Email is now the primary way that many Americans communicate with one another. Our email address books afford a virtually comprehensive list of everyone we know: members of our family, friends, acquaintances, past lovers. If trying to do someone harm, wouldn't you find it useful to have their whole contact list? Wouldn't you try hard to prevent an enemy from getting ahold of yours?
This month, the Washington Post revealed that the NSA "is harvesting hundreds of millions of contact lists from personal e-mail and instant messaging accounts around the world," even those belonging to Americans. "Address books commonly include not only names and e-mail addresses, but also telephone numbers, street addresses, and business and family information," the story states. "Inbox listings of e-mail accounts stored in the 'cloud' sometimes contain content, such as the first few lines of a message. Taken together, the data would enable the NSA, if permitted, to draw detailed maps of a person’s life, as told by personal, professional, political and religious connections."
Is that confounding to those of you who've heard that the NSA isn't allow to spy on Americans? The article goes on to explain the loophole the agency is exploiting:
The NSA has not been authorized by Congress or the special intelligence court that oversees foreign surveillance to collect contact lists in bulk, and senior intelligence officials said it would be illegal to do so from facilities in the United States. The agency avoids the restrictions in the Foreign Intelligence Surveillance Act by intercepting contact lists from access points “all over the world,” one official said, speaking on the condition of anonymity to discuss the classified program. “None of those are on U.S. territory.”
Because of the method employed, the agency is not legally required or technically able to restrict its intake to contact lists belonging to specified foreign intelligence targets, he said. When information passes through “the overseas collection apparatus,” the official added, “the assumption is you’re not a U.S. person.” In practice, data from Americans is collected in large volumes—in part because they live and work overseas, but also because data crosses international boundaries even when its American owners stay at home.
By my way of thinking, the Washington Post is to be congratulated for publishing this story. The scoop, based on documents leaked by Edward Snowden, exposes an ongoing surveillance practice that affects millions of Americans. It provides yet another proof of the fact that NSA defenders are misleading the public when they avow that the agency doesn't spy on American citizens. It permits a debate about whether the U.S. ought to be indiscriminately collecting address books and whether the practice is subject to adequate oversight. And it raises the question of whether it makes sense to permit data collection abroad that would be illegal if conducted within the United States.
But many NSA defenders believe that the Washington Post shouldn't have published this story, and that we'd be better off if the public was still ignorant of its details. Benjamin Wittes of Lawfare is one of those people. Here's how he reacted to the revelations:
The story has a lot of detail about how the agency is capturing large numbers of contact lists. One thing it does not have is any suggestion that the collection in question is unlawful or improper. Indeed, reporters Barton Gellman and Ashkan Soltani make pretty clear, albeit backhandedly, that this is lawful collection under Executive Order 12333 ... If the activity in question is lawful, that raises an interesting question: Why is the Post blowing top-secret intelligence documents that don’t reveal any illegality?
He goes on to qualify and expand on his critique:
... to be sure, the Post has never claimed that it will only reveal classified material when that material suggests illegality. But like other responsible news organizations, it does purport to balance the public interest in the material in question against the damage that publication risks to security interests. Here the public interest in disclosure seems, at least to me, remarkably weak, after all. At the policy level, the entire story amounts to nothing more than the proposition that NSA is under 12333 collecting large volumes of live-stream data, storing it, and protecting U.S. person material within that data only through minimization requirements. We knew all of that already.
So what does this story reveal that we didn’t already know? A specific collection method that people can now frustrate and a particular interest in collecting contact lists. In other words, here the Post does not seem to be balancing the costs of the disclosure against its benefit to the public interest. The costs, rather, are the benefit to the public interest. Put another way, I can’t quite shake the feeling that my old newspaper is now blowing secrets merely for the sake of doing so.
These are extraordinary claims.
Wittes isn't just saying that the benefits of revealing this information are outweighed by the security risks. His claim seems to be that there is zero public benefit. He treats that conclusion as if it's so obvious that the Washington Post reporters may themselves agree that there is no benefit. He speculates that the newspaper published the article out of a desire to reveal secrets as an end in itself.
His claims are worth highlighting because they tell us a lot about the mindset of NSA defenders within the national security establishment. Let's tease out some assumptions.