A Crash Course in the NSA Programs and the Fourth Amendment

A divide is now presenting itself in the disparate responses to right-wing nutjob Ed Snowden playing the Left with respect to NSA's perfectly legal, court- and Congress-supervised communication data gathering program. The people who are up in arms about politics don't seem to understand technology, and the technology nerds obviously have little idea about government, laws or rights. So the two sides - the politically clueless tech nerds and the technically clueless political screamers - have come together to launch this "Restore the Fourth" campaign, a play on both the Fourth Amendment and the Fourth of July.

The disinformation - or if you prefer a more benign term, misunderstanding - has spread right to the heart of this "Restore the Fourth" so-called 'movement.' Here is how they describe the PRISM program, the center of this controversy:

According to the Washington Post, Nine major Internet companies allegedly opened their servers to government surveillance: Google, Microsoft, Yahoo!, Facebook, PalTalk, YouTube, Skype, AOL, and Apple.

Except that the Washington Post later modified its report after it was clear that the companies did not "open their servers." But none of the political activists seem to be explaining the precise nature of data gathering programs, and people who do understand the programs technologically have a grave misunderstanding of the law. Let's address them one by one.

The technologically clueless political hotheads

Way too often, people take any data gathering operation by a government to mean 'spying.' In addition, a lot of the opposition seems to be coming from a sentiment that is entirely anti-surveillance. Surveillance is not, of course, all bad. The cameras in your local mall's parking lot are surveillance equipment, but they are not spying on you. In fact, I remember a few years ago, a ton of liberals (myself included) demanded that Wal-Marts institute better surveillance in their parking lots. We complained not just because some Wal-Mart parking lots lacked adequate surveillance equipment (and as a result, shoppers were falling victim to crimes), but we faulted them for not having anyone monitor the cameras! Liberals did that! And it was the right thing to do.

Of course, Wal-Mart parking lots are publicly available spaces, and Wal-Mart spying on those (yes, the monitoring would be considered spying, not just surveillance) is not held to the same standard that applies to the government collecting personal data. But you don't have to be scared every time you hear the word 'surveillance.'

There are two programs we are talking about here: the first is the collection of metadata on calls (the Verizon call collection). Huh? It means the government is collecting information on the numbers being called (to and from), and the length of the calls. They are not collecting any information on who the numbers belong to, nor the content of the calls. In other words, the NSA data dump has the information that 202-555-7777 called the number 415-555-8888 on June 17 for 5 minutes, but the data dump has no idea who either of the two numbers belongs to, nor what was said. If they want to know, they have to go to a federal court and get a warrant. The NSA can sift through this metadata, and in case they come across a telephone number being called or answered by a known terrorist (that they know through a different, legitimate, legal means, not by claiming it so) - i.e. a phone number match - they can ask a federal judge for a warrant to wiretap.

The second, and perhaps the more controversy-generating, is a set of Internet data gathering programs, with something named PRISM getting the most attention. Data is only collected under PRISM against specific foreign targets. This data collection effort and the specific target must be signed off on by the Director of National Intelligence (DNI) and the Attorney General (AG), as well as authorized by an order from the Foreign Intelligence Surveillance Court (FISC). Under these court orders, specific providers turn over communications logs that are asked for. The FISC orders aren't fourth amendment warrants, since the targets, non-US persons living abroad, do not enjoy the broad protections of the 4th Amendment.

An associated program is called BLARNEY, which I suspect many people are confusing with PRISM when they accuse the government of building some sort of a massive Internet surveillance database. According to both Wikipedia and the original Washington Post story on the subject, BLARNEY gathers metadata on Internet communications - meaning IP addresses and end points, but not personal data nor content - as traffic travels through "choke-points" (when data jumps from one server to another). Think of BLARNEY as the phone metadata program described above, except only for Internet traffic. Because no private entity owns these "choke-points", the government does not need to subpoena anyone to obtain this metadata. Because no content or personal information is being collected, it does not require a warrant.

BLARNEY and PRISM are meant to work in concert. It is possible, for example, that the NSA could search the metadata collected through BLARNEY for an IP address commonly used by (or communicated to by) a known foreign target, in which case it would have evidence to ask the FISC for an order under PRISM to get the communications providers to turn over the actual contents of the data. It is also possible that, should an investigation through BLARNEY and PRISM determine that there are enough grounds to warrant targeted surveillance against someone in the US, the government could take that evidence to a federal court in order to obtain a warrant under the Fourth Amendment.

And this brings us to the politically clueless technologists.

The politically clueless technology nerds

All this collection somehow seems contrary to principles of privacy and specifically, the fourth amendment, right? That's the question the politically clueless technologist asks because he understands how the programs work technically (though he may want to read the above to see what the legal steps are) but is utterly stunned as to how this is possible under the protections of the US Constitution and its fourth amendment. The answer lies, ironically, within the fourth amendment itself.

The text of the fourth amendment to the US Constitution reads as such:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The focus is, of course, on the 'unreasonable searches and seizures' phrase. Only, none of the programs discussed involve any search at all against any US person (that means any American citizen as well as anyone else present in the United States) without a fourth amendment warrant, as I have described above. All personal communications data (including content) obtained under these programs are obtained against foreign targets, and even those are obtained with a court order (though not a warrant). If the government wants to target an American because of evidence it becomes aware of through those programs, it still has to go back and get a fourth amendment warrant.

But what about the metadata that the government is collecting on nearly all the communications? Isn't that a violation of the fourth amendment? No, it's not. Read the text of the amendment again. Let's go through it quickly. The protection against unreasonable searches and seizures applies to:

  • One's person - that is, you cannot be arrested without a warrant.
  • One's houses, papers and effects - broadly interpreted to mean property that you own or lease (or house within whatever it is you own or lease) cannot be searched or seized without a warrant. It could only reasonably apply if the collection can identify that you own it, which metadata cannot. Furthermore, you do not own or lease your metadata (i.e. your phone number, IP address etc) the same way that you own or lease your home or tangible property.

The United States Constitution is history's most resilient governmental document. But it was written at a time when big data was beyond human grasp. The framers knew that they were writing a document that they wanted to survive well into the future, and for that, they vested in a government - predominantly, Congress - the authority to apply the Constitution's protections and authorities appropriately for a given age. Of course, even in the age of big data and online communications, the notion of privacy and protections against prying, overzealous government eyes must apply. But it is foolish not to acknowledge either the explosion of data or the increased threat because of the wonders of great quantities of data traveling over great distances at the speed of light.

The conclusion: the debate on policy must stand on its own merits.

And so, our policies must adapt. We can of course provide a concept of privacy that extends beyond what is firewalled by the Constitution. If we think that all metadata is private property, we can put that into law, but let's realize that it's not required by the Constitution. If we want to ensure that all the fourth amendment protections apply to foreigners and the government has to get a warrant to collect communications information on foreign targets and not just a FISA court order, we can amend the Foreign Intelligence Surveillance Act.

But that is a question of policy to be debated through the legislative process. That is not a question of the constitutionality or current law. Nor should we be having that debate under the fog of fear or of accusations against the current government of violating our Constitutional rights when no such thing has happened and when it has operated entirely under law. If we want that debate, we must have that debate independently of canonizing a traitor, and those who want to advocate these extra-tight policies must justify them without the rhetoric about how your government is coming to get you.

This debate must start with educating the technologists about the legal principles and the political activists about the technology. This debate must find balance between the principle of protecting privacy and the need to gather intelligence in the context of the information super highway about threats, keeping in mind that time is of the essence.

If the debate disintegrates into shouting matches and misinformation campaigns to see who's the loudest, no one will benefit.