Data and Goliath (10 page)

Read Data and Goliath Online

Authors: Bruce Schneier

BOOK: Data and Goliath
6.05Mb size Format: txt, pdf, ePub

And choosing among providers is not a choice between surveillance or no surveillance,
but only a choice of which feudal lords get to spy on you.

5

Government Surveillance and Control

I
t can be hard to comprehend the reach of government surveillance. I’ll focus on the
US government, not because it’s the worst offender, but because we know something
about its activities—mostly thanks to the actions of Edward Snowden.

The US national security surveillance state is robust politically, legally, and technically.
The documents from Snowden disclosed at least three different NSA programs to collect
Gmail user data. These programs are based on three different technical eavesdropping
capabilities. They rely on three different legal authorities. They involve cooperation
from three different companies. And this is just Gmail. The same is almost certainly
true for all the other major e-mail providers—also cell phone call records, cell phone
location data, and Internet chats.

To understand the role of surveillance in US intelligence, you need to understand
the history of the NSA’s global eavesdropping mission and the changing nature of espionage.
Because of this history, the NSA is the government’s primary eavesdropping organization.

The NSA was formed in 1952 by President Truman, who consolidated the US signals intelligence
and codebreaking activities into one organization. It was, and still is, part of the
US military, and started out as entirely a foreign intelligence-gathering organization.
This mission rose in importance during
the Cold War. Back then, a voyeuristic interest in the Soviet Union was the norm,
and electronic espionage was a big part of that—becoming more important as everything
was computerized and electronic communications became more prevalent. We gathered
more and more information as both our capabilities and the amount of communications
to be collected increased.

Some of this was useful, though a lot of it was not. Secrets of fact—such as the characteristics
of the new Soviet tank—are a lot easier to learn than mysteries of intent—such as
what Khrushchev was going to do next. But these were our enemies, and we collected
everything we could.

This singular mission should have diminished with the fall of Communism in the late
1980s and early 1990s, as part of the peace dividend. For a while it did, and the
NSA’s other mission, to protect communications from the spying of others, grew in
importance. The NSA became more focused on defense and more open. But eavesdropping
acquired a new, and more intense, life after the terrorist attacks of 9/11. “Never
again” was an impossible mandate, of course, but the only way to have any hope of
preventing something from happening is to know everything that is happening. That
led the NSA to put the entire planet under surveillance.

Traditional espionage pits government against government. We spy on foreign governments
and on people who are their agents. But the terrorist enemy is different. It isn’t
a bunch of government leaders “over there”; it’s some random terrorist cell whose
members could be anywhere. Modern government surveillance monitors everyone, domestic
and international alike.

This isn’t to say that government-on-population surveillance is a new thing. Totalitarian
governments have been doing it for decades: in the Soviet Union, East Germany, Argentina,
China, Cuba, North Korea, and so on. In the US, the NSA and the FBI spied on all sorts
of Americans in the 1960s and 1970s—antiwar activists, civil rights leaders, and members
of nonviolent dissident political groups. In the last decade, they’ve focused again
on antiwar activists and members of nonviolent dissident political groups, as well
as on Muslim Americans. This latest mission rose in importance as the NSA became the
agency primarily responsible for tracking al Qaeda overseas.

Alongside this change in target came an evolution in communications technology.
Before the Internet, focusing on foreign communications was easy. A Chinese military
network only carried Chinese communications. A Russian system was only used for Russian
communications. If the NSA tapped an undersea cable between Petropavlovsk and Vladivostok,
it didn’t have to worry about accidentally intercepting phone calls between Detroit
and Cleveland.

The Internet works differently. Everyone’s communications are mixed up on the same
networks. Terrorists use the same e-mail providers as everyone else. The same circuits
that carry Russian, Iranian, and Cuban government communications could also carry
your Twitter feed. Internet phone calls between New York and Los Angeles might end
up on Russian undersea cables. Communications between Rio de Janeiro and Lisbon might
be routed through Florida. Google doesn’t store your data at its corporate headquarters
in Mountain View; it’s in multiple data centers around the world: in Chile, Finland,
Taiwan, the US, and elsewhere. With the development and expansion of global electronic
communications networks, it became hard not to collect data on Americans, even if
they weren’t the targets.

At the same time, everyone began using the same hardware and software. There used
to be Russian electronics, radios, and computers that used Russian technology. No
more. We all use Microsoft Windows, Cisco routers, and the same commercial security
products. You can buy an iPhone in most countries. This means that the technical capability
to, for example, break into Chinese military networks or Venezuelan telephone conversations
is generalizable to the rest of the world.

The US has the most extensive surveillance network in the world because it has three
advantages. It has a larger intelligence budget than the rest of the world combined.
The Internet’s physical wiring causes much of the world’s traffic to cross US borders,
even traffic between two other countries. And almost all of the world’s largest and
most popular hardware, software, and Internet companies are based in the US and subject
to its laws. It’s the hegemon.

The goal of the NSA’s surveillance is neatly captured by quotes from its top-secret
presentations: “collect it all,” “know it all,” and “exploit it all.” The agency taps
the Internet at the telcos and cable companies, and collects e-mails, text messages,
browsing history, buddy lists, address books, location information,
and pretty much everything else it can get its hands on. There is no evidence to suggest
that the NSA is recording all telephone calls in the US, but we know it is doing so
in (at the least) Afghanistan and Bermuda under the SOMALGET program. The agency’s
2013 budget was $10.8 billion; it directly employs some 33,000 people, and many more
as contractors. One of the Snowden documents was the top-secret “Black Budget” for
the NSA and other intelligence agencies; the total for 2013 was $53 billion. Estimates
are that the US spends $72 billion annually on intelligence.

Much of the NSA’s money for its modern surveillance infrastructure came from the post-9/11
war efforts in Afghanistan and Iraq: the offensive effort to identify and locate enemy
targets, and the defensive effort to identify and neutralize improvised explosive
devices. That is, the capabilities were developed against networks in those countries,
and because everyone else in the world uses the same equipment, they could be more
cheaply deployed against systems elsewhere.

One obvious question arises: is this legal? The real answer is that we don’t know.
The current authority for NSA surveillance comes from three places:

•  Executive Order 12333, signed by President Reagan in 1981, permits the NSA to conduct
extensive surveillance abroad. It contains some protection for US citizens only, but
allows for extensive collection, analysis, and retention of Americans’ data.

•  Section 215 of the USA PATRIOT Act, enacted in 2001, allows the NSA to collect
“any tangible things (including books, records, papers, documents, and other items)”—about
anyone, not just foreigners—“for an investigation to protect against international
terrorism or clandestine intelligence activities.” That last bit might sound like
a limitation, but a secret court interpreted this to include the continuing collection
of telephone metadata for every American.

•  Section 702 of the FISA (Foreign Intelligence Surveillance Act) Amendments Act
of 2008 retroactively authorized NSA collection activities that were conducted illegally
after 9/11. It expanded the NSA’s remit to gather data on foreigners, with minimal
protections for US citizens. The NSA used this authority to monitor Internet backbone
connections entering the country, harvesting data on both foreigners and Americans.

The reason the discussion doesn’t end there is twofold. One, many of the surveillance
provisions of those laws are almost certainly unconstitutional, either as illegal
searches or illegal seizures. And two, some of the NSA’s interpretations of those
laws are almost certainly illegal. Challenges along both of those fronts are being
debated in the courts right now. I believe that eventually much of what the NSA is
currently doing will be stopped by the courts, and more of what the NSA is currently
doing will be stopped by new legislation. Of course, by then Americans will have been
subject to decades of extensive surveillance already, which might well have been the
agency’s strategy all along. I’ll talk considerably more about this in Chapter 13.

The NSA collects a lot of data about Americans. Some of it is “incidental.” That is,
if the NSA monitors a telephone network in France, it will collect data on calls between
France and the US. If it monitors an Internet cable under the Atlantic, it will sweep
up data on Americans whose traffic happens to get routed through that cable. The NSA
has minimization rules designed to limit the amount of data on Americans it collects,
analyzes, and retains, although much of what we have learned about them indicates
that they don’t work very well. The rules are different for communications content
and metadata, and the rules are different depending on the legal authority the NSA
is using to justify the connection. And minimized doesn’t mean that Americans’ data
is deleted; it just means that it’s anonymized unless someone actually wants to see
it. The NSA does a lot of playing around with the rules here, and even those trying
to oversee the NSA’s activity admit that they can’t figure out what it’s really doing.

A 2014 analysis of some of the actual intercepted traffic provided by Snowden found
that data about innocent people, both Americans and non-Americans, far exceeded the
data about authorized intelligence targets. Some of this reflects the nature of intelligence;
even minimized information about someone will contain all sort of communications with
innocents, because literally every communication with a
target that provides any interesting information whatsoever will be retained.

The NSA might get the headlines, but the US intelligence community is actually composed
of 17 different agencies. There’s the CIA, of course. You might have heard of the
NRO—the National Reconnaissance Office—it’s in charge of the country’s spy satellites.
Then there are the intelligence agencies associated with all four branches of the
military. The Departments of Justice (both FBI and DEA), State, Energy, the Treasury,
and Homeland Security all conduct surveillance, as do a few other agencies. And there
may be a still-secret 18th agency. (It’s unlikely, but possible. The details of the
NSA’s mission remained largely secret until the 1970s, over 20 years after its formation.)

After the NSA, the FBI appears to be the most prolific government surveillance agency.
It is tightly connected with the NSA, and the two share data, technologies, and legislative
authorities. It’s easy to forget that the first Snowden document published by the
Guardian
—the order requiring Verizon to turn over the calling metadata for all of its customers—was
an order by the FBI to turn the data over to the NSA. We know there is considerable
sharing amongst the NSA, CIA, DEA, DIA, and DHS. An NSA program code-named ICREACH
provides surveillance information to over 23 government agencies, including information
about Americans.

That said, unlike NSA surveillance, FBI surveillance is traditionally conducted with
judicial oversight, through the warrant process. Under the Fourth Amendment to the
US Constitution, the government must demonstrate to a judge that a search might reasonably
reveal evidence of a crime. However, the FBI has the authority to collect, without
a warrant, all sorts of personal information, either targeted or in bulk through the
use of National Security Letters (NSLs). These are basically administrative subpoenas,
issued by the FBI with no judicial oversight. They were greatly expanded in scope
in 2001 under the USA PATRIOT Act (Section 505), although the initial legal basis
for these letters originated in 1978. Today, NSLs are generally used to obtain data
from third parties: e-mail from Google, banking records from financial institutions,
files from Dropbox.

In the US, we have reduced privacy rights over all that data because of what’s called
the third-party doctrine. Back in 1976, Michael Lee Smith
robbed a woman in Baltimore, and then repeatedly harassed her on the phone. After
the police identified someone matching Smith’s description, they had the phone company
place a “pen register” on Smith’s phone line to create a record of all the phone numbers
Smith dialed. After verifying that Smith called the woman, they got a search warrant
for his home and arrested him for the robbery. Smith tried to get the pen register
evidence thrown out, because the police hadn’t obtained a warrant. In a 1979 decision,
the Supreme Court ruled that a warrant was not necessary: “This Court consistently
has held that a person has no legitimate expectation of privacy in information he
voluntarily turns over to third parties.” Basically, because Smith shared those phone
numbers with his phone company, he lost any expectation of privacy with respect to
that information. That might have made sense in 1979, when almost all of our data
was held by us and close to us. But today, all of our data is in the cloud somewhere,
held by third parties of undetermined trust.

Other books

In Memories We Fear by Barb Hendee
Avalon by Stephen R. Lawhead
Granada by Raḍwá ʻĀshūr
The Complete Empire Trilogy by Raymond E. Feist
A Play of Isaac by Frazer, Margaret
Lord Gray's List by Robinson, Maggie
The Weeping Desert by Alexandra Thomas