Surveillance: A Taxonomy of Known Knowns and Known Unknowns

Posted on June 11, 2013 by juliaangwin No Comments ↓

In the wake of the avalanche of revelations about the scope of domestic surveillance, several people have asked me to help them understand what is going on. So I put together this handy cheat sheet that hopefully explains the key issues.

This is a shorthand version of an explainer I presented last week at the Privacy Law Scholars Conference in Berkeley. With apologies to Donald Rumsfeld, I’ve broken it down into “Known Knowns” and “Known Unknowns.”

Patriot Act Surveillance

Known Knowns:

Who: Verizon, AT&T, and SprintNextel, according to reporting by Glenn Greenwald at The Guardian and the The Wall Street Journal.

What: Records of every single domestic and international telephone call, including the location from which the call was placed, the serial number of the phone, the number dialed and the duration of the call, according to the court order obtained by the Guardian.

Where: Turned over to the National Security Agency daily, according to the court order obtained by the Guardian.

When: Ongoing for the past seven years, according to Senator Dianne Feinstein (D-CA)

Why: To “make connections related to terrorist activities over time,” according to the Office of the Director of National Intelligence.

How: Foreign Intelligence Surveillance Court authorizes record collections with a court order every three months, according to Sen. Feinstein. Analysts are required to have “reasonable suspicion, based on specific facts, that the particular basis for the query is associated with a foreign terrorist organization” before querying the database of call records, according to the Office of the Director of National Intelligence.

Legal authority: Section 215 of the Patriot Act allows the FBI to order any person or entity to turn over “any tangible things” for “for an investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution.”

Known Unknowns:

Is it legal? Senators including Ron Wyden and Mark Udall have accused the government of secretly reinterpreting the law.

What happens to innocent people’s data? It’s not clear.

Are some telecom companies refusing to participate? It’s not clear.

Does it prevent terrorism? Officials have pointed to two terrorist attacks that were flagged by this program: a New York city subway bombing plot that was foiled, and the Mumbai terror attacks, which were successful.

Have intelligence officials lied about the existence of the program? Maybe. Sen. Wyden has asked Director of National Intelligence James Clapper to explain his previous denials to Congress.  Last year, National Security Agency Director Keith Alexander told Congress “we don’t have technical insights in the United States.”

 

PRISM Surveillance:

Known Knowns:

Who: Microsoft, Google, Yahoo, Facebook, YouTube, Skype, AOL, Apple, PalTalk, according to slides obtained by The Guardian and The Washington Post.

What: Content of Internet communications including e-mail, chats, instant messages, according to the slides.

Where: The government can only use this capability to target persons “reasonably believed to be outside the United States” even though the electronic communications may travel through United States computer services, under the Foreign Intelligence Surveillance Act of 2008.

When: Since 2007, tech companies have worked to build systems that let the government collect this data, according to the slides.

Why:  The government says it needs this capability to investigate terrorism, hostile cyber activities and nuclear proliferation.  

How: The government must obtain a search warrant from the Foreign Intelligence Surveillance Court.

Legal Authority: Section 702 of the Foreign Intelligence Surveillance Act of 2008 authorizes the “targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.”

Known Unknowns:

Is this blanket surveillance? It’s not clear. Before the 2008 law was passed, the government had to identify the target of surveillance. The 2008 law allowed the government to issue “programmatic warrants” that are not based on the identity of an individual, but rather on broader criteria.

How is the data technically handed over? We don’t yet know all the technical details of how data is turned over to government. Companies have said they don’t provide “direct access” but that doesn’t preclude other ways of sharing bulk data. Google told Wired on Tuesday that it either provides information by hand or secure FTP.

What happens to innocent people’s data? The law requires the government to minimize the use of data about U.S. persons.

 

In Summary: The Patriot Act surveillance program is potentially illegal, officials may have lied about it to Congress and it collects information about nearly every single person in the United States. The Prism program is legal, is likely less broad and has some safeguards to protect innocent U.S. residents.

There’s a reason that former Department of Justice attorney Mark Eckenwiler, who specialized in electronic surveillance law, has suggested calling the Patriot Act surveillance program “Hoover.”

 

 

Why I’m unfriending you on Facebook

Posted on February 12, 2013 by juliaangwin 74 Comments ↓

I have 666 friends on Facebook. By next week, I hope to have none.

I am going to spend this week “unfriending” all of my Facebook friends because I have come to believe that Facebook cannot provide me the level of privacy that I need. And yet, I am not quitting entirely because I believe that as an author and a journalist, it is important to have a Facebook presence.

My specific concern with Facebook is what NYU Professor Helen Nissenbaum calls a lack of “contextual integrity,” – which is a fancy way of saying that when I share information with a certain group or friend on Facebook, I am often surprised by where the data ends up.

Professor Nissenbaum argues that many online services – of which Facebook is simply the most prominent example –share information in ways that violate the social norms established in offline human relationships.

For example: In real life, even if I am friends with someone, I don’t necessarily want to join their book group or cooking group etc. But on Facebook, my friends can join me to a group without my permission, and my membership in that group is automatically made public.

This is no small thing: this exact feature is what caused two University of Texas students to be outed to their parents, when the president of the Queer Chorus joined them to a Facebook group.

Although I am not worried about being outed, I am a journalist who needs to protect my sources, my relationships and my affiliations from public scrutiny. I am also, quite simply, a human who doesn’t want to be shocked by information about myself that I cannot control. And so, I plan to spend this week unfriending all my Facebook friends.

I did not come to this conclusion easily. I have long struggled with the right approach to Facebook.

I joined Facebook on June 26, 2006, back when it was still only available to people with university e-mail addresses. In fact, I signed up for an alumni address from my college just for the purpose of joining Facebook.

My motivation was primarily journalistic: I was researching a book about the social network MySpace and needed to understand the social networking landscape. But I also enjoyed the thrill of reconnecting with friends from high school and college.

But like many Facebook users, I felt burned when in December, 2009, Facebook unilaterally changed all users’ default privacy settings to encourage sharing information to the entire world instead of just ‘friends.’ My list of friends was automatically made public – which is a terrible problem for journalists who may have befriended sources that could be betrayed by disclosure of the relationship.

Outraged, I wrote a column declaring that Facebook had betrayed the confidential nature of friending, and that I was going to treat it as a public forum like Twitter. I opened up my profile entirely; I began accepting all friend requests (even really creepy ones) and scrubbed my profile clean of any personal details. (Facebook later agreed to settle charges brought by the Federal Trade Commission, which alleged that Facebook’s actions were unfair and deceptive).

The technical name for my approach to Facebook was “privacy by obscurity.” By burying good data (my actual relationships) amidst bad data (people I didn’t know), I aimed to shield my relationships from unwanted scrutiny.

However, privacy by obscurity made Facebook almost unusable. My news feed was cluttered with updates from people I didn’t know. Many of my new ‘friends’ were joining me to groups and sending me spam. Slowly but surely, I started using Facebook less and less. Last year, I didn’t post a single update all year.

Now I am researching and writing a book about online privacy, Tracked, to be published next year. In my book, I aim to answer two questions: why does privacy matter? And what should we do about it? To answer the second question, I’ve been trying out several privacy-protecting measures, such as blocking Web tracking technology and setting up new online identities.

But I’ve been struggling to figure out what to do about my long-neglected Facebook account. My privacy by obscurity approach had only netted spammers and made Facebook annoying to use.

I considered trimming my friends list to a bare minimum (as Fred Wilson successfully did), but I realized that I don’t actually keep up with my closest friends and family on Facebook (we use email, texting and phone).

I considered giving up on privacy by obscurity and actually using Facebook to keep up with people I know. But that would require me to trust Facebook to protect my list of friends. I dug around on Facebook’s privacy settings, and found that it still doesn’t allow you to completely protect your list of friends. If you share a friend with someone, your mutual friend will be displayed to both of you.

For a journalist, even that amount of disclosure is too much: Imagine a low-level employee of an institution who befriends a journalist to share information. If official spokesman for that same organization notices that he or she shares a “mutual friend” with a journalist, that disclosure amounts to outing the employee as a source. So that argued against reducing my list of friends to people with whom I actually have a relationships.

I considered just deleting my profile. But I realized I was going to miss three things about Facebook: 1) I like being able to be send private messages to people through Facebook when I don’t have their latest contact information; 2) I like being notified when I’m tagged in a photo or in a post (usually so I can request being untagged); and 3) As a journalist and author, I would like to be ‘found’ by people who want to read my writing.

And so I’ve decided to unfriend everyone and keep a bare-bones profile for the simple purposes of messaging, untagging and being found by people who might want to find me.

For those who I am unfriending, apologies in advance. As bizarre as it sounds, I am actually trying to protect the contextual integrity of our relationship.

Announcing My Next Book: Tracked

Posted on July 11, 2012 by juliaangwin No Comments ↓

I’m very excited to share with everyone the announcement of my new book, which was posted on Publishers Marketplace this week:

Wall Street Journal senior technology editor and author of STEALING MYSPACE Julia Angwin’s TRACKED, investigative journalism on the importance of understanding and preserving electronic privacy in the age of social media and pervasive surveillance by marketing firms, retailers, credit monitors, government agencies, and snoops of all kinds, to Paul Golob at Times Books, at auction, by Todd Shuster at Zachary Shuster Harmsworth Literary Agency (NA).

Upcoming Events
Twitter