Privacy and Security on the Internet

By Thomas Guzman*

I. Introduction

The Internet has changed how people get information, purchase goods, and interact with one another.  The Internet has been labeled a human right by the United Nations,[1] and Hilary Clinton has identified Internet freedom as a core value in line with freedoms of expression.[2]  Governments have struggled with questions about how to regulate the Internet.  Lately, the Internet regulatory debate has centered around privacy on the web and security on the web.  The two debates are more inextricably intertwined than may appear at first glance.  Can there be complete privacy on the Internet while maintaining enough cyber awareness to ward off potential threats?

II. Background

In a recent New York Times article, Howard E. Shrobe, a computer science professor at the Massachusetts Institute of Technology, is quoted as saying, “[t]he software we run [on the internet], the programming language we use, and the architecture of the chips we use haven’t changed much in over 30 years….[e]verything [on the internet] was built with performance, not security, in mind.”[3]

Since Edward Snowden released troves of information shedding light on the National Security Agency (NSA) data collection methods, privacy on the internet has been a much discussed topic.  Concerns center on governmental activity monitoring their own citizens’ data in the United States.

Prior to Edward Snowden’s disclosures, the Obama administration had already begun examining policy solutions to use data gathered from government entities to protect U.S. critical infrastructure for national security purposes.[4]

A. Snowden Sparks a Debate on Privacy

In 2013, a former contractor for the NSA, Edward Snowden, released thousands of documents to the media, giving the public a look into the secretive practices of the NSA.[5]  Snowden’s leaks showed the breadth and depth of NSA data collecting practices on both foreign nationals and U.S. citizens located domestically.  Snowden cited civil liberties as his primary motive for disclosing classified information.[6]  If Snowden wanted to spark a public debate on the merits of government data collection practices, he was certainly successful.

Following Snowden’s leaks, James R. Clapper, Director of National Intelligence, apologized for previously lying to Congress.  When asked if the NSA collected any type of data on millions of Americans, Clapper replied “no, sir.”[7]  U.S. District Court Judge Richard Leon said that the agency’s controversial program appears to violate the Constitution’s Fourth Amendment, which protects Americans against unreasonable searches and seizures.[8]  The program collects records of the time and phone numbers involved in every phone call made in the U.S., and allows that database to be queried for connections to suspected terrorists.  “I cannot imagine a more ‘indiscriminate’ and ‘arbitrary invasion’ than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying it and analyzing it without judicial approval,” wrote Leon, a George W. Bush appointee, in the ruling.[9]  The Supreme Court denied a writ of certiorari to hear the case.[10]

A White House-appointed review panel recommended that the government cease storing call data on hundreds of millions of Americans.[11]  President Obama acknowledged the dialogue surrounding NSA data collection and civil liberties arose at least in part due to Snowden’s disclosures.[12]

Snowden’s disclosures also raised the issue of privacy on the Internet abroad.  Brazilian President Dilma Rousseff championed legislation in her home country that has been touted as an internet bill of rights which limits the metadata that can be collected on Brazilians and promotes access to the Web.[13]

Whether or not the effects of Snowden’s disclosures are positive or negative may be one of opinion.  What cannot be undermined, however, is the rise in awareness of the scant privacy available on the Internet.  While Snowden’s actions led to a whiplash reaction to denounce the NSA’s overreach, which was compounded by the NSA falsely attributing averted terrorist attacks to the data collected, there are more considerations and factors weighing into the merits of monitoring web traffic.

B. Critical Infrastructure Concerns

In a 2013 report to Congress, the Department of Defense accused China of accessing and collecting data on U.S. diplomatic, economic and defense industries.[14]  U.S. accusations were corroborated by a report by Mandiant, a cyber-security firm, which came to similar conclusions.[15]  The accusations from Mandiant and the Defense Department demonstrated the vulnerability to U.S. national security interests against cyber-attacks.

Attempts to pass legislation to address cyber security concerns of private industry critical to national interests have stalled, especially after Snowden’s disclosures.[16]  As a result, President Obama signed an Executive Order in February 2013 that directed the Department of Homeland Security to create a national framework that reflects the increasing role of cyber security in securing physical assets.[17]  “Much of our critical infrastructure – our financial systems, power grids, pipelines, health care systems – run on networks connected to the internet, so this is a matter of public safety and of public health,” President Obama stated in January 2015 while introducing a renewed efforts to pass cyber security reform.[18]

C. Sony

In November 2014, Sony Pictures Entertainment suffered a massive cyber-attack that exposed terabytes of information including personally identifiable information (PII) of Sony employees, emails, and unreleased movies.[19]  On November 24, 2014, Sony became aware of the breach when an ominous red skull with a warning that Sony’s secrets were about to be released appeared on computers at Sony. It is unclear when Sony’s systems became compromised.[20]  A group calling itself “Guardians of Peace” took credit for the attack.  On December 19, 2014, the U.S. Federal Bureau of Investigations (FBI) concluded that North Korea was behind the attack on Sony.[21]

On December 16, 2014, Guardians of Peace, the group claiming responsibility for the hack, posted terrorist threats online directed at movie theaters if they played Sony’s motion picture “The Interview.”[22] The movie is a comedy, which includes a scene depicting the North Korean dictator Kim Jong Un being killed.  In June 2014, North Korea wrote to the Secretary General of the U.N. stating that the distribution of the movie should be regarded as an act of war.[23]

It should be noted however, that Norse, a private cyber security firm, also investigated the Sony hack and found no evidence of North Korea being responsible.[24]

Regardless of who is ultimately responsible, the cost of Sony’s hack is estimated to be upwards of $300 million.[25]

III. Analysis

“You have zero privacy anyway. Get over it,” the co-founder and chief executive of Sun Microsystems, Scott McNealy, said in response to growing concerns of consumer privacy in 1999.[26]  As abrasive as he was, McNealy’s inelegant comment seems eerily prescient sixteen years after the fact.  Every website a user visits is logged, and every post and online purchase leaves a trace of a user’s online presence.[27]  Every email sent via Google’s ubiquitous Gmail service is scanned for data for potential advertisers.[28]  With a $395 billion dollar company built on a principle of data mining and advertising, what chance does online privacy really stand?

Edward Snowden confirmed the notion that “big brother” is watching that existed long before 2012.  As early as 2004, when Facebook was a small website for college students to interact, there was an implicit understanding of the importance of protecting your online image.  There is no doubt that some information posted on the internet should be private, particularly in the case of credit card numbers used for online purchasers.  There is also clearly some information that is not private at all, such as public tweets, which are now being collected by the Library of Congress.[29]  Legal scholars will need to develop theories about all the information that falls between these two examples to determine what online information should be openly accessible and attributable and the information which should require a warrant to be admissible against a citizen.

Do the ends of protecting critical infrastructure from potentially massive disruptions, or preventing potential terrorist attacks through the means of meta-data collection justify NSA practices?  This must be considered while weighing the merits of online data privacy.

Despite the difficulties, online anonymity may be a winning bargain for privacy advocates and policy makers.  Protecting the U.S. economy and national security are goals too large to completely cease metadata collection, but with clear guidelines in place anonymity can be maintained until there is an established need to identify a person of interest.

As Dr. Shrobe stated, the Internet was built with performance in mind not security, so when the need to identify potential persons of interests arises there should be clear guidelines in place to authorize removing the veil of anonymity.[30]  The guidelines should serve as the basis for a preemptive warrant to protect against violations of citizen’s Due Process rights.  As the White House-appointed panel recommended, the government should cease storing call data on hundreds of millions of Americans – or at least cease storing data indefinitely.[31]

Sony is a private example of larger security concerns that come with an open Internet.  The costs Sony has incurred and the publicity of the attack may serve to raise awareness around cyber security.  A federal policy solution to protect industries not critical to national security interests may be a bridge too far, but private companies should begin to factor in cyber security as a cost of doing business in the Internet age, or risk being the next victim of a $300 million cyber-attack.

IV. Conclusion

The Internet has performed exceedingly well in connecting the world and delivering information quickly.  If the Internet was built with performance in mind, as Dr. Shrobe stated, it may be time to consider what the Internet should evolve into.  The Internet as a security-less means of accessing data may prove to be an economic costly proposition that is potentially detrimental to national security.  Private companies can hire cyber security firms to manage their networks and protect against potential cyber intrusions, but the threat of cyber-attacks will not be completely eliminated.  In order for the Internet to meet the challenges of the intricately connected world that it helped to create, it must evolve to become a safer medium through which businesses and governments operate.  Until then, we can remember McNealy’s words every time we log onto an Internet connection and “get over” our lack of privacy.  At least we can cross our fingers for anonymity on the web.

 


*J.D. Candidate, University of Illinois College of Law, expected 2017. B.A. Political Science, University of Illinois at Chicago, 2011.  I would like to thank the entire team at the Journal of Law Technology and Policy for their help on this piece.

[1] David Kravets, U.N Report Declares Internet Access a Human Right, Wired (June 3, 2011), http://www.wired.com/2011/06/internet-a-human-right/.

[2] Harichandan Arakali, Hillary Clinton Calls Internet Freedom ‘Core Value’ at Dreamforce Conference, Int’l Bus. Times (Oct. 15, 2014), http://www.ibtimes.com/hillary-clinton-calls-internet-freedom-core-value-dreamforce-conference-1705158.

[3] Nicole Perlroth, Reinventing the Internet to Make it Safer, N.Y. Times (Dec. 2, 2014, 9:25 PM), http://bits.blogs.nytimes.com/2014/12/02/reinventing-the-internet-to-make-it-safer/.

[4] President Barack Obama, Op-Ed., Taking the Cyberattack Threat Seriously, Wall St. J. (Jul. 19, 2012, 7:15 PM), http://www.wsj.com/articles/SB10000872396390444330904577535492693044650.

[5] Glenn Greenwald, Edward Snowden: The Whistleblower Behind the NSA Surveillance Revelations, Guardian (Jun. 11, 2013, 9:00 AM), http://www.theguardian.com/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance.

[6] U.S. Domestic Surveillance, Council on Foreign Rel. (Dec. 18, 2013), http://www.cfr.org/intelligence/us-domestic-surveillance/p9763#p3.

[7] Aaron Blake, Sen. Wyden: Clapper Didn’t Give ‘Straight Answer’ on NSA Programs, Wash. Post (Jun. 11, 2013), http://www.washingtonpost.com/blogs/post-politics/wp/2013/06/11/sen-wyden-clapper-didnt-give-straight-answer-on-nsa-programs/.

[8] Klayman v. Obama, 957 F. Supp. 2d 1, 42 (D.D.C. 2013).

[9] Id.

[10] Klayman v. Obama, 134 S. Ct. 1975 (2014).

[11] Richard A. Clarke, et al., Liberty and Security in a Changing World, White House 161 (Dec. 12, 2013), http://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf.

[12] Office of Press Secretary,  Remarks by the President on the Review of Signals Intelligence, White House (Jan. 17, 2014, 11:15 AM), http://www.whitehouse.gov/the-press-office/2014/01/17/remarks-president-review-signals-intelligence.

[13] Stan Lehman, Brazil Passes an Internet “Bill of Rights”, San Jose Mercury News (Apr. 23, 2014, 10:04 AM), http://www.mercurynews.com/business/ci_25621388/brazil-passes-an-internet-bill-rights.

[14] Office of the Secretary of Defense, Military and Security Developments Involving the People’s Republic of China 2013, Defense 36 (2013), http://www.defense.gov/pubs/2013_china_report_final.pdf.

[15] David Sanger, David Barboza, Nicole Perlroth, Chinese Army Unit Is Seen as Tied to Hacking Against U.S., N.Y. Times (Feb. 18, 2013), http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html.

[16] Ryan Tracy, Cybersecurity Legislation Gets Renewed Push From Financial Firms, Wall St. J. (Nov. 13, 2013, 6:22 PM), http://blogs.wsj.com/washwire/2013/11/13/cybersecurity-legislation-gets-renewed-push-from-financial-firms/.

[17] Strengthening Security and Resilience of the Nation’s Critical Infrastructure, Department Homeland Security (Aug. 6, 2013), http://www.dhs.gov/strengthening-security-and-resilience-nation’s-critical-infrastructure.

[18] Obama Pushes Cybersecurity Legislation, N.Y. Times (Jan. 13, 2015), http://www.nytimes.com/video/us/politics/100000003448212/obama-pushes-cybersecurity-legislation.html.

[19] Todd Vanderwerff, The 2014 Sony Hacks, Explained, Vox (Jan. 20, 2015), http://www.vox.com/cards/sony-hack-north-korea/what-did-the-attackers-do; Andrew Wallenstein & Brent Lang, Sony’s New Movies Leak Online Following Hack Attack, Variety (Nov. 29, 2014, 6:37 PM), http://variety.com/2014/digital/news/new-sony-films-pirated-in-wake-of-hack-attack-1201367036/; Letter from Sony Pictures, toSony Pictures Entertainment Employees (Dec. 8, 2014), available at http://oag.ca.gov/system/files/12%2008%2014%20letter_0.pdf.

[20] Kim Zetter, Sony Got Hacked Hard: What We Know and Don’t Know So Far, Wired (Dec. 3, 2014, 4:02 PM), http://www.wired.com/2014/12/sony-hack-what-we-know/.

[21] FBI Statement: ‘We conclude that North Korean Government is Responsible’, Guardian (Dec. 19, 2014), http://www.theguardian.com/us-news/ng-interactive/2014/dec/19/fbi-statement-north-korean-government.

[22] Ben Child, Hackers Demand Sony Cancel Release of Kim Jong-Un-Baiting Comedy, Guardian (Dec. 9, 2014, 6:43 AM), http://www.theguardian.com/film/2014/dec/09/hackers-demand-sony-cancel-kim-jong-un-film-the-interview.

[23] Michelle Nichols, Bernadette Baum, North Korea Complains to U.N. About Film Starring Rogen, Franco, Reuters (Jul. 9, 2014, 1:38 PM), http://www.reuters.com/article/2014/07/09/us-northkorea-un-film-idUSKBN0FE21D20140709.

[24] Tal Kopan, U.S.: No Alternate Leads in Sony Hack, Politico (Dec. 29, 2014, 7:41 PM), http://www.politico.com/story/2014/12/fbi-briefed-on-alternate-sony-hack-theory-113866.html.

[25] Annie Lowery, Sony’s Very, Very Expensive Hack, N.Y. Mag. (Dec. 16, 2014, 5:47 PM), http://nymag.com/daily/intelligencer/2014/12/sonys-very-very-expensive-hack.html.

[26] Polly Sprenger, Sun on Privacy: ‘Get Over It’, Wired (Jan. 26, 1999), http://archive.wired.com/politics/law/news/1999/01/17538.

[27] Mary Madden, et al., Digital Footprints: Online Identity Management and Search in the Age of Transparency,  Pew Internet & American Life Project, (Dec. 16, 2007, 4:00 PM), http://www.pewinternet.org/files/old-media/Files/Reports/2007/PIP_Digital_Footprints.pdf.

[28] Samuel Gibbs, Gmail Does Scan All Emails, New Google Terms Clarify, Guardian (Apr. 15, 2014), http://www.theguardian.com/technology/2014/apr/15/gmail-scans-all-emails-new-google-terms-clarify.

[29] Library of Congress is Archiving All Of America’s Tweets, Bus. Insider (Jan. 22, 2013), http://www.businessinsider.com/library-of-congress-is-archiving-all-of-americas-tweets-2013-1.

[30] Perlroth, supra note 3.

[31] Richard A. Clarke, et al., supra note 11.