A lot remains uncertain about the number of users affected by the NSA PRISM surveillance program that is taking place, the extent to which companies are involved, and how the NSA handles this sensitive data. Here are some of the biggest unresolved questions.
Does the NSA regularly collect and examine a huge swath of the cloud communications of American and foreign internet users? Does the agency present evidence and seek careful judicial review to obtain limited amounts of user data related to individual investigations? Or is the answer somewhere in the middle, with queries being constructed such that algorithms scan most or all of the accounts, identifying a smaller set of “interesting” accounts whose contents are sent to the NSA?
This post attempts to set out some fundamental questions that we need answered in order to gain enough clarity on the surveillance taking place to have an informed democratic policy debate.1 We also give our approximations of the realistic “Best case” and “Worst case” scenarios given what we already know about the program, to highlight the range of possible realities.
For each company involved, how many user accounts have had some private data transmitted to the NSA?
Could the NSA, for example, ask for all Gmail emails that contain the word “golden gate bridge” that were sent or received in the last 24 hours? For all private Facebook messages of any user that signed up through an IP address associated with a particular country over a one month period? Are there orders for information which has to be provided on an ongoing basis? Is information filtered by the companies so that no information on Americans is handed over? In order to have a better grasp of the scope, we have been encouraging companies to provide more granular information in their transparency reports or elsewhere.
We’re pleased to see requests from Google and Facebook to the government for more leeway to publish this information in transparency reports. These requests should be taken seriously, and we also encourage the NSA to itself be more forthright with what information is collected.
Best case: The NSA sends a small number FISA 702 orders that are narrowly targeted for specific investigations and touch upon only a small number of user accounts; ideally at most hundreds or perhaps thousands of accounts have information passed on to the NSA every year.
Worst case: Companies receive incredibly broad FISA 702 orders that result in turning over huge swaths of user data to the NSA on a regular or ongoing basis, such as the emails of all users in a particular country, or any that contain a phrase like “golden gate bridge”.
What information about users’ activities is being collected without the cooperation of companies?
Best case: The NSA is not monitoring any metadata or content data of users except via lawful and targeted requests made to the companies.
Worst case: The NSA is broadly monitoring user metadata and content data without any company involvement.
What internal checks does the NSA have on how data is requested and (mis)used?
Aside from purposes, there are other important questions about checks and balances. What evidentiary standard is required for information to be obtained from companies? Once this collection occurs but before a person looks at the data, what minimization procedures take place to ensure that only appropriately targeted data is examined by analysts? Is data deleted, and if so what triggers deletion? What percentage of data is deleted? Is data about Americans always deleted once it is discovered? For people employed at the NSA in a position to look at very private information such as the content of a personal email, what checks are there to prevent that person from misusing this information?
Best case: Data is only sought once there is substantial evidence of terrorism of other activities that might affect national security. Only data relevant to an active investigation is stored, and only as long as it is needed. Data that is not relevant is immediately deleted. All employee access of private data is logged and regularly reviewed for inappropriate or questionable uses.
Worst case: Analysts can go on fishing expeditions without any evidence of wrongdoing. Data is stored indefinitely. Irrelevant data is not discarded, including domestic data on American users. There are few checks on how employees with access can use the tools at their disposal, and little accountability as a result.
America has long struggled to reconcile democratic principles with intelligence imperatives. Striking the right balance is difficult; while there may be legitimate arguments for confidentiality with respect to specific sources and operations, secret legal interpretations and practices are plainly antithetical to American values: the public, acting through Congress, gets to decide what’s allowed. That critical governance process is only possible with transparency. Implausible and unsubstantiated claims that oversight endangers national security only further erode the American public’s trust in the intelligence community. We hope that the NSA will choose a better path: appropriately declassify information, work with companies to disclose the scope of their surveillance programs, and earn the trust of the American public. We urge you to join us in asking the hard questions.
- 1.Note that the following questions are about the sources for the collection of information, and the scope of that collection, but aren’t centred around “PRISM” itself to avoid the word games that government and intelligence agency officials have played to avoid giving substantive answers about the surveillance taking place.
- 2.FISA 702 orders refer to 50 USC § 1881a.
Republished from the Electronic Frontier Foundation under Creative Commons