The government's approach seems to be: "Collect first, ask questions later."

Mathew J. Schwartz, Contributor

June 10, 2013

5 Min Read

Dystopia used to seem sexier. In George Orwell's 1984, Big Brother used non-stop wars and ever-present surveillance to keep the population in check. A stray glance or thoughtcrime might send you to the slammer. Who wouldn't rebel against that?

In today's increasingly wired -- and wireless -- world, however, the surveillance situation is much more banal: Under the NSA's Prism program, APIs installed on servers running at Google, Facebook, Microsoft and other technology giants give government spooks access to meta-data relating to communications and phone calls. It is signals intelligence meets big data and analytics, with a self-writing sales pitch that seems tailor-made for the Big Three: "Mass surveillance to monitor for suspected terrorists across the entire United States, for only $20 million." Data storage, no doubt, costs extra.

To top it all off, the design of the top secret Prism PowerPoint documents -- leaked by Edward Snowden, 29, an employee of Booz Allen Hamilton who's done contract work for U.S. intelligence agencies -- are, in the words of renowned design guru Edward Tufte, "dreadful."

[ Do you know what this means for your job? Read NSA Dragnet Debacle: What It Means To IT.]

But the biggest problem with the NSA's program is that it has all the hallmarks of an "engineering first" mindset, along these lines: With all of that metadata floating in the ether, why not build it and see what secrets it might reveal? The same philosophy appeared to be behind Google's Street View program, in which a "rogue engineer" pursued wardriving by design, capturing Wi-Fi data for later analysis. Numerous governments fined Google for privacy violations.

Similar privacy fears were raised after a security researcher discovered that Carrier IQ diagnostic software installed on 141 million handsets could be used to capture every keystroke entered on the phone. While the company at first refused to discuss its software or what controls might be in place to counter abuse, it belatedly surrendered details in response to a Senator's inquiry.

Both of those episodes highlight that just because something is technically feasible, when it comes to U.S. citizens' rights -- including Fourth Amendment protections against unreasonable searches -- that doesn't satisfy the moral question: Is it right?

Or in the words of Akamai's security evangelist, Martin McKeay: "'Democratic Surveillance' -- collect minimum needed to be effective. 'Totalitarian Surveillance' -- collect everything, sort it out later."

Is Prism even legal? George Washington University professor Orin Kerr, a former Department of Justice computer crime prosecutor, has suggested that Prism simply implements the Protect America Act of 2007 and FISA Amendments Act of 2008. But as Glenn Greenwald, the Brazil-based U.S. citizen who broke the Prism story for the Guardian tweeted Monday: "If everyone is so sure this spying is legal, why does Obama DOJ keep preventing federal courts from ruling on its constitutionality?"

Now it's up to the Obama administration to prove not only that the program is legal, but that privacy and usage safeguards are in place -- and subject to external reviews -- to ensure that information is only used to spy on foreigners, without infringing U.S. citizens privacy. In other words, the White House must prove the system is just.

Where moral questions are concerned, Snowden said he doesn't think the NSA operators were evil -- far from it. "Analysts (and government in general) aren't bad guys, and they don't want to think of themselves as such," he told The Washington Post. But the NSA's approach was based on a false premise: "If a surveillance program produces information of value, it legitimizes it,'" he said.

That "collect first, ask questions later" justification is chilling. Indeed, one big problem with big data analytics when practiced by intelligence or law enforcement agencies is that it's not a zero-sum game. The NSA's data dragnet operation snares information from everyone. According to accounts of how the system seems to work, it's then left to intelligence analysts to tweak their algorithms until they're only investigating hits on people they have a "51% confidence" of being foreign.

In the wrong hands, or without proper oversight, the data set collected by the NSA would be a privacy nightmare. In March 2013, for example, a study published in Nature found that "human mobility traces are highly unique," and that with just four data points -- involving location and time -- were required to "uniquely identify 95% of the individuals" studied. Picking two random points, meanwhile, allowed researchers to correctly identify half of people in the mobility data set, which was collected from 1.5 million people over a 15-month period.

Given the risks introduced by Prism, the big question in coming days will be: Who's guarding our secrets? Are the potentially petabytes of information being collected in safe hands?

One harbinger that the answers may not be to our liking comes via the actions of Snowden, a contract NSA network administrator who, after seeing the program in operation, gave up his $200,000 annual salary, job in Hawaii and hopes of ever seeing his girlfriend or family again. Snowden said the Prism program led him to conclude that the modern surveillance state is "such a direct threat to democratic governance that I have risked my life and family for it."

"Perhaps I am naive," Snowden told The Washington Post, "but I believe that at this point in history, the greatest danger to our freedom and way of life comes from the reasonable fear of omniscient State powers kept in check by nothing more than policy documents."

Now it's up to the Obama administration to refute that criticism and assuage Americans' concerns. In the words of Senator Mark Udall (D-Colo.), a member of the Senate intelligence committee who commented Sunday about ongoing Prism questions: "Let's have the debate, let's be transparent. Let's open this up."

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights