O TEMPORA, o mores…

[I drafted this blog post in late July 2013. I hesitated before hitting the “Publish” button and, in the end, did not do so. At the time, I felt the piece was too speculative, and perhaps overly cynical about the relationship between technology companies and US intelligence. Since then, enough relevant material has reached the public domain to change my mind. I’m thinking particularly of several of Bruce Schneier’s pieces, and Matt Green’s post on the NSA and SSL.]

 

When I started blogging about privacy (about 8 years ago, at Sun Microsystems), Scott McNealy had long since made his famous remark that “You have zero privacy anyway…”. Eric Schmidt had yet to say that “if you have something you don’t want anyone to know, maybe you shouldn’t be doing it”, but when I saw the revelations about the NSA’s PRISM and XKEYSCORE programs, it set off a train of thought.

Both programs suggest a very close relationship between technology companies and the US intelligence services – and not just a vendor relationship.

For all its carefully-worded denials that it could access service providers’ data “directly” (as opposed to, say, via an intermediate FBI server) the NSA clearly has long-standing and formal arrangements with those companies through whom the majority of digital data would pass at some point in its lifecycle.

The news about XKEYSCORE further suggests that some supposedly safe cryptographic tools are actually open to NSA interception too. Whether or not vendors were intentionally distributing flawed encryption tools, it certainly seems that flawed tools have been allowed to persist in the market even after the NSA knew they were not delivering the level of protection users expected. What inferences you choose to draw from that are another matter.

So, when Scott and Eric warned us that privacy is dead, maybe they weren’t giving us the benefit of their own crystal insight: maybe they were just repeating the latest NSA briefing to tech CEOs whose products or services “might be of interest”.*

I am, of course, not tin-foily enough to mean that as anything other than a joke.**

But where does this leave us, in privacy terms?

My personal view is that the credibility of policy-makers, as effective custodians of what is done in our name, has taken a beating – and I doubt that we have heard the last of the revelations yet. [In fact, the Guardian’s editor, Alan Rusbridger, says the paper has only published 26 of the 58,000 documents it received: 0.045%]

Policy-makers have insisted on law-enforcement and national security exemptions in privacy laws and conventions, and where they have been prepared to compromise, it’s usually only to the extent that the clauses can include some comforting words about necessity and proportionality.

That approach has been shown to be bogus. There is nothing proportionate about the interception methods whose details have been leaked, and the claim that “it’s not ‘collection’ until you actually inspect a given piece of data” is too daft even to qualify as sophistry. Through mass interception, the government creates the capability to inspect everything at will, and that’s an end of it.

The national security justification looks wafer-thin in proportion to the scope of the activities described. Nor is the oversight regime robust enough to convince us that the surveillance activities are necessary (that is, that the same results could not be achieved by other means).

Even so, perhaps citizens would be prepared to accept that interception takes place – even on this massive scale – if they were convinced that the subsequent use of the data were subject to a rigorous and reliable governance regime. But when we look at the current revelations, there’s no evidence that that is the case. For instance, in the US it seems that blanket approvals are frequently granted (by a secret court, in secret sessions, based on secret legal powers), with no opportunity for an agency’s application to be challenged, and a re-approval cycle that seems to note more and more violations… but grant approval anyway.

Even a former FISA judge feels the current system is too sweeping. The NSA says that analysts’ access to intercept data is strictly controlled, with “multiple technical, manual and supervisory checks and balances within the system to prevent deliberate misuse”… and yet this was the system from which Edward Snowden was able to extract 58,000 documents.

Nor am I much more reassured by the UK’s governance regime. To be sure, it has an Interception of Communications Commissioner, who publishes an annual report. The latest report can be found here: http://iocco-uk.info – but you will find that it is an exercise in saying very little, at some length.

[A UK minister and member of the National Security Committee has gone into print saying that he was not briefed at all on GCHQ’s TEMPORA programme, or on their partnership in PRISM. If these data points accurately reflect the rigour of the UK’s accountability regime for intelligence services, we, as citizens, should be extremely concerned.]

So, here’s where I think we stand:

  • We should be pressing policymakers to sign up to principles of privacy and make them meaningful.

  • We should disregard any government assurances about proportionality and necessity criteria unless we can see evidence of a robust governance regime.

  • We should be insisting that vendors deliver usable security mechanisms, that guarantee us the ability to share and store data with confidentiality.

  • [It may, exceptionally, be appropriate for a duly-appointed court to hear some cases or evidence behind closed doors, but it cannot be acceptable for any court to exercise legal powers that, themselves, have never been published. Secret law has no place in a democracy.]

 

 

** When I drafted this blog post on Aug. 1st, I really did, mostly, mean that as a joke.

 

* That was before I saw the time-line showing which companies signed up to PRISM when. That chart showed that Google became a PRISM “feed” in February 2009. 11 months later, Eric Schmidt made his “maybe you shouldn’t be doing it” crack.

The marshmallow, or the poker?

Well, now we have seen two parliamentary committees in action. We can now compare the Home Affairs Select Committee’s questioning of Alan Rusbridger (editor of The Guardian) with the Intelligence and Security Committee’s grilling [sic] of the heads of the intelligence services. I have previously described the latter as not so much a “grilling” (the BBC’s term) as a “soft pelting with marshmallows”. The ISC’s questions were pre-vetted, and a time-lag was introduced in the broadcasting of the session, just in case anyone suddenly read out GCHQ’s private RSA key by accident. All in all, I’ve had salads that were grilled more ruthlessly than the three intelligence heads.

Mr Rusbridger got a moderately friendly reception from some MPs, but there were definitely those who would cheerfully stick a poker up him and toast him over an open fire. This, despite a number of pre-publication checks the Guardian editor was able to list, with both US and British government departments (including GCHQ).

Conversely, I don’t believe Mr Rusbridger got an answer to the question of what kind of oversight [sic] is being applied, when a contractor like Snowden is just one of 850,000 people to whom top secret GCHQ files were potentially accessible.

Those of you who have heard me speak on privacy, or have been reading this blog for a while, will know that I often refer to the paradox of privacy versus secrecy. Privacy is not, it turns out, about keeping all your data secret; to describe a person as secretive is quite different from describing them as private.

As Vint Cerf has (albeit unintentionally) recently reminded us, privacy is a function of normal social interaction. Arguably, by the same token, secretiveness is about minimising social interaction – or, at least, minimising the extent to which it reveals data about oneself. So, give this a moment’s thought: which of two people develops better privacy skills… someone who engages in social interaction, or someone who is habitually secretive?

The secretive person need not worry much about the subtleties of privacy, because their instinct is to give nothing away in the first place. Someone who engages in normal social interaction, with an eye to privacy, is also sensitive to factors like context, appropriateness, discretion and personal trust. We all soon learn who among our friends is a gossip, and who can be trusted to keep a confidence.

And, in a way, this mirrors what we have seen as the Snowden revelations have unfurled; an organisation that is supposedly expert in secrecy has shown itself to lack selectiveness in what information it reveals to which of its employees, and to have poor disciplines of contextual disclosure. Which is strange, when you consider that the phrase “need to know” originated in the field of intelligence, with its need for strict compartmentalisation of information.

Conversely, the media companies that received the material have disclosed it selectively, with purpose, and – as far as the average citizen can judge – responsibly. In fact, that is also the judgement of the UN Special Rapporteur on counter-terrorism, Ben Emmerson, QC, who says that the public interest test in this instance is “a no-brainer”.

The organisations who publish information for a living turn out to be better at judging which information should go out and which should not, and at managing the process of separating the two.

Spare a thought, though, for the friends and families of NSA staff, while we’re on the subject of which things to publish and which to keep to oneself. Apparently concerned at the possibility of negative publicity over the US Thanksgiving holiday, the NSA thoughtfully provided its employees with a page of “Talking Points” for use with friends and family, for which I hope friends and family were duly thankful.

If there was much more irony in this, it would rust.