Surveillance Is a Tech Problem, but It Requires a Policy Solution
Apple’s former security chief explains why he took a job with the ACLU.
The computer scientist Jon Callas is a legend of the computer security world.
For the last two years, he worked at Apple, where his job entailed breaking into the company’s products to find holes in their security systems. Before that, he co-founded the companies Silent Circle and Blackphone—purveyors of secure communications technology. And earlier in his career, he served as the chief scientist at PGP, where he helped develop one of the world’s most widely used encryption standards.
So when Callas announced last year that he would be leaving Apple to take a two-year job as a technology fellow at the American Civil Liberties Union (ACLU), it raised a few eyebrows. Why would this computer security expert be leaving a high-paying job with huge responsibility for a fellowship at a liberal NGO?
In an interview last week, Foreign Policy caught up with Callas to talk about technology, security, and the perils of Big Tech.
Foreign Policy: Why are you making this move from Apple to ACLU? I’m guessing it was a bit of a pay cut for you.
Jon Callas: Well, yes, working for an NGO doesn’t pay as well as working for a large company. A bunch of friends told me, “This is something you would be really good at.” This was in 2018, and if you look at the way the world is, it seems to me that being a technology fellow for the ACLU in 2019 and 2020 would be better for the world and more interesting than say in 2020 and 2021.
The world has a set of issues that it is facing right now, and they are acutely compelling.
I’m referring to government encroachment on civil rights, hacking all over the world, the political situation in the United States and other countries. I look at it from a broader viewpoint: that what we are going through in the United States and what’s going on in the United Kingdom and going on in France are all reflections of a great uncertainty and turmoil.
I am using surveillance as the umbrella for my work. Surveillance can be anything from the use of machine learning in picture and photo recognition to location privacy leaks to encryption and backdoors. All of these things have to do with surveillance and how much we are being tracked and by whom.
FP: Do you think the tech industry is at all responsible for the kind of turmoil you are describing?
JC: Yes, in a certain sense the tech industry is responsible, but changes in what’s going on in media—the way that it is developed and distributed—are not simply the tech industry’s responsibility.
I don’t know that what we are observing now is all that different from what we have seen in previous generations. Mass media in general has changed things, and this is the latest thing that’s gone on with mass media.
I think that consolidation is as much a problem as anything else. The problem with Big Tech is far more “big” rather than “tech.”
FP: Why is bigness the problem rather than the technology side of the industry?
JC: One major discussion today is: Where does free speech fit in the world? And what constitutes censorship?
If an organization like Twitter says, “No, we don’t want this sort of thing on our platform,” and someone has somewhere else to go for that piece of content, then it is far less of a censorship issue than if there’s only one outlet.
Yes, they are a private company and can do what they want, but if Twitter is the only outlet for that content, then that means that somebody is having their speech repressed. Even though it isn’t censorship, that has the same effects as censorship.
FP: How are you planning on addressing these issues from your perch at the ACLU? What do you see as the way forward on these issues?
JC: I am part of a growing group of people who believe that some of the issues are in fact not technical but policy.
For example, every one of our cell phones—because they have to connect to a set of towers—radio data from those phones is a proxy for location. If that data is being given to companies or governments without the consent and control of users, I don’t see a technical solution to that problem because the system definitionally knows where you are.
FP: We’re hearing similar arguments being made on Capitol Hill in terms of a general need for regulation of the tech industry. Where do you think that energy should be directed?
JC: I am a fan of GDPR [the European Union’s General Data Protection Regulation, which provides EU citizens with greater control over their data]. It’s not perfect but is a huge step forward in how we want to get control of this larger issue that we all deal with.
But there are also follow-on effects to the policy. For example, if someone gets control of your account, they can ask for all of your personal data under GDPR. They’re impersonating you and with that data can learn how to better impersonate you.
FP: Do you think that there’s a need for the bigness of major technology companies to be reduced—perhaps in the form of antitrust action against some of the large tech companies?
JC: That is inevitably going to be discussed. It isn’t just the tech companies. It isn’t just the media companies. It isn’t just the advertising companies.
With there being fewer choices for us, it becomes harder for people to vote with their feet and their dollars. If you have only one internet service provider, your ability to negotiate with it is much less than it would be if you had four. There’s not as much competition that’s going on.
The reason that the “big” is a problem is that there is a place for both market solutions and government. If there isn’t an effective market, then the only choice you have is a regulatory one.
FP: Are there security and privacy implications to the bigness of the big tech companies at the moment? And do you consider antitrust action against them to be an effective solution?
JC: Our notion of antitrust comes from the beginning of the 20th century, and it needs to be rethought. If you look at what’s going on with bigness today, it isn’t big in the same way that the railroads were a monopoly a century ago.
My previous employer Apple has a market share that is well below half. Depending on who you talk to and how they count things, the company’s market share is anywhere from one-sixth to one-third. From that view of the world, it is obviously not a monopoly.
I’m not sure that I can effectively answer a question like, “Is Google, Facebook, Amazon, or Apple a monopoly?” If you look at it one way, you think, “Well, obviously it isn’t.” And if you look at it another way, you say, “Well, there are effects here that are as if they were a monopoly.”
FP: In the early days of the internet, there was the hope that the widespread availability of cryptographic protocols and the internet generally would be a boon for individual privacy and liberty. Decades later, we are at a place where individual privacy has been stripped away in an effort to make huge gobs of money. You’ve been around the tech industry for a long time. You helped build some of its fundamental security protocols. Are you disappointed in the way that the tech industry has evolved from its early days?
JC: I’m disappointed that we have not built as many privacy structures into things as possible.
I’m very disappointed in things like advertising tracking. I have been one of the people who have said, “If you’re not the customer, you’re the product.”
Still, we’ve been given a lot of extraordinarily useful tools. What’s on the internet right now is in some respects the world’s greatest library. We’ve been given this, and it’s been paid for by advertising. I remember many discussions over the last decade or so about the power of free. And the power of free is funded by the money of advertising.
FP: You’re one of the world’s foremost computer experts alive today, and you work at a time that computer security feels like an absolute disaster. Do you have a theory on why it got so bad?
JC: I don’t think it’s an absolute disaster. I think we’re making progress.
Years ago, one of the principles of computer security was that physical access is all—that if the adversary has control of the device, then all bets are off.
Now we are in a situation where we have reversed that discussion. The debate over government access to secure communications and devices is happening because Apple and Google are making technology that has made great progress in security.
There are challenges ahead of us with things like the so-called “internet of things.” It’s very difficult to buy a television today that is not a smart television. At this year’s Consumer Electronics Show, an executive from the television company Vizio explained that if they weren’t monetizing the customer through advertising, then prices for the television would go up.
FP: Do you expect Silicon Valley to at all be responsive to the backlash against it?
JC: I’m sometimes really irritated by the lumping together of many things in Silicon Valley.
It’s an easy thing to say and sometimes meaningless. The drive toward free services that are paid for by advertising encourages a style of developing things that people want in ways that create downstream effects.
If Facebook was something that we all paid a monthly fee for and we could look at it in terms of what we as customers have as a relationship with our provider, it would be a different conversation than the one that we’re having now, which is that we all feel helpless. And the problem is the helplessness.
Some of the more traditional companies, such as Apple and Microsoft, are traditional customer-provider relationships. Other companies are kind of a hybrid. I’m pretty thoroughly in the Amazon world as well as the Apple one, because I really like my iPhone and I really like my Kindle. And I have my Kindle to be cheaper by showing me ads.
Part of that is that I want to see ads about more books. Part of that is that I trust Amazon with my advertising data in a way that I do not trust Facebook. And that comes from my perceptions of what my relationship with Facebook is as opposed to my relationship with Amazon.
Yet my relationship with both of those companies is different than it is with, say, Apple and Microsoft.
I’m concerned about the creep of things like: Can I buy a television that is just a device and not connected to the internet? Can I buy a refrigerator that is just a device?
FP: Do you think it’s possible for companies like Google and Facebook to operate in China and live up to the aspirational ideals that they set out for themselves about working to change the world for the better?
JC: I definitely am concerned about countries like China, but I’m someone who thinks that from a geopolitical standpoint, embargoes and boycotts on countries like Cuba and Iran were probably not as effective as they were sold to be.
The Chinese people are only seeing what is being filtered through the Chinese government, and they’re not getting any other outside voices. Having no Western companies there means that we are abdicating that information and those viewpoints to the Chinese government.
I would like to see Western companies involved in China because Chinese companies are going to be involved here.
FP: What do you think of the debate playing out in the United States about the national security threat posed by the Chinese telecom company Huawei?
JC: I think that there are both kernels of truth in it and fearmongering. There is certainly some kernel of truth that Huawei is partially owned by the Chinese government. There certainly are risks.
In the older days—the ’60s, ’70s, and ’80s—we would have had restrictions on what foreign companies can do in telecommunications. We opened that up in the ’90s, particularly after the fall of the Iron Curtain. The pendulum is now swinging back.
That we ought to have these restrictions in place has a certain amount of merit. But it could be addressed through other ways than simply banning them.
FP: Do you think there’s a way for Huawei to prove that it is an honest player?
JC: It could be done. I think that we want all of our providers to be able to do that, and we want them to do that because we’ve seen abuses.
FP: What do you wish Washington understood about Silicon Valley? And vice versa: What do you wish Silicon Valley understood about Washington?
JC: Washington needs to understand that small decisions on one end can have large effects on others. One of my bugaboos as a security person is that I want to create secure devices because I want to have things like my health data on my phone. I want to have many things that are pieces of paper sitting in my wallet on the electronic device that I have. I like being able to go to the airport and have my boarding pass on my phone. I would love to be able to go to my doctor and have my information there.
We have a choice between designing for security and designing for surveillance, and the government needs to understand that we the people want to have security more than we want to have surveillance.
In Silicon Valley, we need to understand what people think about things and where they will go to address them. In Europe, many people saw technology and the changes it would bring as something coming not only from outside their country but predominantly from the West Coast of the United States and the greater Hong Kong area. And they don’t get to vote for that. But they do get to vote for their local government.
And it is arrogant of us to presume that they would not appeal to the people that they do vote for, for relief from things that they find anything from abusive to creepy. And if we don’t come up with a solution to these problems, then government will.
This interview has been edited for length and clarity.