“I always feel like somebody’s watching me. And I have no privacy.
I always feel like somebody’s watching me. Tell me is it just a dream?” It was both appropriate and prophetic that the singer Rockwell crooned those words in 1984 – the year that Orwell’s Big Brother was supposed to surveil everything – but they seem to be more of a truism today, when governments, social media, and businesses can easily keep a watchful eye on citizens.
The concept of surveillance, or the close observation of a suspected spy or criminal, has evolved to include technological tools, tactics and techniques used to track the movements of bad actors and, in many cases, to better protect and defend the security of organizations as well.
Terrorist attacks on civilians in Paris, Brussels and here in the U.S. in recent years have helped spur the growth of all types of surveillance. Case in point: intelligent video surveillance, which is expected to grow at a compound annual rate of 18.2 percent through 2022, according to research from the Homeland Security Research Corp. Growth in this area is driven by security-related video surveillance, safe cities projects, autonomous driverless vehicles, and the Internet of Things (IoT), along with maturing video technologies and decreasing costs. HD video cameras that cost $3,000 or more in 2010 are expected to cost $60-$80 in 2022. The boom in defense-related intelligent video surveillance, advanced analytics, robotics and video-guided munitions also contributes to rosy growth estimates.
In today’s world, surveillance is very much considered a double-edged sword. As its use rises, current privacy protections — many of which were written before the advent of cell phones — are simply ill-equipped and ineffective at protecting privacy and personal information.
Although most people once thought government surveillance was the biggest threat to individual freedom, private sector surveillance is currently fueling enormous privacy concerns. “If anyone ever wondered what Facebook’s product is, that would be YOU,” says Samuel Visner, MITRE’s director of cybersecurity and an adjunct professor at Georgetown University.
Users must remember that social media and other online platforms that make information sharing “free” are driven by ulterior motives to monetize the information that is shared, Visner explains.
Technological advances give governments and private sector businesses unprecedented access to personal information. “To ensure that people can seek information and express themselves freely, there must be reasonable checks and balances on governments’ ability to access, collect, and store individuals’ data. Both security and freedom can be protected, but only through balanced laws and policies that uphold human rights,” says Michelle Richardson, deputy director of the Freedom, Security, and Technology Project for the Center for Democracy and Technology.
CDT works to protect the privacy of internet users, and advocates for stronger legal controls on government surveillance. “Facebook is a strong example of how things can go wrong when companies are allowed to operate with no responsibility for privacy. Facebook has grown so large it has an outsized influence on the debate,” Richardson explains.
Striking Data Gold
Over the years, surveillance has evolved from literally ‘following people around,’ as spy-catcher Eric O’Neill says about his role as a former counterintelligence operative responsible for capturing (CIA spy) Robert Hanssen. O’Neill currently serves as national security strategist for Carbon Black. “Now that nearly everyone understands the enormous value of their organizational data, harvesting that information is a primary driver behind many of the biggest corporate success stories today.”
While the specter of government surveillance remains problematic, data collected by private companies now overshadows what any government outside China has tried to collect previously. Because the surveillance and harvesting of personal data is done with no judicial oversight — a cornerstone of democracies around the globe — companies such as Facebook, Google and Twitter are now facing a congressional inquiry. In Facebook’s case, the Federal Trade Commission is examining Facebook’s privacy policies, and Mark Zuckerberg has agreed to testify before Congress about data collected and how that data is used. “These organizations must be reined in, and brought within the law, just as governments have in the past,” says Neema Singh Guliani, legislative counsel for the American Civil Liberties Union (ACLU).
Rising public consciousness of the issues surrounding privacy and security is an important surveillance trend, according to Guliani, because the public understands it must be more vigilant about the information shared. In terms of other leading government surveillance trends, Guliani cited growing concerns about the information citizens have supplied that is now being used in immigration enforcement and deportations, and the obvious need for greater national security in elections. “I see a glimmer of hope in the public’s growing realization of the need for stronger privacy protections, though we still have a long way to go to protect the public from data breaches, leaks and illegal surveillance,” she admits.
Advances in IoT, big data analytics, machine learning/artificial intelligence, automation and collaboration all contribute to improving both access to and analysis of personal information and transactional data. As more devices gain IoT smarts, for example, “filling them with functionality provided by millions of lines of code, connecting them to the Internet, and then trying to secure even one smart device with perhaps tens of millions of lines of code, is a very difficult task,” says Philip Reitinger, president and CEO, Global Cyber Alliance.
“No one yet knows how to write vulnerability-free code in a commercially reasonable way. As a result, there are likely billions of smart devices with vulnerabilities,” Reitinger explains.
On the other hand, surveillance technologies may also help improve cybersecurity protections, enabling organizations to closely monitor and mitigate threats. In industries such as healthcare, finance, hospitality or electrical power, there are federal oversight recommendations and guidance published by NIST and the National Cybersecurity Center of Excellence (NCCoE) that can help organizations improve cybersecurity and privacy protections.
The recent Russian attack on U.S. power supply operations underscores how electrical utilities must focus on improving cybersecurity controls. “This is also why NCCoE’s guidance is worth close examination,” Visner explains.
Balancing Security and Privacy
To say privacy protections have not kept up with surveillance advances is an understatement. And a currently lax U.S. federal regulatory climate doesn’t bode well for improvements in privacy protection, Guliani admits. However, some states have implemented laws and other reforms in the absence of federal congressional action. And whether U.S. standards comport with those of the European Union is in question in the current Privacy Shield debate. The Privacy Shield agreement between the U.S. and the European Union, which governs transatlantic data transfers and is used by thousands of U.S. businesses to serve European customers and perform daily operations, will be challenged in European courts.
“This is an important signal that privacy is increasingly globally linked with other human rights,” Guliani explains. “There’s a growing recognition that privacy is not abstract, and requires a structure to consider the harmful effects that a lack of privacy creates.”
The cutting-edge uses of technologies such as facial recognition, biometrics, location tracking and social media make surveillance tactics such as listening to phone calls “so 2005,” according to CDT’s Richardson. “It’s not easy for federal oversight organizations to keep up when technological advances are a decade ahead, and by the time the government can complete an acquisition, the proposed solution may be out of date,” Richardson maintains.
There are also questions about whether people simply expect too much, or whether government is doing too little. The privacy versus security debate will only intensify as the public learns more about how Facebook, Amazon, Google and Twitter have grown into heavily used platforms that resell personal information to advertisers. “It’s still largely unclear what is illegal on the part of these platform providers. The legality of what they collect and do with this information remains ambiguous,” says Visner.
What Lies Ahead?
Data providers will likely bear greater responsibility for the use and sharing of information, more so than they have in the past, Visner said. As Congress gears up for a conversation with social media giants, it’s likely these companies will be subject to regulatory scrutiny. “Profit seeking is a legitimate motive, but breaking the law is not,” he added.
Ultimately, if Cambridge Analytica approached Facebook with an academic experiment and then accrued and used personal data for nefarious purposes, that would constitute a serious problem.
In 2019, Congress will debate expiring surveillance provisions in the Patriot Act, providing another opportunity to force a re-examination of U.S. surveillance laws. And pressure to reform surveillance laws could also come from across the Atlantic: if the Privacy Shield is struck down, surveillance reform may quickly become an economic imperative for companies that do business in Europe.
In the future, Carbon Black’s O’Neill predicts artificial intelligence, automation and collaboration will become critical to improving security protection. For example, he adds, “we could examine social media platforms that teachers and others inside schools use to analyze posts online — to spot, tag and track students or others nearby who may be considering violence. Data analytics tools available today could be useful to help stem gun violence in our schools.”
Others cited the general need for nearly every organization to adapt or evolve. “There’s a need to build ecosystems resembling human body bio-defenses, as opposed to the typical ‘command and control’ mechanisms currently in use,” says Reitinger.
“An automated, biodefense-style ecosystem would include strong authentication, automation, interoperability and collaboration to exchange information about risks or compromises at internet speed,” he explained.
Meanwhile, although comprehensive privacy laws are unlikely anytime soon, the FTC’s examination of Facebook will likely lead to reforms in data collection policies. “As a group, data collection companies maintain that the situation is too complex, but Zuckerberg has admitted that reforming policies surrounding data collection ‘isn’t rocket science,’” Richardson says, adding, “while reforms needed may be complicated, it’s no longer impossible.”
In the U.S., the Foreign Intelligence Surveillance Act (FISA) governs nearly all surveillance and intelligence collection on U.S. soil. Industry observers maintain that U.S. citizens who are not criminals or terrorists may still be affected by Congress’ continuation of Section 702 surveillance.
The decision to continue Section 702 of FISA earlier this year means that just as in prior years, intelligence organizations won’t be required to inform a person when he or she is under surveillance, CDT’s Richardson explains.
So many of FISA’s efforts remain classified, with no clear picture of the types of data being collected and the technologies used to track individuals. This situation remains problematic, according to privacy advocates such as Richardson and ACLU’s Guliani.
The ACLU will continue its fight against Section 702 in the courts. And a federal appeals court is also considering the constitutionality of Section 702 surveillance in a criminal case that may shine more light on the impact of warrantless spying and how it violates the Fourth Amendment and U.S. privacy rights.
The Fourth Amendment prohibits searches without a warrant based on individual suspicion. Even if the information collected under Section 702 is never used against individuals, the violation of citizens’ rights remains a serious problem, says Guliani.
Rulings in any court proceedings may also require Congress to revisit the law.