As faithful readers of our site are hopefully aware, Just Security will be celebrating its second anniversary on Monday with an event dedicated to exploring one of the most important security issues of the day: strong digital encryption and government access to technology company user data. Many in the intelligence and law enforcement communities worry about the ability of criminals and foreign spies using digital communications channels to thwart lawful surveillance through the use of strong encryption. FBI Director James Comey has repeatedly described this as the “going dark” problem. On the other end of the spectrum are civil libertarians and technologists, including those representing some of the world’s biggest technology firms. They claim that risks from any attempt to weaken strong encryption will far outweigh any benefits to law enforcement or intelligence. Maybe doing so will make it marginally easier to catch a few criminals, but at the expense of putting everyone at greater risk of having their digital security compromised. A common critique some members of the tech community have leveled at government officials pushing for ways to access encrypted communications, is that policymakers are failing to heed, or do enough to seek out, their advice in discussions around this and other information security matters.
Earlier this summer, I spoke with Chris Soghoian, the Principal Technologist and a Senior Policy Analyst with the ACLU’s Speech, Privacy, and Technology Project, about a wide range of surveillance and technology-related issues (see here and here for parts of our interview). One of the big themes of our discussion, and indeed, the issue that prompted our conversation in the first place, was the need for lawyers, technologists, and other experts to work collaboratively when tackling questions of how the law is changing in light of advances in technology. So, ahead of our event next week, I thought it would be worth sharing Chris’s thoughts on the need for more collaboration between all parties involved in shaping our digital security.
(The discussion has been lightly edited for clarity.)
John Reed: The Privacy and Civil Liberties Oversight Board held a hearing in May on surveillance and technology and, as you pointed out, there was a total lack of technologists on the panel. Why is that a problem?
Chris Soghoian: There’s no way to have a reasonable discussion about the appropriateness or legality of surveillance if you don’t have an understanding of how the surveillance is taking place. I watched one of the PCLOB panels on technology, the one with Orin Kerr and a bunch of professors — and I was really struck by how little discussion of technology there was on the technology panel. Basically, you know, the panelists ceded that there were technologies that were creating difficulties and then they left it at that, but they didn’t say what the technologies were or how they were changing the landscape.
By the same token, I think there is this tendency in the national security law area to say a professor who has published law review articles about the intersection of technology and law is basically the same as a technical expert. I work with lawyers who are tech savvy. It is a pleasure to work with lawyers who understand technology. But it is not the same thing as having an actual technical expert on a committee or panel. And when you don’t have technical experts present, then the conversation is limited to the most basic topics. And for something like Executive Order 12333 which really covers the vast majority of what NSA does, it’s just embarrassing to have oversight of this Executive Order and these surveillance programs take place without anyone talking about technology.
JR: How does this hurt intelligence oversight, even when you have fairly technically savvy lawyers? What’s the gap?
CS: Because subject-matter experts make the lawyers more efficient, more effective. It means that I can answer a question in five minutes that a lawyer would have to spend a whole week researching. And it also means that we can make arguments that are both more nuanced and more sophisticated, and more novel, that we simply wouldn’t be making otherwise. I’ve seen in my two-and-a-half years at the ACLU that the arguments we’ve been making in cases are ones that we simply would not have made before without someone there who really understood and could explain the technology.
And so the FTC is doing things right and hiring technologists, the White House is moving in that direction, yet in the intelligence oversight world, we’re stuck in the 1990s. The Foreign Intelligence Surveillance Act Court has a permanent staff of national security law experts, but they don’t have any technologists. And there were times that are now public where the FISA Court didn’t understand what NSA was doing. And hell, there were times the NSA didn’t understand what the NSA was doing. But the FISA Court lacks the technical expertise to really evaluate what the NSA is doing.
JR: What about on Capitol Hill? Right after the Snowden leaks we heard so much criticism that the lawmakers had no idea what they were actually authorizing and they didn’t have an understanding of the technology that they were overseeing.
CS: There was a hearing in April before the House Oversight Committee IT Subcommittee … about encryption. And it was probably one of the more enjoyable congressional hearings I have ever watched. For the simple reason that, of the four members of Congress who have computer science degrees, three are on this committee. It was the most hostile reception for the FBI I could have possibly imagined. And they weren’t just ripping the FBI apart because it was bad policy politically, but because it was bad policy technically. And you had a situation there where you actually had members who knew enough about technology to know that the thing that was put before them was a bad idea. And that was remarkable.
If you contrast that with the SOPA and PIPA battles from a few years ago, Congress put those bills forward thinking that it would be a non-issue and then was surprised to learn that the Internet thought they were a bad idea. That really reflected the sort of lack of technical awareness of the members who had put it forward.
It’s still the case that there are very few technical experts working in Congress, either as members themselves or staffers. There are a couple. I had some meetings recently with computer scientists working in Congress and when I do stumble across them, it is an extremely pleasant experience. I love talking to computer scientists working in Congress. But they are the exception rather than the norm.
JR: What are some examples of what happens when lawyers are the sole voices in these matters?
CS: I’ll give you an example from my world. Since 2011, I have been researching and trying to expose the use of surveillance technology called the Stingray by law enforcement [Click here to learn more about Stingrays.] Prior to basically this year, there had been very little judicial analysis on this technology. We had judges around the country who were routinely receiving applications, approving applications for these things and not really knowing what they were approving.
If you ask a police officer for what they are seeking permission, they say, “Well, we are seeking permission to track this person. We have a device that tells us where the person is.” And, for most lawyers, the question about the Stingray is, “Well, is this a Fourth Amendment search because it’s locating someone in a private place?” That’s the limit to most lawyers’ interest in this topic and the police, and the feds were able to analogize and say the Stingray is very similar to a pen register [like in Smith v. Maryland], and therefore, no Fourth Amendment probable cause warrant was required.
So it turns out, when you understand how the Stingray actually functions, then the conversation changes. The Stingray functions by impersonating a cell tower which means that it’s sending signals out to reach phones. When a Stingray is on — if a police officer has a Stingray in her car and is driving through a neighborhood, they are actually sending signals into people’s living rooms, into people’s bedrooms, into people’s bedside tables, into their offices, all these private places.
Many of the statements by law enforcement to the courts, and in some cases, to legislative oversight bodies in the last couple years, make it sound like the Stingray is merely capturing the signals that are being sent to the cell towers and capturing them as they’re going through the air. But that’s not in fact the case. The Stingray is actually sending signals deep into a private place. And so in addition to the Fourth Amendment issues that come up with sort of pager-like tracking in the Knotts case, you also have what I believe is an electronic trespass similar to spike mics that were used in the Silverman case in the 1960s. The fact that the Stingray sends signals into your home makes it a very different kind of search than the police following your car.
And that’s an argument that we are now making and it’s an argument that we wouldn’t have made if we didn’t understand technology. And it’s an argument that when I talk to judges and when I talk to defense counsel, their ears perk up and they say, “Oh! I never thought about it that way.” If you don’t understand how the thing works, and if you just understand what data it spits out, you may miss the most important parts of the conversation. …
The other example, which I think is important, starting in 2007 or so, the public learned that the FBI has the capability to deliver malware to people’s computers. But it wasn’t until October of last year that the public learned that one of the ways the FBI delivered this malware was by impersonating the news media. And that was because I had stumbled upon something in some FOIA documents in the process of doing research for our submission to the Federal Judicial Rules Committee for Rule 41. I looked at the application for the malware warrant and there’s no mention of the fact that the FBI was planning on impersonating the Associated Press. To me, that seems like an important detail. …
[T]hat’s the kind of detail that the government hasn’t thought it necessary to tell judges. And it was only because I started asking the question, “Well hang on, how are they getting the malware onto your computers?” that we started to get more details about that.