What Bothers me About NSA Data Collection: A Reply to Thomas Friedman
Warning: This post has little to do with economics, unless you happen to think that an open society with free and private communication is essential to our continued prosperity.
A series of Congressional hearings this week is drawing renewed attention to the issue of the National Security Agency’s program to collect data on telephone and internet activities of hundreds of millions of Americans. While much of the media has focused on whether Edward Snowden is, personally, a hero or a villain, some commentators have plunged into the substantive debate that he hoped to touch off: Is the program he has blown the whistle on really something we want our government to be doing?
One of the most articulate commentators to come to the defense of the NSA is Thomas Friedman. His recent column in the New York Times epitomizes what bothers me most about this whole affair—the readiness of people who claim to be defenders of an open society to make excuses for people and policies that undermine it.
Friedman argues that although what the NSA is doing is distasteful, we should put up with it because it might stop some future terrorist attack, which, in turn, would prompt even more intrusive violations of our freedoms. He explains that he fears government abuse of privacy less than he fears another 9/11,
not because I don’t care about civil liberties, but because what I cherish most about America is our open society, and I believe that if there is one more 9/11—or worse, an attack involving nuclear material—it could lead to the end of the open society as we know it. If there were another 9/11, I fear that 99 percent of Americans would tell their members of Congress: “Do whatever you need to do to, privacy be damned, just make sure this does not happen again.” That is what I fear most.
That is why I’ll reluctantly, very reluctantly, trade off the government using data mining to look for suspicious patterns in phone numbers called and e-mail addresses—and then have to go to a judge to get a warrant to actually look at the content under guidelines set by Congress—to prevent a day where, out of fear, we give government a license to look at anyone, any e-mail, any phone call, anywhere, anytime.
Here are three things that trouble me about this line of argument.
1. It looks like the NSA can already do pretty much whatever it wants
My first concern is that we appear already to have given the security establishment a license to look at anything they want. Snowden’s revelations give us a peek at this broad program of surveillance, but we don’t know a lot of the details, nor are we likely to find out any time soon. Here is what we do know:
- The NSA routinely collects “outside of the envelope” data about most if not all of our electronic communications, landline, cell, and internet.
- They comb through this data with computer models that look for patterns of suspicious activity.
- When they find something that looks suspicious, they make a secret request to a secret judge who decides in secret whether to allow the NSA to “open the envelope” and read or listen to the content of the communication.
- The judges hear only the government’s side of the case and almost never say no.
How is that not “giving the government a license to look at anyone, any e-mail, any phone call, anywhere, anytime?”
The only evidence we have to the contrary is the word of our intelligence professionals, who keep telling us that they only look inside the envelopes of the bad guys, and that doing so has allowed them to foil many vaguely specified plots. The trouble is, our intelligence professionals are inherently not credible. That is because they see themselves as having a duty to lie to us when they think we are getting too close to the truth.
Yes, not just a duty to keep secrets, but a duty to lie. That is more than just a conjecture. Exhibit A is the lie that James Clapper, director of national intelligence, told Congress in March this year. Here is a link to the video clip, in case you haven’t watched it yet. In the clip, Congressman Ron Wyden asks Clapper to answer “yes” or “no” as to whether the NSA collects any kind of data at all on millions of Americans. Clapper answers “No” and then adds, disingenuously, “Not wittingly.”
What is revealing is not so much the answer, which Snowden’s revelations have shown to be false, and which Congressman Wyden probably knew to be false from previous closed hearings, but Clapper’s defense of the answer. Speaking to NBC’s Andrea Mitchell, he explained “I was asked a ‘when are you going to stop beating your wife’ kind of question, which is, meaning not answerable necessarily, by a simple yes or no. So I responded in what I thought was the most truthful or least untruthful manner, by saying, ‘No.’”
In fact, Wyden did not ask the trick question, “Have you stopped beating your wife?” He asked the simpler question, “Do you beat your wife?” It is hard to think of a more untruthful answer than “No.” What is interesting is that Clapper did not choose the less untruthful answer, “I cannot answer that question in open session.” The inference I draw from his untruthful “No” is that he understands his duty not to reveal secrets to include an obligation to tell outright lies whenever a simple “No comment” might be too revealing.
In short, it is my view that giving our intelligence agencies the authority to do a limited amount of data collection and at the same time giving them permission to lie about whether they are exceeding the limit is functionally the same as giving them unlimited authority in the first place. Interpreting what any intelligence professional says on the subject, whether to a journalist or under oath to a Congressional committee, is like trying to figure out one of those trick cards that read, on one side, “The statement on the other side of this card is true,” and on the other, “The statement on the other side of this card is false.”
2. We know the NSA’s methods are fallible
We are supposed to be reassured to know that the NSA initially gathers only information “outside the envelope” and uses that information only as input to computer models that look for “patterns.” The trouble is, pattern-finding models are prone to errors. How do we know? We know because Wall Street hires a lot of people to do the same thing. Wall Street firms can pay higher salaries than the NSA, so they presumably get first pick of the best pattern searchers. Still, they make mistakes, sometimes big ones, as happened in the infamous London Whale episode. In the best case, their models are right more often than they are wrong—right often enough to make money for JPMorgan Chase and right enough for the NSA to catch some bad guys.
Still, any statistical models, no matter how sophisticated, have to be calibrated in a way that turns up a lot of false positives. If they are not, they will miss too many true positives. On Wall Street, false positives result in bad trades. In the intelligence world, false positives result in God knows what.
At best, the subject of an intelligence false positive might be hassled at airport security. At worst, if the false positive is unlucky enough to live in Waziristan or Yemen, he may find himself in the crosshairs of a drone. The CIA does not always know the specific identity of its targets. As reported in the Los Angeles Times and elsewhere, the agency also conducts so-called “pattern of life” strikes, which means killing people who it thinks, on the basis of computer models, are probably dangerous terrorists. Those programs, too, are of necessity calibrated to tolerate some nonzero level of false positives.
Let’s suppose you are a false positive and you are lucky enough only to end up on a no-fly list instead of in the crosshairs of a drone. At that point, you run up against another aspect of fallibility—that of the process through which you can appeal to get off the list. Here is how the ACLU describes its attempts to help one group of no-fly list victims:
Our brief [in the case Latif v. Holder] highlighted the utter irrationality of the government’s No Fly List procedures. The plaintiffs in Latif all flew for years without any problems. But more than two years ago, they were suddenly branded as suspected terrorists based on secret evidence, publicly denied boarding on flights, and told by U.S. and airline officials that they were banned from flying—perhaps forever. Each of them asked the government to remove them from the No Fly List through the only “redress” mechanism available—the Department of Homeland Security Traveler Redress Inquiry Program. But the government has refused to provide any explanation or basis for their inclusion in the list. Our clients have been stuck in limbo ever since.
3. We know the NSA’s people are fallible
Beyond the fallibility of the NSA’s computers, we have to worry about the fallibility of their people. One of the most astonishing things about the reaction to Snowden’s revelations is the parade of intelligence officials who have told us that he could not, or should not, have had access to the very information that he has leaked. If one low-level contract employee could bypass the NSA’s internal firewalls, we have to assume that others can as well. Snowden took his information to the Guardian and the Washington Post. Who knows to whom others might be leaking information? To foreign governments or terrorists? Obviously, but there are other possibilities that are not much less worrisome:
- Hedge fund managers have billions to spend in search of patterns of behavior that could be the basis for profitable trades. How do we know they are not planting Snowden-like IT people at the NSA to snoop for such patterns in the Prism database? What would that say about the integrity of our markets, let alone of our government?
- On the same page of the New York Times where Friedman’s column appeared, James B. Rule, Professor of Law at the U.C. Berkeley Law School, noted that the NSA database could be very handy for uncovering patterns of behavior that reveal crimes other than terrorism. Its use for such purposes is not yet authorized, but Rule worries that once the tools are in place, it will be hard to resist calls to use them for such worthy purposes as targeting child abusers, drug smugglers, and tax evaders. True, those uses are not yet authorized, but how can we be sure that there are no unauthorized uses? Suppose Jane at the IRS thinks she can get a promotion by cracking a big tax evasion case. What keeps her from getting help from her boyfriend at the NSA? The same firewalls that failed to stop Snowden?
- NSA people are only human. Some of them presumably have personal grudges. What stops a vindictive employee from, say, inserting false information into the database that will put a former spouse or lover on the no fly list, or derail their application for a security clearance?
Of course, most federal intelligence employees are straight shooters, but a frighteningly large number of people work in intelligence. The Snowden episode shows that some of them, at least, are willing to step out of line, and that internal controls are less than perfect. In fact, Snowden is actually a special case, in that the nature of his infraction of the rules—whistleblowing—necessarily means the public finds out about him. We are much less likely to learn about those—if there are any—who are passing insider information to hedge funds, or slipping an unauthorized tip to friends in another branch of law enforcement, or working out grudges against former lovers. Even if they are caught, it is likely that their cases will be hushed up as administrative matters, not tried in open court.
The bottom line
Thomas Friedman fears rocking the boat, lest doing so lead to “the end of the open society as we know it.” Personally, though, I am not satisfied with the degree of openness of the society we now know—the society of secret lists, secret courts, and officials who feel free—no, who feel duty bound—to lie to us and our elected officials about what they are up to.
“But it’s all perfectly legal!” you say. Well, as Sen. Rand Paul put it the other day, “Just because Congress approved it doesn’t make it right.” (That’s the same Congress, by the way, in which a majority thinks it would be an outrage against our constitutional rights to maintain a federal register of firearms data. Go figure.)
The whole NSA program, including its façade of legality, is uncomfortably reminiscent of SORM, an internal eavesdropping system first developed by the KGB in the 1980s and extended in Putin’s Russia to encompass cell phones, internet, and every other known form of communication. Interestingly, SORM, like its American counterpart, requires the security services to get a court order before installing equipment to capture data. However, Andrei Soldatov, an investigative journalist and author of several books on Russian security services, has told the Moscow News that the system of court supervision is a sham. “It’s all regulated by internal procedure, by the FSB, essentially,” he said. “Supposedly, there’s some sort of prosecutor control, but nobody’s heard of it [being used]. Nobody is required to show these warrants, so [we] never know for sure whether [the agencies] actually have one.” (Bracketed material is from the Moscow News original.)
I don’t deny that there are real terrorists out there who would be happy to blow me up in the name of whatever warped cause they represent. On balance, though, I welcome the Snowdens who are willing to risk rocking the good ship Open Society a little before it sinks with all of us on board. I’d rather take the risk of a little rocking than cower in the hold, hoping that if we accept things as they are, they won’t get any worse.
14 Responses to “What Bothers me About NSA Data Collection: A Reply to Thomas Friedman”
I agree with the main points of the posting, but I would add some economic issues. In the information age, many American firms sell information, and their customers want to know that it is accurate, timely, and not known by other parties. Google is an example of a firm that is required to provide information to the government, but it is forbidden from informing its customers that it is revealing "confidential" information to the government.
Also the NSA has tried to protect itself from criticism by selectively leaking information about terrorist plots it has foiled without revealing all the false positives that may have harmed individuals and businesses.
Thank you for your post. The problem of Clapper and the congressman seems to be that congresspeople should not ask questions in public session that really should be kept to private session. Lying is sort of job 1 of intelligence agencies, indeed of all politicians, so by itself, it does not constitute a problem, as long as we have some trust in the politicians we elect and their capacity for oversight in confidential matters. (Probably not, but that is a different story. For my part, my estimation of my Senator Dianne Feinstein has really taken a dive here.) Some things really need to be secret.
But more broadly, I find it hard to get upset about the government using big data that corporations have free use of already. The form of "voluntarism" by which we "agree" to the contracts and conditions of corporate participation in things like Google and cell phone usage are a sham. We have no choice at all, really, in a modern existence. I trust companies far less than the government, at least in the US setting, and they have been abusing their data for advertising and other "touch" activities continually.
So I would want to see a broad legal framework for big data that recognizes that while it is not physically within the home or on the person in the traditional "search and seizure" sense, it is still very personal and revealing data that needs to be given specific protections in both corporate and official settings, that give us back some rights and privacy. On the face of it, the NSA methods and legal framework don't look that bad- (not at all like SORM, incidentally)- I only wished that companies were as sparing in their actual use of this data.
Thanks, agreed and I think economists should care.
For me this story is just one part of a very disturbing trend, in which major network providers led by Google, Facebook and Apple are collecting ever more personalized data into large databases of high commercial and espionage value. Watch for example Google's apparent move towards accessing traffic camera data. These amount to private, commercial surveillance operations, which are monetized mainly through advertising, but also provide a very convenient entry to government surveillance. The temptation to governments to hack into them, or to coerce or buy off companies to enter into secret data sharing deals, is simply too great.
We are lucky as American residents that we have some amount of constitutional protection from surveillance. The NSA has a free hand to eavesdrop on communications among foreigners. Its computers have been listening in on their phone calls and digitally screening them for flag words for decades. No doubt it also has a free hand to crack into foreign databases, and is quite successful at that.
One small point that many missed in the recent news is that Microsoft shares its security vulnerabilities with the US government as soon as it finds them, but Microsoft announces those vulnerabilities to the public only after it has come up with a patch to fix them. Stuxnet, the US-intelligence-designed worm that targeted Iranian industrial equipment control computers, employed four such not-yet-publicly-announced security vulnerabilities. An example where US hacking was designed for outright offensive attack on real material equipment.
I hate to sound like a conspiracy theorist, but we're only seeing the tip of the iceberg. The budgets for these types of programs are enormous.
You're right. Although I don't think this is primarily an economic issue, there are economic tie-ins. Another is that it is already throwing sand in the works of a proposed EU-US trade pact. Also, the FT notes that people in other countries are turning to "national champion" alternatives to Google, Yahoo, etc. since they feel they can't trust any US-based web sites any more.
I agree with you, there should be a right to opt out of Big Data on private sites like Google. Even if it meant I had to pay Google an annual fee to use it without data collection (in recognition of the revenue they would lose), I would pay it.
I'm not sure I agree with you that we shouldn't be worried about the government collecting data that private companies already have. After all, even the largest of them only have parts of the whole, for example, Google can't look for patterns that correlate searches with phone records, and vice versa for ATT.
With regard to lying intelligence officials, I don't mean to say they shouldn't lie. I agree, it is part of their job to do so. I just want to emphasize that we all have to be aware that as a result, we cannot believe ANYTHING they say unless it is corroborated by other sources.
And I think you are right, PRISM is not as extensive as SORM, at least not yet, but I think the NSA is catching up fast. I thought it was interesting, though, that even the Russians feel it is necessary to have a fig-leaf of judicial oversight. I wonder if the Chinese equivalent has even that much? Does anyone out there know the answer to that one?
It is very depressing to read about this stuff. It turns us all into conspiracy theorists. I hadn't heard about the Microsoft/Stuxnet angle before.
Friedman says what really frightens him, even more than another 9/11, would be an attack using nuclear material. Even worse than that, I think, might be an "outright offensive attack on real material equipment" such as dams or power grids by a state or nonstate enemy. I would be happier to think that Microsoft is sharing the early tip-offs about vulnerabilities with major infrastructure operators.
In Germany there is huge criticism against Prism. I hope that these critics will change what the NSA is doing but I doubt it…
We still need to have a public debate on whether or not spying on absolutely everyone, in order to find the bad guys, is a policy that is valid and prudent in a democratic society.
Continuing this policy tells me that someone decided, somewhere along the line, that traditional policing and intelligence gathering don't work. If that is the case, then I need to see some data in support of such a claim.
We've been told that 20 plots were foiled. Then we were told that 50 plots were foiled. The only plot I can think of that wasn't foiled and for which there were some warnings was the Boston bombing.
This is all very troubling.
Add to that the lobbying power of firms like Booz, Allen, and you have to wonder how much weight they've had in the decision-making process?
Friedman, like many, is more bothered by the possibility of another act of terror like 9/11 than the establishment of a police state. We should be equally bothered by both.
Sen. Paul was interviewed on CNN a couple of days ago about the 50 cases. He said the testimony did not show that any of them were solved by actual data mining, in the sense that the initial lead was developed by pattern searching within randomly collected data. Instead, he said that traditional police work had led to a suspect in the cases described, and that only then had the NSA used the data base. Paul thought that traditional police work, followed by a request to a court (a real one) for authority to use phone records, e-mail records, etc. would have cracked the same cases. Of course, that is just one Senator's opinion, but it does suggest that PRISM is not the only way–just the most convenient for the agencies and their contractors.
You were kind to Friedman. I don't remember the last time I heard more twisted apologetics than his.
If the NSA's models are so great, how did Snowden slip through? I hope their precious "algorithms" are better than the ones they use to vet their own personnel and those of their contractors, but I see no reason to think so. The very existence of Snowden makes the scenarios you've outlined quite plausible.
I can think of worse ones. Data as extensive as is being stored by the NSA could be used to blackmail any politician. Perhaps only someone alienated enough from other human beings to commit an act of terrorism would be impervious to such blackmail.
The problem of false positives is enormously underestimated. Assuming that their algorithms are 99% effective, then there is a 1% false positive rate. When the algorithms are applied against 20 million people that equates to 200,000 innocent people being targeted for further investigation or being added to No Fly lists or whatever. That, by itself, should be sufficient to end the program.
"FT notes that people in other countries are turning to "national champion" alternatives to Google, Yahoo, etc. since they feel they can't trust any US-based web sites any more."
Pretty funny in its own right. The internet by virtue of its very structure is easily monitored by NSA or any other entity with sufficient technical resources.
And are we to believe that Lithuanian-Facebook will be free to its users but will not collect and sell 'private' data?
Marketing is the art of monetizing credulity.
This coin has two sides: Security versus Freedom. Snowden is naive because everywhere he is considering for citizenship has a similar and more draconian intelligence program. On the other hand, our nation has privacy laws and these laws are being passed over in favor of security. Our previous Secretary of State, UN Ambassador and our President chose to lie on Benghazi. Their reasoning has not been explained, but voters must assume it was related to intelligence related to the event. A great deal of speculation on the Benghazi lie has been published. Why is this lie different from the NSA lie or the IRS lie? Our government leaders seem to feel they must lie and steal our privacy to protect us from ourselves and terrorists. Which creates the ultimate economic question: should citizens trust their government or always be skeptical of the government? Our Founders believed in the latter, but recent voting patterns seem to indicate voters prefer Big Government versus being responsible for their own safety and well being. The economic difference of the two sides of the coin is free markets versus government controlled everything. Friedman fears the common man cannot be trusted to do the right thing in a terrorist attack, while I think a world without freedom plus public officials who feel it is their duty to lie when security emerges will create a dismal place to live plus a declining economy. The trust our nation was built upon will be destroyed if government officials and employees are not required to live by the rule of law and protect our freedoms. My hope is this event will encourage citizens to read and understand our Constitution and its amendments as they were originally intended versus a modern, liberal interpretation that drives the nation to greater and greater central government control versus the trust of the common man originally intended by the Constitution.
If one wishes to see the difference in economics, compare the performance of NY/IL/CA versus TX/KS/and other small government economic strategy states. I propose the intersection of the NSA invasion of privacy and economic performance is a difference of fundamental beliefs of the size and role of government.
Are we witnessing the evolution of a shadow government? Big Data will enable the agency to become almost self-funded via institutionalized insider trading and market manipulation for nearly unlimited funding for off the books black ops with no accountability.
The engineering of consent for its programs is achieved when all political opposition becomes neutralized by coercive blackmail and the planting of false data in a target's digital footprints.