Electronic Surveillance in Extremistan€¦ · • Prevent seizure or subjugation of land or peoples and destruction or control of vital physical or geographic assets Counter/preempt

K. A. Taipale February 4-6, 2010

Center for Advanced Studies www.advancedstudies.org

Slide 1

Electronic Surveillance In Extremistan

K. A. Taipale Executive Director, Center for Advanced Studies

Presented at:

Law at the Intersection of National Security, Privacy, and Technological Change (TLR)

Austin, TX, February 4-6, 2010



•  More info:   http://taipale.info/

  http://foreign-intelligence.info/

  http://surveillance-society.info/

•  These slides available at:   http://extremistan.info/

Slide 2



Slide 3

Overview

1.  Extremistan 2.  New vulnerabilities, new threats 3.  Converging missions 4.  Rethinking electronic surveillance 5.  e-Terry, NSSA, DI, SysAdmin, OIOW-Triage-Treaty 6.  Cautions/caveats 7.  Context/subtext



Slide 4

Overview

1.  Extremistan – DEFINING BORDERS 2.  New vulnerabilities, new threats 3.  Converging missions 4.  Rethinking electronic surveillance 5.  e-Terry, NSSA, DI, SysAdmin, OIOW-Triage-Treaty 6.  Cautions/caveats 7.  Context/subtext



•  Where is Extremistan?

Slide 5

Key question



Extremistan is the domain of low probability, high consequent events

Slide 6



Extremistan vs. Mediocristan

Slide 7

MEDIOCRISTAN Bounded

Nonscalable Type 1 (mild)

Impervious to BS

EXTREMISTAN Unbounded

Scalable/scale-free Type 2 (wild)

Vulnerable to BS



National Security lives in Extremistan

•  Goal: to maintain survival of the nation state through the use of instruments of national power (DIME)   Avoid low probability, high consequent (intolerable) events

  Counter/preempt existential threats to the nation state •  Prevent seizure or subjugation of land or peoples and

destruction or control of vital physical or geographic assets

  Counter/preempt existential threats to “way of life” •  Protect the strategic fragility of civil society

•  Power law distribution and potentially catastrophic outcomes prevents “rational” risk management

Slide 8



Law Enforcement lives in Mediocristan

•  Goal: to reduce undesirable or deviant (criminal) behavior to sociably tolerable levels

•  Presumption of innocence heuristic   “better that 9 guilty go free than 1 innocent be convicted”, see

Coffin vs. US (1895); cf. Volokh, “n Guilty Men” (UPLR 1997)

  Premised on linear scale (tolerable) consequences

•  Normal distribution and predictable/acceptable outcomes allows “rational” risk management

Slide 9



Prediction, Allocation and Risk Management (Preemption vs. Suppression)

Slide 10

Response/mitigation strategies (and legal regimes?) appropriate in one domain are IRRATIONAL in the other



Key question

•  What kind of vulnerabilities and threats are in Extremistan for policy purposes?

Slide 11



Slide 12

Overview

•  Extremistan •  New vulnerabilities, new threats – NEW RESPONSES •  Converging missions •  Rethinking electronic surveillance •  e-Terry, NSSA, DI, SysAdmin, OIOW-Triage-Treaty •  Cautions/caveats •  Context/subtext



New Vulnerabilities to Defend

•  “Strategic fragility” of infrastructure   Single points of failure   Cascading failures   Efficiency undermines security (eliminates redundancy and

resilience, systems are brittle in an engineering sense)

•  “Political/social fragility” (zero-tolerance for risks)   “Spectacular Terrorism” (~ 9/11)   Critical infrastructure cyberattacks (~ Cyber Pearl Harbor)

•  ~ self inflicted (other defensive strategies)? •  ~ political/ideological contingent borders?

Slide 13



Slide 14

Random vs. scale-free networks

Human social evolution



Strategic fragility – supercritical nodes

Slide 15



E.g. #1, Internet has logical SPF > DNS

Slide 16



And, physical SPFs > 7 Telecom Hotels

Slide 17



And, undersea cables

Slide 18



Jan/Feb 2008

Slide 19



E.g. #2, the 5 major shipping routes

Slide 20



With 15 major shipping ports

Slide 21



Cascading failure and “systemic” risks

Slide 22



Political/Social Fragility

•  Zero tolerance for risk •  No more 9/11s, no “Cyber Pearl Harbors”

Slide 23



New Threats to Counter (Super-empowered groups and individuals – Hammes 5GW)

•  Super-empowered capabilities (effort multiplied)   International and transnational terrorists   Insurgencies and anti-globalization forces   Criminal organizations and gangs   Rogue corporations

•  Super-empowered capacities (effect multiplied)   Hackers/crackers (Weapons Mass Disruption)   NCB (Weapons Mass Destruction)

•  Hybrids and proxies (plausible deniability) (no “agent”)   Motivational ambiguity dilutes traditional DIME responses

Slide 24



“Spectacular” terrorism

•  Mass casualty (kinetic, physical)   NCB   Coordinated conventional   Critical infrastructure targets with secondary effects

•  Mass disruption (kinetic or cyber)   Critical infrastructure

•  Utilities/services   Critical systems

•  Transportation/communication •  Financial

Slide 25



Kinds of cyberattacks

•  Unauthorized access (exploit)   Espionage/surveillance

•  Syntactic (attack/deny functionality) (~ force)   Take switch or server down (NB: bomb or virus)   Attack target as info appliance or as control device (SCADA)

•  Semantic (alter meaning/outcomes) (***)   System appears to be working but does more, or less, or

provides wrong/unreliable outcomes.   “Low and slow” (e.g., skew time stamps)

Slide 26



New D“I”ME Responses Available

•  If political consensus for preemption exists   Requires prediction/anticipation of future events, which   Requires observation/analysis of behavior or associations

•  Electronic Surveillance (defensive)   Lyotard: “We are all nodes” (including terrorists and hackers)   Communication Analysis (“wiretap”) (deep packet filter)

  Traffic Analysis (social network analysis)   Behavior Analysis (systems monitoring, anomaly detection)   Data Analysis (dataveillance, data mining, analytics)

  Remote and Technical Sensing (data acquisition)

•  Information Operations (offensive)

Slide 27



Key question

•  Under what legal/policy regime(s) should these various defensive and offensive response mechanisms be managed?

Slide 28



Slide 29

Overview

•  Extremistan •  New vulnerabilities, new threats •  Converging missions - BORDERLESS THREATS •  Rethinking electronic surveillance •  e-Terry, NSSA, DI, SysAdmin, OIOW-Triage-Treaty •  Cautions/caveats •  Context/subtext



Traditional National Security Model (Westphalian, 1st, 2nd GW)

Slide 30

National Security Power

Destruction

Deterrence

ACTIVE

NATION STATE



Extended National Security Model (3rd, 4th GW, SOF)

Slide 31


Destruction

Deterrence

ACTIVE

NATION STATE

Disruption

Preemption

S-E G/I LIC

OOTW



NatSec Legal Regime

Slide 32


Destruction

Deterrence

ACTIVE

NATION STATE

Disruption

Preemption

S-E G/I LIC

OOTW

US Constitution NSA 1947

LOAC in

Title 10 USC (Mil) Title 50 USC (Intel)

UN Charter Int’l Agreements

ML and BL Treaties

Executive Orders



Traditional LE Model (Beccarian - punishment)

Slide 33

Law Enforcement Power

Prosecution

Deterrence

REACTIVE

INDIVIDUAL



Extended LE Model (Intelligence based policing)

Slide 34


Prosecution

Deterrence

REACTIVE

INDIVIDUAL

Disruption

Preemption

S-E G/I OC IntT CC



LE Legal Regime

Slide 35


Prosecution

Deterrence

REACTIVE

INDIVIDUAL

Disruption

Preemption

S-E G/I OC IntT CC

US Constitution Title 18 USC

State Criminal State and Fed Civil

Int’l Agreements MLAT

Att’y Gen Guidelines



5GW > DIME+LE

Slide 36


Destruction


Prosecution

Deterrence Deterrence

ACTIVE REACTIVE

NATION STATE INDIVIDUAL

Disruption

Preemption

S-E G/I CT

CT/W



The Fog of Law

Slide 37


Destruction


Prosecution

Deterrence Deterrence

ACTIVE REACTIVE

NATION STATE INDIVIDUAL

Disruption

Preemption

S-E G/I CT

CT/W

Title 10 USC Title 50 USC

LOAC

Title 18 USC State Criminal State/Fed Civil

Title 6 USC

FISA ECPA

AG Guidelines

HSPD 23 / NSPD 54

EO 12333



The clarity of politics?

•  “We are at war” President Obama, Jan. 7, 2010 •  Political consensus for preemption of

  Spectacular terrorist acts •  Coordinated mass-casualty conventional attacks •  Critical infrastructure kinetic attacks •  NBC attacks

  Critical infrastructure cyber attacks

  Use of WMD/WMD is politically intolerable

Slide 38



Key question

•  What are the government’s security interests/needs/assumptions for using electronic surveillance to counter these threats?

Slide 39



Slide 40

Overview

•  Extremistan •  New vulnerabilities, new threats •  Converging missions •  Rethinking electronic surveillance – NOT “WIRETAP” •  e-Terry, NSSA, DI, SysAdmin, OIOW-Triage-Treaty •  Cautions/caveats •  Context/subtext



Preemption requires actionable intelligence

•  Preemption requires anticipating and countering potential future events

•  Short of clairvoyance, future events can only be anticipated by examining current or past associations or behaviors

•  Associations and behaviors are evidenced in electronic communications

•  Thus, electronic surveillance can lead to actionable intelligence

Slide 41



Conflicting paradigms for electronic surveillance

Intelligence/NatSec Law Enforcement

Activity Signals intelligence Targeted wiretap

Purpose Situational awareness Evidence/forensics

Goal Disruption Conviction

Strategy Move/countermove Linear investigation

Predicate Anticipatory/preemptive Reactive

Target Programmatic Targeted Slide 42



“Special needs”

Intelligence Law Enforcement


Purpose Situational awareness Evidence**/forensics







But, preserve outcome choices

Intelligence Law Enforcement


Purpose Situational awareness Evidence**/forensics







FISA

•  History – never intended to cover progr. intl. comms   Used outdated technology-based distinction – wire/wireless

•  NSA TSP – responded to four problems   Foreign comm intercepted from switches “within the US”   Collateral intercepts to and from US/USP   Pattern matching CDRs (traffic analysis)   Monitoring places/methods vs. individual (“exclusive use”)

•  FISA amendments PAA/FAA didn’t solve   Contacts (communities of interest) (traffic analysis)   Collateral content (ex ante predicate vs. ex post review ~ pc)   Programmatic (cf. pattern vs. roving, “specific” individual)

Slide 45



Key question

•  What alternative or additional doctrines/regimes should be considered?

Slide 46



Slide 47

Overview

•  Extremistan •  New vulnerabilities, new threats •  Converging missions •  Rethinking electronic surveillance •  e-Terry, NSSA, DI, SysAdmin, OIOW-Triage-Treaty •  Cautions/caveats •  Context/subtext



Collateral intercept or “contact”

Slide 48

Reasonable suspicion PROBABLE CAUSE beyond a reasonable doubt

Terry

target/ search ?

adjudication

Real world OBSERVE

Cyber world

seizure adjudication

ES

PROBLEM: How to get to probable cause where contact with FI target is the first or only indication of suspicion?



The e-Terry Stop

Slide 49

ES E-Terry

TARGET

Minimize FI target

“Contact” with FIT can be reasonable suspicion for limited follow up to eliminate or establish probable cause for targeting

SANCTION

Reasonable suspicion PROBABLE CAUSE beyond a reasonable doubt

Cf. Terry v. Ohio, 392 U.S. 1 (1968)

Reasonableness is contextual determined based on “totality of the circumstances”



Programmatic/systemic surveillance

•  FISA is aimed at individuals (“agents of FP”) and particular places (cf. roving**) [~ ECPA]

•  Need for “data-focused” authorities (NSSA Kerr 2008)   Patterns of communication   Conduits/means; Methods   Process of elimination/negative space

•  “Warrant” (or ?) would issue when identity is unknown and surveillance is likely to yield “terrorist intelligence information” (would not require “specific individual”)

•  Results as basis for subsequent targeting under FISA

Slide 50



Domestic Intelligence Agency

•  To facilitate oversight and limit potential harms •  Compare w/ Posner suggestion for warrantless

surveillance with no “pro forma” ex ante predicate but ex post review and reporting mechanisms and prohibition on use of information for most non-national security related crimes

•  Instead an independent agency with broad authority/narrow charter (i.e., no general LE powers) could preserve availability of criminal sanctions (cf. MI5/SB)

•  Maintain “tools” and avoid “wall”

Slide 51



Network Systems Administrator

•  Specialized agency with broad deep-packet surveillance and filtering authority restricted to maintaining network functionality

•  Cf. NTSB, CDC, etc. •  Authorities/functions

  Develop and audit security practices (prophylactic)   Monitor systems in real-time (for systemic risk)   Respond to incidents (identify, quarantine/isolate, counter)   Report on incidents (signatures, forensics, evidence)

•  International issues; jurisdiction

Slide 52



Authorized use/re-use standards

•  Existing policy/law overly focused on collections (policy based on analog information technologies)   Economics of analog information collection served as “check”

on system   Practical obscurity thru information technology inefficiencies

•  Digital technologies with zero/low marginal cost of acquisition and storage require shifting focus to “use” and “re-use” not colections   Markle Task Force Reports (http://markletaskforce.org/)   Taipale Senate Judiciary Committee Testimony

Slide 53



Offensive information operations

•  Need for authorities to engage in offensive information operations (Taipale 2002) (~PFIB 1990s)

Slide 54



How to authorize information operations?

•  Information operation “warrants” for interference with domestic communications (1st A?)   Website   Communication channel   Message content

•  Triage/quarantine authority (5th Amendment?)   Disconnect/isolate networks   POTUS authority in cybersecurity bill

•  International regime (and conflict w/ US Const.)   Constrain ambiguity   Assign R2A

Slide 55



Key question

•  What dangers should be considered?

Slide 56



Slide 57

Overview

•  Extremistan •  New vulnerabilities, new threats •  Converging missions •  Rethinking electronic surveillance •  e-Terry, NSSA, DI5/SysAdmin, OIOW-Triage-Treaty •  Cautions/caveats – SLIPPERY SLOPE, ABUSE, ERROR •  Context/subtext



Caveats

•  Slippery slope   Bureaucratic imperative   Indiscriminate tools

•  Abuse and misuse   Make it “hard to do, easy to spot”   Immutable logging (avoid post hoc rationalization)

•  Error and error correction   Make errors visible (internal advocate, oversight, etc.)   Due process

Slide 58



Key question

•  What values should be considered?

Slide 59



Slide 60

Overview

•  Extremistan •  New vulnerabilities, new threats •  Converging missions •  Rethinking electronic surveillance •  e-Terry, NSSA, DI5/SysAdmin, OIOW-Triage-Treaty •  Cautions/caveats •  Context/subtext – “PRIVACY”, SURVEILLANCE VS.

OMNIVEILLANCE, CONTROL SOCIETY



Slide 61

A Brief History of “Privacy”

•  Physical privacy (~ universal norm?)   Home is your castle   Property right

•  Information privacy (culturally and technology specific)   Cf., Ancient Greek world, private persons were idiotes since

you had to engage in public discourse to have an opinion

•  Print created “privacy” by unifying the two   Private “thinking” space   Modern notion of individuality and privacy   Michel de Montaigne (16thC) -- “the back room”   Based on enforcing borders or barriers



Slide 62

The U.S. Legal Claim to “Privacy”

•  The emergence of “mass media” technologies resulted in violations of social borders (previously enforced through physical space)

•  Warren/Brandeis article (Harv. L.R. 1890)   Tabloid press and fast/mobile photography   Claim to privacy based on property rights (“intrusion”)

•  Unpacking the modern notion of privacy   Secrecy (don’t know) (4th A)   Anonymity (don’t attribute) (1st A)   Autonomy (don’t care) (power over use) (5th A)



Slide 63

Information flows and privacy

•  Technologies of communication bound potentialities   Oral culture: information exchange is bidirectional   Print culture: information exchange is unidirectional   Net culture: information exchange is omnidirectional

•  In a network the most important characteristics of a node are its connection not its intrinsic properties

•  Is ontological separation (nee “privacy”) viable? •  Compare “confidentiality” based on relationships

(protect autonomy directly?) (EU-dignity, UK-conf)



Slide 64

Failure of U.S. Privacy Law

•  Authoritarian   Based on experts and authorities

•  Relevance   Aging notions of individuality   Privacy vs. personalization

•  Subjective perception of violation   Personal and contextual   Therefore local, not broad based

•  Privacy law overly focused on disclosure/collection (secrecy) rather than use (autonomy)

•  Regulatory capture: using privacy claims to render powerful institutional actions opaque while making others transparent



Slide 65

Social ~ Technical privacy

•  Social privacy - group awareness vs. individual “P” •  Technical privacy - system awareness vs. user “P” •  Value sensitive policy and technology design process

tries to expose all aspects of both these relationships early and throughout the design, development, and implementation of socio-technical systems



Slide 66

Emergence of the Surveillance Society

•  Surveillance - collection and analysis of information about populations in order to govern their activities

•  Surveillance is the social response to privacy and anonymity

•  Surveillance is a social control mechanism to provide accountability for behavior within systems (thru audit)

•  Counterparty trust •  Surveillance is a feature of modernity



Slide 67

Characteristics of the Surveillance Society

•  No single big brother – ability to harness the surveillance efforts of otherwise disparate technologies and organizations (info sharing/access to existing data)

•  Power is in taking advantage of existing systems •  Interaction of the panoptic and synoptic

  Panoptic - few watching the many •  Fear and uncertainty about the unseen observer •  Classifying populations for management •  Or discursively, by constructing subjects

  Synoptic - many watching the few •  Seduction and enticement rather than coercion



Slide 68

Consequences of a Surveillance Society

•  Surveillance technologies do not monitor people qua individuals but instead operate thru process of dissembling and reassembling data points (audit)

•  Creates a subject/identity - data double, surveillant assemblage, digital dossier, virtual self

•  To use for social sorting, a technique of power to shape destinies

•  Based on what is measurable/auditable in system •  Can lead to autonomy trap if not made visible



Slide 69

The evolution of modern social control

•  Sovereign model based on arbitrary decree •  Beccarian model based on punishment and

deterrence of deviant acts after they are committed •  Foucauldian model (panoptic) of general social

compliance through ubiquitous preventative surveillance and control through systems constraints

•  Deleuzian model of a “control society” based on seduction and enticement rather than coercion



Slide 70

Discourses of Opposition/Resistance

•  Privacy (but “connections” are not individual privacy violations but disclosures of social organization)

•  Effectiveness (paradoxically reinforces need for more intensive surveillance)

•  Technology (battle of the experts) •  Identity (profile or reputation?) •  Input error (bad data) or threshold error (bad decision) •  Function/mission creep

  Slippery slope and desensitization   “Terrorism” and “Child exploitation”



Slide 71

Strategies of Opposition/Resistance

•  Luddism   whack-a-mole (“privacy lobby” v. TIA)

•  Techno-fix PET (privacy enhancing technologies)   Strategies of consent (notice, P3P, etc.)   Strategies to separate kn of identity from kn of behavior

•  Selective revelation and rules-based processing •  Reintroduce cost/inefficiency as a brake on power •  Process intervention points - policy appliances

  Audit * (accountability strategies)

•  Value sensitive policy and design   Expose the social construction to democratic process



Context/Subtext – the Control Society Divine Right > Beccaria > Foucault > Deleuze

Slide 72

Big Brother or Matrix?



Slide 73

What is “control society”?

•  Control/security is not achieved primarily by law enforcement through arrest and prosecution (“low policing”) but by risk management through surveillance, information exchange, auditing, communication, and classification (“high policing”)

•  Result is not homogenization but infinitely fine-tuned differentiation/personalization (Matrix not 1984)

•  The endpoint is to eliminate the potential for deviance by managing opportunities (fix potential outcomes)



Omniveillance

•  Is this a 1st, 4th or 5th Amendment problem? •  What is the appropriate rhetoric and strategy of

opposition to shape effective policy? •  Is “privacy” historically obsolete? •  If so, what should replace it?

Slide 74



Slide 75

<taipale.info> </end>



Addendum: ECPA

•  The Wiretap Act   “Super” warrant   Transit requirement   Voice/video distinction (~ FISA)

•  The Stored Communications Act   Regular warrants <180 days   Admin subpoena > 180 days

•  The Pen Register Act   Smith ph# > address headers   Wholesale collection vs. retail (individual)

Slide 76



Addendum: Third Party Doctrine

•  Collection vs. secondary use •  U.S. v. Miller

  “business records”   Cf. bailee cases

•  Smith v. Maryland   Phone # (~ duration, etc.)   Retail/individual record vs. wholesale

•  Data quality for re-use

Slide 77

Documents

Electronic Surveillance in Extremistan€¦ · • Prevent seizure or subjugation of land or peoples and destruction or control of vital physical or geographic assets Counter/preempt