Category: Writing

Categories
Links Writing

RCMP Found to Unlawfully Collect Publicly Available Information

The recent report from Office of the Privacy Commissioner of Canada, entitled “Investigation of the RCMP’s collection of open-source information under Project Wide Awake,” is an important read for those interested in the restrictions that apply to federal government agencies’ collection of this information.

The OPC found that the RCMP:

  • had sought to outsource its own legal accountabilities to a third-party vendor that aggregated information,
  • was unable to demonstrate that their vendor was lawfully collecting Canadian residents’ personal information,
  • operated in contravention to prior guarantees or agreements between the OPC and the RCMP,
  • was relying on a deficient privacy impact assessment, and
  • failed to adequately disclose to Canadian residents how information was being collected, with the effect of preventing them from understanding the activities that the RCMP was undertaking.

It is a breathtaking condemnation of the method by which the RCMP collected open source intelligence, and includes assertions that the agency is involved in activities that stand in contravention of PIPEDA and the Privacy Act, as well as its own internal processes and procedures. The findings in this investigation build from past investigations into how Clearview AI collected facial images to build biometric templates, guidance on publicly available information, and joint cross-national guidance concerning data scraping and the protection of privacy.

Categories
Links Writing

Near-Term Threats Posed by Emergent AI Technologies

A cyberpunk image of a series of hackers that represent the 1970s, the 1980s, the 1990s, the 2000s, and the 2050s.

In January, the UK’s National Cyber Security Centre (NCSC) published its assessment of the near-term impact of AI with regards to cyber threats. The whole assessment is worth reading for its clarity and brevity in identifying different ways that AI technologies will be used by high-capacity state actors, by other state and well resourced criminal and mercenary actors, and by comparatively low-skill actors.

A few items which caught my eye:

  • More sophisticated uses of AI in cyber operations are highly likely to be restricted to threat actors with access to quality training data, significant expertise (in both AI and cyber), and resources. More advanced uses are unlikely to be realised before 2025.
  • AI will almost certainly make cyber operations more impactful because threat actors will be able to analyse exfiltrated data faster and more effectively, and use it to train AI models.
  • AI lowers the barrier for novice cyber criminals, hackers-for-hire and hacktivists to carry out effective access and information gathering operations. This enhanced access will likely contribute to the global ransomware threat over the next two years.
  • Cyber resilience challenges will become more acute as the technology develops. To 2025, GenAI and large language models will make it difficult for everyone, regardless of their level of cyber security understanding, to assess whether an email or password reset request is genuine, or to identify phishing, spoofing or social engineering attempts.

There are more insights, such as the value of training data held by high capacity actors and the likelihood that low skill actors will see significant upskilling over the next 18 months due to the availability of AI technologies.

The potential to assess information more quickly may have particularly notable impacts in the national security space, enable more effective corporate espionage operations, as well as enhance cyber criminal activities. In all cases, the ability to assess and query volumes of information at speed and scale will let threat actors extract value from information more efficiently than today.

The fact that the same technologies may enable lower-skilled actors to undertake wider ransomware operations, where it will be challenging to distinguish legitimate versus illegitimate security-related emails, also speaks to the desperate need for organizations to transition to higher-security solutions, including multiple factor authentication or passkeys.

Categories
Links Writing

Older Adults’ Perception of Smart Home Technologies

Percy Campbell et al.’s article, “User Perception of Smart Home Surveillance Among Adults Aged 50 Years and Older: Scoping Review,” is a really interesting bit of work into older adults/ perceptions of Smart Home Technologies (SMTs). The authors conducted a review of other studies on this topic to, ultimately, derive a series of aggregated insights that clarify the state of the literature and, also, make clear how policy makers could start to think about the issues older adults associate with SMTs.

Some key themes/issues that arose from the studies included:

  • Privacy: different SMTs were perceived differently. But key was that the privacy concerns were sometimes highly contextual based on region, with one possible effect being that it can be challenging to generalize from one study about specific privacy interests to a global population
  • Collection of Data — Why and How: People were generally unclear what was being collected or for what purpose. A lack of literacy may raise issues of ongoing meaningful consent of collection.
  • Benefits and Risks: Data breaches/hacks, malfunction, affordability, and user trust were all possible challenges/risks. However, participants in studies also generally found that there were considerable benefits with these technologies, and most significantly they perceived that their physical safety was enhanced.
  • Safety Perceptions: All types of SHT’s were seen as useful for safety purposes, especially in accident or emergency. Safety-enhancing features may be preferred in SHT’s for those 50+ years of age.

Given the privacy, safety, etc themes, and how regulatory systems are sometimes being outpaced by advances in technology, they authors propose a data justice framework to regulate or govern SHTs. This entails:

  • Visibility: there are benefits to being ‘seen’ by SHTs but, also, privacy needs to be applied so individuals can selectively remove themselves from being visible to commercial etc parties.
  • Digital engagement/ disengagement: individuals should be supported in making autonomous decisions about how engaged or in-control of systems they are. They should, also, be able to disengage, or only have certain SHTs used to monitor or affect them.
  • Right to challenge: individuals should be able to challenge decisions made about them by SHT. This is particularly important in the face of AI which may have ageist biases built into it.

While I still think that there is the ability of regulatory systems to be involved in this space — if only regulators are both appropriately resourced and empowered! — I take the broader points that regulatory approaches should, also, include ‘data justice’ components. At the same time, I think that most contemporary or recently updated Western privacy and human rights legislation includes these precepts and, also, that there is a real danger in asserting there is a need to build a new (more liberal/individualistic) approach to collective action problems that regulators, generally, are better equipped to address than are individuals.

Categories
Links Writing

Location Data Used to Drive Anti-Abortion Campaigns

It can be remarkably easy to target communications to individuals’ based on their personal location. Location information is often surreptitiously obtained by way of smartphone apps that sell off or otherwise provide this data to data brokers, or through agreements with telecommunications vendors that enable targeting based on mobile devices’ geolocation. 

Senator Wyden’s efforts to investigate this brokerage economy recently revealed how this sensitive geolocation information was used to enable and drive anti-abortion activism in the United States:

Wyden’s letter asks the Federal Trade Commission and the Securities and Exchange Commission to investigate Near Intelligence, a location data provider that gathered and sold the information. The company claims to have information on 1.6 billion people across 44 countries, according to its website.

The company’s data can be used to target ads to people who have been to specific locations — including reproductive health clinic locations, according to Recrue Media co-founder Steven Bogue, who told Wyden’s staff his firm used the company’s data for a national anti-abortion ad blitz between 2019 and 2022.



In a February 2023 filing, the company said it ensures that the data it obtains was collected with the users’ permission, but Near’s former chief privacy officer Jay Angelo told Wyden’s staff that the company collected and sold data about people without consent, according to the letter.

While the company stopped selling location data belonging to Europeans, it continued for Americans because of a lack of federal privacy regulations.

While the company in question, Near Intelligence, declared bankruptcy in December 2023 there is a real potential for the data they collected to be sold to other parties as part of bankruptcy proceedings. There is a clear and present need to legislate how geolocation information is collected, used, as well as disclosed to address this often surreptitious aspect of the data brokerage economy.

Categories
Links Writing

The Near-Term Impact of AI Technologies and Cyber Threats

In January, the UK’s National Cyber Security Centre (NCSC) published its assessment of the near-term impact of AI with regards to cyber threats. The whole assessment is worth reading for its clarity and brevity in identifying different ways that AI technologies will be used by high-capacity state actors, by other state and well resourced criminal and mercenary actors, and by comparatively low-skill actors.

A few items which caught my eye:

  • More sophisticated uses of AI in cyber operations are highly likely to be restricted to threat actors with access to quality training data, significant expertise (in both AI and cyber), and resources. More advanced uses are unlikely to be realised before 2025.
  • AI will almost certainly make cyber operations more impactful because threat actors will be able to analyse exfiltrated data faster and more effectively, and use it to train AI models.
  • AI lowers the barrier for novice cyber criminals, hackers-for-hire and hacktivists to carry out effective access and information gathering operations. This enhanced access will likely contribute to the global ransomware threat over the next two years.
  • Cyber resilience challenges will become more acute as the technology develops. To 2025, GenAI and large language models will make it difficult for everyone, regardless of their level of cyber security understanding, to assess whether an email or password reset request is genuine, or to identify phishing, spoofing or social engineering attempts.

There are more insights, such as the value of training data held by high capacity actors and the likelihood that low skill actors will see significant upskilling over the next 18 months due to the availability of AI technologies.

The potential to assess information more quickly may have particularly notable impacts in the national security space, enable more effective corporate espionage operations, as well as enhance cyber criminal activities. In all cases, the ability to assess and query volumes of information at speed and scale will let threat actors extract value from information more efficiently than today.

The fact that the same technologies may enable lower-skilled actors to undertake wider ransomware operations, where it will be challenging to distinguish legitimate versus illegitimate security-related emails, also speaks to the desperate need for organizations to transition to higher-security solutions, including multiple factor authentication or passkeys.

Categories
Photography Writing

Best Photography-Related Stuff of 2023

Bay & King, Toronto, 2023

There are lots of ‘best of’ lists that are going around. Instead of outlining the best things that I’ve purchased or used over the year I wanted to add a thematic: what was the best ‘photography stuff’ that I used, read, watched, or subscribed to over the course of 2023?

Photography Stuff I Used

Best Technology of 2023

90-95% of the photographs that I made over the year were with the Fuji X100F. It’s a spectacular camera system; I really like how small, light, and versatile it is. I created a set of recipes early summer and really think that I dialled in how to use them and, also, how to apply my very minimal editing process to the images. I’m at the point with this camera that I can use it without looking at a single dial, and I know the location of every setting in the camera that I regularly use.

I do most of my writing on my well-used iPad Pro 11” (2018). It’s a great device that is enough for 99% of my needs.1 However, I have to admit that I’ve long missed owning an iPad Mini because they’re so small and light and portable. I do pretty well all of my reading on the iPad Mini these days. My partner purchased me one this year and I’ve fallen in love with it again. I’m using it everyday for an hour or more, and ultimately I now pull out the iPad Pro 11” just when I need to do longer-form writing.

Finally, though I haven’t had it all that long, I really do enjoy the Leica Q2. I’m still getting used to the 28mm focal length but deeply appreciate how I can now shoot in bad weather and low light.2 The in-camera stabilization is also letting me experiment with novel slow shutter speeds. I remain excited, however, for what it’ll be like to use the camera when I haven’t been in persistent cloud cover!

Best Services I Paid For

I have kept using Glass each and every day. Does it (still) have problems with its AI search? Yes. Does it have the best photographic community I’ve come across? Also yes. You should subscribe if you really love photography and want to contribute to a positive circle of practice. And if you’re watching a lot of photography-related materials on YouTube I cannot recommend a Premium subscription highly enough!

I also am deeply invested in Apple’s services and pay for Apple One. This gives me access to some things that I care about, including a large amount of cloud storage, News, customized email, Apple Music, and Apple TV. I find the current costs to be more than a little offensive–Apple’s decision to raise costs without increasing the benefits of the service was particularly shitty–but I’m deeply invested in Apple’s ecosystem–especially for storing my photographs!–and so will continue to pay Apple’s service tax.

Best Apps

I use lots of apps but the best ones I rely on for photography include:

  • Podcasts App to listen to the different podcasts to which I’ve subscribed.
  • Reeder for staying on top of the different blogs/websites I’m interested in reading.
  • Glass to look at, comment on, and reflect on photographers’ images.
  • Geotags Photos Pro and Geotags Photo Tagger. I’ve set the former app to record my geolocation every 5 minutes when I’m out making images and the latter to then apply geotags to the photographs I keep from an outing.3

Stuff I Read

Best Photography Books

Most of the non-fiction books that I read throughout the year were focused around photography. The two best books which continue to stand out are:

  • Bystander: A History of Street Photography. This book does an amazing job explaining how (and why) street photography has developed over the past 150 years. I cannot express what a terrific resource this is for someone who wants to understand what street photography can be and has been.
  • Daido Moriyama: A Retrospective. This book is important for all photographers who are interested in monochromatic images because it really explains why, and how, Moriyama made his classic images. It reveals why he made his gritty black and white images and, also, why some of the equivalent ‘recipes’ the mimic this kind of image-making may run counter to his whole philosophy of image making.

Stuff I Watched

Best Movies

The best photography-related movies that I watched were all classics. They included Bill Cunningham: New York; Gary Winogrand: All Things Are Photographable; The Jazz Loft According to W. Eugene Smith; and Ordinary Miracles: The Photo League’s New York. Combined with written history and photo books they helped to (further) reinforce my understanding of how and why street photographers have made images.

Best YouTube Channels

I watch a lot of photography YouTube. The channels I learn the most from include those run by James Popsys, Tatiana Hopper, EYExplore, Alan Schaller, Pauline B, aows, Aperture, and Framelines. My preference is for channels that either provide POV or discuss the rationales for why and how different images are being (or have been) made.4

Stuff I Subscribed To

Best Podcasts

I tend to listen to photography podcasts on the weekend when I go out for my weekly photowalks. The two that I listen to each and every week are The Photowalk and The Extra Mile. It’s gotten to the point that it almost feels like Neale James (the host of the podcasts) is walking along with me while I’m rambling around taking photos.

Aside from those, I’ll often listen to A Small Voice or The Candid Frame. These are interviews with photographers and I regularly learn something new or novel from each of the interviews.

Best Blogs/RSS Feeds

For the past year I’ve trimmed and managed the number of my RSS feeds. I keep loving the work by Craig Mod, Little Big Traveling Camera,5 and Adrianna Tan’. They all do just amazing photoessays and I learn a tremendous amount from each of them in their posts.

Biggest Disappointments

I somehow managed to break the hood that I’d had attached to my Fuji X100F in the fall and decided to get what seemed like a cool square hood to replace it. It was a really, really bad idea: the hood was a pain to screw on so that it wasn’t misaligned and, once it was aligned, was on so tight that it was very hard to remove. I would avoid this particular hood like the plague.

I also bought a Ricoh GR IIIx and while it’s a fantastic camera I just haven’t used it that much. I didn’t take as many images with it as I’d hoped when I was walking to or from work, and really ended up just using it when I needed to go out and take photos in the rain (I kept it safely hidden under my umbrella). Also, the camera periodically just fails to start up and requires me to pull the battery to reset it. Is it a bad camera? Nope, not at all, and I did manage to capture some images I was happy with enough to submit to Ricoh’s photography contest. But it’s not a camera that I’ve really fallen in love with.

Finally, while I use my AirPods Pro all the time I really don’t like them because I cannot get them to stay in my ears unless I purchase third-party foam tips. And I need to keep purchasing new sets of tips because they wear out after a couple of months. Are they good headphones once they stay in my ears? Yes. But the only way to accomplish that is becoming increasingly costly and that’s frustrating.

Conclusion

Anyhow, that’s my list of the ‘best photography-related stuff’ I’ve used in the course of 2023. What was your top stuff of the year?

  1. I really do want to get a new iPad 11” and will do so once they update the screen. I edit pretty well all of my photos on the iPad Pro and an updated screen (and battery…) would be lovely. ↩︎
  2. There is a caveat that I’ve found: the electronic shutter is absolute garbage for shooting at dusk/in the dark with LED lights. And I think the single-use exposure dial on the Fuji X100F is preferable to the configurable dial on the Q2. ↩︎
  3. You can set the app to record your location more regularly but I’ve found this to be a good balance between getting geolocation information and preserving my phone’s battery life. ↩︎
  4. If you watch a lot of YouTube then I recommend that you pay for a YouTube Premium subscription. You’ll cut out the frustrating advertising that otherwise intrudes into the videos. ↩︎
  5. I think that this is perhaps the single best photography blog that I’ve found. I aspire to this level of excellence and regularity of updates! ↩︎
Categories
Writing

Quick Thoughts on Academics and Policy Impact

I regularly speak with scholars who complain policy makers don’t read their work. 95% of the time that work is either published in books costing hundreds of dollars (in excess of department budgets) or behind a journal paywall that departments lack access to.1

Bluntly, it’s hard to have impact if your work is behind paywalls.

Moreover, in an era of ‘evidence-based policymaking’ dedicated public servants will regularly want to assess some of the references or underlying data in the work in question. They perform due diligence when they read facts, arguments, or policy recommendations.

However, the very work that a scholar is using to develop their arguments or recommendations may, also, lay behind paywalls. Purchasing access to the underlying books and papers that go into writing a paper could run a public servant, or their department, even more hundreds or thousands of dollars. Frankly they’re not likely to spend that amount of money and it’d often be irresponsible for them to do so.

So what are the effect of all these paywalls? Even if the government policymaker can get access to the scholar’s paper they cannot fact-check or assess how it was built. It is thus hard for them to validate conclusions and policy recommendations. This, in turn, means that committed public servants may put important scholarly research into an ‘interesting but not sufficiently evidence-based’ bucket.

Does this mean that academics shouldn’t publish in paywalled journals or books? No, because they have lots of audiences, and publications are the coin of the academic realm. But it does mean that academics who want to have near- or middle-term impacts need to do the work and make their findings, conclusions, and recommendations publicly available.

What to do, then?

Broadly, it is helpful to prepare and publish summaries of research to open-source and public-available outlets. The targets for this are, often, think tanks or venues that let academics write long-form pieces (think maximum of 1,200-1,500 words). Alternately, scholars can just start and maintain a blog and host summaries of their ideas, there, along with an offer to share papers that folks in government might be interested in but to which they lack access.

I can say with some degree of authority from my time in academia that publishing publicly-available reports, or summarising paywalled work, can do a great deal to move the needle in how government policies are developed. But, at the same time, moving that needle requires spending the time and effort. You should not just expect busy government employees to randomly come across your paywalled article, buy it, read it, and take your policy recommendations seriously.

  1. Few government departments have extensive access to academic journals. Indeed, even working at one of the top universities at the world and having access to a wealth of journals, I regularly came across articles that I couldn’t access! ↩︎
Categories
Writing

The Changing Utility of Social Media

Several years ago I was speaking with a special advisor to President Bush Jr. He was, also, an academic and in the summer he had returned to his university to teach some of international relations courses. This was during the time when the US had a force stationed in Iraq, and his students regularly had more up to date information on what was happening on the ground than he did, notwithstanding having a broad security clearance and access to top US intelligence. How was this possible?

His students were on Twitter.

Another story: when I was doing my PhD there was an instance where it was clear that the Iranian government had managed to access information that should have been encrypted while in transit between using Google products from Iran. After figuring this out I shared information on Twitter and the infosec community subsequently went to work to rectify the situation.

There are lots of similar stories of how social media has been good for individuals in their personal and professional lives. But, equally (or more so ), there are stories where social media services have fed serious and life threatening problems. The Myanmar genocide. Undermining young women’s sense of self-confidence and leading to thoughts of self-harm. Enabling a former President to accelerate an irregular political and policy environment, often with harmful effects to members of government, residents of the United States, and the world more broadly.

The Future of Social Media

But the social media services that enable the positive and negative network effects of the past are significantly different, today, than just 5 years ago. What does this mean for the future of social media services?

First, we need to assess the extents to which the services remain well situated for their purposes. For the sharing of popular news, as an example, some companies to moving away from doing so partially or entirely in response to economics or emerging law or regulations. What does it mean when a core driver of some hardcore users — journalists, academics, some in government — no longer see the same utility in engaging online? What does this mean for the affordances of new services?

Second, to what extent are the emerging services really able to address the harms and problems of the old services? How can these services be made ‘safe to use’ and promote equity and avoid generating harms to some individuals and communities? I think there is a valid open question around whether you can ever create a real-time communications platform that enables mass broadcast, and which does not amplify historical harms and dangerous social effects.

Third, to what extent have these services outlived some of their utility? While individuals used to share information broadly on social media networks they can now retreat to large chat groups or online chat services (i.e., the next generation of AOL chat is here!). These more private experience still enable the formation of community without the exposure to some of the harmful or disquieting content or messages that existed on the more public social media sites.1

There has, also, been an explosion of new-Twitter competitors (along with those competing with other networks, including Instagram and popular/corporate chat services). While this has the benefit of reducing some of the aggregated harms that can arise, just in the sense that individuals are spread out between services and cannot mass against one another as they could previously, it also means that content which is published may lack the same kind of reach as in the past. Whereas once you may have had thousands of Twitter or Instagram or Facebook followers who you could alert to pressing issues of social injustice, now this same population is scattered across a bevy of different services and platforms. The dispersion effect makes it hard to have the same kind of thought leader status as may have been possible, even in the relatively recent past.

One of the solutions to these problems, writ large, is to facilitate a ‘Post Once (on your own) Site, Syndicate Everywhere’ (POSSE) situation, where you can post on one service and then syndicate it to all the other services. Promoters of this maintain that you can then have a single ‘identity’ or location, put all your content there, and then share it around the world.

Obviously this approach has some initial appeal. And for many individuals or groups they may prefer this approach. But a POSSE ‘solution’ to the disintermediation of social media fails to take into account the value of having discrete online identities.

As just one example, I have a website for professional materials, use a service to share and circulate my photographs, blog less formally here, circulate interesting news articles using an RSS feed, share short thoughts about professional topics on LinkedIn, and then have a sequence of chat applications for yet other conversations. Bringing all these together into a single space would be problematic by merit of diluting the deliberateness that each space is imbued with. Put differently, I don’t want the materials that might get me a job linked to my street photography or ruminations, on the basis that it could impede my ability to find the right kind(s) of gainful employment.

As I contemplate the state of social media and identity, today, I guess I’m left with the ongoing recognition that classic media organizations played a key role in identifying what was more or less important to pay attention to, especially when the information sources I cultivated over the past decade have quickly and suddenly changed. The social media that was so useful in aggregating information even intelligence services lacked, as well as that was used to respond to information security issues, is now long past.

Social media as it was is dead. Long live socialized media.

  1. With the caveat that some groups retreat to these more private spaces to share harmful or disturbing content without worry their actions are likely to be detected and stopped. ↩︎
Categories
Links Writing

Generative AI Technologies and Emerging Wicked Policy Problems

While some emerging generative technologies may positively affect various domains (e.g., certain aspects of drug discovery and biological research, efficient translation between certain languages, speeding up certain administrative tasks, etc) they are, also, enabling new forms of harmful activities. Case in point, some individuals and groups are using generative technologies to generate child sexual abuse or exploitation materials:

Sexton says criminals are using older versions of AI models and fine-tuning them to create illegal material of children. This involves feeding a model existing abuse images or photos of people’s faces, allowing the AI to create images of specific individuals. “We’re seeing fine-tuned models which create new imagery of existing victims,” Sexton says. Perpetrators are “exchanging hundreds of new images of existing victims” and making requests about individuals, he says. Some threads on dark web forums share sets of faces of victims, the research says, and one thread was called: “Photo Resources for AI and Deepfaking Specific Girls.”

… realism also presents potential problems for investigators who spend hours trawling through abuse images to classify them and help identify victims. Analysts at the IWF, according to the organization’s new report, say the quality has improved quickly—although there are still some simple signs that images may not be real, such as extra fingers or incorrect lighting. “I am also concerned that future images may be of such good quality that we won’t even notice,” says one unnamed analyst quoted in the report.

The ability to produce generative child abuse content is becoming a wicked problem with few (if any) “good” solutions. It will be imperative for policy professionals to learn from past situations where technologies were found to sometimes facilitate child abuse related harms. In doing so, these professionals will need to draw lessons concerning what kinds of responses demonstrate necessity and proportionality with respect to the emergent harms of the day.

As just one example, we will have to carefully consider how generative AI-created child sexual abuse content is similar to, and distinctive from, past policy debates on the policing of online child sexual abuse content. Such care in developing policy responses will be needed to address these harms and to avoid undertaking performative actions that do little to address the underlying issues that drive this kind of behaviour.

Relatedly, we must also beware the promise that past (ineffective) solutions will somehow address the newest wicked problem. Novel solutions that are custom built to generative systems may be needed, and these solutions must simultaneously protect our privacy, Charter, and human rights while mitigating harms. Doing anything less will, at best, “merely” exchange one class of emergent harms for others.

Categories
Writing

Publicly Normalizing Significant Espionage Operations is a Good Thing

The USA government recently took a bad beat when it came to light that alleged Chinese threat actors undertook a pretty sophisticated espionage operation that got them access to sensitive email communications of members of the US government. As the details come out it seems as though the Secretary of State and his inner circle weren’t breached but that other senior officials managing the USA-China relationship were.

Still, the actual language the US government is using to describe the espionage operation is really good to read. As an example, the cybersecurity director of the NSA, Rob Joyce, has stated that:

“It is China doing espionage […] That is what nation-states do. We need to defend against it, we need to push back on it, but that is something that happens.”

Why is this good? Because the USA was successfully targeted by an advanced espionage operation that has likely serious effects but this is normal, and Joyce is saying so publicly. Adopting the right language in this space is all too rare when espionage or other activities are often cast as serious ‘attacks’ or described using other inappropriate or bombastic language.

The US government’s language helps to clarify what are, and are not, norms-violating actions. Major and successful espionage operations don’t violate acceptable international norms. Moreover, not only does this make clear what is a fair operation to take against the USA; it, also, makes clear what the USA/FVEY think are appropriate actions to take towards other international actors. The language must be read as also justifying the allies’ own actions and effectively preempts any arguments from China or other nations that successful USA or FVEY espionage operations are anything other than another day on the international stage.

Clearly this is not new language. Former DNI Clapper, when describing the Office of Personnel Management hack in 2015, said,

You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.

But it bears regularly repeating to establish what remain ‘appropriate’ in terms of signalling ongoing international norms. This signalling is not just to adversary nations or friendly allies however, but also to more regular laypersons, national security practitioners, or other operators who might someday work on the national or international stage. Signalling has a broader educational value for them (and for new reporters who end up picking up the national security beat someday in the future).

At an operational level, it’s also worth noting that this is intelligence gathering that can potentially lower temperatures. Knowing what the other side is thinking or how they’re interpreting things is super handy if you want to defrost some of your diplomatic relations. Though it can obviously hurt by losing advantages in your diplomatic positions, too, of course! And especially if it lets the other side outflank you.

Still, I have faith in the EquationGroup’s ongoing collection against even hard targets in China and elsewhere to help balance the information asymmetry equation. While the US suffered a now-publicly reported loss of information security, the NSA is actively working to achieve similar (if less public) successes of its own on a daily basis. And I’m sure they’re racking up wins of their own!