The recent disclosure by Edward Snowden about the NSA’s PRISM surveillance system has been quite interesting. It seems certain that they are collecting meta data about all phone calls that pass through US infrastructure (or perhaps even infrastructure of US domiciled telcos that is located elsewhere). There are also claims that they have access to content from major B2C cloud providers such as Facebook, Google, Microsoft and Skype.
First, was anyone seriously surprised? Surely not! The US government is in a siege mind-set and both surveillance and development of a social graph to find accomplices are reasonable approaches (never mind legality) to defend against terrorism.
Why the siege mentality? Because of the ominous terrorist threat! Never mind that the number of people killed or injured in the western world, by terrorism, is statistically indistinguishable from zero and that no government can point to any successful prevention despite billions in spending. The best the US government can point to is a few dead terrorists, thanks to the drone assassination program over Pakistan. And a lot of dead soldiers in Afghanistan and Iraq. Tragic.
So given that wire-tapping without a court order is supposed to be illegal in the US, how might the government justify the legality of this program?
One approach might be to collect all the data, store it, but only analyze any of it with a court order. Another approach might be to run analyses on the social graph, generate reports on interesting sets of people but without identifying who they are and get a secret court to approve display of identity data for the people identified in a report.
Who knows? I am not a lawyer. It’s fun to speculate, though!
So is any of this useful?
As an IT security practitioner, my first instinct is to say “yes” — i.e., it seems plausible that you would find some bad guys this way.
The trouble is, have the US feds found any bad guys? I can’t imagine politicians resisting the urge to brag about the success of this kind of effort if they actually caught someone. They haven’t really done that, so I have to conclude that the program has been a dud. Very much like the video surveillance in London – sounds good on paper, but where is the data to show that it had an impact on crime rates? (hint: there is no such data).
I’m a big believe in “if you can’t measure it, it doesn’t exist” – and extreme surveillance like PRISM or like the London camera system have yielded no measurable value, as far as I can tell.
But what about 9/11 you might ask? It’s a single event, and it could be prevented by better doors on cockpits (done). Seriously – you don’t need a TSA or DHS to prevent it. Even if you include 9/11, in objective terms, terrorism still poses a lower risk than slippery bathtubs (On an average, 370 persons of all ages sustain injuries from bathtub/shower daily in the United States.).
If you accept my thesis that all this anti-terror activity is a huge waste of energy, then what effect does it actually have? Well, if the purported $200,000/year salary for high-school-educated Edward Snowden is any indication, it has an impact on the IT labor market. As does the fact that the NSA and its contractors certainly employ tens of thousands (perhaps hundreds of thousands, collectively) of talented individuals in work that has no economic benefit. This isn’t good for the US economy (diverting labor away from productive work) or for the US federal budget deficit (this isn’t cheap folks!).
Another impact is on cloud computing. While US-domiciled firms may continue to be comfortable moving their corporate infrastructure and apps to the cloud, firms domiciled elsewhere will either not feel comfortable using US-based cloud providers (such as Amazon, Salesforce, etc.) or may even be legally prohibited from doing so (I’ve heard that medical researchers in Canada cannot host their IT on US servers). This means that all the surveillance has the unintended effect of making otherwise world-leading US cloud providers uncompetitive.
Another angle on all this is that it makes US government behaviour uncomfortably similar to Chinese government behaviour. Extensive surveillance? Check! Ability to block content? Check! (the US do this with DNS take-down orders due to claimed IP violations, but still…). Did the moral high ground just making a whooshing noise as it disappeared?
What else could they monitor? Full speech-to-text of voice calls comes to mind. The technology almost certainly exists (I have heard that the Israeli government has had this capability for years). You could use same legal cover to add this feature.
Why the fancy new data centers in Utah and Maryland? Well, if you collect this kind of voluminous data, you have to store it somewhere. Surely the telcos and cloud B2C web site companies won’t want to spend their own money to store all this data on their servers, in their facilities. Violating customer privacy is one thing. Spending big money to do so is something else again.
The US public seems to be sanguine about all this surveillance. That’s an uncharacteristic trust in government’s good intentions, quite at odds with the recent IRS abuse of power scandal. Nishant Kaushik pointed out something really smart today — Americans would likely respond quite differently if they clued in to the idea that PRISM could probably be used to create a gun owners registry. Imagine the NRA‘s response! LOL.
So is this just a US problem? Well, obviously more repressive regimes like China and Russia do the same thing. I think we should assume, by default, that other Western countries (including my home in Canada) do so too. That’s gotta be the safer assumption.
That’s what comes to mind. Quite a lot. We certainly live in interesting times!