Public-Interest Tech at the RSA Conference

Our work in cybersecurity is inexorably intertwined with public policy and -- more generally -- the public interest. It's obvious in the debates on encryption and vulnerability disclosure, but it's also part of the policy discussions about the Internet of Things, cryptocurrencies, artificial intelligence, social media platforms, and pretty much everything else related to IT.

This societal dimension to our traditionally technical area is bringing with it a need for public-interest technologists.

Defining this term is difficult. One blog post described public-interest technologists as "technology practitioners who focus on social justice, the common good, and/or the public interest." A group of academics in this field wrote that "public-interest technology refers to the study and application of technology expertise to advance the public interest/generate public benefits/promote the public good."

I think of public-interest technologists as people who combine their technological expertise with a public-interest focus, either by working on tech policy (for the EFF or as a congressional staffer, as examples), working on a technology project with a public benefit (such as Tor or Signal), or working as a more traditional technologist for an organization with a public-interest focus (providing IT security for Human Rights Watch, as an example). Public-interest technology isn't one thing; it's many things. And not everyone likes the term. Maybe it's not the most accurate term for what different people do, but it's the best umbrella term that covers everyone.

It's a growing field -- one far broader than cybersecurity -- and one that I am increasingly focusing my time on. I maintain a resources page for public-interest technology. (This is the single best document to read about the current state of public-interest technology, and what is still to be done.)

This year, I am bringing some of these ideas to the RSA Conference. In partnership with the Ford Foundation, I am hosting a mini-track on public-interest technology. Six sessions throughout the day on Thursday will highlight different aspects of this important work. We'll look at public-interest technologists inside governments, as part of civil society, at universities, and in corporate environments.

  1. How Public-Interest Technologists are Changing the World. This introductory panel lays the groundwork for the day to come. I'll be joined on stage with Matt Mitchell of Tactical Tech, and we'll discuss how public-interest technologists are already changing the world.
  2. Public-Interest Tech in Silicon Valley. Most of us work for technology companies, and this panel discusses public-interest technology work within companies. Mitchell Baker of Mozilla Corp. and Cindy Cohn of the EFF will lead the discussion, looking at both public-interest projects within corporations and employee activism initiatives by corporate employees.
  3. Working in Civil Society. Bringing a technological perspective into civil society can transform how organizations do their work. Through a series of lightning talks, this session examines how this transformation can happen from a variety of perspectives: exposing government surveillance, protecting journalists worldwide, preserving a free and open Internet, bringing a security focus to artificial intelligence research, protecting NGO networks, and more. For those of us in security, bringing tech tools to those who need them is core to what we do.
  4. Government Needs You. Government needs technologists at all levels. We're needed on legislative staffs and at regulatory agencies in order to make effective tech policy, but we're also needed elsewhere to implement policy more broadly. We're needed to advise courts, testify at hearings, and serve on advisory committees. At this session, you'll hear from public-interest technologists who have had a major impact on government from a variety of positions, and learn about ways you can get involved.
  5. Changing Academia. Higher education needs to incorporate a public-interest perspective in technology departments, and a technology perspective in public-policy departments. This could look like ethics courses for computer science majors, programming for law students, or joint degrees that combine technology and social science. Danny Weitzner of MIT and Latanya Sweeney of Harvard will discuss efforts to build these sorts of interdisciplinary classes, programs, and institutes.
  6. The Future of Public-Interest Tech. Creating an environment where public-interest technology can flourish will require a robust pipeline: more people wanting to go into this field, more places for them to go, and an improved market that matches supply with demand. In this closing session, Jenny Toomey of the Ford Foundation and I will sum up the day and discuss future directions for growing the field, funding trajectories, highlighting outstanding needs and gaps, and describing how you can get involved.

Check here for times and locations, and be sure to reserve your seat.

We all need to help. I don't mean that we all need to quit our jobs and go work on legislative staffs; there's a lot we can do while still maintaining our existing careers. We can advise governments and other public-interest organizations. We can agitate for the public interest inside the corporations we work for. We can speak at conferences and write opinion pieces for publication. We can teach part-time at all levels. But some of us will need to do this full-time.

There's an interesting parallel to public-interest law, which covers everything from human-rights lawyers to public defenders. In the 1960s, that field didn't exist. The field was deliberately created, funded by organizations like the Ford Foundation. They created a world where public-interest law is valued. Today, when the ACLU advertises for a staff attorney, paying a third to a tenth of a normal salary, it gets hundreds of applicants. Today, 20% of Harvard Law School grads go into public-interest law, while the percentage of computer science grads doing public-interest work is basically zero. This is what we need to fix.

Please stop in at my mini-track. Come for a panel that interests you, or stay for the whole day. Bring your ideas. Find me to talk about this further. Pretty much all the major policy debates of this century will have a strong technological component -- and an important cybersecurity angle -- and we all need to get involved.

This essay originally appeared on the RSA Conference blog.

Michael Brennan of the Ford Foundation also wrote an essay on the event.

Posted on February 1, 2019 at 9:48 AM • 22 Comments

Comments

AT February 1, 2019 11:51 AM

It is very hard to talk about hacking ethics in a global tech world with no hard-and-fast ethical principles. You can talk about it in the context of religion (not really a good fit for academia) or in the context of actions and consequences (more as a historical view). You can also talk about it in the context of *laws*, which, clearly, are geographically dependent.

bttb February 1, 2019 12:04 PM

From today's Guardian https://www.theguardian.com/us-news/2019/feb/01/sacramento-rally-fbi-kkk-domestic-terrorism-california :

"Revealed: FBI investigated civil rights group as 'terrorism' threat and viewed KKK as victims

Bureau spied on California activists, citing potential ‘conspiracy’ against the ‘rights’ of neo-Nazis


The FBI opened a “domestic terrorism” investigation into a civil rights group in California, labeling the activists “extremists” after they protested against neo-Nazis in 2016, new documents reveal.

Federal authorities ran a surveillance operation on By Any Means Necessary (Bamn), spying on the leftist group’s movements in an inquiry that came after one of Bamn’s members was stabbed at the white supremacist rally, according to documents obtained by the Guardian. The FBI’s Bamn files reveal:..."

Also:

https://assets.documentcloud.org/documents/5686261/2019-01-11-FBI-Antifa-RL.pdf (FBI FOIA stuff, with date 20 October 2016)

https://twitter.com/nycsouthpaw/status/1091388751182512133

https://twitter.com/SamTLevin/status/1091383780365848577

David Rudling February 1, 2019 12:09 PM

@Bruce

The link pointed to at

"I am bringing some of these ideas to the RSA Conference"

doesn't work at present.

Petre Peter February 1, 2019 1:15 PM

Not sure if a public interest technologist concentrating on privacy can be a bit of a paradox.

Clive Robinson February 1, 2019 2:08 PM

@ Bruce,

Our work in cybersecurity is inexorably intertwined with public policy and -- more generally -- the public interest.

Depending on view point "public interest" is the "citizen" perspective and "public policy" is that of the "government".

In what is now the US the founding fathers had a very dim view of governments "wants" because of "General Warrants" that lasted the lifetime of a monarch (English Kings Georges II/III). Thus their viewpoint that government at all times should remain the servant of the citizens and most certainly not the other way around. Thus the legislation of the nascent US was set up to reflect that view point.

Unfortunately not just the US government but others be they monarchies/republics and declared democratic or tyrannical/despotic have the opposite view that the views of "their government" self interests not the "peoples government" societal interests should take primacy. Based on the quaint argument that "if the people" wanted change then they would bring it about, which unfortunately on analysis is not a despot or tyrant's death wish, but an excuse to grab yet more power to prevent a peaceful removal of unwanted leaders by the people. The same is true even in democracies when the likes of encouraged "tactical voting" go horribly wrong (see rise of far right in Europe and what happened on a revote after five months in Austria[1]).

The old maxim about power should not be given to those that seek it, appears to be especially true these days.

A number of journalistic commentators have used the "low voter turn out" which is very common in democracies these days to argue that voters are apathetic or have just lost faith in the system. Either way the "mice will play when the cat is away" or asleep. A consequence of this is agenda change by a thousand small steps favours the politicians and the often quite hostile government entities and their agencies.

Government entities and those that work in their agencies know there is little or no reprisals if they push their agenda hard at any level (see FBI agents committing perjury etc). Thus they see it as a "draw-win" situation for them, which means for the citizen it is unfortunately and inevitably one of "lose-draw".

As long as such a system exists government and its entities will over time advance via self interest into a totalitarian position. The only way currently to stop it is for the citizens to force a draw every time, which let's be honest is unlikely to happen due to the contrary nature of the human condition...

Thus a major but required step to gaining and securing "effective privacy" for the citizens against both politicians and government entities is to force a change such that both politicians and government entities and their agencies do suffer both losses and limitations, whilst the citizens actually do need to be more involved to protect their interests.

Back a century before WWII political corruption in England of what was in effect a closed candidate political system met stiff opposition from the "Chartists Movement". They had six simple aims to correct the political system peacefully and lawfully[2]. Of their six points they got all but the sixth of,

Annual Parliamentary elections

This was the one the politicians would not concede ground on. Which is unfortunate because long periods between elections effectively puts the cat to sleep, allowing the mice to play for far longer than they should. In this day and age there is no legitimate excuse for allowing politicians such long periods of virtually unrestricted "self interest".

I feel that unless there is a modern day Chartist Movement to curb not just politicians but government entities it will soon be too late to do anything. After all as Stalin once noted it's not the votes that count but who counts them. In effect making the point that government is a parasite that digs its way into the "body of society" and beyond a certain point its removal like that of any tick when sufficiently embedded requires violence to be done against the parasite.

But there is another more gentle issue to consider, frequent adjustments give rise to not just a smooth journey but a more economic one that is much less likely to end in disaster. Any pilot, ships master or vehicle driver knows this. Frequent voting by citizens will have a similar effect on both politicians and government entities, as long as the hand on the controls retains independence from the machine.

It is really time we admit that "Representational Democracy" is not "democracy" in any way shape or form. It is in effect a beauty pageant of individuals where the contestants have been selected by a "hidden hand" and if they win then they get four years at the table of the chimpanzee tea party. Ask yourself if this sounds like "A sound idea for good governance?"...

Put simply if the citizens are to be in control of the government as the founding fathers desired to stop abuses of citizens rights then the system of control needs to be one that is kept in line with that goal preferably with minimal changes at each step of the journey. I think few outside of politics would argue that they have that level of much needed control.

[1] https://www.economist.com/europe/2016/12/04/populism-hits-a-snag-in-austrias-presidential-election

[2] https://en.m.wikipedia.org/wiki/Chartism

Faustus February 1, 2019 2:29 PM

Am I mis-remembering or was RSA caught a while back accepting payment from the NSA for intentionally selling its customers compromised encryption? That would be some interesting public tech!!

Clive Robinson February 1, 2019 4:35 PM

@ Faustus,

Am I mis-remembering or was RSA caught a while back accepting payment from the NSA for intentionally selling its customers compromised encryption?

You are misremembering but not by much, oh and you forgot to mention Jupiter Networks "unknown persons" problem that was quite similar.

The issue was the NSA sponsored Dual Elliptic Curve Digital Random Bit Generator (don't try saying it fast otherwise you'll end up spraying the room). Almost certainly based on the purloined work of others.

At the time the generator was under the care of NIST who approved it despite considerable concern over the behaviour of an NSA employee (likewise ANSI and ISO).

From memory, Niels Ferguson --who our host has worked with-- who was at that time working IIRC for Microsoft had misgivings about the NSA Generator for a number of reasons, not least because it was slow (almost "two legged dog slow" in comparison to other algorithms up before NIST). In his misgivings he was not the only one.

However he went on to show using the ideas of Adam Young and Moti Yung for "Kleptography" to not just look for but demonstrate that Dual_EC_DRBG potentially had an NSA NOBUS backdoor. Which he not only did he demonstrate was probable, but he did the public a great service by publishing (Which is inline with this threads subject).

This put NIST in an awkward spot because they had confirmed Dual_EC_DRBG along with three other algorithms in a Federal Information Processing Standard (FIPS) NIST SP 800-90. Our host had some fairly scathing comments to make about the algorithm, the standard, NIST and some side comments about the NSA behaviour, in his normal mild mannered way.

What RSA did was during the development of its BSAFE product it oddly gave the slow and inefficient Dual_EC_DRBG "default prominence" as the RNG to use in that "library" that got incorporated in other products. RSA also did receive money from the NSA of 10 million USD however what it was for specifically has more or less been in dispute.

However a Reuters news agency article "alleged" that the NSA paid RSA Security $10 million in a secret deal to use Dual_EC_DRBG as the default. RSA obviously dispute this, but... previously the NYT had published information that came from "secret documents" that the NSA had backdoored an algorithm (name unknown). Later Ed Snowden trove documents indicated this was as part of project BULL RUN.

Important to note is that the mid 1990's work of Adam Young and Moti Yung very much described in detail how to implement such a NOBUS backdoor. So much so it is extremely likely it was their work the NSA effectively stole to make the NOBUS backdoor in Dual_EC_DRBG. Which in a way is odd... The NSA puts itself out there as employing the best mathematicians out there and being decades ahead of both industry and academia... so why do they need to use "publicly published" works? (a thought I've had other causes to think about since long before Stuxnet etc).

Also it was later found a well known high end network equipment manufacturer (Jupiter) announced that their implementation had been modified by "persons unknown". Why they would be "unknown" is a bit of an open question. Some have suggested it was an "insider attack" by people working for the NSA.

However what is known is the NSA were spending a quarter of a billion dollars a year at the time on "backdooring" other peoples software and systems...

Further for years I've said on this blog if I was the NSA I would look at subverting,

1, Standards.
2, Protocols.
3, Implementations.

So far that prediction appears to be correct. Whilst I expect that to continue I feel that the prediction needs a little update that is also very much inline with this thread. As much of what the NSA has been broadly up to is now public knowledge, it's going to make the three above approaches much much more difficult. Thus their next most likely attack method will be,

0, Legislation.

Which appears very much to be the case one way or another through the Five-Eyes and UK and Australian legislation.

But it leaves open an interesting thought which I and I hope many others will think about, "We know that the NSA will not give up on their ambitions, so where will they go if the legislative route gets blocked by 'public interest'?".

As they say "Watch this space" ;-)

Thoth February 1, 2019 10:02 PM

A good try to talk about the mentioned issues to bring back more defensive security rather than focus on offensive compromisation in state actors.

Btw, RSA Conference != RSA Inc. They are different companies. One is a conference organiser and the other is an ITSec company.

Wo February 1, 2019 10:40 PM

Really wish I knew what was meant by social justice. If it means helping people, great! I'm all for it. If it means tearing people down and making everyone miserable, I want nothing to do with it.

I still cautiously trust Bruce but I have been burnt a great deal in recent years by groups claiming to promote social justice.


To Bruce - what qualifies as a technologist here? Is it a sys admin? Programmer? Is a background in law required?

A Nonny Bunny February 2, 2019 3:03 PM

@bttb

Federal authorities ran a surveillance operation on By Any Means Necessary
Y'know, given the name, I'm not at all surprised. It doesn't exactly inspire confidence that they'd stop at peaceful (counter)protests.

Faustus February 2, 2019 4:14 PM

@ Thoth

Wikipedia indicates multiple connections between the RSA conference and RSA company. https://en.m.wikipedia.org/wiki/RSA_Conference

Could I hold an IBM or a Starbucks conference without their involvement?

That's why I am naming my justice conference "The Salem Witch Trials Justice Conference"*

And my good governance conference
"The Nixon Watergate Good Governance Conference"*

*Absolutely no connection intended or implied.

"Salem Witch Trials" and "Nixon Watergate" just sounded too good to pass up. It's not my fault if the ignorant make absurdly unjustified connections with actual real history.

Faustus February 2, 2019 4:19 PM

@ A nonny bunny

"By Any Means Necessary" the government operation != "By Any Means Necessary" the authoritarian world view.

Ian February 4, 2019 2:23 PM

Bruce, thanks for posting about this event. Unfortunately, I will not be able to attend. I hope there is video of the event that can be viewed later. Whether this is the case, please keep posting about events like this- hopefully the stars will align in such a way I can attend.

David Rudling February 4, 2019 4:29 PM

@Bruce
Just for the record, as of today the link pointed to at
"I am bringing some of these ideas to the RSA Conference"
is working but not that pointed to at
"partnership"

Drive-By Idealogue February 10, 2019 9:51 PM

Today, 20% of Harvard Law School grads go into public-interest law, while the percentage of computer science grads doing public-interest work is basically zero.

This seems to discount too much the fact that in CS all the contributions to FOSS/etc can be viewed as public-interest work. If it weren't for the - possibly quite necessary - high bar for contribution to public-interest law, one could easily imagine a similar dynamic. I.e. if lawyers with day jobs could donate an hour of their evening to public-interest law as easily as a CS person can, then I think there would be less of a disparity to feed the narrative being expressed here.

Petre Peter April 23, 2019 7:25 PM

public interest is, in the long run, the only force for honesty in government -D. Khan
