Keil Hubert: Slogging Towards Justice

New technology offers us exciting new ways to innovate, and not always for benevolent purposes. Business Technology’s resident U.S. blogger Keil Hubert argues that we, as a society, need to publicly debate how to mitigate the unprecedented new ways that technology can be corrupted for malevolence and exploitation.

????????????

Earlier this week, my mate Eduardo alerted me to a small article that Olivia Solon had written over on wired.co.uk about the 3rd March prosecution of a UK computer repair tech who had used his access to his customers’ PCs to surreptitiously install software on them that would allow him to later switch on his customers’ webcams without their knowledge. There were several aspects of the article that struck me as interesting.

First off, let me say ‘good on the Metropolitan Police’ for catching this particular villain. Cybercrime is a chaotic and complicated business, and the law often lags a long ways behind the ways that baddies are using technology to commit wrongdoing. Fortunately, this case seemed to have enjoyed a solid foundation in law, reliable evidence analysis protocols, clear-cut definitions of right and wrong for the decision-makers to consider, and sufficient willingness on the part of the victims to bring charges. There are many cases where those planets don’t quite align, and the law then either can’t or won’t bring the baddies to account.

Case in point is the relatively recent problem of ‘revenge porn’ here in the USA. I first heard about this phenomenon about this time last year, about a week after I first stumbled on Ken White’s (fantastic and highly recommended) legal blog PopeHat.com. On 18th March 2013, Mr White wrote a synopsis of a case against a ‘revenge porn’ site/business/racket. As he (and others) described it, the operating methodology of these businesses is to encourage users to upload compromising photos of other people (without their knowledge or permission) to the Internet – after which the business then approaches the people whose pictures are being shared with all and sundry with an opportunity to pay the business to take them down again. Create a humiliating situation and get the victim to pay to clear it up. Sounds like extortion to me …

I understood from Ken’s articles (and others) that the law in some US states was having trouble wrapping its metaphorical head around the concepts involved in these ‘revenge porn’ cases. Who actually ‘owned’ the photos that were uploaded to the Internet? Did the person who was photographed have the right to deny the person who had possession of the photograph the right to then upload it for others’ consumption? This seemed like a new interpretation of the law might be needed, given how our technology (and our use of it) has changed over the last ten years thanks to Internet-connected and camera-equipped mobile phones. I figured we’d be seeing some ground-breaking legal arguments arise over the issue. Turns out that we haven’t made nearly as much progress as I’d been expecting. There has been some positive progress, but not enough.

Turns out it's darned difficult to get a metaphorical handhold within the legal system when it comes to emerging technologies.

Turns out it’s darned difficult to get a metaphorical handhold within the legal system when it comes to emerging technologies.

While I was researching this week’s column, I stumbled onto an article over at cracked.com called ‘5 Horrifying Ways an Ex Can Ruin Your Life With Nude Photos’ by J. F. Sargent. While Cracked is normally a font of hysterical pop-culture humour, Cracked’s crack writers do operate a compelling and subversive side-line in thought-provoking social justice topics. This most-recent piece by Mr Sargent inspired me to go follow all of his hyperlinks to learn more about the problem, and that led me (in turn) to the Cyber Civil Rights Initiative’s ‘EndRevengePorn.org’ site. I was late to dinner (again) because I got caught up re-reading and mulling over ERP’s proposed ‘Guide to Legislation.’

This argument made in this paragraph of ERP’s guide deserves considerable pondering:

Does criminalizing non-consensual porn violate the First Amendment? There is no constitutionally protected right to consume or distribute sexually graphic images of private individuals without their consent any more than there is a constitutionally protected right to distribute obscenity or to engage in threats, harassment, or defamation. A carefully crafted statute with exceptions for lawful activity (e.g. law enforcement or commercial practices) does not offend First Amendment principles.’ [1]

I’m not a constitutional affairs lawyer, so I don’t know the right answer to the initial question. I’d very much like to find out, though. As a cybersecurity professional (and as a parent!), I’m strongly in favour of pushing our society to craft appropriate laws that get control of this kind of predatory, destructive behaviour.

I respect the fact that this is a potentially thorny legal issue. On the one hand, I’m not in favour of allowing the law to suppress free speech; on the other hand, using one’s speech to cause irreparable harm to another person ought to have appropriate (and proportional) consequences. This is a complex issue, and it needs to be publically debated so that we can figure out where, as a people, we agree to fall on the issue. I suspect that this problem is getting common enough that folks will be compelled to pay attention to it. Kudos to the folks at the CCRI for marshalling the resources needed to advance this problem – and well-crafted draft suggested remedies – for public consideration.

The enormity and impact of the problem must be daunting. That makes all of the effort made all the more praiseworthy.

The enormity and impact of the problem must be daunting. That makes all of the effort made all the more praiseworthy.

That thought, in turn, looped me back to Ms Solon’s article on wired.co.uk. Down towards the end of her piece in her second-to-last paragraph, she wrote:

‘Webcam spying has been in the headlines recently after it was revealed by the Guardian that UK spy agency GCHQ intercepted images from the webcams of millions of Yahoo customers. Between 2008 and 2012 a piece of surveillance software called Optic Nerve took still images from Yahoo webcam chats and stored them on GCHQ databases. Between three percent and eleven percent of images were described as containing “undesirable nudity”.’ [2]

That’s another significant area of concern. When a computer tech misuses his (or, to be fair, her) privileged access to install unwanted software on a client’s equipment, we consider that to be an unlawful action. That seems simple enough. But what about when the computer tech isn’t a private contractor, but a government employee operating under an official government program? How is it that an action that’s indisputably illegal for a business or for a private citizen to perform suddenly becomes both legal and proper when performed by an agent of the state? It’s bad enough that we seem to have two parallel sets of laws in operation in the USA – one for the very wealthy and one for the rest of us – but the idea that it’s quite all right for elements of our government to compromise our systems and their security measures even when we’ve been neither suspected of nor indicted for committing a crime is deeply disturbing.

This is an important issue that we need, as a society, to debate and come to terms with. Where do we stand as a society on the arbitrary spectrum that makes ‘security’ and ‘privacy’ an either-or proposition? Are the various spy and law enforcement arms of our government bound to obey our Fourth Amendment rights? Are our agencies allowed to disobey our laws with impunity? Can representatives of a government agency perform acts without an authorizing legal framework that – if that same act was performed by a citizen – can only be defined as criminal?

To be clear, I don’t claim to side with either of the major factions on this debate. I don’t believe that the government should be absolutely forbidden to engage in activities like covert electronic surveillance and computer exploitation; those activities can be essential carrying out their chartered functions. At the same time, I also don’t believe that government agencies should have unfettered authority to engage in such controversial activities without censure or external restraint. Like most arguments in the age-old debate between the power of the government and the power of the people, the right answer to these conundrums probably lies somewhere in the ugly, messy middle: with clearly-defined guidelines, active oversight, and inescapable consequences for stepping over society’s ‘red lines.’ There should be those cyber surveillance activities that we agree to tolerate, and also those that we absolutely do not tolerate – and, once so defined, the various appendages of our government must be held responsible for staying on the right side of that societally agreed-to divide.

We cannot create a just society when anyone is considered 'above the law'.

We cannot create a just society when anyone is considered ‘above the law’.

I’m relieved that we’re starting to have this debate over where the limitations on government surveillance efforts should be in the public square, in the legislatures, and in the courts. That’s how our system is supposed to work.

Call me overly optimistic if you like, but I’m confident that we (as a nation) will eventually get this sorted out. To paraphrase Dr Martin Luther King Jr., I believe that the long arc of American history trends towards justice. We tend to screw most everything up along the way and we make terrible mistakes in the process, but the general weight of public pressure moves us (as a country) towards a more just and rational society. As Ken White is fond of saying in his essays, The wheels grind slowly. But they grind. They grind.

Along those lines, I submit that we need – as an online community – to make our voices heard about exploitative and destructive acts all along the spectrum. From the lone tech that abuses his systems access for voyeurism purposes all the way up to the large company that abuses its user data for financial gain, we need to discuss all of the ways that we may be exploited and decide where we stand on allowing, curtailing, and/or preventing them. These problems are endemic; everywhere that you find tech, you’ll find misuse of tech. Systems administration authority – like power – corrupts, and unmonitored, unfettered sysadmin authority eventually corrupts absolutely. Therefore, we have a moral, ethical, and legal need to discuss where we – as a global community, as a nation, as a company, or even as a family – choose to stand in regards to the major categories of potential systems misuse.

Over the long haul, I suspect that your outfit will eventually find its way to a reasonable, defensible, and sustainable position on how to handle tech problems in the workplace. To get there, though, people’s concerns should be heard, and their arguments considered. We can’t benefit from others’ insights if we never create a space where people can learn about and argue the issues. We certainly can’t craft a reasonable position on a problem if we never drag it into the light of public awareness.

Everyone is affected by these issues. Therefore, everyone should be vigorously debating these issues. We cannot allow a narrow and unrepresentative sliver of the population to define our society's position for us.

Everyone is affected by these issues. Therefore, everyone should be vigorously debating these issues. We cannot allow a narrow and unrepresentative sliver of the population to define our society’s position for us.

If you’re not having these kinds of conversation within your organization already, now’s the right time to start. If you’re the IT lead for your company, I submit that it’s your responsibility to initiate the discussion. As tech experts, we’re the people best positioned to understand the nuances of the problems. Therefore, we’re the people that are best equipped to translate the issues into terms that all of our affected co-workers can get their heads around.

We’re also the best-positioned arbiters to strike the balance between the too permissive and too restrictive ends of any given range of choices, since we’re the agency who’ll likely be tasked to build and manage the programs and control measures. Rather than let others decide what we as IT folks can and can not, or should and should not do, let’s take some ownership of our role and manage the discussion of emerging issues and the best way to mitigate their negative aspects. Let’s be the voice of reason and balance for our organization, not just the amoral and uncaring custodians of the infrastructure.

[1] From the ERP’s ‘Guide to Legislation,’  page 2, paragraph 1.

[2] Included hyperlink is as it appears in the original Wired post.

POC is Keil Hubert, keil.hubert@gmail.com

Keil Hubert is a business, security and technology operations consultant in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo! Broadcast, and helped launch four small businesses (including his own).

Keil-Hubert-featured

His experience creating and leading IT teams in the defence, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employees. He currently commands a small IT support organization for a military agency, where his current focus is mentoring technical specialists into becoming credible, corporate team leaders.

Tags: , , , , , , , , , ,