Are we compromising national security by increasing access to information online?

This post is a liveblog of a panel at Google’s Liberty at 2010 conference in Budapest, September 22, 2010.

Calling this debate the “elephant in the room,” moderator Monroe Price of the Annenberg School of Communications at the University of Pennsylvania introduces the panel.

The first speaker, Smari McCarthy of Digital Freedoms Society (Iceland), notes that this is a double-edged sword: The security of the state and the security of the people of the state.  Conflating these implies a common interest, but McCarthy thinks we need to separate the two.  He believes that thinking about security of the people can increase security of the state.

Respondent Michael Semple of the Kennedy School of Government at Harvard notes the example of Wikileaks as a talking point.

McCarthy notes that “the state chooses its own rules”, and that those often reflect the interests of individuals working for the state, rather than the desires of the people.  He explains that we need to make the test (for what constitutes a security concern) more open.

Heather Brooke, a freedom of information activist in the UK, is asked how she deals with the question of finding a proper limit.

Brooke states that the key is whether or not there is actual harm, as opposed to speculative harm.  She’s been working on a 5-year campaign for the UK parliament to disclose their expenses.  Using freedom of information requests, she’s taken it to the high court in London.  She explains that politicians gave two reasons for not disclosing info: privacy and national security.  Leaving aside privacy, she notes that she had asked for MPs’ second addresses, believing that there were scams going on (houses used for non-governmental officials etc).  She believed that having access to those addresses would allow her to investigate, but the government felt that it was a national security issue.

“The people defining national security are the same who have the most to gain by keeping it secret,” Brooke says, “there’s an incentive for those people to claim ‘national security’ to prevent embarrassment…we need an outside body without a vested interest to determine who is being protected by these rules.”

Price asks if the UK is doing anything to implement this.  Brooke explains that in England, judges are somewhat of an outside authority.  She notes the information commissioner, who has access to classified information and can then make a determination on whether or not such information is justifiably certified.

“Under the guise of national security, lots of information is suppressed,” says Brooke.

Price brings up the example of Wikileaks, noting that this includes people in the US sharing data that actually affects people in Afghanistan, who may not have due process to deal with it.

Semple states that the Wikileaks example illustrates well the example of dealing with information in the modern age. “To get the point of multiple national securities involved, we need to look at how the UN charter (chapter 7) is invoked.”

Semple elaborates a bit on the variety of international involvement in Afghanistan at the moment and how multiple national securities are implicated by the release of the Afghan War Logs. He notes that much has been learned about civilian causalties and “unintended consequences”, as well as “the fog of war.” One of the things Semple notes as his interest is what the US might know about Pakistani involvement in Afghanistan.

“Can we pin down the national security concerns rather than invoke some vague idea of it?” he asks. He claims that one major issue is “embarassment of the state actors involved”. Beyond that, he notes that “counterpart confidentiality” is an issue; officials in the Afghan government briefs US counterparts confidentially, so they have a degree of trust that the security of such information won’t be breached.

Brooke notes that there’s always been a danger or fear of saying things publicly, but that now, we are beginning to see equally the dangers of secrecy.  She notes the 9/11 commission as an example, stating that “not saying things” could be a bigger issue for national security than saying them.

Semple notes that the sheer volume of data has changed the game and that it is testing the limits of editorial control for those people who previously maintained a standard of control in their journalism.  He states that it becomes physically difficult to place restrictions on the output of data, noting that the internal process of redaction in the Wikileaks process meant that Wikileaks only had to get one or two things wrong to jeopardize security.

Price: “We’re dealing with institutions outside of the common culture.  Google even is developing its own culture, in relationship with some governments but maybe not others.  Facebook can say ‘Pakistan made its decision about what’s illegal and offensive, but we don’t agree.'”  The larger question, he notes, is to ask whose culture makes these decisions?

McCarthy notes that the “Americanization of cultural values” can be problematic, noting Sunil Abraham’s example from yesterday’s panel about the difference of attitudes toward breastfeeding in India and the US.  He says that information is free, but context is expensive, cultural.  We must always extract which context we want and move forward with that.

Price brings up the issue of “information without borders,” or one Internet vs. many Internets, asking if security will be the lead argument for having many different servers.

Semple also notes that tactical details are an issue when it comes to security.

He notes that if published in the United States, such as in the New York Times, it becomes a big story in the country.  He also notes that people in other countries (giving the example of Waziristan) also have access to computers, and can access and mine the data.  He also notes that they have a strong interest in the data and are still furious about it.

“Those reports in the Afghan War Logs that generate security concerns are different from those which have generated public interest,” states Semple.

Price asks what the relationship between national security and the potential endangerment of human rights activists is.

McCarthy states that there’s a genuine reason to protect certain information: “because the bad guys could get it.”  He says, “if you get it wrong, people die, it’s simple.”  He then asks, “but who is accountable? Who is Wikileaks accountable to?  But also, who is the commissioner in Britain accountable to?”

Price notes the Wikileaks redaction process and states that Wikileaks did in fact redact information and asks about the difference between private redaction and, for example, government redaction of such information.

Brooke notes that she spoke to someone from the UK who noted that “there have always been leaks, but the difference is the way in which they’re distributed, and who can access them.”

McCarthy notes that there is “national security by policy and national security by design.”

Price notes that the conference is interested in “tertiary consequences to these leaks.”

“Human rights activists are usually aware that they’re working in an area where they could be threatened. If the government has information about them, it’s because they’ve been spied on in some way,” says McCarthy.

Price asks whose interest organizations like Wikileaks are taking into account; Semple gives examples of human rights activists documenting things in their own countries but who are also collaborating with international organizations, and notes that human rights organizations have the first responsibility to protect people.  He says that if a third party gets information, they can get access to information on human rights advocates that needs to be protected.  Brooke adds that journalists are involved in this constant battle: they want to publish as much as they can but also have the need to protect sources.

Price and Brooke agree that journalism has long been part of the debate, but wonders if the complexity and quality of the Internet allows for anything new.  Price calls it a demand from the public for a different kind of outcome.

McCarthy notes that bloggers aren’t the problem, as there has always been shoddy journalism, but rather the loosening up of borders due to the Internet has broken down barriers, allowing for more spread of information.  States’ attempts to place restrictions on the Internet under the guise, justified or not, of national security, complicates this further.  McCarthy asks where the borders ought to be.

Price then asks about “the Iceland example”, or IMMI.  McCarthy notes that no country has the protections we need, and said that the goal of IMMI was to make one country “well-organized” in this respect.  The main issue, states McCarthy, is that “Iceland just lost a huge percent of their economy because of secrecy and access to information; people are feeling burned out and ready to take this to the next level.  We want to create this free speech haven but also open up another discussion.  It’s been 200 years since the French and American revolutions, but since then, nothing has really changed on the issue of free speech; there have been no real philosophical debates.”

Price asks: “If Wikileaks were an Icelandic entity, would it be protected from the security issues of the U.S., Afghanistan, Pakistan, etc?”

McCarthy notes that IMMI isn’t intending to make anything legal that is not legal, but Price interrupts to note that laws vary by country.  McCarthy then clarifies to state that, as long as you are bound by Icelandic law (which is very liberal, has no military, and few issues of national security), you can put your servers/hardware in Iceland, and your borders protect the hardware but not your connection to the Internet.

Price asks if the national security example will be a movement toward “state internets.”

Brooke notes that what’s fascinating about Wikileaks is the fact that it came out of the US, but that it would be problematic to use that as an example for moving forward.

Bob Boorstin of Google asks from the audience if the reason behind IMMI was to create Iceland as a “Switzerland for data centers”.  McCarthy responds by saying that it is in fact a good way of building the economy, and Price compares it to “libel tourism in the UK.”  Most importantly, McCarthy notes, this is a business case, but he doesn’t want Iceland to be the only country to do this.  He says, “We want to change the ‘I’ in IMMI to ‘International.  We want other countries to do the same thing.”

Price then brings up the example of Research in Motion (RIM), noting that it is about access to information and telephony.  Calling on Rob Faris of the Berkman Center, he asks for comment on the recent cases of RIM in Saudi Arabia and the UAE.

Faris states that, in the United States, we have a pervasive surveillance state; there are a number or processes which the government can use to gain access about individuals’ telephone records or other information.  “Generally,” he says, “if the US government wants to gain access to someone’s data, it’s going to get it.  There are examples where they haven’t followed their own processes.”

“What about encryption?” asks Price.

Faris notes that telecoms in the US are required to offer a way for their networks to be surveillable.  “You do have limited protection by encrypting your communications,” notes Faris.

Leslie Harris of the CDT notes that what is happening with RIM is different from US surveillance.  She wants to differentiate the US from other examples, in that the US has rule of law, and that civil liberties unions there have fought against such surveillances.

Price asks: “How is this different from RIM in India?”

Harris explains that RIM is not a phone company and does not hold anyone’s ‘keys,’ and in the US there was a debate on backdoors for the government.

Price calls on Anja Kovacs from the Internet and Society Institute in Bangalore, India to explain the issue in her country.  She asks if making security a freedom of expression issue elsewhere makes it difficult for advocates in India to frame their debate.  She makes the point that what India is asking is compliance with Indian laws.

Price asks: “Is it the substance of the law or is it that it’s law passed in a proper way?”

An audience member adds that there’s a distinction between security and state and security and people, and says there’s a question we have not formulated in relation to the security of the people: “How do we handle hate speech in countries where there are strong religious, political, social tensions?”  Government overshoot as a consequence of trying to protect people, he says.

Price opens the discussion up to the audience, and Nasser Weddady speaks up as a civil rights advocate for the MENA region.  He reminds us that the US is a democracy, and democracies make mistakes, but that the “US is not Russia, there’s due process.  The government has bad ideas but historically there is input and balance.”  He states that he doesn’t believe that putting the US on the same level as other societies is a good comparison.

Nart Villeneuve of the OpenNet Initiative at University of Toronto notes that when you build system to hold info then system to access that info, you’re creating conditions that allow those systems to be compromised, and as governments share classified information with contractors, embassies, etc, they’re opening up that information to be stolen or shared.  “We always seem to be talking about actors with ethical intentions and who want checks and balances,” says Villeneuve, “but what I see is that a lot of these organizations get broken into and their sensitive, sometimes classified information gets taken by people whose intentions are unknown, be they foreign actors or those who want to sell information.”

Villeneuve, a security expert, notes that “about once a week,” he has to contact someone and ask if “they want their stuff back.”  He says that he originally got into this because of human rights groups whose information is being taken or who are being attacked.  He said that the compromise of Tibetan activists’ information is what made him get involved.

Anja Kovacs speaks up again, stating that she’s been working with activists where the Maoist conflict is strong (in India).  She says that websites were blocked, and that she contacted European organizations that usually publish this type of information, but was told that “India is a democratic country and there is nothing we can do.”  She wonders if the Icelandic initiative will make a difference in this manner.

Another audience speaks up and wonders if IMMI will work as an analogy to tax havens.  He states that tax havens don’t work, so why will this?

McCarthy says, “to be honest, most of which we’re trying to implement already exists in Iceland or elsewhere.”

An audience member reiterates that some governments use national security laws to stifle free speech and arrests human rights activists and dissidents.

Sharon Hom, from the audience reminds us that “there are national norms, such as the Johannesburg principles, for dealing with this.”  She states that these international norms apply to disclosure, expression, etc, including things like Wikileaks.

These norms are that you can’t invoke national security, except with imminent harm, concrete harm, etc.  She reminds us that those norms have been applied to specific cases and laws.

Price raises the point of Wikileaks again, asking if there’s a way to legitimately apply the Johannesburg principles to that case.  Hom suggests that if they’re enforced through the UN, they could eventually be reviewed and decided upon, but that it requires NGOs to bring that example up.

Price asks in response how that will help the Afghan people.

An audience member asks if people in countries such as Afghanistan have been able to speak up at all about the US engagement in their country.  He states that people are dying in the name of US national security all the time, and that the best safeguard of public safety is actually validly informed citizenry.

Heather Brooke jumps back in to the discussion and reminds us that these topics were tackled long ago but are still relevant today, and that this is an issue of “evidence of harm, rather than speculation.”  She believes that the state must continue to justify its actions.

Karen from the Tor Project jumps in to state that one of the key ingredients is to make due process stick, to force governments to “knock on the door” so that citizens can force them to go away and come back without a warrant.

Raed Jarrar, an Iraqi-American blogger gets the last word: “In the last couple of days, we’ve been focusing a lot on the US and Europe, with many mainstream voices, some official representatives from those governments, but the voices of the other 80% of humanity that lives outside those places is not represented well.  We haven’t heard mainstream voices from South America, Africa, or Asia, particularly related to issues of national security.  Today we had very nuanced discussions about national security in Europe in the US, for example, in relation to Wikileaks.  On the other hand, there was a blanket criticism toward China, India, Iran and other places viewed in a negative, black-and-white fashion.  My question to the panel is: In the same way you saw the Wikileaks issue in a nuanced way, a tool evading national security constraints, do you see any justification for China, India, Iran, Saudi and other countries to censor for their national security?  They think their national security matters and that some of our attempts to circumvent their censorship is endangering their national security.”

McCarthy jokingly notes that the British view Iceland as a terrorist state, then makes two points: The first, that in the Caucasus, a president stated that anyone who opposes him in the media would be ‘removed’ (the term was used vaguely).  The issue for that is: how is that national security?  That’s an example of an unacceptable concern.”

“India, on the other hand, is a different example.  If people doing terrorist activities want to succeed, there’s little likelihood that they’re going to use Blackberry.  The Indian concerns in regard to encryption aren’t serious; the arguments have already been broken down.  Encryption is a reasonable thing.  We need to stop thinking about national security in terms of the state, and start thinking about it in terms of people.  People are the only thing that matters.”

Price concludes by stating that the organizations are susceptible to this criticism and that these discussions should be furthered.