Can You Have Both Security & Privacy in the Internet Age?
With threats to national and international security on the rise, all agree that security services have to be able to operate in order to address them. However, as the haystack of data necessary to do so has become an object of interest, along with the algorithms that find the needles in it, it has become clear that the traditional mechanisms used to control surveillance are inadequate.
The conundrum is how to ensure protection while retaining the critical underpinnings of our democratic systems – free speech, freedom of assembly and association, and, critically, the right to privacy. It is clear that with the acceleration of technologies, there are no easy lines to draw. Moreover, in the internet age, almost all boundaries are being erased or redefined.
Black swans of security
Is it possible to be secure without giving up some privacy? Theoretically yes, although in reality it is not so easy to implement. But stating this has never been so contested. The strategic environment in which state intelligence operators manoeuvre is evolving rapidly, from an increasing number and different types of intelligence consumers, to demands for faster and more efficient responses in the roiling confluence of threats. There’s also the increasing complexity of cross-border terrorism and asymmetric war, and the full-on return of interstate strategic conflict. Thus, keeping distinctions between domestic and international does not work any more.
As intelligence gathering becomes increasingly integral to national and international security, the debate has become quite heated on how the intelligence community should be equipped to anticipate and prevent the worst-case scenarios and “black swans” of security. Yet sometimes even sophisticated and comprehensive intelligence gathering cannot prevent terrorist attacks, as we have seen in the recent wave of gruesome incidents in places as far apart as Pakistan, Nigeria, Tunisia, Australia, the United States, Kuwait and France.
Today, the situation has shifted dramatically. The recently released Global Terrorism Index report (GTI) from the Institute for Economics and Peace shows that between 2012 and 2013, the number of people killed in terrorist incidents saw the largest increase in history, to 18,000 lives lost, which is a 61 percent increase from one year to the next.
[Figure: Global Terrorism Index 2014 Results Map]
Mass data
Is it problematic if government agencies collect our digital footprint, metadata, online habits and digital history for eternity? This data can potentially be used and abused – but it can also keep people safe. When reflecting on this question it is important to remind ourselves that, between the telecommunication companies, internet search engines and social media apps, you may have already consented to share a lot of your data, including your needs, preferences and dislikes.
While misguided regulation could drive intelligence operations further underground and create more uncertainty about their actions and legitimacy, the debate is stuck on the issue of intelligence gathering and surveillance infringing on the privacy rights of individuals, and on the abuse of those powers to target industry competitors; political, environmental and civil-society groups; and even individuals whom current and future governments don’t like.
Do we get caught up in a discussion about where we draw the line and posture over perceived government intrusion in times of calm, or do we reflect on the fact that in times of crisis, the calm tends to be easily replaced with strong criticism of why governments and companies did not do more to protect us? How do we ensure better understanding by lawmakers of the need for, but also the challenges of, making sure mass surveillance is not abused, by both public and private actors? How can we develop oversight mechanisms and processes that are meaningful for ensuring legal compliance?
The recent decisions by the US Congress and the UK government to restrict their agencies’ intelligence gathering and surveillance have been lauded in the media (as well as in sections of academia and civil society), but there is a long way to go before the intelligence community can curb security threats in a digital age that has magnified them, made them more insidious and pushed them across international borders.
Transparency – a tool to more effective intelligence?
For the intelligence community and the wider government apparatus, this is a matter of public image. To build trust, both groups need to be far more effective in explaining how they honour their responsibilities towards the privacy of individuals, especially in communities that feel they bear the brunt of scrutiny. This is about demonstrating accountability and practising effective oversight. It behooves agencies and the entities that are charged with overseeing them to increase transparency without compromising security, and to foster cooperation among multiple stakeholders.
On the cooperation front, there must be more clarification regarding the distinction between mass collection of information and mass surveillance. Through this clarification, there must be more knowledge among lawmakers about security implications, so that informed legislation and regulatory frameworks can be put in place. In particular, knowledge and legislation must be increased dramatically around the issue of cybersecurity.
The top-secret documents leaked by former NSA contractor Edward Snowden significantly damaged the US intelligence community’s public image and that of the bodies charged with its oversight. And, by default, they damaged that of the intelligence community worldwide. Although few would argue that the leaks directly compromised national and international security, there has been a great deal of commentary (and important legal findings in the US and elsewhere) about intelligence operators overstepping their bounds, which violated both the privacy of ordinary citizens and relationships with key sovereign allies and key companies, the latter when they are needed most.
So far, the legislative consensus on how to manage this negative image has been to dial back actions taken after the September 11 attacks in New York and broaden intelligence-gathering capabilities to reinstate the regulatory regimes that were put in place but not respected. The intelligence community is realizing that it must also act to build trust, and the best route is through accountability and transparency, and also public outreach. By way of example, the Norwegian Intelligence Services has for five years been publishing a declassified annual report on its intelligence activities. This education of the public about what intelligence services do is an important way to foster cooperation. Arguably, it is also the best line of defence for any state experiencing unconventional threats, such as highly trained and motivated foreign fighters returning to their countries of origin, or the growing trend of lone-wolf attacks, which is a nightmare for any intelligence service. Both are extremely difficult to trace and prevent, and an effective response relies upon non-traditional responses and the cooperation of local communities.
Public-private collaboration
Cooperation can also be preventative and on a larger scale. For example, in the digital world of big data, it behooves intelligence agencies to try to enlist the help of the private sector to collect and share data. This type of cooperation also serves the purpose of creating an ally in the private sector to influence legislation and regulations on a global level. Yet, normally such information sharing only occurs when the parties truly have an incentive to do so, and for the private sector, the case has generally not been compelling. Thus most so-called public/private information sharing has produced little, if any, meaningful sharing. In reality, the private markets, including between public sector and private institutes, have dominated information sharing, and collaboration efforts have been mostly meaningless in terms of impact but have served an important public-relations function.
It is thus important to move the pendulum but also recognize that this ally is a fickle one, and the perception that such a shift will respond first and foremost to market forces and growing opaque alliances between intelligence and big business needs to be well managed. (As such, partnerships of this nature need to be handled with as much transparency, accountability and open debate as possible.) In particular, a stronger alliance between the private sector and the intelligence sector could both demarcate and foster better understanding of the difference between mass collection and mass surveillance.
As intelligence agencies and the private sector cooperate, there will be a more thorough debate about whether the public will tolerate companies mining data that encroaches on privacy for commercial purposes. This will be compared with public alarm over intelligence agencies mining data for security purposes – a practice that will have credibility and utility only if driven in equal measure by intelligence agencies, business and civil society, the media and privacy activist groups. Similarly, mining and sharing data will always be a sensitive issue, but the sharing of practices and insights related to how to balance the need for increased security while respecting privacy laws should not be an issue of contention. Ultimately, trust needs to be earned through an honest, collaborative and inclusive approach.
Cybersecurity
Where cooperation becomes essential is in the realm of cybersecurity. Keeping tabs on dangerous actors online has increased the need for a stronger dialogue between intelligence operators and companies with vast experience in mining and interpreting massive data sets. Both the intelligence community and these companies can work together to increase the understanding among lawmakers about the growing number of “digital extremists”, many of whom operate on the dark net, but most of whom are also still in the open, using social media platforms. The private sector carries a particular responsibility to put mechanisms in place to alert governments about the harmful use of their platforms or networks that compromise the security of individuals, nations and the global community. Despite agreeing that protecting public goods and security is a shared responsibility, many companies see this – commonly referred to as “digital back doors” – as posing great reputational risk and being bad for the bottom line (since the regulatory framework around where to draw that line remains unclear).
As the world becomes increasingly digital, the importance of understanding threats in cyberspace cannot be overstated. Terrorists use cyber tools for propaganda, recruitment and fundraising with such ease that intelligence agencies are truly struggling to keep pace. The common response from decision-makers has been to enact legislation and institute regulations, but these efforts have been largely reactive and uninformed, evidenced by their failure to mitigate the evolution of cyberthreats – and even contributing to increased reliance on the dark net. Decision-makers must be given more information about cyberspace and its security, and the private sector is better positioned than the intelligence community to do this.
Lawmakers in most countries are focusing mainly on businesses’ concerns about how legislation affects their competitive advantage, rather than consulting with their experts about “back doors” to networks as optimal solutions to thwarting cybercriminals. To this effect, there is an important debate about these back doors, with many arguing that they make the internet less safe. And while for their own protection some companies have become savvy in this regard, and some even cooperate with intelligence agencies, most others are concerned that competitors will not comply with the new regulations, creating an uneven playing field.
It is clear that in the field of cybercrime there has been growing success in partnerships across countries as well as between public and private sectors. Now it is time to leverage this progress to attempt to build more and better bridges between the national intelligence community, the private sector and the wider public.
The need for agile oversight
By nature, intelligence agencies will constantly push the boundaries of legal frameworks to adapt to the rapidly changing security landscape. Such frameworks should be strong but elastic enough to adapt. Qualified decision-makers (those who can make informed judgement calls to determine the means necessary to justify security) are essential to this equation. And it is of vital importance that the authorities involved in regulations and oversight fully understand the evolving technology, tools and security issues. Educating the public to appreciate this paradox is also a necessity.
Although, to a degree, this phenomenon is already happening, it does not have strong enough support from key players to create the transparency that would foster more trust and support. The paradox is that more openness, more visibility and more engagement with other sectors are what will ultimately help intelligence agencies evolve into their role for a new security era.
The World Economic Forum, offering the largest global platform for public-private interaction, is particularly well placed to provide collaborative thought leadership on reducing global security risk. It helps key actors evolve and adapt to the changing security landscape by bringing together companies, government decision-makers and regulators, military leaders, intelligence experts and civil society.
Source: WEF
About The Author: Anja Kaspersen is Head of Geopolitics and International Security at the World Economic Forum.