United States: Blame Hollywood: A Conversation With Stewart Baker, Former General Counsel Of The National Security Agency

Last Updated: January 30 2017
Article by Saad Gul and Michael E. Slipsky

Editor's Note: In the world of cyber law, privacy and cybersecurity, one of the largest and most colorful figures is Stewart Baker, whose resume includes a stint as General Counsel at the National Security Agency and Assistant Secretary of Homeland Security. A partner at Steptoe & Johnson LLP, where he hosts a popular cyberlaw podcast, he recently sat down to talk all things cyber with NC Privacy Blog.

Q: Thank you for your time. So, let's begin with the obvious: what prompted you to leave beautiful Southern California for a lifetime in the District of Columbia?

In my case, it was rather simple. My wife refused to live in Southern California. So I clerked in Portland, Maine, and then Washington, D.C. Then my wife and I compromised: we stayed in D.C., but far enough out in the country that she could ride horses, fuss over dogs, and generally look after any four legged creature that came to her.

Q: How does one go about becoming General Counsel of the NSA?

You know, the NSA was not as high profile in the early 90s. So the General Counsel position did not have the same cachet it would today. What happened was that there was a sense that the legal selection process was not generating candidates that the leadership felt would serve the needs of the agency. So a former NSA General Counsel was asked to go out and identify some additional candidates.

At the time, she was working with the Office of the Legal Advisor at the State Department. She called one of my partners, a former Legal Advisor himself. That call set the ball rolling.

Q: So at that time you weren't an expert on cyber or privacy issues?

No, I was an appellate and regulatory lawyer. This opportunity just happened to be bouncing around and eventually landed on my desk.

Q: And on such whims of fate careers turn?

Pretty much.

Q: And since then you have shuttled between public service and private practice?

Yes. I hold the record for the number of times I've returned to Steptoe & Johnson. 5 times.

Q: 5 times?

Well there was the NSA, and then stints at the Department of Education, Homeland Security, and the Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction.

Q: So if you weren't to the computer born, what was your first experience with computers?

My Apple II E. I bought it used. Spoke to friends, decided a computer that worked was all that I needed. I like being cheap!

Q: And what was the first legal issue you encountered involving computers? Law school?

No, not law school. I was a law clerk (ed: Justice Stevens) and the Supreme Court had just introduced word processing software – Wang. It involved special paper, dot matrix printers that shook the floor when coughing out printouts, very elegant. They ended up building a box around it to dampen the racket.

In fact, I made history by being the first law clerk to lose a draft opinion to the printer. We never did find out what happened to it. Probably still sitting in a queue somewhere.

Q: And that's lost to history?

Unless it turns up in the collection of Justice Stevens' papers a few decades from now.

Q: So what was it like at the NSA?

Well, I was getting my bearings, it had been a couple of weeks, and then this official came to see me. You know, one of the Men in Black. And the first thing he did was put a bottle of aspirin on my desk.

I told him "What's this? I don't have a headache."

Q: What did he say?

He assured me that by the time he was finished I would have one.

Q: What was the issue?

Well, it was a forerunner of the encryption debate we have been dealing with ever since. It's been a persistent issue pretty much ever since. Because there's equities on both sides of the issue. It's what I call the "first crypto-war."

Q: Was that the controversy over the Clipper Chip?

That's what it became, yes. The idea was that encrypted communication equipment would have an access key that could be used for law enforcement or national security. The access key would be kept in escrow. The government could obtain the key by going to court or following a procedure that protected the rights of citizens but still let us fight spies, criminals who might be using encryption.

Q: What was the outcome?

The Clipper Chip itself was a commercial flop, since it was carrying a lot of political baggage. Plus it was really expensive, and everyone you communicated with had to buy one. Even now, no one is making much money trying to sell voice encryption devices, so we shouldn't have been surprised. The chip probably did drag out the debate over encryption export controls by several years.

Q: How did the Clipper Chip and the Crypto War get its start?

I had just become GC of NSA toward the end of the George H.W. Bush Administration. They were not really interested in picking a fight over encryption. They had taken a lot of fire from the press. They had a packed agenda. And they did not see this complex issue as a priority given their time and other constraints.

Then we transitioned to Clinton. The Clinton folks were a lot more interested in it. Part of it was the life-cycle of the Administration. It was early. They had just come in. They had the drive and confidence that they could solve the policy puzzle created by encryption.

Q: So you stayed on with the Clinton Administration and saw both approaches?

I bridged the two, yes. It was a real contrast. It was like walking into the Situation Room in the Bush Administration with a big box of old nasty auto parts covered in dirt and grease. You tell the officials we have to make a functional machine from this. The first reaction from the outgoing Bush folks was to ask, "What could go wrong and who will take the blame when it does?"

Forward six months later. Bring the same box of greasy parts into the Situation Room in the Clinton Administration. The reaction around the table is very different, "Hey! We can fix this." Before you know it, everyone's pulling parts out of the box and trying to put them together.

Q: And now when you look back at the crypto wars?

Looking back, I feel pretty comfortable that we raised all the right questions, serious questions. Look, Silicon Valley has taken the view that there's "nothing to discuss when it comes to encryption." And that by asking for government access for law enforcement the government is somehow defying mathematics.

Q: Well, the concern as I understand it, is this: if you build a backdoor for the "good guys", then that is a vulnerability that the "bad guys" can also exploit.

That argument is not unserious. There is a valid point there. But the government has a better argument than Silicon Valley wants to admit. Look at the Apple fight.

Q: You're referring to the FBI wanting access to the San Bernardino phone?

Yes. The FBI went to Apple and wanted access to the shooters' phone. And Apple said there was no way to get into the phone. But the fact is that Apple can get into any phone. They can get into your iPhone. Or mine. That's how they update software.

If Apple believed the argument it's been making against the FBI, Apple would say "the ability to update software is dangerous. It creates a security vulnerability. It is so dangerous that we should have no updates."

That's not what Apple says. Instead, if challenged on updates, Apple would say "We have weighed the risks of software updates against the risk of leaving software unpatched, and the payoff from updates justifies the marginal risk of compromising your data."

The same is true for law enforcement access. Yes, it creates a theoretical vulnerability. But it also brings really important social benefits, in the form of criminals who can be caught.

Q: So you're saying the encryption debate is standard policy analysis: determining whether the benefits warrant the risk?

Yes, it is like any public policy issue. If there weren't good arguments on each side, it would have been settled long ago. It's intractable precisely because each side has a point.

Q: So that's why we are still debating this two decades later? Because each side has a point?

That is one reason. The privacy argument is not an unserious one. But there's also what I call Silicon Valley's "technological arrogance." The idea that people who disagree with them are just stupid, and that they can make policy debates irrelevant by releasing products that resolve the debate in their favor. Look, I'm the first to admit it: these are hard problems. But the solution isn't as clear as Silicon Valley or the privacy groups want you to think.

Q: If there was one popular prevailing misconception you could clear up, what would it be?

Look, movies paint a picture that is so disconnected from reality that I'm not sure where to begin to point out everything that's wrong. When Hollywood decides who to make the villain, it's increasingly constrained by lefty politics and Chinese money. American intelligence agencies have become the villains by default. There's no one else left, except perhaps a few Balkan warlords.

Q: I will have to quote you on that.

Go ahead. I wish ordinary Americans understood that everything the NSA does is within the law and how much effort goes into ensuring that.

Q: Training, legal vetting and so on?

Yes, here's an example. So in the early days of the Clinton Administration, the Attorney General of the United States came out to Fort Meade. And frankly, she had a bit of a chip on her shoulder with regard to the NSA. She gave the impression that she would have to explain to us about the Constitution. I suspected she'd seen too many Hollywood movies about us.

Q: What happened?

Well, the Director gave her a briefing of the Agency mission. Then he took her for a tour. So here you have the Director and the Attorney General walking around operations rooms filled with soldiers with earphones gathering intelligence through intercepts.

And do you know what the Director does?

Q: What?

Well, he stops by a random soldier and taps him on the shoulder.

Q: The soldier's reaction?

There's the Director, and the Attorney General, so he whips off his headphones and snaps to attention. And the Director says "Sergeant So-and-So, could you please tell the Attorney General what would happen if you came across an American in your intercepts?"

And the Sergeant says: "Ma'am if we suspect it's an American, this is the procedure to verify that. If we know it's an American, we flag it, we anonymize it, and we start following so-and-so protocol to ensure that we protect American citizens." And he starts reciting the steps that he takes.

Q: Steps?

Well, there is legal guidance on different scenarios. The General Counsel's office has determined what to do in this situation, or that situation. Now that doesn't mean that an American's communications don't end up in some collection effort. That can happen.

For that matter, if there's an American who is a spy or terrorist or a foreign intelligence operative, then they aren't going to be ignored.

But every single thing that is done is done in accordance with the letter of the law. A lot of effort goes into making sure that all NSA operations are legal.

Q: What was the Attorney General's reaction?

Well she learnt the truth: that NSA folks know the law, they are trained what that law is, and everyone, without question, is expected to follow the law.

Q: What was your reaction while all of this was going on?

You know that lawyers are trained to never ask a question unless you know the answer. And here is the Director asking a random soldier standing at attention such a question – and in front of the Attorney General. So I ask him later: What if the soldier had flubbed it?

And the Director says, "I knew he would give the right answer. You know why? Because I went through that training too earlier in my career." This is the Director of the NSA we are talking about. And he says he had it drilled over and over till he could comply with it in his sleep.

That's a fundamental part of NSA's culture.

Q: So the Snowden revelations....

The problem with the revelations was that the details of what the NSA does, and how much the NSA does, astounded a lot of people. Now I think they were released in a way to have a particular political impact. The Washington Post ran a series of stories that created an erroneous early impression that the agency never recovered from.

Everything the NSA did had been blessed by judges, and checked by the lawyers. You can disagree with the judges; you can change the law. But no one should think that the agency was acting outside the legal rules as they stood at the time.

Q: Have you ever met Glenn Greenwald or Snowden?

Nope. We've had one or two, err, intense exchanges on social media, but I've never met them.

Q: What does The Grugq (reclusive security researcher recently on Stewart's podcast) look like?

I don't know. *laughs* He called in to the podcast. I think he used a burner phone. And probably discarded it after the call.

Q: You have been an outspoken advocate of the position that European privacy regulations, first Safe Harbor, now Privacy Shield, and soon the GDPR, are thinly disguised protectionist efforts against successful U.S. technology giants.

Yes. Decades ago, French officials were taking the position that data processing industries were "vital national capabilities" that had to be protected.

Now that doesn't mean that there aren't policymakers who are genuinely concerned about privacy as a value. It just happens that those values tend to come into play at convenient times. I think privacy laws are uniquely susceptible to misuse for other purposes.

Q: For example?

If you look at the United States, our own privacy jurisprudence came from Justice Brandeis. He wrote strongly on the subject. Convinced dozens of jurisdictions to adopt privacy laws. Do you happen to know what invasion of privacy moved him so deeply?

Q: I'd hesitate to guess.

Having his picture taken! The idea that anyone could take your photograph, on the street or in a public place, without your permission or consent, was simply outrageous to him. Keep in mind that he came from a background where a portrait typically meant commissioning a painter, and then sitting, and frankly if you didn't like it – who hasn't asked themselves "do I really look like that" – if you didn't like it you could burn it and refuse to pay the artist.

Brandeis was so disturbed by the change that he found a right to privacy in United States law. There had to be one, he thought. Now we've still got remnants of his privacy nostalgia law, but it does nothing for the privacy of ordinary people. It's mainly used to enrich celebrities who want to monetize their rejection of privacy and embrace of publicity.

Q: So you're saying privacy legislation is based on old views of technology?

Privacy legislation is almost always an exercise in nostalgia. It's always late. It's always a step behind. And it's an attempt to recapture a world that has slipped away.

Here's another example. By the time the Anti-Wiretap Act was enacted, it was already outmoded. Technology was already making it easy to record conversations, and trying to prevent that was an uphill battle. Now, of course, with cell phone cameras, any time something happens on the street, we've got three separate feeds, law or no law.

Q: Has this law been abused by the powerful too?

Yes, many of the arrests for violating the law against eavesdropping on conversations have actually been efforts to protect police officers. In many states, until the laws were overturned, you couldn't record a police officer going about his business. That makes it harder to monitor police behavior, but it has nothing to do with most people's expectation of privacy.

Q: But now it's a major issue in the European Union? Could privacy issues undermine the U.S. technological edge? Is data localization a danger?

I don't think so. Say you're a German. You absolutely insist on a German cloud provider. You can find one. But there will be a cost premium for that. And they won't be able to offer the same flexibility, scale, features and robustness that say, Amazon or Microsoft can.

Now if you're the same German and you want a server located in Germany, Amazon and Microsoft can handle that for you. If you're concerned about privacy or regulatory concerns, handle it at the front end. Put it in the Terms of Service.

Q: Have the privacy regulations dented the American competitive edge in technology?

No. In fact, American cloud providers have outpaced international competitors since the Snowden revelations. They're winning the race, despite European efforts to handicap them with special legal burdens.

Q: Can Silicon Valley handle it or is there a role for the United States in dealing with EU regulators?

The United States needs to push back as a government. Companies don't want to be responsible for national security and economic growth. That doesn't mean they won't do the right thing. They are American, but this isn't really their fight.

That's especially true now, with the GDPR, which creates staggering penalties. Billions for a single infraction. That's raised the stakes enormously. If you're a U.S. tech provider, the path of least resistance is to keep the European regulators as happy as you can, no matter what the consequences are for U.S. national security.

Q: Have the hacks of the past summer – General Powell, Condoleezza Rice – affected perceptions of privacy?

No matter where you stand politically, people you respect got hacked: Podesta, Powell, Rice. People who laughed when Republican emails were hacked were outraged about Podesta.

People are responding in two ways. First, they are worrying more about security. They won't archive. They'll arrange to delete everything on a 90 day cycle. Things like that.

But they're also adjusting their assumptions about privacy. They are being more circumspect in email. In fact, that struck me about the Podesta emails. For all the hoopla, he was pretty cautious in what he wrote. People know that email isn't private, and they'll adjust their behavior.

Q: What are the two big developments you see in cyberlaw in the next 18 months or so?

Well, GDPR is a big one. I just don't see a scenario where it sails smoothly into law. For two decades now the United States has made unending concessions to Europe on privacy issues, but European negotiators are never satisfied. They keep selling us the same mule. The Trump Administration feels strongly about trade. They could easily say "we've given enough and got nothing in return. No more." So we could see a confrontation there.

The other issue is the Trump Administration's cyber security policy. They have said that they want the Department of Defense to take the lead. But they have not been clear what Defense is going to do. They've specified the driver, but not what he's going to do once he's behind the wheel. My suspicion is that you'll see greater emphasis on deterring China, North Korea and Iran; less attention may be paid to Russia. But we will have to see.

Q: Thank you for your time.

My pleasure.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
