Where Should We Draw the Cyber Blue Line? | The State of Security
What are the limits of online privacy and law enforcement? Can we clearly define them, or is this a vague and blurred area of debate?
The fact is that as technology advances, the real and the virtual worlds are increasingly converging. Actions (or inactions) in the cyberspace introduce risks and threats for people, especially the most vulnerable ones, i.e. children and elders. Criminals have moved their operations in the cyber realm, becoming more sophisticated and advanced as well as transforming technology into adversarial weapons.
Professionals in the cyber industry, tech companies, academics, and law enforcement are trying to combat the increased cyber criminality, but at the same time, they are compelled to address new and emerging ethical dilemmas. How can we balance systems’ security, humans’ privacy, and society’s safety?
In the trenches of encryption
Encryption, and especially end-to-end encryption, is an important feature both for protecting data at rest and in transit over the internet as well as for preserving the confidentiality and privacy of online communications over messaging apps. However, encryption is leveraged by criminals as well as they try to the conceal their nefarious purposes whether it is terrorist acts or the circulation of Child Sexual Abuse Material (CSAM).
We have seen many ‘episodes’ in the series of encryption debates. Recently, Apple added a new chapter. Apple has announced that future versions of its operating system for iPhones, iPads, Watches, and Macs will scan for CSAM. This move was met with skepticism and criticism by cybersecurity and privacy professionals alike. As Graham Cluley wrote, “many in the cybersecurity community are concerned that systems like this could be misused.”
As tech companies have received considerable pressure from law enforcement agencies and governments to open a backdoor into their systems, privacy and civil society groups fear that this a step in the wrong direction. EFF’s opinion was expressed clearly in their blog: “Apple can explain at length how its technical implementation will preserve privacy and security in its proposed backdoor, but at the end of the day, even a thoroughly documented, carefully thought-out, and narrowly-scoped backdoor is still a backdoor.”
At the same time, an article for Politico by Catherine De Bolle, Executive Director of Europol, and Cyrus R. Vance, Jr., District Attorney of New York County, New York, sparked another round of debate over the meaning of “unregulated encryption.” The authors noted that “encrypted digital devices … keep evidence locked out of reach of investigators.” While both stress that they are for a strong encryption regime, they are against “unregulated encryption,” explaining that “No sector — in this case, the tech industry — should be allowed to dictate the rules of access to digital data for all of society, with limited regard to the wider impact those rules might have.”
It is high time we defined the ‘thin blue line’ in the cyberspace. As De Bolle and Vance wrote in their article, “Regulation is necessary — and urgently so. Solving this problem will require a delicate balance between privacy on the one hand and public safety on the other. Simply prioritizing one above the other is not an acceptable solution.”
How can we define the Cyber Blue Line?
That is the question that Europol tries to answer in their homonymous spotlight report authored by Dr. Mary Aiken, professor of forensic cyberpsychology at the University of East London and adjunct professor at University College Dublin, Ireland; and Dr Philipp Amann, head of expertise & stakeholder management for the European Cybercrime Centre at Europol. You may download the report here.
According to the report authors, law enforcement is combating a “criminal hydra,” and they need to have some sort of Herculean powers to suppress the criminal networks. “This not only undermines Europe’s economy and society but, importantly weakens the rule of law.” One key factor enabling the proliferation of criminality in cyberspace is the ease of getting and using adversarial tools without having advanced skillsets. The Crime-as-a-Service (CaaS) ‘business model’ enables “a broad base of cybercriminals to launch attacks of a scale and scope disproportionate to their technical capability and asymmetric in terms of risks, costs and profits.”
Such criminal activities have a profound financial cost for businesses and digital markets, but they have also resulted in severe social costs, notes the Europol report. “People are being subjected to cyber scams, to fraud and blackmail; they are being coerced, trafficked, harassed and stalked. The most vulnerable members of society, children and young people, are particularly at risk of sexual exploitation and abuse.”
The authors explain that we need to not focus only on protecting systems and data. Although cybersecurity is crucial for national and international economies, it is equally important to develop technology that will protect humans and societies from online harms. “Cybersecurity primarily focuses on protecting data, processes, networks and systems. It does not focus on protecting what it is to be human, what it is to be a society, and this has perhaps contributed to a protection governance gap.” This is the context behind the emerging and developing Safety Tech, which “focuses on protecting people from a range of online harms and crimes, from harassment to child sexual exploitation and terrorist content online.”
We are finding ourselves at the crossroads of security, safety and privacy. Just like Hercules, we need now to debate and decide which is the road of Virtue. This is not an easy decision to make. “In an era of policing augmented by technology […], ‘keeping the peace’ has become a complicated, multi-faceted task; arguably fraught with ethical complexity in terms of privacy and civil liberties.”
What needs to be done? Mary Aiken and Philipp Amann offer several thoughts on the way ahead.
- “The need for protection in technology environments should be debated and re-evaluated.”
- “Policing bodies worldwide need to work out where on the spectrum of total order and total disorder they position their activities, where they draw that blue line – considering that in cyberspace we may be heading towards disorder.”
- “We may have to reconceptualize the future of our communities and our societies, understanding what is required to ensure public safety and maintain security; to tackle online harms, anti-social behaviors and criminality, whilst at the same time accommodating evolving and changing societal values.”
- “The role of industry in developing new technologies should be reevaluated, to ensure stakeholder inclusion and to promote an approach that is human-centric, safe and secure by design.”
Conclusion
President John Kennedy once said, “[a]ll problems created by man can be solved by man.” Although cyberspace is a great enabler of knowledge sharing as well as of transforming and ameliorating our lives, its use and misuse can create great harm for humanity. Law enforcement agencies seem to fight a battle destined to be lost. The ‘thin blue line’ should not separate citizens from officers. We find ourselves in front of a big challenge – how to make cyberspace a safer place without jeopardizing the core values of our society. As Aiken and Amann conclude, “Our focus should be on how we can all join forces and co-operate in the new environment of cyberspace. [W]e can collaborate to conceptualize the Cyber Blue Line collectively and, in doing so, move towards a safer and more secure cyberspace.”
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.