Poking Big Brother in the eye

Poking Big Brother in the eye
By Courtney Macavinta
Interview by Alex Lash and Courtney Macavinta

If you're David Sobel, it pays to be paranoid.

For almost two decades, the calm, professorial Sobel has been turning over rocks to uncover government information kept secret in the name of "national security" and "government interest." First as staff attorney for the National Security Archive and now as legal counsel to the Washington, D.C.-based Electronic Privacy Information Center, Sobel has spent the last 16 years protecting private information, answering threats to free speech, and limiting the vision and hearing of Big Brother.

While today's conspiracy buffs might draw their fuel from Oliver Stone movies or the latest Clinton scandal, Sobel came of intellectual age in the 1970s as a left-leaning political science and law student. Incident by incident, the government's 1950s-era veneer of Eisenhower benevolence was stripped away in full public view: the televised carnage of Vietnam, Watergate, the Church Committee investigations of alleged CIA and FBI abuse of power, and the publication of the Pentagon Papers.

Like so many people, Sobel emerged from the era with a healthy distrust of the J. Edgar Hoovers and Robert McNamaras of the world.

That distrust has resulted in numerous discoveries. Among them, he unearthed thick FBI files on political activists, the Secret Service's harassment of teenage hackers, and the CIA's infiltration of a national student group. One of his main weapons is the Freedom of Information Act, under which he has filed dozens of requests for secret government data for high-profile clients such as Coretta Scott King and the late Ambassador Kenneth Rush, who fought the State Department to obtain his past communications with then Secretary of State Henry Kissinger.

Now with the spread of personal computers and the Internet, Sobel sees new and greater danger of government invasion and censorship. The latest example is the administration's policy overseeing the development and exportation of encryption, which can protect electronic privacy.

Sobel's deep voice and patient explanations are an unexpected vehicle for raising red flags of caution in the digital era, where shrill proclamations and breast-beating are the norms for grabbing attention.

His work at EPIC, however, could well go down as crucial in the history of the digital evolution. With the EPIC staff, he has disclosed government files on cryptography and privacy policy regarding the Digital Signature Standard, the Clipper Chip, and the FBI's Digital Telephony proposal.

Sobel is also serving as co-counsel in the case to kill the Communications Decency Act, now before the Supreme Court.

During a break from the RSA Data Security Conference in San Francisco in January, Sobel laid out his concerns for the future of civil rights in the digital world.

NEWS.COM: Was there a defining event that sparked your interest in electronic privacy issues?
Sobel: I guess it was probably what transpired in the mid '70s, at a time when I was in college and beginning to think about political issues. The debate that went on in the '70s was about how much authority government agencies should have to collect information about people and what kind of controls should be put on those agencies. With the development of this new technology, I think those issues are becoming even more interesting. The encryption debate is probably the most clear-cut example of the competing philosophies that we first really saw articulated back in the '70s at the time of Watergate. What at that time was really a somewhat obscure issue for a lot of people is really now becoming a day-to-day issue. The average person back in the '70s didn't really have to worry whether or not they were on Nixon's enemies list. But today with the development of this technology, the average person, I think, does have to worry about the issue of whether or not the government is going to hold the keys to their private communications.

NEXT: Naughty Uncle Sam

Naughty Uncle Sam

You've said that the government is always asking for the ability "just to keep the status quo." What's wrong with that?
They make the claim in the policy debate over encryption that all they're looking to do is maintain the status quo, meaning that they can currently conduct wiretaps and they're just looking to preserve that ability. But the ability to conduct wiretaps is really not that old. It was only in 1968 that federal law recognized and established procedures for electronic surveillance. And if you go back even further than that, of course, the telephone system is only a little over 100 years old.

It was really with the development of that technology that for the first time the government was able to get between two people having a long distance conversation without their knowledge. Obviously 200 years ago when the Bill of Rights was written, people tended to have face-to-face communications, and there was no way for a third party to intercept their communications. But with the communications technology we have today, there is that capability. I think what we're seeing with encryption technology is a process where the [individual person's] security technology is finally catching up with the [law enforcement agencies'] interception technology.

Today two people can have extensive communications that weren't possible 200, or even 50 years, ago. Perhaps there are trade-offs we need to make.
Well I think that's true, but it's just that the world has changed. The lives that people live today are not really similar to the lives they lived 200 years ago. I think it really is fair to say that the equivalent 200 years ago of living in the same village and walking down the street and talking together, today is one person on the East Coast, the other on the West Coast who have a business relationship and they communicate long distance. But the dynamics of that in terms of the role that the government plays really shouldn't change.

What role should the government play?
I think the government has a legitimate right, or should have the legitimate power, to collect information that they believe is important for them to collect. And of course that's all governed by the judicial system through the issuance of search warrants and subpoenas.

But the question that is really being raised now is whether the government should have the ability to design the ways that we communicate. That's really something that's never happened before. When Alexander Graham Bell developed the telephone he was not designing that system according to the dictates of the government or a police department.

Today we're seeing the government ask for that ability to basically be sitting at the table when these systems are designed. I think that's a major difference. The government today is looking to have surveillance capabilities built into the communications infrastructure. That's really a major change in the philosophy that has always been applied to communications.

The current government policy is really similar to what we all used to think of as being the Soviet bloc, Eastern European approach to these things. We used to think of a country, for instance like East Germany, as being a place where the government mandated that they would have the ability to conduct surveillance of citizens. And unfortunately that philosophy is now being adopted here.

Do you think there's any validity in the government argument that says having a backdoor into things like encryption is in the interest of national security?
I think that philosophy is really outdated at this point. It's no longer a question of whether [encryption] is going to leave the United States and become available worldwide. That's already happened. So the only issue now is whether the security technology that's available in the global information infrastructure is going to be American or if it's going to be Japanese or German or from some other source.

So it's not really even debatable anymore as to whether or not security technology, like encryption, is going to become widely deployed. It is and the question is where it will come from.

So do you think technology is going to be used more to expose governmental abuse or is it going to help them continue abuse in a more sophisticated manner?
I think it will probably go in both directions. I think that this technology in almost every one of its applications has positive aspects and negative aspects. And I think the job of people who do policy work in this area is to try to steer things in the more positive direction. But there's nothing inherently good or bad about the technology. It's a question of what the policies are that go into the design of systems and how these things are deployed.

NEXT: Speak and be heard, by everyone

Speak and be heard, by everyone

What's the difference between the government and the private sector in how you approach abuses in privacy and civil liberties?
There are obviously differences. I think that we have traditionally in the U.S. had a lot of mistrust of the government and there tends to be less mistrust of the private sector. But I think if you look at the situation today with new information technology that the problems on the government side are better controlled than they are on the private side.

After going through experiences like Watergate in the '70s, there were a lot of controls placed on the ability of the government to collect information and restrictions put on the way the government could use information about individuals. That's not the case with the private sector.

In the '70s I think the problem was with the government. But today I think we're starting to see that we need to look at what the private sector is doing. I think the PTRAK Social Security Number episode from last summer is an illustration of that. The public reaction also shows that that's an area where people are increasingly getting concerned.

What do you think are the main nongovernmental abuses of privacy happening right now?
I think the big problem right now is we can't even really accurately define what the problems are. I think there is a lot of nonconsensual collection of information that we're seeing. For instance, the average users, when they log onto a Web site really have no idea what kind of information can be collected and might actually be getting collected. Of course there's the whole issue of cookies that a lot of people talk about and I think that that's a valid concern.

That's a technology that, without any notice to the user, is apparently collecting information about what an individual is doing within a particular site. So there's the issue of whether people have the right to be notified that information is being collected and that their online activities are being monitored.

When you move beyond that, even to situations where people are knowingly providing information, such as when they register at a site, there is really very little information being provided right now about what kinds of uses that information might be put to. Is it going to be sold? Is it going to be used for marketing purposes?

I think people have a right to know what the policy is. There is the technological capability to collect a lot of information and there is not yet much public oversight of the ways in which that information is being used.

Some cultural theorists feel that the Internet is making us turn inward. Is there any danger that things can become too individualized, that we will lose the big picture of what is good for society?
I think that's a very hard question. I think, on an individual level, it is the experience that a lot of us have that this technology can tend to be somewhat antisocial. But I don't think that the average user of the Internet is insisting on their privacy because they're ignoring governmental concerns.

I think it's a question of looking at the reality of the world today and just concluding that the government's rationale for attempting to control this technology isn't very logical and is probably futile in any case. I think people are coming to the conclusion that there's no reason to sacrifice their individual rights in the interest of what the government's talking about.

We talk about governmental interests in controlling this technology. I think it's surprising that we're seeing these issues arising in the United States at all. I would have expected a few years ago that we would see these problems in places, like in China, Singapore, and less democratic countries. I can easily understand why a repressive government would be concerned about this kind of technology. It's less apparent to me why a government like ours would have the concerns that they have.

If you look back to things that our government itself has done--things like the creation of Radio Free Europe or the Voice of America, you would assume that a technology like the Internet would really be embraced as a way to make information freely available to people all over the world. But for some reason that's not happening and it's not entirely clear to me why it isn't.

Should companies should be able to read their employees emails?
I don't think they should, but until that issue gets legally resolved in favor of my position, I think at the very least employees should have a right to know whether or not their email is subject to monitoring and interception. And I think right now that's the big problem, that very few companies are developing policies on the monitoring of email and making that policy available to their employees.

So I think as a starting point people have a right to know what the rules are when they're given a computer and an email account and told this is theirs to use. I think there is just the basic issue of fairness that comes into play, that people ought to know whether or not their communications are going to be monitored.

The very few courts that have dealt with that issue have basically said that the email system is the property of the employer and the employer can therefore do what they want with it. We don't say that about other forms of communication that are facilitated by the employer.

For instance, if that same employee were to take a piece of paper from the company's supplies and write something and put it in an envelope and stick it in the mail, I don't think any court would uphold the company's right to retrieve that of the postal system and read it. So this is an example of an issue where the law needs to catch up with the technology.

Besides encryption, what are other ways?
Well I think there needs to be a lot more self-educating about the security issues that are involved online. I think the average person assumes that what they do online is anonymous, that records are not being kept, that mail is not being archived. And that is frequently not the case.

So I think people really need to be educated on the realities of this technology. As a consumer issue I would have to say that it's not entirely, or it shouldn't be entirely the responsibility of the individual user to find out how this stuff works. I think there should be an obligation on the part of the people who are providing these services, whether it's an online service, or a Web site, or whatever, I think there should be an obligation on the part of companies that are maintaining these systems to inform people as to how the systems work and the kinds of information that are being generated and collected. It's too much of a burden to put on the average user to get an understanding of how this all works.

I'm somebody who spends a lot of time looking at these issues and I can't say with any degree of certainty what happens to my email after I send it in terms of the path that it takes and the archiving that might be going on along the way. So I think people need to learn about the technology, but they also need a lot of help in doing that self-educating.

We've been through the Communications Decency Act, we're hashing out encryption, what are some of the next privacy issues you expect to arise around the Internet in the coming years?
Another significant issue that's on the horizon is the whole issue of digital money or electronic payment systems. This is increasingly an issue that we see the government taking a lot of interest in and expressing a lot of concern about.

The issue with digital currency is that there are really two ends of the spectrum that we could end up with, or of course something in the middle. On the one end we could have a totally anonymous electronic payment system that would be the digital equivalent of paper money. Today when we go into a store and pay with a $20 bill there's no record of that transaction. It is, in fact, anonymous. On the other end of the spectrum, credit card payments are well-documented and recorded.

So the question is going to be, "Which model should digital payment systems follow?" And unfortunately there's the capability in that technology to obliterate the anonymity that we have with paper money. We could in fact move to a system where we won't have paper money and all payments will be made in some digital form, whether from a debit card or some other system where suddenly there will be records kept of every transaction no matter how small it is. So I think that that's a very big battle that's on the horizon.