Consider the assumptions and conclusions about Internet privacy in the following recent quote from a Fox News article:
Bruce Schneier, a security expert who worked with the Guardian to reveal the NSA's secrets, said Thursday that the U.S. government had "betrayed the Internet."
"By subverting the Internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract," Schneier wrote in an essay for the British paper.
"We can no longer trust them to be ethical Internet stewards. This is not the Internet the world needs, or the Internet its creators envisioned. We need to take it back."
The American Civil Liberties Union joined Schneier in criticizing the spy agency. Christopher Soghoian, principal technologist of the ACLU's Speech, Privacy and Technology Project, said late Thursday that the agency's alleged campaign against encryption "is making the Internet less secure" and exposing Web users to "criminal hacking, foreign espionage, and unlawful surveillance."
The thrust of these comments is that the Internet should be – somehow – immune from any government surveillance of any kind and for any reason. This idea reminds me of a conversation I had with my 90-year-old mom several years ago, when she suggested the same thing. So, I asked her, "OK mom, but what about spies, terrorists and kidnappers?" She thought (for just a second) and said, "Well, those kind of people…sure," as if I should have known that she meant to exclude "those kind of people".
These same arguments were made about the telephone many years ago, especially when organized crime started using it to conduct its "business." And then, just like the terrorist threat today, it "cost us" a bit of our privacy to be able to track the Mafia with wiretaps. In fact, had it not been for wiretaps, the war against organized crime would have been lost decades ago.
In addition, we Americans need to get that we are truly unique in the world because of our traditional insistence on private sector dominance in our telecommunications industry – this continues as we have gone wireless and concentrated on Internet based communications.
More specifically, in most other parts of the world – democratic or not – the communications infrastructures are mostly government owned or operated, similar to (or even part of) the post office. So also, in most of the rest of the world, there is content surveillance and monitoring of Internet based traffic by one or more government intelligence or law enforcement agencies – and usually without any threshold showing or requirement for probable cause or reasonable belief to look at the substance of the communication. Similarly: Check into any hotel in Europe, and you must show your passport or your required identity card, and your personal data goes directly to the national police or internal security service for whatever checks on you they want to make.
And, it goes without saying that everywhere in the undemocratic world, e.g., China, everyone is watched all the time, including all Internet activity, because all dissent is a threat to the regime in power, and that's simply how they stay in power and have always stayed in power. In the past they did it with networks of spies and informants, and now with total Internet supervision.
Much to the concern of despots everywhere, however, today's Internet is evolving – at least conceptually – toward everyone having, or having access to, their own shortwave-like capability to talk to anybody anywhere in the world.
So, two key policy questions emerge from this discussion and the technical realities of today's Internet:
- First, do all of us, including the spies, terrorists and kidnappers among us, have a reasonable expectation of privacy when we use the Internet today? And to what extent, if any, have the various democratic governments betrayed the modern day realities of the Internet by their various degrees of monitoring?
- Second, what effect – if any – on the expectation of privacy should efforts to encrypt Internet communications have? In other words, when someone encrypts their Internet communications, are they somehow entitled to more privacy, or does it make the Internet less secure because of the government's possible need to decrypt it, for one reason or another, good or bad? Even more fundamental perhaps – and not intended to be silly – should spies, terrorists and kidnappers be able to encrypt their communications with the expectation of privacy?
It would seem that, in turn, the key to these questions (and also the key to whether our government has been and is acting responsibly) is this more fundamental question: How do we determine whether someone's or something's Internet communications are related to espionage, terrorism or criminal activity – the assumption here being that if they are, then our government should know about it and be able to watch them to keep us safe.
It seems reasonable to conclude that: 1) The expectation of Internet privacy does not, should not – never has and never should – extend to spies, terrorists and criminals; 2) Our government should be monitoring the communications of these people, whether they are encrypted or not (and perhaps especially if they are); and 3) Our main focus, therefore, should be on how, who and on what basis (or threshold) a determination is made to look at a particular Internet communication or category of communications, and how this determination is monitored and by whom.
Now, we're getting somewhere, and I would invite my colleague Mr. Schneier and the ACLU (for whom I have the utmost respect) to comment more specifically on this aspect of the equation, rather than merely asserting that the government has somehow "betrayed," "subverted" or "undermined" the Internet. Frankly, such assertions are not helpful in the current debate, primarily because they don't address the reasons and thresholds for surveillances, nor the oversight of the processes for it in our democracy.
Let's float some ideas for such a rational and objective discussion:
First, if we knew, based on reliable information or sources – a human source for example – that Internet user X was in fact engaged in espionage, terrorism or criminal activity, it seems clear that our system should enable intrusive surveillance of X's Internet usage, just as it would X's telephone. Also, it would seem reasonable to look at whom X was communicating with, if only to see if the communications were routine – e.g., to order a pizza – or if they were to someone else engaged in espionage, terrorism or criminal activity or were somehow related to those activities.
Second, assuming it were technically possible to somehow sort through huge amounts of Internet traffic, by using key words or other kinds of data in some kind of search engine, and if there were several layers of review, including human review, in such a process, could it then be reasonable to selectively look at the content of the traffic, provided such was also 1) approved by a judge or a senior official, and 2) was allowed for only a limited period of time, and 3) was subject to periodic review? This kind of examination may not necessarily require the identity of the communicators, until and unless such was approved by an additional/similar process that required a specific approval.
Would such an approach to looking at Internet traffic for spies, terrorists and criminals be 1) reasonable 2) constitutional, and could it be established by public law and implemented by executive order and regulation, provided the Congress was kept in the loop with regular oversight reporting?
If the answer to these questions continues to be yes – and it most likely is – then the recent public debate brought on by Edward Snowden's disclosures is far more mundane, and far less sensational, than the media would perhaps like it to be. Also, in that case, the real issue set boils down to the following set of key questions, best answered by our Congress – specifically the Intelligence committees working with some other key committees – after a searching inquiry and a series of hearings, as many of them open as possible.
- Were the established and relevant laws, regulations and procedures complied with?
- Are the established laws, regulations and procedures up to date for current Internet and other technologies?
- Is there reason to add new laws, regulations and procedures?
- Is there a continued requirement – based on public safety – to be able to do intrusive surveillance, including Internet surveillance, against spies, terrorists or criminals?
In sum, the idea that we have somehow "betrayed" or "subverted" the Internet (or the telephone for that matter) is – as my mom also used to say – "just plain silly." Such kinds of inaccurate statements are emotional and intended mostly for an audience with preconceived opinions or that hasn't thought very hard about the dangerous consequences of an Internet totally immune from surveillance. In fact, it seems time for far less sensationalism – primarily by the media – and far more objectivity. In the final analysis, my mom probably had it right: "Those kind of people, sure".
Daniel Gallington is the senior policy and program adviser at the George C. Marshall Institute in Arlington, Va. He served in senior national security policy positions in the Office of the Secretary of Defense, the Department of Justice, and as bipartisan general counsel for the U.S. Senate Select Committee on Intelligence.