The NSA’s Domestic Cybersecurity Surveillance

Earlier today, the New York Times reported that the National Security Agency has secretly expanded its role in domestic cybersecurity. In short, the NSA believes it has authority to operate a warrantless, signature-based intrusion detection system—on the Internet backbone.

Owing to the program’s technical and legal intricacies, the Times-ProPublica team sought my explanation of related primary documents. I have high confidence in the report’s factual accuracy.

Since this morning’s coverage is calibrated for a general audience, I’d like to provide some additional detail. I’d also like to explain why, in my view, the news is a game-changer for information sharing legislation.

… 

“We Support Strong Encryption”

A good Washington talking point delivers zero content. A great Washington talking point sounds substantive… while delivering zero content.

In the spirit of honoring greatness, I’d like to call attention to the current White House position on cryptographic backdoors. It received its most public airing from President Obama, in a February 13 interview with RE/CODE.

“I’m a strong believer in strong encryption,” explained the President. “[T]here’s no scenario in which we don’t want really strong encryption.”

President Obama isn’t the only official invoking “strong encryption.” (And strongly, too.) In just about every recent conversation with an administration policymaker, I’ve been subjected to some version of the line.
… 

You Can’t Backdoor a Platform

According to law enforcement and intelligence agencies, encryption should come with a backdoor. It’s not a new policy position—it dates to the Crypto Wars of the 1990s—but it’s gaining new Beltway currency.

Cryptographic backdoors are a bad idea. They introduce unquantifiable security risks, like the recent FREAK vulnerability. They could equip oppressive governments, not just the United States. They chill free speech. They impose costs on innovators and reduce foreign demand for American products. The list of objections runs long.

I’d like to articulate an additional, pragmatic argument against backdoors. It’s a little subtle, and it cuts across technology, policy, and law. Once you see it, though, you can’t unsee it.

Cryptographic backdoors will not work. As a matter of technology, they are deeply incompatible with modern software platforms. And as a matter of policy and law, addressing those incompatibilities would require intolerable regulation of the technology sector. Any attempt to mandate backdoors will merely escalate an arms race, where usable and secure software stays a step ahead of the government.

The easiest way to understand the argument is to walk through a hypothetical. I’m going to use Android; much of the same analysis would apply to iOS or any other mobile platform.
… 

In NSA Appeals, DOJ Misleads About Medical and Financial Records

Earlier this week, the Ninth Circuit heard oral arguments in a challenge to the NSA’s phone metadata program. While watching, I noticed some quite misleading legal claims by the government’s counsel. I then reviewed last month’s oral arguments in the D.C. Circuit, and I spotted a similar assertion.

In both cases, the government attorney waved away constitutional concerns about medical and financial records. Congress, he suggested, has already stepped in to protect those files.

With respect to ordinary law enforcement investigations, that’s only slightly true. And with respect to national security investigations, that’s really not right.

… 

Executive Order 12333 on American Soil, and Other Tales from the FISA Frontier

When the National Security Agency collects data inside the United States, it’s regulated by the Foreign Intelligence Surveillance Act. There’s a degree of court supervision and congressional oversight.

When the agency collects data outside the United States, it’s regulated by Executive Order 12333. That document embodies the President’s inherent Article II authority to conduct foreign intelligence. There’s no court involvement, and there’s scant legislative scrutiny.

So, that’s the conventional wisdom. American soil: FISA. Foreign soil: EO 12333. Unfortunately, the legal landscape is more complicated.

In this post, I’ll sketch three areas where the NSA collects data inside the United States, but under Executive Order 12333. I’ll also note two areas where the NSA collects data outside the United States, but under FISA.
… 

MetaPhone: The Sensitivity of Telephone Metadata

Co-authored by Patrick Mutchler.

Is telephone metadata sensitive? The debate has taken on new urgency since last summer’s NSA revelations; all three branches of the federal government are now considering curbs on access. Consumer privacy concerns are also salient, as the FCC assesses telecom data sharing practices.

President Obama has emphasized that the NSA is “not looking at content.” “[T]his is just metadata,” Senator Feinstein told reporters. In dismissing the ACLU’s legal challenge, Judge Pauley shrugged off possible sensitive inferences as a “parade of horribles.”

On the other side, a number of computer scientists have expressed concern over the privacy risks posed by metadata. Ed Felten gave a particularly detailed explanation in a declaration for the ACLU: “Telephony metadata can be extremely revealing,” he wrote, “both at the level of individual calls and, especially, in the aggregate.” Holding the NSA’s program likely unconstitutional, Judge Leon credited this view and noted that “metadata from each person’s phone ‘reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.’”

This is, at base, a factual dispute. Is it easy to draw sensitive inferences from phone metadata? How often do people conduct sensitive matters by phone, in a manner reflected by metadata?
… 

MetaPhone: The NSA’s Got Your Number

Co-authored with Patrick Mutchler.

MetaPhone is a crowdsourced study of phone metadata. If you own an Android smartphone, please consider participating. In earlier posts, we reported how automated analysis of call and text activity can reveal private relationships, as well as how phone subscribers are closely interconnected.

“You have my telephone number connecting with your telephone number,” explained President Obama in a PBS interview. “[T]here are no names . . . in that database.”

Versions of this argument have appeared frequently in debates over the NSA’s domestic phone metadata program. The factual premise is that the NSA only compels disclosure of numbers, not names. One might conclude, then, that there isn’t much cause for privacy concern.
… 

MetaPhone: Seeing Someone?

Co-authored with Patrick Mutchler.

Two weeks ago we kicked off the MetaPhone project, a crowdsourced study of phone metadata. Our aim is to inform policy and legal debates surrounding dragnet surveillance programs. We are exceedingly grateful to the hundreds of users who have joined. If you have not yet participated, you can still grab the MetaPhone app for Android.

Today we are excited to share some preliminary results: We can predict many romantic relationships. Automatically. Using solely phone metadata.
…