Tag: privacy

NSA Spying and the Illusion of Oversight

Last week, the House Judiciary Committee hurtled toward reauthorization of a controversial spying law with a loud-and-clear declaration: not only do we have no idea how many American citizens are caught in the NSA’s warrantless surveillance dragnet, we don’t care—so please don’t tell us! By a 20–11 majority, the panel rejected an amendment that would have required the agency’s inspector general to produce an estimate of the number of Americans whose calls and e-mails were vacuumed up pursuant to broad “authorizations” under the FISA Amendments Act.

The agency’s Inspector General has apparently claimed that producing such an estimate would be “beyond the capacity of his office” and (wait for it) “would itself violate the privacy of U.S. persons.” This is hard to swallow on its face: there might plausibly be difficulties identifying the parties to intercepted e-mail communications, but at least for traditional phone calls, it should be trivial to tally up the number of distinct phone lines with U.S. area codes that have been subject to interception.

If the claim is even partly accurate, however, this should in itself be quite troubling. In theory, the FAA is designed to permit algorithmic surveillance of overseas terror suspects—even when they communicate with Americans. (Traditionally, FISA left surveillance of wholly foreign communications unregulated, but required a warrant when at least one end of a wire communication was in the United States.) But FAA surveillance programs must be designed to “prevent the intentional acquisition of any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States”—a feature the law’s supporters tout to reassure us they haven’t opened the door to warrantless surveillance of purely domestic communications. The wording leaves a substantial loophole, though. “Persons” as defined under FISA covers groups and other corporate entities, so an interception algorithm could easily “target persons” abroad but still flag purely domestic communications—a concern pointedly raised by the former head of the Justice Department’s National Security Division. The “prevent the intentional acquisition” language is meant to prevent that. Attorney General Eric Holder has made it explicit that the point of the FAA is precisely to allow eavesdropping on broad “Categories” of surveillance targets, defined by general search criteria, without having to identify individual targets. But, of course, if the NSA routinely sweeps up communications in bulk without any way of knowing where the endpoints are located, then it never has to worry about violating the “known at the time of acquisition” clause. Indeed, we already know that “overcollection” of purely domestic communications occurred on a large scale, almost immediately after the law came into effect.

If we care about the spirit as well as the letter of that constraint being respected, it ought to be a little disturbing that the NSA has admitted it doesn’t have any systematic mechanism for identifying communications with U.S. endpoints. Similar considerations apply to the “minimization procedures” which are supposed to limit the retention and dissemination of information about U.S. persons: How meaningfully can these be applied if there’s no systematic effort to detect when a U.S. person is party to a communication? If this is done, even if only for the subset of communications reviewed by human analysts, why can’t that sample be used to generate a ballpark estimate for the broader pool of intercepted messages? How can the Senate report on the FAA extension seriously tout “extensive” oversight of the law’s implementation when it lacks even these elementary figures? If it is truly impossible to generate those figures, isn’t that a tacit admission that meaningful oversight of these incredible powers is also impossible?

Here’s a slightly cynical suggestion: Congress isn’t interested in demanding the data here because it might make it harder to maintain the pretense that the FAA is all about “foreign” surveillance, and therefore needn’t provoke any concern about domestic civil liberties. A cold hard figure confirming that large numbers of Americans are being spied on under the program would make such assurances harder to deliver with a straight face. The “overcollection” of domestic traffic by NSA reported in 2009 may have encompassed “millions” of communications, and still constituted only a small fraction of the total—which suggests that we could be dealing with a truly massive number.

In truth, the “foreign targeting” argument was profoundly misleading. FISA has never regulated surveillance of wholly foreign communications: if all you’re doing is listening in on calls between foreigners in Pakistan and Yemen, you don’t even need the broad authority provided by the FAA. FISA and the FAA only need to come into play when one end of the parties to the communication is a U.S. person—and perhaps for e-mails stored in the U.S. whose ultimate destination is unknown. Just as importantly, when you’re talking about large scale, algorithm-based surveillance, it’s a mistake to put too much weight on “targeting” in the initial broad acquisition stage. If the first stage of your acquisition algorithm says “intercept all calls and e-mails between New York and Pakistan,” that will be kosher for FAA purposes provided the nominal target is the Pakistan side, but will entail spying on just as many Americans as foreigners in practice. If we knew just how many Americans, the FAA might not enjoy such a quick, quiet ride to reauthorization.

Congress Has No Idea What the NSA Is Doing

Didja think that the legislative branch oversees the executive branch? Think again! Congress has no idea what the National Security Agency (NSA) is doing.

Spencer Ackerman at Wired’s Danger Room blog reports on a letter the inspector general of the intelligence community sent earlier this month to Senators Ron Wyden (D-OR) and Mark Udall (D-CO). They had asked how many people in the United States have had their communications collected or reviewed by the NSA.

The letter repeated the NSA IG’s conclusion that estimating this number was “beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA’s mission.” Not only that, figuring out the number of people in the United States that the NSA has snooped on “would itself violate the privacy of U.S. persons.”

A federal agency can write a tart, dry non-response like this because Congress is utterly supine before the security bureaucracy. The tough-talking politicians in both parties have no idea what is happening in the agencies they routinely defend as essential. And Congress still hasn’t approved nominations for the Privacy and Civil Liberties Oversight Board, weak sauce that it is, nearly five years since it was reconstituted with greater independence and subpoena power.

The letter concludes with a hopeful note: “I will continue to work with you and the Committee to identify ways that we can enhance our ability to conduct effective oversight.” That also serves as a confession: We have no idea what the NSA is doing.

David Davis Is Right

British Conservative Party member and former shadow home secretary David Davis says that data retention requirements being debated in the U.K. are “incredibly intrusive” and would only “catch the innocent and incompetent.” He’s right.

The United States was formed after a Revolutionary War against Britain so that we could live under a government more protective of liberty. The Fourth Amendment’s requirement of particularity with respect to warrants prevents our government from issuing blanket requirements that information about all of our communications be retained in case it’s needed for law enforcement.

At least we must hope so. Because some in our Congress seem to have little qualm about reversing the Revolutionary War’s results.

Oh, the Uses of the ‘Cyber’ Prefix: Cyberbellicosity, for Example

Senate Majority Leader Harry Reid’s (D-Nev.) announcement yesterday of upcoming Senate action on cybersecurity legislation coincides nicely with reporting that the recently discovered Flame virus has similarities to Stuxnet. You see, the best example of a cyberattack having kinetic effects—causing physical damage—is Stuxnet. It targeted Siemens industrial software and equipment used in Iran’s nuclear program, causing damage to some centrifuges used in that program.

Stuxnet is widely believed to be a product of the U.S. and Israeli governments. Flame’s kinship with Stuxnet adds to the story: Our government is a top producer of cyberattacks.

The methods used in these viruses will be foreclosed as researchers unpack how they work. Our technical systems adapt to new threats the way humans develop antibodies to disease. But in the near term the techniques in Stuxnet and Flame may well be incorporated into attacks on our computing infrastructure.

The likelihood of attacks having extraordinary consequences is low. This talk of “cyberwar” and “cyberterror” is the ugly poetry of budget-building in Washington, D.C. But watch out for U.S. cyberbellicosity coming home to roost. The threat environment is developing in response to U.S. aggression.

This parallels the United States’ use of nuclear weapons, which made “the bomb” (Dmitri) an essential tool of world power. Rightly or wrongly, the United States’ use of the bomb spurred the nuclear arms race and triggered nuclear proliferation challenges that continue today. (To repeat: Cyberattacks can have nothing like the consequence of nuclear weapons.)

Senator Reid has gone hook, line, and sinker for the “cyber-9/11” idea, of course. Like all politicians, his primary job is not to set appropriate cybersecurity policies but to re-elect himself and members of his party. The tiniest risk of a cyberattack making headlines to use against his party justifies expending taxpayer dollars, privacy, and digital liberties. This it not to prevent cyberattack. It is to prevent political attack.

Politics is well understood by the authors of the letter Senator Reid cited in his statement about bringing cybersecurity legislation to the Senate floor. They are mostly from the party opposite his. Several of them participated at some level in developing our nation’s cyberbellicose world posture. And several now make their living in consulting and contracting firms that respond to the danger they helped create.

They are:

  • Michael Chertoff, Homeland Security secretary under President Bush, is now co-founder and Managing Principal of The Chertoff Group, which “provides business and government leaders with the same kind of high-level, strategic thinking and diligent execution that have kept the American homeland and its people safe since 9/11.”
  • Mike McConnell, former director of the National Security Agency and National Intelligence under President Bush, is now Vice Chairman of Booz Allen Hamilton.
  • Paul Wolfowitz was a deputy defense secretary under President Bush, now a visiting scholar at AEI.
  • General Michael Hayden, former director of the NSA and the CIA under President Bush, is now a principal at the Chertoff Group, and in January 2011 was elected to the Board of Directors of Motorola Solutions, which “provides business- and mission-critical communication products and services to enterprises and governments.”
  • Gen. James Cartwright, former vice chairman of the Joint Chiefs of Staff, is on the board of advisors of TASC, Inc. TASC “provides advanced systems engineering, integration and decision–support services to the Intelligence Community, Departments of Defense and Homeland Security and civilian agencies of the federal government. We deliver honest counsel, forward–thinking engineering and advanced technologies that help our customers protect Americans at home, in the air, on the battlefield and in cyberspace.”
  • Hon. William J. Lynn III, former deputy defense secretary, is now Chairman & CEO of DRS Technologies, a Defense and Security Electronics Division of Italian industrial group Finmeccanica. DRS Technologies is “leading supplier of integrated products, services and support to military forces, intelligence agencies and prime contractors worldwide.”

Joe Barton, Meet Alessandro Acquisti

We were all very excited about the Facebook IPO last week (I guess), and Washington, D.C. wants to have its part in the action. This Politico article, “Facebook IPO Pits Privacy vs. Profits,” is a good illustration. It is the organs of government saying we are relevant, you know.

I was particularly intrigued by the comment of Rep. Joe Barton (R-TX). He’s playing against type—if we’re still to believe that Republicans stand for limited government—where he’s quoted saying: “I believe in free market principles, but there are some things the market can’t put a price on because they lack a monetary value. Privacy is one of those things.”

Aha! Washington does have a role the market can’t provide.

Except that the observation isn’t valid. There are lots of things in markets that “lack a monetary value.” You don’t think that every dimension of every good and service has a price tag on it, do you? Markets still deliver these things through the decision-making of their participants.

Alessandro Acquisti at Carnegie Mellon University has been studying how consumers value privacy for years. Crucially, he’s been studying how they value privacy when confronted with real and simulated trade-offs. (What consumers and politicians say isn’t very informative.) He sometimes puts a price tag on privacy in his studies.

It’s often a low price. Consumers don’t value privacy as much as many of us would like. But markets do implicitly price privacy. You make a little bit more—not a lot—if you deliver privacy. You stand to lose—sometimes a lot—if you don’t protect privacy.

Stand down, Mr. Barton. Stand down, Washington, D.C. You are not relevant to the Facebook IPO. Free market principles suggest leaving markets free to serve consumers’ actual preferences as determined by market processes. This is the case whether you think of privacy as having a “monetary value” or not.

It’s Illegal to Say ‘None of Your Damn Business’

The government’s troops are rallying behind the Census Bureau’s American Community Survey. “After the House voted this month to defund a major part of the U.S. Census Bureau, the agency is taking the threat very seriously,” reports the Washington Times, “with its supporters in both business and government rallying to preserve the annual questionnaire.”

Wait. Who could be against the Census Bureau? Its constitutional charter is to enumerate citizens every ten years for the purpose of apportioning representation in Congress. This is a necessary and unremarkable administrative function.

Oh, wait—again. Government bloat is a law of gravity, and the Census Bureau does far, far more than count noses. Its American Community Survey has made the Census Bureau the research arm for the welfare/redistribution state and a source of corporate welfare in the form of demographic data about Americans.

So Census goes around asking people dozens of questions that have nothing to do with the agency’s constitutional purpose.

The ACS is controversial enough among the strongly principled that Census has a Web page entitled: “Is the American Community Survey legitimate?” Their answer: “Yes. The American Community Survey is legitimate. It is a survey conducted by the U.S. Census Bureau.” (Did you know there’s a whole class on the “appeal to authority” at Fallacy University?…)

The real authority they cite is Title 13 of the U.S. code, which, in section 221, allows the government to fine people who refuse to answer the Census Bureau’s questions. It’s illegal to say “none of your damn business” when a government official comes around asking about your toilet. I’ve written many times, in long form and short, that the helping hand of government strips away privacy before it goes to work.

So it’s nice to see that Rand Paul (R-KY) in the Senate and Ted Poe (R-TX) in the House have introduced a bill to make the American Community Survey voluntary, unless it’s a question that the Census actually needs for its constitutional purposes. Reading public comments on the House bill is particularly interesting. There is a good number of people who want to be left well enough alone. They shouldn’t be subject to penalties for saying so. It’s a matter of principle and privacy.

I Second That Skepticism

The ACLU’s Chris Calabrese notes that nominations to the Privacy and Civil Liberties Board were forwarded from the Senate Judiciary Committee to the full Senate this morning. Congress created the Board in August 2007, and we have waited, and waited, and waited while the Bush and Obama administrations neglected to appoint anyone to it.

Calabrese is rightly skeptical that the “PCLOB” can make a difference:

[T]he national security establishment is huge, with tens of thousands of employees and a budget of more than $60 billion. The NSA alone has more than 30,000 employees. Contrast that with the PCLOB. It’s currently authorized (if it finally gets filled) to spend a whopping $900,000 and hire ten full-time employees for the 2012 fiscal year. With this level of staffing, it’s hard to imagine that the Board and its investigators can even begin to understand this vast national security infrastructure, never mind properly oversee it.

I have a fair amount of experience with privacy oversight in the U.S. government, having served on the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee. That experience has fairly well validated my thinking in 2001, before there were “privacy officers”:

The appointment of a privacy czar or creation of a privacy office is a poor substitute for directly addressing the voraciousness of many government programs for citizens’ personal information. Political leaders themselves should incorporate privacy into their daily consideration of policy options, rather than farming out that responsibility to officials who may or may not have a say in government policy.

To see how the PCLOB fits into government thinking, we can look at a 2007 speech given by Donald Kerr, principal deputy director of National Intelligence. To him, “privacy” is giving the government access to all the data it wants, subject to oversight.

[P]rivacy, I would offer, is a system of laws, rules, and customs with an infrastructure of Inspectors General, oversight committees, and privacy boards on which our intelligence community commitment is based and measured. And it is that framework that we need to grow and nourish and adjust as our cultures change.

That’s not privacy.

So don’t think for a minute that privacy will be better protected with a PCLOB in place, except perhaps marginally in the few programs that the Board dips into.

The membership of the board is slated to be: Jim Dempsey of the Center for Democracy and Technology, a sincere and knowledgeable privacy player, whose “player” role I find incompatible with producing good privacy outcomes; Elisebeth Collins Cook, a former Department of Justice lawyer who I had never heard of before her nomination; Rachel Brand, an attorney for the U.S. Chamber of Commerce also unknown to me; Patricia Wald, a former federal judge for the D.C. Circuit whose privacy work is unknown to me; and David Medine, currently a WilmerHale partner who will chair the board. Medine is unquestionably government-friendly. He was a Federal Trade Commission bureaucrat who helped draft the Gramm-Leach-Bliley financial privacy and the Children’s Online Privacy Protection Act (COPPA) regulations.