What do you call it when someone rifles through your computer files without your knowledge? Employers call it monitoring, and civil libertarians call it surveillance. U. S. Senator Dianne Feinstein calls it a “separation of powers” issue.
So Feinstein described her headline-grabbing dustup last year with the Central Intelligence Agency, in which the agency spied on staffers of the Senate Intelligence Committee while the committee was investigating certain interrogations by the CIA.
The squabble started after the CIA set up a dark network in an out-of-the-way location for Senate investigators to view specified CIA documents. When the agency realized it had not sufficiently blocked access to other files that should have remained hidden, five CIA staffers tried to assess the damage by snooping through Intelligence Committee computer files, and even reading email messages. Feinstien went public when she found out, blasting the agency for “violating separation of powers.”
While the senator rooted her fury in the CIA’s apparent intention to undermine her investigation, she discussed the incident in the language of inter-branch conflict, rather than call it what it was — spying by a spy agency. This suggests she stands by her vilification of Edward Snowden and her defense of the programs he leaked, while claiming that her own digital affairs should be off-limits to the prying eyes of alphabet soup agencies. In other words, Constitutional principles apply differently to powerful elected officials than to regular citizens.
Feinstein repeated the separation-of-powers charge when the story resurfaced this week, after a CIA investigative panel cleared the agency’s five snoops of wrongdoing. The agency’s internal report found its employees’ hacking activities had been “clearly inappropriate,” but were not cause for discipline.
But the report revealed something else: There were very basic failures of information governance that enabled the senate committee to grab documents it shouldn’t have, and that subsequently justified clearing the CIA of bad faith or malfeasance.
The Washington Post reports: “… the accountability review board concluded that the CIA-Senate arrangement was so convoluted that the panel could find no clear rules on how the shared computer system was to be run, let alone whether any rules had been violated.”
Notwithstanding the novelty of the “arrangement,” please note that the world’s most powerful spy agency and the nation’s most powerful legislative body abdicated well-established standards that would have determined in advance the protocol for a digital data transaction. This planning is fundamental to digital security and privacy.
Contemplating the agency’s sloppy information governance, especially given what was at stake, should lead to serious doubts about extending to any federal agency more authority to collect, store, or probe the digital records of Americans. For anyone who’s still not clear that the federal government is a poor steward of information, please do a careful reading of the above linked story in the Post.
That brings us (briefly) to President Obama’s 2015 cybersecurity initiatives. The president’s package would facilitate continued government access to citizen communications, and would snag security researchers, journalists, lawyers, and others in a net cast much too wide for cybercriminals. A recent surge in global terrorist activities validates the need for strong cyberdefense, but does not justify tossing all the cybercrime and national security concerns into a cybersecurity blender and turning on the blades.
It’s only a proposal right now, but there are elements that cry out already for the kind of definition that was lacking from the Senate-CIA plan. Selecting a bullet point at random:
“All monitoring, collection, use, retention, and sharing of information are limited to protecting against cybersecurity threats…”
Well, one would hope. But what does the protection entail, and how do we define the threats? These are not nit-picky questions, they are essential to information governance that does the intended tasks, and mitigates privacy invasion. Or whatever you prefer to call it.