Have you met the new BOSS?

In my class at Immaculata, when we discuss our increasingly surveillance-rich society, I present my students with a scenario of a future in which surveillance cameras are on every street corner, connected on the back-end not to human monitors but to sophisticated software with both high speed facial recognition capability and a database of, well, everyone. The stated objective of such a system is to find wanted criminals and known terrorists, of course, but we’d all be getting our faces scanned and matched, all the time. I ask students to compare this to the old-fashioned cop on the beat, who can see your face as easily as a camera can. How is this different, and is it a worthy trade-off of privacy for security?

Well, I will to continue using this scenario in class; I’ll just soon be leaving off the word ‘future’. A government program has been designed, built and tested, and I think it’s closer to deployment than anyone realized.

With the well-chosen acronym, BOSS, the Biometric Optical Surveillance System has been under development for several years. The origins of the program are very interesting. It began with a military purpose: to spot terrorists and suicide bombers in Afghanistan and Iraq. But in typical mission creep fashion, the program was brought stateside and put under the control of the Department of Homeland Security. Now the aim is for domestic use by law enforcement across the US.

An article in the NY Times contains the recent revelations about BOSS, which has been a two-year multi-million dollar effort carried out mostly by contractors. It has been field tested (using volunteers) and the improvement in the technology – in terms of accuracy and speed – has been rapid and steady. As a technology guy, I’m impressed.

But as private citizen, I’m alarmed, and for a lot of reasons. The system is designed to contain not just mug shots of the bad guys, but all possible attainable photos – of all of us. The handiest source for this is driver license photos; although this has not been established yet, I foresee that the temptation for a complete nationwide identity recognition system will become very strong.

The potential for abuse is also very high. It would be nice if we could find the bad guys whenever they walk out of hiding, but the system can – and I think, undoubtedly will – be used to track even minor offenders, people subject to civil suits and all around government fishing expeditions. And the potential chilling effect on protected political protest and free speech is not something we should dismiss lightly.

Next, as my students eventually recognize, this system is very different from the cop on the beat. The cop uses judgment and has authority. Yes, we expose our faces to everyone in view when in a public place, and our expectation of privacy is adjusted accordingly. But that expectation does not extend to a big-brotherish system of continuous scanning – at least not yet. I fear the day when such a system may in fact be within our expectations.

And last of all, I’m alarmed that this system was developed entirely in secret, and was only revealed after a Freedom of Information Act filing. As Ginger McCall (a lawyer and privacy advocate who wrote about this in a Times Op-Ed piece) righty points out, we should not be deploying systems like this without safeguards and rules in place, and after a reasoned public debate. This is not something that government bureaucrats should deploy and control in secret. The public should have a say – and the right to a veto.

Given the government's penchant for mission creep and the often overzealous – and secret – application of technology designed to keep us secure at the expense of privacy rights, we should all be concerned. The NSA’s use of packet sniffers to spy on internet traffic and email is just one recent case of an agency going far beyond what reasonable citizens consider acceptable. I think it would be another tragedy if BOSS were deployed without public discussion, and clear-cut rules on how it is to be used, and not abused. Let’s not surrender our reasonable expectations of privacy yet again to another secret government program which we knew nothing about until after the fact.

Why pay for access, when your neighbor’s signal is free?

In the course that I teach on “IT Ethics and the Law”, one of the lectures is devoted entirely to security – hacking (white hat and black), identity theft and so on. I often bring up the topic of the openness of our consumer-electronics world, touching on, among other things, personal Wi-Fi networks and the need to secure them. If I ask about the students’ home networks, there are usually some who say that they don’t need home Wi-Fi and an ISP, as long as their neighbors are leaving their wireless networks unprotected.

When this happens (admittedly, it was once much more prevalent than today), I can’t help challenging the class about the ethics of using a neighbor’s open Wi-Fi signal. I used to be astonished (I no longer am) by the apathy with which students shrug off this question. Invariably I’m confronted with an argument that goes like “If they’re dumb enough to leave their signal unprotected, why shouldn’t I use it? What am I stealing?”

First, let me make this as clear here as I try to do in the classroom: using someone else’s computer resources without their permission IS illegal, according to laws going back to 1984 and reenacted more than once since. It doesn’t matter if the signal is unprotected or not, just as your neighbor doesn’t have to lock his door in order for your act of burglary to be a crime. But no appeal to the law will make any difference to what my group sees as a victimless and undetectable act. To them, setting up a network without a password is tantamount to inviting the neighborhood to log on and start surfing.

So here are the elements of this perfect crime: (1) a victim careless enough to be culpable in his own vulnerability, (2) the apparent absence of harm committed by the perpetrator and (3) the near-impossibility of being detected.

Faced with this thinking, often unanimously argued by a roomful of students, I often feel at a loss of where to begin. (And by the way, this course is taught to continuing-ed students – working adults often in their thirties and forties. NOT teenagers.)

The heart of the matter, of course, is not that you’ve violated the Computer Fraud and Abuse Act, but that you’ve taken something that didn’t belong to you, secretly and without permission, and benefited by it. That feels wrong to me, and I hope it feels wrong to you too.

I recently read a question put to the ‘Ethicist’ columnist of the NY Times, which described a scenario in which a woman failed to shield her laptop from the view of someone (unknown to her, a competitor) in the adjacent airline seat. If she failed to take proper precautions, why shouldn’t I spy on her, the competitor asked, in another variant of the ‘dumb victim’ defense.

I think it’s very dangerous – not to say immoral – for us to lower our standards of good behavior because we perceive the victim to be less smart than we are, as if this somehow invites being taken advantage of. This is ‘blame the victim’ thinking and it is one slippery slope: it can lead us way beyond IT issues to every kind of crime. We should see these phony self-justifications for what they are. Failing to setup a password on a wireless network is NOT an invitation to others to log in for free. 

Today, I believe the vast majority of home networks are password protected by default, and most people who set them up know the importance of securing them. So this argument, or at least this specific scenario, occurs less frequently than it once did. But that doesn’t mean we don’t have to think clearly and ethically when we encounter the property and resources of others. It’s wrong to take stuff that doesn’t belong to you: I think we were supposed to learn that in Kindergarten.

I'm curious. Have you ever logged on through someone else's Wi-Fi? Tell me about it.