One of the lasting images revealed by Snowden was that of the NSA breaking into computers at the United Nations to spy on diplomatic activities there. Reportedly, when they broke into the UN system, U.S. hackers found the Chinese already there conducting their own surveillance.42 But because the United States was engaged in exactly the same arguably illegal activity, the U.S. government had no standing to call out the Chinese.
On May 19, 2014, U.S. attorney general Eric Holder revealed that the Justice Department had obtained a sealed indictment of five Chinese military officials for conducting economic cyber espionage against U.S. companies.43 This desperate effort to regain the upper hand in U.S. dealings with China over electronic spying at least suggested that however little the Obama administration might appreciate the meaning of hypocrisy, it at least understood irony.
Increasing Insecurity in Cyberspace
The Snowden revelations also raise fundamental questions about the extent to which the NSA may be weakening, rather than enhancing, cyber security. Beginning in 2013, the annual Worldwide Threat Assessment of the U.S. Intelligence Community has identified cyber threats, even more than terrorist attacks, as the greatest threats facing the United States.44 The key challenge, according to analysts, “is the often losing battle to stop cyber incursions into US networks.”45
To help guard against that threat, the Obama administration in February 2013 published Executive Order 13636 on Improving Critical Infrastructure Cybersecurity, which asserted:
“Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats.”46
Although worded in terms of “consultation” and “voluntary” adoption of a cybersecurity framework, which the National Institute of Standards and Technology released in February 2014,47 the Executive Order called for federal agencies to consider incentives, including changes to the federal acquisition regulations, for encouraging adoption of the framework.48 It required agencies to report on the extent of private-sector participation in the framework program.49 And, most significantly, the Executive Order directed agencies to “determine if current cybersecurity regulatory requirements are sufficient given current and projected risks”; report on “whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required”; and “propose prioritized, risk-based, efficient, and coordinated actions . . . to mitigate cyber risk” if current regulatory requirements are “insufficient.”50
While the president ordered federal agencies to strengthen cyber defenses, and the intelligence community identified weaknesses in those defenses as part of the greatest threat the country faces, documents leaked by Snowden suggest the NSA has actually been weakening cyber security. According to a number of the documents, in its quest for tools to break into the communications of other countries and industries, the NSA has worked deliberately to weaken cyber security.
The New York Times cataloged some of the ways disclosed in NSA documents in which the NSA seeks to create and exploit cyber vulnerabilities. These include:
• The NSA’s SIGINT Enabling Project, “a $250 million-a-year program that works with Internet companies to weaken privacy by inserting back doors into encryption products . . . to undermine encryption used by the public.”
• NSA insertion of “vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets.”
• NSA efforts to “[i]nfluence policies, standards and specifications for commercial public [encryption] key technologies.”
• NSA work “with the manufacturers of the [encryption] chips to insert back doors or by exploiting a security flaw in the chips’ design.”51
These and other methods of weakening cyber security to advance the NSA’s surveillance mission are profoundly problematic because, in the words of cyber security expert Bruce Schneier, “It’s sheer folly to believe that only the NSA can exploit the vulnerabilities they create.”52
Ironically, the NSA is charged with two missions: securing the cyber infrastructure of the DOD and related agencies, and gathering foreign intelligence. Privacy and security advocates have long worried that in pursuit of the latter, increasingly dominant mission, the agency would learn about software and other vulnerabilities. Rather than disclose or attempt to fix them, the agency would exploit them, thus compromising its cyber defense mission. What we now know is that the agency went a step further and actively introduced vulnerabilities into commercial security products and services to enhance its ability to collect intelligence, even though this actively weakens both government and private-sector cyber infrastructure. This problem is particularly challenging not only because the NSA holds two conflicting missions, but also because it is problematic to introduce vulnerabilities into the cyber ecosystem if cyber security is as important as the president and intelligence officials claim.
And what the NSA is doing has huge costs for industry, individuals, and our nation. Industry is hurt because foreign business partners and government agencies are refusing to do business with U.S. information technology and telecommunications companies out of fear those companies are cooperating with, or are susceptible to legal or financial pressure from, the NSA. Individuals are hurt because the software, hardware, and services that secure our data—our financial transactions, health records, and personal communications—are less secure from intrusions by the NSA and anyone else taking advantage of the NSA’s meddling. Our nation is hurt whenever our economy or civil liberties are attacked. Our entire governmental system—our tax records, benefit payments, air traffic control systems, fire and police protection, nuclear safety, and thousands of other vital functions—depends on networks and technologies that, thanks to the NSA, are less secure today.
The Impact of Government Surveillance on Personal Privacy
Snowden’s disclosures focused new attention on the inadequacy of U.S. privacy law. That law has long been described as fragmented, inadequate, and often unworkable. It continues to deny privacy rights to non-U.S. persons, which is inconsistent with the administration’s position on human rights in cyberspace. In addition, it is often impossible to determine the nationality of the source or subject of digital information, an ambiguity the NSA has exploited aggressively. In fact, under current U.S. law, the citizens and leaders of our closest allies get the same level of privacy protection as terrorist suspects and the nation’s most bitter foes.
Under the Supreme Court’s “third party doctrine,” constitutional protection for data is denied to information that is held by a third party. The doctrine originated in 1976 in United States v. Miller, where the court held that there can be no reasonable expectation of privacy in information shared with a third party. The case involved canceled checks, to which, the court noted, “respondent can assert neither ownership nor possession.” Such documents “contain only information voluntarily conveyed to the banks and exposed to their employees in the ordinary course of business,” and, therefore, the court found that the Fourth Amendment is not implicated when the government sought access to them:
The depositor takes the risk, in revealing his affairs to another, that the information will be conveyed by that person to the Government. This Court has held repeatedly that the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.53
The Court reinforced its holding in Miller in the 1979 case of Smith v. Maryland, involving metadata about telephone calls. The Supreme Court found that the Fourth Amendment is inapplicable to telecommunications “attributes” (e.g., the number dialed, the time the call was placed, the duration of the call, etc.) because that information is necessarily conveyed to, or observable by, third parties involved in connecting the call: “[T]elephone users, in sum, typically know that they must convey numerical information to the phone company; that the phone company has facilities for recording this information; and that the phone company does in fact record this information for a variety of legitimate business purposes.”54
Excluding data held by third parties from the protection of the Fourth Amendment is problematic today because of the extraordinary increase in both the volume and sensitivity of information about individuals necessarily held by third parties. In today’s networked world, almost all information we generate—our e-mail, voice mail, documents, pictures, recordings, etc.—is held by third parties. The Supreme Court’s exemption from the Fourth Amendment of records held by third parties today means that virtually all personal information is removed from the protection of the Fourth Amendment. As a result, individuals are more exposed than ever to government scrutiny. In addition, the Supreme Court also has repeatedly found that there is no constitutional protection against the government’s use of data it already possesses, even if it collected the data illegally.55
Snowden’s disclosures shone new and brilliant light on the inadequacies of U.S. privacy protection against government surveillance by making it clear that despite that protection, the FISC granted secret orders authorizing the collection of “metadata” about all U.S. domestic and international calls despite the absence of any “authorized investigation” to which such a sweeping set of data could be relevant. Subsequent disclosures showed that the NSA was using authorized access to data about non-U.S. persons collected abroad to obtain data on U.S. persons. The NSA was exploiting ambiguity about whether data concerned a U.S. person in order to collect and retain the data, and it was keeping data about U.S. persons erroneously collected for up to five years. This behavior furthered calls for clarifying and strengthening U.S. privacy law.56
This issue is of more than merely domestic importance. Before Snowden, provinces in Canada and a growing range of national governments in the European Union cited the U.S. government’s broad access to private-sector records as a basis for blocking the export of personal data to the United States.57 After Snowden, U.S. information technology, telecommunications, and financial companies reported significant pushback from foreign clients concerned about their data being stored in a “U.S. cloud.” The German government canceled a longstanding agreement with Verizon because of NSA surveillance. Addressing this issue is critical to building stronger, more cooperative relationships with our allies in the quest for better security.
The Technology and Privacy Advisory Committee, the blue-ribbon, bipartisan committee secretary of defense Donald Rumsfeld appointed to examine privacy and security issues, reported in 2004 that “[l]aws regulating the collection and use of information about US persons are often not merely disjointed, but outdated.” They “fail to address extraordinary developments in digital technologies, including the Internet.” As a result, “[i]t is time to update the law to respond to new challenges.”58 Also as a result, privacy is often not protected. Public and legislative concerns about the proper line between privacy and security have also led to political firestorms over proposed security programs and created great uncertainty and even a sense of personal risk among security professionals in the government. The National Academy of Sciences echoed the call for updating U.S. privacy laws in 2008, again to no avail.59
Government officials often respond to calls for stronger privacy laws by claiming that any restraints will diminish the effectiveness of national security, foreign intelligence, or other important activities. This does not have to be the case: building discipline, thoughtfulness, and focus into our nation’s surveillance efforts might actually enhance our nation’s security. After all, in the aftermath of the 9/11 attacks, no one claimed that we lacked information about the hijackers, but rather that we could not work effectively with the data we already had, could not “connect the dots,” or find the needles buried in the government’s own haystacks of existing intelligence information. So while the Obama administration talked about the need to find more information—more hay—that very assertion suggests how misguided our surveillance efforts may be because it ignores a critical lesson from the 9/11 attacks. It also suggests the government has forgotten that the end goal of surveillance should be to find needles, not merely more hay.
Even if protecting our rights and other national interests makes security more difficult, that is the case with all constitutionally protected rights. Trials by juries, for example, take more time and cost more money than trials before judges. The presumption of innocence inevitably results in guilty people going free. Free speech can cause great harm. Important civic values are rarely without cost. But the framers of the Constitution thought that protecting those values was worth the costs those protections imposed. This belief is especially clear in the case of privacy, as the Supreme Court noted in its unanimous June 2014 opinion in Riley v. California, striking down warrantless searches of cellphones: “Privacy comes at a cost.”60
One of the most potent grievances that led the colonists to declare independence more than two centuries ago was the practice of British officials conducting “general” searches. British troops and customs officials would go door to door and person to person, searching everything and everyone in their path. The hostility to general searches found powerful expression in the Fourth Amendment to the Constitution. The amendment established the “right of the people to be secure in their persons, houses, papers, and effects” and to be free from “unreasonable searches and seizures.” But it goes further. It gives meaning to that constitutional right by requiring that to obtain a warrant to conduct a search, the government must “particularly describ[e] the place to be searched, and the persons or things to be seized” and demonstrate under oath that it has “probable cause” a crime has been or is likely to be committed and that the search is germane to that crime.
The NSA surveillance programs ignore the Fourth Amendment. But they ignore something else as well: the courage of the Americans who crafted that amendment and the rest of the Bill of Rights. Too often, government officials today argue that the threat of terrorism has made everything different or that the values of the Fourth Amendment must give way in dangerous times. But the times in which the Fourth Amendment was adopted were hardly tranquil. In 1783, the Treaty of Paris ended the Revolutionary War. The former colonies were in economic and physical shambles. The Articles of Confederation, enacted in 1781, were failing; it looked as though the new nation would disintegrate before it ever got started. In this setting, when the new nation was hanging by a thread, the Fourth Amendment was adopted. In fact, just four days after the amendment was adopted in 1789, Congress created a standing army for the new nation, and within twenty-three years the British would burn the White House in the War of 1812.
The danger to the survival of the nation seemed far greater then than now, yet in the midst of that turmoil, the founders of the United States enacted their most vigorous protections for fundamental rights. Congress and the administration would do well to remember the importance of those values and of the tools to protect them, from not only attack from without but also erosion from within.
The question whether Snowden is a villain or a hero continues to be hotly debated. The truth is more complicated than this simple question might suggest.
As an intelligence gathering agency, many—perhaps most—of the NSA’s activities must be conducted in secret. But this reality does not mean that intelligence activities should be conducted free from effective oversight or that they should be immune from careful scrutiny about whether appropriate benefits outweigh their considerable costs. Perhaps most importantly, intelligence activities should not operate outside the law or be conducted in ways that are unnecessarily intrusive, costly, or damaging to personal privacy, the U.S. economy, the nation’s integrity and standing, or the values Americans purport to uphold. While intelligence activities may need to be secret, the law and legal interpretations that guide them must not be. As former congressman and 9/11 Commission vice chair Lee Hamilton has argued, “secret power is dangerous power.” Clearly we can and should do better, and government task forces, commissions, and expert panels have frequently recommended ways to do so.
The disclosures by Snowden demonstrate that the NSA has violated these basic principles. It has engaged in dozens of secret programs, many of which were totally unknown not merely to the public, but to expert oversight boards, such as the President’s Foreign Intelligence Oversight Board. It has done so under secret legal interpretations with no precedent in published law. In fact, the idea that the NSA could, under existing law, collect data on all Americans had been actively and repeatedly denied by senior government officials until Snowden made it clear that the NSA was doing it. Such sweeping changes in the application of the law, the large-scale surveillance and cyber incursions undertaken under these changes, and the lies that obscured what was being done, should all be the subject of public debate. Thanks to Snowden, whatever his virtues and failings, that debate is now happening.
The Snowden Reader Page 7