Here we go again. Security vs. privacy. Round n.
Of course, I'm referring to the aftermath of the horrific ISIS attacks in Paris. What did we (the U.S., France and like minded societies) know before the event? When did we know it? Could we have known more? What may have prevented us from gaining the information needed to detect and stop such plotting?
Of course, a lot is still unknown. Did the plotters encrypt their communications to stay off police radar or did they simply choose to not communicate electronically? Were they aided or motivated by recent disclosures of intelligence sources and methods? Were the Snowden leaks a proximate cause and guidebook to their tightening their communications and their security? It's not yet clear.
Still, an attack this successful inevitably raises the question: have we got this security-privacy thing about right? And with 130 innocents dead, the context of the question (today) is whether or not we've overplayed by being too self limiting, by giving up or disclosing tools that would increase the odds of detection and prevention.
Indeed, the program that Congress recently chose to end in the USA Freedom Act—NSA's acquisition of American metadata—was a program designed specifically for the Paris massacre kind of problem: terrorists in the homeland, undetected, potentially in contact with known terrorists abroad. With that in mind, Senator Tom Cotton (R, AK) is already sponsoring legislation to stop the implementation of that Act.
For my part, I recently summarized today's context with the observation that, "Right now that big stack of metadata doesn't look like the scariest thing in the room."
Little noticed in coverage here, Congress's action in the USA Freedom Act was a bit of an anomaly globally. In fact, pre-Paris the Parliaments in France, Germany and the United Kingdom were busy strengthening the domestic surveillance authorities of their own security services.
Throughout all of this, a portion of the U.S. population has lionized Edward Snowden who stole and disclosed hundreds of thousands of documents on how the United States, Australia and the United Kingdom collect foreign intelligence. Even former attorney general Holder has suggested that Snowden should be cut a judicial break or two since he promoted a "necessary" conversation. Indeed, Snowden has been supporting himself by remotely beaming in to make speeches on the growth of the "surveillance state".
Last week CIA Director John Brennan corrected the record a bit when he said publicly what every American intelligence professional knew privately: America's enemies went to school on the Snowden disclosures. State enemies must have delighted in getting access to something called the CBJB—the Congressional Budget Justification Book—where the intelligence community catalogues its needs and slices and dices how it intends to spend the money it is asking for. I certainly would have moved heaven and earth at CIA or NSA to steal similar documents from our adversaries. They, of course, didn't have to.
Terrorist groups paid little attention to the CBJB, but were constantly reminded of NSA's and other's efforts to track them. People I've talked to in the intelligence community, senior leaders and junior operators, cite concrete evidence of terror cells changing their communication patterns as a direct result of disclosures. Whatever some may think of Snowden's activism, I cannot see how any rational observer could claim it was cost free. And part of the cost may (we will likely never know) have been blood on the streets of Paris...or some other yet to be identified cobblestones.
And then there has been the self-righteous hyperventilating in Europe over the last two years over NSA's alleged predatory behavior there. That ended up last month in the European Court of Justice canceling something called Safe Harbour, an agreement that allowed European data to be stored on servers in the United States.
No more, the Court ruled, since U.S. privacy protections were inadequate—a surprising ruling since U.S. protections are actually more robust than many EU members. An understandable error, though, since pre-Snowden, because of American transparency and Congressional oversight— European publics and parliaments actually knew much more about U.S. espionage than they did their own.
And post-Snowden? Well, there was a lot of finger wagging and criticism as accusation piled on accusation (not all of them accurate, by the way), although recent press accounts of what some European services do suggest that what distinguishes NSA from them is more about skill and scale than anything else.
And post-Paris? Well, if we're hearing any criticisms from Europe, it's about the need to share more U.S. intelligence with them and nary a word about what we have or how we may have gotten it. Go figure.
For most of the last two years, the security-privacy debate has been at a different point in its orbit— those pushing the debate were all about overreach and the need to reign in. Then I reminded audiences that this was not a battle between the forces of light and the forces of darkness. It was about the tough choices free people always have to make between two things—security and liberty—that are both virtues and the balance between them should be based on the totality of circumstances in which they find themselves.
Even with the debate dramatically (if temporarily) shifted, we should keep that in mind as we decide on a way ahead to protect the values that we share.
After all, the closing of Brussels this past weekend was as much an affront to liberty as it was a matter of security.
