25 September 2015

AFTER A CENTURY OF MASS GOVERNMENT SURVEILLANCE, IT’S TIME FOR NEW LIMITS

Sep. 22 2015

There is something disquieting and unwholesome about telecoms feeding our communications to government agencies. It was headline news, again, last month when we learned that AT&T has had a longstanding partnership with the National Security Agency. Unfortunately, this form of private-public intelligence collusion is neither new nor, in my view, illegal. Whether it is immoral is an entirely separate question.

U.S. communications carriers first became partners in the intelligence game shortly after World War I. Diplomatic and military affairs transmitted via telegram to home countries were intercepted and decrypted by the Black Chamber, the NSA’s precursor. Obtaining telegrams then was eerily similar to how communications are obtained today: The government simply asked.

The Western Union Telegraph Company and the Postal Telegraph Company allowed intelligence officers to copy telegrams, and this partnership persisted in peacetime. In 1929, however, Secretary of State Henry Stimson defunded the Black Chamber. His concise, and seemingly naïve, rationalereportedly being: “Gentlemen do not read each other’s mail.”

World War II exigencies overruled Stimson’s moral objections and the United States resumed telegram interception. Starting in 1945, just after the end of the war, this interception widened, and Western Union, RCA, and ITT provided the government, via the NSA and its predecessors the Army Security Agency and the Armed Forces Security Agency, with paper tape, microfilm, and later magnetic tape copies of most international telegrams. This continued unabated for decades after the war and was known as Project SHAMROCK.

NSA shared this data with law enforcement, including the FBI and Secret Service. Project SHAMROCK, however, suffered from classic function creep, the gradual extension of a system beyond the purposes for which it was conceived. In the 1960s and 1970s, names of American citizens and organizations were added to watch lists. Anti-war activists, Martin Luther King Jr., Muhummad Ali, and Jane Fonda were among the nearly 1,700 U.S. individuals and organizations targeted for domestic surveillance. This was known as Project MINARET.

Presciently, in 1975 on Meet the Press, Senator Frank Church (he himself a target of MINARET) stated:

In the need to develop a capacity to know what potential enemies are doing, the United States government has perfected a technological capability that enables us to monitor the messages that go through the air. … That capability at any time could be turned around on the American people, and no American would have any privacy left. … There would be no place to hide.

The Foreign Intelligence Surveillance Act, codifying a warrant requirement with judicial oversight for electronic surveillance, with particularly strong protections for U.S. persons, was born of the eponymous Church Committee.

This was a philosophical shift in the perception of intelligence activities. Despite infringing privacy of U.S. residents — and undeniably going beyond the degree of intrusion at issue with the Black Chamber — there was no Stimson-like categorical condemnation of surveillance itself. Communications interception was a necessary evil to detect and deter existential threats to the United States. It was crucial, therefore, to safeguard U.S. persons from harm occasioned by this necessary evil.

Foreigners were viewed in a different light, with considerably less protection under FISA as it exists today. Foreigners’ communications have always been legitimate targets of collection, from the time of the Black Chamber and despite fallout from Projects SHAMROCK and MINARET. As an NSA presentation indicates, AT&T even withheld domestic communications before delivering anything to the NSA. The intelligence game in the United States has not changed in over 100 years, so what is the source of the outrage?

As a nation, we are uncomfortable with the morality of the degree (not kind) of intelligence collection that occurs as a result of secret partnerships. In the busiest of MINARET’s six years of operations, there were only 600 domestic and 6,000 foreign targets. Contrast that with the billions of emails flowing across the networks to which AT&T has provided the NSA access. It is the quantity, not the type, source, or method of collection, that produces visceral unease.

Linking this sense of unease to a chilling effect on freedom of speech and association, the ACLU and the Wikimedia Foundation, which runs Wikipedia, have sued to try and halt bulk collection of communications. Our federal courts, however, are not the proper forum. Legal standing and damages requirements mire the process in preliminary motions, and perhaps rightly so because, at root, the question of how surveillance is to be carried out in our names is more of an ethical and political question than a legal issue.

Stimson’s moral prescription that we should not “read each other’s mail” was anachronistic when uttered in 1929. It is ridiculous to suggest we halt foreign intelligence collection derived from U.S. telecoms. It is not outrageous, however, to expect our intelligence be derived more efficiently and fairly. Technologies used to exclude domestic communications can also be adapted to minimize foreigners’ data. Given the quantities of data collected daily, we must expect more to be done to prevent the same function creep that allowed SHAMROCK and MINARET to spiral out of control.

There is a perception that our infrastructure — critical to free expression and global commerce — is exploited and untrustworthy. Our moral compass, again, tells us that this is wrong: Privacy is a right that is universal and fundamental, which ought to apply to all.

Alexander J. Urbelis is a lawyer and self-described hacker with more than 20 years experience with information security. He has worked as a graduate fellow in the Office of General Counsel of the Central Intelligence Agency, as a law clerk at the U.S. Court of Appeals for the Armed Forces, and as an associate in the New York and the D.C. offices of Steptoe & Johnson. He is currently CEO of Black Chambers Inc., an infosec consulting company, and a partner in a law firm focused on infosec. Alex can be reached at alex@blackchambers.nyc.

No comments: