Writing at Balkinization, Frank Pasquale outlines the harm that can come from the systematic massive surveillance being carried on in the name of security:
To make this more concrete: note that the US’s intelligence apparatus has already extensively monitored libertarians and peace activists. According to the Partnership for Civil Justice Fund, “from its inception, the FBI treated the Occupy movement as a potential criminal and terrorist threat.” During Occupy Wall Street, investigative journalists uncovered command centers advised by federal and local officials and banks. Skeptics wondered whether banks’ lucrative “private detail pay†and donations for police helped motivate multiple, brutal crackdowns on peaceful (if unorthodox) protesters. Homeland security officials may have advised local police on containment of the hundreds of “Occupy†encampments that arose in the fall of 2011. And in terms of selective enforcement: one has to wonder why police decided to care about a six-year-old open container violation at the homes of activists one day before May Day protests.
The post is highly documented, thoughtful, realistic, and non-hysterical.
To his remarks I would add that if you gave me access to the information that’s apparently being collected I have a high degree of confidence that I could predict your day-to-day movements and only slightly less confidence that I could predict what you’d do when you got there. That such information could have considerable value in a business intelligence context is not paranoia it’s obvious. The information could prove useful to criminals, bosses, spouses and who knows how many other individuals and organizations. It is equally obvious that if value can be extracted from something it will be.
The difference between government officials collecting such data and big businesses retaining such data as they collect it in the course of business is recourse. Due to the civil service shield laws there is no recourse when information is misused by the government and because of the absence of such recourse the disincentives to misuse the data are small. If those protections were removed it would go a long way towards assuaging my concerns.
Update
Some other things that might be considered on why we should be concerned about the federal government retaining and using information that large companies, too, are retaining and using. First, the parallel is in no way exculpatory of government action. Second, there are no trillion dollar companies.
Dave:
There’s not really a line between government data and business data. The data the NSA is getting comes in most cases via back doors provided by business. NSA data = Business data.
And as I mentioned in another comment, any data collected by illegal means from strictly government sources – NSA listening to your calls strictly via government systems — would likely be tainted as possible evidence, whereas statements offered by employees at various big businesses would be usable as evidence.
True as to the first point, but the second point is silly. Google may not be valued at a trillion dollars but it has far more information on us than the government will ever get.
We surrendered on this when we stopped reading privacy policies online. A long while ago. We are now down to discussing whether government must be specifically and uniquely excluded from access to data which is available at hundreds of companies and in many cases freely available for purchase.
I’m willing to be convinced that this exclusion of the government is necessary, but the arguments are not exactly compelling so far.
I’m not arguing for exclusion. I’m arguing for consequences for misuse, for overreaching. Presently, there are none.
It’s not silly. WalMart, the largest American company, has about 2 million employees. The federal government has 2.5 million full-time civilian employees plus another 2.5 million active duty service personnel plus nobody really knows how many private contractors. The total number of civilian plus military plus contractors can’t be less than 10 million.
That means that the problem of security within the federal government is unbelievably complex. Far more complex than in any private sector company. Which means that the opportunities for misconduct are enormous.
AT&T has a quarter million employees. Google has fewer than 50,000 employees. Those are both still huge but much more easily managed than the federal government.
There are no economies of scale in that problem of management and the complexity of the problem doesn’t increase linearly, i.e. the federal government’s complexity isn’t 10 times that of AT&T’s. At the very last the complexity increases at n log n but, more likely, it’s geometric.
Said another way, it’s so huge nobody knows what the heck is going on. Google, by comparison, is still small enough that its security can be controlled. And it has incentives to limit its conduct.
Oy, Mr. Pasquale’s piece is a mess. It is “highly documented” with stuff of questionable relevance. He mashes everything together and creates a false implication that there is this seemless surveillance system targeting Americans. With the possible exception of the metadata program, the NSA programs which were leaked are programs targeting foreign nationals, which is the NSA’s mission. These programs have nothing to do with law enforcement abuses or allegations about FBI monitoring of the Occupy movement. The leaked audit, for example, dealt exclusively with foreign collection programs and there is no indication that information from any of the “incidents” ever left the NSA much less was used illegally against any American. Yet the audit is a “blockbuster” according to Mr. Pasquale and is added to the litany of documentation as “proof” for his uncritical narrative. To me this is a classic case of beginning with a conclusion and then crafting the “evidence” to fit.
His money quote:
They are not making up the documents out of whole cloth, but they don’t say what he and the rest think they say. In short, they are misreading and miss-analyzing the documents.
Let’s look at one example – XKeyscore. The brief on it was leaked to much fanfare, but the document shows that it is tool that is obviously targeted at foreign entities. But Greenwald, the ACLU and others make the assumption that these tools are not limited to foreign targets. They assume the database backends are comprised of comprehensive domestic data than any analyst can query. This is where Snowden got his famous, but misinformed claim that analysts could monitor the President with a few simple searches.
The documents discuss their data sources, which are foreign communication networks, satellites, and US hubs which connect to foreign networks. But, you may say, US citizen communication travels on those networks too, and you’d be right. The the problem is how to distinguish between legal targets (foreigners) and illegal targets (US “persons” as defined by intelligence oversight law). This is an old problem which the NSA has dealt with for decades and they are very good at filtering out illegal US communications. How, you may ask, can I make that claim?
Well, let’s look at the “blockbuster” audit and see how XKeyscore did. XKeyscore had 24 incidents in the one quarter for this report. Maybe XKeyscore isn’t quite the mass surveillance threat it’s been made out to be. So when Glen Greenwald states in his article on Xkeyscore:
He’s right with the caveats that those individuals must be foreigners not on US soil. Yes, analysts do not need prior authorization to query information about foreign targets. Greenwald, Pasquale and the rest never tell you that and instead imply that the same is true for Americans. Not even the NYT or WAPO has yet been able to put together the audit details on XKeyscore performance to give a picture of how the much the tool actually affects Americans.
Like drones in recent years, reporting and commentary on this topic is filled with misinformation, assumptions and downright falsehoods. I strongly suggest that people read the source documents thoroughly, get informed about fundamental concepts like the difference between EO12333 and FISA and then make your own conclusions.
As a government employee, I don’t think that’s the case. There is complexity, but ironically that provides some security. Most sytems cannot talk to each other. Access to information is institutionally controlled and the various bureaucracies don’t like to share information. There is, for example, no possible way for me to get IRS data to punish an asshole neighbor. There are a lot of obstacles to misconduct and the right hand usually doesn’t know what the right pinky is doing.
I think problems can occur as data is gradually consolidated. I also think the law enforcement “fusion centers” are potentially problematic because of their purpose is information sharing. In the intelligence community the pendulum is fast swinging back to stovepipes. The post-9/11 experiment with greater inter-agency information sharing is going away.
What incentives does Google have to control its conduct in this area? It owns, by law, all metadata. it can sell it to any defense contractor it chooses, or anyone else for that matter. No one would ever know. There is zero transparency. Individual employees can steal data, and you can be sure Google will never reveal that has happened (much like most embezzlement never gets reported). You are much too trusting of these smaller entities. While they may have a smaller group to monitor, they also have fewer resources to spend on the monitoring. Their first obligation is to return profit to shareholders.
Bottom line. As long as someone has it, everyone can get it. I dont really have any problems with having misuse of this information punishable, but it should also hold for private providers, and they should then also be monitored. (I actually suspect this would be punishable. Maybe Andy knows?)
Steve
Tort law.
Tort law? They own the metadata. They can sell it to anyone they want. We will likely never know if a worker steals data. The chance of winning a suit against Google if one of their workers does steal data? Close to zero.
Steve
You’re speaking to the likelihood not the possibility. With respect to Google if you’ve got an injury you’ve got a case, difficult as it might be to prevail. With the federal government you don’t even have that.
To Andy–you don’t even address the last sentence of the post, and the docs it links to:
“To preempt the comment “you’re mixing up different programs:” please take a look at this article on vertical and horizontal fusion of data sources in the new Information Sharing Environment. For the TL;DR crowd, there’s this.”
Read those and then reconsider how much you understand of the programs.
Anything is possible. When we start making laws around events that very rare or unlikely, we usually end up with bad policy. I would rather deal with probables.
Steve
Sam,
The first link discusses “fusion centers” and I think they are problematic, but for other reasons unrelated to the NSA. You’ll note that there is nothing in the paper which suggests that NSA surveillance on US citizens is passed down to these centers and the local PD – rather, locally developed information is passed up to the national level. The information sharing is primarily between levels of law enforcement (fed, state local) as well as across jurisdictions. The paper also details several instance where bogus information from state and local “tips” wrongly landed people on watch lists. That had nothing to do with the NSA and everything to do with the vagaries of law enforcement.
The second link discusses a specific DEA program. Below is a more useful link on the differences between what the NSA does and the DEA program:
http://www.reuters.com/article/2013/08/05/us-dea-sod-nsa-idUSBRE9740AI20130805
So, in short, Pasquale is mixing up different programs even if he claims he’s not.
For the DEA, I think the bigger worry is that the DEA is receiving and acting on wiretaps of Americans made in foreign countries by foreign governments. It is illegal for the NSA to do that without a warrant or probable cause – it’s not illegal for the DEA to use wiretap information provided by a foreign government as “tip.”
Dave:
Sorry, but IMHO it is a silly comparison since the issue is hardly the size of the total organization but the amount and quality of data available to it, and the limits in place. The US Government is not solely devoted to intel, and the million janitors they employ and the costs of their salaries, are irrelevant to the potential for harm.
To imagine that any given individual is protected against Google by tort law is a triumph of ideological bias over reality. 99% of the country can’t afford to hire a lawyer, period, and 99.999% can’t hope to prosecute a case against a corporate giant and the dozen major law firms it can deploy. Extending that same empty illusion of recourse to individuals so that they can act against USG employees really does go to the size argument since it would probably be even harder to go after the government than suing Google.
There is no tweak that will ensure good government. It’s a matter of hard work, day in and day out, for months and years and forever. Can we and should we improve the systems in place for detecting and controlling bad behavior? Sure. Always. But it will still be a long back-and-forth struggle, not something as easy as suggesting that a victimized Lebanese-American selling gyros on the streets of New York City can sue the US Government for listening to his calls.
I know you dislike big government, and resist the idea that what we should do is increase the government still more in order to watch the watchers. But big government is likely to be the reality for the foreseeable future and I don’t think we should draw the line at adding Inspectors General. The small government, libertarian ideal is sepia-toned nostalgia. Small/large is meaningless, what matters is efficient/inefficient, legal/lawless, controllable/uncontrollable.
My mistrust of large organizations, public or private, isn’t based on ideology. It’s based on experience.
In the course of my career I’ve worked for two large companies and I’ve had large companies for clients as well as federal, state, and local government entities. I can’t go into too many details without betraying trusts but my experience has been that the larger an organization is the less trustworthy it becomes.
Your experience may have been different but I doubt it since your notion that an organization can become more trustworthy by increasing its size flies in the face not only of experience but of just about everything that is known about organizations, bureaucracies in particular. They’ve been studied extensively over the period of more than a century.