The IT Ethics story of the year

You’ve probably seen some of the end of year tech wrap-up stories. The struggles of the web site HealthCare.gov certainly trained a big bright spotlight on web development projects, so much so that the president had to apologize for the troubled project. The other big story of 2013 had to be the revelations of the NSA surveillance programs by Edward Snowden. As the Obamacare web site slowly rights itself, I think it’s clear that the NSA revelations will turn out to have the more lasting impact.

I have not blogged about this story until now, partly because my opinions were complex and still evolving. And frankly, I've been surprised at how my assessment of Snowden himself has changed over the past half year.

Let’s level-set the story briefly. Edward Snowden was a contracted system administrator with the NSA for four years, and over that time, was troubled by what he learned of the agency’s worldwide secret spying operations – troubled enough to amass a large treasure trove of confidential documents that show what the agency was up to. In May of 2013, he left the country (he had been based in Hawaii) and began releasing the documents through several mainstream media sources around the world. The US government is determined to prosecute Snowden under the 1917 Espionage Act; they have filed charges that could amount to sentences that total at least 30 years in prison. After spending some time on the run, Snowden has won temporary asylum in Russia, which so far has refused to extradite him to the US.

The NY Times recently summed up the highpoints of what Snowden has revealed about the NSA programs:

• The NSA broke privacy laws or exceeded its authority thousands of times per year, according to its own internal auditor. Presumably, this was as judged by even their own permissive standards of behavior. 

• They broke into communications facilities and data centers both in the US and around the world, without the knowledge or consent of the targets.

• They undermined internet encryption and scooped up massive amounts of data indiscriminately, including health and banking data that is protected by federal law.

• The NSA was rebuked by the FISA court (its nominal oversight body) for misleading it repeatedly about its surveillance practices.

• And finally, the director of national intelligence, James Clapper Jr., lied to congress under oath last year in denying that the agency was doing what is now proved that it did do.

Snowden has been criticized for an indiscriminate data dump of his own; in attempting to uncover wrongdoing, he has (the criticism goes) jeopardized legitimate covert operations and put US friends and operatives at risk to the enemy. Although the Times stated that no real examples of this have been revealed since the disclosures, it’s hard not to agree that the possibility exists and that Snowden either should have realized this or was wrong to have disregarded it.

However, the positive consequences of the Snowden’s revelations are equally hard to deny. The public debate that he intended to spark has indeed been ignited. Outrage has been equally furious on both ends of the political spectrum (getting them to agree on anything at all is quite a feat in itself) and I believe that outrage is justified. The revelations have been well covered in the press, who now have plenty of their own investigative journalists on the case. And legal challenges have begun their paths through the courts; two federal judges have already ruled against the program (a third has ruled in favor) and undoubtedly the Supreme Court will be asked to decide.

As an IT guy, I’m in awe of the technology that the NSA built and deployed to carry out this mission. I would not have thought that the ability to overcome so many barriers, to acquire, store and analyze such a volume of data, and to do it all secretly, was within the capabilities of any government agency; I was wrong. But as an IT ethicist and concerned American citizen, I am appalled in even greater measure by the audacity of the undertaking and the complete disregard of law and the constitution with which it was carried out. Even now, President Obama seems oblivious to – or uninterested in – the magnitude of the issues at stake here; as someone who once taught a course in constitutional law, you would think he’d know better.

The tradeoff between security and civil freedom is something that cannot be done in secret by bureaucrats alone; it must be subject to a national debate, no matter how fractured the process of our political discourse has become in recent years.

On January 1, the New York Times wrote an editorial saying that Snowden may have broken the law but nevertheless he has done his country a great service, and they called on President Obama to work towards a reduced sentence or even clemency so that Snowden could return home. There is growing support for this approach, from many in media and in government, including several prominent US Senators.

Earlier in the year I was conflicted in my opinions of Snowden the man and his actions. I clearly disliked what I learned about the NSA, but I tended to doubt just how far they could have gone, given what I thought the technical limitations might be. Snowden himself I saw as a naive opportunist who was already on the run from facing responsibility for blowing the whistle as he did. But as revelation followed revelation, and the magnitude of the spying grew (and even now continues to grow) my opinion of Snowden has changed. I see him now as a courageous individual who was right to reveal what he did. He proved to me that I was the one who was naive.

The American people and the world do indeed need to know what is going on. The downside effects are still with us and have to be admitted, but for the greater good, I think the benefits – of giving the American people the oversight of their government that they have a right to have and on which the nation was founded – far outweigh the negatives. It is for that reason that I would name Edward Snowden this blog’s 2013 Man of the Year.

(Snowden and his actions are controversial and opinions of him are bound to be strong. Whatever side your views are on, I'd love to hear them.)

Have you met the new BOSS?

In my class at Immaculata, when we discuss our increasingly surveillance-rich society, I present my students with a scenario of a future in which surveillance cameras are on every street corner, connected on the back-end not to human monitors but to sophisticated software with both high speed facial recognition capability and a database of, well, everyone. The stated objective of such a system is to find wanted criminals and known terrorists, of course, but we’d all be getting our faces scanned and matched, all the time. I ask students to compare this to the old-fashioned cop on the beat, who can see your face as easily as a camera can. How is this different, and is it a worthy trade-off of privacy for security?

Well, I will to continue using this scenario in class; I’ll just soon be leaving off the word ‘future’. A government program has been designed, built and tested, and I think it’s closer to deployment than anyone realized.

With the well-chosen acronym, BOSS, the Biometric Optical Surveillance System has been under development for several years. The origins of the program are very interesting. It began with a military purpose: to spot terrorists and suicide bombers in Afghanistan and Iraq. But in typical mission creep fashion, the program was brought stateside and put under the control of the Department of Homeland Security. Now the aim is for domestic use by law enforcement across the US.

An article in the NY Times contains the recent revelations about BOSS, which has been a two-year multi-million dollar effort carried out mostly by contractors. It has been field tested (using volunteers) and the improvement in the technology – in terms of accuracy and speed – has been rapid and steady. As a technology guy, I’m impressed.

But as private citizen, I’m alarmed, and for a lot of reasons. The system is designed to contain not just mug shots of the bad guys, but all possible attainable photos – of all of us. The handiest source for this is driver license photos; although this has not been established yet, I foresee that the temptation for a complete nationwide identity recognition system will become very strong.

The potential for abuse is also very high. It would be nice if we could find the bad guys whenever they walk out of hiding, but the system can – and I think, undoubtedly will – be used to track even minor offenders, people subject to civil suits and all around government fishing expeditions. And the potential chilling effect on protected political protest and free speech is not something we should dismiss lightly.

Next, as my students eventually recognize, this system is very different from the cop on the beat. The cop uses judgment and has authority. Yes, we expose our faces to everyone in view when in a public place, and our expectation of privacy is adjusted accordingly. But that expectation does not extend to a big-brotherish system of continuous scanning – at least not yet. I fear the day when such a system may in fact be within our expectations.

And last of all, I’m alarmed that this system was developed entirely in secret, and was only revealed after a Freedom of Information Act filing. As Ginger McCall (a lawyer and privacy advocate who wrote about this in a Times Op-Ed piece) righty points out, we should not be deploying systems like this without safeguards and rules in place, and after a reasoned public debate. This is not something that government bureaucrats should deploy and control in secret. The public should have a say – and the right to a veto.

Given the government's penchant for mission creep and the often overzealous – and secret – application of technology designed to keep us secure at the expense of privacy rights, we should all be concerned. The NSA’s use of packet sniffers to spy on internet traffic and email is just one recent case of an agency going far beyond what reasonable citizens consider acceptable. I think it would be another tragedy if BOSS were deployed without public discussion, and clear-cut rules on how it is to be used, and not abused. Let’s not surrender our reasonable expectations of privacy yet again to another secret government program which we knew nothing about until after the fact.