The Freedom Panopticon

This is the fourth post I’ve started on the pervasive, indiscriminate, uncontrolled surveillance of electronic communications by the ministries of state security of the North Atlantic world. I stopped writing each of the last three either because the rant got too paranoid, or further revelations showed that the rant was not yet too paranoid enough.

But the stream of new information seems to have dried up a bit, as the news cycle has distracted itself with something called a Miley Cyrus, whatever that is, so I’ve had a chance to catch up a bit. And as a researcher in network measurement who left a job funded by security-academic-industrial-complex money to move to Europe to work on a project seeking to apply technical privacy guarantees to network monitoring systems (which ironically was named PRISM, and which I must forevermore footnote on my CV as “no, not that PRISM“), I feel I should make some statement on all of this. So here it is, predictable and unoriginal though it may be:

Pervasive surveillance is anathema to a functioning democratic society, and nations which do not exercise effective civilian oversight of their state security apparati end up being controlled by them.

This is simply the way of the world. You can’t have a freedom panopticon. You actually do have to choose one over the other. As for my personal opinion of whether it’s too late for the United States to co-opt its part of the Internet back from the state security apparatus, to pull out of its dozen-year-old fear-of-terrorism induced tailspin, well, I’ve already voted with my feet, and I’m still not coming back. But I do truly hope I’m being too pessimistic.

Back in the good old days, when my habit of pausing my Skype conversations to ask the NSA analyst assigned to review my Skype conversations how she was feeling today was just a paranoid affectation, I actually didn’t worry too much about this. I was concerned about how easy it was to get money from the US government by slapping a counterterrorism sticker on whatever it was you wanted to sell, and I’ll admit, mildly amused when the American state security establishment gave 1% of the population security clearances then wondered why it had so many leaks.

Once the state security apparatus got caught compromising service providers to get at higher-value information — which admittedly has a much better return on investment than just capturing everything and sifting through it, which they also got caught doing — then started detaining the journalists involved in catching them at Heathrow as terrorists, that’s the point the good old days ended. These are not the actions of governments operating in good faith under the rule of law. These are the actions of states that are enemies of their people, to be expected of regimes generally thought of as authoritarian, but unacceptable in a functional democracy.

I’m willing to accept that the various agents and analysts of the various security agencies genuinely believe they’re doing what they can to save us from terrorists. On that point, I can agree to disagree about the threat actually posed by terrorism as they define it. But good intentions do not excuse the overreach into the realm of surveillance that has the power to destroy what’s left of civic discourse through its chilling effects and creeping self-censorship of speech deemed politically sensitive, overreach into active disruption of the operation of the free press which represents the last hope of oversight of their activities.

Last week, Bruce Schneier appealed to the executives of Internet companies subject to — ahem — cooperation with the state security apparatus to resist. Well, I’m not an executive, and I don’t really know any: my relationship to communications networks is rather more hands-on. But I do know how government works, and I know that the politicians authorizing these programs generally lack even the barest ability to understand their details. Even the functionaries ordering them from within the state security establishment would find actual implementation a challenge. In order to execute these orders, they need scientists and practitioners with expertise in communications networks. In other words — and I know many of my readers are fellow network geeks — they need us.

We have a choice as to whether we will accept and perform work which is contrary to our moral obligations to society. We must not use our expertise to the disadvantage of the fundamental rights of our fellow citizens. In many of the jurisdictions in which we live and work, these fundamental rights are guaranteed by the most basic laws, laws which seem more and more to be ignored by our governments in the name of state security and permanent emergency.

In this case, we must start from our own first principles. Surveillance, when absolutely necessary, must be specifically and narrowly targeted, protected against abuse by technical and nontechnical means, and subject to legitimately independent oversight; surveillance systems which do not meet these criteria are not worthy of our support.

Therefore, I pledge the following, and I invite you to join me:

  1. I will not participate in the design, development, deployment, maintenance, and/or operation of any communications system which, in my professional opinion, has as a design goal the indiscriminate collection, storage, and/or analysis of communications content and/or metadata for the purpose of mass surveillance of individuals or associations of individuals without their consent.
  2. I will work to ensure, to the extent technically feasible, that systems in which I participate in the design, development, deployment, maintenance, and/or operation have safeguards against misuse for the purpose of mass surveillance. I explicitly refuse to support any deployment of such a system misused for mass surveillance.
  3. I will work to raise awareness of the dangers to privacy posed by systems on which I work and with which I am familiar, both within my professional community as well as in the community at large.

Of course, the last time I had operational responsibility for anything you could remotely call “production”, 911 was still just a telephone number, so perhaps my saying this doesn’t have that much impact. But I do build tools for network measurement, focusing these days on performance as opposed to security, and I’m actively working to make these as unattractive and cumbersome for mass surveillance purposes as is technically feasible. It might not be much. But it’s what I can do.