December 29, 2013

Unintended Consequences: How NSA Revelations May Lead to Even More Surveillance

It’s oh so traditional to make end of year predictions, and never let it be said that I don’t have at least some respect for some traditions, and least some of the time. And if there’s any topic in the spotlight for predictions at this juncture, it’s gotta be where the continuing bouncing bounty of leaked NSA documents is leading us.

This is a controversial topic, to be sure. When I recently mentioned my plans for this essay to a prominent Internet activist who has been quite vocal about these issues, they urged me not to make these predictions at all -- suggesting that they wouldn’t be helpful.

But I’m very much a member of the "actions have consequences" school of analysis, and I strongly feel that we need to be looking beyond the headlines, tweets, and clicks, to what the likely real world results from this maelstrom might actually be.

Before we gaze into the somewhat cloudy crystal ball or stir the pungent tea leaves, a few preliminary stipulations seem in order.

First, this is a discussion of what I feel are strong probabilities of what is likely to happen -- not that they are certain to occur, of course. And the fact of these predictions doesn’t mean that you -- or I -- are going to be happy about these outcomes if they should actually occur. I know I won’t take any joy from them at all.

Of course it’s impossible to proceed without at least mentioning whistleblower/leaker (pick one or both) Edward Snowden, though I agree with those who note that this story of global surveillance shouldn’t be about him. Personally, I see no reason to believe that he had anything but good intentions by his own reckoning, though his modus operandi, combined with a significant degree of likely naivete, have led both he and the rest of us off in directions that he perhaps did not and has not fully anticipated. Time will tell.

Ironically for longtime observers of NSA and other intelligence agencies, and those of us who warned early about the abuses being ensconced in the PATRIOT and Homeland Security Acts -- and were accused of being unpatriotic in return -- scarcely little in the "revelations" to date are a real surprise at all. Nor are reports of intelligence agencies weakening encryption systems anything new -- concerns about NSA influence over the Data Encryption Standard (DES), reach back about four decades.

Perhaps the biggest genuine surprise has been NSA’s shoddy security practices. But we can be sure that NSA and other agencies around the world are hard at work to try make sure there won’t be any more Snowdens. (Sidenote: An interesting question is whether or not there already have been the equivalent of Snowden in the scope of repressive, censoring and brutal domestic intelligence regimes such as those operated by Russia and China. One suspects that if such a person were discovered in such countries, they’d be simply marched out, summarily shot through the head, and we’d never hear about them at all -- conveniently avoiding bad publicity of the sort now drowning NSA.)

Nor will I here address in detail the rising "witch hunt" atmosphere accusing both firms and individuals of complicity in NSA operations -- and demanding a range of immediate penalties -- while simultaneously refusing to accept the proposition that the accused (guilty or innocent) deserve due process and a chance to defend themselves -- whether or not such opportunities are legally mandated in any given case. "Guilt by association" and demanding "proof of negatives" are the practices of the dark side, not of enlightened critics of surveillance abuses.

Finally, there’s the elephant in the room. Everything we’re discussing, the millions of words and heartfelt arguments about surveillance and civil liberties, are likely to be entirely academic in the event of a significant new terrorist attack on U.S. soil. Even a "small" nuke or dirty bomb in a city center, even if relatively few people were killed and little significant damage done, would almost certainly create a headlong rush by politicians to flush our remaining civil liberties down the toilet so fast that we’d (to borrow a recurring sci-fi meme) soon be standing in line to be fitted with remote controlled, steel explosive pain collars.

- - -

When we look at the likely results from the controversies surrounding NSA and other intelligence agencies (beyond the economic benefits to the media sites who have been doling out various associated documents bit by bit for highest drama and maximal clicks), we can immediately divide the analysis into the two categories of foreign and domestic intelligence.

The analysis for the former -- foreign intelligence -- is remarkably simple. For all the handwringing and politically dissembling spin, don’t expect any significant changes in the foreign intelligence realm anywhere in the world as a result of these controversies.

The reason is clear. Foreign surveillance ops -- conducted by essentially every country with the means and opportunity to do so -- are pervasive, and despite Snowden, still largely hidden from view. Since there are no effective international laws addressing this area (nor is it clear how there ever could be for secret programs!), there is simply no mechanism or path for significant reforms, whether visible or invisible, real or faked, truth or lies.

Foreign intelligence reaches back to the dawn of civilization, conducted globally everywhere, and long predates technologies like the Internet, telephone, and telegraph. The ancient Egyptians, Romans, and Greeks were masters of the art. No doubt it was well developed long before then, as clusters of early humans were concerned about what enemy (and ostensibly friendly) other clusters were up to.

Even more to the point, no countries will be amenable to unilaterally withdrawing in this sphere -- the perceived risks (both real and political) are simply too great. And it’s almost impossible to postulate some sort of global multilateral agreement on reducing surveillance that could actually be proven and verified, pretty much by definition when it comes to secret programs.

What this ends up meaning is that in an international context especially, you really do want to encrypt your data links with the best encryption you can obtain or develop, just on general principles if nothing else. The goal here is to limit the scope of opportunistic, mass surveillance, not highly targeted surveillance. In practice, there are almost always ways to surveil specific targets, even if it involves a "black bag" job to install goodies on a target’s computer. Communications endpoints are especially vulnerable. Nor would it be prudent even to try stop all targeted surveillance. The sad fact of the world today is that there are genuinely evil people who specifically and deliberately want to kill civilians on a mass scale, and targeted surveillance can (and does) play an important role in stopping them.

But pervasive encryption can make mass surveillance -- which will virtually always mostly involve the communications of innocent parties -- so time consuming and expensive as to significantly limit its utility and practicability, and it’s indeed mass surveillance where the most potential for abuses should indeed concern us.

- - -

It’s in the scope of domestic intelligence that we can see the most likelihood of change. Unfortunately, much smart money is now going on the bet that in the long run the result of all these revelations will actually be more domestic surveillance (under various changing names and labels) not less!

How could this be? How could this happen?

There are various clues from around the world.

For example, just weeks ago, and shortly after a high level French ex-intelligence official was quoted as saying essentially that "we don’t resent NSA, we simply envy them!" France passed legislation legalizing a vast range of repressive domestic surveillance practices.

News stories immediately proclaimed this to be an enormous expansion of French spying. But observers in the know noted that in reality this kind of surveillance had been going on by the French government for a very long time -- the new legislation simply made it explicitly legal.

And therein is the key. Counterintuitively perhaps, once these programs are made visible they become vastly easier to expand under one justification or another, because you no longer have to worry so much about the very existence of the programs being exposed.

Here in the U.S., it’s the NSA telephone "metadata" program that has received the most attention in the domestic context. And there’s yet another irony here -- this is the very same data that telephone companies have traditionally collected of their own volition since the dawn of itemized call billing. And while retention periods have varied widely (more on that in a bit) that data has long been considered to be the property of the telcos open for their commercial exploitation in various ways (at least until relatively recently, in some cases even available to third parties for marketing purposes).

The NSA metadata program has now been gathering conflicting court decisions, declaring it both legal and illegal, both an abomination and absolutely crucial. This strongly suggests that the Supreme Court will need to take on this issue.

But the landscape of the program is likely to change drastically before any such decision, and those persons placing their bets on the Supremes to strike down the program might be in for a disappointment. The court traditionally shows great deference to the executive branch on national security matters. Nor is the court likely to be enthusiastic at the prospect of being lambasted if they kill the program and then a subsequent terrorist attack is (rightly or wrongly) blamed on the absence of the program itself.

However, the justices stand a pretty good chance of not even having to deal with the program in its current form, because something actually worse, and even easier for them to justify, appears to be rolling into view as the tea leaves align.

The NSA metadata program has become the proverbial hot potato. And like a hot potato, it’s unlikely to simply vanish. Rather, somebody is going to end up holding the smoldering spud.

Even before the recent NSA Commission report made its recommendations, it seemed clear that administration sentiment had shifted toward making this metadata the responsibility of the telephone and cable companies -- AT&T, Verizon, Comcast, Charter, Time Warner Cable and so on. The commission in fact also specifically recommended this -- or the use of some other "third party" organization for the purpose.

Notably, none of the major stakeholders seem to be seriously talking about no longer collecting the data at all.

This actually should not be surprising. As mentioned above, this is exactly the sort of data that has long been collected commercially anyway. And a key justification for the NSA program -- echoed by that very recent court decision -- is that (supposedly) we don’t have an expectation of privacy for our call metadata being held in such commercial third party contexts.

So, the handwriting appears increasingly clear. Pressure will rise to move the responsibility for holding this data corpus from NSA per se, back to the carriers or perhaps some ersatz independent org, but the data will still be collected. And despite calls for more limited access by NSA and other agencies , one can safely assume that whatever access they say they really, truly need for national security, they’re going to get -- one way or another. There’s simply no obvious way that there will be a real return to any actual, meaningful, truly individualized search warrant requirement (no matter how any changes are ostensibly framed to the public).

It’s this focus on "privatizing" this kind of government mandated data collection that is of especial concern.

Because while the data retention policies of Big Telecom vary widely today both by company and across a range of services (telephone and text message metadata, text message content, and so on), we can bet our bottom dollars that any move toward privatization will come complete with mandated retention periods that in many cases will exceed the time that the data is retained today.

Even more importantly, these telecom companies will almost certainly be prohibited from deciding to hold the data for shorter periods, but likely will be permitted to hold it longer if they choose, still available pretty much on demand to the government.

The truth is that this sort of government mandated telecom data retention regime has long been the wet dream of government agencies in the U.S. and around the world -- a major push in this direction has been taking place in the EU for quite some time (despite the dissembling by Europe’s leaders regarding surveillance -- the hypocrisy is palpable).

It is also not surprising that the thought of Big Telecom having control over even more of our data sends a cold chill down many observers’ spines. You’ll recall these are the same firms arguing that they have a first amendment right to exploit, control, filter, and limit Internet data as they see fit (and may shortly have this anti-net-neutrality view confirmed by an upcoming court decision).

And unlike government agencies, which at least in theory are subject to significant regulation, Big Telecom has so far been pretty successful in arguing (in the face of a weak FCC) that they are the lords and masters of Internet access, beyond the reach of most meaningful regulations.

I don’t know about you, but personally, I’ve never had any negative dealings with NSA. But I’ve been screwed over by AT&T and Verizon numerous times, as have millions of other customers and vast numbers of municipalities who have been subject to these firms’ manipulations and outright lies. To put it bluntly, and as painful as this is to say, many observers trust AT&T and Verizon far less even than NSA, and consider Big Telecom being the custodian of our data as an even more nightmarish outcome than the data being under government control, at least potentially more subject to oversight.

Of course, the best of all worlds would be not holding onto telco metadata in the first place. But if you really think that’s going to happen, I’d like to talk to you about the potential purchase of a New York City bridge spanning the East River.

So please excuse me if I can’t work up any enthusiasm for those firms or some "new third party" simply providing a new bucket into which the metadata will pour in droves.

But it gets worse.

Once these visible government mandated data retention programs are in place, the urge to expand them will be nearly irresistible.

Already, a prominent member of the NSA Commission has publicly suggested that such retention should expand to include email -- another item long on the various agencies’ wish lists around the world (again including in the EU).

And if Big Telecom goes along (whether enthusiastically or not, voluntarily or not), pressure for expanding government-ordered data retention mandates into other sectors and players also seems very likely in the long run.

- - -

This then may be the ultimate irony in this surveillance saga. Despite the current flood of protests, recriminations, and embarrassments -- and even a bit of legal jeopardy -- intelligence services around the world (including especially NSA) may come to find that Edward Snowden’s actions, by pushing into the sunlight the programs whose very existence had long been dim, dark, or denied -- may turn out over time to be the greatest boost to domestic surveillance since the invention of the transistor.

By creating pressures for a publicly acknowledged, commercially operated, "privatized" but government mandated data collection and retention regime, the ease with which new categories of long-sought data could be added to this realm -- especially in the wake of a terrorist attack that could be used as an ostensible justification -- seems significant to say the least.

Without having to worry so much about surreptitious programs being discovered, the government can concentrate on making its public case for the mandated retention of ever more forms of data -- which is already typically being collected in the course of business -- while vastly reducing or eliminating firms’ flexibility to delete and destroy such data on a more rapid and privacy-friendly schedule.

This would be a true privacy tragedy.

As I noted at the start, this outcome is not necessarily already burned into the timeline. But listen closely and read between the lines of statements by the NSA Commission, politicians, and the surveillance spooks themselves -- the foundations for this outcome are already being laid.

At least from the standpoint of the global surveillance community, being able to claim privacy-friendly reforms while actually expanding surveillance in the open under other labels would be a holy grail of 21st century spying.

The way matters appear to stand right now, it would likely be extremely unwise to discount the probabilities of this actually occurring in some form.

All the best to you and yours for 2014!

Be seeing you.

--Lauren--
Disclaimer: I'm a consultant to Google. My postings are speaking only for myself, not for them.

Posted by Lauren at December 29, 2013 02:06 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein