Why I’m Really Not That Bugged About PRISM

16 June 2013, 5:59 am

I’ve been thinking about this a lot, and the conclusion I eventually came to really startled me.

TLDR: The more communications data is recorded, the less scrutiny any of it gets.

Disclaimer: I have a longstanding amateur interest in cryptography and cryptanalysis; I’ve read a few books. I’ve never held a security clearance nor worked in intelligence. It’s entirely possible that classified information exists that invalidates my conclusions. These opinions are solely mine and do not represent those of any employer, past or present.

Thought experiment: What if the NSA actually recorded every single phone call to, from, or within the United States? It couldn’t listen to all those phone calls unless it had as many people to do that listening as to make the calls in the first place. Orwell’s nightmare society’s repression succeeds not because it has some technological genie, but because its government has the luxury of virtually limitless manpower: anyone could an informer. The resources of our intelligence agencies are significant, but they are finite.

Data storage, indexing, and retrieval is a hard problem. The more data you store, the bigger the problem is.

Algorithmically identifying “interesting” conversations based on their content is an extremely hard problem. I don’t believe that we currently have (or will soon have) automatic analysis that can reliably distinguish between innocent people discussing the plot of 24 and a terrorist plot. (Identifying ‘interesting” conversations based on “interesting” attributes (between “interesting” parties, across international borders to places with possible state sponsorship/tolerance of “interesting” organizations) is far more reliable. But reviewing the actual content of those conversations gets harder — exponentially, I think — as the number of potentially “interesting” conversations goes up.

If (and I think it’s a very big “if”) the descriptions of PRISM are essentially accurate, then I would guess it works something like this:
* There’s a constrained set of targets under actual active, like-you-see-it-in-the-movies surveillance. As in The Wire, these are known small fish strung along in the hopes of landing bigger fish.
* There’s a much broader set of communication that’s captured in some form (more envelope/metadata than actual content, some of both)
* There’s some filtering for keywords of current interest, and that elevates some set of the analyzed communication into the constrained set of active surveilled targets
* A lot of communication is analyzed in greater depth only in retrospect. Empirical evidence suggests that the Tsarnaevs, for instance, were below the threshold for active surveillance until they actually did something. But at that point if any communications to or from them had been stored, they became extremely interesting and subject to intense scrutiny and analysis. (Hopefully/presumably some parties cross the active surveillance threshold before executing their plans.)

And I conclude that, even if you have something to hide, the chances that anyone is actually paying attention are slim, unless you call attention to yourself.

Most of the concerns I’ve seen people express seem to center around one of two things:
* Prosecution for things that aren’t currently legal (growing pot; stuff that happens in bedrooms in some states)
* Persecution for things that are legal (civil disobedience; stuff that happens in bedrooms in some some states) but which a non-trivial segment of the populace disapproves of or disagrees with

As far as legality goes, the great thing about a democracy is that we can change what’s legal.

As far as persecution for things that are legal, I think the risk is for intelligence agencies to set and follow their own agendas independent of policy dictated by the executive branch.

I do think we should take steps to minimize this risk — I’m in favor of transparency about the number and categories of requests made, and I’m strongly in favor of due process and oversight around all privacy-violating data requests. But I would also note that even professional CIA gadfly Philip Agee — writing about the pre-Church Committee period, yet — maintained that the Agency did not set its own policy.


Comments are subject to moderation. Unless you have been whitelisted, your comment will not appear on the site until it is approved. Links are allowed for whitelisted commenters; images are not permitted.