Surveillance by Algorithm

Increasingly, we are watched not by people but by algorithms. Amazon and Netflix track the books we buy and the movies we stream, and suggest other books and movies based on our habits. Google and Facebook watch what we do and what we say, and show us advertisements based on our behavior. Google even modifies our web search results based on our previous behavior. Smartphone navigation apps watch us as we drive, and update suggested route information based on traffic congestion. And the National Security Agency, of course, monitors our phone calls, emails and locations, then uses that information to try to identify terrorists.

Documents provided by Edward Snowden and revealed by the Guardian today show that the UK spy agency GHCQ, with help from the NSA, has been collecting millions of webcam images from innocent Yahoo users. And that speaks to a key distinction in the age of algorithmic surveillance: is it really okay for a computer to monitor you online, and for that data collection and analysis only to count as a potential privacy invasion when a person sees it? I say it’s not, and the latest Snowden leaks only make more clear how important this distinction is.

The robots-vs-spies divide is especially important as we decide what to do about NSA and GCHQ surveillance. The spy community and the Justice Department have reported back early on President Obama’s request for changing how the NSA “collects” your data, but the potential reforms—FBI monitoring, holding on to your phone records and more—still largely depend on what the meaning of “collects” is.

Indeed, ever since Snowden provided reporters with a trove of top secret documents, we’ve been subjected to all sorts of NSA word games. And the word “collect” has a very special definition, according to the Department of Defense (DoD). A 1982 procedures manual (pdf; page 15) says: “information shall be considered as ‘collected’ only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties.” And “data acquired by electronic means is ‘collected’ only when it has been processed into intelligible form.”

Director of National Intelligence James Clapper likened the NSA’s accumulation of data to a library. All those books are stored on the shelves, but very few are actually read. “So the task for us in the interest of preserving security and preserving civil liberties and privacy,” says Clapper, “is to be as precise as we possibly can be when we go in that library and look for the books that we need to open up and actually read.” Only when an individual book is read does it count as “collection,” in government parlance.

So, think of that friend of yours who has thousands of books in his house. According to the NSA, he’s not actually “collecting” books. He’s doing something else with them, and the only books he can claim to have “collected” are the ones he’s actually read.

This is why Clapper claims—to this day—that he didn’t lie in a Senate hearing when he replied “no” to this question: “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”

If the NSA collects—I’m using the everyday definition of the word here—all of the contents of everyone’s e-mail, it doesn’t count it as being collected in NSA terms until someone reads it. And if it collects—I’m sorry, but that’s really the correct word—everyone’s phone records or location information and stores it in an enormous database, that doesn’t count as being collected—NSA definition—until someone looks at it. If the agency uses computers to search those emails for keywords, or correlates that location information for relationships between people, it doesn’t count as collection, either. Only when those computers spit out a particular person has the data—in NSA terms—actually been collected.

If the modern spy dictionary has you confused, maybe dogs can help us understand why this legal workaround, by big tech companies and the government alike, is still a serious invasion of privacy.

Back when Gmail was introduced, this was Google’s defense, too, about its context-sensitive advertising. Google’s computers examine each individual email and insert an advertisement nearby, related to the contents of your email. But no person at Google reads any Gmail messages; only a computer does. In the words of one Google executive: “Worrying about a computer reading your email is like worrying about your dog seeing you naked.”

But now that we have an example of a spy agency seeing people naked—there are a surprising number of sexually explicit images in the newly revealed Yahoo image collection—we can more viscerally understand the difference.

To wit: when you’re watched by a dog, you know that what you’re doing will go no further than the dog. The dog can’t remember the details of what you’ve done. The dog can’t tell anyone else. When you’re watched by a computer, that’s not true. You might be told that the computer isn’t saving a copy of the video, but you have no assurance that that’s true. You might be told that the computer won’t alert a person if it perceives something of interest, but you can’t know if that’s true. You do know that the computer is making decisions based on what it receives, and you have no way of confirming that no human being will access that decision.

When a computer stores your data, there’s always a risk of exposure. There’s the risk of accidental exposure, when some hacker or criminal breaks in and steals the data. There’s the risk of purposeful exposure, when the organization that has your data uses it in some manner. And there’s the risk that another organization will demand access to the data. The FBI can serve a National Security Letter on Google, demanding details on your email and browsing habits. There isn’t a court order in the world that can get that information out of your dog.

Of course, any time we’re judged by algorithms, there’s the potential for false positives. You are already familiar with this; just think of all the irrelevant advertisements you’ve been shown on the Internet, based on some algorithm misinterpreting your interests. In advertising, that’s okay. It’s annoying, but there’s little actual harm, and you were busy reading your email anyway, right? But that harm increases as the accompanying judgments become more important: our credit ratings depend on algorithms; how we’re treated at airport security does, too. And most alarming of all, drone targeting is partly based on algorithmic surveillance.

The primary difference between a computer and a dog is that the computer interacts with other people in the real world, and the dog does not. If someone could isolate the computer in the same way a dog is isolated, we wouldn’t have any reason to worry about algorithms crawling around in our data. But we can’t. Computer algorithms are intimately tied to people. And when we think of computer algorithms surveilling us or analyzing our personal data, we need to think about the people behind those algorithms. Whether or not anyone actually looks at our data, the very fact that they even could is what makes it surveillance.

This is why Yahoo called GCHQ’s webcam-image collection “a whole new level of violation of our users’ privacy.” This is why we’re not mollified by attempts from the UK equivalent of the NSA to apply facial recognition algorithms to the data, or to limit how many people viewed the sexually explicit images. This is why Google’s eavesdropping is different than a dog’s eavesdropping, and why the NSA’s definition of “collect” makes no sense whatsoever.

This essay previously appeared on theguardian.com.

Tags: algorithms, Edward Snowden, essays, GCHQ, NSA, privacy, surveillance, tracking

Posted on March 5, 2014 at 6:13 AM • 64 Comments

Comments

kashmarek • March 5, 2014 6:56 AM

The NSA looks at all of it. If their version of “collected” is what they want, then they shouldn’t collect it until they are going to read it. That would take care of the whole issue.

Except, they collect it to read it, whether by a computer program or as seen by visual eyes. If the computer program uses information in the data, then it has been read, and even if the computer program doesn’t use information, it has still beem read, it has STILL BEEN COLLECTED by anybody’s definition.

Dome • March 5, 2014 6:57 AM

We are again the greatest producers of something which endanges us: data.

We need only to address a few points:

1) be responsible data producers
2) properly dispose the data we don’t need any more
3) getting others sensibilized

gurrfield • March 5, 2014 7:41 AM

So… who watches the dogs?

Someone’s gotta do it… sigh =)

Winter • March 5, 2014 7:50 AM

I find the picture of digital online trails as environmental pollution very apt. A little might not even be noticed, a lot can kill you.

When I see what the intelligence community considers all legal, I am wondering what “legal” actions we did not hear about (yet)?

It might be legal to spy on opposition politicians?
It might be legal to “silence” politicians?
It might be perfectly legal to kill politicians?
Or a minister?
Or to kill the Prince of Wales?

Who knows where it ends?

RobertM • March 5, 2014 8:02 AM

So by the NSA’s logic, if you have thousands of child-porn images on your computer, you’re not a perv…it’s only when you open one of those images that you cross the line……uh-huh.

Buck • March 5, 2014 8:38 AM

Word games or no, Clapper clearly committed perjury in front of Congress. The clever wordplay might have saved his ass, If he hadn’t admitted his crime after further questioning…

So I responded in what I thought was the most truthful, or least untruthful, manner by saying ‘no’.

Least untruthful -> not true -> lie-> deliberate deceit -> perjury … indictment???

mz • March 5, 2014 8:46 AM

Sorry, wrong:

“And the National Security Agency, …., then uses that information to try to identify terrorists.”

No, they don’t. They only claim to do that. Neither is this the main purpose, nor the outcome. They spy on everyone to supply the various members of the “intelligence community” with information. The main purpose is political and business espionage.

Please stop spreading that BS about anti terrorism. That is just the fig leave.

Roxanne • March 5, 2014 8:46 AM

Great – only the computers are paying attention to the watching. I’m not sure if this is better or worse.

Meanwhile – it’s absolutely part of the game to spy on the other side. I daresay that someone has made the activity that sparked Watergate specifically legal. We reportedly had a Republican mole wind up in charge of a cell of the Democratic party here in Michigan (neither side wants to truly confirm or deny that).

Guess why they made Obama give up his Blackberry?

So what cellphone technology do government employees use? Because tracking their movements could be informative, to lots of people. I can’t imagine them all going without.

Someone blithely talks about “getting rid of the data we’re no longer using.” Presuming that Google (or whoever) has backed up that data – how exactly do you propose to dispose of it?

More food for thought, eh?

unnamed • March 5, 2014 8:56 AM

I agree with anything said in the last months — NSA activities are worrying as it is data collection methods used by this government agency. But at least access to collected information is restricted to authorized staff (whatever “authorized staff” means here).

I think that a bigger problem exists right now and it is the amount of information collected by private corporations like Google; by the way, I never authorized Google to store and publicly show to the world any USENET messages I posted between 1993 and 1998, before Google was founded. But, who cares?

A lot of times I asked for help to remove posts, provided data to Google that should only be available to law enforcement agencies (and, trust me, I am very uneasy about providing this information to this class of unethical corporations) and the only answer I got from one of their support monkeys is that removal is not possible, even if they say the other way on some documents (only reason to provide personal identification card copies in first place).

Our digital footprint should be under our control. It is our information and we are, in first place, owners of this information. At least our digital footprint should have an expiration date, we say five years.

When will we have the right to remove our personal information from the servers of these unethical corporations that make their business selling our data? (I hope no one thinks Google is so large because they wrote a nice free search engine…)

The answer is simple: never, because politicians work for these corporations instead of being independent thinkers.

z • March 5, 2014 9:06 AM

If I store hundreds of pounds of cocaine in my house, but don’t actually use it, can I be charged for having it?

If I steal 500 machine guns and keep them in my safe, but don’t actually fire them, can I go to jail?

If I’m engaged in corporate espionage and steal documents from a competitor, but just keep them in storage and don’t read them, will I be prosecuted?

uh, Mike • March 5, 2014 9:12 AM

The NSA is a dinosaur-size diversion from the commercial rats.

Bob S. • March 5, 2014 9:13 AM

Yes, the issue:

The government (or corproation) can ransack your computer and electronic life, collect literally everything you do, forever, and then claim it’s not an illegal privacy invasion UNTIL they peek. And then, it’s a secret when they peek, or even if they peek. AND, unless you find out, it’s still not illegal.

And, if you don’t think they are gawking the porno shots I’ve got a bridge in Brooklyn to sell you real cheap.

Meanwhile, look at Congress…mumbling and bumbling and getting absolutely NOTHING done about ANYTHING!

I think there is a fortune to be made creating hardware and software safe from the eyes of government/corporate spies.

Where are you guys?????????

Dome • March 5, 2014 9:34 AM

@Roxanne: the impossibility of getting rid of the data we are no longer using is central part of the problem.

This is exactly what will hurt us sooner or later: data stays there, waiting for the proper algorithm to be written.

No corporation (or government) will ever allow us to get rid of unwanted data, which is still critically valuable money for them.

This is a problem we need to solve ourselves.

Winter • March 5, 2014 9:44 AM

“This is exactly what will hurt us sooner or later: data stays there, waiting for the proper algorithm to be written.”

That data is toxic waste. Not allowing us to get rid of it is criminal.

There is a big discussion going on in Europe about the right of erasure.
http://www.dataguidance.com/dataguidance_privacy_this_week.asp?id=2119

Allen Stanfield • March 5, 2014 10:13 AM

When the government “collects” a citizen’s private property, no matter what the NSA calls it in order to abuse its power, it is a seizure.

Property rights have centuries of case law going back to Medieval England, and the US 4rth Amendment guarantees our right to be free from unreasonable seizures.

It is time that we start using that case law, and asserting our right to ownership of our private property, and start prosecuting government officials who abuse their power – no matter what words they use to avoid the law.

Allen Stanfield

Josh Rubin • March 5, 2014 10:58 AM

Sometimes my dog watches my wife and I have sex. This never used to bother me.

Then I read an article about dogs being trained to tolerate MRI machines. Should I worry now?

Chris S • March 5, 2014 11:02 AM

“To wit: when you’re watched by a dog, you know that what you’re doing will go no further than the dog. The dog can’t remember the details of what you’ve done. The dog can’t tell anyone else.”

Errrm…

Depending somewhat on the training of the dog and what you are doing, I would think this is provably false.

Granted, the dog won’t be called to the stand in a court of law (but IANAL). But if the dogs demonstrable actions and reactions can be placed in a context where they are a shown to be a proxy for what the dog has been exposed to, then an expert witness might be able to establish that “you did something” based on the dog’s subsequent actions.

I feel a little like I am splitting hairs – but then, the entire “metadata as evidence” debate sometimes feels that way too.

vas pup • March 5, 2014 11:14 AM

@Bruce:
“To wit: when you’re watched by a dog, you know that what you’re doing will go no further than the dog. The dog can’t remember the details of what you’ve done. The dog can’t tell anyone else.” Agree with small addition: you can’t force your dog snitching on you (versus your closest friend using collected information on him/her), you can’t subpoena your dog to testify against you in the court. Yes, the dog is your trusted friend who never betray you and provide you with unconditional loyalty and love. That is why you owe same to your dog.
Regarding collection of data. If data is stored in the form which not allowed direct access (e.g.encrypted) by the even authorized person without special request approved by higher level of management (if court approval just wishful thinking), at the same time there are current algorithms which let you process that data for security ‘red flag’ WITHOUT decryption, and each file has embedded expiration data (five years or less depending on nature/sensitivity of the data) which is automatically deleted on every day automatic data clean up (including any back up copy), then Mr. Clapper’s point make sense. Each time when encrypted data/file is decrypted, it’s original encrypted copy should be appended by encrypted (by other key)read only tail of time stamp and user id of person accessing it.
@unnamed. Remove big money out of election by Law, and they all become independent thinkers by assumption that prospective candidate has minimum intellectual level (IQ) to have something to think with independently.

rj07thomas • March 5, 2014 11:28 AM

Look up “collect” at http://www.oxforddictionaries.com/, example 1. At no point does it imply any interaction with the items being “collected” other than their acquisition. It doesn’t imply having to read, or use, the objects in anyway- the key thing is the process of acquisition. If you collect stamps, theoretically you could just order loads of stamps over the internet and leave them all packaged up in their envelopes. You’ve definitely collected stamps, but haven’t interacted with the objects themselves at all…

Allen Stanfield • March 5, 2014 11:47 AM

@rj07thomas:

As the sovereign owner of my private property, I have the power to direct its distribution. The government must obey me when I say they can not have it, unless they have a legal warrant, under the 4rth Amendment.

This is why the 4rth Amendment is the right which recognizes sovereign ownership of property and not “privacy”, with which it has become confused.

In your stamp example, if those are my stamps the government has stored away without even looking at them, and I did not tell them they could have my stamps, then they have stolen them, and that is a crime under the law.

Allen Stanfield

NobodySpecial • March 5, 2014 11:52 AM

@Allen – i think you are forgetting the legal principle of “I’ve got more guns than you” the government has the guns – the government makes the rules.

Really the writers of the constitution should have thought of this.

Jeff • March 5, 2014 12:08 PM

At the time Senator Ron Wyden asked James Clapper, “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”, did the senator know there were two meanings of that word (common use and NSA use)? If so, he was complicit in the deception.

dbCooper • March 5, 2014 12:19 PM

Seems the CIA may have ruffled the feathers of the US Senate Intelligence Committee by spying on them:
http://www.theregister.co.uk/2014/03/05/cia_senate_watchdog_spying_row/

The ACLU has a valid perspective on this story:
“If the Senate didn’t want the CIA hacking their computer network, perhaps they shouldn’t have funded the CIA’s offensive cyber capabilities,” said Christopher Soghoian, principal technologist of the speech, privacy & technology project at the American Civil Liberties Union, in an update to his personal Twitter account.”

Winter • March 5, 2014 12:40 PM

“Seems the CIA may have ruffled the feathers of the US Senate Intelligence Committee by spying on them: ”

I am sure this is all legal.
😉

Anony Mouse • March 5, 2014 12:42 PM

Remember, when a computer collects data, it is on a system that is read only, read and write only. Therefore the system collecting data is reading it as it’s collected.
Collecting is a verb/intransitive verb, someone tell Clapper. Of course so many of the many communists now in our federal system are completely illiterate of the english language. We should attack them with this weapon and defeat them with the sword of word.

http://www.merriam-webster.com/dictionary/collect

AlanS • March 5, 2014 1:32 PM

This appears to be another instance where privacy is conflated with secrecy. So they claim that if they don’t read it, it’s still secret and therefore private. But privacy is about access and control over information about oneself, not secrecy. Here’s Alan Westin’s definition: “Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.” (Privacy and Freedom, 1967).

If it’s in a database controlled by the NSA or Google or whoever it is irrelevant whether it is ever looked at by a person or not. It could be looked at by someone and the individuals whose information is in the database have no control over the when, how, what and by whom.

AlanS • March 5, 2014 1:37 PM

By Clapper’s own logic Snowden didn’t “collect” any information about the NSA until he read it or shared it with someone else who read it.

The “did he lie or not debate” is silly. Look at the body language of Clapper and Wyden in the video. Do you think he’s telling the truth and do you think Wyden believes him? Wyden and Udall know what’s going on but can’t say what they know. So when the DNI, and the heads of CIA, FBI and NSA appear before the intelligence committee in open session, they ask questions that force them into lies or evasive answers. Some people think this is a dirty trick. If you think the people in the hot seat are engaged in secretly violating the Bill of Rights, you probably think otherwise.

AlanS • March 5, 2014 1:51 PM

@Winter

Links to the CIA spying on the intelligence committee story.

Brian M. • March 5, 2014 2:15 PM

@Roxanne:
Great – only the computers are paying attention to the watching. I’m not sure if this is better or worse.

When Skynet first became active, it watched cat videos. Then it moved on to watch all of the live webcam feeds.

Then Skynet determined that the human race just needed killing!

Skynet still likes cats, though.

Thomas • March 5, 2014 2:21 PM

The interesting definition of “collected” reminds me of quantum mechanics, where nothing really happens until it is “observed”.

Alan Kaminsky • March 5, 2014 2:49 PM

“When I use a word,” [Clapper] said in rather a scornful tone, “it means just what I choose it to mean — neither more nor less.”

“The question is,” said Alice, “whether you can make words mean so many different things.”

“The question is,” said [Clapper], “which is to be master — that’s all.”

— Lewis Carroll, Through the Looking-Glass (1871)

$ cat ThroughTheLookingGlass.txt | sed -e ‘s/Humpty Dumpty/[Clapper]/g’

M • March 5, 2014 3:41 PM

So by the NSA’s logic, if you have thousands of child-porn images on your computer, you’re not a perv…it’s only when you open one of those images that you cross the line……uh-huh.

Hm…I guess it’s extremely likely that also sexually explicit images of minors have been collected…uh…I mean, whatever they call what they do. Is there some silly newspeak definition of “possession” too or might the GCHQ now be guilty of possessing child porn?

JonS • March 5, 2014 4:02 PM

“Google even modifies our web search results based on our previous behavior.”

Google and Amazon suggestions are ok-ish, but the thing that annoys me about this is that it assumes that I will be the same – and buy and want the same things – tomorrow as yesterday, and that I’ll be the same in 10 years as I was now. It seems like there’s no scope for change, or re-imagination.

I hate that vision of the future.

JonS • March 5, 2014 4:16 PM

@ z • March 5, 2014 9:06 AM
” If I store hundreds of pounds of cocaine … If I steal 500 machine guns … If I’m engaged in corporate espionage … will I be prosecuted?”

Of course you will. This only works for the TLAs because they apparently have the right to redefine words as they see fit and (and this is the important bit) have the courts then recognise their idiosyncratic definitions.

All of us redefine words everyday. But only some of us can impart the force of law onto those new definitions.

kashmarek • March 5, 2014 4:20 PM

All “collected” data, whether read by any human or not, eventually goes away. Consider that the government probably loses MORE data than they ever use, simply because it dies on the recording media, the media goes out of date, they don’t have the time or money to move the data forward to new media, and when they actually need the old data, it has become too expensive to access, as the current computers are no longer able to access the old formats or devices. The IRS is a classic example (data probably still being held on tape cartridges with few or no working devices to read them). Why, someone just announced they can’t communicate with an older satellite because they disposed of the ground station technology that performed the job years earlier.

So, how long will the NSA “collected” data from today and earlier, live before it can no longer be used for any meaningful purpose? Come on, let’s hear your estimate in years.

The government works best when it loses stuff (including laptops, but probably really good at losing almost everything they touch).

Michael Froomkin • March 5, 2014 4:30 PM

I’ve recently written a paper that considers surveillance as a form of privacy pollution: Regulating Mass Surveillance as Privacy Pollution: Learning from Environmental Impact Statements.

uh, Mike • March 5, 2014 5:09 PM

Or to kill the Prince of Wales?

Or the Princess?

uh, Mike • March 5, 2014 5:13 PM

@M, from what we now know, GHCQ almost certainly possesses child porn. That explains how an all-out, absolute, no-holds-barred law against something can go awry in bizarre ways.

Someone, somewhere asked what “desirable nudity” is. That would be adults.

name.withheld.for.obvious.reasons • March 5, 2014 5:41 PM

@ Kaminsky

One of the best uses of sed I’ve seen in a long time.

Copy editor • March 5, 2014 7:40 PM

“Edwards Snowden” should be “Edward”
“how were treated at airport security” should be “we’re”
There was a third typo between the above two but I can’t find it now.

Dave • March 6, 2014 2:26 AM

You mention terrorism, but it’s worth noting that we already know that GCHQ are involved in reputation assassination (and share data with the NSA). This alone should make the idea of having the your data (or that of politicians or CEOs, or anyone) stored extremely worrying.

Past experience has shown that given this type of data, government agencies misuse it (e.g. the FBI spying on peaceful rallies); whether such things happen because of design or just the type of mission-creep that’s typical of security (it’s easier to argue for more rather than less) is irrelevant.

The semantic argument over what exactly the word “collect” means or should mean serves as a distraction which gives people something to argue about without achieving much of anything. We need to reframe the question, perhaps into something clearly defined around the issue of storage and access.

TimK • March 6, 2014 3:42 AM

Charlie Stross makes an interesting point on the intersection between collecting people’s webcam stuff and the UKs strict-liability laws on indecent images of children…

http://www.antipope.org/charlie/blog-static/2014/02/rule-34-meet-kafka.html

When will CEOP raid GCHQ?

Skeptical • March 6, 2014 4:43 AM

Two good reasons to think that matters are not quite as dire as the “word games” section of your post describes:

(1) The 4th Amendment, and FISA, are not subject to the specialized definitions of DOD regulations. So the executive branch can’t simply define its way out of the confines of the 4th Amendment and FISA.

(2) Executive branch regulations recognize that fact. For example, USSID 18 uses terms as defined by DOD regulations for particular sections (such uses are denoted by all-caps, e.g. “COLLECTION” rather than “collection”). But for other sections, such as those referencing the 4th Amendment, or the requirements of FISA, the DOD definitions are explicitly not used.

Finally, I’d just note that unless there is an understanding that one will be using terms as defined in a particular source, one’s words will be given their ordinary meaning. This is why the NSA’s GC’s description of what occurred with Clapper is couched in terms of how Clapper understood Wyden’s question, and not in terms of how Clapper’s words are defined by DOD regs.

So, to the extent anyone thinks he’s being tricky by using a term as defined in DoD regulations without informing his audience of the peculiar and particular manner of his usage, he’s not. If there’s intent to deceive, such an individual is simply lying.

Reporters should clarify, when speaking with government spokespersons or officials, that the terms being used are being given their ordinary English meanings in statements being given by those spokespersons or officials.

I also think that the White House, and NSA, should set forth a standing policy that when words have both ordinary meanings, and meanings as defined by regulations, and when those meanings differ substantially, public statements will use ordinary meanings unless explicitly stated otherwise.

One more quick note: if you look at USSID 18, you’ll see that even within the sections where DOD definitions apply, USSID 18 sometimes uses the ordinary word “collection” (not all caps) and sometimes uses the defined term “COLLECTION” (all caps). So the defined term is not necessarily the default usage of government officials and spokespersons.

AlanS • March 6, 2014 8:08 AM

@Skeptical

Funny. Thought I was reading the script for a Monty Python skit.

65535 • March 6, 2014 8:46 AM

“If I store hundreds of pounds of cocaine in my house, but don’t actually use it, can I be charged for having it?”

Good point.

@ Bob S.

“…if you don’t think they are gawking the porno shots I’ve got a bridge in Brooklyn to sell you real cheap.”

Yes, you can bet they are looking at the porn if they can measure it – they looked at it. They hit the bottom so to speak.

@ db cooper

“Seems the CIA may have ruffled the feathers of the US Senate Intelligence Committee by spying on them”

Yes, and it probably goes a lot farther than just Senators.

@ Alan S.

“By Clapper’s own logic Snowden didn’t “collect” any information about the NSA until he read it or shared it with someone else who read it.”

How true, there are an estimated 1.7 million documents missing and Snowden and the press have only released a small fraction of that. Thus, Snowden is on par with Clapper – the documents haven’t been “collected” until we see them.

@ M

“…it’s extremely likely that also sexually explicit images of minors have been collected…uh…I mean, whatever they call what they do. Is there some silly newspeak definition of “possession” too or might the GCHQ now be guilty of possessing child porn?”

Yes, you could look at it that way.

One thing I would like to seen the NSA collect less of is billions of tax payer dollars!

In these tight budget times it would be a good idea to cut the NSA’s budget by 40%. Put the money to better use! And, no more porn collecting!

Curious • March 6, 2014 9:31 AM

With apologies to anyone with their brain “wired” towards engineereing work, perhaps relying mostly on a given knowledge base, perhaps not at all used to simmer in doubt and eternal uncertainty. 🙂

I am sorry that this text goes on for so long, but as I see it, there is no way around it.

I can only do so much not knowing the inns and outs of bureucracy, however here are some thoughts of mine. (Well, not really thoughts per se, but so to speak. The reflections here were not apparent from the start)

I would say there might be even more damning issues at stake than authorities patently not being forthright (by lying, as in expressing falsehood) to a public.

I don’t think a good “solution” to learning about policy is as simple as soliciting authorities for using “ordinary English” in explaining things as sceptical suggested, but at least that is something which might have explanations seem more clear. But would such explanations then be precise and relevant in the larger scope of things?

I see a danger in having solicited authorities to be pragmatic to explain themselves and what they do with ordinary English, as such explanations would perhaps only be relevant outside bureaucracy and not within it. Ergo, there might be no change at all that affect “policy” in general.

My point here would be that the authorities probably can’t be forthright to itself (pretty sure a single policeman or politician isn’t required to understand it all) and that anyone tasked with working with the concept of there being ‘an oversight’ for example, can’t even be expected to be simply pragmatic about things (focusing on given problems), because there would be no way of knowing just where to start being pragmatic other than in the simplest way, like interpreting existing terminology within the framework of policy, either by being forced to do this or by not knowing any better. The general idea here would be about how difficult it might be to work with policies, when “a policy” perhaps can’t be explained outside its own definitions, expecially if there were to be minute definitions that only seem to have been tailored to justify having some given policy in the first place.

Given how a particular meaning to various things are attributed to any given policy by definitions, I think it is important to realize that the general notion of “policy” is likely not something logical, as in being rational or sound in itself, but is probably theory for sake of theory. (Afaik, a soldier in the military is never concidered as committing murder in a war killing other soldiers, unfortunately.) As if someone exclaimed “We do what we do because that is how we do it”, or “we do what we can because we must” (as if simply implying that one is compelled). Notions of what would otherwise be best, just or make best sense probably wouldn’t apply there in the context of a bereaucracy.

“A theory” is here thought of, not as an idea, nor a set of ideas, as much as something being an existing “legal” framework, given in writing and thus constituting policy at the highest level (legislature). Presumably, everything “bureaucratic” would be deemed as “policy” by authorities; and there would be be a bunch of policies; and I suspect that the authorities would be free to dictate tailormade truthful statements as they see would fit any given situation, but then as more on the side and not in the heat of it all I think. Simply discussing your own thoughts can never be a lie, and so one cannot help but being honest this way. I would say that to try discern whether or not someone or something is being forthright to you, is unfortunately dependent on the context and relative to the exchange of meaning, because of it being limited to your own expectations. Thus, being a passive party, is never a good thing, because you would forever be on the recieving end this way, as some piece of entertainment.

A theory doesn’t have meaning to it, but rather makes up this kind of conundrum for which theory is what was meant in the first place. A peculiar problem then would be by having people in power providing excuses later on, because if one had to assume that someone misused the public’s trust, with everything having passed in time prior, an event or act can’t simply be justified later on as if there was some apriori knowledge to look for, as if a mere explanation would show why something came to be or how.

Another angle in attempting to describe a problem, for which the bureaucracy was thought to fold in on itself to provide a way and the means to sustain itself (providing excuses), would be to consider knowledge in general as it relates to any problems of understanding governmental policy, as understanding something within the proverbial ‘hermeneutic circle’. A hermeneutic circle could be understood as a framework of references, where there is a “known” relation between the knowledge about the whole as it relates to every part of the whole. Also, cue the rarely used word ‘synecdoche’. I suppose one can understand it as being similar to a synonym in the simplest sense. What is interesting then I think, is how a spokesman or simply a member of the authorities might perhaps end up relating to a variety of problems of a “philosophical” nature, but where conflicting notions of reality isn’t resolved in a satisfactory manner by ‘some standard’. And it is with this notion of ‘some standard’ which ought to be interesting, if something ever is to be considered particularily problematic, as in, ‘interesting’ for whatever reason. (Like trying to understand notions of ‘privacy’ and ‘security’, whatever those would come to mean to any individual.) What is interesting of course, is ending up having a general consensus about some things that one would argue to be simple to understand. Being pragmatic about such notions for which one attempts to relate to reality in general, is probably the wrong way to go about it, if a discussion or just ‘a problem’ about a subject matter is understood as being imposed on a public not knowing any better. (I will have to point out that the notion of “not knowing any better” is here something of an absurdity given that there is no specific context that I am discussing nor am even implying here.) As for the notion of there possibly being any instance of the proverbial synecdoche at any point, I suspect such would be important to try learn about, or at least be something to be aware of; because if someone makes use of a particular word to impress someone as a part of an argument, or with the entire argument itself, the seriousness of a subject matter should be fairly clear, or at least, a kind of seriousness that is not to be overshadowed by triviality (status quo) nor supposedly “pressing matters”. I would like to think that candidates for such mincing of words could be: power, law, legal, authority, lawful and any kind of thinkable words or phrases derived from the previous ones.

http://www.youtube.com/watch?v=iWnA7nZO4EY (Ways In and Out of the Hermeneutic Circle, Paul Fry, YaleCourses)

Curious • March 6, 2014 9:38 AM

I guess I should now better specify that this youtube linkin my previous post goes on to explain ‘hermeneutics’ in its own way, and isn’t directly related to what I wrote. That video offer a nice introduction for becoming comfortable with the general idea of “the hermeneutical circe” which I had mentioned.

Curious • March 6, 2014 9:41 AM

Apologies, there is a glaring typo in my last comment. It should have said
hermeneutical “circle”, not “circe”.

Feel free to update and delete this last comment. 😐

Knott Whittingley • March 6, 2014 9:56 AM

A key difference between NSA’s handling of our data and Google’s ad placement or a dog watching you have sex is that the the NSA apparently does look at all of the data.

Consider a scenario in which all your data is visually scanned for a set of keywords by a human being, and examined more carefully when any of those keywords is found, especially carefully when specified combinations are found, and so on, and the document is actually read in the normal way if certain criteria are met. That’s examining all the data, with a human in the loop.

Now you automate the initial scanning, so that it’s a computer that does the first set of tests, and only sends it to a human if it meets specified criteria.

These situations are substantially the same. There is a human in the loop in both cases, and that’s what matters most.

Consider that if you have keyword searches (or just phone call link searches) implemented with any reasonable efficiency—and they must have done so to handle large volumes of data—then the data have already been analyzed for certain relationships, to build database indexes. That is itself a kind of data analysis enabling further data analysis, like having hordes of non-English-speaking workers scan documents for English keywords visually.

And it reveals things. Those database indexes amount to dossiers on all of us. They don’t look like dossiers to the naive, but the ability to do things like free text searches, automatic analyses of social networks, and various analyses involving time and location means that they’re far more effective than the kind of dossiers the Stasi used to compile.

In the Stasi days, there were only a few basic indexes by which an individual’s dossier could be found and (re-)examined by a human.

Think about having social network and other relationships preprocessed into database indexes, and the ability to construct others on demand with flexible queries.

That amounts to a vastly larger database with a staggering number of virtual indexes available to snoops, which the Stasi could only dream of.

The potential for abuse is limited only by the analysts’ imaginations. Anyone with a clue can reverse-target anybody they want, i.e., frame queries in such a way as to seemingly innocently yield “incidentally” data about an unstated real target, and likewise “accidentally” reveal almost any information they can express logically.

That would be possible even if the standard were probable cause to believe serious crimes have been committed. A standard of “reasonable articulable suspicion” makes it vastly easier, and impossible to detect unless you do something flagrantly stupid.

We need an independent prosecutor and a blue-ribbon commission with a Feynman-like figure to cut through the bullshit about this, sitting down at an analysts terminal and showing just how easy it is to answer some very interesting questions about anybody of interest, even with a suspicious supervisor looking over your shoulder at all times.

Somebody needs to dunk the o-ring in a glass of ice water and break it with their fingers for the cameras.

Dave • March 6, 2014 10:28 AM

“So… who watches the dogs?”

Millions on YouTube

somebody • March 6, 2014 11:16 AM

This is not an argument about the semantics of the word “collect”.

There are always small disagreements about the meaning of words, but the definition Clapper uses is not within the umbra, penumbra or antumber of English usage. Clapper was not engaged in semantic hairsplitting, he was lying. His tortured semantics do not deserve a careful refutation; they deserve a horse laugh, or a horse whipping.

Bob S. • March 6, 2014 1:34 PM

Re: “…information shall be considered as ‘collected’ only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties.” ETC.

Well OF COURSE!

It’s an agency definition having no force of law in regards to the Constitution.

Robbing the bank can be redefined as an “innovative, self determined withdrawal” ….but it’s still bank robbery in the eyes of the law…and people.

Jack O'Lantern • March 6, 2014 1:45 PM

Bruce Schneier:
And “data acquired by electronic means is ‘collected’ only when it has been processed into intelligible form.”

[…]

So, think of that friend of yours who has thousands of books in his house. According to the NSA, he’s not actually “collecting” books. He’s doing something else with them, and the only books he can claim to have “collected” are the ones he’s actually read.

And for e-books the definition would be that they have not been “collected” until they have been “processed into intelligible form”.

So what if the “data acquired by electronic means” is already in “intelligible form”? Many images, sms messages, etc do not need any particular processing in order to be understood by humans.

Or is it that their definition on “intelligible form” is that it is in that format when its content can somehow be “understood” by their supercomputers…

eindgebruiker • March 6, 2014 3:02 PM

“Worrying about a computer reading your email is like worrying about your dog seeing you naked.”

Interesting. Makes me wonder:

Would you worry if it were your neighbour’s dog?

Your neighbour’s Aibo?

name.withheld.for.obvious.reasons • March 6, 2014 3:32 PM

@ Knott Whittingly

Seems someone gets it…indexes are processing of collected data. I argue that it makes us all guilty, searching a line-up where everyone is in the line-up puts a “number” around all our necks.

Also like the reference to Feynman, this was my suggestion months ago. Am reading the Luke Harding book, it is quite an indictment of the IC. When will this monster become quilled?

Anonnynonny • March 6, 2014 4:57 PM

The Roooski NSA seems to use their data so much more effectively:
http://rt.com/news/ashton-maidan-snipers-estonia-946/ (a phone call between the EU Foreign Aff. Chief and Estonian Foreign Minister)
and Victoria Nueland’s call on youtube.

Pseudonym • March 6, 2014 6:02 PM

I like to think
(it has to be!)
of a cybernetic ecology
where we are free of our labors
and joined back to nature,
returned to our mammal
brothers and sisters,
and all watched over
by machines of loving grace.

rr3fjn43k • March 6, 2014 11:23 PM

These are all old economic and marketing algorithms mentioned, nothing to do with surveillance..

Survelliance algo is all to do with pattern recognition and building in bitmap, text, and audio data which you need access to camera grids or telco infrastructure to implement. This is mostly lashing out at companies for reminding us we live to consume and are careless about it..

Clive Robinson • March 7, 2014 12:46 AM

@ Jack O’Lantern,

And for e-books the definition would be that they have not been “collected” until they have been”processed into intelligible form”

Actualy this is one of the “pay-per-view” business models that has been discussed in the publishing industry. It’s partly based on the idea that one of the biggest costs to publishers is “delivery costs” and was founded on the same poor understanding of things that gave us the Content Scrambling System of DVDs [1].

Thus the premise was to send a single optical disk (or other storage media) with the entire current catalog of the publisher stored on it. And each time you read a book or page from a book you’d pay a fee…

Like the minds behind CSS the assumption was that the keys could be kept secret if put in an e-reader…

These minds have not given up on this “Holy Grail” as it’s seen as by far the best candidate for making even more profit, so like many others they are waiting for the technology (ie TPM-4-DRM) to give them what they want and in the mean time they are lubricating a legislator near you to ensure they get the legislation to own not just you but those that create “the content”.

[1] http://www.math.ucsd.edu/~crypto/Projects/MarkBarry/

Libra • March 7, 2014 6:53 AM

“Director of National Intelligence James Clapper likened the NSA’s accumulation of data to a library. All those books are stored on the shelves, but very few are actually read. “So the task for us in the interest of preserving security and preserving civil liberties and privacy,” says Clapper, “is to be as precise as we possibly can be when we go in that library and look for the books that we need to open up and actually read.” Only when an individual book is read does it count as “collection,” in government parlance.”

Thats funny how he likens these practices to the way libraries work.
In library lingo “collecting” is the actual purchase of media. The “collection” is what is sitting on the shelves. Basicly, the normal dictionary meaning of the word. Normal dictionary, not NSA dictionary.

vas pup • March 7, 2014 10:52 AM

@Roxanne: “We reportedly had a Republican mole wind up in charge of a cell of the Democratic party here in Michigan.”
Not surprised. There are cases in the history when person being sent as a police snitch to organization, finally became person in charge of that organization, transformed it for his own purpose (not his “pappet masters”) and won election. His name is A.Hitler (bad guy, but vivid example for the sake of Roxanne’s point). With the same token I am not going to be surprised as well if we will find out that top officials of ‘so called’ leftist/ extremists/ radical/other out of main stream organizations are basically long-term undercover officers infiltrated many years ago and moved up to the top of the organization remaining loyal to LEA sent them initially. My view: if those organizations are pro-violence, kudos to those officers, if those organizations are just stand against erosion of Constitutional Rights, then shame on them.

Hasan Diwan • March 7, 2014 4:16 PM

Indeed, you should know it will be kept by a computer, even if they say they don’t store the data. There are always backups of every interaction. Not that this is a bad idea, but it should always be kept in mind.

Tommyy • March 17, 2014 10:06 AM

My backwords opinion is that we are being hood winked into salvaging the old system to replace it with the new one. I myself is prepared to embark on a new small business idea of data shredding and hard drive destruction. When the exact opposite is probably true that these devices should be saved for future generations to learn from.

Steve Wilson • March 17, 2014 5:20 PM

Here is yet another well written and cogent argument from an influential American in favor of privacy that lands in the place where European and international data protection has been for several decades.

Bruce’s 1300 word essay sets out why surveillance by a computer is just as problematic as surveillance by a person. And so it is. I just point put that OECD Privacy Principles, and in particular the Collection Limitation Principle, since 1980 have ruled that no Personally Identifiable Information should be collected by whatever means unless it is required for an express business purpose. The rights based OECD data privacy paradigm, implemented in dozens and dozens of countries, is technology neutral. It covers all PII regardless of how it is collected or synthesised, and no matter who “owns” it.

Why do so many Americans deride the European approach to data privacy? Why are so many Americans allergic to Collection Limitation? The OECD based regime produces exactly the sorts of general, broad based and technology neutral protections that would meet the well argued concerns of Bruce and so many other commentators.

Why don’t we stop re-analysing the wheel and adopt OECD rights based data privacy?!

Surveillance by Algorithm

Comments

Leave a comment Cancel reply