« Schmidt happens | Main | Running with scissors »

The learning channel

On the eve of London's CryptoFestival, as everyone gears up to reconnect with their inner cypherpunk, it seems like a good moment to assess what we've learned over the last five months of revelations from the Snowden documents. Not what we've learned from the documents themselves; you can read all that over at the Guardian. I mean the lessons of it all.

When the intelligence agencies and law enforcement ask for new powers because the progress of technology is making it hard for them to do their jobs...they mean that they are already doing the things they're asking permission for and, like most people, they'd rather not have to lie about it. Kind of like your significant other saying they'd like to see other people. As Phoebe said on Friends all those years ago, it means, "Ha, ha, I already am!" (Season 1, episode 3, "The One with the Thumb"). Once the statutes are on the books, of course, they're free to push the next boundary. Which means...

...that at the highest level, the intelligence agencies and law enforcement are always operating a step or two beyond what the law allows them to do, building the systems they want while at the same time pushing for the law to be updated to make them legal. Unfortunately, most of the tradition of detective shows all the way back to Sherlock Holmes, tends to normalize this mode of behavior and dub it heroic. Our scripted dramas revere the maverick, the unstable genius, the misfit who pushes the boundaries and is always eventually right. From Carrie Mathison (bipolar, brilliant and unstoppable) on Homeland, Jack Bauer (torturer for truth and the American Way) on 24, and Reddington (omniscient, clever, and criminal) on The Blacklist to the more cerebral geniuses on Monk, Numb3rs , and Person of Interest, you'd be hard-pressed to find one who solves the toughest cases by following the rules. In fiction, defying authority makes for drama and conflict and engages the audience's root-for-the-underdog instincts. In real life, I have no doubt that pushing the envelope seems entirely justifiable: if I were the person who bears the weight of the nation's security on my shoulders it probably would to me, too.

The "safe harbour" agreement between the EU and the US over the transfer of data was as much of a bandaid as it seemed at the time. This is the agreement that gave US businesses a get-out-of-jail-free card given that the country does not have the standard of data protection laws that would normally allow EU organizations to transfer data there. Basically, under the arrangement US companies are allowed to sign up to a set of principles and self-certify their compliance. Unfortunately, the proposed changes won't actually stop US federal agencies from accessing your data - but they will require companies to inform you in their privacy policies if that's a risk you're taking on when you give them your data.

Loss of trust is expensive. Estimates of the impact on the businesses of Internet companies like Google, Apple, Facebook, and Yahoo! run between $35 billion and $185 billion a year - granted, a pretty wide range, but not cheap even at the bottom of it. Plus, which I'm sure didn't occur to the US experts quoted in the story, all that wasted money lobbying to derail data protection reform in the EU.

We can - and have already started to - upgrade infrastructure to make it more resistant to surveillance, for example by increasing the length of the keys used in already-deployed standards like SSL and TLS. Individually, however, most of the population is not technically adept enough to follow Bruce Schneier's sensible tips for safeguarding privacy. The crypto community's mailing lists have erupted into hotbeds of discussion of what to invent and how to implement it, but mass marketable solutions are a long way off.

The spy agencies seem to fail to understand that the exploits they devise to crack or undermine widespread security standards will come back to bite them as well as us when they escape into the wild to be used by all sorts of miscreants - including people they perceive as opponents.

The rest of the British press is willing to stand by while the government attacks the Guardian for publishing the revelations.

Many of the things privacy advocates have warned about for years that sounded like wild-eyed paranoia are not scare-tactic scenarios but real risks - such as claims of secret arrangements among governments to do each other's spying or the notion that governments have insufficient motivation to get serious about limiting data-gathering practices because it means they have all those nice databases to subpoena when they want to know stuff. You're not paranoid when they're really out to get your digital persona.

You may feel that none of these are lessons you really wanted to learn - and still less, lessons you wanted to pay handsomely for through your taxes. As the turkeys say, happy Thanksgiving.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.


TrackBack URL for this entry:

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)