Surveillance: A Taxonomy of Known Knowns and Known Unknowns

In the wake of the avalanche of revelations about the scope of domestic surveillance, several people have asked me to help them understand what is going on. So I put together this handy cheat sheet that hopefully explains the key issues.

This is a shorthand version of an explainer I presented last week at the Privacy Law Scholars Conference in Berkeley. With apologies to Donald Rumsfeld, I’ve broken it down into “Known Knowns” and “Known Unknowns.”

Patriot Act Surveillance

Known Knowns:

Who: Verizon, AT&T, and SprintNextel, according to reporting by Glenn Greenwald at The Guardian and The Wall Street Journal.

What: Records of every single domestic and international telephone call, including the location from which the call was placed, the serial number of the phone, the number dialed and the duration of the call, according to the court order obtained by the Guardian.

Where: Turned over to the National Security Agency daily, according to the court order obtained by the Guardian.

When: Ongoing for the past seven years, according to Senator Dianne Feinstein (D-CA).

Why: To “make connections related to terrorist activities over time,” according to the Office of the Director of National Intelligence.

How: The Foreign Intelligence Surveillance Court authorizes record collections with a court order every three months, according to Sen. Feinstein. Analysts are required to have “reasonable suspicion, based on specific facts, that the particular basis for the query is associated with a foreign terrorist organization” before querying the database of call records, according to the Office of the Director of National Intelligence.

Legal authority: Section 215 of the Patriot Act allows the FBI to order any person or entity to turn over “any tangible things” for “an investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution.”

Known Unknowns:

Is it legal? Senators including Ron Wyden and Mark Udall have accused the government of secretly reinterpreting the law.

What happens to innocent people’s data? It’s not clear.

Are some telecom companies refusing to participate? It’s not clear.

Does it prevent terrorism? Officials have pointed to two terrorist attacks that were flagged by this program: a New York City subway bombing plot that was foiled, and the Mumbai terror attacks, which were successful.

Have intelligence officials lied about the existence of the program? Maybe. Sen. Wyden has asked Director of National Intelligence James Clapper to explain his previous denials to Congress. Last year, National Security Agency Director Keith Alexander told Congress “we don’t have technical insights in the United States.”


PRISM Surveillance

Known Knowns:

Who: Microsoft, Google, Yahoo, Facebook, YouTube, Skype, AOL, Apple, PalTalk, according to slides obtained by The Guardian and The Washington Post.

What: Content of Internet communications including e-mail, chats, instant messages, according to the slides.

Where: The government can only use this capability to target persons “reasonably believed to be outside the United States” even though the electronic communications may travel through United States computer services, under the Foreign Intelligence Surveillance Act of 2008.

When: Since 2007, tech companies have worked to build systems that let the government collect this data, according to the slides.

Why: The government says it needs this capability to investigate terrorism, hostile cyber activities and nuclear proliferation.

How: The government must obtain a search warrant from the Foreign Intelligence Surveillance Court.

Legal Authority: Section 702 of the Foreign Intelligence Surveillance Act of 2008 authorizes the “targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.”

Known Unknowns:

Is this blanket surveillance? It’s not clear. Before the 2008 law was passed, the government had to identify the target of surveillance. The 2008 law allowed the government to issue “programmatic warrants” that are not based on the identity of an individual, but rather on broader criteria.

How is the data technically handed over? We don’t yet know all the technical details of how data is turned over to government. Companies have said they don’t provide “direct access” but that doesn’t preclude other ways of sharing bulk data. Google told Wired on Tuesday that it either provides information by hand or secure FTP.

What happens to innocent people’s data? The law requires the government to minimize the use of data about U.S. persons.


In Summary: The Patriot Act surveillance program is potentially illegal, officials may have lied about it to Congress and it collects information about nearly every single person in the United States. The Prism program is legal, is likely less broad and has some safeguards to protect innocent U.S. residents.

There’s a reason that former Department of Justice attorney Mark Eckenwiler, who specialized in electronic surveillance law, has suggested calling the Patriot Act surveillance program “Hoover.”



U.S. Terrorism Agency to Tap a Vast Database of Citizens


Top U.S. intelligence officials gathered in the White House Situation Room in March to debate a controversial proposal. Counterterrorism officials wanted to create a government dragnet, sweeping up millions of records about U.S. citizens—even people suspected of no crime.

Not everyone was on board. “This is a sea change in the way that the government interacts with the general public,” Mary Ellen Callahan, chief privacy officer of the Department of Homeland Security, argued in the meeting, according to people familiar with the discussions.

A week later, the attorney general signed the changes into effect.

Through Freedom of Information Act requests and interviews with officials at numerous agencies, The Wall Street Journal has reconstructed the clash over the counterterrorism program within the administration of President Barack Obama. The debate was a confrontation between some who viewed it as a matter of efficiency—how long to keep data, for instance, or where it should be stored—and others who saw it as granting authority for unprecedented government surveillance of U.S. citizens.

Read more at The Wall Street Journal and see the full privacy series.

New Tracking Frontier: Your License Plates

For more than two years, the police in San Leandro, Calif., photographed Mike Katz-Lacabe’s Toyota Tercel almost weekly. They have shots of it cruising along Estudillo Avenue near the library, parked at his friend’s house and near a coffee shop he likes. In one case, they snapped a photo of him and his two daughters getting out of a car in his driveway.

Mr. Katz-Lacabe isn’t charged with, or suspected of, any crime. Local police are tracking his vehicle automatically, using cameras mounted on a patrol car that record every nearby vehicle—license plate, time and location.

“Why are they keeping all this data?” says Mr. Katz-Lacabe, who obtained the photos of his car through a public-records request. “I’ve done nothing wrong.”

Until recently it was far too expensive for police to track the locations of innocent people such as Mr. Katz-Lacabe. But as surveillance technologies decline in cost and grow in sophistication, police are rapidly adopting them. Private companies are joining, too. At least two start-up companies, both founded by “repo men”—specialists in repossessing cars or property from deadbeats—are currently deploying camera-equipped cars nationwide to photograph people’s license plates, hoping to profit from the data they collect.

The rise of license-plate tracking is a case study in how storing and studying people’s everyday activities, even the seemingly mundane, has become the default rather than the exception. Cellphone-location data, online searches, credit-card purchases, social-network comments and more are gathered, mixed-and-matched, and stored in vast databases.

Read more at The Wall Street Journal and see the full What They Know series online.

Selling You on Facebook

Many popular Facebook apps are obtaining sensitive information about users—and users’ friends—so don’t be surprised if details about your religious, political and even sexual preferences start popping up in unexpected places.

A Wall Street Journal examination of 100 of the most popular Facebook apps found that some seek the email addresses, current location and sexual preference, among other details, not only of app users but also of their Facebook friends.

The Wall Street Journal, Page W1

Not so long ago, there was a familiar product called software. It was sold in stores, in shrink-wrapped boxes. When you bought it, all that you gave away was your credit card number or a stack of bills.

Now there are “apps”—stylish, discrete chunks of software that live online or in your smartphone. To “buy” an app, all you have to do is click a button. Sometimes they cost a few dollars, but many apps are free, at least in monetary terms. You often pay in another way. Apps are gateways, and when you buy an app, there is a strong chance that you are supplying its developers with one of the most coveted commodities in today’s economy: personal data.

Continue reading at The Wall Street Journal and see the full What They Know series online.

Google’s iPhone Tracking

Web Giant, Others Bypassed Apple Browser Settings for Guarding Privacy

The Wall Street Journal, Page One

Google Inc. and other advertising companies have been bypassing the privacy settings of millions of people using Apple Inc.’s Web browser on their iPhones and computers—tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked.

Read more at The Wall Street Journal and read the full What They Know series online.

Stewart Baker: Why Privacy Will Become a Luxury

Stewart Baker, the former assistant secretary for Homeland Security, talks with Julia Angwin about the need for balancing privacy rights with security concerns. In The Big Interview, Mr. Baker explains why privacy may one day be a luxury available only to the privileged and the rich.

Judges Weigh Phone Tracking


The Wall Street Journal, Page One

State and federal authorities follow the movements of thousands of Americans each year by secretly monitoring the location of their cellphones, often with little judicial oversight, in a practice facing legal challenges.

Electronic tracking, used by police to investigate such crimes as drug dealing and murder, has become as routine as “looking for fingerprint evidence or DNA evidence,” said Gregg Rossman, a prosecutor in Broward County, Fla.

The use of cellphone tracking by authorities is among the most common types of electronic surveillance, exceeding wiretaps and the use of GPS tracking, according to a survey of local, state and federal authorities by The Wall Street Journal.

Read more at The Wall Street Journal and see the full What They Know series online.

Secret Orders Target Email

WikiLeaks’ Backer’s Information Sought

The Wall Street Journal, Page One

The U.S. government has obtained a controversial type of secret court order to force Google Inc. and small Internet provider Inc. to turn over information from the email accounts of WikiLeaks volunteer Jacob Appelbaum, according to documents reviewed by The Wall Street Journal.

Read more at The Wall Street Journal and see the full What They Know series online.

Plus, more on, the little ISP that stood up to the government.

Latest in Web Tracking: Stealthy ‘Supercookies’

The Wall Street Journal, Page One

Major websites such as and have been tracking people’s online activities using powerful new methods that are almost impossible for computer users to detect, new research shows.

The new techniques, which are legal, reach beyond the traditional “cookie,” a small file that websites routinely install on users’ computers to help track their activities online. Hulu and MSN were installing files known as “supercookies,” which are capable of re-creating users’ profiles after people deleted regular cookies, according to researchers at Stanford University and University of California at Berkeley.

Read more at The Wall Street Journal and see the full What They Know series online.

Device Raises Fear of Facial Profiling

The Wall Street Journal, Page One

With this device, made by BI2 Technologies, an officer can snap a picture of a face from up to five feet away, or scan a person’s irises from up to six inches away.

Dozens of law-enforcement agencies from Massachusetts to Arizona are preparing to outfit their forces with controversial hand-held facial-recognition devices as soon as September, raising significant questions about privacy and civil liberties.

With the device, which attaches to an iPhone, an officer can snap a picture of a face from up to five feet away, or scan a person’s irises from up to six inches away, and do an immediate search to see if there is a match with a database of people with criminal records. The gadget also collects fingerprints.

Read more at The Wall Street Journal and see the full What They Know series online.