A number of organizations are uniting to sponsor a day of Internet protests on February 11 against mass surveillance by the NSA. You can find out more here.
With apologies to all my non-American readers, I have no problem with the NSA spying on foreign entities or persons. Hey, that’s why they exist! I do believe they should have well defined governance even in terms of spying outside our borders. Sure I’m willing to grant them a lot of leeway to prevent another Pearl Harbor, or 9/11. But you want to spy on an allied leader? I think that should require a Presidential Directive. On the other hand, you want to track the entire network of communications as it emanates out from a communications pattern detected in an Al Qaeda stronghold somewhere? Fine. Even though it sweeps in a lot of innocent people? Yup. Even though it crosses the U.S. Border? With proper governance.
If the U.S. government is going to spy on people in the U.S. it needs to allow for all the constitutional protections we are supposed to enjoy. It’s pretty obvious from the Snowden leaks that current procedures do not. Administrative fiat and FISA Court rubber stamps have replaced our constitutionally mandated checks and balances. And that is what has to change. We’ve seen a few small improvements in public communications in the wake of the Snowden leaks, but no governance changes that move us closer to our accepted system of legal protections.
What I really worry about with domestic surveillance is the potential for abuse. A prominent D.C. lobbyist once told me “you can write the legislation as long as I get to write the definitions”. Even if you have legislation that restricts the use of domestic surveillance to “terrorism”, almost anything could be redefined as terrorism. Recall what happened with RICO, the Racketeer Influenced and Corrupt Organizations Act. RICO was established to fight organized crime, a.k.a. “The Mob”. But the ink hadn’t dried on the bill before it was being used for other things. It has even been used to suppress Pro-Life groups. How long before any collection of mass surveillance data is exploited to go after suspected tax evaders, drug dealers, drug users, or political protesters?
Two states have now legalized recreational marijuana usage and many more have legalized it for medical use, yet it is still illegal on the federal level. This administration is not going after users or legal producers in states where they are following state law. But that policy could easily be reversed by the next administration. We always hear claims about how terrorists exploit the drug trade to raise funs for their activities, so how hard would it be to justify mining surveillance databases to identify and prosecute state-legal but federally-illegal drug users based on this alleged terrorism connection? It is not that far-fetched.
It is also not far-fetched to consider the use of mass surveillance data to go after political organizations. You don’t have to go back to the Nixon administration to find abuses, we are still in the midst of an IRS abuse-of-power scandal when it comes to approving 501(c)(4) status for conservative organizations. Whatever your political leanings this should be a concern. If a Democratic administration can abuse power against conservative organizations, a Republican administration can do the same against liberal organizations. Given that terrorist organizations are political movements that have embraced violence, how hard would it be to justify using domestic surveillance against non-violent political movements? I can hear the argument now: “today they are non-violent, but if we don’t spy on them how will we know if they are going to stay that way?” To say that is the slippery slope towards totalitarianism is a vast understatement. 1984 wasn’t 1984, but 2024 might be.
It’s time we brought back some balance between our need to defend ourselves and the risks in allowing government to exceed more than a very limited amount of interference in our lives. That’s not to punish, or neuter, the NSA or other agencies. It’s to make it clear what they can do, when they can do it, whose approval they need, and that sufficient checks and balances exist for the American public to be confidant that the protections they believe are afforded to them by the Fourth Amendment to the U.S. Constitution are indeed in effect. Benjamin Franklin (may or) may not have meant his famous words “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” in the way we interpret them today. But he should have.
Note that I’m not discounting the spying, I mean tracking, that goes on amongst commercial entities and the risks that those bring. The difference is that governments send men with guns to do their bidding. And, historically, they aren’t afraid to use them.
Hal's (Im)Perfect Vision 
I remember when RICO was passed. There were comments about the way the law was written, including definitions, that three college students that ride together to class and park in a metered parking space could be charged with a RICO violation if they agreed to take turns feeding the meter to avoid getting a parking ticket. It hasn’t gotten that bad, but pretty close.
The War On Some Drugs laws, especially the forfeiture provisions, have definitely been abused. When the government wants to confiscate some property, and I’m not talking just about real estate, they file suit against the property and the owner has to prove the property was not acquired illegally or it will be confiscated. And since the property is being sued rather than the property owner, it neatly sidesteps many legal protections the owner would have if he was the one being sued. This is so fundamentally wrong on so many levels, that it’s amazing these laws haven’t been ruled unconstitutional. And who gets a share in this money? All the law enforcement agencies that had a hand in the confiscation. Talk about an incentive to confiscate anything and everything possible.
I could go on and on, but that would raise my blood pressure even higher than it already is.
Exactly. I forgot about the use of civil actions rather than criminal ones to side-step constitutional protections. That drives me nuts as well.
There is a problem that the courts are technically independent but judges are still political appointees, and have often worked in the executive branch and been politically active. It takes a lot for them to bite the hand that fed them. This is both good and bad. Good in that it provides quite a bit of stability, bad in that they work hard to find excuses to let the legislative and executive branches get away with activities that are clearly unconstitutional on a simple reading of the Constitution and Federalist Papers. How many activities of the Federal government have been justified on the basis of overly expansive interpretations of the Commerce clause, for example?
The creation of the FISA court was supposed to be a solution to the applications of constitutional protections to the secrecy requirements of the spying business but instead appears to have become a way to get around those protections. That’s partly a function of the secrecy requirement itself, so we don’t actually know if it is functioning properly. And partially that no judge on the court wants to be the one who turned down the request that would have prevented a terrorist attack. It’s easy to say “they need to grow a pair”. But with scenarios such as a dirty, or even atomic, bomb in a major American city staring you in the face on a daily basis I have trouble seeing how you aren’t looking for any justification to say YES!
Of course you can say, that it’s fine to spy on foreigners, and with ‘spy’ i mean mass surveillance to the extreme. But then as a company you should expect your revenue with cloud products in Europe and other countries diminish.
As a German, i am upset about what the US does, especially because it seems the US is doing industrial espionage as well. That is not what an ally or partner should do.
Keep a few things in mind:
1) Do not get anything I say confused with the position of Microsoft or any other company.
2) I did say that any NSA spying even on foreigners needs to be covered by a system of governance. Inherent in that governance is it be limited to situations where they can identify a security threat. Industrial espionage would not qualify and I don’t believe the U.S. does engage in government-sponsored industrial espionage. But then there are obviously grey areas. If a country discovered that a potential foe had come up with a technology that allowed it to overwhelm their defensive systems I would expect them to seek information about the technology and ways to counter it. I can be upset as anyone that the Russians and the Chinese would attempt to steal U.S. stealth technology secrets, but intellectually I know it’s a defensible act. Now have the U.S.’ European allies attempted to obtain them as well? It would not shock me at all to discover they have. Is that an act of self-defense or industrial espionage?
3) Companies, and Microsoft has already announced this, will make sure to allow those outside the United States to store their data locally where it is subject to local law rather than U.S. law. However, once outside the U.S. it is also not subject to the protections that U.S. law currently, or in the future, provides. So that means the NSA actually has more freedom to access it without the permission of the company holding it than they would with data stored in the U.S.! Why do you think storing the data in a cloud data center owned by a European-based entity would make any difference in this scenario? In fact, why do you think it has to be in a cloud data center at all? Microsoft, Amazon, Google, etc. almost certainly have better security provisions than 99% of the private sector data centers in the world.
4) Every country does the same thing. And by that I mean they definitely spy on foreigners and likely spy on their own citizens. And they are exploiting the technical ability to gather data on a massive scale. A few weeks ago an executive of a European-based telecom explained to me that there is a standardized API that they are required by law to provide in Europe so that governments there can access the very same metadata the NSA is accused of gathering here in the U.S. And trust me, despite my outrage over NSA’s domestic spying operations if I had any data of value to governments or their industries the thing that would worry me no matter what country I lived in was spying by the Chinese and Russians. While I think Europe has taken the lead on empowering citizens to keep their personal data private from abuse by commercial entities, Europeans really need to drop the “holier than thou” attitude when it comes to government access to that data.
Re: point 3, what are you expecting the NSA to do to access, for example, a non-big-name company in Europe that uses equipment built without NSA backdoors, with non-standard encryption of data, both in-transit and stored. How would NSA break that encryption? Would it not be more secure from surveillance than using US products which have been built with backdoors for the NSA etc?
The number of bad assumptions here is just incredible.
First, do not assume that there are actually back doors put into systems by NSA with the vendors approval. And if the NSA can put them in without the vendors approval (e.g., by tapping into the communications lines flowing into the data center or by intercepting and modifying hardware before its deliver to the customer) they sure can put them in private data centers without approval too. And let’s not just put the NSA in this category, European, Russian, and Chinese intelligence agencies have the same capabilities and in many cases far fewer restrictions on using them.
Second, experts believe the NSA can brute-force crack encryption with keys up to 4K in length. Commercial software, and SSL specifically, are just migrating to 2K keys. So yes you could use encryption with 8K keys, but the performance hit is probably totally unacceptable and certainly not interoperable with non-bespoke software.
I totally don’t get your “non-standard encryption” comment unless you were just referring to key sizes. It isn’t at all clear that there are algorithms that are any more secure than those that have been standardized, and the odds of there being an exploitable flaw in bespoke or oddball algorithms is very high. And even if it was flawless, it would still be subject to the brute force attack problem when up against someone like the NSA.
And then even if you can secure data on your premises the in-transit problem is much worse. Let’s say you have a flawless encryption algorithm and 8K keys, you can’t exchange data with anyone else because they don’t implement those. So you are limited to communication between nodes and software that you control. Fine, there are a limited number of scenarios where that is useful.
Finally, you act like you are proposing something new. The NSA and other SIGINT organizations were created to spy on other nation-state organizations applying the best technologies for protecting their national secrets. You think it would be much more than child’s play for them to break into a private sector data center no matter what defenses you throw up? OH PLEEEZZZ! In fact, trying that hard to keep the NSA out would probably cause every nation-state SIGINT organization in the world to target you to see what you are trying to hide.
Firstly, it was an off-the-cuff comment on your blog, your words ‘you act like you are proposing something new’ are based on nothing. I didn’t mention national secrets either. From my experience managing the tech of a financial SaaS (i’m no longer in that field), I’m aware that businesses just don’t like the idea of their data being trawled through and copied on an industrial scale by third parties. Your view seems to be that nothing can be done about it. Fine, thanks for the full reply!
“How long before any collection of mass surveillance data is exploited to go after suspected tax evaders, drug dealers, drug users, or political protesters?”
What do you mean by ‘how long before’? Been done for years already. Prosecutors are advised to construct ‘false evidence trails’ to hide how the information was obtained.
You are correct that this already being done.
I see where you are coming from, Hal, but disagree that it is OK to spy on US citizens because of some possible threat of something (“terrorism” is a pretty squishy term that could apply to some foreign national doing little more than expressing a negative opinion of the USA). I think spying is necessary (always has been) but the government should not be unconstrained to chase every goose; it should clearly define and then follow parameters and rules of engagement. As you note, Snowden has shown us that isn’t happening. And how do you feel about the Chinese and Saudi governments spying on you? That would now seem to be fair game given this Administration’s point of view – we’ve certainly squandered any moral high ground here.
Joseph, I thought what I said was to spy on U.S. citizens you have to have probable cause and get a warrant and are entitled to all other constitutional protections. “Domestic Terrorim” is nothing more than a crime from a legal perspective. And to spy on those outside the U.S. (citizens or not) there need to be rules, but those rules are necessarily far more relaxed. My example was actually far more cagey on this point. I didn’t have the NSA sweeping in all communications everywhere, I specifically had them tracing communications that emanated from an Al Qaeda stronghold. Where do we disagree?
You and I lived through the cold war. The Soviets were spying on us all the time, including conducting SIGINT operations throughout Silicon Valley, and the Russians are believed to continue this. And they weren’t just monitoring for military secrets, they were conducting industrial espionage too. The San Francisco consulate reportedly was sweeping up all conversations in the bay area. Why do we think things are any different today? I assume I’m being spied on, period. Should we negotiate treaties that create guidelines for collecting data about each others citizens? Probably, though I have limited faith in them. The Russians have reportedly tested a new missile in violation of the Start treaties, so why would one ever fully trust them to give up something as undetectable as communications surveillance because the signed a treaty? Why would I extend any greater faith to the Chinese? Or the Saudis?
Primarily we should be taking measures to raise the cost of mass data collection to the point it is impractical. The NSA reportedly has the computing horsepower to brute-force break encryption using 4K keys. But until quantum computing becomes practical they can’t brute-force decrypt all communications, especially if we used 4K keys. Right now our email, text messages, phone calls, most of our web searching and browsing, etc. are all done in the clear. Our data is almost all stored in the clear. Our security systems have gaps big enough to drive trucks through (e.g., Target). And we’ve embedded tracking mechanisms at the core of the web (e.g., cookies). If you really want to put mass data collection to rest as an issue the only solution that will work is to make it impractical to conduct. Then the NSA and its peers around the world (as well as commercial institutions and criminal entities) will have to focus their efforts on specific high-value targets.
Oh, and when quantum computing becomes practical? The world ends. Because we don’t know how to protect anything.