CTO Josh Gagliardi of IPVanish had a Secure Session a couple of weeks ago with reporter and blogger Jenna McLaughlin of The Intercept. McLaughlin has recently reported on national security hacking threats, the Islamic State, increasing government surveillance powers, and social media controversy over privacy versus counter-terrorism data mining. This is our take on part of the 6th Secure Sessions episode which covers a discussion about secret Internet surveillance powers, and the government’s lack of technical knowledge in deliberating issues relating to technology.
FISA Court on Section 702 Surveillance
The FISA Court made a decision some time ago regarding government surveillance being conducted under Section 702 of the Foreign Intelligence Surveillance Act. FISA is supposed to govern US government surveillance that is being conducted on foreign targets, but whistleblowers have been saying that the US government has been overstepping its bounds. The technologies that were developed for legitimate surveillance on foreign targets for counter-terrorism efforts should never be used for domestic surveillance.
The decision was recently unsealed and shows that the permitted foreign surveillance has undeniably been scooping up Americans’ data. Furthermore, the FBI has been able to quite freely access and search through the database that contains the mixed data. This shows that there has not been much of an effort to really separate foreign surveillance data and keep US law enforcement away from any unintentionally gathered data on US citizens. The data that is inadvertently gathered by these technologies should never be offered for the use of local law enforcement. Yet, law enforcement data requests submitted to the FISA Court have been overwhelmingly approved.
In view of this, it is unsettling that there has yet to be an independent advocate appointed to the FISA Court. The presence of this advocate at all those secret proceedings is essential. The advocate would be the only person having adequate technical knowledge regarding the way that the government’s Internet surveillance works. This advocate would be able to witness court proceedings, but this may not even be enough. As McLaughlin explains, there is a lot of discussion and process and decision-making happening between the Court and the executive branch and law enforcement before a request gets heard, and the advocate is not privy to this.
A Justice Department Double Standard
The government has been saying opposite things about the issue of connected security, depending on who they are talking to and the particular situation they are talking about. For instance, Gagliardi pointed out that they say that encryption on mobile phones is a hindrance to law enforcement efforts while at the same time they say that connected cars need to be made safer to protect people from cyber attacks. We have all heard the NSA, the CIA, and the FBI, among other government agencies, say that cyber security is the country’s number one threat. Yet they continually argue in so many words that online security must be weakened for their investigations into terrorist threats to be successful. The government doesn’t seem to know or care that with all the networking our modern world is built on, it just does not make sense to say that one connected thing and not another should be protected.
The law simply has not been brought up to speed on how the world has changed in terms of technology. McLaughlin and Gagliardi agree that what we lack and desperately need is a Constitutional principle so that lawmakers will have appropriate guidelines to tell them how to make the rules that govern the connected world. Trying to go by the laws that we already have in the US at least, both sides of the argument against encryption, for instance, have merit. Law enforcement is not reined in enough by the law in terms of how much authority they have regarding technologies, and they at the same time do not have enough power to wield it well. Fighting terrorism, for instance, within a determined legal structure that takes only criminality and war into consideration cannot work. Terrorism is an apple to the legislation’s oranges. Throwing existing rules into the mix that cannot adequately deal with how the Internet fits into all this just makes matters more complicated.
When the government wants access to secure smartphones so that they can see if these devices contain any data that is valuable to their investigations, it is not as simple as getting a warrant to search a criminal suspect’s house. This house is the sole dominion of the suspect, and it is secured separately from the other houses in the neighborhood, so there are no other individuals to consider. All they need is just cause to search the area. Technologists see this situation in a different light than law enforcement agents do because they understand how technology works. The only thing that the government understands from this resistance is that the techs don’t want to cooperate.
Let’s imagine that this house to be searched is an apartment in a building full of apartments. An occupant has sole dominion over an apartment just like the house owner, but the main locks on all the apartment doors are of the same type. To learn how to open one door means that all the other locks in the building would be compromised. This would be a huge security issue, and the potential for disaster would be too great to ignore just for the sake of searching one apartment for evidence that we are not even sure exists. If the government could see it from the tech perspective, maybe they could adjust course and work on a viable solution. Right now, techs don’t have a way of unlocking just one door. If the government wants to get in there without creating a threat to every other occupant, they need to work on security before pushing for access.