The spy who came in from the code

Carmen Medina talks about tech, the CIA, and why government agencies don't play well with others

If you were going to pick an adjective to describe the Central Intelligence Agency, “open” wouldn’t immediately spring to mind. But according to Carmen Medina, who recently retired from the CIA and will speak at Gov 2.0 Expo, openness is just what the agency needs.

Medina’s Role at the CIA:

Carmen Medina: I just retired after 32 years at the CIA. I spent 25 years as a manager of analysts. In the mid part of this decade, I was sort of the number two in charge of analysis and also ended in charge of the Center for the Study of Intelligence, which is kind of like the Agency’s think tank and lessons-learned center. During my career, I was a bit of a heretic in the organization, though a successful one I guess, in that I always questioned how things were done. From the beginning, I was really interested in how information technology and the Internet had the potential to change the way we did our business. So back in the late ’90s, I was pushing hard to get all of our work online, even though a lot of people in the agency were skeptical about it.

Social media and extreme views:

CM: What the Internet allows, if you’re an individual that has an extreme view, is the ability to broadcast that view in the privacy of your den. You can get information to support your view without having to go to any unusual places that would attract suspicion. You can find other people who hold the same views that you do. You’re able to hide in plain sight, basically, while you’re doing that. While I’m a strong believer in the Internet and social networking, like everything else that’s happened in human history, it also offers a lot of potential for people who are not well-intentioned.

How our ideas about privacy have to change:

Gov 2.0 Expo 2010

CM: It struck me two or three years ago that our historical concepts of privacy were dependent upon what the technologies were at the time. So in my view, privacy is going to have to adjust to what is now possible. While some of the things that are now possible are scary to people, many add to the public good.

I’ll say it in a more generic way: If you’re using the power of social networking or monitoring to prevent activities that the community has decided are illegal, because there is law, then I don’t think you have the privacy to do illegal things.

Some concepts of privacy, that we thought were rights, are going to have to give way as we find out that social networks are just a lot more efficient, and monitoring and digital ubiquity are all more efficient ways to enforce laws, for example. That’s a big thing in Britain. I mean God only knows how many cameras they have on their streets. And they’re using it in ways to fight crime that, frankly, I don’t think is yet possible in the U.S. because of our privacy concerns.

It’s going to be very tricky. A not-well-intentioned government, or a government with authoritarian tendencies, is going to use these technologies in ways that the citizenry wouldn’t approve of. But that government is not going to give them a chance to approve it.

But let me also give you the other side of it. Government is viewed as inefficient and wasteful by American citizens. I would argue that one of the reasons why that view has grown is that they’re comparing the inefficiency of government to how they relate to their bank or to their airline. Interestingly enough, for private industry to provide that level of service, there are a lot of legacy privacy barriers that are being broken. Private industry is doing all sorts of analysis of you as a consumer to provide you better service and to let them make more profit. But the same consumer that’s okay with private industry doing that is not okay, in a knee-jerk reaction, with government doing that. And yet, if government, because of this dynamic, continues not to be able to adopt modern transactional practices, then it’s going to fall further behind the satisfaction curve.

We have to rethink government along these lines. And it’s interesting to me that at least in the British election, it’s out there as an issue in an explicit way that it has yet to be in the U.S.

How failure to share information leads to more failure:

CM: One of the objections to social networking and transparent collaboration that you get at an agency like the CIA, is that when you are really doing something where you cannot have failure, the work has to be tightly controlled. It has to be much more point-to-point and hierarchical. I thought that was a stupid argument that needed to be taken apart.

The first two-thirds of my Expo talk will use the chronology of the 2003 blackout as an example. One of the main utilities had made a decision to buy a different process software, and so they were no longer paying for the upgrades to the old software. Some of those bugs, that would’ve otherwise been fixed, brought the system down. I’m going to talk about why high-reliability, high-risk organizations should be adopting the principles of transparent and collaborative work first, because when these kinds of organizations have catastrophic failure, it’s usually because of stovepipes and lack of systemic awareness.

Since I come at this like a manager, I’m going to also talk about what it means for managers when you adapt transparent, collaborative, networked work. Most of what old-style managers are accustomed to doing is based on the industrial way of working. But if you create a transparent collaborative network, the manager becomes a monitor of the network’s health and the network’s talents. They make sure the mission is done, rather than acting as a quality control officer over every step of the process.

Why previous attempts to share intelligence have failed:

CM: In every instance that I can think of, people get sucked in by the technology solution without looking at the culture and the way people are doing the work. And when you overlay this new shiny toy on old processes, you actually make everything worse. People decide they have to create a big program and ask for a new budget line, and it has to be rolled out with bells and whistles. Then the contractors come along and see real opportunities for billable hours. So instead of getting modest iterative development, you get this massive program that takes 10 years to roll out. And you’re still working on implementing a technology that’s now three generations old. I’ve seen that happen.

But I still think it can be done. Most of what we would want to achieve we can achieve with existing technologies. You’ve got to start with the process. You have to change the objectives of the intelligence business to a certain degree. Make it less hierarchical and less about the “definitive answer.” Once you agree that things could work differently, then different technological solutions will become apparent.

The way government adopts technology is broken:

CM: There’s a tradition of huge IT programs and huge IT departments. And part of that is because that’s how you play the budget game with Congress. But now we’re moving into a world of apps. People are rolling out for pennies on the dollar little apps that can do essentially what a huge big government program is supposed to do. Five years from now, it’s going to be unsustainable for government to still be saying it needs five years and $2 billion to create a new information-sharing system. It’s nuts.

Can we crowdsource intelligence gathering?

CM: The intelligence community is betting that a closed network of limited people can actually be smarter about the world than the open network out in the world. And as a citizen, I don’t think that’s a good bet. In fact, people have been saying that for a while. There’s a move toward greater openness called “outreach.” But outreach is a very old-style static process: an event here, an event there. You’re always going to lag, and you’re always going to have less information about the world around you because you’re within a closed network. I strongly believe that. I’ll probably get in trouble for saying it, but that’s my view.

There are ways to create trusted networks, and it would be fascinating to do some prototypes on that. Look at what happened when Steve Fossett got lost. Satellite images were farmed out to people to see if they could find anything. Another example is Mechanical Turk. I’ve joined Mechanical Turk. I’ve done little tasks on it. If you can itemize a job into small, discreet discrete tasks, then you can farm it out to large networks of people. You could create trusted networks like Proctor & Gamble and some of these other companies do. There’s just huge potential there.

This administration and these policymakers need to ask for this kind of stuff. It’s like if you’re raising money. You’ve got to make the ask. If you don’t, you don’t get it. With something as important as the intelligence community, something that’s also difficult to change, you’ve got to make the ask.

This interview was condensed and edited.

  • bruce wayne

    …..”A not-well-intentioned government, or a government with authoritarian tendencies, is going to use these technologies in ways that the citizenry wouldn’t approve of. But that government is not going to give them a chance to approve it.”

    I might be mistaken, but i think that there is documented proof that beyond a reasonable doubt that the U.S. governments has and continues to use technologies to spy on its citizenry without their approval…..Someone correct me if wrong on this…..Also would this mean that the Government is not “well intentioned” or that it has “authoritarian tendencies” ?

    Its also interesting that interview implies that citizens should have not right to privacy when it come to the participation in illegal activity….. Shouldn’t Government officials no matter their postions fall under the same scrutiny…If we are going to say that illegal activity cannot hide behind a shield of privacy than this should be equal for “ALL”…….

    I also think its laughable and pathetic that a government that skeded “intelligence information ” (WMD in Iraq) to push its illegal agenda could ever been seen as safe, reliable and ethical users of information gathering technology…..

  • Zach Jablons

    One big reason people are fine with airlines, search engines, social networks, etc. having private information is that if you start to get dissatisfied with a private company, you can always hop onto the next competitor’s list of customers. While we could technically move to Canada, it would be a hassle and we’d have to leave a lot of things behind, not to mention there’s no guarantee that the US isn’t getting information from Canada. The government has a monopoly on force, while Delta or Google or Facebook don’t. That’s the big difference. The government isn’t a company trying to satisfy its customers, it is a system that creates and enforces laws, controlled by the people.

    Also, a lot of the anger about technology procurement is more about stuff that would help the government run itself, not violate the privacy of its citizens.

    And hey, your captcha sucks. Just saying.

  • Tom Phinney

    Perhaps the editor should review the proper spelling of “discrete”. Or was “discreet” really the intended adjective?

  • Joe Smith

    Why are we always so eager to turn the cameras on Joe every man but not on the existing power structure? More and more police have dash-cams which are invaluable but when a citizen tries the same activity they are often subject to harassment. In fact why can’t the government lead the way? You want me to give up my rights to privacy? Fine when I see my senators and congressmen and my president do so I’ll follow their lead. The power elite in this country insists on privacy for “security” (eg: ACTA) but expect the citizens to roll over. No thank you.

  • Patrick

    I would have to respectfully take issue with a few things stated in the article. As a former government employee, I simply can’t agree with the premise that government would be as efficient as private industry if the same data sharing and information mining private industry uses was permitted by the government. My contention is that an overwhelmingly large customer base who has no choice in where they go for service and ridiculous amounts of redundant bureaucracy and approval processes both contribute to create a system that barely functions.

    I would also like to comment on the technology procurement system talked about briefly above. I believe that Ms. Medina has only barely scratched the surface of the problem. We have a federal government where just about every office/dept/agency has its own IT infrastructure, all with its own management and policies. The level of redundancy is just astounding and the money expended to create that redundancy is mind-boggling.

    I’d like to use the following example from my own life. I’m currently looking for work since I was a casualty of the budget shortages due to our deep recession. I have a profile on I can create a profile on the site that for the most part is a complete waste of time since just about every job I’m interested in requires me to then go to another site run by a particular agency and do the whole process over again. Companies like Taleo have figured out how to combine general applicant information with the customization required of some jobs. Why can’t the feds figure this out and save me hours of time?

    The feds have another problem in their top-level management. We currently have at least 3 top level groups trying to set IT policy. First, we have the NSA trying to set security policy. Second, we have a presidential appointee as the supposed top IT person in the government. Unfortunately, we all know that the position is a farce since the appointee has no power whatsoever to affect policy and so far, each person appointed to the position has resigned in short order. Third, we have Congress who’s meddled in IT policy before when they have no business determining the day to day operations and strategic planning of IT infrastructure (imo). Those three forces, with no one person who can take control and drive the ship makes for a system doomed to skyrocketing costs, multiple strategic directions and lack of communication and coordination.

    That’s my 2 cents for the day :)

  • Patrick

    One other comment I forgot about in my initial post. She mentions the video surveillance system being used in London and seems to be an advocate of its use. I’m not sure where she’s getting her statistical data, but studies I’ve seen indicate that the camera system does almost nothing to reduce the crime rate. It simply drives the crime to areas not being monitored. A false sense of security will not save you from being mugged or murdered.

  • MP

    MS Medina’s assumption is that the role of government is to “provide services” ala a bank or an airline. However the primary, if not exclusive role of government as defined by the constitution is to preserve the liberty of the citizens (including providing for the common defense). Her argument seems to be ultimately that government can better fulfill this role by infringing on the liberties of the citizens through tracking and eliminating privacy. I don’t buy that one.

    In addition, even granting her point of view and the additional (apparent) gross assumption that our government as it is is a well-intentioned one that ought to be granted what amounts to citizen surveillance powers. But governments change over time, and not necessarily toward benevolence toward the citizenry or competence. Granting such powers now means that they would then already be in place when despotry grows.

  • Yo Gabba

    She waits until she retires and can do nothing about it, then she says something. Typical ex-gov employee running their lazy mouths off. Probably gearing up for office or some stupid book.

  • Malaclypse the younger

    Some concepts of privacy, that we thought were rights, are going to have to give way as we find out that social networks are just a lot more efficient, and monitoring and digital ubiquity are all more efficient ways to enforce laws, for example.

    First, I have to comment on that wording. “…that we thought were rights…”. I beg your pardon, I do think privacy is in fact a right. That is, in accordance with what the UN think to be an essential human right. But nice try selling it as if it was already proven to be obsolete.

    Second, you are arguing that privacy is doomed since surveillance is a powerful tool to enforce laws. Apart from not being such a powerful tool at all as UK crime statistics prove without a doubt, this is like saying: “Some concepts of physical integrity, that we thought were rights, are going to have to give way as we find out that torture is just a lot more efficient way to enforce laws”.

    You see the problem with that reasoning?

  • Malaclypse the younger

    A not-well-intentioned government, or a government with authoritarian tendencies, is going to use these technologies in ways that the citizenry wouldn’t approve of. But that government is not going to give them a chance to approve it.

    Dear Carmen Medina, here you are assuming that one happens to live in either a government with or without authoritarian tendencies. Apart from the fact that I can not even think of any country that would not experience any authoritarian tendencies within its government, you do not seem to consider that things might change over time.

    Like, if I live in a country with only reasonable expectations of authoritarian tendencies, that does not mean that this might not be subject to a sudden chance sometime. *ahem*Hitler*ahem*

    And then, the new uber-authoritarian government will conveniently find all the infrastructure any totalitarian government has ever dreamed of just in place. And no resistance will be possible anymore. Wouldn’t it be wise to insist that no potentially abusive government ever finds such an infrastructure in place because of that argument alone?

  • Anonymous

    One thing I find surprising about the article is the mistaken correlation towards private industry.

    Private industry can data mine it’s customers, but *only* if the customers allow it. It is most definitely not allowed to coerce this, and many lawsuits have driven this point home hard.

    The government, likewise, already can data mine it’s citizens, but again, this is voluntary. If you want a license for anything, you have to submit paperwork.

    The assumption that private enterprises have any deeper insights than this is laughable, and undermines the entire rest of the concept.

    We’re spared total shock at this attitude once we remember this comes from the mouth of one whose job was to collate data from communications, and not a private industry insider. It’s unfortunate to learn the government has employees that actually believe all the chainmail they intercept.

  • MrPrivacy

    Online privacy is a right and one site that is on the public’s side in this matter is This is a free web service that makes end-to-end encryption, privacy and anonymity available to anyone that has basic computer skills. Threads are just online conversations between groups of people that are never transmitted via email and are never transmitted or stored unencrypted.

  • Mac Slocum

    @Tom Phinney — Thanks for the catch!

  • Haig Evans-Kavaldjian

    Some cautionary advice: watch “V for Vendetta” to see where Britain or America or anywhere could so easily go.

  • PrivacyMatters

    Privacy on the internet is a concern but on the mobile phone it seems even more.

    If you think about it, someone (that you know or not) takes your phone and reads your text messages or look at your contacts behind your back. The privacy issues start right there, and is that simple in the mobile space. So you can easily imagine what is happening at telecom company and government level, everything is recorded, listened to, copied…

    You can either accept the status quo or do something about it.

    I use a mobile app called that create a secret space in my phone for sending and receiving private SMS and creating a private list of contacts.