Tag: surveillance

In Its Bubble of Secrecy, the National Security Bureaucracy Redefined Privacy for Its Own Purposes

Rep. Jim Sensenbrenner (R-WI) is nothing if not a security hawk, and this weekend he decried the NSA’s collection of all Americans’ phone calling records in a Guardian post entitled, “This Abuse of the Patriot Act Must End.” On Thursday last week, he sent a letter to Attorney General Eric Holder demanding answers by Wednesday.

It also became apparent over the weekend that the National Security Agency’s program to collect records of every phone call made in the United States is not for the purpose of data mining. (A Wall Street Journal editorial entitled “Thank You for Data Mining” was not only wrong on the merits, but also misplaced.) Rather, the program seizes data about all of our telephone communications and stores that data so it can aid investigations of any American who comes under suspicion in the future.

Details of this program will continue to emerge–and perhaps new shocks. The self-disclosed leaker–currently holed up in a Hong Kong hotel room waiting to learn his fate–is fascinating to watch as he explains his thinking.

The court order requiring Verizon to turn over records of every call “on an ongoing daily basis” is a general warrant.

The Framers adopted the Fourth Amendment to the Constitution in order to bar general warrants. The Fourth Amendment requires warrants 1) to be based upon probable cause and 2) to particularly describe the place to be searched and the persons or things to be seized. The leaked warrant has neither of these qualities.

A warrant like this would never be adopted in an open court system. With arguments and decisions available to the public and appeals going to public courts, common sense and simple shame would foreclose suspicionless data-gathering about every American for the benefit of future potential investigations. 

Alas, many people don’t believe all that deeply in the Constitution and the rule of law when facile promises of national security are on offer. It is thus worthwhile to discuss whether this is unconstitutional law enforcement and security practice would work. President Obama said last week, “I welcome this debate and I think it’s healthy for our democracy.”

What Is the Value of Bitcoin?

With Bitcoin enjoying a spike in price against government currencies, there is lots of talk about it on the Interwebs. If you’re not familiar with it yet, here’s a good Bitcoin primer, which also counsels reading a lot more before you acquire Bitcoin, as Bitcoin may fail. If you like Bitcoin and want to buy some, don’t go all goofy. Do your homework. As if you need to be told, be careful with your money.

Much of the commentary declares a Bitcoin bubble for one reason or another. It might be a bubble, but nobody actually knows. A way of guessing is to compare Bitcoin’s qualities as a currency and payment network to the alternatives. Like any service or good, there are many dimensions to value storage and transfer.

I may not capture them all, and they certainly don’t predict the correct price against the dollar or other currencies. That depends on the ultimate viscosity of Bitcoin. But Bitcoin certainly has value of a different kind: it may discipline fiat currencies and the states that control them.

Government Surveillance of Travel IT Systems

If you haven’t seen Edward Hasbrouck’s talk on government surveillance of travel IT systems, you should.

It’s startling to learn just how much access people other than your airline have to your air travel plans.

Here’s just one image that Hasbrouck put together to illustrate what the system looks like.

He’ll be presenting his travel surveillance talk here at Cato at noon on April 2nd. We’ll also be discussing the new public notice on airport strip-search machines issued by the TSA earlier this week.

Register now for Travel Surveillance, Traveler Intrusion.

Comment on TSA Strip-Search Machine Policy—And Attend Our Event April 2nd

You can now comment on the TSA’s proposed rule regarding its use of strip-search machines on American travelers at our nation’s airports.

Under a July 2011 court order requiring it to do so, the TSA finally proposed the rule that explains its airport procedures with respect to strip-search machines. You can now know your rights and obligations in that process, how to opt-out of the strip-search machines, and where to register complaints if you feel you’ve been treated badly.

Just kidding!

This is the two-sentence statement it proposed to add to existing language about passenger screening:

(d) The screening and inspection described in (a) may include the use of advanced imaging technology. For purposes of this section, advanced imaging technology is defined as screening technology used to detect concealed anomalies without requiring physical contact with the individual being screened.

It took 20 months to produce these two sentences, which allow the TSA to do whatever it wants. My initial thoughts were to find TSA contemptuous of the court’s order and wronly using secrecy to hide the analysis of its policies.

We’ll be discussing the proposal at a Cato policy forum next Tuesday, April 2nd, called “Travel Surveillance, Traveler Intrusion,” starting at noon Eastern. Like most Cato events, it will be live-streamed.

The event is a two-fer. Not only will we hear from Ginger McCall of the Electronic Privacy Information Center, the organization that brought the suit that finally produced this rulemaking. We’ll also hear from Ed Hasbrouck, whose research reveals just how intensively the U.S. government monitors the air travel of every American.

Feel free to move about the country? Just wait until you learn how your movements are tracked—before and after you get your digital strip-search or prison-style pat-down.

Register now!

Called it! Eleven Years Ago

What is this blog for, if not to let Cato scholars call out what smarty-pantses they are?

The Wall Street Journal reports on automobile license plates as the “new tracking frontier.”

For more than two years, the police in San Leandro, Calif., photographed Mike Katz-Lacabe’s Toyota Tercel almost weekly. They have shots of it cruising along Estudillo Avenue near the library, parked at his friend’s house and near a coffee shop he likes. In one case, they snapped a photo of him and his two daughters getting out of a car in his driveway. Mr. Katz-Lacabe isn’t charged with, or suspected of, any crime. Local police are tracking his vehicle automatically, using cameras mounted on a patrol car that record every nearby vehicle—license plate, time and location.

I didn’t have every detail, of course, but 11 years ago I noted the coming problem of license-plate tracking in testimony to a House Transportation subcommittee.

It was a little odd at the time, and still is, to talk about the privacy problem with license plates. But the emerging technology environment makes it essential to analyze and assess more carefully the information and identification demands that the government places on us.

[T]he requirement in all fifty states that cars must exhibit license plates linked to their owners is “anti-privacy” law, as would be a law requiring people to wear name tags in order to walk on public sidewalks. Mandatory license plates prevent citizens from exhibiting the expectation of privacy that Justice Harlan wrote about in Katz. Roughly speaking, they require people to expose their identities to police as a condition of driving on our roadways.

I expanded on “anti-privacy” law in my 2004 Cato Policy Analysis, “Understanding Privacy—and the Real Threats To It.”

We’re still grappling with the problem of privacy “in public.” The Supreme Court’s decision on GPS tracking in the Jones case is the most significant recent iteration of that. (Cato brief and related blog post; pre-decision posts: 1, 2, 3; post-decision posts: 4, 5, 6.) The latest Cato Supreme Court Review (also available digitally) includes an article of mine on the case. My latest thinking on Fourth Amendment privacy can by found in Cato’s brief in Florida v. Jardines.

It is possible to think systematically about privacy. Privacy is not just a morass of feelings about advancing technologies. Once one understands privacy (in its strongest sense) as the exercise of power to control information about oneself, one can see a decade ahead that license plates create privacy problems.

Pretty smart, huh? Yeah.

What 9/11 Should Teach Us

As a fan of comedian Dennis Miller, I was astonished to discover that he became a supporter of U.S. government policies in fighting terrorism after the September 11th attacks. Perhaps I am in the minority on this issue, but the 9/11 attacks were what helped to erode my faith in government.

Few people bring this up, but in 2004, a CIA Inspector General report found a number of weaknesses in the Intelligence Community’s pre-9/11 counterterrorism practices, many of which “contributed to performance lapses related to the handling of materials concerning individuals who were to become the 9/11 hijackers.” Two al Qaeda terrorists who later became 9/11 hijackers, Nawaf al-Hazmi and Khalid al-Mihdhar, had attended a meeting of suspected terrorists in Malaysia in early 2000. The Inspector General probe uncovered that the CIA had learned that one of the operatives had a U.S. visa, and the other had flown from Bangkok to Los Angeles.

Yet, the Agency failed to forward that relevant information by “entering the names of suspected al-Qa’ida terrorists on the ‘watchlist’ of the Department of State and providing information to the Federal Bureau of Investigation (FBI) in proper channels.” Some 50 to 60 individuals—including Headquarters personnel, overseas officers, managers, and junior employees—had read the cables containing the travel information on al-Hazmi and al-Mihdhar.

The report said in a stark assessment, “The consequences of the failures to share information and perform proper operational follow-through on these terrorists were potentially significant.” Indeed. Had the names been passed to the FBI and the State Department through proper channels, the operatives could have been watchlisted and surveilled. In theory, those steps could have yielded information on financing, flight training, and other details vital to unraveling the 9/11 plot.

Corroborating these findings was a Joint Inquiry Report by the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence. It found “persistent problems” with the “lack of collaboration between Intelligence Community agencies.” About the FBI in particular, the report went so far as to say as late as December 2002 that “…the Bureau–-as a law enforcement organization–-is fundamentally incapable, in its present form, of providing Americans with the security they require against foreign terrorist and intelligence threats.” Now that is a ringing endorsement of our government’s ability to protect us.

We often hear that the failure of 9/11 was government-wide. But few observers delve into why it failed, especially on 9/11 anniversaries, when, one would think, such explanations would be most helpful. A number of structural factors impede effective collaboration. For instance, many intelligence agencies operate under different legal authorities. Many of them have distinct customers and cultures, and jealously guard their turf, budgets, sources, and methods. Individuals within various agencies also share information by relying on trust and personal relationships.

Yet, dispersed knowledge made it so that there was no single person or “silver bullet” that could have enabled intelligence agencies to prevent the 9/11 attacks. As the CIA Inspector General report made clear, neither the U.S. government nor the Intelligence Community had a comprehensive strategic plan to guide counterterrorism efforts. Amid the pre-9/11 flurry of warnings, intelligence cables, and briefing materials on al Qaeda’s plot to hijack airliners and ram them into our buildings, a significant failure, concluded the 9/11 Commission, was one of imagination.

After 9/11, many Americans were quick to cede yet more power to government. While much has changed in eleven years, with agencies less reluctant to share critical data, a February 2011 Government Accountability Office report noted that the government “does not yet have a fully-functioning Information Sharing Environment,” that is, “an approach that facilitates the sharing of terrorism and homeland security information”:

GAO found that the government had begun to implement some initiatives that improved sharing but did not yet have a comprehensive approach that was guided by an overall plan and measures to help gauge progress and achieve desired results.

Over the decade, while our government focused narrowly on the problem of terrorism, it also embraced ambitious, wasteful, and counterproductive programs and policies that drained us economically and spread our resources thin. After 9/11, excluding the invasions and occupations of Iraq and Afghanistan, American taxpayers have shelled out over $1 trillion dollars for their sprawling counterterrorism-industrial-complex, replete with its thousands of federal, state, and local government organizations and the private companies that work with them.

Perhaps it is unsurprising that our government expanded after an attack that called into question its primary constitutional function: protecting our country. What is more remarkable is that the public continues to accept humiliating pat-downs and invasive full-body scans for airline travel, costly grant programs rolled out by the Department of Homeland Security, and reckless politicians who advocate endless wars against predominately-Muslim states that play directly into al Qaeda’s hands.

Now, many Americans ask: Are we safer? Certainly, but marginal increases in safety have come at an exceptionally high cost, have far exceeded the point of diminished returns, and have encouraged a terrorized public to exalt a government that failed them.

What We Can and Can’t Know About NSA Spying: A Reply to Prof. Cordero

Georgetown Law professor Carrie Cordero—who previously worked at the Department of Justice improving privacy procedures for monitoring under the Foreign Intelligence Surveillance Act—attended our event with Sen. Ron Wyden (D-OR) on the FISA Amendments Act last week.  Perhaps unsurprisingly, she’s rather more comfortable with the surveillance authorized by the law than our speakers were, and posted some critical commentary at the Lawfare blog (which is, incidentally, required reading for national security and intelligence buffs). Marcy Wheeler has already posted her own reply, but I’d like to hit a few points as well. Here’s Cordero:

Since at least the summer of 2011, [Wyden and Sen. Mark Udall] have been pushing the Intelligence Community to provide more public information about how the FAA works, and how it affects the privacy rights of Americans. In particular, they have, in a series of letters, requested that the Executive Branch provide an estimate of the number of Americans incidentally intercepted during the course of FAA surveillance. According to the exchanges of letters, the Executive Branch has repeatedly denied the request, on the basis that: i) it would be an unreasonable burden on the workforce (and, presumably, would take intelligence professionals off their national security mission); and ii) gathering the data the senators are requesting would, in and of itself, violate privacy rights of Americans.

The workforce argument, even if true, is, of course, a loser. The question of whether the data call itself would violate privacy rights is a more interesting one. Multiple oversight personnel independent of the operational and analytical wings of the Intelligence Community – including the Office of Management and Budget, the NSA Inspector General, and just last month, the Inspector General of the Intelligence Community, have all said that the data call requested by the senators is not feasible. The other members of the SSCI appear to accept this claim on its face. Meanwhile, Senator Wyden states he just finds the claim unbelievable. That there must be some way it can be done, he says, if even on a sample basis. Maintaining that position puts him in an interesting place, however: is the privacy advocate actually advocating for violating the privacy rules, to appease a Congressional request? Assuming that he would not actually want to advocate that the rules be waived at the request of a politician, a question then arises as to whether the Intelligence Community has adequately explained exactly how the data call would work and why it would conflict with existing privacy rules and protections, such as minimization procedures.

I’ll grant Cordero this point: as absurd as it sounds to say “we can’t tell you how many Americans we’re spying on, because it would violate their privacy,” this might well be a concern if those of us who follow these issues from the outside are correct in our surmises about what NSA is doing under FAA authority. The only real restriction the law places on the initial interception of communications is that the NSA use “targeting procedures” designed to capture traffic to or from overseas groups and individuals. There’s an enormous amount of circumstantial evidence to suggest that initial acquisition is therefore extremely broad, with a large percentage of international communications traffic being fed into NSA databases for later querying. If that’s the case, then naturally the tiny subset of communications later reviewed by a human analyst—because they match far narrower criteria for suspicion—is going to be highly unrepresentative. To get even a rough statistical sample of what’s in the larger database, then, one would have to “inspect”—possibly using software—a whole lot of the innocent communications that wouldn’t otherwise ever be analyzed. And possibly the rules currently in place don’t make any allowance for querying the database—even to analyze metadata for the purpose of generating aggregate statistics—unless it’s directly related to an intelligence purpose.

A few points about this.  First: assuming, for the moment, that  this is the case, why can’t NSA and DOJ say so clearly and publicly? Because it would somehow imperil national security to characterize the surveillance program even at this highest level of generality, without any mention of particular search parameters or targets? Would it “help the terrorists” if they answered a more recent query from a bipartisan group of senators, asking whether database searches (as opposed to initial “targeting”) had focused on specific American citizens?  Please.

A  more plausible hypothesis is that they recognize that an official, public acknowledgement that the government is routinely copying and warehousing millions of completely innocent communications—even if they’re only looking at the “suspicious” minority— would not go over entirely smoothly with the citizenry. There might even be a demand for some public debate about whether this is the kind of thing we’re willing to countenance. Legal scholars might become curious whether whatever arguments support the constitutionality of this practice hold up as well in the light of the day as they do when they’re made unopposed in closed chambers. Even without an actual estimate, any meaningful discussion of the workings of the program would be likely to undermine the whole pretense that it only “incidentally” involves the communications of innocent Americans, or that the constraints on “targeting”constitute a meaningful safeguard.  The desire to avoid the whole hornet’s nest using the pretext of national security is perhaps understandable, but it shouldn’t be acceptable in a democracy. Yet everyone knows overclassification is endemic—even the government’s own former “classification czar” has blasted the government’s use of inappropriate secrecy as a weapon against critics.

Second, transparency at this level of generality is an essential component of privacy protection. To the extent that the rules governing  access to the database preclude any attempt to audit its aggregate contents—including by automated software tallying of identifiers such as area codes and IP addresses—then they should indeed be changed, not because a senator demanded it, but because they otherwise preclude adequate oversight. An online service that keeps no server logs would be somewhat more protective of its users privacy… if  its database were otherwise perfectly secure against intrusion or misuse. In the real world, where there’s no such thing as perfect security, such a service would be protecting user privacy extremely poorly, because it would lack the ability to detect and prevent breaches. If it is not possible to audit the NSA’s system in this way, then that system needs to be altered until it is possible. If giving Congress a rough sense of the extent of the agency’s surveillance of Americans falls outside the parameters of the intelligence mission (and therefore the permissible uses of the database), it’s time for a new mission statement.

Finally, Cordero closes by noting the SSCI has touted its own oversight as “extensive” and “robust,” which Cordero thinks “debunks” the  suggestion embedded in our event title that the FAA enables “mass spying without accountability.”  (Can I debunk the debunking by lauding the accuracy and thoroughness of my own analysis?)  Unfortunately, the consensus of most independent analysts of the intelligence committees’ performance is a good deal less sanguine—which makes me hesitant to take that self-assessment at face value.

As scholars frequently point out, the overseers are asked to process incredibly complex information with a limited cleared staff to assist them, and often forbidden to take notes at briefings or remove reports from secure facilities. When you read about those extensive reports, recall that in the run-up to the invasion of Iraq only six senators and a handful of representatives ever read past the executive summary of the National Intelligence Estimate on Iraq’s WMD programs to the far more qualified language of the  full 92-page report. You might think the intel committees would need to hold more hearings than their counterparts to compensate for these disadvantages, but UCLA’s Amy Zegart has found that they consistently rank at the bottom of the pack, year after year. Little wonder, then, that years of flagrant and systemic misuse of another controversial surveillance tool—National Security Letters—was not uncovered by the “extensive” and “robust” oversight of the intelligence committees, but by the Justice Department’s inspector general.

In any event, we seem to have at least 13 senators who don’t believe they’ve been provided with enough information to perform their oversight role adequately. Perhaps they’re setting the bar too high, but I find it more likely that their colleagues—who over time naturally grow to like and trust the intelligence officials upon whom they rely for their information—are a bit too easily satisfied. There are no  prizes for expending time, energy, and political capital on ferreting out civil liberties problems in covert intelligence programs, least of all in an election year. It’s far easier to be satisfied with whatever data the intelligence community deigns to dribble out—often with heroic indifference to statutory reporting deadlines—and take it on faith that everything’s running as smoothly as they say. That allows you to write, and even believe, that you’re conducting “robust” oversight without knowing (as Wyden’s letter suggests the committee members do not) roughly how many Americans are being captured in NSA’s database, how many purely-domestic communications have been intercepted,  whether warrantless “backdoor” targeting of Americans is being done via the selection of database queries. But the public need not be so easily satisfied, nor accept that meaningful “accountability” exists when all those extensive reports leave the overseers ignorant of so many basic facts.