Data and Goliath


by Bruce Schneier


  We need to recognize: Susan Landau (2011), Surveillance or Security? The Risks Posed by New Wiretapping Technologies, MIT Press, http://mitpress.mit.edu/books/surveillance-or-security.

  Tor is an excellent example: Electronic Frontier Foundation (28 Nov 2012), “How to help protect your online anonymity using Tor,” https://www.eff.org/sites/default/files/filenode/Basic_Tor_Intro_Guide_FNL.pdf.

  the NSA is continually trying: Everyone else is too, of course. Roger Dingledine (30 Jul 2014), “Tor security advisory: ‘Relay early’ traffic confirmation attack,” Tor Project Blog, https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack.

  has been unsuccessful: US National Security Agency (8 Jan 2007), “Tor Stinks,” http://cryptome.org/2013/10/nsa-tor-stinks.pdf.

  the FBI was hacking into: Kevin Poulsen (5 Aug 2014), “Visit the wrong website and the FBI could end up in your computer,” Wired, http://www.wired.com/2014/08/operation_torpedo.

  both the NSA and the GCHQ: Leo Kelion (22 Aug 2014), “NSA and GCHQ agents ‘leak Tor bugs,’ alleges developer,” BBC News, http://www.bbc.com/news/technology-28886462.

  Governments have always spied: Anthony Zurcher (31 Oct 2013), “Roman Empire to the NSA: A world history of government spying,” BBC News, http://www.bbc.com/news/magazine-24749166.

  spy stories in the Old Testament: John M. Cardwell (Winter 1978), “A Bible lesson on spying,” Studies in Intelligence, http://southerncrossreview.org/44/cia-bible.htm.

  We don’t (yet) design: There is an important and complicated discussion that needs to happen about the relative risks of terrorism, and how much damage terrorists can do with the technologies available to them, but it is beyond the scope of this book. Bruce Schneier (14 Mar 2013), “Our security models will never work—no matter what we do,” Wired, http://www.wired.com/2013/03/security-when-the-bad-guys-have-technology-too-how-do-we-survive.

  both corporations and governments: Of course, the process of trusting is far less rational than that. Bruce Schneier (2012), Liars and Outliers: Enabling the Trust That Society Needs to Thrive, Wiley, http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118143302.html.

  too much information is exempted: Isolated bubbles of secrecy are always required in any organization, so that people within the organization can do their job properly: votes in a tenure committee, or deliberations preceding a controversial decision. Making things like this transparent can suppress some of the independence of the decision-making process. Deciders will be more concerned about how their decision processes will look to outsiders than they will be with making a good decision.

  we cannot judge the fairness: Adrian J. Lee and Sheldon H. Jacobson (May 2012), “Addressing passenger risk uncertainty for aviation security screening,” Transportation Science 46, http://pubsonline.informs.org/doi/abs/10.1287/trsc.1110.0384. Susan Stellin (21 Oct 2013), “Security check now starts long before you fly,” New York Times, http://www.nytimes.com/2013/10/22/business/security-check-now-starts-long-before-you-fly.html. Alissa Wickham (7 Mar 2014), “TSA halts program to screen passengers’ online data,” Law 360, http://www.law360.com/articles/516452/tsa-halts-program-to-screen-passengers-online-data.

  the IRS’s algorithms: Amber Torrey (Apr 2008), “The discriminant analysis used by the IRS to predict profitable individual tax return audits,” Bryant University, http://digitalcommons.bryant.edu/cgi/viewcontent.cgi?article=1000&context=honors_mathematics.

  the existing power imbalance: This is the problem with David Brin’s transparent society: transparency is not value-free. When a police officer demands to see your ID, your being able to see his ID doesn’t balance things out. David Brin (1998), The Transparent Society: Will Technology Force Us to Choose between Privacy and Freedom? Basic Books, http://www.davidbrin.com/transparentsociety1.html.

  the same with transparency and surveillance: Iceland’s Pirate Party (yes, it’s a real political party) put it extremely well in 2014: “The individual’s right to privacy means protecting the powerless from the abuse of the more powerful, and transparency means opening the powerful to the supervision of the powerless.” Paul Fontaine (19 Aug 2014), “Prime Minister learns what ‘transparency’ means,” Grapevine, http://grapevine.is/news/2014/08/19/prime-minister-learns-what-transparency-means.

  Institutional transparency reduces: There are, of course, exceptions to this rule. There is value in ankle monitors for people convicted of crimes, even though that reduces the power of the criminals being monitored.

  Transparency doesn’t come easily: Peter Watts (9 May 2014), “The scorched earth society: A suicide bomber’s guide to online privacy,” Symposium of the International Association of Privacy Professionals, Toronto, Ontario, http://www.rifters.com/real/shorts/TheScorchedEarthSociety-transcript.pdf.

  police harass and prosecute: Ray Sanchez (19 Jul 2010), “Growing number of prosecutions for videotaping the police,” ABC News, http://abcnews.go.com/US/TheLaw/videotaping-cops-arrest/story?id=11179076.

  some jurisdictions have: Those laws are unconstitutional. Kathryn Marchocki (25 May 2014), “Court rules Free State project president had right to film Weare police during a traffic stop,” New Hampshire Union Leader, http://www.unionleader.com/apps/pbcs.dll/article?AID=/20140525/NEWS07/140529379.

  Cops in Chicago have: David Lepeska (27 Dec 2011), “When police abuse surveillance cameras,” CityLab, http://www.citylab.com/politics/2011/12/surveillance-cameras-threat-police-privacy/806.

  San Diego Police Department: Sara Libby (18 Aug 2014), “Even when police do wear cameras, don’t count on seeing the footage,” CityLab, http://www.citylab.com/crime/2014/08/even-when-police-do-wear-cameras-you-cant-count-on-ever-seeing-the-footage/378690.

  police routinely prevented protesters: Chris Matyszczyk (14 Aug 2014), “Ferguson, Mo., unrest tests legal right to film police,” CNET, http://www.cnet.com/news/ferguson-unrest-tests-legal-right-to-film-police. Hillel Italie (19 Aug 2014), “Ferguson arrests include at least 10 journalists,” Associated Press, http://abcnews.go.com/Entertainment/wireStory/ferguson-arrests-include-10-journalists-25044845.

  Los Angeles police even: Cyrus Farivar (8 Apr 2014), “LAPD officers monkey-wrenched cop-monitoring gear in patrol cars,” Ars Technica, http://arstechnica.com/tech-policy/2014/04/lapd-officers-monkey-wrenched-cop-monitoring-gear-in-patrol-cars.

  declining half-life of secrets: Peter Swire (5–6 Jun 2014), “The declining half-life of secrets and the future of signals intelligence,” 7th Privacy Law Scholars Conference, Washington, D.C., http://www.law.berkeley.edu/plsc.htm.

  the NSA spied on the cell phone: Jacob Appelbaum et al. (23 Oct 2013), “Berlin complains: Did US tap Chancellor Merkel’s mobile phone?” Der Spiegel, http://www.spiegel.de/international/world/merkel-calls-obama-over-suspicions-us-tapped-her-mobile-phone-a-929642.html. Ian Traynor, Philip Oltermann, and Paul Lewis (23 Oct 2013), “Angela Merkel’s call to Obama: Are you bugging my mobile phone?” Guardian, http://www.theguardian.com/world/2013/oct/23/us-monitored-angela-merkel-german.

  It was a private men’s club: This excellent book on Soviet spy Kim Philby talks about the clubbiness in spy agencies. Ben Macintyre (2014), A Spy among Friends: Kim Philby and the Great Betrayal, Crown, http://books.google.com/books?id=wIzIAgAAQBAJ.

  Moving from employer to employer: Charles Stross (18 Aug 2013), “Spy kids,” Foreign Policy, http://www.foreignpolicy.com/articles/2013/08/28/spy_kids_nsa_surveillance_next_generation.

  Recall that five million: US Office of Management and Budget (Feb 2014), “Suitability and security processes review,” http://www.fas.org/sgp/othergov/omb/suitsec-2014.pdf.

  Younger people are much more comfortable: USC Annenberg School for Communication and Journalism (22 Apr 2013), “Is online privacy over? Findings from the USC Annenberg Center for the Digital Future show millennials embrace a new online reality,” USC Annenberg News, http://annenberg.usc.edu/News%20and%20Events/News/130422CDF_Millennials.aspx. Mary Madden et al. (21 May 2013), “Teens, social media, and privacy,” Pew Research Internet Project, http://www.pewinternet.org/files/2013/05/PIP_TeensSocialMediaandPrivacy_PDF.pdf.

  tougher sell convincing this crowd: To be fair, we don’t know whether this is a substantive difference between this generation and older generations, or whether this is a simple age-cohort effect that will change as they get older and have more secrets that matter.

  we should strive for transparency: I think of institutional secrecy rather like chemotherapy. Yes, the cancer treatment would kill the patient slowly, but it kills the cancer cells faster, and is therefore a net benefit. If we could find an effective cancer treatment that wasn’t so toxic, we would dump chemo in a minute. Anytime we can find a less harmful substitute for institutional secrecy, we should use it.

  This was nicely explained: Charlie Rose, Inc. (29 Jul 2013), “General Michael Hayden, former director of the NSA and the CIA and principal with the Chertoff Group,” The Charlie Rose Show, http://www.charlierose.com/watch/60247615.

  organizations are less likely: Nassim Nicholas Taleb and Constantine Sandis (1 Oct 2013), “The skin in the game heuristic for protection against tail events,” Review of Behavioral Economics 1, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2298292.

  Advancing technology adds: Any complex system that is both nonlinear and tightly coupled will have catastrophic failures. Charles Perrow (1984), Normal Accidents: Living with High-Risk Technologies, Princeton University Press, https://encrypted.google.com/books?id=VC5hYoMw4N0C.

  If systemic imperfections: Supposedly it’s therapeutic to think this way. Kevin Griffin (23 Sep 2011), “Step 9 of Buddhist addiction recovery: The freedom of imperfection,” Huffington Post, http://www.huffingtonpost.com/kevin-griffin/buddhist-addiction-recovery-step-9_b_958708.html.

  If something is going to fail: Yacov Y. Haimes (Apr 2009), “On the definition of resilience in systems,” Risk Analysis: An International Journal 29, http://onlinelibrary.wiley.com/doi/10.1111/j.1539-6924.2009.01216.x/abstract.

  resilience comes from: Jesse Robbins et al. (Nov 2012), “Resilience engineering: Learning to embrace failure,” Communications of the ACM 55, http://queue.acm.org/detail.cfm?id=2371297.

  I am advocating for: Some ideas are here. Warigia Bowman and L. Jean Camp (Apr 2013), “Protecting the Internet from dictators: Technical and policy solutions to ensure online freedoms,” Innovation Journal 18, http://www.innovation.cc/scholarly-style/warigia_camp_bowman5edits18vi1a3.pdf.

  the NSA has been entrusted: James Bamford (2002), Body of Secrets: Anatomy of the Ultra-Secret National Security Agency, Anchor, http://www.randomhouse.com/features/bamford/author.html.

  Jack Goldsmith, a Harvard law: Jack Goldsmith (12 Apr 2014), “Cyber paradox: Every offensive weapon is a (potential) chink in our defense—and vice versa,” Lawfare, http://www.lawfareblog.com/2014/04/cyber-paradox-every-offensive-weapon-is-a-potential-chink-in-our-defense-and-vice-versa.

  StingRay might have been: Stephanie K. Pell and Christopher Soghoian (15 May 2014), “Your secret Stingray’s no secret anymore: The vanishing government monopoly over cell phone surveillance and its impact on national security and consumer privacy,” Harvard Journal of Law and Technology (forthcoming), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2437678.

  dozens of these devices: Kim Zetter (3 Sep 2014), “Phone firewall identifies rogue cell towers trying to intercept your calls,” Wired, http://www.wired.com/2014/09/cryptophone-firewall-identifies-rogue-cell-towers. Ashkan Soltani and Craig Timberg (17 Sep 2014), “Tech firm tries to pull back curtain on surveillance efforts in Washington,” Washington Post, http://www.washingtonpost.com/world/national-security/researchers-try-to-pull-back-curtain-on-surveillance-efforts-in-washington/2014/09/17/f8c1f590-3e81-11e4-b03f-de718edeb92f_story.html.

  13: Solutions for Government

  President Obama set up: Richard A. Clarke et al. (12 Dec 2013), “Liberty and security in a changing world: Report and recommendations of the President’s Review Group on Intelligence and Communications Technologies,” US Executive Office of the President, http://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf.

  “Necessary and Proportionate” principles: Electronic Frontier Foundation (May 2014), “Necessary and proportionate: International principles on the applications of human rights law to communications surveillance: Background and supporting legal analysis,” https://en.necessaryandproportionate.org.

  International Principles: Electronic Frontier Foundation (5 Jan 2014), “13 international principles on the application of human rights to communication surveillance,” https://necessaryandproportionate.org/files/2014/01/05/13p-onepagerfinal.pdf.

  Since 9/11, the Bush and Obama: To take one example, Director of National Intelligence James Clapper said, “Disclosing information about the specific methods the government uses to collect communications can obviously give our enemies a ‘playbook’ of how to avoid detection.” Associated Press (9 Jun 2013), “Intelligence chief James Clapper defends Internet spying program,” New York Daily News, http://www.nydailynews.com/news/politics/intelligence-chief-james-clapper-defends-internet-spying-program-article-1.1367423.

  And sometimes we need: In 2014, we learned that Israel intercepted diplomatic communications between US Secretary of State John Kerry and various countries in the Middle East. Der Spiegel (3 Aug 2014), “Wiretapped: Israel eavesdropped on John Kerry in Mideast talks,” Der Spiegel, http://www.spiegel.de/international/world/israel-intelligence-eavesdropped-on-phone-calls-by-john-kerry-a-984246.html.

  Criminals can read up: Conor Friedersdorf (18 Mar 2014), “Why isn’t the Fourth Amendment classified as top secret?” Atlantic, http://www.theatlantic.com/politics/archive/2014/03/why-isnt-the-fourth-amendment-classified-as-top-secret/284439.

  Yet the police regularly manage: Remember that much of this came as a reaction to police abuse. It isn’t that the police are less likely to abuse the rules; it’s that we’ve had longer to develop rules to control them.

  Terrorists don’t cause: Bruce Schneier (31 Jul 2012), “Drawing the wrong lesson from horrific events,” CNN, http://www.cnn.com/2012/07/31/opinion/schneier-aurora-aftermath/index.html.

  We have to design systems: IT security people call nontransparent security systems “security by obscurity.” Good security design is the opposite of that: it works even if all the details are made public. Bruce Schneier (15 May 2002), “Secrecy, security, and obscurity,” Crypto-Gram, https://www.schneier.com/crypto-gram-0205.html#1.

  the US gave up trying: Michael J. Selgelid (Sep 2009), “Governance of dual-use research: An ethical dilemma,” Bulletin of the World Health Organization 87, http://www.who.int/bulletin/volumes/87/9/08-051383/en. Carl Zimmer (5 Mar 2012), “Amateurs are new fear in creating mutant virus,” New York Times, http://www.nytimes.com/2012/03/06/health/amateur-biologists-are-new-fear-in-making-a-mutant-flu-virus.html. Michael Specter (12 Mar 2012), “The deadliest virus,” New Yorker, http://www.newyorker.com/magazine/2012/03/12/the-deadliest-virus. Arturo Casadevall (Jan/Feb 2014), “Redaction of sensitive data in the publication of dual use research of concern,” mBio 5, http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3884058.

  Military thinkers now realize: Beth M. Kaspar (Aug 2001), “The end of secrecy? Military competitiveness in the age of transparency,” Occasional Paper No. 23, Center for Strategy and Technology, Air War College, Air University, Maxwell Air Force Base, Alabama, http://www.fas.org/sgp/eprint/kaspar.pdf.

  The NSA has justified: US National Security Agency (31 Oct 2013), “NSA’s activities: Valid foreign intelligence targets are the focus,” http://www.nsa.gov/public_info/press_room/2013/NSA_Activities_Valid_FI_Targets.pdf.

  We know from recently declassified: In one opinion, Judge Bates held that the “NSA exceeded the scope of authorized acquisition continuously.” Spencer Ackerman (19 Nov 2013), “FISA court order that allowed NSA surveillance is revealed for first time,” Guardian, http://www.theguardian.com/world/2013/nov/19/court-order-that-allowed-nsa-surveillance-is-revealed-for-first-time. Yochai Benkler (16 Oct 2013), “How the NSA and FBI foil weak oversight,” Guardian, http://www.theguardian.com/commentisfree/2013/oct/16/nsa-fbi-endrun-weak-oversight. John D. Bates (3 Oct 2011), “Memorandum opinion,” (case title and number redacted), US Foreign Intelligence Surveillance Court, https://www.aclu.org/files/assets/fisc_opinion_10.3.2011.pdf. Marcy Wheeler (22 Aug 2014), “This is why you can’t trust the NSA. Ever,” Week, http://theweek.com/article/index/266785/this-is-why-you-cant-trust-the-nsa-ever.

  The NSA has gamed the rules: Peter Wallsten (10 Aug 2013), “Lawmakers say obstacles limited oversight of NSA’s telephone surveillance program,” Washington Post, http://www.washingtonpost.com/politics/2013/08/10/bee87394-004d-11e3-9a3e-916de805f65d_story.html.

  Members of Congress can’t: Glenn Greenwald (4 Aug 2013), “Members of Congress denied access to basic information about NSA,” Guardian, http://www.theguardian.com/commentisfree/2013/aug/04/congress-nsa-denied-access.

  They can only bring along: Ailsa Chang (11 Jun 2013), “What did Congress really know about NSA tracking?” All Things Considered, NPR, http://www.npr.org/blogs/itsallpolitics/2013/06/11/190742087/what-did-congress-really-know-about-nsa-tracking.

  they’re lobbied heavily: Ron Wyden (29 Jan 2014), “Wyden statement at Senate Intelligence Committee’s open hearing,” http://www.wyden.senate.gov/news/press-releases/wyden-statement-at-senate-intelligence-committees-open-hearing.

  Senator Dianne Feinstein: Dianne Feinstein (28 Oct 2013), “Feinstein statement on intelligence collection of foreign leaders,” http://www.feinstein.senate.gov/public/index.cfm/2013/10/feinstein-statement-on-intelligence-collection-of-foreign-leaders.

  Congressman Alan Grayson: Alan Grayson (25 Oct 2013), “Congressional oversight of the NSA is a joke. I should know, I’m in Congress,” Guardian, http://www.theguardian.com/commentisfree/2013/oct/25/nsa-no-congress-oversight.

 
