NSA operations center in 2012 (Photo: Public Domain)
A few days ago the European Parliament’s Office of Citizens’ Rights and Constitutional Affairs released a notably pointed briefing paper arguing for Europe to stop trusting American Internet services. The briefing and the committee are the latest forum to suggest that European states create domestic cloud computing capacities to provide member states legal protection from NSA data surveillance. The report has the not-at-all-subtle title “The US National Security Agency Surveillance Programmes (PRISM) Foreign Intelligence Surveillance (FISA) Activities and Their Impact on EU Citizens’ Fundamental Rights.” Among the findings:
Prominent notices should be displayed by every US web site offering services in the EU to inform consent to collect data from EU citizens. The users should be made aware that the data may be subject to surveillance (under FISA 702) by the US government for any purpose which furthers US foreign policy.
The argument there is that people will have an incentive to find other websites to use, particularly for e-commerce. Companies like Amazon, and U.S. airlines and ticketing agencies—Expedia and the like—won’t be pleased, and that in turn will create economic pressure to alter surveillance strategy, the report argues.
A consent requirement will raise EU citizen awareness and favour growth of services solely within EU jurisdiction. This will thus have economic impact on US business and increase pressure on the US government to reach a settlement.
That isn’t all. The report argues for the European Union to simply swear off U.S.-based cloud computing, and to develop local capacity. Again, the argument is largely economic.
Such a policy would reduce US control over the high end of the Cloud e-commerce value chain and EU online advertising markets. Currently European data is exposed to commercial manipulation, foreign intelligence surveillance and industrial espionage. Investments in a European Cloud will bring economic benefits as well as providing the foundation for durable data sovereignty.
Further along, the report notes the different ways the NSA scandal has been understood inside and outside the US. Inside the U.S. a key issue was whether the NSA has been spying domestically, on U.S. citizens, and the implications of that question for domestic data security. Abroad, the report notes, people are understandably more interested in their own ability to protect personal data from the NSA. The briefing suggests E.U.-U.S. negotiations on data security, though efforts at such negotiations have failed previously.
…a casual reader would not understand that the intended target of surveillance was non-Americans, and that they had no rights at all. It seems that the only solution which can be trusted to resolve the PRISM affair must involve changes to the law of the US, and this should be the strategic objective of the EU. Furthermore, the EU must examine with great care the precise type of treaty instrument proposed in any future settlement with the US. [boldface as printed] Practical but effective mechanisms are also needed to verify that disclosures of data to the US for justifiable law enforcement investigations are not abused.
In sum, Europe’s still upset, and talking seriously and in public about how to protect itself from American eavesdropping. Yesterday, Slate’s Ryan Gallagher flagged a want ad for a counterintelligence professional posted on a Parliament website last July, shortly after the Edward Snowden affair broke. The same body is housed in a Brussels building ID’d as an NSA target in the Snowden papers, according to the Slate report.
David Simon, the creator of HBO’s epic series The Wire, has weighed in on the recent disclosure that the National Security Agency has been combing through our cell phone records as part of its anti-terrorism efforts. It’s an interesting read, particularly coming from the guy who wrote such interesting stories (presumably based on what he saw as a crime reporter for the Baltimore Sun) about police surveillance. Basically, his take is that using broad swathes of cell phone data (numbers dialed, minutes used, locations, etc.) is not particularly invasive, is perfectly legal, and has been a regular tool of law enforcement since well before 9/11.
How might this be a useful law enforcement tool? To illustrate, I took the liberty of downloading my own cell usage data from the past month from Verizon. Below is a type of network graph called an “egonet” showing my cell phone conversations during the month of May. I’m at the center (the “ego”), and all the red dots (the “alters”) are people to whom I’ve spoken. (No, the points aren’t labeled.) Thicker lines indicate more frequent phone contacts.
You can see that most of the contacts are people I speak to only once or twice. The highlighted (more frequent) connections are my wife, my parents, my brother, a colleague, my kids’ elementary school, and a guy who was doing some contract work at my house. Let’s just assume that’s a typical phone data pattern for a guy in my demographic profile who’s not a terrorist. (You’ll have to take my word for this.)
Now, if you were able to download the phone usage data for all the nodes depicted above and graph them, you’d have a pretty complex network diagram. It would show some small, dense networks (families, groups of friends) and some loosely-affiliated people who have their own connections. Now download the phone usage data for all of those nodes, and imagine the patterns it would show. Now imagine if you could do that for basically every cell phone subscriber in the country.
That’s a huge amount of data, and depicting it graphically would pretty much be a waste of ink. Profiles like mine would quickly disappear into background noise. But computers can look for people who rise above the noise. Perhaps someone seems to belong to no local networks but just pops up to make a few phone calls that last less than a minute. Perhaps those calls occur within 24 hours of a bombing attack, or right after an al Qaeda speech is broadcast. Well, that’s hardly proof of criminal activity, but it might be enough for investigators to seek a warrant for a wiretap or some other form of surveillance to learn more about the person making the calls.
This is related to another point Simon makes in his post: There’s no reason to believe that the government is listening in on all of our phone calls, simply because the task is absurdly vast. What percentage of us are engaged in criminal conspiracies at any given moment? For investigators to somehow monitor all our phone calls to see if we’re doing anything wrong is ridiculous: the signal-to-noise ratio is functionally zero. It would be more efficient to just walk door to door asking if we’re doing anything illegal.
What the big data approach described above does is avoid the task of monitoring everything at once. It uses networking patterns to filter out the noise and find the few individuals who are behaving atypically, and focus on them.
Now, I’m not saying this is how the NSA actually operates; I really don’t know. Nor am I saying that this is how it should operate. Just consider this an educated guess as to how a law enforcement organization would use this kind of data if it were available.
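The egonet and the "rises above the noise" filter described above can be sketched in a few lines. This is an added example, not code from the original post: the call records are constructed, and the thresholds (calls under 60 seconds, at most five calls, no contacts who call each other) are assumptions chosen to mirror the post's description.

```python
from collections import defaultdict
from itertools import combinations

# Constructed call records: (caller, callee, duration in seconds).
CALLS = [
    ("ego", "wife", 300), ("ego", "wife", 120), ("ego", "wife", 600),
    ("ego", "brother", 400), ("ego", "brother", 250),
    ("ego", "school", 90), ("ego", "contractor", 150),
    ("wife", "brother", 200), ("wife", "school", 180),
    ("x", "ego", 40), ("x", "p1", 35), ("x", "p2", 50),
    ("p1", "q1", 500), ("p2", "q2", 700),
]

def build_graph(calls):
    """Undirected graph: node -> {neighbor: [durations of calls on that edge]}."""
    graph = defaultdict(lambda: defaultdict(list))
    for a, b, secs in calls:
        graph[a][b].append(secs)
        graph[b][a].append(secs)
    return graph

def egonet(graph, ego):
    """Alters of `ego` with call counts (the line thickness in the post's figure)."""
    return {alter: len(durs) for alter, durs in graph[ego].items()}

def clustering(graph, node):
    """Fraction of a node's contact pairs who also call each other."""
    pairs = list(combinations(list(graph[node]), 2))
    if not pairs:
        return 0.0
    linked = sum(1 for u, v in pairs if v in graph[u])
    return linked / len(pairs)

def atypical(graph, max_secs=60, max_calls=5):
    """Nodes in no local cluster whose few calls are all under max_secs."""
    flagged = []
    for node, nbrs in graph.items():
        durations = [d for durs in nbrs.values() for d in durs]
        if (len(nbrs) >= 2 and clustering(graph, node) == 0.0
                and len(durations) <= max_calls and max(durations) < max_secs):
            flagged.append(node)
    return sorted(flagged)

if __name__ == "__main__":
    g = build_graph(CALLS)
    print(egonet(g, "ego"), clustering(g, "ego"), atypical(g))
```

Note that nothing here touches call content: contact frequency, duration and who-knows-whom structure alone are enough to separate family clusters from the outlier, which is why metadata collection carries privacy weight of its own.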