Big Data Big Analytics

Privacy v Security, Transparency v Secrecy: The NSA, PRISM, and the Release of Classified Documents

July 19, 2013 at 12:14 pm Mary Ludloff 3 comments

By Mary Ludloff

Privacy, Anonymity, and Judicial Oversight are on the Endangered List

An age old debate has once again reared its very ugly head due to whistleblower Edward Snowden’s revelations about NSA surveillance, PRISM, and the astounding lack of any rigorous oversight on the NSA’s vast data collection apparatus.  While PatternBuilders has been incredibly busy, in our non-copious amounts of spare time Terence and I have also been working on our update to Privacy and Big Data (which is undergoing another rewrite due to new government surveillance revelations that for a while happened hourly, then daily, then weekly but certainly are far from over). It’s important to note that pre-revelations  our  task was already herculean due to mainstream media’s pick up on “all stories related to privacy” (a good thing) that often missed the mark on the technical side of the house (we often find ourselves explaining to non-techies just what meta data is which usually happens after someone on CNN, Fox, NBC, ABC, etc., butchers the definition) or got tripped up by the various Acts, Amendments, state laws, EU Directives, etc., that apply to aspects of privacy.

Over the last few weeks as details about PRISM emerged, it’s become clear to me that main street America may still not understand the seismic shift that big data and analytics brings to the privacy debate. Certainly the power of big data and analytics has been lauded or vilified in the press—followers of our twitter feed are used to seeing the pros and cons of big data projects debated pretty much every day. We’ve (Terence and I) talked and tweeted about privacy issues as it applies to individuals, companies, and governments. Heck, we even wrote a book about privacy and big data.

Not surprisingly (at least to us), we talked about the wholesale collection of our “private” data by a host of government agencies—almost all unwilling to describe what they are using that data for in the name of security and the need for secrecy. While privacy watchdog groups, like the ACLU and Electronic Frontier Foundation, have regularly challenged various government agencies’ data collection and other surveillance efforts, much of what they do is shrouded in secrecy. After all, revealing too much may put us at risk from a security standpoint. This argument has been posited so often that it now qualifies as a platitude.

Enter The Guardian’s initial coverage of a story that would lead to the unveiling of a “secret” government surveillance program, the whistleblower, other countries’ participation, and a myriad of other “secrets” that would make anyone feel like they fell through some sort of rabbit hole.   Honestly, I consider myself well versed in high tech, big data, and privacy-related topics but there were moments (well, sometimes entire days) where I felt that I was in some sort of alternate reality. The amount of information, misinformation, and disinformation being thrown at us has been staggering.  And it just keeps on coming.

We first got wind of the story on June 5 when The Guardian revealed that the NSA is collecting millions of phone records of Verizon customers:

“The [top secret] order, a copy of which has been obtained by the Guardian, requires Verizon on an ‘ongoing, daily basis’ to give the NSA information on all telephone calls in its systems, both within the US and between the US and other countries.”

We (Terence and I) actually included in our book another occurrence where the NSA was able to “secretly” collect the phone call data of tens of millions of Americans—records that were provided by AT&T, Verizon, and BellSouth in 2006 (as revealed by  USA Today). In fact, many news organizations and nonprofits covered this—questioning just how vast the NSA surveillance apparatus was, whether it was legal, and positing how the PATRIOT Act and the Fisa Amendments Act of 2008 (FAA), which was renewed in 2012, essentially legitimized:

“… the mass acquisition of U.S. citizens’ and residents’ international communications. Although the Act prohibits the government from intentionally targeting people inside the U.S., it places virtually no restrictions on the government’s targeting of people outside the U.S., even if those targets are communicating with U.S. citizens and residents. The law’s effect—and indeed the law’s main purpose—is to give the government nearly unfettered access to Americans’ international communications.”

 Just how unfettered this access was, and is, became clear on June 6 when The Guardian and Washington Post revealed the existence of PRISM, a top-secret national security surveillance program operated by the NSA followed by the Wall Street Journal’s disclosure on June 7  that the NSA’s data collection includes customer records “from the three [Verizon, AT&T, and Sprint] major phone networks as well as emails and Web searches, and the agency also has cataloged credit-card transactions.”

Thus began a cascade of news stories from every major and minor news outlet, President Obama telling us that the government is not “… listening in on people’s telephone calls or gathering emails of Americans,” the declassification of parts of the PRISM program in order to “dispel some of the myths and add necessary context to what has been published about government surveillance of Americans’ phone records and foreigners’ Internet use,” the uncloaking of Edward Snowden (by Edward Snowden) as the source for The Guardian’s NSA files, the pile-on by all  publications covering every conceivable story angle and then some, and the round table discussions by groups of experts (or not) on the significance of the revelations and every other conceivable story angle.

For those who are not dialed in to the privacy debate, the information being thrown at them is difficult to parse. (Hell, it’s been difficult for me to parse and I am supposed to be somewhat informed.) For example, President Obama and members of Congress disingenuous response to the original public outcry was that the NSA was not listening to our phone calls, just collecting our meta data, data that is “generally” available on our phone bills—nothing to worry about.

Meta Data Reveals Everything About “You”—Just Ask the Associated Press

Loosely defined, metadata is simply data about data. For phone calls it includes the numbers you dial, the length of the calls, and the geolocation of those calls. Funnily enough, our mobile phone bills do not include the geolocation of our calls but it appears that PRISM has collected and stored that data too. Together, that metadata is far more revelatory about our personal lives than the content of any call or email:

“It can be a window into every aspect of your life – who you are speaking to, for how long, where from – it’s a database of everything you do.”

Or as a recent research study puts it:

“Mobility data is among the most sensitive data currently being collected. Mobility data contains the approximate whereabouts of individuals and can be used to reconstruct individuals’ movements across space and time. Individual mobility traces have been used in the past for research purposes and to provide personalized services to users. A list of potentially sensitive professional and personal information that could be inferred about an individual knowing only his mobility trace was published recently by the Electronic Frontier Foundation. These include the movements of a competitor sales force, attendance of a particular church or an individual’s presence in a motel or at an abortion clinic.”

While defenders of the program argue that metadata is merely “envelope information,” the Associated Press would disagree as its President, Gary Pruitt, puts it:

“These records potentially reveal communications with confidential sources across all of the newsgathering activities undertaken by the AP during a two-month period, provide a road map to AP’s newsgathering operations, and disclose information about AP’s activities and operations that the government has no conceivable right to know.”

Let’s be very clear here: the NSA’s collection of metadata “gives intelligence analysts a clear window into sensitive interactions and movements of the U.S. population” as does the collection and monitoring of email metadata.

The NSA’s Changing Mission: Focus Moves to Domestic AND Foreign Intelligence Gathering

How did an agency tasked with the mission of protecting our nation from foreign adversaries become the keeper of a government authorized content surveillance program that amasses vast quantities of data on the American citizens it’s protecting? Certainly, the Bush presidency and the post 9/11 mindset played a significant role. Over the years there has been a great deal of conjecture about what precisely President Bush allowed the NSA to do regarding the collection of domestic data. But, thanks again to the Washington Post who recently released yet another top-secret report by the NSA’s inspector general’s office, the scope of the NSA was certainly broadened in 2001 continuing to the present day:

“It depicts a program fashioned virtually from scratch in a time of crisis, by a handful of individuals, including Gen. Michael Hayden, the head of the NSA and Vice President Dick Cheney. Given the code name “Stellar Wind,” the PSP was a set of four surveillance programs that brought Americans and U.S. territory within the domain of the NSA for the first time in decades. The PSP, which initially operated outside the restrictions of the Foreign Intelligence Surveillance Act, was eventually put under full FISA court control by 2007.”

As part of PSP, the NSA was essentially given permission to monitor international telephone calls and emails in the U.S. without warrants:

“Since 2002, the agency has been conducting some warrantless eavesdropping on people in the United States who are linked, even if indirectly, to suspected terrorists through the chain of phone numbers and e-mail addresses, according to several officials who know of the operation. Under the special program, the agency monitors their international communications, the officials said. The agency, for example, can target phone calls from someone in New York to someone in Afghanistan.”

It comes as no surprise that the expansion of the NSA’s surveillance powers was not wholly embraced. Some officials and organizations argued that warrantless eavesdropping inside the U.S. was unlawful and potentially unconstitutional as the Fourth Amendment protects American citizens from improper searches. These concerns prompted an audit of the NSA program in 2004 by the Justice Department who, with the NSA, developed a checklist to determine whether probable cause existed before a citizen’s email or phone call was monitored.  Of course, this too was done under a veil of secrecy.

How Government Agencies Used FISA and the Patriot Act to Broaden Surveillance

Central to the expansion of pretty much limitless surveillance powers by government agencies involved in counterintelligence and counterterrorism, were two acts passed by Congress after 9/11: the Patriot Act and the FISA Amendments Act of 2008 (FAA). Most folks (outside of lawyers, some journalists, and any government agency involved in intelligence gathering) have little “working” knowledge of FISA, the Patriot Act of 2001 , and the FAA. Enacted in 1978, FISA was originally intended to protect American citizens from government’s covert surveillance:

“Widespread abuses – including eavesdropping on Vietnam War protesters and civil rights activists – by American intelligence agencies became public in the 1970’s and led to passage of the Foreign Intelligence Surveillance Act, which imposed strict limits on intelligence gathering on American soil. Among other things, the law required search warrants, approved by the secret F.I.S.A. court, for wiretaps in national security cases. The agency [NSA], deeply scarred by the scandals, adopted additional rules that all but ended domestic spying on its part.”

Fast forward a couple of decades to the post 9/11 era where the Patriot Act gave law enforcement agencies far more latitude in intelligence gathering within the United States, amongst other items. The act was intended to make it easier for counterintelligence, counterterrorism intelligence, and criminal investigation operations to share information. The act also expanded the definition of terrorism to include domestic terrorism which made it much easier for agencies to target American citizens.  Much debate of the Patriot Act is centered round Sections 215 (access to business records) and 214 (pen register and trap and trace authority under FISA).

Essentially, Section 215 does the following:

• It broadens the FBI’s authority (under FISA) for the seizure of business records—third party records of a person’s transactions and activities can now be included.
• It eliminates any limitation on the type of business or entities whose records are seized.
• It broadens the definition of records to include any tangible things (like books, paper, records, documents, etc.) and prohibits anyone ordered to turn over those items from disclosing that the FBI obtained or requested them.

Perhaps most importantly for the purposes of PRISM, Section 215 also eases requirements for seizing records. Previously, under FISA, the FBI was required to provide specific facts as to why the subject of the investigation was believed to be a “foreign power or agent of a foreign power.” However, under Section 215:

“… the government is required only to assert that the records or things are sought for a foreign intelligence investigation or to protect against international terrorism or clandestine intelligence activities, although the investigation of a United States person may not be “solely upon the basis of activities protected by the first amendment to the Constitution.” There is no requirement for an evidentiary or factual showing and the judge has little discretion in reviewing an application. If the judge finds that “the application meets the requirements” of the section, he or she must issue an order as requested “or as modified.”

The mass collection of those “records” hinged on the redefinition of one word: relevant. According to the Wall Street Journal:

“In classified orders starting in the mid-2000s, the [Foreign Intelligence Surveillance] court accepted that ‘relevant’ could be broadened to permit an entire database of records on millions of people, in contrast to a more conservative interpretation widely applied in criminal cases, in which only some of those records would likely be allowed, according to people familiar with the ruling.”

In essence, the redefinition of that one word gave the NSA the full latitude to seize anything it wanted from any American citizen if it suspected the citizen of being involved in international terrorism or other clandestine activities and that all of this is done (here we go again) in secret, with little or no judicial oversight. Declan McCullagh, in a recent podcast on the NSA leaks, sums Section 215 up best:

“A secret court order, from a secret court, based on a secret interpretation of a secret portion of the PATRIOT Act. It’s a little surreal really.”

The only nit I have with his response is that I would not have used the word surreal to describe it—rather, I would use a word that I rarely use in public or private. However, my mother never liked me to swear and always told me to use my grown-up words, so surreal it is. However, my partner in crime, Terence, has used that word (and many others) to describe what he views as a horrendous breach of constitutional responsibilities by all three branches of government.

Now back to the sections. Section 214 broadens the FBI’s ability to monitor communications via pen registers (record the phone numbers you call) and trap-and-trace devices (record the numbers that call you), known collectively as pen-traps. Before the Patriot Act, the FBI was limited by the original FISA act to monitoring the communications of those believed to be an international terrorist or spy or foreign powers or agents believed to be involved in criminal activities with said terrorists or spies. Post-Patriot Act:

“… any innocent person’s communications can be tapped with a pen-trap so long as it is done ‘for’ an intelligence investigation. The FBI doesn’t have to demonstrate to the FISA court that the communications are relevant to its investigation. Nor can the court deny the FBI’s request; if the FBI certifies the tap is ‘for’ such an investigation, the FISA court must issue the order.”

While pen-traps were originally intended for the collection of phones numbers, Section 216 broadened their definition to include:

“… devices that monitor Internet communications, without clarifying what portions of Internet communications are ‘content,’ requiring a full wiretap order, versus ‘non-content,’ which can be legally acquired only with a pen-trap order. At the very least, this change means that the government can use a pen-trap to see the email addresses of people you’re sending email to and the addresses of people who send email to you, along with the timestamp and size in bytes of each email. The FBI can monitor the IP addresses of all the computers you interact with over the Internet, or capture the IP addresses of every person visiting a particular website. Under the vaguely written statute, it may even be able to capture the URL of every web page that you read, although the FBI refuses to confirm or deny whether it has done so.”

In other words, all of our generated metadata is pretty much up for “grabs” if we are “thought” to be involved in an intelligence operation—apparently, in this world search warrants and probable cause are antiquated notions.

Now the Patriot Act expired in 2008 and part of the FISA Amendments Act of 2008 (FAA) was intended to carry forward the expansion of surveillance activities, amongst other things. Essentially, the FAA:

• “… permits the government to conduct mass, untargeted surveillance of all communications coming in and out of the United States, without any individualized review, and without any finding of wrongdoing.” This is why most, if not all, American citizens are in the PRISM database.
• “… permits only minimal court oversight.” A key point here is that the Foreign Intelligence Surveillance Court (FISA Court)—the court that most proponents of PRISM point to as judicial oversight that will prevent overreaches—only reviews the general procedures for targeting and minimizing the information collected. In other words, the court has no idea of who is being targeted and what is being tapped.
• Bans reverse targeting where the government monitors a foreign target so that it can collect the communications of a person located in the United States. However, there are no guidelines about when the government should seek an individualized order to continue to monitor a U.S. person. Additionally, since the FISA Court has no idea of who is being monitored in the first place there is no way to ascertain whether someone is being reverse targeted.
• “… permits the government to start a spying program and wait to go to court for up to 7 days every time intelligence important to the national security of the US may be lost or not timely acquired.” In other words, government agencies have a week or more before any judicial review is triggered.
• Permits the government to continue surveillance even when a judicial review is denied as the appeals process continues and then is allowed to keep and use whatever it collects during that process, even if the appeal is denied. Again, this is part of the judicial review process that PRISM proponents point to as ensuring that there is a rigorous review policy in place.
• “… ensures the dismissal of all cases pending against the telecommunication companies that facilitated the warrantless wiretapping programs over the last 7 years.” So, court cases that argue whether government requests for data from these companies were legal, essentially, must be dismissed. Thus, the legality of these programs cannot be tried in court. Or, as Terence would put it: What is the difference between this and how the average dictatorship governs?
• And finally, “members of Congress not on Judiciary or Intelligence Committees are NOT guaranteed access to reports from the Attorney General, Director of National Intelligence, and Inspector General.” In other words, a majority of congressional members probably know very little about programs like PRISM.

FISA was up for renewal last year and not surprisingly, the Senate voted for a five-year extension, rejecting all the proposed amendments that would have introduced some (very little really) transparency and oversight to the intelligence gathering activities of government agencies.  The irony here is that FISA, originally designed to significantly curtail domestic surveillance, morphed into the FAA which essentially codifies the mass surveillance of domestic and foreign citizens with little (again, very little) to no judicial oversight.

Back to the Present Day: The “I Could Tell You But I’d Have to Kill You” Defense

In the early days of the NSA revelations (June 11 to be precise), The Guardian reported that it had acquired more top-secret documents that detailed the existence of a data mining tool called Boundless Informant. This tool “details and even maps by country the voluminous amount of information it collects from computer and telephone networks.” Perhaps more startling:

“The Boundless Informant documents show the agency collecting almost 3 billion pieces of intelligence from US computer networks over a 30-day period ending in March 2013. One document says it is designed to give NSA officials answers to questions like, ‘What type of coverage do we have on country X’ in ‘near real-time by asking the SIGINT [signals intelligence] infrastructure’.”

Throughout the Patriot and FISA years, there has always been a great deal of conjecture about how much data was being collected on American citizens and exactly what that data was being used for.  Privacy advocates have long pointed out that the wording in both acts gave intelligence agencies a tremendous amount of discretion and with that, the possibility of overreaching. Last year, democratic Senators Ron Wyden and Mark Udall asked the NSA this simple question: “Under the broad powers granted in 2008′s expansion of the Foreign Intelligence Surveillance Act, how many persons inside the United States have been spied upon by the NSA?”

“The query bounced around the intelligence bureaucracy until it reached I. Charles McCullough, the Inspector General of the Office of the Director of National Intelligence, the nominal head of the 16 U.S. spy agencies. In a letter acquired by Danger Room, McCullough told the senators that the NSA inspector general ‘and NSA leadership agreed that an IG review of the sort suggested would itself violate the privacy of U.S. persons,’ McCullough wrote.”

In other words, the privacy of all Americans would be violated if the NSA revealed the approximate number of U.S. citizen being spied on. Let me frame this in a different way: Commercial entities are required to be specific about their data collection and usage policies as they apply to consumers. In fact, the FTC has fined companies (like Google) or forced companies to undergo yearly audits (like Facebook) when they violate data collection and usage policies. For any government agency to suggest that telling citizens what data it collects and how it uses it is an invasion of their privacy flies in the face of what other government agencies are tasked with enforcing in the commercial sector.

Although the NSA was unwilling to answer that question, thanks to the release of that top-secret document we now know that 3 billion pieces of intelligence were collected from U.S. computers in March 2013. Permit me to extrapolate for a moment. Starting with 2009 (after the FISA Amendments Act of 2008—FAA—was enacted) to the present month, we have 150 months multiplied by 3 billion which gives us approximately 450 billion pieces of intelligence gathered since 2009. Perhaps the NSA was right—my privacy was violated. But not by knowing the number of people surveilled (out of a total population that exceeds 315 million), it was violated when the NSA (and any other intelligence agency) collected my data without my knowledge or permission.

Whenever the legality of the NSA’s surveillance is questioned, defenders of it make two arguments:

• Any discussion of the NSA’s surveillance and data collection practices could reveal state secrets.
• National security could be endangered as a result of that discussion.

The state secret defense is the way in which the current and previous administrations have avoided any transparency on the activities of the NSA:

“The state secrets privilege, outlined by the Supreme Court in a 1953 case, originally permitted the government to derail a lawsuit that might otherwise lead to the disclosure of military secrets. It has since turned into a potent weapon the Bush and Obama administrations have used to target any lawsuits alleging illegal NSA surveillance.”

While defenders of the NSA’s surveillance collection apparatus point to the fact that there is judicial oversight in the form of the Fisa Surveillance Court and Congress, and, according to President Obama, that oversight should be left to “Congress and the U.S. courts,” it has become increasingly clear, through the release of what appears to be an unending number of top-secret classified documents that this program has, for all intents and purposes, been rubberstamped. When pressed by civil liberties advocates, legal scholars, the media, or the public for more transparency on the inner workings of the program itself and how it is monitored to prevent overreach, the classic default response is:

“I don’t welcome leaks, because there’s a reason why these programmes are classified,” he [Obama] said. “If every attempt to stop a terrorist act is on the front page of the newspaper or on television … then the people who are trying to do us harm are going to take preventative measures.”

In other words: I can’t tell you what this program does and what oversight really exists because if I did, terrorists would gain the upper hand—you just need to trust us. To back this up:

“…every time a lawsuit is brought contesting the legality of intercepting Americans’ communications without warrants, the Obama DOJ raises claims of secrecy, standing and immunity to prevent any such determination from being made.”

How can any of us trust an administration that has gamed the judicial system put in place to protect Americans’ constitutional rights? What we are left with is a separate, “secret” (there’s that word again) body of law, courtesy of the FISA court:

“The surveillance court is a different world of secret case law, non-adversarial proceedings, and rulings written by individual judges who rarely meet as a panel… Judges generally confer only with government lawyers, and out of public view. Yet the judges have the power to interpret the Constitution and set long-lasting and far-reaching precedent on matters involving Americans’ rights to privacy and due process under the Fourth Amendment. And this fast-growing body of law is almost entirely out of view of legal scholars and the public. Most Americans do not have access to the judiciary’s full interpretation of the Constitution on matters of surveillance, search and seizure when it comes to snooping for terrorist plots — and are limited in their ability to challenge it.”

Some context for you. In 2012, this court received 1,789 requests for electronic surveillance: one was withdrawn, the rest were approved. And we, the public, don’t know about any of the court opinions because they are classified—only Congressional Intelligence Committee members have access to them. That means only 19 members of Congress (this is the congressional oversight part) are privy to those opinions and as illustrated by the many comments made by Senators Wyden and Udall over the years, the committee itself is not allowed to reveal much, if anything, because this information is “secret.”

Even Chief Justice Roberts (who selects the judges for this court) indicated some reservations regarding it during his confirmation hearings in 2005:

“I’ll be very candid. When I first learned about the FISA court, I was surprised. It’s not what we usually think of when we think of a court. We think of a place where we can go, we can watch, the lawyers argue, and it’s subject to the glare of publicity. And the judges explain their decision to the public and they can examine them. That’s what we think of as a court.”

For all intents and purposes, we now have a secret court that makes secret opinions in the name of national security and those opinions have essentially obliterated our Fourth Amendment rights. Additionally, when the efficacy of the programs are questioned we are given broad assertions, without any evidence (because it, too, is secret) to back them up. Perhaps Senators’ Wyden and Udall said it best in a joint statement on the bulk email collection program (separate from PRISM) that was disclosed recently by intelligence officials:

“We believe that the broader lesson here is that even though intelligence officials may be well-intentioned, assertions from intelligence agencies about the value and effectiveness of particular programs should not simply be accepted at face value by policymakers or oversight bodies any more than statements about the usefulness of other government programs should be taken at face value when they are made by other government officials.  It is up to Congress, the courts and the public to ask the tough questions and press even experienced intelligence officials to back their assertions up with actual evidence, rather than simply deferring to these officials’ conclusions without challenging them.” 

Here’s the conundrum: the actual evidence that would support or refute such claims is, of course, secret, or as Julian Sanchez, a research fellow at the Cato Institute in Washington, D.C. puts it:

“More broadly, whether the security benefits of this sweeping surveillance scheme outweigh the privacy costs won’t be clear unless the Obama administration declassifies detailed information about instances in which such data proved crucial to combating terrorism but would have been difficult to obtain with a warrant. And Sanchez believes it is unlikely the government will prove its case… ‘It may well be the case that this kind of thing is of some utility in some situations,’ he says, but only ‘in the same way a general warrant to search any house you please might be useful in preventing crime’.”

Big Data, Analytics, Statistical Modeling, and the False Positive

As a co-founder of a big data analytics company (PatternBuilders) one of the things that most troubles me (outside of the legality of the undertaking) about the NSA’s massive collection of data relating to our digital lives is the implicit assumption that the data will save us from perceived threats that come our way. Certainly, big data has enabled the collection, retention, and analysis of enormous data sets and the data from those streams, when associated with each other, can paint pretty much an exact picture of our daily lives and all the minutiae it entails. In the case of Prism, it becomes an easy out: after all, there’s no listening in on phone calls or reading of emails—we’re just collecting the metadata. Those of us in the business of big data, however, understand precisely what this means:

“In the age of Big Data, collecting information about our conversations yields more intelligence than observing the content of the conversations themselves. And it has the added benefit of sounding less intrusive.”

We also understand that data itself is not information and that there is much more to the discipline of data science than collecting data. For example, predictive models don’t always predict the truth:

“Take the smartest guys you can find and have them cobble together a model which predicts whether each citizen is a ‘potential’ terrorist or no. This model will spit out numbers in the form of probabilities. Some of these will be high enough to exceed the ‘reasonable, articulable suspicion’ threshold (the quote is from Feinstein). At that point even an editorial from the New York Times won’t be able to convince our great brains that they might have the wrong men. The allure of numbers from a computer printed out and physically real is too strong, even for the people who programmed these computers and who know intimately their many and weep-worthy limitations… The nature of these models is that there are bound to be many, many more false identifications of terrorists than true ones.”

This, combined with the general mathematical illiteracy of members of Congress and the Judiciary, is a sure recipe for disaster. Additionally, while the NSA has justified its surveillance program by pointing out that it helped to prevent “dozens of terrorist events,” it appears that more traditional methods were employed:

“…a survey of court documents and media accounts of all the jihadist terrorist plots in the United States since 9/11 by the New America Foundation shows that traditional law enforcement methods have overwhelmingly played the most significant role in foiling terrorist attacks. Homegrown jihadist extremists have mounted 42 plots to conduct attacks within the United States since 2001. Of those plots, nine involved an actual terrorist act that was not prevented by any type of government action, such as the failed attempt by Faisal Shahzad to blow up a car bomb in Times Square on May 1, 2010… Of the remaining 33 plots, the public record shows that at least 29 were uncovered by traditional law enforcement methods, such as the use of informants, reliance on community tips about suspicious activity and other standard policing practices.”

Of course since there is no transparency on the workings of the NSA, we will never know for sure how many plots were thwarted but one can point to the Boston Marathon bombings, the Fort Hood killings, Benghazi, Faisal Shahzad, and many others, and question just how well their predictive models are working.

So we are left with a database that is massive and growing and represents an equally massive data security concern: how is that data protected from internal and external threats? Certainly, Edward Snowden’s ability to obtain classified documents that were way above his security clearance is a strong signal that security is weak.

Even if you are a proponent of Prism, you should be concerned that your personal data can be easily hacked—of course, considering the secrecy that shrouds this program, we’ll never know when or if it has happened. And who looks at the data and what do they do with it—what is the criteria for labeling anyone a potential threat? Today, it appears that the only gate you need to jump thorough is whether you have communicated with someone in another country, or whether someone you know has communicated with someone in another country, or whether someone they know has communicated with someone in another country. Or as NBC News pointed out recently:

“… big data crunchers can play the ‘six degrees of separation’ game with metadata, using, for example, a huge database of email transactions to connect you with potential suspects, something transcripts of emails might never yield. Phone call patterns reveal your whereabouts and life habits in a way that a conversation never could.”

And if you are one of those people who have nothing to fear because you have nothing to hide, well, let’s hope you never are involved in a protest like Occupy Wall Street. A new report, Dissent or Terror, published by the Center for Media and Democracy and DBA Press, documents how counter-terrorism agencies:

“… view citizens engaged in movements of political and social dissent, such as Occupy Wall Street (and its regional incarnations), as nothing less than nascent, if not bona fide, ‘terrorist’ threats.”

The report analyzes thousands of pages of records obtained through state and federal open records/freedom of information laws from law enforcement agencies tasked with counter-terrorism or homeland security operations and those records indicate a troubling trend:

“The resultant stack of documentation… form a grim mosaic of ‘counter-terrorism’ agency operations and attitudes toward activists and other socially/politically-engaged citizens over the course of 2011 and 2012. As such, records show that methods employed by the nation’s ‘counter-terrorism’ apparatus against these citizens has ranged from the use of undercover officers tasked with infiltrating  activist groups, to constant monitoring and the use of advanced technologies in the tracking and identification of certain individuals.”

I suspect that our Founding Forefathers never envisioned that dissent would be viewed as a form of terrorism. This is the slippery slope we are on: Who is a terrorist and who is simply an American citizen engaging in their constitutional rights? It’s a given that PRISM holds information of every American citizen—the question we should be asking ourselves is this: What if some agency or administration decides to use that data for other purposes? After all, the data is there—why not make use of it?

Privacy, Anonymity, and Judicial Oversight are on the Endangered List

When Terence and I wrote Privacy and Big Data we engaged in an ongoing debate regarding transparency versus secrecy. Terence argued that transparency was the only way to monitor issues of digital privacy and I argued that it would be in the best interests of government agencies to encourage transparency in the commercial sector while being secretive about what they were doing with our data. Funnily enough, it appears that we were both right.

By virtue of the release of many classified documents by whistleblower Edward Snowden, we have gotten a glimpse into the inner workings of the NSA and just how massive their surveillance program is. We have seen how government agencies and two administrations have gamed the judicial system in the name of state secrets. We have also been the recipients of a tremendous amount of disinformation and misinformation regarding the NSA, PRISM, various acts, and the workings of the Foreign Intelligence Surveillance Court. After all, it’s in the best interest of this administration to confuse the hell out of us.

Big data has made the Minority Report a reality—we now need to decide how we want to move forward. Privacy, the ability to remain anonymous, and the checks and balances we have constitutionally in place to provide oversight on those who govern us are officially on the endangered list. Will we allow them to become extinct? Or will we turn back the clock and institute real change? What comes next, is up to us.

For your reading NSA, PRISM, etc., “pleasure,” some great additional resources:

• What’s the Matter with Metadata? The New Yorker’s Jane Mayer delivers the Cliff Notes version of why we should all be concerned about the mass collection of our metadata.
• Mobile Call Logs Can Reveal a Lot to the NSA. An overview of academic research that indicates how revealing metadata can be.
• Me and my metadata – thoughts on online surveillance. Ethan Zukerman’s thoughtful post on how revealing metadata can be via a program called Immersion which uses Gmail metadata to discover one’s social network.
• Bush Lets U.S. Spy on Callers Without Courts. A 2005 New York Times article that documents President Bush’s warrantless eavesdropping presidential court order which sets the stage for PRISM.
• National Security Agency inspector general draft report. This top-secret obtained by the Washington Post details the establishment of the PSP as well as the expanding surveillance “powers” of the NSA.
• Timeline of NSA Domestic Spying. Courtesy of the EFF, this timeline delineates all “the credible accounts and information of the NSA’s domestic spying program found in the media, congressional testimony, books, and court actions.
• Secret Court’s Redefinition of ‘Relevant’ Empowered Vast NSA Data-Gathering. A recent Wall Street Journal article that describes how the Foreign Intelligence Surveillance Court’s redefinition of one word in the Patriot Act made it possible for the NSA to collect entire databases of records on millions of people.
• NSA Surveillance Lawsuit Tracker. Put out by ProPublica, lists the key challenges to government surveillance and secrecy and the status of each case.
• Obama defiant over NSA revelations ahead of summit with Chinese premier. How Obama, Congress, and some media characterized Prism revelations in early June.
• For secretive surveillance court, rare scrutiny in wake of NSA leaks. This Washington Post article chronicles the inner workings of the Fisa court.
• Fisa court oversight: a look inside a secret and empty process. The Guardian’s release of more classified documents that reveal the lack of oversight, and thus, limitations on NSA surveillance activities.
• Patriot Act’s Section 215 and Section 214: A Summary. Mary DeRosa, a senior fellow in the Technology and Public Policy Program at the Center for Strategic and International Studies provides a drill-down on Sections 215 and 214. Pro and cons of these sections are debated by two other authors.
• Reform the Patriot Act | Section 215. The ACLU’s cheat sheet on precisely what section 215 covers in terms of surveillance of American citizens as well as the possible violations to the First and Fourth Amendments.
• Jeremy Brito and Declan McCullagh on the NSA leaks. A great podcast that gives you an overview of all the repercussions from the NSA leaks as it applies to the Patriot Act, PRISM, etc.
• H.R. 6304, the FISA Amendments Act of 2008. The ACLU’s breakdown on changes to the original act that essentially carried forward the Patriot Act’s unlimited surveillance of American and foreign citizens.
• Report on the FISA Amendments Act of 2008. The Constitution Project’s  overview of the FAA and its clash with the Fourth Amendment .
• NSA: It Would Violate Your Privacy to Say if We Spied on You. Wired’s article on what transpired when Senators Wyden and Udall asked the NSA how many persons inside the U.S. were spied on by the NSA.  
• Data Mining, PRISM, NSA & False Positives. William M. Briggs mini-overview/tutorial on the problem with statistical models.
• Did NSA snooping stop ‘dozens’ of terrorist attacks? CNN debunks the NSA’s argument that their massive acquisition of data prevented dozens of terrorist attached.
• Justice Department Fought to Conceal NSA’s Role in Terror Case From Defense Lawyers. Wired’s account of how “secrecy” is used to prevent defense lawyers from getting information regarding the surveillance of their clients.
• Dissent or Terror. A fascinating and troubling report by the Center for Media and Democracy and the DBA Press on how citizens involved in political or social dissent are viewed as potential terrorists.

Entry filed under: General Analytics. Tags: big data, book, data privacy, data security, predictive modeling.