The Lawfare Podcast – Lawfare Archive: Big Tech and Law Enforcement, with Lukas Bundonis

Date: November 16, 2025 (archived episode from August 9, 2024)
Host: Eugenia Daugherty (Lawfare Fellow, Technology Policy and Law)
Guest: Lukas Bundonis (Senior Privacy Engineer, Netflix; former Army Reserve Intelligence Officer)

Episode Overview

This episode takes a deep dive into the evolving and complex relationship between law enforcement agencies and big tech companies. Through a candid conversation with Lukas Bundonis—a senior privacy engineer with a military intelligence background—the discussion explores global differences in law enforcement data requests, how political climates and new legislation impact tech/legal operations, the persistent tug-of-war between privacy and surveillance, and the challenges posed by artificial intelligence and machine learning advancements. Importantly, the episode unpacks how tech companies are both intermediaries and gatekeepers, striving to protect user privacy while fulfilling legal obligations.

Key Discussion Points & Insights

1. Bundonis’ Role and Background

• Bridging tech and law:

  • Lukas acts as a "bridge" between software/data engineers and legal teams, specifically on law enforcement response, data portability, and privacy compliance.
  • "My day to day is mostly about being a bridge between engineers... and lawyers... answering requirements from legal about what to add to subject access requests or how to manage requests from customers or law enforcement about data." (05:21)

• Path into the Field:

  • Entered privacy engineering “by happy accident,” leveraging military intelligence and policy experience; there is no direct pathway into this space, especially as tech/legal needs are constantly evolving.
  • Emphasizes that in privacy engineering, you must know “a little bit about each category, but not be a first-line expert in any.”

2. How Tech Companies Navigate Law Enforcement Requests

• Data access tension:

  • Companies are required to build data portability and user control into products, in line with global laws (GDPR, CCPA, etc.).
  • Tension exists between user expectations for privacy and governments’ curiosity or demands for access.
  • "The tension arises when there's also...this access expectation among law enforcement and governments...These tech companies acting as functional intermediaries for this surveillance...It's more along the lines of we build our products to the best of our ability as...to make sure that customers have the most control." (09:54)

• Rejecting government requests:

  • Tech companies may reject law enforcement requests if they’re vague, lack necessary specificity, or come from countries viewed as not respecting rule of law.
  • There’s often public posturing, but cross-industry consensus on major principles.
  • "If a bit of legal process comes in and it's not specific enough... any sane tech company would outright reject the request or push back and say, you need to be more specific." (09:54)

3. Global Variations & Political Complexity

• Different responses for different countries:

  • U.S. and aligned democracies see higher compliance. China, Russia, and others are often stonewalled—requests are ignored due to fears of data misuse targeting dissidents.
  • Risk factors include corruption, fraud, political leadership changes, and the ability to pressure company staff physically present in-country.
  • "When requests come in from say China or Russia...they will just not align to the request." (14:53)

• Physical presence & government leverage:

  • Laws mandating in-country data storage or personnel increase government leverage and, by extension, the risk to staff and data.

4. International Law and Surveillance Treaties

• UN Cybercrime Convention concerns:
  • The wide scope and unspecific data protections could force overly broad collaboration, weakening user protections globally.
  • “Traffic data” (metadata) especially problematic; sharing telemetry doesn't always help investigations and risks “ambient” surveillance.
  • "This concept of traffic data...is really fascinating because a lot of times I don't know that...having every actor...having access to the same, like, telemetry...is actually going to speed up the investigation." (20:36)

5. U.S. Regulatory Developments

• Child Safety Legislation:

  • Bundonis expresses concern about “broad government vehicles” being used to target wide categories of online activity—not necessarily causing direct change in operations, but creating potential for overreach.

• FISA 702 Renewal:

  • Renewal seems necessary for intelligence operations, but “weird provisions” or backdoor inclusions create risk for privacy and risk expanding compelled surveillance.
  • Cross-border cases are his main concern, as protections often break down.
  • "The relationship that intelligence law has with companies...for now, let's say it's fraught. I don't...like the landscape. Especially...when it gets into...silly debates about encryption." (26:22)

6. Encryption and Law Enforcement Access

• The Encryption Debate:
  • Law enforcement views encryption as an obstacle, while privacy advocates see strong encryption as essential, especially for dissidents and marginalized groups.
  • Legislation demanding "exceptional access" without weakening security is viewed as unfeasible—sometimes policymakers misunderstand what’s technically possible.
  • "There was a piece of legislation...that basically said, you know, we want you to have a way to access that is proven to not weaken general protections...sometimes that technology doesn't exist." (35:48)
  • "Encryption exists for a reason...making both sides of the community work harder...has a benefit for everyone." (36:43)

7. Politicization and Communication Breakdown

• Politicized regulatory atmosphere:

  • Both left and right criticize (and sometimes pressure) tech companies, but often for different reasons.
  • Loss of trust and policy clarity risks undermining effective regulation—without close relationships, ill-informed policy may result.
  • "If they don't know how the products are made, they don't know what they're capable of...that lack of understanding is going to produce...silly and ineffective regulation." (39:29)

• Election impacts:

  • If Democrats win: Despite perceptions, meaningful, strong national policy is unlikely due to competing crises and tech industry dominance.
  • If Republicans win: Expect focus on culture war issues, selective tech regulation, and domestic issues.
  • "The companies are in the driver's seat. Like, I don't know how to emphasize that...enough." (43:31)

8. Artificial Intelligence and Machine Learning

• Relentless momentum:
  • Attempts by government (e.g., Brazil, EU) to block or slow AI deployment are likely to be temporary or circumvented; the drive for AI “super-intelligence” is outpacing potential regulation.
  • These advances create more data types and even more complex privacy risks.
  • "Nothing is stopping this train...there is this headlong fascination with birthing like super intelligence...nothing is going to change that headlong fascination." (48:45)

Notable Quotes & Memorable Moments

• On the current state of data protection:

  “When the news says it's a tough time out there for data protection, it is partially because of machine learning, partially because of a vague slide towards populism and authoritarianism in many parts of the world. It doesn't mean we should stop trying.”
  – Lukas Bundonis (04:40, repeated at 51:58)

• On policy-technology disconnect:

  “It's an interesting example of that disconnect or the lack of a bridge between policymakers and actual technologists because sometimes that technology doesn't exist.”
  – Isabella Royo (35:48)

• On the global regulatory arms race:

  “Even the people that work in safety and protection, they're getting fired or removed because they're getting concerned about data...It's going to be up to data protection professionals like us to give a crap about putting in the guardrails, because otherwise the development's going to continue unimpeded.”
  – Lukas Bundonis (48:45)

Timestamps for Key Segments

• [04:40] – State of data protection and Bundonis’ role
• [09:54] – Law enforcement-tech company relationships: balancing privacy, compliance, and access
• [14:53] – Global operations and why tech companies reject certain state requests
• [20:36] – UN cybercrime convention and data-sharing challenges
• [24:28] – Child safety bills and the risk of broad surveillance
• [26:22] – FISA 702 debate and the intricacies of compliance
• [31:53] – Encryption, lawful access, and impossibility of “magic keys”
• [39:29] – Rise of politicization, regulatory dynamics, and impact on intersector communication
• [43:31] – U.S. election outcomes and the future of tech regulation
• [48:45] – The unstoppable advancement of AI and its regulatory challenges
• [51:58] – Final thoughts and encouragement for privacy professionals

Conclusion

This episode offers a nuanced, inside look at how global tech companies contend with governmental pressure, legal obligations, and evolving technological realities like AI. The discussion is frank about the rising challenges—authoritarian clampdowns, regulatory ambiguity, impossible legislative demands on encryption, and the overwhelming pace of AI. Bundonis’s firsthand insights highlight both the persistent risks and admirable determination of privacy professionals to keep defending user rights in an increasingly complex world.

For more in-depth analysis and further reading, visit Lawfare’s website: www.lawfareblog.com