Last week, our country crossed the continental divide into the new sense of civil liberties inspired by the NSA disclosures, according to news media as diverse as the Guardian and the New York Times and monitors like Pew Research. In this morning’s Senate Judiciary hearing, Senator Blumenthal suggested a Special Advocate representing public interests against the Government before the FISA Court and a formal change in the FISA judicial selection process, and Senior FISA Court Judge James Carr advocated both proposals. We appear to be moving forward into a structure of more trustworthy, transparent and accountable controls, decisions and decision-makers, which this blog has been stressing as the most important legal, political and ethical need of big data analytics in both the public and private sectors.
Now it gets really interesting for those of us who think all the time about how best to structure and protect large information stores. Stewart Baker, the one participant in the second panel of today’s hearing who didn’t feel the love, began to allude to some of the following issues as rationales for past decisions, but they really need to be laid out now systematically as a forward-looking, public, strategic agenda:
1. Will the data be kept alive, or allowed to die? This is the biggest question. If it is kept alive, it is safe to assume that it will out and/or be misused in some or all of the following ways, among others:
- Malware will exfiltrate it
- Insiders will sell it
- Lawyers will ediscover it — Remember, European friends, that our system is quite different from all of yours
- Whistleblowers will put it in an electronic drop box
- Government will abuse it
So will the data be forced to live? My guess, FWIW, is yes, because over time our understanding of its value will continue to grow. If we let it die, we will be turning our back on the most transformative aspect of our economy and society, and many other nations will not turn their backs. (Many of you will say that my guess implies the end of liberty, but to me liberty and universal “forgetting” are two very different things.)
2. If the data is forced to live, who will keep it? In Europe (to over-generalize) companies keep it alive for mining by the government. But again, Europeans lack our legal system, meaning both its litigiousness and some of its constitutional protections that might interfere with such a requirement. Could it be kept by a trusted third party subject to special protections? Could proposals such as Blumenthal’s process proposals make the Government such a party in the eyes of the country (let alone the world for the moment)?
3. If the data is forced to live, how will it be kept? Are available protections good enough for such a huge target, or do we need a new system of distributed nodes with strong segmentation, given the vulnerabilities of all systems? Can the needs for speed be met by a decentralized system? How will encryption be used by the custodians? How much and what types of encryption will be permitted by private repositories and the public? And when will the data be allowed to die?
4. And again, what about the rest of the world? A global internet is a big deal, and a good deal. A Guardian editorial predicted its demise (and that of US cloud providers) over the weekend, of which I had warned more than a month ago. We’ll see….