Getting Permission To Use HaveIBeenPwned From Your Legal Dept
Trust is an incredibly important concept in information security and a vital component of influencing an audience. We know from safety risk communication research that it’s not enough to be an expert in your field. It’s not enough to be correct. You also need to be trusted by your audience. Otherwise your level of influence will be reduced and people may decide to act in ways that challenge your mission objectives.
When I wrote the July column as satire imagining what a GCHQ letter to a supportive member of the public might look like I was poking fun at the unrealistic expectations about our intelligence services that were being perpetuated. That as ‘big brother’ they knew better and were always looking out for our best interests. I recognize now that what I was also doing was challenging the notion that intelligence services innately deserved a high level of trust.
I had no idea how close to real life some of my ridiculous scenarios actually were. I poked fun at the possibility of people in surveillance agencies making mistakes. We had been repeatedly reassured that mistakes were minor and infrequent. Not long afterwards we learned that errors were arguably routine. That the agency that wasn’t supposed to target Americans had mistakenly targeted it’s surveillance apparatus at the dialing code for Washington (202) instead of Egypt (20). I mocked the idea that metadata wasn’t a form of surveillance by suggesting that a thermal image of a carnal situation was ok if it was just based on metadata. Opinion seems to be turning and that many now recognize that metadata can be very intrusive. I also poked fun at the idea that agency people would never misuse their access to surveillance data. Not long afterwards we were given evidence of NSA staff abusing their access for personal agendas. While there will always be some mistakes, it’s concerning that so many of the incidents that have come to light weren’t detected by internal controls. It begs the question how wide spread the abuses actually are. I also ridiculed the idea that we should simply trust that surveillance was being operated within the boundaries of law simply because a politician with a vested interest said so. We’ve since learned that the NSA bent the rules so far that even the NSA’s secret captive court raised concerns.
The intelligence services have an important role to play in modern democracies. They help keep people safe and they help warn decision makers of impending dangers. To do this effectively will require some level of surveillance. I’m not about to argue that they shouldn’t have the tools they need to do the job. However, one of the defining characteristics of a democracy isn’t the right to vote (even Zimbabwe has that), it’s the consent of the governed. The NSA and GCHQ appear to have disengaged from public discourse to the extent that they thought that consent wasn’t needed. A degree of consent is essential in any surveillance regime, whether national or organizational. Consent gives the surveillance systems funding and cooperation amongst other benefits. The quickest way to loose that consent and jeopardize the mission is to be caught in a lie that was directly relevant to the granting of that consent. Remember that this all started when James Clapper testified to congress that the NSA didn’t routinely target Americans, which was the basis of the NSA’s consent. He could have said that he couldn’t answer that question in an open forum. He could have said ‘Yes’. Would that have been so terrible? But he didn’t – he chose to lie. In the companies and organizations that I’m aware of, if you lied to the board about your audit and investigation activities you would be immediately dismissed, possibly with criminal charges. It wouldn’t matter that you were trying to protect your methods. It would be of little consequence if you argued that you were acting in the organization’s best interest. How could your audience ever trust you again? Contrast this with James Clapper. Why is he still in post? Is it because he had a uniform? Are we applying a different set of ethics?
The intelligence services urgently need to rebuild trust and need to focus on engagement with the public. Education and transparency is vital. Unfortunately, the most informative NSA resource available right now is a parody. The NSA have a lot of problems that are within their ability to fix and their own PR is surely one of them.
Originally published in the October 2013 edition of the ISSA International Journal.
Related posts
