Guide: A LOOK THROUGH NSA'S PRISM
better security, but you have to give up some freedom. The
more secure you want to be, the more freedom you have to
give up. It's a simple relationship to understand, but hard to
recognize in your life. Take car insurance as an example. It gives you the security of knowing you'll be protected against financial hardship if you're in an accident. But the trade-off is that you have to give up the freedom to spend your insurance premiums on something else. You get security, but it costs you.
An organizational security policy requiring users to use
strong passwords works the same way. The organization gets
the security of knowing its passwords will be hard to crack if stolen, thus protecting its information systems. However, users lose the freedom of choosing any password they like. The
organization may also experience other losses in the form of reduced employee productivity or lower morale.
It's important to understand the trade-off between security and freedom because you'll hear people talk about getting more of one without talking about losing the other. A prominent example of this is the recent revelation of the National
Security Agency's (NSA) PRISM program.
NSA's PRISM
On June 6, 2013, Edward Snowden leaked top-secret PowerPoint slides detailing the NSA's secret global surveillance program codenamed PRISM. The PRISM program started in 2007 and was designed to access data from nine service providers: Google, Microsoft, Yahoo!, Facebook, PalTalk, YouTube, Skype, AOL, and Apple.14
PRISM, according to the leaked slides, was designed to access email, videos, photos, video and voice chat, file transfers, VoIP, stored data, videoconferencing, login activity, social networking activity, and something called "special requests" at service providers. Google, Microsoft, Yahoo!, and Facebook categorically denied providing access to the U.S. government except for a relatively small number of specific requests.15
The public doesn't know how many people have been affected by PRISM, but a 2014 transparency report put out by the Office of the Director of Intelligence indicated that 89,000 "targets" were spied on during 2013. The only problem is that a "target" could refer to individuals, groups, companies, foreign powers, or even a facility. It's likely the actual number of people affected could be several orders of magnitude larger.16
14. Timothy Lee, "Here's Everything We Know About PRISM to Date," The Washington Post, June 12, 2013, accessed June 27, 2014, www.washingtonpost.com/blogs/wonkblog/wp/2013/06/12/heres-everything-we-know-about-prism-to-date/.
15. Ibid.
16. Kim Zetter, "U.S. Says It Spied on 89,000 Targets Last Year, but the Number Is Deceptive," Wired, June 27, 2014, www.wired.com/2014/06/90000-foreigners-targeted-for-spying/.
The Privacy Versus Security Trade-off
Privacy advocates were outraged at the existence of PRISM and called for congressional investigations. They claimed that their privacy, or freedom from being observed by other people, was being destroyed in the name of security, or state of being free from danger. The Internet companies involved faced substantial backlash from customers claiming they were aiding the U.S. government in their efforts to erode their civil liberties.
Edward Snowden commented on PRISM, saying, "If we want to be free, we can't become subject to surveillance. We can't give away our privacy."17 James R. Clapper, director of National Intelligence, stated "the unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans."18 White House Spokesman Josh Earnest summed it up by saying, "The President welcomes a discussion of the trade-offs between security and civil liberties."19
For centuries people have known that security comes at a cost. Jean-Jacques Rousseau's 1762 book The Social Contract or Principles of Political Right quotes Count Palatine of Posen in Latin: "Malo periculosam, libertatem quam quietam servitutem," which translates as "I prefer dangerous freedom over peaceful slavery."
So, the important question becomes, when you look through NSA's PRISM do you see it providing increased security or reducing your freedom from being observed, in other words, your privacy? Put another way, are you concerned about being more secure or having more freedom in your life? Undoubtedly your values, beliefs, and past experiences color your answers to these questions.
Another way to think about this trade-off is to imagine how your behavior might change if you were constantly being monitored. Would you still get those delicious-tasting hamburgers at the seedy bar down the street or stop going there because you're worried credit card charges could be used against you somehow? Would you still hang out with friends from other countries or stop because you're worried it might somehow prevent you from getting a security clearance? Would you have behaved differently on your date last week if a parent was silently taking notes in the back seat?
The Trade-off in Organizations
Understanding the trade-off between security and freedom will help you see the rationale behind organizational security policies and procedures. You'll understand that someone touting improved security is also indirectly advocating a loss of freedom in some manner. The contrary is also true.
For example, some people find the PRISM monitoring to be too invasive. They want to live their lives without their government spying on them. But monitoring does have its benefits. It could be used to make you safer by stopping a terrorist attack. Similarly, employee monitoring can be seen as too invasive. But it can also be used to reduce theft. In the end, it's a balancing act. Can you have both great security and lots of freedom?
Information security managers try to do just that. They try to prevent losses like data theft (security) while enabling innovation (freedom). In short, they try to be like bulletproof glass: protective and transparent.
DISCUSSION QUESTIONS
1. Using both the categorical imperative (pages 20-21) and utilitarianism (pages 56-57), assess the ethics of spying. Consider a government spying on its own citizens, foreign militaries, foreign governments, foreign corporations, or foreign citizens.
2. Describe what you think should be done with the NSA's PRISM program. Should it be continued without change, given more public oversight, substantially reduced in functionality, or discontinued altogether? Justify your decision.
3. Without the illegal disclosure of top-secret documents by Edward Snowden, the PRISM program may never have been discovered. Were Snowden's actions ethical? Consider both the categorical imperative and utilitarianism perspectives in your response.
4. What is your opinion of employee monitoring? What effect does employee monitoring have on employee morale? How could employee monitoring make the organization more secure?
5. Describe the differences between freedom and privacy. Does a loss of privacy always mean a loss of freedom? If so, freedom from what? Can you lose freedom without losing privacy? Describe how your conclusions about the differences in these words pertain to PRISM.
17. Matthew Cole, Richard Esposito, Bill Dedman, and Mark Schone, "Traitor or Patriot? Edward Snowden Sits Down with Brian Williams," NBC News, May 28, 2014, www.nbcnews.com/feature/edward-snowden-interview/traitor-or-patriot-edward-snowden-sits-down-brian-williams-n117006.
18. Charlie Savage, Edward Wyatt, Peter Baker, and Michael Shear, "Intelligence Chief Calls Leaks on U.S. Data Collection 'Reprehensible,'" The New York Times, June 7, 2013, accessed June 28, 2014, www.nytimes.com/2013/06/08/us/intelligence-chief-calls-leaks-on-us-data-collection-reprehensible.html.
19. Ibid.