Monday, June 10, 2013

Some Thoughts about PRISM

I have been waiting to comment on the recently disclosed NSA surveillance programs until more facts came out, since what various parties were saying in the first days after the story broke seemed so irreconcilable. And the reports touch on so many issues covered in Blown to Bits it is hard to know where to begin. We know more now, and though some of puzzles remain, at least some of the questions have started to firm up.

How Does PRISM Work? We don't really know. What is "collected," where? The PRISM slides (the ones that have been released -- only a few of them) clearly state that the "collection" includes both "surveillance" and "stored comms." But stored where? Facebook and Google, two of the companies listed as part of the program, both are clear in their denials. Both Larry Page (Google) and Mark Zuckerberg (Facebook) deny giving the government "direct access" to their servers. (Some have suggested that this phrase needs definition; what about indirect access? But to be fair, arguably we all have indirect access to their servers.) Both also state that their companies respond only to specific requests, which are scrutinized individually and challenged if overly broad. Alex Stamos suggests that (especially given the low -- $20 million per year -- price tag for the program touted in the slides) PRISM may be just a code name for a view into data gathered through a variety of mechanisms. That is not the way Edward Snowden, the self-identified leaker, makes it sound. It seems to me that it is more likely that Snowden is exaggerating, and that the individual who made the cute graphics on the Powerpoint slides did not fully understand the system, than that Page and Zuckerberg would be flat-out lying when the truth might easily come out in another way.

Add to this the subtlety that in the DoD, "collecting" data does not mean what you might think. As the EFF explains,

Normally, one would think that a communication that has been intercepted and stored in a government database as “collected.” But the government’s definition of what it means to “collect” intelligence information is quite different than its plain meaning.
Under Department of Defense regulations, information is considered to be “collected” only after it has been “received for use by an employee of a DoD intelligence component,” and “data acquired by electronic means is ‘collected’ only when it has been processed into intelligible form.” 
In other words, the NSA can intercept and store communications in its data base, then have an algorithm search them for key words and analyze the meta data without ever considering the communications “collected.”
Director of National Intelligence James Clapper did not help matters when he point-blank denied any massive data collection in his Congressional testimony:
Sen. Wyden: "Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?" Mr. Clapper: "No, sir." 
And then, when challenged after recent disclosures, offered a restatement:
"What I said was, the NSA does not voyeuristically pore through U.S. citizens' e-mails. I stand by that." 
Well, that is not what he said. Taking all the semantical gymnastics into account, I would conclude that the NSA is sifting automatically through lots of email and other content searching for for specific targets. It is what Phil Zimmermann, way back during the Crypto Wars, called "driftnet fishing": scoop everything up, and throw back what you don't want. Isn't that a violation of the Fourth Amendment rights of the rest of the fish?

I think what is going on here is that people think there is a big difference between a computer reading their email and a human being reading it. There isn't.

Questionable defenses. Perhaps the inconsistency can be reconciled by dicing the language yet more finely or by understanding better how the system actually works. But for some, there is no problem in any case. The Fourth Amendment, like the other enumerated rights, is not absolute. PRISM's collecting and sieving just represent a necessary compromise. Of course, because the program has been secret, its constitutionality has never been challenged. The courts like to be reassured that when the government infringes a civil right, the infringement is as limited as possible. The ACLU is hard at work preparing a challenge; maybe we will find out.

But others don't even care about the constitutionality. If PRISM prevents even a single terrorist attack -- and claims have been made that it did exactly that -- they don't mind the infringement of their privacy.

There are two problems with this line of logic, beyond the basic fact that the crime-stopping prowess of PRISM is disputed. One is that civil rights are not subject to popular consensus or majority rule. It may well be that most people don't like the Fifth Amendment; doesn't matter. We all get protection against self-incrimination even if most people don't want it for themselves or anyone else. Same goes with protection against unreasonable searches.

On top of that, I wonder why people feel so comfortable with email searching. Let's take an analogy. Suppose the government had the keys to all our abodes, and we knew it had mounted an anti-terrorism program called SPHERE. Under SPHERE, the police could go into our houses and apartments when no one was home and just look around, without disturbing anything. In fact, it turns out the program has been in place for years, preventing crimes, and none of us knew it existed until some high school dropout turned CIA operative spilled the beans and sought refuge in Hong Kong. How many of us would really say, great -- I have done nothing wrong so I have nothing to worry about?

How did Snowden get away with it? After the Bradley Manning Wikileaks fiasco, I should have thought that the government would deploy some extra software on the computers that had access to Top Secret information. It would know, or learn, the printing and file handling habits of everyone authorized to use these machines, and especially the low staff who have the most limited track records. When the software detected an unusual pattern of downloading or printing, it would ring a bell on the supervisor's desk, who would walk over and check on what the staffer was doing. I would hate this, but I'm not working with top secret information; if you have access to that kind of data you expect to be monitored. Why hasn't such software been deployed?

Enough for tonight -- more thoughts later, perhaps.

1 comment:

  1. There IS a huge diff between a computer reading your email and a human doing it. This is a case of Koan 5 from BLOW TO BITS- More of the same can be a whole new thing. Computers can read so much
    MORE email that this really is different.

    The SPHERE program reminds me of the Joke:
    Last night a burglar broke into my apartment and replaced everything with an EXACT duplicate.