Law, Policy -- and IT?

    Tracy Mitrano explores the intersection where higher education, the Internet and the world meet (and sometimes collide).


Common Ground

Privacy and cybersecurity.


April 20, 2017

On Wednesday, April 19, I spoke at the University of Montana Missoula Big Sky Conference on the relationship between privacy and cybersecurity.  Adrian Irish, who organized the conference, did a great job with it.  Below is my contribution.  Readers of this blog will notice some familiar themes, although I hope in a context that brings some new ideas to light.

Before I begin I want to recognize a good question that came after the session.  It was about Administrative Letters under the Foreign Intelligence Surveillance Act.  While I continue to object to the existence of FISA and FISA Courts, I do recognize the value of law enforcement obtaining information from information technology providers in the furtherance of an investigation.  That is different from what I highlighted in the talk about mass surveillance.  And I see no reason why the United States cannot conduct its surveillance, including obtaining metadata, as is done via Administrative Letters, using regular, Title III criminal courts.  I hope that answered the question.

OK, readers, have at it!

When Adrian invited me to speak, he and I discussed a few topics. Should I talk about cybersecurity? After all, it is the focus of work I have done for the University of Massachusetts, the creation of a cybersecurity certificate program, and since last summer a hot topic in the press.

How about privacy? With a law degree, and having cut my professional teeth on the impact that the USA-Patriot Act had on higher education, that would be a natural topic.  I could spice it up with national security, a subject that has long been aligned with issues of government surveillance. And then, again, there is consumer privacy.  A few years ago, I got myself quite worked up over this issue in the higher education market.  Discovery in a case outside of academe revealed that Google used a technology called “OneBox” that swept up everything -- Gmail, YouTube, Google Apps for Education -- into its monitoring and profiling technologies. Even if machine driven, this practice violates the law that protects the privacy of your education records, the Family Education Rights Privacy Act, or FERPA, because Google used the information for its own business purposes, profiling and advertising. In November of 2014 I went to Washington, D.C. and spoke with one of the Federal Trade Commissioners, Terrell McSweeny, about it.  So maybe Adrian wanted me to talk about the cloud, procurement of services in academic technologies and privacy in higher education.

 It turns out that rather than choosing one of these topics, in varying degrees I am going to talk about them all. More importantly, I have insights about the relationship of these matters to share with you today.  Here is my thesis: Essential connections exist among and between cybersecurity and privacy, both in the consumer and government surveillance areas.  Appropriate policy on these matters is essential to maintain the economic, social and political conditions necessary for teaching, research and outreach. And finally, those connections have a direct relation to citizenship in a democratic republic. 

 I have been contemplating the law, technology, market and social norms of privacy and security of the Internet for over 15 years now.  Perhaps I am not too innovative, because the same themes keep coming up. About cybersecurity, for example, it is impossible to address as a technological matter alone. Cybersecurity requires a framework of global internet governance. On government surveillance, the United States in the telephony age used to have one of the best alignments between law and electronic communications mapping the Fourth Amendment to technology. But with the advent of internet technologies and the failure to update our wiretapping law, it now has one of the worst.  Add our ex parte, secret Foreign Intelligence Surveillance Courts into the mix and the United States stands as one of the most information-grubbing governments in all of history.

 For privacy, on the consumer side, the United States lacks what most developed countries embrace: comprehensive legal protection for personally identifiable information. Our “sectoral” approach, defining privacy protections according to the type of information, results in a scattered, uneven landscape, a minefield of liabilities for corporations, hospitals, doctors and even colleges and universities.  All of these factors have resulted in an almost complete collapse of the distinctions between government surveillance and consumer privacy.   For example, just two weeks ago, President Trump signed into law a bill that allows telecommunication companies to scrape off user information about searches, purchases, location tracking data and so forth for their own marketing and other commercial purposes.  In other words, those companies can collect and sell your personal information, just as Google and Facebook do. This bill levels the playing field between telecommunications and internet companies, but at the consumer’s expense. Rather than going to the lowest common denominator, why wouldn’t we want to dial up privacy protection for consumers who use the internet? Especially when what government cannot scrape, it can buy. The purchase of such information is completely outside of the Fourth Amendment constitutional framework.

We do not have time to do a deep dive into privacy, the history of it in Western civilization or theories about what exactly it represents in the human condition.  For the sake of argument, allow me to stipulate just a few points. First, although it has ancient roots, it is a modern concept.  Contemporary life, one filled with interactions not only with government but with banks and corporations at almost every step we take, has encroached on the cultural privacy that pre-industrialized, pre-market-driven existence baked into the social norms. Law is the referee, not only for a government but for corporate presence as well.  We struggle with how to name it, how to know it, and how to protect it under these novel circumstances. 

Second, privacy, however elusive the concept, is necessary to personal autonomy.  As such, it must be understood and marked if we intend to live and love and work with at least some elemental degrees of physical and psychological personal choice. The qualities of privacy, no matter how difficult to isolate especially in an 18th century political vocabulary of “rights,” are essential to some other ones, including free speech, protection from the quartering of soldiers, government search and seizure, self-incrimination, and reserved rights of the people under the 9th Amendment.  In short, privacy is a prerequisite to citizenship in a democratic republic and indispensable to any definition I associate with a good life.  These qualities are central to meaningful teaching, critical inquiry, research and outreach missions of colleges and universities.

With those stipulations in place, let me go back to some specifics, for example the issues related to the USA-Patriot Act of 2001. The Patriot Act amended the basic “wiretapping” act, the Electronic Communications Privacy Act of 1986. To wit: it lowered the evidentiary showing by which law enforcement could get information in communication technologies. That lower level was not just any information, not even content for the most part, but what in telephony was known as “conversational detail.” Conversational detail is a term of art that represents “billing data.” For example: time-stamped source and destination telephone numbers.  That kind of information is to be distinguished from “content,” what people said in a phone call.  In our common criminal courts, that distinction mapped the Fourth Amendment protections on electronic communications. Courts required law enforcement to issue a subpoena for conversational detail and a warrant for content, at least until the advent of the internet and the events of 9/11 and the Patriot Act amendments.

The Patriot Act eliminated the subpoena requirement for conversational detail. All that the law now required was for law enforcement to file a letter with a clerk.  At the time, it all seemed reasonable enough.  Information technologies and the internet have radically altered the speed with which we live our lives. Especially under the exigent circumstances of the attack, if law enforcement needed crucial information, there should be no extraneous process in the way of their getting it.

 There was a fly in the ointment, however.  Telephone and internet technologies are different. The way telephony worked supported this distinction mapped to the Fourth Amendment. If I have time-stamped source and destination numbers, I have no direct information about the content of the conversation.  Internet “conversational detail” or “metadata,” as we now call it, is time-stamped internet protocol or “I.P.” addresses.  If those IP addresses go to different computers, for example in an email, I may get the email headers, depending on how the network switches and routers are configured, but I will not get the content.  If the IP address goes to a web page, however, I may get exactly that page, or page within a site, which is content.  That contradicts what the Fourth Amendment is supposed to protect.  In short, simply by filing a letter with a clerk, law enforcement can get content. Moreover, advanced algorithmic technologies, including GPS coordinates or other complementary metadata, can create a profile of a person as replete as any content. As Michael Hayden, former CIA chief, once said, “we kill people based on metadata.”

Parallel to the process by which law enforcement can obtain metadata in our regular criminal courts exists another court system that is “secret,” the Foreign Intelligence Surveillance Court. Congress passed the 1978 Foreign Intelligence Surveillance Act to create a check on the surveillance activities of agencies outside Title III criminal courts, such as the CIA. Under this law, proceedings occur entirely outside of our regular Title III open and public criminal courts. The Department of Justice, often working with the National Security Agency, makes requests for surveillance information on foreign targets.  Annually, this court would report to Congress the number of requests and the number approved.  In its many years, including after 9/11, only a very small percentage, often less than 1%, went unapproved. Those went up to the Appellate FISA Court, where, in every case, they overturned the lower court’s decision and allowed for the surveillance to take place.  Before September 11, few U.S. persons cared very much about the existence of this court.  Terrorism was something that occurred abroad and did not involve people in the states. Or that is at least how it was experienced by citizens within the United States. If there were problems with the process, no one knew about it either because the victims had no voice, or because, well, the process was secret.

September 11 exacerbated this pattern. The number of requests, understandably, shot up quickly. Even before the first draft of the USA-Patriot Act, President Bush directed the NSA to set up covert surveillance in all the major telecommunication companies.  By the time the New York Times reported the existence of these “unmarked closets” in 2006, the N.S.A. was already in the practice of tracking the metadata on all landline phones in the United States and maintained persistent content connections over international calls, including those that were either sourced or destined from the United States.

Internal operating rules of “hops out” magnified the significance of the FISA court and brought its meaning closer to the domestic front.  Investigators can go out to three persons in the target’s telephone or internet network. In 2008, Congress passed the FISA Amendments that were intended to retroactively make these efforts legal, including providing telecommunications companies with immunity under the Electronic Communications Privacy Act. Privacy advocates beat the drum about the possibility for abuse, but the whole thing seemed so abstract it was difficult to convey the potential harm to Joe and Jane on the street.

Until Edward Snowden.  In June of 2013 when his disclosure hit the press, suddenly the fuzzy meaning of FISA, the USA-Patriot Act and FISA Amendments of 2008 came into real focus.  And for a while there was an interest in legal reform, almost none of which came to pass.  In the summer of 2015, Congress passed the Freedom Act, a law originally designed to address some of the most extreme concerns, but, as is often the case with legislation, it had an ironic effect and bolstered the USA-Patriot Act.  Government would stop warehousing metadata, but required telecommunications companies to make it available upon demand.  Nothing substantive about the laws or the technology changed, which means that the government has almost complete access and no longer the obligation to maintain it.  Once again, with FISA as the operative legal arm, and a sweetheart deal between telecoms and the government already in place, I am not sure how much of a difference this new wrinkle makes.  In terms of public relations, not much has happened since.

At least until Donald Trump. Citizen Trump did not raise issues about cybersecurity. Campaigner Trump joked about cybersecurity, in ways that still make Senate and House Intelligence Committees as well as the F.B.I. curious about what he knew and when he knew it. And then there are the tweets alleging that President Obama “tapped” his Trump Tower phones. From someone who probably never gave a thought to internet political issues before becoming a candidate, he now offers perhaps the best opportunity in a generation to revisit those issues as they come to life under his leadership.

Cybersecurity is of very serious global significance.  It is not just about your bank sending you a breach notice.  It has been, is, and will continue to be about issues as central as global commerce, economic competitiveness, the authenticity of culture, the protection of personal information as well as trade secrets, intellectual property and research data.  Intellectual property is one data point. Intellectual property comprises about 50% of U.S. exports, with greater and greater percentages of it each year being transmitted, infringed, and exchanged through the internet.  U.S. corporations have long been targets for their patents.  American higher education is of high value for the same booty, procured without firing a shot or a loss of life, as well as for research data. Personal information is currently valued at about $.50 - $1.00 for names plus an identifier such as a social security number or bank address.  A complete medical record goes as high as $50.  Trillions of dollars are spent on information security.  If anyone asks you why tuition costs so much, information security should be included in your answer.

Cybersecurity is also an unwinnable arms race. The United States plays as low and dirty as just about everyone else. Even if the U.S. is a son of a bitch who is our son of a bitch, it is a path that can only lead to naught as we continue to play it. Technology will never be the fix.  It could, like nuclear arms did the Soviet Union, bankrupt us because as a wealthy country we have more to protect, and more to lose, than just about anyone else.  That is why I maintain that the only way to bring cybersecurity under control is through diplomacy to create a rational, multi-stakeholder international framework of global internet governance that could be a vital resource for diplomacy.

A global environment where there are no rules of engagement, there is no trust and everything is suspicious contributes to the practical need and psychological desire to conduct covert surveillance. The international environment bleeds into the domestic.  This kind of environment is consistent with our opaque, secretive Foreign Intelligence Surveillance Courts.  It is what made Edward Snowden’s disclosures so electric. It is what we are now dealing with in respect to Russian influence on U.S. elections because it is now clear that a communications network with no global governance allowed a foreign government to meddle in the presidential election of the United States.

Do you see already the connections to consumer privacy? As I already noted, it is entirely legal and possible for the United States government to purchase information about individuals. Not only can the government purchase information about individuals from private data stores, but an array of corporate entities now gather, compile, trade and sell that information. It is not just a big business, it is a HUGE business, judging by Google and Facebook, the hottest businesses on the block. Take one example: the CEO of Acxiom immediately following the events of September 11 publicly put himself in the service of government investigative services because he knew that his information company probably had some of the most detailed and well collated transactional data in the world. I am glad that he did under the circumstances, but my concern, and it should be yours, is that prior to and since these extraordinary events, no one, including Congresses, Democratic and Republican, has taken a step back and said, “Hang on, do we want to put some controls and due process into this flow of information?”  That was in the earlier years of data collection, wherein the information was sold mainly to creditors to be sure that they made safe bets in loan grants.  Now we are fully into an era in which the most successful companies in the world, Google and Facebook for example, are at root data collection and advertising companies, with no constitutional protections between what they collect and the data gathering potential of the U.S. government.

Law school curriculums, structuredt in concert. Cybersecurity is best represented by a law, the Computer Fraud and Abuse Act of 1986, that has garnered a lot of attention since Edward Snowden and the suicide of the copyright reform advocate Aaron Swartz. In a nutshell, this law makes “hacking,” or unauthorized access into a network or system, a criminal act.  It is thought to have come about when some members of Congress saw the movie “Hackers” and blew a gasket. While I don’t doubt the power of culture on politics, the foundation of this law goes deeper than that.  Financial institutions have long used network systems, well before public accessibility of the internet, to move funds. Those institutions wanted a legal bulwark against criminals who broke into those systems with the intent to divert money to their criminal selves. That background explains why the consequences of violating this law are so grave.  Case in point: it is believed that facing jail time and a felony record, even under a plea bargain, for the alleged “hacking” of the MIT network and library system, Aaron Swartz decided to take his own life.

The Computer Fraud and Abuse Act does not once mention the word privacy. It is not difficult for us to understand, however, how security controls support privacy in this context. When we negotiate so much of our lives in networked space, to have those communications exposed or aspects about our identity used fraudulently encroaches on qualities I associate with privacy.  Rather than viewing privacy and security as opposed to each other in a zero-sum game, I propose we explore the interconnected nature of these qualities in technology, law, social norms and the market.  My personal security rests on the control I exercise over information that I either created or that is about me.  Computer Fraud and Abuse touches just about everything we do or say or think that makes us who we are as individuals, distinct persons, one from the next.  I don’t want anyone, from in or outside the United States, interfering with it.

The quote "A l'exemple de Saturne, la révolution dévore ses enfants" – in time, revolutions eat their children, is known to have been said by the eighteenth century French journalist and witness to the French Revolution, Jacques Mallet du Pan. I have been contemplating this quote not so much for its original meaning but more in the sense of how history is ironic. The United States had its revolution thirteen years before that of France. It was and remains a revolution of world-historical significance.  Representing free trade, upward mobility, democracy, and individualism, the United States was and remains one of political science’s most interesting experiments.

Is the world that the American Revolution created able to sustain it? Ancient Greeks did not have corporations scouring around every detail of their city-state life to grapple with as purveyors of power when they organized “democracy.” Neither did our founding fathers.  Corporations were in their nascent beginnings at the end of the 18th century, progressive by comparison to the state power of monarchs or the British Parliament against which our forefathers fought.  But the tide has turned.  The American Revolution made corporations possible by separating government from the market.  A sleight of hand granting corporations the same rights as individuals obscures how and in what ways these entities are woven into the daily fabric of our lives, and how, at this point, they make money off of us.  Increasingly we live in a profit driven society with less and less focus on public service.  We are no longer in either an agricultural or industrial economy, but one that commodifies information on a global basis. Where is the Marx of this generation to help define the terms that Das Kapital did for capitalism and industry? Where in the Constitution is my right to information about me?

 This question leads to another.  Can a democracy operate without privacy? My hypothesis is that it cannot.  I further submit that we are at a stage wherein the technology, the market and the absence of updated laws to address these developments have devolved to a level that is substandard for a democratic republic. We live every second of our lives surrounded by global cybersecurity threats that have profound effects on the integrity of our political system, a secret court system that bleeds out over the domestic United States unchecked, effectively no Fourth Amendment in electronic communications, and with businesses, large and small, hungrily commoditizing us. It is impossible to address one of these areas without addressing the others; in fact, to deal with any of it is to deal with all of it, the whole kit and caboodle of cybersecurity and privacy in its various aspects.

 I have some thoughts about how we might go about reform. To accommodate our time limits, I have made a short list.  

  • We must set our diplomatic machinery on a course to create a framework of global internet governance, one designed to address not merely cyber insecurity but also the technical and administrative operating mechanics of an open and free internet.  Because change begins at home, the United States must get out of the dirty business of nation-state attacks. The U.S. must demonstrate the quality of leadership that will invite trust for a multi-stakeholder global internet governance to exist. 
  • Congress should repeal FISA.  Its primary purpose has burned itself out.  If it was intended to be a blessing by inserting some form of process, it now exists as a curse on the values and traditions of a democratic republic. Other democratic republics, such as Germany, for example, have demonstrated that there is no need to establish a separate, not to mention secret, court for terrorism.  Acts of terrorism are by definition criminal law.  Our Title III criminal courts are fully equipped to oversee investigations and prosecution of these acts, including managing investigations under seal.  The lack of transparency in court processes is a terrible political blight on our country that must be fixed.
  • We must update the Electronic Communications Privacy Act.  A combination of factors keeps it in place. To reform it requires more than passing understanding of internet technology and Fourth Amendment jurisprudence.  We need a Congress that can cooperate. And we need to figure out what we are going to do about the twentieth-century concept of Fourth Amendment jurisprudence as it applies to advanced algorithms that mine and combine metadata in a manner that equals, if not exceeds, that revealed by content. To the many who say that it is already too late, the cat is out of the bag, privacy is dead, get over it, I say, let’s give it a shot.  We might be surprised by what we gain back in self-respect and integrity in the process.
  • It is time to take consumer privacy as seriously as we do government surveillance.  To throw societal suspicions onto a government and ignore the ways in which corporations, banks and other such entities influenced our lives, is akin to the metaphor about looking only under the streetlight for our lost keys because that is the one spot on the sidewalk where there is light.   I say we start big, with a Constitutional Amendment.  “Privacy is a constitutional right.” 
  • Finally, we must take new understandings about technology and the market, the law and social norms into the classrooms right from the start.  Kindergarten is not too early.  We must remain deeply thoughtful throughout the education process about how to explain these shifting sands, how to raise critical inquiry among students so that as they mature they can raise issues themselves, and about how the internet remains in support of teaching and learning and citizenship.
