Schneier on Security
A blog covering security and security technology.
June 19, 2013
Petition the NSA to Subject its Surveillance Program to Public Comment
I have signed a petition calling on the NSA to "suspend its domestic surveillance program pending public comment." This is what's going on:
In a request today to National Security Agency director Keith Alexander and Defense Secretary Chuck Hagel, the group argues that the NSA's recently revealed domestic surveillance program is "unlawful" because the agency neglected to request public comments first. A federal appeals court previously ruled that was necessary in a lawsuit involving airport body scanners.
"In simple terms, a line has been crossed," Marc Rotenberg, executive director of the Electronic Privacy Information Center, told CNET. "The agency's function has been transformed, and we think the public should have an opportunity to say something about that."
It's an ambitious -- and untested -- legal argument. No court appears to have ever ruled that the Administrative Procedure Act, which can require agencies to solicit public comment, has applied to the supersecret intelligence community. The APA explicitly excludes from judicial review, for instance, "military authority exercised in the field in time of war."
EPIC is relying on a July 2011 decision (PDF) it obtained from the U.S. Court of Appeals for the D.C. Circuit dealing with installing controversial full-body scanners at airports. The Transportation Security Agency, the court said, was required to obtain comment on a rule that "substantively affects the public."
This isn't an empty exercise. While it's unlikely that a judge will order the NSA to suspend the program pending public approval, the process will put pressure on Washington to subject the NSA to more oversight, and pressure the NSA into more transparency. We've used these tactics before. Two decades ago, EPIC launched a similar petition against the Clipper Chip, a process that eventually led to the Clinton administration and the FBI abandoning the effort. And EPIC's more recent action against TSA full-body scanners is one of the reasons we have privacy safeguards on the millimeter wave scanners they are still using.
The more people who sign this petition, the clearer the message it sends to Washington: a message that people care about the privacy of their telephone records, Internet transactions, and online communications. Secret judges should not be allowed to use secret interpretations of secret laws to authorize the NSA to engage in domestic surveillance. Sooner or later, a court is going to recognize that. Until then, the more noise the better.
Add your voice here. It just might work.
Posted on June 19, 2013 at 2:18 PM
• 29 Comments
Laughable. Won't work.
Yeah right, it brought the clipper chip to its knees. And see what happened a few years later.
IF anyone really manages to stop the NSA now, guess what will happen the very moment? A new program, different name, a few different people, the same result.
"substantively affects the public." - there's the rub!
Collecting meta data doesn't affect anyone (so sayeth those in nominal oversight and others). It's just stored away. Even if the call contents are being stored, "nobody is listening to your phone calls" (B. Obama, POTUS).
Only 300 queries were run against the stored data last year. That's not "substantively affect[ing]" the public at large, by any measure.
And you know that "only 300 queries were run against the stored data last year" exactly how?
BTW, the question is "know", not "have been told".
obvious troll, but I'll bite:
"Laughable. Won't work."
so... bend over, shut up, and get back to watching american idol, eh. that's the spirit our dear political leaders count on!
Follow your blog religiously and as a fellow security professional you and I are typically on the same page. I have to disagree with you about the NSA counter-terrorism program. As you know, the best way to field a counter-terrorism strategy is through accurate intelligence, robust investigation and comprehensive emergency preparedness. It is impossible for anyone to have complete security but it is possible to diminish the threat by weeding out the plots through intelligence and investigation and adequately handle the response when a plot becomes reality.
By all accounts, the NSA programs have been lawful. The PATRIOT Act and FAA have given that Agency the authority to perform a foreign intelligence mission with all of its activities subject not only to judicial review, but judicial approval. The SSCI and HPSI both receive regular briefings and updates on the execution of NSA. DoD also receives regular updates through its intelligence oversight functions. All three branches of government are involved in the machinations of these programs. Some very, very liberal congresspeople and senators are on board, and defend, the program. You really have to believe that there is one enormous conspiracy going on at all levels of government and that a 29 year-old contractor is preaching gospel. I just don't buy it.
I believe General Alexander when he says there have been over 50 terrorist attacks thwarted since 2006. Imagine if we had 50 terrorist attacks in the past 7 years in addition to the ones that DID occur. I guarantee you the American public, and a lot of the punditry would have a different narrative. It would be one of executing enormous amounts of security theater and demanding anything be done -- civil liberties be damned!
It's definitely worth ensuring the oversight continues and a lot more transparency exists, I just don't think we should engage in demagoguery when it comes to successful programs that have proven to be effective.
"If tech can do it,
and only words say you don't
know this certain fact:
some tech magician
will do every everything
as soon as its turn
turns up on some agenda.
That is no wonder.
It's just a fact of nature."
- Tulsa Davenport
in Stories of L A Noir
(c) all rights reserved, 2013
As a retired Intelligence Officer and a past NSA employee, I can tell you with all confidence, Edward Snowden is NOT a patriot, he is a Thomas Jefferson, John Adams, George Washington type of PATRIOT. He is quite correct, the clock is ticking, one day he will make a mistake and the last thing he will hear is the detonation of the hellfire missile from the predator drone. All that it takes for tyranny to blossom is for good men to do nothing. That sound is the last thing, 16 year old, Colorado Born, US Citizen Abdulrahman al-Awlaki heard, yes, read that again.....a 16 year old child, an American, killed by Mr. Hope and Change, will YOUR children be next?
Quibbles over the number of queries are pointless when a database can return all of the data it contains with a single query...
"Find All". Done.
"a 16 year old child, an American, killed by Mr. Hope and Change, will YOUR children be next?"
Are you referring to the Nobel Peace Prize winner?
"Only 300 queries were run against the stored data last year. That's not 'substantively affect[ing]' the public at large, by any measure."
When the government can effectively go back in time to read our old emails and listen to our past conversations, looking at the number of queries today is like pointing at a distant lightning bolt and offering it as proof that there's no such thing as thunder.
Craig, you're accurate in terms of the large landscape needed to be surveyed.
However, we have a problem with the *scale* at which the omnipresent surveillance seems to be taking place (supposedly 'passively' since a 'human' isn't in the loop). The practice is lawful only in technical terms because even lawmakers seem to be surprised at certain aspects. You don't need every level of government to be lying, just slight reshuffling of the message at a few levels and after a few layers of indirection, you could have folks genuinely convinced the bill accurately reflects field operations.
The agencies ARE supposed to protect and defend. But you cannot compromise the very thing you are defending just to make the job easier. As an extreme example, it would be FAR easier to police/defend if all citizens were under 24/7 curfew. No one ever said the spooks have an easy job. It's a hard job and one we are grateful that they do. However if you follow that zeal down too deep, you destroy the very identity we have as a society.
You have protests in Hong Kong and China about citizens with posters and banners of "Free Speech". In China. Against the US. Have we really come down to that? The land of the free? When Obama said "I think we have struck the right balance", it's obviously not true - there wouldn't be so much public outcry if we indeed had a reasonable balance.
I'm with Bruce on this one. Don't disclose operational tactics. But we need to have an informed public discussion on the legitimacy of the program itself, without the layers of mysticism around it. I don't need to remind you that at a time racism was legal - we now acknowledge how wrong that was and rolled it into the law appropriately.
Bruce, I appreciate your posts, even the recent NSA ones. And I'm sure I speak for others too.
"All three branches of government are involved in the machinations of these programs. [...] You really have to believe that there is one enormous conspiracy going on at all levels of government and that a 29 year-old contractor is preaching gospel. I just don't buy it."
When all three branches of government are acting in concert to enable secretive, large-scale domestic surveillance, does it really matter whether you call it a conspiracy or not?
How many petitions to the federal government in the past twenty years resulted in a change of policy or revocation of a law or regulation? I will bet the answer is zero. Petitions are a waste of time. Time is better spent writing to legislators who (theoretically) have the clout to push for changes.
"...But we need to have an informed public discussion on the legitimacy of the program itself..."
That requires an informed public, one willing and able to have a discussion and then get up and actually act on the results of the discussion.
How do you see us getting there from where we are now?
IMO, if we had the cultural preconditions to sort this out like rational adults, it never would have happened in the first place.
Cueing off @Analogy Guy's comment about the government searching back in time...
Isn't it risky to sign petitions like this if there is real potential for the government to actually become a police state? Since future officials may dig it up and add the signers to whatever "subversive person" watch lists they have at the time. Similar to retroactive drug testing for athletes, just a lot more ominous.
Calculated risk, TAWMe.
Would you be willing to stop eating because of the (very real) possibility that you might choke to death?
Stop driving because you might get into a wreck?
Stop using the stove because you might burn down the house?
I don't think much of the petition in question, and your question is a valid one, but for the people who think the petition could help prevent the police state you mention, running that risk makes sense.
How about subjecting it to an OIRA cost-benefit review like so many other government programs?
For those that are enraged enough to take action, may I suggest a first step.
Create a twitter account using a name of your own construction that reflects your perspective relative to the constitution, i.e. did Washington have a greater influence or was Jefferson the core of the revolution. For example, my twitter handle would be
The collective of citizens, renamed as patriots of the colonies in the 1770's could be reborn.
Hopefully you have all read Thomas Paine.
So, has someone checked the recent temperature in hell? Might be useful as an indicator...
I hope you read your comments and recognize the tinfoil hat paranoia you generate with hysterical posts and your adoption of Snowden as your personal hero.
We are now at the point you invite people to support a petition, but your readers refuse because you have them believing the fascist police state will add the names to a "subversive person" list and kill them with drones.
I've read your books for a decade and never expected that you'd end up a leader of the tinfoil hat brigade, but that's where you are now (more lucrative than writing serious books on public policy, at least).
Sadly, Bruce Schneier = the Glenn Beck of technology.
How the mighty have fallen.
Over on slashdot, I've been keeping a list of suggested actions people can take if they want to help.
Here's a link to the current list:
No one suggested that putting your name on a petition will do any good, but joining Rand Paul's class action suit sounds promising.
OK, a serious counter suggestion: Bury your representatives under requests to end that spying. Let them know how mad you are that they allow spying on you in violation of the constitution. Let them know they need to stand up against this if they want your vote again.
That may be more efficient than begging the NSA on your knees to stop doing what they love most.
I note that you've made a couple of posts effectively accusing Bruce Schneier of wearing a tinfoil hat.
However whilst you appear to have the common 20-20 hindsight, you feel you have the right to castigate someone for not having the very rare and exceedingly elusive 20-20 foresight.
Which suggests you are adopting a significantly biased point of view.
But importantly you pop up and make your comments under a pen-name that from memory appears not to have been used before on this blog. And further you actually do not add anything to the comments in a way that could be considered as constructively within the thread subject. Nor do you take a personal position of any note, just the common "hindsight" which any person of even distinctly limited capability can take with not even the more up market "I told you so" or even the completely unsupportable "I knew this all along". In effect your position is of "name calling".
This behaviour is one that has been seen on this blog in the past, and I've commented on it in the past.
I guess the question is are you the same trollish person, just somebody doing a good impersonation of that person or somebody else with a different unstated agenda?
A number of people here have said that petitions don't achieve their stated objectives.
And whilst it is true for many petitions, you have to remember that often the petitions stated objectives are actually not the real objectives of starting a petition.
So please don't assume that signing one is a waste of time, it's not.
A petition serves a number of purposes,
1, A call for change.
2, To show the popularity of the call for change.
3, To publicize the call for change.
4, Make people talk about the call for change.
5, Make the call for change "newsworthy".
6, Make people think about the change.
7, Help people take a position on the change.
And a number of other things.
Importantly when writing to your political representative, it gives a point of focus for them to consider, because they can quickly see your letter is neither a "one off" or "crank" viewpoint that can be easily dismissed with a "standard reply" from a low grade "policy wonk" or worse.
Others have mentioned that signing the petition might be "signing your fate at a later date", whilst this is true, as others have noted life is not without risk.
In fact it could be said that the most notable of achievements have been reached because people step out of the common line and do take a risk and stand their ground and refuse to be cowed.
A look at American history with the likes of John Brown, Martin Luther King etc shows that "pushback" is to be expected but, if the cause is considered just by others then society moves in that direction albeit slowly and the cause wins through from the initial exceptional view to the accepted view of society in general.
The faster society aligns with the view the less risk there is in standing up for a cause, due to the weight of numbers and the shortage of time for authoritarian pushback to come into play. It's often referred to as "safety in numbers" or "herd protection" but you have to remember that a "herd" starts with a single individual who stands their ground for what becomes the common cause.
@ Clive Robinson
Petitions do accomplish things from time to time, but they are unlikely to be effective if politicians know that all a signatory is willing to do to register their discontent is click a button on the internet.
Do you remember the Citizen's Briefing Book? It was the President's experiment in "transparency" where he solicited ideas from the public, and where other people could vote for ideas they liked.
The ideas with the top two votes were to decriminalize marijuana and disclose UFO files. The President called both ideas "silly" and has gone on to increase raids on medical marijuana dispensaries in states where the substance is legal. As for transparency, well, we don't have to worry about the NSA because all this surveillance is perfectly transparent to a secret court, right? Obama's Nobel Peace Prize acceptance speech was a prolonged meditation on just war -- since he is operating drone campaigns in at least six countries at present, he clearly didn't perceive his pre-emptive Peace Prize as much of a persuasive plea to de-escalate the Global War on Terror. He was elected in large part because Americans were fed up with Bush's illegal surveillance and militarism, and since getting into office, has set about codifying or otherwise making legal many of the things Bush did illegally.
Petitions may work from time to time, but I don't think petitions for transparency in this case are likely to have an effect on this particular administration, nor on Congress, which played a central role in putting these measures in place.
If you want to contact your representatives, tell them to end the surveillance, or they've lost your vote, period. Tell them you don't want to live in East German America.
Don't ask your representatives to do anything. Don't waste time explaining. Fear is the only thing these officials respond to. Tell them they will lose your vote unless these programs end. And then follow through.
It's definitely worth ensuring the oversight continues and a lot more transparency exists, I just don't think we should engage in demagoguery when it comes to successful programs that have proven to be effective.
Thanks for a well articulated and well argumented post. It stands in sharp contrast to the ad hominem attack by @ SwissTime whom both Clive and myself suspect to be a sockpuppet for a commenter who got banned from this forum quite a while ago. Allow me to make the following points:
1) I don't think anyone in the security community is questioning the need for accurate intelligence, robust investigation and comprehensive emergency preparedness. What the debate is about is whether or not blanket surveillance through secret orders from secret courts under secretive interpretations of the law is the right way to go about the problem in a democratic society, and to which extent the current practices are or are not violating both letter and spirit of the 1st, 4th and probably also the 5th Amendment to the Constitution of the United States of America.
Those who believe it isn't or have very serious doubts about it are well within their rights to speak out and act accordingly. This is part of the democratic process and exactly what Bruce is doing.
2) Despite the assurances of all sorts of officials that all three branches are approving of these programs and that oversight is in place, I find it less than reassuring that this oversight is just as secret as the programs themselves. Unlike you, I am not willing to just take their word for it with the details buried under the usual "national security" argumentation. The general public may not have any business with operational secrets, but in my opinion is fully entitled to know how all of this works and how it affects them. Your mileage may vary.
What I find equally troubling is that not all congressmen/senators seem to be fully aware of what's going on. After a classified briefing for the Senate, one senator called Snowden's revelations "just the tip of the iceberg". Moreover, more than half of the senators didn't even attend said briefing, which again begs some serious questions as to how serious they actually take the issue, and for that matter their job and responsibilities to their constituents. I call dereliction of duty on such an attitude.
3) Even when these programs are upheld to be in full accordance with the law and the Constitution, it begs the question to which extent the US IC with the help of US based companies under international law is allowed to spy on the on-line activities of citizens outside US jurisdiction. Same goes for China and others running similar programs, by the way.
4) The amount of 50 terrorist plots thwarted by these surveillance programs seems a bit of an exaggeration. Over the last days, several media outlets and independent investigators have played that figure down to a much smaller one, with the bulk of attacks apparently foiled by traditional methods of investigation. Although I sympathise with Gen. Alexander and the difficult task he has been assigned, I cannot help but feel deeply suspicious about any claims and statements he's making knowing that his DNI counterpart Clapper only a short time ago lied through his teeth in Congress, and apparently is even getting away with it.
All acquired and stored content is "processed" first.
"nobody is listening"... an unambiguously disingenuous parsing of language ...
it's no "body", it's the machines dummies.
the machines are first processing all acquired data, scanning the content, searching both for domestic crimes and foreign intelligence
THEN the bodies in law enforcement agencies can decide whether to go listen to the "original recordings of such communications" §5(2)
it's all "Hoovered" first, J. Edgar style pun intended.
I can't sign up since I'm not a US citizen - I am one of the officially targeted 6.7 billion bad guys out there!