Editor’s Note: In the world of cyber law, privacy and cybersecurity, one of the largest and most colorful figures is Stewart Baker, whose resume includes a stint as General Counsel at the National Security Agency and Assistant Secretary of Homeland Security. A partner at Steptoe & Johnson LLP, where he hosts a popular cyberlaw podcast, he recently sat down to talk all things cyber with NC Privacy Blog.
Q: Thank you for your time. So, let’s begin with the obvious: what prompted you to leave beautiful Southern California for a lifetime in the District of Columbia?
In my case, it was rather simple. My wife refused to live in Southern California. So I clerked in Portland, Maine, and then Washington, D.C. Then my wife and I compromised: we stayed in D.C., but far enough out in the country that she could ride horses, fuss over dogs, and generally look after any four-legged creature that came to her.
Q: How does one go about becoming General Counsel of the NSA?
You know, the NSA was not as high profile in the early 90s. So the General Counsel position did not have the same cachet it would today. What happened was that there was a sense that the legal selection process was not generating candidates that the leadership felt would serve the needs of the agency. So a former NSA General Counsel was asked to go out and identify some additional candidates.
At the time, she was working with the Office of the Legal Advisor at the State Department. She called one of my partners, a former Legal Advisor himself. That call set the ball rolling.
Q: So at that time you weren’t an expert on cyber or privacy issues?
No, I was an appellate and regulatory lawyer. This opportunity just happened to be bouncing around and eventually landed on my desk.
Q: And on such whims of fate careers turn?
Q: And since then you have shuttled between public service and private practice?
Yes. I hold the record for the number of times I’ve returned to Steptoe & Johnson. 5 times.
Q: 5 times?
Well there was the NSA, and then stints at the Department of Education, Homeland Security, and the Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction.
Q: So if you weren’t to the computer born, what was your first experience with computers?
My Apple II E. I bought it used. Spoke to friends, decided a computer that worked was all that I needed. I like being cheap!
Q: And what was the first legal issue you encountered involving computers? Law school?
No, not law school. I was a law clerk (ed: Justice Stevens) and the Supreme Court had just introduced word processing software – Wang. It involved special paper, dot matrix printers that shook the floor when coughing out printouts, very elegant. They ended up building a box around it to dampen the racket.
In fact, I made history by being the first law clerk to lose a draft opinion to the printer. We never did find out what happened to it. Probably still sitting in a queue somewhere.
Q: And that’s lost to history?
Unless it turns up in the collection of Justice Stevens’ papers a few decades from now.
Q: So what was it like at the NSA?
Well, I was getting my bearings, it had been a couple of weeks, and then this official came to see me. You know, one of the Men in Black. And the first thing he did was put a bottle of aspirin on my desk.
I told him, “What’s this? I don’t have a headache.”
Q: What did he say?
He assured me that by the time he was finished I would have one.
Q: What was the issue?
Well, it was a forerunner of the encryption debate we have been dealing with ever since. It’s been a persistent issue pretty much ever since. Because there’s equities on both sides of the issue. It’s what I call the “first crypto-war.”
Q: Was that the controversy over the Clipper Chip?
That’s what it became, yes. The idea was that encrypted communication equipment would have an access key that could be used for law enforcement or national security. The access key would be kept in escrow. The government could obtain the key by going to court or following a procedure that protected the rights of citizens but still let us fight spies, criminals who might be using encryption.
Q: What was the outcome?
The Clipper Chip itself was a commercial flop, since it was carrying a lot of political baggage. Plus it was really expensive, and everyone you communicated with had to buy one. Even now, no one is making much money trying to sell voice encryption devices, so we shouldn’t have been surprised. The chip probably did drag out the debate over encryption export controls by several years.
Q: How did the Clipper Chip and the Crypto War get its start?
I had just become GC of NSA toward the end of the George H.W. Bush Administration. They were not really interested in picking a fight over encryption. They had taken a lot of fire from the press. They had a packed agenda. And they did not see this complex issue as a priority given their time and other constraints.
Then we transitioned to Clinton. The Clinton folks were a lot more interested in it. Part of it was the life-cycle of the Administration. It was early. They had just come in. They had the drive and confidence that they could solve the policy puzzle created by encryption.
Q: So you stayed on with the Clinton Administration and saw both approaches?
I bridged the two, yes. It was a real contrast. It was like walking into the Situation Room in the Bush Administration with a big box of old nasty auto parts covered in dirt and grease. You tell the officials we have to make a functional machine from this. The first reaction from the outgoing Bush folks was to ask, “What could go wrong and who will take the blame when it does?”
Forward six months later. Bring the same box of greasy parts into the Situation Room in the Clinton Administration. The reaction around the table is very different, “Hey! We can fix this.” Before you know it, everyone’s pulling parts out of the box and trying to put them together.
Q: And now when you look back at the crypto wars?
Looking back, I feel pretty comfortable that we raised all the right questions, serious questions. Look, Silicon Valley has taken the view that there’s “nothing to discuss” when it comes to encryption. And that by asking for government access for law enforcement the government is somehow defying mathematics.
Q: Well, the concern as I understand it, is this: if you build a backdoor for the “good guys”, then that is a vulnerability that the “bad guys” can also exploit.
That argument is not unserious. There is a valid point there. But the government has a better argument than Silicon Valley wants to admit. Look at the Apple fight.
Q: You’re referring to the FBI wanting access to the San Bernardino phone?
Yes. The FBI went to Apple and wanted access to the shooters’ phone. And Apple said there was no way to get into the phone. But the fact is that Apple can get into any phone. They can get into your iPhone. Or mine. That’s how they update software.
If Apple believed the argument it’s been making against the FBI, Apple would say “the ability to update software is dangerous. It creates a security vulnerability. It is so dangerous that we should have no updates.”
That’s not what Apple says. Instead, if challenged on updates, Apple would say “We have weighed the risks of software updates against the risk of leaving software unpatched, and the payoff from updates justifies the marginal risk of compromising your data.”
The same is true for law enforcement access. Yes, it creates a theoretical vulnerability. But it also brings really important social benefits, in the form of criminals who can be caught.
Q: So you’re saying the encryption debate is standard policy analysis: determining whether the benefits warrant the risk?
Yes, it is like any public policy issue. If there weren’t good arguments on each side, it would have been settled long ago. It’s intractable precisely because each side has a point.
Q: So that’s why we are still debating this two decades later? Because each side has a point?
That is one reason. The privacy argument is not an unserious one. But there’s also what I call Silicon Valley’s “technological arrogance.” The idea that people who disagree with them are just stupid, and that they can make policy debates irrelevant by releasing products that resolve the debate in their favor. Look, I’m the first to admit it: these are hard problems. But the solution isn’t as clear as Silicon Valley or the privacy groups want you to think.
Q: If there was one popular prevailing misconception you could clear up, what would it be?
Look, movies paint a picture that is so disconnected from reality that I’m not sure where to begin to point out everything that’s wrong. When Hollywood decides who to make the villain, it’s increasingly constrained by lefty politics and Chinese money. American intelligence agencies have become the villains by default. There’s no one else left, except perhaps a few Balkan warlords.
Q: I will have to quote you on that.
Go ahead. I wish ordinary Americans understood that everything the NSA does is within the law and how much effort goes into ensuring that.
Q: Training, legal vetting and so on?
Yes, here’s an example. So in the early days of the Clinton Administration, the Attorney General of the United States came out to Fort Meade. And frankly, she had a bit of a chip on her shoulder with regard to the NSA. She gave the impression that she would have to explain to us about the Constitution. I suspected she’d seen too many Hollywood movies about us.
Q: What happened?
Well, the Director gave her a briefing of the Agency mission. Then he took her for a tour. So here you have the Director and the Attorney General walking around operations rooms filled with soldiers with earphones gathering intelligence through intercepts.
And do you know what the Director does?
Well, he stops by a random soldier and taps him on the shoulder.
Q: The soldier’s reaction?
There’s the Director, and the Attorney General, so he whips off his headphones and snaps to attention. And the Director says “Sergeant So-and-So, could you please tell the Attorney General what would happen if you came across an American in your intercepts?”
And the Sergeant says: “Ma’am if we suspect it’s an American, this is the procedure to verify that. If we know it’s an American, we flag it, we anonymize it, and we start following so-and-so protocol to ensure that we protect American citizens.” And he starts reciting the steps that he takes.
Well, there is legal guidance on different scenarios. The General Counsel’s office has determined what to do in this situation, or that situation. Now that doesn’t mean that an American’s communications don’t end up in some collection effort. That can happen.
For that matter, if there’s an American who is a spy or terrorist or a foreign intelligence operative, then they aren’t going to be ignored.
But every single thing that is done is done in accordance with the letter of the law. A lot of effort goes into making sure that all NSA operations are legal.
Q: What was the Attorney General’s reaction?
Well she learnt the truth: that NSA folks know the law, they are trained what that law is, and everyone, without question, is expected to follow the law.
Q: What was your reaction while all of this was going on?
You know that lawyers are trained to never ask a question unless you know the answer. And here is the Director asking a random soldier standing at attention such a question – and in front of the Attorney General. So I ask him later: What if the soldier had flubbed it?
And the Director says, “I knew he would give the right answer. You know why? Because I went through that training too earlier in my career.” This is the Director of the NSA we are talking about. And he says he had it drilled over and over till he could comply with it in his sleep.
That’s a fundamental part of NSA’s culture.
Q: So the Snowden revelations….
The problem with the revelations was that the details of what the NSA does, and how much the NSA does, astounded a lot of people. Now I think they were released in a way to have a particular political impact. The Washington Post ran a series of stories that created an erroneous early impression that the agency never recovered from.
Everything the NSA did had been blessed by judges, and checked by the lawyers. You can disagree with the judges; you can change the law. But no one should think that the agency was acting outside the legal rules as they stood at the time.
Q: Have you ever met Glenn Greenwald or Snowden?
Nope. We’ve had one or two, err, intense exchanges on social media, but I’ve never met them.
Q: What does The Grugq (reclusive security researcher recently on Stewart’s podcast) look like?
I don’t know. *laughs* He called in to the podcast. I think he used a burner phone. And probably discarded it after the call.
Q: You have been an outspoken advocate of the position that European privacy regulations, first Safe Harbor, now Privacy Shield, and soon the GDPR, are thinly disguised protectionist efforts against successful U.S. technology giants.
Yes. Decades ago, French officials were taking the position that data processing industries were “vital national capabilities” that had to be protected.
Now that doesn’t mean that there aren’t policymakers who are genuinely concerned about privacy as a value. It just happens that those values tend to come into play at convenient times. I think privacy laws are uniquely susceptible to misuse for other purposes.
Q: For example?
If you look at the United States, our own privacy jurisprudence came from Justice Brandeis. He wrote strongly on the subject. Convinced dozens of jurisdictions to adopt privacy laws. Do you happen to know what invasion of privacy moved him so deeply?
Q: I’d hesitate to guess.
Having his picture taken! The idea that anyone could take your photograph, on the street or in a public place, without your permission or consent, was simply outrageous to him. Keep in mind that he came from a background where a portrait typically meant commissioning a painter, and then sitting, and frankly if you didn’t like it – who hasn’t asked themselves “do I really look like that” – if you didn’t like it you could burn it and refuse to pay the artist.
Brandeis was so disturbed by the change that he found a right to privacy in United States law. There had to be one, he thought. Now we’ve still got remnants of his privacy nostalgia law, but it does nothing for the privacy of ordinary people. It’s mainly used to enrich celebrities who want to monetize their rejection of privacy and embrace of publicity.
Q: So you’re saying privacy legislation is based on old views of technology?
Privacy legislation is almost always an exercise in nostalgia. It’s always late. It’s always a step behind. And it’s an attempt to recapture a world that has slipped away.
Here’s another example. By the time the Anti-Wiretap Act was enacted, it was already outmoded. Technology was already making it easy to record conversations, and trying to prevent that was an uphill battle. Now, of course, with cell phone cameras, any time something happens on the street, we’ve got three separate feeds, law or no law.
Q: Has this law been abused by the powerful too?
Yes, many of the arrests for violating the law against eavesdropping on conversations have actually been efforts to protect police officers. In many states, until the laws were overturned, you couldn’t record a police officer going about his business. That makes it harder to monitor police behavior, but it has nothing to do with most people’s expectation of privacy.
Q: But now it’s a major issue in the European Union? Could privacy issues undermine the U.S. technological edge? Is data localization a danger?
I don’t think so. Say you’re a German. You absolutely insist on a German cloud provider. You can find one. But there will be a cost premium for that. And they won’t be able to offer the same flexibility, scale, features and robustness that say, Amazon or Microsoft can.
Now if you’re the same German and you want a server located in Germany, Amazon and Microsoft can handle that for you. If you’re concerned about privacy or regulatory concerns, handle it at the front end. Put it in the Terms of Service.
Q: Have the privacy regulations dented the American competitive edge in technology?
No. In fact, American cloud providers have outpaced international competitors since the Snowden revelations. They’re winning the race, despite European efforts to handicap them with special legal burdens.
Q: Can Silicon Valley handle it or is there a role for the United States in dealing with EU regulators?
The United States needs to push back as a government. Companies don’t want to be responsible for national security and economic growth. That doesn’t mean they won’t do the right thing. They are American, but this isn’t really their fight.
That’s especially true now, with the GDPR, which creates staggering penalties. Billions for a single infraction. That’s raised the stakes enormously. If you’re a U.S. tech provider, the path of least resistance is to keep the European regulators as happy as you can, no matter what the consequences are for U.S. national security.
Q: Have the hacks of the past summer – General Powell, Condoleezza Rice – affected perceptions of privacy?
No matter where you stand politically, people you respect got hacked: Podesta, Powell, Rice. People who laughed when Republican emails were hacked were outraged about Podesta.
People are responding in two ways. First, they are worrying more about security. They won’t archive. They’ll arrange to delete everything on a 90-day cycle. Things like that.
But they’re also adjusting their assumptions about privacy. They are being more circumspect in email. In fact, that struck me about the Podesta emails. For all the hoopla, he was pretty cautious in what he wrote. People know that email isn’t private, and they’ll adjust their behavior.
Q: What are the two big developments you see in cyberlaw in the next 18 months or so?
Well, GDPR is a big one. I just don’t see a scenario where it sails smoothly into law. For two decades now the United States has made unending concessions to Europe on privacy issues, but European negotiators are never satisfied. They keep selling us the same mule. The Trump Administration feels strongly about trade. They could easily say “we’ve given enough and got nothing in return. No more.” So we could see a confrontation there.
The other issue is the Trump Administration’s cyber security policy. They have said that they want the Department of Defense to take the lead. But they have not been clear what Defense is going to do. They’ve specified the driver, but not what he’s going to do once he’s behind the wheel. My suspicion is that you’ll see greater emphasis on deterring China, North Korea and Iran; less attention may be paid to Russia. But we will have to see.
Q: Thank you for your time.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or email@example.com. Mike may be reached at 919.783.2851 or firstname.lastname@example.org.