A Security Scholar Talks About the NSA Scandal
"They’ve established a Google for police and intelligence operations by siphoning off all the data that we’re producing through telecommunications and other forms of data production."
Last week's explosive revelations of an extensive National Security Administration data mining operation initially revived the post-9/11 debate over how to balance privacy—particularly in the digital realm—with national security. In response to the leak, President Obama argued that the NSA program was an appropriate invasion of privacy, and operated under proper oversight. "You can't have 100 percent security and also then have 100 percent privacy and zero inconvenience. We're going to have to make some choices as a society," Obama said, according to wire reports. "There are trade-offs involved."
This week, however, the story has turned away from that key debate, following the identification of the whistleblower. Edward Snowden, the 29-year-old Booz Allen contractor behind the story, has emerged as its central figure, replacing questions over the program itself with questions over Snowden: his motivations, his legal circumstances, and his character.
What about those "tradeoffs?" Whether the NSA program is too invasive, or just invasive enough, remains an unfinished national conversation. Certainly people care: among the telling reports out just today, copies of George Orwell's famous novel of information control, 1984, have started flying off the shelves in the past few days.
To get at that question of balance, we spoke with Torin Monahan, co-author of SuperVision: An Introduction to the Surveillance Society. An associate professor of communications at the University of North Carolina-Chapel Hill, Monahan is also an editor of Surveillance and Society, an academic journal focused on "Surveillance Studies." His research focuses on so-called "fusion centers," the information-gathering nodes set up around the U.S. post 9/11, designed to aid information-gathering and -sharing among law enforcement and national security agencies. The centers have come under criticism for overstepping their authority.
Our email, our Web searches, our shopping, our driving records, our education and medical records. All these are now data that can be drawn upon in some kind of centralized way to construct a fine-grained representation of who we are.
In an hour-long discussion, Monahan covered topics including the legal framework for the NSA program, the cultural history of American snooping, and the role of private contractors – as well as companies like Facebook and Google – in the modern American data collection industry.
This discussion has been edited slightly for brevity and will be presented in two parts. Today, a look at what scholars are now calling a "surveillance society." Tomorrow, the conversation continues with a profile of what kinds of data get mined, and what don't – and why.
What did you think of this news when you read it? Did it surprise you?
It did not surprise me. I’ve been involved with a community of scholars studying surveillance for a number of years now, and these are the kinds of revelations or insights that many of us have had for some time.
What’s surprising I suppose is that the NSA programs did come to light and that they are catalyzing a very public debate about the surveillance society and the use of our data collected for one purpose applied to other purposes. I think also about the role of private contractors involved in the security industry. But these are all conversations that I think we should have been having for many years.
What did you think of Obama’s response to criticism of the NSA program? I read his response to mean that the balance between security and privacy was appropriate, in his eyes.
I’ve always had an allergy to that formulation of striking a balance between privacy and security, for instance, because it implies that a diminishment in one is an increase in the other, and that’s not empirically accurate. Every time we give up privacy doesn’t mean we’re increasing our security, or vice-versa. I think at root in his response is an articulation that we should trust government officials and we should trust the security industry, that they’re not going to be acting upon the data they collect unless they have reasonable suspicion that the parties involved have been active in some kind of criminal or terrorist activities.
So it comes down to trust. How does one establish trust of that sort? As we become more digitally dependent, people will try to get our information for one reason or another, from whomever is holding it.
By saying that data are going to be collected indiscriminately, and that it’s only if there’s some reasonable suspicion that we’re involved in a criminal activity that the data will be acted upon, I think that puts the cart before the horse. Because we’re not recognizing the impossibility of anonymity in a digital age. And we’re also not recognizing that there’s been a frustration on the part of law enforcement officials and intelligence analysts that they can’t simply access data the way the rest of us do by conducting Google searches on whatever our hunches are.
In my research on Department of Homeland Security fusion centers I’ve seen this. The analyst will say “what we really need is a Google for police.” Something that lets us look people up really quickly without having to open an investigation.
I think what these revelations are showing is in fact that is what they’ve established. They’ve established a Google for police and intelligence operations by siphoning off all the data that we’re producing through telecommunications and other forms of data production.
What can they do with information that seems pretty generic? Whom you called, when you called. How do you carry that information forward into anything useful?
There are a couple of issues. I think the most important one is the potential chilling effect might be if we know, as we now know, that all our phone calls and our Internet activity could be collected, could be analyzed, they could be monitored in some way. Already we’ve seen a real threat to journalism and freedom of the press if people are worried to disclose information to reporters, and then decide not to, then we’re really close to eliminating a key accountability check built into our social system and our system of governance.
A leaker wouldn’t talk to a journalist because an NSA program would be able to be used to identify the leaker?
That’s correct. So instead of issuing a subpoena to your news organization to reveal the phone records, they already have all the phone records. No subpoena is necessary.
In theory, if someone leaks something to this magazine that isn't related to national security, the NSA technology isn’t allowed to be used for that. It’s allowed to be used for purposes of national security.
That’s true but if you look at some of the arguments that are made against people like Edward Snowden and Bradley Manning, they are saying it’s a matter of national security that information was leaked to the press. I think it would be very easy to meet that threshold, to say “this was a security issue.”
Even for minor things. I’ve seen in fusion centers that there will be suspects, and someone will have a hunch that someone has been involved in a criminal activity, and they try to do their due diligence to make sure they have some real data to that effect before acting upon it. But the FBI has been increasingly relaxing its standards, saying that if you’re running a quick search on someone based on a hunch, then you don’t need to open an investigative record. Until you discover that you really want to pursue in a really serious way. So we’re relaxing the norms that have been used to govern these types of searches in the past.
And that began post-9/11 or further back, this relaxation of norms?
What’s especially new about the Obama administration is an intentional relaxing of standards. Official relaxation by the FBI. And secondarily a harmonizing of the intelligence apparatus to the norms of an information society—that there should be an equivalent of Google for intelligence analysts and police. And that is happening.
A common criticism of the intelligence services post-9/11 was a lack of information-sharing between agencies, which led to missing key tips. If you went back 10 years, I imagine a lot of people would have thought “a Google for police” was a fabulous idea. The FBI could talk to the CIA more easily, share information.
Two of the challenges with that is determining whether something is actionable intelligence or not. We’ve seen the monitoring of Occupy Wall Street, for instance. Is that the kind of terrorist or criminal activity these systems were put in place to address? I don’t think they are, but what happens is, once the systems are in place they’re used for whatever threats are determined to be facing us.
The second issue has to do with making sense of massive amounts of data. We’ve seen an increase in data analytics capabilities. Lots of software applications that are used by government centers and private contractors to try and find patterns, find these representations of problematic or criminal behavior—that just wasn’t possible on the current scale 10 years ago.
Is this really a change in strategy, or is this only a new tactic? We know the FBI was wiretapping Martin Luther King. Is there something fundamentally new here, or is this just a tool that allows us to dig through trash cans more efficiently?
One fundamental difference is certainly the surveillance society aspect of all this. Our email, our Web searches, our shopping, our driving records, our education and medical records. All these are now data that can be drawn upon in some kind of centralized way to construct a fine-grained representation of who we are and what we believe in, what we do.
The second thing that’s changed is we’ve seen a pendulum swing in the over-reaches of government. With the program that was used to spy on Martin Luther King, Jr. and others, we realized that was an overstep. We needed to implement changes through the Foreign Intelligence Surveillance Court (FISA) to make sure that there are checks and balances, to make sure that doesn’t happen in the future.
Obama argues this is legal and well-regulated.
The warrantless wiretapping that occurred under the George W. Bush administration was really a violation of the mandates that were set out in the Foreign Intelligence Surveillance Act. And we know that retroactive immunity was applied to participating companies, and there was an amendment added to it to try and make those activities retroactively legal. That was a change. There was a societal recognition earlier that these were over-reaches and we shouldn’t monitor citizens in these ways.
And then it was discovered that we were doing it again.
Tomorrow: Why we don't hear about it when a public figure orders Fifty Shades of Grey off Amazon.