Thursday, June 13, 2013

Who Cares About Surveillance?

The Washington Post reported that most Americans don't care that much about recent surveillance disclosures. Perhaps this is because there is bipartisan agreement among Congressional leaders that everything being done is kosher and necessary, and because the president has also weighed in reassuring the public that nobody is eavesdropping on their phone calls. Perhaps it is because it is hard to get worried about anything you don't notice and whose effects you can't see. Perhaps it's because we are now too distant in history from European surveillance states; the fall of the Soviet Union was a long time ago from the perspective of a college student, and Nazi German is the stuff of old movies. (Do they even read 1984 in schools any more?) There is North Korea of course, but people think of that place as so remote and isolated as to be almost a joke (unless they have Korean relatives). As danah boyd has observed (meandering thoughts on the NSA scandal), activists care, but activists are the ones most likely to commit speech and thought crimes.

It seems not to be taken for granted by most Americans that whether the surveillance is unconstitutional is not a matter for consensus decision, since it involves infringement of the Fourth Amendment. As the Washington Post reports, "while it might be fine for your neighbors to let the government inspect their personal lives, it’s not okay for your neighbors to say it’s fine for officials to inspect you. 'The whole purpose of the Bill of Rights was to protect the minority from the will of the majority,' [Professor Lori Andrews] says."

The Washington Post and the Guardian may have muddied the waters by going to press too incautiously with reporting based only on the infamous PowerPoint presentation and on Edward Snowden's interview. The first version of the Post's reporting was walked back in significant respects with very little notice. Declan McCullagh, a respected digital-affairs reporter, has concluded that there is no evidence that the NSA has direct access to Internet service provider servers, as the Guardian and the Post declared and as Facebook and Google denied. Maybe those PowerPoint slides were the work of an overzealous marketing flak. If the newspapers that had the scoop got it wrong, it becomes easier for the public to be reassured that there is nothing creepy or improper going on.


Yet we still don't quite get how the surveillance systems work, and it is reasonable to mistrust what the NSA says since it plainly has misrepresented things in the past. Even if all that exists is the "metadata" log of all US telephone calls -- which could well have been lawfully collected -- that would surely be inconsistent with Director of National Intelligence James Clapper's Congressional testimony that the NSA does not hold any information on tens or hundreds of millions of Americans. (Not to mention last year's testimony that the NSA can't scan email of Americans because it does not have the technology to do so.) I for one think a version of Kerckhoff's Principle should be honored here: The system itself should be public knowledge, though not of course anything about what the system has revealed. Knowing how the system works will make us more secure, not less, because it will reduce the reliance on "security through obscurity." (Cf. Blown to Bits.) 

With so much about the surveillance system still undisclosed, I wonder if the following could be true. As I said in the Washington Post story cited at the top, it would be very cheap to record and store all US telephone calls. Audio is highly compressible; a back of the envelope calculation suggests the government could store a whole year's telephone calls -- all of them -- for a small number of millions of dollars, given the low cost of massive storage units. What is preventing the government from doing that is, presumably, wiretap law. Could the calls be lawfully be recorded by the government, but listened to only after issuance of an appropriate court order? Could the recordings be made by the telcos and held in dead storage, but turned over to the government in response to a narrow and specific court order? I am not a lawyer.

One hates to raise paranoid fears on the basis of a couple of unguarded statements, but consider these.

A CNN exchange on May 1, 2013 between interchange between Erin Burnett and a former FBI counterterrorism expert.
BURNETT: Tim, is there any way, obviously, there is a voice mail they can try to get the phone companies to give that up at this point. It's not a voice mail. It's just a conversation. There's no way they actually can find out what happened, right, unless she tells them?
CLEMENTE: No, there is a way. We certainly have ways in national security investigations to find out exactly what was said in that conversation. It's not necessarily something that the FBI is going to want to present in court, but it may help lead the investigation and/or lead to questioning of her. We certainly can find that out.
BURNETT: So they can actually get that? People are saying, look, that is incredible.
CLEMENTE: No, welcome to America. All of that stuff is being captured as we speak whether we know it or like it or not.
OK, let's not get too excited. But was this just a slip of Senator Feinstein's tongue, from today's New York Times? My emphasis:
Analysts can look at the domestic calling data only if there is a reason to suspect it is “actually related to Al Qaeda or to Iran,” she said, adding: “The vast majority of the records in the database are never accessed and are deleted after a period of five years. To look at or use the content of a call, a court warrant must be obtained.”
I thought it was only metadata, the phone numbers calling and called and the date and time and length of the calls, that were being logged.  Not the content of the calls.

It is hard not to wonder. It is easy to log all the metadata for all domestic phone calls and we now know it is being done. It would be easy and cheap to record all the phone calls being made in the U.S. If the government is not doing it, it's not because they haven't thought of it, and it's not because it would not be useful to do it. It can only because there are legal barriers, and with recent revelations about uses of the PATRIOT Act that have surprised even the bill's primary author, it is hard to be sure where the limits of existing laws actually are.

Monday, June 10, 2013

Some Thoughts about PRISM

I have been waiting to comment on the recently disclosed NSA surveillance programs until more facts came out, since what various parties were saying in the first days after the story broke seemed so irreconcilable. And the reports touch on so many issues covered in Blown to Bits it is hard to know where to begin. We know more now, and though some of puzzles remain, at least some of the questions have started to firm up.

How Does PRISM Work? We don't really know. What is "collected," where? The PRISM slides (the ones that have been released -- only a few of them) clearly state that the "collection" includes both "surveillance" and "stored comms." But stored where? Facebook and Google, two of the companies listed as part of the program, both are clear in their denials. Both Larry Page (Google) and Mark Zuckerberg (Facebook) deny giving the government "direct access" to their servers. (Some have suggested that this phrase needs definition; what about indirect access? But to be fair, arguably we all have indirect access to their servers.) Both also state that their companies respond only to specific requests, which are scrutinized individually and challenged if overly broad. Alex Stamos suggests that (especially given the low -- $20 million per year -- price tag for the program touted in the slides) PRISM may be just a code name for a view into data gathered through a variety of mechanisms. That is not the way Edward Snowden, the self-identified leaker, makes it sound. It seems to me that it is more likely that Snowden is exaggerating, and that the individual who made the cute graphics on the Powerpoint slides did not fully understand the system, than that Page and Zuckerberg would be flat-out lying when the truth might easily come out in another way.

Add to this the subtlety that in the DoD, "collecting" data does not mean what you might think. As the EFF explains,

Normally, one would think that a communication that has been intercepted and stored in a government database as “collected.” But the government’s definition of what it means to “collect” intelligence information is quite different than its plain meaning.
Under Department of Defense regulations, information is considered to be “collected” only after it has been “received for use by an employee of a DoD intelligence component,” and “data acquired by electronic means is ‘collected’ only when it has been processed into intelligible form.” 
In other words, the NSA can intercept and store communications in its data base, then have an algorithm search them for key words and analyze the meta data without ever considering the communications “collected.”
Director of National Intelligence James Clapper did not help matters when he point-blank denied any massive data collection in his Congressional testimony:
Sen. Wyden: "Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?" Mr. Clapper: "No, sir." 
And then, when challenged after recent disclosures, offered a restatement:
"What I said was, the NSA does not voyeuristically pore through U.S. citizens' e-mails. I stand by that." 
Well, that is not what he said. Taking all the semantical gymnastics into account, I would conclude that the NSA is sifting automatically through lots of email and other content searching for for specific targets. It is what Phil Zimmermann, way back during the Crypto Wars, called "driftnet fishing": scoop everything up, and throw back what you don't want. Isn't that a violation of the Fourth Amendment rights of the rest of the fish?

I think what is going on here is that people think there is a big difference between a computer reading their email and a human being reading it. There isn't.

Questionable defenses. Perhaps the inconsistency can be reconciled by dicing the language yet more finely or by understanding better how the system actually works. But for some, there is no problem in any case. The Fourth Amendment, like the other enumerated rights, is not absolute. PRISM's collecting and sieving just represent a necessary compromise. Of course, because the program has been secret, its constitutionality has never been challenged. The courts like to be reassured that when the government infringes a civil right, the infringement is as limited as possible. The ACLU is hard at work preparing a challenge; maybe we will find out.

But others don't even care about the constitutionality. If PRISM prevents even a single terrorist attack -- and claims have been made that it did exactly that -- they don't mind the infringement of their privacy.

There are two problems with this line of logic, beyond the basic fact that the crime-stopping prowess of PRISM is disputed. One is that civil rights are not subject to popular consensus or majority rule. It may well be that most people don't like the Fifth Amendment; doesn't matter. We all get protection against self-incrimination even if most people don't want it for themselves or anyone else. Same goes with protection against unreasonable searches.

On top of that, I wonder why people feel so comfortable with email searching. Let's take an analogy. Suppose the government had the keys to all our abodes, and we knew it had mounted an anti-terrorism program called SPHERE. Under SPHERE, the police could go into our houses and apartments when no one was home and just look around, without disturbing anything. In fact, it turns out the program has been in place for years, preventing crimes, and none of us knew it existed until some high school dropout turned CIA operative spilled the beans and sought refuge in Hong Kong. How many of us would really say, great -- I have done nothing wrong so I have nothing to worry about?

How did Snowden get away with it? After the Bradley Manning Wikileaks fiasco, I should have thought that the government would deploy some extra software on the computers that had access to Top Secret information. It would know, or learn, the printing and file handling habits of everyone authorized to use these machines, and especially the low staff who have the most limited track records. When the software detected an unusual pattern of downloading or printing, it would ring a bell on the supervisor's desk, who would walk over and check on what the staffer was doing. I would hate this, but I'm not working with top secret information; if you have access to that kind of data you expect to be monitored. Why hasn't such software been deployed?

Enough for tonight -- more thoughts later, perhaps.