Added: Stefany Murrah - Date: 13.11.2021 07:58 - Views: 48776 - Clicks: 6376
I was invited as a witness on a panel with Steve Bradbury and Steve Vladek and prepared testimony. Unfortunately, Representative Bill Young's untimely death resulted in the House not being in session today and the hearing has been rescheduled for next Tuesday when I cannot attend. Preparing the testimony did, however, give me a chance to work through my thoughts about the right framework for analysis and how it might apply to some of the proposed reforms. Never one to let work go to waste, I post these thoughts here for such value as others might find in the analysis.
Like most issues, in the end I think the only answer you can really give is "it depends. First, the reality of data analytics has fundamentally changed. We may wish that were not the case, but it is and in my judgment, Congress would be wise to recognize this fact. Our privacy laws must, in turn, change to meet this reality;.
Third, applying these concepts to the consideration of NSA surveillance le me to the following conclusions and here I have selected only a few of the most prominent proposals for discussion :. Fourth, our current system of intelligence oversight generally works.
It is incumbent on this Committee and those in Congress with knowledge of how our intelligence apparatus operates to defend that system as effective and appropriate. For those who want to skip the framework and go right to the analysis, scroll down to the sections "Assessing Reforms of the NSA" and "Congressional Action. As an initial matter, two caveats are in order. First, as the current holder of an active Top Secret security clearance I am ened not to access classified materials that have been illegally disclosed.
Naturally, that has caused a bit of a challenge in preparing a statement, since some of what is the subject of discussion today is public only because of such illegal disclosures. Fortunately, however, many of the most important underlying materials have been properly declassified by the Director of National Intelligence and may, therefore, be discussed in open session.
Equally fortunately, I can confidently state that none of the programs we will be discussing today were within my purview when I was at the Department of Homeland Security. Hence everything I write about today is based on the public record, as I understand it — without, by the way, necessarily assuming that everything in that record is an accurate reflection of what is actually happening within NSA and the Intelligence Community.
Second, in offering my statement to you, I necessarily tread where others who are far smarter than I have already walked. Cyberspace is the natural battleground for enhanced analytical tools that are enabled by the technology of data collection. If our goal is to combat terrorists or insurgents or even other nations then the cyber domain offers us the capacity not just to steal secret information through espionage, but to take observable public behavior and information and use cyber tools to develop a more nuanced and robust understanding of their tactics and intentions.
Likewise, it can be used by our opponents to uncover our own secrets. More to the point —these analytical tools are of such great utility that governments will expand their use, as will the private sector. Old rules about collection and use limitations are no longer technologically relevant. If we value privacy at all, these ineffective protections must be replaced with new constructs. The goal then is the identification of a suitable legal and policy regime to regulate and manage the use of mass quantities of personal data.
Get over it. Pure privacy—that is, the privacy of activities in your own home—remains reasonably well-protected. Today, large data collection and aggregation companies, such as Experian and Axicom, may hire retirees to harvest, by hand, public records from government databases. These data aggregation companies typically hold birth records, credit and conviction records, real estate transactions and liens, bridal registries, and even kennel club records. One company, Acxiom, estimates that it holds on average approximately 1, pieces of data on each adult American. Since most, though not all, of these records are governmental in origin, the government has equivalent access to the data, and what they cannot create themselves they can likely buy or demand from the private sector.
The day is now here when anyone with enough data and sufficient computing power can develop a detailed picture of any identifiable individual. That picture might tell your food preferences or your underwear size. It might tell something about your terrorist activity. Or your politics. Even that exercise is a challenge for any government, as the failure to list Abdulmutallab in advance of the Christmas bombing attempt demonstrates. Yet, even with those complexities, the process uses relatively simple technologically—the implementation is what poses a challenge.
By contrast, other systems of data analysis are far more technologically sophisticated. They are, in the end, an attempt to sift through large quantities of personal information to identify subjects when their identities are not already known. In this latter context, the individuals are dangerous because nothing is known of their predilections.
There can be little doubt that data analysis of this sort can prove to be of great value. Our privacy laws and our conceptions of privacy cannot withstand the technological change that is happening and the cyber conflict that is developing. We must put theories of data availability and anonymity on a sounder footing—a footing that will withstand the rigors of ever-increasing computational capacity.
To do so we need to define what values underlie our instinctive privacy-protective reaction to the new technology, assess how realistic threats of abuse and misuse are, and create legal and policy incentives to foster positive applications while restraining adverse ones. Privacy is really a misnomer.
What it reflects is a desire for independence of personal activity, a form of autonomy. We protect that privacy in many ways. Sometimes we do so through secrecy which effectively obscures both observation of conduct and the identity of those engaging in the conduct. In other instances we protect the autonomy directly. Even though conduct is observed and the actor identified, we provide direct rules to limit action as, for example, in the criminal context where we have an exclusionary rule to limit the use of illegally collected evidence. The information data-space is suffused with information of this middle-ground sort, e.
They constitute the core of transactions and electronic ature or verification information available in cyberspace. It is done in public, but one is generally not subject to routine identification and scrutiny. Protecting the anonymity we value requires, in the first instance, defining it accurately. One might posit that anonymity is, in effect, the ability to walk through the world unexamined.
That is, however, not strictly accurate, for our conduct is examined numerous times every day. Sometimes the examination is by a private individual for example, one may notice that the individual sitting next to them on the train is wearing a wedding ring. Other routine examinations are by governmental authorities—the policeman in the car who watches the street or the security camera at the bank or airport, for example. As we drive down the road, any of people might observe us. So what we really must mean by anonymity is not a pure form of privacy akin to secrecy.
If there are no unjustified consequences i. In other words, if nobody is there to hear the tree, or identify the actor, it really does not make a sound. We can and should build structures that map the same rules-based model of authorization linked to consequence as the appropriate model for the world of dataveillance. Thus, the questions to be asked of any dataveillance program are: What is the consequence of identification?
What is the trigger for that consequence? Who decides when the trigger is met? These questions are the ones that really matter, and questions of collection limitation or purpose limitation, for example, are rightly seen as distractions from the main point. The right answers to these questions will vary, of course, depending on the context of the inquiry, but the critical first step is making sure that we are asking the right questions. Finally, let me close this statement of principles by noting that none of this is to diminish the ificance of the transparency and oversight, generally.
Transparency is a fundamental and vital aspect of democracy. Yet Madison understood that transparency was not a supreme value that trumped all other concerns. He also participated in the U. Constitutional Convention of , the secrecy of whose proceedings was the key to its success. While governments may hide behind closed doors, U. It is not enough, then, to reflexively call for more transparency in all circumstances.
The right amount is debatable, even for those, like Madison, who understand its utility. What we need is to develop an heuristic for assessing the proper balance between opacity and transparency. To do so we must ask, why do we seek transparency in the first instance? Not for its own sake. Without need, transparency is little more than voyeurism. Rather, its ground is oversight--it enables us to limit and review the exercise of authority. In the new domain of dataveillance, the form of oversight should vary depending upon the extent to which transparency and opacity are necessary to the new powers authorized.
Allowing some form of surveillance is vital to assure the protection of American interests. Conversely, allowing full public disclosure of our sources and methods is dangerous — identifying publicly how we conduct surveillance risks use of that information by terrorists and, in turn, draws a roadmap of which threats are not known. Thus, complete transparency will defeat the very purpose of disclosure and may even make us less secure.
What is required is a measured, flexible, adaptable transparency suited to the needs of oversight without frustrating the legitimate interests in limiting disclosure. Here, public disclosure through widespread debate in Congress should be rejected in favor of a model of delegated transparency -- Congressional and Executive Branch review for example, random administrative and legislative auditing of how the government is using the information provided that will guard against any theoretical potential for abuse while vindicating the manifest value of limited disclosure.
In short, Madison was not a hypocrite. Rather, opacity and transparency each have their place, in different measures as circumstances call for. The wisdom of Madison's insight--that both are necessary--remains as true today as it was years ago. With these principles in mind, let me now turn to an assessment of some of the more prominent proposals for reform to the NSA programs that have been talked about in the news and in the halls of Congress. Adversarial Advocate : This proposal would create a standing team of attorneys to respond to and present a counter argument before the FISC to requests for permission to collect information against an individual or entity.
There is much to be said in favor of this proposal. With regular criminal warrants the ex parte nature of the application for a warrant does not systematically create a lack of a check on overreaching because of the possibility for post-enforcement review during criminal prosecution with its adversarial process.
By contrast, in intelligence investigations that post-execution checking function of adversarial contest is often missing -- few if any intelligence collection cases wind up before the courts.Adult looking nsa Reform
email: [email protected] - phone:(487) 168-6729 x 6705
Reforming the NSA Surveillance Programs – The Testimony I Would Have Given