I found a report yesterday, “Intelligence deputy to America: Rethink privacy” quite interesting. The impact on privacy…the actual definition, not the definition Donald Kerr, the principal deputy director of national intelligence, thinks it should be…would not only be a huge step backward for the country, but it would also increase the threats to personally identifiable information (PII) exponentially.
To put it in a nutshell, Kerr is pushing to allow the government to eavesdrop on all types of electronic communications and phone calls without first obtaining court permission; basically at will. All in the name of “intelligence gathering” and preventing terrorism. All they have to do to do this monitoring, under the changes made in a rush last year to the Foreign Intelligence Surveillance Act (FISA) is to “reasonably believe” one of the participants in the communication is located outside the U.S. However, recent history has shown that this is a very wide net cast into the digital ocean that captures basically all that happen to be swimming in the waters.
Kerr doesn’t get privacy. Kerr doesn’t understand what privacy means to most people throughout the world. Kerr doesn’t get the concerns people have about privacy. More of Kerr’s viewpoints on privacy are found in a transcript of a speech he gave in San Antonio, Texas on October 23 of this year.
He states, “Privacy no longer means anonymity.” At the core privacy isn’t about anonymity.
At the core privacy is controlling WHO can access your PII and personal non-public activities and communications, and giving consent to WHAT can be done to your PII and information about your non-public personal activities and communications.
Privacy means others cannot access your PII, non-public personal communications or information about your personal activities, without your knowledge and, ideally, without your consent.
Kerr indicates the government should have free reign to access the telecommunications records of people’s calls and electronic communications.
Excerpts from Kerr’s San Antonio speech are somewhat conflicting. He states,
“Safety and privacy ‚Äì it’s common thinking that, in order to have more safety, you get less privacy. I don‚Äôt agree with that. I work from the assumption that you need to have both. When we try to make it an either/or proposition, we‚Äôre bound to fail. You can be perfectly safe in a prison; but you certainly aren‚Äôt free. And you can be perfectly free in an anarchist society; but you certainly aren‚Äôt safe.”
Well, it is good he says here that he believes everyone needs to have both safety and privacy.
Later he states,
“Protecting anonymity isn‚Äôt a fight that can be won. Anyone that’s typed in their name on Google understands that. Instead, privacy, I would offer, is a system of laws, rules, and customs with an infrastructure of Inspectors General, oversight committees, and privacy boards on which our intelligence community commitment is based and measured. And it is that framework that we need to grow and nourish and adjust as our cultures change.”
Yes, we definitely need laws to protect privacy. Recent history has shown that the government lacks rules and oversight for privacy in many areas, and within the few areas that do have rules, many incidents demonstrate that the rules are not being followed and that there is not adequate oversight or enforcement.
So much of Kerr’s speech is the epitomy of pushing fear, uncertainty and doubt (FUD) to support his stated goal of being able to monitor communications within the U.S.
It is regrettable that a representative of the government would try to say, more than once throughout his speech, that the concerns of the public for the privacy issues are largely to be blamed on the misrepresentations of movies. What a condescending attitude. Kerr should realize that the public’s concern is not based upon fictional movies; he should give his taxpayers more credit for their knowledge and intelligence than he did within this speech.
At the end of the speech Kerr answered some questions. Here was an interesting one:
“GEN. LEE: Could you elaborate on the notion that privacy does not equal anonymity? What are the implications?
DR. KERR: It’s a really good question because, in fact, it’s a personal question that everyone, in a way, has to answer for themselves. But I think today, you know, I‚Äôm willing to call up, pick the vendor of your choice. I‚Äôm willing to share my credit card number and expiration date with a person I have never seen, have no idea whether they‚Äôve been vetted or not.
I’ve certainly been able to get past being anonymous in that transaction. And of course, you multiply that by all of the transaction that you’re involved in every day.
I was taken by a thing that happened to me at the FBI, where I also had electronic surveillance as part of my responsibility. And people were very concerned that the ability to intercept emails was coming into play. And they were saying, well, we just can’t have federal employees able to touch our message traffic. And the fact that, for that federal employee, it was a felony to misuse the data – it was punishable by five years in jail and a $100,000 fine, which I don’t believe has ever happened – but they were perfectly willing for a green-card holder at an ISP who may or may have not have been an illegal entrant to the United States to handle their data. It struck me as an anomalous situation.
So this is not something where groupthink works for an answer. I think all of us have to really take stock of what we already are willing to give up, in terms of anonymity, but what safeguards we want in place to be sure that giving that up doesn‚Äôt empty our bank account or do something equally bad elsewhere.”
Kerr absolutely does not get it. He doesn’t see the clear difference between the situations he described. People CHOOSE to do business with a company and make purchases, and CHOOSE to give their credit card number to a merchant. That is a choice they made, based upon their knowledge about the company, and their determined risk to do business with the company.
It is quite a different thing to have the FBI, CIA, or any other government agency getting access to our communications, to our PII, to our bank accounts, and who knows how many other types of information, WITHOUT OUR CHOICE and WITHOUT OUR KNOWLEDGE AND CONSENT.
At the core, privacy is about choosing who gets access to our PII, our activities, our communications. Kerr wants to remove that choice and allow surveillance to who knows how large of an extent without the knowledge of the people that are being spied upon.
This is something that organizations, who have records that the government wants to monitor, will need to think about very carefully.
The telecommunications companies are already facing many civil lawsuits for allowing government monitoring of their customers’ records. What types of companies will be next? Once Pandora’s box is open, isn’t it likely there will be no limit to the type of organization subject to subversive surveillance?
Choice and consent are basic components of privacy. They are the foundations of most privacy laws throughout the world.
I am a strong supporter of fighting terrorism, but I still have not seen evidence or heard valid arguments to show that unlimited monitoring by legions of government agencies will have a true impact on mitigating the terrorist threats.
Sharing such large amounts of personal information and PII throughout many different systems with large, and seemingly unlimited, numbers of people having access to the information increases the threats and vulnerabilities to the PII and opens the associated persons up to bad things happening to them without any consequences to those (the government agencies) who possessed the PII and information.
Tags: awareness and training, Donald Kerr, FISA, Foreign Intelligence Surveillance Act, Information Security, IT compliance, national intelligence, policies and procedures, privacy, privacy training, risk management, security training