Email is now the primary way that many Americans communicate with one another. Our email address books afford a virtually comprehensive list of everyone we know: members of our family, friends, acquaintances, past lovers. If trying to do someone harm, wouldn't you find it useful to have their whole contact list? Wouldn't you try hard to prevent an enemy from getting ahold of yours?
This month, the Washington Post revealed that the NSA "is harvesting hundreds of millions of contact lists from personal e-mail and instant messaging accounts around the world," even those belonging to Americans. "Address books commonly include not only names and e-mail addresses, but also telephone numbers, street addresses, and business and family information," the story states. "Inbox listings of e-mail accounts stored in the 'cloud' sometimes contain content, such as the first few lines of a message. Taken together, the data would enable the NSA, if permitted, to draw detailed maps of a person’s life, as told by personal, professional, political and religious connections."
Is that confounding to those of you who've heard that the NSA isn't allow to spy on Americans? The article goes on to explain the loophole the agency is exploiting:
The NSA has not been authorized by Congress or the special intelligence court that oversees foreign surveillance to collect contact lists in bulk, and senior intelligence officials said it would be illegal to do so from facilities in the United States. The agency avoids the restrictions in the Foreign Intelligence Surveillance Act by intercepting contact lists from access points “all over the world,” one official said, speaking on the condition of anonymity to discuss the classified program. “None of those are on U.S. territory.”
Because of the method employed, the agency is not legally required or technically able to restrict its intake to contact lists belonging to specified foreign intelligence targets, he said. When information passes through “the overseas collection apparatus,” the official added, “the assumption is you’re not a U.S. person.” In practice, data from Americans is collected in large volumes—in part because they live and work overseas, but also because data crosses international boundaries even when its American owners stay at home.
By my way of thinking, the Washington Post is to be congratulated for publishing this story. The scoop, based on documents leaked by Edward Snowden, exposes an ongoing surveillance practice that affects millions of Americans. It provides yet another proof of the fact that NSA defenders are misleading the public when they avow that the agency doesn't spy on American citizens. It permits a debate about whether the U.S. ought to be indiscriminately collecting address books and whether the practice is subject to adequate oversight. And it raises the question of whether it makes sense to permit data collection abroad that would be illegal if conducted within the United States.
But many NSA defenders believe that the Washington Post shouldn't have published this story, and that we'd be better off if the public was still ignorant of its details. Benjamin Wittes of Lawfare is one of those people. Here's how he reacted to the revelations:
The story has a lot of detail about how the agency is capturing large numbers of contact lists. One thing it does not have is any suggestion that the collection in question is unlawful or improper. Indeed, reporters Barton Gellman and Ashkan Soltani make pretty clear, albeit backhandedly, that this is lawful collection under Executive Order 12333 ... If the activity in question is lawful, that raises an interesting question: Why is the Post blowing top-secret intelligence documents that don’t reveal any illegality?
He goes on to qualify and expand on his critique:
... to be sure, the Post has never claimed that it will only reveal classified material when that material suggests illegality. But like other responsible news organizations, it does purport to balance the public interest in the material in question against the damage that publication risks to security interests. Here the public interest in disclosure seems, at least to me, remarkably weak, after all. At the policy level, the entire story amounts to nothing more than the proposition that NSA is under 12333 collecting large volumes of live-stream data, storing it, and protecting U.S. person material within that data only through minimization requirements. We knew all of that already.
So what does this story reveal that we didn’t already know? A specific collection method that people can now frustrate and a particular interest in collecting contact lists. In other words, here the Post does not seem to be balancing the costs of the disclosure against its benefit to the public interest. The costs, rather, are the benefit to the public interest. Put another way, I can’t quite shake the feeling that my old newspaper is now blowing secrets merely for the sake of doing so.
These are extraordinary claims.
Wittes isn't just saying that the benefits of revealing this information are outweighed by the security risks. His claim seems to be that there is zero public benefit. He treats that conclusion as if it's so obvious that the Washington Post reporters may themselves agree that there is no benefit. He speculates that the newspaper published the article out of a desire to reveal secrets as an end in itself.
His claims are worth highlighting because they tell us a lot about the mindset of NSA defenders within the national security establishment. Let's tease out some assumptions.
What do we make of the claim that the Washington Post story lacks "any suggestion that the collection in question is unlawful or improper"? When a typical American reads that a federal surveillance agency that's supposed to spy only on foreigners routinely "sweeps in the contacts of many Americans," that the number affected "is likely to be in the millions or tens of millions," that there is very little oversight of this particular program, and that the information in question is detailed enough to create an intimate portrait of someone's life, there is no mistaking that the paper has raised the question of improper conduct. It's implied that massive secret spying with meager oversight is problematic as surely as the headline "Millions Embezzled from Bank" implies impropriety.
But Wittes has so thoroughly accepted the assumptions of the national-security establishment that he doesn't even discern the newspaper article's implicit disapproval. As he sees it, massive secret spying with lax oversight and hoovering up the digital address books of millions isn't presumptively problematic. Hasn't the NSA assured us that this is all legal and that safeguards are in place? Haven't they explained that this is necessary to keep us safe? Why would anyone want to reveal this unless they just like exposing secrets as an end in itself? Trust the national-security state enough and its critics seem incomprehensible.
The revealing assumptions don't end there. "At the policy level, the entire story amounts to nothing more than the proposition that NSA is under 12333 collecting large volumes of live-stream data, storing it, and protecting U.S. person material within that data only through minimization requirements," Wittes writes. "We knew all of that already." Hold on. To whom is that "we" referring? The Lawfare brain trust may have read the article with a yawn. There is a tiny cadre of surveillance policy experts who know what 12333 is, understand the term "live-stream data," and possess an understanding of surveillance policy so sophisticated that no particular Snowden revelation comes as much of a surprise.
Newspaper articles are not published for those people. The vast majority of Washington Post readers have never studied surveillance policy or heard of 12333. If you told them that the NSA is "collecting large volumes of live-stream data, storing it, and protecting U.S. person material within that data only through minimization requirements," they wouldn't have the foggiest idea what that means. But if you told them, "the NSA is hoovering up hundreds of millions of email address books, including many belonging to Americans," they know much more than before. The Post didn't needlessly reveal a particular consistent with the public's general understanding of NSA practices—it improved public understanding of the NSA's approach to surveillance with a clarifying particular.
The public keeps being told that the NSA doesn't spy on Americans. What the Washington Post story clarifies, among other things, is that they're being misled. Hey Washington Post readers, the article effectively says, the Obama Administration's rhetoric may have led you to believe that as an American, you aren't subject to NSA spying. What probably isn't clear to you is the fact that lists of all the people many of you email with are being hoovered up and stored.
Did telling Americans the truth in this instance hurt national security?
Although Wittes assumes so, he doesn't argue the conclusion with any rigor. He assumes the efficacy of address-book collection and the need for doing it. Wittes nowhere grapples with the possibility that address-book collection is ineffective, whether due to inadequate oversight or because so much time and so many resources are spent collecting overwhelming amounts of information about totally innocent people. He doesn't grapple with the potential for abuse either, and when Wittes writes that "people can now frustrate" this collection method, he doesn't seem to realize or care that the vast majority will be innocents who don't want the government to have their address book and can now take steps to protect the privacy of their own data.
What about the legal question?
Wittes doesn't seem to understand that NSA critics, and many Americans observing the debate, do not concede the lawfulness of what's being done. Our view is that national-security-state lawyers with a penchant for tortured language and too-clever-by-half legal theories are corrupting the rule of law in America. They've gone before pliant, often secret courts with judges cowed by the possibility of another terrorist attack. Sometimes there is no one arguing the other side. And they've secured legal interpretations that transgress against the spirit of the law and the text of the Constitution. At times, the NSA's defenders are on even weaker ground than that: They've avoided attempts to adjudicate surveillance activity on its merits by invoking the state-secrets privilege and questioning the standing of anyone who brings suit against the NSA's behavior. And some legal opinions they rely upon cannot be publicly examined.
Wittes is within his rights to side with the NSA, but he does the Washington Post a disservice by wondering why it would publish a story about lawful activity without mentioning that its lawfulness is hotly contested by many people. More broadly, he has lost sight of the value of having an electorate that is fully informed about the doings of the national-security state. A technocratic elite has spent many years interpreting law, crafting policy and adjudicating challenges to it. That democratic institutions might improve on their judgements if given the opportunity is almost inconceivable to defenders of the status quo.