Snowden’s revelations continue, but receiving the most attention is the program collecting phone records.
Revelations of NSA surveillance are causing reporters, lawyers and cryptologists to rethink working patterns and methods, while questioning government actions and policy.
A panel discussion, “The State of Surveillance: Legal, Cultural and Technology Perspectives,” hosted by New York University’s Institute of Public Knowledge, examined how recent revelations of NSA surveillance are affecting people’s lives. The panel brought together journalists, lawyers and cryptologists.
The start of the panel began with a historical reference. The last time surveillance was a topic of news headlines and public debate was in the 1970s following revelations by then Army Capt. Christopher Pyle, about army spying on U.S. anti-war groups. Those revelations led to Congressional committee investigations, led by Sen. Frank Church, D-Idaho. The investigation uncovered massive illegal spying by U.S. intelligence agencies that spied on Americans based on their political beliefs.
From the hearings, reforms were enacted under the premise that it was illegal for security agencies to spy on Americans unless there was some reason to suspect them of wrongdoing. Reforms included the establishment of the Foreign Intelligence Surveillance Court (FISA Court), with the purpose to review and approve wiretaps on individuals suspected to be agents of foreign governments. The goal was to balance the need to conduct foreign intelligence while protecting the rights of Americans to be secure in their communications at home – upholding the Fourth Amendment.
Then came the Sept. 11, 2001 attacks on New York City and the Pentagon.
“I think we all know that after 9/11 the structure unraveled and standards were loosened to allow more flexibility on the part of security agencies to conduct surveillance. The touchstone of individualized suspicion gave way,” said Faiza Patel, Co-Director, Liberty and National Security Program, The Brennan Center for Justice.
The Bush Administration signed into law the USA Patriot Act – the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 in October. The Act’s ten provisions included enhancing domestic security against terrorists, improving intelligence gathering and sharing, and surveillance procedures.
“Unlike today, however, despite the release of books on the growth of the surveillance state, the concern didn’t resonate with Americans until disclosures about President Bush’s warrantless wiretapping program in 2005, then died down again. Snowden changed all that,” Patel said.
Snowden’s revelations are ongoing, but those that received the most attention is the metadata program that collects almost all records of Americans’ phone calls. Conducted under 215 of the Patriot Act, it allowed the government to collect business records relevant to international terrorism investigations. Patel said the government has decided that all Americans’ phone records are relevant to international terrorism investigations. The FISA Court oversees the program and agreed to the government’s position. Many lawmakers and legal scholars have challenged this definition saying it stretches the word relevant beyond recognition.
The second program, PRISM, collects what is in those communications – emails, logins, saved information, audio/video files. The legal basis of this is section 702, of the FISA amendment act, is meant to allow the government access to intelligence about foreign targets, overseas.
“It is not supposed to be about getting information about Americans or about people who are here,” Patel said.
Carrie Codero, former U.S. Department of Justice Attorney and Director of National Security Studies at Georgetown University Law Center, said at the same panel: “There are strong arguments that the activities are legal, and the oversight structure should give Americans confidence that government is not abusing the legal authorities that its been granted. The question over legal provisions, the 215 and 702 programs, are what the law should be, and not arguments about what the law is today.”
Codero says the arguments that these programs may be unlawful focus on the changes to technology, the difference in how our information is retained, how we communicate today as opposed to decades ago, and on the 4th Amendment concept concerning what constitutes a reasonable expectation of privacy.
Codero says current Supreme Court precedent set in 1979 still holds that there is no expectation of privacy in telephone metadata over the the numbers dialed or the callers that dial them, and a warrant is not required to obtain this information. Also Supreme Court precedent holds that Americans do not have a reasonable expectation of privacy in records voluntarily turned over by a third party, such as a communications company.
A case in point is earlier this summer, the Texas-based encrypted email service company Lavabit shutdown. The service was used by Snowden. Lavabit’s owner, Ladar Levison, in an interview with The New York Times said that he had cooperated with the government on a dozen previous cases, but the government wanted access to passwords, encryption keys and computer code that would have given government access to the protected messages of all his customers, and that was too much.
How has the cryptology community reacted to the disclosures of surveillance techniques used by the NSA and other government agencies?
“The Cryptography community is known for its paranoia extremes” said Danah Boyd, principal researcher at Microsoft Research, Research Assistant Professor of Media, Culture and Communications at New York University and fellow at Harvard University’s Berkman Center. “What Snowden’s information raised was whether the NSA had found a way to get around random numbers (used for encryption/secure keys), and was it using backdoor code for data capturing that showed weakness in technology architecture?”
Encryption uses random numbers, without which it is extraordinarily difficult to produce secure keys, but it also the weakest part in cryptography. Machines are not made to produce randomness, lots of systems automatically produce rhythm which results in non-random randomness, Boyd said. Device builders use random generators or elliptical curves for mathematical function, but these rely on a certain amount of trust within the cryptology community. The National Institute of Standards and Technology, a division of the U.S. Department of Commerce, holds the measurements of these elliptical curves. In November, the NIST issued a notice explaining that they are initiating a review of its cryptographic standards development process.
The revelations about NSA surveillance show backdoor codes have been built in, but cryptologists want to know who is reporting, who is doing the fixing, and are the fixes staying true. Boyd says the larger question being asked is whether the NSA should be purposely eroding the security of cryptology for their gain and national security while at the expense of advances for science and technology.
Cryptologists are also concerned that Americans don’t understand what metadata is and what can be done with the data. What they might not be aware of is that in 1979 the Supreme Court ruled that while individuals have the right to privacy over the telephone, they don’t have the right to fact that the call was made.
“Consider your phone calls — when you call a person, how long you take that call and where you take the call. That’s metadata. If you call Pizza Hut at 7 p.m. there is a pretty reasonable assumption that you are probably ordering pizza, but the question is what else can be discerned by the kind of calls you are making,” Boyd said. “Again think simplicity. What happens when you call a cancer treatment center? What happens when you are calling a criminal lawyer? What can be discerned by the length of that call, and by the timing of that call? What happens when it get interpreted and whom is doing the interpretation? Who has the right to that interpretation and who is checking the accuracy of that interpretation?”
Boyd says social media and network analysts can build a graph of who knows whom, but phone records show the kinds of relationships you have. How often you talk to someone, whom you’re spending time with, how long, in what place and at what time.
“It doesn’t take a lot to assume guilt through association, which is one reason there is so much anxiety about whom is doing the check and balance and making certain that inference is coming from a grounded point of view,” Boyd said, adding that large scale metadata is often more informative than the content itself, and a lot can be used for public good. She has engaged in projects about human trafficking.
“The banking industry is starting to use the metadata to start to determine whether trafficking is occurring. When you start to see $100 Spa visits at 4am on a nightly basis, you know someone is not getting a mani-pedi,” Boyd said.
From a technology perspective, according to Boyd, any effort to undermine core technical security or dupe the American public that metadata isn’t really data, suggests that the government is abusing its power.
“Secrecy is how we get to totalitarianism and informed citizenry is how we maintain our democracy,” she said.
The media industry is not only going through spectacular changes in how it exists and in what form, but increasingly in how it does its business and the limits placed on reporters to do their work.
Journalist and author Peter Maass said the media is covering the surveillance state with much vigor now. Not only due to the information provided by Snowden, but because the Obama administration has embarked on a program of prosecuting leakers, whistleblowers, and the journalists who receive their leaks and their documents. New York Times reporter James Risen has been subpoenaed by the Justice Department and faces jail time for being unwilling to reveal a source on a chapter in his 2002 book “State of War,” about a failed CIA effort to sabotage Iran’s nuclear program.
Being under surveillance as a journalist, Maass said, makes one a practitioners of anti-surveillance technologies and forces journalists to go to extremes of how to report, in terms of using encryption and not using any technology at all.
Maass related a story about how when he was interviewing documentary filmmaker Laura Poitras for a story in The New York Times Magazine, he able to ask Snowden some questions using encryption through Poitras, and they were able to have a conversation. Snowden insisted his answers would be embargoed until he was safe in Moscow. Maass knows that as a national security journalist that if he sent email to his editors about the interview he would be publishing it, not to the public, but to the NSA, or any government entity or corporation that was surveilling him. Maass printed out a hard copy, copied the data on a thumb drive, then went to his editors and told them to share it but not email it to each other. He said it was a way to have a degree of security using limited technology. But he said the idea that the government is listening to us and surveilling us, and journalists can’t do their jobs is wrong.
The Committee to Protest Journalists published a special report in October, “The Obama Administration and the Press: Leak Investigations and Surveillance in post 9-11 America.” The report interviewed working and former journalists about covering the White House and the Obama administration, and the increase in curbing access to information and disclosures. One of those is a policy to carry out routine polygraph examinations of employees of all 16 intelligence agencies. The report said the Obama administration, in addition to that policy, set up its Insider Threat Task Force in Nov. 2012, which instructs all federal government departments and agencies to set up programs to monitor employees with access to classified information and prevent “unauthorized disclosures.” Under the policy each agency must develop procedures “ensuring employee awareness of their responsibility to report, as well as how and to whom to report, suspected insider threat activity.”
Washington Post national news editor Cameron Barr told CPJ’s Leonard Downie, Jr., “Reporters are interviewing sources through intermediaries now so the sources can truthfully answer on polygraphs that they didn’t talk to reporters.”