Troy Nehls Asks Witnesses About Protecting American Communications From Foreign Surveillance

Forbes Breaking News

At a House Judiciary Committee hearing last month, Rep. Troy Nehls (R-TX) spoke about the CLOUD Act.

Transcript

00:00Thank you, Mr. Chairman. Thank you to all the witnesses that are here today. I want to start

00:06posing a question to all of you. In your opinion, does the CLOUD Act and the executive agreements

00:11we have under it with the UK and Australia sufficiently protect American communications

00:17from foreign surveillance? And please explain why or why not. Mr. Salgado.

00:23I'll start with you, Mr. Salgado. Apologies. No, they do not. And for several reasons. But the

00:33primary one that I think the UK matter exposes is that they don't do anything to dissuade a

00:40foreign government from imposing technical capabilities like we've seen in the UK, but

00:44a whole host of other potential efforts to undermine security, backdoors, contaminated apps. There's a

00:52whole host of things that a creative investigator could come up with, all that undermine the security

00:58of American services. And that would also compromise Americans' data. And the CLOUD Act is a framework

01:05that we could use to protect that. Mr. Eugene? I agree with that. We're focused today on the security

01:14risks that the CLOUD Act actually incents countries that have CLOUD Act agreements to demand of U.S.

01:21providers. But there's a lot of improvements that could be made to protect Americans. One improvement

01:27would be to make it so that the U.S. providers could at least tell their government when they

01:33receive an order, like the one served on Apple, that this has happened. Apple is gagged not only from

01:39telling the world it received an order, it can't even tell its home country.

01:44You mentioned there were like 20,000 requests.

01:4720,000 of these. We were at 63. Yeah. It's imbalanced. Yeah. It's imbalanced. Thank you.

01:54Ms. Wilson?

01:55I would agree with my fellow witnesses. I would just add and reemphasize that the CLOUD Act is designed

02:02when engaging in executive agreements with these other countries to make sure that these countries

02:07have a surveillance regime that respects privacy and other rights. And clearly, the U.K. is not

02:12following that here with the TCN. The technical capability notice, it's obviously a huge invasion

02:19into privacy. It's breaking all of our security. By targeting end-to-end encryption, it undermines our

02:24potential free speech rights because of the way that end-to-end encryption can be used by so many

02:28to communicate by opposition groups around the world, by human rights defenders, in really tough

02:33circumstances. So I'd say that the U.K. is not really in the spirit of the Act at the moment.

02:38Professor?

02:39So this is mostly a law and policy question, but I will pose a technical version of it,

02:44which is that in the 1990s, the U.S. government proposed an encryption scheme for digital communications,

02:50digital voice communications, in which the keys would be stored with two agencies of the

02:55federal government. This did not go over well. It didn't go over well with industry. It didn't go

02:59over well with foreign countries. And it didn't go over well with buyers. When AT&T implemented it,

03:04the product did not get bought. But now imagine that the U.K. requires that encryption use keys that

03:12are stored with the U.K. government. As far as I can tell, and the lawyers to my right can correct me if I'm

03:18wrong, but I don't see anything in the CLOUD Act that would prohibit such a thing. And yet, of course,

03:23no American company, no American who has any private business would want to use encryption

03:29where the keys are stored with the U.K. government.

03:33Mr. Salgado, does the CLOUD Act or are agreements under it pose an undue or unfair burden on U.S.

03:39companies? Why or why not? I don't think they pose an undue burden other than that the companies,

03:47as Mr. Nojine pointed out, are barred from disclosing these things that are coming to them.

03:54And the CLOUD Act isn't there to protect them from that. And it is a good vehicle for that,

03:59so that they could tell the U.S. government. And really, Congress ought to have much more

04:03information than is provided through the current reporting mechanism. Yes. And could the U.K.'s

04:09technical capability notice to Apple aggravate that burden? It could, and I think it has. I think

04:16you see the situation with Apple where they seem unable to comment on this, right? What happens if

04:24other countries now, they'll follow suit with this? Yeah, that's the problem. It just continues with

04:28more and more. And especially if it goes unaddressed by the U.S., that just creates an invitation to

04:35continue doing things. We've got about 25 seconds left. Do you have any recommendations for future

04:40executive agreements or amendments to the CLOUD Act to lessen that burden on U.S. companies?

04:46I do. There are several of them laid out in my witness testimony. But first, and very simply,

04:50we should have a declaration in the agreement that network security and cybersecurity is an

04:56essential interest, which is a diplomatic term of art, just like free speech and some others

05:01that carries weight with it. And we can also put some in the conditions to get an agreement,

05:07some restrictions on the type of technical surveillance capabilities that partner countries

05:13would be allowed to provide, among other changes. Thank you all for being here. I reserve.

Category

Transcript

Recommended