There have been two major leaks this past week that we want to talk about. First, news that Verizon turns over all phone call metadata -- the numbers called, dialed, and the duration of the phone call in question -- to the NSA. Second, news that the NSA has agreements with major tech companies, including Apple
, Facebook, Google
, Microsoft, and Yahoo, that require those companies to turn over information.
Every firm named in these slides has come out and said it does not reveal information about US citizens without an appropriate court order. The NSA has released a statement
confirming this, saying: "It cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States.
"Activities authorized by Section 702 are subject to oversight by the Foreign Intelligence Surveillance Court, the Executive Branch, and Congress. They involve extensive procedures, specifically approved by the court, to ensure that only non-U.S. persons outside the U.S. are targeted, and that minimize the acquisition, retention and dissemination of incidentally acquired information about U.S. persons."
This is true. It is also dangerously inaccurate. Let's talk about why you should care about these policies and what the NSA is and isn't saying. First, we're going to hop back in history. Stick with me; it's related. We're hopping back to 1986 and the investigation into the loss of the space shuttle Challenger.
The Normalization of Deviance:
For those of you who don't remember (or weren't alive), the loss of the space shuttle Challenger in 1986 was caused by the disintegration of an O-ring seal inside the solid rocket booster (SRB). Without a proper seal, hot gas inside the booster penetrated the side of the rocket, leading to a catastrophic explosion. This was far from an unknown possibility; NASA found evidence of O-ring erosion on the second space shuttle mission ever flown, in 1981. The flaw was labeled "Criticality 1" meaning that a failure would destroy the Orbiter and kill the crew.
The night before the catastrophic launch, multiple engineers from Thiokol, the company that designed the flawed SRB system, called for NASA to push the launch back until the weather was warmer. The concern was that low temperatures would make it impossible for the O-ring to seal properly. NASA refused to delay and Thiokol withdrew the request. This, despite the fact that NASA's own policies mandated against relying on a backup part in a "Criticality 1" incident.
What does this have to do with the NSA? More than you might think. In the wake of the Challenger's loss, it became apparent that multiple warnings and safety protocols had been de-emphasized precisely because launches continued to go smoothly. Procedures that deviated from recognized safety margins and limits became the accepted norm.
That's precisely what's happening here. When the Patriot Act passed in 2001, it did not lead to the immediate formation of a police state. What it did
do was create a framework in which virtually any intrusion into civil liberties could be justified in the name of stopping terrorism. In the intervening 12 years, the courts have steadily widened the rights and powers of various investigatory agencies.
Courts have upheld the government's argument that you cannot sue the government for warrantless wiretapping unless you can prove you were affected, and then upheld the government's right not to tell you if it put you under surveillance. Absent a complete cock-up (as happened with warrantless GPS tapping), you have no standing to bring a lawsuit. Now we know Verizon gives the government data on all phone calls, foreign and domestic. PRISM gives the government the right to spy on all US Internet traffic routing through major service providers.
The NSA believes it needs these unprecedented capabilities to fight terrorism, despite the fact that Al-Qaeda is a shell of its former self. PRISM, according to the New York Times, grew out of the laws
that allowed the warrantless wiretaps to proceed in 2005 - 2006. As deviant behavior becomes "normal", actions that would've once been seen as unacceptable become the standard.
The Denials Are Meaningless:
Both Facebook and Google have denied working with the government on these matters and both have used the phrase "direct access." Again, it's probably true. The problem is, the government is allowed to (and encouraged) to trawl for data using a broad net. If the NSA uses PRISM to gain access to the account of John Doe, Chinese national, and John Doe corresponds with American Citizen #1, American Citizen #1 is now on the NSA's radar -- all without going to the trouble of getting a warrant. In theory, this type of data sweep is limited -- but you aren't allowed to see how
Verizon, AT&T, Google, and Facebook don't really have a choice in these matters. Legally, they can be compelled to turn over the data. Arguing that they require the NSA to jump through certain hoops is effectively meaningless, given how much larger those hoops are these days. It's no coincidence that the Department of Justice has recently begun pursuing whistleblowers and journalists with unprecedented zeal.
The Bottom Line:
If you own a phone -- wired or wireless -- you can assume the NSA sees the records, even if it only sees the metadata. PRISM may currently apply only to foreign traffic routed through the United States, but the rules that determine when a US national is deemed as being connected to a foreign group are literally unknown. FISA functions as a rubber-stamp body; only a handful of the thousands of cases it processes each year are ever turned down. There's some good news -- a recent rulings deemed federal gag orders that prevent companies from even speaking about national security letters unconstitutional -- but that decision has yet to be upheld by the Federal Ninth Circuit.
As for non-telephone use, no, at this point, the government doesn't get access to everything, unless it decides it wants that access. If it does, it has no trouble going to FISA, rubber-stamping an application, and turning it over to Google, Facebook
, or Yahoo
, which are then required to comply.
What can you do about it? Nothing. Congress was briefed on this long ago; precious few legislators have spoken out against it. It's not a Bush problem or an Obama problem or a Republican / Democratic problem; the overwhelming majority of elected representatives from both parties have signed on to this as an appropriate means of fighting "terrorism."
If the government decides it needs to spy on US citizens the way it spies on foreign countries, the assertion of that requirement will be handled in a court with an acronym for a name. The evidence will be shrouded under state secrets.
Out of sight, out of mind.