Cybersecurity expert says leaks’ impact may be limited.
By Asif Ismail
WASHINGTON, DC: Allan A. Friedman, the research director of the Center for Technology Innovation at Brookings Institution, is an expert on cybersecurity policy and information privacy. In an interview Wednesday, he spoke about last week’s leaks about U.S. surveillance programs published by The Guardian and The Washington Post. Here are edited excerpts:
Do you think the government was right in eavesdropping on millions of phone records under the pretext of counter-terrorism?
I think they have overreached. But I wouldn’t use the term eavesdropping. What they did is they obtained massive amounts of call records. Now you could say, “Who cares about call records?” But actually, we learn a great deal about who is calling whom and why from them.
The data also includes cell phone records. We don’t know the full amount of information, but a cell phone record can also include information about where that call was made from because it records the physical location of the [cell phone] tower. It is one thing to say that we need information about people that we suspect are bad. It is another thing to say we want that information about everyone so that we can find out who is bad. There are enough people who believe that this is a bad thing.
What about the Washington Post report that the U.S. National Security Agency also had access to servers of major internet companies?
The Washington Post had to walk back on some of the details of its story. They overstated what was going on. In that case, I believe it is a little less damaging in the short run, much more damaging in the long run. There was an existing program in place that allows the security agencies to go to private companies and say, “Listen, we need data about these people for this particular reason.” And then those companies turned it over. The program that the Washington Post reported about was a technical interface that streamlines that process. It didn’t allow access to the records of everyone who used these programs. The NSA still had to specifically request what they want about whom. There was still some limited oversight in those cases.
Even though the U.S. government had its data-gathering operations sanctioned by the Foreign Intelligence Surveillance Court, some argue that it is still a violation of the Fourth Amendment, which guarantees protection against unreasonable search and seizure. What is your opinion?
Again, in the case of the Verizon information, it is a little tricky. I think the easiest way to explain it is there was overreach. There are protections. FISA data is only supposed to be collected about non-Americans. The challenge for these Verizon records is why is there so much data being collected about Americans without any suspicion? In the case of the NSA using the FISA courts to collect data from web companies, about third parties, the principal objection I have about the FISA program is not that we are not allowed to know about individual people because the government should be allowed to investigate criminals or terrorists without tipping their hands. It is that they don’t disclose any aggregate information — there is no public transparency. We don’t know if it is being used on hundreds of people, thousands of people, tens of thousands of people. We found out that oversight from Congress is clearly insufficient.
What kind of impact these leaks are going to have on NSA’s cyber intelligence operations going forward?
The impact is going to be not as large as people suspect. I think the policy will still remain largely the same; there will probably be a little more oversight. I expect to see some congressional hearings — some of them will be public, some of them will be private. I think there will be some reforms, they won’t be extreme reforms. The intelligence community will be able to argue that they need to use this information and no elected official is going to say he wants to be the person that cut the program that could have stopped the terrorists. And that’s why we are in this mess in the first place. Hopefully, we will see more oversight. One of the real challenges is how the military intelligence and cyber intelligence is going to operate in the future with respect to classification — keeping things top secret. One of the lessons that emerged from this is that one person could undermine an entire culture. There are a hundred thousand people with top secret clearance in the United States, and yet one person was able to undermine it. I think the response is going to be pretty drastic, probably it is going to involve spending a lot more money and making much harder for any useful information to be shared.
In your opinion do you feel that Edward Snowden, the government contractor who revealed the existence of the spying program and leaked documents, deserves whistle-blower protection?
I don’t think he does. He clearly broke the law. Now the question is does someone, who breaks the law for a good reason, deserve a certain dispensation? I would like to see more information come out. Certainly, my sympathy is with him. I am glad that he did what he did, but at the same time we have to be careful about creating too strong a precedence so that anyone can go to the press. It is a tricky balance. We want to, on one hand, encourage people who see things that are clearly wrong to come forward. Ideally, what I would like to do is create a case where someone can blow the whistle not necessarily to a major newspaper, but go to their boss, or go to a senator and say, “Listen, bad things are happening, and you need to help because, otherwise, it will come out that you did nothing.”
Wikileaks whistleblower Bradley Manning trial is going on at the moment. There are a lot of interesting comparisons being made between the two. Do you see anything in common between the two?
They have more in common than there are differences. One of the interesting things about both of them is, in both cases, both stories, the narrative changed from focusing on the information that was leaked to becoming a story about people. In [the case of] Bradley Manning, it was less about him and more about [Wikileaks founder] Julian Assange. And now with Snowden, if you watch the American press, they are infatuated with him, and his neighbors, his girlfriend, rather than actually paying attention to what the information he leaked means. I find that disappointing. One of the motivations behind the very strong prosecution of Bradley Manning was that it would deter others from [doing the same] and that clearly hasn’t worked.
There has been a concern about the existence of the private intelligence gathering apparatus even before the current leaks. It has been reported that 70 percent of the U.S. intelligence budget goes to private companies. Is the skepticism about the role of private firms, who are largely driven by profit, justified?
I think it is. But first, in defense of private companies: it is easier for a private company to innovate and it is easier for the government to find talent in the market place than hiring people that it needs. It is more efficient. But there is a downside to that. The downside is, as we emphasize the idea that we shouldn’t expand the government, the government still needs to do what it wants. So they rely on private contractors.
Private contractors, as you point out, do have an incentive to grow programs very much as big as the government itself. In fact, they often [go] to the government [and say]: “Here is a new program that we can do, you should spend money on it.” Moreover, there is much less accountability, and there is the potential for waste, and it leads to a culture where you focus more on these specific dollars and cents amount than the actual results you are getting.
Now that we know technology companies have been providing data about their clients to the U.S. government, can they say no when other governments make similar requests?
I don’t think there is going to be much of a change, just because the governments that have been interested in getting information are already approaching major companies for years. India famously demanded that RIM, the maker of BlackBerry, cooperate with their intelligence service. These companies face a choice: [with] large countries that are important [markets], they have to work with their governments, they don’t have a choice, and for smaller countries, where they decide it is not worth it, if the company is bigger than the government, they can stand up to the government. I don’t think that is going to change because that calculus is already there. What changes is the international discussion. It makes it much harder for the United States to condemn other countries for doing this.
The leaks come at a time when the European Parliament is considering changes to its data protection regulations. Given the fact that some European lawmakers are livid about the U.S. having access to the private internet data of their citizens, what impact is it going to have?
I think it is going make it very hard to have good policy come out. Certainly, I appreciate the European perspective, but what is happening is more of a mass outrage than a productive discussion. The fact that the original report in the Washington Post overstated what American companies were doing is going to make it very difficult to have a balanced discussion, and my fear is that new European regulations will make it very difficult to have a productive global internet.
What is fascinating about this story is that, maybe for the first time, a foreign newspaper broke a major U.S. national security story. Is this going to be the norm in the internet journalism era?
I think it points to the value of newspapers working with a very diverse set of people. The reason that the whistleblower went to the Guardian is because Guardian works with someone named Glenn Greenwald, an American living in Argentina, who has spent 10 years being very critical of the American security environment. He was very critical of Bush, and he is very critical of Obama. Because he had that reputation, the whistleblower went to him. I think it points to a new model in journalism, where you can have an advocate as a reporter that is trusted by whistleblowers. They are going to reporters, not because they are famous reporters, because they are well-known advocates. (Global India Newswire)