Security vs. privacy: The endless fiery debate continues

There was general agreement at this week’s Cambridge Cyber Summit at MIT that it is imperative to find a balance between the often-competing needs of national security and individual privacy. But there was no agreement on what that balance would look like

The intractable nature of the “privacy vs. security” debate, in a world where the internet is a tool for criminals, spies and terrorists as well as for billions of law-abiding citizens, was on full display during Wednesday’s Cambridge Cyber Summit at MIT.

Not surprisingly, it didn’t get resolved.

The event, hosted by The Aspen Institute, CNBC and MIT, featured top-level government officials, private-sector experts and activists, who all agreed that there needs to be a “conversation” about how to “balance” the two, and that to achieve it will require more effective cooperation between the public and private sectors.

But there was no agreement about where that balance lies. About the best they could do, after some conversation that got chaotic at times, was agree that they should continue the conversation.

Admiral Michael S. Rogers, commander of the US Cyber Command and director of the National Security Agency (NSA) – perhaps the highest-profile participant of the day – told the gathering during the opening session that, “the sweet spot to me is how do we create a partnership between the private sector and the government where the best of both are brought together for a unified purpose.”

[ ALSO ON CSO: You are responsible for your own Internet privacy ]

He told interviewer Walter Isaacson, president and CEO of Aspen, that security at the expense of privacy or vice versa is, “not a great place for us to be. So, how do we find this middle ground?

“This is a tough challenge for us,” he said, acknowledging the increased level of mistrust in government following revelations like those of former NSA contractor Edward Snowden, and reports just this week that the US government had essentially conscripted Yahoo to scan emails in real time for key words.

Yahoo issued a statement Wednesday calling the report by Reuters “misleading.”

Isaacson noted that some elements of the conflict didn’t exist before the online world. “It used to be that nothing – the trunk of your car, your safe deposit box, your diary – was out of the reach of law if a court said it could be searched,” he said, while encryption levels are now at a point where in some cases government is unable to crack it.

That was famously illustrated earlier this year when the FBI insisted that Apple help the agency break into the iPhone of the deceased San Bernardino mass murderer. Apple CEO Tim Cook said that would be like introducing a “cancer” that would compromise all users.

But Rogers said he found it both puzzling and frustrating that there doesn’t seem to be much public opposition to court approvals of warrants for law enforcement or intelligence to access the telephone communications of certain individuals, but there is much more strenuous objections to the same thing regarding emails.

“I'm still trying to work my way through personally, what is the difference?” he said. “But we've got to have this conversation. We cannot vilify each other.

“It isn't that one side is good and one side is bad. We're trying to make sure that these two incredibly foundational imperatives for us as a country are executed in a way that the one doesn't undermine the other.”

Still, Rogers never said specifically how he thought that should be done.

And just how difficult resolving it continues to be was illustrated about an hour later, in a panel titled, “Privacy vs. Security: Beyond the Zero-Sum Game,” where the debate got so intense at times, with participants talking over one another, that it started to sound a bit like the vice-presidential debate the previous evening between Republican Gov. Mike Pence and Democratic Sen. Tim Kaine.

The declaration by Glenn Gerstell, NSA general counsel, that, “encryption is here to stay, and we support it,” drew open skepticism from Cindy Cohn, executive director of the Electronic Frontier Foundation (EFF).

She contended that the real agenda of the NSA is, “strong encryption that only we (NSA) have access to. It’s disingenuous,” she said. “You actually want privacy with an asterisk. That isn’t what the rest of us mean.”

She added that EFF knows the NSA, “stops computers before they are shipped to put back doors in them. They discover vulnerabilities and then don’t tell the companies about them.”

And that drew an openly scornful response from Stewart Baker, former assistant secretary for policy at the Department of Homeland Security (DHS) and currently a partner at Steptoe and Johnson. He accused EFF of being unwilling even to negotiate the balance between privacy and security.

“You’ve (EFF) campaigned for 25 years against every security measure proposed,” he said, adding that there has not been any federal regulation of encryption for all that time either. “Companies can offer any kind of encryption, and they do,” he said.

He also said the debate over back doors is essentially irrelevant, since they already exist. “Every device in this audience has a back door, so they can send you crappy U2 albums,” he said.

[ MORE: The economics of back doors ]

Cohn insisted that government is still able to get anything it wants from online communications. And she said when Apple resisted the FBI’s demand to help it jailbreak the San Bernardino killer, “they got treated like they were a perp on the street.”

She and others said the interests at stake would better be called “security vs. security,” in that people deserve to have their physical safety protected, but also to be secure from government surveillance of their communications.

Gerstell acknowledged that there is, “obviously tension between those two missions. We’re looking to create more safety, but we also need to look at national security,” he said.

“This illustrates why we need a debate,” he said. "We shouldn’t demonize either side.”

In other words, keep the conversation going.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)