Recent revelations of government electronic surveillance of U.S. citizens dominated the 23rd Computers, Freedom, and Privacy (CFP) conference titled ""Our Computers, Our Freedom: Can You Trust Anyone in the Digital Age?" this week at the Newseum in Washington, DC.
Most conferees did not directly challenge the basic legality of the spy programs of the National Security Agency (NSA), but many expressed concerns over their secrecy, and over possible violations of the privacy rights of innocent Americans. No one from the NSA, or elsewhere in the Obama administration, was there to publicly defend the programs.
There were four broad types of governmental electronic surveillance outlined at this ACM conference: two for telephone calls and two for Internet traffic. Each of those includes a program for collecting massive amounts of metadata (analogous to the "public" information on a paper envelope containing a private mailing) for pattern-analysis, and a program for reading the actual content of calls or messages. The administration insists it operates these programs within the law, and that they are vital for national security.
Access to personal Internet content under a top-secret, six-year-old program called PRISM is only lawful against foreign targets; any access to the content of U.S. citizens' messages must be authorized by the secret U. S. Foreign Intelligence Surveillance Court. Although PRISM has been the focus of much press coverage recently, "it is the least problematic" of the programs, said Ashkan Soltani, an independent technical consultant and privacy specialist, because it collects data on millions of innocent people and because it serves as a gateway to the content-access system. "The metadata programs identify data for PRISM," he said. "It is in essence the index to the content in PRISM."
The power of software and hardware to mine patterns from huge amounts of data has rapidly advanced, so that massive electronic surveillance has become practical in recent years. In fact, said Matthew Blaze, a professor of computer science at the University of Pennsylvania and an expert on computer security, it is replacing the more labor-intensive wiretapping methods of the past. "Analyzing content is a lot of work; it doesn't scale," he said. "The metadata is the message."
The NSA programs were set up or broadened by the Bush administration after 9/11, and have been perpetuated by the current administration. Timothy Edgar, adjunct professor at Georgetown University Law Center, said the NSA has elaborate safeguards built into its systems and policies to block any use of an individual's data not permitted by a court order. He called the safeguards, which include internal audits and reports to Congress, "meaningful" but not infallible.
"No verification program for the courts or for Congress exists," said William Binney, a mathematician who worked at the NSA for 32 years, where he led the development of automated analysis and intelligence techniques "It's all based on trust."
Edgar, who served from 2009 to 2010 as the first director for Privacy and Civil Liberties in the White House Cybersecurity Office, said the decision by Bush and Obama to keep the programs secret was a "colossal mistake." He called for "much more transparency" in the programs, but said that certain details should remain secret. For example, "What information the NSA does not collect is a key secret," he said.
Both Edgar and Soltani called for technology that would enable the NSA to retrieve information more selectively, rather than a mass downloading of call records. Said Soltani, "We need tools with a better signal-to-noise ratio and fewer false positives."
NSA claims to the contrary, Mike German, policy counsel for national security and privacy for the American Civil Liberties Union (ACLU), said it is not clear that the spy programs actually advance national security, because sophisticated criminals and terrorists know how to avoid them. "The secrecy is aimed at the public, not the bad guys who know you can get a court warrant," he said.
German also warned that any abuses of program safeguards might not ever be made public, because "whistle-blowers can't be guaranteed protection against retaliation," he said.
Meanwhile, Europeans at the conference decried what they described as a general lack of privacy protections in the U.S., compared to those in place in the European Union. In a taped address, Jan Albrecht, a member of the European Parliament and a specialist on civil rights and data protection, said, "It is not clear any more where our data are stored; our privacy can be invaded anywhere. Mass surveillance is not compatible with democracy."
Barry Steinhardt, retired director of the ACLU's Program on Technology and Liberty, did not disagree. "The U.S. has no overarching privacy regulation," he said. "We have the Fourth Amendment [which guards against unreasonable searches and seizures], but it has been so eviscerated over the years that it's almost meaningless. The U.S. is really the outlier on the world stage."
A conference session on cybersecurity ranged broadly over the topic, but settled into a discussion of "active defenses" by the private sector.
Herbert Lin, chief scientist at the Computer Science and Telecommunications Board of the National Research Council, said a company that has come under a cyberattack has just two legal responses—reporting the attack to law enforcement, and strengthening its passive defenses against future security breaches. He added that far more aggressive active defenses are possible, such as disabling the systems of attackers or destroying the stolen data on their computers (he said a few large, sophisticated companies, and some government entities, are responding to cyberattacks in these ways, but declined to give details). "There is no good way to stop the pain with legal actions," Lin said. "If [active defenses] are appropriate for the [U.S. Department of Defense], why not the private sector?"
In fact, a bill now pending in Congress, the Cyber Intelligence Sharing and Protection Act (CISPA), may open the door to more aggressive responses to cyberattack, such as launching denial-of-service countermeasures. CISPA’s "hack back" provision grants companies immunity for good-faith "decisions made based on cyber threat information." On the other hand, Michelle Richardson, a legislative counsel for the ACLU, said the bill is troubling in its provisions that give companies immunity for sharing private customer data with law enforcement and other third parties, if it is for "cybersecurity purposes." "The bill is much too broad," she said. "It's an info-sharing law that authorizes companies to share any data with any organization."
The issue of active defenses by the private sector is a dilemma for government, Lin said. If the government sets standards for it, then the U.S. is seen as actively promoting cyberattacks, but if the government ignores it, then a vigilante approach to computer security may arise. "The status quo is not stable," Lin said.
Lin pointed out that there is not yet any definition for a "national security cyber-threat," something that ought to be the subject of public debate. "The notion that the private sector will just sit and take it is not realistic in the long run," he said.
But Jeff Greene, a senior policy counsel at Symantec, warned, "Much of this is petty theft on the Internet. You can't apply national security measures against these."
U.S. copyright law, which was last overhauled in 1976, is overdue for another remake, said members of a CFP panel. However, the devil is in the details, they agreed, and there are a lot of details in the existing 300-page statute. In fact, said Jessica Litman, a professor of law at the University of Michigan, legislators find the subject so complex, they rely on lobbyists to tell them what to do.
There are three broad groups of interested parties when it comes to copyright—the creators of books, movies and music; the intermediaries that assume the copyrights, and package and distribute the works, and the individual readers, listeners, and viewers. Litman said individual creators, the end-user public, and the purveyors of future technologies have not been represented well in the legislative process in the past; the result is a patchwork of laws crafted by the big interests in a series of compromises that are mind-numbingly complex, often unfair, and difficult to enforce.
"The [legislative] result is messy and complicated," agreed Ben Sheffner, vice president for legal affairs at the Motion Picture Association of America (MPAA). "But is it really that different from how any other sausage is made here in Washington, such as tax law?"
Still, the movie industry is not always happy with the results. The Digital Millennium Copyright Act of 1998 criminalized certain actions that can result in copyright infringement; it provided for "takedown notices" requiring Internet services companies to remove material thought to infringe on a copyright. However, Sheffner said, the content often reappears in minutes, and there is no easy way to ensure its permanent removal.
Panelists agreed that the current law governing copyright of "orphan works"—those with unknown or unreachable authors—is inadequate to protect users who have made good-faith efforts to locate the authors. A bill that passed the Senate but died in the House would have given the green light for those users to use orphan works without fear of being sued.
Indeed, a fear of lawsuits can have a chilling effect on small users of copyrighted material, Litman said, because of the cost of litigation and the often-large damage awards. This enables copyright owners to exert a kind of blackmail on an inadvertent infringer, he said; "the copyright owner can say, ‘pay me $5,000 right now, or I will sue you and you'll spend $500,000 defending.’"
Gary Anthes is a technology writer and editor based in Arlington, VA.