Saturday, February 01, 2014

On Mass Surveillance

The revelation this week that CSEC has the capability to monitor the movements of Canadians simply by gathering some metadata from the traffic that goes by on public networks raises a lot of interesting questions that are worth discussing.

In an e-mail conversation on the matter, the following question was raised:

And I see that in a debate in the House today Nicholson (Defence) says that the documents don't support that Canadians were targeted. But if WIFI generally is being monitored how can Canadians avoid not being targeted? 

It's a good and legitimate question.  One that I wish had a happier answer.  Unfortunately, the answer is "you can't".

This is where this whole business gets very knotty and complicated.  Ultimately, it all comes down to a matter of professional ethics throughout the IT community.

There are a plethora of technologies which have converged in the last decade or so which enable the kind of massive data gathering and sifting that the NSA, CSEC and other organizations are now engaging in.  

Capturing the data has always been possible.  Just as tools like Wireshark enable detailed analysis of the traffic on a network, given sufficient storage capacity it is easy to simply capture and record that data as it rolls by.  Back in University (some 20+ years ago now), I wrote a rudimentary packet sniffer - it was easy enough to do then, and the reality is that the only obstacle at the time to broader use was simply the availability and cost of high speed mass storage to record the raw data for future analysis.

Today, we add to the mix the availability of "Big Data" toolsets for analyzing and visualizing the content of truly enormous datasets, and it is no surprise that it is not only possible, but in fact fairly easy for organizations (not just CSEC, but just about any online business) to accumulate enormous amounts of data about individual users, and subsequently extract it.

The steady increase in available computing power, and its commensurate drop in cost, has also gone an enormous distance to facilitate what we are now learning that states around the world are doing.

None of the individual technologies involved are inherently good or evil.  They have perfectly legitimate applications that are in no way violating our individual rights to privacy.  However, just as the knife that I use in my kitchen is not a weapon per se, I can turn it into a weapon if I so choose.  

Same thing here.  A series of tools which are individually perfectly harmless have been taken by a group of people and turned to purposes that the vast majority of the population are both uncomfortable with and likely as not do not even adequately understand.  (In fairness, I'm guessing at a lot of this based on the bits of the veil that Edward Snowden has parted for us and an awful lot of extrapolation.)

The public perception of this wasn't helped by the words of CSEC's statement on the matter:

CSEC claims "no Canadian or foreign travellers' movements were 'tracked,'" although it does not explain why it put the word "tracked" in quotation marks.

Clearly, Canadians were being "tracked" by this exercise - how else would one interpret the accumulation of data from a Canadian airport, which predominantly serves Canadian travellers?  CSEC is, of course, playing semantics here.  They weren't "targeting" any specific individuals, they were just capturing everything.  Therefore, no Canadians were being "tracked" per se.

This is where an enormous ethics problem emerges, and we need to invest some time and effort in discussing just what that means.

IT professionals have lived for most of the last sixty years in a bit of a bubble when it comes to ethics.  For the most part, the biggest ethical hurdle that most have had to deal with is whether a particular act violates the terms of their employment, or perhaps represents a form of fraud.  Quite frankly, until relatively recently, the content of the data that IT professionals worked with was seen as something of an island.  As long as one did not actively work to disclose that data beyond the workplace, there was very little in terms of consequences to worry about.  The public Internet, e-commerce and mobile computing have changed that picture enormously.

Now, IT professionals find themselves in the position of not only being privy to a remarkable amount of information about people, but the ability to sift that information to learn more about individuals has become so pervasive that suddenly the very act of using that information (or even gathering it) has the potential to have direct impact on individuals.

The game is changing, and the whole discussion around CSEC and its activities represents a major pivot point in the discussion of just what professional ethics means in the world of IT.  Is CSEC's activity ethical professional conduct?  Or does it step far enough into the realm of violating the rights of others that the people who are engaged in it should be held legally and professionally accountable for their actions?

Just as the ability to "tap" telephones caused an enormous stir as telephones became commonplace, and law enforcement soon found itself in the position of having to acquire a court order to enable them to legally tap someone's phone as part of an investigation, the ability to gather intelligence from internet and other mobile connectivity means faces similar challenges.

The argument will rapidly become one of "National Security" versus "Individual Privacy".  I can respect that in today's world, the issues of National Security, especially as it pertains to tracking down threats which are organizing using Internet technologies or involve attacks on a nation's assets via networks, are to some extent necessarily going to demand the gathering of enormous amounts of data that will no doubt contain information about people completely unrelated to the specific threat being pursued.

That doesn't make me any more comfortable with the idea of CSEC, the NSA or any other spy organization having back door access into network infrastructure, or the ability of those people to gather and retain the data acquired through such techniques.

We need to have a meaningful debate in this country (and others) as to where the boundaries lie between the need of a state's security apparatus to identify and neutralize threats and the right of individual citizens not to be tracked at every moment of their lives.  With wiretapping, the law enforcement people generally have to show "just cause" in order to get a court order - in other words they need to have sufficient evidence to demonstrate that the target of the wiretap is likely involved in criminal activity.   The nature of what we are facing here is a bit different, and perhaps the more practical thing is to place limits on the ability of the agencies in question to retain and use the data gathered.  
