Editor’s Note: In the world of cyber law, privacy and cybersecurity, one of the largest and most colorful figures is Stewart Baker, whose resume includes a stint as General Counsel at the National Security Agency and Assistant Secretary of Homeland Security. A partner at Steptoe & Johnson LLP, where he hosts a popular cyberlaw podcast, he recently sat down to talk all things cyber with NC Privacy Blog.
In my case, it was rather simple. My wife refused to live in Southern California. So I clerked in Portland, Maine, and then Washington, D.C. Then my wife and I compromised: we stayed in D.C., but far enough out in the country that she could ride horses, fuss over dogs, and generally look after any four legged creature that came to her.
You know, the NSA was not as high profile in the early 90s. So the General Counsel position did not have the same cachet it would today. What happened was that there was a sense that the legal selection process was not generating candidates that the leadership felt would serve the needs of the agency. So a former NSA General Counsel was asked to go out and identify some additional candidates.
At the time, she was working with the Office of the Legal Advisor at the State Department. She called one of my partners, a former Legal Advisor himself. That call set the ball rolling.
No, I was an appellate and regulatory lawyer. This opportunity just happened to be bouncing around and eventually landed on my desk.
Yes. I hold the record for the number of times I’ve returned to Steptoe & Johnson. 5 times.
Well there was the NSA, and then stints at the Department of Education, Homeland Security, and the Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction.
My Apple II E. I bought it used. Spoke to friends, decided a computer that worked was all that I needed. I like being cheap!
No, not law school. I was a law clerk (ed: Justice Stevens) and the Supreme Court had just introduced word processing software – Wang. It involved special paper, dot matrix printers that shook the floor when coughing out printouts, very elegant. They ended up building a box around it to dampen the racket.
In fact, I made history by being the first law clerk to lose a draft opinion to the printer. We never did find out what happened to it. Probably still sitting in a queue somewhere.
Unless it turns up in the collection of Justice Stevens’ papers a few decades from now.
Well, I was getting my bearings, it had been a couple of weeks, and then this official came to see me. You know, one of the Men in Black. And the first thing he did was put a bottle of aspirin on my desk.
I told him “what’s this?” I don’t have a headache.
He assured me that by the time he was finished I would have one.
Well, it was a forerunner of the encryption debate we have been dealing with ever since. It’s been a persistent issue pretty much ever since. Because there’s equities on both sides of the issue. It’s what I call the “first crypto-war.”
That’s what it became, yes. The idea was that encrypted communication equipment would have an access key that could be used for law enforcement or national security. The access key would be kept in escrow. The government could obtain the key by going to court or following a procedure that protected the rights of citizens but still let us fight spies, criminals who might be using encryption.
The Clipper Chip itself was a commercial flop, since it was carrying a lot of political baggage. Plus it was really expensive, and everyone you communicated with had to buy one. Even now, no one is making much money trying to sell voice encryption devices, so we shouldn’t have been surprised. The chip probably did drag out the debate over encryption export controls by several years.
I had just become GC of NSA toward the end of the George H.W. Bush Administration. They were not really interested in picking a fight over encryption. They had taken a lot of fire from the press. They had a packed agenda. And they did not see this complex issue as a priority given their time and other constraints.
Then we transitioned to Clinton. The Clinton folks were a lot more interested in it. Part of it was the life-cycle of the Administration. It was early. They had just come in. They had the drive and confidence that they could solve the policy puzzle created by encryption.
I bridged the two, yes. It was a real contrast. It was like walking into the Situation Room in the Bush Administration with a big box of old nasty auto parts covered in dirt and grease. You tell the officials we have to making a functional machine from this The first reaction from the outgoing Bush folks was to ask, “What could go wrong and who will take the blame when it does?”
Forward six months later. Bring the same box of greasy parts into the Situation Room in the Clinton Administration. The reaction around the table is very different, “Hey! We can fix this.” Before you know it, everyone’s pulling parts out of the box and trying to put them together.
Looking back, I feel pretty comfortable that we raised all the right questions, serious questions. Look, Silicon Valley has taken the view that there’s “nothing to discuss when it comes to encryption. And that by asking for government access for law enforcement the government is somehow defying mathematics.
That argument is not unserious. There is a valid point there. But the government has a better argument than Silicon Valley wants to admit. Look at the Apple fight.
Yes. The FBI went to Apple and wanted access to the shooters’ phone. And Apple said there was no way to get into the phone. But the fact is that Apple can get into any phone. They can get into your iPhone. Or mine. That’s how they update software.
If Apple believed the argument it’s been making against the FBI, Apple would say “the ability to update software is dangerous. It creates a security vulnerability. It is so dangerous that we should have no updates.”
That’s not what Apple says. Instead, if challenged on updates, Apple would say “We have weighed the risks of software updates against the risk of leaving software unpatched, and the payoff from updates justifies the marginal risk of compromising your data.
The same is true for law enforcement access. Yes, it creates a theoretical vulnerability. But it also brings really important social benefits, in the form of criminals who can be caught.
Yes, it is like any public policy issue. If there weren’t good arguments on each side, it would have been settled long ago. It’s intractable precisely because each side has a point.
That is one reason. The privacy argument is not an unserious one. But there’s also what I call Silicon Valley’s “technological arrogance.” The idea that people who disagree with them are just stupid, and that they can make policy debates irrelevant by releasing products that resolve the debate in their favor. Look, I’m the first to admit it: these are hard problems. But the solution isn’t as clear as Silicon Valley or the privacy groups want you to think.
Look, movies paint a picture that is so disconnected from reality that I’m not sure where to begin to point out everything that’s wrong. When Hollywood decides who to make the villain, it’s increasingly constrained by lefty politics and Chinese money. American intelligence agencies have become the villains by default. There’s no one else left, except perhaps a few Balkan warlords.
Go ahead. I wish ordinary Americans understood that everything the NSA does is within the law and how much effort goes into ensuring that.
Yes, here’s an example. So in the early days of the Clinton Administration, the Attorney General of the United States came out to Fort Meade. And frankly, she had a bit of a chip on her shoulder with regard to the NSA. She gave the impression that she would have explain to us about the Constitution. I suspected she’d seen too many Hollywood movies about us.
Well, the Director gave her a briefing of the Agency mission. Then he took her for a tour. So here you have the Director and the Attorney General walking around operations rooms filled with soldiers with earphones gathering intelligence through intercepts.
And do you know what the Director does?
Well, he stops by a random soldier and taps him on the shoulder.
There’s the Director, and the Attorney General, so he whips off his headphones and snaps to attention. And the Director says “Sergeant So-and-So, could you please tell the Attorney General what would happen if you came across an American in your intercepts?”
And the Sergeant says: “Ma’am if we suspect it’s an American, this is the procedure to verify that. If we know it’s an American, we flag it, we anonymize it, and we start following so-and-so protocol to ensure that we protect American citizens.” And he starts reciting the steps that he takes.
Well, there is legal guidance on different scenarios. The General Counsel’s office has determined what to do in this situation, or that situation. Now that doesn’t mean that that an American’s communications don’t end up in some collection effort. That can happen.
For that matter, if there’s an American who is a spy or terrorist or a foreign intelligence operative, then they aren’t going to be ignored.
But every single thing that is done is done in accordance with the letter of the law. A lot of effort goes into making sure that all NSA operations are legal.
Well she learnt the truth: that NSA folks know the law, they are trained what that law is, and everyone, without question, is expected to follow the law.
You know that lawyers are trained to never ask a question unless you know the answer. And here is the Director asking a random soldier standing at attention such a question – and in front of the Attorney General. So I ask him later: What if the soldier had flubbed it?
And the Director says, “I knew he would give the right answer. You know why? Because I went through that training too earlier in my career.” This is the Director of the NSA we are talking about. And he says he had it drilled it over and over till he could comply with it in his sleep.
That’s a fundamental part of NSA’s culture.
The problem with the revelations was that the details of what the NSA does, and how much the NSA does, astounded a lot of people. Now I think they were released in a way to have a particular political impact. The Washington Post ran a series of stories that created an erroneous early impression that the agency never recovered from.
Everything the NSA did had been blessed by judges, and checked by the lawyers. You can disagree with the judges; you can change the law. But no one should think that the agency was acting outside the legal rules as they stood at the time.
Nope. We’ve had one or two, err, intense exchanges on social media, but I’ve never met them.
I don’t know. *laughs* He called in to the podcast. I think he used a burner phone. And probably discarded it after the call.
Yes. Decades ago, French officials were taking the position that data processing industries were “vital national capabilities” that had to be protected.
Now that doesn’t mean that there aren’t policymakers who are genuinely concerned about privacy as a value. It just happens that those values tend to come into play at convenient times. I think privacy laws are uniquely susceptible to misuse for other purposes.
If you look at the United States, our own privacy jurisprudence came from Justice Brandeis. He wrote strongly on the subject. Convinced dozens of jurisdictions to adopt privacy laws. Do you happen to know what invasion of privacy moved him so deeply?
Having his picture taken! The idea that anyone could take your photograph, on the street or in a public place, without your permission or consent, was simply outrageous to him. Keep in mind that he came from a background where a portrait typically meant commissioning a painter, and then sitting, and frankly if you didn’t like it – who hasn’t asked themselves “do I really look like that” – if you didn’t like it you could burn it and refuse to pay the artist.
Brandeis was so disturbed by the change that he found a right to privacy in United States law. There had to be one, he thought. Now we’ve still got remnants of his privacy nostalgia law, but it does nothing for the privacy of ordinary people. It’s mainly used to enrich celebrities who want to monetize their rejection of privacy and embrace of publicity.
Privacy legislation is almost always an exercise in nostalgia. It’s always late. It’s always a step behind. And it’s an attempt to recapture a world that has slipped away.
Here’s another example. By the time the Anti-Wiretap Act was enacted, it was already outmoded. Technology was already making it easy to record conversations, and trying to prevent that was an uphill battle. Now, of course, with cell phone cameras, any time something happens on the street, we’ve got three separate feeds, law or no law.
Yes, many of the arrests for violating the law against eavesdropping on conversations have actually been efforts to protect police officers. In many states, until the laws were overturned, you couldn’t record a police officer going about his business. That makes it harder to monitor police behavior, but it has nothing to do with most people’s expectation of privacy.
I don’t think so. Say you’re a German. You absolutely insist on a German cloud provider. You can find one. But there will be a cost premium for that. And they won’t be able to offer the same flexibility, scale, features and robustness that say, Amazon or Microsoft can.
Now if you’re the same German and you want a server located in Germany, Amazon and Microsoft can handle that for you. If you’re concerned about privacy or regulatory concerns, handle it at the front end. Put it in the Terms of Service.
No. In fact, American cloud providers have outpaced international competitors since the Snowden revelations. They’re winning the race, despite European efforts to handicap them with special legal burdens.
The United States needs to push back as a government. Companies don’t want to be responsible for national security and economic growth. That doesn’t mean they won’t do the right thing. They are American, and but this isn’t really their fight.
That’s especially true now, with the GDPR, which creates staggering penalties. Billions for a single infraction. That’s raised the stakes enormously. If you’re a U.S. tech provider, the path of least resistance is keep the European regulators as happy as you can, no matter what the consequences are for U.S. national security.
No matter where you stand politically, people you respect got hacked: Podesta, Powell, Rice. People who laughed when Republican emails were hacked were outraged about Podesta.
People are responding in two ways. First, they are worrying more about security. They won’t archive. They’ll arrange to delete everything on a 90 day cycle. Things like that.
But they’re also adjusting their assumptions about privacy. They are being more circumspect in email . In fact, that struck me about the Podesta emails. For all the hoopla, he was pretty cautious in what he wrote. People know that email isn’t private, and they’ll adjust their behavior.
Well, GDPR is a big one. I just don’t see a scenario where it sails smoothly into law. For two decades now the United States has made unending concessions to Europe on privacy issues, but European negotiators are never satisfied. They keep selling us the same mule. The Trump Administration feels strongly about trade. They could easily say “we’ve given enough and got nothing in return. No more.” So we could see a confrontation there.
The other issue is the Trump Administration’s cyber security policy. They have said that they want the Department of Defense to take the lead. But they have not been clear what Defense is going to do. They’ve specified the driver, but not what he’s going to do once he’s behind the wheel. My suspicion is that you’ll see greater emphasis on deterring China, North Korea and Iran; less attention may be paid to Russia. But we will have to see.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or firstname.lastname@example.org. Mike may be reached at 919.783.2851 or email@example.com.
Join us for an instructional webinar on Family Law on March 2nd from 11:00am-12:00pm. Poyner Spruill divorce attorney Steve Epstein will explain the fundamental components of divorce, child custody, child support, alimony, equitable distribution, and alienation of affections. He will also answer questions submitted by attendees.
Protect Your Business and Preserve More Income. You are invited to a panel discussion exploring what captives are, when you should consider setting up one, how the tax code can help the captive pay for itself, and more.
Advertising Law 101 for Tech Marketing Professionals This presentation will educate attendees on the "need-to-know" basics of advertising law. Marketing professionals in the Tech Industry regularly navigate issues that require a familiarity with truth in advertising, disclosure and endorsement rules for social media marketing, and privacy law - just to name a few. Knowing the basics of advertising law can insulate a company from a host of sanctions, fees, and other consequences.
We are pleased to announce Chase Johnson has joined the firm as an associate lawyer in the Raleigh office. Her law practice involves representing investment banks and financial institutions in their roles as issuers, underwriters, and mortgage loan sellers in both public and private offerings of mortgage-backed securities.
We are pleased to announce that Stephanie Sanders has been elected as Partner in the firm. She represents clients in connection with commercial real estate matters, including acquisition, disposition, financing, development and leasing of commercial real estate.