It may seem as if I am contradicting myself. On one hand, I am advocating for individual privacy over forced surveillance. On the other, I am advocating for government and corporate transparency over institutional secrecy. The reason I say yes to both lies in the existing power imbalance between people and institutions. Institutions naturally wield more power than people. Institutional secrecy increases institutional power, and that power differential grows. That’s inherently bad for personal liberty. Individual privacy increases individual power, thereby reducing that power differential. That’s good for liberty. It’s exactly the same with transparency and surveillance. Institutional transparency reduces the power imbalance, and that’s good. Institutional surveillance of individuals increases the power imbalance, and that’s bad.
Transparency doesn’t come easily. The powerful do not like to be watched. For example, the police are increasingly averse to being monitored. All over the US, police harass and prosecute people who videotape them, and some jurisdictions have ruled it illegal. Cops in Chicago have deliberately obscured cameras, apparently attempting to conceal their own behavior. The San Diego Police Department denies all requests for police videos, claiming that they’re part of ongoing investigations. During the 2014 protests in Ferguson, Missouri, after the police killed an unarmed black man, police routinely prevented protesters from recording them, and several reporters were arrested for documenting events. Los Angeles police even went so far as to sabotage court-mandated voice recorders in their patrol cars.
Governments and corporations routinely resist transparency laws of all kinds. But the world of secrecy is changing. Privacy-law scholar Peter Swire writes about a declining half-life of secrets. What he observed is that, in general, secrets get exposed sooner than they used to. Technology is making secrets harder to keep, and the nature of the Internet makes secrets much harder to keep long-term. The push of a “send” button can deliver gigabytes across the Internet in a trice. A single thumb drive can hold more data every year. Both governments and organizations need to assume that their secrets are more likely to be exposed, and sooner, than ever before.
One of the effects of a shrinking half-life for secrets is that their disclosure is more damaging. One of Snowden’s documents indicated that the NSA spied on the cell phone of German chancellor Angela Merkel. The document is undated, but it’s obviously from the last few years. If that document had become public 20 years from now, the reaction in Germany would have been very different from the public uproar that occurred in 2013, when Merkel was still in office and the incident was current events rather than historical.
Cultural changes are also making secrets harder to keep. In the old days, guarding institutional secrets was part of a lifelong culture. The intelligence community would recruit people early in their careers and give them jobs for life. It was a private men’s club, one filled with code words and secret knowledge. The corporate world, too, was filled with lifers. Those days are gone. Many jobs in intelligence are now outsourced, and there is no job-for-life culture in the corporate world anymore. Workforces are flexible, jobs are outsourced, and people are expendable. Moving from employer to employer is now the norm. This means that secrets are shared with more people, and those people care less about them. Recall that five million people in the US have a security clearance, and that a majority of them are contractors rather than government employees.
There is also a greater belief in the value of openness, especially among younger people. Younger people are much more comfortable with sharing personal information than their elders. They believe that information wants to be free, and that security comes from public knowledge and debate. They have said very personal things online, and have had embarrassing photographs of themselves posted on social networking sites. They have been dumped by lovers in public online forums. They have overshared in the most compromising ways—and they survived intact. It is a tougher sell convincing this crowd that government secrecy trumps the public’s right to know.
These technological and social trends are a good thing. Whenever possible, we should strive for transparency.
OVERSIGHT AND ACCOUNTABILITY
In order for most societies to function, people must give others power over themselves. Ceding power is an inherently risky thing to do, and over the millennia we have developed a framework for protecting ourselves even as we do this: transparency, oversight, and accountability. If we know how people are using the power we give them, if we can assure ourselves that they’re not abusing it, and if we can punish them if they do, then we can more safely entrust them with power. This is the fundamental social contract of a democracy.
There are two levels of oversight. The first is strategic: are the rules we’re imposing the correct ones? For example, the NSA can implement its own procedures to ensure that it’s following the rules, but it should not get to decide what rules it should follow. This was nicely explained by former NSA director Michael Hayden: “Give me the box you will allow me to operate in. I’m going to play to the very edges of that box. . . . You, the American people, through your elected representatives, give me the field of play and I will play very aggressively in it.” In one sense he’s right; it’s not his job to make the rules. But in another he’s wrong, and I’ll talk about that in Chapter 13.
In either case, we need to get much better at strategic oversight. We need more open debate about what limitations should be placed on government and government surveillance. We need legislatures conducting meaningful oversight and developing forward-looking responses. We also need open, independent courts enforcing laws rather than rubber-stamping agency practices, routine reporting of government actions, vibrant public-sector press and watchdog groups analyzing and debating the actions of those who wield power, and—yes—a legal framework for whistleblowing. And a public that cares. I’ll talk about that in Chapter 13, too.
The other kind of oversight is tactical: are the rules being followed? Mechanisms for this kind of oversight include procedures, audits, approvals, troubleshooting protocols, and so on. The NSA, for example, trains its analysts in the regulations governing their work, audits systems to ensure that those regulations are actually followed, and has instituted reporting and disciplinary procedures for occasions when they’re not.
Different organizations provide tactical oversight of one another. The warrant process is an example of this. Sure, we could trust the police forces to only conduct searches when they’re supposed to, but instead we require them to bring their requests before a neutral third party—a judge—who ensures they’re following the rules before issuing a court order.
The key to robust oversight is independence. This is why we’re always suspicious of internal reviews, even when they are conducted by a vigorous advocate. This was a key issue with the chief privacy officer at the DHS. I remember Mary Ellen Callahan, who held that job from 2009 to 2012. She was a great advocate for privacy, and recommended that the agency cancel several programs because of privacy concerns. But she reported to Janet Napolitano, the DHS secretary, and all she could do was make suggestions. If Callahan had been outside of DHS, she would have had more formal regulatory powers. Oversight is much better conducted by well-staffed and knowledgeable outside evaluators.
You can think of the difference between tactical and strategic oversight as the difference between doing things right and doing the right things. Both are required.
Neither kind of oversight works without accountability. Those entrusted with power can’t be free to abuse it with impunity; there must be penalties for abuse. Oversight without accountability means that nothing changes, as we’ve learned again and again. Or, as risk analyst Nassim Taleb points out, organizations are less likely to abuse their power when people have skin in the game.
It’s easy to say “transparency, oversight, and accountability,” but much harder to make those principles work in practice. Still, we have to try—and I’ll get to how to do that in the next chapter. These three things g
ive us the confidence to trust powerful institutions. If we’re going to give them power over us, we need reassurance that they will act in our interests and not abuse that power.
RESILIENT DESIGN
Designing for resilience is an important, almost philosophical, principle in systems architecture. Technological solutions are often presumed to be perfect. Yet, as we all know, perfection is impossible—people, organizations, and systems are inherently flawed. From government agencies to large multinational corporations, all organizations suffer imperfections.
These imperfections aren’t just the result of bad actors inside otherwise good systems. Imperfections can be mundane, run-of-the-mill, bureaucratic drift. One form of imperfection is mission creep. Another comes from people inside organizations focusing on the narrow needs of that organization and not on the broader implications of their actions. Imperfections also come from social change: changes in our values over time. Advancing technology adds new perturbations into existing systems, creating instabilities.
If systemic imperfections are inevitable, we have to accept them—in laws, in government institutions, in corporations, in individuals, in society. We have to design systems that expect them and can work despite them. If something is going to fail or break, we need it to fail in a predictable way. That’s resilience.
In systems design, resilience comes from a combination of elements: fault-tolerance, mitigation, redundancy, adaptability, recoverability, and survivability. It’s what we need in the complex and ever-changing threat landscape I’ve described in this book.
I am advocating for several flavors of resilience for both our systems of surveillance and our systems that control surveillance: resilience to hardware and software failure, resilience to technological innovation, resilience to political change, and resilience to coercion. An architecture of security provides resilience to changing political whims that might legitimize political surveillance. Multiple overlapping authorities provide resilience to coercive pressures. Properly written laws provide resilience to changing technological capabilities. Liberty provides resilience to authoritarianism. Of course, full resilience against any of these things, let alone all of them, is impossible. But we must do as well as we can, even to the point of assuming imperfections in our resilience.
ONE WORLD, ONE NETWORK, ONE ANSWER
Much of the current surveillance debate in the US is over the NSA’s authority, and whether limiting the NSA somehow empowers others. That’s the wrong debate. We don’t get to choose a world in which the Chinese, Russians, and Israelis will stop spying if the NSA does. What we have to decide is whether we want to develop an information infrastructure that is vulnerable to all attackers, or one that is secure for all users.
Since its formation in 1952, the NSA has been entrusted with dual missions. First, signals intelligence, or SIGINT, involved intercepting the communications of America’s enemies. Second, communications security, or COMSEC, involved protecting American military—and some government—communications from interception. It made sense to combine these two missions, because knowledge about how to eavesdrop is necessary to protect yourself from eavesdropping, and vice versa.
The two missions were complementary because different countries used different communications systems, and military personnel and civilians used different ones as well. But as I described in Chapter 5, that world is gone. Today, the NSA’s two missions are in conflict.
Laws might determine what methods of surveillance are legal, but technologies determine which are possible. When we consider what security technologies we should implement, we can’t just look at our own countries. We have to look at the world.
We cannot simultaneously weaken the enemy’s networks while still protecting our own. The same vulnerabilities used by intelligence agencies to spy on each other are used by criminals to steal your financial passwords. Because we all use the same products, technologies, protocols, and standards, we either make it easier for everyone to spy on everyone, or harder for anyone to spy on anyone. It’s liberty versus control, and we all rise and fall together. Jack Goldsmith, a Harvard law professor and former assistant attorney general under George W. Bush, wrote, “every offensive weapon is a (potential) chink in our defense—and vice versa.”
For example, the US CALEA law requires telephone switches to enable eavesdropping. We might be okay with giving police in the US that capability, because we generally trust the judicial warrant process and assume that the police won’t abuse their authority. But those telephone switches are sold worldwide—remember the story about cell phone wiretapping in Greece in Chapter 11—with that same technical eavesdropping capability. It’s our choice: either everyone gets that capability, or no one does.
It’s the same with IMSI-catchers that intercept cell phone calls and metadata. StingRay might have been the FBI’s secret, but the technology isn’t secret anymore. There are dozens of these devices scattered around Washington, DC, and the rest of the country run by who-knows-what government or organization. Criminal uses are next. By ensuring that the cell phone network is vulnerable to these devices so we can use them to solve crimes, we necessarily allow foreign governments and criminals to use them against us.
I gave more examples in Chapter 11. In general, we get to decide how we’re going to build our communications infrastructure: for security or not, for surveillance or not, for privacy or not, for resilience or not. And then everyone gets to use that infrastructure.
13
Solutions for Government
In the wake of Snowden’s disclosures about NSA surveillance, there has been no shortage of recommendations on how to reform national intelligence. In 2013, President Obama set up a review commission on surveillance and national intelligence; that commission came up with 46 NSA policy recommendations. In 2014, 500 organizations, experts, and officials worldwide, including me, signed the International Principles on the Application of Human Rights to Communications Surveillance, often called the “Necessary and Proportionate” principles. The US Congress has debated several bills offering minor reforms; one or two might have passed by the time you read this.
In this chapter, I look at both national security and law enforcement, and make general policy recommendations, rather than detailed legislative prescriptions. Some of these are easily doable, and others are more aspirational. All of them are where I think government needs to go in the long term.
I am not arguing that governments should never be allowed to conduct surveillance or sabotage. We already give the police broad powers to invade citizens’ privacy and access our data. We do this knowingly—and willingly—because it helps to solve crimes, which in turn makes us safer. The trick is to give government agencies this power without giving them the ability to abuse it. We need the security provided by government as well as security from government. This is what documents like the US Constitution and the European Charter try to do, it’s what the warrant process does, and it’s what fell out of balance in our mad scramble for security against terrorists after the 9/11 attacks.
International Principles on the Application of Human Rights to Communications Surveillance—Summary (2014)
LEGALITY: Limits on the right to privacy must be set out clearly and precisely in laws, and should be regularly reviewed to make sure privacy protections keep up with rapid technological changes.
LEGITIMATE AIM: Communications surveillance should only be permitted in pursuit of the most important state objectives.
NECESSITY: The State has the obligation to prove that its communications surveillance activities are necessary to achieving a legitimate objective.
ADEQUACY: A communications surveillance mechanism must be effective in achieving its legitimate objective.
PROPORTIONALITY: Communications surveillance should be regarded as a highly intrusive act that interferes with the rights to privacy and freedom of opinion and expression, threatening the foundations of a democratic society. Proportionate communications surveillance
will typically require prior authorization from a competent judicial authority.
COMPETENT JUDICIAL AUTHORITY: Determinations related to communications surveillance must be made by a competent judicial authority that is impartial and independent.
DUE PROCESS: Due process requires that any interference with human rights is governed by lawful procedures which are publicly available and applied consistently in a fair and public hearing.
USER NOTIFICATION: Individuals should be notified of a decision authorizing surveillance of their communications. Except when a competent judicial authority finds that notice will harm an investigation, individuals should be provided an opportunity to challenge such surveillance before it occurs.
TRANSPARENCY: The government has an obligation to make enough information publicly available so that the general public can understand the scope and nature of its surveillance activities. The government should not generally prevent service providers from publishing details on the scope and nature of their own surveillance-related dealings with State.
PUBLIC OVERSIGHT: States should establish independent oversight mechanisms to ensure transparency and accountability of communications surveillance. Oversight mechanisms should have the authority to access all potentially relevant information about State actions.
INTEGRITY OF COMMUNICATIONS AND SYSTEMS: Service providers or hardware or software vendors should not be compelled to build surveillance capabilities or backdoors into their systems or to collect or retain particular information purely for State surveillance purposes.
Data and Goliath Page 18