
RSA panel to discuss surveillance, privacy concerns

By Erin Kelly, Contributor
14 Apr 2009 | SearchSecurity.com


Several security and civil rights experts will debate the use of Internet surveillance as a tool to fight terrorism. The debate, "Surveillance Security, Privacy and Risk," will be held April 21 at the RSA Conference in San Francisco. The experts will discuss pros and cons of the latest federal legislation addressing surveillance techniques. In this interview, panel moderator Gary McGraw, chief technology officer of Cigital Inc., outlines the debate and explains the issues raised when the government taps into Internet traffic to watch over a suspected terrorist organization.

Why has surveillance become significant enough in recent years to be a topic at an RSA session?

Gary McGraw: The Protect America Act, which has since been replaced with the Foreign Intelligence Surveillance Act, changed the game pretty significantly after 9/11, and the government started doing things differently. So there has always been a balance between security and privacy and I think now that we're re-examining our basic politics in this country, we're also re-examining our role of surveillance, privacy and security. We asked the government to participate, and they are, with Alexander Joel included in panelist members. Joel is a Civil Liberties Protection Officer for the Director of National Intelligence (DNI), which is the head office of all spy agencies. So we have the guy who's in charge of Civil Liberties Protection offices; we have a guy in the government, as well as (Deirdre K. Mulligan) a fairly radical Berkeley professor who is part of the Electronic Frontier Foundation (EFF), which is a group of technologists who are very concerned about civil liberties. They're kind of like the ACLU of technology. It should be a very interesting debate. I can't anticipate what's going to happen because no one has put these people within 10 feet of each other before. It's going to be an honest, open, intellectual debate. When you live in a free society, it sort of behooves you to do this if you care about personal liberty, which I do.


You're a software security expert and your research has been around secure software coding. Why do you have an interest in privacy issues and surveillance?
McGraw: Well, it turns out I'm a scientist, in addition to writing books and running companies that have to do with software security. I also have a podcast called 'The Silver Bullet,' which is one of my roles with the IEEE (Institute of Electrical and Electronics Engineers, Inc.) computer society. So in my role as a person involved with the computer society and IEEE Security and Privacy magazine, I have a great interest in this stuff and every year I've done a panel at RSA for IEEE Security and Privacy Magazine -- this is the fourth one, I think, and they always turn out to be a lot of fun. Last year the topic was electronic voting, the year before that it was rootkits, and the year before that we did wireless security with hardcore experts. I hate panels when people just stand up there and give 20 minute talks. Our object is to get people as far into the issue as they can, and disagree and debate scientifically.

There are three main policy objectives in conflict pertaining to surveillance that the panel will address. What are these objectives, and why are they so controversial?

McGraw: Everybody would love to eavesdrop on terrorists and stop their actions. Everybody would also like to furthermore preserve privacy of people on the Internet, and everybody agrees that having the Internet up and running reliably is a good thing. All of these goals everyone agrees on, but the question is how do you balance them? That's the interesting part. We want to catch terrorists but I don't want the NSA listening in on all my phone conversations. I would like Al Qaeda websites to be monitored and taken down, yet I don't want all of my Internet traffic to be scrutinized. So how do we balance these goals? The problem is there is no perfect answer, so we need to have a very careful debate over how we should perceive these topics, and what is in the balance is personal liberty.

What are the biggest problems individuals and organizations have with the legislation currently enacted?
McGraw: The legislation is not the only problem; it is also the technological approach to carrying out those directives. One might say it's a great idea to always eavesdrop on a terrorist if we know who or where they are, but the question is how do you do that technologically? And if the answer is listening to all international satellite communications, then what if your traffic goes through an international satellite? Does that mean the government gets to listen to you too? So the first thing you have to figure out is: Who's talking to who? But in order to narrow it down to the people the government is interested in surveilling, you have to look at everyone, which is a problem -- unless you don't care. Some people are saying, 'why do you need to hide? Are you a bad person?' I think that's a ridiculous statement, however, I'm sure we'll hear it [during the debate]. 'I have nothing to hide, I'm innocent…now leave me alone,' is my answer.

What are the benefits of these legislative acts? Do the benefits outweigh the problems?
McGraw: The benefits of these acts are what we are going to explore at the debate. The benefits are obvious -- we want to catch bad people before they indiscriminately slaughter innocents, and we have every right to do that to defend ourselves. But the question is, how? So the question is not 'should we go after terrorists?' Anybody who says 'no' to this is an idiot. The question is, 'how do we do that without cashing in all of our personal liberty?' We could be a perfectly crime-free society, but then we would all live in jail. Most people aren't up for that.

Explain some of the risks to system integrity brought by technical implementations.

McGraw: Sometimes surveillance systems decrease information flow, and many times they may make actions invisible, such as exactly where the police are, who is being watched, and why they are being watched. Also, there is the potential for voyeurism. We should think about other societies that have taken to different answers, such as closed-circuit cameras in the U.K. -- they're everywhere. You go out your door, and you're on TV somewhere. The question is whether or not those things will work. There is a clear impact on personal liberty in some sense, and the question is whether or not they're leading to less crime or stopping terrorism, or are they simply a gilded jail cell?


Who will be speaking on each side of the debate, and why were these people chosen?

McGraw: Alexander Joel, who I spoke about before, will be there on the counter-terrorism/anti-cybercrime side. Rebecca Bace (president, CEO of Infidel Inc.) will also be on that side. She was at the NSA when [Kevin] Mitnick was captured, and was instrumental in his capture. So she has firsthand experience tracking people down and using surveillance to get cybercriminals. On the individual privacy rights and system integrity side are Matt Blaze and Deirdre K. Mulligan. Blaze often testifies to Congress about these issues and is a very famous cryptographer and quite a good public policy person. Mulligan, who I really don't know, is a lawyer who has been involved in all sorts of technology policy work for the FTC and natural task force on privacy, as well as the EFF and the California Voter association. She's kind of an activist, and it is always fun to have someone from Berkeley. So, the entire panel consists of very well-spoken, very smart, and even-headed people. Having them hash out these ideas will be very, very interesting.

