Washington Is Trapped in Its Own Prism of Data-Mining Self-Defense

The defenses of the NSA's program to collect and store records of every phone call and every email have not been very impressive. They have been absurdly weak, pointing to a secret court that rarely says no, to congressional oversight even as intelligence agencies misled Congress, to "metadata" they may not even understand. The response, even from President Obama himself, has been ridiculous. How ridiculous? This ridiculous.

This article is from the archive of our partner .

The defenses of the National Security Agency's program to collect and store records of every phone call and every email have not been very impressive. The NSA defenders point to a secret court that rarely says no. They point out congressional oversight, even though it's clear intelligence agencies have misled Congress. And some even dismiss the information being collected on Americans as unimportant, it seems because they do not know what "metadata" is. With the revelation of domestic surveillance on a scale that's hard for the human brain to conceive of — a Library of Congress's worth of data every six hours — you'd expect something more stirring than Trust us and Who cares about metadata anyway?

On Wednesday night, The Guardian's Glenn Greenwald reported a secret court order to give the NSA metadata on every Verizon call made over three months. Subsequent reporting and statements from senators revealed that it's a regular, quarterly thing to collect the data from several major telecom companies. Further, the NSA's PRISM program, The Guardian also revealed on Thursday night, allows the government to grab emails, chats, what you've searched for, and what files you've shared, thanks to the apparent cooperation of Yahoo, Google, Microsoft, PalTalk, YouTube, Skype, AOL, Apple, and possibly more, and definitely abroad. A career intelligence officer revealed a PowerPoint about PRISM to The Washington Post's Barton Gellman and Laura Poitras because of concerns about privacy. The officer said, "They quite literally can watch your ideas form as you type."

And what is the response to that panopticon from the government and the NSA surveillance program's supporters? It is ridiculous. This ridiculous:

It's just metadata — no eavesdropping!

At a press briefing ostensibly about his health-care program and its success on Friday afternoon, President Obama defended the specificity of the NSA program that has become "the most prolific contributor" to his daily intelligence briefings. Don't worry, the president said, "No one is listening to your phone calls," and the NSA is not looking at names or their content. But metadata reveals the phone numbers, and the time, length, and location of calls. "The program does not allow the Government to listen in on anyone's phone calls," Director of National Intelligence James Clapper (right) wrote in his two-page response to The Guardian article on Thursday night, which President Obama largely echoed on Friday. California Sen. Dianne Feinstein assured reporters on Thursday, "As you know, this is just metadata. There is no content involved. In other words, no content of a communication." The Wall Street Journal's editorial board is sure there's nothing to be worried about. "We bow to no one in our desire to limit government power, but data-mining is less intrusive on individuals than routine airport security," the Journal says, in an editorial titled "Thank You for Data-Mining." Yes, it can be embarrassing to know that when you go through the body scanner at the airport, one person will be able to see the fat deposits you're sensitive about. But it is not more intrusive than collecting metadata on all your calls and your emails.

The metadata is more revealing than the content, mathematician and former Sun Microsystems engineer Susan Landau explained to The New Yorker's Jane Mayer. "If you can track that, you know exactly what is happening—you don’t need the content," Landau says. Take this example: "You can see a call to a gynecologist, and then a call to an oncologist, and then a call to close family members." Geolocation can reveal a reporter's sources, or an extra-marital affair, or when political leaders are meeting.

A 'robust legal regime' acts as a check on this power.

"There is a robust legal regime in place governing all activities conducted pursuant to the Foreign Intelligence Surveillance Act, which ensures that those activities comply with the Constitution and laws and appropriately protect privacy and civil liberties," Clapper writes. "This renewal is carried out by the FISA Court under the business records section of the Patriot Act. Therefore, it is lawful. It has been briefed to Congress..." Feinstein said.

President Obama insisted that there are multiple levels of oversight — "This program is fully overseen not just by Congress, but by the FISA court," he said Friday — but Clapper has a different definition of robust than many people. "This is a court that meets in secret, allows only the government to appear before it, and publishes almost none of its opinions," Jameel Jaffer, deputy legal director of the American Civil Liberties Union, explained to the Post. The Guardian's Spencer Ackerman notes, "critics have pointed out that the Fisa Court has almost never, in its 35-year history, rejected a US surveillance request." And there's reason to doubt the FISA court is rigorously scrutinizing each government request. Wired's Kevin Poulsen points out that the Verizon Business Services court order posted by The Guardian "demands cell phone data, like customers' IMSI (International Mobile Subscriber Identity) number and another identifier that reveals the make and model of the phone." But Verizon Business Services isn't a mobile carrier — it is a landline business. It's obvious, Poulsen writes, that the FISA court "uses the same catchall boilerplate order over and over again, just changing the company name and the date. The court that’s supposed to be protecting Americans from abusive domestic surveillance is not only failing in that duty, it’s also lazy."

As for congressional oversight, Bruce Schneier explains at The Atlantic, "We know that the NSA has many domestic-surveillance and data-mining programs with codenames like TrailblazerStellar WindandRagtime — deliberately using different codenames for similar programs to stymie oversight and conceal what's really going on." And Poulsen argues that the NSA has been able to trick Congress by manipulating numbers, too. Each year, the Justice Department is required to give Congress a tally of how many times it requested classified wiretaps and "business records" under the Patriot Act. The Obama administration only went to the FISA court 200 times to request Americans' "business records" in 2012, Poulsen notes. In 2011, it was 205 times; in 2010, it was 96 times; in 2009, it was 21 times. But the Verizon court order — demanding metadata on all phone calls for three months — counts as one request. President Obama's reassurances Friday on Congressional oversight don't even make sense.

"The Department's testimony left the Committee with the impression that the Administration was using the business records provision sparingly and for specific materials," Rep. Jim Sensenbrenner wrote on Thursday. When a reporter asked Sen. Feinstein if the program was limited to Verizon or other companies got similar court orders, she replied, "We cannot answer that. Fortunately, I don’t know."

It won't affect you!

"The court only allows the data to be queried when there is a reasonable suspicion, based on specific facts, that the particular basis for the query is associated with a foreign terrorist organization," Clapper says. The Obama administration told The Washington Post, "extensive procedures, specifically approved by the court, to ensure that only non-U.S. persons outside the U.S. are targeted, and that minimize the acquisition, retention and dissemination of incidentally acquired information about U.S. persons." South Carolina Sen. Lindsey Graham said on Fox and Friends on Thursday, "I don't think you're talking to the terrorists. I know you're not. I know I'm not. So we don't have anything to worry about."

The PRISM program is only supposed to go after foreigners. "This does not apply to U.S. citizens and it does not apply to people in the United States," Obama said at his Obamacare press conference Friday. But The Washington Post reports:

Analysts who use the system from a Web portal at Fort Meade, Md., key in 'selectors,' or search terms, that are designed to produce at least 51 percent confidence in a target’s 'foreignness.' That is not a very stringent test. Training materials obtained by The Post instruct new analysts to make quarterly reports of any accidental collection of U.S. content, but add that 'it's nothing to worry about.'

Foreign or foreignish, no big deal. The NSA looks at everyone in their terror suspects' contact list, and at everyone in their contact lists' contact lists. That's how a good deal of "incidental" American data can be swept up in a search, the Post reports. And we have plenty of reason to be skeptical that the government won't use this trove of Americans' communications, even though it has it, and the Brits, too. There is public record of the NSA abusing its surveillance power, when, under the Bush administration, warranetless wiretapping was allowed on calls in which at least one person was overseas. NSA analysts told ABC News in 2008 they had a good time listening to soldiers' phone sex.

(Top photo by ourcommon via Flickr; Dark Side of the Moon photo by Solapenna via Flickr; Clapper photo via AP PRISM slide via The Washington Post; NSA headquarters via the U.S. government.)

This article is from the archive of our partner The Wire.