A Year After 9/11: Where Are We Now?

Governments have traditionally viewed new technologies with suspicion, arguing their presence can disturb the hard-won balance of rights and responsibilities, in the same way large companies have traditionally viewed any new media as a threat to the balance of their markets.

The backlash is predictable. Governments and their agencies have traditionally viewed new technologies with suspicion, arguing their presence can disturb the hard-won balance of rights and responsibilities, in the same way large companies have traditionally viewed any new media as a threat to the balance of their markets. Unconventional forms of publishing and speech challenge conventional ways of conducting business and governing society. Historically, only an exceptionally small and pioneering group of companies and government agencies take advantage of new media. Others resist their implementation, and attempt to use legal mechanisms to frustrate access to such technologies and techniques [3].

The events of September 11 clearly highlighted the threat pathology. Venom has been directed with particular effect on secure communications, open source information, and the right of privacy. In the Washington Post, Dennis Pluchinsky, a senior intelligence analyst with the Diplomatic Security Service in the U.S. State Department, argued that all media (including the Internet) should be subjected to comprehensive controls so that crucial information could not be accessed by terrorists. "A skeptic would call this censorship; a patriot would call it cooperation" [4].

Recent attacks on open source information and free speech have rarely been subtle. In what some critics regard as a transparent broadside on the Internet, former chief of operations at the FBI Buck Revell warned the Congressional Committee on International Relations the Internet "now allows even small or regional terrorist groups to have a worldwide C3I (Command, Control, Communication and Intelligence) system, and propaganda dissemination capability".

Anyone in the business of promoting open source, strong encryption, freeware, or privacy services is accustomed to sustained attacks from government agencies. But without care, such elements as privacy and security design could effectively be nationalized through overzealous regulation.

That scenario applies particularly to legal and constitutional battles for the protection of civil rights. While paying lip service to personal freedoms, the leaders of the democratic world have affirmed with uncharacteristic harmony that the pursuit of a safer society must prompt a reassessment of individual liberties and privacy. In its most blatant manifestation, this will result in a substantial increase in the right of the state to place controls on all citizens, shifting the default in favor of comprehensive surveillance over the population. Technology is at the same time the culprit and the savior.

But despite Herculean efforts, the strategic vision of the U.S. in its war on terror remains largely unformed. While the U.S. goal of strengthening international cooperation has yielded surprisingly impressive results, the distance that remains is immeasurable. And while efforts have been made—perhaps successfully—to strengthen long-forgotten and corroded elements of national security, an abundance of unsettling questions is taking shape.

One of the most contentious and disconcerting of these questions focuses on the integrity of the measures being proposed in the war against terror. How do we distinguish genuine and meaningful public security proposals from those based on convenience and illusion, and yet avoid the appearance of ingratitude or cynicism toward those who might just be doing their best to help in the great partnership?

A war of any type invites opportunity. This can take the form of an opportunity to demonstrate patriotism, through to opportunities to sell political ideas or to market products. But there is a fine—and often a qualitative line—between the exercise of opportunity and the pursuit of opportunism, and many people are coming to believe the distinction has never been clearer than in the current war.

In times such as these, the distinction between critical analysis and cynicism can appear blurry. But when, for example, O’Dwyer’s PR Online on September 24 cites marketing and PR executive Maureen Lippe’s opinion that the "greatest service PR pros can provide in support of the country is to ensure that the consumer continues to buy," it is perhaps easy to understand why critics of the war on terror are sensing opportunism.

And according to PR Week: "The trick in 2002…. will be to redefine your pet issue or product as a matter of homeland security. If you can convince Congress that your company’s widget will strengthen America’s borders, or that funding your client’s pet project will make America less dependent on foreign resources, you just might be able to get what you’re looking for" [5].

Such apparent opportunism extends to government agencies. Consider the recent U.S. state government proposals to clamp down on the public’s access to government documents and meetings, ostensibly driven by concern that terrorists could use the information. States that have passed or are considering measures to limit public access include Michigan, Florida, Minnesota, Missouri, Idaho, Maryland, Massachusetts, Tennessee, and Washington [1]. While there may be some justification for such restraints, it is also true that many of these states had consistently attempted such restrictions prior to September 11. Such measures have thrown into reverse the trend to improve public access to government through electronic means.

Why should computing professionals take careful note of these dynamics? There are a number of reasons. Most obviously, such processes form the basis of political and fiscal support for initiatives that might or might not be technically feasible. Hastily devised strategies fueled by expedience and convenience may well have escaped the rigor of full technical scrutiny.

Perhaps more important is the likelihood that any wide-scale plan for, say, interoperability, data sharing, or redrafted platform standards will have a lasting implication for generations of future technology. A political motivation for such reforms may not square with technical feasibility, in which case everyone suffers unintended consequences.

Recent U.S. legislation provides clear evidence of this syndrome. Earlier this year, President Bush signed into law a hastily designed and poorly drafted bill that may have astonishing implications for the technological infrastructure of immigration and passport control systems worldwide. HR 3525 (the Enhanced Border Security and Visa Entry Reform Act) will set in motion a series of initiatives designed to ensure that the citizens of many countries traveling to the U.S. must be biometrically scanned.

Immigration departments in Europe and the U.S. are salivating at the prospect of introducing biometric technology, despite evidence the technique is still unreliable. The Act does not specify whether the biometric should be a fingerprint, a photograph, a retina scan, or a hand print, but it makes very clear the process of equipping all entry points to the U.S. with the technology to read such data should be in place by 2003. British Prime Minister Tony Blair has repeatedly signaled his support for such security initiatives, and has put his full weight behind U.K. efforts to increase surveillance and to work with the U.S. on improving cooperation.

The U.S. legislation specifies a harmonious global approach to identifying travelers, but does not stop there. It requires the transmission of passenger information prior to arrival in the U.S., mandates increased questioning and scrutiny of travelers, and authorizes the first stage of a global information-sharing system on all travelers.

Remarkably, the Act passed speedily and unanimously through the Congress, the Judiciary Committee, and the Senate with hardly any comment or debate. Its signing into law went largely unreported in U.S. media.

The motivation behind the legislation may be commendable, but it carries significant risks not only to individual freedoms, but also entails key risks at a technical level. Leaving aside for the moment the prospect that attempts would inevitably be made to link the global system to national security and police databases, the track record of international, multipoint, multiple language data-sharing systems suggest a disaster in the making.

Other processes are more subtle, but are equally problematic. Take, for example, the global push for the elimination of money laundering.

Shortly after the September 11 attacks, the U.S. government began focusing on the relationship between money laundering and terrorist financing. The controversial Patriot Act was one of the legislative outcomes. Under this law, all financial institutions are required to speedily implement anti-money laundering programs. The requirements range from development of "suspicious transaction reporting" and "know your customer" programs, through to complex automated reporting and data sharing systems throughout government.

Such requirements had been proposed, and frequently abandoned, for at least a decade. Substantial technical, human, and legal problems had beset the design of a national strategy, and so anti-money laundering initiatives in the U.S. had evolved cautiously. The Patriot Act did not take these dynamics into account. The rush to legislate this complex area could well result in compounded problems at a human and technical level.

The events of September 11 clearly highlighted the threat pathology. Venom has been directed with particular effect on secure communications, open source information, and the right of privacy.

While the Patriot Act was in its formative stages, the U.S. government turned its attention to the international dimension of money laundering. Its first target was the Paris-based Financial Action Task Force (FATF), the leading international organization coordinating the battle against the global black market. Following an extraordinary meeting in Washington D.C. last October, FATF decided to substantially change its focus from money laundering to terrorist financing [4]. Until that time, the organization had scarcely recognized the relationship between the two. FATF guidelines developed over 12 years were hastily placed "under review," even though the organization recognized that efforts to reduce money laundering and terrorist financing were largely one and the same. FATF’s 32-member nations, together with the 130 countries that had signed up to the anti-money laundering guidelines, were urged to follow the U.S. lead in implementing legislation.

These initiatives highlight the profound implications of the U.S. legislative agenda on laws throughout the world. Since the events of last September, many countries have placed an emphasis on enhancing their legal powers to deal with terrorism and terrorist groups. The existing legal powers within many of these countries were deemed inadequate or required updating to include new investigative methods and new communications technologies. In a quest to reach the goal of legal harmonization across borders, some countries have introduced legislation to adhere to a range of formal treaties and conventions, as well as a growing number of informal requests for assistance. Some of these agreements, such as the Council of Europe Cybercrime convention, have profound implications for the development of national legislation in the area of surveillance.¹

These legislative initiatives have changed the international regulatory landscape in a number of ways, particularly from the perspective of surveillance and due process rights. The U.K. introduced legislation regarding the retention of traffic data, while the U.S. government reduced oversight for access to communications and traffic data. Another remarkable change has been the increase in exceptions to Freedom of Information and related acts—further altering the relationship between individuals and governments. Countries such as Canada attempted to include greater powers for law enforcement and national security agencies while ensuring that oversight to exempt data banks would be removed from the Information and Privacy Commissioners.²

These trends are global. The European Commission has pursued a provision requiring all European Union members to make "attacks through interference with an information system" punishable as a terrorist offense if it is aimed at "seriously altering or destroying the political, economic, or social structures." France has expanded police powers to search private property without warrant. Spain now limits the activities of any organization directly or tangentially associated with ETA—the armed Basque Homeland and Freedom group (similar to U.K. legislation). The European Council has taken steps to establish a Europe-wide arrest warrant and a common definition of "terrorist crime." Germany’s government has loosened restrictions on phone tapping and the monitoring of email and bank records and freed up once-proscribed communication between the police and the secret services.³ In June 2002, the U.K. attempted to introduce regulations under the pretext of anti-terrorism that would have mandated almost all local and national government agencies to gain access without warrant to communications traffic data.

Australia introduced a terrorist law to intercept email (giving powers to the nation’s chief domestic spy agency, the Australian Security Intelligence Organization), creating an offense related to preparing for or planning terrorist acts, and will allow terrorist property to be frozen and seized. New Zealand commenced similar legislation in keeping with the bilateral legal harminization agreements of the two countries. India also passed its Prevention of Terrorism Ordinance allowing authorities to detain suspects without trial, impose capital punishment in some cases, conduct wiretapping, and seize cash and property from terrorist suspects—despite concerns it would be used to suppress political opponents.

Yes, the world will never be the same again. The events of a year ago have provided a springboard for measures that in another era might have been abandoned as unworkable or considered unacceptably heavy-handed. Freedom of Information, privacy, online free speech, and security of communications are likely to buckle under the pressure of a regulatory zeal rarely seen in peace time.