Given recent events, I’ve been thinking a lot lately about metadata. The “Patriot”* act, signed in the hazy, fear-driven months after 9/11, was a piece of legislation so broad that even one of the authors now says the hoovering of telephone metadata was never the intent of the law. Law, like any type of contract, is a funny thing. It’s not so much what you say, it’s what you don’t say that matters. I was concerned about the potential exploitability of the fear-driven, rushed passage of such a law – turns out I was right.
At Microsoft, the Security Development Lifecycle (SDL) is deployed across the company as a method to build software which is secure by design. A core tenet of this process involves threat modeling. Simplistically, with threat modeling, you create scenarios and examine all possible exploits for your software design, and work to mitigate them ahead of time. Just as importantly, with threat modeling, you also wind up with a model to work from when your software does wind up being exploited down the line.
As a practice, threat modeling requires one to consider the absolute worst end results that can come about by the creation of the system being examined. When we look at the “Patriot” act, it is obvious that no threat modeling occurred prior to the drafting and passage of the legislation. Just as importantly, even with their supposed oversight of the NSA’s actions, legislators renewed the act again in 2011 without forcing the NSA to curtail overly broad metadata gathering.
In the US, the goals of the shareholder are often at odds with the goal of the citizen. The shareholder wants to see YoY earnings growth, all too often with little concern about how much that growth costs in terms of the environment, employee retention, or even long-term sustainability of the business. It’s about here and now. In a Gordon Gekko-ish tone, it’s often about greed. The citizen wants to see businesses grow, but not by impeding on their rights, cutting their salary or survivability, or by harming the long-term potential of the republic (which I believe includes the environment).
Politicians in the US all too often reward the companies which helped finance their election, even if doing so results in harming the interests of individual citizens or the republic or state at large. Referred to as soft corruption, money into the system is used to affect purchasing or policy outbound. We see this happen all the time – for example, an individual who used to head the Department of Homeland Security enthusiastically lobbying the DHS to deploy full-body scanners en masse, without disclosing that he is being paid by manufacturers of the devices – and despite the fact that millions of dollars of these devices would wind up being junked. This isn’t new – as I mentioned yesterday, Thomas Jefferson alluded to the same greed-driven, myopic decision making happening 200 years ago.
The interests of the intelligence community (and the businesses that sell them technology) are often also at odds with the interest of the citizen. IBM gleefully sent executives on a junket to lobby for the passage of CISPA, a cyber-security bill whose creator may have even had conflicts of interest in its passage. One can only imagine the back-door lobbying that IT companies providing infrastructure to the NSA did ahead of the “Patriot” act renewal in 2011.
As we stand back and consider the NSA’s massive metadata harvesting machine, it’s easy enough to see how we got here.
- A bill passed without adequate consideration for the risks it was creating (versus the ones it was attempting to mitigate).
- An intelligence community that will do whatever it takes, including going right up to the creepy line and beyond in terms of how the founding documents of our country and the “Patriot” act can be interpreted.
- Many businesses will often do whatever it takes to sell technology, software, and services to the intelligence community, without regard to the harm they are causing to the republic and the rights of citizens.
All of these steps happened (and can and will likely happen again) without any regard to the chilling effect they have on civil liberties, are likely to have on the adoption of cloud services sold by US companies, or the long-term harm they do to the trust of citizens in their country, and the stability of the republic overall.
When creating anything, whether it is software, technology, anything… envision the worst possible scenario for its exploitation. Imagine malevolent actors with more hunger for power or money than integrity. Imagine being Leo Szilard, a brilliant scientist, contemplating the risks of a nuclear chain reaction being used by others to create a bomb, and defensively sending President Roosevelt a letter about the technology and the risks against your country. Your action in turn results in the Manhattan Project, with the technology ironically headed towards offensive use as a military device against civilians, against the wishes of you and many of your peers. The result? Your petition is ignored, you and your peers are investigated and penalized, and your prediction of an arms race that can’t be won comes to fruition.
Here we find ourselves in 2013, hurtling drones around the world, killing supposed bad actors, without any consideration of the fact that this action invites a response in kind down the road when bad actors can obtain adequate technology and return the favor. We try to stop people from printing guns, as if people looking to break the law will only buy 3D printers that are legal. Same with 3D key replicators or devices that can easily unlock and start many kinds of vehicles. The velocity of technological change is continuing to accelerate, faster than ever before. An incredibly large number of innovations in the recent past (including the technologies used by the NSA to process this volume of (meta)data) require us to understand the ethical ramifications of them before we bring them up and put them into place; and when these technologies are exploited, analyze the ethical reasons behind why. Our evolving world requires us to think long-term, and consider the ramifications of our actions before we begin.
*I always write the name of this piece of… legislation this way, in quotes. This law overreached and damaged our republic. It also even damaged the meaning of the word ‘patriot’.