So Your Government Is Spying On You, Now What?

The Onion's take is also spot-on, as per usual.
The Onion’s take is spot-on, as per usual.

So last week we found out that the government has been routinely collecting all of the metadata from cell phone calls virtually all Americans make for years. Then we learned that the NSA has the capability to tap directly into the databases of Internet giants like Google, Microsoft, and Apple to collect search history, emails, file transfer history, and even live chats of individual users. Big news, eh? (Guardian, NYT)

Not to bestselling author and major blogger John Scalzi, who wrote about the revelations:

Apparently I was the only person in the US who assumed the government was already doing something very much like this? Because it was doing it under Bush, and if Obama had gotten around to stopping doing it, his administration would have made a big deal about it, no? And since the Obama Administration never said a single word about it that I can recall, it was probably still going on? So I guess what I would say is, yeah, seems not surprising in the least

Scalzi’s attitude is refreshing next to all the faux shock and muted outrage from the Left–who would have screamed bloody murder if this were going on under Bush–and the sudden remembrance of civil liberties from the Right–who notably didn’t make a fuss under Bush. In that spirit, I want to try and talk about the program itself: what it really entails in terms of privacy and civil liberties and what it really offers in terms of safety. FWIW, I’m a skeptic of the more extreme claims of the privacy movement (who often strike me as 21st century Luddites) and also of a lot of security measures in the wake of 9/11 (which are often best described as “security theater“).

Let’s start with the successes of the government program, such as they are, which is codenamed Stellar Wind.  According to the Wikipedia article, the suspicious activity reports (SARs) generated by the program were actually the initial source of intel on Elliot Spitzer’s prostitution scandal. Stopping political corruption is never a bad thing, but on the other hand it’s always ominous when controversial policies that threaten civil liberties but are justified on national security grounds end up being employed for conventional law enforcement. This isn’t exceptional, by the way. Back in 2011 the Washington Post revealed that the FBI had used the Patriot Act in 15 terrorism cases and 1,618 drug cases. If those numbers are representative, less than 1% of applications of the Patriot Act have anything to do with terrorism.

Najibullah Zazi's 2009 terror plot was foiled by the secret government scheme.
Najibullah Zazi’s 2009 terror plot was foiled by the secret government scheme.

But the program has been used to stop real and imminent terror attacks as well. New York Magazine reports that in 2009 Najibullah Zazi drove to New York City with explosives. His plan was to finalize the assembly and then detonate 16 backpack bombs in the New York City subway system. Zazi was a Colorado resident who had received both his training and his orders from Al Qaeda. He never completed the attack, however, because he was tipped off that he was under surveillance and so flew back to Colorado where he was arrested. At the time, the discovery was credited to an email intercept by Scotland Yard, and it turns out that might actually have been true because the UK also has access to PRISM, which is the name of the tool at the heart of Stellar Wind.

So this example illustrates two things. First, this program can and does stop serious terrorist attacks. Second, the program is even more widely used than initial reports reveal. In fact, one of the interesting things about the program is the use of intermediaries to hide the program’s full extent. To this day, all of the Internet giants accused of sharing information with the US government deny that they do so, let alone with foreign governments, but an article in Valley Wag suggests a plausible explanation for this: they are working with a private, CIA-funded, Silicon Valley startup that serves as a middleman. So technically when they say “We’re not working with any government,” they are telling the truth. Technically.

Another key aspect of this story is that the government’s approach–dating back to the Bush administration–has been to try and create legal rationales for their programs based on existing statutes and case law even when those rationales (and the programs they support) are kept secret from the public eye. In the case of PRISM, this means that the government gets the data (emails, chat transcripts, etc.), but it is anonymized. They only go in and find out who said what once they have identified a cause for concerns (that’s what the suspicious activity reports, or SARs, are all about). In the case of the data the government receives from Verizon (and presumably all other cell phone carriers), what they get is the metadata and not the actual phone calls. This means they get information about what numbers a person calls and when they call. And, because it was ruled metadata in a court case, also some general geographic data based on the closest cell phone tower at the time that a call is made.

According to journalist and essayist David Simon, this means we have nothing to worry about. He writes:

Having labored as a police reporter in the days before the Patriot Act, I can assure all there has always been a stage before the wiretap, a preliminary process involving the capture, retention and analysis of raw data. It has been so for decades now in this country. The only thing new here, from a legal standpoint, is the scale on which the FBI and NSA are apparently attempting to cull anti-terrorism leads from that data. But the legal and moral principles? Same old stuff.

Same old stuff? What Simon is referring to are older law enforcement practices known as mail cover and pen register. Mail cover is the idea that anything on the outside of an envelope is fair game to be tracked and recorded without a warrant. A pen register is a device that records all phone calls made from a telephone number. The pen register in particular should sound familiar, since it’s basically the same idea as vacuuming up metadata from Verizon. So it is easy to see that the modern surveillance approaches are based on historical precedent, but is it really the same?

I’m speculating a little bit here, but the principle behind mail cover seems to be essentially that there’s no reasonable way for the outside of an envelope to be private since the message has to be delivered by a person. The pen register seems like a similar idea, especially since in the early days of the telephone human switchboard operators directed calls. But technology has changed substantially since then and the metadata is absolutely not the same. Cell phones track your location now, which is the kind of data that an old-fashioned pen register wouldn’t have recorded. Upgrading surveillance techniques to follow new technology without actually reconsidering the rationale makes the rationale suspect.

Then there’s that tricky idea of scale, as though doing dramatically more of a thing was just a minor variation on a theme. If that were true, would everyone be raving about “big data“? The FBI can always assign an agent to follow you around wherever you go (in public) without a warrant. Does that mean that we should just let them attach GPS devices to every single car in the country because following people in public to track their whereabouts is “the same old stuff”? Pretty much the entire story of technological progress for the last 50 years can be reduced to “doing the same old thing with less time, effort, and money” and clearly that’s actually a pretty big deal. (Just ask the music industry about copying music via MP3s vs. cassette tapes.) Anyone who could make such a silly assertion either has been asleep since the 1980s or has an agenda.

So where does that leave us?

1. The current secret government programs (that we know of)  are not the same old stuff. They are new and unprecedented threats to American expectations of privacy and civil liberty.

2. The programs are not straight out of George Orwell’s 1984. The government is, for now, exercising some degree of restraint and at least attempting to operate within our legal framework. This is true of both the Bush and Obama administrations.

3. The programs tend to be used for non-terrorist reasons the vast majority of the time, and are therefore employed against Americans who have no connection to terrorism whatsoever.

4. Some of the time–at least more than none at all–the programs are used to thwart real and imminent terrorist attacks that could have killed hundreds or even thousands of people.

We're not actually here. Yet.
We’re not actually here. Yet.

As long as our government is fundamentally decent and law-abiding, there’s not much threat from a system where everything that everyone writes goes into an anonymous database, and where revealing an individual identity requires a warrant based on accurate analysis that indicates a threat. But will the analysis be accurate? In the actual PRISM system, 99% of SARs were generated by people ordering takeout. Will the data truly be anonymous? The government has managed to flub redaction in a digital age on numerous accounts. Will individual identities really be protected until a warrant is granted? And, the big one, can we actually assume that our government will always be fundamentally decent and law-abiding?

Let me put it this way: if we can’t trust the IRS to collect taxes in a fair and non-partisan way, then we can’t assume that a tool like this will never be abused. Even if we could, however, what kind of effect will our example have on other nations (like Syria or Iran) that use the exact same national defense rationales to suppress the free expression of their citizens?

I believe that the people working in the Bush and Obama administrations who came up with and implemented these programs are fundamentally good and decent people who were trying to do the right thing. But good intentions are not enough. A country where every word that every citizen every sends across a digital medium is available for government analysis is unacceptable because the safeguards against abuse will never be perfectly reliable.

But we need to accept that this position comes with a cost. If we adopt that position and cancel Stellar Wind and shut down PRISM then it is very likely that people will die who might otherwise have been saved. They will be somebody’s loved ones, and it will have been preventable. The trade-off between civil liberties and safety is a real one, and we would be fools to pretend otherwise. When you add the risk of a nuclear, chemical, or biological terror attack into the mix, you can see why the people who would be blamed for such a disaster are willing to bend the rules to make sure that it doesn’t happen on their watch. (Or, more cynically, that if it does happen on their watch they will have political cover.)

For my part: I think the fact that we’re willing to live with an interstate highway system that results in about 30,000 deaths per year for the sake of transportation efficiency, we can probably accept a greater vulnerability to terrorist attacks in return for the safety of our American way of life.