Analysis | What Does the NSA Surveillance Program Mean For You?
Yale constitutional law scholar Anjali Dalal suggests that when it comes to grilling the National Security Agency on domestic surveillance programs, it’s all about how one asks the question.
Since the latest revelations from a whistleblower revealed the government’s practice of collecting records of nearly every phone call made on U.S. soil, activists are accusing Director of Intelligence James Clapper of lying to Congress and the American people.
Sen. Ron Wyden (D-Ore.) asked Clapper at a March 12 Senate hearing, “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?” Clapper’s response was, “No sir … not wittingly.”
Several weeks later, former NSA contractor Edward Snowden leaked documents to the news media that showed the government was, in fact, collecting phone records of every call made across Verizon’s network.
Dalal says that within the legal framework in which the NSA operates, Clapper’s testimony is not necessarily untrue. This is because the NSA targets foreign intelligence and that they have guidelines that require certain hurdles be reached in order for the NSA to process the stored data.
“One of the main issues is that the NSA defines collection differently than you and I might,” Dalal said, “[The] NSA only collects information when it has been processed into intelligible form — thus the aggregation of our most private communications is not triggering the ‘collection’ function within the NSA. This allows that NSA to house data without violating the executive order it operates under.”
Watch Clapper’s testimony:
Snowden released two pieces of classified material to the Guardian Newspaper and Washington Post. The first was a secret Foreign Intelligence Surveillance Act (FISA) order demanding that Verizon Wireless provide the government with “telephony metadata” of all calls going across its network.
The data the government requested includes both the originating and terminating phone numbers, the serial number of the phone making the call, and other information about how the call was placed that can reveal the physical location of the caller and possibly the recipient.
The second document was a classified NSA PowerPoint presentation detailing a program called PRISM. One slide suggests major online services like Google, Yahoo, Skype, and Apple granted the NSA “direct access” to their servers, making available the contents of emails, chats, photos, videos, voice conversations, and a number of other communications.
Downloading the Internet?
Snowden’s leak adds more information to an effort by journalists and activists to piece together just what the federal government is doing with a massive data processing infrastructure put into place following the 9/11 attacks. The NSA’s home base in Maryland consumes more than 65 megawatts of electricity at any given time — enough electricity to power many Connecticut communities. The NSA is completing work on an additional facility with more than 1 million square feet of floor space in Utah.
All of that computing and data storage capability is being used for something, and that use is likely the capture and storage of nearly every packet of data flowing through the Internet in the United States and possibly beyond.
Normally this would be the realm of tin foil hat conspiracy theories. But a prior whistleblower detailed exactly how the government and AT&T did just that.
Former AT&T technician Mark Klein, revealed in stunning detail how, with his former employer’s cooperation, a “splitter” was installed in a major fiber optic switching station in San Francisco.
Much like extending a cable television outlet to a guest bedroom, the NSA was given access to the wire transporting every packet of data flowing through that major piece of the Internet backbone. That includes every email, every skype call, every photo — everything.
The government has not disputed the existence of the splitter, the hardware, or even the secret room at the AT&T switching office. But it hasn’t commented on what they were doing with that data, either.
Internet Technology Makes it Possible
How is this possible? It’s because on the Internet every piece of communication, whether it’s an email, voice call, or the latest update for Angry Birds, is transmitted exactly the same way: through binary data packets of 1s and 0s that are constructed according to standards that ensure every computer, smartphone, and tablet are essentially speaking the same virtual language.
Now that a bulk of the world’s communications are being transited through the Internet, it makes it much easier to simply tap in, capture the raw data, and apply whatever protocols might be used to later decode it into a human readable format. While some of this data is strongly encrypted and difficult (if not impossible) for even the NSA to read, most emails and meta data are still transmitted between servers completely “in the clear” without encryption.
Making it Legal
Initially the government downplayed the extent of its data collections through the fiber splitter program, but it was soon revealed that the NSA was, in fact, intercepting and storing the personal communications of American citizens who were not under suspicion of being terrorists. In other words, both the government and AT&T were breaking the law.
“There was no law that said this was OK,” Dalal said, “So when AT&T was agreeing to it, it didn’t have the coverage of a congressional statute that mandated AT&T comply.”
Lawsuits by the Electronic Frontier Foundation (EFF) and others were filed to hold AT&T accountable for their actions and to try to raise a constitutional court challenge over the government’s actions.
Congress responded by essentially making the data collection process legal — retroactively.
The Bush administration and the telecommunication industry’s lobbyists pushed through a set of changes in 2007 and 2008 that essentially required the telecommunications companies to comply with these government orders going forward. It also granted retroactive immunity from lawsuits against the companies involved for breaking the law and violating the constitutional rights of their customers.
During the debate of these revisions to the law in 2008, a 501c(4) organization suddenly appeared with millions dollars in its coffers targeting potentially vulnerable members of Congress. The organization’s ads ran here in Connecticut, targeting both Rep. Joe Courtney and now Sen. Chris Murphy with a television advertisement similar to this one:
Courtney and Murphy both opposed the measure, but it passed the House and President Bush signed it into law. Barack Obama, a U.S. Senator at the time, supported the legislation. Obama later signed a renewal of the law in 2012.
Those Congressional actions largely shut down the lawsuits that were pending against AT&T and the government.
Interpreting Rights in the Digital Age
Is it legal to record the raw data packets sent by every American while only looking at the traffic from targeted individuals? The answer to that question isn’t clear. Dalal points to a post on Balkinization, a constitutional law blog, that looks at this matter in detail. The grey area in this case is that Department of Defense regulations require that in order to look at data the information must be about foreigners and that US citizens are believed to be involved with or about to be involved with international terrorism. It is uncertain if additional judicial review is required. Also unclear is whether or not that stored information is shared with domestic law enforcement agencies.
And that’s where the legal semantics begin.
“[Storing data] is not collection under the NSA’s definition of collection . . . they’re arguing ‘yes, they can hold this data’,” Dalal said adding, “Who made up that definition? If the NSA is defining ‘collection’ for itself, then we have a bit of a problem.”
All of this data storage and analysis is happening under national security guidelines which are almost always created and conducted in private. Details of the program cannot be debated publicly by elected members of Congress, as revealing them would be a felony.
And despite President Obama’s statements to the contrary, most members of Congress outside of intelligence committees have not received detailed reviews of exactly what the government is doing. And with the legal semantics being what they are, many may not know what to ask to get to the truth.
But the question that has largely gone unanswered is whether the capture and storage of data packets without reviewing them constitutes wiretapping. Also unanswered is how many innocent Americans who may have directly or indirectly come into contact with a person under suspicion have had their communications reviewed by government analysts without their knowledge and without the proper legal review.
Tech Giants Seek Immunity, Too
The nation’s largest tech firms, such as Google, Apple, and Facebook, often find themselves under scrutiny for their privacy policies by the same members of Congress who have granted the government carte blanche access to user data.
The data these firms hold on individuals is extensive, and their financial success is built upon the trust users have granted them in safely storing that information. In exchange for free email and social media services, users are allowing many of these firms to sell their personal information to advertisers. Those advertisers pay substantially to make targeted pitches that often “follow” users across the Internet.
So when the NSA PowerPoint slide suggested that PRISM had “direct” access to data, the industry responded with almost identical statements that “direct” access was not being granted but that they complied with legal government requests.
Google in particular has long released the numbers of requests they have received from law enforcement, but the company has not been legally able to provide the amount of secret requests under FISA or national security letters.
But the amount of data that the government can acquire from these firms is staggering. And some of it might fall into the category of “meta data” and be held to lesser legal standards than a conversation might be.
One area in particular are the Facebook “like” or “recommend” buttons that appear on nearly every website, including this one. Facebook is able to discern and likely log what websites their logged in users are visiting at any given time through those buttons even if they’re not clicked. And, given the Verizon order as an example, it could be a treasure trove of data that would likely not rise to the level of stored communications like emails and voicemails that would have greater legal protections. Facebook would have no choice but to turn it over if a secret request was made of it.
This is likely why the tech firms supported the Cyber Intelligence Sharing and Protection Act (CISPA), despite the objections of activists like the Electronic Frontier Foundation. CISPA would, in effect, deputize the tech giants into the intelligence community, allow them to hand over to the government any user information (including conversations), and be granted the same immunity the telecommunications industry was given in 2008.
Using attacks by foreign hackers as a reason for supporting the legislation, many firms came out in support of the bill. Facebook’s reasoning can be found here.
Google was publicly non-committal on the issue but was quietly lobbying in favor of the legislation’s passage last year. This year TechNet, a trade association of which Google is a voting member, strongly favored the bill and provided cover for member organizations whose users and customers opposed the legislation.
CISPA lost steam after the Obama administration threatened to veto it. The urgency by some in Congress to push CISPA through may be a result of the industry’s shift toward encrypting traffic end-to-end to prevent hackers from employing similar packet sniffing techniques used by the NSA. Encryption is likely making it more difficult for the NSA to acquire data through PRISM, and obtaining the data legally through the FISA process takes additional time.
The story could continue to develop if more whistleblowers come forward. Or it could slither back under the veil of secrecy like it did following Klein’s disclosure and Congress’ quick legislative changes.
Either way, it’s fairly clear now that the government is storing, but not necessarily accessing, data from millions of Americans without a warrant or probable cause.
And the semantics will likely continue.
“If they are arguing that everybody is relevant it makes us wonder what relevance means,” Dalal said.