When you pick up the phone, who you’re calling is none of the government’s business. The NSA’s domestic surveillance of phone metadata was the first program to be disclosed based on documents from whistleblower Edward Snowden, and Americans have been furious about it ever since. The courts ruled it illegal, and Congress let the section of the Patriot Act that justified it expire (though the program lives on in a different form as part of the USA Freedom Act).
Yet XKEYSCORE, the secret program that converts all the data it can see into searchable events like web pages loaded, files downloaded, forms submitted, emails and attachments sent, porn videos watched, TV shows streamed, and advertisements loaded, demonstrates how Internet traffic can be even more sensitive than phone calls. And unlike the Patriot Act’s phone metadata program, Congress has failed to limit the scope of programs like XKEYSCORE, which is presumably still operating at full speed. Maybe Verizon stopped giving phone metadata to the NSA, but if a Verizon engineer uploads a spreadsheet full of this metadata without proper encryption, the NSA may well get it anyway by spying directly on the cables that the spreadsheet travels over.
The outrage over bulk collection of our phone metadata makes sense: Metadata is private. Americans call suicide prevention hotlines, HIV testing services, phone sex services, advocacy groups for gun rights and for abortion rights, and the people they’re having affairs with. We use the phone to schedule job interviews without letting our current employer know, and to manage long-distance relationships. Most of us, at one point or another, have spent long hours on the phone discussing the most intimate details about our lives. There isn’t an American alive today who didn’t grow up with at least some access to a telephone, so Americans understand this well.
But Americans don’t understand the Internet yet. Bulk collection of phone metadata is, without a doubt, a violation of your privacy, but bulk surveillance of Internet traffic is orders of magnitude more invasive. People also use the Internet in all the ways they use phones — often inadvertently sharing even more intimate details through online searches. In fact, the phone network itself is starting to go over the Internet, without customers even noticing.
XKEYSCORE, as well as NSA’s programs that tap the Internet directly and feed data into it, have some legal problems: They violate First Amendment rights to freedom of association; they violate the Wiretap Act. But the biggest and most obvious concerns are with the Fourth Amendment.
The Fourth Amendment to the U.S. Constitution is short and concise:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
It means that Americans have a right to privacy. If government agents want to search you or seize your data, they must have a warrant. The warrant can only be issued if they have probable cause, and the warrant must be specific. It can’t say, “We want to seize everyone’s Internet traffic to see what’s in it.” Instead, it must say something like, “We want to seize a specific incriminating document from a specific suspect.”
But this is exactly what’s happening:
The government is indiscriminately seizing Internet traffic to see what’s in it, without probable cause. The ostensible justification is that, while tens of millions of Americans may be swept up in this dragnet, the real targets are foreigners. In a legal document called USSID 18, the NSA sets out policies and procedures that purportedly prevent unreasonable searches of data from U.S. persons.
But it doesn’t prevent, or even claim to prevent, unreasonable seizures.
Kurt Opsahl, general counsel of the Electronic Frontier Foundation, explains: “We have a fundamental disagreement with the government about whether [data] acquisition is a problem. Acquisition is a seizure and has to be compliant with the Fourth Amendment.”
If you read USSID 18 carefully, you’ll see that it appears to limit, with many exceptions, the government’s ability to intentionally collect data concerning U.S. persons. But the Department of Defense, under which the NSA operates, defines “collection” differently than most of us do. It doesn’t consider seized data as “collected” until it’s been queried by a human.
If you email your mom, there’s a good chance the NSA will intercept the message as it travels through a fiberoptic cable, such as the ones that make up the backbone of the Internet, eventually making its way to an XKEYSCORE field site. You can thwart this with encryption: either by encrypting your email (hopefully someday all parents will know how to use encrypted email), or by using email servers that automatically encrypt with each other. In the absence of such encryption, XKEYSCORE will process the email, fingerprint it and tag it, and then it will sit in a database waiting to be queried. According to the Department of Defense, this email hasn’t been “collected” until an analyst runs a query and the email appears on the screen in front of them.
When NSA seizes, in bulk, data belonging to U.S. citizens or residents, data that inevitably includes information from innocent people that the government does not have probable cause to investigate, the agency has already committed an unconstitutional “unreasonable seizure,” even if analysts never query the data about innocent U.S. persons.
The NSA has legal justifications for all their surveillance: Section 215 of the Patriot Act, now expired, was used to justify bulk collection of phone and email metadata. Section 702 of the Foreign Intelligence Surveillance Act (FISA) is currently used to justify so-called “upstream” collection, tapping the physical infrastructure that the Internet uses to route traffic across the country and around the world in order to import into systems like XKEYSCORE. Executive Order 12333, approved by President Reagan, outlines vague rules, which are littered with exceptions and loopholes, that the executive branch made for itself to follow regarding spying on Americans, which includes USSID 18.
But these laws and regulations ignore the uncomfortable truth that the Fourth Amendment requires surveillance of Americans to be targeted; it cannot be done in bulk. Americans are fighting to end bulk surveillance in dozens of lawsuits, including Jewel v. NSA, which relies on whistleblower-obtained evidence that NSA tapped the fiber optic cables that carry Internet traffic in AT&T’s Folsom Street building in San Francisco. It’s easy for the government to stall cases like this, or get them dismissed, by insisting that talking about it at all puts our national security at risk.
And, of course, let’s not forget the 6.8 billion people on Earth who are not in the United States. Article 12 of the U.N. Declaration of Human Rights states:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
The NSA has very few restrictions on spying on non-Americans (it must be for “foreign intelligence” or “counterintelligence” purposes, and not other purposes), despite XKEYSCORE and the bulk collection programs that feed it being an “arbitrary interference” with the privacy of such persons. NSA doesn’t even have restrictions on spying on allies, such as Germany and France.
Facebook feeds everywhere are decorated with baby pictures. When those babies are grown up and getting elected to Congress, maybe then Americans will understand how the Internet works, and that bulk surveillance of phone metadata is just a tiny sliver of the enormous “collect it all” bulk surveillance pie.