NNSquad - Network Neutrality Squad


[ NNSquad ] Unintended Consequences: How NSA Revelations May Lead to Even More Surveillance

It's oh so traditional to make end of year predictions, and never let
it be said that I don't have at least some respect for some
traditions, at least some of the time. And if there's any topic in
the spotlight for predictions at this juncture, it's gotta be where
the continuing bouncing bounty of leaked NSA documents is leading us.

This is a controversial topic, to be sure. When I recently mentioned
my plans for this essay to a prominent Internet activist who has been
quite vocal about these issues, they urged me not to make these
predictions at all -- suggesting that they wouldn't be helpful.

But I'm very much a member of the "actions have consequences" school
of analysis, and I strongly feel that we need to be looking beyond the
headlines, tweets, and clicks, to what the likely real world results
from this maelstrom might actually be.

Before we gaze into the somewhat cloudy crystal ball or stir the
pungent tea leaves, a few preliminary stipulations seem in order.

First, this is a discussion of what I feel are strong probabilities of
what is likely to happen -- not that they are certain to occur, of
course.  And the fact of these predictions doesn't mean that you -- or
I -- are going to be happy about these outcomes if they should
actually occur. I know I won't take any joy from them at all.

Of course it's impossible to proceed without at least mentioning
whistleblower/leaker (pick one or both) Edward Snowden, though I agree
with those who note that this story of global surveillance shouldn't
be about him. Personally, I see no reason to believe that he had
anything but good intentions by his own reckoning, though his modus
operandi, combined with a significant degree of likely naivete, have
led both him and the rest of us off in directions that he perhaps did
not and has not fully anticipated. Time will tell.

Ironically for longtime observers of NSA and other intelligence
agencies, and those of us who warned early about the abuses being
ensconced in the PATRIOT and Homeland Security Acts -- and were
accused of being unpatriotic in return -- scarcely anything in the
"revelations" to date is a real surprise at all. Nor are reports of
intelligence agencies weakening encryption systems anything new --
concerns about NSA influence over the Data Encryption Standard (DES)
reach back about four decades.

Perhaps the biggest genuine surprise has been NSA's shoddy security
practices. But we can be sure that NSA and other agencies around the
world are hard at work to try to make sure there won't be any more
Snowdens. (Sidenote: An interesting question is whether or not there
already has been the equivalent of Snowden in the scope of
repressive, censoring and brutal domestic intelligence regimes such as
those operated by Russia and China. One suspects that if such a person
were discovered in such countries, they'd be simply marched out,
summarily shot through the head, and we'd never hear about them at 
all -- conveniently avoiding bad publicity of the sort now drowning NSA.)

Nor will I here address in detail the rising "witch hunt" atmosphere
accusing both firms and individuals of complicity in NSA operations --
and demanding a range of immediate penalties -- while simultaneously
refusing to accept the proposition that the accused (guilty or
innocent) deserve due process and a chance to defend themselves --
whether or not such opportunities are legally mandated in any given
case. "Guilt by association" and demanding "proof of negatives" are
the practices of the dark side, not of enlightened critics of
surveillance abuses.

Finally, there's the elephant in the room. Everything we're
discussing, the millions of words and heartfelt arguments about
surveillance and civil liberties, are likely to be entirely academic
in the event of a significant new terrorist attack on U.S. soil. Even
a "small" nuke or dirty bomb in a city center, even if relatively few
people were killed and little significant damage done, would almost
certainly create a headlong rush by politicians to flush our remaining
civil liberties down the toilet so fast that we'd (to borrow a
recurring sci-fi meme) soon be standing in line to be fitted with
remote controlled, steel explosive pain collars.

- - - 

When we look at the likely results from the controversies surrounding
NSA and other intelligence agencies (beyond the economic benefits to
the media sites who have been doling out various associated documents
bit by bit for highest drama and maximal clicks), we can immediately
divide the analysis into the two categories of foreign and domestic.

The analysis for the former -- foreign intelligence -- is remarkably
simple. For all the handwringing and politically dissembling spin,
don't expect any significant changes in the foreign intelligence realm
anywhere in the world as a result of these controversies.

The reason is clear. Foreign surveillance ops -- conducted by
essentially every country with the means and opportunity to do so --
are pervasive, and despite Snowden, still largely hidden from view.
Since there are no effective international laws addressing this area
(nor is it clear how there ever could be for secret programs!), there
is simply no mechanism or path for significant reforms, whether
visible or invisible, real or faked, truth or lies.

Foreign intelligence reaches back to the dawn of civilization,
conducted globally everywhere, and long predates technologies like the
Internet, telephone, and telegraph. The ancient Egyptians, Romans, and
Greeks were masters of the art. No doubt it was well developed long
before then, as clusters of early humans were concerned about what
enemy (and ostensibly friendly) other clusters were up to.

Even more to the point, no countries will be amenable to unilaterally
withdrawing in this sphere -- the perceived risks (both real and
political) are simply too great. And it's almost impossible to
postulate some sort of global multilateral agreement on reducing
surveillance that could actually be proven and verified, pretty much
by definition when it comes to secret programs.

What this ends up meaning is that in an international context
especially, you really do want to encrypt your data links with the
best encryption you can obtain or develop, just on general principles
if nothing else. The goal here is to limit the scope of opportunistic,
mass surveillance, not highly targeted surveillance. In practice,
there are almost always ways to surveil specific targets, even if it
involves a "black bag" job to install goodies on a target's computer.
Communications endpoints are especially vulnerable. Nor would it be
prudent even to try to stop all targeted surveillance. The sad fact of
the world today is that there are genuinely evil people who
specifically and deliberately want to kill civilians on a mass scale,
and targeted surveillance can (and does) play an important role in
stopping them.

But pervasive encryption can make mass surveillance -- which will
virtually always mostly involve the communications of innocent 
parties -- so time consuming and expensive as to significantly limit its
utility and practicability, and it's indeed mass surveillance where
the most potential for abuses should indeed concern us.

- - -

It's in the scope of domestic intelligence that we can see the most
likelihood of change. Unfortunately, much smart money is now going on
the bet that in the long run the result of all these revelations will
actually be more domestic surveillance (under various changing names
and labels) not less!

How could this be? How could this happen?

There are various clues from around the world.

For example, just weeks ago, and shortly after a high level French
ex-intelligence official was quoted as saying essentially that "we
don't resent NSA, we simply envy them!" France passed legislation
legalizing a vast range of repressive domestic surveillance practices.

News stories immediately proclaimed this to be an enormous expansion
of French spying. But observers in the know noted that in reality this
kind of surveillance had been going on by the French government for a
very long time -- the new legislation simply made it explicitly legal.

And therein is the key. Counterintuitively perhaps, once these
programs are made visible they become vastly easier to expand under
one justification or another, because you no longer have to worry so
much about the very existence of the programs being exposed.

Here in the U.S., it's the NSA telephone "metadata" program that has
received the most attention in the domestic context. And there's yet
another irony here -- this is the very same data that telephone
companies have traditionally collected of their own volition since the
dawn of itemized call billing. And while retention periods have varied
widely (more on that in a bit) that data has long been considered to
be the property of the telcos open for their commercial exploitation
in various ways (at least until relatively recently, in some cases
even available to third parties for marketing purposes).

The NSA metadata program has now been gathering conflicting court
decisions, declaring it both legal and illegal, both an abomination
and absolutely crucial. This strongly suggests that the Supreme Court
will need to take on this issue.

But the landscape of the program is likely to change drastically
before any such decision, and those persons placing their bets on the
Supremes to strike down the program might be in for a disappointment.
The court traditionally shows great deference to the executive branch
on national security matters. Nor is the court likely to be
enthusiastic at the prospect of being lambasted if they kill the
program and then a subsequent terrorist attack is (rightly or wrongly)
blamed on the absence of the program itself.

However, the justices stand a pretty good chance of not even having to
deal with the program in its current form, because something actually
worse, and even easier for them to justify, appears to be rolling into
view as the tea leaves align.

The NSA metadata program has become the proverbial hot potato. And
like a hot potato, it's unlikely to simply vanish. Rather, somebody is
going to end up holding the smoldering spud.

Even before the recent NSA Commission report made its recommendations,
it seemed clear that administration sentiment had shifted toward
making this metadata the responsibility of the telephone and cable
companies -- AT&T, Verizon, Comcast, Charter, Time Warner Cable and so
on. The commission in fact also specifically recommended this -- or
the use of some other "third party" organization for the purpose.

Notably, none of the major stakeholders seem to be seriously talking
about no longer collecting the data at all.

This actually should not be surprising. As mentioned above, this is
exactly the sort of data that has long been collected commercially
anyway. And a key justification for the NSA program -- echoed by that
very recent court decision -- is that (supposedly) we don't have an
expectation of privacy for our call metadata being held in such
commercial third party contexts.

So, the handwriting appears increasingly clear. Pressure will rise to
move the responsibility for holding this data corpus from NSA per se,
back to the carriers or perhaps some ersatz independent org, but the
data will still be collected. And despite calls for more limited
access by NSA and other agencies, one can safely assume that whatever
access they say they really, truly need for national security, they're
going to get -- one way or another. There's simply no obvious way that
there will be a real return to any actual, meaningful, truly
individualized search warrant requirement (no matter how any changes
are ostensibly framed to the public).

It's this focus on "privatizing" this kind of government mandated data
collection that is of especial concern.

Because while the data retention policies of Big Telecom vary widely
today both by company and across a range of services (telephone and
text message metadata, text message content, and so on), we can bet
our bottom dollars that any move toward privatization will come
complete with mandated retention periods that in many cases will
exceed the time that the data is retained today.

Even more importantly, these telecom companies will almost certainly
be prohibited from deciding to hold the data for shorter periods, but
likely will be permitted to hold it longer if they choose, still
available pretty much on demand to the government.

The truth is that this sort of government mandated telecom data
retention regime has long been the wet dream of government agencies in
the U.S. and around the world -- a major push in this direction has
been taking place in the EU for quite some time (despite the
dissembling by Europe's leaders regarding surveillance -- the
hypocrisy is palpable).

It is also not surprising that the thought of Big Telecom having
control over even more of our data sends a cold chill down many
observers' spines. You'll recall these are the same firms arguing that
they have a first amendment right to exploit, control, filter, and
limit Internet data as they see fit (and may shortly have this
anti-net-neutrality view confirmed by an upcoming court decision).

And unlike government agencies, which at least in theory are subject
to significant regulation, Big Telecom has so far been pretty
successful in arguing (in the face of a weak FCC) that they are the
lords and masters of Internet access, beyond the reach of most
meaningful regulations.

I don't know about you, but personally, I've never had any negative
dealings with NSA. But I've been screwed over by AT&T and Verizon
numerous times, as have millions of other customers and vast numbers
of municipalities who have been subject to these firms' manipulations
and outright lies. To put it bluntly, and as painful as this is to
say, many observers trust AT&T and Verizon far less even than NSA, and
consider Big Telecom being the custodian of our data as an even more
nightmarish outcome than the data being under government control, at
least potentially more subject to oversight.

Of course, the best of all worlds would be not holding onto telco
metadata in the first place. But if you really think that's going to
happen, I'd like to talk to you about the potential purchase of a New
York City bridge spanning the East River.

So please excuse me if I can't work up any enthusiasm for those firms
or some "new third party" simply providing a new bucket into which the
metadata will pour in droves.

But it gets worse.

Once these visible government mandated data retention programs are in
place, the urge to expand them will be nearly irresistible.

Already, a prominent member of the NSA Commission has publicly
suggested that such retention should expand to include email --
another item long on the various agencies' wish lists around the world
(again including in the EU).

And if Big Telecom goes along (whether enthusiastically or not,
voluntarily or not), pressure for expanding government-ordered data
retention mandates into other sectors and players also seems very
likely in the long run.

- - -

This then may be the ultimate irony in this surveillance saga. Despite
the current flood of protests, recriminations, and embarrassments --
and even a bit of legal jeopardy -- intelligence services around the
world (including especially NSA) may come to find that Edward
Snowden's actions, by pushing into the sunlight the programs whose
very existence had long been dim, dark, or denied -- may turn out over
time to be the greatest boost to domestic surveillance since the
invention of the transistor.

By creating pressures for a publicly acknowledged, commercially
operated, "privatized" but government mandated data collection and
retention regime, the ease with which new categories of long-sought
data could be added to this realm -- especially in the wake of a
terrorist attack that could be used as an ostensible justification --
seems significant to say the least.

Without having to worry so much about surreptitious programs being
discovered, the government can concentrate on making its public case
for the mandated retention of ever more forms of data -- which is
already typically being collected in the course of business -- while
vastly reducing or eliminating firms' flexibility to delete and
destroy such data on a more rapid and privacy-friendly schedule.

This would be a true privacy tragedy.

As I noted at the start, this outcome is not necessarily already
burned into the timeline.  But listen closely and read between the
lines of statements by the NSA Commission, politicians, and the
surveillance spooks themselves -- the foundations for this outcome are
already being laid.

At least from the standpoint of the global surveillance community,
being able to claim privacy-friendly reforms while actually expanding
surveillance in the open under other labels would be a holy grail of
21st century spying.

The way matters appear to stand right now, it would likely be
extremely unwise to discount the probabilities of this actually
occurring in some form.

All the best to you and yours for 2014!

Be seeing you.

Disclaimer: I'm a consultant to Google. My postings are speaking only
for myself, not for them.
 - - -
Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren 
Co-Founder: People For Internet Responsibility: http://www.pfir.org/pfir-info
 - Network Neutrality Squad: http://www.nnsquad.org 
 - PRIVACY Forum: http://www.vortex.com/privacy-info
Member: ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Google+: http://google.com/+LaurenWeinstein 
Twitter: http://twitter.com/laurenweinstein
Tel: +1 (818) 225-2800 / Skype: vortex.com