The CyberMaryland Conference on Privacy Versus Protection
Baltimore City welcomed cybersecurity professionals and hobbyists from around the world October 8 – 9 at the third annual CyberMaryland Conference held at the Baltimore Convention Center. CyberMaryland was designed to showcase Maryland’s cybersecurity strengths – and it did just that. Representatives from federal agencies spoke about the benefits of having the cybersecurity “epi-center” in Maryland, close to government intelligence and defense agencies, cybersecurity companies, and 16 higher education institutions designated as National Centers of Academic Excellence in Information Assurance. State and local government representatives spoke about cybersecurity advances that are taking place within their own jurisdictions. Maryland universities showcased their cyber programs not only in their booths and as panelist speakers, but also with teams of students competing in a live “hack-a-thon” (think capture the flag computer style). Several panel discussions brought together experts to discuss issues including emerging cyber threats, the future of employment in cybersecurity, international cooperation in addressing cyber threats, and protecting electronic health records.
In light of the Edward Snowden incident, and everything that came to the public’s notice as a result, the general session on “Privacy vs. Protection” was particularly interesting.
In addition to CHHS Founder and Director Michael Greenberger, panelists of the Privacy vs. Protection panel included: Lydia Kay Griggsby, Chief Counsel for Privacy Information Policy, Senate Judiciary Committee; Kathleen Rice, Counsel for the Senate Select Committee on Intelligence; Greg Nojeim, Senior Counsel, Center for Democracy and Technology; and moderator Eric Chapman, Senior Director, Corporate & Government Relations, UMCP & Deputy Director, Maryland Cybersecurity Center.
As Ms. Grigsby poignantly noted at the very beginning of the discussion, the issue is where the line between privacy and protection should (or must) be drawn.
Admittedly, today’s national security threats are not the threats our nation faced in the past. Instead of only facing the threat of nuclear bombs and conventional weapons, we must also contend with anonymous individuals who can present threats from any location with internet access. The satellites and spy plans that worked well for the large, fixed visible targets of the Cold War are ineffective against terrorists who are able to strike without warning. Who may be a terrorist and when an attack may occur is not readily apparent. An isolated fact—such as taking flying lessons—may seem innocuous, but when combined with other facts, such as having a visa from a country that supports terrorism or calling a known terrorist, a terrorist-like pattern may materialize.
Spurred on by the 9/11 Commission’s chastisement for failing to “connect the dots,” data mining is now mandated by law—an essential tool in fighting terrorism. Data mining applies algorithms to government and non-government data sources such as criminal databases, credit reports, travel itineraries, and grocery cards. Data mining searches through “electronic haystacks” to connect the dots in order to find more information about an identified person or to discover a “terrorist-like” pattern which is then used to find undetected terrorists.
Data mining, however, can make citizens feel vulnerable and powerless – it strips effective control over our own information, it uses information for purposes other than we originally intended, and it happens without public involvement. As a result of data mining, individuals have been wrongfully interrogated, searched, and arrested because of inaccurate data. Individuals, knowing that the government can view their every move and transaction, self-censor for fear that they may be watched. As Mr. Nojeim stated: “If you can’t trust, then you don’t do.”
Meanwhile, a terrorist can slip into our country undetected, his profile not matching patterns of other terrorists like some 9/11 conspirators or the Tsarnaev brothers. Mr. Greenberger referenced this when he referred to the recent Senate Committee hearing where Senator Patrick Leahy questioned NSA Deputy Director John Inglis on how many plots were actually prevented as a result of the bulk surveillance program known as section 215. While the NSA had earlier reported these efforts thwarted or prevented 54 terrorist plots, it was clarified during the hearing that 215 made a contribution in only 12 instances of threats against the US, and only in one of those 12 was the plot specifically prevented due to data collection under 215. The Boston marathon bombing? That’s an example of one that slipped through the cracks. Mr. Greenberger’s concluding remarks: the justification for the massive data collection our country has been conducting is just not there.
So what should be done? How do we protect our privacy, while also protecting our security?
Some information must be kept secret – otherwise we would tip off those who seek to evade detection. A good start was suggested by Mr. Greenberger: switching from using the indicators to decide when to fully read a document to instead using them to decide whether to collect the document at all. Another step in the right direction was suggested by Mr. Nojeim – implementing the Fair Information Practices that were first created by the United States Department of Health, Education and Welfare (now the Department of Health and Human Services) in 1973. The main principles of the Fair Information Practices include: avoiding secret personal data systems, giving individuals power over how their information is used and authority to correct or amend their information, and placing requirements on organizations that deal with identifiable personal records.
The biggest concern is not data mining’s use, but rather the cloud of secrecy that engulfs all facts of data mining: the data involved, the algorithms used, and the results relied upon. When Ms. Rice seemed to say that US citizens had given permission for the bulk collection of our information, and that we knew it was happening, Mr. Nojeim asked by a show of hands who in the room had given their permission. Very few hands went up. And while the law that NSA was relying on was written in black and white on the books, as Mr. Nojeim pointed out, most were not aware of the “secret” interpretations NSA was making of the vague terms in the law.
Perhaps the best summary, similar to the concerns raised by the CyberMaryland panel on Privacy vs. Protection, can be found in Senator Leahy’s comments to the Senate Judiciary Committee in late July: “[I]f we did everything . . . if we strip-searched everybody that came into every building in America; we’re not going to do that. We have more security if we close our borders completely to everyb
ody; we’re not going to do that. . . . [I]f we put a wiretap on everybody’s cell phone in America, if we search everybody’s home, but there are certain things — certain areas of our own privacy that we Americans expect, and at some point, you have to know where the balance is.”