Transnational threats demand cooperation, not spying on each other: Verizon

Rather than having the nations of the world spying on each other to prevent international terrorism, Verizon general counsel Craig Silliman says a new paradigm on security cooperation needs to be introduced.

When dealing with a transnational threat such as ISIS that operates with a disregard for national borders, governments cannot be restricted to their own territory, but that doesn't mean they should start claiming extra-territorial jurisdiction, according to Verizon general counsel and executive vice president of Public Policy Craig Silliman.

Speaking to ZDNet, Silliman said cooperation is vital for handling issues on transnational networks.

"I think the problem statement is correct, but the answer cannot be that every country in the world simply starts trying to exercise extra-territorial jurisdiction. That won't work, and it's going to lead to these international tensions on privacy and other bases," he said.

"What we need is a new paradigm for cross-border cooperation, not simply every country trying to claim extra-territorial jurisdiction by their particular law enforcement or national security into other countries. That ultimately will break down and be ineffective; it has to be an international cooperation between all these governments."

Silliman pointed out that it is not a new phenomenon for technological advancement to force changes to the way that law enforcement is conducted, with easier transport and communications technology leading in part to the establishment of the US Federal Bureau of Investigation, and that international models already exist that could be worked on.

"You think about Interpol and how Interpol works in the traditional law-enforcement world. There are mechanisms that we've come up with in the past, and, in fact, national security organisations do work cooperatively together, but they have not tended to talk about that as much publicly," he said.

"I think we live in a world where we need to talk a little more openly and say: 'If you have transnational threats, transnational networks, national security organisations are going to work together, and that's going to be known and recognised publicly.' And let's talk then about what are the legal regimes to effectuate that they actually work together, not by reaching into each other's jurisdiction from one country to another."

While there are discussions occurring around national security and cybersecurity, no one nation has yet arrived at the complete solution, Silliman said.

"I don't know that there is a single country around the world that you'd point to and say: 'They have it all figured out'," he said. "But that's not a criticism, that's simply a recognition that the technologies are changing very, very quickly and the types of challenges that governments are dealing with are changing rapidly, and they tend to change more quickly than the pace of legislation."

As part of its response to transnational threats, Australia has introduced and passed a number of so-called tranches of national security legislation, including a mandatory data-retention scheme that forced telcos to collect and store call records, assigned IP addresses, location information, billing information, and other customer data for two years for access by law enforcement.

Unlike many of the legal processes for accessing stored telecommunications data in the United States, Australian law-enforcement and national security agencies will be able to access retained data without needing a warrant. For Silliman, though, a good legal process would involve the courts.

"I think one of those questions for all of us as a society is: 'What type of data are we talking about, and what level of expectation of privacy do we have on that particular data?'" he said.

"There are certain types of data around which customers have an expectation of privacy, and it's important that there be a legal process involved in accessing that, and in most countries around the world, the right process is going to be through a court."

Silliman warned that bearing the costs of data-retention regimes could create a barrier to entry for smaller companies in the telecommunications industry. That warning was backed up earlier this week when Patrick Fair, a partner at law firm Baker & McKenzie, pointed out that becoming subject to data-retention laws would lead to a slowdown in IoT development nationwide.

"Mandatory data-retention rules, which are, of course, a huge regulatory imposition, not only capture CSPs [carriage service providers] and ISPs as well as carriers, but also operate as a positive disincentive for people doing services which combine carriage with data management, which is a key thing in the IoT," Fair said, speaking at CommsDay's Unwired conference in Sydney.

"So, if I'm an information processing service provider and I say to you, 'Look, I can take your office system and I can put it in my datacentre', good, no problem, I can do that. But the minute I throw in some resold carriage, I become a CSP, and I pick up mandatory data-retention obligations, and I have to look at the messaging systems and the carriage systems that are involved in taking on that customer's implementation and what data I'm going to have to retain about that, which wouldn't have been retained if the system had been implemented by the customer in their own premises or on their own terms, or if I hadn't done bundled carriage with information processing.

"Very stupid system. It's been ill conceived by the government."

Despite the data-retention laws coming into force last month, Telstra revealed in October that it is likely one of very few telcos to have its plan for data-retention implementation approved. By October 13, Australian telecommunications companies were due to be in accordance with the law in one of three ways: Retaining and encrypting data with a working implementation; having an approved implementation plan that dealt with areas of non-compliance; or having been granted an exception.

In an October survey released by the Communications Alliance, it was found that 84 percent of Australian telcos would not be compliant with the deadline, and 37 percent of respondents revealed that they were "not confident at all" on understanding what data the law requires them to retain, and for how long.

Widespread delays in data-retention implementation across Australia were not a surprise to Verizon's general counsel, who said any new technological requirement is always going to be a challenge, coupled with unforeseen issues that arise.

"If you look at the history of rolling out any IT system in any country, there are always these types of delays and challenges," he said.

A bigger issue than implementation details, according to Silliman, is for society to discuss and agree on a balance to strike between security and privacy.

"These are long-running debates, as technologies have changed in every country around the world, so from my perspective, these are societal questions, and so from a company's perspective I would say, 'It's neither a good thing or a bad thing, it's a societal question to decide the balance.' And then the companies' role is to comply with the law that we as society, in whichever country we live, have decided is that right balance."

Australians were warned this week to expect a reduction in privacy in the near future, as Attorney-General George Brandis said citizens may have to "calibrate their attitudes" regarding privacy.

"There will be occasions in which we will have to accept greater limitations, greater impediments to personal privacy," he said.

Under Brandis' tenure as attorney-general, Australia introduced its data-retention regime even though he was famously unable to clearly explain the definition of metadata in August 2014.