By Jedidiah Bracy, CIPP/US, CIPP/E

On October 9, the Cato Institute, a public policy research organization, held a daylong conference on the recent U.S. National Security Agency (NSA) surveillance disclosures. Titled "NSA Surveillance: What We Know; What to Do About It," the conference was packed with privacy advocates and lawyers, journalists, technologists, academics and public policy and security experts. The day was also peppered with three keynotes from Sen. Ron Wyden (D-OR), Rep. Justin Amash (R-MI) and Rep. F. James Sensenbrenner (R-WI).

Some of the leading journalists covering the Edward Snowden leaks and the NSA disclosures shared their insights in a session sandwiched between the keynotes by Wyden and Amash, both outspoken critics of some of the NSA’s surveillance programs.

Sensenbrenner, author of the USA PATRIOT Act (Patriot Act), said that in the coming days he will introduce a bipartisan bill to quash the bulk collection of phone records, which is currently allowed under Section 215 of the Patriot Act. Called the “USA Freedom Act” and supported by Senate Judiciary Committee Chairman Patrick Leahy (D-VT) and House Judiciary Committee Ranking Member Rep. John Conyers (D-MI), the legislation, according to Sensenbrenner, “will end the bulk collection of Americans’ communications records by adopting a uniform standard for intelligence-gathering under Section 215” as well as amend Section 702 of the Foreign Intelligence Surveillance Act (FISA) to restrict surveillance to authorized terrorist investigations. The bill would also establish an advocate in the FISA court and increase companies’ ability to publicly disclose law enforcement requests for users’ data.

On a legal panel prior to Sensenbrenner’s keynote, Google Privacy Policy Counsel David Lieber, though mum on some of the specifics of FISA requests that Google has received, did note the company does support legislation previously set forth by Sen. Al Franken (D-MN) that would enable businesses to publish aggregated statistics of government requests.

“We assert our First Amendment right to publish (that) aggregated data,” he said, adding that some of the government’s positions are “untenable.”

Notably, the gag orders that bar businesses from disclosing law enforcement requests amount to prior restraint, he said.

“We don’t think that transparency and national security are mutually exclusive,” Lieber said. “It is anachronistic, whereby the government gets to choose who gets to speak about FISA demands.”

Guardian journalist Spencer Ackerman asked Lieber if Google had any interest in noncompliance with a surveillance order. Ackerman queried whether Google could band together with other relevant businesses “to resist the surveillance apparatus itself” as “a form of civil disobedience.”

Though Lieber couldn’t answer the question, he did say it’s “dangerous terrain” and that “broadly, we have pushed back on government requests on many different occasions.”

The afternoon also featured a packed technology panel, including Karen Reilly of the Tor Project, Jim Burrows of Silent Circle, David Dahl of SpiderOak, Matt Blaze of the University of Pennsylvania and the American Civil Liberties Union’s Christopher Soghoian.

“Google might not like that they get government requests,” Soghoian said, “but they comply. They might push back, but ultimately, they have lawyers that only do this.”

People choose services such as Silent Circle over other larger companies simply because there’s more privacy and security—that’s the only differentiator smaller businesses can run on, he argued. If these smaller companies abuse the trust of their customers, their reputation is gone. If they fight the government, they have to shut down.

“This growing economic sphere is under threat,” Soghoian said. The U.S. is “a global leader, we should do everything to grow this market, but instead the Department of Justice and the NSA squashes them before they are big enough to fight for themselves.”

Asked if she thought anything about Tor should be changed, Reilly said, “we need more nodes … You should not trust us, you should trust the code.” She added that she is “confident that the distributed system still holds up” but the cryptography needs to be worked on further. Reilly also advocated for the transparency of the open community. Open-sourced systems such as Tor are very difficult for bad actors to infiltrate, and making large changes is difficult.

Standards, particularly NIST standards, were also a topic of conversation. Soghoian said the recent news that the NSA allegedly weakened the NIST standards to help with its surveillance capabilities was not the first time the NSA provided input to open standards. They worked on DSS in 1993 and, later, worked with IBM to improve security—which, at the time, was a good thing. “This points to the problem” of the NSA, he said. “They wear two hats—defensive hats and offensive hats, and sometimes you don’t know who you’re talking to when talking with them.”

Moderator and Cato Institute fellow Julian Sanchez noted that companies such as Lavabit, Silent Circle and SpiderOak are less decentralized than the Tor Project. They have slimmer points of access and the NSA wanted their encryption keys: “How do you deal with the challenges of building a security system when simultaneously being asked to undermine it?”

Silent Circle’s Burrows said the day that Lavabit went down was a really bad one. SpiderOak’s Dahl noted that the keys are only located on the computer being worked on, and that no keys are sent to SpiderOak itself. “All our data is literally garbage,” he said. “With our text and phone we have nothing to give” the government.

Notably, all the panelists agreed that there is no longer any truly secure e-mail platform.

Could the NSA revelations hurt U.S. tech business? After the Snowden leaks, Dahl noted, his colleagues in Europe have begun initiating their own tech startups, adding, “there is more motivation” to do so.

But others warned that there are much worse actors than the NSA.

“We have problems here,” noted Burrows, “the NSA is tarnishing a lot of reputations, but I’m not sure I distrust them more than the Chinese or Eastern Europe. We have problems, but they’re not the worst problems.”
