IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

How to decipher NSA data mining: Examine capabilities and intentions

The news media this week was full of articles describing the U.S. government's role in gathering, mining and analyzing big data from nine leading U.S. Internet companies in order to stop terrorism. Where is this capability going?

The news media this week was full of articles describing the U.S. Government’s role in gathering, mining and analyzing big data from nine leading U.S. Internet companies in order to stop terrorism.

The reaction from most of my friends and family has been one of shock, confusion and almost disbelief. One colleague commented, “The whole story seems almost Orwellian.” Several relatives contacted me to get my viewpoint, since I am a former NSA employee. 

Many of them are angry. Their questions are all over the map, such as:

-    Can the feds really see all that Internet data? Is it even technically possible? (My answer – Yes.)

-    Is government listening to my phone calls? (My answer – No, but they have the capability.) 

-    Do I believe President Obama’s explanation? (Yes, but more questions must be asked.)

-    Is this massive data mining really needed to stop terrorism? (My answer: Probably.)

-    Some believe claims that the government wants to destroy privacy worldwide. (I disagree.)

-    Am I worried? Couldn’t this power be misused? (My answer: A bit – we need future controls.)

-    How can we decipher all of this monitoring? Where is the balance between security and personal privacy? What should be watching out for? (My answer:  Read on.)

Quick News Recap

The Guardian (U.K.) broke the story and The Washington Post quickly followed with this piece. Here’s an excerpt:

“The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, emails, documents, and connection logs that enable analysts to track foreign targets, according to a top-secret document obtained by The Washington Post.”

The article goes on to describe the companies involved, the history of the program (reportedly called PRISM) which goes back to President Bush in 2007, includes the British government, describes the approval from all branches of government and more.

The Internet companies named quickly denied many of the claims and urged more government transparency regarding national security programs, with responses like this from Facebook’s founder Mark Zuckerberg:

“Facebook is not and has never been part of any program to give the US or any other government direct access to our servers. ...”

I found these responses from technology companies regarding a lack of involvement to be totally unconvincing. While I believe what they said is likely to be “technically accurate,” I think their responses were very carefully worded. Notice words like “direct access” and “legal.”

OK, was there indirect access? Yes, you may need a court order, but do you provide the data or not? [Saturday update – suspicions confirmed - most companies have now acknowledged participation in the program.]

Expert Perspectives

So how I do view the new revelations? As I look back at the week, I really like the balanced view that New York Times columnist David Brooks provided on PBS on Friday.



 

Since I don’t have access to specific details of what privacy protections are in place now, I can’t be sure if our civil liberties are being protected under PRISM. Nevertheless, my overall view of this the current program is that the data is likely needed for national security reasons and appropriate privacy controls covering content are (likely) in place, since this is the bipartisan view inside the D.C. Beltway right now.

Perhaps just as important to me as the government’s Internet search for terrorists, are the articles describing the breadth and depth of monitoring that is already occurring online by many companies we trust every day.

For example, there were related stories this week that were mostly lost in all of the government monitoring headlines. Bloomberg reported that carriers sell user’s tracking data in $5.5 billion market. Here’s an excerpt:

“Phone companies already collect data on user location, as well as Web surfing and application use, to adjust their networks to handle traffic better. Two carriers, Verizon Wireless and Sprint Nextel Corp. (S), are just starting to make the data available to third-party companies in hopes of booking millions in sales. Worldwide, revenue from selling mobile-user behavior data may reach $9.6 billion in 2016, up from $5.5 billion last year, Walldorf, Germany-based SAP (SAP) estimated….

  … Privacy advocates say data protections don’t go far enough. ...”

And this tracking of data can get very personal and is often shared with business partners. There was even this article describing upcoming versions of Xbox which will be watching (via a camera) and reporting on the actions of game console users. 

Where is This Story Heading Next?

But I want to close this blog by zooming in on one point that was made by David Brooks. We know that mistakes are made with our data. Inadvertent disclosures that are corrected are inevitable -- but don’t bother me much. However, the potential for deliberate future targeting of innocent Americans with this big data concerns me.

For example, we currently have many unanswered questions in the ongoing IRS scandal. There are also questions regarding the use of reporter phone calls and FBI tracking of the media. All of this comes at the same time as The Guardian story breaks, leading to serious public fear regarding how this data could be used.

We can learn from history. During the military debates of the past, Americans were taught the importance of nuclear deterrence. Here is a relevant quote from the Orlando Sentinel in 1996:

“The late Gen. Lewis Walt, a great Marine, was fond of saying that what counts is capability, not intentions. Intentions can change overnight; capability cannot. The truth of that is evident.”

So what matters most in our new “mining big data” technology is not only current capabilities, policies and intentions. Along with David Brooks, I worry about how this big data will be used in the future as the technical capabilities are enhanced further – and intentions may change.

Furthermore, I am equally concerned about private companies collecting and using our data in new ways. It seems that as the pendulum swings more and more toward mining big data 24/7 with new technology, both the public and private sectors want to take advantage of our online surfing habits in more ways than yesterday. Will today’s privacy policy be replaced with a simple letter or perhaps even an email tomorrow?

Important questions on transparency include: What is the current monitoring policy? How will we be told if/when the policy changes? Just as with nuclear weapons, who controls the keys (decision-making)?

Bottom line: Mining big data works – to stop acts of terrorism and to sell products. Nevertheless, we need an open societal discussion on effective, ongoing controls. This is important to more than just a few groups who champion personal privacy. At stake are American freedoms, our liberty and our way of life.  

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.