Metadata Equals Surveillance

Back in June, when the contents of Edward Snowden's cache of NSA documents were just starting to be revealed and we learned about the NSA collecting phone metadata of every American, many people -- including President Obama -- discounted the seriousness of the NSA's actions by saying that it's just metadata.

Lots and lots of people effectively demolished that trivialization, but the arguments are generally subtle and hard to convey quickly and simply. I have a more compact argument: metadata equals surveillance.

Imagine you hired a detective to eavesdrop on someone. He might plant a bug in their office. He might tap their phone. He might open their mail. The result would be the details of that person's communications. That's the "data."

Now imagine you hired that same detective to surveil that person. The result would be details of what he did: where he went, who he talked to, what he looked at, what he purchased -- how he spent his day. That's all metadata.

When the government collects metadata on people, the government puts them under surveillance. When the government collects metadata on the entire country, they put everyone under surveillance. When Google does it, they do the same thing. Metadata equals surveillance; it's that simple.

EDITED TO ADD (10/12): According to Snowden, the administration is partially basing its bulk collection of metadata on an interpretation by the FISC of Section 215 of the Patriot Act.

EDITED TO ADD (10/28): This post has been translated into Portuguese.

Posted on September 23, 2013 at 6:21 AM • 125 Comments

Comments

Adam • September 23, 2013 6:41 AM

I agree with you, Bruce. Unfortunately, the FISC judges do not. Yesterday I looked at one of the recently declassified rulings, and the judge said that, since the customer had used the phone service, any metadata about his calls was not subject to an expectation of privacy under the 4th Amendment, because he had sent the data away, and it now was the phone company's data.

And this ruling was not for an individual's metadata, but it was authorizing a blanket collection for 3 months.

Clearly the 4th Amendment was not written with any conception of today's electronic communications. We need more specific laws.

Winter • September 23, 2013 6:43 AM

What I understood from forensic people evaluating phone taps is that most often they are only interested in proving that the suspect was on that phone at that time. What they said is generally less interesting.

Anyone even halfway sane will not use incriminating language on a phone conversation.

So, most often the meta-data is even more relevant than the "real" data.

To get back to the private eye metaphor. You do not need to know what your spouse said to his/her acquaintance. Just knowing that they spend the night in a hotel room will be enough "meta-data".

DF • September 23, 2013 6:54 AM

I am troubled by the ruling @Adam mentions because I doubt the customer had a choice in whether or not he "sent the data away". If that is true then people only have two choices, use communication systems and have no privacy, or don't use the phone or internet. That is not much of a choice.

@Adam, can you post a link to that ruling if it is online? I'd like to read it.

Mike the goat • September 23, 2013 7:06 AM

Yup . . . I had a discussion with someone the other day about sending PGP encrypted email. The govt are still going to see the headers and that includes the Subject: line. For this reason I suggested they just write "encrypted" in the subject (as blank subjects often trigger spam filters) but this still means they know your origin address, destination address, route the message takes (these days only a hop or two, I remember in the early days messages got handed to plenty of SMTP servers en route... Anyone remember FidoNET? That was good fun. Completely off topic but good fun), your user agent and most ISPs' MTAs (along with webmail providers) will put your IP in X-Forwarded-For or elsewhere in the Received: header.

I guess you could run an MTA as a tor hidden service but at the end of the day you are still going to need routing information somewhere.
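An added illustration of the comment above (not part of the original thread): the sketch parses a constructed PGP-encrypted message and lists what a relay or on-path observer can still read from the headers. All hostnames, addresses and IPs are documentation placeholders, and `exposed_metadata` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a PGP-encrypted mail as it might sit on a relay.
# Every host, address and IP below is a documentation placeholder.
SAMPLE = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\tby mx.recipient.example with ESMTPS id 4F2A1;
\tMon, 23 Sep 2013 07:06:02 +0000
Received: from [198.51.100.23] (helo=laptop)
\tby mail.sender.example with ESMTPSA id 9C31B;
\tMon, 23 Sep 2013 07:06:00 +0000
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Subject: encrypted
Date: Mon, 23 Sep 2013 07:05:59 +0000
User-Agent: ExampleMail/1.0
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([^\s;]+)")


def exposed_metadata(raw):
    """Return the fields that stay in cleartext when only the body is encrypted."""
    msg = message_from_string(raw)

    # Each hop prepends its own Received header, so reverse for travel order.
    hops = list(reversed(msg.get_all("Received", [])))
    route = [m.group(1) for h in hops if (m := BY_HOST.search(h))]
    ips = [ip for h in hops for ip in IP_IN_BRACKETS.findall(h)]

    # Inline PGP shows up as an armored block; PGP/MIME as multipart/encrypted.
    body = "" if msg.is_multipart() else msg.get_payload()
    encrypted = (
        "-----BEGIN PGP MESSAGE-----" in body
        or msg.get_content_type() == "multipart/encrypted"
    )

    recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {
        "from": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "to": [addr for _, addr in getaddresses(recipients)],
        "subject": msg.get("Subject"),
        "date": msg.get("Date"),
        "user_agent": msg.get("User-Agent") or msg.get("X-Mailer"),
        "route": route,                        # MTAs in the order the mail travelled
        "origin_ip": ips[0] if ips else None,  # first IP recorded by the first hop
        "body_encrypted": encrypted,
    }


if __name__ == "__main__":
    for field, value in exposed_metadata(SAMPLE).items():
        print(f"{field:15} {value}")
```

Running the same function over your own sent mail shows which of these fields your provider and client actually add.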

Winter • September 23, 2013 7:10 AM

@DF
"If that is true then people only have two choices, use communication systems and have no privacy, or don't use the phone or internet."

It seems the judge assumes that in "real life" you cannot hide with whom you speak on public roads or establishments, nor can you hide whose house you visit. Therefore, you should not expect this privilege online.

I think this reasoning cannot stand scrutiny. People who visit me can indeed be seen. But it is different if someone follows me with a camera to record everyone who speaks to me.

Snarki, child of Loki • September 23, 2013 7:15 AM

@Mike the goat: just make sure to route your email through KREMVAX. It's what Snowden is using now!

Sling Trebuchet • September 23, 2013 7:19 AM

"the judge said that, since the customer had used the phone service, any metadata about his calls was not subject to an expectation of privacy under the 4th Amendment, because he had sent the data away, and it now was the phone company's data."

This of course is brain-damaged.
In order to place a phone call, one has to dial a number. One is billed for the call.
Without the phone company being aware of the called number, the call can not be made.
Without the phone company knowing the calling number, the call can not be billed.

Europeans have a concept of data privacy in which data is made available to another party only for purposes for which the data subject agrees to.
Summary: http://en.wikipedia.org/wiki/Data_Protection_Directive

In the case of call meta data, the data is necessary for the phone system to work. It is "the phone company's data" in that they need it to run the business. End of.
Meta data does not become a saleable/tradeable asset. The data collectors are responsible to the data subjects for privacy. They have a legal obligation to keep it secure and use it solely for the purposes agreed to.

This sort of principle should be obvious to anyone of moderate intelligence and soul.

Marcio Lima • September 23, 2013 7:20 AM

What about when this metadata is collected on a head of a foreign country outside the US? Spying?

unimportant • September 23, 2013 7:24 AM

@ Mike the goat

Why not try an application which does not generate interceptable metadata like a decentralized and encrypted F2F application (e.g. RetroShare)?

Darryl Daugherty • September 23, 2013 7:25 AM

As a professional I've got to take exception to your characterization of private detectives, Bruce. We do not tap phones. We do not open postal mail. In fact we're very careful to play within the rules as regards both the law and standards of professional ethics--and we're very quick to disassociate ourselves from colleagues who won't do likewise.

We take enough stick from the media over the actions of a very small minority as it is and that's on top of the grossly uninformed view of our practices promulgated by the entertainment industry. It saddens me to see you perpetuating those prejudices, too.

Were you to approach 99% of my industry with a task list as in your third paragraph, we'd throw you out on your ear. And most of us would at least think about calling the police as well. So please do tens of thousands of good, honest PIs worldwide a favor and find a different whipping boy for your hypotheticals in the future.

Darryl Daugherty
Bangkok, Thailand

FP • September 23, 2013 7:26 AM

Great analogy.

Unfortunately it does not seem to make much of a legal difference whether you surveil one person with immense manpower, or whether you accomplish the same surveillance on a mass scale at a fraction of the cost. When you could surveil a single person with 10 officers, then the same surveillance on a million persons must be legal too! But of course you keep making that point in other posts.

One angle that I am sometimes missing, as a foreign citizen, is that most discussion focuses on the domestic monitoring and data collection of US citizens. To me it seems as if few Americans are concerned with the monitoring of non-US persons!

Tom Peterson • September 23, 2013 7:27 AM

@Adam, who cares what a secret Court's judges whose only purpose is to create "justice theatre" (justice's alternative to "security theatre")?

We need the opinion of the Supreme Court on this. The total surveillance of the country is one of the issues of the *century*. So excuse me if I don't think the secret court's ruling is worth the paper it's been written on.

In fact, I'd even say this needs to go to the International Court in Hague, since it's about the *human right to privacy* - but too bad US couldn't care less about international courts and international laws.

eee_eff • September 23, 2013 7:28 AM

The comment that the FISA court disagreed with this perspective that metadata=surveillance is only temporarily relevant, because most people do not agree with the FISA court, and therefore this precedent should eventually be overturned--by demand. The only way these secret opinions can stand is if they remain secret.

If you are opposed to these precedents fight the legality of secret courts. All else follows.

wtpayne • September 23, 2013 7:35 AM

This is a difficult debate; partly because there are no hard, easy to distinguish lines between what is acceptable and what is excessive, and partly because our concerns have more to do with the (abstract) potential for abuse, rather than any egregious abuses that may already exist.

The security services fill a useful role both in winning wars and in combating terrorism. The price that we pay (in terms of liberty) for that service has expanded exponentially over recent years, driven not so much by changes in the law, or by changes in the modus operandi of the security services, but rather by changes in the way that we all use technology.

Indeed, we pay the same price (in liberty) for the use of our search engines, free webmail, and free mobile phone apps.

I find it difficult to wag my fingers (too much) at the security services when all that they have done (in effect) is to take advantage of the information bonanza that has fallen into their laps. Ditto for everybody else feeding at the personal-information trough.

Is this a price worth paying? Probably not, although it is difficult to be certain without a crystal ball to reveal the consequences.

In any case, this story is worth making a fuss about simply because we (as a public) need to adjust to the fact that our lives are no longer private. My biggest fears are oriented around what will (is) happen(ing) as we lose privacy, but collectively fail to adjust our behaviour, our culture and our expectations to that fact.

NobodySpecial • September 23, 2013 7:44 AM

I quite agree. The details of who somebody called/emailed, the location of their phone and all the websites they visited are public information - and so should be routinely published for all politicians, police officers and American idol competitors.

It's a matter of public record that the President visited the G8 summit - then shouldn't the details of all his phone calls during the election campaign also be public?

Mike the goat • September 23, 2013 7:47 AM

Snarki: Unfortunately it's been offline lately. Rumor has it Putin stole its PSU to make an electrostimulation device.

unimportant: the problem is we need to leverage existing technology as much as possible lest people refuse to use it. I have no idea how we could do that with classic SMTP, dare I say it's impossible. That said traditional email is way past its use by date. It would be nice if there was a way to intelligently route email through a peer to peer network with users still using their legacy addressing. I.e. some way to map an internet domain to a tor hidden service or similar.

Wayne • September 23, 2013 7:51 AM

If the Administration insists on claiming metadata isn't privileged, then we need the metadata released for every Congressman, Senator, the President, and all of their Staff. Since they have done nothing illegal, they have nothing to hide. We use the FISC rulings against themselves.

Can we FOIA their metadata?


Dirk Praet • September 23, 2013 7:53 AM

@ Adam, @ DF, @ eee_eff

    The comment that the FISA court disagreed with this perspective that metadata=surveillance is only temporarily relevant

No, it isn't. The DoJ's and FISC's opinion is based on the 1979 SCOTUS ruling in the case of Smith v. Maryland, 442 U.S. 735. In that case, a person convicted of robbery and then placing harassing and obscene phone calls to his victim appealed the decision saying that the police had obtained his phone calling history from the phone company without a warrant and then used that information to convict him. He lost his case.

Quoting Mano Singham (Director of UCITE, Cleveland, Ohio) on the subject: "In his opinion, justice Harry Blackmun said that when you call somebody, you are giving a third party, in this case the phone company, the number to call and hence you have voluntarily relinquished your privacy as to the number, although the contents of the call still require a warrant because for that there is still a “legitimate expectation of privacy”, since people do not expect the phone company to be listening in or recording it, though we know it has the capability to do so.

Blackmun cited as evidence that the phone company sends you a monthly bill where it lists all the numbers you called, so you know that they keep a record of your numbers. It is this precedent that the government is using to argue that the collection of metadata does not require a warrant."

Needless to say that I don't agree with this reasoning. Then again, I'm not sitting on the Supreme Court.

@ Snarki, child of Loki

    just make sure to route your email through KREMVAX

Do note that their servers are based in Cleveland, Ohio, so just a matter of time before they receive an NSL if some high-profile person as Snowden is using their services.

unimportant • September 23, 2013 8:01 AM

@Mike the goat: Any kind of using an SMTP extension will still leave metadata (at best mixed within a cascade). However, using RetroShare feels almost like using Outlook -- but excluding snoopy servers.

Mike the goat • September 23, 2013 8:06 AM

unimportant: you misunderstand what I am getting at - not an SMTP extension but a plugin to a mail client so it can be used much in the same way. The only problem that I can think of is that there is no secure way (without a centralized directory server which is bad mojo and could be subverted) to map an email address to a p2p unique ID. So I guess you'd just have to add a new field to your address book for the new identifier.

Clive Robinson • September 23, 2013 8:11 AM

@ Snarki, child of Loki,

    ...just make sure to route your email through KREMVAX.

Hmm that joke is older than Ed Snowden and started as an April Fools' Day joke oh back over 30 years ago, and then just to prove that Russians do have a sense of humour they adopted it...

So both you and I've revealed we remember old jokes, I guess some people will use it as proof positive we are both over Bruce's age ;-)

Winter • September 23, 2013 8:11 AM

"The security services fill a useful role both in winning wars and in combating terrorism."

But the "old" view of amoral intelligence was that whatever was scooped up would never enter normal, legal, circles.

The fiction that 007 would do illegal things, but nothing he saw or stole or fabricated during his work could be used in court, nor would it be given to the DEA or competing UK firms.

The same with an MD or psychiatrist. People have no problem with their doctor or shrink knowing very private things about them. There would be huge problems when they fear they might be confronted with this information at a police station, during a job interview, when applying for insurance, or simply at a birthday party.

I think the major problem for the NSA is not so much that they spy, but that they actually leak it into the rest of the state apparatus.

Snowden showed how easily this stuff leaks, how many people read it, and how many people get to use this information.

Mike the goat • September 23, 2013 8:20 AM

unimportant: if you ran your own MTA /and/ the recipient MTA supports SSLized SMTP for submission you could safely deliver your message to the remote MTA with an attacker knowing only the hostname of the destination (and not the user). If you did the delivery via tor then all an eavesdropper on your end can determine is that you are sending data to a tor relay and an eavesdropper between the exit node and the destination MTA would know only that an SSLized submission is taking place.

Obviously those with access to the remote MTA could read the metadata (but not the content as it is PGP encrypted) but if both ends are running their own MTA this isn't an issue. Running either MTA as a tor hidden service would be even better as you are avoiding the exit node to destination path being publicly visible.

By saving certificate information (or perhaps using a DNSSEC signed TXT record with the certificate fingerprint in there) you could avoid a MITM attack. Perhaps something like openssh where on any subsequent connection if the fingerprint changes you are notified.

Those of you who remember FidoNET may remember there was an option called 'crash mail' where a private message could be delivered directly to the remote BBS over the PSTN rather than propagating through the mesh. Of course this wasn't encrypted but it was a lot better than having every sysop in the chain seeing your message.

If you had something similar where a secured connection with the remote host was established on the fly it'd be very nice indeed.
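An added sketch of the OpenSSH-style fingerprint check proposed in the comment above (not part of the original thread, and not code from any mail client): a trust-on-first-use store that pins the SHA-256 fingerprint of each remote MTA's certificate and reports when it changes. `PinStore` and the file layout are hypothetical; in real use the certificate bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)`, while the demo uses constructed byte strings.

```python
import hashlib
import hmac
import json
import os
import tempfile


class PinStore:
    """Trust-on-first-use pins: MTA hostname -> SHA-256 of its DER certificate."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    @staticmethod
    def fingerprint(der_cert):
        return hashlib.sha256(der_cert).hexdigest()

    def _save(self):
        # Write to a temp file and rename, so a crash never leaves a half-written store.
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, indent=2, sort_keys=True)
        os.replace(tmp, self.path)

    def check(self, host, der_cert):
        """Return 'new' on first contact, 'match' if unchanged, 'changed' otherwise."""
        host = host.lower().rstrip(".")
        seen = self.fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = seen
            self._save()
            return "new"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # Do NOT overwrite the pin here: a changed certificate is either a
        # legitimate rotation or a man in the middle, and only the operator
        # can tell which, after checking out of band.
        return "changed"

    def repin(self, host, der_cert):
        """Explicit operator action after the new certificate was verified."""
        self.pins[host.lower().rstrip(".")] = self.fingerprint(der_cert)
        self._save()


def should_deliver(store, host, der_cert):
    """Delivery policy: send on 'new' or 'match', hold the message on 'changed'."""
    return store.check(host, der_cert) != "changed"


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; the hostname is a placeholder.
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    with tempfile.TemporaryDirectory() as d:
        store = PinStore(os.path.join(d, "mta_pins.json"))
        print(store.check("mx.recipient.example", cert_a))  # first contact
        print(store.check("mx.recipient.example", cert_a))  # same certificate
        print(store.check("mx.recipient.example", cert_b))  # certificate changed
```

Like OpenSSH's known_hosts, this gives no protection on the very first connection; the DNSSEC-signed record mentioned in the comment would cover that gap.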


Robert Thau • September 23, 2013 8:34 AM

Another way to explain it: Imagine a phone call briefly arranging a meeting at 6:00 next Tuesday. This tells you very little. Now, imagine you knew that the people were a newly married woman and a reproductive rights specialist (or a battered women's shelter, or ...). Even if I take away access to the content ("next Tuesday at 6:00"), you suddenly know quite a bit --- and if you also know whether this is the first phone call between these two or, say, the tenth, you know a great deal more. The metadata tells you more than the content.

Let E-mail Die • September 23, 2013 8:39 AM

Why not let e-mail die? There are more secure (in theory) alternatives. Look at I2P-Bote for a promising alternative.

vas pup • September 23, 2013 8:46 AM

@Sling:
"Europeans have a concept of data privacy in which data is made available to another party only for purposes for which the data subject agrees to". That is the core of privacy concept.
Let say phone company needs metadata to bill customer, then after bill is paid (no dispute) in full, that meta data should be erased altogether, because the purpose it was collected for does not exist anymore. Amazon claims that all information you provided for the purpose of particular transaction only becomes Amazon's property forever. That is absolutely wrong.
Until law by default establish privacy paradigm that all PII provided is for particular transaction only to be completed and NOT for any other purpose until customer agrees and customer disagreement could not be the cause of denial of transaction, then no privacy exists. Metadata related to just fact of privilege communication to doctor, lawyer, priest, psychologist, in Great Britain - to Member of Parliament (as now) should have the same level of protection as content itself.

Clive Robinson • September 23, 2013 8:49 AM

Hmm,

With regards the FISA court judges notions about "public", I wonder how they would deal with the following,

To open your front door "that's on the street" --as opposed to set back by a garden/yard etc-- you hold your key up in public where according to the judges interpretation you are making it publicly available. If I were to photograph the key or memorise the ward cuts then I own the key profile as I've collected it.

Now at what point do I commit a criminal act or tort, when I sell on that information, when I cut a key, when I open your door, when I photograph all your personal papers?

Now I don't know about the US but in the UK we have a law about "going equipped to commit a crime" and arguably the act of copying (photographing/memorising) the key profile is covered by that and selling/giving the information would be under most circumstances covered by conspiracy to commit a crime...

So the metadata of the key ie its cutting profile is something that there is no non criminal reason to acquire/trade, because of the expectation it is to be used to commit a crime.

The phone companies must know by now that the use the TLA's will use the metadata is without a proper court order going to be used to commit a crime, thus they know they are committing a crime by handing it over.

Likewise any Judge issuing a blanket order must by now know that issuing such an order is because the TLA is going to use it to commit a crime. Thus issuing such an order is itself a crime (or unlawful as they chose to a word to try to hide what the rest of us call a crime behind).

Thus the judge has some serious questions to answer about their own conspiratorial crimes...

Which immediately calls into question any reasoning they have made as it is blatantly self serving and in no way impartially reasoned.

Ollie Jones • September 23, 2013 8:53 AM

Working in health-care IT, we aren't allowed to use email for anything related to patient records, because the metadata (source and destination address) are considered protected health information. We can't even send an email saying "dear patient, log in to the hospital web site to see a message!" Robert Thau's example is correct, and is enshrined in the HIPAA and ARRA 2009 medical privacy laws.

Instead we are supposed to use voice-phone and fax messaging, ostensibly because the metadata, and the content, are hard to obtain without a warrant and a pen-register.

But, but... NSA. Metadata collection and indexing.

Mike the goat • September 23, 2013 9:03 AM

Clive: /off topic/ speaking of the good old days back in the early 90s when BBS systems were wildly popular we ran one in a foreign country (I won't name as it may betray my I.D. but think first world English speaking outside of the US) that was revolutionary for the time. All of the fidonet mail from other BBS's that went to the US took a few days to go on its journey as long distance calls were expensive and it would cache a few up and use off peak international calling on a Saturday night. Anyway we were running one on a uni timeshare - we had three phone lines on modems tied to three ttys. Almost all the BBSs were DOS based systems back then but we made our own clone of RemoteAccess in C (we even did ANSI color and VT220). We had them bypass Unix /bin/login and had them dumped into our BBS environment. We used a modified binkley mailer.

Because we weren't paying for local phone calls (educational facility) we delivered mail to all in country nodes immediately. We had a RAS box and our mailer would just telnet to it (8 bit clean telnet) and do its AT commands just like a normal modem only difference being it went over an E1 (euro T1) and wasn't charged. Rather than waiting for mail hour we immediately delivered everything. Some BBS systems didn't like that. For those that failed to receive we would wait until mail hour. But most would be okay. People loved using the board as mail flowed quickly.

We also had an affiliation with a BBS at a Texas college that happened to be doing a similar thing to us. As we both had TCP/IP and neither had to pay long distance we became the de facto most efficient route for mail between the two countries. We used a little utility someone had posted that emulated a serial modem (you'd connect to the 'fake' modem and your software could do ATDT192168001001 for example, so it was just the IP padded out).

It was a hell of a lot of fun. We even set up an interBBS chat using some hackiness around ntalk (some fancy ANSI graphics etc to make it sexy) where people from two countries could chat. This was nothing new to academics but was cutting edge for people at home with their 9600bps modem (excluding those with blue boxes who called international BBS systems without paying).

Man, those were the days! When networks were innocent....

Mike the goat • September 23, 2013 9:09 AM

Let email die: the problem is your corporate types use it heavily and want it to be kept around. This is how we ended up with kludged on things like MIME (surely modern links are all 8bit clean?). When unsolicited emails became a problem we ended up with SPF and similar standards not to mention DNSBLs which did more harm than good. When transport layer surveillance became an issue we got SSL and STARTTLS and authenticated SMTP for road warriors and webmail users.

The sensible thing is for us to go back to the drawing board. New RFC. Completely new implementation that does it all and does it all properly.

We can always create gateways so the legacy system can be reached from the new and vice versa.

James Bell • September 23, 2013 9:11 AM

I think the problem lies not in metadata, but in the dragnet approach of collect everything and mine for behavior versus investigation, development of suspect, probable cause, warrant, etc.

Stephen • September 23, 2013 9:39 AM

Well said. Sadly so many idiots on radio and TV, say: so what they if they know and are listening.. well those idiots use iphones, facebook and twitter etc. They just do not give a shit about who is listening to them. I do.

Lucky for me I figured out the very first time I posted on a BBS forum (yea in the 1970's), anonymous is your friend. Sure you do not want to be an asshole and post stupid crap (troll) whatever. But being under the radar is always better than being ON the radar.

RSaunders • September 23, 2013 9:58 AM

I also like the analogy. I think a problem comes from extending "Metadata equals surveillance" to "therefore what the NSA is doing is illegal". We have cameras everywhere, recorded by companies and police departments. It's even more pervasive in the UK.

Is there any question that the traffic camera on top of the traffic signal down the street from you is legal? It's surveillance. It's done by government. It could be tied to a license-plate reader that records metadata on every car that drives by. Driving your car on a public street is not "personal, private behavior" that the government needs a warrant to observe.

I like the analogy, but it seems like it argues just as well for the other side.

Paul Noel • September 23, 2013 10:06 AM

I saw a comment about using the Metadata on Congress Critters etc. Just a note, try to get your own metadata like I did and you hit a stone wall. I had commented on the NSA publicly and started getting Death Threats and wanted my own Metadata for my own defense of my life. Try getting it and the company will tell you "Only on request from Law Enforcement." It isn't your data! At least according to the service providers. Privacy laws in the USA exist to prevent you from getting your own data and to prevent you from seeing all the things the NSA and that ilk are stealing from you.

P. • September 23, 2013 10:06 AM

I think it's even simpler than that... looking at someone for a prolonged period which causes him to lose his anonymity is surveillance. Pure and Simple.

If you want another good example use kids supervision (as in policing) as an example...

NobodySpecial • September 23, 2013 10:16 AM

@RSaunders - and suppose that was extended to a camera inside your house that monitored who you talked to and when, what books you read and what TV programs you watched.
Then another flying camera that followed you around checking where you traveled, which stores you visited, who you talked to and who they then talked to.

Brian M. • September 23, 2013 10:18 AM

The Fourth Amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Surveillance is neither search nor seizure. Yeah, it's pretty spooky and uncomfortable, but nothing has been searched, and nothing seized. Yes, someone can get a lot of data by seeing to whom you've contacted, and then mapping things out. But it's still not violating the 4th amendment of the US constitution.

What it is doing is wasting a lot of resources. When I worked at Microsoft, one of my coworkers had been a member of Iran's Revolutionary Guard. So by the definition of "foreign agent," I would have been on a second-tier watch list. Now, how long could I remain on that list? Indefinitely, I suppose.

A couple of weeks ago a package in the mail was mysteriously delayed. What did it contain? Three of Bruce's books, and two crypto USB drives. And the package was "out for delivery" for days, and then the routing information was back-dated to show that it had arrived the same day that it was out for delivery. USPS CYA or something more? "Never ascribe to malice that which can adequately be explained by incompetence" -- Napoleon Bonaparte.

Daniel • September 23, 2013 11:00 AM

@Winter - That's been my opinion exactly, and I haven't seen it much, or at all, in the press.

While I understand that non-Americans don't like that the US is spying on them, at least they don't have much to fear in the way of seeing this illegally-obtained data affecting them in court or elsewhere.

My opinion before Snowden-gate was that the NSA can spy on me all day long, not because I don't have anything to hide, but because it isn't legal in court.

Apparently that was never right, or at least it isn't now. Now, for example, I'm curious about why the doctor is asking me if I have guns at home.

When the government and courts start putting all of these data sources (email, medical, courthouse, tax, call logs, political donations, etc) together and starts making legal determinations or denying applications for government services (Drivers' license, concealed carry permits, tax exempt status, etc) based on that data, we will be in a serious hurt locker.

Cynics might say that the government is already doing this. I think that we are only at the beginning of it. The NSA might be smart and agile about data-mining, but most of the rest of the government just figured out how to back up Outlook emails. In time, the US government will start really cross-utilizing all of this data to disastrous effect.

Byron • September 23, 2013 11:11 AM

According to Adam, the judge's ruling on the expectation of privacy was predicated on who owned the information once it was transmitted.

Since the time of the Pony Express, the U. S. Mail, FedEx, et al, it has been "thought" the information transmitted belonged to the sender, the recipient or both. The facilitator of the information getting from one place to the other (and sometimes back) had no rights to the information.

If the government, any government, wanted to steam open an individual item to see what nefarious plot was moving apace, they got a warrant and did so. What's changed and why do we now not own what we create?

Skeptical • September 23, 2013 11:50 AM

Dictionaries can differ meaningfully in their definitions, but here is Merriam-Webster's entry for surveillance:

the act of carefully watching someone or something especially in order to prevent or detect a crime

But the conditions under which the telephone metadata are held and used mean that the government actually isn't carefully watching everyone's metadata. The access restrictions are important.

Let me put it this way.

A grand jury investigating pop music from the early 1980s issues a subpoena to AT&T, seeking all records relating to "867-5309", which is reasonably suspected of being involved in early 1980s pop music. AT&T performs a search, and gives the results to the grand jury.

Has the grand jury thereby conducted surveillance of all the numbers in AT&T's database? Does anyone consider themselves "under surveillance" by virtue of the existence of such searches?

If the government had no holds barred access to the telephone metadata records, then I would view the "mass surveillance" descriptor as accurate. But given the access restrictions, the database doesn't really change the amount of surveillance Americans are under.

Publius III • September 23, 2013 11:55 AM

@Daniel

The NSA is not "most of the rest of the government". It's an agency with a long history of doing things like surveillance, SIGINT, ELINT etc. I don't think they're that daft like the others may {{seem to}} be.

Clive Robinson • September 23, 2013 11:59 AM

@ Brian M.,

    Surveillance is neither search nor seizure. Yeah, it's pretty spooky and uncomfortable, but nothing has been searched, and nothing seized.

Err NO, you are making the mistake of believing "seized" applies only to "taking of physical objects"; it does not. For it to be "seized" under law all you really have to show is "harm" that is quantifiable, and you have "standing" and can thus seek redress through the courts. The US DoJ and all the TLA's are well aware of this, which is why they are so secretive, because unless you can demonstrate "standing" the judge will throw your case out. Ed Snowden has ripped the lid off that can of worms and you can bet that quite a few Federal ring pieces are puckering up.

With regards,

    Yes someone can get a lot of data by seeing to whom you've contacted, and then mapping things out. But it's still not violating the 4th amendment of the US constitution

You can rightfully claim that who you contact is a "protected work" as is any "customer list" and it is an item of value. Having value, its loss can be estimated and damages awarded. Contact lists have been used in court and the loss due to what is in effect copying described as theft in exactly the same way as the film and recording industry claims theft if you download a movie clip or song or anything else they believe is their IP.

Further, as this "protected work" is obtained in a manner that will be used to commit further unlawful (criminal) acts, it's actually a criminal act in its own right...

Muddy Road • September 23, 2013 12:25 PM

How do we get a political solution from a crazy, useless, dysfunctional, corrupt government?

Indeed the NSA (FBI, DEA, IRS, CIA, et al) abuses are directly related to the demise of a functioning democracy in the USA.

Even then, I would add the Brits are in worse shape than us. They are planning a massive firewall to block porno...but of course anything else they want to block, too. Also, in some areas they greatly exceed the capabilities of the US STASI because they have even less effective privacy and security protections across the pond.

Marching in the streets for a few years might work, or it might not.

I am not sure what will slow down the tyrannical police state now being introduced to each and every one of us, 24/7.

I do have some faith the technical guys will come up with some answers. They have a way of making things happen where it would seem nothing would work.

Daniel • September 23, 2013 12:30 PM

@Publius III: That's true. That's why I wrote:

    The NSA might be smart and agile about data-mining, but most of the rest of the government...

I work in the Federal government. So, I know all too well how behind the curve the rest of it is.

RSaunders • September 23, 2013 12:41 PM

@ NobodySpecial, To return to Bruce's analogy, the camera in my house would be eavesdropping, and the process to install it would be breaking-and-entering. Those are different crimes than the "surveillance" we're discussing. The flying camera is a different idea, I suppose that if it followed me into the house my dog would enjoy chewing on it.

Actually your response is another example of the "what the government COULD do to you would be bad" argument. We're all in agreement that an airstrike on my neighborhood would be over-reach by the USAF. That's not what's happened. There is NSA data gathering that leads to surveillance of some US people, but there is a SCOTUS decision that phone dialing metadata is not private.

Perhaps laws and rules need to change, but that's not the same as calling what's going on now criminal. They are following the rules and laws as written. It's creepy, because surveillance is generally creepy, but it's not illegal eavesdropping.

jones • September 23, 2013 1:21 PM

@ Daniel

> Now, for example, I'm curious about why the doctor is asking me if I have guns at home.

You probably have kids.

If so, it's standard practice for doctors to inquire about guns in the home, since there is a strong correlation between owning a gun and being injured by one.

Here's a scholarly article on the health risks associated with gun ownership, so you don't have to take my word for it:

http://aje.oxfordjournals.org/content/160/10/929.full

Data from a US mortality follow-back survey were analyzed to determine whether having a firearm in the home increases the risk of a violent death in the home and whether risk varies by storage practice, type of gun, or number of guns in the home. Those persons with guns in the home were at greater risk than those without guns in the home of dying from a homicide in the home (adjusted odds ratio = 1.9, 95% confidence interval: 1.1, 3.4). They were also at greater risk of dying from a firearm homicide, but risk varied by age and whether the person was living with others at the time of death. The risk of dying from a suicide in the home was greater for males in homes with guns than for males without guns in the home (adjusted odds ratio = 10.4, 95% confidence interval: 5.8, 18.9). Persons with guns in the home were also more likely to have died from suicide committed with a firearm than from one committed by using a different method (adjusted odds ratio = 31.1, 95% confidence interval: 19.5, 49.6). Results show that regardless of storage practice, type of gun, or number of firearms in the home, having a gun in the home was associated with an increased risk of firearm homicide and firearm suicide in the home.

It's no different in principle than if a doctor asks you whether you put your child in a child seat while driving.

You should be more worried about the NSA's impact on your life with respect to your having to wonder about these things. And worry about other people wondering about these same things, and maybe not speaking their mind.

People act differently when they think they're being watched. It's how some evolutionary psychologists explain the emergence of religion, after human habitations grew in size from extended families of about 200 members (if your whole social world is 200 people, you have an idea about everything everyone is doing, and everyone knows they're observed, so there's no need to invent religion to enforce morals at a distance).

In this case, however, the NSA is effecting a massive shift in social psychology. That's about as disconcerting as MKULTRA's direct interference in the lives of people like Allen Ginsberg and Ted Kaczynski -- who went on to influence culture in their own respective ways.

Curious • September 23, 2013 1:23 PM

I think Bruce has been very wise here to not end up understating the relevance of acknowledging 'metadata' to be part of surveillance; otherwise there is the risk of ending up becoming an apologist serving to affirm anyone's purported agency for even wanting to gather information in the first place, in lieu of business or security (be it Facebook, NSA, police, etc.).

Evolved • September 23, 2013 1:38 PM

Problem: you need a warrant to search someone's person, house, car, phone, etc. either physically or electronically.

Problem: you need to obtain such warrant without raising suspicion of privacy advocacy judges or others who may find out about the warrant.

Solution: instead of trying to convince a judge to sign off on it and to keep hush about it just create your own court with your own judge whose job it is to sign off on warrants.

End result: you have just circumvented the warrant system and you might as well not even need a warrant to perform your search which may or may not be ethical and lawful in and of itself.

Also, we have no say over what the phone company does with our gps data when we connect to a cell tower so how can we have any expectation that they won't provide it to law enforcement at the drop of a hat with or without a warrant?

The law says law enforcement needs a warrant to subpoena such data but it doesn't say that the company can't volunteer it if it feels it is in the best interest of law enforcement.

256mbofram • September 23, 2013 2:03 PM

"THE WOLVES, THE SHEEP AND THE RAM

The wolves sent messengers to the sheep, offering to swear a sacred oath of everlasting peace if the sheep would just agree to hand over the dogs for punishment. It was all because of the dogs, said the wolves, that the sheep and the wolves were at war with one another. The flock of sheep, those foolish creatures who bleat at everything, were ready to send the dogs away but there was an old ram among them whose deep fleece shivered and stood on end. 'What kind of negotiation is this!' he exclaimed. 'How can I hope to survive in your company unless we have guards? Even now, with the dogs keeping watch, I cannot graze in safety.'"
http://mythfolklore.net/aesopica/perry/153.htm

The old guard can't fail. They don't have real good security.

Curious • September 23, 2013 2:17 PM

I would say that simply handling metadata of people and the lives of people is 'illicit information gathering'. After all, this is about 'metadata' and not about the more vague 'information' in general and with such 'metadata' it goes to show that gathering such information about people or the lives of people does not warrant any particular use.

In other words, information gathering of the kind 'metadata' that comes about without any clear intent or use ought not be subject to being gathered (stored, observed, monitored, copied, transferred or displaced) in the first place. In the event of metadata being gathered with the intent for it to be used in a given way, any other use, other than that which has been explicitly declared as an intent and a purpose with the informed consent of an individual, must not be allowed.

I am no lawyer nor an expert in any particular field, but I thought that which I wrote made a lot of sense in general (if there are legal or technical loopholes here, I wouldn't know).

Jonathan P • September 23, 2013 2:22 PM

Daniel @11:00am, dirty evidence can be laundered. One term of such art disclosed by Snowden is "parallel construction", which works about like it sounds: frame-ups for the (ostensibly) guilty.

Brian M. • September 23, 2013 2:29 PM

@Clive Robinson:
    You can rightfully claim that who you contact is a "protected work" as is any "customer list" and it is an item of value.

But if the data is compiled independently, then how can it be shown to have caused "loss" to the individual? Dictionary and encyclopedia companies compile lists all the time. It's their day job. I don't remember a case where one dictionary company sued another over copyright infringement.

Let's presume that the NSA, by use of signal tracking technology and hidden cameras, follows you around and notes your movements and contacts. You also note in a notebook your movements, with GPS annotations. Somehow, through the same mechanism as Collect Garden Gnomes => Magic Happens => Profit, your collection of your movements brings you monetary profit. However, the NSA also has a set of data just as valid as your list. The NSA isn't your competitor, and their list of your movements and contacts doesn't infringe on your list of movements and contacts. The NSA doesn't use your list of movements and contacts for their monetary gain. They simply do it because you're in that big data dragnet of "everybody who isn't us." They keep it under their overcoat of secrecy.

Now, Google also has a list of your movements and contacts, and even of all the data therein. Google does sell this data, and you agreed to all of it.

So who are you going to sue? The NSA, or Google?

A collection of data is just that: a collection. It isn't an invention. A collection is something that anybody with the means can do. And so the NSA has the means to collect a pile of garbage.

The sad fact of this is that the NSA is in the Garden Gnome Collecting phase. As many Internet startups found out, the scheme of Collect Garden Gnomes => Magic Happens => Profit doesn't actually work. In the NSA's case, it's Collect Garden Gnomes => Magic Happens => Lucid Intelligence. They have a pile of garden gnomes, no magic, and no intelligence.

Scott • September 23, 2013 2:38 PM

@Mike the goat

    The govt are still going to see the headers and that includes the Subject: line. For this reason I suggested they just write "encrypted" in the subject (as blank subjects often trigger spam filters) but this still means they know your origin address, destination address, route the message takes (these days only a hop or two, I remember in the early days messages got handed to plenty of SMTP servers en route...


For person-to-person communication, you can use OTM through Tor with a good degree of privacy; however, you both need to be connected. I'm currently working on a way to send messages offline without any useful metadata. The problem is that there is a tradeoff between privacy and usability, and I have chosen to sacrifice usability. The idea is that the two parties exchange Diffie-Hellman public keys, and agree on a seed (could be a hash of an empty string, it doesn't matter, as long as they agree on it). The Diffie-Hellman shared secret is then computed and hashed with the seed to compute a 48-byte message ID that both parties agree on. The message itself is encrypted and contains an authentication tag, which is then hashed with the secret to derive the next message ID. Your client would have to look up the ID for each contact you have.

For exchanging messages, you could have a Tor service that stores and looks up by message ID, you could have a peer-to-peer network (also behind Tor) (both of these options would be extremely easy to do a DoS attack on, considering they have to be completely anonymous), or you can use your browser behind Tor, encode the messages as Base64 with 64 characters per line, paste the message in the comments section of a dead, but indexed blog, and search for the message ID (first line of the encoded message) on Google.
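The message-ID chain described in the comment above, as an added Python sketch; it is not the commenter's code or any released tool. Assumptions: SHA-384 is used because its 48-byte output matches the stated ID size, the authentication tag is an HMAC over the ciphertext, the Diffie-Hellman shared secret is a constructed byte string, payloads are treated as already-encrypted bytes, and `DropBox` and `Channel` are hypothetical names.

```python
import hashlib
import hmac

ID_LEN = 48  # SHA-384 digest size; assumed because the comment specifies 48-byte IDs

# Constructed sample values: a stand-in for the DH shared secret and the
# "hash of an empty string" seed mentioned in the comment.
DEMO_SECRET = bytes(range(32))
DEMO_SEED = hashlib.sha384(b"").digest()


def h48(*parts: bytes) -> bytes:
    """SHA-384 over length-prefixed parts, so (a, bc) and (ab, c) hash differently."""
    h = hashlib.sha384()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def first_id(secret: bytes, seed: bytes) -> bytes:
    """ID of the first message: shared secret hashed with the agreed seed."""
    return h48(b"id", secret, seed)


def next_id(secret: bytes, tag: bytes) -> bytes:
    """ID of the following message: shared secret hashed with the previous tag."""
    return h48(b"id", secret, tag)


def auth_tag(secret: bytes, ciphertext: bytes) -> bytes:
    """Assumed tag construction: HMAC-SHA-384 under a key derived from the secret."""
    key = h48(b"tag-key", secret)
    return hmac.new(key, ciphertext, hashlib.sha384).digest()


class DropBox:
    """Untrusted store. It only ever sees random-looking IDs and opaque blobs."""

    def __init__(self):
        self.blobs = {}

    def put(self, msg_id: bytes, blob: bytes) -> None:
        self.blobs[msg_id] = blob

    def get(self, msg_id: bytes):
        return self.blobs.get(msg_id)


class Channel:
    """One party's view of a one-directional message chain."""

    def __init__(self, secret: bytes, seed: bytes):
        self.secret = secret
        self.current_id = first_id(secret, seed)

    def send(self, box: DropBox, ciphertext: bytes) -> bytes:
        tag = auth_tag(self.secret, ciphertext)
        used = self.current_id
        box.put(used, ciphertext + tag)
        self.current_id = next_id(self.secret, tag)  # advance the chain
        return used

    def receive(self, box: DropBox):
        blob = box.get(self.current_id)
        if blob is None or len(blob) < ID_LEN:
            return None  # nothing waiting under the expected ID
        ciphertext, tag = blob[:-ID_LEN], blob[-ID_LEN:]
        if not hmac.compare_digest(tag, auth_tag(self.secret, ciphertext)):
            return None  # forged or corrupted blob: do not advance the chain
        self.current_id = next_id(self.secret, tag)
        return ciphertext


def demo():
    """Sender posts two blobs; receiver finds them by deriving the same IDs."""
    box = DropBox()
    sender = Channel(DEMO_SECRET, DEMO_SEED)
    receiver = Channel(DEMO_SECRET, DEMO_SEED)
    ids = [sender.send(box, m) for m in (b"opaque-ciphertext-1", b"opaque-ciphertext-2")]
    got = [receiver.receive(box), receiver.receive(box)]
    return ids, got, receiver.receive(box)  # third lookup finds nothing


if __name__ == "__main__":
    ids, got, extra = demo()
    for i in ids:
        print(i.hex()[:24], "...")
    print(got, extra)
```

Because each ID depends on the previous message's tag, a blob that is lost or deleted from the store stalls the chain: the receiver cannot compute any later ID without it.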

JealousSpouse • September 23, 2013 3:02 PM

@Adam: "the judge said that, since the customer had used the phone service, any metadata about his calls was not subject to an expectation of privacy under the 4th Amendment, because he had sent the data away, and it now was the phone company's data."

The judge should consider the following question:

Some detective, hired by a jealous spouse, obtains a job at the phone company, in a legal way. Then he contacts the system administrator of that company, asking for the 3 months worth of metadata that the spouse wanted. His argument: the metadata belongs to the company and he is working for the company, and his assignment asks him to grab that metadata.

How, according to you, should the system administrator react?

You can replace phone calls by snail mail, if you want to consider what could have been in the mind of the redactors of the 4th Amendment.

name.withheld.for.obvious.reasons • September 23, 2013 3:30 PM

What has to be understood by the lay person and legal scholars is the complete de-emphasis of the citizen's inherent rights to be protected from government hostilities directed at the citizenry. Yes, the framers of the U.S. Constitution understood that the instruments of tyranny are difficult to avoid--power is a tempting mistress and history has proved time and again that power will be abused once it is obtained. I cannot help repeating this but few seem to get the reasoning behind the 4th amendment and I have yet to see the cogent argument that also throws in the 1st amendment too. The whole reason for the Bill of Rights was to insure that the federal government would not take over the states...and if you consider that in order to address such an issue you have to be ready for any attack that might be entertained by the federal government. To summarize some issues:

1.) The fourth amendment to the Bill of Rights was designed to avoid several problems related to tyrannical rulers (King George the Third).

2.) British soldiers were sent into towns and villages, without any suspicion or cause--except to repress the colonists--and seized documents, letters, possessions, food, or your wife. The level of harassment was unimaginable. And, if you were a smart arse and told the soldiers that the King could go f' himself--you might see the end of a rope (and I don't mean a jump rope--unless of course you're only going to jump once).

3.) The first amendment begins with a constraint on the federal government, it is completely obvious; "Congress shall pass no law..." and the object of this constraint besides religious exercise was stated as such; "abridging the freedom of speech, or of the press". The OR is the important issue here. Many people interpret the first amendment to mean that only the press is free to speak. In addition, the next clause continues the theme framers used to address tyrannical methods of repression and added the right to assembly and petition for grievances, "or the right of the people to peaceably assemble, and to petition the Government for redress of grievances."

4.) The first amendment here is VERY IMPORTANT--freedom of assembly. Why, because if individuals cannot organize, the difficulty throwing off a repressive government becomes a most difficult proposition. The colonists held town meetings and assemblies, but, the King appointed the governors. In effect, there was no local government. Laws were passed locally to keep the colonists in line--there was a deliberate effort to derail local assembly because the colonists were beginning to become effectively organized...that's no good for a tyrant...you need to keep the screws applied and insure that the general population doesn't exercise any control--of anything.

5.) Based on the way our federal government is acting, I'd gather that our modern day Thomas Paine is Edward Snowden. Kind of the digital town crier. We would do well to listen, but we will only continue to do...by acting.

PubliusX • September 23, 2013 3:54 PM

It is easy for us geeky types to believe that the solution to this problem can be found in technology. The problem, however, is multilayered and obfuscated over time. The first layer is that the Federal Government of the US believes it is the sovereign power in the US. It is not! I've demonstrated the fallacy of that notion with my whitepaper entitled The People are Sovereign residing as the current homepage at UnfetteredSpeech.

The next layer is that SCOTUS and its offshoots are the final arbiters of constitutional law. It and they are not. We the People possess that power. We the People overturned the 18th Amendment through our service of jury duty. About 54% of the cases that came before the people on the matter of alcohol prohibition were found to be "not guilty." We were assisted by 23 states that refused to enforce prohibition, thereby forcing the Federal Government to initiate the 21st Amendment. This little tidbit I have confirmed through casual conversation with a neighbor I once had in Louisiana, Federal District Court Judge Rebecca Dougherty.

Another layer is the usage of common law principles within Federal constitutional law. A notion negated by James Madison when he penned the committee's "Report on the Virginia Resolution" for the State of Virginia in 1799, passed through the Virginia House 60 to 40 and the Virginia Senate 15 to 6 in 1800. The two principles of common law in use here are that of precedent and incorporation. Precedent is self explanatory, but incorporation is a bit more complex. To incorporate, in the Latin "in corpus," is to put into a body, thereby creating a "person" in the eyes of common law. This is maintained at the federal level through an 1856 supreme Court ruling I can't think of off the top of my head. (This would be the reason Justice Scalia recently said he only refers to the "Federalists Papers" and not Madison's other writings. They would negate his concept of originalist theory!)

Yet another layer is the use of the 14th Amendment to leverage corporate person-hood to grant protections under the Bill of Rights. This is notable in that these "persons" are granted immunities and protections not granted to the citizens as persons. It must also be noted that many cities, towns and etc are incorporated, granting them rights and immunities over actual citizens. Clearly a violation of the 14th's equal protection clause. If these persons were held to the same standards and laws as the citizens, they wouldn't be in any position to hand data of any sort to the NSA. (Think stalking, harassment and etc.)

Lastly, at least for this discussion, is the government's insistence that all of this is allowable under their interpretation of the 4th Amendment. This is more a 3rd Amendment violation. Something I have expounded upon in a June blog posting at UnfetteredSpeech. As long as they keep us thinking that these are just 4th Amendment issues they keep us distracted from our own sovereignty.

Yours in Freedom!

Kris Diefenderfer • September 23, 2013 4:09 PM

The key here is whether the metadata can be tied back to an individual. If it can, then I agree. Metadata is surveillance. If it can't, then it is not personal/private information.

PubliusX • September 23, 2013 4:34 PM

@name.withheld.for.obvious.reasons

You are so right. While all are important, the 1st Amendment is without a doubt the most important of all of the Bill of Rights. It exempts the Federal Government, and by the 14th, the States, from any form of social control. It must also be remembered that the press was the printing press and not journalism in general. It was Thomas Paine's best selling pamphlet Common Sense that had the greatest influence on moving the revolution forward.

Remember, too, the words of James Madison, the avowed father of our Constitution, when he said:

    Words could not well express, in fuller or forcible manner, the understanding of the convention, that the liberty of conscience and freedom of the press were equally and completely exempted from all authority whatsoever of the United States.

Yours in Freedom!

PubliusX • September 23, 2013 4:40 PM

Let's put this in the simplest of terms; universal surveillance by our government is akin to placing a soldier in every house. Clearly unconstitutional under the 3rd Amendment.

As you know by now...

Yours in Freedom!

Jeff Johnson • September 23, 2013 4:53 PM

This seems like a technically correct argument, but it really doesn't prove that all metadata is surveillance. It proves that surveillance can produce some metadata.

I think that whether metadata is surveillance isn't the important question. The kind of surveillance that really bothers us psychologically, in my view, is when another human being consciously monitors what we do. In the private detective case, it is the individual human looking at what we do that bothers us.

Suppose some kind of automated robot gathers up all the information your private detective has gathered, but that information is protected by ultra-secure encryption so that nobody can read it unless the actual subject of the automated data gathering gives them permission. I realize that assumption is far fetched (most likely someone else would hold the keys), but it illustrates the point. Has that subject been spied upon prior to giving someone access to that data? This is kind of like asking if a tree falls in the woods and nobody is there to hear it, does it make a sound? Well, physically it oscillates air molecules. But no mind records it, experiences it, or notes its implications. There is a real sense in which any sound the tree makes just doesn't matter if it has zero impact on any subjective consciousness.

Another example: all the photons and radio waves that escape the earth contain a massive amount of information about people's activities, including both data and metadata. Let's even suppose all the earth's metadata were gathered, organized, and intelligibly transmitted into outer space, so that it is traveling away from earth at the speed of light. Does that information represent surveillance? I would say not really until some conscious being reads it, and it doesn't really affect us until they take some action based on what they read.

Clive Robinson • September 23, 2013 5:17 PM

@ Brian M.,

    But if the data is compiled independently, then how can it be shown to have caused "loss" to the individual? Dictionary and encyclopedia companies compile lists all the time. It's their day job. I don't remember of a case where one dictionary company sued another over copyright infringement.

Well guess what they do sue or threaten to sue,

http://www.theregister.co.uk/2011/10/07/unix_time_zone_database_destroyed/

Under law you have to distinguish between what is data and a work derived from data. The words in a dictionary, their ordering, etc. are not protected by copyright as they are data in common usage. However, the actual definitions of the words are, as a collection, a work which is subject to copyright.

Anon • September 23, 2013 5:49 PM

The 4th amendment question is easy, metadata does not require a warrant, ever. At the time, the only commercial, long distance method of data transfer was the postal service and one of the first acts of Congress was to give the US postal service a monopoly. So one of the first acts of the people who created the 4th amendment was to guarantee that the federal government would have access to 100% of all metadata. They clearly didn't believe metadata was constitutionally protected and neither has any Supreme Court over the past two hundred years.

unimportant • September 23, 2013 5:53 PM

@ Evolved -- referring FISA Court

This language reminds me of when mandatory chimney inspections were introduced: The German sweepers had also to search for wanted people during the 3rd Reich in otherwise protected environments.

Dirk Praet • September 23, 2013 5:55 PM

@ Clive Robinson, @ Snarki, child of Loki, @ Mike the goat

    ...just make sure to route your email through KREMVAX.

Cr*p. Didn't remember that one. But kremvax.org does point to a small hosting company called 9srv.net that is providing some services, among which email. I thought it was some Lavabit-like initiative.

@ Daniel

    While I understand that non-Americans don't like that the US is spying on them, at least they don't have much to fear in the way of seeing this illegally obtained data affecting them in court or elsewhere.

A leap of faith I am not willing to make.

For starters, the US - or any other nation for that matter - absent probable cause has zero business monitoring/accessing my communications, cloud storage or whatever else it is I am doing online, in public or in the privacy of my own home (network). I bet that goes for quite some other people and companies too.

Second, what may be perfectly legal over here may be entirely different in the US, and interpreted as such when applying for a visa, being turned down and never knowing why. Third, from what we've learned the NSA does exchange and share information with other agencies, both at home and abroad. If ever I became a nuisance to my own government, they could request my US file and search for something usable to pin me down on, while in court hiding where the original information came from. That's exactly what the IRS and the DEA seem to have been doing as well.

@ RSaunders

    They are following the rules and laws as written. It's creepy, because surveillance is generally creepy, but it's not illegal eavesdropping.

No, they aren't. They are interpreting and extrapolating existing law (constitutional, federal, case law). The 4th Amendment doesn't say a thing about phone calls or digital communications, and the 1979 SCOTUS decision in Smith vs. Maryland was such an interpretation.

American law operates under the doctrine of stare decisis, which means that prior decisions should be maintained - even if the current court would otherwise rule differently - and that lower courts must abide by the prior decisions of higher courts. The U.S. Supreme Court is the highest court in the nation and its decisions set precedents that all other courts then follow. No lower court can ever supersede a Supreme Court decision and not even Congress or POTUS can change, reject or ignore a Supreme Court decision.

This means that overturning a SCOTUS decision is very difficult. There are two ways it can happen:

  • States can amend the Constitution itself. This requires approval by three-quarters of the state legislatures.
  • The Supreme Court can overrule itself. This happens when a different case involving the same constitutional issues as an earlier case is reviewed by the court and seen in a new light, typically because of changing social and political situations, or in this case technology.

Thanks to Snowden, we know that the administration is also basing its bulk collection of metadata on an interpretation by the FISC of Section 215 of the Patriot Act.

In conclusion, for bulk collection of metadata to go away, we need a case to go all the way up to SCOTUS that, in overturning Smith vs. Maryland, could equally void the FISC's interpretation of PA Section 215.

@ Jeff Johnson

    Let's even suppose all the earth's metadata were gathered, organized, and intelligibly transmitted into outer space... Does that information represent surveillance?

No, that's unintentional data leakage, whereas what the NSA is doing obviously is serving a purpose.

I believe your argument that there is a difference between collecting data and actually doing something with them is purely semantical. If it gives you peace of mind, then that's fine with me, but from where I am sitting monitoring and storing equals surveillance.

name.withheld.for.obvious.reasons • September 23, 2013 6:27 PM

@PubliusX


    Let's put this in the simplest of terms; universal surveillance by our government is akin to placing a soldier in every house. Clearly unconstitutional under the 3rd Amendment.

In addition, the presumption of guilt is implied for every citizen. Why would a government agency surveil a person--reasonable, articulable suspicion? The government has turned jurisprudence on its head. This is what it sounds like (Charlie Brown listening as Lucy yaks is the backdrop). "We collect YOUR information and if we find any malfeasance then we have probable cause."

WHAT?

This is pure insanity, we need to apply this logic to every political appointee and representative. We know you've done something wrong, we just don't know what it is yet! Give me all your papers--please. Your papers, we must have your papers. Dah! Now we have an attack on the fifth amendment, as the evidence produced by a computer, cannot be present--and--that information is "classified" and not even the judge can be privy. Wakey, wakey people.

name.withheld.for.obvious.reasons • September 23, 2013 6:38 PM

And I keep saying, the statute under the FAA was deliberately written to avoid accountability. Two components are used to subvert scrutiny; first the 702 section prescribes that the government order include the method of collection (this immediately sets the classification of the order to secret), in effect the rule forces the order to gag itself. This was totally unnecessary. An order should describe the who, what, where, and why. There's no requirement that I can fathom that says it is necessary to specify how. That's sources and methods, that's opsec information and the people that drafted that rule knew it. The second was to make the FISA court the Superior court. I'm afraid the Supreme Court is just second fiddle, I guess they are so yesterday.

EvolvedSeptember 23, 2013 6:53 PM

@Jeff Johnson, I really like your description and I agree 100% except for the fact that it has been established that the NSA is currently using this murkily-collected evidence in ways that aren't necessarily ethical.

I.e. The DEA's SOD gets info not about a direct tip but to look for a certain car at a certain time in a certain place. Akin to "He may or may not be selling drugs but we have good reason to tell you that he may or may not be driving a black escalade and may or may not be driving down Main Street and he may or may not be doing so at 345pm. This may or may not happen every Saturday."

The end result is the DEA catches a drug dealer which I'm sure none of us have a problem with but to then go and create an evidence trail for how they came across the information isn't ethical because if he were to now have an opportunity to have the case dismissed on procedural grounds then the DEA merely needs to make sure that they consult a few trusted attorneys when creating their fake evidence trail.
That's an extreme and it happens but it doesn't hit home like your kid perusing Wikipedia out of sheer boredom and one thing leads to another and next thing he's researching IEDs out of curiosity but that tips off the FBI to come kick down your door and arrest him for potential future terrorism despite the fact that he hasn't done anything criminal yet.

Sling TrebuchetSeptember 23, 2013 7:31 PM

"the judge said that, since the customer had used the phone service, any metadata about his calls was not subject to an expectation of privacy under the 4th Amendment, because he had sent the data away, and it now was the phone company's data."

OK

So.. Weev
http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/23/this-hacker-might-seem-shady-but-throwing-him-in-jail-is-bad-for-everyone/

This guy Weev looked at data that people had given away to a third party - and therefore "had no expectation of privacy".

"In 2010, Auernheimer and a colleague discovered that AT&T had accidentally published the private e-mail addresses of its iPad customers to an AT&T-owned Web site. Auernheimer then wrote automated software to harvest the e-mail addresses of more than 100,000 iPad users. He passed this information to Gawker."

"The government argues that Auernheimer should have known that AT&T's Web site wasn't intended to be available to the general public and that that should have stopped him from harvesting its customers' e-mail addresses."

eh... Dude? ... "wasn't intended to be available"?
Wut?

Who was the injured party?
Who didn't intend that...... ?

Muddy RoadSeptember 23, 2013 7:36 PM

What if you or I downloaded "metadata", read emails, infected computers with keyloggers, viruses, malware, listened to everyone's phone calls at will, hacked and cracked all manner of security software and hardware?

We would ALL be in prison for 20 years. But,

What if bank robbers summarily decided robbing banks was legal? And, found a former bank robber to say so officially? What if they only robbed "bad" banks, but not "good banks" as defined by them and said that was legal?

I am saying the government and corporations involved in the internet have become a run amok criminal enterprise and there is no one person or group willing or able to stop them.

They are all crooks and liars.

Now what?

saucymugwumpSeptember 23, 2013 7:37 PM

Evolved wrote "That's an extreme and it happens but it doesn't hit home like your kid perusing Wikipedia out of sheer boredom and one thing leads to another and next thing he's researching IEDs out of curiosity but that tips off the FBI to come kick down your door and arrest him for potential future terrorism despite the fact that he hasn't done anything criminal yet."

Nonsense. It does not happen that way.

Researching explosives will not result in the FBI looking your way. You would need to also peruse jihadist websites and probably a few other things. FBI agents would never leave the office if they investigated everyone who researched explosives.

Mike the goatSeptember 23, 2013 7:49 PM

saucymugwump: wasn't there a guy who recently got FBI attention as his wife was googling "pressure cooker sales" while he was simultaneously looking at a news story re terrorism? Point is, they were listening. Uh, Mr FBI man .. bomb PETN government explosive gods will. Thanks for reading my post gubment. ;-)

TimSeptember 23, 2013 8:07 PM

There's a very simple way to see that Metadata Equals Surveillance: the NSA is in the business of collecting it! If not for surveilling individuals, why would they need to try to justify its collection? The government doesn't spend billions of dollars on such projects just for fun.

Dear Mr. President: Since the NSA is, you say, not surveilling people, why are they wasting our tax dollars collecting metadata?

Mike the goatSeptember 23, 2013 8:30 PM

Tim: given they are clearly working with big data I am sure they get a lot of contextual info from it.

Ie. If sleepercell@aol.com => allah.akbar@alshabaab.net s="Attacks" 1058
Then allah.akbar@alshabaab.net => sleepercell@aol.com s="Re: Attacks" 1115
Followed by sleepcell@aol.com => hate.us@gmail.com, bomber@verizon.net, shark@therussiansareinvolvedtoo.ru s="mission plan" 1400

You'd have a fair idea how many are involved and what is happening and you'd then be able to get a warrant for content pretty quick.
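What header-only records of the kind sketched in the comment above reveal about a group, as an added example that is not part of the original comment. The addresses, the record layout and the function names are constructed for illustration; no message bodies are used.

```python
from collections import defaultdict, deque

# Constructed header-only records: (HHMM, sender, recipients, subject).
RECORDS = [
    ("1058", "a@example.org", ["b@example.net"], "Plans"),
    ("1115", "b@example.net", ["a@example.org"], "Re: Plans"),
    ("1400", "a@example.org",
     ["c@example.com", "d@example.net", "e@example.org"], "schedule"),
    ("1410", "x@example.com", ["y@example.com"], "lunch"),  # unrelated traffic
]


def minutes(hhmm):
    """Convert an HHMM timestamp to minutes since midnight."""
    return int(hhmm[:2]) * 60 + int(hhmm[2:])


def contact_graph(records):
    """Undirected who-talks-to-whom graph built from envelopes only."""
    graph = defaultdict(set)
    for _time, sender, recipients, _subject in records:
        for rcpt in recipients:
            graph[sender].add(rcpt)
            graph[rcpt].add(sender)
    return graph


def cluster(graph, seed):
    """Everyone reachable from one known address (breadth-first search)."""
    seen, queue = {seed}, deque([seed])
    while queue:
        node = queue.popleft()
        for peer in graph[node] - seen:
            seen.add(peer)
            queue.append(peer)
    return seen


def reply_pairs(records):
    """(replier, original sender, latency in minutes) for each 'Re:' reply."""
    sent, pairs = {}, []
    for time, sender, recipients, subject in sorted(
            records, key=lambda r: minutes(r[0])):
        subj = subject.strip().lower()
        for rcpt in recipients:
            if subj.startswith("re:"):
                original = sent.get((rcpt, sender, subj[3:].strip()))
                if original is not None:
                    pairs.append((sender, rcpt, minutes(time) - original))
            sent[(sender, rcpt, subj)] = minutes(time)
    return pairs


def summarize(records, seed):
    """Group size, most-connected member and reply behaviour for one seed."""
    graph = contact_graph(records)
    members = cluster(graph, seed)
    hub = max(sorted(members), key=lambda m: len(graph[m]))
    replies = [p for p in reply_pairs(records) if p[0] in members]
    return {"members": sorted(members), "hub": hub, "replies": replies}


if __name__ == "__main__":
    print(summarize(RECORDS, "a@example.org"))
```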

Wesley ParishSeptember 23, 2013 10:15 PM

My take on sending data away to third parties, is that my data is covered by my copyright. It is leased, by me, to third parties to assist in assessing creditworthiness and the like, for specific purposes, and its use outside of those strict limits constitutes an offense punishable by laws such as the DMCA.

By granting access to these third parties, I have not ceased control over it, as can be seen by analyzing such third parties' insistence on my maintaining that data in a usable form by informing them of changes in my circumstances whenever for example, I move while still paying something off on hire-purchase or on a bank loan. If it was truly their data, they would not need to plead with me to update my information.

Consequently, any judge, justice of the peace or any other officer of the law who takes the position that by granting access to my personal data to any given third party, I have no longer the rights to it - I consider them to be conspiring to pervert the course of justice. And as such, to be outside all and any protection of the law, committing willful outlawry.

Ditto for my emails.

To the extent that we have an international civil society with the rule of law, this applies to all and any officer of the law from any nation-state who commits willful outlawry by intercepting my emails.

Ignorance of the law is no excuse is a common proverb, and when the law itself shows willful ignorance, it has put itself irreparably beyond the protection of the law itself.

FigureitoutSeptember 23, 2013 10:20 PM

A couple of weeks ago a package in the mail was mysteriously delayed.
Brian M.
--Not joking, I would concoct the nastiest thing you can think of, put some neodymium magnets in a box, and ship some random crap on the drives and put it in a postal box to a random address. Save and try to find someone to verify the books; I have a copy I trust of AC2, it shouldn't be hard to find someone. Tampering should be pretty obvious b/c you're dealing w/ imbeciles and maybe try to take some prints if you haven't destroyed the evidence already.

If they're tampering w/ your mail do not trust any electronic device that you do not take drastically extreme measures to protect.

FigureitoutSeptember 23, 2013 10:24 PM

Brian M.
--BTW, it was USPS that tampered w/ my mail too. Maybe they will go bankrupt anyway b/c they're incompetent.

CfrgSeptember 24, 2013 12:19 AM

The court is narrowly right on privacy, there is no reasonable expectation of absolute privacy in telephone call or email data, we know that random telco or ISP staff see it, but there is an expectation of practical obscurity, a concept I believe your Supreme Court applies to FOIA applications but which seems to have gone missing from this discussion.

Mike the goatSeptember 24, 2013 1:30 AM

Figure it out: I would encrypt a file with something tantalizingly breakable like single DES. Call it manifesto.tar.des

So they'll take the time to decrypt the file and extract the tarball. Inside the tar put another file called operatives.txt.does

Once they've broken that have the first line of the text file state "Hi. Thanks for taking the time to break this file. Included below is a list of Yankees players. Enjoy."

I can imagine how pissed off they would be.

Gary McGathSeptember 24, 2013 8:45 AM

Sorry, "metadata equals surveillance" makes no sense. Metadata is something we all constantly use if we're savvy about managing our files -- when a file was created, who created it, what it's about. You could call that "surveillance" of the file, I suppose, but it has nothing to do with surveillance in the sense of the NSA, a detective, or a website tracking its users.

Metadata has long been an important issue for libraries and archives, which need to keep track of the origin, changes, and context of digital documents. Turning "metadata" into a dirty word is bound to create needless hostility to these important activities.

FilbySeptember 24, 2013 9:43 AM

@Gary McGath
Sorry, "metadata equals surveillance" makes no sense. Metadata is something we all constantly use if we're savvy about managing our files -- when a file was created, who created it, what it's about. You could call that "surveillance" of the file, I suppose...

This is not a question of surveillance of files or other inanimate objects, of course, but surveillance on people that answers questions like what files did the person read? what locations did the person go to?

As a simple example: plain metadata about a building is sufficient to tell the Govt that the building is a church, gun shop, porn video shop, or the house of someone who is "more interesting". The metadata obtained about people's whereabouts (e.g. through their cell phones, etc) is then used to create profiles of the individuals that are not suspects to any crime.

Is this an issue? It's like Bruce wrote:

Now imagine you hired that same detective to surveil that person. The result would be details of what he did: where he went, who he talked to, what he looked at, what he purchased -- how he spent his day. That's all metadata.

If the Govt would have engaged in manual surveillance (using actual detectives walking behind people) of this type, on this scale, in e.g. 60s, or 70s (the "civil rights era"), we would likely have had major protests about it.

JonathanSeptember 24, 2013 11:11 AM

I agree with you that metadata IS surveillance.

To prove this, ask the members of the congressional intelligence oversight committees if they would like their cell phone records sent to their spouses. Just who they were calling, when, and how long each call lasted. No? Why not? It's just metadata!

AdamSeptember 24, 2013 11:35 AM

A quick thought: perhaps we should consider supporting the development of the FreedomBox project. A standardized software project built on strong foundations and designed to be relatively "plug-and-play" for average people may be the best hope of preserving online privacy.

Chet BredwellSeptember 24, 2013 12:45 PM

Jeez.

Congratulations, Mr Schneier, for having the "courage" to say now what many of us were complaining about 10 years ago.

3650 days late, millions of dollars short.

Hope your Greenwald-penned late stardom feels powerful. Why weren't you grousing about this a decade ago? Why wasn't he?

Gary McGathSeptember 24, 2013 1:13 PM

Filby: Bruce failed to make that crucial distinction explicit, between surveillance of files and surveillance of people. Even if he'd said "metadata about people is surveillance of people," that would be a confusing way of putting it. Metadata is what's gathered by the surveillance, it isn't itself surveillance. It's spying, not information as such, which needs to be condemned.

As a sound bite, "metadata equals surveillance" is dangerously misleading.

RSaundersSeptember 24, 2013 2:42 PM

@Dirk Praet: Thanx. That was much clearer than what I wrote. At least I should have said "as written and interpreted".

Gary McGathSeptember 24, 2013 3:03 PM

Just thought of a way to better clarify my point. If you've commented here, you were asked to enter a name, email address, and URL. That's metadata about you (strictly speaking, it's metadata about your comment). If it goes to the blog host, at least you know you're submitting it, and you had the choice not to comment. If the NSA taps into the blog host and snarfs the email addresses of everyone who commented (which aren't publicly visible), that's the same metadata. It's how it was collected and whether you consented that makes the difference, not the fact that it's metadata.

AdamSeptember 24, 2013 3:50 PM

One of the arguments I saw somewhere seemed to be along the lines of this: making a phone call is like going out of your front door and walking down the street to a friend's house: it's not illegal nor a 4th Amendment violation to watch you and follow you and note where you go, when, and who you talk to.

But the problem is that making a phone call is nothing like that at all, nor is using the Internet. In real life, you can look outside to see if anyone's watching your door. You can double-back to check to see if you're being followed. You can go out at night, or in disguises. The point is that, other than an invisible, silent UAV or a super-high-res satellite, no one can spy on you without revealing themselves. Even if they disguise themselves, at least you have a chance of seeing them. And if you're in a rural area, it would be hard to surveil someone surreptitiously.

Here's a better, but still very rough, analogy of what real life would be like if it were like the Internet or a phone system: in your town, every door that opens to the outside is connected directly to an opaque tunnel--no one can see inside it. When anyone enters the tunnel, they put on a bodysuit vaguely like a knight's suit of armor in that it's impossible to tell who is inside it. All the suits are identical in size and shape and color. It's impossible to know who someone is unless you see them getting into the suit. The best that can be done is to guess their identity by where they go and come from. And again, the most important point is that no one outside of the tunnels can see inside of them.

In such a system, the kind of metadata surveillance we're talking about here would be like the tunnel maintenance company installing monitoring devices on every door that puts a tracking device on each bodysuit as it enters the tunnel system, and records the date, time, and where the suit exits the tunnel system--and then secretly giving that data to the government.

"But they have no reasonable expectation of privacy once they walk out their door and enter the tunnel," some say. I think that's wrong: the tunnels are opaque; no one outside the tunnels is expected to be able to see inside, and no one who uses the tunnels expects a tracking device to record their every move and then tell third parties where they've been going. People wouldn't be content to know that they were only watched inside the tunnels but not inside their houses--people would want to not be watched at all.

Again, the analogy is far from perfect, but I think it helps illustrate that the comparison between moving about in real life and using phones or the Internet is like comparing apples and giraffes.

AdamSeptember 24, 2013 4:09 PM

@Brian M.:

The Fourth Amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Notice that I emphasized some different parts than you did. One can argue about what "search" and "seize" mean, but that isn't necessary to see how this blanket collection violates the Fourth Amendment. There is no reasonable probable cause (it's absolutely unreasonable to claim that probable cause can include every person), and the places to be searched and persons and things to be seized have not been particularly described (it's also unreasonable to claim that "particularly described" could mean "everyone, everything, everywhere, everytime").

I would also still argue about the intention behind the Amendment and how its spirit should guide interpretation of "search" and "seize." And I would say that, by definition, the only way a blanket collection of data can be used is to "search" through it--all of it--because unless every piece of data is examined, it's unknown what each piece is. The data is not alive--one cannot call out to it and have the interesting parts stand up and come forward. It must be looked at--searched--in order to know what it contains, and whether any of it is relevant.

One might try to argue that using a computer to do it automatically means that no human eyes are seeing it and therefore that it's not being "searched", but that's absurd. Computers are simply tools, extensions of our abilities; they only do what humans program them to do. If it were not a computer system, then one could imagine the data as an enormous set of index cards, all turned face-down, and that an army of people were laboriously turning over every one to see if any key words turned up. No one would reasonably argue that doing that was not "searching."

I would also argue that the data is indeed being "seized." It's being taken. Just because it's digital and can be copied doesn't change the fact that the data is being taken into possession.

Finally, I would argue that the government can't have it both ways: if corporations are like people, then phone/Internet companies are entitled to be secure in their "houses and papers and effects," and so no blanket authorization can be given for taking all of their data.

In my opinion, such blanket collection violates the Fourth Amendment in every way: both the letter and spirit of the law.

AdamSeptember 24, 2013 4:13 PM

@Skeptical:

By the way, my comment above applies to yours as well. The "access restrictions" you cite are irrelevant, because they are applied by computers, which are merely tools used by people, only doing what people program them to do. In essence, whatever their computers do, it's no different in principle than a human doing it.

Dr DuhSeptember 24, 2013 4:30 PM

If the reason why metadata is not protected is because there is no "reasonable expectation of privacy" might the solution be to implement a technology that creates the expectation of privacy?

It is not the envelope that prevents your mail from being opened, it is the law against opening envelopes (without a warrant).

Impregnable security would be great, but it would be difficult to implement broadly. Maybe a simple TOR is the answer to preventing society wide surveillance.

DingbatSeptember 24, 2013 4:51 PM

Wonder if one could win in a copyright infringement case if you have an algorithm for turning your number called, call duration and call time into musical notes. Then register said arrangement of notes with the Library of Congress along with the algorithm to produce the notes from the input meta-data.

After all it would be an original musical composition, which automatically falls under copyright protection. So would that be enough to sue your phone company for willful copyright infringement by distributing your composition to the NSA without permission and compensation?

Bonus would be using FOIA on the NSA to prove that the composition was sent to them by the phone company, thereby proving the copyright infringement occurred.

CuriousSeptember 24, 2013 5:04 PM

@Adam

It just occurred to me as I was reading your comment above:

I am not familiar with the constitution of the United States and I don't find it interesting as I don't live over there, however when I read what you had quoted above "The right of the people to be secure in their persons, (...)", it seemed fairly clear to me that the use of this word 'persons' would have to infer a privilege (something proffered as 'secure') with regard to the very existence of any individual or groups of individuals in their act, speech or in other forms of human behavior that would be an equivalent to the former.

As I see it, any use of the word 'person' in any context that is to be deemed to be good English, would not be about wanting to make a point about anyone's status as a living human being or individual as such (one human being, as opposed to a group of people, as if talking about 'rights' of individuals), but rather for being poignant about the very existentials that are associated with the very presence of any one individual in the real world (including anything that propagates onto other mediums, like the internet). Such existentials would have to be whatever makes up the immediate reality as anyone would have to acknowledge anyone's actual presence; name, gender, ethnicity, work, physical attributes, speech, acts or other forms of communication (and maybe other aspects as well, I haven't slept on all of this). I would claim that putting on a mask or dressing up as a walking doughnut, does not diminish you as being there as a person (capacity as an individual aka human being), you would just be an anonymous person (nameless person), but a person nonetheless.

And so it seems fairly obvious to me that it ought not be allowed having a government perchance persecuting any individual on a basis, in which any form of suspicion directed at anyone's 'person' were to be or have to be derived from preconceived knowledge, or heh meta knowledge such as so called metadata for example. Metadata that come about directly as a consequence from the lived life of any person might as well be considered personal data, regardless of ownership or property rights.

SkepticalSeptember 24, 2013 5:47 PM

Adam, grand juries issue subpoenas to companies all the time seeking records of relevance to their investigation. Companies then search through their records to produce items responsive to the subpoena.

Does that mean that the grand jury "carefully watched" (i.e. conducted surveillance of) all of the company's records?

You're eliding an incredibly important distinction if you say yes.

As to computers... let me give another example. Attorneys of course have a duty of confidentiality to their clients. Do attorneys breach this duty if they utilize an email service, like gmail, that uses automated scanning of emails to deliver targeted advertising?

In most states - if there's an exception I don't know of one - the answer is no, so long as the process does not involve another human being looking at the contents of the email.

Let me give a final example. Suppose I send a Freedom of Information Act request to the federal government, seeking certain information. The government (eventually) responds, giving me some information, but withholding other information on the basis of certain legal exemptions.

It would be absurd to say that I have "carefully watched" all of the federal government's records as a result of my FOIA request, including those records which the federal government refuses to show me, simply because the federal government conducted a search of its records at my request. What's important is what I'm able to see as a result of my search, not the matching process (which I can't see) that is done over every record (one way or another).

Sorry, one more example. Can't resist. A friend asks you for a copy of an email he sent you a few months ago, which he accidentally deleted. You say sure, search through your email, find it, and send it to him. Has your friend thereby conducted surveillance over all of your email? Of course not.

All of these examples hopefully illustrate why the access restrictions on the government's ability to search the database are so important. Those access restrictions mean that the government actually is not, and legally cannot, conduct mass surveillance. Searching the database for particular numbers that meet a reasonable suspicion standard is no different than issuing subpoenas to telecoms asking for the results of the same search.

AnonSeptember 24, 2013 6:20 PM

@Adam

Even if corporations are "people" and their data is being "searched or seized", it doesn't follow that metadata seizures violate the 4th amendment. The 4th amendment only bans "unreasonable" searches or seizures, not all searches and seizures. You seem misinformed. The government never obtained warrants for the metadata, so the "probable cause" standard and the particular place or person requirements don't apply.

Dirk PraetSeptember 24, 2013 8:30 PM

@ Skeptical

In most states - if there's an exception I don't know of one - the answer is no, so long as the process does not involve another human being looking at the contents of the email.

AFAIK there is no such law. What you are citing is Opinion 820 from the New York State Bar Association Committee on Professional Ethics (NYSBA). There are a number of other states whose Bar Associations have published similar Ethics Opinions on how lawyers might deal with confidentiality issues arising from technology, the bottom-line being that every lawyer must make "a reasonable effort" to keep information secure to insure that the computers and services they are working with are as protected as possible in order to maintain client-attorney privilege. There is however no consensus whatsoever that accepting a cloud provider's T&C's either implicitly or explicitly constitutes a waiver of said privilege.

Post Snowden, any information gained from NSA snooping over such communications for all practical purposes would be inadmissible in court, but we already know the DoJ has found ways to work around that.

@ Anon, @ Adam

The government never obtained warrants for the metadata, so the "probable cause" standard and the particular place or person requirements don't apply.

The administration doesn't need warrants to scoop up metadata. It's perfectly legal under the (until recently secret) FISC's interpretation of PA Section 215. See my previous posts on the subject.

But according to some recently declassified FISC opinions, the collection of inter-American emails (including their contents) between 2008-2011 was indeed ruled unconstitutional by the FISC as an unreasonable search without probable cause. FISA Section 702 only allows for the acquisition of (foreign) intelligence information concerning non-US persons located outside the United States. What happened between 2008-2011 according to the NSA was "unintentional" but for Sen. Ron Wyden and others proof enough that the provision in its current form is largely insufficient to adequately protect the civil liberties and privacy rights of Americans.

Ultimately, the entire discussion boils down to whether or not the collection - as traditionally understood - of metadata represents mass surveillance. The NSA's and government's position is that it doesn't as long as these data are not being accessed. I don't agree. When I see a CCTV camera watching me, I feel (and I am being) surveilled irrespective of the captured images being watched by someone in real time or just stored for future purposes. Same for my phone and other communications traffic.

Not only has Snowden revealed to which extent we are being spied upon - and which until recently was laughed away as tin foil hat thinking -, it would also seem that the so-called checks and balances in essence are little more than fig leaves. You may take the USG's reassuring word for it that its gigantic "anti-terrorist" surveillance apparatus has never been, is not and can never be abused. I don't.

AnonSeptember 24, 2013 9:07 PM

@Dirk

Could you gather from those opinions what content collection NSA was doing from a technical perspective and what they mean by an internet transaction? How do you accidentally collect wholly domestic communications?

name.withheld.for.obvious.reasonsSeptember 24, 2013 10:24 PM

One of my concerns is that given the NSA's track record and its nefarious behavior, would you think that the data that the information gathered is transmogrified in such a way as to eliminate the minimization and retention policies? If, for example, I re-designate the address location information of a record from one database and copy it to another database and call the field positional_data_sans_azmith would this constitute a new piece of data (meaning the NSA could hold on to it forever)?

FigureitoutSeptember 25, 2013 12:30 AM

Mike the goat
I can imagine how pissed off they would be.
--I wouldn't even go so far as DES, why do you think I recommend this? Spies have a false conception of the reality of their work, and I want to make that clear to them. I would do something even more comical like this. My message would be worse than yours too; in fact you would probably get a good laugh at how much *ahem* I've put in these databases; and there's plenty more to come.

Mike the goatSeptember 25, 2013 1:36 AM

Figure it out: you don't want it to be too trivial. You want them to expend some effort in decrypting your junk files so as to infuriate them when they realize it is full of junk ;-)

Stephen SamuelSeptember 25, 2013 1:48 AM

They DO NOT JUST COLLECT METADATA.

They keep encrypted data until they can decrypt it.

How are they going to figure out that a communication is encrypted if they don't collect and then process the full DATA???

FigureitoutSeptember 25, 2013 2:07 AM

Mike the goat
--Actually, in a twist, if they think that expending any effort in decrypting your files will result in hilarious trolling of agents; they may actually respect your privacy. What!?

Plus, who's to say my "simple cipher" isn't simply an OTP? Can anyone prove otherwise? I think not; and have fun guessing the infinite possibilities 'til you die deciphering a code saying "Be sure to drink your Ovaltine."

AdamSeptember 25, 2013 8:16 AM

@Skeptical:

I'm not talking about lawful subpoenas, I'm talking about blanket collection of everything, slurping up all of it for later perusal. Don't you recognize the difference between a grand jury subpoena and a ruling by the FISA court that authorizes the blanket collection of all data for an extended period of time? Did you just gloss over my arguments about how that violates the specific requirements of the 4th Amendment?

As for computers, it isn't relevant here what lawyers do with their client data. We're talking about what the Federal government is authorized to do. What happens between two friends is also irrelevant, because they are not the Federal government.

The point I'm making is that the "access restrictions" you seem to trust are irrelevant, because: 1) The data collection itself violates the 4th Amendment; 2) the restrictions are ultimately enforced by human beings, even if through a computer, and the only way to know what data is not interesting is to examine it; 3) they are the same human beings to whom the restrictions apply--they are policing themselves, and we have seen how they have failed to do that. Whether they can legally do something ultimately doesn't matter--they can do it anyway. What are they going to do, slap their own wrists? Eric Holder was found in contempt of Congress on two counts, both civil and criminal--but is he going to prosecute himself? Of course not. Access restrictions are irrelevant because there is no check nor balance.

Finally, you said, "Searching the database for particular numbers that meet a reasonable suspicion standard is no different than issuing subpoenas to telecoms asking for the results of the same search." But that's wrong. It is completely different because the database is owned by the government--it already has the data which it should not have. The government is doing the searching, which means combing through all data, relevant to a warrant or not--because that's the only way to know what data is relevant. When a subpoena is issued to a telecom, the telecom does the searching, and the government only receives the relevant data.

You seem to be missing the point. The government isn't supposed to have the data in the first place.

AdamSeptember 25, 2013 8:19 AM

@Anon: "Even if corporations are "people" and their data is being "searched or seized", it doesn't follow that metadata seizures violate the 4th amendment. The 4th amendment only bans "unreasonable" searches or seizures, not all searches and seizures. You seem misinformed. The government never obtained warrants for the metadata, so the "probable cause" standard and the particular place or person requirements don't apply."

Have you read my earlier comments? You seem confused. The 4th Amendment says that a warrant must be issued. The FISA court authorized a blanket collection claiming the 4th Amendment doesn't apply. I've argued that it does apply. You're just asserting again that it doesn't apply without arguing why.

Clive RobinsonSeptember 25, 2013 8:45 AM

@ Figureitout,

    Plus, who's to say my "simple cipher" isn't simply an OTP? Can anyone prove otherwise? I think not; and have fun guessing the infinite possibilities...

It depends on the cipher type and mode it's used in and the quantity of plain text.

Now if you want them to have fun, give them an indication that it's not an OTP and you've mucked up on the mode when you wrote your "simple cipher".

Go and get an early version of FEAL and use a stripped down version to say half the block size or only half the rounds. Then use it in what should be CBC mode where you write the IV into a whitening-buffer to XOR with the first block from FEAL, but save the result from the XOR into the TX-buffer and due to a "bug" say in the debugging code you write don't write it back to the whitening-buffer. Also as it's debug mode make the IV something simple like all zeros or the cipher key and send it as the first block. Then pick a test message that with CR/LF is exactly a block size and copy it one hundred times into a text file.

The result, as I'm sure you will appreciate, will stand out like a boil on a hog's 455 in the sunshine. Over a period of time revise the code a bit to sort out the bugs but prior to that make some changes to FEAL to weaken it. And to give them a helping hand develop your code in a public source code system and give it some project name a teen-geek would find funky such as "HotSecS".

With luck somebody will bite and swallow like a hungry croc. The trick is to have the awful bugs in debug mode in which you always send the same plaintext file, you then put the "garden path" stuff you are going to lead them with in a file you encrypt using non debug mode which makes the IV and cipher feedback work correctly but still uses the hamstrung version of slimmed down FEAL. Every few months make another improvement to the cipher code.

Now on your "garden path" text you want to do something sensible like take your rude message and ROT13 or some other keyed deterministic cipher of any strength (not OTP) and use that to make the second letter in each line of text such that if push does come to shove you can demonstrate to the press/public/judge it was just a prank...

Oh and when doing the garden path stuff make the keys sequential out of a sensible CS-PRNG (say an AES finalist but not the winner in counter mode, then XOR whiten with the inverse of the counter then hash it using a standard such as a hash contest final candidate but again not the winner, and pick the counter start value from a well known constant) just in case some bozo tries to invent messages that are incriminating.
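An added illustration, not part of the comment above and not its author's code: why the missing chaining write-back described there is so easy to spot. It assumes standard CBC (XOR before the block cipher) with the feedback step optionally skipped, and uses a constructed 4-round Feistel toy as a stand-in for the cut-down FEAL; the key, message and function names are hypothetical.

```python
import hashlib
from collections import Counter

BLOCK = 8  # bytes; toy block size for this sketch


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: truncated SHA-256 over key, round number and half-block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network. A constructed stand-in, NOT FEAL.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes, feedback: bool = True) -> bytes:
    # feedback=False reproduces the "bug": the chaining buffer keeps the IV
    # forever, so every block is encrypted under the same mask (ECB-like).
    if len(iv) != BLOCK or len(plaintext) % BLOCK:
        raise ValueError("IV and plaintext must be block-aligned")
    chain, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        ct = encrypt_block(key, _xor(plaintext[i:i + BLOCK], chain))
        out.append(ct)
        if feedback:
            chain = ct  # the write-back that the buggy build omits
    return b"".join(out)


def block_stats(ciphertext: bytes):
    # Returns (total blocks, distinct blocks, count of the most common block).
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    counts = Counter(blocks)
    return len(blocks), len(counts), counts.most_common(1)[0][1]


def demo():
    key, iv = b"constructed-key", bytes(BLOCK)  # all-zero IV, as in the comment
    plaintext = b"HELLO!\r\n" * 100             # one block with CR/LF, 100 copies
    broken = block_stats(cbc_encrypt(key, iv, plaintext, feedback=False))
    correct = block_stats(cbc_encrypt(key, iv, plaintext, feedback=True))
    return broken, correct


if __name__ == "__main__":
    broken, correct = demo()
    print("no feedback :", broken)
    print("proper CBC  :", correct)
```

A simple distinct-block count over captured ciphertext is enough to flag the broken mode, which is why the same check is a useful regression test for any CBC implementation.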

SkepticalSeptember 25, 2013 10:21 AM

Dirk, that's right, I'm absolutely thinking of the opinions of the bar associations of the various states; the question of whether an act breaches the duty of confidentiality is foremost one of professional ethics. The purpose of the example is to illustrate that we don't usually consider automated scanning by a computer to be quite the same as another human being having cognizance of the information being scanned.

While I'm sure that I could find caselaw supporting the proposition that automated scanning doesn't breach attorney-client privilege, the question of whether it would breach the duty of confidentiality is actually much more telling.

Adam, re the 4th Amendment: a grand jury can acquire the information such as telephone metadata by issuing a subpoena. While a grand jury subpoena must be reasonable, it does not have to meet the standard of probable cause. Instead the subpoena simply must seek items reasonably supposed to be relevant to the investigation; it must be specific enough to enable the entity on which it is served to search for the items; it must not be overbroad; and it must give the entity on which it is served a reasonable amount of time to comply or challenge. That is the relevant standard here; not the probable cause required for a search warrant.

There's certainly an argument to be made that the order issued here is too broad, but there are strong arguments in the other direction as well. Ultimately the court tried to find a middle course, granting the request for the databases from the telecoms, but placing special restrictions on access to those databases.

The access restrictions define the point at which the government actually becomes cognizant of what is in the database. Before that point, the data is certainly there, it exists, and it is under the federal government's control pursuant to a court order; but the federal government cannot actually look at it.

If the database is restricted in that way, then there is no real difference between the government running a search on the database, and the government issuing a dozen subpoenas to telecoms ordering them to run the same search and to return the results. In both cases the data exists, and in both cases the government is able to see the results of its searches - but that is ALL the government is able to see.

And that's what this boils down to: what can the government actually SEE, i.e. what is the government cognizant of.

As to the effectiveness of the oversight, the FISC is a federal court, run by federal judges. They have enormous power if they choose to exercise it.

That said, the existence of the database raises the danger of abuse of it, to be sure. How we judge the magnitude of that danger depends on our opinions and knowledge of the courts, the existing mechanism of legislative oversight, and the internal mechanisms of oversight within (and the culture of) relevant departments and agencies of the executive branch. Pretty tough question.

Dirk PraetSeptember 25, 2013 11:30 AM

@ Wael

    That just... Kills me! How in the world did you get that @ Dirk Praet?

Sheer coincidence. A while ago somebody in my Twitter feed pointed to a similar discussion on the legality of Google/NSA sifting through Gmail, as well as the implications on client-attorney privilege. Currently, several class action lawsuits have been filed over this practice both against Google and Yahoo because they are allegedly violating the Maryland Wiretap Act, the California Invasion of Privacy Act and even the ECPA.

Google's defense is that "all users of e-mail must necessarily expect that their emails will be subject to automated processing", that the plaintiffs cannot explicitly prove that their messages are being automatically monitored by Gmail or that they have been harmed in any way as a direct result of Gmail’s activities. I don't know how this is going to play out in the US, but if someone over here were to file a similar class action suit, their *ss is grass as it is a clear violation of our local privacy laws, more in particular those sections on the confidentiality of mail.

@ Adam

    The FISA court authorized a blanket collection claiming the 4th Amendment doesn't apply. I've argued that it does apply.

However sympathetic I am to your argument(s), the sad reality is that our opinions on the matter are of zero legal value and nothing more than a rearguard discussion. Until such a time that PA Section 215 is repealed/reformed and SCOTUS overturns Smith vs. Maryland, warrantless collection of business records under PA Section 215 can and will go on, and in an entirely legal way.

There is a flicker of hope though, in the sense that there are currently no less than 12 pending bills seeking to curtail the NSA from sweeping up phone records en masse, take the rubber stamp away from the FISC, allow tech companies to tell the public more about the government requests they receive for user data etc. If you are a US citizen, you may wish to start harassing your representatives in the House and the Senate about them.

@ anon

    Could you gather from those opinions what content collection NSA was doing from a technical perspective and what they mean by an internet transaction? How do you accidentally collect wholly domestic communications?

Not really. You can find one of these documents here, and some of the language used in it is quite strong:

    Contrary to the government's repeated assurances, NSA has been repeatedly running queries of the metadata using querying terms that did not meet the standard for querying. The Court concluded that this requirement had been "so frequently and systemically violated that it can fairly be said that this critical element of the overall… regime has never functioned effectively".

I think it's fair to say that in most projects security and regulation are usually an afterthought. It's probably not any different at the NSA, meaning that it's highly likely that they have invested a lot of time and resources in a surveillance apparatus that is literally sucking in everything, irrespective of what the law is saying about that. In a second processing stage, filters are applied as to what is stored and retained, and after that access controls for who can query what as per laws and regulations.

By their own admission, this has resulted in highly complex systems that are prone to "human error" and misunderstanding of authorities and procedures due to compartmentalisation and "need to know"-related issues. Which leads me to believe that there was nothing accidental about the collection of domestic records, only about their storage and availability. If my assumption is correct, this explains exactly why the NSA and the administration are so hell-bent on their novel interpretation of the word "collection".

AnonSeptember 25, 2013 5:26 PM

@Adam

Have you read the 4th amendment? It doesn't say that a warrant must be issued for metadata seizures. All it says is that if a warrant is issued, then it must meet certain criteria. Read Smith.

FigureitoutSeptember 25, 2013 11:17 PM

..."HotsecS"
Clive Robinson
--Funny you mention that, I had a little calc diff problem today "y=xsec(kx)", it would've been great if the author instead put "x^3" for "y=x.x.x.sec(kx)". Just a suggestion for future math txtbook authors.

I prefer the subtle hints to spooks that I have spotted them; and of course they like to give me some too. But I spotted them first :)

To the blonde hair federal agent chick, sun glasses don't make you invisible as there are other identifiable aspects on your person (I can identify people by their gait w/ no tech.); you best quit while you're ahead lady before you get shown up. To some random dark-skinned dude, nice jeep btw, stop following me if you know what's good for ya. Some other bug-eyed chick, I could smell your scent emanating from under your skirt, maybe get that checked out; or do I make you randy? It doesn't matter b/c I have no interest in you. There are too many to address, but you guys really need to move on and bug someone else and stop wasting taxpayer dollars; and let me live in peace.

My messages and activation sequences...plain and ciphertext OTPs, nothing less.

Clive RobinsonSeptember 26, 2013 3:25 PM

@ vas pup,

    Could white noise generator be effective against that sensor?

It depends primarily on the dynamic range of the sensor as well as the dynamic range of the transportation medium, neither of which is linear as you approach the limits.

Then assuming that's OK you then have to consider the dynamic range linearity and noise figures of the following circuitry until it's digitised.

However I'm not altogether certain from what has been written that the information is accurate (two parallel plates giving directionality... and in the size of a matchstick... hmm).

Dirk PraetSeptember 26, 2013 7:04 PM

@ Skeptical

    The purpose of the example is to illustrate that we don't usually consider automated scanning by a computer to be quite the same as another human being having cognizance of the information being scanned.

Update: US District Judge Lucy Koh in San Jose, California today ruled that the proposed class action lawsuit against Google can proceed. She rejected Google's argument that its users had consented to having their email read for the purposes of targeted advertising. The judge wrote: "Nothing in the policies suggests that Google intercepts email communication in transit between users, and in fact, the policies obscure Google's intent to engage in such interceptions". To be continued ...

gehemnisSeptember 27, 2013 5:13 AM

Bruce, you undermine your own privacy advocacy with this.

If metadata and data are the same kind of surveillance... then why shouldn't NSA argue for the whole thing??

SkepticalSeptember 27, 2013 8:07 AM

Dirk, I'm going to quibble (but meaningfully, I hope) with your description. The court did not reject the argument that the plaintiffs consented to having their email "read." The Wiretap Act (and the state law relatives used in this suit), under which plaintiffs are suing in part, requires only "interception", not "reading."

Instead, the court rejected the argument - in the context of a motion to dismiss, where all reasonable conclusions must be drawn in favor of the non-moving party - that users had consented to the interception of their emails, where interception is relevantly defined as "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device." See 18 USC 2510(4).

All the plaintiffs have to show is that their communications were "intercepted" without their consent and outside of the ordinary course of business exceptions in the statute. Obviously Google "intercepts" email communications as part of its email service, but the plaintiffs allege that there is a "separate device" that intercepts the emails for the purpose of targeted advertising. The question of whether Google is "reading" the emails doesn't come into question, as it does when considering whether such action would breach confidentiality.

So I'm not sure this case helps in showing - or showing false - the distinction between automated scanning of data and another human being reading that data. But it's obviously topical and interesting, and I appreciate the reference to it!

Also interesting was the court's dismissal of plaintiffs' claims under California Penal Code 632, which requires a showing that electronic communications, which were confidential, were recorded or eavesdropped without the consent of one party. The court ruled that, under California law, internet communications are not confidential, as an individual has no reasonable expectation that such communications may be kept confidential due to the ease with which a party may copy and forward communications to other parties.

I have to say that I found that part of the court's opinion rather weak.

In any event, if Google can introduce evidence showing that plaintiffs' claim of two separate devices effecting the interception is false, that might be enough to bring Google back into the ordinary course of business exception to the Wiretap Act. There wasn't enough in the motion to dismiss for the court to conclude against plaintiffs' allegations on the matter, but assuming Google crafts the question well, there may well be enough in a future motion for summary judgment.

Incidentally, Yochai Benkler, an essay of whom Bruce recently linked, has another essay up at The Guardian arguing that the FISC is failing to take heed of the US Supreme Court on 4th Amendment questions. Worth reading and well written, though in the end I don't think it's convincing.

AnonSeptember 27, 2013 5:56 PM

@Skeptical

I think Benkler's opinion piece is incredibly weak for a Harvard law professor. The Alito opinion, while highly critical of the majority opinion, held to the "reasonable expectation of privacy", but failed to explain how you determine what is a "reasonable expectation of privacy", except to note it was changing all the time. It's a big leap from gps tracking data to billing records. Sotomayor did seem inclined to at least consider overturning Smith, but she's one judge out of nine. His reference to the Scalia quote is almost malpractice. It's in a footnote, which are rarely meant to be controlling for appellate courts. There's nothing obviously approving about it, so much as it's a restatement of the holdings of a prior case. Further, merely treating a constitutional question as not being fully addressed in previous case law is far from an invitation for an appellate court to decide it on its own.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.