Post by WaTcHeR on May 16, 2006 9:37:31 GMT -5
05/16/2006 - Last week's disclosure that the government has amassed a database of Americans' phone records and revelation of a domestic wiretapping program have sparked a debate on the role of technology in government surveillance efforts. Can both national security and privacy rights be protected in the digital age?
The Wall Street Journal Online asked privacy advocate Marc Rotenberg, head of the Electronic Privacy Information Center, to discuss the issue with security consultant Kim Taipale, founder of the Center for Advanced Studies in Science and Technology Policy. Their exchange, which was carried out over email, is below.
Mr. Rotenberg begins: For the most part, the use of technology to conduct surveillance does result in an invasion of privacy. The big question has always been how best to maximize the benefits and minimize the privacy risks. For example, intercepting telephone calls can be very intrusive. People speak with friends and family members on the phone. They share secrets. They say things that they probably wouldn't say to the general public. Most people in the U.S. still have a strong expectation of privacy about their telephone conversations.
But sometimes, there is a legitimate need for the government to investigate someone and to intercept telephone calls. Perhaps a cellphone is being used to set up an illegal drug sale. (In fact, most wiretaps are authorized for narcotics investigations.) So, the government gets legal authority from a judge to conduct the surveillance. The target and the period of the intercept are specified so that the privacy of innocent people is protected. Data that are not needed for the investigation are discarded. When the wiretap is concluded, the target is notified.
If there is going to be surveillance, there should be safeguards. It helps prevent abuse.
Mr. Taipale responds: Well, it doesn't look like this is going to be much of a debate because Marc and I agree on the bottom line: If there is going to be surveillance, there should be safeguards.
Let's see where else we agree … and maybe where we don't. I think everyone agrees that we need to protect civil liberties and privacy (which is both a value in itself and also a protection for other civil liberties, such as autonomy, etc.). I think we also agree that in certain cases -- terrorism, for example -- we need to try to stop terrorists before they act. Thus, it is preemption, not technology, that is the real challenge to our existing procedures for protecting civil liberty and privacy.
Preemption requires uncovering information useful to anticipate and counter future events. Automated data analysis and monitoring technologies can help by monitoring communications and revealing evidence of organization, relationships, or other relevant patterns of behavior indicative or predictive of potential threats, thus allowing law enforcement or security resources to be focused more effectively on those likely targets.
Thus, the issue isn't whether technology in the abstract "results in an invasion of privacy" but, rather, whether any such intrusion is "reasonable" and appropriate under the circumstances. This requires examining the predicate for action, the alternatives, the consequences, and the opportunities for error correction, if there are mistakes. It also means that any use should be appropriately authorized, oversighted, and reviewed -- that is, that there are safeguards to prevent misuse, abuse and error -- just like any other procedures.
Where the disagreement lies is in whether technology -- and particularly automated data analysis or monitoring -- can, in certain circumstances, be used to look for evidence of initial suspicion itself. In other words, can data analysis (nee technology) be used to spot activity that is "reasonably suspicious" and flag it for follow-up? If so, how to authorize, oversight and review these uses?
The requirement for showing "probable cause" prior to the use of any data analysis or electronic surveillance technology is appropriate where one is targeting known terrorists. Unfortunately it is not adequate for finding unknown terrorists and what is needed is a legal procedure -- authority and oversight -- for such uses. The point is that existing mechanisms don't work.
Mr. Rotenberg: Ok. Maybe we should leave the law books and head out to the movie theater. Steven Spielberg's "Minority Report" raised the interesting idea that at some point in the future we could develop technologies that allow us to detect crime before it occurs. That seems very appealing in the post 9-11 world. And I remember the former Attorney General John Ashcroft stating very directly that the purpose of the Department of Justice was no longer to investigate and prosecute crime, but to prevent it -- or "preempt" it, in Kim's phrase.
But "Minority Report" also made an interesting point about these technologies. Even systems of perfect crime detection are subject to abuse. (And Max von Sydow was a great villain!)
And so, we are right back to where we started: We need laws to regulate these technologies.
Mr. Taipale: Exactly, but the laws and procedures should fit the circumstances and the existing mechanisms -- including specifically FISA [the Foreign Intelligence Surveillance Act] and Title III -- are inadequate.
These automated analysis and surveillance technologies are not being used to determine guilt or innocence but are being used to help better allocate investigative or intelligence resources. The real question is under what circumstances -- that is, with what authority, oversight and review -- are we going to allow automated data analysis technologies to help establish probable cause itself.
If a police officer can use "reasonable suspicion" as a basis to stop an individual on the street and investigate further -- in other words, can use reasonable suspicion as the basis to investigate and determine whether there is probable cause to go further -- shouldn't we use the same or an equivalent standard for electronic surveillance, which is, after all, only the automation of traditional investigative techniques?
Requiring "probable cause" prior to any form of electronic analysis or surveillance means not allowing any uses.
Mr. Rotenberg: Kim's point about the various levels of "probable cause" for different levels of an investigation follows pretty closely how the federal wiretap law operates.
The problem with the current systems for mass surveillance, whether it is trolling through phone records, or analyzing airline passenger data, is that there doesn't seem to be any level of suspicion that guides the investigation. It would seem just too easy to use the exact same techniques to identify political protesters exercising their First Amendment rights.
I was also surprised to hear some supporters of the [National Security Agency] surveillance program say that the phone numbers were "anonymized." There are a lot of good privacy techniques built on anonymization, but I never thought that a phone number would be considered anonymous. In many circumstances it is more likely to identify an individual than a name would.
Kim, you do a lot of work on data mining and anonymization. What are your thoughts about whether a phone number could be considered "deidentified"?
Mr. Taipale: I think we are getting at the core of the problem here and the issue is whether there is any suspicion to justify the initial surveillance. My own view is that the NSA program -- as far as it has been disclosed in the press -- was not engaged in any "mass surveillance" or "trolling" (in the U.S. or against U.S. persons) but, rather, in each case started with a reasonably suspected foreign thread and followed it. So, for example, in the original NSA disclosures, the surveillance was of international calls to and from suspected foreign connections that were legitimate targets of foreign intelligence surveillance.
Using that initial contact with the foreign source as a "soft trigger" (in [Air Force Gen. Michael] Hayden's parlance) to justify some limited follow-up surveillance against the U.S. number or person (including in some cases having analysts listen to "fragments" of the international conversation, according to this Washington Post article).
Based on that limited follow-up they either dropped the surveillance (if the contact was deemed not suspicious on follow-up) or targeted the person or source if it was (by getting a FISA warrant). In some cases the initial follow-up would have been inconclusive and here is where the "shift supervisor" (per Hayden's comments) made a judgment call as to whether there was sufficient "reasonable suspicion" to continue some limited monitoring to determine if there was probable cause or not. The problem, it seems to me, is that there is no procedure in the way federal wiretap laws operate to authorize the initial programmatic surveillance or the limited follow-up.
Obviously, you couldn't get a FISA warrant before listening to the snippet because the soft trigger might not be enough for probable cause (even though it might be "reasonable suspicion") and you can't use the retroactive procedures because by definition the contacts that you deemed not suspicious and dropped wouldn't meet the probable cause standard…
As to your last question about whether phone numbers without subscriber data are "anonymized" I would have to say no in any technical sense, but they might be considered "de-identified" enough for use with certain procedural safeguards. For example, if you ran the cross checks against the phone numbers, but required some additional process or approval before actually identifying to whom the number belonged (obviously, such re-identifying is a trivial task -- try Googling your own phone number!).
The point is that the intrusion is not unreasonable simply because it could result in re-identification. So, I guess we are back to your original point: We need some process to authorize and oversight the use of technology. But I do think that we can use data analysis and monitoring technology in appropriate circumstances as a trigger (i.e., to establish reasonable suspicion) for follow-up but only where the initial use is justified by some process. Thus, the need for programmatic approvals and limited follow-up surveillance, something that current law doesn't accommodate.
One last point here, we need to remember that there is a threshold justifying some initial surveillance (i.e., there is an ongoing conspiracy to commit acts of terrorism) even if it is a loose conspiracy. That doesn't justify any particular program or use, but it is a reason to explore under what circumstances electronic surveillance is reasonable even if the "probable cause" standard cannot be met initially.
Mr. Rotenberg: So, we have a legal conundrum. We have surveillance techniques that are potentially far more intrusive than any techniques that previously existed. Yet, we are unable to say before they are used who they will be directed against or what they might uncover.
In such circumstances, I think the law needs to develop more robust means of oversight. We need more engaged judges, more active oversight in Congress, and better public reporting. Instead, we seem to be moving in the opposite direction.
It's a mistake to assume that simply because the surveillance is done by a machine or an algorithm, there is no privacy risk. Most of the modern privacy laws came about in response to concerns about computer-based surveillance.
As Thomas Edison once said, "What man creates with his hand, he should control with his head."
That is the challenge for regulating new technologies of surveillance.
Mr. Taipale: Well, a legal conundrum or a difficult policy choice -- either way I think the debate needs to move beyond the partisan and/or institutional bickering over who has the authority to authorize and oversight these programs to a recognition of the fact that someone must and that the existing mechanisms and laws are no longer completely adequate. I agree with you completely that to assume that there is no privacy risk because it is a machine or algorithm doing the monitoring is a mistake. As Jack Balkin has said, under the theory that only human beings can invade people's privacy, the police "could simply use robots to do their dirty work."
Nevertheless, I don't think that the conundrum is quite as stark as you portray it. The issue is simply whether and under what circumstances we are going to permit the use of technology to help focus law enforcement or national security resources on potential threats. In the case of the NSA programs we have been discussing, these technologies are not being used as "drift nets over Dearborn" (as Hayden has said) or in the manner of "general warrants" but rather they are being used to follow links and extract patterns starting from known or reasonably suspected foreign intelligence targets. They are being used to drill down to suspects and disambiguate non-suspects.
While we need to take care that their use does not infringe on protected rights we need to remember that there is no right to plot terror attacks in secret.