For years the professional security community has been highlighting how cybercrime has evolved to leverage the advantages of automation. It was only a matter of time before those responsible for defending against this felt they had to do the same. Clandestine surveillance has always been a necessary evil in governed society. What’s new here is the ability to leverage the advantages of automation.
According to the documents revealed by whistleblower Edward Snowden, thanks to the Prism surveillance scheme, the US National Security Agency (NSA) has large-scale access to individual chat logs, stored data, voice traffic, file transfers and social networking data of individuals. Whether these records were gleaned legally or illegally is fuelling controversy. Whether the US has allowed other governments, and particularly GCHQ, access which would be illegal if obtained directly, appears to be fuelling the controversy. At this point, the legalities almost seem secondary.
What is shaking public confidence in governments, or even the companies the public suspect could be dragged into this kind of activity, is the fact that the boundaries governing such automated activity are not at all clear. What can the US government see? What about data protection laws? Are we all being watched? Does it make a difference which country you live in?
Foreign Secretary William Hague’s insistence that law-abiding citizens have nothing to worry about may present little comfort as he points out that there is no legal way for individual citizens to opt out of such surveillance. I am not sure there ever has been when it comes to public surveillance. But people are less likely to be concerned when the surveillance only affects the few. Now that the technology is there to affect us all and track our every online move, it may be time to clarify some of those boundaries.
This problem is not new. In 1775 Benjamin Franklin said, "they who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." It’s a sentiment our politicians tend to ignore.
We need an understanding of public expectation. Snowden alleges that the NSA is collecting as much information as possible by default because this is the most efficient way to manage the task. Are we as a society willing to tolerate this in the name of public safety? The desire to protect individual privacy which undermined the UK’s failed ID card scheme would suggest perhaps not. We are, however, talking about international cyberspace; the UK perspective is not the only one to consider. Neither is that of the US.
Further, the use or even abuse of surveillance is not limited to governments. Companies too are quite likely taking more advantage of their automated ability to track our every online move than they would like us to know. Data protection laws do guide the use of the information, but the amount of information that can be amassed and how it can be manipulated is poorly understood by the public, who as a result have not yet had the chance to make their expectations known. Boundaries here too are unclear.
Whether we agree with Snowden’s actions or not, they offer a reminder that, despite becoming an integral part of our developed world, cyberspace is still a new frontier. As we set out to conquer it, we must make the effort to articulate what should be done, not just embrace what can be done. Until the rules are known, everyone will continue to make them up as they go along.
John Colley, managing director EMEA