Liberty and Security - it's not an either/or choice



My good friend Mac Graham just sent me this article that I think is thoughtful, balanced and provides a very interesting solution for this "Liberty versus Security" problem. (Full Disclosure - I am an Advisory Board Member of TrustCentral, Mac's company.) Mac gets us up to date as follows:

"Here's some more info on what's been going on together with some specific recommendations for 2014.

Frequently in the news today (when issues such as the NSA’s broad data-collection activities are being covered) this issue is being presented to the public as being about a choice between liberty and security . . . pick one or the other (e.g., Governor Chris Christie of New Jersey made this point in the last week).  Well, it doesn’t have to be such an unpleasant choice: with some reasonable changes we can have both. Both security and liberty are vital to the maintenance of a free society; we must not sacrifice either one.

My purpose here is to provide: (a) some background; (b) descriptions of some key recent events; and (c) some specific recommendations as to how we can maintain both our liberty and our security. 

Background:

The activities of the NSA that have recently been in the news are being conducted under the authority primarily of two laws: Foreign Intelligence Surveillance Act of 1978 ("FISA") and the Patriot Act, which was passed in October 2011 in the aftermath of the events of 9/11. 

The Foreign Intelligence Surveillance Act of 1978 ("FISA") prescribes procedures for the physical and electronic surveillance and collection of "foreign intelligence information" between "foreign powers" and "agents of foreign powers" (which may include American citizens and permanent residents suspected of espionage or terrorism).  As part of FISA the Foreign Intelligence Surveillance Court (FISC) was created.  FISC judges are appointed by the Chief Justice of the Supreme Court and it operates essentially in secret.

The purpose of the USA PATRIOT Act is to deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and other purposes (e.g., a focus on terrorism, money laundering and abuse of the financial system).

Recent events

The FISC is seen to be creating new law that is essentially unknown to and unexamined by the American people.  The following is from an article in the Wall Street Journal on July 8, 2013 entitled: Secret Court's Redefinition of 'Relevant' Empowered Vast NSA Data-Gathering. This article makes the case that the secret FISC has changed the previously accepted definition of the term “relevant” (as regards to a specific suspected criminal event/investigation) so as to authorize the broad collection of millions of records on millions of Americans not suspected of any wrongdoing (e.g., bulk cell phone records from multiple cellular providers).

In classified orders starting in the mid-2000s, the court accepted that "relevant" could be broadened to permit an entire database of records on millions of people, in contrast to a more conservative interpretation widely applied in criminal cases, in which only some of those records would likely be allowed, according to people familiar with the ruling . . .

Some lawmakers now disagree. "The government must request specific records relevant to its investigation," Rep. Jim Sensenbrenner (R., Wis.), one of the authors of the Patriot Act, says. "To argue otherwise renders the provision meaningless," he says. "It's like scooping up the entire ocean to guarantee you catch a fish."

Given the traditional legal definition of relevant, Mr. Edgar [Timothy Edgar, a former top privacy lawyer at the Office of the Director of National Intelligence and the National Security Council in the Bush and Obama administrations] says, it is "a fair point" to say that someone reading the law might believe it refers to "individualized requests" or "requests in small batches, rather than in bulk database form." From that standpoint, he says, the reinterpretation of relevant amounts to "secret law."

The FISC takes the position that collecting vast quantities of cellular metadata is not only constitutional but that their ruling cannot be challenged. (Which appears to be an intriguing position given the Constitution’s clear procedures as to how laws are openly created and adjudicated.)

March 12, 2013: Senator Ron Wyden (Democrat of Oregon) long critical of the reach of U.S. surveillance programs, questioned General James Clapper (Director of National Intelligence) who oversees the U.S. spy agencies, at an open hearing of the Senate Intelligence Committee.  Wyden asked Clapper:

"Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?"

"No, sir," Clapper replied.

"It does not?" Wyden pressed.

"Not wittingly," Clapper responded.

June 2013: Revelations of massive collections of cell phone records (as well as the collection of massive other personal data) on hundreds of millions of Americans appear to contradict General Clapper’s statement.  There was much Congressional and public criticism for Clapper’s March representation to the Senate Intelligence Committee. One noteworthy question asked was how can Congress perform its oversight responsibility if it’s not receiving accurate reports from the groups it is responsible for overseeing?

July 18, 2013: 

A leading congressman is warning the White House the government's electronic surveillance program violated the law and may not be renewed.

Rep. James Sensenbrenner, R-Wis., author of the Patriot Act, said in Wednesday's House Judiciary Committee hearing that Congress has serious reservations about the National Security Agency's program.

Sensenbrenner said Congress may not fund the program again next year.  "Unless you realize you've got a problem, that [provision] is not going to be renewed," he told NSA and Department of Justice officials at the hearing.

Rep. John Conyers, D-Mich., said as far as he's concerned, the program has already violated the law.  "We never at any point in this debate have approved the type of unchecked, sweeping surveillance of United States citizens employed by our government," Conyers said.  "If the government cannot provide a clear, public explanation for how its program is consistent with the statute, it must stop collecting this information immediately," he said.

July 19, 2013: General James Clapper, the Director of National Intelligence, stated that the prior authorization for the massive cellular metadata collection program, which was expiring, was reauthorized by the FISC.

July 24, 2013: A vote is held in the House on an amendment to a Pentagon spending bill which "ends authority for the blanket collection of records under the Patriot Act" and "bars the NSA and other agencies from using Section 215 of the Patriot Act to collect records, including telephone call records, that pertain to persons who are not subject to an investigation under Section 215."  The measure, authored by Republican congressman Justin Amash and supported by Democrat John Conyers, drew significant support from normally ideological opposites: Tea Party Republicans and liberal Democrats.  This wide support came in the aftermath of disclosures about massive NSA surveillance programs.  The measure failed by a narrow margin with a vote of 205-217 (this was reportedly after the NSA conducted "top secret" meetings between NSA Director General Keith B. Alexander and select members of the House to lobby against this challenge to the agency's authority to cull broad swaths of communications data).  A swing of only 7 votes would have passed this curtailment of NSA operations.

Public and Congressional sentiment:  The Patriot Act will automatically expire in 2015 unless reauthorized.  Congressman Sensenbrenner doesn’t see the votes in the House to reauthorize it.

Getting to the Meat of the Matter:  Ezra Klein in his Wonkbook in the Washington Post makes this astute observation:

"Surveillance types make a distinction between secrecy of laws, secrecy of procedures, and secrecy of operations. The expectation is that the laws that empower or limit the government's surveillance powers are always public. The programs built on top of those laws are often secret. And the individual operations are almost always secret. As long as the public knows about and agreed to the law, the thinking goes, it's okay for the government to build a secret surveillance architecture atop it. But the FISA court is, in effect, breaking the first link in that chain. The public no longer knows about the law itself, and most of Congress may not know, either. The courts have remade the law, but they've done so secretly, without public comment or review."

What should be done:

Clearly, to maintain a free society, we must maintain a high sense of public security.  A free society must also maintain liberties such as "'the three liberties'--liberty from tyranny and torture, liberty from poverty, and liberty of conscience, inquiry, and speech" as described by Michael Novak.

Specifically, these principles need to be implemented and/or reestablished:

  1. No more secret laws; citizens must know what laws are being applied to them.  Lincoln was right when he said at Gettysburg “. . . that government of the people, by the people, for the people, shall not perish from the earth”. The U.S. government works for the people and at the consent of the people; not the other way around.  By ending the secrecy of these laws and allowing people to know what the law is, people become informed, thus gaining the ability to direct their elected representatives to change laws as they deem fit.  This is how a democracy works (and is a prime example of “transparency”).  I, as many other Americans, do not want to live under some sort of “elected totalitarianism”.
  2. The Founding Fathers got it right.  We should maintain the model that has served our country well for over 200 years, particularly as specified in the 4th amendment: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. This is the foundation that has served us well, and which we can and must maintain.
  3. Data must be collected constitutionally.  Any data collected or reviewed by government not in conformance with the Constitution must be deemed inadmissible in a court of law; also any person violating such procedures or abetting another or acting upon information so obtained should be guilty of a crime.
  4. In order to eliminate the need for the NSA’s vast collection of records on millions of individuals not suspected of any crimes, the creators of needed records (e.g., telecommunications, Internet companies, financial institutions and others) should be required to retain records in a secure fashion for an adequate period in order to respond to future government warrants.  At the time such businesses would normally destroy/delete records in the course of their business, instead they should securely encrypt them for long-term storage (it should be noted that the cost of data storage has dropped dramatically in recent years; possibly tax-incentives could be authorized to assist with storage costs).  Later, if and when a proper warrant is issued for specific records, the companies in possession of those records will be able to produce them.  Such procedures conform with our country’s history.  We must end the practice of the same people doing the surveilling (e.g., the NSA collecting email, cellular data, web traffic, social networking) also having limitless access to the bulk data, while giving citizens an unverifiable “trust us” slogan.
  5. A PLEDGE IN 2014.  In 2014 those running for Congress should be asked to pledge to either: (a) not to renew the Patriot Act; or (b) at a minimum, amend that law (particularly Section 215) and also amend the 1978 FISA law so that both laws conform with the above principles.

Advice to remember:

"A society that will trade a little liberty for a little order will lose both, and deserve neither" - Thomas Jefferson

Regards,

Mac Graham

Thanks: A special acknowledgement to Steve Gibson and Leo Laporte of TWiT.tv/Security Now for discussing most of these topics and for identifying some of the references quoted herein. 

© Copyright Mac Graham 2013 – SOME RIGHTS RESERVED (No part of the “What should be done” section of this document may not be quoted or used without attribution to the author)  This work is licensed for the good of freedom and liberty-minded people under the Creative Commons License v.03. See the following Web page for details: http://creativecommons.org/licenses/by-nc-sa/3.0/

Mac Graham
Chairman, Founder  TrustCentral
contact mgraham at trustcentral dot com
