties,
00:32:08and democratic values
00:32:09in the digital age.
00:32:10We're calling on Congress
00:32:11to act with the DOJ
00:32:14to protect privacy
00:32:15and security of Americans' data
00:32:17against threats from countries
00:32:19that benefit
00:32:19from CLOUD Act agreements.
00:32:22Congress enacted
00:32:23the CLOUD Act in 2018
00:32:24by tacking it on
00:32:26to the end of a 2,322-page
00:32:30omnibus spending bill.
00:32:33It empowers the DOJ
00:32:34to enter into executive agreements
00:32:36without congressional approval
00:32:37with foreign countries
00:32:39through which the U.S. providers
00:32:41can disclose user data
00:32:42from storage
00:32:43and in real time.
00:32:45Disclosures are made
00:32:46directly to foreign states
00:32:48under the laws
00:32:49of the foreign states,
00:32:50and the U.S. warrant requirement
00:32:52that would otherwise pertain
00:32:54does not apply.
00:32:56The U.K. has availed itself
00:32:58of this opportunity in spades,
00:33:01issuing over 20,000 demands
00:33:03under the CLOUD Act.
00:33:04In contrast,
00:33:05the U.S. has issued 63.
00:33:09The benefits of the agreement
00:33:10to the U.S.,
00:33:11while real,
00:33:12are limited.
00:33:14CLOUD Act agreements
00:33:15are supposed to preserve
00:33:16the privacy of Americans
00:33:17and of other people
00:33:19in the United States.
00:33:20The foreign country
00:33:23cannot target those people
00:33:25with CLOUD Act orders.
00:33:27But things haven't quite worked out
00:33:29as Congress planned.
00:33:31Instead,
00:33:32the U.K. has ordered Apple,
00:33:34as the other witnesses have said,
00:33:35under the authority of U.K. law,
00:33:37not under the authority
00:33:38of the CLOUD Act,
00:33:40to build in a backdoor
00:33:41to its encrypted cloud backup service
00:33:44so Apple can fulfill
00:33:46the U.K.'s CLOUD Act demands.
00:33:48If Apple had fully complied,
00:33:52it would have compromised
00:33:53the communication security
00:33:54of its users
00:33:55in the U.S. and worldwide.
00:33:58U.K. law,
00:33:59the TCNs,
00:34:00are super extraterritorial.
00:34:03The U.K. authorities
00:34:04can issue orders
00:34:05on companies
00:34:05headquartered outside the U.K.,
00:34:08order them to alter
00:34:10their equipment
00:34:11that is outside the U.K.
00:34:13so they can wiretap people
00:34:15who are outside the U.K.
00:34:17We don't know
00:34:20how many other U.S. providers
00:34:22have received
00:34:22one of these orders.
00:34:24If they have received one,
00:34:25they are gagged
00:34:26and can't say so.
00:34:28Other countries
00:34:29assert the authority
00:34:30to compel
00:34:30this type of provider assistance.
00:34:33Australia
00:34:33is the only other country
00:34:35to have
00:34:36a CLOUD Act agreement.
00:34:37It has a similar law,
00:34:39similar to the U.K.'s,
00:34:40but it includes
00:34:41a vague exception
00:34:42that may protect encryption.
00:34:44Canada,
00:34:46which is negotiating
00:34:47a CLOUD Act agreement
00:34:48with the U.S. right now,
00:34:50has a provision
00:34:51almost identical
00:34:52to the Australian law provision.
00:34:55Acting Chairman Tiffany,
00:34:57if you are an iPhone user
00:34:59and you go to London
00:35:01and you try to back up
00:35:02your iMessages
00:35:03with the cloud backup service
00:35:06that Apple provides,
00:35:08you wouldn't be able to do it
00:35:10in encrypted form.
00:35:11The reason you wouldn't
00:35:13be able to do it
00:35:13is because Apple
00:35:14has withdrawn that service
00:35:16from the U.K.
00:35:17under the pressure
00:35:18of this order
00:35:19that it's received.
00:35:21The U.K. would have Apple
00:35:22withdraw the service worldwide
00:35:24or compromise
00:35:25its protections
00:35:26so that no matter
00:35:27where you went,
00:35:29even to your office
00:35:30next door
00:35:30in the Cannon building,
00:35:32if you downloaded
00:35:33your iMessages,
00:35:34you wouldn't be able
00:35:35to protect them
00:35:36with encryption.
00:35:37This situation
00:35:38is intolerable.
00:35:40The DOJ and Congress
00:35:41should put an end to it
00:35:43by taking three steps.
00:35:45First, DOJ should invoke
00:35:47Article 12.3 of the agreement
00:35:49and declare that it is ineffective
00:35:51with respect to CLOUD Act orders
00:35:53issued to a provider
00:35:55that has received an order
00:35:57like the one served on Apple.
00:35:59Such a declaration
00:36:00would have immediate effect.
00:36:03DOJ should also persuade the U.K.
00:36:05to publicly withdraw the order
00:36:06to Apple
00:36:07under threat
00:36:09of terminating the agreement
00:36:11unless the U.K. agrees.
00:36:13This has the benefit
00:36:14of a negotiated result
00:36:16with more predictable
00:36:17public effect
00:36:18that sends a message
00:36:20to other countries
00:36:21that seek CLOUD Act agreements.
00:36:23Finally, Congress
00:36:24should back up the DOJ
00:36:26by amending the CLOUD Act
00:36:27to prohibit CLOUD Act agreements
00:36:29with countries
00:36:30whose laws or practices
00:36:32permit such orders
00:36:34and to require CLOUD Act agreements
00:36:36that they explicitly
00:36:38prohibit such orders.
00:36:40We look forward
00:36:41to working with you
00:36:41on such solutions.
00:36:46Thank you, Mr. Nojeim.
00:36:47We're now going to proceed
00:36:49under the five-minute rule
00:36:50with questions.
00:36:51First of all,
00:36:52I'd like to recognize
00:36:53the gentleman from Texas,
00:36:54Mr. Nehls.
00:36:55Thank you, Mr. Chairman.
00:36:56Thank you to all the witnesses
00:36:57that are here today.
00:36:58I want to start posing
00:36:59a question to all of you.
00:37:01In your opinion,
00:37:03does the CLOUD Act
00:37:03and the executive agreements
00:37:05we have under it
00:37:06with the UK and Australia
00:37:08sufficiently protect
00:37:10American communications
00:37:11from foreign surveillance?
00:37:13And please explain
00:37:14why or why not.
00:37:16Mr. Salgado.
00:37:18I'll start with you,
00:37:19Mr. Salgado.
00:37:21Apologies.
00:37:22No, they do not.
00:37:24And for several reasons,
00:37:26but the primary one
00:37:27that I think the UK matter
00:37:29exposes is that
00:37:31they don't do anything
00:37:32to dissuade a foreign government
00:37:34from imposing
00:37:35technical capabilities
00:37:36like we've seen in the UK,
00:37:37but a whole host
00:37:38of other potential efforts
00:37:40to undermine security,
00:37:42backdoors,
00:37:43contaminated apps.
00:37:45There's a whole host
00:37:46of things that a creative
00:37:47investigator could come up with,
00:37:49all that undermine
00:37:51the security
00:37:52of American services,
00:37:53and that would also
00:37:54compromise Americans' data.
00:37:56And the CLOUD Act
00:37:58is a framework
00:37:58that we could use
00:37:59to protect that.
00:38:01Mr. Nojeim?
00:38:03I agree with that.
00:38:05We're focused today
00:38:06on the security risks
00:38:08that the CLOUD Act
00:38:09actually incents countries
00:38:11that have CLOUD Act agreements
00:38:12to demand
00:38:13of U.S. providers.
00:38:15But there's a lot
00:38:16of improvements
00:38:17that could be made
00:38:17to protect Americans.
00:38:20One improvement
00:38:20would be to make it
00:38:22so that the U.S. providers
00:38:24could at least tell
00:38:25their government
00:38:26when they receive an order
00:38:28like the one served on Apple
00:38:29that this has happened.
00:38:31Apple is gagged
00:38:32not only from telling the world
00:38:34it received an order,
00:38:35it can't even tell
00:38:36its home country.
00:38:37You mentioned
00:38:38there were like 20,000 requests.
00:38:4020,000 of these.
00:38:42We were at 63.
00:38:43Yeah.
00:38:44It's imbalanced.
00:38:46Yeah.
00:38:46It's imbalanced.
00:38:48Ms. Wilson?
00:38:51I would agree
00:38:51with my fellow witnesses.
00:38:52I would just add
00:38:54and reemphasize
00:38:55that the CLOUD Act
00:38:55is designed
00:38:56when engaging
00:38:57in executive agreements
00:38:58with these other countries
00:38:59to make sure
00:38:59that these countries
00:39:00have a surveillance regime
00:39:02that respects privacy
00:39:03and other rights.
00:39:04And clearly,
00:39:05the U.K.
00:39:05is not following that here
00:39:06with the TCN.
00:39:09The technical capability notice,
00:39:11it's obviously
00:39:11a huge invasion into privacy.
00:39:13It's breaking
00:39:13all of our security
00:39:14by targeting
00:39:15end-to-end encryption.
00:39:16It undermines
00:39:17our potential
00:39:18free speech rights
00:39:19because of the way
00:39:19that end-to-end encryption
00:39:20can be used
00:39:21by so many
00:39:21to communicate
00:39:22by opposition groups
00:39:24around the world,
00:39:25by human rights defenders
00:39:26in really tough circumstances.
00:39:28So I'd say
00:39:29that the U.K.
00:39:29is not really
00:39:30in the spirit
00:39:30of the act at the moment.
00:39:31Professor?
00:39:33So this is mostly
00:39:34a law and policy question,
00:39:35but I will pose
00:39:36a technical version of it,
00:39:37which is that
00:39:39in the 1990s,
00:39:40the U.S. government
00:39:41proposed
00:39:41an encryption scheme
00:39:43for digital communications,
00:39:45digital voice communications,
00:39:46in which the keys
00:39:47would be stored
00:39:48with two agencies
00:39:48of the federal government.
00:39:49This did not go over well.
00:39:51It didn't go over well
00:39:51with industry.
00:39:52It didn't go over well
00:39:53with foreign countries.
00:39:54And it didn't go over well
00:39:55with buyers.
00:39:56When AT&T implemented it,
00:39:58the product did not get bought.
00:40:00But now imagine
00:40:01that the U.K.
00:40:02requires that
00:40:03encryption use keys
00:40:05that are stored
00:40:06with the U.K. government.
00:40:07As far as I can tell,
00:40:09and the lawyers to my right
00:40:10can correct me
00:40:11if I'm wrong,
00:40:12but I don't see anything
00:40:13in the CLOUD Act
00:40:14that would prohibit
00:40:15such a thing.
00:40:16And yet, of course,
00:40:16no American company,
00:40:18no American
00:40:19who has any private business
00:40:21would want to use encryption
00:40:23where the keys are stored
00:40:24with the U.K. government.
00:40:26Mr. Salgado,
00:40:27does the CLOUD Act
00:40:28or our agreements under it
00:40:29impose an undue
00:40:31or unfair burden
00:40:32on U.S. companies?
00:40:33Why or why not?
00:40:35I don't think
00:40:36they impose
00:40:37an undue burden
00:40:38other than
00:40:39that the companies,
00:40:41as Mr. Nojeim pointed out,
00:40:43are barred
00:40:43from disclosing
00:40:44these things
00:40:45that are coming to them
00:40:46and the CLOUD Act
00:40:48isn't there
00:40:48to protect them
00:40:49from that
00:40:50and it is a good vehicle
00:40:51for that
00:40:52so that they could tell
00:40:53the U.S. government
00:40:54and really Congress
00:40:55ought to have
00:40:56much more information
00:40:57than is provided
00:40:58through the current
00:40:59reporting mechanism.
00:41:01Yes,
00:41:01and could the U.K.'s
00:41:03this technical capability
00:41:04notice to Apple
00:41:05aggravate that burden?
00:41:07It could
00:41:08and I think it has.
00:41:09I think you see
00:41:10the situation
00:41:13with Apple
00:41:13where they seem
00:41:14unable to comment
00:41:15on this, right?
00:41:16What happens
00:41:17if other countries
00:41:18know they'll
00:41:18follow suit with this?
00:41:19Yeah,
00:41:20that's the problem.
00:41:21It just continues
00:41:21with more and more
00:41:23and especially
00:41:23if it goes unaddressed
00:41:25by the U.S.
00:41:26that just creates
00:41:27an invitation
00:41:28to continue doing things.
00:41:30We've got about
00:41:3125 seconds left.
00:41:32Do you have any
00:41:32recommendations
00:41:33for future
00:41:34executive agreements
00:41:35or amendments
00:41:36to the CLOUD Act
00:41:36to lessen that burden
00:41:38on U.S. companies?
00:41:39I do.
00:41:40There's several of them
00:41:41laid out
00:41:41in my witness testimony
00:41:42but first
00:41:43and very simply
00:41:44we should have
00:41:45the declaration
00:41:45in the agreement
00:41:46that network security
00:41:48and cyber security
00:41:49is an essential interest
00:41:51which is a diplomatic
00:41:52term of art
00:41:53just like free speech
00:41:54and some others
00:41:55that carries weight
00:41:56with it.
00:41:57And we can also
00:41:58put some
00:41:58in the conditions
00:42:00to get an agreement
00:42:01some restrictions
00:42:01on the type
00:42:03of technical
00:42:03surveillance capabilities
00:42:05that partner countries
00:42:06would be allowed
00:42:07to provide
00:42:08among other changes.
00:42:09Thank you all
00:42:09for being here.
00:42:10I reserve.
00:42:11Gentleman yields.
00:42:12I now turn to
00:42:12the ranking member
00:42:13Mr. Raskin
00:42:14for his five minutes
00:42:17of questions.
00:42:17Thank you,
00:42:17Mr. Chairman.
00:42:19Mr. Nojeim,
00:42:20so wait,
00:42:20what is the argument
00:42:21on the other side?
00:42:23What is the UK's interest
00:42:25in doing this
00:42:27and is there
00:42:28some other way
00:42:29to vindicate
00:42:30their interest
00:42:31other than
00:42:31the construction
00:42:33of the back door?
00:42:33I think their argument
00:42:37would be,
00:42:37first,
00:42:38I think they should be
00:42:38at this table
00:42:39and answering
00:42:40your questions,
00:42:41but I think
00:42:41that the argument
00:42:42would be that
00:42:43they need access
00:42:45to communications content
00:42:46in order to
00:42:48fight crimes
00:42:49and prevent crimes
00:42:50and that they would say,
00:42:52well,
00:42:54our interest
00:42:55in getting access
00:42:57trumps
00:42:58the privacy interest
00:42:59of everybody
00:43:00in the world.
00:43:02That's what they
00:43:02would have to say.
00:43:04Yeah,
00:43:04I mean,
00:43:05to transpose it
00:43:06to the domestic context,
00:43:07it would mean
00:43:08that the government
00:43:09would have access
00:43:10to all of our
00:43:11private conversations,
00:43:12not just technologically,
00:43:15but in person,
00:43:16at a restaurant,
00:43:18walking in the park,
00:43:20right,
00:43:20because there might be
00:43:22some information
00:43:22they want to get.
00:43:23You know,
00:43:24you might have heard
00:43:25that some in law enforcement
00:43:26argue that they're going dark
00:43:28because of encryption.
00:43:30This is the golden age
00:43:31of surveillance.
00:43:32There's never been
00:43:33more human thought
00:43:35available to law enforcement
00:43:36agencies around the world
00:43:38in the history of mankind
00:43:40than today.
00:43:41They get it from social media.
00:43:43They get it from data brokers.
00:43:44They get it from all kinds
00:43:46of sources.
00:43:50Professor Landau,
00:43:52could you take us
00:43:54through the Salt Typhoon
00:43:55hack on the telecom
00:43:58providers and show us
00:44:00why that episode
00:44:03underscores the importance
00:44:05of creating strong security?
00:44:07Sure.
00:44:07So none of the technical details
00:44:10have been released
00:44:11by the U.S. government.
00:44:12So this is a certain amount
00:44:13of speculation.
00:44:14But we do know
00:44:15that the telecommunications network,
00:44:18the phone network,
00:44:19has some insecurities.
00:44:21But one of the important aspects
00:44:23of the phone network
00:44:24is that the way
00:44:25that the phone systems
00:44:26interoperate
00:44:27used a model of trust
00:44:30where each of the phone companies
00:44:31knew each other.
00:44:32And there were few phone companies
00:44:34and that worked fine.
00:44:35We don't have few ISPs.
00:44:37We have thousands of ISPs.
00:44:39We have tens of thousands
00:44:40of ISPs.
00:44:41And way back
00:44:43when ISPs started
00:44:44carrying phone calls,
00:44:45for example,
00:44:46E911,
00:44:48voice over IP,
00:44:49and so on,
00:44:50there was a requirement,
00:44:51an appropriate requirement
00:44:52by the government
00:44:53to have the ISPs
00:44:55interrupt,
00:44:56interconnect
00:44:56with the phone system
00:44:57so that when somebody
00:44:58dials a 911 emergency call,
00:45:01the phone system
00:45:01can then locate
00:45:02where that person is.
00:45:04The problem is that ISPs,
00:45:06as we all know,
00:45:06the internet has
00:45:07a great number of insecurities.
00:45:09And so the hackers
00:45:10use the insecurities
00:45:12that are caused
00:45:12by that interconnection.
00:45:14At the technical level,
00:45:15I don't know
00:45:15all the different pieces.
00:45:17So when you send a message,
00:45:20when you text,
00:45:22if you're texting
00:45:22over the phone line
00:45:23as opposed to texting
00:45:24via iMessage
00:45:26or an app
00:45:27that encrypts,
00:45:28if you're texting
00:45:29over the phone line,
00:45:30then your message
00:45:31is not encrypted.
00:45:32Once the hackers
00:45:32were into the phone system,
00:45:34they could read texts,
00:45:35they could read,
00:45:36the CALEA
00:45:38centralized
00:45:40or more greatly
00:45:41centralized wiretaps.
00:45:43So it used to be
00:45:43wiretaps were done
00:45:45at the phone central office,
00:45:46you know,
00:45:47the office five miles
00:45:47down from my house
00:45:48or three miles down
00:45:49from my house.
00:45:50They're now more centralized.
00:45:51So a city
00:45:52will have only
00:45:53a few CALEA sites.
00:45:56If you only have
00:45:57a few sites
00:45:57and you're in
00:45:58the phone system
00:45:59and the hackers
00:46:00are in the phone system,
00:46:01they can more easily
00:46:02access it.
00:46:03So there were
00:46:03all sorts of pieces
00:46:04that were not
00:46:05thought through carefully.
00:46:07Thank you very much,
00:46:09Ms. Wilson Palow.
00:46:12So the so-called
00:46:15technical capability notice,
00:46:19which is the euphemism,
00:46:21I suppose,
00:46:22for creating this gaping
00:46:23backdoor entryway
00:46:25into communications,
00:46:27contained a provision
00:46:28that the order itself
00:46:30was secret.
00:46:33And I wonder,
00:46:34first of all,
00:46:35what purpose
00:46:36did that secrecy
00:46:38condition serve
00:46:41for the government?
00:46:43And what does that do
00:46:45to civil liberties
00:46:47and people's
00:46:48reasonable expectations
00:46:48of privacy?
00:46:52First, the purpose.
00:46:53And again,
00:46:54I'm speculating
00:46:54because the UK government
00:46:55also has maintained
00:46:57total secrecy
00:46:57around why
00:46:58this order exists.
00:46:59They've got secrecy
00:47:00around secrecy.
00:47:01Yes, secrecy
00:47:02around secrecy,
00:47:02exactly.
00:47:03But I think the UK's
00:47:05general idea
00:47:06is that,
00:47:07and this is actually
00:47:08not just in the case
00:47:09of TCNs,
00:47:09but certain other
00:47:10broader powers
00:47:11like interception,
00:47:12is that it really
00:47:12heavily tries to protect
00:47:14the technical capabilities
00:47:15that it has.
00:47:16And so by making
00:47:17this order
00:47:19entirely secret,
00:47:20it means that users,
00:47:22others,
00:47:23can't know
00:47:24whether or not
00:47:24there is a backdoor
00:47:25in a service
00:47:27that is being targeted.
00:47:28And the UK would say
00:47:29that that's necessary,
00:47:30I think,
00:47:31for national security.
00:47:32But it completely
00:47:33undermines the ability
00:47:34of everyone else,
00:47:36including Congress,
00:47:38including oversight bodies
00:47:40around the world,
00:47:41including users
00:47:41and concerned
00:47:42civil liberties advocates,
00:47:45from being able
00:47:46to question
00:47:47whether or not
00:47:47this is
00:47:48an acceptable
00:47:50violation
00:47:51of our privacy
00:47:52and security.
00:47:54The gentleman's
00:47:55time has expired.
00:47:57And I apologize.
00:47:58I was having a vote
00:47:59in another committee
00:48:00that is
00:48:01like a mile away.
00:48:04I mean,
00:48:04so I had to go
00:48:05do that vote.
00:48:05So I apologize
00:48:06for missing
00:48:06some of your testimony.
00:48:08I apologize for that.
00:48:09Now I recognize
00:48:09the gentleman
00:48:10from Wisconsin,
00:48:10Mr. Tiffany,
00:48:11for his five minutes.
00:48:13And Mr. Chairman,
00:48:14I was happy
00:48:14to pinch hit.
00:48:15Ms. Wilson Palow,
00:48:20one requirement
00:48:21of the CLOUD Act
00:48:22to enter these agreements
00:48:24is it has to be part
00:48:25of the Convention
00:48:26on Cybercrime.
00:48:27Is that correct?
00:48:30That's my understanding.
00:48:32Yes, I believe so,
00:48:33although actually
00:48:33some of the other witnesses
00:48:34may be able to answer
00:48:36that better than I could.
00:48:40With that being the case,
00:48:41that convention
00:48:42also includes countries
00:48:43like Turkey
00:48:44and South Africa.
00:48:48While the concern
00:48:49is being most pointed
00:48:51towards the UK
00:48:53and perhaps appropriately so,
00:48:57Turkey and South Africa
00:48:59aren't exactly exemplars
00:49:00of protecting people's
00:49:02civil rights,
00:49:04shouldn't we be concerned
00:49:05about this extending
00:49:07beyond the UK?
00:49:11Certainly.
00:49:12I mean,
00:49:13I think one,
00:49:14of the most concerning
00:49:15aspects of this
00:49:16technical capability
00:49:17notice regime
00:49:18is, of course,
00:49:18the UK claims
00:49:19to be able to serve
00:49:20the notice actually
00:49:21entirely outside
00:49:22of the CLOUD Act provision.
00:49:23So even if a country
00:49:24like Turkey
00:49:25or South Africa
00:49:26did or did not
00:49:28negotiate an agreement
00:49:29with an executive agreement
00:49:31under the CLOUD Act,
00:49:32if they had a similar
00:49:34regime in place,
00:49:36as long as that's not
00:49:37blocked by the CLOUD Act
00:49:38or some other
00:49:38U.S. law provision,
00:49:39they similarly could serve
00:49:41these types of notices
00:49:42on U.S. companies
00:49:44and may have
00:49:47much less respect
00:49:48for rights,
00:49:49as you suggest.
00:49:50Mr. Dillon,
00:49:50John, do you have
00:49:51a comment in regards
00:49:52to what I just asked
00:49:53in the comments here?
00:49:54So I think a lot
00:49:55could be done
00:49:56to ensure
00:49:57that the U.S.
00:49:58doesn't enter
00:49:59into agreements
00:50:00with countries
00:50:01that don't respect
00:50:02the rule of law.
00:50:03For example,
00:50:04the CLOUD Act
00:50:05does not have
00:50:06a requirement
00:50:07that the U.S.,
00:50:08that the country's laws
00:50:10require that there be
00:50:12even judicial authorization
00:50:14of surveillance.
00:50:15That seems like
00:50:16a very basic requirement
00:50:18and yet it's not
00:50:19in the CLOUD Act.
00:50:20So it strikes me
00:50:22as I sit here
00:50:22and as we once again
00:50:24see that we have spies
00:50:28amongst us
00:50:29from China
00:50:29and the surveillance
00:50:31that's gone on,
00:50:32a spy balloon
00:50:33that flew over our country
00:50:34a few years ago.
00:50:35I mean,
00:50:36are we whistling past
00:50:38the graveyard
00:50:38of China freedoms
00:50:40that aren't they
00:50:41the greatest threat here?
00:50:43I think that China
00:50:45poses a huge
00:50:46cybersecurity threat
00:50:47to the United States
00:50:49and if countries
00:50:51like the U.K.
00:50:52can force our providers
00:50:53to disarm
00:50:54by removing
00:50:56encryption protection,
00:50:58then we're more vulnerable
00:50:59to that kind of surveillance
00:51:00and that kind of attack.
00:51:02So you're saying
00:51:03that we would benefit
00:51:06by amending
00:51:08the CLOUD Act
00:51:09to make sure
00:51:11that it's not abused
00:51:13by the U.K.
00:51:13but perhaps other countries
00:51:14also.
00:51:15Is that what you're saying?
00:51:16Think of it.
00:51:16Think of the CLOUD Act
00:51:17requirements
00:51:18in three buckets.
00:51:20There's the criteria
00:51:21that the country's
00:51:22laws and practices
00:51:22must meet.
00:51:24You could include
00:51:25a new one
00:51:25for protecting encryption.
00:51:28There are criteria
00:51:29that the agreement
00:51:30must include,
00:51:32things that the agreement
00:51:32must say.
00:51:34The agreement,
00:51:35right now,
00:51:35the statute says
00:51:37that the agreement
00:51:38has to be silent
00:51:40on encryption,
00:51:40basically.
00:51:41It should say
00:51:42it has to protect
00:51:43encryption.
00:51:45And then there's
00:51:45requirements about
00:51:46what the orders
00:51:47can and can't do.
00:51:48So amendments
00:51:49in those three buckets
00:51:51could protect encryption.
00:51:54Mr. Salgado,
00:51:56were you with Google
00:51:58in 2018
00:51:59when the CLOUD Act
00:52:00was enacted into law?
00:52:02I was, yes.
00:52:03So, in reading
00:52:04your testimony,
00:52:05I get the impression
00:52:06that you were
00:52:06a strong advocate
00:52:07for the CLOUD Act
00:52:08at that point.
00:52:09Is that right?
00:52:09That's true.
00:52:10And now coming to us
00:52:12saying it needs
00:52:13to be changed.
00:52:14Didn't you sense
00:52:15in 2018
00:52:16that there should be,
00:52:18that we should be
00:52:20really concerned
00:52:21about,
00:52:23that we were giving
00:52:25away too much
00:52:26with that CLOUD Act
00:52:28in 2018?
00:52:29Did you have concerns
00:52:30at that time?
00:52:31I did.
00:52:31There were some changes
00:52:33to the CLOUD Act
00:52:34I would have liked
00:52:34to have seen
00:52:35or some provisions
00:52:35I would have liked
00:52:36to have seen added.
00:52:38There wasn't anything
00:52:39quite on the horizon
00:52:40that we have
00:52:41with the UK now,
00:52:42but yes,
00:52:42there were some things
00:52:43that I thought
00:52:44we could do better
00:52:45with the CLOUD Act.
00:52:45It was pretty good
00:52:46as it was passed
00:52:47and it's been valuable,
00:52:48but it could use a tune-up.
00:52:50So this is going
00:52:50to be a pointed question.
00:52:52It seems to me,
00:52:53we have Google and Apple
00:52:55that are the subjects
00:52:56of this,
00:52:57in particular Apple,
00:52:58and we look at them
00:52:59in China
00:53:00and how they go about
00:53:01doing their business
00:53:02where they have basically,
00:53:04in my terms,
00:53:05they've capitulated
00:53:06to the communist
00:53:07Chinese government.
00:53:08How do we,
00:53:09how do you reconcile that
00:53:11as someone
00:53:12who's a former executive
00:53:13with Google?
00:53:15I'm not sure
00:53:15I totally understand
00:53:16the question.
00:53:18It may be better directed
00:53:19to somebody
00:53:19who's currently at Google
00:53:20who could explain
00:53:21that further.
00:53:22I'm sorry that
00:53:23the gentleman's time
00:53:24has expired.
00:53:25I yield.
00:53:27Chair now recognizes
00:53:27the gentleman
00:53:28from North Carolina,
00:53:29Mr. Knott.
00:53:30Thank you,
00:53:31Mr. Chairman.
00:53:32I appreciate the topic
00:53:34of today's important hearing
00:53:35to the witnesses.
00:53:36I enjoyed speaking
00:53:37with you briefly
00:53:38before the hearing
00:53:38and again,
00:53:39thank you for making
00:53:40the trip to Washington
00:53:42to discuss
00:53:43this important issue
00:53:44and it's one
00:53:46that's largely unknown
00:53:47on a technical
00:53:48and a practical level
00:53:50to many in this country,
00:53:52even in Congress.
00:53:53And this issue
00:53:55is one that I assume
00:53:56will be abused
00:53:58by foreign governments
00:54:00and or criminal actors
00:54:01and hopefully there is
00:54:02a distinction still
00:54:03between those.
00:54:06Take the UK,
00:54:07for instance,
00:54:07a country
00:54:08with a proud history
00:54:09of protecting liberties,
00:54:11of respecting the rule of law,
00:54:13adhering to due process,
00:54:16bedrocks of Western civilization.
00:54:19That country today
00:54:20has protected
00:54:21and built
00:54:21a surveillance state.
00:54:23They spy
00:54:24on their own citizens.
00:54:25They arrest people
00:54:25for posting
00:54:26various things online.
00:54:28They monitor
00:54:28their own citizens'
00:54:30public communications
00:54:31and public posts.
00:54:33It's something
00:54:34that's quite concerning
00:54:35and under this particular
00:54:38issue
00:54:40that we're discussing today,
00:54:41I do want to know
00:54:42just technically speaking,
00:54:44Ms. Landau,
00:54:44can you just explain
00:54:45to us
00:54:46how the communications
00:54:48that are covered
00:54:49that we're discussing today,
00:54:50how are they collected,
00:54:52how are they stored,
00:54:53and then how can they
00:54:54be accessed
00:54:55in the future?
00:54:57So the current
00:54:58Google architecture
00:54:59says that if I have
00:55:01three devices
00:55:02that I've made
00:55:02fit this
00:55:04advanced data protection,
00:55:06that when I upload
00:55:07something,
00:55:08when I upload something
00:55:09to the iCloud,
00:55:10it's essentially
00:55:11a message
00:55:11that I am going
00:55:12to send to myself
00:55:13because I might pick it up
00:55:14on another one
00:55:15of my devices,
00:55:16and I've encrypted it
00:55:17end-to-end.
00:55:18All of my devices
00:55:19know the encryption key,
00:55:21and I authenticate
00:55:22to the devices
00:55:23before I pull it down
00:55:24from the iCloud.
00:55:25So it's sort of like
00:55:25it's just hanging out
00:55:26in the iCloud,
00:55:27hanging out,
00:55:28hanging out.
00:55:29Apple doesn't have the key,
00:55:30nobody has the key,
00:55:31just I have the key.
00:55:33And so
00:55:34that's the protection
00:55:35for it.
00:55:36Is the UK seeking
00:55:38to collect the data
00:55:39of two parties
00:55:40who are exclusively
00:55:41in the UK,
00:55:42or is it looking
00:55:43to protect...
00:55:44Okay, explain.
00:55:45When they're...
00:55:45Well, I think
00:55:47you're probably better set.
00:55:47All right, Ms. Palow.
00:55:49Yes, with this
00:55:50technical capability notice,
00:55:52they're seeking
00:55:52to open up a backdoor,
00:55:54so the option
00:55:54to collect data.
00:55:55And then under
00:55:56other surveillance powers
00:55:57that they have,
00:55:58they can collect data
00:56:00from anyone in the world.
00:56:01So they have both
00:56:02outward-facing powers
00:56:03and inward-facing
00:56:04to the UK.
00:56:04And then hypothetically,
00:56:05let's say in the future
00:56:06or present,
00:56:07could federal law enforcement
00:56:08request information
00:56:10from a foreign country
00:56:11like the UK
00:56:12to receive communication files
00:56:14that involve
00:56:15American correspondence?
00:56:17Yes, I believe
00:56:23that is possible,
00:56:23although I may defer
00:56:24that to some
00:56:25of my other panelists
00:56:26who better understand
00:56:27the American regulations
00:56:28because I think
00:56:28there are some prohibitions.
00:56:29I'm not talking
00:56:30about regulations.
00:56:31I'm talking about...
00:56:32Practically, yes.
00:56:32Practically speaking,
00:56:33that action
00:56:36would be feasible,
00:56:37correct?
00:56:37That's right,
00:56:38because the UK
00:56:39absolutely will have
00:56:39Americans' data
00:56:40in the intelligence
00:56:41that it collects.
00:56:42So it could also
00:56:43be reasonable
00:56:44to assume
00:56:44this is a bypass
00:56:46of Fourth Amendment
00:56:46protections,
00:56:47potentially,
00:56:48if it was motivated
00:56:49by the wrong actors,
00:56:50correct?
00:56:52Again, it potentially
00:56:53could be.
00:56:54Yeah.
00:56:55In theory,
00:56:56there's the possibility.
00:56:57Now...
00:56:58If I could add
00:56:59something here,
00:56:59may I?
00:57:00I was getting ready.
00:57:00Yeah, go to you.
00:57:01Yes, sir.
00:57:02So the statute
00:57:04wouldn't permit
00:57:05the U.S.
00:57:06to task the UK
00:57:07to listen in
00:57:08on an American.
00:57:10That order would be
00:57:11illegal under the statute.
00:57:13But what happens
00:57:14is Americans communicate
00:57:16with people outside
00:57:16the United States
00:57:17all the time.
00:57:18It doesn't permit it,
00:57:19but it enables it.
00:57:20It enables it
00:57:21through this kind
00:57:22of incidental collection.
00:57:25You're familiar
00:57:25with this
00:57:25through the 702 program.
00:57:27So if I'm talking
00:57:29to a foreigner abroad
00:57:30who's the target
00:57:31of the UK surveillance
00:57:33order served on Apple,
00:57:35my communications
00:57:36will be collected as well.
00:57:38And then there's rules
00:57:39about when those communications
00:57:41can be shared
00:57:41back to the United States.
00:57:43Right.
00:57:44So let me follow up
00:57:45with that.
00:57:45You mentioned earlier
00:57:46this is the golden age
00:57:47of surveillance.
00:57:48What are ways
00:57:49that you believe
00:57:50the CLOUD Act
00:57:51could be reformed
00:57:52to ensure
00:57:53that imminent threats
00:57:54are able to be
00:57:55identified and stopped
00:57:57without eroding
00:57:58the civil liberties
00:57:59protections
00:57:59that we're discussing?
00:58:00So I think
00:58:01in addition
00:58:02to requiring
00:58:03that the foreign
00:58:04country have
00:58:05judicial authorization,
00:58:08that there ought
00:58:08to be a rule
00:58:09that people get notice
00:58:11when they've been surveilled.
00:58:13We have that rule
00:58:14in the United States
00:58:15and you don't get notice
00:58:17that happens
00:58:18before the investigation
00:58:19has finished.
00:58:20You get notice
00:58:21when it's done.
00:58:22So I think
00:58:23that would go a long way.
00:58:24And also transparency
00:58:25and the ability
00:58:27of providers
00:58:28to tell their
00:58:29own government
00:58:29that they've received
00:58:31an unlawful order.
00:58:32Sure.
00:58:33My time's expired.
00:58:34Mr. Chairman,
00:58:35I yield back.
00:58:35Gentleman yields back
00:58:36and I,
00:58:38for entry into the record,
00:58:40a letter from
00:58:41Reform of Government
00:58:42Surveillance
00:58:43that without objection,
00:58:45so ordered.
00:58:46And now yield
00:58:48to the rank,
00:58:49excuse me,
00:58:49the chairman
00:58:49of the entire state.
00:58:50Thank you, Mr. Chairman.
00:58:50Mr. Nojeim,
00:58:51should the United States
00:58:51government have to get
00:58:52a warrant
00:58:52before they search
00:58:53the 702 database
00:58:54on an American?
00:58:57Absolutely.
00:58:58Yeah,
00:58:58and you were just there.
00:58:59And this,
00:59:00the issue we're talking
00:59:01about today,
00:59:01I think even underscores
00:59:03and highlights
00:59:03that reason
00:59:04because this,
00:59:05as you point out,
00:59:07United States government,
00:59:08we spy on foreigners
00:59:09all the time.
00:59:10Okay, fine.
00:59:10Good.
00:59:11I think that's appropriate.
00:59:13But they pick up
00:59:13all kinds of information
00:59:14on Americans.
00:59:15And then that giant
00:59:16haystack of information
00:59:18gets searched
00:59:19using Americans'
00:59:20phone number,
00:59:21email address,
00:59:22or name.
00:59:23If you're going
00:59:23to do that,
00:59:24go to a separate
00:59:25and equal branch
00:59:25of government,
00:59:26get a warrant,
00:59:27and show that you
00:59:27have a reason
00:59:28to do so.
00:59:29Yes,
00:59:30I think that's
00:59:30an essential reform
00:59:32in that Congress
00:59:33shouldn't reauthorize
00:59:34Section 702
00:59:35unless it achieves
00:59:36that reform.
00:59:36Well,
00:59:36we almost achieved it
00:59:37last year,
00:59:38last Congress.
00:59:39We lost the vote
00:59:40212 to 212.
00:59:42I'm hoping we win
00:59:42at this time.
00:59:43Mr. Salgado,
00:59:44do you think
00:59:44that's a good change
00:59:47that we need to make?
00:59:48I think it's not only good,
00:59:50I think it's
00:59:50constitutionally mandated.
00:59:52It's also good
00:59:52public policy.
00:59:53No kidding.
00:59:54How about Ms. Wilson Palow?
00:59:56Do you think so?
00:59:58Yes, I would agree.
00:59:58Professor,
00:59:59do you agree?
01:00:00Absolutely.
01:00:01Wow,
01:00:01this is amazing.
01:00:02This is amazing.
01:00:03We all think
01:00:03we should follow
01:00:04the Constitution
01:00:05and require a warrant
01:00:06if you're going to go
01:00:07search Americans' data.
01:00:08So I am hopeful.
01:00:10One of the things
01:00:11that I think
01:00:12we can get bipartisan
01:00:13support on this committee
01:00:14and actually get it,
01:00:15we had it last Congress.
01:00:16Unfortunately,
01:00:17we didn't have
01:00:17quite the votes
01:00:17we needed.
01:00:19But this issue
01:00:20just highlights
01:00:22it even more
01:00:23why that is necessary.
01:00:25So again,
01:00:25I want to thank you all
01:00:26for coming today.
01:00:26And I would yield,
01:00:27and I appreciate
01:00:27the gentleman
01:00:28from New York
01:00:28allowed me to go
01:00:29and the chairman
01:00:30for doing so.
01:00:30And I'd yield back
01:00:31to the balance
01:00:31of my time
01:00:32to the chairman.
01:00:33Gentleman yields
01:00:33and I now recognize
01:00:34the gentleman
01:00:35from New York,
01:00:35Mr. Goldman.
01:00:36Thank you very much,
01:00:37Mr. Chairman.
01:00:38I think you raise
01:00:40a very interesting
01:00:41point, Mr. Jordan,
01:00:44Chairman Jordan,
01:00:45wanting to make sure
01:00:47that a warrant
01:00:49is obtained
01:00:50to search Americans' data.
01:00:54So I recognize
01:00:55we're here focused
01:00:56on the CLOUD Act
01:00:57and it's an important issue.
01:00:59I don't dispute that.
01:01:01But in the times
01:01:03we're in,
01:01:04this seems quaint
01:01:05and intellectual,
01:01:08academic discussion.
01:01:10And in reality,
01:01:11what we're dealing with
01:01:12is an administration,
01:01:14current administration,
01:01:16that is trying
01:01:17to categorize,
01:01:22gather,
01:01:24and streamline
01:01:25data of Americans
01:01:28with access
01:01:30by a private company.
01:01:34Now let me explain
01:01:35a little bit
01:01:35and I want to ask
01:01:36some questions.
01:01:37Many of you,
01:01:38I'm sure,
01:01:38have heard of
01:01:39Palantir,
01:01:40which is a large
01:01:42data company,
01:01:43has a lot
01:01:44of connections
01:01:44to Elon Musk,
01:01:47to DOGE.
01:01:49And in March,
01:01:51Donald Trump
01:01:52issued an executive order
01:01:53that would increase
01:01:56the sharing
01:01:56of all unclassified data
01:01:58between and among
01:01:59federal agencies.
01:02:01It directed agency heads
01:02:02to authorize
01:02:03and facilitate
01:02:03both the intra
01:02:04and inter-agency sharing
01:02:06and consolidation
01:02:07of unclassified agency records.
01:02:10Now,
01:02:11a New York Times report
01:02:12in May
01:02:14outlined in great detail
01:02:16how the president
01:02:17has employed Palantir
01:02:19to carry out
01:02:20this executive order
01:02:22essentially to merge
01:02:24all data
01:02:26from all different
01:02:27executive branch agencies
01:02:28into one single database.
01:02:31Now it's unclear
01:02:34who would control
01:02:36that database,
01:02:37who would have access
01:02:38to it,
01:02:38what searches
01:02:39would be done,
01:02:41and there seem to be
01:02:42no guardrails
01:02:43about that.
01:02:45Another New York Times article
01:02:46says that
01:02:48the administration,
01:02:50that this database
01:02:51would have
01:02:52314 different
01:02:56points of data
01:02:58about every American.
01:03:00Literally,
01:03:01every American,
01:03:02314 various
01:03:04categories of data
01:03:05will be consolidated
01:03:07into one database
01:03:08by a private company,
01:03:10Palantir.
01:03:12Now,
01:03:13my colleagues
01:03:14on the other side
01:03:14of the aisle
01:03:15often express
01:03:16concern
01:03:17about government
01:03:19surveillance,
01:03:20about ensuring
01:03:21that we get
01:03:21search warrants
01:03:22in the context
01:03:23of 702,
01:03:24which is a
01:03:25small universe
01:03:28of already
01:03:29obtained information
01:03:30that we know
01:03:31are communications
01:03:33with people
01:03:34of interest
01:03:35from foreign
01:03:37nationalities.
01:03:38Here,
01:03:39we just have
01:03:40every American's
01:03:42data
01:03:42put into
01:03:44one database
01:03:46with no guidelines,
01:03:48no restrictions.
01:03:50We don't know
01:03:51what Palantir
01:03:52is doing,
01:03:52we don't know
01:03:52what DOGE
01:03:53is doing,
01:03:53we don't know
01:03:54what Elon Musk
01:03:54is doing.
01:03:56It essentially
01:03:56creates a
01:03:58one-stop shop
01:03:59for all Americans'
01:04:00data,
01:04:00which,
01:04:01as we're talking
01:04:01about cybersecurity,
01:04:02I'm sure you all
01:04:03agree,
01:04:04that creates
01:04:05a tremendous
01:04:06cybersecurity risk
01:04:07if China
01:04:08or Russia
01:04:09were to hack
01:04:10this.
01:04:10Now,
01:04:11the chairman
01:04:12of this committee
01:04:13has said
01:04:14in the past,
01:04:17quote,
01:04:17Congress has
01:04:18struggled,
01:04:19of this subcommittee,
01:04:20Mr. Biggs,
01:04:21Congress has struggled
01:04:21for four years
01:04:22with a corrupt
01:04:23presidential administration,
01:04:25meaning the Biden
01:04:25administration,
01:04:26that further
01:04:27expanded the
01:04:28opportunities
01:04:29for the government
01:04:30to spy
01:04:31on its citizens.
01:04:32So,
01:04:35is there,
01:04:36I mean,
01:04:37there was nothing
01:04:37in the Biden
01:04:38administration
01:04:38that approximates
01:04:40this collection
01:04:41of data,
01:04:42this opportunity
01:04:43for the government
01:04:44to spy
01:04:46on its citizens,
01:04:47and I'm not even
01:04:47talking about
01:04:48breaking laws
01:04:50under the tax code
01:04:52and sharing
01:04:52tax information
01:04:53with immigration
01:04:54enforcement agencies.
01:04:58I'm not even
01:04:59talking about
01:05:00sharing,
01:05:01you know,
01:05:02the tax information
01:05:03or Social Security
01:05:04administration information.
01:05:06This is just
01:05:07every piece of data
01:05:08that is out there
01:05:09in the government's control
01:05:11consolidated
01:05:11with one
01:05:13private company
01:05:15and one database.
01:05:16And so,
01:05:16I would ask
01:05:17my friend,
01:05:19Chairman Biggs,
01:05:21to
01:05:22think about
01:05:24whether,
01:05:24if you are truly worried
01:05:26about government surveillance,
01:05:28why are we not doing
01:05:29any oversight
01:05:30of Palantir,
01:05:31its contracts
01:05:33with the government,
01:05:34its consolidation
01:05:35of all Americans'
01:05:37personal information
01:05:38into one database
01:05:40and the cybersecurity risks?
01:05:42And I really hope,
01:05:43in all seriousness,
01:05:44that you will do
01:05:45oversight over that
01:05:46if you do truly care
01:05:47about government
01:05:49surveillance
01:05:50of citizens.
01:05:51And I yield back.
01:05:54Gentleman yields back
01:05:56and
01:05:57now I yield myself
01:06:00five minutes.
01:06:01Mr. Chairman,
01:06:01could I,
01:06:02I'm sorry,
01:06:02introduce two
01:06:03unanimous consent requests?
01:06:05Yeah.
01:06:07One is an April 9th,
01:06:102025,
01:06:11New York Times article
01:06:13entitled,
01:06:14Trump wants to merge
01:06:15government data.
01:06:16Here are 314 things
01:06:18it might know
01:06:18about you.
01:06:21Without objection.
01:06:22And the other one
01:06:23is a
01:06:24May 30th,
01:06:262025,
01:06:27New York Times article,
01:06:29Trump taps
01:06:29Palantir
01:06:30to compile data
01:06:31on Americans.
01:06:33Without objection.
01:06:36Again,
01:06:36thanks to the witnesses
01:06:38for being here
01:06:38and I'll yield
01:06:39myself now
01:06:40five minutes.
01:06:42So,
01:06:43Mr. Salgado,
01:06:44in your,
01:06:44in your written statement,
01:06:46you said one should
01:06:47take little solace
01:06:48in the provisions
01:06:49of the CLOUD Act.
01:06:50First,
01:06:51they will still allow
01:06:52for incidental
01:06:52and inadvertent
01:06:53collection of Americans'
01:06:54data subject
01:06:55to certain
01:06:56minimization requirements.
01:06:57Can you expand
01:06:58on that for me,
01:06:58please?
01:06:59Sure.
01:07:00We touched on that
01:07:01a little earlier
01:07:02in the hearing
01:07:03and specifically
01:07:04Mr. Nojeim's
01:07:05reference to inadvertent
01:07:07and incidental
01:07:07collection,
01:07:08where the UK
01:07:09can use the CLOUD Act
01:07:10to obtain data
01:07:11from American companies
01:07:13and inadvertently
01:07:15or incidentally
01:07:16that data
01:07:16could include
01:07:17U.S. persons' data
01:07:19or data about people
01:07:20in the United States.
01:07:22There are some,
01:07:23as I mentioned
01:07:24in the written testimony,
01:07:24there are restrictions
01:07:25on the UK
01:07:26and its use
01:07:27and dissemination
01:07:28of that information
01:07:28and it has
01:07:30some minimization
01:07:31requirements,
01:07:31which is a phrase
01:07:32you may be familiar
01:07:33with from Section 702
01:07:34and FISA generally.
01:07:36That's what I was
01:07:36referring to.
01:07:37That's what I thought
01:07:38you were referring to
01:07:40and one of the things
01:07:41that I find interesting
01:07:42about that is
01:07:42having met with
01:07:44UK Home Office
01:07:45within the last six weeks,
01:07:47I am concerned
01:07:48about their processes
01:07:49on what they actually do
01:07:51and their transparency
01:07:52or lack of transparency
01:07:54with this incidentally
01:07:57collected data
01:07:58and that's part
01:07:59of the problem
01:08:00that we have
01:08:01with the 702
01:08:02application as well.
01:08:05So, Ms. Wilson Palow,
01:08:07you indicated
01:08:08that you disagree
01:08:12that the UK's safeguards
01:08:13are as robust
01:08:14as they claim
01:08:15but that is because
01:08:15the point,
01:08:17that is beside the point
01:08:17because your concern
01:08:19about TCNs
01:08:20is that once a backdoor
01:08:21is created, states
01:08:21with far less stellar records
01:08:23on human rights
01:08:23such as Russia and China
01:08:25could seek similar access
01:08:26through legal process.
01:08:27You've talked about
01:08:27that a little bit.
01:08:28I'd like you to expand
01:08:29on that
01:08:30and then ask each
01:08:30of the members
01:08:31of the panel
01:08:32to also expand on that.
01:08:34Certainly.
01:08:34So, once this backdoor
01:08:36is built,
01:08:36once end-to-end encryption
01:08:37is broken,
01:08:38any state using
01:08:39their legal process,
01:08:41no matter whether
01:08:41or not it is
01:08:42as rights-respecting
01:08:44as we would hope
01:08:44it would be,
01:08:45can then ask Apple
01:08:48for access to this data
01:08:49because once it's broken,
01:08:50it's not just broken
01:08:51for the UK
01:08:52to access the data
01:08:52or for the US
01:08:53to access the data.
01:08:55Any country
01:08:55could request it
01:08:56and a lot of countries
01:08:57have surveillance
01:08:58regimes that would
01:08:59allow them
01:08:59to make these
01:09:00sort of requests.
01:09:00But it isn't just
01:09:01countries that would
01:09:02request, is it?
01:09:02It's also rogue actors
01:09:04that might be able
01:09:05to access those
01:09:06backdoors as well, right?
01:09:08That's exactly right.
01:09:09So, rather than ask
01:09:10each of you
01:09:11to expand on that,
01:09:12what I'm going to ask
01:09:12instead is,
01:09:14do my position
01:09:15would be that DOJ,
01:09:17without immediate
01:09:18transparency
01:09:19and opening up
01:09:20of the process,
01:09:21the TCN,
01:09:22that's going on
01:09:23with Apple,
01:09:25that they immediately
01:09:26issue the 30-day
01:09:27termination notice.
01:09:28That's just my position.
01:09:29Does anybody there
01:09:30agree with me
01:09:31on the panel?
01:09:35I think that would
01:09:36be a good tactic.
01:09:37They could issue
01:09:38the notice.
01:09:39They say,
01:09:39we're going to
01:09:40terminate in 30 days
01:09:41unless you withdraw
01:09:43this order to Apple.
01:09:45I think that makes
01:09:46a lot of sense.
01:09:46Yeah, it's a leverage point.
01:09:48Yeah.
01:09:48Professor?
01:09:49I absolutely agree.
01:09:51Anybody?
01:09:51Mr. Salgado?
01:09:53No, I don't disagree
01:09:54with that at all.
01:09:55I think there's a lot
01:09:55of negotiating strategies
01:09:56here.
01:09:57This agreement is important
01:09:58to the UK
01:09:58and I think they would
01:09:59come to the table.
01:10:00Ms. Wilson Palow.
01:10:02I agree that this is
01:10:03an important moment
01:10:04to pressure the UK
01:10:05because if we don't
01:10:05push back now,
01:10:06then the UK may issue
01:10:07many more of these
01:10:08orders in the future
01:10:08entirely in secret
01:10:09and we won't know
01:10:10about them.
01:10:11Yeah, I think that's
01:10:12my point is that
01:10:13it's hanging out there.
01:10:15We don't know enough
01:10:16about what's happening.
01:10:17We just,
01:10:17there's this,
01:10:20I think the legal term
01:10:21is penumbra of,
01:10:22there's a penumbra
01:10:24of information
01:10:25floating around out there
01:10:26that we hear about
01:10:27but we need to nail it down
01:10:28and really take action on it.
01:10:30So the next step is,
01:10:33and I'm going to ask
01:10:34each of you this
01:10:34and we have a minute left
01:10:35so you should have
01:10:36about 15 seconds.
01:10:37What two things
01:10:39do you think
01:10:40we need to do
01:10:40to improve
01:10:41the CLOUD Act?
01:10:44Sorry, you,
01:10:44Mr. Nojeim.
01:10:45Amend it to make it
01:10:47so that no such order
01:10:48can be issued
01:10:49by another country
01:10:50that gets one
01:10:51of these agreements.
01:10:52Amend it to make it
01:10:53so that a country
01:10:54can't get an agreement
01:10:56unless its laws
01:10:58prohibit such orders.
01:11:01Mr. Salgado.
01:11:02I would adopt,
01:11:04Mr. Nojeim,
01:11:04and add two more,
01:11:06one being that
01:11:06the providers
01:11:07be allowed to notify
01:11:08the U.S. government
01:11:09when they receive orders
01:11:11under this act
01:11:11or technical capability notices
01:11:14and that Congress
01:11:16receive more frequent
01:11:17reporting
01:11:18from the Department
01:11:18of Justice
01:11:19on the operation
01:11:21of the acts
01:11:22that are in place.
01:11:22The oversight, yes.
01:11:24Ms. Wilson Palow.
01:11:25I would adopt
01:11:26Mr. Salgado
01:11:27and Mr. Nojeim's
01:11:28recommendations.
01:11:29Professor.
01:11:30I would adopt
01:11:30all three recommendations.
01:11:32I would add
01:11:33that as Mr. Salgado
01:11:35mentioned earlier,
01:11:37cybersecurity
01:11:37and network security
01:11:38be part of the criteria
01:11:40in deciding
01:11:40whether or not
01:11:41to enter into an agreement.
01:11:42I don't disagree
01:11:43about privacy
01:11:44being fundamental
01:11:45and important,
01:11:46but I think
01:11:46there's a really
01:11:47strong lever
01:11:48about cybersecurity
01:11:49and network security
01:11:51that should be used.
01:11:53Thank you so much.
01:11:55We've exhausted our time,
01:11:57which is a crying shame
01:11:58because there's
01:11:58so much more
01:11:59to get at
01:12:00with this subject.
01:12:01I appreciate each of you
01:12:02and your testimony.
01:12:03It's an important testimony.
01:12:04This is important.
01:12:06Here's the thing
01:12:06about Congress.
01:12:07If there was a bunch
01:12:08of money on the table,
01:12:10this room would be filled
01:12:11and everybody would be here,
01:12:12but on this type of issue,
01:12:14which is actually critical
01:12:15to the country
01:12:16and national security,
01:12:18you see what happens.
01:12:20It's a sad, sad revelation
01:12:23about the United States
01:12:24Congress today.
01:12:25We appreciate all of you
01:12:26being here.
01:12:27Thank you so much,
01:12:28and we will undertake
01:12:29your recommendations
01:12:30and move forward
01:12:32with those very much.
01:12:33We're adjourned.
01:12:35All right.
01:12:36You
