Life is filled with trade-offs, and when it comes to keeping the country secure against terror attacks, Americans largely trust the government with broad access to personal data. Indeed, a recent Pew Research Center survey found that 56 percent of those polled favored the National Security Agency's previously undisclosed phone tracking activities compared with 41 percent who opposed letting the spy agency surveil phone records.
In making their case to the public, government officials tend to put the issue in black-and-white terms: Do you want to be responsible for a terrorist attack because the intelligence community failed to connect the dots because it couldn't get access to the data? After the failure to connect the dots prior to the 9/11 terror attacks, every office-holder now has extra incentive to avoid an intelligence failure of that magnitude on their watch. But exactly what privacy protections are Americans giving up? On Wednesday, NSA Director Gen. Keith Alexander gave testimony before the Senate Appropriations Committee but only spoke in generalities, making it difficult, if not impossible, for outsiders to ascertain the extent of the spy agency's access to the digital footprints of Americans.
In his testimony, Alexander stated that the secret collection of phone records from millions of U.S. citizens, via Section 215 of the Patriot Act, helped disrupt or stop dozens of terrorist attacks. "I want the American people to know that we're being transparent here," Alexander told the committee.
He wasn't forthcoming on the specific terrorist plots that were foiled, other than Najibullah Zazi's 2009 attempt to bomb New York subways, which he indicated was thwarted with help from the NSA's PRISM data tool, exposed in the leak by 29-year-old NSA contractor Edward Snowden. PRISM is apparently designed to collect and process "foreign intelligence" that passes through American servers.
Under section 702 of the Foreign Intelligence Surveillance Act (FISA), which was enacted in 2008, U.S. companies are required to comply with requests for information on non-U.S. citizens in investigations related to "prevention of terrorism, hostile cyberactivities, or nuclear proliferation."
Director of National Intelligence James R. Clapper stated last week that Section 702 "cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States." But the standard for determining the location of subjects can leave ample room for "unintentional" errors.
The major consumer Internet companies accused of opening their systems to the NSA in the initial coverage of the Snowden leaks refute any claims that they would bow to legally questionable uses of Section 215, and are asking the Department of Justice to clear their names by allowing for disclosure of surveillance request details.
Sen. Dianne Feinstein (D-Calif.), chairwoman of the Senate Intelligence Committee, stated that the "vast majority of the records in the database are never accessed and are deleted after a period of five years. To look at or use the content of a call, a court warrant must be obtained."
Following a classified briefing Wednesday about undisclosed NSA surveillance practices, Rep. Loretta Sanchez (D-Calif.) said, "What we learned in there is significantly more than what is out in the media today." She further said, "I think it's just broader than most people even realize, and I think that's, in one way, what astounded most of us, too."
Alexander said on Thursday that he would disclose next week some further data about the NSA surveillance practices to give the public a better sense of the value of the programs.
After the congressional testimony in open and closed sessions, it's still unclear exactly how much or what data the NSA has been vacuuming up from phone companies and the digital footprints of citizens, or precisely where the bar has been set for FISA courts to approve requests to access data on the servers of companies such as Google, Facebook, Microsoft, Apple, and Yahoo.
Whatever may be the actual level of NSA snooping, sucking in all the data from telephony and Internet services, or filling the sky with drones to watch everyone on the planet, isn't the most trust-inducing or efficient way to prevent terrorist attacks or even street crimes. Surely, the wizards of the NSA have less invasive techniques and can apply more precise targeting for finding the needles in the haystack than laying claim to the Internet.
At the same time, most U.S. citizens seem less concerned about what they expose online, and how companies like Google, Facebook, Amazon, Microsoft, and Yahoo use their data.
Yahoo, for example, collects data on more than 800 million visitors per month. This activity is detailed in the site's Terms of Service policy, which few actually read or understand. Like Google and most Internet mail providers, Yahoo will "scan and analyze all incoming and outgoing communications content sent and received from your account" and use your account profile information to "match and serve targeted advertising" to you.
Yahoo's general policy states:
Yahoo! collects personal information when you register with Yahoo!, when you use Yahoo! products or services, when you visit Yahoo! pages or the pages of certain Yahoo! partners, and when you enter promotions or sweepstakes. Yahoo! may combine information about you that we have with information we obtain from business partners or other companies.
When you register we ask for information such as your name, email address, birth date, gender, ZIP code, occupation, industry, and personal interests. For some financial products and services we might also ask for your address, Social Security number, and information about your assets. When you register with Yahoo! and sign in to our services, you are not anonymous to us.
Yahoo! collects information about your transactions with us and with some of our business partners, including information about your use of financial products and services that we offer.
Yahoo! automatically receives and records information from your computer and browser, including your IP address, Yahoo! cookie information, software and hardware attributes, and the page you request.
Yahoo! uses information for the following general purposes: to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients.
Of course, the Internet services have Terms of Service about confidentiality and security pertaining to access by employees to user data. Yahoo, for example, states: "We limit access to personal information about you to employees who we believe reasonably need to come into contact with that information to provide products or services to you or in order to do their jobs."
And certainly, it's in their best interest to maintain as much trust as possible with users. Nothing sours one more than a breach of trust, whether it's a bank with your money, a friend with your secrets, or Internet services at the center of your digital life.
So in a world where privacy is becoming an illusion for anyone on the grid, it comes down to a question of trust. If a low-level Booz Allen Hamilton consultant with a high-level security clearance can expose top-secret materials, your personal data living in Facebook's servers or your company's IT department could be compromised by a rogue employee with legitimate access to the data or a cunning cyberthief. As Benjamin Franklin famously said, "Three may keep a secret, if two of them are dead."