By Jennifer Granick
Feb. 1, 2006
As Congress considers reauthorization of the USA Patriot Act, we could really use a few good hackers in the debate.
Hackers already know a lot about how to build a system that works, whether it’s a network or a government. That’s because the principles our legal system employs to protect life and liberty are very similar to the principles that computer scientists use to design secure systems. We need hackers right now because — whether they know it or not — they understand democracy.
Take a close look at our nation’s current surveillance laws and you’ll see some of the bedrock legal principles of democracy at work. These include the separation of powers, checks and balances, due process, burden of proof, transparency and oversight, limited discretion and the rule of law. Both the Wiretap Act and the Foreign Intelligence Surveillance Act, or FISA, enlist these principles to make sure that when the government listens in on our conversations, it does so in accordance with the values of a free society.
You can compare these legal concepts to the eight principles for designing secure systems set forth in an article by Jerome Saltzer and Michael Schroeder and discussed in Computer Security: Art and Science by Matt Bishop, where I ran across them. These principles are:
- Separation of privilege: The protection mechanism should grant access based on more than one piece of information.
- Least privilege: The protection mechanism should force every process to operate with the minimum privileges needed to perform its task.
- Open design: The protection mechanism should not depend on attackers being ignorant of its design to succeed. It may, however, be based on the attacker’s ignorance of specific information such as passwords or cipher keys.
- Fail-safe defaults: The protection mechanism should deny access by default, and grant access only when explicit permission exists.
- Complete mediation: The protection mechanism should check every access to every object.
- Economy of mechanism: The protection mechanism should have a simple and small design.
- Least common mechanism: The protection mechanism should be shared as little as possible among users.
- Psychological acceptability: The protection mechanism should be easy to use (at least as easy as not using it).
Separation of privilege is like the separation of powers coded into the Constitution. A computer system requires a user name and password; a surveillance warrant requires executive and judicial examination.
Least privilege resembles the Constitution’s enumerated powers or the surveillance statutes’ general prohibition on eavesdropping. The law broadly prohibits intercepting communications, then specifically defines limited exceptions to that rule, including probable cause. Just as you don’t need root to do word processing, you don’t need to listen in on everyone’s conversations to fight crime.
Open design is analogous to transparency and oversight: If electronic surveillance is carried out as part of a criminal probe, at some point the target of the investigation — and all the people he spoke with who were eavesdropped upon — must be told about it. More on point, Congress and the public know the legal process, and there are strict reporting requirements, even if the specific information about the wiretap applications is kept from view.
If, as the Bush administration has recently asserted, our homeland security hinged on nobody knowing that the government was conducting warrantless wiretaps, then the program’s benefit was illusory to begin with. As the old hacker adage puts it, security through obscurity is no security at all.
We “fail-safe” by denying the government access to our private communications by default, and granting it in an emergency. In a bigger sense, we fail-safe by outlawing antisocial behavior, even though we understand that there may be extenuating circumstances that we consider on a case-by-case basis. That’s why we need a law against torture, regardless of hypothetical ticking-bomb situations in which some might justify the practice.
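The four principles the essay has mapped so far, expressed as a minimal reference monitor: two independent pieces of authority must agree (separation of privilege), the order names one target and lapses (least privilege), every decision is logged (open design), nothing is permitted unless every check passes (fail-safe defaults), and every request passes through one choke point (complete mediation). This is an added illustration, not code from the article or from Saltzer and Schroeder; the classes, target names and day counter are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the essay's analogy (added example, not from the article).


@dataclass(frozen=True)
class ExecutiveApplication:
    """The executive branch's request to intercept a named target."""
    target: str
    probable_cause: bool


@dataclass(frozen=True)
class JudicialOrder:
    """The court's approval, limited to one target and a fixed period."""
    target: str
    expires_day: int


@dataclass
class ReferenceMonitor:
    orders: dict = field(default_factory=dict)     # target -> JudicialOrder
    audit_log: list = field(default_factory=list)  # every decision is recorded

    def issue_order(self, app: ExecutiveApplication, today: int, days: int = 30) -> bool:
        # The court acts only on an application that states probable cause.
        if not app.probable_cause:
            return False
        self.orders[app.target] = JudicialOrder(app.target, today + days)
        return True

    def authorize(self, app: ExecutiveApplication, target: str, today: int) -> bool:
        """Single choke point: True only when every condition holds, False otherwise."""
        order = self.orders.get(target)
        allowed = (
            order is not None               # judicial half of the two-part check
            and app.target == target        # executive half must name the same target
            and order.target == target      # order is scoped to this target only
            and today <= order.expires_day  # authority lapses; it is not open-ended
        )
        self.audit_log.append((target, today, allowed))
        return allowed
```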