The feds, not companies, are most liable to mishandle our personal data

Anyone questioning whether a large government conspiracy is possible must be intentionally ignoring our own NSA. America’s own national security team poses the greatest threat to the cyber well being of her citizens. Other governments are amateurs compared to the American security apparatus. Indeed, those adversaries often use tools devised by our own agencies that were somehow allowed to get into the wild. It’s not just the NSA, either; one leaked tool included the CIA’s ability to leave signatures attributing attacks by hostile foreign actors, such as Russia.

Congress should analyze this very real threat to our security as our government institutions blindly look to enact policies that would further increase the NSA’s already omniscient power to gather data on everyone in every way possible, and use for purposes other than national security — in the name of national security. Put another way, we should not blame WikiLeaks for releasing our most damaging secrets and/or tools, many of which could negatively impact the world’s people and economies.

Reactions from Congress would have you think breaches within Yahoo, the Security and Exchange Commission, and Equifax would contend for biggest bumbler. You would be wrong. It is our own secret government programs that allowed the exposure of our most critical data via disgruntled employees or after careless development of weaponized cyber tools that are now available through a simple web search.

{mosads}The real problem is that our security agencies are run like other federal agencies, including those charged with enforcing the criminal laws. They rationalize that the means- justify-the-ends, even when the end looks eerily similar to the beginning. Take the ATF’s policy against drug cartels for example. When the feds were trying to put a dent in the war on drugs, they decided to supply guns to the most dangerous cartels with guns through an operation called “Fast and Furious.” The goal was to track the guns and therefore the cartels. The result has been a trail of American and Mexican corpses and only nominal arrests that had virtually no impact in the war on drugs. Somehow they still tout this program as a success.

Our security agencies are supposed to protect American citizens and keep tabs on terrorists and governments that seek to do us harm. Our cyber agencies decided to weaponize security flaws that could be used against actors that rely on digital transactions and communications. The problem is that those tools are far more dangerous to the U.S. and our allies than our adversaries.

Despite the security agencies’ often demonstrated inability to keep a secret, elected officials still believe they should be given renewed authority — and indeed even more freedom — to spy on U.S. citizens both in country and abroad. This week, Congress is considering whether to extend surveillance authority under Section 702 reauthorization to gather more sensitive material and to expand the number of eyes (i.e. agencies) able to sift through and use information gathered by the security state. Those newly expanded agencies can use the data for matters that have nothing to do with national security.

Equally concerning proposals before Congress are forced encryption backdoors to personal digital communications, and mandatory private sector monitoring and censorship of all digital content. The misleadingly named SESTA would essentially make private companies deputized censors and snitches. Legislators want to pass laws requiring portals like Facebook, Twitter and Google to monitor all content and remove postings that are objectionable to those in power.

For encryption-focused companies like ours, each of these things represent additional, gaping holes in the crumbling wall of digital privacy. The headlines say law enforcement want to stop terror suspects, or human traffickers, but the end result will be increased law enforcement access to any digital platform they want as part of any type of investigation, including those that have nothing to do with foreign actors or even any crime. Often without a warrant.

Congress must exercise far more diligent and stringent supervision over these executive agencies. Each member would do well to open a pocket Constitution and read the First, Fourth, Fifth, and Ninth Amendments in the Bill of Rights before voting to expand cyber-spying. It’s easy to understand why security state agencies want these tools to nail the bad guys, but to law enforcement, everyone — including each elected representative — has a criminal past or future. Even if you think you have nothing to hide, you do. Each person routinely breaks some law or another that government spying could discover and use against you. If the federal government had access to every email you’ve ever written and every phone call you’ve ever made, it’s almost certain that they could find something you’ve done which violates a provision in the 27,000 pages of federal statues or 10,000 administrative regulations.

Congress’ job is to oversee and ensure each cog in the wheel of government stays in its lane. Legislators must ask themselves whether our security agencies have a track record that justifies continuing and expanding their authority and freedom to spy on ordinary Americans, and whether these programs are sensible solutions. We hear a lot about foreign meddling, but no acknowledgement that we were the ones that developed the tools that were used against us.

I suggest that if we really want to protect our way of life, Congress needs to change its understanding of cybersecurity and question whether government agencies are responsible enough to trust with unchecked digital authority.

Carlos Espinosa is the head of government affairs for Golden Frog. The company’s premiere product isVyprVPN, which is largely considered one of the fastest VPNs on the market. Golden Frog is incorporated in Switzerland, but headquartered in Austin, Texas.