[Cryptography] Hayden on encryption v. metadata

Tue Apr 5 13:23:31 EDT 2016

On 2016-04-05 18:45, Jerry Leichter wrote:

>> "reasonable expectation of privacy" may still be a thing in the US 
>> context. It is not a terribly relevant criterium in most of the rest 
>> of the industrialized world...
> Do you want to talk about legality or about reality?

As a legal doctrine. I do law, I don't do reality ;-)

> Yes, we need to provide much better protections for privacy in the
> legal domain, especially in the US - though frankly I don't know any
> part of the world that's immune.  (I know many European nations want
> to feel holier than though, but look at what they are doing to
> themselves post-Brussels.  Fear is a great motivator; unfortunately,
> what it motivates is rarely based on much thought about consequences.)

The fundamental difference between the US and the EU hypocrisy that you 
are rightfully pointing out is that the EU and the CoE have legal 
mechanisms for redressing that hypocrisy. Those mechanisms are being 
actively used and are highly likely to have the reining in of GCHQ and 
others as a result.

Since the Amnesty International USA SCOTUS case we know that even as an 
American citizen you don't have standing unless you can prove harm. 
Something the European Court of Human Rights (ECtHR) specifically has 
addressed in the Sakharov case in which it ruled against Russia's 
blanket surveillance. Which makes me willing to bet that it will rule 
against the UK and NL in the GCHQ case later this year. There is not 
even a glimmer of hope for such a viable case in the US context.

And that was the fundamental issue in the Schrems-case, the Court of 
Justice of the European Union (CJEU) had a reasoning that was pivoting 
on a lack of redress, no less than on the blanket surveillance.

> But the *reality* is exactly as Dan has stated it:  By using something
> that keeps you connected continuously, you're inherently making
> yourself continuously trackable.  Bug?  Feature?  Both!  When it
> serves you - feature.  When it serves someone who means you harm -
> bug.  When it serves someone who wants to give you a good deal based
> on your location outside their store - well, it depends.
> 
> I'll agree that Dan should probably not have used the legal phrase
> "reasonable expectation of privacy", with all the freight it brings
> with it.  Rephrase it as:  It's unreasonable to expect privacy if
> you're carrying a continuously connected device around with you and
> it's a truism.

No it is not. It is unreasonable to track someone everywhere that 
someone goes because you *can*. Because it ultimately destroys 
fundamental values we hold dear in a democratic society with the rule of 
law. Values like freedom of expression, freedom of association, religion 
and of conscience. Because all that "harmless" meta-data provides 
insights in your attendance of your place of worship, the books you 
read, the people you talk to etc. People will and do change their 
behaviour in the face of such pervasive monitoring.

It is not unlike saying "It's unreasonable to expect not to get raped if 
you walk around naked, even if you do so without realising".

The growth of our data shadows is a reason to have proper frameworks 
safeguarding the values I mentioned, not an excuse to strip us from our 
fundamental rights.

Regards,

  Walter