Privacy Part 2: Government Surveillance

April 8

Last week we looked at big-picture concepts of privacy and how the Internet and Internet companies reflect these issues. This week we dive into the specific question of surveillance by governments: how the Internet allows governments to observe their (and other governments') citizens, and what that does to us and the Internet as a system.

Joining us for this week are Berkman fellow and online security expert Bruce Schneier and Berkman Clinical Instructional Fellow Kit Walsh.

There is a related event at Harvard Law School earlier on this class day that may be of interest to students (RSVP required).

Readings

Government vs. Corporate Surveillance

• Brian Fung, Yes, There Is Actually a Huge Difference Between Government and Corporate Surveillance

• Bruce Schneier, The Trajectories of Government and Corporate Surveillance

• Emily Bell et al., Comment to Review Group on Intelligence and Communication Technologies Regarding the Effects of Mass Surveillance on the Practice of Journalism (pages 9-12 ("Mass surveillance raises issues beyond individual surveillance," "Secret and confusing law," and "Chilling Effects") only)

Case Study - the NSA Scandal and Surveillance Policy

• The Guardian, NSA Surveillance Revelations Decoded (peruse)

• Electronic Frontier Foundation, Timeline of NSA Domestic Spying (peruse)

• Jack Goldsmith, We Need an Invasive NSA

• Fred Kaplan, Why Snowden Won't (and Shouldn't) Get Clemency

• Bruce Schneier, The Battle for Power on the Internet (approx. 12:30, watch all)

Surveillance and U.S. law

• Kit Walsh, The NSA's Spying Powers: Reading the Statute

• Steve Vladeck, Laura Donohue's Comprehensive Case Against Bulk Metadata Collection

• If you're interested, the Donohue article can be found here.

Optional Readings

• The Jennifer Granick / Orin Kerr debates on metadata and the Fourth Amendment

• Granick's opening
• Kerr's response
• Granick's reply
• Kerr's sur-reply

• Bruce Schneier, The Limitations of Intelligence

• Johannes Köppel, The International Dimension of the SWIFT Affair

Videos Watched in Class

Links

Bruce's bio: http://en.wikipedia.org/wiki/Bruce_Schneier

Bruce "facts": http://www.schneierfacts.com

Bruce's blog: https://www.schneier.com

Google SSL program: http://googleblog.blogspot.com/2010/05/search-more-securely-with-encrypted.html

Metcalf's law: http://en.wikipedia.org/wiki/Metcalf%27s_law

Secret room at Folsom Street San Francisco Internet interchange facility: http://en.wikipedia.org/wiki/Room_641A

Bruce's NSA has betrayed the Internet blog: http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

Guardian article about xkeyscore: http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data

Quantum and Foxacid: https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html

NSA's Turbulence program: http://en.wikipedia.org/wiki/Turbulence_(NSA)

Some of NSA/CIA's efforts to get into computers of people they can't hack remotely: http://www.foreignpolicy.com/articles/2013/07/16/the_cias_new_black_bag_is_digital_nsa_cooperation

The Korematsu decision in which the Supreme Court defended the internment of the Japanese: http://en.wikipedia.org/wiki/Korematsu_v._United_States

22 people killed by cows in the US every year: http://www.mnn.com/earth-matters/animals/stories/11-animals-more-likely-to-kill-you-than-sharks

OTI report about effectiveness of surveillance: http://www.bloomberg.com/news/2014-01-13/nsa-data-has-no-discernible-impact-on-terrorism-report.html

LOVEINT scandal: https://en.wikipedia.org/wiki/LOVEINT

Recent Stanford study about deanonymizing metadata: http://arstechnica.com/tech-policy/2014/03/volunteers-in-metadata-study-called-gun-stores-strip-clubs-and-more/

Why Isn't Fourth Amendment Classified?: http://www.theatlantic.com/politics/archive/2014/03/why-isnt-the-fourth-amendment-classified-as-top-secret/284439/

Google altering an election: http://www.washingtonpost.com/opinions/could-google-tilt-a-close-election/2013/03/29/c8d7f4e6-9587-11e2-b6f0-a5150a247b6a_story.html

4th Amendment: http://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United_States_Constitution

Katz case established the third party doctrine: http://en.wikipedia.org/wiki/Third-Party_Doctrine

Smith v Maryland: http://en.wikipedia.org/wiki/Smith_v._Maryland

Mass Bar Opinion About Lawyers Using E-mails: http://www.massbar.org/publications/ethics-opinions/2000-2009/2000/opinion-no-00-1

EFF on the Wiretap Act: https://ilt.eff.org/index.php/Privacy:_Wiretap_Act

Wiretap act: http://www.law.cornell.edu/uscode/text/18/2511

Fruit of the Poisonous Tree: http://en.wikipedia.org/wiki/Fruit_of_the_poisonous_tree

Access to stored communications (e.g., email): http://www.law.cornell.edu/uscode/text/18/2701

Some people have argued against the exclusionary rule because it prevents a court from using evidence http://www.streetlaw.org/en/Page/346/Friend_or_Foe_Debating_the_Exclusionary_Rule_Part_II

Compulsory access to stored records: http://www.law.cornell.edu/uscode/text/18/2703

Warshak case says you need a warrant to get an e-mail: http://en.wikipedia.org/wiki/United_States_v._Warshak

The Church Committee: https://en.wikipedia.org/wiki/Church_Committee

FISA: http://www.law.cornell.edu/uscode/text/50/chapter-36

The FISC: https://en.wikipedia.org/wiki/FISC

FOIA applies to governments -- you can't FOIA for private data: http://en.wikipedia.org/wiki/Freedom_of_Information_Act_(United_States)

PATRIOT act: http://en.wikipedia.org/wiki/Patriot_Act

Section 215: http://www.law.cornell.edu/uscode/text/50/1861

An article about Executive Order 12333 that NSA claims gives them broad authority: http://www.mcclatchydc.com/2013/11/21/209167/most-of-nsas-data-collection-authorized.html

FISA Amendments Act of 2008: http://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillance_Act_of_1978_Amendments_Act_of_2008

Section 702: http://www.law.cornell.edu/uscode/text/50/1881a

USA Freedom Act: http://beta.congress.gov/bill/113th-congress/house-bill/3361

Surveillance State Repeal Act: http://beta.congress.gov/bill/113th-congress/house-bill/2818

Class Discussion

Maybe I'm missing something, but what, exactly, has the government been doing with the information they have gotten through the NSA? It doesn't seem like they've been using it to incriminate individual citizens or even monitor them too extensively-- otherwise, wouldn't they have been able to track down would-be criminals prior to them committing crimes, a la Minority Report? They also don't seem to be monitoring it for the purpose of censorship, as is the case in China and Russia or the HUAC. And how are they even conducting their "research"? Do individuals actually go through all of that information, or is it a case whereby a machine compiles data and directs NSA employees' attentions only to cases where there are a multitude of 'questionable' searches/calls/etc.? As far as foreign policy is concerned, the act of spying on other governments has been practiced since the beginning of history. Does the advent of technology change what is acceptable in regards to spying, or only make it more accessible? With nuclear war so very possible in our times, it seems like some sort of action must be taken to monitor the intentions of other countries and their relations with the US and alliances with other countries, since transparency seems to be an impossible ideal for all countries. Castille 15:52, 5 April 2014 (EDT)

• The problem is that we don't know what they do with the information because that is secret, and is also used for secret trials in secret courts. The problem is that even if the use of the information is benevolent and well-intentioned, it is worrisome because we're creating the technological foundation for totalitarianism. Now, I don't actually think we're extremely close to creating a totalitarian state but it doesn't mean that it isn't worrisome or that in the wrong political environment we might eventually get there. Jradoff 08:25, 8 April 2014 (EDT)

• Ah, gotcha! No wonder I felt like I was missing something-- we all are! I didn't realize that they're actually hiding what they're doing with the information. Do you know what theory for how they are using the data is most likely?

Castille 12:19, 8 April 2014 (EDT)

The Guardian article- informative content, but I want to comment on its amazing user interface. This is where the web should be heading. In the same way that HTML provides markup to words and sentences, the interactive features of this article help to mark up the thoughts & ideas presented in the article. Very nicely done. Erin Saucke-Lacelle 22:55, 6 April 2014 (EDT)

• I couldn't agree more. The interface was AMAZING! Don't think I've ever seen an article like that before.

Castille 12:19, 8 April 2014 (EDT)

I am very interested to see what new data mining policies are made or both the government and corporations. Despite the reveal that we lack privacy (collection of lots of personal data from each sector), it would be nice if we had the right to know which data and on what terms data is collected on us. Agreed these are probably in the majority of privacy agreements I don't read. Trying harder to be transparent and clear with these privacy regulations would help society to at least be not as shocked by large government leaks. (Margorm 17:58, 7 April 2014 (EDT))

The Brian Fung article makes a fine point about the higher "cost" of switching from the United States to a different country, due to the government's monopoly on a range of services. However, this strikes me as a weak way to compare corporate data mining to government intrusion. In my opinion, the purpose of having a Constitution containing guaranteed rights is so that these costs need not be considered or incurred in the first place. If the US government needs to collect private information about its citizens, then it needs to be done within the restrictions of the Fourth Amendment. If exceptions need to be made it needs to be done with the public's knowledge and consent. Jradoff 08:35, 8 April 2014 (EDT)

I too came away from the Brian Fung article feeling dissatisfied with the comparison of government and corporate intrusion-- especially in light of this week's readings that make it abundantly clear to me that we are not able to "quit" or opt-out of either corporate data mining or government surveillance. I lived overseas in Asia and Europe with my last job and certainly didn't "quit" the United States, in fact I anticipated a greater impact on my "hard-to-measure modicum of privacy"- both tangible and intangible. As Fung suggests, most expats or Americans on short-term contracts overseas whom I knew and worked with openly acknowledged the higher level of scrutiny anticipated regarding correspondence, finances, and eve relationships once overseas- especially for those who intended to return to working life in the US after a time. Interestingly, the majority of these individuals were often more comfortable with- and even welcomed- decreased privacy given the positive correlation in their minds with increased security for their work and families while overseas. I will be interested to see whether cases related to data privacy and online surveillance engage the fourth amendment in the coming years- and especially whether the legal landscape at the highest levels is equipped to respond to such a quickly-evolving corporate and government culture of surveillance. akk22 10:39, 8 April 2014 (EDT)

Regarding the 'huge difference between government and corporate surveillance.' | There's so much to talk about on this topic, so I'll keep it short by playing a bit of devil's advocate. Is there truly that much of a significant difference between the two surveillance types? Both are working towards the same goal: the protection and accumulation of dollars. In the corporate sense, surveillance allows for the ability to make more dollars. With government surveillance, it allows for the preservation of the capitalist system — to maintain the corporate ecosystem. (Hence the argument that corporations still have a stronghold on our online privacy, regardless of who is responsible for the act of surveillance.) Twood 09:31, 8 April 2014 (EDT)

• It seems unfair to me to suggest that government surveillance is solely to preserve the corporate ecosystem-- surely, issues of national security extend to individuals as well as corporations. I think that government surveillance is much more geared towards protection of the individual than corporate surveillance, which is completely for the purpose of accumulating capital. Castille 12:19, 8 April 2014 (EDT)

Given the choice between Government or Corporations in regards to abuse of data - I’d like to trust the government more, as long as we reach a point where they’re transparent to citizens on how it’s being used and to what extent. Corporations will use the data to increase profit, which therefore means mapping out and predicting the spending habits of consumers in order to target them. I hope it’s not wishful thinking to believe our data would be more secure within Government Data centers. Data security at corporations will vary considerably and that means personal data is more exposed to hacking, theft and misuse by unscrupulous individuals or corporations. Marissa1989 23:39, 8 April 2014 (EDT)

Playing Devils Advocate as well, I'm less concerned with government collection of data traffic. The massive collections that exist and increase exponentially on a daily basis are still subject to human interaction. Hiring of skilled staff with Hadoop, Hive, Pig, HBase, R, etc., are still subject to the human element. Threats are real within national security and threats are many. One might argue that we cannot handle sifting the data for agreed upon missions. I'm certainly not worried about my conversation requesting the more mundane issues of life. I am worried however, about the collection, packaging, selling and reselling of corporate collected data. The data crosses so many entities that control is truly impossible. There is a reason the Romans would hide items under a Rose bush - Messengers can always be intercepted.VACYBER 13:59, 8 April 2014 (EDT)

The Battle for Power on the Internet was a great talk and made some great points. I like his idea of the quick versus the strong, saying that the marginalized was quick to use the Internet to organize but although the institutions were slower, they use power more effectively. I’m looking forward to talking more about this in class. Lpereira 14:06, 8 April 2014 (EDT)

After reading all materials it seems that it is impossible to be secured from survellience in the "century of technologies". From one hand, the government survelliance aims to protect us from terrorizm and other hazards. From another hand, it restricts the people's right on freedom of speech. But, nowadays I didn't see that just ordinary citizen was killed because of the content of his message. Let's assume that the content of email is accessed by government, but it doesn't become public. But, the situation is different when it comes to active person, whose speechs/e-mail could rise threats to government. If the threat already exist, this person would be under survellience even in times BC and now, in time of technologies. So, the internet doesn't play a great role here. Still, there are some tools which could somehow prevent the cyber attacks: for example strong code combination. If the code is secure, then it will be diffucult for the computer to break your code. Aysel Ibayeva (Aysel 14:37, 8 April 2014 (EDT))

I thought this might be useful as well: "Big data is here to stay, as it should be. But let’s be realistic: It’s an important resource for anyone analyzing data, not a silver bullet." http://www.nytimes.com/2014/04/07/opinion/eight-no-nine-problems-with-big-data.html?src=me&module=Ribbon&version=context&region=Header&action=click&contentCollection=Most%20Emailed&pgtype=article VACYBER 14:53, 8 April 2014 (EDT)

Whether consciously or uncosciously, Bruce Schneier in The Battle for Power on the Internet voice not only the obvious warning as to the ever increasing powers corporations and governments are gaining, but also the reason we this should not stop us from exploring new technologies may and probably will magnify that power even further in the decades to come. Yes, the magnification effect does, in the long run, give superior powers to larger actors, but as Schneier described so well, small, nimble, distributed actors tend to be at least a few years, if not decades ahead of the curve, which makes sure that as any good uses arise from new technology as the detrimental effects that follow. Privacy, liberty, and similar values are of great importances, but that should not be a reason to protest new developments such as Google Glass, cloud computing or bioengineering. The technologies we now all use daily certainly gave corporations and the government better access to our data, but they have also undoubtedly improved our lives. There is no reason to believe that things should be any different with most of the technologies that are on the horizon, that many are so concerned about. --Seifip 14:56, 8 April 2014 (EDT)

Surveillance is almost impossible to avoid in this age. Technology ranging from something as powerful as a Google search to simple phones, there is no avoiding be tracked, traced and watched. Governments have always been known to survey on one or two individuasl but now the NSA has a “domestic spying program” that collects millions of emails and contact information from Internet service providers. While major news reporting agencies like The New York Times have reported against corporate and government surveillance, the attacks that “The Times “ suffered by what the FBI called “hallmarks of hacking by the Chinese military” seem to justify an invasive NSA for the protection of US citizens.

Edward Snowden released ground-shaking evidence about government surveillance. While some people claim that he released more information then he should have, others claimed that he did a great service to his country and even called on the president to grant him “some form of clemency”. While for some it may be difficult to justify his decision, his actions sparked a new way of thinking over government surveillance and how the NSA will proceed in future programs. Emmanuelsurillo 15:52, 8 April 2014 (EDT)

Personally, I am not sure if it is just me or there may be others, but I do not think that government surveillance is a bad thing altogether. Having said that, I am also a firm believer in transparency in governments' handling of data. For instance, in the internet telephony world, also known as VoIP, some third world country governments (e.g. Senegal) use internet surveillance to track and catch the fraudsters. In many West African countries, governments make it clear to their citizens that they will be spying on anyone (in order to intimidate those who would attempt to divert their international incoming calls by the use of "Sim Boxes" and other devices). Although this is not necessarily targeted to everyday citizens, their "surveillance" help them save millions of dollars annually. Therefore, I believe that as long as government internet surveillance is practiced for the good cause in a transparent manner, it could be a good thing for the society.

cheikmbacke 14:59, 8 April 2014 (EDT)