Monday, March 10, 2008

Mining your data at NSA

Let me get this straight. Because there are a lot of Arab-Americans in Detroit, a routine search by an NSA employee could dredge up some communication or transaction of mine with an entity in Detroit, even if it has no connection to a suspected terrorist? Whatever happened to my privacy rights?

Oh, I forgot, they went away thanks to the never ending "war" on terror, which is, apparently, more of a threat to our way of life than facing down a technologically advanced nuclear adversary with thousands of warheads and delivery systems. I had more legal protections of my privacy during the cold war than I do now. See earlier comments here, here and here.

Posted in 2005: ...You might argue that Al Qaeda is more dangerous than the USSR and eastern bloc, with their hundreds of ICBMs and thousands of nuclear warheads, but you'd be crazy. Let me offer the following analogy. While walking home you are confronted by a man with a loaded shotgun. By staring him down and pointing out that you yourself are armed, you avoid having your head blown off. Continuing on your way home, a small dog bites your ankle. Is the dog really a greater threat, just because it bit you, than the guy with the shotgun? If not, why should we allow Bush to unilaterally claim greater security powers than Reagan or Carter had? (Indeed, contravening the existing FISA law of 1978.)

The fact that the NSA has the capability to, e.g., pull up my past internet searches and email traffic, means that the telcos are turning over gigantic amounts of data on each of us to NSA for storage and indexing. The article below states that they don't generally have access to the content of email messages. However, this does not imply that they don't store the content (the text part of the message is a trivial amount of data, not much larger on average than the header information), just that they need a higher level of (FISA?) approval before looking more deeply at the communications. So, if you ever need to recover some lost email that you sent, you could always check with the NSA as a last resort!

WSJ: ...According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records. The NSA receives this so-called "transactional" data from other agencies or private companies, and its sophisticated software programs analyze the various transactions for suspicious patterns. Then they spit out leads to be explored by counterterrorism programs across the U.S. government, such as the NSA's own Terrorist Surveillance Program, formed to intercept phone calls and emails between the U.S. and overseas without a judge's approval when a link to al Qaeda is suspected.

The NSA's enterprise involves a cluster of powerful intelligence-gathering programs, all of which sparked civil-liberties complaints when they came to light. They include a Federal Bureau of Investigation program to track telecommunications data once known as Carnivore, now called the Digital Collection System, and a U.S. arrangement with the world's main international banking clearinghouse to track money movements.

The effort also ties into data from an ad-hoc collection of so-called "black programs" whose existence is undisclosed, the current and former officials say. Many of the programs in various agencies began years before the 9/11 attacks but have since been given greater reach. Among them, current and former intelligence officials say, is a longstanding Treasury Department program to collect individual financial data including wire transfers and credit-card transactions.

It isn't clear how many of the different kinds of data are combined and analyzed together in one database by the NSA. An intelligence official said the agency's work links to about a dozen antiterror programs in all.

...the systems then can track all domestic and foreign transactions of people associated with that item -- and then the people who associated with them, and so on, casting a gradually wider net. An intelligence official described more of a rapid-response effect: If a person suspected of terrorist connections is believed to be in a U.S. city -- for instance, Detroit, a community with a high concentration of Muslim Americans -- the government's spy systems may be directed to collect and analyze all electronic communications into and out of the city.

The haul can include records of phone calls, email headers and destinations, data on financial transactions and records of Internet browsing. The system also would collect information about other people, including those in the U.S., who communicated with people in Detroit.

The information doesn't generally include the contents of conversations or emails. But it can give such transactional information as a cellphone's location, whom a person is calling, and what Web sites he or she is visiting. For an email, the data haul can include the identities of the sender and recipient and the subject line, but not the content of the message.


Anonymous said...

Did we ever have privacy "rights"? Serious question.

Steve Hsu said...

Not in the sense of the bill of rights (no mention of privacy, I believe). Perhaps I should have referred to legal protections of privacy rather than "rights"

Anonymous said...

We have protection against unreasonable search and seizure. We are also presumed innocent until proven guilty. We synthesize a right privacy from that, in that the government has a vague limitation as to where its agency with respect to the identification and prosecution of crimes begins and ends.

The systematic outcome is that an unusually small number of citizens can effect an inordinately large amount of 'damage' to other citizens, and there is no way for the latter to defend themself until the damage is done. The question of governance is, "How many people are you willing to expose to hazard X, and for the sake of achieving global safety from hazard Y?"

I don't think that the government does a very good job of accounting for itself in this way, though. (Which is why enabling this kind of datamining is dangerous)

Anonymous said...

> We have protection against unreasonable search and seizure.

We *had* protection against unreasonable search and seizure.

gcochran said...

The positive side is that if your hard disk suddenly dies the real death, you can just send a note to the NSA and they'll send you all your missing email.

Seth said...

"... NSA [will] send you all your missing email."

Not if you're the RNC or the White House they won't ;)

David: I like your answer on the question of privacy rights.

Blog Archive