Hit Refresh
Page 16
The ultimate solution to the privacy-versus-security dilemma is to ensure trust on all sides, which is no glib line. Customers must trust that we will protect their privacy, but we must be transparent about the legal conditions in which we won’t. Similarly, public officials must trust that we can be counted on to help them protect public safety, so long as the rules protecting individual freedom are clear and followed consistently. But building and maintaining both kinds of trust—finding the balance between individual and public obligations—has always defined the progress of institutions. But it may be more art than science.
In an engaging TED talk, the British conductor Charles Hazelwood describes the critical importance of trust in leading an orchestra. A conductor’s instrument, of course, is the orchestra itself, and so when he raises the wand, he has to trust that the musicians will respond, and the musicians have to trust that he will create a collective environment within which each can do his or her best work. Based on this experience, Hazelwood speaks of trust as being like holding a small bird in your hand. If you hold it too tightly, you will crush the bird; hold it too loosely, and it will fly away.
That bird symbolizes trust in a time of transition to a digital world. But today we’re in a confused state in which that bird is in a precarious place. And a great deal is at stake. The United States is a beacon for democracy. It is also a technology powerhouse that is leading the wave in cloud computing, but the Snowden case broke a crucial ingredient in cloud computing—trust. How could we be an American cloud computing company, asking the world to trust us, when the NSA is using commercial services to spy on people up to and including heads of state?
As tech companies, we have to design trust into everything we do. But policymakers also have an important role. Trust is not only dependent on our technology but also the legal framework that governs it. In this new digital world, we’ve lost the balance we need in large part because our laws have not caught up with technological changes.
Later on, I’ll discuss what a modern policy framework designed to instill trust might look like. But first I’d like to explore the very essence of trust and how it has shaped our values and founding principles.
My mother, the Sanskrit scholar, and I always enjoyed examining the definitions and philosophies behind Eastern and Western words, which often expose crucial differences between the ways of thinking embedded in these two cultures. The Sanskrit word vishvasa communicates trustworthiness and reliability. Another Sanskrit word is shraddha, which connotes a religious sense of faith, trust, and belief—but rather than a blind faith, it is a faith reminiscent of President Ronald Reagan’s famous line, “Trust but verify.”
In any case, in both English and Sanskrit, trust, like so many words, is a Venn diagram with many overlapping meanings. In either context, for me, trust is a sacred responsibility.
As a computer engineer, I find it helpful to express complex ideas and concepts according to the schemas or algorithms we would use if we were writing a computer program. What are the instructions to write to produce trust? Of course, there is no mathematical equation for such a humanistic outcome. But if there were, it might look something like this:
E + SV + SR = T/t
Empathy + Shared values + Safety and Reliability = Trust over time
When we were in the midst of negotiating the acquisition of LinkedIn in 2016, their CEO Jeff Weiner turned to me and said, “Consistency over time is trust.” That may be an even better equation.
Notice that the first term in my equation for trust is Empathy. Whether you are a company designing a product or a lawmaker designing a policy, you must start by empathizing with people and their needs. No product or policy works if it fails to reflect and honor the lives and realities of people—and that requires those who design the product or the policy to truly understand and respect the values and experiences underlying those realities. So Empathy is a crucial ingredient in developing a product or a policy that will earn people’s trust.
Next, if we hope to build a lasting foundation of trust between a company and its customers or partners—or, for that matter, between policymakers and those affected by policies—we need to have shared values, such as being consistent, equitable, and diverse. Have we prioritized safety and reliability, and ensured that those whose lives we touch can count on experiencing those qualities day in and day out? If we have, we will build trust over time. And trust, in turn, enables people and organizations to have the confidence to experience, explore, experiment, and express. Trust in today’s digital world means everything.
In a 2002 memo Bill Gates sent to Microsoft employees, he expressed the idea that trustworthy computing is more important than any other part of our work. “If we don’t do this,” he declared, “people simply won’t be willing—or able—to take advantage of all the other great work we do.” Trust is more than a handshake. It’s the agreement, the bond, between users of digital services and the suppliers of those services that enables us to enjoy, be productive, learn, explore, express, create, be informed. We play games with friends, store confidential documents, search for things that are deeply personal, build startups, teach kids, and communicate—all over public networks. These technologies have opened new opportunities and new worlds, making it possible for like-minded, well-intentioned people from all over the planet to communicate, collaborate, learn, build, and share. But the flip side is true too. There are those who want to do harm. There are those who plan attacks, steal, insult, bully, lie, and exploit online. Trust is essential—and it is also painfully vulnerable to a multitude of forces.
I think about it this way: Good and evil play out continuously, not just in physical spaces like homes, streets, and battlefields, but in spaces that are not so visible—including cyberspace. We live in a time of what David Gelernter calls the “mirror worlds”: the physical world is mirrored in an online world where data is accumulating and taking on more and more significance. How big is our data becoming? So-called Big Data—information stored and analyzed in the cloud—is on track to reach 400 trillion gigabytes by 2018. To illustrate just how enormous that is, a researcher at the University of Pennsylvania calculated that it’s ten times the information contained in all human speech throughout history. It’s a mind-boggling quantity of data with a potential for beneficial use—as well as for abuse—that is practically limitless. So the mirror world of cyberspace has incredible potential both for good and for evil.
Just as our ethics, values, and laws have been developed and evolved over generations for the physical world, so too must our understanding and rules for the cyberworld. If American law enforcement officers wanted a document sitting in a desk drawer in Ireland, they would ask Irish law enforcement for help; they probably wouldn’t ask an American court to seize that document. And if government officials needed the combination to a specific locked vault, they wouldn’t require the vault manufacturer to create a new tool capable of opening all vaults. Yet those sorts of illogical, arguably unjust results occurred in the cases I described earlier. Principles for interactions in cyberspace need to be worked out carefully and thoughtfully with the establishment and protection of trust as an underlying objective.
Throughout history, trust has had an economic as much as an ethical purpose. Why has the United States generated so much economic opportunity and wealth? Economist Douglass North, who was co-recipient of a Noble Prize, examined this very question. He found that technical innovations alone are not enough to drive an economy to success. Legal tools like courts that will fairly enforce contracts are necessary—how else to ensure some random warlord doesn’t come along and take away your property? What separates modern humans from the caveman is trust.
The American founding fathers knew this. They defined the timeless values that undergird the First Amendment’s right of free speech. Now we need to work out digital publishing laws that will protect free speech in ways that enhance rather than undermine trust among citizens, organizations, and governments. Similarly,
the Fourth Amendment, which protects Americans against unreasonable search and seizure, is based on timeless values that must be upheld through enforcement laws that require continual updating in the face of social, political, economic, and technological change.
This dynamic has been playing out for centuries. On July 3, 1776, John Adams, then a member of the Continental Congress from Massachusetts, wrote to his wife, Abigail, from Philadelphia pointing to the grievance he saw as the origin of the American Revolution—unreasonable search and seizure by the British. For generations, the colonial government had gone house to house searching for evidence without permission. Adams’s passion for balancing individual liberties with public safety would later help to shape the drafting of the Fourth Amendment. Generations later, writing for the U.S. Supreme Court in a case involving law enforcement seizure of a smartphone, Chief Justice John Roberts made the connection between the physical world of the founding fathers and our online world of today:
Our cases have recognized that the Fourth Amendment was the founding generation’s response to the reviled “general warrants” and “writs of assistance” of the colonial era, which allowed British officers to rummage through homes in an unrestrained search for evidence of criminal activity. Opposition to such searches was in fact one of the driving forces behind the Revolution itself. . . . Modern cell phones [today] are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans “the privacies of life.”
Every wave of technological change has required us to reaffirm the values that undergird protections against unlawful search and seizure and develop new ways to protect them. Benjamin Franklin’s creation of the U.S. Postal Service quickly led to mail fraud—and to laws against it. The telegraph led to wire fraud and eavesdropping—and to laws designed to prevent them. Today’s devices, the cloud, and artificial intelligence will be used both for good and for evil. Now it is our generation’s turn to design legal and regulatory systems that will discourage and punish the evil while encouraging the good to flourish—and to do so in a fashion that will enhance the overall level of trust in society as a whole.
Thinking about the origins of laws dealing with the protection of human rights in America, I wondered how India, also a former English colony, had dealt with the same issues. Yale Law School professor Akhil Reed Amar, author of The Constitution Today and other popular books on the history of American law, said this in an interview with Time magazine: “My parents were born in undivided India, ruled by a monarch and by the Parliament that no one in India ever voted for, just like the American revolutionaries. Today, India is a billion people governing themselves democratically with a written constitution.” In that respect, the evolution of the two countries has strong parallels.
But are there differences between the American and the Indian experiences? I asked Indian constitutional scholar, Arun Thiruvengadam, this question. It turns out that, in the period just after Indian Independence from Great Britain in 1947, there was considerable resentment against the colonial government’s general misuse of criminal laws, including those that restricted free speech and those that enabled the colonial government to preventively detain Indians, often without showing any cause and on mere suspicion of antigovernment activity. So, as in the United States, the framers of India’s new constitution sought to provide guarantees against such misuse in the future, incorporating rights and provisions in their fundamental law to secure this result.
However, because of complicated factors that scholars of Indian history are still unpacking, the constitutional provisions for individual liberties were not as strong or as expansive as was initially demanded. For a variety of reasons, search and seizure provisions were not seen as particularly important, and no analog to the U.S. Fourth Amendment was incorporated in the Indian bill of rights. Since then, as successive governments have continued to make use of the old colonial mechanisms, persons accused of political crimes have sought to employ arguments from U.S. Constitutional law, including the Fourth Amendment. These efforts have had mixed results. This history reminds us that securing the liberties of the people is never a simple matter, and that social, cultural, and political factors can play unpredictable roles in shaping the rights that people take for granted.
History shows that the tension between public safety and individual liberty is often heightened in moments of national crisis. Look back over time. When Europe’s Napoleonic Wars threatened to embroil the fledgling United States, President John Adams signed into law the Alien and Sedition Acts, making it harder for immigrants to enter the United States and empowering the government to imprison non-citizens suspected of being dangerous. During the Civil War, President Abraham Lincoln suspended the writ of habeas corpus, which protected citizens from arbitrary arrest and imprisonment. In World War II, the government interred Japanese-Americans guilty of nothing except being of suspect racial origin. In the heat of conflict, the pendulum often swings toward a greater focus on security. When the moment passes, people want a more permanent equilibrium.
In grappling with today’s conflicts, we can learn from these history lessons. They tell us that we should create new processes and laws that promote public trust by facilitating timely access to data while ensuring appropriate privacy protections for individuals. This is not just my assertion. Every year, Microsoft surveys customers around the world. In 2015, 71 percent of those surveyed said that current legal protections for data security were insufficient, and 66 percent believed the police should need a warrant or its equivalent to obtain personal information stored on a PC. Meanwhile, over 70 percent believed their information stored in the cloud had the same legal protection as physical files—a belief that may or may not be valid in the current unsettled legal climate.
Today, whether in America, India, or anywhere in the world, we need a regulatory environment that promotes innovative and confident use of technology. The biggest problem is antiquated laws that are ill-suited to deal with problems like the Sony hacking case or the San Bernardino terrorist attack. In the midst of Apple’s standoff with the FBI, Microsoft’s general counsel, Brad Smith, went before Congress to argue the larger point that our laws dealing with data privacy and security are badly in need of revision. Brad pointed out that the Justice Department in the Apple case had asked a judge to apply language from a law written and passed in 1911. To illustrate the absurdity of the situation, Brad displayed an example of the leading computing device of that era—a clunky old adding machine that went on sale in 1912. “It’s amazing what you can find on the Internet.” He laughed. But Brad’s point was a serious one. We do not believe that courts should seek to resolve issues of twenty-first-century technology relying on law that was written in the era of the adding machine.
Unfortunately, it’s difficult to be optimistic about the prospects for smart, substantive policy change given the dysfunction we see not only in Washington, DC, but also in capitals around the world. There are many policy priorities competing for attention from lawmakers, but I would argue that getting the rules right for the digital revolution is among the most important. Either trust will fuel this revolution, with all the benefits it promises, or distrust will kill it.
What the events of 2013 and 2014 demonstrated is that information technologies have put the First and Fourth Amendments on steroids—computers can spread freedom of expression at lightning speed. But a chilling effect must be recognized if the government can also use technologies to eavesdrop. Think about it. In order to speak or to write—to express yourself—you must have privacy. Our freedom of expression depends to some degree on the privacy required to read, think, and draft. Those private preparations are protected under the Fourth Amendment.
In Madison’s Music, civil liberties professor Burt Neuborne writes that “a poetic vision of the interplay between democracy and individual freedom is hiding in plain sight in the brilliantly ordered text and structure of the Bill of Rights, but we have forgotten how to lo
ok for it.”
As we search, I’d like to offer my suggestions for six ways lawmakers can shape a framework for building increased societal trust in this era of digital transformation.
First, we need a more efficient system for appropriate, carefully controlled access to data by law enforcement. Among government’s many important responsibilities, none is more important than protecting its citizens from harm. Our industry needs to appreciate the importance of this responsibility, recognizing that our customers are often the very people who need protecting. From cybercrime to child exploitation, many law enforcement investigations that require the disclosure of digital evidence are aimed at protecting our users from malicious activity and helping to ensure that our cloud services are safe and secure. Therefore, under a clear legal framework that is subject to strong checks and balances, governments should have an efficient mechanism to obtain digital evidence.
Second, we need stronger privacy protections so that the security of user data is not eroded in the name of efficiency. Governments also have an obligation to protect citizens’ fundamental privacy rights. Collection of digital evidence should be targeted at specific, known users and limited to cases where reasonable evidence of crime exists. Any government demand for users’ sensitive information must be governed by a clear and transparent legal framework that is subject to independent oversight and includes an adversarial process to defend users’ rights.