Re: [perpass] perens-perpass-appropriate-response-01

[Joseph Lorenzo Hall <joe@cdt.org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 12/4/13 12:09 PM, Bruce Perens wrote:
> 
> The potential is that you could be giving aid and comfort to "the
> enemy" by constructing a technical hinderance to intelligence
> gathering by your own national intelligence agency or by your
> country's intelligence partners. It looks from here that this falls
> under the later paragraphs of France's penal code definition of
> treason.

(apologies this is long... hopefully it's fun to read)

Hi Bruce,

It's probably been a bit less than a decade since last we spoke, I
hope you are well.

Like many, I find much to disagree with in your draft response.

First, I wouldn't use the adjective "political" but "policy"
indicating that in addition to the technical side of communications
infrastructure, there are also norms, rules, and laws to which we as a
society agree (either globally through commitments to human rights or
locally through culture, laws, and norms).

There are many of us -- although I'd say not nearly enough, we're all
hiring! -- that work in the policy space and try to advocate carefully
for why the current state of affairs (and where entities like the USG
want to go in the future) can not stand. A democracy is not a
democracy if it is in a constant state of pervasive surveillance.

At CDT we've worked with many people on this list -- and whome you
likely know -- to advocate for infrastructural security and to point
out that many, many countries are involved in essentially attacking
users against the more broad public interest:

https://www.cdt.org/files/pdfs/CALEAII-techreport.pdf
https://www.cdt.org/files/pdfs/nsa-review-panel-tech-comment.pdf

On the "downstream side, many of you may have missed this 2-year
effort (before Snowden!!) to document "systematic access", or
governments of the world demanding access to data the private sector
holds... i.e., it's certainly not just the U.S. or FVEY countries
exploiting data the private sector holds but increasingly every
sovereign entity (note one of the authors, Lee, was a former general
counsel to the NSA):

https://www.cdt.org/systematic-access
https://cdt.org/files/pdfs/govaccess2013/government-access-to-data-comparative-analysis.pdf

The reason I excerpted what you say above is the following: just like
it used to be many decades ago, the government cannot tap everything.
That is a fact. There are methods of communication that it will not be
able to tap, and there will be standards and tools that enable highly
secure communication. It seems overwhelmingly rational to protect
communications against strong adversaries in the passive case
("upstream" so to speak) and to beef up but not eliminate methods of
surveillance that are both legal and further the public interest in
safety as narrowly as possible.

The reason the NSA, CIA, etc. in the US and FVEY countries can collect
so much information is a combination of path dependence -- standards
did not contemplated pervasive threats and our daily lives are
increasingly mediated by protocols -- and over-zealous "we can, so we
will" thinking inspired by a state of terror.

Let me say that more clearly: if terrorism's goal is to put a populace
into a state of terror, this has certainly been accomplished for our
intelligence agencies, who justify any encroachment on the lives of
normal citizens as "why not? if it saves 1 person"... without thinking
about the very Heisenbergian conundrum that the act of pervasive
surveillance -- and not just how it is executed -- will undoubtedly
move us farther from democracy (and yes there are many other things
that affect that... e.g., campaign finance, voting technology, and
voting rights).

What I would like to see is a recognition and acceptance that there
will be secrets that governments can not know, and that they will
inevitably have to get back to actual police work -- not exploiting
the fabric of globally digital society.

This is why it is imperative to many of us to make sure the technical
side supports this to the best of our ability... as Nick said later on
this thread, without pervasive encryption we are vulnerable to
numerous adversaries, despite what you think of their intentions and
goals (and effectiveness, as Jake rightly notes, is simply a joke).

best, Joe

- -- 
Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSoIkCAAoJEF+GaYdAqahxo2kP+wdYMOrOKLiQMi5DvVsbEBGh
pXFZyyWvkIvsH8FSIKIY/+aOrLBuQ2ibqWNxdZqCtTomzCCjbpGkZWDm2LHYXSVG
iTI/gTzL8wFbr9jIbtA2Rw1fnvfp6bxwCFv71/xRTXi4hLMbh979nkMkwx8i6pdH
t9tc1R8G/pfbJ1ze93RNX7E+fm51ILvCIJPTqc6Tq+uZbcwA/55aXeWcymRtte72
AwygyLkGmy0En0G6tMovCKFIZO39KDr7ITcz/2pJJP0W/+yL8n8rH1RLy4+ZL7va
SVYvteSi9rEsCs9HfLGprlvtZYWmSHSwkufrdmXSSteOqhzukQu9qcO7bHGkowpn
CDpwl3WdZ/B44nxLBCM3BOQa4CKx2tCjNvtmkLcny6svhZnjS8O3LXhfX2WWxFah
Cjdfd2HQIbDmc3ORTfwYPluKVHMgvEOTDUgYQIvigyCi20nOLbWM+cBPp47TC+9A
+NcvzDDxt0c+KyX59K5ztbRMj/vEJ7A+IO0pJtaZp639BI4uU3RrRQ/3Iubt/hxp
a1/keKsISpsAHRYa4rgJzZ0bZDY7xvfpKLzwkTM6Ue+w16+Vook+8qqrQE7Xf8/3
/6wmScJe8faddoNnnW5TQDVUmQxFFkK9RDGX0Nw/9euV79SIBqyl2ncHMBZOSi0I
NMSTq+VVhg4RbdMwI2Su
=SNG+
-----END PGP SIGNATURE-----