Apr 22 2008
It’s been a little while since Captain Privacy donned his uniform, and now it’s got a star instead of two gold bars; he’s been promoted to General Privacy by his friends in the Security Catalysts Community. Seriously though, I’d stopped writing about privacy issues as much since I was getting a little bit of a reputation for being a privacy nut. Maybe it was deserved, maybe not, I’ll let you be the judge of that.
One thing I’ve said many times in my writing and podcasting is that I don’t have a problem with the police, the FBI or even the White House getting access to my personal information. I believe that law enforcement has a vital, legitimate need to access personal information and to sometimes snoop on our conversations. My conversations usually happen pretty publicly, so they won’t learn much; the bad guys aren’t nearly as accommodating as I am, so the cops need to resort to wiretaps. And I’m okay with that; there’s just one thing I want to see as part of the process, and that’s judicial oversight. And apparently I’m not the only one, since the New Jersey Supreme Court unanimously ruled that NJ cops need a subpoena and need to notify the target when they go after private electronic information.
Why am I such a strident defender of oversight? I’m a paid paranoid; I spend my days trying to think of how the bad guys are going to abuse the systems to get a little bit of profit. I hear about, read about, talk about people who abuse the system regularly for profit, revenge, curiosity or plain stupidity. Sometimes it’s really as easy as greed, but sometimes there are more complex emotions in play. The end result is that systems get abused and we end up paying as a society in the form of lost money, lost credit cards or lost personal information. Oversight is one way to prevent these sorts of abuses from happening; a person who knows they’re being watched is less likely to commit the crime in the first place.
If you think cops are any better than the greater population, think again. They’re human, they make mistakes, they succumb to temptation. I’ve read several times that the personality profiles of cops and robbers are only separated by a few degrees, and it’s a law enforcement officer’s respect for the law that separates him from the criminals. If law enforcement officers didn’t occasionally step over the line, there’d be no need for Internal Affairs departments, would there?
We need to have judicial oversight of the police, the FBI and the CIA to make sure that members of our law enforcement agencies don’t abuse their powers. Whether by design or by mistake, people will succumb to the temptation to abuse the power of their position. I don’t believe the judiciary is there to punish law enforcement agents when they do step over the line; it’s there to draw boundaries around what is and is not acceptable use of the power to look at personal information. The judiciary is the branch of government that exists to create the lines so that we can live in a free and open society. It’s one of the paradoxes of a free and open society that you need rules and boundaries to be free and open.
We’ve drifted into a societal attitude over the last seven years where it’s more important to catch the ‘terrorists’, whoever they are, than to respect the rights of the average citizen. Never mind that the idea of ‘terrorist’ is so ill-defined that almost anyone who harbors any ill will towards a group could be branded as such. It’s the fact that the goal, perfect safety for everyone, has become more important than the means, which right now is often spying on American citizens. I think it’s time for the pendulum to start swinging the other way; we need to realize that the trade-off for safety has been some of our fundamental freedoms. We can’t let law enforcement of any stripe just spy on anyone and everyone in the name of catching ‘terrorists’ or ‘criminals’.
New Jersey is one of the first states in quite some time to realize that the laws we have currently don’t have direct correlations when you try to apply them to cyberspace. A law that talks about reading someone’s snail mail doesn’t exactly translate well when you’re talking about email. And since it’s open to interpretation, it’s often been interpreted to be in favor of law enforcement. After all, it’s not really your email when it’s sitting on your ISP’s servers, is it? And it’s for law enforcement to help them catch crooks, so it’s okay, isn’t it? It depends on so many circumstances and that’s why we need the judiciary to draw boundaries for law enforcement and for citizens.
I guess my inner privacy geek has been wanting to get out a little more than I realized. All I really want is a little balance, but if you’ve got law enforcement or the Executive Branch calling all the shots without judicial oversight, it’s one-sided; there is no balance. In the computer security arena, the balance is between security and usability or business need in most cases. It’s great to be secure, but if you can’t use your systems or make a profit, it’s of absolutely no use. In a society it’s a balance between security and being able to live an enjoyable, prosperous (profitable?) life; if you can’t live that life because the cost of security is too high, it’s not worth the trade-off. You need to be secure, but you also need to be able to live your own life.