Thursday, July 4, 2013

You are being watched: Government surveillance is broad, deep, and dangerous

Published in the Portland Phoenix and the Providence Phoenix

The government is collecting every kind of digital communications information about you — not just the so-called "metadata" of the location, participating phone numbers, and duration of every single telephone call made in the United States, but also the content of those phone conversations, and of emails, online chats and instant messages, and text messages.

Thanks to brave leakers and reporters who have revealed the details of two major programs, one collecting telephone information, and the other vacuuming up terabytes of data from major Internet companies (Facebook, Google, Microsoft, Yahoo, and more), we know all of those things are happening, with the possible — and only possible — exception of recording the phone calls. A former FBI agent told CNN back in May that phone conversations were being captured. The Associated Press was blunt in a June 15 report, paraphrasing Bruce Schneier, a cryptographer and computer-security expert: "Just assume the government collects everything." (For an overview, see sidebar, "PRISM Primer," by Deirdre Fulton.)

Now that we know for sure that we live in a surveillance state, where do we go from here? Of course, some people will say they already expected as much, or believed so. These new revelations aren't for them — they're for everyone else, who didn't think the Panopticon had truly arrived. But now the United States itself has become 18th-century thinker Jeremy Bentham's architectural wonder of a prison, in which inmates can be observed at each and every moment, without being sure whether they are in fact being watched just now.

Rather than dismissing the alarms about government surveillance, the public at large can no longer ignore or wish away its presence. Those fearmongerers who were rudely dismissed should take heart from The Daily Show, which in the wake of the revelations about NSA spying has introduced a new segment: "Good News! You're Not Paranoid."


First, a brief discussion about the importance of privacy. Many people dismiss it, saying things like "I have nothing to hide." Beyond the oft-cited "right to be left alone" definition offered by Supreme Court Associate Justice Louis Brandeis in 1928, privacy is nothing less than the right to actually be yourself.

Surveillance — intrusion on privacy — affects human psychology and action. It is the ultimate infringement on personal freedom, because it exploits an instinctual weakness of humans. When we're in private, we do things freely, as our true selves; when we're being watched, we change our behavior.

The principle Bentham articulated in 1787 is simple: "Observation and fear of detection ensures compliance," as author Charlie Canning summarized it. Think about it yourself (privately): Is there absolutely nothing you would do differently in your entire life if your partner, parent, child, boss, and best friend were watching at all times? Now expand that audience to include the only power that can by the force of arms deprive you of your freedom — the government. (There are several other important related problems; see sidebar "Debunking 'Nothing to Hide.'")

Of course, there are plenty of regular, law-abiding people who will respond, "I don't do anything wrong, so they won't watch me, and there's nothing to catch me doing." But in his 2011 book Three Felonies A Day: How the Feds Target the Innocent, civil-liberties lawyer (and occasional Phoenix contributor) Harvey Silverglate details exactly how misguided that sense of security can be. Making the argument that federal laws are overbroad, loosely interpreted, and aggressively prosecuted, Silverglate describes case after case in which innocent citizens doing their very best to behave within the law accidentally came to the attention of federal authorities — largely through personal misfortune, such as running out of gas when riding a snowmobile on US Forest Service land — and were charged with, and convicted of, felonies.

Let's just say it straight: If a federal prosecutor wants to find something you've done wrong, there's probably something that could qualify. Your main hopes to avoid prosecution are: 1) avoiding coming to authorities' attention, and 2) depriving the authorities of information that could be used against you. Since the first is mainly a matter of chance, it's best to focus on the second — which is, plainly put, privacy. How, exactly, should we do that? In her sidebar ("Counterveillance 101"), Deirdre Fulton outlines some strategies.


As best we can tell, the government is not doing direct collection of the information it's using. Rather, the NSA and the FBI are demanding — at times with the help of judges in the secret Foreign Intelligence Surveillance Court — that private companies disclose data those firms have already collected from us. We have offered up that information willingly in almost every case, often in exchange for services we like, such as connections with distant friends, or directions to the nearest gas station.

There are two key differences between this and what the government is doing. First is transparency: do we know the information is being collected, and by whom? And second, what could the people who have the data do with it? The specter of being tracked just by our cellphones is very real — and requires no snooping on conversations. (See sidebar, "Metadata matters.")

That said, corporate data-mining is pretty open. Most of those companies tell us — even if it's buried pages into a software license agreement — they're collecting data, and most of them make it fairly obvious they do so. For example, when we connect to Facebook, it's right in front of us that the site knows our own information and that of our friends. And we know, when we sign up for customer-loyalty programs, that we're being tracked in exchange for discounts or special deals.

And what companies can do with the data is pretty limited (or so we think). Of course, they could publish it — but apart from the fact that Facebook in particular offers publication as a benefit of its service, it's worth noting the effectiveness of public backlashes against Facebook's periodic attempts to relax privacy controls. That outcry is a limit on intentional corporate misuse of the data — and if the data is stolen or otherwise gets out unintentionally, federal and state laws offer recourse to those whose private data is compromised.

Which is not to say that corporations' use of our personal information is not invasive. But it is less of an affront because we know it's happening, assist in the data-collection process, have some recourse if policies change, and are limited in our vulnerability — at least companies can't lock us up!

Government data-mining, by contrast, is secret — until it's revealed by leakers who face prosecution for telling the truth. And the government's power is sweeping, including literal deprivation of freedom, or even life itself, through prosecution and punishment. Public outcry can only change things when we know what's happening — but too often officials hide behind the concept of classified information, even when they're involving corporations in the info-vacuum. And the so-called "public servants" are bought and paid for by special interests that conflict with our own.

Beyond being deprived of the information we need to make good decisions about our government's actions, we can't even fight back against telecom firms, which are forced to comply and protected from repercussions. A June 11 Huffington Post report details the millions of dollars spent by AT&T, Verizon, and Sprint from 2002 to 2012, including a combined $55 million on lobbying relating to the Foreign Intelligence Surveillance Act. And sure enough, the companies have gotten federal legislation enacted that gives them total retroactive legal immunity from civil lawsuits related to their participation in government surveillance programs. The immunity has been attacked, but repeal efforts have failed.


It's easy to laugh about how ineffective this surveillance system might be, especially in certain cases: How did they miss the Boston-bombing Tsarnaev brothers? Why can't the feds locate NSA leaker Edward Snowden in a worldwide manhunt? "Agency Busy Spying on Three Hundred Million People Failed to Notice One Dude Working For It," wrote the New Yorker satirist Andy Borowitz. But to point out flaws, even arrogance, in the concept that data can tell us everything is to miss the point that our leaders apparently think data is all-seeing, and have taken it upon themselves to gather it without real oversight.

The biggest problem with this whole surveillance mess is that it was secret. We simply have not, as a democratic society, had the conversation about what kinds of freedoms and privacies we are willing to give up in exchange for what kinds of safety and security. As President Barack Obama put it in his false dichotomy June 7, "you can't have 100 percent security and then also have 100 percent privacy."

Nobody's asking for such a thing (nevermind that both concepts are unquantifiable) — we're asking for a clear and transparent balance between security and privacy, a balance arrived at through a public debate, both in Americans' own lives and in Congress. (Also useful would be a conversation through the courts; at present, only government attorneys are permitted to appear at the Foreign Intelligence Surveillance Court's secret hearings, removing any possibility that government claims could be challenged or questioned.)

But it's hard to talk about the details of these programs without security clearances; whether it should be or not, most of this work is classified. That's where a post-9/11 recommendation that has finally borne fruit comes in.

The Privacy and Civil Liberties Oversight Board was suggested in the list of recommendations from the 9/11 Commission report, back in 2004, and was created by Congress later that year. It was never truly funded or staffed, but after a 2008 change in its authorizing law, and after years of Congressional and delays from the Bush and Obama administrations, its chairman was finally confirmed by the Senate on May 7 of this year.

That man, David Medine, has said his board will investigate the NSA program — after a classified briefing on June 11, he told the Associated Press "further questions are warranted." In addition to meeting with Obama and officials in the intelligence community, the board will also hold a public meeting slated for July 9, "that would bring together academics, experts and advocates to explore issues raised by the national surveillance programs," the Washington Post wrote on June 21.

But then again, perhaps these surveillance programs do keep us safer. As Stephen Colbert said of our enemies: "They hate us for our freedoms. The less freedom we have, the less likely they are to attack us."

There's a comforting thought.

Debunking 'nothing to hide'


• Apart from the fact that you do have things to hide — or wasn't it you who posted nudie pics of yourself and your beloved online? (and was it really for the sake of living a transparent life?) — the claim that people have "nothing to hide" and that, therefore, government surveillance must be okay, is torn to pieces by George Washington University law professor Daniel Solove's 2011 book Nothing to Hide: The False Tradeoff Between Privacy and Security (Yale University Press).

Solove argues that the problems of government surveillance go well beyond the watching and collecting. While most debate about privacy centers on themes along the lines of the all-seeing telescreens in George Orwell's 1984, Solove says a better example is Franz Kafka's The Trial, a chillingly prescient early 19th-century novel about a man arrested but not told why, and whose attempts to find explanation only result in vague information that he is being investigated by some authority for some unknown transgression.

"Government information-gathering programs are problematic even if no information that people want to hide is uncovered," Solove writes. "In The Trial, the problem is not inhibited behavior but rather a suffocating powerlessness and vulnerability created by the court system's use of personal data and its denial to the protagonist of any knowledge of or participation in the process. The harms are bureaucratic ones — indifference, error, abuse, frustration, and lack of transparency and accountability."

Beyond that, claiming "nothing to hide," Solove points out, suggests that what's hidden is bad, wrong, or illegal. But "Surveillance . . . can inhibit such lawful activities as free speech, free association, and other First Amendment rights essential for democracy," he writes.

There is also the key question of whether people own their own data. "Many government national-security measures involve maintaining a huge database of information that individuals cannot access," Solove writes. "Indeed, because they involve national security, the very existence of these programs is often kept secret." Calling this collection a "due-process problem," in which citizens are denied power over themselves and their information, Solove says this creates "a power imbalance between people and the government. . . . This issue isn't about what information people want to hide but about the power and the structure of government."

Solove also notes a key vulnerability that even law-abiding citizens have to government misinterpretation. "For example, suppose government officials learn that a person has bought a number of books on how to manufacture methamphetamine. That information makes them suspect that he's building a meth lab. What is missing from the records is the full story: The person is writing a novel about a character who makes meth. . . . Should he have to worry about government scrutiny of all his purchases and actions? He might not want to have to worry about how everything he does will be perceived by officials nervously monitoring for criminal activity. He might not want to have a computer flag him as suspicious because he has an unusual pattern of behavior."

So it's not that you have nothing to hide. It's that revealing all would leave you naked and powerless before the fearsome strength of the government — which is the very opposite of freedom.


'Metadata' matters


• If your concern is focused on whether the government is listening to your phone conversations, you're worrying about the wrong thing. Cellphone "metadata" — whom you call, when, from where, and how often — is much more interesting, and much more invasive than whether someone hears you say, "Hi. It's me. Can you please get milk?"

A study published in the online academic journal Scientific Reports in March details exactly how just four pieces of "spatio-temporal" data can "uniquely identify 95 percent of . . . individuals" without hearing any phone conversations or reading any text messages.

Researchers at the Massachusetts Institute of Technology, Harvard University, Catholic University in Belgium, and the Complex Systems Institute in Chile studied cellphone company data covering 1.5 million people's calls over 15 months. The data provided did not contain callers' names or addresses; it included only the time and location of the connecting cellular antenna each time a phone received or sent a call or text message.

By charting the series of antenna connections over time, the researchers were able to construct a map of each phone's movement, which they called a "mobility trace." In 95 percent of the traces, just four points of time-location data were needed to tell that trace uniquely apart from the others in the large dataset. (The most difficult traces to focus in on needed only 11 locations before becoming unique.)

While the study does admit that additional, outside, data would be needed to connect a mobility trace to a person's name, the researchers observe that many pieces of location information are a matter of public record (such as property ownership files), are disclosed voluntarily through online check-ins (Facebook, Foursquare), or are easily searchable (business addresses).

In an example offered on Democracy Now on June 12, cybersecurity expert Susan Landau said this: "When Sun Microsystems was bought by Oracle, there were a number of calls that weekend before. One can imagine just the trail of calls. First the CEO of Sun and the CEO of Oracle talk to each other. Then probably they both talk to their chief counsels. Then maybe they talk to each other again, then to other people in charge. And the calls go back and forth very quickly, very tightly. You know what's going to happen. You know what the announcement is going to be on Monday morning, even though you haven't heard the content of the calls."

And even without a name attached, drawing a picture of events is simple, Landau said: "The metadata of a phone call tells what you do as opposed to what you say. If you call from the hospital . . . and then later in the day the doctor calls you, and then you call the surgeon, and then when you're at the surgeon's office you call your family, it's pretty clear, just looking at that pattern of calls, that there's been some bad news."

Bad news is right.