The n-Category Café

Thanks for the very interesting comment.

Personally, I don’t think in terms of “morality”. I much prefer to think in terms of “the predictable consequences of one’s actions”, in other words, the likely effect of what I do, and whether it changes a situation in the direction that I want it to be changed. Maybe what I just said is what most people mean by morality anyway; I’m not trying to start a semantic debate. My point is that I view these things in purely practical terms — what will be caused by your or my actions — and not as something to be judged via an abstract set of rules.

So, what is the likely effect of attending a conference or seminar funded by the NSA or GCHQ or their counterparts in other countries? I suppose it’s the case that every participant does a little bit to normalize the presence of the NSA/GCHQ in the academic community, a little bit to further the idea that a collaboration between academia and secret intelligence agencies is a normal state of affairs. Every potential participant who decides not to go does a little bit in the opposite direction. But these are very small effects, of course. Arguably, a more effective action would be to speak up about it in person, or to find some way to try to effect a positive change.

People sometimes make the argument that accepting money from an organization you disapprove of is unproblematic — you’re taking money from them, after all. I don’t entirely accept this. In order to believe this argument, you have to be very confident that the organization has miscalculated, that they’re mistaken in their belief that they’re getting value for money. And in order to believe that, you have to be confident that you’ve correctly guessed what they want out of the transaction.

Sometimes, controversial organizations (e.g. the NSA or branches of the military) offer academic funding for fields of study that appear to have no direct benefit to them — and may indeed be of no direct benefit to them. At first glance, it’s pure altruism. But of course, that’s a very naive belief. What they actually get is social standing.

For instance, what would the British army do if it wanted to start hiring lots of mathematicians? What would you advise? The obvious strategy would be for the army to start involving itself in the UK mathematical community (which it doesn’t at present, at least to any great degree). Cheap and easy ideas would be to sponsor some conferences, give out a few grants, maybe set up some prizes or fellowships. Knowing that not everyone’s comfortable with the military, they’d be well-advised to run mathematical grants etc. with no conceivable military application (maybe even making that an explicit condition). Soon enough, it becomes normal for acknowledgements of army funding to appear on papers and talk slides and lists of sponsors, the army gets stands at conferences, and its efforts to recruit mathematicians begin to take off.

So, maybe you’re a noncommutative algebraist, and the army wants to give you money to do some noncommutative algebra. What harm could there be? What fools the army are to think they’ll get benefit out of theorems on noncommutative rings! Well, actually, I can immediately think of some noncommutative algebraists who’d see right through it and refuse to play along.

As many readers know, the hypothetical strategy that I was suggesting for the army is pretty much exactly what both the NSA and GCHQ do. It’s completely natural from their point of view. They want their organizations to be an integral part of the mathematical community. They want no one to bat an eyelid at their involvement. They want young mathematicians to meet mathematicians working for the agencies and think “Hey! They’re not the scheming sociopaths the news stories made me expect! They’re people just like us!”

Anyway, I suspect you’ve thought all this through rather carefully, and that nothing I’ve written is anything new to you. But those are my thoughts.

I have always agreed with the Nuremberg Trials in that ‘I was just following orders’ is a completely illegitimate moral dodge and that people remain personally responsible for the morality of their actions. Even if someone literally has a gun to their head, the person still has a decision to make. If they decide their life is worth more than acting immorally, that is defensible - but their actions are still immoral and should be punished, though likely more leniently because I believe the likelihood of re-offending needs to be considered when deciding sentencing (most judges do include this kind of reasoning in reaching their sentencing decisions I believe).

The other moral dodge that people often employ, “I was just doing my job” has always seemed to be totally indistinguishable from another excuse that people more generally would see as invalid - “I just did it for money.” For some reason, doing something “for money” is unseemly to most people but “just doing my job” is not seen the same way. I don’t quite understand why.

I’m a software developer and was faced with a similar sort of choice as what you are discussing. I couldn’t take a job and tell myself that I am still a good person because I’m “just doing my job” when actively engaging in immoral activity like spying (even through automated analysis) on people. But I got a job with a defense contractor. Doing completely civilian work, and nothing which could even be re-used without my knowledge to support aggressive ends. In fact, the work I was doing wasn’t even just neutral, but it legitimately helped protect people without violating anyones rights at all.

So my choice was, for me at least, quite complicated. In accepting the job, I was performing a socially responsible task… but I was also generating profit for a company which does very immoral things (not that I consider all military things immoral or anything, their position on drones alone was tremendously disturbing (shortly, ‘the Geneva Conventions don’t mention robots, therefore nothing a robot does can violate them’)). BUT, I was making the civilian and moral side of their business more profitable which might encourage them to more moral action. Not an easy choice at all. I’m still not sure I made the right one… but working for a different company now doing the same work has alleviated a lot of those worries.

In my opinion, issues like these are not discussed enough in the field of Computer Science. This might be a consequence of my having studied Philosophy alongside CS, but even when the issue of social responsibility is discussed it is always in terms of the workers responsibility to be cautious and safe with what they produce and learn good practices so if you have to develop a system to control a system that gives radiation to patients it doesn’t fail and hurt them.

I can think of three reasons why people aren’t more angry than they are:

• Concepts such as privacy, personal liberty and freedom of association are rather abstract.

• The technological nature of the revelations. In all probability, no human being is listening to your phone calls. But metadata analysis is being done, and that could reveal as much or more. How many people are technically-minded enough to have a visceral sense of that?

• Self-centredness. As I wrote here:

  A lot of people know now that the intelligence agencies are keeping records of almost all their communications, but they can’t bring themselves to get worked up about it. And in a way, they might be right. If you, personally, keep your head down, if you never do anything that upsets anyone in power, it’s unlikely that your records will end up being used against you.

  But that’s a really self-centred attitude. What about people who don’t keep their heads down? What about protesters, campaigners, activists, people who challenge the establishment — people who exercise their full democratic rights? Freedom from harassment shouldn’t depend on you being a quiet little citizen.

  And rights violations typically begin with vulnerable groups, which makes it easy to think of the violations as somehow exceptional. If I say that three years ago, the CIA assassinated an American child, you might wonder why there wasn’t the most enormous scandal. If I add that his name was Abdulrahman al-Awlaki, it suddenly sounds depressingly plausible.

I did, thanks!

What I thought of Citizenfour was that it was very unusual in its tonal quality. It’s somehow a quiet film, very directly about human beings and human lives. I mean, it’s very compelling and watchable, but what I found so striking was this direct, almost intravenous, human connection. At a couple of points the film shows clips from CNN news, and in contrast they seem absurdly flashy and superficial.

The news stories based on Snowden’s documents are sometimes quite complicated individually, and all the more so in aggregate. It can be overwhelming. Even in terms of this blog, someone at CT14 told me that he basically felt beaten around the head (he put it more politely than that) by just the sheer quantity of links in some of the posts I’ve written here. Citizenfour conveys lots of information too, but tonally I think it’s a good antidote to that feeling of being bludgeoned with news.

Good questions. It seems that at the very least we have to all become applied mathematicians, in thought if not in deed. That is, we have to put some effort into thinking about the applications of our purely abstract mathematical inventions. Most of the time this effort will yield a spectrum of distant future techniques and technologies from good to bad, and our work is safely neutral. However, we want to avoid this situation (presented in hilarious hyperbole, but with a scary kernel of truth.)

Hi. I want to keep this discussion in the general orbit of what the NSA and its partners do and what effect it has when mathematicians work with them. Edward Snowden revealed some facts, and his motivation is not particularly relevant. I could view him as the worst traitor who ever walked the earth, and that wouldn’t change the facts he revealed, the documentary evidence he provided, or what that evidence implies for society in general and mathematicians in particular.

So I’m not going to let this subthread go much further. Instead, I’ll just let Snowden answer your question for himself.

Unfortunately software itself seems only a partial solution. That is stronger encryption needs usually also more machine power (see also bitcoin). So even without back doors this is quite a energy intensive race between machines. Like what would happen if for example there would be a sudden unexpected leap in the physics of quantum computers? As far as I understood if one would suddenly have a big quantum computer then in principle most of the normal keys would all be way to short. And at the example of the millenium bug one saw what giant infrastructural task this would be if one would need to enlarge all the keys as fast as possible (even if there were indeed some …. who claimed that the Y2K fixing was easy).

Wikipedia writes:

As of 2015, the development of actual quantum computers is still in its infancy, but experiments have been carried out in which quantum computational operations were executed on a very small number of qubits.[6][citation needed] Both practical and theoretical research continues, and many national governments and military agencies are funding quantum computing research in an effort to develop quantum computers for civilian, business, trade, gaming and national security purposes, such as cryptanalysis.[7]

As I understood there are now a couple of private companies working at the development of such quantum computers. If one of those would make a technological leap then what would happen then ? I guess they won’t rob banks with their knowledge, but what about their development costs, if they can’t use their “competitive advantage”?

Importantly, Andrew Appel provides a careful analysis of the vulnerabilities of the (american) voting process.

His conclusion: Cyberoffense is not the best cyberdefense: But really we should ask: Should the FBI and the NSA be hacking us or defending us? To defend us, they must stop hoarding secret vulnerabilities, and instead get those bugs fixed by the vendors.

I was interested in Schneier’s discussion of the “Vulnerability Equity Process”. In the article, he more or less explicitly divides software vulnerabilities into three types:

• Those that can’t be exploited. If you’re the NSA, there’s no harm in making these public, since you can’t use them anyway. (It’s not even clear that they should be called “vulnerabilities”.)

• Those vulnerabilities that you’ve found and you think other people can find too.

• Those vulnerabilities that you’ve found, and you think no one else will find.

The distinction between the last two is very important. If you judge that the vulnerability will soon be found and exploited by others, e.g. foreign intelligence agencies or crooks (but I repeat myself), then you should take immediate steps to get the vulnerability fixed rather than keeping it to yourself. Otherwise, you’re putting everyone’s systems at risks.

On the other hand, if you’re confident — somehow — that no one else will find the vulnerability, then you can keep it to yourself. And if you’re the NSA, you can use that vulnerability however you like, confident that no one’s system security will be damaged (aside from any damage you might deliberately inflict yourself).

Schneier begins by saying that the NSA have been lying: telling us that they don’t hoard zero day exploits when they do. But he also accuses them of being hubristic, evaluating the vulnerabilities that they’ve found as being in the third category (“nobody but us”) when actually, many of them were discovered by other people not long afterwards.