SOTN2023-20 Fireside Chat with Travis LeBlanc

Joly MacFie24min

Amie Stepanovich

00:03

Good afternoon, everybody. You're almost done. I caught a glimpse of Alan Friedman earlier who I think is running cocktails later today. So you're just keep getting steps and steps closer. My name is Amy Stanovich. I am the Vice President for US policy at the Future of Privacy Forum and a board member with the Internet Education Foundation. And mostly I'm pleased, because you're not here to hear from me, you're here to hear from Travis LeBlanc, who currently serves as a board member on the US Privacy and Civil Liberties Oversight Board are P club because DC cannot refer to anything not by an acronym, which we'll talk about I think a little bit. Travis has been a board member since 2019. Originally nominated by then President Trump and re nominated by President Biden. In a prior life and many prior lives. Travis was selected by the US Department of Commerce and the European Commission to serve as an arbitrator for the EU us Privacy Shield framework. He is the former chief of the FCC Enforcement Bureau under the Obama administration, during which time he spearheaded hundreds of enforcement actions involving consumer issues. And today, in addition to your pee club work, you are also co lead of coulees global litigation department and the firm's cyber data and privacy practice. So you are busy.

Travis LeBlanc

01:26

Just a little bit.

Amie Stepanovich

01:29

So just to start us off and introduce a little bit about what you're doing in your role at p Club today. P club has had three chairs, since it became an independent agency in 2007. And had one chair prior to that, um, you became a board member 2018, which means you've served under two of those three chairs. So you've seen two thirds of P club, can you talk a little bit about the history of the board and what projects that you have worked on since you've been there?

Travis LeBlanc

01:54

Yeah, happy to do so. And first off, let me thank state of the net, and the Internet Education Foundation for inviting me to this to this session. This is my second or third time at state of the net, I always enjoy the conversations here. And I'm especially excited to be able to partake in this conversation with you, Amy. You know, as a good government employee, in a multi member agency, it's my responsibility to to note that I am one individual member of the board, I'm here in my individual official capacity speak for myself only I don't speak for the board or any staff member of the board as well. The Privacy and Civil Liberties Oversight Board is a five member bipartisan board. It's an executive agency and the executive branch that oversees the national security efforts of the US government to protect against terrorism, while balancing those with privacy and civil liberties. When the President is a Democrat as he is right now, three of the board members are Democrats and then the other two board members are Republican. We all you know, the chair works full time every single day at the agency, the other four members are part time, we all have top secret security clearances, there's no program or activity, at least that I'm aware of right now that if it were within our jurisdiction, we would be precluded from being able to access but it also means that almost everything that we do is highly classified, not everything. But a lot of what we do is is highly classified in my time on the board. The two most high profile issues that we've worked on is a report on section 215, which was, you know, a provision that allowed the NSA in particular, to collect the call detail records of you know, a lot of people, I believe millions of folks were caught into it, the NSA stopped doing that program in 2019 or so. And we put out a report on the 215 program. The other major report that we worked on while I've been on the board was for a government program called X key score, which is also an NSA program that is operated pursuant to executive order 12 Triple three, and is one where we finished the report who in it's probably February of 2021, February of 2021. I believe the only thing that has been released on this report to this date is my statement in connection with the report, you know, for more than a year, almost a year and a half now, that reports have been sitting I believe, with the Department of Justice waiting on them to approve a public release, which I hope will happen very very soon. But it also really highlights the challenges that we work in when we have a mandate to be as transparent as possible. But we're working on highly classified programs. And it takes a while to sometimes get that information from us to Congress and ultimately to the public. And the hope is We'll be able to speed that process up and be able to address these issues more quickly on the back end when we have a report, you know, but speaking of, you know, reports, it also occurs to me that on the front end, we could do a little bit more on transparency, as well. And, you know, one example of that would be to, you know, reexamine the Government Act and the requirement of a privacy impact assessment that, you know, agencies are supposed to do, but there's an exception in there for national security systems that don't necessarily have to have to do a privacy impact assessment. If we were to remove that exception, Congress would remove that exception to require them recognizing the importance of privacy and civil liberties. And at the same time, also modernize it. So that we're thinking about, for example, principles like privacy by design, which in 2002, when the E Government Act was passed, we're not necessarily as critical as they are today.

Amie Stepanovich

05:52

Well, thank you for being here today. Given your push toward transparency, I would say this is another step that we're taking is you speaking here with everybody today and answering some questions about this? And we already have two calls to action, maybe ish. So you've addressed a little bit about what you have done since your time on the board. Why don't we talk about what you're working on now? And what are today's P club priorities?

Travis LeBlanc

06:17

Yes. So again, speaking, you know, primarily as is, from my my standpoint, as a board member, the number one priority that we have, and that we're addressing, is domestic terrorism. This has been the number one terrorist threat to the United States for hundreds of years at this point have been domestic in origin, it's not something that just came out of, you know, 2021, it is something that has, you know, plagued our country's history, unfortunately, largely with the targeting of racial minorities over the country's history. But if you look back at the number of two, and by the way, the Department of Homeland Security agrees, the Office of the Director of National Intelligence, they all agree the number one terrorist threat to the United States of America is domestic in origin. And if we accept that and begin to work on it, then we on the board have to also think about the privacy and civil liberties implications of that of that tournament. It's a project that we have launched and one that we're working heavily on, there was a as part of section 824 of the Consolidated Appropriations Act of 2022. We are required at the P club to do a reporter assess the impacts of on privacy and civil liberties of Americans concerning the the use, or the foreign, the foreign connection to domestic terrorism, as well. So that's something we're working on. For several years now, we've been looking at biometrics and in particularly in the aviation context, looking at the use of say, facial recognition technology by the Transportation Security Administration, or by Customs and Border Protection, you know, for entry and exit into the United States, whether that's you could imagine a world where it's not far off, where when you may go through TSA, rather than asking you for your driver's license, they take an image of you, you know, immediately and compare it to a database of known images that they have to authenticate you and move you through without looking at your driver's license or the same to board a plane or to enter the country, as well. So we've been looking at biometrics and ensuring privacy and civil liberties. And we are also heavily working on the Foreign Intelligence Surveillance Act, which I suspect is a topic you may want to discuss why don't

Amie Stepanovich

08:29

we dive into that? I think that's a big topic this year. For those of you who aren't aware, section 702 is an authority legal authority, originally born out of what most people would colloquially colloquially words, know as the warrantless wiretapping program. That was entrenched into law in Section 72 of the FISA Amendments Act. A big argument at the time was over retroactive immunity for companies who were engaging in that program. And the very, very basic gist of the authority is that it is surveillance for non US persons outside the US when the surveillance itself takes place within the United States. And we've learned about two key programs that take place under 702, the PRISM program and the upstream program, we might at some point learn more about X key score, as this report is made public and the end of this year, that law is up for renewal by Congress, or it will expire like other authorities have before it. So key elements of FISA are going to be considered by Congress this year, we already have seen some action by advocacy organizations engaging on that topic. Why don't you tell us about section 702 while you're working on it and why it is so important to

Travis LeBlanc

09:55

your work? Yes, so we've been working on an update relate to our Seminole 2014 report on section 702. For more than a year now, we've been, we've had several meetings with the intelligence community. You know, I, as a member of the board, have met with the director of national intelligence, Director Haynes, with the director of the CIA, with the director of the NSA, general Nakasone, with the FBI director, Chris rea. And we're trying to schedule a meeting with the Attorney General, which hopefully, will happen soon, especially given how important this is to him and ensuring the privacy and civil liberties are protected in the operation of section 702. We we've also, we did a public comment period, as well, last year that we open for any comments from the public to receive about section 702. And we hosted a public forum on section 702. So we were eagerly working on the report, we have hundreds of pages written at this point on the on the report, and I am very hopeful that it'll be ready later this year, most likely, either the end of the summer, or you know, the early fall, but see my earlier comments about how long it takes to go from a port report once it's finalized by us to actually getting out of the door. But I do know this is a huge priority for the administration, and that there are numerous people across agencies working to help us get this finalized and out out the door.

Amie Stepanovich

11:28

Wonderful. You gave us your caveat that you are about one member of a five member board. But I wonder if you can talk maybe a little specifically about how you are approaching your work on section 702. And the review of the authority. Yes,

Travis LeBlanc

11:43

so let me start by saying this is a highly classified program. And therefore I'm going to be limited in what I can say or all the information that, you know, I may have available. We're also a five person board. And so I'm just I'm just one member. But given what I have seen, and what I know, I do have several concerns about a clean reauthorization without significant common sense, reforms to safeguard privacy and civil liberties. And I sort of start with the premise that incidental collection is a major issue for the program. And by incidental collection, we're talking about the operation of a program that incidentally collects us person communications while targeting foreigners abroad for their communications, we don't have a number on the number of US persons that are impacted by this since 2014, the board has recommended that the NSA develop a methodology and release the number of US person communications collected under the program. But thus far, they failed to do so. So we know that there's a large number of US persons that are ultimately caught in this in the operation of the section 702 program. We also know that there's a massive number of queries of US persons on the collections that have been targeted as part of the program. And so in the most recent public report, the FBI reported that it had queried 3.4 million searches of the of the 702 collections for US persons or or, you know, that were labeled as us as US persons 3.4 million. That's a lot, a lot for a program that is designed around, you know, targeting the communications of foreigners to suddenly 3.4 million queries that have happened there. And you do have to wonder, you know, what, what are these used for, you know, what are these 3.4 million queries that have been taking place? And, you know, are they Is there a value to them, thus far, we have minimal to negligible examples of the value of a 3.4 million queries of US persons in this particular in this particular system. And I want to distinguish between the value of the program in targeting foreigners abroad, and especially, you know, for foreign intelligence, national security purposes, terrorism, anti terrorism purposes, distinguish that from actually queering it for us purposes, right when you're now searching it not for, you know, something necessarily over here, but now of US persons and whether, you know, when you're operating in the United States, a different lens ought to apply there. We have a large number of compliance issues that we are that we've seen over the years, and, you know, these compliance issues particularly around us, person queries are quite significant. We're talking about you know, you know, querying this, these, the 702 database in particular by the by the Bureau For derogatory vetting information, for example, you know, querying for participants in the FBI Citizens Academy, which is, you know, a group of business and civic and religious leaders that are working to understand the role of law enforcement in their communities, but queering them through the databases, querying individuals who provide tips, or report themselves as victims of crimes, querying a local political party query and a US member of Congress queering social security numbers, again, in a database that was designed to target the, you know, the communications of foreigners located abroad, that suddenly now we're looking at office repairman, and queering, someone who's coming in to the bureau, for example, to repair, you know, some, some some broken facility there, for example, to actually query to make sure they're not in the data set. I think that these are all compliance. And so I'm not making any, these are all public, these are already out there. They've been reported in the public. But those are some of the examples over the years that we've that we've seen. And in this, you know, even Matt Olson, the Assistant Attorney General, for National Security Division last week himself recognize that, you know, and I'm quoting, every compliance incident matters, of course, but incidents involving US persons information are especially damaging to public trust. Even he recognized the the the large number of compliance incidents over the years that have resulted from us person queries. So we don't know how many people are involved. We know there's a massive number of queries, we know that there's a substantial number of compliance incidents that are at issue. And so how do we address these? You know, in my view, first of all, we need to finally, you know, ensure through a congressional mandate, that there is a requirement to estimate or to calculate the number of US persons who are ins whose communications are incidentally collected as part of the operation of section 702. There's an interesting report that's come out of Jonathan Mayer's lab at Princeton, which has set forth a process for estimating that that may be one to consider. But it's it's it's, it's far time to require that to be done. Secondly, we need to be better at knowing which communications actually involve us persons. And I believe a common sense way to do that would be to tag us persons, when you tag a record or communication as a US person communication, when an analyst becomes aware that it is a US person, so that that flows through to every other person that season also triggers certain other retention requirements. Thirdly, we've reached a point where it's time for to consider the the necessity of a prior court order before querying, you know, section 702 collections for US persons. That is an important safeguard that could be put in place. And it seems to me, given the the number of compliance and incidents given the relative, you know, lack of value that's been explained for queering without a warrant for us person queries that that seems viable. Fourthly, we've talked you mentioned a little bit about about Congress in 2018, when it reauthorized it, you know, the, you know, made a provision that if the NSA were to resume about collection, that it would notify Congress before doing that it hasn't done that. But I do believe it needs to be codified and into about collection. And we need to be clear about applying to both downstream and upstream communications. And then finally, we have to solve this issue called batch job queries, which are queries where it's where an FBI agent, usually, it will query the entire collection 400 1000 2000 people all at one time with one justification. The risk there is that if that error if that query is inappropriate or wrong, suddenly 2000 people or 10,000, or 100,000, are implicated by this, the the the FBI has reduced it to to that number to 100 before getting approval, but I do have concerns about whether there's any ability to at all do batch queries in a way that would be consistent with the President's new executive order on signals intelligence from last year executive order 14 086, which contains unnecessary, unnecessary and proportionality requirements. For all signals intelligence activities, it is hard for me to imagine that there's a way to justify bulk you know, batch searches in a way that's necessary and proportionate.

Amie Stepanovich

19:56

I certainly agree with that. We only have a few minutes. left. I do want to talk about you know, normally when you work on privacy, you either work on surveillance and intelligence or consumer privacy, and your work happens to span both. So I think something that a lot of people in here might be working on or thinking about now is the new US EU data privacy framework. The agita as we were speaking in advance, the acronym for this agreement has changed several times over. Can you talk about the new agreement, how it might be different from the privacy shield that came and went before it and how P club is involved in this new agreement?

Travis LeBlanc

20:36

Yes, so So obviously, data flows between transatlantic data flows are extremely important $7.1 trillion in US EU economic relationship are directed towards those flows. This is the third time we will have approached this right there was initially Safe Harbor, then there was Privacy Shield. And now we have the DPF. And two times, it's been struck down by the CJ EU, as they've they've reviewed it for not adequately protecting the rights of European data subjects. The DPF is, is a big change, it's a very important change. First of all, it's a big deal that there's an executive order on signals intelligence amendments, and that it contains a necessary necessary and proportionality and that it puts in place a data privacy, a data protection review court, which would be available to review the right to offer new redress mechanism, in particular for European data subjects. But there's also importantly, a reciprocity clause that is contained in the executive order that recognizes that the provision, the protections that are there, should all you know can only you know, may only be extended to countries that afford adequate protections to US persons that are there. And I think the sort of challenge that we face, as we look at this, you know, we know Max Schrems is going to to challenge it again, we know that there's been a lot of activity on this in the last couple, the last couple of weeks, right, you've gotten a decision out of the labor committee of parliament that has raised concerns about the agreement you've got last week, the European Data Protection Board, you know, issued its non binding opinion, and we've worked with them. We've, you know, I met with the European Data Protection Board along with Sharon Bradford Franklin, our chair, we met with the libre committee, as well. You know, the the EDP B's decision specifically says that they believe that P clubs section 702 report is critical to a determination of adequacy. So these things are, are linked together. But on a going forward basis. My concern is whether the goalposts will be moved by the CJ EU, if you look at some of the decisions that they've issued on, you know, sort of the French intelligence authorities, if you look at some of the other concerns they've raised, I actually am concerned that even if we have this agreement and addresses it, that the goalposts will move there. And then you combine that with the fact that, you know, the there are adequacy decisions for other countries such as, you know, Israel or, or the United Kingdom, which fundamentally do the same kinds of activities as we in the United States do. And you have to start to wonder, to what extent is data protection masquerading as data protectionism. And if we are in a place where we're reaching data protectionism, then maybe the future for the United States is beginning to think, How can we protect the data of US persons when it goes abroad? It's very easy when all the protections are on the other side of the Atlantic. But what if you reach a point where you sort of say us data shouldn't be free, US data ought to have some protections. And at that point, we level the playing field when it comes to hopefully reaching a final solution. I fear that this is the third time if it doesn't work this time. I don't know that there honestly, is a fourth time because the industry can't every two years, go back and find a new way to do this. At some point. You just need certainty to help move us forward. Well, thank

Amie Stepanovich

24:08

you for joining us here today. Everybody give a round of applause for board member Lebron James.

00:0000:00