Wednesday, September 11, 2013

Tell me a story....

There is none so blind as he who cannot see

Joshua Foust puts me on to two things which are related.  And the relationship is:  it really is all about the narrative frame.

It is now clear that Snowden was not focused on unearthing for public debate only selected matters that raise issues of privacy and that ought to be debated. He instead was, like his contemporary Bradley Manning, engaged in wholesale compromising of any secrets he could get his hands (or his keyboard) on, consequences be damned. He was conducting an unrestricted attack on U.S. government information security. Perhaps he and Manning exhibit a naïve belief that secrecy is not necessary for conducting programs of foreign policy and national security. But traitors are not all sophisticated; some are naïve.

 It is well past time to discard the notion that Snowden wasn't doing something terribly wrong because he was not working all along, in classic spy-novel fashion, as an agent of a foreign government. For one thing, foreign governments (and terrorist groups) read U.S. newspapers. For another, when Snowden went to Moscow he put himself at the mercy of the Russian government. When he was given permission to stay in Russia, it could be assumed that anything he had on whatever laptop or thumb drive he had with him came into the possession of the Russian intelligence services. Given his earlier stop in Hong Kong, when he also was looking for help in where to go, probably something similar happened with the Chinese. In short, Snowden's actions entailed bushels of U.S. secrets being given to Russia and China. There are various terms that can be applied to that, but it certainly isn't “whistle-blowing.”
Is Snowden a whistle-blower?  Well, perhaps he is if you take the parochial line that what he revealed is all about us (i.e., "U.S.").  It isn't, of course.

 Snowden, and his collaborators such as Greenwald, had a shrewd public roll-out plan. They started with the stuff about NSA collection activity within the United States, to get on the good side of a lot of public opinion by having Snowden pose as a “whistle-blower” acting on behalf of personal privacy. It was only after scoring that public relations coup that they got on with the rest of their assault on U.S. (and British) national security. Since then there has been a steady flow of divulged stolen secrets, ranging from descriptions of the entire U.S. intelligence program to details about overseas political intelligence targets or NSA's ability to decrypt coded material. Nearly all of this is far removed from any issues of privacy or civil rights or anything else that should be the least bit controversial. It is about normal, legitimate activity by arms of the government performing their assigned missions on behalf of national defense and the conduct of foreign relations. Mainstream media, feasting on the red meat, keep publishing the material. The material may be interesting, titillating, and occasionally even educational. But it is not scandalous.

It's been rather lost in the hubbub that a lot of the documents the Metropolitan Police took off of David Miranda had to do with British intelligence, not just American.  Very little of that data had anything to do with "whistle-blowing."  As Pillar says:  "The Brazilian boyfriend was serving as a courier in an international stolen-secrets ring."  Kind of hard to see it in any other light.

And whistle-blowing is supposed to reveal wrongdoing.  Snowden's revelations are wrong-doing:

The revelation of the material, however, is scandalous. The damage from the disclosures is major, including tipping off adversaries to the vulnerabilities they would need to correct to impede the collection of information about them, tipping off those same adversaries to our own vulnerabilities that they can exploit, causing a host of difficulties in relations with foreign governments, and much more. Those inside the U.S. government doing damage assessments will be kept busy for a long time by just this one case. Say what you want about whether this or that particular item ought to have been classified; the great bulk of the revealed material was classified for very good reasons.
But if you adopt the Greenwaldian frame that all Snowden did was reveal certain information related to how the NSA is spying on Americans, you might not even notice that the bulk of his information is not about that kind of spying at all.  You can be forgiven for still thinking so, as the American coverage especially keeps focusing on those cases; and while such spying is illegal, and should be corralled, that's not all of the information Snowden exposed; not by a long shot.

And who knows how much hasn't been revealed by the press yet, but which the Chinese and the Russians are already reading?  Snowden may end up making Kim Philby look like a low level clerk with access to almost no information at all.  Maybe that's the more appropriate comparison, rather than Daniel Ellsberg.

And on the other hand, and partly to prove I'm no fan of the NSA and whatever it does:

"If someone from the parliament here really believes in free speech, I'm happy to give this to them," said Appelbaum. The node boosts the signal of a worldwide encryption network called TOR. Short for The Onion Router (think protective layers), TOR software provides a web browser that cloaks IP addresses, granting anonymity to Internet users. The National Security Agency’s controversial PRISM program is thought to be using Internet nodes in foreign countries for espionage. TOR nodes create a blanket that shields Web content -- emails, instant messages, metadata and browser histories, for example -- from the government’s gaze. Without anonymity and privacy, Appelbaum argues, freedom is a fallacy.
I'm not sure anonymity and privacy keep freedom from being a false promise, but that's a discussion for another day.  I don't have a problem, however, with TOR.  I see it as the equivalent of a mailing envelope.

Before envelopes were necessary because mail was sorted by machines that demanded uniformity (loose flaps catch in the machinery), envelopes existed anyway.  They were a way of insuring privacy.  People sent postcards, too; but no on imagined what you wrote on the postcard couldn't be read without the recipient ever knowing it.  We all assumed, because custom and law supported it, that a sealed envelope was to be opened only by the addressee.  That guaranteed the privacy of the communication.  And then we invented e-mail, and, well, it's "mail," right?  So it must be private.

Except, as I've noted before, the privacy laws that apply at least to students specifically state I can't send private information to a student via e-mail, because anybody can read it, and then, if they want, mark it as "unread."  Kind of like steaming open the envelope and then resealing it (did that ever really work, by the way?); but so much easier no expectation of privacy could really be created in an e-mail.

What about encrypted e-mail, e-mail that can only be opened by someone with the "key"?  Well, change the facts, change the outcome, but I'm inclined to think that would create a privacy interest equivalent to a sealed envelope.

For their part, the Pirates count digital privacy as fundamental right, not a privilege subject to compromise in the name of national security. Cryptography is a means to that end. It offers a sense of control and relief to people concerned that their personal liberties are being siphoned through their smartphones and ethernet cables.

"I'm worried that the government won't grant me the privacy I think I deserve," said Daniela Berger, a developer who attended the Berlin cryptoparty to learn about TOR. Like many Germans, she is both angry and disheartened by her country's role in NSA surveillance operations. "I think my freedom should be of high value to my government and right now we're steering in a direction where my privacy is an afterthought, if it's a thought at all."
Here we plunge into the problem of definition.  Do you, under the 1st Amendment, have a fundamental right to speak freely?  Well, not that freely.  Don't put up a video on YouTube threatening the President, for example, unless you want Secret Service agents at your door.  Do you have a fundamental right to privacy?  Depends on whether or not you want to have an abortion, and when.  Does the government grant you the privacy you think you deserve?  Well, there we're up against fundamental notions of governance:  that's not exactly the Jeffersonian perspective on "rights."  Should privacy be of high value to your government?  Frankly, coming from Germany, that sentiment is almost laughably naive.

But should it, anyway?  The government is like anybody else:  it loves gossip.  It just calls gossip "intelligence."  Like any neighborhood busybody, the government will take whatever information it can get.  Envelopes developed first as a guarantee of privacy, to hide things from gossips and other government agents (i.e., "spies").  The letter was sealed in the envelope, and unless the seal was broken, only the addressee read the message.  Custom soon led to law, and under the 1st Amendment mail in envelopes was private and not to be tampered with unless there was a showing of cause under the 4th Amendment (which is also part of that penumbral "right to privacy" that is still so contentious in Constitutional law).   Custom needs to be created now in electronic communications so that they can lead to law.  And while the place to start seems to be systems like TOR (which isn't a bad start at all), it's not the only way our internet use has to change.

E-mails are not private because they are too easily accessed.  How likely are you to copy and re-mail a personal letter, and send it to 10 people, or 20, or 300?  Yet with the touch of a button, you can forward an e-mail to everybody in your address book.  A virus can do the same thing, or send a false e-mail under your name.  How many personal letters go out over your name falsely?

E-mail is not "mail," and we have to stop thinking of it as being mail.  Maybe it needs to be encrypted, i.e., put in an envelope, and we develop laws about the privacy of encrypted communications.  After all, unless they have a warrant, the various governments of this country (state, local, federal) can't intercept the snail mail of Al Qaeda anymore than they can intercept mine.  My snail mail is not absolutely private, but it's more private than my e-mail.

And as for this notion of privacy via TOR:  what else is new?  I just got a notice on my "smart phone" warning me never to do more than "window shop" when I'm out on a public wi-fi.  Why?  Because someone with the skills could intercept my information and steal my credit card or access my bank account.  I know this, and should know my electronic privacy isn't private, with or without the NSA.  And frankly, I'm more likely to be damaged by the person stealing my credit information than by the Federal government.  I don't want to be damaged by either one, but I do have to have some modicum of intelligence in this matter.  I may expect the government to guarantee my privacy from the government, but how do I guarantee my privacy from identity thieves?  The two questions, it turns out, are related, and while the government supposed has more powerful tools, I also have a greater ability to control it, than to control a criminal individual.

So what do we do?  Well, maybe it has to be a bit of an arms race:

'The NSA has turned the fabric of the Internet into a vast surveillance platform, but they are not magical,' Bruce Schneier, a renowned security technologist and cryptographer, wrote in The Guardian. 'They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.'
The sealed envelope, after all, was more secure than a piece of parchment folded and held together with a bit of wax.  But the real protection comes from the law:  I have a very strong expectation of privacy in my personal mail, as in my landline telephone (if cell phone calls can be picked up as easily as radio stations, the privacy interest there may not be as strong.  Change the facts, change the outcome.)  But that strong expectation is backed by law, or at least recognized by the courts.  Eventually we have to make the law catch up with technology.

And finally, the fear of the NSA that makes every revelation about what they are doing somehow about American citizens and freedom, leads me to wonder:  is the NSA Big Brother?  Or Sauron? 

Interesting thing about the Eye of Sauron.  For all it's fearsome aspect, it's not very good at seeing things:

 Tolkien’s most potent and intimidating image of centralized surveillance, the Eye of Sauron atop a tower, taking in the whole world, has resonated with those who are paranoid about government monitoring. But it’s Sauron’s vulnerability that has the most relevance for America today. Consider the basic premise of Tolkien’s trilogy: a small group of dedicated subversives willing to sacrifice their lives slips in under the surveillance system of a great power, blends in with an alien population, and delivers a devastating blow to the heart of its empire, leaving its security forces in disarray and its populace terrified. Even a tower or two crumbles to dust. Far from being covert, much of this operation is conducted in plain sight, with the great power aware of its enemies’ existence, if not their intent. Given its prescience about modern-day terrorism, Tolkien’s vision offers at least three lessons for present-day America.
As I recall the end of Tolkien's trilogy, the Eye finally sees Frodo and the Ring just before Gollum attacks Frodo, bites off his ring finger, and plunges into the lava of Mount Doom.

As Rick Perry would say:  Oops.

The Slate article goes on to state the three lessons:  1)  "All-Seeing Is Not All-Knowing" (or, "Total Information Awareness" isn't); 2) "The Enemy Controls the Plot" (or, yeah, we totally saw those Boston Marathon bombers coming!); and 3) "The Louder the Noise the Fainter the Signal".  If you recall the last moments of Sauron, his attention is drawn to the army gathered at his gates; which is precisely what Aragon and Gandalf intended.  Sauron looks to the noise while the real threat slips into Mount Doom.

The article is worth reading.  The criticisms of the efforts of the NSA it makes are, I think, quite sound.  As I've said before, I really do think the serious question here is:  why does the NSA think it's surveillance philosophy (because that's what it is) is working? Why do we?  Tangential to that is the question of privacy; but my privacy is more directly threatened by thieves than by governments.  Fortunately, protecting myself from one protects me from both, and if that ultimately means I have to go back to sealing envelopes or even mailing checks, so be it.

Just because it's convenient, doesn't mean it won't expose me to risks that outweigh the benefits.


  1. but my privacy is more directly threatened by thieves than by governments.

    But that is one of the problems with the NSA's activities: they are making a database that identity thieves, corporates spies, snooping employers, et al., will do almost anything to access. And as the Snowden case (and the Manning case) has pointed out, a lowly contractor (or enlisted person) can very easily get ahold of sensitive information and leak it.

    Also, speaking as someone whose research touches upon statistical and database issues that also pop up in massive surveillance operations such as the NSA's (btw, when you wrote of the NRA, did you mean the NSA?), I have always wondered whether these operations are and could actually be effective with so many potential false positive and false negative signals. Has the NSA even calculated precision, recall and F-measures for their data mining methods on even simulated surveillance data? What is the "number needed to treat" (spy on) before a bad actor can be found? And if that number is as high as it likely is, is massive surveilance even practical or is it really just security theatre?

    Unfortunately, the NSA won't even reveal how successful its methods are (except by giving us scattershot examples of successes that may or may not even involve actual massive surveillance and anyway, as they say, the plural of anecdote is not data). To me that is a tell: while certainly you don't want to reveal the details of your strategy to your enemies, you do want them to know how powerful your forces are. If the NSA cannot even manage to provide statistics that justify the effectiveness of their methods (and send a message to potential terrorists: "don't even try, you'll be caught before you succeed"), then why should we trust them that they know what they are doing? What lack of capability are they trying to hide?

  2. What lack of capability are they trying to hide?

    The one they consider critical to "national security." But that's the problem with "intelligence" gathering at all, isn't it? To reveal your methods is to reveal your strengths; but to reveal your weaknesses for critique, is also to reveal your strengths. If you actually have any.

    Intelligence in U.S. history is actually a joke, IMHO. Tell me again how the CIA predicted the collapse of the Soviet Union. Oh, that's right, they were more surprised than anyone. It turned out the vaunted Soviet military spread across Eastern Europe ready to bear down on the West, was a paper tiger.

    How, again, did we completely miss that?

    We are of one mind on this: I think the basic premise of the NSA is a joke. It can't possibly do what it claims to do, and "Total Information Awareness" is a synonym for blindness. And yes, they have security issues of their own. How the hell was it possible for Snowden to take so much information so easily, much of it above his security clearance level? There was a stabbing at a local high school recently, and today on the news I heard a parent calling for the resignations of the Superintendent of the school district and the principal of the school. I'm not sure that makes sense, but I understand the impulse.

    How many heads have rolled at NSA? All? None, because our brother thinks he's a chicken, but we need the eggs? There is some clear insanity going on here, and sunlight is definitely the best disinfectant.

    But Snowden ain't revealing anything about that, and Snowden's revelations haven't forced any such transparency. I think, in the end, it's the only kind that will count: what is NSA doing, how does it justify it, and who the hell is running this incompetent organization?

  3. Zimmerman (Phil, not George) always was going on about envelopes vs postcards, then invented PGP. Which is only Pretty Good, but still was enough to get the Feds on his ass for years...

  4. How, again, did we completely miss that?

    Because if the USSR were weak, then we wouldn't need such big budgets?

    1. In line with your point ntodd, note that when the CIA failed to overstate the Soviet threat, the politicos brought in "Team B" to give them the "correct" "intelligence". As Simon and Garfunkle once sang "a man here's what he wants to hear and disregards the rest"

  5. Ah yes, good ole Team B. They convinced me a major in Soviet Studies was a good career decision...