Pages

2016-04-01

The inutility of mass surveillance, backdoors, and limits to encryption


Terrorist attacks such as the ones in Paris on November 13, 2015 raise the specter of prevention through increased surveillance of digital communication. But as is the case with most knee-jerk reactions following dramatic unforeseen events, the call for increased mass surveillance of the internet has very little practical utility. On the contrary, if the events in Paris taught one lesson, it is that mass surveillance failed resoundingly. It could not be otherwise: since many decades, analysis in hindsight has consistently demonstrated one thing, and one thing only: regardless of how much computing power agencies like NSA, GCHQ, DGSE, BND, ISNU and many others dedicate to the task, the current state of algorithms does not enable sorting massive data for relevance.  Therefore, the entire plethora of intercepted and stored data can be made sense of only after the fact but is more often than not of limited use in the prevention of attacks. Neither 9/11 nor the 2005 London Subway Bombing nor the Madrid Train Station attack nor the Paris Bataclan incident nor any other could be prevented through digital mass surveillance. Admittedly, there are claims – for the most part not verifiable – of a great number of thwarted attempts. But proof of success in mass surveillance has not been adduced in a single case of an individual prosecuted for attempted crimes. While this fits the adage that law enforcement needs to be successful 100% of the time while perpetrators only need to succeed once, it does not change one fundamental insight: despite the fact that many attackers in prominent terrorist incidents had previously shown up on agency radar screens, they were still able to carry out their nefarious plans.


While government-sponsored digital mass surveillance is yet to show any tangible benefits in securing its purported goal – our safety, revelations of the scale of data collection prompted calls for individual and organized resistance, as exemplified by Bernard Harcourt’s Exposed: Desire and Disobedience in the Digital Age, Frank Pasquale’s The Black Box Society: The Secret Algorithms That Control Money and Information, and others, and by the discussions they spurred. 


NSA is, of course, entirely aware of the inutility of mass surveillance. Documents revealed by Edward Snowden show the agency’s struggle with its skyrocketing data overload, forcing it to apply artificial limitations in order to be able to conduct any meaningful analysis at all. The reason why it – and its peers abroad – keeps striving to collect even more Big Data lay in every bureaucracy’s ambition to increase power and status through size and budget as an end in itself. Originally, NSA was established to collect Soviet signal intelligence to prevent another Pearl Harbor – comparably a relatively simple task with few points of communication and data flows to monitor – but one that is not infinitely scalable.


Much discussed lately, backdoors for encryption software are nonetheless technological nonsense: a backdoor for NSA would result in claims by any number of governments starting with China, yet nothing would prevent “evildoers” from using proprietary, backdoor-free encryption software. While the ostensible target of surveillance would continue to avoid detection, commercial enterprises with business and industrial secrets to protect that seek secure communication would be exposed – to competitors as well as to their governments. Industrial and fiscal espionage has ultimately blurred the line between public and commercial interest, and, honi soit qui mal y pense, government surveillance is of considerably greater value in commercial exploitation of the findings than most justifiable security purposes could rationalize.


Quite the contrary: in a world with secure end-to-end encryption freely available, law enforcement and intelligence agencies would be compelled to perform their actual job and focus on targeted surveillance and traditional police work – which is superior to mass surveillance not only in terms of effectiveness but also as a matter of cost-benefit analysis: eroding privacy rights of the population at large and of business  needs to be factored in as a cost and balanced against the purported benefits of information gleaned through surveillance. This is also the only way to confront low-tech, asymmetric responses to computational and cryptologic superiority.


It is ultimately the same calculus that applies to the cost-benefit analysis of military response to terrorism: while eliminating threats by drone may be one thing, “avenging” (though certainly not forestalling) the death of a few thousand people over time by military expeditions costing trillions and causing the death of hundreds of thousands of wartime casualties, be they servicemen, civilians, or sympathizers, shows a crass imbalance. After all, given the fact that an American citizen is approximately 10,000 times more likely to die in a motor vehicle accident, and vastly disproportionately more likely to die in a plane crash, than in a terrorist attack, nobody has yet proposed to shut down private or public transportation – the only “reliable” way to avoid those casualties.


There is also the aspect of constitutional rights: in countries where governments and their agencies are, for one or the other legal reason, precluded from surveillance of their own citizens without meeting an at least somewhat demanding standard of probable cause, no country currently applies a variant of the “fruit of the poisonous tree” doctrine to information obtained through intergovernmental cooperation that, had the receiving government conducted the warrantless search, would have been ruled inadmissible at best and a violation of constitutional rights of the surveilled. It is difficult to predict timing but it is foreseeable that the absurdity of obtaining information from a foreign government that your own constitution and laws prohibit you from collecting will meet with increasing judicial rejection.


As I have argued elsewhere, the matter boils down to our standards of accounting for intangible values. For the sake of avoiding hypocrisy, this has to include putting a realistic valuation on human life (as is done by every wrongful death award and certainly in terms of medical insurance) but also on the quality thereof. Maximum protection lacks economic viability – and is unlikely to be total.


Aside from such considerations, futility is also evidenced as mass surveillance perpetuates the failed logic of the arms race: the Manhattan Project delivered an impressive proof-of-concept demonstration in Hiroshima and Nagasaki – some historians argue, in fact, that Little Boy and Fat Man were used primarily to deter the Soviet Union, as a military purpose against Imperial Japan was difficult to substantiate given that the nation was already very near collapse and surrender. Yet it took only until 1949 for the first Soviet device to see the light of day, while the largest hydrogen bomb ever detonated, Tsar Bomba, capable of 50 megatons or twenty times the amount of all explosives used in World War II combined, was set off in 1961. The role of foreign intelligence for closing this knowledge gap is irrelevant as it has remained a constant across time, and digital technologies tend to seep faster into commercial availability than most intelligence operations would take to set up and harvest. In the cat-and-mouse game with the “dark forces” of hackers and foreign governments, any U.S. lead will be equally temporary, but the effects of this technological arms race on the remaining quality of human life and individual rights and liberties will not be.


Confronted with the need to price for balancing purposes the goods we lose and gain through temporary governmental monopolization of technology, this challenge may have one desirable consequence: it may force us to fundamentally rethink our accounting and valuation treatment of intangibles that will include not only constitutional rights but also assets such as the environment. While no one will dispute that any rational, non-random and non-arbitrary valuation will be difficult and depend on complex consideration and balancing of the purposes thereof, part of the reason for this realization may be that they are, at least with the benefit of hindsight, priceless.