I’ve been going through my files recently, and discovering some that I had forgotten. A couple of times now I’ve had submissions to journals fall into a void. Ideally, when this happens the piece can still find a home somewhere else, but this was a review of book from 2010 written in 2012, and in 2013 Snowden changed the world and I felt the need move on. Still, Landau’s book remains valuable and some of these issues are even more salient today (also of note, in the 1990s Landau co-wrote Privacy on the Line with Whitfield Diffie).
Book Review: Landau, Susan. 2010. Surveillance or Security?: The Risks Posed by New Wiretapping Technologies. Cambridge, MA: MIT Press.
The choice between security and civil liberties remains a commonplace way of framing many surveillance debates. Susan Landau’s argument in Surveillance or Security? is that many surveillance technologies and systems not only compromise privacy, but may actually make us less secure. This thesis, while worth repeating, will not be novel for some readers familiar with surveillance and security debates. However, readers who are already well-versed in criticisms of the freedom-security opposition will still find a great deal of value in Landau’s book, including the nuance of her more policy and technology-specific arguments and the wealth of detail she provides on various electronic surveillance practices. The patience and clarity with which Landau walks readers through this detail is commendable, and the book makes many technical and legal matters understandable to those unfamiliar with telecommunications, electronic surveillance, or U.S. law. Despite this, reading Surveillance or Security? from beginning to end requires a considerable interest in the subject matter, and much of its detail will be superfluous to those interested in more general surveillance questions or electronic surveillance in a non-U.S. context.
The nuance of Landau’s argument preserves a legitimate and lawful role for surveillance by state actors, and her critique is targeted specifically at emerging forms of surveillance made possible in the age of digital networks. Of greatest concern is the ability to embed surveillance capabilities into our increasingly-capable communications infrastructures. Justifications for expanded or “modernized” police and national security surveillance capabilities are often premised on the need to bring telephone-era laws and abilities up to date with the internet. Landau provides a very effective introduction to telephone and packet-switching networks, the development of the internet, and the contemporaneous changes to U.S. surveillance law and practice. In the process, she shows how the nature of communication and surveillance has been transformed, and how inappropriate the application of telephone-era surveillance logic can be for internet architecture. While telephone and packet-switching networks are now deeply integrated, the reader will learn just how difficult “wiretapping the internet” is when compared to traditional telephone wiretaps. On the other hand, the book also discusses the vast amounts of information available about our digital flows, and how these possibilities of data collection introduce new dangers.
The most forceful of Landau’s arguments are against the embedding of surveillance capabilities into our networked communications infrastructure, as this amounts to an “architected security breach” (p.234) that can be exploited or misused. The main example provided by the author of such modern wiretapping gone wrong is the activation of surveillance capacities embedded in the software of an Athens mobile phone network during 2004 and 2005, wherein parties unknown targeted the communications of Greek government officials. While this case of wiretapping was highly selective, Landau also cites the current U.S. “warrantless wiretapping” program to illustrate the dangers of overcollection. A third case, the FBI’s misuse of “exigent letters” to acquire telephone records after September 11, shows how the risk of overcollection is exacerbated when wiretapping cannot be audited and fails to require “two-organizational control”. In the exigent letters case, FBI investigators and telephone company employees working closely alongside one other were able to nullify institutional boundaries and circumvent legal requirements. From these cases, Landau concludes that “making wiretapping easy from a technical point of view makes wiretapping without proper legal authorization easy” (p.240). Among her chief concerns is the historical propensity to take advantage of surveillance-ready technologies to target journalists and political opponents, and the possibility of “nontargets” being caught up through overcollection.
Surveillance or Security? offers solutions as well as warnings, and these are primarily oriented towards safeguarding communications security. As a general prescription, Landau argues for partitioning our networks to a greater and more sophisticated degree. This includes increased use of identity authentication and attribution for particular networks, and keeping others entirely inaccessible from the public internet. But Landau expressly opposes building identity authentication and surveillance mechanisms (such as deep packet inspection) into the internet itself. Overall, this is a sensible solution that can address “digital Pearl Harbor” fears while preserving the general openness of the internet. Our networks already have “walled gardens” for governments and corporations, and Landau calls for more effective partitions as well as open public vetting of security mechanisms (pp.240-241). Sanctioned wiretaps should also be auditable and not under the independent control of any one organization.
Ultimately, questions about how the internet should be designed and governed boil down to what we value in the network. Many have pointed out that that the values which drove the development of the internet did not include ensuring its security, so that concerns over identification, authentication, malware and cyberattack surfaced later in its development and are difficult to resolve. The debate over whether internet governance and internet architecture needs to be revised in the interests of security continues to this day, but the choice is not simply between security and openness. Rather, “security” can point to a whole host of challenges, some of which can be in opposition to one another. Landau does indeed distinguish between different security threats, but while there is a chapter entitled Who are the intruders?, no equivalent breakdown is given of “whose security” is of primary interest. Instead, Landau treats personal security, national security, and corporate security as compatible and amenable to some of the same solutions. She explicitly values personal privacy and the open innovation made possible by the internet, but also warns against growing foreign threats to the economy and critical infrastructure of the United States. The closing sentence of the book calls for communication security “to establish justice, maintain domestic tranquility, and provide for common defense” (p.256), and it is in the tensions between these three objectives that the supposedly false choice between freedom and security materializes once again.
Landau promotes the value of privacy and journalistic freedom, puts the danger of terrorism “in context” (p.222), and warns against heavy-handed approaches to illegal file-sharing (pp.34-35). But in debating the appropriateness of embedded surveillance or privacy-enhancing cryptography, the reader also learns that “we must weight the costs” (p.35) or the advantages against the disadvantages (p.219) of such technologies and practices. The problem is that different readers may have rather different conception of who is denoted by the “we” in such a formulation, and where the costs accrue. If the security threat is the “havoc” that can be wreaked through an internet connection multiplied by the size of the cyber-capable Chinese army (as Landau suggests in the epilogue, p.255), then Richard Clarke and Robert Knake’s (2010) proposal to embed surveillance and filtering at internet service providers (ISPs) to deal with foreign cyberattacks might seem quite reasonable (such surveillance would receive “rigorous oversight by an active Privacy and Civil Liberties Protection Board to ensure that neither the ISPs nor the government was illegally spying on us” [Clarke & Knake 2010, p. 162]). The principles which guide Landau’s judgments are those embodied in the U.S. Constitution, the open and innovative possibilities of our networks, the right to privacy in communication, and the need to be protected from electronic “intruders” and “threats”. But in making these various appeals Landau is also providing the means to undercut her argument against embedded surveillance, if one values a particular type of security or fears a threat to security over others. She closes with an appeal to consider communications security as vital to both national and personal security, to democracy as well as defense (p.256), but the argument that embedded surveillance makes us less secure is on weaker footing when faced with the catastrophic specter of a cyber-war with China.
In the end, readers may find themselves confronting the dilemma identified by Jonathan Zittrain (2008, pp.60-61), who argues that “the cybersecurity problem defies easy solution, because any of the most obvious solutions to it will cauterize the essence of the Internet”. Like Zittrain, Landau thinks we can improve cybersecurity without sacrificing the internet’s propensity for openness and innovation, but at times she seems to address her arguments more at U.S. policy makers, security officials, and American citizens than at a general readership. The book includes a chapter devoted to analyzing “the effectiveness of wiretapping” in the furtherance of national security and criminal investigations, and the threat of China’s espionage and cyberattack capabilities looms large against a “United States that is being weakened by the very information technologies that brought the nation such wealth” (p.171). Landau’s approach may appeal to those Americans in greatest need of convincing, but it marginalizes arguments based on more critical premises, such as the potential of open networks and private communications to facilitate valuable forms of disruption and social change.
Surveillance or Security? focuses on the U.S. because the complexity of wiretapping policy is better explored through one nation’s economic and legal perspective, and Landau claims that “it should not be hard to reinterpret the issues from the perspective of other nations” (p.10). The networks that constitute the internet certainly warrant analysis on the level of the nation-state, in particular due to the increased assertion of territorially-based state power over and through the internet. The U.S. also deserves study in its own right by anyone interested in global telecommunications, not only because of the influential role of the U.S. in the history of telecom, but because the world’s telecom networks remain disproportionately dependent on U.S.-based institutions and infrastructure. The layout of global fiber-optic cable makes the U.S. “a communications transit point for the entire world” (p.87), and the overall layout of the World Wide Web also remains largely U.S.-centric.
However, many of the details of U.S. wiretapping legislation and practice will not be of interest either to the general reader or to the scholar interested in broader questions of surveillance and telecommunication. The book’s detailed analysis of the U.S. case is therefore its greatest strength, or, for a more general audience, its greatest weakness. Among other strengths are the clarity of Landau’s descriptions of network architecture and internet history, which do not presume prior knowledge on the reader’s part. Surveillance or Security? is clear and approachable, and contributes some much-needed scholarship on the intersection between state and private institutions underpinning contemporary surveillance systems. At its best, it pours cold water on the need to overhaul the internet and expand the scope of electronic surveillance, but Landau is not above fanning the flames to give the issue of communication security some added urgency. In between, surveillance scholars will find plenty of value in the book’s well-researched detail and Landau’s considerable expertise.
One of the headings in the book, What it means to “get communication security right”, remains an open question, with governments moving slowly on the issue, and private institutions largely pursuing their own policies. While it seems clear that securing our communications networks will not be quick or easy, a more immediate concern are poorly-considered proposals to embed and institutionalize surveillance regimes and their attendant harms. Surveillance or Security? contributes to an important conversation, injects caution into a frequently overheated discussion, and offers much of substance for those acquainting themselves with communications security and surveillance.
References
Clarke, Richard. A., & Knake, Robert. (2010). Cyber War: The Next Threat to National Security and What to Do About It. New York: Ecco.
Landau, Susan. 2010. Surveillance or Security?: The Risks Posed by New Wiretapping Technologies. Cambridge, MA: MIT Press.
Zittrain, Jonathan. 2008. The future of the internet–and how to stop it. New Haven: Yale University Press.