Tuesday, February 23, 2016

Apple Today Keeps Security at Bay


Prevailing opinion appears to be coalescing against Apple’s refusal to unlock the San Bernardino terrorists’ smartphones.  To many, Apple is more interested in protecting its brand than cooperating to protect our national interests.  As a practical matter, it would seem highly unlikely Apple would adopt a position contrary its financial self-interests, so the assumption that there is an underlying business motivation has some merit.  Yet, Apple has staked its flag upon privacy issues.  As Tim Cook, Apple’s CEO’s, expressed in a rank and file letter today, the issue is not about unlocking one phone. There are bigger issues at stake.    
Beyond the immediate, the Apple controversy has raised policy discussions about the need for government agencies to have formal backdoors to encrypted communications and data.  The basic argument is that criminals and terrorists can operate in the dark by using commonly available strong encryption like AES 256 ciphers and there is no practical way for authorities to de-encrypt and access information critical to thwarting serious criminal activities.  I confess, the arguments for backdoors are compelling.  But, before we rush headlong down backdoor paths, I would suggest we understand where they could lead, and in order to do so we first must uncover the substance of the issue.
Nobody would assume the Navajo language, while virtually undecipherable and used during World War II for secret communications, would require a government back door.  For that matter, whether it is undecipherable ancient Linear A script or modern English, language itself is a form of encoded information.  So why does the Government believe a backdoor is required for modern encrypted communications and stored data?  Is there something different about encrypted information than any other undecipherable or obscure human language?  Perhaps, it is the ease of deciphering an encoded communication that is the essential difference.  While on the surface this seems to be a distinction without substance, it could be rightfully argued that machine generated encryption is sufficiently non-human in origin to be different.  In other words, sufficiently unbreakable encryption exceeds the natural human capacity to devise and initiate such as a form of expression in the absence of a machine.  Thus, it is not a form of protected human speech.  On the other hand, there are many forms of human expression that defy easy interpretation or understanding.  In fact, it can be at times so abstract that no machine could decipher it.  As Picasso once famously said “Painting is just another way of keeping a diary.” I think we would agree deciphering Picasso’s visual diary would be no easy task.  Entire art departments devoted to that endeavor are no closer than the day he sat down with brush in hand.  But, more to the point, ciphers have been used since antiquity, some being more artful than others, for good and bad, precisely for secrecy.  Even in more recent pre-computer times, anyone could employ a relatively simple, mathematically unbreakable Vigenere cipher scheme. So, we again are left with the question of what is the real difference.  Whereas a Vigenere cipher requires only paper, pencil and a random passage from a secret book, modern encryption achieves these ends in a much more efficient and pervasive way.  Even the Vigenere cipher itself is available as one-time pad software, albeit grossly inefficient for real-time communications.  So, it would seem the real difference is that it is too easy, too accessible and too quick.  
With any “too” controversy, the basic contention is that something is too advantageous.  It upsets accepted norms or understood conventions of the relative distribution of power.   This is exactly what government security agencies argue.  There is nothing more principled or deep about it.  They don’t want criminals to enjoy an advantage, because modern encryption is too good, too available and too uncontrolled.  Of course, unfair advantage is a matter perspective.  I, for one, hope that law enforcement enjoys every possible advantage over criminals.  But, I also don’t want criminals accessing my sensitive private data either.  The problem with backdoors is just that.  It is another way in.  But insofar as law enforcement and national security are concerned, for most of human history, even up to and including the advent of modern communications, crafty criminals enjoyed the advantage when it came to secret communications.  It was not until the communications age that phone tapping and eavesdropping came about and gave law enforcement a leg up.  Phone networks became the places where most communications occurred, and intercepting communications became an essential part of  law enforcement’s repertoire.  Of course, this advantage still required a showing of probable cause before a warrant would issue.  So, basic police work was still needed to show a good reason.  However, many claim that even these protections have been eroded under the banner of pressing national security concerns since 9/11 under  the FISA court.  Its critics point out that the FISA court denied a paltry .03% of over 30,000 requests for electronic surveillance searches.  Moreover, critics complain that the FISA court operates in secrecy without public access or visibility into its proceedings and have permitted what amount to large-scale, sweeping general search warrants.  Yet, the FISA Court defends itself by noting that many of the approved requests were substantially modified before they became finalized, and it scrupulously protecting individual liberties from unreasonable searches.   Be that as it may, law enforcement’s technological advantage has been further magnified with the growth of big data, massive private and public transactional data stores, and a proliferation of public surveillance cameras.  For the first time in history, a human’s location, phone calls, spending and buying habits, social dialogue, extended family members, credit history, favorite TV shows, eating habits, topics searched online, and even books read can be found and are subject to government access, subject to legal process.  For all the talk of “cloud security”, it may, ironically, create the greatest vulnerability to personal privacy yet.   Private papers are no longer tucked away in desk drawers, stored on backroom computers or copied away on CDs in shoeboxes, immune from warrantless search and seizures.  Now, it is somewhere else in the ether, under the convenient management of commercial parties.  Cynically, the cloud is a one-stop shop for subpoenas, and in many instances your information is accessed without you even being notified.  We are leaving “digital footprints” all over the world and it provides law enforcement with a wealth of investigative advantages.  This is offered up as a social good that helps make our communities more secure than ever before.  It is true in many respects.  But, we would be wise to be aware of its potential costs so as to avoid being short-changed on liberty.
The classic approach that courts use to address issues like the government’s need to access encrypted private data versus the right to free expression and to be secure in papers and effects is called substantive due process analysis.  The basic inquiry is whether the restraint or infringement upon a particular fundamental freedom is the least intrusive  possible to achieve a compelling need of the state.  Yet, we ought to carefully think about whether this standard will adequately protect fundamental freedoms.  The US Supreme Court found a new right of privacy in the US Constitution in Griswold v. Connecticut.  In so doing, it did as much to expand individual privacy rights beyond traditional property-based concepts as it did in subsequent cases to whittle them away with a myriad of exceptions using substantive due process reasoning.  Even the very existence of the right of privacy is born out of relativism.  It only exists insofar as  a reasonable expectation of privacy exists, which turns on what most people think is, or treat as, private in ordinary course.  The problem is that social behaviors can change relatively quickly.  In the case of technology, there is hardly any greater prime mover of behavioral change afoot.  Thus, I fear right to privacy will wither under the rapid transformations in attitudes brought about by the persistent infiltration of technology into every aspect of our lives.   
As we trek along the evolution path of man and machine, questions around encryption will continually arise.  Yet, the core of the root conflict goes beyond encryption, in the sense that it is  about the role of society at large versus the individual in relation to who really governs a new form of emerging omniscient intelligence that can increasingly see, record, and analyze the most trivial aspects of our daily lives.  It is only a matter of time before machine augmentation of human bodies is commonplace.  As it is Amazon Echo sits in living rooms listening to every word spoken awaiting to assist.  Every large city is populated with cameras monitoring public places; automatic license plate readers innocuously record passersby, and your mobile phone tracks your every movement.  The fundamental question becomes, what are the limits of government access to the communications between mind and personal machine.  It is a widely held belief that one cannot be compelled to testify against oneself.   The brain, with all its memories, recollections and thoughts, are free from government intrusion.  We have even outlawed torture against the worst of our enemies to pry free secrets relegated to the recesses of the mind.  Yet, what cannot be pried out by coercion, will readily be available through not only backdoors in the name of security, but more likely through a gladly opened front door.  In our emerging technology-infused society, your coffee pot becomes a snitch for somebody.   Personal privacy will shrink to the space between your ears, as smart refrigerators, TVs, cars, lights, and so on become an ever present life companions. There will be no expectation of privacy because it will have been given away long ago in exchange for the innocuous promise of convenience and ease.  This, then, is the risk – to be lulled into the complacency of digital convenience served up by a myriad of eager companies aiming to please.   
Some may argue that backdoors are the price of security in an increasingly dangerous world.  Access to powerful tools of secrecy and deception have given bad actors too much power, and the playing field needs to be rebalanced in favor of law enforcement.  I would argue that we merely are reverting to the status quo and this is not so much a new battle as much as a familiar conflict between individual autonomy and state control in pursuit of security.   Some argue that the stakes are higher than ever because of the threats of modern terrorism, global crime syndicates, rogue nations, weapons of mass destruction and a host of other emerging phenomena.  I’m not so sure.  History is replete with successive generations of wholesale slaughters of city inhabitants by hostile invaders, mass enslavement, savage conflicts and global pandemics.  I find it unfathomable that we are in any more precarious situation than those preceding us.  That said, I have no interest in revisiting the Middle Ages, either.  These issues require significant reasoned discourse with an understanding that technology will not stop and is accelerating at an ever-quickening pace.  The ultimate question will be, in whose hand or hands this awesome power will sit.  I find no more comfort in Apple or Alphabet guarding privacy than good old Uncle Sam.  As between them, I would bet on the one that has the greatest guarantee of human freedom in the history of mankind rather than a corporate charter of maximizing profitability for shareholders.  Ultimately, it will fall upon those in black robes covetously protecting our freedom; otherwise, I don’t think we would stand a chance against technology in anyone’s hands. Whereas Apple seeks to preserve and grow its profits, and government bureaucracies seek to preserve and expand power, it is the acolytes of the Constitution, unencumbered by neither, that can best preserve liberty.  So, I say good for Judge Pym for the time being, but he must jealously guard liberty and understand there is more to privacy than mere expectation by custom.  Privacy is inherently human and our machines cannot be allowed to make us less so.

Friday, December 11, 2015

The Shoe Waiting to Drop - Terrorism Trends and Implications for American Security

On the heels of the Paris attacks in November this year, the NY Times published an Op-ed piece “Could Paris Happen Here?”  written by Steven Simon and Daniel Benjamin.  Simon and Benjamin, international affairs scholars and counter terrorism experts from Dartmouth College, posited the assessment that the US need not overly worry about a similar attack.   This turned out to be gravely erroneous, as the San Bernardino attack confirmed.  In their piece, they state that anxiety or worry over a Paris-type attack on US soli was:
"Candlelight vigil in London for the victims of the Peshawar school siege."
by Kashif Haque - Own work. Licensed under CC BY-SA 4.0 via Commons.

 
 “…unwarranted.  In fact, it is a mistake to assume that America’s security from terrorism is comparable to Europe’s. For many reasons, the United States is a significantly safer place. While vigilance remains essential, no one should panic.” 

They confidently go on to make the case that the US is different in four essential ways, ranging from its protected geographic access, the lack of a Euro-jihadist culture within our borders, the lack of access to a weapons pipeline, and superior monitoring and intelligence capabilities.

What Simon and Benjamin and many other experts fail to appreciate is that terrorism is a form of asymmetric warfare.  Traditional factors often used to assess risks in classic state-sponsored conflicts do not apply.  Remarkably, after a large scale attack like Paris, you will hear many media pundits and experts assert that the plot, based on its scale and impact, must have required great sophistication, expertise, planning and outside assistance.  This is simply untrue.   I would argue quite the opposite. 

Terror attacks using conventional high capacity weapons directed at soft civilian targets require very little sophistication or outside assistance.  The more open a society is, the more vulnerable it is to low cost, high impact terror events.  In the case of America, access to sufficiently high capacity semi-automatic weapons is easy, movement is easy, access to public places of mass gathering is easy, and access to materials and secure communications is easy.  Any group of motivated individuals with a few thousand dollars of cash, firearms, smartphones, vehicles, and some hotel reservations can inflict untold civilian casualties with relatively modest planning and coordination.

The 2008 Mumbai terror attacks were in many ways a watershed moment in the evolution of terrorism.  It marked the first adaption of a major commando-style urban assault on a civilian target since the Dubrovka Theater siege in Moscow on October 23, 2002.  Rather than 30 or 40 commandos, Mumbai involved a smaller group of 10 well-armed attackers who were able to inflict massive casualties and generate mayhem by attacking unprepared, publicly accessible civilian targets.  At that time, some experts recognized that Mumbai heralded in a new mode of terror – namely that large-scale urban assaults could be carried out by small teams of well-armed terrorists with devastating consequences. 

In the years that followed, several terror plots were uncovered in Europe and reported as being successfully thwarted.   Around that time, in late 2010, I revisited the significance of Mumbai writing that:
 
The significance of the Mumbai attacks should not be lost in that it represented a continuing departure from the historically favored terror targets of air and rail transportation, and a move towards commando style coordinated attacks. The Mumbai attacks were immensely “successful” from a terrorist perspective, causing large scale carnage and disruption across a major metropolitan region and “success” breeds emulation.”

In the years since, a series of terrorist attacks across the world have served to provide insight into evolving terror tactics and tendencies.  In particular, I recount the following major attacks, among others:

  • The Muna Hotel attack in Somalia in August 24, 2010 was military commando style attack on a hotel resulting in the death of 31 people
  • Spozhmai Hotel attack in Kabul in April 2012 was an assault and suicide bombing killing 20;
  • The Boston Marathon bombing in April 2013 was a planted bombing killing 3 and injuring 264 others.
  • The Westgate Mall Massacre in September 2013, was a commando style attack on a mall resulting in 62 dead, and another 175 injured.
  • The Nigerian School attack and kidnapping of 250 school children by Boko Haram. 
  • Volograd, Russia attacks in December 2013 were multi–site suicide bombing attacks killing 34 and injuring 80.
  •  The Peshawar School Massacre in December, 2014 was a commando style attack on a school resulting in over 400 children and personnel dead. 
  • The Charlie Hebdo terror attack in January 2015 was a commando style attack on a newspaper office building and subsequent kosher supermarket resulting in 17 killed and 22 others injured.
  • The Paris terror attack in November, 2015 was a multi-site, commando style attack on a stadium, theater, restaurant and mall with suicide bombers.
  • The San Bernardino terror attack in December, 2015 was a two-person commando style attack on an office building resulting in 14 killed and 21 injured.
As can be quickly observed, commando-style attacks on soft civilian targets are the current preferred mode of terror attack.  As I previously discussed in an article (Kenya Mall Terror Attack Reinforces a Disturbing Pattern, Sep. 23, 2013), it is my view that modern terror movements and organizations like ISIL, Al Qaeda, Boko Haram, Ansar al-Shari'a, al-Shabaab and others are not merely loosely affiliated groups of cells that are disconnected from each other.  They are distributed thinking entities that are self-aware, share a common gestalt, and are highly adaptive.  Emulation, adaptation and iteration in tactics and techniques can be observed over the course of time across among ostensibly distinct, geographically separated organizations.   These changes are notable because as they evolve they are optimizing towards exploitation of minimal security presence, ease of execution, reduced operational complexity, less resource dependencies or need for command and control, and greater terror impact. 
 
There is no question in my mind that the Pakistan school massacre by Taliban terrorists on December 16, 2014 was inspired, in part, by the Sandy Hook massacre on December 14, 2012, almost exactly two years prior.   Just as what followed with the Boko Haram attack and massacre in Nigeria a month later on January 12, 2015 resulting in 2,000 dead and 350 school children being taken, was no coincidence.  These are convergences of thought facilitated by access to freely available real time news sources and scores of social networking sites.  The biggest mistake made by many terror analysts is the assumption that all of these organizations, large or small, even down to the lone wolf, are not connected to each other by conscious awareness of what others are doing or have done.   Stated simply, they learn from one another, copy one another, inspire one another and obtain tacit ideological approval from one another which propels successive incidents. 

I will repeat my concern again.  The US needs to vastly improve school security.  A commando style attack on a school is a major risk.  School targets house many potential victims, they are not generally secure, and the psychological terror impact of such an attack would be devastating.  The Beslan School siege in 2004 looms like an ever-present shadow over ongoing events.  The Peshawar school massacre and Nigerian school attacks which sent shock waves of horror around the globe, are demonstrable examples that terrorists have learned there is great value in attacking schools.   Recent revelations that the San Bernardino terrorists had access to and information on local schools should serve as notice.   Other targets of concern should be malls, large hotels and theater performance spaces.  We all have a natural desire to be reassured by experts that we should not worry, but as we can see, many so-called experts just get it wrong, and getting it wrong has deadly consequences.  It’s time to get about the business of better protecting against and preparing for the next shoe - which will surely drop. 

Saturday, February 14, 2015

Driving Into the Future on Autopilot - How the Internet of Everything May Challenge Freedom

Photo Credit: Wiki Commons - Andrea Boldizsar
Imagine this.  You’ve been down sized and been out of work for a few months.  You’ve fallen behind on your payments.  You go to bed and wake one morning to discover your car is missing.  Stolen?  No, it drove itself off to your car finance company.  Seem farfetched?  How about this one.  You’re driving down the road to your appointed destination when suddenly your car takes an unplanned detour to the nearest police road block and shuts off.  Welcome to the future.

As technology progresses, society increasingly is  encountering challenges to traditional notions of privacy.  Yet, these concerns are merely the front edge of a more serious storm brewing over fundamental concepts of personal control and freedom.  Today, we already are experiencing the impact of new consumer technologies in regards to our privacy.  When it comes to Internet and networked enabled technologies, there is a rule of quid pro quo in effect where in order to get information or services you must give information.  The most notable type of personal information we routinely furnish to untold numbers of parties is our location.  Many of our favorite mobile “apps” routinely report our location to third party companies.  What is done with this information is really not known.  Most claim they will remove personal identifying information from your data and then combined with generic data of others to discover trends and patterns.  These trends and patterns are theoretically used to “optimize” your experience.  As any savvy consumer knows, this is code speak for personalized targeted marketing.  Further, as we all know, you don’t have a choice in whether you want an optimized experience or not.  It’s take it or leave it.  In fact, when we purchase or license technology there is the inevitable EULA (End User License Agreement) accompanied by a check box or button acknowledging your agreement to the provider’s terms.  We all routinely click and agree because there is no other option, and for the average consumer the terms are unintelligible and meaningless in any case. In essence, we rely on the good graces of some attorney at Big Co. and its executives to determine what is reasonable, and generally this means grudgingly complying with consumer laws where applicable and otherwise finding inoffensive ways of telling you the many rights and restrictions Big Co. imposes because it is their stuff and they decide how, why, when and who uses their stuff.  The fact is nearly two decades into the consumer technology revolution the average person is already trained to roll-over for a cookie.

So, what stops a financing company from requiring that you agree that your self-driving car turn itself in if you’re late on a payment?  Nothing.  In fact, the training is already underway thanks to auto insurance companies under slickly marketed “safe driver” discount programs.  Drivers can install a device that monitors and reports your driving habits and provided the rules of safe driving are obeyed, your insurance premium is discounted.  One might say, so what; it’s voluntary.  But, the question is for how long.  Will there be a day when you can’t manually operate a car in the name of safety?  Will there be a day when you can’t hop in a car for a drive without somebody somewhere knowing where you are and where you are going? 

This is the insidious nature of technology, especially once the new phase of technology known as the internet of everything kicks into overdrive.  The internet is nothing but a vast data communication network.  Interconnecting everything may bring untold innovations and benefits that improve our day to day lives, but the internet of everything comes at a price – to get, you must give.   The new technology economy operates not only on money, but on information currency.  With information comes power, especially when personal information is made an essential aspect of the delivery of the service or functioning of the device.  As devices connect and depend on cloud based intelligence to make decisions, we will begin to see our everyday habits and preferences being altered in subtle ways to better align with the desires and interests of others – those in control of the technology.  This will occur first by interactive messaging, then by incentive based preferences, then by autonomous command.  We have seen hints of this type of manipulation when Facebook launched an undisclosed psychological experiment on its users by increasing negative responses in newsfeeds to gauge how emotional states can be spread.  After a backlash, the experiment was terminated with a corporate mea culpa but with the caveat that users agreed to the experiments in terms of service.  Essentially, the logic was O.K. you caught us, but we didn’t do anything wrong because you agreed to it.  Riot Games, a massive online mobile gaming company, gives us a farther glimpse in to the future.  It recently announced that its platform is being used to experiment with online user behavior modification, and is touting its gaming community as the world’s largest psychology lab.  Riot claims its motivation is to encourage good behavior, and uses various “punishments” to coerce desired behavior.  While Riot’s motivation might be well meaning, the road to abuse and manipulation is being laid with the same reckless abandon as illegal loggers are cutting through the Amazonian forests.   
Again, one might say the concern is overblown because we’re talking about games and social media sites.  But let’s take something that we all need, use and has a direct impact our lives – electricity.  Once all appliances are web connected, energy consumption can be granularly monitored.  Once consumption is monitored, alerts and recommendations to optimize your usage will follow, and in fact, many energy monitoring applications are doing this today.  This will inevitably evolve into energy usage allocations and tiered pricing to de-incentivize excessive use (think Riot’s punishment scheme), and then to automatic control of devices to block usage to control consumption.  Some may think this is a fine idea because it advances conservation.  But, the problem is one man’s good idea is another’s oppression, and this where the government comes in.
As more information about where we are, what we do and how we do it is collected, stored, and dissected by vast numbers of private businesses, these business become voluntary and involuntary privatized arms of the government.  In the “old” days, the telephone company was the first stop in any investigation.  With a subpoena in hand, law enforcement could learn who you talked to and when, and if necessary get a warrant to tap into your conversations.  Today, with “big data” massive amounts of historical information are being captured and stored about where you’ve been, with whom you have communicated, what you’ve communicated, what you have purchased, what you’ve read, what you’ve searched, who your family and friends are, and much more.  But “big data” is still in its infancy, and big data is going to get a whole lot bigger still.  Soon there will big data consortiums and exchanges where inconceivably vast pools of data are logically aggregated and traded.  Your data footprint will ultimately turn into the equivalent of your life’s data DNA.
As more regulations and laws are passed that control businesses, the more intertwined and reliant businesses become on the good graces of government.  These regulations can be fashioned to require business to keep information about you, and this in turn becomes a powerful investigative tool.  The problem is private big data become easily identified and accessible targets for investigation, and generally companies are loath to resist subpoenas and warrants.  It costs too much and they lose because the legal standard of probable cause justifying a request is ludicrously low in practice.  To give you a sense of the laxity, the FISA court approved over 20,000 requests for warrants between 1978 and 2013, and reject a grand total of 11 requests in the 35 year period.  Again, some might say if you are doing no wrong there is nothing to worry about.  True, perhaps. 
But what happens when government regulation indirectly imposes restraints on day to day freedoms and choices?  Take for example CAFÉ standards.  New CAFE standards coming into effect are causing automakers to phase out large vehicles from their portfolios. If you understand physics, there is every reason to buy a bigger vehicle and if you wish to pay the extra fuel charges it would seem like a legitimate and reasonable choice.  But, the fact is many are being indirectly forced to buy smaller fuel efficient cars, the physics of safety be damned.  So, is it not difficult to imagine that as corporations acquire more power through connective technology, the devil’s bargain will be struck.  Messy overt methods of control through law making and regulation will be deftly supplanted by sophisticated indirect regulatory policies of control enforced by technology companies. 
So, let’s take the seemingly outlandish example with which we started.  Your car is driving down the road.  A burglary is reported and a description matching your car is reported with a partial license plate reading of 3 digits.  Using license plate reading technology, your car is spotted and three digits match.  Your license number is checked against your car make and color.  It is a close possible match.  Using the car registration title database, your finance company is retrieved and connected.  Under your financing, you agreed to have your car monitored and controlled to comply with all applicable laws.  A request to detain on reasonable cause issues from law enforcement and is sent to the finance company.  The finance company is connected to the manufacturer’s automatic monitoring system.  A command is sent to your vehicle to proceed and stop at the closest police vehicle rendezvous point.  Blue and red light strobes suddenly appear  on your next-gen multimedia entrainment system and an audible message is played pleasantly announcing you have been requested to be pulled over, remain with your vehicle and wait instructions from police who will meet you in approximately three minutes.  This is followed by “please refrain from making any unusual movements.  Please keep both hands on the dashboard in a visible position as the officer approaches.  Carefully follow instructions for your own safety and for the safety of the officer.  Please be advised that in-vehicle video and audio is being recorded and may be used against you in a court of law.”
Could there be a day when your car arrests you?  Why not?  It will seem like a good idea to somebody.

Friday, January 9, 2015

The Charlie Hebdo Attack – A Foreshadowing of a U.S. Nightmare

At the risk of overstating causation, I have come to believe that the Jungian notion of collective unconsciousness operates like an unseen force in the world of terrorism.  This seems especially true in the context of modern, loosely affiliated terror groups.  While top-down organizational planning occurs in some cases, it is striking how many incidents are characterized as “lone wolf” exploits.  Despite this characterization, we know that these actors do not act alone in a broader sense.  Putting aside self-identification with a radical ideology, they also exhibit discernible patterns of approach and action.  Their tactics are drawn from a well of depravity over time and place, and show signs of adaptive continuity.  And, this brings me to my point.  I see a confluence of terror actions that reflect a shared vector of thinking which ought to raise alarms.  I am very worried that it is only a matter of time before a US school undergoes a commando style terrorist attack.  There are too many behavioral signals that lead in this direction.

The Paris terror attack on Charlie Hebdo magazine comes on the heels of the Pakistan school massacre where Taliban terrorists indiscriminately attacked a school and left 153 dead.  In the Pakistan school attack, a relatively few attackers were able to inflict massive casualties through a coordinated military style attack on a “soft” target.  The Charlie Hebdo attack was also a small coordinated action against a soft civilian target. But, the Paris attack also bears a similarity to the Boston Marathon bombings.  In each case, the perpetrators are disaffected immigrant bothers. Whether the Tsarnaev brothers influenced the suspected brothers in the Paris attack is not known, yet it bears a signature.

Following this Gestalt, the United States suffered the worst school shooting in history at Sandy Hook School in Connecticut in December 2012.  While not undertaken by a “terrorist” in the classical sense, the event was a proof point that very large casualties can be achieved by one actor, and schools are generally defenseless.  It also inflicted vast damage to the US national psyche.  Simply put, attack schools and you attack the very heart and soul of America.  Whether Adam Lanza inspired the Pakistan Taliban would be pure speculation, but again there is a signature of evil bearing a resemblance.  While the Taliban have routinely attacked small girls’ schools in Afghanistan under the pretense of religious offense, the Pakistan school attack had an entirely different tone. It was undertaken purely to exact great retribution and strike massive fear in the Pakistani population.  Framed differently, Sandy Hook showed feasibility and effect. A terror mind could not help but be influenced by the reality of its devastating effect.
The Paris attack has a linger to the Mumbai terror attacks in November of 2008 which resulted in 164 dead and over 300 wounded.  Mumbai was a tactical and behavioral departure point.  It showed that commando style attacks by a small coordinated group could exact large casualties on soft civilian targets.  While bombs were used, the use of automatic weapons was prominent.  The “success” of this style of attack again left its mark on the master psyche of terrorists.  The Charlie Hebdo attack just reinforced this notion. 

Going back even further though, it is possible to follow this deadly lineage and extract some lessons.  In 1998, the United States embassy bombings occurred which killed hundreds of people in simultaneous truck bomb explosions in Dar es Salaam and Nairobi. The date of the bombings marked the eighth anniversary of the arrival of American forces in Saudi Arabia.  These bombings succeeded the Khobar Tower bombing in 1996, which was an attack on a US airman residential complex.  These attacks, while striking an arguably governmental targets, were nonetheless soft targets.  In the Khobar case, a petroleum truck bomb was detonated sheering off half of the building and killed 19 airmen in Saudi Arabia.   A year earlier, in 1995, Timothy McVeigh blew up the Alfred P. Murrah Federal Building with a truck bomb filled with fertilizer, collapsing half of the building and killing 168 people and injuring over 600 others.  The Oklahoma City attack was preceded by the first Twin Towers attack in 1993 when a truck bomb was driven into the belowground garage and detonated.  Even further back in time, we find the 1983 Marine Barracks attack in Beirut, which killed 229 servicemen with two truck bombs.  The Khobar attack a decade is eerily similar to it.  It is difficult to avoid the parallelism and conspiracy in thought that propels the next act of barbarity.
As far as the recent Paris attack is concerned, the perpetrators appear to have some connection with Syria.  As thousands easily move through Europe to fight with ISIS, these radicalized fighters will return as better trained, battle hardened zealots in Europe.  We can see the risks and challenges that European nations will continue to face.  But, the United States is hardly better off.  Without entering into the debate over semiautomatic weapons, the fact is powerful weapons are readily accessible and the United States’ porous borders affords small groups of terrorists relatively easy entry to the country. To assume we will remain insulated from motivated radical terrorists is a deadly mistake.  The means, proven feasibility, massive psychological terror factor and intent are all present.  The chance of commando style attach on a school by a few individuals is a real threat, as is a truck bomb attack.  While obtaining large quantities of explosive materials is difficult, hijacking or stealing a fuel tanker is not.  Driving a tanker into a school facility and detonating is a real possibility given past exploits.  Finally, using the two tactics in combination is also a possibility, given that have used similar tactics in Afghanistan and Iraq on police and army compounds.

In speaking with one law enforcement person about school safety, he indicated that most schools are not worried about active shooters, and are dealing with more practical day to day security problems.  While I can appreciate this pragmatism, there is an overarching pattern of potentiality borne out of past conduct that we ought to recognize.  I greatly fear that a terror attack on an U.S. school by militants is only a matter of time, and the effects will rock this Nation to its core.  I hope and pray that I am wrong. 
Yet, we need to heed the clarion call and continue to make changes in our security posture.  First, schools buildings need to be shielded from a truck assault.  Any large truck, like a tanker or trailer truck, needs to be routed and controlled outside a blast zone until it is verified.  Regional areas should have quick reaction counterterror swat teams that are equipped to respond and defeat well equipped and military trained terrorists.  Schools and law enforcement agencies need to have real time collaboration capabilities for situational awareness and ground truth for tactical advantage. Being able to communicate with school personnel and see inside schools is essential.  Glass windows and doors need to be upgraded to be more breach proof to delay an assault.  Reinforced safe areas should be created in schools.  More one-way exits should be installed to enable personnel and students to evacuate without going through bottleneck points and feeder spaces that create kill zones.  While many of these suggestions may seem over the top, a terrorist attack is by its nature dealing with the unthinkable.  The cost of hardening our schools is a small price to pay if it can save the lives of several hundred or more innocent children – namely ours.

Tuesday, January 6, 2015

Why the Aereo Court Got it Wrong and What it Means


Image Credit: Wikipedia Public Domain
The US Supreme Court got it wrong in the Aereo[i] Decision, and it exemplifies a problem in US courts today.  Judges with little or no understanding of technology are making decisions that have far-reaching impacts on future innovation.  As a general matter, the Federal court system, especially at the appeals level, is comprised of older judges, many of whom are technically illiterate.[ii]  Further, even at the circuit level the vast percentage of judges as a matter of educational background and experience are lacking in the most basic technical understanding to be minimally equipped to make sound decisions.[iii]  Yet, it is nearly universally acknowledged that that our economy has undergone a shift from manufacturing to a digital information economy, and it is the court system that adjudicates disputes and is often forced to make decisions either based on outdated laws or immature digital laws that require an appreciation of technical context and nuance.   Aereo is a classic failure to intelligently navigate the realities of new technology that appear to trespass on old laws.   

In brief, Aereo Inc., is an innovative internet based video distribution company that uses individual antennas to receive locally broadcast TV transmissions then retransmits them to subscribers over the internet one a one to one basis.  The content of the transmission is not altered and is merely passed on to an individual subscriber that elects to request and receive the retransmitted stream for his viewing.   ABC and other broadcasters sued Aereo alleging copyright infringement.  In June, 2014, the US Supreme Court ruled that Aereo violated the Copyright Act of 1976 because Aereo infringed on a copyright owner’s exclusive right to perform the copyrighted work.  The Court relied on amendments to the Copyright Act that were introduced nearly 40 years ago when Congress took aim at Community Access Television (CATV) providers.  CATV providers were organizations that erected large antennas clusters to capture weak TV signal transmissions and retransmit them to underserved viewers in communities.  The Congress revised the Copyright Act to specifically state that the act of retransmission is a right reserved to copyright owners, reversing an earlier line of court decisions that held that merely retransmitting a broadcast without altering its content was not a performance protected under copyright laws.  Making an analogy to CATV providers, the Court essentially found that Aereo was performing the same function and therefore the Congress must have meant to prohibit Aereo’s activities.  

In reality, the Supreme Court made a decision on gut feel, effectively concluding Aereo had created some kind of “infernal machine” that beat the system.  In so many words, the Court divined that a 1970s Congress would have been offended by the outcome of Aereo’s technology rather than its substance.

In making its decision, the Supreme Court rejected several Aereo arguments that sought to distinguish it from a CATV provider.  These arguments included that unlike a CATV provider, Aereo was a one antenna to one viewer retransmission.  Whereas a CATV provider essentially rebroadcasts to anybody within its reception range, an Aereo subscriber, if it chooses to watch a show, must request the show and then when it does, a single antenna is enlisted to pick up the signal which is then converted to IP, temporarily stored and then forwarded to the requesting viewer.  In essence, Aereo argued that a one to one retransmission was not a public performance.  Aereo further argued that it was not a transmission within the meaning of the Copyright Act because it was not a broadcast transmission, meaning that it was not simultaneously transmitted in a wide area or a large number of viewers.    Calling upon poor analogies, the court rejected these arguments, and, most importantly, stated it was deferring to Congress’s intent.

When interpreting a law, deferring to the lawmaker’s intent, that is- determining what lawmakers meant when they enacted a law, has been recognized as the standard of proper judicial review since our founding.  However, despite the appearance of deference in this case, the Supreme Court, in reality, did the opposite.   Essentially, the Court took a nearly forty year old law that could not possibly have conceived or foreseen the technology at issue and speculated what Congress’ intent would have been if it understood the technology.  At some point, extrapolating intent to new circumstances moves beyond reasonable assumptions to activist speculation. This is the case here.

One of the fundamental principles underpinning the validity of any law is its certainty and clarity.  When a law is vague, it deprives all citizens of substantive due process, because a citizen cannot reliably determine whether an act is lawful or unlawful. Not knowing which the case is, a citizen must either forbear from an activity in fear that it may subsequently be determined unlawful or engage in activity under the threat of potential future jeopardy.  This is often referred to in the law as having a “chilling” effect.        

When the Aereo defendants claimed that the Court, if it sided with the plaintiffs, would chill innovation, the Court cast aside this concern while gratuitously acknowledging that Congress does not want to dissuade innovation.  Rather than undertake any substantive analysis, however, the Court merely ordained that the decision would have no adverse impact.  In justifying its determination, the Court emphasized that its ruling was limited and pointed to legislative history that the “[transmit amendment] does not determine whether different kinds of providers in different contexts also ‘perform’.”  But, this precisely what Aereo is.  A different kind of provider in a different context.   To this point, It should not go unnoticed that Court employed used car analogies and “knobs” in its decision to elucidate its technology analysis.  To prop up its finding, the Court turned to legislative history and selectively chose the history which best suited its decision.  Yet, by its own admission, it recognized that Congressional history specifically cautioned that new technology would not necessarily fall within the strictures of the retransmission amendment.    

So, how did the Aereo Court get it wrong? [iv] I would argue it simply did not understand technology to a degree necessary to appreciate the substantive technology issues in question. The Court was fumbling with and failed to grasp the concept of transmission.  A digital broadcast signal is encoded and then decoded when it is received.  This is the case with every TV with a digital receiver.  Once the signal is received, it is decoded and then “retransmitted” across a bus (a carrier) to a processor that then runs an application or function to visually display the data on a screen.  Aereo is simply distributing the same functions over space.[v]  Instead of using an internal bus, it is using the internet to deliver the signal to a computer viewer.  It is as if Aereo removed the box around the TV, and then separated and spread its components over distance and then reconnected the components with very long wires.  Is their a substantive difference merely because a passive box encloses the retransmission function?   Or, is it that the retransmission occurs within some undefined proximity to a viewer that the Court intuitively senses but never articulated?  As for the antenna aspect, again by viewing the function, Aero is no different from a viewer that rents a TV with a digital antenna, except the viewer just rents the antenna component in the Aereo case.  Again, we come to not so much to function as much as packaging and form factor.

When viewed within a comparative functional analysis, the court is simply off base.  The only valid argument one could raise is that transmitting a signal beyond is natural extent (i.e., the receivable coverage area) is exercising a transmission right more broadly than what the content owner intended.   Considered in this light, the question must be put whether any content owner or broadcaster that permits or engages in a broadcast over licensed spectrum to the general public at large is, by the very act itself, waiving its right to select who and how viewers may receive a signal.  It is as if an author dumped an unlimited number of copies of his book into the public square with a “free as long as you don’t tear out or add pages” sign, and then complains if Mr. Smith picks a few up and delivers them to the convalescent home.   If the format is generally decodable and the medium is receivable in the public airwaves, it certainly defies logic that a one-to-one re-transmission does anything more than the original act itself, assuming the viewer had the ability to or ought to have received the signal to start with. But the Court never reaches this level of inquiry in its decision.

Even assuming that Aero was engaged in something analogous to CCTV, the next question is what substantive harm has occurred if the content is unchanged and the content is broadcast for free.  If anything, the act of retransmission in unadulterated form advances the commercial interests of the broadcaster and owner.  It could be argued that the broadcaster suffers harm because the presentation has a particular placement in a series of presentations whereby if the presentation in question is not seen in series it diminishes its value.  This argument would be specious at best, because viewers have the unfettered ability to change channels, nor has any broadcaster attempted to impose a license condition that requires a viewer to be tethered to a channel for a series of programs.  Quite the opposite.  Each “show” is advertised and promoted as a separate work or performance such that no broadcaster adds any transformative value by showing a series of shows in any particular combination.      

Further, to the extent retransmission reaches a larger set of eyes and delivers the original advertising, it seems inexplicable how any broadcaster can claim harm.  If anything, retransmission furthers the economic interests of the broadcaster, and thus the owner of the work.  If the answer is “just because the owner is the copyright holder”, then the question must be whether there is a legally and morally sufficient basis to warrant the chilling of innovation when there is no readily apparent harm.   To this point, it is granted that an artist can control the distribution of his works.  For example, a private painting made for a person or special viewing may very well warrant protection because it was created with the specific purpose of a limited distribution.  The limited or private distribution is part of the original work itself.  It has a creative intimacy in its purpose.   On the other hand, by allowing broad public dissemination of a work to any and all who might view it, the work has lost its intimacy with its creator and there can be no compelling reason why it should be controlled as long as it does not cause economic harm. 

As technology accelerates and provides increasingly more ways in which viewers may receive, view, interpret, interact and enhance works, the courts need to recognize that technology is forcing courts to dig deeper into the substantive nature of intellectual property and understand precisely what is protectable and why a work is protected.  Simply dithering and fudging around the edges with narrow holdings and vague notions does not advance the interests of society, and harms innovation and creativity because of uncertainty.   They create vast uncertainty, because it is impossible to distill any rational boundaries that can be applied by a technologist. 

Our judiciary is in desperate need of qualified jurists with a sound understanding of technology, otherwise the ingenuity and creativity that drives our economy will suffer in the morass of legal uncertainty. 

Disclosure:  The author has no direct or indirect interest in Aereo or any party related or affiliated with Aereo.




[i]  American Broadcasting Cos. v. Aereo, Inc., 134 S. Ct. 2498 (2014) (Web Link: http://www.supremecourt.gov/opinions/13pdf/13-461_l537.pdf)
 
[iii] See, discussion of general expertise of judges:  http://www.libertylawsite.org/2014/02/05/posners-tyranny-of-expertise/
 
[iv] See, Copyright: ABC, Inc. v. Aereo, Inc., 128 Harv. L. Rev. 371 (Nov. 2014), for an interesting discussion of “purposivism and textualism”.
 
[v] Id. Some describe this as raising uncertainty with “cloud” implementations.  Again, it misses the point.  Even the NIST definition of what a cloud service is ambiguous at best.  See, NIST Special Publication 800-146 which contemplates hybrid implementations.  An understanding of how technology is doing a function is essential as what it is doing in any substantive analysis, because the "how" informs the "what."