Vital Interests: Jon, thanks for agreeing to participate in the Vital Interests Forum. Before we discuss the impact of COVID-19, can you give us an overview of the government’s position on surveillance and privacy, particularly  under the Trump administration.

Jon Callas: We have had tension between privacy, surveillance, et cetera, for decades. In many cases, the conversation hasn't really changed. Many of the debates that we've had over encryption and law enforcement and so on, are pretty much the same debates that we were having in the mid-1990s.

What has changed is that, 25 years ago, the default was that encryption was regulated for export, and those regulations constrained creating a secure Internet that protects our privacy. We wanted those to be liberalized. Now, the default is that we have secure communications and secure devices everywhere, and governments would like to have more access. So the biggest difference is that the status quo has flipped completely, even though the debates haven't changed.

VI: Now that we all have devices that are constantly being tracked, creating a digital profile of what we look at on the internet, where we go and who we contact so that our metadata can be monetized. Is the current concern about how that data is handled?

Jon Callas: Yes, the free services that we all use are paid for by advertising and information gathering. When we search for something, post social media, or read an article that is paid for by advertising or information and of course they want to be able to do that better.

VI: Are these surveillance capabilities getting increasingly sophisticated and more invasive?

Jon Callas: There are always things that companies want to do and they are always thinking of new ways to come up with stuff. There's an old advertising adage, which says, I know I'm wasting half the money I spend on advertising, I wish I knew which half. That has not changed from the pre-internet days to the present one. Despite all of the information being collected, it is not clear what all of this tracking and all of the metadata and what they're constructing as profiles is useful for.

VI: We know that Facebook and Google are collecting data on us. But what about the government - are we willing for government entities to monitor our every action? Authoritative states like China, Russia and others are rapidly developing and employing new technologies to track their populations.

Jon Callas: On the Internet, there are a number of technologies that various countries use, including ours, which include looking at the sorts of traffic that are going on on the web. In the last five years in particular, far more web traffic is happening over encrypted communications like HTTPS, as opposed to unencrypted HTTP. We have gone from protected network traffic being a minority of all use to it being the majority of all web traffic. This has been a benefit for all of us but it has also meant cutting off a bunch of information that they would get through completely passive means.

Lots of other fora are essentially public though. If you think of Facebook, Reddit, any of these discussion platforms,  these are essentially completely unencrypted and anyone can look at them, so of course, governments do. Authoritarian governments will restrict access to things. For example, China just flat out blocks access to both Google and Facebook. China also does a certain amount of content moderating and scanning for things. There are all sorts of things that you can't talk about even in oblique terms. You can't talk about Tiananmen Square, you can't talk about Winnie the Pooh.

I love the Winnie the Pooh example, myself describing an absurdity of where monitoring can go.

VI: Is Christopher Robin considered a subversive?

Jon Callas: No, it's even better than that. It started with a picture of President Obama and Chairman Xi walking along together, and they happened to be in a position that was body posture similar to a picture of Winnie the Pooh and Tigger. With Tigger being Obama, who's tall and thin; and Winnie the Pooh, being Xi, who's shorter and rounder. This got under Xi's skin. The hilarious irony to us is that you can't talk about Winnie the Pooh in China.

VI: That is a rather illustrative absurdity in cyber censorship. In addition to content monitoring, don’t the Chinese now also employ facial recognition?  So not only  can they know about a person’s likes, dislikes and tendencies, but they also know what they look like, where they go and where they are 24/7?

Jon Callas: And you must be part of this regime to get government services, et cetera.

There are many ways governments all over the world are tracking people, from automated license plate readers to so-called smart cities measuring automobile traffic to a prevalence of cameras everywhere, to facial recognition on those cameras and even drone aircraft flying over cities.

VI: So to bring that into the context of the COVID-19 pandemic. If they find people who test positive or someone who has active symptoms, then they can track individuals they come in contact with and that individual themself, is supposed to go into 14 days or more of social isolation. 

Jon Callas: In China, for example, they enforced it. If you tested positive for COVID-19, they would immediately then take you off to a ward where you would spend two weeks in a little cubicle with treatment. A colleague of mine who is Chinese described it to me in a very interesting way. He said that the Asian countries looked at the virus as if it was an invader and that they were going to eliminate the invader, and they worked firmly and decisively to push all of the people away who got it. They would have sympathy for you if you were sick. Just like if you were, say, in a car accident, they would have sympathy for you, but you became someone who needed to be isolated away from the rest of society, for the good of society.

VI: What would they do with the family and friends and people who had come in contact with this symptomatic person?

Jon Callas: They would follow down the line and if somebody had tested positive, they would end up going into one of these field hospitals as well.

VI: Considering these methods, the decline in cases, and the relatively low death count, would you conclude that the Chinese approach is the most efficient way to contain and defeat this virus?

Jon Callas: The U.S. philosophy of dealing with COVID-19 is one of risk management. We don't look at it the same way as the Chinese. Their view is that they are preserving the integrity of society by slicing out the portions that would infect the rest of the population. It  is essentially a total warfare approach to defeating the virus. Ours has been a risk management approach, where even those of us who are in favor of isolation, et cetera, are asking,  how do we flatten the curve? The very phrase  “flattening the curve” indicates our different philosophy in dealing with this.

VI: Because that's not trying to eliminate the virus, that's managing the virus?

Jon Callas: Yes, and I believe that that is a central philosophical, societal attitude difference. Asian countries look at the virus as an invader to be repelled, and the US and Europe look at it as an event to be managed. 

VI: In circumstances of a deadly and spreading pandemic, a centralized national authority has the most competence to protect its population, to eliminate the enemy. But isn’t this counter to our philosophical views on how people should be treated and the limits of government?

Jon Callas: Yes, but I hesitate at the word “competence.” Their errors in effectiveness prioritize the fight against the invader over the liberties of the sick. We are seeing people pushing back against something as simple as wearing a cloth mask. It would be impossible to compel people to isolate away from family and friends even with provided medical care.

VI: In New York City, they set up an auxiliary medical center at the Javits Center and a  Navy hospital ship was brought in, neither of which were used to any extent.

Jon Callas: That's right.

VI: Although the cases kept dramatically increasing with 1000 deaths per day at the height, there seems to have been no authority that wanted to, or was able to, impose those methods of forced isolation on a population that might object to them.

Jon Callas: Yes, that is certainly the reality in the United States.

VI: An organization like the ACLU, what position do they take on these methodologies?

Jon Callas: There are no civil liberties that are not in tension with others. We have a genuine emergency. The government has emergency powers. Civil liberties groups recognize that those emergency powers can be overstepped and there were places where we pushed back against that. There are places where we ourselves discussed, "This is okay for now. What are we going to do when we decide that it's not okay? What would it take for us to decide that we need to intervene now, rather than later?"

We saw this a couple of weeks ago in the question of how we treat churches differently than shopping centers? The question went all the way to the Supreme Court. This tension goes not only to things like religious liberty, but to the right of assembly and others. 

It is true that religious liberty is one of our most important liberties but the way that people exercise religious liberty is one of the ways that is most likely to spread the disease. These things are in tension with each other.

VI: There are trade-offs that are hard to reconcile?

Jon Callas: The State of Rhode Island, for example, like many places, essentially closed its borders. They said: no people from New York State. That was a place where we said you can't do that. You could blockade everyone but not just New Yorkers. This goes to one of our fundamental principles of Equal Protection under the law. So any emergency powers that conflict with things like equal protection, we're obviously going to push back on.

VI: State public health officials seem to be on their own to work out policies on social tracing. Are there clear guidelines on how it  should be done to assure that necessary information is collected but also that privacy is maintained? 

Jon Callas: By and large, they should figure out how social tracking should be implemented. There is a lot of information that they have, and practices that they have, from times past, from what was done with the H1N1 flu of 10 years ago to SARS, now 17 years ago, to what was done with HIV/AIDS and so on. The people who were doing HIV/AIDS contact tracing have a lot of very good things to tell us because they were in a similar yet different situation, because of the sensitivities that they were dealing with because it was a highly stigmatized disease.

So when you do contact tracing, privacy and civil liberties are what get you to a good public health policy. You don't want somebody who is suffering to pretend that they're not because they're afraid to talk to the government because they have an outstanding parking ticket or a warrant, or they know somebody who is not documented. We know that this leads to a bad public health outcome. 

This is part of why civil liberties are so important, you don't want a population to not cooperate with the public health criteria. So, public health has to be very sensitive to it. We have been discussing things like making sure that access controls in databases are done correctly, making sure that somebody is doing adversarial security testing, trying to break the controls, rather than assuming that everyone's going to follow the rules. If someone says to a friend who’s a contact tracer, "Could you do me a favor and look up this person for me?" we want to make it easy for the contact tracer to be able to tell that person, “I literally can't help you.”

VI: The mechanisms for measuring the spread of  COVID-19  and reporting deaths appear to vary from state-to-state, sometimes for political reasons. Do you find that some states are less likely to follow the ACLU’s guidelines?

Jon Callas: I think that public health people understand the problem well enough. They understand that privacy is important and they have 200 years of experience going from small pox to TB, and so on. Local public health officials know how to do this in a comprehensive and professional manner. I'm not just saying privacy and public health go together, they know it. We can point to historic cases when privacy wasn’t respected and there was a secondary problem because it wasn't taken care of correctly. The public health authorities are doing the right sorts of things because they know how to do it and their sincere intent is to do that. I think some of our most important guidance is that public health experts know their discipline and that includes a respect for liberties.

The ACLU can provide both technical and legal guidance, and we're writing up documents for anybody to use. We did a document on principles for designing apps to help with contact tracing that has been referenced in Europe and endorsed by the WHO as a good set of best practices principles.

I recently took a Johns Hopkins course in contact tracing on Coursera, and they stress the importance of ethics, privacy, and respect.

VI: What should be expected from private industry - airlines and workplaces? If they implement surveillance procedures, and restrict access to employment or services based on health criteria, who will monitor these practices? I see that the ACLU is opposing mandatory temperature tests, not only because they are invasive but because the failure rate is around 30%.

Jon Callas: One of our top principles when it comes to technology is that it needs to be effective. It needs to actually work. Our pushback, for example on temperature scanners, comes from the fact that there are people who are making cameras that can detect infrared, and they are rebranding these things as thermometers and they're simply not accurate enough to work.

There's a 30% fail rate and also, there's enough variation between both the temperature sensors and people's natural temperature - elevated skin temperature is not the same thing as elevated core temperature, and elevated core temperature is not necessarily fever. You might have a fever from things that are not illnesses and there are other illnesses than COVID-19.

Now, on the other hand, I don't really have a problem with restricting people who have a non-COVID illness like the flu from getting on airplanes, but the accuracy and effectiveness of temperature measurement is a responsibility of the business to apply it in a non-discriminatory manner. 

VI: The COVID-19 pandemic is being cited as a reason to close borders and undertake uncontested deportations. Are these practices justified?

Jon Callas: The ACLU has filed something like 130 documents in various courts against government actions of this nature. Most of them are related to people who are incarcerated, in immigration detention, et cetera.

VI: Most of these policies come from executive branch emergency powers that seem very open ended?

Jon Callas: That's the biggest problem with emergency powers.

VI: That there is no timeout?

Jon Callas: Right. How many states of emergency are we under at the moment?  I'm trying to remember but believe it is now close to 100. So, yes, it's very easy to declare an emergency and very hard to get out of it.

VI: Is the oversight of these emergency powers only through Congress?

Jon Callas: There really isn't any oversight. We have three branches of government, and they have their own way and their own rules for how they meddle in the affairs of the other branches.

VI: With deportations and closings of borders, does the ACLU coordinate with foreign governments on how to deal with these realities and assist their citizens?

Jon Callas: Yes, and this is a place where the Immigrants' Rights Project and other justice projects that we have are working full-time on this to make sure that things are done legally and responsibly.

VI: Another challenging problem that preceded the coronavirus pandemic is disinformation, deep fakes, and cyber attacks that often invade personal space.  Does the ACLU get involved in monitoring this?

Jon Callas: We leave that mostly to others. We're primarily a law and advocacy office. I'm one of two technologists.

We do look at where we can make a difference and what expertise we have that somebody else doesn't have. We talk with other groups to look at what their expertise is and what others are. We're not set up to deal with disinformation.

VI: Thanks for an interesting discussion. We like to end on a positive note. Looking forward, let's say six months, maybe in a year from now, what do you think the impact of the COVID-19 pandemic will be on citizen privacy? What should we be aware of in terms of government overreach as a consequence of emergency powers?

Jon Callas: I believe that we are coming to a societal consensus that this COVID pandemic should not be an excuse for the advancement of the surveillance state. I have been in a number of fora and the question is - how do we shut this off? We understand there's an emergency going on but... And that “but” is something that pretty much everybody agrees with. The disagreement is that there are lots of people who unrealistically think that this is going away faster than it is.

The place that we don't want to be in, with this tension between people's lives and their liberties, is with liberties being lost after lives are saved.

Jon Callas is a cryptographer, software engineer, UX designer, and entrepreneur. Before joining the ACLU as senior technology fellow, he was at Apple, where he helped design the encryption system to protect data stored on a Mac. Jon also worked on security, UX, and crypto for Kroll-O’Gara, Counterpane, and Entrust. He has launched or worked on the launches of many tools designed to encrypt and secure personal data, including PGP, Silent Circle, Blackphone, DKIM, ZRTP, Skein, and Threefish. Jon is also a tireless advocate within the tech companies he has worked for, in Internet standards bodies, in the press, in public speaking, and in government advocacy for secure and confidential communications.