PRISM Overstated, NSA Surveillance Still Problematic

I was quick to tweet and post on Facebook about the Guardian and the Washington Post’s stories about the NSA’s PRISM program – a program described as giving the NSA access to the data of hundreds of millions of internet users via direct access to servers at Google, Facebook, Yahoo, Microsoft, and other internet companies.

Like many others, I was quick to denounce the NSA.  When denials began rolling in from Google, Facebook, Microsoft and so on, my first assumption was that those corporations were under the effects of ‘gag orders’ that prevent them from publicly acknowledging the existence of the program.

I have since become convinced that PRISM is not as far-reaching as the original stories described it.  Most likely (in my mind, as of today) it’s a system for providing easy access to electronic intelligence gleaned from specific FISA requests.  The New York Times quotes several sources as saying that technology companies have built systems to make that easier. That would mean that PRISM gives the NSA access to the online data of thousands of individual users and not to the online data of hundreds of millions of individual users.

That is a dramatic difference in scope.  It’s the difference between targeted snooping on specific suspects and wholesale monitoring of virtually all Americans, not to mention millions of foreigners who use American web services.

How did I come to the conclusion that PRISM is more likely to be a targeted system than a wholesale one?  Two things:

1) First, Google and other companies’ denials of participation in such a program were unusually full-throated.  They went far beyond what I’d expect a gag order to require.

2) Second, savvy tech journalists who dug into the story found it difficult to substantiate.  The existence of a system that provided access to the raw data would be difficult to hide.  If it were in active use tapping into any substantial number of users, the bandwidth used would be difficult to conceal.  As many as hundreds of employees at a large-scale corporation might have the opportunity to discover it.  Declan McCullagh, a savvy tech journalist who is also a civil libertarian, talked to numerous sources and failed to find evidence of a system that could do wholesale monitoring of activity at these internet giants. Read his piece here.

Still Reasons for Concern

So PRISM, at least in my mind, is likely to be a far more scoped system, where each request must be approved separately by the FISA court.   

Even so, we should be concerned about the NSA’s domestic surveillance activities.  Why?

1) The Verizon Story Remains Unchanged – While the PRISM story appears to have been overstated, so far as we can tell, the Verizon story was not.  The FISA court approved an order that forces Verizon to give the NSA daily dumps of the phone metadata of every call on the Verizon network.  Read that story at The Guardian.

Most likely, other phone operators in the US have received similar orders.

If the PRISM story had not broken the next day, we would still be talking emphatically about the Verizon access and the massive civil liberties intrusion it represents.

2) Lack of Judicial Oversight - In trying to allay fears about NSA activities, both President Obama and Director of National Intelligence James Clapper have spoken of the judicial oversight that keeps the NSA in check.  See, for instance, this PRISM Fact Sheet from the DNI (PDF link).

Yet the FISA Court, the court that reviews requests for domestic surveillance from the NSA, approved 100% of the 1,856 requests it received in 2012. In fact, it also approved 100% of the requests received in 2011.  And 100% of the requests it received in 2010.

The FISA Court is, essentially, a rubber stamp.  It does not, in any meaningful sense of the word, provide judicial oversight.

3) Lack of Transparency - In addition to the lack of judicial oversight, there is a marked lack of transparency.  We simply do not know what other surveillance systems are in place, how they are used, or what data they collect.  Had the Verizon order not been leaked, we would not today know that the NSA is collecting the metadata on billions of calls.  The NSA also evidently has systems that collect internet data at the ISP level – yet exactly what those systems are, what data they capture, how long it’s stored, and who has access to it remain unknowns.

The lack of transparency is further hindered by the existence of gag orders.  Gag orders, fully legal due to laws passed since 9/11, can prohibit a person or corporation from disclosing that it has been the target of a search.  An internet corporation that stores your data can be legally compelled (via FISA or other laws) to hand over that data to intelligence or law enforcement, and then barred from ever disclosing that it has done so.  This breeds distrust.

I have a high degree of trust in Google’s management on topics of privacy from government search.  I believe them when they say that they only turn over information to law enforcement or intelligence when legally compelled to do so.  But the fact that the law can prohibit them from disclosing what those situations are means that it’s easy to believe that any particular statement is not the one that Google (or other companies) would like to make, but rather the one they are being compelled to make.  In this case, the strength and breadth of statements from Google, Facebook, Yahoo, and Microsoft have persuaded me (by going well beyond simple denials) that the original PRISM claims are untrue.  But the overall situation is untenable.

Where To Now?

So we are in a situation where one program (PRISM) has been revealed to likely be narrower in scope than we feared, but where other overly broad domestic surveillance (the trawl of all phone metadata from Verizon) has been verified, and yet others (ISP-level monitoring of the internet, phone metadata trawls from other providers) are broadly suspected.

What we need are two things:

1) Transparency - We need added clarity on what programs actually exist, how they’re used, and what limits are placed on them.

2) Real judicial oversight – If the FISA Court is the ultimate approver of domestic surveillance activities, it must demonstrate that it serves as more than a rubber stamp.  A 100% approval rate of requests over the last 3 years (at least) and the approval of incredibly broad data requests like the one served to Verizon serve to undermine the court’s legitimacy. 

How do we get those?  The two entities that most clearly have oversight are the Congress and the Presidency.  My votes and my support in 2014 and 2016 will go to candidates who are intent on improving this situation.  I hope yours will too.

