In a post-Snowden world, surveillance has taken on a new importance in the ongoing public debate about cybersecurity. The revelations that the National Security Agency (NSA) operated a series of highly classified programs that engaged in mass collection of Internet user data and telephony metadata garnered breathless coverage and attention from leaders and citizens around the world. But to understand how the Snowden affair may really impact the future of cybersecurity, it is important to understand how a dichotomy that the United States advocates for on the international stage – “national security” as distinct from “law enforcement” – has broken down domestically. Just as China is able to conflate the issues of economic or industrial espionage with “traditional” espionage and derail the conversation, so will our mixed messages on the issue of law enforcement and surveillance hamper our ability to credibly negotiate on the international stage.
Snowden’s leaks confirmed the worst fears of civil libertarians and lent credibility to those previously dismissed as tin-foil-hat-wearing apostles of governmental overreach. It is now settled fact: surveillance done by the United States for the ostensible purpose of national security is far more comprehensive than the public could have ever imagined. Between the orders from the Foreign Intelligence Surveillance Court that permit the interception of all telephony metadata to the incriminating slides detailing the NSA’s “PRISM” program that is designed to collect information from major technology companies, there is no longer any question as to whether the government has access to our information. The question remains, however, whether the government will use this information for purposes that are constrained to national security, or if we will see an Orwellian blurring of the lines between national security and law enforcement.
Before delving into the details of the NSA’s programs, it is important to note that in the United States, law enforcement has historically been a local concern. As Justice Kennedy noted in his concurrence in United States v. Comstock, the limited powers granted to the national government in the United States Constitution and the text of the Tenth Amendment lead to the inescapable conclusion that “residual power, sometimes referred to (perhaps imperfectly) as the police power, belongs to the States and the States alone.” It is only in the last century, and in particular the last thirty years, that we have seen a dramatic “federalization” of criminal law. Yet even as the federal government has increased its role in law enforcement, national security has always been seen as a distinct concern. As Matthew Waxman of Columbia University noted in a piece about how post-9/11 counterterrorism efforts began to break down this barrier, “The very term ‘national security’ seems in some sense inconsistent with a police system built upon strong traditions of localism.”
The statutory and court authorizations that underpin the NSA’s recently revealed programs are premised on the basis that they collect foreign intelligence information in support of national security. But from a close examination of the “minimization procedures,” or policies that govern the use of data that is “inadvertently” collected, it becomes evident that the lines between “domestic” and “foreign” and “national security” and “law enforcement” are not as clear as they have been made out to be. Telling language in one of the leaked Snowden documents, “Exhibit B – Minimization Procedures used by the National Security Agency,” is seen in Section 5(b), which governs domestic communications. In relevant part, the document provides:
…a communication identified as a domestic communication will be promptly destroyed…unless the Director specifically determines….that…the communication does not contain foreign intelligence information but is reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed. Such communication may be disseminated (including United States person identities) to appropriate Federal law enforcement authorities…
Existing practice allows the NSA to conduct sweeping surveillance operations under the guise of gathering foreign intelligence. If domestic communications are “inadvertently” are picked up, the NSA remains free to pass along any suspected criminal activity, including the identities of US persons, to federal law enforcement. It should be noted that despite my tone, I do not believe there has been rampant abuse of the system; simply that the institutions as currently designed harbor the potential for such abuse. This post is far from the first to draw this connection, but there are some underlying ironies that have gone underappreciated.
For several years, there has been vocal discussion in Washington DC about amending another outdated law, the Electronic Communications Privacy Act of 1986 (known as “ECPA”). This law has, in short, aged poorly, allowing law enforcement to access to a huge amount of information – certain types of cell phone location data and “transactional” information, as well as cloud-based email over six months old – without a warrant. Hearing after hearing have been held in the House and Senate, and at various points, it seemed that a reform bill, carefully crafted with the input of the administration, technology companies, and civil liberties organizations, would set ECPA’s limits back on the right path. Needless to say, Congress did not act, and ECPA remains in place. But even if such a reform were to have been implemented, the NSA’s power would have remained unchecked.
One can easily imagine the absurdity of such an arrangement, as those within the companies tasked with compliance with PRISM and similar programs are bound to secrecy, even from those that they work with. In the legal departments of such corporations, one employee would be ordered to give the NSA access to all of its users’ information, while at the same time a colleague would steadfastly deny requests by law enforcement that lacked a proper, individualized warrant. The NSA could, of course, then immediately turn over the data that they received but was denied to law enforcement, presuming that the NSA was able to “reasonably believe” there may be criminal activity.
As absurd as that scenario may be, the reality is worse. ECPA remains unreformed, the NSA continues to operate with the approval of the FISA court, and trust in the United States government has fallen domestically and abroad. If there’s any silver lining to this bitter ray of sunshine, it is that it could be worse. The NSA has in the past lobbied for power under Title 18, the criminal and penal code section of the United States Code. An amendment to the Intelligence Authorization Act for 2007, proposed in the House of Representatives, would have given the NSA power to “make arrests without warrant for any offense against the United States committed in the presence of such personnel, or for any felony cognizable under the laws of the United States, if such personnel have probable cause to believe that the person to be arrested has committed or is committing that felony offense.” Section 432. Given what we now know about the extent of the NSA’s surveillance operations, I think most citizens are glad that that proposal has not become law…yet.
While many of the issues highlighted herein touch on domestic policy, and the only credible path forward is a more open and inclusive public debate on these heretofore highly classified issues, the ramifications at the international level are manifold. The United States cannot expect its position at multilateral talks that aim to develop norms for behavior in cyberspace to be taken seriously until it has its own house in order.
Vivek Mohan is a Fellow with The Cyber Project at the Harvard Kennedy School. He formerly served as an attorney at Microsoft’s Innovation and Policy Center in Washington DC and received his JD from Columbia Law School.