Monday, February 12, 2024

Surveillance, Legal and Otherwise

A New Jersey court recently held that a "communication data warrant" was insufficient to compel Facebook to hand over a user's posts.  Rather, under New Jersey's Wiretap and Electronic Surveillance Control Act, investigators would require a "wiretap" order.  While both orders are "warrants" as required by the Fourth Amendment to the US Constitution, under NJ law the standards and permissions are different for the two orders.  Said another way, it is the intention of the New Jersey legislature that surveillance in (near) real time is more intrusive than a mere search warrant and must be more limited.  The intent of the law is to resist abuse, not only by NJ investigators but also by the federal government.

While the US Code contains no such explicit distinction, both law and precedent require that warrants be explicit as to what methods may be employed and what evidence is sought.  A warrant is not a carte blanche, a license to do anything the officer wants.  In practice judges expect law enforcement to use the "least intrusive means" to investigate.  

Governments around the globe, and law enforcement in particular, employ surveillance to detect and investigate communications that they wish to discourage.  Some, like ours, recognize the potential for abuse and seek to resist it.  None absolutely eschew its use.  In some authoritarian states it is routine, a means of exercising power and control over the populace.  

The most frequent justifications for surveillance are crime, specifically CSAM and terrorism.  The rules are often "collect everything, forget nothing, admit nothing."  Data collected for legitimate purposes constitutes a temptation, not to say an invitation, to other uses.  

While the US Constitution requires probable cause for both searches and seizures, in practice seizures are routine and warrants are required only for searches.  While under the Constitution the test is "reasonableness," in practice and precedent the threshold for requiring a warrant has become whether or not the subject has an "expectation of privacy"; reasonableness is no longer even considered.  

In the US the requirement for a warrant is routinely bypassed by purchasing "surveillance as a service" in the open market.  Investigators simply pay a small fee to so-called data brokers.  This is much more efficient than creating a government database.  

In summary, the protection against unreasonable search and seizure guaranteed in the Fourth Amendment to the US Constitution has been whittled away.  While there is little evidence that the current administration is engaged in massive surveillance, it happened under the GWB administration.  There is little left to protect us against abuse by future administrations.   


The Role of the Chief Information Security Officer (CISO)

There is a great deal of discussion of late about the liability of the Chief Information Security Officer for security breaches.  Seems to me that the biggest problem with the CISO position is a misunderstanding of the role.  CISOs are staff, not line.  They are not responsible for security; line managers are.  They are not responsible for preventing breaches; line managers are.


They are responsible for recommending the expression of enterprise risk tolerance and security policy but not for setting them; that is a governance decision to be made by the board of directors.  They are responsible for articulating strategy but not for adopting or implementing it.  They are responsible for coordinating implementation of strategy across functions and departments.  They are responsible for recommending essential and efficient security measures but not for implementing them.  They are responsible for recommending standards, for measuring against them and reporting on them, but not for complying with them.  They are responsible for measuring enterprise IT risk and for reporting on it to general management. 

The wise CISO negotiates his success before taking the job.  When his recommendations are not adopted, he documents the risk, asks the responsible line manager to sign the risk acceptance document, records the risk acceptance, and asks that the decision be revisited annually or when there is a change in responsible management.