Earlier this month, Director of National Intelligence (DNI) James Clapper described reaching out to the private sector as a “daunting task,” and that “there is still much to be done,” to improve information sharing in the age of digital communications. Brad Brekke, the FBI’s director of private sector engagement, added that there is a need to go even further than that, and “move from information sharing to collaboration.” These statements allude to the ongoing tensions between the government and the tech giants of Silicon Valley.
Tensions remain
These tensions are not new by any means, but were clearly—and publicly—demonstrated in the wake of the San Bernardino shooting in December 2015. Despite a warrant, Apple refused to help the FBI access information on one of the suspect’s iPhones. Apple claimed that the FBI’s request to change the software of the seized phone—which would allow the FBI to automatically attempt the 10,000 possible pin combinations without activating a security system designed to erase all data after too many incorrect guesses—would weaken the encryption of Apple’s entire system as it could be used on all iPhones, anywhere in the world.
Cipher Brief expert and former Senior Deputy General Council at the CIA, Robert Eatinger, argues that by refusing the lawful request from the FBI, a private company has made a decision that affects all Americans. “We were not asked if we wanted to amend the Constitution to withhold from our government the authority to search the contents of cellphones used by any person, for any purpose, anywhere in the world,” he writes. Apple has effectively “imposed terms of governance on the American people without our consent.”
The situation begs for a deeper public discussion on the trade-offs between strong technical security for the consumer and providing the government sufficient tools to effectively mitigate security threats.
There are issues inherent in digital communications that do not recognize national borders. The pros and cons of individual government policies can fall by the wayside when considering the global nature of the Internet and the industry surrounding it. True, the U.S. has a unique opportunity to cooperate with tech companies because many of them are based there, but the products of these companies are used around the world. Should the security of people living under foreign governments affect the decision-making calculus on how Americans ensure their own security? Is Apple able to grant the U.S. intelligence community access to iPhones while denying Chinese intelligence services the same?
Though the public debate is portrayed as one of competing values—privacy vs. security—these questions are not necessarily about opposing principles. Both the U.S. government and private industry have common goals: the promotion of free speech and individual liberty while combatting extremism and violence. Rather, it seems that new technologies have raised conflicting views on how best to achieve those goals—and the shared values, it could be argued, are getting lost in the debate.
Nuala O’Connor, President and CEO of the Center for Democracy and Technology asserts “all Americans—including both company executives and law enforcement officials across the nation—want to keep our country safe and secure.”
But progress is possible
Tech companies sharing information with government is not new. This became immediately apparent in 2013, after former NSA contractor Edward Snowden revealed the NSA program PRISM, which allowed the collection from prominent tech companies of Internet communications data being transmitted abroad. Recently it was revealed that Yahoo has been scanning emails in real time for intelligence agencies, using a modified spam-filter to search for a character string associated with a foreign terrorist organization.
But there is a desire by the government to go beyond information sharing to active cooperation with tech companies. Initially this took the form of government requests for backdoors, or intentionally tailored holes in encryption, allowing government—and, in theory, only government—access to communications content, as in the case of the FBI’s requested entry into the seized iPhone.
The problem is essentially a balancing act between offensive collection and defensive cybersecurity, because ultimately, in the view of the tech industry—and even a number of high-level government officials—a backdoor for one is a backdoor for all. Weakening encryption to allow the U.S. government access to the content of communications would be opening the door for systems used by millions of Americans—as well as people abroad—to penetration by foreign spies, criminals, and repressive regimes.
It is for this reason O’Connor argues that “we need to take one thing off the table if we truly want to find common ground: companies cannot be asked to compromise encryption.” To do so will likely push companies to adopt even stronger encryption.
With this non-negotiable stance for encryption by many of the major tech companies, security officials have warned of criminals and terrorists “going dark.” But while end-to-end encryption is likely to grow, there are various other avenues of information sharing and cooperation that can be explored.
For example, metadata—the whom, when, where and how of communications data—is not encrypted and continues to be shared. And while Apple may have championed encryption, it still provides metadata to the government upon legal request. Metadata is immensely useful in mapping out networks that can help prioritize more targeted monitoring. It is even informative enough that lethal decisions abroad have been made based solely on it.
Another avenue is the rise of connected devices that make up the Internet of Things (IoT), such as cameras, fridges, and DVRs. DNI Clapper has suggested intelligence services will use the IoT for “identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.”
More proactive cooperation has occurred between government and tech companies in terms of strategic communications. Google has instituted its Redirect Method, a targeted advertising campaign designed to introduce individuals seeking ISIS recruitment messaging to counter-narratives. Twitter has an ongoing campaign to suspend ISIS-affiliated accounts without corroding its ideals of freedom of expression. Facebook has been the most aggressive, hiring counterterrorism experts and swiftly deleting terror-related content. This was the case during the June attack on the Pulse nightclub in Orlando, where the gunman pledged allegiance to ISIS online, mid-attack, only for the posts to be removed by Facebook.
Ultimately, O’Connor argues, “we live in an age where targeted, informed surveillance for law enforcement purposes is more possible—and more pervasive—than ever.” She maintains there “are certainly many areas where Silicon Valley, law enforcement, and the government can collaborate to find workable practical approaches to keeping our nation secure while protecting the rights of citizens.” So while building a cooperative relationship between Washington and Silicon Valley may seem daunting now, there is plenty of room and interest for it in the future.
Levi Maxey is the cyber and technology producer at The Cipher Brief. Follow him on Twitter @lemax13.
