Presentation from Tim Edgar tracking developments in federal surveillance law and how they affect Virtru's strategy for responding to national security orders and other requests for information.
2. CONFIDENTIAL
Why is Virtru Tracking Surveillance Law?
While Virtru hasn’t been affected by a national security order, we need to be prepared.
Our product predates the “startup clause” of the recent DOJ settlement. We intend to continue publishing transparency reports.
Virtru’s strategy hinges upon how the courts view encryption keys and what is required to access these keys.
3. Internet Backbone in 2010
• For better or worse, US is the hub of the global Internet.
• Very hard for foreign countries to wall themselves off and ineffective anyway.
• Special responsibility and sensitivity for US companies given recent revelations.
4. US Technology Companies: Bad Rep on Privacy
Mark Zuckerberg (Facebook): “That social norm is just something that has evolved over time.”
Scott McNealy (Sun Microsystems): “You have zero privacy anyway. Get over it.”
5. Data: How Law Sees It
Data: generally treated as writing
Analogies
-- files = documents
-- computer = container
In transit versus at rest
-- at rest = document?
-- in transit = wiretap?
6. Metadata Collection
• Despite major debate, few real changes to surveillance laws in the past year.
• Most likely reform in the short run is to bulk telephony metadata collection
– Internet bulk metadata collection under different provision of FISA could affect Virtru; ended in 2011
7. Content Collection
• Methods of collection: criminal tools, FISA (traditional and section 702), overseas signals intelligence
• ECPA reform (criminal) hasn’t gone anywhere
• President’s reform directive (PPD-28) guidelines to protect privacy interests of foreigners
• Reform coalition: tighten section 702 of FISA (e.g., restrict categories of intelligence); not in current FISA reform bills
• PCLOB to provide recommendations on section 702 in June
8. Encryption Keys
• Still unclear what legal tools are permitted to access encryption keys: subpoena, pen/trap, search warrant?
• Lavabit – raised “master key” issue because architecture was flawed; Virtru’s is different, would not raise same issue
• Lavabit case sidestepped issue: dismissed appeal because Lavabit failed to properly raise arguments in district court
9. Mobile Phone Search Cases
Is a warrant needed to search phone upon arrest?
United States v. Wurie, 13-212
Boston case – following up on information from review of cell phone logs on arrest at a drug deal resulted in search of suspect’s apartment
Riley v. California, No. 13-132
California case – forensic analysis of photos on phone led to arrest for gang activity, following arrest on traffic violation
10. Transparency
• Google, other major tech companies agreed with DOJ on rules for transparency reports; withdrew legal challenge.
• Agreement sets forth DOJ position; contains 2-year gag rule for “new capabilities”
• Virtru published a transparency report and promised to update regularly; would test this rule