Surveillance & the Rule of Law: the Road Paved with Good Intentions

A month ago, Ron Deibert, director of the Citizen Lab at the University of Toronto, visited Green College at the University of British Columbia to speak about Cyber Swarming: Distributed Counter Intelligence and Surveillance as Global Civil Security . Deibert called his pitch a “model for a countermovement” against the troubling story of ever-increasing privacy rights violations by state actors.

(Side note: In contrast to my discussion of privacy in the abstract as a weak concept, Deibert’s sketch of the unfolding government surveillance saga looks at what is happening in the real world, now. Just wanted to state for the record that my objections to privacy as a rights-bearing tool are not intended to comment on current state actions.)

What struck me most in the talk was its legal subtext: written all over his narrative was the deterioration and subversion of the rule of law – and how such failures were ushered in the very idealism that birthed the internet. The irony is that it’s the same old “those who forget history are doomed to repeat it” story we never seem to fully grasp. I want to take a moment to scrutinize Deibert’s history from a legal perspective, in the spirit of thumbing my nose at this stupid pattern. I think this is something we need to do more often, so that we learn to recognize the signposts of going down the same treacherous roads before we embark on them.

The Background: the promise of a legal vacuum / a space devoid of legal constraint

So let’s get into the history. Before the swollen constellation we know as the interwebs looked like it does today, Al Gore was a figure instrumental in pushing us in towards this model. He advocated for the consolidation of various unconnected networks by spearheading the High Performance Computing and Communications Act. While he used government to help build the apparatus, he also, according to Deibert, deserves credit for the initial push to extricate government forces from its administration.

As a result, thanks at least in part to Gore, the internet flourished in a space largely devoid of law. The ideology behind this approach was utopian: we wanted the internet to be a free space because we thought that its exemption from law was a safe social experiment. It was new and not terribly important to our daily lives at the time, so why not futz around? It could be a place for unrestricted innovation, collaboration and sharing.

We couldn’t really conceive then that practices taking place in a virtual world might infiltrate the real world irreversibly, and that partly as a result, internet-based practices could be powerful and dangerous. In this context, it gradually accumulated our dependency.

The evolutionary morphing of “security threats”

Deibert identifies 9/11 as the game changer when it came to how state intelligence agencies thought about information and surveillance. Before, says Deibert, it was a “spy versus spy” sort of world – governments against governments. 9/11 saw the coming of age of The Terrorist Threat. As a dispersed and slippery malice, it caused spy agencies to turn away from states and towards their citizens. This movement was exacerbated by the fact that 9/11 was widely characterized as an intelligence failure. It changed the conversation: since there were hints that weren’t picked up on, adequate surveillance technology was clearly available. In hindsight, we thought properly executed violations of privacy seemed like a small price to pay for the now-extinguished lives of thousands of Americans.   

So we’ve got roughly 2.5 conditions here necessary for the perfect storm of government surveillance active today:

  • the growing relocation of commercial and interpersonal communication from other communicative technologies onto the web (and the means to track it) and
  • the primary focus of a threat to national security now located at the situs of the individual rather than the state

It’s easy to see now how what looked at first like a legal haven could have been better described as a vacuum: through the tragedy of the commons, the lowest common denominator of government and private action rushed in. Eventually.

In 2002, American John Poindexter (of Reagan-era scandal fame) championed a bill to launch the Total Information Awareness program, which failed in Congress partly as a result of his connection with it. The program aimed to develop capacities to

“turn everything in cyberspace about everybody …  into a humongous, multi-googolplexibyte database that electronic robots will mine for patterns of information suggestive of terrorist activity,”

as an article from the New Yorker in 2002 by Hendrik Hertzberg describes. But, Deibert points out, the bill’s failure in congress didn’t stop the program from moving forward. It got atomized into different projects and black-budgeted.

Regardless of how commonplace a practice like this might be, I would like to pause here and marvel at just how repulsive this is to a democratically-minded palate: if Congress tells you to bugger off and take your horror-house program with you, you bugger off. I thought that that’s what following democratic procedure means. You don’t add food dye to your rotten meat, repackage it and send it back to the marketplace.

The private sector and state intervention: a waltz

With the public hand of government extracted from the internet, it is now (and has always been) run by private companies.

What do you do if you are a private company and there are no rules?

Deibert offered a couple of case studies, I’ll only mention one here. He pointed to the oft-downplayed Green Revolution or Twitter Revolution in Iran, which happened in 2009, awhile before the Arab Spring is said to have kicked off. When it became clear that Twitter was an indispensable vehicle for the protests, the Iranian government sought and obtained “lawful intercept capability” from Nokia to figure out who was associated with which incendiary tweets. Then came arrests, and the movement was quashed pretty quickly.

It’s easy for us chastise Nokia for complying with Iran’s ask. But think about it: what was this company supposed to do? You’re in an internet with no rules! As Nokia, you have the authority figures of a government knocking at your door, and no playbook to go by except maybe some ethical queasiness. But up against that is the potential threat of getting your business shut out of an entire country.

This is exactly the scenario that government intervention, in the form of legislation, is designed to prevent (presuming, of course, that the legislation we would like to see should have come from Nokia’s home turf). Since we never designed corporations to have moral compasses, it is the job of legislation to let them know where the limits are. Without limits, the worst request is going to get complied with.

A fairly short interval gets us from this point to the government surveillance nightmare we are currently staring down. Thanks to the Snowden saga, Deibert says, countries around the world are taking this government surveillance style and running with it. An activist from Bahrain is arrested, tortured, and presented by his government captors with transcripts of his Skype conversations. The Ethiopian government has used spyware against an opposition party prior to an election. Using the Chinese version of Skype, if you try to type in phrases like “Tiananmen Square” you just can’t.

Garret Hardin wrote “The Tragedy of the Commons” in 1968. I appreciate the difference between the idea of using up a resource and governments abusing power in a space without legal constraints, but I think there is sufficient similarity to merit the comparison. We put in legal frameworks because we want to set a floor for standards of behaviour, government or civilian. Undoubtedly internet culture wouldn’t look the way it does if we had done this from the get-go. What is more important?

All I am saying is, I think it’s fair to demand that when we are presented with a new resource, we don’t approach it with the kind of naïve idealism that leads us to unleash it with insufficient restrictions on behaviour when we have seen this pattern before.