For more than six years now, the federal government has been using the specter of terrorism as its preferred method of scaring legislators, foreign governments and the American public into accepting a parade of increasingly spurious laws and policies allegedly designed to improve security. Measures such as the Patriot Act, the Protect America Act and the hopelessly misguided plan to monitor all of the Internet's traffic all have been...
pitched as necessary steps to keep the country's critical assets secure.
But the assumptions on which these arguments are based are fundamentally flawed and this faulty train of thought is leading us into a dangerous new world in which the government and a handful of its corporate confederates control virtually every aspect of our online lives. And that's not only bad for the personal security and privacy of citizens, it's bad for our nation's security as well.
All of this began in the aftermath of the terrorist attacks in 2001, when the Bush administration bullied a terrified Congress into passing the Patriot Act. The act includes a slew of provisions that were hotly debated at the time, but now can be seen as just the warm-up act for what was to come later. For example, the Patriot Act gave every district court judge in the country the ability to issue wiretap and surveillance orders for investigations that involved terrorism. The law also gave the FBI the authority to conduct so-called roving wiretaps, which do not require the bureau to specify all of the third parties or communications carriers that will be targeted in the wiretap. Privacy advocates such as EPIC and legal scholars denounced these provisions as unconstitutional, but the administration just repeated the word terrorism over and over until it drowned out all of the opposition.
Many of the act's more controversial provisions were meant to expire in 2005, but many of them have been extended, some indefinitely, and others have been expanded and re-interpreted to the point that they're hardly recognizable anymore. The most heinous and worrisome result of this is the Protect America Act, an ironically titled law passed in August that many experts say not only further erodes what little privacy Internet users retain, but in fact introduces more vulnerabilities into the U.S. communications infrastructure.
The heart of the PAA is language that gives the U.S. government the ability to eavesdrop on communications on domestic networks without a warrant, as long as one of the parties involved is reasonably believed to be outside the U.S. There are a number of problems with this, with the biggest one being the fact that this system will by default collect some unknowable amount of communications that do not involve any foreign parties. This is unavoidable and it should also be unacceptable. Americans should not be subject to this kind of secret surveillance. But we have grown so accustomed to this slow drip, drip, drip of privacy invasions in the name of security that few opponents even bothered to mount much of an attack on the PAA's implications.
However, a group of security experts analyzed the act, its implications for security and privacy and the problems with the likely architecture of this wiretapping system. Not surprisingly, they found a number of issues. The group, comprising Steve Bellovin of Columbia University, Matt Blaze of the University of Pennsylvania, Peter Neumann of SRI International, Whit Diffie and Susan Landau of Sun Microsystems and Jennifer Rexford of Princeton University, wrote a paper on the Protect America Act and their conclusions are not pretty.
"U.S. communications security has always been fundamental to national security. The surveillance architecture implied by the Protect America Act will, by its very nature, capture some purely domestic communications, risking the very national security that the act is supposed to protect. In an age so dependent on communication, the loss could well be greater than the gain," the authors write in their conclusion. "To prevent greater threats to US national security, it is imperative that proper security—including minimization, robust control, and oversight—be built into the system from the start. If security cannot be assured, then any surveillance performed using that system will be inherently fraught with risks that are fundamentally unacceptable."
Those are the words of some of the top security experts in the world, not some policy wonk at a think tank in Washington. And as bad as that sounds, it only gets worse. Consider these words from a recent story in The New Yorker on Michael McConnell , the director of national intelligence, and his draft plan to secure the Internet: "The plan will propose restrictions that are certain to be unpopular. In order for cyberspace to be policed, Internet activity will have to be closely monitored. [Former National Security Agency analyst and security consultant] Ed Giorgio, who is working with McConnell on the plan, said that would mean giving government the authority to examine the content of any e-mail, file transfer, or Web search. 'Google has records that could help in a cyber-investigation,' he said. Giorgio warned me, 'We have a saying in this business: 'Privacy and security are a zero-sum game.' "'
This is a perfect summation of the government's current policies on surveillance, security and terrorism: If you want security, you have to cede your privacy. And if you'd rather have privacy, then you won't be secure. This flawed logic lays bare the administration's complete misunderstanding of the concept of security and how it is achieved. Security, whether of a network or of a country, results from intelligent, thoughtful policies and procedures designed to support a defined goal. It does not come from scare tactics. And while security often is described as a series of tradeoffs, swapping privacy for security is not one of them, nor should it ever be.