Q&A: Susan Landau on Wiretapping and Data Mining
FierceGovernmentIT, April 13, 2011
Susan Landau is author of the recently-published book "Surveillance or Security," which we're excerpting here. Currently a fellow at the Radcliffe Institute for Advanced Study at Harvard University, Landau has also been an engineer with Sun Microsystems and an academic researcher of algebraic algorithms.
We recently caught up with her to ask her about wiretapping, unintended consequences, connecting the dots and the role of surveillance in society.
Landau: That's a stronger statement than I think they claimed. And it depends on what you mean by "they used to." Let me take both pieces – they said they're going dark, and they're having some problems. They didn't say they can't get anything, and it's clear from various prosecutions and arrests that they're getting plenty.
The second thing is "as they used to." The first federal wiretap bill passed in 1968, that was Title III, the second in 1978, that was FISA. At that time we didn't have location information when somebody was moving about. They used a payphone, and unless you were following them with detectives, with plainclothes people – we're probably talking about 30 full time people a week – you would have no idea the communications they're having. Because you have no idea which phones they're using.
Cellphone and IP communications often reveal where the targets are. That's data that law enforcement did not have until 10, 12 years ago. So when you say "information they're accustomed to having," you have to put it in the context that the technology changed relatively recently, and the law did not change to increase privacy protections of the populace at the time that the technology began revealing far more information. That's the flip side.
FGIT: So would you dispute the premise that they are going dark?
Landau: No. The question you asked originally is "unable to," and I said, they're not "unable to," they're having trouble.
FGIT: Does the emergence of the ability to track people by their cellphones, and also the emergence of being able to track people by their IP address, does that, in sum, add up to a greater flow of information than that which is subtracted by the difficulties of intercepting peer-to-peer communications?
Landau: It varies with the target, so that makes your question somewhat impossible to answer. It's not a fault of the question, it's just a fault of the technology. Some targets becomes much easier, and some targets become much harder. There are a whole bunch of cases I mention [in the book] where transactional data enabled law enforcement or national security to get the guy.
At the same time, we know there are cases where encryption of peer-to-peer communication thwarts law enforcement. [FBI General Counsel] Valerie Caproni [also at the House Judiciary hearing] mentioned two. But I'm sure there are more than that. It varies by case, and in the absence of more detailed information, it's difficult to say how that balance is really changing.
I'm not trying to dance to avoid your question, I'm just trying to be very careful to be precise.
FGIT: Given that difficulty, would you support an effort to expand CALEA to emerging technologies?
Landau: I said during the testimony, and certainly believe – I think that's the wrong way to phrase the question. That's the way the FBI wants to phase the question, but I think that's the wrong way to phrase the question.
I think the first thing to note is that there are three types of communications technologies – there's the old PSTN and cellphones, which use centralized communications. There are things like Facebook or Gmail, which are again centralized, because they go to Facebook or they go to Google. And then there are completely decentralized communications, like Skype.
The first two categories don't present problems, although the second category of centralized communications that are somewhat new – Gmail is no longer new, Facebook is no longer new, but they were new not so long ago – those communications, if they present problems for law enforcement in tapping, they present problems at the policy level. They didn't know who to get in touch with at those companies, they didn't know how to run the tap. It wasn't that the tap was technologically complicated.
The third kind does present a problem. But there are also things that law enforcement could be doing that it's not.
One is that it appears that law enforcement is doing still case-based investigations. That is to say, it doesn't have a sufficient research arm for saying, "Okay, new communications technology, let's figure out how we wiretap this communication technology before we have a case." Because, if it's at all complicated, they use time during the middle of a case. That's the first thing they should be doing. So, I favor bolstering their research funding for the going dark program.
During the testimony, the president of the International Association of Chiefs of Police talked about how his people had a lot of trouble figuring out how to wiretap, and that was due to they don't have the resources to figure out every new single communications technology. National law enforcement – FBI – does, and should have much better interface to that for state and local. There were FOIAed documents released the day before the hearing that said explicitly that that information was done on an ad hoc basis. State and local do something like three fourths or four fifths of the law enforcement wiretaps these days. Fixing that problem would probably take care of a lot right there.
Then, I think we probably need to do a longer term look at what the problems are that law enforcement is facing, and put it in the context of what security risks arise if one were to build solution along the way that law enforcement would like.
FGIT: You're saying that the security risks of building in an ability to wiretap would outweigh the increases in security?
Landau: I would say that there is certainly a big risk that would happen. Yes, I am saying that there is a serious risk that would happen. We have examples: The Greek wiretapping case, Italia Telecom and the Cisco architecture.
FGIT: One thing you mention in the book that I found interesting is you say this notion of being able to connect the dots – if only we could connect the dots, we would be able to have perfect counterterrorism – is actually incorrect.
Landau: That's right. We had that happen right post Sept. 11, when the Bush administration authorized the warrantless wiretapping. There's an article in the New York Times where the FBI is quoted as saying, "We were getting so many possible leads from the NSA from those warrantless wiretaps, we couldn't follow them up." And most of them were not worth following up.
We don't have, in terms of social science research, any good profiling of what terrorist networks look like. Small groups of people who communicate almost exclusively with themselves can just easily be a startup, or it can be a rock band – and it's much more probabilistically likely to be that. Focusing on connecting those dots when the dots are not so easy to connect, and when we don't really understand what the information is giving us, that'd be a waste of resources that could be better applies in other kinds of investigations.
FGIT: Is this a problem surpassable with the right research, or is it inherent?
Landau: At some point, years into the future, we may be able to do it. The people who do data mining will tell you they can do it. But there was a recent case with the CIA, front page story in the Times, that they sunk a lot of money into a technology that couldn't possible do what it was claiming to do. We don't have examples of the technology doing this. Currently, it's a dream, not a reality. And you're not getting clear evaluations about what the technology can and cannot do.
FGIT: The article you're referring to, that's the one with that guy who convinced the CIA that Al Jazeera was embedding secret messages?
Landau: That sounds right.
FGIT: So, if connecting the dots isn't the answer, then what is a sound strategy that makes use of all these data flows?
Landau: The first question is, "What are we trying to protect against? What are our most serious risks?" And that's the question one needs to answer. And you need to answer it for every different domain differently. If you're a .edu, you have a different set of risks than if you're a .com, than if you're a .gov, than if you're a .mil.
Each one of these organizations should have a different set of answers. If you're law enforcement, what you want to do is arrest the guy and go on to the next case. If you're national security, what you want to do is secure the nation's communications, even sometimes private sector communications. And, do signals intelligence on everyone else. In the question that I hear, you're asking me the question from the point of view of law enforcement. I would argue that's a narrow lens under which to look at the problem.
FGIT: You address in the book that counterterrorism and law enforcement have been conflated somewhat.
Landau: Yes, there's been a conflation of the two. Going after bad guys who are drug dealers who run prostitution rings and so on is a different kind of investigative skill than going after people who may be just politically interested, some of whom may cross the line to becoming bad actors. That's a different set of knowledge and different set of skills – as I say in the book, the New York City Police seem to have done a really good job of trying to understand what the issues are there. And how you have to investigate. But, going after the situation hammer and tongs and saying, "These are all bad guys, we've got to wiretap broadly" is not a healthy thing either for the investigations or society.
It may be healthy for a particular investigation, but then it compromises community help, involvement down the road, and that's really problematic.
FGIT: In the conclusion of your book, you say that "Justice trumps security."
Landau: That's right. Look, there was no crime in East Germany. I don't think any American would like to live in the world that East Germany was. There was essentially no petty crime in the Soviet Union. There was plenty of other crime, in the sense that the government was criminal in a very deep way.
One is always balancing risk, and a society that ensures no criminal activity is a society that has a level of surveillance that Americans do not want to live with. I recall reading a number of years ago about someone living in Singapore who had a knock on the door because the plant he had on his terrace had water in the basin of the plant, and that could encourage mosquitoes.
Sure, it's good not to have mosquitos, especially in a climate like that where they can carry malaria, etc., but that's also a very scary situation, where the police knock on your door because they'd observed you watering and there's a plant pot that captures the water that drips from the plant. One has to determine where we want to draw the line in our society.