A story in yesterday’s Wall Street Journal titled NSA’s Domestic Spying Grows as Agency Sweeps Up Data (subscription required) reports that–
According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records. The NSA receives this so-called “transactional” data from other agencies or private companies, and its sophisticated software programs analyze the various transactions for suspicious patterns. Then they spit out leads to be explored by counterterrorism programs across the U.S. government, such as the NSA’s own Terrorist Surveillance Program, formed to intercept phone calls and emails between the U.S. and overseas without a judge’s approval when a link to al Qaeda is suspected.
The NSA’s enterprise involves a cluster of powerful intelligence-gathering programs, all of which sparked civil-liberties complaints when they came to light. They include a Federal Bureau of Investigation program to track telecommunications data once known as Carnivore, now called the Digital Collection System, and a U.S. arrangement with the world’s main international banking clearinghouse to track money movements.
The effort also ties into data from an ad-hoc collection of so-called “black programs” whose existence is undisclosed, the current and former officials say. Many of the programs in various agencies began years before the 9/11 attacks but have since been given greater reach. Among them, current and former intelligence officials say, is a longstanding Treasury Department program to collect individual financial data including wire transfers and credit-card transactions.
An NSA spokeswoman stated that the Agency “strictly follows laws and regulations designed to preserve every American’s privacy rights under the Fourth Amendment to the U.S. Constitution.” If you find comfort in that statement, consider this description of how the Agency uses its expanded domestic surveillance authority to pursue leads:
If a person suspected of terrorist connections is believed to be in a U.S. city — for instance, Detroit, a community with a high concentration of Muslim Americans — the government’s spy systems may be directed to collect and analyze all electronic communications into and out of the city. The haul can include records of phone calls, email headers and destinations, data on financial transactions and records of Internet browsing. The system also would collect information about other people, including those in the U.S., who communicated with people in Detroit.
The information collected “doesn’t generally include the contents of conversations or emails.” Generally. That’s a word we lawyers use to say “most of the time we don’t, unless we do.” Even without such content the NSA can identify the parties to phone calls and emails, their locations, and their cell phone numbers. The telecoms enable the NSA’s efforts either by copying all data through their switches to share with the NSA, or by ceding control to the NSA over the switches. The White House is pushing a bill that would immunize the telecoms from liability for privacy claims arising from this data collection. The NSA domestic surveillance program includes elements of and technology from the Pentagon’s Total Information Awareness initiative that Congress defunded in 2003 following criticism of TIA’s potential for civil rights abuses. Before it was killed the Pentagon renamed TIA to Terrorist Information Awareness to make it seem less creepy. Now the NSA is implementing TIA through its “black budget,” beyond effective non-NSA scrutiny.
The Journal story reminded me of a recent Wired column by the always-prescient Bruce Schneier: What Our Top Spy Doesn’t Get: Security and Privacy Aren’t Opposites. Schneier’s column focuses on a proposal from National Intelligence Director Michael McConnell to monitor all–“that’s right, all–” Internet communications:
In order for cyberspace to be policed, internet activity will have to be closely monitored. Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer or Web search. “Google has records that could help in a cyber-investigation,” he said. Giorgio warned me, “We have a saying in this business: ‘Privacy and security are a zero-sum game.'”
This states it as baldly as one can. This administration’s top intelligence personnel consider every increase in security to require a corresponding decrease in privacy. As Schneier states, “I’m sure they have that saying in their business. And it’s precisely why, when people in their business are in charge of government, it becomes a police state.” Schneier says privacy versus security is a false dichotomy, that the true dichotomy is between liberty and control–and that “liberty requires both security and privacy.”