A number of articles this week have gotten me thinking more about the NSA. I decided to write up my thoughts over lunch. There have been all the reports of Gen. Alexander’s speech at Blackhat, and the audience reaction thereto. Then there was this report of a woman who searched on pressure cookers, while her husband searched on backpacks, and they then got a bunch of government visitors. All of this has the various folks who were already suspicious of “the government” even more up in arms.
Now, I’m not denying there are problems. There is clearly a different between what is legal and what is right, and there are moves afoot to correct the imbalance that has existed since the overreaction to 9/11. That said, there is also clearly a misunderstanding of the NSA and the basic reason this is legal at all.
Let’s start by looking at the differences between agencies. The FBI is focused on law enforcement within the US. The CIA gathers intelligence on foreign soil. The NSA, which is an arm of the Department of Defense, was originally created to focus on signals intelligence for the DOD. It has later branched into electronic intelligence and security, including computer security. The NSA, just like the DOD, is limited by law regarding what actions it can take towards US citizens. Just like the DOD cannot conduct military actions within the US, the NSA cannot monitor the signals between two US citizens.
Next, let’s look at the Constitution. To whom does it apply? The answer is US citizens. Non-citizen — that is, foreign nationals — do not have constitutional protections. Unless other laws have extended protections, they are not protected from search and seizure. If you think about it, the reason is clear — you are dealing with someone who has allegiance to a different country, and so the presumption is that they will work in the interest of that country over that of the US. A lot of people seem to think there should be protections for everyone, but that is not how the law is written. As any game player knows, if something isn’t prohibited in the rules, someone will figure out a way to abuse it.
Put these two factors together, and you have the area in which NSA was working: doing legal investigations in support of monitoring of foreign nationals, and communications to foreign countries. We can — and should — debate how much protection a foreign national in the US should have, or how much a US citizen’s interaction with a foreign national should be protected. Attitudes regarding that question change over time, and technology has pushed the issue even more. But this is also something that most people in the US do not understand. Look closely at what Gen. Alexander said. He kept emphasizing that there was foreign involvement in all the monitoring NSA did. That’s the “F” in the FISA court – Foreign Intelligence.
This bothers some people, including groups such as the ACLU. An article in Boing Boing highlights this way of thinking when it quotes the ACLU’s thoughts on how NSA views “targeted”:
Americans need not worry about the program, the government says, because the NSA’s surveillance activities are “targeted” not at Americans but at foreigners outside the United States. No one should be reassured by this. The government’s foreign targets aren’t necessarily criminals or terrorists—they may be journalists, lawyers, academics, or human rights advocates. And even if one is indifferent to the NSA’s invasion of foreigners’ privacy, the surveillance of those foreigners involves the acquisition of Americans’ communications with those foreigners.
First, note that this makes clear the NSA is not looking at American citizen to American citizen communications — as I noted above, this is outside of their scope. Further, no one seems to have a problem with NSA (or the CIA) monitoring Foreign to Foreign communications. The concern is when there is one side foreign, and one side American citizen. Whose rights are paramount: the American side, or the Foreign side? Right now, it appears the emphasis is on protection. That’s legal under the current laws, as one side is foreign. Is it right? That’s for the people to decide, and express to their congresscritters.
It is these restrictions that makes the case of the family, the pressure cookers, and the backpacks even odder. Presumably, they are all US citizens. So if they were being monitored by an NSA program, why was it done? NSA is very careful about that. The answer is likely much less sinister. It appears it was some local terrorism task force (which tends to overreact). As for the monitoring, the NSA was not involved at all. It turns out that Michele Catalano’s husband’s boss tipped off the police after finding ‘suspicious’ searches (including ‘pressure cooker bombs’) in his old work computer’s search history. It is perfectly legal for an employer to review the usage of a work computer. Yet when this was first reported, what did everyone assume? Yeh. Right. The big bad government.
My point is this: take a deep breath. There is loads of paranoia about the government. Some of it is justified, but much of it isn’t. The government is not filled with men in black suits and Ray-bans out to get you. It is filled with people trying to do their best to protect America, keep it safe, and allow it to succeed. The key word is “people”, and people are (surprise) human. They screw up, and create imperfect laws and structures. Other people come around and then figure out how to exploit the imperfection for some purpose. It is our job not to reject something because it isn’t perfect the first time; it is our job to make steady progress towards perfection. If you don’t like how NSA is operating under the laws, then don’t run around with your head wrapped in tin foil — write your congresscritters — or better yet, run for congress yourself — and change the laws.
We’re also dealing with a congress that, in general, does not understand technology. Consider the constitutional rules on search and seizure. They were written in an environment where one had to go into someone’s house to search. That’s why warrants are required to search in a house. Wiretaps had a similar notion — the wires were in the house. When we’re dealing with cell phones, meta data, and search info, how does that apply? You give the search terms to an external computer. You willingly given the metadata to a centralized system to make a call. Is this personal data where you are going into a residence to seize it? See the problem. Our laws have not caught up to our technology, and you have people that do not understand the technology writing and applying the laws. Don’t believe me? Look at the recent rulings on the resale of digital recordings. It was ruled that you had to sell the media player with the digital media, because the law was based on physical manifestations of recordings. This article about recent attempts by the FBI (not the NSA) to monitor Internet metadata makes the same point: the laws currently do not treat metadata the same as the contents. Metadata is treated analogous to address information on an envelope — something freely visible and out in the open. By the way, note that using encrypted protocols does not solve this problem — addresses must remain unencrypted to permit messages to be routed.
Further, while you’re addressing the laws, remember to look at the entire picture. It is pointless to update surveillance and privacy laws and forget things like the Citizens United decision. As has been noted by folks like Bruce Schneier, the ability with which corporations with deep pockets can finance campaigns and causes makes it so that laws are written that serve the for-profit corporations instead of the individual citizen. It does no good to restrict what data the government can collect when corporations are free to collect even more data simply because of a one-time business relationship.