Home inFocus America: Making it and Keeping it (Summer 2017) The End of Privacy?

The End of Privacy?

Stephen Bryen Summer 2017

high-ranking member of the U.S. government recently asked if I could be of help in finding a mechanical typewriter. Actually, the person did not need any help: old-fashioned manual typewriters, both “uprights” and portables can be bought new or used (some refurbished) on the Internet. Prices vary between $50 and $300.

Why would anyone want a manual typewriter in the age of computers? The answer is easy: to prevent spies from reading what you write. Next to handwriting, a typewriter offers partial anonymity because the machine is immune to electronic spying. Our official feared surveillance from within the government and was trying to find a way to block these attempts.

It is for the same reason that some high-profile Hollywood actors, directors and producers have given up smartphones and started using so-called Flip Phones. A Flip Phone is just a telephone, and the simplest of them have no data connection. It does not mean they cannot be intercepted – but it means stored information including documents, photos and videos (as well as e-mails) are safe just because they don’t “live” on a Flip Phone.

We have evolved today from computers and networks to home networks, to the Internet and now to the Internet of Things. Simply put, the Internet of Things means technology is being built into “things” so the “things” can communicate through the Internet. This includes, for example, a Smart TV that can plug into broadcast channels from anywhere on the globe; or security cameras that can transmit live video anywhere; to smart washing machines and high-tech Internet-connected refrigerators (Your leftover hamburger is about to become too old, better have it for dinner tonight); to “helpers” who live among us and respond to voice commands using voice recognition and artificial intelligence to manage tasks. Tools such as Amazon’s Alexa, Google’s Assistant and Apple’s Siri are “helpers.” These devices are always on and always listening because they don’t know when you will want them, but if someone tries to bug them (they will of course have to get in a long line of hackers trying to do so), they can make odd things happen.

The Internet of Things is not alone in making privacy impossible, but it is a strong indication that people actually don’t either care about privacy or don’t believe they have any to begin with.

Where the Problem Starts

Spying on people has been going on for thousands of years. In the Bible we read that Joseph accuses his brothers of being spies (Genesis 42:9); Moses is told, “Send out for yourself men so that they may spy out the land of Canaan…” (Numbers 13:2 and Joshua 2:1-3); “David sent out spies, and he knew that Saul was definitely coming.” (1 Samuel 26:4); and in the New Testament in Galatians 2:4 we read, “But it was because of the false brethren secretly brought in, who had sneaked in to spy out our liberty which we have in Christ Jesus, in order to bring us into bondage.”

Before and during the American Revolution, spying on private mail was of critical importance to both sides. Benjamin Franklin was caught with secret British official correspondence, humiliated and instantly turned into a ferocious American patriot thanks to British stupidity in letting Franklin know what they knew. The British themselves intercepted colonial mail, opened and copied significant letters – many of them preserved today – and re-sealed envelopes so the recipient could not see that they had been opened. Americans did the same.

It is not surprising that part of Benjamin Franklin’s humiliation was that he was fired as the Crown’s Deputy Postmaster of North America. (Had the British realized Franklin’s prestige would help him secure French support for the American colonies, they would have thought twice about driving him out of Britain. Britain then could then have won the war since only Franklin had the skill and position to get Louis XVI and his foreign minister to recognize the new country, finance its war and provide troops and the decisive naval support that trapped Cornwallis’ army at Yorktown.)

Today spying is easier: it is done by exploiting weaknesses in computers, tablets, smartphones, and other devices.

Types of Spying and Why They Matter

There are different kinds of spying. For example, there is spying to uncover threats to national security; there is spying to carry out law enforcement-related investigations; there is plenty of political spying, often focusing on recording meetings and intercepting e-mails and texts; there is competition spying by business and industry, often through cutouts or third parties to create plausible deniability; there is malicious spying, sometimes for political reasons, sometimes to stir up trouble; and there is “monetization” spying which is done to relay customer behavior information to clients. Big companies including Google, Amazon, Yahoo and others use information gleaned from correspondence or from shopping preferences to promote their businesses or they sell the information to other parties.

While it may seem that information from monetization activity is just a sophisticated form of advertising, it is far more. It can reveal secret political preferences or tendencies that can be exploited; it can pick up transactions that could prove embarrassing, making information of this sort of interest to criminal organizations; it can provide a window of sensitive information to foreign intelligence organizations, perhaps making it possible to bribe or influence people because of “insider” information.

Courts have backed monetization spying on the grounds that if you give a “free” service you didn’t promise anybody anything by way of privacy. But the judiciary did not look deeply enough to estimate what misuse of such information might mean in a free society. Generally speaking, when it comes to privacy matters, U.S. courts have not been very friendly to individual freedom. Thus while there is a lot of moaning about Russian and other foreign spying, domestic spying is given a permissive pat on the shoulder.

The U.S. government runs a vast spying operation primarily targeting electronic communications. At Camp Williams near Bluffdale, Utah, the National Security Agency (NSA) has built a vast data storage center capable of storing Exabytes of data (full extent not known). An Exabyte is a unit of information equal to one quintillion (1018) bytes, or one billion gigabytes. The Center initially cost $1.5 billion to construct and another $2 billion or more for equipment. It takes 65 megawatts of power at a cost of $40 million a year to keep it running. Part of the reason for the huge data storage capability was to hold metadata from U.S. phone calls, which tells you all you need to know, actually. When you build something this mammoth then you need to fill it; and while there is probably useful information there about terrorists or hostile foreign countries, massive data storage like this was never needed in the past.

Failing to Protect Privacy or Data

Yet while the government seems to have taken on the role of superspy, it has failed to protect sensitive information it gathers. We know that important defense information has been compromised. The design of the F-22 and F-35 stealth fighter planes was stolen by China without complaint from the United States. China electronically got its hands on more than 50 terabytes of design information that cost taxpayers tens of billions of dollars to finance. One would think, given the exotic capabilities of NSA and the CIA that this would not have happened, or it would have been quickly found out and stopped. But it seems the Chinese had free access for weeks and months and sucked out 50 terabytes of blueprints and data unmolested. How could this be? It raises a serious question about the focus of the NSA, CIA and, for that matter, the FBI. Why wouldn’t they focus on national security instead of sucking up billions of phone records of Americans?

In a way, even worse happened at the Office of Personnel Management (OPM) where some 21.5 million records were stolen, probably by the Chinese or the Russians. These records were government background checks – information needed for employees of the government to get security clearances. The check is based on a form called the SF-86. Here all your personal information – your address, your Social Security and tax information, your children’s names and personal information, your photo and your fingerprints, the names of your colleagues and friends – are collected “voluntarily.” Such information in the hands of a hostile power is dynamite because it immediately grants means to access information or create false flags that can be used to plant computer bugs or manipulate employees. OPM did not discover the breach until April 2015, long after it began.

You can be reasonably sure that information you give to the government – tax records, Social Security number and information, Medicare, Medicaid, Veterans, law enforcement and military service records – is at risk. None of it is stored in a secure way, nor is the data encrypted. Routinely, it is handed around to others in and out of the government. Your passport application, for example, is handed over to outside contractors for “processing.” Forget about security or any hope of privacy.

We are, therefore, living in a time where privacy protection has become a thing of the past, despite what the Constitution might say or imply.

The Fourth Amendment

The Fourth Amendment to the Constitution says, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” If you couple the 4th Amendment to the 1st Amendment (Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances) you can make the argument that the only way one could carry out electronic spying would be to get a warrant and be able to demonstrate that you are not interfering in a person’s freedom of speech.

Courts have chipped away at situations in which a warrant is required, and the Foreign Intelligence Surveillance Court has approved thousands of warrants to track “foreign spies.”

Then there is the matter of “outing” Americans who are intercepted as a result of the surveillance of a foreign target. Under U.S. law, if an American happens to be picked up in an intercept of a foreign target, the name of the American is supposed to be redacted and not distributed within the government, for example to the CIA, law enforcement, and especially not to political leaders. But it seems that the Obama administration ordered the outing – often called “unmasking” – of high profile Americans, especially political opponents, and the disclosures were shared with officials in the White House, Justice Department, CIA and elsewhere, perhaps even beyond government personnel. Today there is a huge controversy over contacts between President Donald Trump’s 2016 campaign team and Russian diplomats. While in and of itself contacts of this kind are not illegal, it is clear the “outing” process is being used to try to undermine the current administration’s credibility. At the same time, a message is being sent to the general public that no one is immune from electronic spying.

We can draw three conclusions:

• The Internet of Things and the lack of protection of modern electronics and electronic systems creates huge opportunities for spying, whether the spying is foreign or domestic, legal or illegal, governmental or commercial or political;

• The government that should be protecting privacy is still hell-bent on spying on anything that moves (or not). It is spending billions on a spying empire epitomized by its Utah Data Center; and

• At the same time the government has proven unable to protect the strategic and personal information in its care, costing taxpayers billions and harming people irrevocably.

What Should be Done?

The first step is to improve security in electronic devices that are sold to the public or used by industry and government.

Congress needs to encourage policy makers and U.S. agencies to set standards of security acceptability before gadgets and computers of all kinds are unleashed in the U.S. market. And consideration needs to be given to strong oversight over foreign origin equipment and software, such as from China, that likely comes pre-compromised. Without secure equipment that can protect users against spying, any restoration of privacy is a hopeless undertaking.

The second step is to tamp down excessive U.S. government spying. The quickest way to do this is to establish priority targets and slash budgets. Naturally the key agencies will all complain this will undermine their counter-terrorism and national security responsibilities. But, as we might say, the excess is so excessive these days that this argument really isn’t sustainable. Lawmakers will have to show courage for this step to happen.

Third, the government needs to exercise real duty of care over the information it is supposed to safeguard. The quickest and best way involves: 1) compartmentalization on a “need to know” basis of information in government hands, so it does not get passed around willy-nilly and thereby compromised; and 2) encrypting all data using top of the line encryption and not the so-called Advanced Encryption Standard (AES) based on a Dutch cipher recast by NSA. AES is easily compromised and the government knows it – which may be why officials use it and why they want us to use it.

To recover our freedom and secure democracy we have to find ways to make all Americans more “secure in their persons, houses, papers, and effects, against unreasonable searches and seizures” which means to limit electronic spying. The above steps may help us get there.

Stephen D. Bryen, Ph. D., is a former Director of the Defense Technology Security Agency and is President of SDB Partners.