Big data policies at fault in NSA scandals, say privacy experts
The world creates massive amounts of digital information each year — millions of times the amount of information contained in all of the books ever written. And in that data are the communications, photos, texts, voice mails, emails, chats, Web-browsing histories, electronic purchases and social media interactions of more than 2 billion people.
And unfortunately for intelligence agencies such as the National Security Agency, hidden within that massive universe of ones and zeros are the communications and transactions of terrorist groups and transnational criminals. Targeting the individuals who belong to these groups — known and unknown — has proven to be a monumental task. But when Congress passed the USA Patriot Act in the wake of the Sept. 11, 2001 terrorist attacks, the intelligence community came up with what it still argues is the only plausible method of uncovering terrorist plots:
Collect as much as possible, as secretly as possible.
That is exactly what has some privacy advocates calling for changes in the government’s big data and privacy policies. The surveillance state, they argue, is on a collision course with big data. In fact, some argue the collision has already occurred, resulting in all law enforcement matters being treated as secret national security issues and all citizens being presumed guilty until proven innocent.
“The big picture problem is that terrorists do what everyone else does,” said Greg Nojeim, senior counsel at the Center for Democracy & Technology and director of its Project on Freedom, Security & Technology. “They drive down roads and pay tolls. They speed. They also get on airplanes. They cross borders. They rent cars. They stay in hotels. They gamble. They bank. They do everything that everyone else does that leaves behind a little digital footprint.”
That creates myriad haystacks through which intelligence agencies must search to find the proverbial needle. “There’s not really a logical end to that,” Nojeim said, speaking Oct. 30 at an event hosted by the Bipartisan Policy Center. “There’s not that much data that is irrelevant to terrorism under that paradigm.”
Joel Schwarz, civil liberties and privacy officer for the National Counterterrorism Center, known as NCTC, spoke up from the audience and said many privacy groups and citizens harbor misperceptions about the legal guidelines that govern the intelligence and homeland security community’s collection of data, as well as the interest these agencies have in collecting everything on everybody.
Although the precise number of data sets NCTC has access to is classified, Schwarz said the agency only receives data on information related to travel, immigration benefits and suspicious financial transactions.
“Those are the categories of information we have found are most likely to contain significant amounts of terrorism information,” he said. “We’re looking at the data sets where there is the most value for terrorism purposes. We have a lot of data already, so we’re not looking for lots of data sets that have no terrorism information.”
For NSA, that means the bulk telephone metadata collection program authorized under Section 215 of the Patriot Act and a small portion of global Internet traffic (.00004 percent) analyzed under a program known as PRISM, which was authorized under Section 702 of the Foreign Intelligence Surveillance Act. Both programs compel major cell phone companies and Internet service providers to grant NSA access to the data, but with strict limitations and oversight on access to content.
But those protections, including oversight by the federal FISA court and Congress, are not enough for Nojeim, who criticized the lack of transparency and the failure of many members of Congress to learn about the programs and engage in public debate before voting to reauthorize key provisions of the Patriot Act.
“I get it that some of this has to be done in secret,” he said. But “I look at it as kind of a threat to democracy in the sense that there was no debate about whether the program ought to be reauthorized. We get it that big data is here and we adapt to it. We talk about things like use restrictions and audits. But I don’t think we have to have a world where every data set that might contain a piece of data that is relevant to activity of a terrorist … ought to be collected. I think we need to draw lines about what data sets can be collected.”
Nojeim found an unexpected ally in Mary Ellen Callahan, former chief privacy officer at the Department of Homeland Security. Callahan said she worries about the government wanting to search through big data sets simply because they exist, and said the intelligence community should be subjected to the same level of public scrutiny DHS is when it comes to data mining.
“We had the national operations center [at DHS] using social media. And we have privacy impact assessments, and we have evaluations every six months, and we publish what the evaluations are,” Callahan said, characterizing the level of monitoring as “very limited collections of personally identifiable information.”
But when Callahan testified before the House Homeland Security Committee, “I got crushed because the headline was ‘DHS follows your tweets,’” she said.
“But for the intelligence community to say ‘just trust us’ is problematic,” Callahan said. “You can’t go and say if it’s law enforcement or homeland security, you’ve got incredible scrutiny but not if it’s intelligence. I don’t think that’s a democracy. I don’t think we can have that distinction, because then everything falls into the intelligence bucket.”
Not surprisingly, Stewart Baker, former general counsel at NSA, called DHS’ effort to write a privacy impact assessment on social media monitoring “one of the dumbest things government has ever done.
“It’s like writing a privacy impact assessment on reading the newspaper,” he said.