00:00And I apologize. I was having a vote in another committee that is like a mile away.
00:07I mean, so I had to go do that vote. So I apologize for missing some of your testimony. I apologize for that.
00:12Now I recognize the gentleman from Wisconsin, Mr. Tiffany, for his five minutes.
00:17And Mr. Chairman, I was happy to pinch hit.
00:21Ms. Wilson-Pailow, one requirement of the CLOUD Act to enter these agreements is it has to be part of the convention
00:29on cybercrime. Is that correct? That's my understanding.
00:36Yes, I believe so. Although actually some of the other witnesses may be able to ask that answer that better than I could.
00:43With that being the case, that convention also includes countries like Turkey and South Africa.
00:49While the concern is being most pointed towards the UK, and perhaps appropriately so,
01:00Turkey and South Africa aren't exactly exemplars of protecting people's civil rights,
01:08shouldn't we be concerned about this extending beyond the UK?
01:12Certainly. I mean, I think one of the most concerning aspects of this technical capability notice regime
01:21is, of course, the UK claims to be able to serve the notice actually entirely outside of the CLOUD Act provision.
01:26So even if a country like Turkey or South Africa did or did not negotiate an agreement with an executive agreement
01:35under the CLOUD Act, if they had a similar regime in place, as long as that's not blocked by the CLOUD Act
01:42or some other U.S. law provision, they similarly could serve these types of notices on U.S. companies
01:48and may have much less respect for rights, as you suggest.
01:54Mr. Noenjime, do you have a comment in regards to what I just asked in the comments here?
01:57So I think a lot could be done to ensure that the U.S. doesn't enter into agreements with countries
02:05that don't respect the rule of law.
02:07For example, the CLOUD Act does not have a requirement that the U.S., that the country's laws
02:14require that there be even judicial authorization of surveillance.
02:18That seems like a very basic requirement, and yet it's not in the CLOUD Act.
02:23So it strikes me as I sit here and as we once again see that we have spies amongst us from China
02:33and the surveillance that's gone on, a spy balloon that flew over our country a few years ago.
02:39I mean, are we whistling past the graveyard of China freedoms that aren't they the greatest threat here?
02:46I think that China poses a huge cybersecurity threat to the United States.
02:53And if countries like the U.K. can force our providers to disarm by removing encryption protection,
03:01then we're more vulnerable to that kind of surveillance and that kind of attack.
03:05So you're saying that we would benefit by amending the CLOUD Act to make sure that it's not abused by the U.K.,
03:17but perhaps other countries also. Is that what you're saying?
03:19Yeah. Think of the CLOUD Act requirements in three buckets.
03:23There's the criteria that the country's laws and practices must meet.
03:28You could include a new one for protecting encryption.
03:31There are criteria that the agreement must include, things that the agreement must say.
03:37The agreement, right now the statute says that the agreement has to be silent on encryption, basically.
03:45It should say it has to protect encryption.
03:48And then there's requirements about what the orders can and can't do.
03:52So amendments in those three buckets could protect encryption.
03:56Mr. Salgado, were you with Google in 2018 when the CLOUD Act was enacted into law?
04:06I was, yes.
04:07So in reading your testimony, I get the impression that you were a strong advocate for the CLOUD Act at that point.
04:12Is that right?
04:13That's true.
04:14And now coming to us saying it needs to be changed.
04:17Did you sense in 2018 that there should be, that we should be really concerned about, that we were giving away too much with that CLOUD Act in 2018?
04:33Did you have concerns at that time?
04:35I did.
04:35There were some changes to the CLOUD Act I would have liked to have seen or some provisions I would have liked to have seen added.
04:42There wasn't anything quite on the horizon that we have with the UK now.
04:46But, yes, there were some things that I thought we could do better with the CLOUD Act.
04:49It was pretty good as it was passed, and it's been valuable.
04:52But it could use a tune-up.
04:54So this is going to be a pointed question.
04:56It seems to me we have Google and Apple that are the subjects of this, in particular Apple.
05:01And we look at them in China and how they go about doing their business where they have basically, in my terms, they've capitulated to the communist Chinese government.
05:12How do we, how do you reconcile that as someone who's a former executive with Google?
05:18I'm not sure I totally understand the question.
05:21It may be better directed to somebody who's currently at Google who could explain that further.
05:26I'm sorry that the gentleman's time has expired.