What you don’t know can hurt you, it turns out. In back-to-back revelations this week, Americans learned that their electronic communications are subject to massive monitoring by the National Security Agency, without any individualized basis for suspicion. On Wednesday, The Guardian published a secret court order requiring Verizon Business to turn over to the NSA phone “metadata” regarding all calls between the United States and other countries and all local calls within the United States. The data includes the originating number, the number called and the date, time and duration of the calls. In some instances, it includes the location of the callers. According to Senator Dianne Feinstein, this was a renewal of an order that has been in place for many years, unbeknownst to the American public. And as there is nothing unique about Verizon, it seems virtually certain that similar orders govern all phone service providers. In the wake of the disclosure, the Obama administration sought to deflect criticism, stressing that the order does not require transmission of the content of phone calls. But it is no small matter to know that every time you pick up the phone and call, the NSA knows it.
As if that weren’t disturbing enough, on Thursday The Washington Post reported that the NSA has entered into agreements with nine Internet service providers—including Google, YouTube, Facebook, Yahoo, Skype, Apple and AOL—to allow the NSA to obtain from them all sorts of private information communicated over their networks. Dropbox, the Post reports, is said to be “coming soon.” According to the Post, the top-secret program, PRISM, allows the FBI and the NSA to extract “audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time.”
By combining information from both programs, the government can rather quickly paint a detailed picture of the private life of almost anyone.
The PRISM program, unlike the NSA phone records program, does not sweep up all data in a vacuum. Rather, it enables government analysts to search the private Internet company’s own data for key terms that are supposed to make it more likely than not that the target is “foreign.” But this requirement of only 51 percent certainty means that much of the information disclosed will inevitably concern Americans. The extent of the information available to the government is extraordinary. The Post reports that, according to a PRISM “User Guide,” Skype “can be monitored for audio when one end of the call is a conventional telephone and for any combination of 'audio, video, chat, and file transfers' when Skype users connect by computer alone. Google’s offerings include Gmail, voice and video chat, Google Drive files, photo libraries, and live surveillance of search terms.”
By combining information from both programs, the government can rather quickly paint a detailed picture of the private life of almost anyone. The persons with whom one communicates, the documents one saves in the “cloud,”—photographs, e-mails, Facebook postings and even audio Internet calls—are all available.
The government claims this is useful in fighting terrorism. Sure it is. But it would also be useful in fighting terrorism if all of us were required to open our homes, luggage, wallets, purses, computers and private communications to the government at its direction, without a warrant based on probable cause of criminal activity. Privacy makes it easier for terrorists and other criminals to pursue bad ends. But privacy also makes it possible for the rest of us to live our lives with intimacy, to develop our personalities and ideas and associations without fear of government oversight, and to think and act for ourselves. Privacy is the life blood of a vibrant democracy and a free society.
But in Silicon Valley and the NSA, those values seem increasingly old-fashioned, victims of the technological advances that make it easy to track almost every move a person living in the twenty-first century makes. Every phone call we dial; every Internet site we browse; every credit card purchase we make; every bank deposit or withdrawal; every e-mail we send and, if we carry a smart phone, even every step we take is shared with some private third party—the phone company, the Internet service provider, the bank, credit card company, etc.
Somewhere along the way after 9/11, we lost our bearings on the balance between privacy and security.
In the 1970s, when no one could foresee the digital age we now take for granted, the Supreme Court decided that information we share with third parties is not protected by the Fourth Amendment from government efforts to obtain it from that third party. As a result, the Fourth Amendment’s warrant and individualized suspicion requirements do not apply, and the government is free to obtain information without any suspicion at all on any or, as in the Verizon example, all of us. That “third party disclosure” rule is the single greatest threat to the continued protection of privacy in the digital age, and it desperately needs reconsideration.
But in the meantime, Congress should act. The absence of constitutional protections does not mean that Congress cannot create statutory protections. It has done so in the past, creating statutory safeguards, for example, for bank and credit records, and for the real-time collection of phone data. But this week’s revelations make clear that the protections are outmoded and insufficient. To be sure, the government needs the authority to track individuals suspected of criminal or terrorist activity. But does it really need to be able to track us all in such a sweeping manner?
Somewhere along the way after 9/11, we lost our bearings on the balance between privacy and security. Because it largely happened through secret orders and secret programs, Americans did not even know what we had sacrificed. We are beginning to get an inkling. If privacy is going to survive, Congress needs to launch a full investigation, with the aim of informing Americans about the intrusions on our privacy, and imposing reasonable limits to ensure that those of us who are not engaged in criminal or terrorist activity are not innocent casualties of the modern surveillance state.