Privacy Advisor

Cato Conference: We Have Problems, Is NSA Biggest One?

October 10, 2013

By Jedidiah Bracy, CIPP/US, CIPP/E

On October 9, the Cato Institute, a public policy research organization, held a daylong conference on the recent U.S. National Security Agency (NSA) surveillance disclosures. Titled "NSA Surveillance: What We Know; What to Do About It," the conference was packed with privacy advocates and lawyers, journalists, technologists, academics and public policy and security experts. The day was also peppered with three keynotes from Sen. Ron Wyden (D-OR), Rep. Justin Amash (R-MI) and Rep. F. James Sensenbrenner (R-WI).

Some of the leading journalists covering the Edward Snowden leaks and the NSA disclosures shared their insights and were sandwiched between keynotes Wyden and Amash, both outspoken critics of some of the NSA’s surveillance programs.

Author of the USA PATRIOT Act (Patriot Act) Sensenbrenner said in the coming days he will introduce a bipartisan bill to quash the bulk collection of phone records—currently allowed under Section 215 of the Patriot Act. Called the “USA Freedom Act,” and supported by Senate Judiciary Committee Chairman Patrick Leahy (D-VT) and House Judiciary Committee Ranking Member Rep. John Conyers (D-MI), the legislation, according to Sensenbrenner, “will end the bulk collection of Americans’ communications records by adopting a uniform standard for intelligence-gathering under Section 215” as well as amend Section 702 of the Foreign Intelligence Surveillance Act (FISA) to restrict surveillance to authorized terrorist investigations. The bill would also implement an advocate in the FISA court and increase companies’ ability to publicly disclose law enforcement requests of users’ data.

On a legal panel prior to Sensenbrenner’s keynote, Google Privacy Policy Counsel David Lieber, though mum on some of the specifics of FISA requests that Google has received, did note the company does support legislation previously set forth by Sen. Al Franken (D-MN) that would enable businesses to publish aggregated statistics of government requests.

“We assert our First Amendment right to publish (that) aggregated data,” he said, adding that some of the government’s positions are “untenable.”

Notably, the gag orders placed on businesses to not disclose law enforcement requests are equal to prior restraint, he said.

“We don’t think that transparency and national security are mutually exclusive,” Lieber said. “It is anachronistic, whereby the government gets to choose who gets to speak about FISA demands.”

Guardian journalist Spencer Ackerman asked Lieber if Google had any interest in noncompliance with a surveillance order. Ackerman queried whether Google could band together with other relevant businesses “to resist the surveillance apparatus itself” as “a form of civil disobedience.”

Though Lieber couldn’t answer the question, he did say it’s “dangerous terrain” and that “broadly, we have pushed back on government requests on many different occasions.”

The afternoon also featured a packed technology panel, including Karen Reilly of the Tor Project, Jim Burrows of Silent Circle, David Dahl of SpiderOak, Matt Blaze of the University of Pennsylvania and the American Civil Liberties Union’s Christopher Soghoian.

“Google might not like that they get government requests,” Soghoian said, “but they comply. They might push back, but ultimately, they have lawyers that only do this.”

People choose services such as Silent Circle over other larger companies simply because there’s more privacy and security—that’s the only differentiator smaller businesses can run on, he argued. If these smaller companies abuse the trust of their customers, their reputation is gone. If they fight the government, they have to shut down.

“This growing economic sphere is under threat,” Soghoian said. The U.S. is “a global leader, we should do everything to grow this market, but instead the Department of Justice and the NSA squashes them before they are big enough to fight for themselves.”

Asked if she thought anything about Tor should be changed, Reilly said, “we need more nodes … You should not trust us, you should trust the code.” She added that she is “confident that the distributed system still holds up” but the cryptography needs to be worked on further. Reilly also advocated for the transparency of the open community. Open-sourced systems such as Tor are very difficult for bad actors to infiltrate, and making large changes is difficult.

Standards, particularly NIST standards, were also a topic of conversation. Soghoian said the recent news that the NSA allegedly weakened the NIST standards to help with its surveillance capabilities was not the first time the NSA provided input to open standards. They worked on DSS in 1993 and, later, worked with IBM to improve security—which, at the time, was a good thing. “This points to the problem” of the NSA, he said. “They wear two hats—defensive hats and offensive hats, and sometimes you don’t know who you’re talking to when talking with them.”

Moderator and Cato Institute fellow Julian Sanchez noted that companies such as Lavabit, Silent Circle and SpiderOak are less decentralized than the Tor Project. They have slimmer points of access and the NSA wanted their encryption keys: “How do you deal with the challenges of building a security system when simultaneously being asked to undermine it?”

Silent Circle’s Burrows said the day that Lavabit went down was a really bad one. SpiderOak’s Dahl noted that the keys are only located on the computer being worked on, and that no keys are sent to SpiderOak itself. “All our data is literally garbage,” he said. “With our text and phone we have nothing to give” the government.

Notably, all the panelists agreed that there is no longer any truly secure e-mail platform.

Could the NSA revelations hurt U.S. tech business? After the Snowden leaks, Dahl noted, his colleagues in Europe have begun initiating their own tech startups, adding, “there is more motivation” to do so.

But others warned that there are much worse actors than the NSA.

“We have problems here,” noted Burrows, “the NSA is tarnishing a lot of reputations, but I’m not sure I distrust them more than the Chinese or Eastern Europe. We have problems, but they’re not the worst problems.”

Read more by Jedidiah Bracy:
Three Steps to Heaven, St. Rita and the Future of the EU Draft Regulation
Data Brokers, Universities Breached; Was Nurse Fired for Privacy Breach or Whistleblowing?
White House Names NSA Review Panel
Organization-Wide Privacy Training Implemented at Bloomberg