NSA Leak: Lessons for CISOs, CPOs
Consider Reputation Risk When Sharing Sensitive Information
Former White House privacy counselor Peter Swire says the time is right to re-evaluate the checks and balances surrounding government programs that collect data on American citizens.
Swire's comments come as the debate continues to intensify over U.S. federal government programs that collect telephone and Internet metadata to identify suspected terrorists [see: NSA Outlines Steps to Reduce Leaks].
"Do we have anything like the right checks and balances in place right now?" Swire asks in an interview with Information Security Media Group [transcript below]. "We've been whittling those [checks and balances] away over the last 12 or 14 years and it's time ... when we can look at it relatively rationally and put some back in place."
Swire argues there should be less secrecy around various government measures, including legal theories surrounding secret court decisions. "When it comes to secret law, that shouldn't be the way that it works in the United States," he says.
With the government collecting large amounts of information, Swire's concerned that that information could be potentially abused. "Cutting back on that, having regular federal judges with less secrecy play a bigger role, I think is part of the answer," he says.
Swire says increased reporting to the public can aid in having more transparency around programs such as Prism, which is aimed at collecting information about non-Americans.
"Have more reporting, especially of summary statistics, so we have a sense of how much the investigations are about some particular person or small group of people, [and] how much is about, 'Give us every e-mail that you have in this huge database,'" Swire says.
In the interview, Swire:
- Discusses whether the exposed government intelligence gathering programs weaken privacy protections;
- Provides an historical perspective on government misuse of programs to collect information on citizens; and
- Counsels chief information security officers and chief privacy officers on how they should react to the disclosures of the government intelligence programs.
In August, Swire will leave his professorship at the Ohio State University Law School to join the faculty of the College of Business at the Georgia Institute of Technology. He also is a senior fellow at the Future of Privacy Forum and the Center for American Progress as well as a policy fellow at the Center for Democracy and Technology. Swire served as chief counselor for privacy in the White House Office of Management and Budget during the Clinton administration and as a special assistant to President Obama for economic policy.
Are Privacy Protections Weakened?
ERIC CHABROW: Edward Snowden unveiled two programs, one in which the NSA collects metadata on telephone conversations, information such as which phone numbers are called and how long the conversation lasted. The other program, code-named Prism, is a surveillance program that facilitates intelligence information from electronic communication service providers for national security purposes. Does either one of these programs weaken privacy protections for Americans?
PETER SWIRE: The telephone information database story, to me, is big news. Part of it is that ordinary Americans don't imagine their own telephone call information going to the government routinely, and the information here is: who you called, who called you, how long you're on the call, but also your location for all your cell phone calls. That's a tracking database for the location of all those phone calls you've made. In human history, the government has never really had a database of your location that way, and this database apparently does that.
CHABROW: Is this something that we should be concerned about, or, because there's so much data out there, is the likelihood of any individual having that information looked at probably very minute?
SWIRE: The problem with great big databases is, once they exist, people find ways to use them. During the J. Edgar Hoover years, there's a history of growing surveillance in a lot of ways - wire taps of Martin Luther King; surveillance of Vietnam War protestors; and at the Democratic National Convention of 1972, a third of the delegates in the political convention were under FBI surveillance. As part of my history of FISA work - Foreign Intelligence Surveillance Act work - having studied the uses and abuses of the data during the anti-communist era up through the 1970s that led up to Watergate, I think that having those kinds of databases is a real problem.
CHABROW: Is FISA, the law you made reference to, enough to protect Americans against that?
SWIRE: FISA was part of the answer to Watergate. It was passed in 1978 after President Nixon resigned in 1974, and it was an attempt to have a legal structure for our national security wire taps and national security investigations. To that extent, it was better than the old ways, which was through the FBI, which did what it wanted to do. It was also better and intended to correct some of the abuses of the CIA, NSA and the Army. I think it's done a good job of creating a legal structure.
But with the War on Terrorism after 9/11, the pressure to do things and to build databases has been so great, and the countervailing pressures to say where the limits are haven't been as great, especially in a world where so much of it is done in secret. I think it's really time for a re-evaluation of whether the FISA rules are the ones we should have going forward.
CHABROW: What are some of your ideas on how we should re-evaluate this?
SWIRE: Part of it is that we should have less secrecy about the legal theories. A Freedom of Information Act request suggests that we've actually had secret court decisions that say something is unconstitutional, but we don't know what the court said was unconstitutional and we don't even know its legal theories. When it comes to secret law, that shouldn't be the way that it works in the United States, [unless] it's some really extraordinarily circumstances. [There should be] more publicity around the legal theories. I also think collection about Americans doing domestic calls is highly questionable under the Fourth Amendment, under the IDF judicial supervision, and so I'm worried that the collection is sitting there waiting to be used or abused potentially in the future. Cutting back on that, having regular federal judges with less secrecy play a bigger role, I think is part of the answer.
Concerns Over Prism
CHABROW: Do you have any concerns about the Prism program?
SWIRE: The facts on Prism have been harder to figure out. The facts on the telephone collection, basically there's an agreement on what happened now. On Prism, that might have been the name for the software program used inside the government to handle all the data coming in. The initial stories got pulled back. The initial Washington Post story in particular got corrected over time. A lot of the big companies have issued denials, and there's some discussion now that the companies might be able to give us more transparency about what they're turning over or not turning over to the government. That's another area that's ripe for change; to have more reporting in public, especially of summary statistics, so we have a sense of how much the investigations are about some particular person or small group of people, and how much instead the investigations are really about, "Give us every e-mail that you have in this huge database."
In a world of clouds, [that] an investigation can get the whole database is really going too broad. The whole idea in the Fourth Amendment is we're supposed to avoid general warrants. We're supposed to have particularity for the searches, and I think that area has to be revived more than it has been recently.
Attitudes Toward Privacy
CHABROW: We've been hearing a lot over the past few weeks that people aren't overly concerned about their privacy. They're already disclosing a lot about themselves on social media and, as we've heard several congressmen say, they had nothing to hide. Is this creating a climate of ambivalence about attitudes towards privacy, in which government programs secretly collect information about individuals?
SWIRE: We always have mixed emotions on this. Some of the polls say, "Do you think ordinary Americans' telephone records should be under surveillance by the government," and three quarters of the people in a CBS poll said "no." But then you say, "Do you think that people should be willing to give up a little privacy for security," and the majority says "yes." How you frame the question really has a big effect on the answers here. The whole constitution has always been about trying to have liberty [while] trying to face security challenges. The founders were revolutionaries, and they were trying to have the freedoms that they wanted against George III, but they also wanted to have an ability to have the United States survive in a dangerous world. I don't think this is anything new. I think each of us has those splits, and part of it is not to stop having national security work. But do we have anything like the right checks and balances in place right now? We've been whittling those away a lot over the last 12 or 14 years, and it's time to say it's a moment of relative calm when we can look at it relatively rationally and put some checks and balances back in place.
Advice for CISOs, CPOs
CHABROW: If you're counseling a chief privacy officer or chief information security officer at a bank, healthcare provider or government for that matter, is there any advice you could give them regarding these programs and the collection of this kind of data, or is there really nothing they can do about it?
SWIRE: When the government says it's going to stay secret, I wouldn't assume they're right. There's a reputation risk for your company if you turn over the data and the next Edward Snowden might be talking about your company. Part of the job for the CISO or the CPO is to remind people that things don't always work the way you want them to. We want to be good patriots. We want to be good against stopping terrorists. But realize that the reputation of the company is on the line if you don't follow the rules and if you assume things are going to stay secret which may not stay secret.