Digital Privacy: How It’s Being Eroded by Government Surveillance & Invasive Data Collection
One of the most shocking aspects of the September 11, 2001 terrorist attacks was that an attack of that scale was executed without any detection or preventative measures from the government. Those who were responsible for the attacks had even been living in the United States prior to the attack, and therefore the incredulous question the American people had towards the government was “How did you let this happen?” Obviously, the proper surveillance techniques and security measures were not working as thoroughly as intended, and reform needed to happen to protect the country and its people.
Unfortunately, the National Security Agency’s (NSA) response to the careless pre-9/11 surveillance techniques was an invasive, deeply undercover initiative approved by President Bush that would spy on, collect, and examine the digital data of millions of American citizens for years after 9/11 (MacAskill 5). The illegal nature of this top-secret initiative, the sheer scale of the surveillance techniques, and the shocking involvement of big-name American technology giants are only a few pieces of the bigger issue that Americans faced as a result of this initiative. The problem was that the average American’s digital privacy was being quickly, invasively, and secretly eroded by the American government through data collection.
In the weeks following 9/11, President George W. Bush authorized the NSA to conduct a “classified program to detect and prevent further attacks against the United States” (Choi 28). The intricacies of these “detection” programs evolved over time, as the program was revised, expanded upon, and re-authorized every 45 days (Choi 29). Eventually, the detection program spawned PRISM, a code-named NSA surveillance tool that secretly and evasively tapped into the servers of large U.S. internet companies including Google, Microsoft, Yahoo, and Apple, to name a few. PRISM covertly extracted audio and video chats, photographs, emails, and connection logs that analysts at the NSA and FBI used to track targets and suspects in and out of the United States (MacAskill 8, Peterson 253). Originally, the companies that had their data collected by PRISM had no knowledge of the program’s presence in their servers and did not agree to comply with the U.S. government. However, companies who worked closely with the NSA were revealed to be incentivized to comply because they became immunized by the Protect America Act of 2007 and the FISA Amendments Act of 2008 (Poitras). Ironically, these acts existed to protect the companies who voluntarily cooperated with PRISM against the punishments of allowing it to illegally access their servers (Greenwald 240, Shapley 1062).
Microsoft became the first company recruited by PRISM, and from 2007 to 2013 Microsoft gave the NSA access to web chats, emails, cloud storage, contacts, and video calls from its users on Outlook.com (Shapley 1062). Additionally, Microsoft provided the NSA with all the security vulnerabilities to its Windows computer operating system, meaning the NSA could remotely wipe all of a Windows user’s personal data from their computer and also make the computer completely useless and unable to power on (Shapley 1063). In the same vein, AT&T, one of the largest national providers of internet, phone, and cable services in the U.S., willingly cooperated with the NSA from 2003 to 2013 to provide billions of emails and phone calls for examination, and even the hardware necessary to wiretap the internet at the United Nations headquarters that used AT&T’s internet (Ivars 253).
After the oversight that occurred surveillance-wise with 9/11, the NSA began to realize the huge surveillance potential of being able to collect and analyze the entire country’s digital data, and additionally took advantage of three major digital developments to augment the reach of their new surveillance initiative. The first development was a massive increase in the creation and collection of huge amounts of personal data due to the records that all digital devices leave behind (Lin 1090). The digital age demanded that citizens remain connected all the time, and therefore they end up constantly uploading and leaving behind their personal data on the internet. Second, with the rapid globalization of the internet and the interconnected nature of the digital world, anyone in the world who could get legal or illegal access to an individual’s private digital information could also manipulate or use the information in any way they pleased (Lin 1091). Third, there was and still is a surprising lack of ways to protect physical data like our personal hard drives and even the servers of large internet companies, meaning there was also vulnerability in the analog world as well (Bowie 341).
The NSA exemplified a kind of sinister genius when taking advantage of these technological changes. It knew that by tapping into those three changes involving digital data and privacy, its goal of protecting America through surveillance and data collection could be accomplished faster. By making it easier for itself to obtain, store, and manipulate digital information, the NSA slowly amassed nearly full knowledge over the digital identities and private lives of all U.S. citizens. The biggest obstacle the NSA faced in the process of executing its surveillance initiative was that there was no sound legal way of obtaining digital information at a large enough scale to analyze and effectively prevent future attacks. This is perhaps the primary reason why the surveillance program was chosen to be kept secret from companies, citizens, and the majority of government officials alike. But as a U.S. government agency, the NSA knew that it could strong-arm even the biggest internet companies with the most diverse sources of digital data into giving up information if they resisted.
The original intention behind PRISM and the NSA’s various “partnerships” with tech giants was to protect the country through surveillance. The surveillance was originally carried out with very specific criteria, as the NSA was intentionally looking for phone calls from a specific region of interest or emails to a specific address (Shamsi 70). But over time, the NSA’s hunger for more data, more information, and more “thorough” surveillance techniques snowballed and transformed the intention of protecting citizens into spying on their every move. Simply put, the NSA began to collect data for the sake of collecting data, otherwise known as “data mining.” Data mining is a process of finding correlations, patterns, and trends by gathering data from thousands of different sources (Shamsi 71). With the ability to filter collected data based on contacts, phone numbers, emails, or texts and to additionally filter the data by keywords, the NSA believed they had to be as thorough as possible in order to “protect” the nation as much as possible.
The NSA and the U.S. government have a dangerous upper hand in today’s digital age with privacy in the public eye. Average citizens in the U.S. are sitting ducks for corporations and corrupt government agencies to mine their digital data. The specific ways a citizen can act to have more of a grasp on their own data are also vague, underdeveloped, and lack exposure. Edward Snowden’s leak of the NSA documents was the first crucial step forward in the improvement of digital privacy rights for the American people. According to Snowden himself, “I don’t want to live in a world where there’s no privacy and therefore no room for intellectual exploration and creativity. I can’t in good conscience allow the U.S. government to destroy privacy, internet freedom and basic liberties for people with this massive surveillance machine they’re secretly building.” Snowden’s words carry a heavy truth and a biting sense of urgency as well.
Several questions come to mind when considering the bigger picture of governmental surveillance and data collection. How long are we going to let the government proceed without supervision? How can we prevent future violations like the ones the government already committed with the NSA and PRISM? How can we increase transparency in how and why our data is being collected?
My proposed solution addresses all of the above. The United States needs to establish a Federal Privacy Agency (FPA). The FPA will be an independent agency in the executive branch, with members appointed by the President and confirmed by the Senate. It will operate much like the existing Federal Trade Commission and Federal Communications Commission, but for a different purpose. Members of the FPA will have the ability to publicly speak their minds on privacy legislation and reform, and would not be removed from office if they disagreed with the President or Congress. Former Chief Counsel of the House Committee on Government Operations Robert Gellman also proposed an FPA as an aid to digital privacy protection. Gellman specifies that the purposes of an FPA include publicizing the privacy decisions made by the government, investigating prior privacy violations, and proposing more effective, transparent rules and legislation by assisting the government and private sector with the data they collect through research (Gellman 1220).
The United States is at a serious disadvantage as a country without a data protection agency and a laundry list of privacy violations from the NSA. According to Gellman, over the years the United States has been represented at data protection conferences by personnel from numerous non-privacy related groups in the U.S. such as the Commerce and State Departments, Federal Trade Commission, and the Office of Management and Budget (Gellman 1230). He argues that “the adequacy of U.S. representation [in these conferences] has been mediocre, at best” because there is no consistency of representation from one department in the U.S. that specializes in privacy protection (Gellman 1231).
Gellman provides examples of successful foreign privacy protection agencies with a subsection titled “All the Other Kids Have One.” “Many governments around the world enacted data protection laws and established privacy agencies in response to concerns about the effects of technology, commercialism, and government on personal privacy,” Gellman says (Gellman 1225). He lists countries such as Canada, Australia, Hong Kong, and Argentina that have already established privacy protection agencies. The European Union (EU) in particular is the prime example of a modern country protecting digital privacy by forming a national data protection agency. Their agency is called the “Data Protection Directive,” and entails a crucial feature: each EU state member is required to have a “supervisory authority” from the data protection agency. This way, state members can be advised, guided, and checked by authorities who represent the country’s privacy protection policies and rules. Finally, the website for the EU privacy protection authority also provides research, policy analyses, advice, annual reports, and other materials to inform the public on new developments (Gellman 1184).
A U.S.-specific model that the Federal Privacy Agency would functionally emulate is the Civil Rights Commission (CRC) that Congress established in the Civil Rights Act of 1957. The CRC was independent, had many investigative functions to promote transparency, had limited powers, and dealt with a highly controversial subject that affected many Americans. Specifically, the CRC investigated complaints of civil rights violations, studied and collected information on civil rights movements and activism, and made appraisals of the laws and policies of the federal government. Members of the CRC were chosen by the President and confirmed by the Senate, and had to report annually to both the President and Congress. Even though the CRC had no authority to enforce any law, it was still able to contribute valuable guidance and information towards a national response to a pressing issue.
A central responsibility for the United States Federal Privacy Agency would be to promote the Fair Information Practices (FIPs). FIPs are the most widely recognized international principles for information privacy, and are significant in today’s world because they form the basis of most digital privacy laws in Canada and the EU. According to the World Privacy Forum, “Fair Information Practices are a set of principles and practices that describe how an information-based society may approach information handling, storage, management, and flows with a view toward maintaining fairness, privacy, and security in a rapidly evolving global technology environment.” They are:
Fair Information Practices
1. Collection Limitation: There must be no personal data record keeping systems whose very existence is secret.
2. Disclosure: There must be a way for an individual to find out what information about him is in a record and how it is used.
3. Secondary Language: There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent.
4. Record Correction: There must be a way for an individual to correct or amend a record of identifiable information about him.
5. Security: Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent the misuse of the data. (U.S. Dept. of Health, Education and Welfare, 1973)
The FPA’s true value resides in its ability to inform the general public by publicizing proposed privacy-violating techniques, and advising the government through the revision process. Since the government clearly maintains massive volumes of personal data for its own operations, the FPA would be obligated to put the government under scrutiny for how, why, and where the government collects its data. Had the FPA been formed prior to the proposed post-9/11 NSA surveillance techniques, several of the invasive methods could have been prevented or revised to be more aligned with the FIPs. Post-9/11, the FPA would have been able to bring into public eye how PRISM was formed, how it operated, and how it violated the second tenet of the FIPs: disclosure. The secrecy surrounding PRISM and its intricate methods of backdoor data collection is also in direct violation of the first tenet of the FIPs: collection limitation. Clearly, having an independent agency like the FPA that is able to do checks and balances on the privacy legislations of the rest of the government is an indispensable tool to encourage transparency in surveillance methods, digital privacy, and data collection. Only an independent agency like the FPA can criticize or disagree with the policies and practices of the executive branch, making it a must-have when considering how to approach surveillance reform. Whether the government or the private sector more strongly influences privacy policies in the U.S. depends on the point of view, but routine, unsupervised actions from both parties can have overwhelmingly negative effects on the privacy rights and interests of U.S. citizens.
As more countries beyond Gellman’s list begin to form their own privacy protection agencies, the U.S. should also recognize that a formal and dedicated agency like an FPA can be a helpful tool to address international privacy issues as well. An FPA will be vital for the U.S.’s success in the modern international sphere, since international privacy matters will soon need to be dealt with through the cooperation of the privacy-specific agencies of nations around the world. Promoting FIPs as one of the core values of the FPA is a way to help the U.S. conform to the already existing and established principles of the rest of the world by reducing the differences between foreign privacy agencies. The integration of the FPA to the network of numerous foreign agencies will be a streamlined step forward in eliminating PRISM-esque programs of equal secrecy and scale in the future of the U.S. (Gellman 1190).
With the combined purposes of publicizing and documenting digital privacy information like the Civil Rights Commission as well as promoting the protection of digital privacy through the FIPs, the FPA will serve as the public, factual voice of the status of data protection and digital privacy throughout the country. With its independence from the rest of the government, powerful groundwork laid by the Fair Information Practices, and ease of integration with the international privacy agencies, the FPA can point Congress and the President towards more transparent privacy policies for the country. No longer will the government recklessly approve invasive surveillance and data collection programs without the watchful eye of the United States Federal Privacy Agency.
Bibliography
Bowie, Norman E., and Karim Jamal. “Privacy Rights on the Internet: Self-Regulation or Government Regulation?” Business Ethics Quarterly, vol. 16, no. 3, 2006, pp. 323–342.
Choi, Paul. “NSA: Washington’s Best Kept Secret.” Harvard International Review 5.4 (1983): 28-29. Harvard International Review.
Gellman, Robert. “A Better Way to Approach Privacy Policy in the United States: Establish a Non-Regulatory Privacy Protection Board.” Hastings Law Journal 54 (2003): 1219-184. Hastings Law Journal.
Greenwald, Glenn. “Fisa Court Oversight: A Look inside a Secret and Empty Process | Glenn Greenwald.” Glenn Greenwald on Security and Liberty. Guardian News and Media: 235-290, 18 June 2013.
MacAskill, Ewan. “NSA Prism Program Taps in to User Data of Apple, Google and Others.” Ewan MacAskill on Security and Liberty. Guardian News and Media: 4-10, 07 June 2013.
Lin, Elbert. “Prioritizing Privacy: A Constitutional Response to the Internet.” Berkeley Technology Law Journal, vol. 17, no. 3, 2002, pp. 1085–1154.
Peterson, Ivars. “Keeping Secrets Secret.” Science News, vol. 120, no. 16, 1981, pp. 252–254.
Poitras, Laura. “U.S., British Intelligence Mining Data from Nine U.S. Internet Companies in Broad Secret Program.” The Washington Post. WP Company, 7 June 2013.
Shamsi, Hina, and Alex Abdo. “Advertisement.” Privacy and Surveillance Post-9/11 | Section of Civil Rights and Social Justice. American Bar Association: 36-80, 5 Feb. 2011.
Shapley, Deborah. “Telecommunications Eavesdropping by NSA on Private Messages Alleged.” Science, vol. 197, no. 4308, 1977, pp. 1061–1064.