Home > Computing > Big Brother has always been watching, but how much…

Big Brother has always been watching, but how much can he see?

NSA building

It turns out Big Brother is watching — and has been for years. Revelations from the UK’s The Guardian and The Washington Post have revealed long-standing intelligence programs that may have cataloged every phone call made by untold millions of Americans for years. More-recent intelligence-gathering operations apparently even enabled the government to monitor email, chats, documents, and other communications sent through major online services provided by Google, Facebook, Microsoft, and Apple and others.

Congress, the intelligence community, and even the President of the United States aren’t denying that the programs exist, or even their scope: Instead, they’re describing the programs as vital tools for U.S. national security — and insist everything’s being done by the book.

Is the government really tracking everything we do on our phones and online? Is that even legal? What’s being done with all that information — should we be worried?

What’s been revealed?

Recent reports about the government’s data-gathering activities came in two waves. First, The Guardian published a secret order requiring Verizon turn over “telephony metadata” for all telephone calls on a daily basis. Second, The Washington Post went public with details of PRISM, an extensive NSA program capable of collecting data “directly from the servers” of some of the Internet’s largest service providers.

PRISM

Verizon does not provide Uncle Sam with the actual content of telephone conversations or billing information for the callers. It does, however, include almost everything else about calls, including the originating number, receiving number, time and length of call, unique identifiers associated with devices (like mobile phones) and sessions, as well as location data for each endpoint of a call.

Details of PRISM are based on a 41 internal NSA briefing slides dated April 2013. Data collected under PRISM reportedly includes email, images, chats, social-networking details, documents, and connection logs. Companies and services specifically named as cooperating with PRISM are Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple. (The presentation describes Dropbox as “coming soon.”) The Guardian reports British intelligence also gathers data through PRISM.

What’s the scope?

In the wake of The Guardian’s Verizon expos, government representatives and members of Congress have confirmed the existence of the call-monitoring program, and asserted it has been conducted lawfully under the continual oversight of both Congress and the Foreign Intelligence Surveillance Court (FICA), a secret body whose proceedings are classified.

Director of National Intelligence James Clapper

At an impromptu press event June 6, Senator Dianne Feinstein (D-CA), chair of the Senate Intelligence Committee, described the published Verizon order as “the exact three-month renewal of what has been the case for the past seven years,” meaning the collection of telephone call metadata has been in place since at least 2006.

“Our courts have consistently recognized that there is no reasonable expectation of privacy in this type of metadata information and thus no search warrant is required to obtain it,” Feinstein and Senator Saxby Chambliss (R-GA) wrote in a joint statement.

Many Americans have been expressing outrage that the numbers the call, when they call them, where they are at the time, and what phone they’re using are all considered public information.

Feinstein and other members of Congress have asserted that the NSA’s collection of phone call metadata has helped foil multiple terror acts in the United States. However, the details remain classified.

“Even terror suspects order pizza and dial wrong numbers.”

Government and Congressional officials have not confirmed whether call metadata is also collected from operators other than Verizon, but three sources with first-hand knowledge of NSA and FBI operations have specifically identified Sprint and AT&T as complying with similar metadata collection operations. They each also implied (but did not confirm) other U.S. telecom operators also provide call metadata.

“There is no indication that this order to Verizon was unique or novel,” the EFF’s Cindy Cohn and Mark Rumold wrote in a statement categorizing the program as untargeted, domestic surveillance.

In a very unusual move, the Director of National Intelligence James Clapper issued a statement indicating Congress has been “fully and repeatedly briefed” on the program, and that it had been “has been authorized by all three branches of the Government.” Clapper also asserted disclosure of the telephone data collection program could cause “irreversible harm” to U.S. anti-terror efforts, but at the same time indicated he’s now seeking to declassify some information about the program so the public can be better informed.

So far, PRISM’s scope is much less clear. While the internal NSA slides refer to obtaining data directly from a company’s servers, a second classified document obtained by The Washington Post indicates information is garnered through “equipment installed at company-controlled locations” that can be configured and queried by NSA analysts.

Nearly every company named in the NSA documents have issued specific denials that they participate in PRISM.

“We only ever comply with orders for requests about specific accounts or identifiers,” Microsoft — reportedly PRISM’s earliest collaborator — said in a statement. “If the government has a broader voluntary national security program to gather customer data we don’t participate in it.”

Facebook, AOL, Apple, Google, and Yahoo have all given similar statements via email or their Web sites denying participation in PRISM or providing any government agency access to its servers. PalTalk has not yet responded to a request for comment.

How is the data used?

According to sources within the NSA and FBI with first-hand knowledge of investigations carried out under FISA warrants, phone call metadata is not immediately screened or monitored when it’s turned over the NSA. Instead, the data is collated in secure facilities and warehoused.

Verizon-NSA-mem-2

“The idea is that the info has already been assembled for when it’s needed,” wrote a recently-retired intelligence officer. “We don’t have to start over from nothing every single time.”

To run queries against that massive (and ever-growing) data set, analysts and investigators need to demonstrate “reasonable suspicion” specific individuals are involved in foreign threats to the United States. According to sources with direct knowledge, those queries cannot be carried out under the same orders that authorized collection of phone metadata from telecom operators like Verizon.

“Analysts cannot just decide on their own that they have ‘reasonable suspicion’ and start firing off queries,” wrote one source within the U.S. intelligence community. “Access must be properly authorized and even then it’s limited and monitored.”

According to these sources, the phone metadata would be used to build out a web of connections from specific individuals or devices, looking for possible connections. Those might include phone calls, or physical proximity to a location, person, or device under scrutiny. A typical analysis would be “two steps deep,” meaning analysts would consider calls to and from a particular number as well as calls to and from connecting numbers. Particular connection might get deeper scrutiny.

When asked if that process of tracing connections was likely to include data from everyday Americans or others completely uninvolved in anything related to foreign agents, terrorism, or other concerns covered by FISA warrants, all sources confirmed the possibility.

“That’s the nature of investigation,” said an active NSA officer. “Put another way: A police helicopter might shine a spotlight in a back yard looking for someone fleeing a robbery or assault. That doesn’t mean the homeowner is a suspect.”

Or phone records can peer deeply into our private lives.

Conceding the possibility everyday citizens come up in queries of phone metadata, the retired intelligence officer noted: “Even terror suspects order pizza and dial wrong numbers.”

The scope of PRISM is far more nebulous. None of my sources would confirm any direct knowledge of PRISM, although they all acknowledged specific FISA warrants have been issued for electronic data and account information from many Internet companies, including those identified in the PRISM presentation. None would confirm or even speculate on the scope of data collected under those warrants or how frequently they have been issued, save to note that any investigation conducted under FISA authorization cannot deliberately target U.S. citizens or people within the United States.

The Wall Street Journal has reported (subscription required) that information collected by the NSA as metadata also includes credit-card transactions, in addition to phone call data and online activity.

Perhaps the best indication on the scope of PRISM comes from another unusual — and very ambiguous — second statement from the Director of National Intelligence, James Clapper. While claiming reports about PRISM contain “numerous inaccuracies” and its unauthorized disclosure is “reprehensible,” Clapper nonetheless maintains “information collected under this program is among the most important and valuable foreign intelligence information we collect.”

The NSA presentation slides characterize PRISM as the tool most commonly used in NSA reporting.

Is all this legal?

In a word, yes.

The U.S. Constitution protects citizens against “unreasonable searches and seizures,” and requires “probable cause” to issue search warrants. Both clauses continue to evolve, but their legal definitions have been well established by more than two centuries of American law.

spying

The legal key to the phone metadata collection program and (apparently) PRISM is that they target foreign citizens who are not subject to Constitutional protections. To monitor communications of suspected foreign agents in the United States, the government must obtain a warrant from the Foreign Intelligence Surveillance Court (FISC), a secret body set up in 1978. The government is the only party who ever appears before the court — it operates more like a grand jury than an adversarial court — and the government’s requests are rarely denied. However, the FISC’s activities are classified: otherwise, the bad guys might get tipped off they were being watched.

Yet a substantial amount of telephone and Internet communication flows through the U.S., even if it doesn’t originate or terminate within the United States. Hence, watching U.S. communications is an effective way to monitor a significant amount of communication to and between foreign nationals — precisely what the FISC can authorize.

The NSA’s phone metadata collection program revealed by The Guardian is not the same as wiretapping. The NSA is not listening to or recording phone calls. To record phone calls of foreign nationals, they would need to appear before the FISC and obtain a separate warrant. If an investigation targeted U.S. citizens, a judge can issue a wiretap warrant only if the government can assert other investigative methods have failed, are too dangerous, or are unlikely to succeed.

Since the FISC’s activities are classified, nobody really knows how the government argues for warrants. To obtain a warrant on individuals who are not U.S. citizens, the government needs to demonstrate “reasonable suspicion” — a legal concept that has a lower standard of proof than probable cause but which must be based on “specific and articulable facts,” not just a hunch.

The slippery slope, in legal terms, comes from the communications data on U.S. citizens the NSA or other intelligence agencies may become privy to under a warrant granted to them under “reasonable suspicion” rather than “probable cause.”

Where do we go from here?

Just as millions of people don’t mind telling the whole world who their friends and family are on Facebook or Twitter, many probably don’t care if federal investigators know they ordered pizza, phoned home, called their grandparents on Sundays, and voted on American Idol.

But there are significant civil liberties and even civil rights concerns if call metadata were to be inappropriately accessed or abused. After all, our phone records can peer deeply into our private lives. Imagine being fired from a job because an employer discovered, via phone records, that you’d been interviewing with another company. Or perhaps a spouse — or employer — finds out that call for a cab you made just after midnight was from a bar, not the office like you’d said. PRISM could amplify these concerns, depending on the scope of the program and the nature of the information it warehouses. What if a school district made a policy never to hire staff or teachers who had visited porn sites, or an insurer decided that your obsession with that extreme sports app was just a little too troubling?

We aren’t there yet. In the meantime, Director of National Intelligence James Clapper notes that “discussing programs like this publicly will have an impact on the behavior of our adversaries and make it more difficult for us to understand their intentions.” In practice, that means bad guys will alter their use of phone and Internet services based in the U.S. to make it more difficult for the NSA and other agencies to sift them out of all the data they collect. That means the intelligence community will have to work harder to find and track them — and who knows where that might lead.

[Keyhole/eye image via Shutterstock / Tischenko Irina]