MARK MCARDLE I TECH TALK
Perhaps the real debate should be about how much government surveillance is too much
Internet security raises serious questions.
IN THE 1990s, I lived in Silicon Valley and was working for an Internet security startup during the heat of what was known as the “crypto wars.”
The U.S. and many other governments wanted to control the use of “strong cryptography.” By “strong” they meant unbreakable. You could use any crypto to protect your sensitive data and email as long as the keys were sufficiently short enough for them to break.
We were on the side of the angels back then, and won some important battles that made things like Internet commerce possible. Our case was pretty straightforward: If you only allow weak crypto, nobody is protected. It was about privacy and security.
The past few months have been full of stories about a man named Edward Snowden who was working for Booz Allen Hamilton as a contractor for the U.S. National Security Agency. This agency is responsible for signals intelligence, which is a fancy way of saying code breaking and eavesdropping. It is an organization whose existence wasn’t even acknowledged by the U.S. government for many years.
Snowden leaked to the U.K. newspaper the Guardian the details of several classified surveillance programs, including PRISM, Boundless Informant and the security agency’s call database.
He said, ‘‘I don’t want to live in a society that does these sort of things (surveillance on its citizens). . . . I do not want to live in a world where everything I do and say is recorded.’’
Since Snowden’s disclosures, he has become the central figure in a Jason Bourne-esque story. At the time of this writing, he had been granted temporary asylum in Russia. His life is now one of exile.
But while much discussion and handwringing is being done over his leaking of top secret information, I don’t see much meaningful discussion about the bigger issue. How much surveillance of a country’s citizens by its government is acceptable?
The conversation is being framed as a battle between privacy and security. This is, and has always been, a false choice.
While it is certainly easier to secure an environment where you control everything (for example, a day care), these practices are not appropriate for a country where freedom is enshrined in a constitution. And this isn’t a purely American issue.
Here in Canada, we have our Charter of Rights and Freedoms. It starts out thus: “The Canadian Charter of Rights and Freedoms guarantees the rights and freedoms set out in it subject only to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society.” In the context of surveillance in a time of the “Global War on Terror” the last part of that sentence should perhaps give us all pause for thought.
The PRISM program started upon former American president George W. Bush’s signing of the Protect America Act of 2007. The naming of surveillance legislation would make George Orwell shake his head. Remember the Patriot Act? PRISM allegedly allows the National Security Agency to unilaterally access live and stored mass volumes of data, including email, video, VoIP (like Skype), and social networking data. This data can then be searched using keywords to get back results on anything of interest.
The communications of any Canadians using providers like Google, Microsoft and Facebook, would be included as well. If you think you’re safe just sticking with Canadian providers and sites, you may be disturbed to find out that your Internet traffic takes the cheapest route on the Internet and not the most direct. This means your communications may be hitching a ride on a high-speed U.S. link. We are being told that in order to be safe, we must allow this kind of surveillance. It is nonsense, and could quite possibly have the opposite effect. With so much data being collected from
citizens who have nothing to do with any illegal, much less terrorist activity, it is an incredibly attractive asset for abuse. Allowing the government of a free society to build a surveillance infrastructure is dangerous. Abuses happen. Power needs to maintain power, and lines are crossed when oversight is weak, and power is strong. Does this sound paranoid? Then look back in history. As security researcher Ashkan Soltani observed in an interview with NBC News, “Put J. Edgar Hoover in charge of the program. If your reaction is ‘Yikes!’ then there isn't adequate protection built in. "One of the tests should be how do we feel if we don't like the people in charge, because we don't know who will be in charge of it in the future."
It has been reported that taking safeguards like encrypting your communications identifies you for additional attention. Your messages may be retained for a period necessary for “cryptanalysis.” Encrypting your email is no different than putting a letter in an envelope. We don’t write all our correspondence on the back of a postcard. We expect — and have a right to — privacy in our communications.
Law enforcement has a difficult job. It will never be easy, but it’s not supposed to be in a free society. In totalitarian regimes, it is much easier to find the “enemy.”
Those rights that we all share are inconvenient to law enforcement officials when they are tracking down a terrorist. But the answer isn’t to collect everything from everybody, and let some analysts look for suspicious activity. Having strong judicial oversight ensures that a person’s rights are protected, and that probable cause is present before surveillance can begin. Programs like PRISM appear to be beyond the reach of a judge. The tools we are capable of making are beyond our ability to control. Perhaps this has been true since early man first picked up a stick and used it as a club. But hopefully we are sufficiently evolved and self-aware to realize that giving our government the ability to use tools to surveil our every communication is a line that must not be crossed. It appears this line has already been crossed in the U.S. Canada’s own national security agency, Communications Security Establishment Canada, has been predictably quiet on this issue.
I don’t know what will ultimately happen to Edward Snowden. But I’m less concerned about his future than I am for Western society’s.
Our governments are composed of citizens we elect. They are as smart, caring, fallible, ambitious, jealous and vindictive as the rest of us.
The tools we give them will amplify the best and the worst in them. Things work best when there is meaningful independent judicial oversight, and transparency. So let’s think carefully.
Mark McArdle worked at a major Internet security company in Silicon Valley before returning to Waterloo Region, and has been involved in several privacy and security groups, including Canada’s Federal Privacy Commissioner’s External Advisory Panel. He welcomes readers’ comments at mark@gadgetfan.ca.