Feedback
Business

Privacy vs. security: 'False choice' poisons debate on NSA leaks

Speeding ticket camera near downtown Cleveland
Americans seem comfortable with law enforcement snapping pictures of license plates — at least those of cars involved in moving violations — as this ticketing camera near downtown Cleveland suggests. Germans feel radically different about such data collection. Amy Sancetta

A mystery gunman who allegedly fired 700 road-rage-inspired bullets at German drivers during the past five years was finally arrested in late June. Digital sleuthing was credited with ending the reign of driving terror. Germany’s E-ZPass-like system is off-limits to law enforcement, so police set up a temporary network that tracked license plates on the road and used the data to catch the suspect.

While the arrest has been celebrated, civil rights advocates have complained that thousands of innocent drivers were also caught up in the police dragnet, and have questioned its legality. The argument might sound absurd to American ears — would Germans really rather be shot at than have their license plates recorded? — but Germans are more sensitive to government overreach than Americans. A rabid debate about security and privacy has begun.

As the Edward Snowden affair enters its second month, Americans don't seem to have much appetite for the subtlety of such a debate. The Prism leak discussion has been framed repeatedly as a zero-sum game, pitting privacy on one side and security on the other.

"You can't have 100 percent security and also have 100 percent privacy," President Obama said on June 7, in his principal public statement in the issue, suggesting there is some dial which forces government officials to pick one over the other.

It's a false choice, say many security experts.

Liberty vs. control
"I've never liked the idea of security vs. privacy, because no one feels more secure in a surveillance state," said Bruce Schneier, security expert and author of Beyond Fear: Thinking Sensibly About Security in an Insecure World. "There's plenty of examples of security that doesn't infringe on privacy. They are all around. Door locks. Fences ... Firewalls. People are forgetting that quite a lot of security doesn't affect privacy. The real dichotomy is liberty vs. control."

Dan Solove, a privacy law expert at George Washington University Law School, said the privacy vs. security framing has interfered with what could be a healthy national debate about using high-tech tools to fight terror.

"You have pollsters and pundits and (National Intelligence Director James) Clapper saying, 'Do you want us to catch the terrorists or do you want privacy?' But that's a false choice. It's like asking, 'Do you want the police to exist or not?'" he said. "We already have the most invasive investigative techniques permissible with the right oversight. With probable cause you can search my home. ... People want limitations and transparency, so they can make a choice about how much surveillance (they) are willing to tolerate."

By creating an either/or tension between privacy and security, government officials have invented a heavy weapon to wield against those who raise civil liberties concerns, he said. It's easy to cast the choice in stark terms: Who wouldn't trade a little personal data to save even one American life?

'A bigger haystack'
An honest, open examination of surveillance programs might show the choice is not so simple, says Ashkan Soltani, an independent security researcher.

"The government feels like they need all this information in order to do its job, that there can't be security without them having access to everything. Well, that's a lazy or shortsighted way of seeing things," he says. "The idea I reject is that you need to violate everyone's privacy rather than be better at your job of identifying specific (targets).'"

Casting such wide nets is also ineffective, he argues. Collecting mountains and mountains of data simply means that when the time comes to find that proverbial needle in a haystack, you've simply created a bigger haystack.

"Law enforcement is being sold bill of goods that the more data you get, the better your security is. We find that is not true," Soltani said.

Collecting data is a hard habit to break, as many U.S. corporations have discovered after years of expensive data breaches. The NSA’s data hoard may be useful in future investigations, helping agents in the future in unpredictable ways, some argue. Schneier doesn't buy it.

"The NSA has this fetish for data, and will get it any way they can, and get as much as they can," he said. "But old ladies who hoard newspapers say the same thing, that someday, this might be useful."

Even worse, an overreliance on Big Data surveillance will shift focus from other security techniques that are both less invasive and potentially more effective, like old-fashioned “spycraft,” Soltani says.

The J. Edgar Hoover test
Soltani is worried that Americans, despite their vocal complaining about Washington politics, have forgotten history and are too trusting of their government when it comes to the exchange of liberty for safety.

"Right now, the abuses seem theoretical. There seems to be a lack of historical context, a lack of cases where the government has abused power," he said. "People seem to have forgotten about J. Edgar Hoover."

In fact, Solove has a test he uses to consider every extension of government power, what might be called the "Hoover test."

"Put J. Edgar Hoover in charge of the program. If your reaction is 'Yikes!' then there isn't adequate protection built in," he said. "One of the tests should be is how do we feel if we don't like the people in charge, because we don't know who will be in charge of it in the future."

The German motorway shooter example is instructive on how a system that provided both security and privacy might work. Police never considered acquiring all data, or demanding it from outside firms. They set up their own temporary collection tool, and German privacy officials are already demanding that the 60 to 80 million records collected from innocent people be handled with care.

In the world of email or mobile surveillance, it would be possible to imitate this example, Schneier says. Internet and phone record collection should not be indiscriminate, but limited, focused and temporary.

"Here's the middle path: transparency and oversight," he said. "We've already recognized that police need extraordinary powers to violate privacy ... but we have to recognize that when you give someone the power to violate privacy, that power is ripe for abuse."

Government officials have often said that oversight itself must be a secret: Mere disclosure of the existence of government surveillance programs tips off the terrorists. Schneier rejects this.

“So they tell the terrorists they are eavesdropping on email. What's the problem? We assume the terrorists don't know? This is fanciful nonsense," he said.

Follow Bob Sullivan on Facebook or Twitter.