Friday, June 07, 2013

Sensationalizing Cyber Surveillance

As we adapt our laws to technology, we struggle to strike a balance between national security and privacy. As we do, we tend to thrash back and forth between extreme policies such as the Computer Fraud and Abuse Act of 1996 criminalizing researchers and hackers to the Patriot Act of 2001, criminalizing everyone else!

If we begin with first principles, I'd guess that as a society most of us would find the following to be a reasonable starting point for resolving this issue: in light of threats from criminals, terrorists and geopolitical rivals, our government agencies should conduct whatever surveillance they need to, so long as they do not violate our constitutional rights in any way. Chipping away at the Constitution is far more dangerous to us as a precedent than any external enemy. But once we establish that imperative, we want the FBI and NSA to do their jobs as well as they can, with all the tools at their disposal.

Unfortunately, many journalists, bloggers and other pundits prefer to stoke the fires of fear. Conspiracy theories, after all, are a time-proven way to increase clicks, grow one's twitter following, and sell books. Yesterday's report of Verizon's compliance with a court order to provide meta-data on phone calls, and today's allegations that NSA's PRISM program has had free rein on the data stores of the largest internet services, have presented just such a golden opportunity (e.g. BIG BROTHER IS HERE), and now the floodgates are open!

PRISM raises tough questions about the need for transparency in our government agencies, but it is unproductive to be reactionary and polarizing, since these qualities mask the best solutions. And there probably has never been a more prolific source of security and privacy solutions than my friend Bruce Schneier, whom I've backed as an entrepreneur, whose books I've read more than once, and whose words have guided me as an investor. But even Bruce slipped into sensationalism when he posted an article today on The Atlantic titled What We Don't Know About Spying on Citizens: Scarier Than What We Know.

Bruce compels the reader that we need better disclosure, but I believe he goes a bit too far in several respects. "The NSA received...everything except the voice content: who called who [sic], where they were, how long the call lasted," writes Bruce. But that seems inaccurate, since the NSA has not received any personally identifiable information of the callers. For that, they need a court order.

"We know [the FBI] can collect a wide array of personal data from the Internet without a warrant," but so can Google and thousands of other internet companies who track everything we do; should the FBI do any less? Bruce asserts that the FBI can use the microphone in our smartphones to bug a room, if they have a warrant; but why shouldn't the FBI use smartphones to effect a warranted bugging?

"We know that the NSA has many domestic-surveillance and data-mining programs with codenames like Trailblazer, Stellar Wind, and Ragtime," Bruce writes, "deliberately using different codenames for similar programs to stymie oversight and conceal what's really going on." But I cannot find any evidence that these codenames -- typical for all government projects -- were invented specifically to stymie oversight.

For a balanced view of the facts and issues, I recommend Joshua Foust's blog post, and I leave you with this conclusion from today's Washington Post editorial:
In the days after the Boston bombings, many asked why the government didn’t connect the dots on the Tsarnaev brothers. Now, many are asking why the government wants so much information about so many Americans. The legitimate values of liberty and safety often compete. But for the public to be able to make a reasonable assessment of whether these programs are worth the security benefits, it needs more explanation.

34 comments:

  1. You seem not to be aware of the "secret court" which issues those orders to the companies.

    Also, the Constitution is essentially a treatise on civilians defending themselves from the Government, not from Corporations. That is why we are not complaining of Googl et al. They never said they would not use our data for their purpoesea.

    ReplyDelete
    Replies
    1. Google and Facebook are the most successful CIA programs ever devised. Both Verizon and AT&T have their own Israeli companies that set up the programs and on site secret rooms that contain all the necessary equipment to splice into their fiber optic cables to copy all activity in 'real time' and store or pass on to NSA. I got this info from an article I read by Jon Rappaport at nomorefakenews.com. eaglebob

      Delete
  2. Anonymous6:38 AM

    "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety"

    ReplyDelete
    Replies
    1. Benjamin Franklin... yeah. Except he said, "purchase" not "give up" and he was talking about a tax payment issue in Pennsylvania not internet privacy.

      Delete
    2. Anonymous11:16 PM

      actually, purchase is in the place of obtain in many references to this phrase. Not in the place of give up or surrender.

      The construction I prefer juxtaposes surrendering liberty to purchase security, because it adumbrates the concession of defeat inherent in the price.

      Delete
    3. Anonymous12:42 AM

      Sometimes quotes from past centuries, like right to bring firearms to enforce citizen's rights, are ridiculed, some others are praised as immutable truth written in the stone.
      All boils down to: how much we feel citizens rather than captives, and how far are we capable to go to build a fair society?

      Delete
  3. Anonymous9:07 AM

    "Unfortunately, many journalists, bloggers and other pundits prefer to stoke the fires of fear." You're right, they (and you) are stoking the fires of fear of . Terrorism, cybercrime, etc. These are the unwarranted fears that drive people to allow this erosion of our privacy. If people believe these agencies could have or would have done anything differently for the Boston attack if they had been capable of more surveillance, they're kidding themselves.

    ReplyDelete
    Replies
    1. So you're saying that surveillance doesn't actually work to stop attacks? That is incorrect. I agree with you and others that the public needs more visibility, even if the data are held for some period of time to facilitate law enforcement.

      Delete
    2. Do you have any proof that massive pervasive surveillance stops any more attacks than ordinary, transparent, (not-secret)court-sanctioned surveillance?

      The Boston Bombers were not picked up by the NSA.

      Delete
    3. Anonymous8:48 AM

      "So you're saying that surveillance doesn't actually work to stop attacks? That is incorrect".

      Ah. It is incorrect, because ... you say so? Unfortunately there are loads of documented cases where "terrorists" where not stopped despite lots of surveillance. And it does not work as a deterrence either. Terrorists are away that they might be tracked, and they still carry out their attacks.

      Delete
  4. if they have a warrant; but why shouldn't the FBI use smartphones to effect a warranted bugging

    Two words "secret court". Two more words: "rubber stamp". That's why Bruce is not sensationalizing at all, but is actually dead to rights on this. I appreciate your call to be level headed and reasonable, but sometimes outrage is called for, and I believe this is the time.

    ReplyDelete
    Replies
    1. I agree test at some point the secret court orders should be declassified for public scrutiny. Having said that I'm not sure I would want my data publicized for public scrutiny...

      Delete
  5. Anonymous10:01 AM

    "since the NSA has not received any personally identifiable information of the callers"

    Location meta-data for phone calls should be enough to identify most people within a few calls (as soon as they answer a call while at home). But that is going the hard route - they have the phone number. All they need do is make a call and use a little social engineering (assuming you don't just give your name when you answer the call and you don't include your name on your voice-mail message).

    ReplyDelete
    Replies
    1. So that's your concern, that NSA will do social engineering to identify you? If NSA wanted to "cheat" they could steal the data in much more scalable ways.

      Delete
    2. I would assume that the TLAs *already* have my name associated with my phone numbers. If you were a "bad guy", wouldn't you?

      Delete
  6. Anonymous10:12 AM

    When talking about Bruce and what he said, you mention getting a court order. Lemme ask you something, and please don't respond. If a police officer comes to your house and knocks on the door, and out of suprise, considering you weren't expecting anyone, you turn around, with a glass in your hand, and hit the wall and drop the glass. That officer hears a glass crashing, and hears you yelling and cursing because your hand hurts. Do you really think that police officer is going to leave your house to try to get a court order? No, he is going to kick in your door, wave a gun in your face, throw you on the ground, and then investigate what happended, to find nothing wrong at all. Then he is going to arrest you for disturbing the peace. Now you might find this story extremely exaggerated, however this happens everyday all over the country, and it happens because when given power, the only right decision is the decision made by those whose have power. Now, let me ask you, do you REALLY think that NSA is going to get a court order to sweep through all this information, when they're constructing a monitoring station in the Utah desert? They are the government, they aren't going to ask for permission, they aren't going warn us, nor are they going to give a s%*t.

    ReplyDelete
    Replies
    1. Ok, as you asked I won't respond.

      Delete
    2. Anonymous5:38 PM

      Good job there.

      Delete
  7. Anonymous10:17 AM

    You're a douche for putting [sic] after "who". "Whom" is functionally dead in modern English, one of the last hold-outs of the case-marking system which died out in the 1500s. Also, your essay is silly and wrong, but I'm more concerned with the linguistic wrongness.

    ReplyDelete
    Replies
    1. Agreed, grammar is irrelevant, but I cannot help it.

      Delete
  8. "Unfortunately, many journalists, bloggers and other pundits prefer to stoke the fires of fear."
    You do the exact same thing in order to justify the surveillance by saying:
    "in light of threats from criminals, terrorists and geopolitical rivals, our government agencies should conduct whatever surveillance they need."
    If this were true, it may be ok. But the NSA is doing it in secret and the government won't let any of the secrets out to justify itself. That is criminal.
    I am a verizon customer at the moment. My metadata may be being collected even though I am not a terrorist. That is also criminal.

    ReplyDelete
    Replies
    1. When you say it's criminal, please explain the crime. What law is violated?

      Delete
    2. I think some folks are missing the point and that is that the NSA is obtaining enough private communications from average 'Joe Blow' citizens to create a sizeable haystack from which to find 'the needle' and to further demonstrate their self appointed powers over all American citizens. Both Verizon and AT&T obtained individual Israeli companies to set up secret equipment rooms on site to splice into their fiber optic cables in order to obtain all data for use by NSA and other clients . I received this information from an article written yesterday by Jon Rappaport at nomorefakenews.com. He brings up some interesting questions regarding this 29 year old young man who apparently broke both legs in an Army training excersize and was discharged rather than rehabed and kept on duty. He apparently did not graduate from high school but was still accepted into the military and within a period of less than 10 years holds a job with the NSA paying $200K. That confuses me and I'm a reasonably intelligent man. I did watch the lnterview with this whistle blower and he seemed to be a thoughtful and intelligent person and I did like his reason for coming forward. But I'm still left with the idea that something just does't add up about the whole scenario. Does anybody else feel

      Delete
  9. I was initially under the impression that this was a response to Bruce's article, but after reading both it seems that your response ignores a major point made in the Atlantic piece. Whether or not you think that the media is sensationalizing this NSA offense (definitely a possibility), you fail to address Bruce's main point: Whistleblowers should not be persecuted as criminals and are in fact necessary power-checks to an increasingly unchecked gov't.

    Wanted to hear your take on that, and whether or not you think Snowden was justified/unjustified/an american hero.

    ReplyDelete
    Replies
    1. Anonymous5:41 PM

      You are totally right, but I don't think there's a snowball's chance in hell he'll answer this one, bro. Unless it's to discredit my or your response. He didn't cover that on purpose.

      Delete
    2. I did reply, but I forgot to nest it in this thread. See my reply a few comments down...

      Delete
  10. Anonymous5:07 PM

    '"We know [the FBI] can collect a wide array of personal data from the Internet without a warrant," but so can Google and thousands of other internet companies who track everything we do; should the FBI do any less?'

    Because people give their data to Google. They give it because in some ways, it benefits them, they get a good service in exchange. Most importantly, it's their choice to do so - they can opt out and delete their Google account at any time. People don't give their information to the NSA - they take it. As for the involuntary, hard to opt out of ad-tracking that Google and their like do, that *should* be illegal in my book.

    Most importantly, you present the trade-off "between national security and privacy" without talking about the efficacy of dragnet surveillance at all. The terrorist and pedophile bogeymen are continually trotted out us justification for these expansive powers, without providing sufficient evidence that they are actually effective at preventing these crimes. It's akin to DRM for society - it only hurts honest citizens, and isn't effective at stopping the bad guys. Think about it, if you were a terrorist, would you email your master plan in cleartext from an email account with your real name attached to it?

    ReplyDelete
    Replies
    1. You are right that Google gives us a service. I should have used Experian and TRW as examples instead, or any one of the advertising networks we've never heard of that cookie us. Experian collects whatever they can about us - without a warrant - and then sells the data! Why shouldn't our law enforcement and counter-terrorism agencies be able to do the same thing? How stupid they would be to ignore the internet as a data source.

      Delete
    2. David,

      Yes all the TLAs should be able to collect the data...but in the open and with the public's full knowledge and cooperation and understanding. It's the supposed secrets that are wrong. If I were a "bad guy" then I would assume that the NSA is watching. If the government's entire security plan demands that it be kept secret, then it's a flawed plan.

      And to claim that the national security is greatly harmed is also overblown. The only people that didn't know the NSA was watching was the people the NSA was spying on.

      Delete
    3. Well reading your own sentences for logic is not one of my skills.

      My last sentence should read:

      The only people that didn't know the NSA was watching was the *US citizens*.

      Delete
  11. Anonymous8:57 PM

    Australian citizen here. Why isn't my privacy protected by your constitution?

    ReplyDelete
  12. Jake,

    You are right - I did not address Bruce's main point at all. My point was not necessarily to disagree with Bruce but to call for a little but more balance. Honestly, I do not know whether to think that Snowden should be protected as a whistle-blower because I cannot tell whether he was exposing evidence of a crime. Normally, it's a lot more clear that whistleblowers are actually reporting criminal behavior!

    Most or all of the commenters here, who are visiting from Bruce's excellent site Schneier on Security, seem to believe that it is wrong, criminal or unconstitutional for the federal government to keep any secrets about anyone, and that anyone who exposes government secrets is therefore a hero. But I can see why I would want some government agencies to keep secrets, at least for some period of time, which means that there should be legal consequences for people who leak that information. My initial impression is that as much as I admire Snowden for his principles, I think that he, not Verizon, committed a crime.

    Today, a lawsuit was filed against Verizon, NSA and Obama charging them with unconstitutional conduct. Even if the lawsuit prevails, it's not clear that anyone committed a crime, since a federal court did issue the warrant. But if the FISA court is declared unconstitutional, then I can see why Snowden should ultimately be exonerated and perhaps protected as a whistleblower.

    So I don't see how to pre-judge a question that needs to be debated in a court of law and decided based on evidence that is still being gathered. Automatically jumping to Snowden's defense now strikes me as dogmatic.

    Thanks,
    David

    ReplyDelete
    Replies
    1. Anonymous3:26 AM

      You are _technically_ correct: it is not clear that any law was violated. I claim this is irrelevant. Here's why. You say "I would want some government agencies to keep secrets, at least for some period of time". I agree. But not ARBITRARY secrets. There exist things that any self-respecting democracy must keep public. Here's an example that should not be controversial: rules that decide how elections get decided, including what to do in case of ties. Here's another: people must know not only what's illegal, but what the penalties are. (Otherwise you find out one day that you got the death penalty for jay walking.) I claim that if, as a democracy, we decide that the government is allowed to collect data about everyone from phone companies, then so be it, though I think it's a bad idea. BUT, it is NOT OKAY for some government agency to collect such data in secret.

      Delete
    2. That makes sense. I think I agree and I would like to see more transparency as well. Having said that, what you are prescribing is not captured in the law today, which makes Snowden the criminal, not Verizon or NSA.

      Delete