Art Coviello: Attacking Anonymity, Just In The Right Places
RSA chief explains why he thinks anonymity is the enemy of privacy, but is he more than a little motivated by commercial concerns?
Privacy has never been a simple topic. It has been made more complex by the Snowden revelations on mass global spying, not just by the US and Britain – through the NSA and GCHQ – but by almost every major Western power.
Polemicists from governments and human rights groups are at loggerheads, the former defending snooping as a necessary evil, the latter saying intelligence agencies have gone too far. Little in the way of compromise has materialised.
It’s no surprise then that Art Coviello, who heads up RSA, the security arm of storage giant EMC, offers something of an ambiguous defence of a grand claim he made last week, namely that “anonymity is the enemy of privacy”.
Despite what he said during his brief keynote during RSA Conference 2013 in Amsterdam, Coviello is not wholly against anonymity. He doesn’t want to bring down Tor or uncloak activists who use such tools to hide their tracks from repressive regimes. No, Coviello solely wants anonymity to be eroded in the workplace.
“It was clear to me I was describing anonymity in the context of an organisation, not anonymity in the context of some person at home,” he tells TechWeekEurope.
“Within an organisation there are other larger responsibilities that are at stake. You have a responsibility to your employer, your company has responsibility to you and responsibility to its customers.
“If there’s total anonymity you’re giving that anonymity, you’re giving the attacker a shield with which to take advantage of the company, the customer’s company and perhaps even you. To me that makes, in that sense, anonymity the enemy.
“Anonymity and privacy are not the same thing.”
Coviello says it’s possible to have security and privacy “if we have transparency and governance”, ostensibly agreeing with activists asking for accountability from governments and intelligence agencies, but also promoting better monitoring of corporate networks.
He thinks RSA technology, like the Archer risk mitigation policy tool, could also be used to protect the privacy of workers. “The same tools that monitor abnormal behaviour could monitor for governance… we can create a technological solution for this.”
It’s at this point, though, that something clicks. Coviello, understandably, has a thinly-veiled commercial agenda here. He has occasionally, by his own admission, had trouble selling RSA’s intelligence kit to customers who are concerned about the potential for breaching privacy laws. Even though it can carry out analysis of network traffic without having to pinpoint a person’s identity, some have been afraid to deploy the technology over fears of breaching privacy laws.
By not deploying intelligence-gathering code, he argues, companies are allowing anonymity on their network and therefore allowing crooks to plant themselves on systems and do whatever they like without being caught. To this interviewer, it’s clear at this point that Coviello isn’t really talking about anonymity in the traditional sense. He’s frustrated that companies aren’t monitoring their networks as much as he’d like, to uncover anomalies, or workers sending out corporate information to secret places.
What of whistleblowers then? If one cannot anonymously reveal one’s employer’s wrongdoing, will that not just let businesses get away with egregious acts? Coviello offers no response on this issue.
Despite Coviello’s anti-anonymity drive being partly commercially driven, he is at least talking about privacy and the recent furore surrounding surveillance, something many other traditional vendors ignore. “What I’m trying to do here is get a civil discussion,” he tells me. “People are so unwilling to even have the discussion that I worry that we kill the proverbial goose that lays the golden egg. All of this technology we are the beneficiaries of will not continue to roll out if we can’t create more trust. And we will miss a phenomenal economic opportunity.
“If we don’t get a handle on the privacy of individuals, what chance do we have of getting nation states to behave responsibly on the Internet. I’m not talking about spying per se, but I am talking about theft of intellectual property and respect for rule of law.”
Yet leaving Coviello’s suite in the heart of the Dutch capital leaves me feeling cold about the whole surveillance situation. Saving privacy, or what we have left of it, seems to be such an intractable problem, with so many different stakeholders with different beliefs, from governments and their suppliers to human rights organisations and activists, that there are few answers
Many say that at least Snowden has brought about a debate. But what if it all just amounts to hot air, as it has done so far? What if, in the end, the young man’s explosive revelations only lead to more talk, more silence, more secrets? When it comes to action, we can expect little more than a stalemate. In other words, a victory for those controlling the structures of power.