July, 2012

Tech and Law Center interviews Susan Landau, who studies the interplay between privacy, cybersecurity and public policy. She has briefed the US Congress on a variety of issues, including digital rights management and security and privacy of digital identity systems. She is currently a visiting scholar at Harvard University.

In your last publication, “Surveillance or Security”, you argue that the line to draw is not between surveillance and civil liberties but between surveillance and security. What are the consequences of this approach?

The most important one is that when you build surveillance into a system, you must take into account the security risks that you are creating by doing so. At a minimum, you need to protect against these (threat modeling and penetration testing). If you are building infrastructure, you must also take into account the length of time the infrastructure will last and do careful modeling on what new threats may arise during that period. This could sharply increase the cost of the surveillance mechanism, but it is a necessary protection to include.

You also wrote that “Cryptography is no silver bullet”. It provides security only for the communications content but not for the transactional information. In Europe it is a topic that has been discussed a lot following the Data Retention Directive and the German unconstitutionality decision. What is your point of view on this type of legislation?

Given that cellphones are essentially trackers, such transactional information is much more privacy invasive than such data once was. Thus while one can understand the desire of law enforcement to have such information easily at hand, retention of this type of data presents both a privacy and civil-liberty risk as well as a security threat. How will it be protected? Who might have access to it? What type of auditing system will be set up to track access to the data? In the U.S., we have seen that while some jurisdictions allow access to such data only in cases of imminent danger to life, other jurisdictions are far more lax. This is very dangerous.

During the 2011 hearing on “Going Dark: Lawful Electronic Surveillance in the Face of New Technologies”, you stated that a major national security problem facing the United States is cyber exploitation. Can you please explain to us the implications of your statement?

It is a statement I agree with, but I was actually quoting William Lynn, US Deputy Secretary of Defense, at the time he made the statement. The risk resulting from cyberexploitation means that computer and communications networks should be built to be highly secure.

Regarding the recent UK plan to monitor UK internet and phone traffic, and decode encrypted messages, including Facebook and GMail messages, what do you think the reaction of the citizens should be, and is there any space for dialogue on these issues at the policy level?

As a result of terrorism stemming from the conflict in Northern Ireland, the UK has long tolerated far more surveillance than other democratic societies. When surveillance, whether from CCTV cameras or as a result of the retention of communications data, is commonplace, the citizenry doesn’t react; surveillance is simply part of the landscape. It takes egregious attacks against the “common” people to cause the public to react. There is plenty of space for dialogue at the policy level. Issues to be discussed include the purpose of the surveillance, the oversight involved, the risks created by the surveillance, the checks to prevent inappropriate collection of information.

In United States v. Antoine Jones, the Supreme Court made an extremely important decision, unanimously determining that installing a GPS-tracking device on a suspect’s car constitutes a search and thus requires a warrant: what about the issue of data accumulated by third parties (like Google, Amazon, Facebook, etc.)?

In the US, the law is that such third-party collection is subject to fewer constitutional protections than otherwise. But because the technology is changing what type and how much personal information is being collected, there is a move to provide greater protections to such third-party data.

The surveillance experts at the National Security Agency won’t tell two powerful United States Senators how many Americans have had their communications picked up by the agency as part of its sweeping new counterterrorism powers. Do you think oversight of intelligence collection should be tightened up?

Yes; see above.

Bolivian customs officers will have to carry special pens, with a hidden micro-camera and voice recorder, as part of a government initiative to tackle corruption: do you think there is a constructive way to use technology in order to curb crime without heavily affecting basic human rights?

I hadn’t been aware of this initiative and I would need to understand it better before I comment. But one observation is that technical fixes are only one piece of a solution when handling corruption issues; process and personnel are the bigger aspects. So one needs to understand how those are changing in the Bolivian situation.

We recently held an event with Prof. Alessandro Acquisti on the current aspects of privacy. One of his interesting works (http://www.heinz.cmu.edu/~acquisti/face-recognition-study-FAQ/) deals with face recognition systems applied to social networks. What do you think of this type of technology and the possible risks posed by its misuse, especially if it were connected to CCTV in order to allow almost real-time identification of recorded people?

That one could not wander the streets anonymously would be a terrible blow to freedom, both real and perceived. In the US, we had a famous court case, NAACP v. Alabama, protecting the anonymous right of free association. This was a case that occurred in the 1950s in the southern United States, when people demanding political rights for blacks were at risk. The Supreme Court ruled that the NAACP, an organization supporting these rights, did not have to publicly reveal its membership to the state of Alabama. It is hard to imagine that a democratic society could really function as a democracy if the government had the capability to conduct real-time identification of protestors. The point is that few of us have never violated a law — never driven too fast, never underpaid slightly on taxes — and even the hint that the government might be doing such real-time identification would have immediate chilling effects in multiple destructive ways.

In an ever more “cloudy” world, in Europe the Data Protection Authority regulates privacy issues through an EU directive on investigations (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0010:FIN:EN:PDF); in the US the Patriot Act is a legal provision against terrorism which allows information to be obtained even outside US jurisdiction. What are the consequences of these two different approaches?

That’s a very broad question requiring many pages of answer, so I’ll confine myself to several observations:

- Globalization and the Internet have changed the playing field here in multiple dimensions: the ease with which such surveillance is conducted outside one’s own borders, the speed at which the consequences of actions occur, the complex interactions between nation states.

- Nations spy on people outside their own jurisdiction; this includes member states of the EU. This falls under national security authority (which in many nations includes issues related to economics).

- The Internet has made it much easier to conduct much of this type of surveillance without actually leaving your own nation’s borders.

- One needs to keep in mind that there is a large distinction between what nation states consider legitimate surveillance, especially outside one’s jurisdiction, for national-security purposes, and what nation states consider legitimate for law-enforcement purposes.

I realize that I am not answering your question here, but I think that the question needs to be rephrased given the complexity of the situation.