We repeatedly confront the gulf between law enforcement’s and civilians’ understanding of what online security is and whom it is meant to protect. Well-meaning law enforcement officials and earnest public advocates talk past each other because they harbor different understandings of online security.
Law enforcement works hard to protect the public. In its quest to protect the public from real civilian threats, law enforcement secured 42,000 federal pen register court orders (collect meta data about call originations) and trap and trace court orders (collect meta data about an inbound calls) in 2013. These tools to identify who is talking with whom can identify and locate suspects committing crimes. On the other hand, civilians unrelated to the crime can have their telephone numbers show up in the list of communications evidence, or at a later date, be the subject of a subsequent court order that permits listening in on their phone calls.
A court order to listen in on the content of a call is an invasion of privacy, authorized or not. When government invades personal privacy, they do so presuming their work is for the public good. But those whose privacy is attacked rarely see it as benign. Aggravating the invasion of privacy is the strong likelihood that the nature and details of the investigation will never be made public – to exonerate those swept up into the surveillance. Almost all surveillance orders are kept sealed. Just one-in-a-thousand is ever made available to the public. It is unclear whether there is genuine need for sealing the evidence for protracted periods. In this context, civilians will regard law enforcement’s version of online security as favoring law enforcement’s needs, not civilian’s “rights.”
When profit-seeking cyber thieves steal personal information that can be used in identity theft, they are regarded as criminal by both law enforcement and by civilians. The motives of some cyber attackers are unclear. And there are other hackers whose actions are unlawful but have emotional appeal. Law enforcement and civilian agreement on “security” in this context may be likely.
For example, Anonymous is a loose collection of hackers without command and control structure, who claim their main mission is the protection of free speech. Anonymous’ actions show some tenuous interpretations of its free speech ethic. It has launched revenge against terrorists who attacked Charlie Hebdo in Paris, attacked communications capabilities of the ISIL terrorists, unmasked some Ku Klux Klan members, and conducted Distributed Denial of Service (DDoS) attacks against central banks. They often seem aligned with leftist and populist causes such as Occupy Wall Street, but sometimes their theme is just a petulant hated of the “powers that be” – which explains their compulsion to attack central banks.
Law enforcement seems to show tolerance of Anonymous’ camera-seeking self-righteous sermons and the Guy-Fawkes masks often present at demonstrations and street riots against law and order. Perhaps that matches the mixed feelings toward Anonymous that many civilians have. Hacking of central banks may draw a more concerted law enforcement effort to jail perpetrators, but there appears to be little progress in arresting Anonymous for those more serious crimes.
While law enforcement is distracted by the recent and dramatic DDoS attacks, little progress is likely in identifying a common meaning for online security as it applies to civilians and to law enforcement. Without that common understanding, resentment toward law enforcement surveillance will persist.