American Spies: how we got to age of mass surveillance without even trying
While American Spies was written prior to Donald Trump winning the 2016 presidential election, it has become vital and relevant under the new Republican administration.
Jennifer Stisa Granick is one of the premiere legal minds currently trying to grok the intersection between surveillance, privacy, and public policy. She serves as the Director of Civil Liberties at the Stanford Center for Internet and Society. Before that, she worked at the Electronic Frontier Foundation.
In her book, Granick presents an expansive overview of the national-security legal landscape. However, despite being geared largely toward attorneys and academics, American Spies can be easily understood by anyone with even a passing familiarity with touchstone concepts that have graced the pages of Ars Technica in recent years, including Edward Snowden, Section 702, and Executive Order 12333.
The fiery counsel wastes no time in laying out her argument:
Modern surveillance is regulated by a confusing patchwork of laws that nevertheless fails to provide meaningful limits on government power, and which therefore invites abuse. After September 11th, laws that should have protected people’s privacy and stopped surveillance abuses were weakened via the USA PATRIOT Act. When technology and economics gave spies vastly more power, rather than have law step up to the challenge of constraining that power, Congress and the courts did nothing, or the laws were softened even further. American spies have flooded into the power vacuum left by powerful technology and weak legal protections.
In short, American law as it stands is largely insufficient to deal with the crushing weight and power of American spies.
Jeu de mots
While Chapter 1 is largely a summary of Snowden-era programs and revelations, Chapter 2 is the part of Granick’s book that made me sit up and take notice.
She argues that a huge gulf separates how words are used by the intelligence community and the general public. For example: “surveillance.” Granick uses it in the way that Ars (and probably most people) use it: “Surveillance means government collection of private and personal information: address books, buddy lists, photos, phone numbers, web history, geolocation data, and more.”
But within government circles, surveillance means something very specific: it’s shorthand for “electronic surveillance” (ELSUR) as governed by the Foreign Intelligence Surveillance Act (FISA).
By using “surveillance” to mean only ELSUR governed by FISA, officials can say that they do not conduct “surveillance” even when they are collecting personal data like phone numbers, Internet transactional records, face prints, or geolocation data. The intelligence community might call its acquisition of this kind of information “collection,” which sounds milder than “surveillance”... The word “bulk” is another opportunity for mischief. People use the word “bulk” as a synonym for massive, vast, or large-scale collection. But the intelligence agencies have a special definition of the word “bulk.” They only use “bulk” to mean acquisition that takes place without using a selection term or “discriminator.”
In other words, grabbing everything is bulk. But if the government uses search terms, keywords, or selection terms, it’s not bulk. So, if, when wiretapping a particular fiber optic cable, the NSA selects or “tasks” all communications with the word “Syria” or “China” in them, the NSA lawyers might not call that “bulk,” even though hundreds of millions of innocent people’s irrelevant messages are going to be collected and analyzed. Similarly, the government won’t say that its collection is indiscriminate if it uses any kind of selection term.
This becomes more concerning when the government makes it hard to answer the basic question, “Who is a United States person?” Such people have inherent privacy protections, and a “United States person” is generally believed to mean American citizens, American permanent residents (green-card holders), and American companies. But there might be more to it. That’s because, according to the Department of Justice Office of the Inspector General, there’s a classified directive that further explains who a US person is, but it contains a few sentences that are redacted.
Granick reasons that this nomenclature obfuscation isn’t just due to bureaucratic legalese. Rather, it’s part of a broader strategy to keep not only the public in the dark, but the legislative and judicial branches as well.
The evidence suggests that the misdirection is intentional, at least on the part of some officials. The misstatements go well beyond the kind of obfuscation needed to keep terrorists complacent about using surveilled networks. American spies know they have to maintain public acquiescence, and they believe that if people knew the truth, the programs would lose support.
An ever-bigger haystack
Beyond nomenclature, Granick offers a three-part criticism of national security law as it stands, revolving around mathematics, notification, and the opaque nature of the law.
She begins by saying that the entire concept of “collect it all” is not just wrong-headed, it’s also counterproductive. As experts like Bruce Schneier have been saying for years, probability and statistics show us that throwing billions of dollars to conduct mass surveillance to locate something that simply doesn’t happen all that often (terrorism) is largely pointless.
And the “collect it all” credo has crept far beyond the search for terrorists. As Ars has reported for years, this mentality has percolated down to the most local level of law enforcement. Police in cities across America routinely use license plate readers to investigate crimes. However, data from several cities show that the “hit rate,” or match between an unknown plate and a stolen or wanted car, is nearly always less than one percent. (In Oakland, California, it’s 0.16 percent.)
Granick explains that law enforcement agencies don’t want to stop this “collect it all” train, lest they be blamed for people dying. And yet abuses are common.
Ars readers may remember the National Security Agency’s LOVEINT scandal, in which intelligence staffers used the agency’s vast spy infrastructure to target their ex-partners. As far as we are aware, no one knows what punishments, if any, were doled out to those NSA staffers.
“Finally, there are no remedies for people who suffer from violations of those rules,” Granick concludes. “Violations may or may not be reported or cataloged. Victims are not informed. Without the threat of exposure and punishment, there is little incentive for analysts to rigorously follow the rules.”
Worse still is that, while courts ostensibly provide oversight, judges often don’t find out what has gone wrong until a national security official tells them. And even when judges do get upset, no meaningful punishments have ever been doled out for those who stretch the law.
“[Judges] also don’t want to stop the spying because they’re told that if they do, some people could die,” she concludes. “So they expand the NSA’s authority, issue more complex rules, and let the surveillance go forward.”
Finally, she reaches a troubling realization: that the nexus between the law, surveillance, privacy, and national security still lacks clear-cut boundaries. Crucially, these discussions often happen without the benefit of public scrutiny. Many of these court cases are sealed or happen under the umbrella of national security classification, such that the citizenry doesn’t know exactly what’s going on.
In sum, there is much uncertainty in surveillance law. Does the Fourth Amendment protect data stored on the Internet? Is massive spying constitutionally different from the collection of one person’s data? How do FISA and ECPA apply to information for which the expectation of privacy is not legally settled given the third-party doctrine? If the Fourth Amendment doesn’t apply to foreigners abroad what does that mean for foreigners living in the United States and for the Americans that talk with them?
Today, we live under a confusing, convoluted, and technologically outdated legal regime that has left American privacy with uncertain legal protection. The uncertainty is exacerbated by the fact that so much surveillance–both law enforcement and intelligence–is secretly authorized via sealed and ex parte court proceedings.
After all of this, don’t be surprised if you’re demoralized. The wheels of justice move at a glacial pace compared to the breakneck speed of technology. The Supreme Court doesn’t often rule on landmark issues of privacy, which means that older legal theories (like the “third-party doctrine”) remain good law.
American Spies is mostly descriptive and less prescriptive. Granick doesn’t address a possible solution until the end of the book. She knows that any revisions to national policy are “a job for Congress.” However, in the modern American political climate, Congress can barely agree on the time of day, much less comprehensive privacy law reform. While there are some efforts in the right direction (the “Email Privacy Act” just passed the House of Representatives last week), no cohesive, substantial movement exists within Congress to change the law.
Yes, there are groups like the Electronic Frontier Foundation and the American Civil Liberties Union that are lobbying and litigating to nudge the government in the right direction. However, much of Congress still generally lacks the computer literacy skills to fully understand what the risks are and what steps need to be taken. Legislators like Rep. Ted Lieu (D-Los Angeles) often seem to be speaking about the benefits of encryption in a vacuum. (Also, seriously, how many top government officials are still using AOL accounts?)
Granick makes no mention of how these surveillance-policy reforms may be another decade or more away. However, there is a bright spot: a few cities like Seattle and Oakland have taken up efforts to more closely monitor how surveillance is conducted locally, and they have attempted to exert meaningful civilian oversight. So, think globally, act locally?