Paul Pillar

The Pendulum of Opinion on Security and Privacy

Sixteen years ago I participated in the annual summer study of the Defense Science Board, a panel of senior experts and executives from the private sector created in the 1950s to advise the Department of Defense on scientific and technical matters. The summer study is the board's biggest project each year, for which it assembles a large ad hoc task force going well beyond the board's own membership. The topic of the study performed in 1997 was DoD Responses to Transnational Threats. I worked with a science and technology subgroup that made its principal focus the use of modern information technology to collect and exploit data pertinent to terrorist threats.

The resulting report recommended aggressive exploitation of the then-new World Wide Web and data-handling technology available in the private sector to perform such collection and exploitation. The report talked about the importance of exploiting “meta-information” on use of the Internet as well as substantive information possibly pertinent to terrorist threats. The term “data mining” was used, not as a dirty word but instead as a descriptor of the kind of technology that the government ought to employ more extensively. Perhaps as a reflection of the fact that it was mainly scientists and engineers and not lawyers who wrote this part of the report, there was no mention of drawing fine lines or indeed any lines between collection abroad and within the United States.

The report was another indication, ignored by or unbeknownst to the many people who believe serious U.S. counterterrorism didn't begin until September 2001, that much serious attention was being given to the subject, and to better ways of doing counterterrorism, well before that. My own participation in the Defense Science Board study—at the time I was a government official with counterterrorist responsibilities in the intelligence community—was an indication of that. The public reaction to 9/11 would give a big boost, of course, both to the resources devoted to all kinds of countereterrorist activities and to the aggressiveness with which something like large-scale exploitation of data and meta-data could be pursued. Much of the kind of information management that the 1997 report discussed corresponded to the “connect the dots” activity that is a familiar demand after any perceived failure by the government agencies involved. Actually a better metaphor is finding needles in haystacks, or better yet, finding the few needles that matter in a stack of other needles that don't.

But the mood and thus the priorities of the public, as reflected in the press and Congress, shift over time on any subject on which security conflicts with something like privacy, depending on how long it has been since the last thing that upset the public and what the nature of the upset was. Aggressive exploitation of data that once was not only accepted but expected later becomes a matter of objection and controversy. Thus government agencies that are the target of recriminations at one time for not doing enough of something later are the target of recriminations for doing too much of the same thing. The latest hubbub about exploitation of Internet or telephonic communications should be viewed as the latest swing in the ever-swinging pendulum of the public mood about such things.

Meanwhile the hubbub provides little or no perspective to the government activity in question with regard to such things as comparing the implications of government possession of a piece of information with the far more extensive holdings of the same kind of information by private sector organizations. For all that gets said about whether the multiple controls and checks in the judicial and legislative branches are sufficient for what the government does, nothing gets said about the implications of a corporation collecting and holding such data with no checks or controls at all, save for possible eventual sanction by an often highly imperfect marketplace if something were to go badly and embarrassingly wrong.

When leaks are involved, as they are once again in the latest instance, there again is scant attention in the public discussion to the damage done by the leaks. In this case the principal damage is to cooperation and trust between government agencies and the relevant Internet and telecommunications companies. There also is undeserved direct damage to the companies themselves. The ones that have cooperated should be applauded for performing a duty in accordance with the law and with the interests of national security. Instead, because of leaks, they have been handed a major public relations headache. Their businesses have been hit with an undetermined but undeniable cost. The incentive for future cooperation has just gone down.

We also are again hearing nonsense about how a leak is somehow critical for obtaining public accountability or a public debate. Any other members of Congress who listened to Ron Wyden or Mark Udall could have joined their cause if they were so inclined and there would have been the debate. But evidently other members, including the leaderships of both parties, were not so inclined.

This is yet another instance of how what gets the attention of the public, the Congress, and the media is less a function of the intrinsic importance of the topic—even when some members of relevant Congressional committees diligently do their jobs—but instead of what becomes a flap, especially if it is sexed up by something like pilfered PowerPoint slides.