I possess a strong civil libertarian streak, and as such, I'm naturally skeptical of government surveillance authorities in general and bulk authorities in particular. I donate to the ACLU Foundation and the EFF and volunteer my time to assist defendants in some cases and occasionally participate in amicus briefs. But I'm also a realist. I recognize that circumstances exist where targeted surveillance is not only appropriate but morally justified.
For example, I would have approved of the FBI's operation against Tor last year—used to bulk-identify drug dealers and pedophiles—had the FBI bothered to seek a Title III wiretap warrant instead of just taking advantage of Carnegie Mellon attacking Tor with federal funding. And I disagree with many of my colleagues about the changes to Rule 41, which I believe to be absolutely necessary. I note with concern that the FBI very nearly lost the Silk Road case because they likely hacked a server without a warrant—a warrant they could easily get under the revised Rule 41—and then appeared to lie about it in court. But for the fortunate incompetence and/or greed of the defense, critical evidence would likely have been suppressed by the court.
My test for surveillance authorities—especially bulk authorities and target selection—is bipartite and can be summarized as "WWJEHD" (What Would J Edgar Hoover Do) and "WWDGSED" (What Would the DGSE Do). The latter is a matter of reciprocity: what would our supposed "friends" (but sometimes opponents in matters of intelligence) do to us that we have already done to them? The WWDGSED test is why I worry about the NSA's SIGINT development activities. The NSA and GCHQ hacking of Belgacom and Gemalto invites the DGSE to hack AT&T and RSA for the very same reasons and using the same techniques.
But the WWJEHD test gives me greater pause, as it should for others. External threats are bad, but inside threats are the most pernicious. Nearly any authority or capability presents at least some opportunity for abuse, and those authorities that operate without a judicial check or permit broad targeting are especially troublesome. It was only fifty years ago that J Edgar Hoover's FBI tried to blackmail Martin Luther King, using comparatively primitive surveillance tools. What could the next Hoover do wielding 702 authorities? Section 215-style metadata databases? The authorities contained in the British IP bill?
It gratifies me to see that Susan Hennessey—who comes from a substantially different background—struggles with the same concerns in a slightly different form: What would a bigoted demagogue (be it Trump or Le Pen) do?
Between Trump and Le Pen, when do we who advocate for robust nat sec have an obligation to consider tools in genuinely malevolent hands?
— Susan Hennessey (@Susan_Hennessey) December 8, 2015
These are the questions we should all be asking, and it is the balancing act we must perform against expanding surveillance capabilities. At the end of the day, who poses the greater threat to our democracy: a couple of terrorists with guns or Donald Trump with current US surveillance authorities?