United States: Blame Hollywood: A Conversation With Stewart Baker, Former General Counsel Of The National Security Agency

Last Updated: January 30 2017
Article by Saad Gul and Michael E. Slipsky

Editor's Note: In the world of cyber law, privacy and cybersecurity, one of the largest and most colorful figures is Stewart Baker, whose resume includes a stint as General Counsel at the National Security Agency and Assistant Secretary of Homeland Security. A partner at Steptoe & Johnson LLP, where he hosts a popular cyberlaw podcast, he recently sat down to talk all things cyber with NC Privacy Blog.

Q: Thank you for your time. So, let's begin with the obvious: what prompted you to leave beautiful Southern California for a lifetime in the District of Columbia?

In my case, it was rather simple. My wife refused to live in Southern California. So I clerked in Portland, Maine, and then Washington, D.C. Then my wife and I compromised: we stayed in D.C., but far enough out in the country that she could ride horses, fuss over dogs, and generally look after any four legged creature that came to her.

Q: How does one go about becoming General Counsel of the NSA?

You know, the NSA was not as high profile in the early 90s. So the General Counsel position did not have the same cachet it would today. What happened was that there was a sense that the legal selection process was not generating candidates that the leadership felt would serve the needs of the agency. So a former NSA General Counsel was asked to go out and identify some additional candidates.

At the time, she was working with the Office of the Legal Advisor at the State Department. She called one of my partners, a former Legal Advisor himself. That call set the ball rolling.

Q: So at that time you weren't an expert on cyber or privacy issues?

No, I was an appellate and regulatory lawyer. This opportunity just happened to be bouncing around and eventually landed on my desk.

Q: And on such whims of fate careers turn?

Pretty much.

Q: And since then you have shuttled between public service and private practice?

Yes. I hold the record for the number of times I've returned to Steptoe & Johnson. 5 times.

Q: 5 times?

Well there was the NSA, and then stints at the Department of Education, Homeland Security, and the Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction.

Q: So if you weren't to the computer born, what was your first experience with computers?

My Apple II E. I bought it used. Spoke to friends, decided a computer that worked was all that I needed. I like being cheap!

Q: And what was the first legal issue you encountered involving computers? Law school?

No, not law school. I was a law clerk (ed: Justice Stevens) and the Supreme Court had just introduced word processing software – Wang. It involved special paper, dot matrix printers that shook the floor when coughing out printouts, very elegant. They ended up building a box around it to dampen the racket.

In fact, I made history by being the first law clerk to lose a draft opinion to the printer. We never did find out what happened to it. Probably still sitting in a queue somewhere.

Q: And that's lost to history?

Unless it turns up in the collection of Justice Stevens' papers a few decades from now.

Q: So what was it like at the NSA?

Well, I was getting my bearings, it had been a couple of weeks, and then this official came to see me. You know, one of the Men in Black. And the first thing he did was put a bottle of aspirin on my desk.

I told him, "What's this? I don't have a headache."

Q: What did he say?

He assured me that by the time he was finished I would have one.

Q: What was the issue?

Well, it was a forerunner of the encryption debate we have been dealing with ever since. It's been a persistent issue pretty much ever since. Because there's equities on both sides of the issue. It's what I call the "first crypto-war."

Q: Was that the controversy over the Clipper Chip?

That's what it became, yes. The idea was that encrypted communication equipment would have an access key that could be used for law enforcement or national security. The access key would be kept in escrow. The government could obtain the key by going to court or following a procedure that protected the rights of citizens but still let us fight spies, criminals who might be using encryption.

Q: What was the outcome?

The Clipper Chip itself was a commercial flop, since it was carrying a lot of political baggage. Plus it was really expensive, and everyone you communicated with had to buy one. Even now, no one is making much money trying to sell voice encryption devices, so we shouldn't have been surprised. The chip probably did drag out the debate over encryption export controls by several years.

Q: How did the Clipper Chip and the Crypto War get its start?

I had just become GC of NSA toward the end of the George H.W. Bush Administration. They were not really interested in picking a fight over encryption. They had taken a lot of fire from the press. They had a packed agenda. And they did not see this complex issue as a priority given their time and other constraints.

Then we transitioned to Clinton. The Clinton folks were a lot more interested in it. Part of it was the life-cycle of the Administration. It was early. They had just come in. They had the drive and confidence that they could solve the policy puzzle created by encryption.

Q: So you stayed on with the Clinton Administration and saw both approaches?

I bridged the two, yes. It was a real contrast. It was like walking into the Situation Room in the Bush Administration with a big box of old nasty auto parts covered in dirt and grease. You tell the officials we have to make a functional machine from this. The first reaction from the outgoing Bush folks was to ask, "What could go wrong and who will take the blame when it does?"

Forward six months later. Bring the same box of greasy parts into the Situation Room in the Clinton Administration. The reaction around the table is very different, "Hey! We can fix this." Before you know it, everyone's pulling parts out of the box and trying to put them together.

Q: And now when you look back at the crypto wars?

Looking back, I feel pretty comfortable that we raised all the right questions, serious questions. Look, Silicon Valley has taken the view that there's "nothing to discuss" when it comes to encryption. And that by asking for government access for law enforcement the government is somehow defying mathematics.

Q: Well, the concern as I understand it, is this: if you build a backdoor for the "good guys", then that is a vulnerability that the "bad guys" can also exploit.

That argument is not unserious. There is a valid point there. But the government has a better argument than Silicon Valley wants to admit. Look at the Apple fight.

Q: You're referring to the FBI wanting access to the San Bernardino phone?

Yes. The FBI went to Apple and wanted access to the shooters' phone. And Apple said there was no way to get into the phone. But the fact is that Apple can get into any phone. They can get into your iPhone. Or mine. That's how they update software.

If Apple believed the argument it's been making against the FBI, Apple would say "the ability to update software is dangerous. It creates a security vulnerability. It is so dangerous that we should have no updates."

That's not what Apple says. Instead, if challenged on updates, Apple would say "We have weighed the risks of software updates against the risk of leaving software unpatched, and the payoff from updates justifies the marginal risk of compromising your data."

The same is true for law enforcement access. Yes, it creates a theoretical vulnerability. But it also brings really important social benefits, in the form of criminals who can be caught.

Q: So you're saying the encryption debate is standard policy analysis: determining whether the benefits warrant the risk?

Yes, it is like any public policy issue. If there weren't good arguments on each side, it would have been settled long ago. It's intractable precisely because each side has a point.

Q: So that's why we are still debating this two decades later? Because each side has a point?

That is one reason. The privacy argument is not an unserious one. But there's also what I call Silicon Valley's "technological arrogance." The idea that people who disagree with them are just stupid, and that they can make policy debates irrelevant by releasing products that resolve the debate in their favor. Look, I'm the first to admit it: these are hard problems. But the solution isn't as clear as Silicon Valley or the privacy groups want you to think.

Q: If there was one popular prevailing misconception you could clear up, what would it be?

Look, movies paint a picture that is so disconnected from reality that I'm not sure where to begin to point out everything that's wrong. When Hollywood decides who to make the villain, it's increasingly constrained by lefty politics and Chinese money. American intelligence agencies have become the villains by default. There's no one else left, except perhaps a few Balkan warlords.

Q: I will have to quote you on that.

Go ahead. I wish ordinary Americans understood that everything the NSA does is within the law and how much effort goes into ensuring that.

Q: Training, legal vetting and so on?

Yes, here's an example. So in the early days of the Clinton Administration, the Attorney General of the United States came out to Fort Meade. And frankly, she had a bit of a chip on her shoulder with regard to the NSA. She gave the impression that she would have to explain to us about the Constitution. I suspected she'd seen too many Hollywood movies about us.

Q: What happened?

Well, the Director gave her a briefing of the Agency mission. Then he took her for a tour. So here you have the Director and the Attorney General walking around operations rooms filled with soldiers with earphones gathering intelligence through intercepts.

And do you know what the Director does?

Q: What?

Well, he stops by a random soldier and taps him on the shoulder.

Q: The soldier's reaction?

There's the Director, and the Attorney General, so he whips off his headphones and snaps to attention. And the Director says "Sergeant So-and-So, could you please tell the Attorney General what would happen if you came across an American in your intercepts?"

And the Sergeant says: "Ma'am if we suspect it's an American, this is the procedure to verify that. If we know it's an American, we flag it, we anonymize it, and we start following so-and-so protocol to ensure that we protect American citizens." And he starts reciting the steps that he takes.

Q: Steps?

Well, there is legal guidance on different scenarios. The General Counsel's office has determined what to do in this situation, or that situation. Now that doesn't mean that an American's communications don't end up in some collection effort. That can happen.

For that matter, if there's an American who is a spy or terrorist or a foreign intelligence operative, then they aren't going to be ignored.

But every single thing that is done is done in accordance with the letter of the law. A lot of effort goes into making sure that all NSA operations are legal.

Q: What was the Attorney General's reaction?

Well she learnt the truth: that NSA folks know the law, they are trained what that law is, and everyone, without question, is expected to follow the law.

Q: What was your reaction while all of this was going on?

You know that lawyers are trained to never ask a question unless you know the answer. And here is the Director asking a random soldier standing at attention such a question – and in front of the Attorney General. So I ask him later: What if the soldier had flubbed it?

And the Director says, "I knew he would give the right answer. You know why? Because I went through that training too earlier in my career." This is the Director of the NSA we are talking about. And he says he had it drilled over and over till he could comply with it in his sleep.

That's a fundamental part of NSA's culture.

Q: So the Snowden revelations....

The problem with the revelations was that the details of what the NSA does, and how much the NSA does, astounded a lot of people. Now I think they were released in a way to have a particular political impact. The Washington Post ran a series of stories that created an erroneous early impression that the agency never recovered from.

Everything the NSA did had been blessed by judges, and checked by the lawyers. You can disagree with the judges; you can change the law. But no one should think that the agency was acting outside the legal rules as they stood at the time.

Q: Have you ever met Glenn Greenwald or Snowden?

Nope. We've had one or two, err, intense exchanges on social media, but I've never met them.

Q: What does The Grugq (reclusive security researcher recently on Stewart's podcast) look like?

I don't know. *laughs* He called in to the podcast. I think he used a burner phone. And probably discarded it after the call.

Q: You have been an outspoken advocate of the position that European privacy regulations, first Safe Harbor, now Privacy Shield, and soon the GDPR, are thinly disguised protectionist efforts against successful U.S. technology giants.

Yes. Decades ago, French officials were taking the position that data processing industries were "vital national capabilities" that had to be protected.

Now that doesn't mean that there aren't policymakers who are genuinely concerned about privacy as a value. It just happens that those values tend to come into play at convenient times. I think privacy laws are uniquely susceptible to misuse for other purposes.

Q: For example?

If you look at the United States, our own privacy jurisprudence came from Justice Brandeis. He wrote strongly on the subject. Convinced dozens of jurisdictions to adopt privacy laws. Do you happen to know what invasion of privacy moved him so deeply?

Q: I'd hesitate to guess.

Having his picture taken! The idea that anyone could take your photograph, on the street or in a public place, without your permission or consent, was simply outrageous to him. Keep in mind that he came from a background where a portrait typically meant commissioning a painter, and then sitting, and frankly if you didn't like it – who hasn't asked themselves "do I really look like that" – if you didn't like it you could burn it and refuse to pay the artist.

Brandeis was so disturbed by the change that he found a right to privacy in United States law. There had to be one, he thought. Now we've still got remnants of his privacy nostalgia law, but it does nothing for the privacy of ordinary people. It's mainly used to enrich celebrities who want to monetize their rejection of privacy and embrace of publicity.

Q: So you're saying privacy legislation is based on old views of technology?

Privacy legislation is almost always an exercise in nostalgia. It's always late. It's always a step behind. And it's an attempt to recapture a world that has slipped away.

Here's another example. By the time the Anti-Wiretap Act was enacted, it was already outmoded. Technology was already making it easy to record conversations, and trying to prevent that was an uphill battle. Now, of course, with cell phone cameras, any time something happens on the street, we've got three separate feeds, law or no law.

Q: Has this law been abused by the powerful too?

Yes, many of the arrests for violating the law against eavesdropping on conversations have actually been efforts to protect police officers. In many states, until the laws were overturned, you couldn't record a police officer going about his business. That makes it harder to monitor police behavior, but it has nothing to do with most people's expectation of privacy.

Q: But now it's a major issue in the European Union? Could privacy issues undermine the U.S. technological edge? Is data localization a danger?

I don't think so. Say you're a German. You absolutely insist on a German cloud provider. You can find one. But there will be a cost premium for that. And they won't be able to offer the same flexibility, scale, features and robustness that say, Amazon or Microsoft can.

Now if you're the same German and you want a server located in Germany, Amazon and Microsoft can handle that for you. If you're concerned about privacy or regulatory concerns, handle it at the front end. Put it in the Terms of Service.

Q: Have the privacy regulations dented the American competitive edge in technology?

No. In fact, American cloud providers have outpaced international competitors since the Snowden revelations. They're winning the race, despite European efforts to handicap them with special legal burdens.

Q: Can Silicon Valley handle it or is there a role for the United States in dealing with EU regulators?

The United States needs to push back as a government. Companies don't want to be responsible for national security and economic growth. That doesn't mean they won't do the right thing. They are American, but this isn't really their fight.

That's especially true now, with the GDPR, which creates staggering penalties. Billions for a single infraction. That's raised the stakes enormously. If you're a U.S. tech provider, the path of least resistance is keep the European regulators as happy as you can, no matter what the consequences are for U.S. national security.

Q: Have the hacks of the past summer – General Powell, Condoleezza Rice – affected perceptions of privacy?

No matter where you stand politically, people you respect got hacked: Podesta, Powell, Rice. People who laughed when Republican emails were hacked were outraged about Podesta.

People are responding in two ways. First, they are worrying more about security. They won't archive. They'll arrange to delete everything on a 90 day cycle. Things like that.

But they're also adjusting their assumptions about privacy. They are being more circumspect in email. In fact, that struck me about the Podesta emails. For all the hoopla, he was pretty cautious in what he wrote. People know that email isn't private, and they'll adjust their behavior.

Q: What are the two big developments you see in cyberlaw in the next 18 months or so?

Well, GDPR is a big one. I just don't see a scenario where it sails smoothly into law. For two decades now the United States has made unending concessions to Europe on privacy issues, but European negotiators are never satisfied. They keep selling us the same mule. The Trump Administration feels strongly about trade. They could easily say "we've given enough and got nothing in return. No more." So we could see a confrontation there.

The other issue is the Trump Administration's cyber security policy. They have said that they want the Department of Defense to take the lead. But they have not been clear what Defense is going to do. They've specified the driver, but not what he's going to do once he's behind the wheel. My suspicion is that you'll see greater emphasis on deterring China, North Korea and Iran; less attention may be paid to Russia. But we will have to see.

Q: Thank you for your time.

My pleasure.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
