Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Giant Squid TED Talk |
| US Infosec Researchers Against NSA Surveillance »
February 17, 2014
Who Should Store NSA Surveillance Data
One of the recommendations by the president's Review Group on Intelligence and Communications Technologies on reforming the National Security Agency—No. 5, if you're counting—is that the government should not collect and store telephone metadata. Instead, a private company -- either the phone companies themselves or some other third party -- should store the metadata and provide it to the government only upon a court order.
This isn't a new idea. Over the past decade, several countries have enacted mandatory data retention laws, in which companies are required to save Internet or telephony data about customers for a specified period of time, in case the government needs it for an investigation. But does it make sense? In December, Harvard Law professor Jack Goldsmith asked: "I understand the Report's concerns about the storage of bulk meta-data by the government. But I do not understand the Report's implicit assumption that the storage of bulk meta-data by private entities is an improvement from the perspective of privacy, or data security, or potential abuse."
It's a good question, and in the almost two months since the report was released, it hasn't received enough attention. I think the proposal makes things worse in several respects.
First, the NSA is going to do a better job at database security than corporations are. I say this not because the NSA has any magic computer security powers, but because it has more experience at it and is better funded. (And, yes, that's true even though Edward Snowden was able to copy so many of their documents.) The difference is of degree, not of kind. Both options leave the data vulnerable to insider attacks—more so in the case of a third-party data repository because there will be more insiders. And although neither will be perfect, I would trust the NSA to protect my data against unauthorized access more than I would trust a private corporation to do the same.
Second, there's the greater risk of authorized access. This is the risk that the Review Group is most concerned about. The thought is that if the data were in private hands, and the only legal way at the data was a court order, then it would be less likely for the NSA to exceed its authority by making bulk queries on the data or accessing more of it than it is allowed to. I don't believe that this is true. Any system that has the data outside of the NSA's control is going to include provisions for emergency access, because ... well, because the word terrorism will scare any lawmaker enough to give the NSA that capability. Already the NSA goes through whatever legal processes it and the secret FISA court have agreed to. Adding another party into this process doesn't slow things down, provide more oversight, or in any way make it better. I don't trust a corporate employee not to turn data over for NSA analysis any more than I trust an NSA employee.
On the corporate side, the corresponding risk is that the data will be used for all sorts of things that wouldn't be possible otherwise. If corporations are forced by governments to hold on to customer data, they're going to start thinking things like: "We're already storing this personal data on all of our customers for the government. Why don't we mine it for interesting tidbits, use it for marketing purposes, sell it to data brokers, and on and on and on?" At least the NSA isn't going to use our personal data for large-scale individual psychological manipulation designed to separate us from as much money as possible -- which is the business model of companies like Google and Facebook.
The final claimed benefit -- and this one is from the president's Review Group -- is that putting the data in private hands will make us all feel better. They write: "Knowing that the government has ready access to one's phone call records can seriously chill 'associational and expressive freedoms,' and knowing that the government is one flick of a switch away from such information can profoundly 'alter the relationship between citizen and government in a way that is inimical to society.'" Those quotes within the quote are from Justice Sonia Sotomayor's opinion in the U.S. v. Jones GPS monitoring case.
The Review Group believes that moving the data to some other organization, either the companies that generate it in the first place or some third-party data repository, fixes that problem. But is that something we really want fixed? The fact that a government has us all under constant and ubiquitous surveillance should be chilling. It should limit freedom of expression. It is inimical to society, and to the extent we hide what we're doing from the people or do things that only pretend to fix the problem, we do ourselves a disservice.
Where does this leave us? If the corporations are storing the data already -- for some business purpose --- then the answer is easy: Only they should store it. If the corporations are not already storing the data, then -- on balance -- it's safer for the NSA to store the data. And in many cases, the right answer is for no one to store the data. It should be deleted because keeping it makes us all less secure.
This question is much bigger than the NSA. There are going to be data -- medical data, movement data, transactional data -- that are both valuable to us all in aggregate and private to us individually. And in every one of those instances, we're going to be faced with the same question: How do we extract that societal value, while at the same protecting its personal nature? This is one of the key challenges of the Information Age, and figuring out where to store the data is a major part of that challenge. There certainly isn't going to be one solution for all instances of this problem, but learning how to weigh the costs and benefits of different solutions will be a key component to harnessing the power of big data without suffering the societal harms.
This essay originally appeared on Slate.com, with a very misleading title.
EDITED TO ADD (2/21): Commentary from Lawfare blog.
Posted on February 17, 2014 at 5:23 AM
• 56 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Why are we talking about this when the data in question is not only data most people don't want collected in the first place but is in all likelyhood illegally collected anyway?
There should be the data to store!
We already tried this with the BATF and its Form 4473s. Gun dealers are supposed to keep the forms, and use them to respond to trace requests from the BATF.
So what's happening? BATF agents are illegally forcing gun dealers to submit to having their entire history of 4473s scanned and centrally databased.
Do we think the NSA is less corrupt than the BATF?
Oh--and in the same way that the NSA can't show any actual benefit to the public from keeping telephone metadata, the BATF can't showxany benefit from keeping 4473s.
It seems to me that leaving the data where it originates is the simplest and safest solution. The phone companies already need to hold on to phone records for billing purposes, so giving the data to NSA for safekeeping just creates a larger attack surface, even if the NSA end of it is relatively more secure. The same goes for medical records, etc. These are not created for the benefit of law enforcement/NSA, they are necessary tools for doctors, clinics, hospitals and medical insurance organisations. If these organisations can't be trusted to hold on to them, the records can't exist in the first place.
More importantly than private or not, I would say the decentralization of data is significant. Even a full scale data breach will only ever compromise the data held in that particular organisation.
Have BOTH the NSA and a 3rd party/Telco store data. But not raw data.
NSA generates an MD5 hash (or whatever hash they prefer), sends hash
Telco stores metadata xored with hash.
Telco can't use the data on its own. NSA doesn't have the data. Only a court order allows the two to be put together.
WHAT'S THE USE OF SPYING ON OTHER NATIONS ?.
Wonder how this will jibe with EU right to be forgotten:
Also perhaps someone should think about introducing this into US or state legislation.
NSA is not welcome to play the shell game with my private data.
So, the choice is trust the government or the corporations?
Let's get back to basics here and say storing metadata is illegal and unconstitutional then work out from that.
Companies -- even big ones -- run into financial trouble. Who "protects" the data if there is a bankruptcy? I think we've just created a new class of corporations -- too snoopy to fail.
NSA is not welcome to play the shell game with my private data
I wish what the NSA was doing had the illusion of the "shell games" options.
What they are doing does not even have the illusion of a fixed coin toss...
P.S. if you don't know how to fix a coin toss a few years ago I posted the simple details on this blog.
This framing of the issue, considering only the phone metadata, obscures a larger issue.
The NY Times (http://www.nytimes.com/2013/09/29/us/nsa-examines-social-networks-of-us-citizens.html?pagewanted=all&_r=0) and others have reported that the NSA conducts research about social networks using all the data at their disposal. Keeping the data dispersed at its corporate point of origin makes this research less effective, leaving a blindspot when it seeks to find patterns.
Personally, I think lowering the NSA's effectiveness in this regard is well worth the risks of leaving these data in corporate hands.
if NSA would just enforce the National No-Call list and put the kbash to scam callers they can monitor all they want to
otherwise they have no business monitoring anything in usa
Choice of risk is very personal. When mitigation of a large risk is so expensive, that people have to share the cost, part of that cost is privacy.
@ Clive Robinson:
"shell game" is not a perfect analogy, but it is similar in this way:
I don't want to play a game where it's impossible to win, no matter where it looks like the pea has moved, it will always be somewhere else like up your sleeve... It is a scam, a cheat.
Likewise, the NSA will still have unconstitutional access to all my private data, no matter where they pretend to move it. They're pretending to "make it better" when it's really just a scam, a cheat.
"registering" yourself as not wishing to receive spam doesn't work.. that just gives spammers a bigger list of who to spam. That's why a national no-call list doesn't work, for even if it seemed to work at first all it would take is one tiny little data breach and you're in a worse state than you were without the list...
The only real solution is to "black hole" the spam... never respond to it, have spam filters on your email inbox, for example. Or always screen your phone calls, and if it's from an unknown number, let it go to voice mail, no exceptions. Or if a telemarketer does get through to you, always say "hold on a moment" and put the phone down, leaving them on indefinite hold (making it more expensive for them). This is not overly rude, they were rude enough to purposefully call you during dinner time in the first place.
It will take an* Enron & Sarbanes/Oxley moment to answer this question, but who will be accountable when my personal information is unauthorizedly released.
(Emphasis on the Sarbanes/Oxley part. We have plenty of Enron moments in security, Target Black Friday being the latest example.)
Why not make it commercially viable for companies to protect access to our data, make them rewarded for every fended off access request.
Suddenly it's in the interest of the corporation not to disclose that data.
@ DB (and mike~acker)
The "do-not-call" list is an excellent analogy to this recommendation. The purpose is not to fix the problem, but rather to make people "feel better" while making the problem worse by institutionalizing it. It's a classic government diversion, like security theatre.
If government's desire was to stop unwanted telemarketing (unlike spam, which is much more decentralized) all they need to do is allow telephone companies to collect "tolls" from telemarketers who call folks who are on the DNC list. Charging $1 per call, through the telemarketer's phone bill, for calls made to numbers that should have been excluded would lead to 100% effective filtering by legitimate telemarketers. You'd need a legal definition of telemarketer that the phone company could detect, but using a robo-dialer or making more than 100 calls per day could be the criteria.
But, you'd still get dinner-time calls from political campaigns, and fund-raisers, because a loophole in the law was made for them. The interests of the telemarketing scum and the political class are aligned here. An ineffective solution makes you feel better, because government "did something", without being effective. Moreover, you are less likely to complain since the problem is now "not something government can fix" because they tried and what they tried didn't work.
They certainly picked something that wouldn't help you on purpose. Just like this "all your data should be held for future government use by somebody you never heard of" is a solution to the NSA surveillance of you. It won't help you, and it institutionalizes the notion that all your data should be available to government.
A possibility would be to divide the data.
i.e. giving the NSA the encrypted call records and ask the private company to retain the keys for decrypting the data. Then allowing by court oder to give the keys of a persons data for requested days/months.
Alternatively it may also be interesting to make the Data Self decrypting in the sense that if a suspicious event happens (as defined before e.g. you telephone the wrong person) the company could include a hyperplane point representing the key with the data. With enougth such events the NSA could then decrypt the data without further intervention.
I guess there are three major areas to think about that underly the reasoning of collecting and storing the data,
Built on this are the notions of what effects the utility of the data available at any one time,
It's been said that "money is the root of all evil" whilst often true it is however a very good indicator of intentions in most cases.
That is for most people there is an economic model behind what they do. Even the NSA does not have infinite amounts of money, they have many projects and they have to decide how to cut the pie up.
Personaly I have a sneaky suspicion that making the telcos store the data is a way for the Government to externalise the cost onto the consumer as a hidden tax by forcing telcos to increase usage costs. This has a secondary value to the Government, in that it increases the tax take via sales tax which is increased by these costs. So not only do they get the data storage for free the actually get "cash back" on it Win-Win for them. Oh and political brownie points as well because they can claim to the "tea baggers" they are cutting spending whilst also claiming some faux nonsense about improving the economy due to increased tax take...
From the Telco's point of view they have to keep fairly accurate records on a limited data set for billing purposes. However this is an imense amount of data, the main cost of which these days is not the physical storage but providing and controling a suitable environment and the power for that and accessing the data.
It's in the telcos interest to "compress" data and archive it as quickly as possible because backup archive storage generally requires less space and power and thus cost. Doing this generaly makes the random access the likes of the NSA and other Federal organisations want considerably more difficult and this has time implications.
If telcos are forced to keep say seven years of records online to satisfy random access requirments this is going to vastly increase facilities costs that the telcos either cann't or won't want to pass directly to the customers as this makes them less competative in markets with what are currently very small margins.
Thus if random access is required the telcos are going to look at turning the online records into a profit center by moneyterising them in some way because the USG has effectivly pushed then into doing so to keep service bills down. This in turn will make the telcos store very much more data than required by the USG simply to get premium prices for the data.
As with the storage of all records time plays a very big part in how the system you build is configured. Back in the 1980's when the price of data storage was dropping the question of data mining gave rise to data warehousing where data existed in three places the collection system the backup and the secondary analysis system. The collection system was a time critical "write only" DB to collect the data reliably and provide some limited time critical analysis. The data from the primary collection system was copied to both the backups and the secondary analysis system. The analysis system was effectivly an untime critical "read only" DB which was where indepth non time critical analysis or "data mining" was carried out.
In the intervening decades the speed of DB systems has improved. However for quite a few applications it is still better to have two DB's the first being what is in effect a flatfile DB that is then used to populate one or more relational or object based DBs tuned for specific functions. For comercial and general operational functions the flatfile DB generaly holds only a small "current" set of records with the secondary DBs holding the bulk of the records. However this is not a desirable design for intel analysis where data relations are in effect unknown and thus add hock searches more desirable. This gives rise to hugh flatfile DBs which are problematical and expensive to run.
Thus to be honest I would suspect that the telco's are not going to want to run such systems unless there is a pressing need or requirment. I would expect them to provide the likes of the NSA with a fat data pipe and just unload the raw data to them more or less in real time, rather than have the NSA or other Federal agencies run searches on their systems and vastly increasing the cost to the telcos.
Further the telcos are not realy going to be interested in keeping raw flatfile data around for long periods of time what they are going to want to keep around is derived data such as billing information and trending data for business and engineering analysis, which is not realy going to be of interest to the intel community.
Thus I can see the "interface" between the telcos and the intel community is going to be a major source of friction and intense lobbying, which in turn is going to leak vast amounts of general "methods and sources" information that is going to be keenly sought after now the Ed Snowden Revelations has pushed things beyond the tipping point and the USG executive are on the back foot.
Privacy is socialy important to us as individuals but as the citizens are very much at the bottom of the pyramid their views will at best get "lip service" and there will be either regulations or a cartel mentality in the telcos that will rob citizens of any "freedom of choice" of anything other than "go off grid" which is well neigh impossible these days, and will quickly become more difficult as the likes of the FBI will make the usual assumption that such "off griders" are by definition antisocial and therefor a major threat to be dealt with.
From the USG perspective security of the data is with a few exceptions a publicity excercise for data on US citizens, and if the USG follows the UK government policy the data will be sold to whoever wishes to buy it...
Likewise from the USG percpective the accuracy of the data does not have to be high, providing it tends to false positives not false negatives.
That is if you are innocent but marked as a criminal/terrorist suspect thats fine the more the merrier as it alows empire building. However the opposit is not true, a criminal or terrorist who is not flagged up is a serious empire losing issue. Thus you can expect there to be very many false positives many orders of magnitude grater than any real terrorist numbers...
The value of any data is generaly inversly proportianate to the number of people who have access to it. Basic economics indicate that the best value is obtained by limiting supply as much as possible.
However basic economics generaly does not deal with the hidden currancy of "favours" which encorages "horse trading" style tactics which gives political clout. In some respects the data holder will act like a drug dealer keeping other agencies sufficiently on the hook to prevent them going away and developing their own data gathering system.
This means the reality is steadily increasing access to evaluated data which will be supplied in a way that enables secrecy etc to be maintained via various decites to the judiciary.
Over all I would expect any legislation coming out of the current administration to make things considerably worse for citizens under the guise of legislative clarification. With any kind of power or rights the average US citizen has being significntly diminished.
Truly a "heads I win, tails you lose" scenario.
When the impression from Congress I see is, that without this data terrorism will prevail, I don't expect them to take any serious action to get rid of the data.
Telephone metadata is already centralized in a private company: Amdocs.
Partly O.T. but Bruce briefly mentioned it and @Martin Seebach mentioned it too-- regarding health data.
I work in health care and struggle daily with the mandates of that HITECH/ARRA stuff. Protect patient data better, oh, but also share it better so the overall care will be better. With the Health Information Exchanges we are trusting our Electronic Health Record vendors- who think differently about security than security professionals do- and with the Health Information Service Providers who are perhaps more security conscious than software companies.
Each partner becomes another link that may break and lead to data breach. Share more AND protect better?
Split the NSA into three groups, one group that's responsible for protecting the public from vulnerabilities, one group that's responsible for intelligence gathering, and one group that's responsible for data storage. The data storage group's mission would be to share data only with those who are legally authorized to access it.
Why not make it commercially viable for companies to protect access to our data, make them rewarded for every fended off access request.
hmmm who would reward them for that?
if it is supposed to be the individuals whose data they hold, it would become like some coercion thing. Not a very good idea.
How about splitting NSA into 2 groups:
X: responsible for data gathering
Y: responsible for data deletion
As long as one does not gather data much faster than what the other deletes, they will keep each other busy in all perpertuity.
I agree with all the points made but I think the discussion point itself is a win for mass surveillance. We don’t want to be monitored in the first place. When we start talking who saves our data we accept that it’s done. (And getting the other party there is PR 101.)
"And in many cases, the right answer is for no one to store the data. It should be deleted because keeping it makes us all less secure. "
This should have been the focus of the article because /who/ stores the data is a red herring. It's like asking whether I care if my mother or my brother holds on to a dollar for me. It's just a dollar.
The real question is whether I'm going to trust either my mother or my brother with a million dollars, no contract or receipt required. I should not.
There are only two meaningful questions: what gets stored and for how long.
The rest is fluff.
@ Clive Robinson
"In the intervening decades the speed of DB systems has improved. However for quite a few applications it is still better to have two DB's the first being what is in effect a flatfile DB that is then used to populate one or more relational or object based DBs tuned for specific functions. For comercial and general operational functions the flatfile DB generaly holds only a small "current" set of records with the secondary DBs holding the bulk of the records. However this is not a desirable design for intel analysis where data relations are in effect unknown and thus add hock searches more desirable. This gives rise to hugh flatfile DBs which are problematical and expensive to run."
This part isn't necessarily true. That I've seen, most of the main functions they use a regular database. The database is tuned for operational use. Another database tuned for OLAP is used for warehousing. I don't know anyone just using flat files.
One trend that is happening in both spaces is using tech like Hadoop that scale better and are more flexible in OLAP role. Facebook, for instance, uses Hadoop tech to store and analyze a massive amount of data. Another possibility you alluded to was object databases. AllegroCache is a particularly interesting product here as it solves many analysis and coding issues. I'm not sure how cost to scale compares.
In any case, I doubt most will be using flatfiles. They use optimized database technologies for this stuff. Some even have custom tech that kicks the mess out of regular databases for specific applications.
Good example of how far they come with the Hadoop tech. This HStack deployment handled 3 billion records with 15 ms random reads on a mere seven machine cluster. Automated deployments, data resiliency, etc too. Quite the bang for the buck.
One can also look at the recommendation from the perspective of asking first: what is novel or different about the telephone metadata program?
The instructive analogy is to a subpoena from a grand jury. A grand jury issues a subpoena to gather information relevant to its investigation. What is unusual about the telephone metadata program is that the court ordered the production of lots of data that isn't relevant so that future requests can gather relevant data. It's the pre-inquiry collection that renders the court orders so unusual legally.
From that perspective, the recommendation is an attempt to move matters back in the direction of the norm. If followed, there would be no pre-inquiry collection by the government as such.
Would the recommendation offer additional protection from all forms of abuse? In some cases, perhaps not much. But, I think it does offer some additional protection against a wholesale subversion of the program into a kind of "social control" tool. By including another party the interests of which, at least in part, are not complete coincident with those of the NSA. Could the NSA still selectively abuse emergency access or subvert an employee to provide some unsanctioned access? Yes, but it would be much harder for the NSA to use emergency access or an individual employee to run the program as a "social control" tool.
As to the chilling effects of the very existence of the data... maybe. Is there any evidence of chilling effects on freedom of expression thus far? This is something routinely alleged in lawsuits to bolster First Amendment claims, but I don't see evidence of it. Honest question on my part.
More difficult to assess than the effect on freedom of expression is the effect on aspects of personal autonomy made possible by the existence of privacy. That is, by having a zone of privacy in which to explore ideas, we are able to think and make decisions free from the explicit influence of another person's approval or disapproval at the mild end, and free also from the reputational effects of such exploration at the more extreme end. So at the mild end, where we are not worried about government persecution for exploring an idea, we may nonetheless be sensitive to the notion that someone is going to see what we're doing and disapprove. We don't like how we look through that person's eyes, and so we refrain from the exploration.
Arguably the existence of this collection would increase the risk of an individual suffering from the more extreme end of an intrusion into his or her privacy (the data is disclosed, and the individual suffers reputational effects with respect to his friends, family, employers, and the larger society). And arguably the existence of the collection increases the risk at the milder end as well (though sensitivity to this might vary quite a bit by individual).
But do we see any effects of those risks at present? In other words, is there any evidence that a person's autonomy has been significantly altered by knowledge of the existence of this collection of data? If not, then perhaps the mere existence of the data shouldn't be given much weight in our cost/benefit analysis.
The major difficulty in assessing a program like this is that both the potential benefits and the potential harms are theoretical. However, I at least have a clear idea about what the benefits might look like (e.g., three years from now a cell of operatives from Hezbollah or some other organization is illuminated after one of them is compromised and the government is able to rewind the game tape to discover the rest). I'd like a clearer picture of what the empirical evidence of the harm deriving from the mere existence of this collection would be. Such clarity would be useful to the mental balancing of the benefits and harms on which every argument about this program hinges.
@ Nick P,
This part isn't necessarily true. That I've seen, most of the main functions they use a regular database. The database is tuned for operational use Another database tuned for OLAP is used for warehousing. I don't know anyone just using flat files
It is mainly dependent on the "data source" many telecommunications and industrial systems produce data output in flatfile output ie one line per record. In the case of earlier telecoms switch equipment it was essentialy the *nix log file format due to AT&T amongst others using *nix to control the switches and output data for the "control plane". Likewise many SCADA and Industrial control systems output data in flatfile logfile format againbecause of *nix history.
The resulting flatfile logfiles are what are used by other processess to fill the secondary DB systems.
As to the chilling effects of the very existence of the data... maybe. Is there any evidence of chilling effects on freedom of expression thus far? This is something routinely alleged in lawsuits to bolster First Amendment claims, but I don't see evidence of it.
The shear mass of discourse in person hours debating a procedural issue that required disclosure--by whatever means--is direct evidence of two injuries. The lack of moral and ethical authority that can be offered to the citizen is an injury incurred by the paternalistic treatment the citizen receives AS SOVERIEGN by its delegated representative (this strikes at the very core of our representative republic).
The second, and not the last injury by any means, is the recalcitrant treatment of the citizen in "why would a citizen question our authority and righteousness on this issue, I don't see how this harms a citizen", we need to "re-educate" the consumer--I mean citizen. And surly any good consumer knows our government is incapable of using taxpayer funded institutions to harm its citizens. (At least that's what I heard around the water cooler when McCarthy and Hoover were talking.
Evidence of chilling effects is provided in First Unitarian vs. NSA.
One issue with letting the telcos be the repository is that when the warrant for phone-number-N-and-two-or-three-hops-therefrom comes, the telco gets to see and potentially leak the numbers of interest. I can see why NSA would not want those numbers leaked. OTOH, the other (FBI, etc.) warrant issuers take that chance.
@ Clive Robinson
That makes sense. Maybe part of the solution will be to get rid of those flat files. There are quite a few embedded databases and message broker products that might help. Still going to be a heap of costs and operational burdens as you mentioned.
I wonder if oversight could be added by somehow separating the concerns better, organizationally? E.G. if data collection could be better separated from analysis or something along those lines.
The question reminds me of the way children are assigned to share apples: the loudest voice gets to cut it in half, but the other one gets to take first pick. However, in this case, both public and private organizations are on the same side, and the citizen is on the other side. So the one that gets to cut the apple and the one that gets to take the first pick, are one and the same.
Bruce is technically right in that the NSA is probably better equipped to secure and handle large amounts of data. However, the real question is: given the social and economic costs of ubiquitous surveillance, why should anyone be allowed to store such large amounts of people's personal data? (And given that the 5Eyes collective loudly proclaims itself the foremost defenders of democracy, which includes in its self-definition that the state, composed as it is of individuals, has reciprocal rights and duties to its citizens - given that self-definition, I as a citizen of one of these 5Eyes nations, should be issued with the biographies and contact details of all 5Eyes surveillance organizations, and updates, etc, as they occur.)
Well, it sure sounds like the President's panel is about Security Theater Theater.
Frankly, unless the metadata is able to be monetized, the investment by any commercial entity to maintain and secure it will be MINIMAL.
There's so much of this that reminds me of the denouement of "Shockwave Rider"; If the data exists, maybe we should make it accessible to EVERYBODY so no one entity can hoard and leverage it.
Oh, sure, there will be some abuses, but... who watches the watchers?
Finally, the one thing that no one seems to be focusing on is...
"How can our government be trusted to treat us as citizens instead of subjects?"
That whole panel is a PR effort to paper over this whole scandal without solving the real underlying problem... trustworthiness.
I'm not sure that the assumption about the NSA being able to store data more safely is a solid one. It's not the NSA itself doing the work any more, it's (as we saw with Snowden) a chain of contract employees working for contract/consulting companies, all with paperwork carefully drafted to avoid liability in case of breaches. In the private companies (who generate and store the metadata anyway as long as it's commercially useful) there are at least business reasons to avoid giving away a profit center.
[not directed at some of you, obviously]
You know what? After this thread, I'm just about ready to give up. It's hard enough trying to teach all of this stuff to normal people. Watching so MANY people repeat propaganda like this on Mr. Schneier's website is truly disheartening. By accepting the question of "Who stores the data", you are implicitly agreeing that the data should have been captured in the first place. By answering, you repeat the propaganda to others, and further exclude other interpretations.
It's not like the answer matters at all. Given how freely and easily the law was re-interpreted to facilitate the gathering of the data, do any of you seriously believe any plan regarding the storage won't also be "re-interpreted"?
No, as others have said, the answer is that the data shouldn't be captured in the first place. For some reason I can't understand, though, a lot of you seem to be accepting the Write of Assistance the NSA, FISC, and Obama have been waving around, when you should be asking for the giant pile of warrants the are supposed to already have.
If this crowd gives up and falls in line so easily, what hope is there of convincing the large crowds of non-technical people?
So I give up. The war is already lost. Hope of preserving the Constitution was nice for a while.
The whole point of the NSA debate is that the NSA is ILLEGALLY / UNCONSTITUTIONALLY collecting data and breaking multiple laws in the process. NSA counters this by using secret kangaroo courts with large rubber stamps and no oversight. Still doesn't make what they're doing any more legal.
The idea that storing ILLEGALLY collected data one place or another makes a difference is absurd. If I steal a particular $800k sports car, does it matter whether I park it in a public parking garage or private parking garage? NO -- the car (or in the case of the NSA, information) was procured illegally and the act is still illegal. Where you choose to park the assets makes no difference whatsoever.
At least the NSA isn't going to use our personal data for large-scale individual psychological manipulation designed to separate us from as much money as possible -- which is the business model of companies like Google and Facebook.
Are you sure? That there aren't any 'fronts' that launder sell anything of use and value.
Nobody should store or be forced to store this data. It shouldn't be collected in the first place. 'Nuff said.
If anyone is to do this, certainly the original owner of said data should have a record store on a device under h(is|er) control... How ever could over/under-collection issues be diagnosed without any bit of user feedback?
I am currently unaware of any way to compel U.S. companies to provide customers with their own data records (unless they publically offer to do so)... Though FOIA requests to certain public services could prove somewhat fruitful if done en mass...
For citizens of the U.K., you may be able to have a little fun with some carefully crafted DPA requests ;-)
Your main rights to see personal data about yourself, held on computer and on paper, come from the Data Protection Act 1998 (DPA). The DPA provides a right of access to personal information about yourself held by public authorities and private bodies, regardless of the form in which it is held
The telcos certainly need some metadata to do billing and perhaps some dispute resolution. But after, say, 6 months, that portion of it that hasn't been supplied for a warrant, if any, should be erased. I.e., the system should work the way that we naively thought it worked before the revelations.
I'm done with the saving of data. By anybody.
I recently shopped for an apartment providing copious personal financial information to wide varieties of real estate people. Other than the apartment that I rented every other agent always assured me that my personal documentation would be shredded at the end of the transaction.
Whether they actually did that or not the point is that the right thing to do is to destroy any data that is no longer necessary for the transaction.
My phone data is necessary for billing purposes. Once the bill is paid the data serves no purpose other than to make me vulnerable to data miners (government or otherwise.)
OT - one reason I'm firmly against this public/private information overburden partnership:
Pete Seeger, a true citizen of the world, target for FBI misinformation aka slander, libel and character defamation during the 1950s, and several times "guest" at the House UnAmerican Committee sessions.
That Pete Segeer fellow sure sounds like he was quite a dangerous character... Just read what he said to the House Un-American Activities Committee:
I am not going to answer any questions as to my association, my philosophical or religious beliefs or my political beliefs, or how I voted in any election, or any of these private affairs. I think these are very improper questions for any American to be asked, especially under such compulsion as this.
Words for which he apparently earned a prestigious award called 'indictment for contempt of Congress'... I wonder why they've waited so long to acknowledge Clapper's resounding successes in the same...
People keep responding to Skeptical as though he/she intends to hold a discussion. It does not. It exists to troll, to devil's advocate, to diffuse, to muddy-up, to confuse.
As to the chilling effects of the very existence of the data... maybe. Is there any evidence of chilling effects on freedom of expression thus far? This is something routinely alleged in lawsuits to bolster First Amendment claims, but I don't see evidence of it. Honest question on my part.
This is the kind of question for which it's more reasonable to apply a "reasonable person" standard than to expect strong empirical evidence right away.
Consider the fact that a considerable percentage of Americans have cheated on a spouse, and/or falsified tax returns or expense accounts, or pirated episodes of Game of Thrones because they didn't want to wait for the DVD's, or whatever.
And consider the fact that a very big percentage of politicians trade favors around, including favors for campaign contributors, which is absolutely normal and expected, but if you get caught in a specific quid pro quo, you can not just lose your job but go to prison.
So many people, and I'd guess most politicians, are vulnerable to blackmail by any all-knowing adversary for things they've actually done, and many more could easily be framed by somebody in the know about their behavior, who can manpiulate them or the evidence.
And that includes many (more-or-less) "good guys," who are as dirty as the system demands for success, but no dirtier.
Which means you can blackmail the good guys, if you're an all-knowing bad guy.
And that's where ubiquitous surveillance comes in; it's a pretty good proxy for omniscience. If you want dirt on somebody---or just something that looks enough like dirt to be a problem for them politically---you can likely find it, if you have enough data.
And you can choose to out or smear your enemies, and not your friends. Imagine outing all the Republicans' quids-pro-quo, but not the Democrats', or vice versa. You could make either party out to be corrupt, and decimate it, because they're both corrupt. And if you have the information, you get to pick which party is decimated, and which gets the spoils.
You can ignore Eisenhower's mistress and impeach Bill Clinton over a blow job from a consenting adult intern, as though it was a High Crime. If you had all the information, you could even win, and get him thrown out of office, rather than just making it a media circus of it.
Or you can derail a presidential candidate over one real estate quid pro quo, and not another, depending on which one favors your right to spy on people, including politicians like them.
You can let Jane Harmon off the hook for revealing classified secrets to AIPAC lobbyists, who'll likely pass them on to Mossad, because she's pro-NSA.
But if Wyden reveals something classified to Greenwald, before Snowden does, you can nail him to the wall, because he's not so pro-NSA.
And here's where the "reasonable person" standard comes in.
If I was somebody like Wyden, I'd be very very freaking careful what I said to whom. If I was somebody the NSA looked favorably on, and what I happened to want to say was not something they'd object to, I wouldn't be nearly as worried about it.
That's a problem, IMO.
Whether or not Senators or reporters are in fact worried about whether the NSA knows what they say to whom, and inhibiting themselves accordingly, they freaking well should be, if they're reasonable, informed people.
It's a serious legitimate concern, and that itself is a problem. If people aren't aware of it, and are unreasonably outspoken, that's a problem, too. It means that people who might be part of the solution are becoming part of the problem, by leaving themselves open to selective blackmail.
I can see this in action in my own case. I only say things like this publicly because I think I'm relatively unimportant. I am not privy to any governmental secrets, I'm not in communication with anybody I think the government is paying any close attention to, and don't have a platform to inform a lot of people about what I think. I'm just some unimportant guy opining on the internet his spare time.
Maybe they look at me, and if so, they probably think I'm not worth much trouble, and they're probably right.
And that bugs me, a bit. It bugs me that I only feel as free as I do to say what i think because I think they can probably tell that I don't matter much. I'm not worth much effort to spy on or extort.
I have something approximating privacy only because I'm obscure and unimportant.
If I were less obscure or more important, I'd be very freaking careful what I said in public, or anywhere private that it might be intercepted---which might be anywhere at all, if I carry a cell phone, or am near a computer. Which is usually.
I'd self-censor a whole hell of a lot, to preserve my options to reveal things, or not reveal them, later, if I had anything special to reveal.
If you want to empirically study chilling effects, you might want to study DoD and RAND employees privy to sensitive information in the 1970's.
What percentage of people in positions comparable to Ellsberg's felt inhibited about talking about what they knew. How many thought that was a good thing then? How many think that was a good thing now? How many, with benefit of hindsight, think that waging a secret war in Vietnam and Cambodia was a good idea? How many wish the truth had come out sooner?
(And of course, you should be careful about interpreting those numbers, due to self-selection effects.)
Like somebody recently said, arguments against whistleblowing don't age very well, and whistleblowers age very well indeed.
I do suspect that there's been a significant cost to Snowden's revelations, but I still think that in 20 or 40 years there'll be a consensus that it was very well worth it, and we should know about these things.
The answer is no one should store this data for the NSA because the NSA was never authorized to collect it in the first place under section 215, the collection violates ECPA, and possibly both the first and fourth amendments. This was the conclusion of the and Civil Liberties Oversight Board. The FISA court authorized collection under 215 starting in May 2006 and kept reauthorizing the collection but provided no legal justification for the decision to allow the collection (what you get when you have secret courts). And provided none until forced to do as a result the Snowden revelations.
Section 215 is designed to enable the FBI to acquire records that a business has in its possession, as part of an FBI investigation, when those records are relevant to the investigation. Yet the operation of the NSA’s bulk telephone records program bears almost no resemblance to that description. While the Board believes that this program has been conducted in good faith to vigorously pursue the government’s counterterrorism mission and appreciates the government’s efforts to bring the program under the oversight of the FISA court, the Board concludes that Section 215 does not provide an adequate legal basis to support the program.
There are four grounds upon which we find that the telephone records program fails to comply with Section 215.
First, the telephone records acquired under the program have no connection to any specific FBI investigation at the time of their collection.
Second, because the records are collected in bulk — potentially encompassing all telephone calling records across the nation — they cannot be regarded as “relevant” to any FBI investigation...
In addition, we conclude that the program violates the Electronic Communications Privacy Act. That statute prohibits telephone companies from sharing customer records with the government except in response to specific enumerated circumstances, which do not include Section 215 orders...
Finally, we do not agree that the program can be considered statutorily authorized because Congress twice delayed the expiration of Section 215 during the operation of the program without amending the statute. The “reenactment doctrine,” under which Congress is presumed to have adopted settled administrative or judicial interpretations of a statute, does not trump the plain meaning of a law, and cannot save an administrative or judicial interpretation that contradicts the statute itself...
The NSA’s telephone records program also raises concerns under both the First and Fourth Amendments to the United States Constitution...
I've wondered what the process looks like now. The telecom providers are supposedly giving metadata records to the NSA daily. What does this process look like? How secure is it while it's in the telecom's control and when it's in flight? Remember, data doesn't actually move, it gets copied. So "giving" it to the NSA doesn't mean the telecoms no longer have it.
Thanks ...I agree with you.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.