Security Doesn’t Have to Cost Liberty

In memory of 9/11 Bruce Schneier reposted a previous post of his. In it he explains that so called security measures that came at the cost of individual liberty not only miss the point but also are unneeded. Things like the PATROIT Act and warrantless wiretapping won’t actually help prevent the next attack, instead they take away civil liberty and gain us nothing. Furthermore there are ways to implement security without taking civil liberty:

It’s easy to refute the notion that all security comes at the expense of liberty. Arming pilots, reinforcing cockpit doors, and teaching flight attendants karate are all examples of security measures that have no effect on individual privacy or liberties. So are better authentication of airport maintenance workers, or dead-man switches that force planes to automatically land at the closest airport, or armed air marshals traveling on flights.

Liberty-depriving security measures are most often found when system designers failed to take security into account from the beginning. They’re Band-aids, and evidence of bad security planning. When security is designed into a system, it can work without forcing people to give up their freedoms.

Likewise cries for more surveillance also miss the point. Have more data doesn’t always mean you have more usable information, in fact quite the opposite is true. If you gather too much data you’ll have to sift through tons of garbage to find a few good items:

Demands for even more surveillance miss the point. The problem is not obtaining data, it’s deciding which data is worth analyzing and then interpreting it. Everyone already leaves a wide audit trail as we go through life, and law enforcement can already access those records with search warrants. The FBI quickly pieced together the terrorists’ identities and the last few months of their lives, once they knew where to look. If they had thrown up their hands and said that they couldn’t figure out who did it or how, they might have a case for needing more surveillance data. But they didn’t, and they don’t.

More data can even be counterproductive. The NSA and the CIA have been criticized for relying too much on signals intelligence, and not enough on human intelligence. The East German police collected data on four million East Germans, roughly a quarter of their population. Yet they did not foresee the peaceful overthrow of the Communist government because they invested heavily in data collection instead of data interpretation. We need more intelligence agents squatting on the ground in the Middle East arguing the Koran, not sitting in Washington arguing about wiretapping laws.

And this my friends is the difference between the government’s so called security experts and somebody who intimately understands security. Just having more data isn’t a good thing, it’s a liability. Likewise adding bandages to previously exploited security flaws doesn’t accomplish anything either. Security is only effective if it’s placed in the design from the start.

I wish our law makers would realize these things instead of using their “we must do SOMETHING” mentality that we’ve conditioned them to do.