#HackerHalted: Forget Backdoors, the Free Market Should Break into Phones for FBI

Privacy Vs Security Panelists:

  • Steve Bongardt, Former FBI
  • Amar Singh, Experienced CISO
  • Kurt Opsahl, Electronic Frontier Foundation
  • Jack Daniel, Technology Activist

In a keynote panel on privacy vs security at Hacker Halted in Atlanta on September 15, panelists debate Apple vs FBI, the Government’s treatment of privacy, and employees’ right to privacy.

What are your initial thoughts on the privacy vs security debate?

Steve Bongardt: By asking this question, we’re creating a wall – the same type of wall we dealt with prior to 9/11. Trying to prevent an investigator from tracking down an IP could be a small mistake leading to a big consequence. Investigators are trying to do the right thing, but the policies they have to deal with are immense, so it’s harder than it was twenty years ago. The power of the enemy isn’t a new principle that we’re dealing with.

Amar Singh: What privacy? Is it possible for us to achieve a sense of privacy in today’s world?
Privacy and security are 51 shades of grey. Any monitoring of employees is a very difficult discussion and leads down a dark path. It’s not an easy journey to maintain privacy and security.

Kurt Opsahl: Crypto-war part two is here, and a lot of the discussions we had in the 90s are cropping up again. We need to be careful to keep a society that has freedom and civil liberties and make a future we want to live in.

Jack Daniel: Privacy vs security isn’t the right question; the tools are entwined. It’s a matter of balance, and what we accept as the current balance has changed a lot. The old physical laws don’t translate well. Trust is complex.

Do citizens trust the Government with their privacy and security?

AS: In Europe, vendors use ‘not operating in America’ as a USP, tapping into a fear in the EU that the government is watching everything and wants to invade your privacy. Vendors are using fear of the US government as a sales tool.

SB: The Second Amendment to the US Constitution was made to protect you, the citizen, from the government. People say they had no idea about national security when they wrote the constitution, but I don’t agree. Our interpretation has just changed. Ultimately, you don’t want the government involved in anything it doesn’t have to be involved in – the government doesn’t always know best.

AS: I hope that the world is moving towards selective security, where you can elect what you want to share.

KO: Transparency around surveillance is important, and I’d like to see more transparency reports coming from the private sector. It’s important to balance the legitimate aims of the state with protecting the human rights principles we all want to have. That way, when you overcome someone’s personal boundaries, you’re only doing so to the minimum required.

JD: The key is to have transparent oversight and consider the threat model - how sensitive is the data you’re trying to protect? Forget the government though - we need to pay more attention to Google, Facebook, etc – they know more about us than an FBI agent with a warrant does!

KO: The government will actually go to those companies (Facebook, Google, Apple, etc.) to get that data about you. We are seeing that increasingly there are all sorts of requests for that information. 

Let’s talk about the legal tussle between Apple and the FBI over access to the devices of suspected criminals…

KO: We need to be mindful that there was a lot more going on than just getting into one phone. The FBI was trying to get a ruling to say a company had to break its own security system and create brand new software – it wasn’t just about a phone.  

JD: The FBI mishandled it and Apple was just plain stupid. They drew a line in the sand on a case they probably shouldn’t have. They dragged their feet and wanted to be very public with this, and it could have triggered laws that said you had to put backdoors in. Apple got it so wrong that you’d have expected that it was Microsoft. Apple misplayed it, and as a result, it accelerated the demand for backdoors. They got the PR wrong.

SB: No one can argue that we shouldn’t be able to get into someone’s phone after they’ve been convicted of a terrorist attack. But, we’re not the only ones trying to get in the backdoor, so we can’t go down that route. Instead, we need to leave it to the free market to come up with a business, a technology, a startup that the government can go to in order to break into a phone when there’s valid reason to do so. The vendor would charge the FBI or NSA for that, and as taxpayers, we have to accept that this is a cost that needs to be spent. I’m looking at the free market to come up with that company; the free market has the ability to solve this.

So, does an employee have privacy rights on an employer’s network?

JD: We expect more privacy than we actually have as employees of the US. I don’t have intellectual property on my devices, but not everyone thinks that through. They don’t separate their devices and their behaviors.

AS: The line between personal and corporate space is so blurred. We have a right to monitor what an employee does on the corporate network, but many – especially the younger generation – don’t get that. Look at the new law in Singapore: All government employees’ corporate networks are being disconnected from the internet, regardless of their security clearance level.

What advice can you offer to those navigating the privacy vs security conundrum?  

SB: Start with an overall risk evaluation from a privacy versus security perspective. What are the risks? What risks can be tolerated? Go back to the basics. We need to understand that whatever we do, we own that decision.

JD: Be able to explain why you did or didn’t do things. Analyze, be rational. We can learn a lot from aviation and how they respond to bad things. Move on from mistakes and move forward. If we don’t share and own our mistakes, we’ll be having the same conversation with the next generation. Be transparent and minimize blame.

KO: When assessing whether something is a success or failure, look at the system regardless of the result. No breach doesn’t mean good security and a breach doesn’t mean bad security – it’s sometimes about targeting.

AS: Privacy must be everybody’s issue. The government needs to empower its citizens and make it a personal issue.
