About the speakers (L to R):
Dorothy E. Denning is Professor of Computer Science at Georgetown University and Director of the Georgetown Institute for Information Assurance. She has published widely on such topics as information warfare, cyber-crime and cyber-terrorism, encryption and privacy policies, and the impact of technology on society. Her books include Information Warfare and Security, Internet Besieged: Countering Cyberspace Scofflaws, and Rights and Responsibilities of Participants in Networked Communities. Dr. Denning has testified before the U.S. Congress and has advised the U.S. government on these issues.
Martin Libicki is Senior Policy Analyst at RAND, where he specializes in the relationship between information technology and national security. Dr. Libicki has written extensively on such topics as technology and warfare, the revolution in military affairs, dominant battle space knowledge and standards policy for the digital economy. Among his publications are the monographs, "Illuminating Tomorrow's War" and "The Mesh and the Net: Speculations on National Security in an Age of Free Silicon." Prior to joining RAND, he spent twelve years at the National Defense University.
Jerry Berman is the founder and Executive Director of the Center for Democracy and Technology, a leading Internet public policy organization. He is also President of the Internet Education Foundation and head of the 150-organization Advisory Committee to the Congressional Internet Caucus. Mr. Berman has played a pivotal role in the enactment of landmark privacy and freedom of information legislation, and coordinated the First Amendment challenge to the Communications Decency Act at the US Supreme Court.
Rapporteur's Report
On September 26, 2001, the Project on the Information Revolution and World Politics convened a panel discussion on balancing national security and civil liberties in an age of networked terrorism. The panel's moderator, William Drake, Senior Associate at the Carnegie Endowment, introduced the topic by placing the current national security crisis in the context of the two interrelated meta-trends of interest to the project---the information revolution, and globalization. Osama bin Laden's Al Qaeda and other terrorist organizations have at their disposal the same technological tools that have empowered businesses, nongovernmental organizations, and other non-state actors to organize their activities and advance their objectives more effectively than ever before. And like these other actors, they are able to operate on a global scale by moving and coordinating people, money, information and other assets across increasingly permeable national borders. Drake pointed out that "we are at war not with a nation, but with a network" that includes connected but semi-autonomous cells in multiple countries. Tracking and eliminating this sort of enemy presents challenges that are radically different from those encountered in traditional forms of warfare.
Drake raised four broad questions that merit consideration. First, given the conflicting reports on this score, what do we really know about how terrorists use information and communication technologies (ICTs)---e.g. data and voice communications, encryption, videotape recorders, broadcast radio---to organize their activities and promote their message, and what threats do these uses pose for our national security? Second, what actions should the United States government take in response to such threats? For example, the September 11 attack has reignited and given new urgency to long-standing debates about surveillance efforts such as the Carnivore and Echelon programs, as well as to U.S. policies concerning encryption, privacy protection, and related issues. Third, and of particular interest for this panel discussion, how should we balance the need to strengthen our national security and intelligence capabilities with the need to preserve our constitutionally protected freedoms? The question is critical today because the U.S. Congress is moving to adopt the Bush administration's new anti-terrorist legislation which, civil libertarians argue, goes too far in expanding government surveillance powers within the United States. And finally, given the globally networked nature of some terrorist organizations, national actions will at times be insufficient. In what cases, then, will we need to develop and enforce strong multilateral agreements, and what are the challenges involved in such an effort?
The first panel speaker, Dorothy Denning, described the various ways terrorists have used ICTs in the past and speculated about how they may use them in the future. She began by presenting a website assembled by Robert Cromwell. The site contains links to separatist, para-military, military, intelligence, and aid organizations, and it illustrates how terrorists and their sympathizers have been using the Internet. She referred the audience in particular to the sites of the Taliban, Hamas and Hezbollah groups, supporters of Osama bin Laden, and sites in countries believed to be harboring elements of terrorist networks.
Denning then pointed out some examples of terrorists' use of ICTs. She noted that Ramzi Yousef, an associate of bin Laden who was convicted of the 1993 World Trade Center bombing, used encryption technology to hide information stored on his computer. Police found a laptop computer in Yousef's safe house in Manila that contained encrypted files with information about his plans to take down 11 commercial airliners and to assassinate the Pope. She also cited a USA Today article stating that U.S. officials believe that Osama bin Laden's network and other Muslim extremists have been posting encrypted messages in pornographic photographs and on message boards to help plan terrorist actions against the United States.
Denning then turned to recent incidents involving terrorists and hacktivists conducting cyber attacks, such as Internet viruses, worms, and web-defacements. One of the first reported incidents involved an offshoot of the Tamil Tigers, the Internet Black Tigers, who launched a denial-of-service attack against the Sri Lankan Embassy. With automated tools, they e-mailed roughly 800 messages per day to the embassy over a two-week period. The escalating cyber conflicts between Arabs and Jews in the Middle East provided further examples. With hackers on both sides attacking one another's websites, the activities have proven "extremely destructive to companies and Internet service providers such as Netvision in Israel," said Denning. Relating these incidents to the United States' current investigation, Denning called attention to a January 2001 iDefense report stating that a pro-Palestinian group of Internet crackers called Unity had some connections with Hezbollah, while another group, al-Muhajiroun, had ties to bin Laden's network. Denning expressed concern that incidents of information warfare will grow in number in the years ahead, and that terrorist organizations could become more centrally involved in such activity.
Against this backdrop, Jerry Berman focused on the problem of balancing national security and civil liberties, most immediately in the pending anti-terrorist legislation. While acknowledging that the current crisis calls for immediate action, he cautioned against the hasty adoption of overly sweeping limitations on personal freedoms. The Anti-Terrorism Act proposed in the wake of the September 11 attack requires careful consideration because it covers a wide range of complex issues concerning the investigative authority of government agencies and the conduct of surveillance and intelligence gathering.
Berman recalled that in 1978, as Chief Legislative Counsel at the American Civil Liberties Union, he worked with the national security establishment and policy makers to find a balance between national security and civil liberties. The resulting Foreign Intelligence Surveillance Act (FISA) established classified and public guidelines for the surveillance efforts of the Federal Bureau of Investigation (FBI) and the Central Intelligence Agency (CIA). FISA gives these agencies wide-ranging authority to conduct electronic surveillance against both foreign powers and their agents and terrorist organizations at home and abroad, including U.S. persons who aid and abet such activities. However, it draws a bright line between electronic surveillance for law enforcement purposes and surveillance for intelligence purposes. The law sets a lower standard for collecting intelligence information than do Title III and the Electronic Communications Privacy Act, which are used in domestic criminal law cases. For example, under FISA, the government can obtain a warrant for intelligence gathering even if there is "less than probable cause" to believe that an individual, including an American, is working with or is aiding and abetting terrorists. In sum, Berman recalled that "we wanted to build a wall to separate the government from using intelligence investigations that focus on crime to target domestic political dissent."
Berman's concern today is that the pending anti-terrorist legislation needlessly breaks down that wall. Since surveillance is secret and never disclosed under FISA, the primary purpose of surveillance is intelligence collection, as opposed to criminal investigation. Berman explained that supporters of the new bill propose to make intelligence gathering one of several purposes of surveillance, with criminal investigation among them. This "serious change in the law" would then allow criminal investigations to be conducted under a statute designed for intelligence gathering under less than probable cause.
In addition, the new proposal allows roving wiretaps for domestic intelligence gathering. Such taps "may follow any device, any computer they use, it may follow them into this room for electronic surveillance," he noted. In his opinion, this change also requires careful attention because supporters intend to apply FISA's low standards of "may be engaged in international terrorist activity" to new technologies and potentially use their findings for criminal investigation.
In addition, Berman pointed out that the proposed legislation weakens the requirement for judicial supervision of surveillance activities. Under FISA, investigators are required to produce business records relevant to the investigation; now, subpoenas would be sufficient for carrying out surveillance. Also, proponents of the administration's bill would like to allow searches and wiretaps under FISA to continue for one year, rather than subject them to frequent reviews. Since September 11, 150 new wiretaps have been issued, Berman noted.
Berman also said that the legislation would allow any information that has national security or intelligence value, collected under any wiretap, to be turned over to law enforcement officials and the administration. "It allows the use of wiretap information collected under surveillance illegally abroad (and one can imagine what it would be to be illegal abroad) where there's no Constitution or Fourth Amendment in criminal prosecutions," he explained. This appeases members of the law enforcement community who feel that current laws restrict them from sharing information gathered in a criminal investigation with an intelligence agency, but it has risks as well. Moreover, changing the primary purpose test for wiretaps under FISA may nullify the statute on constitutional grounds. If this occurs, both national security and civil liberties are threatened; further, if the statutes are found unconstitutional, criminal prosecution would suffer.
In short, Berman worried that the rushed passage of the law in its current form could have serious unintended consequences. Accordingly, he argued that more time is needed so that interested parties and the public can seriously debate the proposed legislation. If time can be found, the administration and the Congress can strike a better balance between national security and civil liberties. Some elements of a new approach might be to modify statutes perceived as restricting law enforcement officials to make exceptions solely for terrorist investigations, and to determine how best to share a narrow class of information relating to terrorist activities with the intelligence community without broad changes of current standards.
The final speaker, Martin Libicki, also focused on the question of balance, but did so from the standpoint of guiding design concepts rather than the current anti-terrorist legislation. He began by drawing a parallel between our surveillance problems and the differences between carnivores and herbivores. Carnivores are very specific in their pursuit of food and convert a high percentage of what they eat into protein. In contrast, herbivores are less specific and have to eat a very large amount of food to get enough protein to survive. To date we have acted like carnivores by targeting surveillance on known people for specific private information which we, in turn, intend to make public to law enforcement. Alas, the perpetrators of the September 11 attack went undetected, suggesting that this may no longer be the correct template to follow. Instead, we may want to collect a lot of information that is not private to begin with and try to make sense out of what we collect.
Libicki said that for present purposes, there are three types of information: private, local and global. Private information is undisclosed or disclosed only to people close to you, e.g. family members. Local information is readily accessible to a relatively small number of physically proximate strangers, e.g. whether or not one hangs a flag outside of her home. Global information can be collectible and knowable without restriction. Many of our privacy debates have concerned the transition between private and public, which is very well protected in the Constitution by rules regarding search and seizure and search warrants; and the transition from local to global, which the Constitution does not strongly protect. The controversy over Amazon.com's creation and distribution of customer profiles exemplifies this latter notion.
Libicki proceeded to weigh the pros and cons of an enhanced surveillance system that turns local information into global information in order to facilitate the tracking of certain activities. To frame his discussion, he defined hard identification as the coupling of an electronic record with biometric identification such as photographs, signatures, fingerprints, or DNA. The challenges of implementing this type of enhanced surveillance system include determining which organizations are universally recognized as competent authorities to provide identifications, and pinpointing the kinds of places and purposes that require identification. In this context, he also revisited the controversial question of whether a national identification card would be desirable.
Certain situations and places, such as airplanes, dictate the need for identifying people. Yet, Libicki wondered if the government should also collect information to identify people engaged in "intrinsically hazardous activities [such as] flight schools, crop dusters [and] truck rentals" or those who use credit cards. Asking for identifications at specific and predictable times and places, he speculated, proves less useful for police work than seeking it "at random times in random places." But police officers' ability to ask for identification in this manner is the defining characteristic of a police state, he reminded the audience. Finally, Libicki tackled the very controversial issue of targeting populations based not only on their activities but also on their characteristics. The challenge lies in attempting to monitor target populations, including non-US citizens and people that are in institutional care, while avoiding everyone else.
Libicki identified two primary advantages of surveillance in the form of an extensive network of checkpoints. First, surveillance may inhibit or prevent people who do not want to be identified from carrying out their intentions. Second, it may provide security officials with a warning, provided that they have a template to follow, which seems uncertain at this point.
During the subsequent question and answer period, the discussion ranged from technical to philosophical considerations. Several audience members raised questions about the efficacy of restrictive encryption policies, given that the technology is already widely available all over the world. Denning answered that the administration's proposed antiterrorist act does not intend to change encryption policy. She also mentioned her work on the President's Export Council Subcommittee on Encryption to liberalize export controls, stating that she did not expect changes.
Another attendee asked about the ability of the National Security Agency and other intelligence agencies to handle the information load received from satellites and fiber optic cables. Berman said that the Attorney General raised this very issue in the morning. Lacking a sufficient number of analysts and translators to process information gathered from abroad, the administration must address these needs quickly, Berman opined. Berman added that the intelligence agencies' over-reliance on signal intelligence has created an unwieldy amount of information.
The next question directed to Berman elicited his opinion on the implementation of a government identification card, in light of Libicki's remarks. Berman replied that terrorists probably would evade such controls, and noted that a mandatory program would be very controversial. Nevertheless, a voluntary opt-in approach might be desirable if it increased convenience and citizens had faith that the information involved would not be abused.
One audience member asked about the role of business in balancing national security and civil liberties. Berman pointed to the coalition of businesses and civil libertarians who passed the Electronic Communications Privacy Act, worked on the redesign of the telephone network in 1994 and on the more recent encryption policy. He believes that the business community's strong interest in protecting privacy guarantees adequate debate for these controversial issues.
A question concerning targeting non-American citizens, directed to Libicki, resulted in extensive comments from the panel. Given that citizens of the European Union member countries do not have to have a visa to stay in the United States for three to four months, an audience member asked, "Are we going to just identify those that come from the so called Third World? Are we going after the usual suspects, the Arab countries?" Libicki responded to the question by claiming that he does not advocate targeting non-American citizens. He went on to mention problems inherent in the view that people with "norms" similar to those of the United States belong on the inside of a figurative border and those who do not share those norms belong on the outside.
The current crisis introduces many sovereignty issues. In Libicki's view, the United States is "starting to come close to saying that you cannot hide people that are wanted from our laws," urging countries to have similar notions of crime and justice. A further paradox is "that a would-be terrorist is safer in the United States where he would have to be proven to be a terrorist than he would be in other countries, if we could lean on them to pick up suspected terrorists."
Berman also offered his opinions in response to the question of targeting non-Americans. "We live together. The next sleeper might be an American. You cannot profile on the basis of ethnic and racial background. [If you do], it will reverberate around the world and the President's coalition would fall apart. We're all in this together. We're talking about a relatively small number of very very crazy people and I just don't think you can target whole populations," Berman said.