Be Very Afraid
What we should have known about government spying before Edward Snowden's leak, why even innocent people have plenty to fear, and what you can do about it
In early June, former National Security Agency (NSA) contractor Edward Snowden jump-started a national debate on government spying when he leaked information about several top-secret mass surveillance programs in the U.S. and Britain. Snowden fled his home in Hawaii ahead of the bombshell disclosures under the correct assumption that his government would not be pleased. He went first to Hong Kong and then to Russia, where he remains at press time (at least as far as we know).
In addition to releasing information about the collection of telephone metadata, Snowden revealed details of an Internet surveillance program called Prism. The resulting avalanche of articles, led by the London Guardian's Glenn Greenwald and The Washington Post's Barton Gellman, sparked an international conversation about privacy, security, and government spying. While President Barack Obama insisted that he would not be "scrambling jets to get a 29-year-old hacker," the commander in chief called Snowden's leaks "damaging" and defended the surveillance apparatus. "You can't have 100 percent security and also then have 100 percent privacy," he explained at a June 7 press conference. Days later, federal prosecutors charged Snowden with espionage and theft of government property.
What follows is what we knew before the NSA scandal broke, why even folks with "nothing to hide" should be concerned about privacy protections, and what ordinary civilians can do to protect the secrecy of their day-to-day business.
Five Alarming Things We Already Knew About the NSA, Surveillance, and Privacy Before Snowden
Brian Doherty
Long before Edward Snowden bought his one-way ticket to Hong Kong, alert Americans should have known their privacy was under attack. Here are five facts about government surveillance and corporate cooperation that should not have been news to those paying attention.
1. Edward Snowden was not the first NSA whistleblower.
Before Snowden became a household name, there was Thomas Drake, a NSA senior executive and whistleblower. Drake was indicted in 2010 under the Espionage Act after publicly revealing that a secret NSA data collection program might be snooping illegally on Americans. (He pled guilty to one small charge of misusing the agency's computer system and was sentenced to one year of probation and some community service.)
Then there was NSA crypto-mathematician William Binney and analyst J. Kirk Wiebe. Each (after they had quit the agency) had his home raided by the FBI in 2007, when they were suspected of being the sources for a 2005 New York Times story about the NSA's Bush-era warrantless wiretapping program. Binney and Wiebe were never charged with a crime, though both had their security clearance revoked.
After Snowden's leaks were made public, Binney told The Daily Caller that the NSA may have its mitts on more than just "metadata," information about makers and recipients of the calls. He said the agency likely has audio of telephone calls as well. "I don't think they're recording all of it," he said. "There are about 3 billion phone calls made within the USA every day. And then around the world, there are something like 10 billion a day. But while they may not record anywhere near all of that, what they do is take their target list, which is somewhere on the order of 500,000 to a million people. They look through these phone numbers, and they target those, and that's what they record."
These three whistleblowers share a lawyer, Jesselyn Radack of the Government Accountability Project, who explained to USA Today in June that the NSA doesn't take kindly to employees complaining about illegal activity through official internal channels. "The inspector general was the one who gave their names to the Justice Department for criminal prosecution under the Espionage Act," she said. "They were all targets of a federal criminal investigation, and Tom [Drake] ended up being prosecuted—and it was for blowing the whistle."
Warnings about NSA surveillance were not limited to internal whistleblowers. Senators such as Russell Feingold (D-Wis.) and Ron Wyden (D-Ore.) were sounding the alarm as early as 2009 that the government was secretly grabbing sensitive information about Americans from private businesses, using a creative interpretation of Section 215 of the PATRIOT Act, which requires the government to certify that all the information it requests pertains to ongoing terrorism inquiries.
In 2006 then-Sen. Joe Biden (D-Del.) succinctly explained the problem with these information dragnets. He told CBS News in a television interview that "if I know every single phone call you made, I'm able to determine every single person you talked to, I can get a pattern about your life that's very very intrusive." The vice president was notably silent about Snowden's revelations—except when he was advising Ecuador against giving the leaker asylum.
2. This isn't the first national conversation about telecommunication companies coughing up customer information to the government.
Americans have known about industry collaboration with the security state for long enough that it was a mini-controversy before Barack Obama became president. In early 2008, Obama came under sharp criticism from elements of his base when he shifted his position on "telecom immunity"—legal protection from lawsuits by customers angry about having their data shared with law enforcement. As a presidential candidate, Obama initially opposed telecom immunity, then voted for a bill providing it.
In 2009 Christopher Soghoian discovered that both Verizon and Yahoo! were afraid their users would learn the extent of their collaboration with the NSA. A letter written by Yahoo! lawyers complained that publicizing such facts would likely "shame" the company and "shock" its customers. In 2010 Soghoian, now with the American Civil Liberties Union, told me telecom and Internet providers "all have special departments, many open 24 hours per day, whose staff do nothing but respond to legal requests. Their entire purpose is to facilitate the disclosure of their customers' records to law enforcement and intelligence agencies."
3. Laws against revealing information about secret NSA programs have been on the books since 1917—before most intelligence agencies even existed.
In June, American Enterprise Institute fellow Marc A. Thiessen inadvertently admitted his own participation in a criminal enterprise by writing a Washington Post column declaring that, according to his reading of federal law, reporting Snowden's revelations is a crime. Thiessen writes a column for the Post, one of the first newspapers to publish Snowden's leaks.
The law Thiessen had in mind is 18 USC § 798, which applies to anyone who "knowingly and willfully communicates, furnishes, transmits, or otherwise makes available to an unauthorized person, or publishes…any classified information…concerning the design, construction, use, maintenance, or repair of any device, apparatus, or appliance used or prepared or planned for use by the United States or any foreign government for cryptographic or communication intelligence purposes; or concerning the communication intelligence activities of the United States or any foreign government." Offenders face penalties of up to 10 years in prison.
The law does give would-be communicators a bye if their revelations of intelligence gathering methods were presented to a committee of Congress "upon lawful demand." Not that Congress is likely to demand such a thing.
4. NSA watchers have long known about massive data-hoovering operations.
Even before the revelations about Prism, NSA chronicler James Bamford reported at length in his 2009 book The Shadow Factory that the agency has its own room at a huge AT&T facility in San Francisco through which enormous amounts of domestic electronic communications are funneled. Similar systems were in place at other AT&T hubs, likely grabbing other carriers' traffic as well.
As Bamford wrote four years ago, the NSA already had decided to "create a database of every call ever made" in the country. Unable "to show probable cause, or even a reasonable suspicion…the NSA was on an expensive fishing expedition," he wrote. "People became NSA targets simply because they happened to call a target." NSA then began tossing many of these domestic numbers as "unsolicited leads" to the FBI so it could directly tap domestic calls. As Bamford reports, this wasted a great deal of FBI time, to who knows what detrimental effect.
Bamford concluded that as early as 2008 anyone paying attention knew that "the idea of communications privacy in the United States has literally become a joke." Pranksters in the Billboard Liberation Front altered an AT&T billboard in San Francisco that year to read: "AT&T works in more places, like NSA HEADQUARTERS."
5. The Fourth Amendment is violated daily by both national security and domestic law enforcement agencies.
In a series of decisions beginning in the early 1970s, the Supreme Court declared that people have no reasonable expectation of privacy in data they voluntarily disclose to third parties, meaning that such information is not covered by the Fourth Amendment and has only as much protection as legislators decide to give it. Decisions aimed at facilitating the war on drugs have further eroded the Fourth Amendment's guarantee against unreasonable searches and seizures by, among other things, declaring that even if your outdoor property is fenced and marked "no trespassing" police can still search it for drugs. The rampant use of unreliable drug-sniffing dogs to trigger probable cause has degraded constitutional protections still further.
These reminders of what we already should have known about government surveillance are not meant to denigrate the importance of Snowden's revelations. But those who care about privacy issues should contemplate what was already in the public record and consider how fragile public awareness can be.
Knowledge available to the alert can fade all too quickly from the body of information that forms most Americans' views of the world. One of the challenges now is to ensure that what Snowden has told or reminded us about the NSA and the world of surveillance in which it is enmeshed does not fade from the nation's short memory.
Three Reasons You Should Be Worried About Government Surveillance, Even If You Have 'Nothing to Hide'
Scott Shackford
In June independent blogger Daniel Sieradski started a Twitter feed called "Nothing to Hide," through which he retweeted hundreds of people declaring in one form or another that they are not concerned about government spying because their hands are clean. If a tactic helps the feds fight terrorists, these people argued, civil liberties can take a back seat.
But there are many reasons to be concerned about the rise of the surveillance state even if you have nothing to hide—or rather, even if you think you have nothing to hide. For those tempted to trade liberty for the promise of security, here are three counterarguments.
1. Every American is probably a criminal.
As civil libertarian Harvey Silverglate wrote in his 2009 book Three Felonies a Day: How the Feds Target the Innocent, the federal criminal code has grown so thick during the last several decades that Americans probably don't even know how often they violate it. Did that summer camp pay the performing license to show your kids that DVD of Cloudy with a Chance of Meatballs? Ever copy a song to your computer hard drive? Did you declare all out-of-state purchases on your taxes? Did you displace any protected species when you landscaped your backyard? It's harder to actually follow many federal and state laws than to break them.
Individuals can wind up ensnared in the federal justice system for seemingly innocuous activities, or at least actions that don't obviously call for a federal response. Former Tribune Co. web producer Matthew Keys is facing federal hacking and conspiracy charges and possibly prison time because he gave his old work password to a member of the hacker group Anonymous, which used it to change a headline at the website of the Los Angeles Times. Why did this prank draw the eyes of the feds? The vaguely worded Computer Fraud and Abuse Act, introduced in 1986 but amended many times, makes things like vio- lating a website's terms of service a possible felony, treated similarly to hacking regardless of whether real harms occurred.
Given the digital focus of the Prism program, everybody should be concerned about what crimes we don't even know we're committing—crimes federal prosecutors could try to prove with access to our phone and online metadata, basic information accessible without a federal warrant.
2. The federal government has abused its surveillance powers before.
In 1975 Sen. Frank Church (D-Idaho) put together a committee, which would eventually come to be known as the Church Committee, to investigate illegal activities by the federal government's intelligence agencies. The committee's headline-making revelations included spying on activists, opening and reading private mail, and deploying the Internal Revenue Service as a weapon. Sound familiar?
Defenders of Prism say it only targets foreigners. But under current rules a great deal of information about Americans can be collected "incidentally." In any case, rules can always be changed.
Furthermore, we have no way of knowing that official descriptions of the program are accurate, because oversight has been hidden from public view. We do know, thanks to Sen. Ron Wyden (D-Ore.), that in 2011 the Foreign Intelligence Surveillance Court deemed at least some aspects of the NSA's snooping unconstitutional, but the Justice Department is trying to block the release of that secret decision.
So we know the NSA has broken the law once, but we don't know what it did, what harm resulted, whether there was any sort of punishment or discipline, or what's preventing more such abuses. This is not oversight you can trust.
3. Government is made of people, and people can be creepy, petty, incompetent, and dangerous.
Gilberto Valle had an unusual sexual fetish. He fantasized about kidnapping, killing, and eating young women.
Valle was also a member of the New York Police Department. He was convicted in March of plotting to make his fantasies a reality. Whether he really meant to do so is debatable; his defense was that his cannibalistic musings were all sexual role-playing. But Valle also was convicted of looking up his potential targets in a national crime database, which he was able to use due to his position of authority.
Even as the Obama administration was arguing that NSA surveillance is subject to sufficient oversight, it was blaming the Internal Revenue Service's targeting of conservative political nonprofits for additional evaluation on rogue employees and poor management. You don't have to be a privacy purist to be concerned about bad or dangerous people obtaining sensitive information about you. Some of them work for the government, and they may be interested in you for reasons that have nothing to do with politics. Even if you think you have nothing to hide.
Four Steps to Keep the Government From Spying on You—or at Least Make It More Difficult
Ronald Bailey
"Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?" Sen. Ron Wyden (D-Ore.) asked James Clapper, the director of national intelligence, during a Senate Intelligence Committee hearing in March. Clapper replied, "No sir…not wittingly."
We now know this was a bald-faced lie. Or as Clapper parsed it later, it was the "least untruthful" answer he could give. The NSA has been collecting information about the telephone calls and online activity of millions of Americans for years.
Clapper says it's not as bad as it sounds because the government does not actually look at the data unless it has reason to believe a particular person is up to no good. To Christopher Soghoian, a policy analyst at the American Civil Liberties Union, that's like putting a camera in your bedroom while assuring you that no one will look at the resulting footage unless something bad happens.
The NSA was able to obtain all that personal information about American citizens because the dominant Internet business model is to exchange free services for personal information that facilitates targeted advertising. Soghoian suggests the free market has delivered us into a world that is insecure by default. But when I point out that Verizon and the other telephone companies are highly regulated semi-monopolies, Soghoian agrees, noting that phone companies are subject to more regulation than Internet companies such as Google or Facebook. This gives the government more opportunities to punish them should they be shy about meeting demands for information.
If you can't expect the companies entrusted with your information to keep it confidential, what can you do to ward off government snoops? "I have bad news for the average citizen," says Mark Wuergler, a senior researcher at the cybersecurity firm Immunity Inc. To avoid monitoring by the government, he says, you need to use encryption and control your own hardware, networks, and servers. Wuergler is pretty sure that current methods for protecting data are so clunky and complicated that most Americans will not bother with them. "It boils down to less convenient, more secure; more convenient, less secure," he says. "You just need to assume that your data is being watched."
Still, there are some steps you can take to protect your privacy:
1. Consider not putting so much stuff out there in the first place.
Wuergler has devised a program called Stalker that can siphon off nearly all your digital information and use it to assemble an amazingly complete portrait of your life, pretty much pinpointing where you are at all times. So use Facebook if you must, but realize that you're making it easy for the government to track you.
2. Use a secure search engine, such as DuckDuckGo.
DuckDuckGo and its discreet search-engine rivals do not collect the sort of information that can leave a digital trail of your Internet searches. When the government bangs on its door to find out what you've been looking at, DuckDuckGo has nothing to hand over. I have decided to make DuckDuckGo my default for general browsing and searching, turning to Google only for items such as breaking news and scholarly articles. (The NSA presumably would be able to tap into my DuckDuckGo searches in real time.)
3. Use TOR to conceal your whereabouts.
TOR offers free software and a network of relays that can shield your location from prying eyes. TOR operates by bouncing your email messages and files around the Internet through encrypted relays. Anyone intercepting your message once it exits a TOR relay cannot trace it back to your computer or your physical location. The software is used by dissidents and journalists around the world. On the downside, in my experience TOR slows down your browsing and searching.
4. Use encryption.
Silent Circle is an intriguing one-stop encryption solution. Developed by Phil Zimmermann, the inventor of the Pretty Good Privacy (PGP) encryption system, Silent Circle enables users to protect their text messages, video, and phone calls as well as their email. Zimmermann and his colleagues claim that neither they nor anyone else can decrypt messages sent across their network. This kind of security doesn't come free: Silent Circle charges $10 per month.
You might consider protecting the data already stored on your computer by using free encryption software from TrueCrypt. If you keep data in the cloud, you might use SpiderOak, which bills itself as a "zero-knowledge" company. That means it does not have any way to decrypt the data you store with it. But SpiderOak will provide personally identifiable information about users to law enforcement agencies if legally required to do so. The company offers two gigabytes of free storage for beginners.
With regard to encrypting data, you should keep in mind United States v. Fricosu, a recent federal criminal case. Colorado Springs resident Ramona Fricosu and her husband were accused of mortgage fraud in which they obtained titles to homes facing foreclosure, sold them, and then did not pay off the original mortgage. Citing the Fifth Amendment's ban on compelled self-incrimination, Fricosu refused to give police the password to her encrypted computer. A federal judge ordered her to provide the password or supply a decrypted hard drive to the police. She claimed to have forgotten the password, but her ex-husband offered the police some plausible possibilities, one of which worked.
Now for some bad news. Telephone metadata of the sort the NSA acquired from Verizon is impossible to hide. To connect your calls, the phone company needs to know where you are located. Of course, you can avoid being tracked through your cell phone by removing its battery (unless you have an iPhone), but once you slot it back in, there you are.
For much more information on hiding from government monitoring, check out the Electronic Frontier Foundation's Surveillance Self-Defense Web pages at EFF.org.
Wuergler is sanguine about NSA snooping. "To me personally, I think it's an acceptable risk," he says. "I believe that it's not being used on a mass basis against American citizens. At least I hope not."
Me too. But I want to rely on something more than hope when it comes to fending off government snooping.