Do the Candidates Even Realize We Just Passed New Cybersurveillance Laws?

More bumbling around tech privacy issues


I considered using a picture of Trump, even though he's not in this blog post, just for the possible page views.

Privacy and surveillance issues did not play as much of a role in Thursday's debate as they did in the last one, where Sens. Ted Cruz, Marco Rubio, and Rand Paul had a big scrap over how much data the National Security Agency (NSA) should be allowed to collect. Rand, very notably, wasn't there last night, and Cruz was caught up in several other fights over his immigration positions, his loan reporting error, his (sigh) birth citizenship, and the New Yorkness of New York.

The privacy vs. security question was asked of Rick Santorum and Carly Fiorina in the undercard debate and Jeb Bush in the main debate. While phrased differently, each question was essentially the same–to what extent should the federal government be able to draft tech companies to serve as providers of data for national security purposes?

The most interestingly libertarian response came from Santorum, actually. Quick, somebody go tell him he sounded like a libertarian and watch him freak out. He argued that the federal government should not attempt to force tech companies to work them and instead pursue voluntary cooperation. He went also went further and explained that the problem isn't on the private side but due to poor operations, bureaucratic blame-shifting, and lack of accountability on the government side.

Fiorina said she disagreed with Santorum, but strangely, trotted out her familiar story of how she voluntarily assisted the NSA by providing a bunch of equipment (which I'm assuming the government paid for, so it's odd to act like this was some sort of favor) when she was head of Hewlett-Packard. Given that she has said at previous debates that the tech industry "wants" to assist government in fighting terrorism, it's strange for her to argue that the government should force companies' hands while still using an example of voluntary cooperation.

She also, incidentally, repeated that Congress should pass legislation to encourage sharing about cybersecurity threats between private industry and the federal government. She was referring to the Cybersecurity Information Sharing Act (CISA), but was apparently unaware that it was rechristened the Cybersecurity Act of 2015, stuffed into the last omnibus spending bill, and actually passed and became law in December. So the candidate with all the tech credentials isn't even aware of the state of tech law.

In the main debate, the moderators mentioned Apple CEO Tim Cook's attitude that private communication on Apple devices should remain private unless law enforcement serves a warrant. Bush was asked whether he agreed or if he would "try to convince" Cook otherwise.

Here's Bush's response (transcript via Washington Post):

[T]he problem today is there's no confidence in Washington, D.C. There needs to be more than one meeting, there needs to complete dialogue with the large technology companies. They understand that there's a national security risk. We ought to give them a little bit of a liability release so that they share data amongst themselves and share data with the federal government, they're not fearful of a lawsuit.

We need to make sure that we keep the country safe. This is the first priority. The cybersecurity challenges that we face, this administration failed us completely, completely. Not just the hacking of OPM, but that is—that is just shameful. 23 million files in the hands of the Chinese? So it's not just the government—the private sector companies, it's also our own government that needs to raise the level of our game.

We should put the NSA in charge of the civilian side of this as well. That expertise needs to spread all across the government and there needs to be much more cooperation with our private sector.

NEIL CAVUTO: But if Tim cook is telling you no, Mr. President.

BUSH: You've got to keep asking. You've got to keep asking because this is a hugely important issue. If you can encrypt messages, ISIS can, over these platforms, and we have no ability to have a cooperative relationship —

CAVUTO: Do you ask or do you order?

BUSH: Well, if the law would change, yeah. But I think there has to be recognition that if we—if we are too punitive, then you'll go to other—other technology companies outside the United States. And what we want to do is to control this.

We also want to dominate this from a commercial side. So there's a lot of balanced interests. But the president leads in this regard. That's what we need. We need leadership, someone who has a backbone and sticks with things, rather than just talks about them as though anything matters when you're talking about amendments that don't even actually are part of a bill that ever passed.

"We should put the NSA in charge of the civilian side of this as well." When he said this last night I joked on Twitter that I was stroking out and declared that this was the worst debate response of the evening. But given time to parse Bush's always-awkward answers, I realize now that he meant just the civilian side of the federal government, not the entire private sector's cybersecurity.

In his awkwardness, he does recognize the big issue of trying to force back doors into encryption, even if he can't articulate it properly. If you force encryption services based in America to provide back doors, guess which country will stop being a source of encryption services?

Bush, like Fiorina, also seems to be unaware that we just passed federal legislation that provides liability protection for businesses that share their cybersecurity data.

He also, like many politicians who talk about encryption back doors, simply doesn't engage in the very serious concern that it's not possible to create a back door that only the government can use, or that only the American government could use, and the implications for citizen privacy and cybersecurity. Heck, the cynic in me thinks that there is an understanding of this flaw and that's actually the real reason for the liability protection. The government wants access to this information so badly that they're willing to compromise its own citizens' privacy and security to do so, and they're willing to remove one important tool (lawsuits) that citizens have in response to protect themselves.