As faithful readers of our site are hopefully aware, Just Security will be celebrating its second anniversary on Monday with an event dedicated to exploring one of the most important security issues of the day: strong digital encryption and government access to technology company user data. Many in the intelligence and law enforcement communities worry about the ability of criminals and foreign spies using digital communications channels to thwart lawful surveillance through the use of strong encryption. FBI Director James Comey has repeatedly described this as the “going dark” problem. On the other end of the spectrum are civil libertarians and technologists, including those representing some of the world’s biggest technology firms. They claim that risks from any attempt to weaken strong encryption will far outweigh any benefits to law enforcement or intelligence. Maybe doing so will make it marginally easier to catch a few criminals, but at the expense of putting everyone at greater risk of having their digital security compromised. A common critique some members of the tech community have leveled at government officials pushing for ways to access encrypted communications, is that policymakers are failing to heed, or do enough to seek out, their advice in discussions around this and other information security matters.
Earlier this summer, I spoke with Chris Soghoian, the Principal Technologist and a Senior Policy Analyst with the ACLU’s Speech, Privacy, and Technology Project, about a wide range of surveillance and technology-related issues (see here and here for parts of our interview). One of the big themes of our discussion, and indeed, the issue that prompted our conversation in the first place, was the need for lawyers, technologists, and other experts to work collaboratively when tackling questions of how the law is changing in light of advances in technology. So, ahead of our event next week, I thought it would be worth sharing Chris’s thoughts on the need for more collaboration between all parties involved in shaping our digital security.
(The discussion has been lightly edited for clarity.)
John Reed: The Privacy and Civil Liberties Oversight Board held a hearing in May on surveillance and technology and, as you pointed out, there was a total lack of technologists on the panel. Why is that a problem?
Chris Soghoian: There’s no way to have a reasonable discussion about the appropriateness or legality of surveillance if you don’t have an understanding of how the surveillance is taking place. I watched one of the PCLOB panels on technology, the one with Orin Kerr and a bunch of professors — and I was really struck by how little discussion of technology there was on the technology panel. Basically, you know, the panelists ceded that there were technologies that were creating difficulties and then they left it at that, but they didn’t say what the technologies were or how they were changing the landscape.
By the same token, I think there is this tendency in the national security law area to say a professor who has published law review articles about the intersection of technology and law is basically the same as a technical expert. I work with lawyers who are tech savvy. It is a pleasure to work with lawyers who understand technology. But it is not the same thing as having an actual technical expert on a committee or panel. And when you don’t have technical experts present, then the conversation is limited to the most basic topics. And for something like Executive Order 12333 which really covers the vast majority of what NSA does, it’s just embarrassing to have oversight of this Executive Order and these surveillance programs take place without anyone talking about technology.
JR: How does this hurt intelligence oversight, even when you have fairly technically savvy lawyers? What’s the gap?
CS: Because subject-matter experts make the lawyers more efficient, more effective. It means that I can answer a question in five minutes that a lawyer would have to spend a whole week researching. And it also means that we can make arguments that are both more nuanced and more sophisticated, and more novel, that we simply wouldn’t be making otherwise. I’ve seen in my two-and-a-half years at the ACLU that the arguments we’ve been making in cases are ones that we simply would not have made before without someone there who really understood and could explain the technology.
And so the FTC is doing things right and hiring technologists, the White House is moving in that direction, yet in the intelligence oversight world, we’re stuck in the 1990s. The Foreign Intelligence Surveillance Act Court has a permanent staff of national security law experts, but they don’t have any technologists. And there were times that are now publicwhere the FISA Court didn’t understand what NSA was doing. And hell, there were times the NSA didn’t understand what the NSA was doing. But the FISA Court lacks the technical expertise to really evaluate what the NSA is doing.