Last week (14-15 October 2014) I was in Brussels taking part in the ISSE 2014 information security conference, where I had also the opportunity to present a paper on the European Court of Justice’s repealing of the Data Retention Directive. Among the keynote speakers was Troels Ørting, head of EC3, the European Cybercrime Europol Centre. EC3 is the leading Law Enforcement agency combating cyber criminals in Europe. Ørting’s keynote speech presented the quintessential cops’ (his word!) view of the powers LE agencies need to fight criminals (not to mention terrorists, child molesters and other assorted crooks threatening the very basis of civilization).
The conversation about how cyberspace should be governed and what is the right balance of regulations and security versus freedom and privacy is still very relevant, as it should be. Here I’d like to oppose the cops’ view, brilliantly exposed by Mr. Ørting and explain why and how much it is wrong, not to mention dangerous for free and open societies.
The house with special walls
What I call “cop mentality” is unfortunately widespread among Law Enforcement agencies and officers, even if by no means shared by all. According to this view “everybody is a potential criminal until proven otherwise”. This way of thinking may well be useful in your job, if you are a cop, but must be tempered by judiciary supervision, internal checks and -most importantly- constitutions, bill of rights and statutes, in short the legal system.
The beginning of this century has seen the unchecked growth of this mentality and less and less protection of citizens’ rights by the law, on both sides of the Atlantic. Also we have seen the blurring of the line between law enforcement and intelligence agencies -a blatant example is the NSA, a military agency that acted in practice as feeder to law enforcement. The eroding of basic rights was and is justified by real or inflated threats that range from terrorists to pedophiles, from financial fraudsters and cyber criminals to IP “pirates”.
On the Internet, this translates into widespread and preventive surveillance of all online activity by LE/intelligence agencies -see the “collect it all” strategy of former NSA director Alexander for instance. The example Ørting uses to justify this trend is particularly disturbing.
Ørting’s example for this trend is particularly disturbing. What if we (the police) suspect that inside a certain house drug dealing is taking place but, because the house has walls made of a “special metal” that makes it impossible to look inside. How can we make our job (taking the criminals) if we cannot see inside? (translated into cyber this would mean complete access to all devices, servers, communications etc). First of all, if the cops -already- suspect that inside a house something is going on they could probably obtain a search warrant (for that house, not all the city) by a judge. You could stake out the house and arrest your suspect when they come out, or you could send an officer undercover… Maintaining that all houses should be transparent (like in the dyspotian novel “We” by Russian writer Zamyatin) is non only ludicrous but a very dangerous idea to float around. Also the comparison fall apart quickly when you consider that only in dictatorships the state have the right to enter private homes without limitations or justifications…
“Law enforcement cannot be effective if we are prevented from identifying the perpetrators beyond reasonable doubt,” he said. “‘I’m just trying to do my job! ” Well, you can do that without invasion of personal privacy, as we have seen.
The same worldview is apparently shared by FBI director James Comey, that recently said that encryption of personal data on mobile devices (by Apple and Google for instance, in their last OSs) “threatens to lead all of us to a very dark place”, invoking legislative measures to force companies to give up on this. Fortunately Congress (at the moment…) seems to appreciate the political danger in enforcing more privacy invasions.
A society of children
Together with the usual fear mongering -billions of people outside the “West” are accessing the Internet and represent a danger to us, be it as terrorists or fraudsters is secondary, the vision of society that emerges from the “cop mentality” is that of a society of children, of minus habens that need the cops to protect them and prevent crime. “Most of the 2.9 billion people active online have no clue about security and someone has to protect them”, especially elderly people like “my mom” that knows nothing about security online. Education and awareness are not part of the picture, it seems. For the record, my mom is more than able to go online with a reasonable level of security both on her smartphone and with a a PC. We must build awareness, knowledge and self responsability, not rely on the “authorities” to protect us.
We are the adults
Ørting started his speech with a disclaimer: “I am getting a lot of flack from privacy people because I want police to have access to information on the internet” (quote, unquote). The definition of “privacy people” reeks of the smugness of who thinks he is the only one understanding how the real world works, not like this geeky, spoiled types advocating strange concepts as “privacy” and “civil liberties”. Well, some of these “privacy people” are not so geeky and alternative: it seems the members of the European Court of Justice are some of them. The Court repealed in early 2014 the European legislation that mandated uncontrolled (meta)data retention for up to two years for phone and Internet communications because it conflicted with the Charter of the European Union protecting the fundamental rights of privacy and data protection. I for one advocate an open society where every citizen is responsible for protecting themselves (online and even offline), as adults. Another quote: “We need to get away from IT religion and instead go into reality”. The implication is that us geeky types live in dreamland without many contacts with reality (in the “cloud” maybe): I would like to reassure the world that is not the case. Probably we just value some things more than others and can discern how they are being taken from us all better than others. It all boils down to find a right balance.
Trust us, we are the police!
According to Ørting “the same trust in police and state should be applied in cyber space as in the real world”, implying that they (the state) have to be trusted implicitly. I have news for the cops: trust in the (offline) state is (at least where I live) is at an all-time low, so I would not call for the same level of trust in cyber if I were you. In my work as a digital forensics analyst I often come across this idea that we have to trust the cops without question whatever they do. I respectfully (without throwing any stones) disagree, trust must be earned and kept alive, it does not descend from above.
The only way to build trust in the state and the police is for them not to overstep the boundaries of fundamental rights just to make it easier to catch criminals. Remember the Soviet Union had one of the lowest crime rates in history, but what was the price? The cops mentality however is widespread but not by all means shared by all Law Enforcement Officers. I want to believe our open societies can resist the fear and possess the democratic antibodies not to transform themselves into soft dictatorships.