Joe Bonneau is one of the smartest young people I’ve met. He was a Gates Scholar at Cambridge and did a PhD in Ross Anderson’s group in the Computer Lab. On July 18, his paper on “The Science of Guessing” won a prestigious award as the Best Scientific Cybersecurity Paper of 2012. But here’s the catch: the Award, which is judged by a panel of distinguished academic experts, is sponsored by the NSA!
Here’s how Joe blogged about it, and explained his thinking.
I’m honored to have been recognised by the distinguished academic panel assembled by the NSA. I’d like to again thank Henry Watts, Elizabeth Zwicky, and everybody else at Yahoo! who helped me with this research while I interned there, as well as Richard Clayton and Ross Anderson for their support and supervision throughout.
On a personal note, I’d be remiss not to mention my conflicted feelings about winning the award given what we know about the NSA’s widespread collection of private communications and what remains unknown about oversight over the agency’s operations. Like many in the community of cryptographers and security engineers, I’m sad that we haven’t better informed the public about the inherent dangers and questionable utility of mass surveillance. And like many American citizens I’m ashamed we’ve let our politicians sneak the country down this path.
In accepting the award I don’t condone the NSA’s surveillance. Simply put, I don’t think a free society is compatible with an organisation like the NSA in its current form. Yet I’m glad I got the rare opportunity to visit with the NSA and I’m grateful for my hosts’ genuine hospitality. A large group of engineers turned up to hear my presentation, asked sharp questions, understood and cared about the privacy implications of studying password data. It affirmed my feeling that America’s core problems are in Washington and not in Fort Meade. Our focus must remain on winning the public debate around surveillance and developing privacy-enhancing technology. But I hope that this award program, established to increase engagement with academic researchers, can be a small but positive step.
This is — as you’d expect — a very adroit and sophisticated post by an interesting and thoughtful man. I’m inclined to agree with him that “America’s core problems are in Washington and not in Fort Meade [the NSA’s HQ]”. I guess that many (most?) of the engineers who work for the NSA (and GCHQ, for that matter) are decent and humane folks. But they must be reaching the point where they realise that there may be tricky ethical problems associated with working in these kinds of organisations, especially when they have no control over what their managerial or political masters do with their work.
The practice of engineering, in whatever speciality, often throws up involve ethical dilemmas, even though many engineers pretend that it doesn’t. After all, they protest, they’re just solving technical problems set to them by their employers. Moral and ethical questions are “above my pay-grade”, as the saying goes.
The first time I ever thought seriously about this was when I met Robert Jan van Pelt, an architectural historian and an expert on Auschwitz. He talked about the architectural and engineering documents pertaining to the design of Auschwitz that had been found in the Soviet archives in Moscow by a British historian. These documents show how professionals working for two firms, one an architectural practice, the other an engineering company which specialised in incinerators, struggled conscientiously to meet the ever-changing needs of a very demanding client — Himmler’s SS — as they sought to increase the capacity and the throughput of the camp. And both groups of professionals clearly understood what Auschwitz was for.
This is NOT to imply any kind of moral equivalence between those who work for outfits like the NSA and those who services the Nazi genocidal programme. But engineering is, like most other kinds of professional practice, drenched in ethical questions. Even as I write this, there are engineers working for arms companies (for example designing lethal unmanned drones, ingenious new fragmentation bombs whose fragments are less easily detected by X-rays or covert online surveillance technology for authoritarian regimes). All medical schools now insist that their students study ethics. Should engineering schools do the same?