At 11:59 p.m. on November 29, 2015, the National Security Agency officially ended its much-criticized 14-year dragnet of American phone-call metadata. Established under Section 215 of the post-September 11 Patriot Act, the program collected information on the numbers involved in phone calls and the calls’ durations (although not their content), for almost every mobile device in the country. Though it was ostensibly anonymous data, privacy activists have pointed out that with the right network analysis and cross-referencing of phone number directories, this metadata could be pinned to individuals, building a world of detailed information about them. Combined with the fact that the program was the first and best-known story to emerge from Edward Snowden’s 2013 NSA leaks, the agency’s metadata vacuum became the embodiment of the intelligence sector’s misguided overreach, failing to balance security and liberty, and with very little to show for it. So for many the program’s death was cause for celebration.
The victory seems even sweeter because it represents rising awareness about and support for robust privacy guarantees, thoughtfully balanced with restrained security policies. Mandated this June with the passage of the USA Freedom Act, a legislative response to Snowden-era revelations on phone metadata collection, the program’s closure signals that politicians now feel secure and justified in combating excessive intelligence programs. The fact that the curtain drop went off without a hitch soon after the terrorist attacks in Paris, which led to knee-jerk calls to extend the program for two more years (just in case), speaks to the resilience of this critical sentiment. Noting that recent legislation has opened the door to other surveillance reforms and greater intelligence-world transparency, many hope that this gain is a sign of more to come.
Yet it may not be time to party with the wild abandon of the unwatched now, or to put our faith in a supposedly changing current. The United States still has many questionable active security and intelligence programs, some that we’re aware of and many that we don’t yet know about. Few of these programs are set for rescindment or restriction anytime soon. Understanding and (if necessary) curbing these programs will require continued, perhaps eternal, dedicated pressure by the public and privacy activists alike.
Many other programs outlined by Snowden’s leaks and in other reports, court cases, and official disclosures are still on the books, illustrating the fact that more work needs to be done to address American privacy deficits. We don’t even have a full grasp on the still-opaque extent of the security and intelligence world’s activities; some point out that the USA Freedom Act may have just touched a fraction of wider telecom dragnet programs. Not only that, but the two-year-old data we’re acting against now is likely obsolete when compared to the reality of emerging data-gathering programs. We do know that existing initiatives like PRISM, which collects internet data, although not directed against Americans (and thus not as galling to us), does have a tendency to nevertheless scoop up a lot of information about U.S. citizens. Data collected incidentally on Americans is supposedly subject to a host of restrictions. But given the scale of data involved, the amount of wiggle room the security and intelligence sector usually manages to find for itself, and the lack of scruples shown in the past, it seems inevitable that there are probably still privacy violations that would make most Americans uncomfortable.
But it’s not just the wider, weirder, and more diffuse operations that we should be turning to after our brief victory. We need to also remain aware that the NSA and similar agencies have a tendency to fill gaps created when they close down data collection programs, often in ways that actually provide them more leeway in action. This trend was made manifest last month when The New York Times ran a story explaining how the NSA, despite ending a program that collected information on Americans’ emails in 2011, just shifted to piecing together data from other operations. This shift resulted in the organization taking an even more liberal scope in collecting information stored in foreign locales, to effectively collect similar information on the cheap and with less oversight. We’ll have to wait and see whether the new, restrained version of the metadata program (which allows access to six months’ info at a time for limited groups of people with permission), operates responsibly and transparently, or just contributes to the ever-shifting roster of questionable practices.
We also ought to be aware that our victory in the metadata program doesn’t mean that hawks, well-meaning or otherwise, won’t pressure to expand surveillance into new and even more worrying sectors. In the wake of the Paris attacks, we’ve seen that old tendency on display as all manner of surveillance advocates and politicians use the attack to promote crackdowns on end-to-end encryption. A system in which content is locked—very securely—on one device and unlocked only on the other side (and not stored in accessible form somewhere in between), encryption is one of the most powerful tools for privacy left in the digital world. And intelligence officials now allege that this ability to go dark, combined with the kind of transparency that leaks like Snowden’s provided, played a key role in allowing an attack like the recent assault in Paris to develop. As such, these intelligence proponents are pushing hard for a back door in secure data delivery services through which they could decrypt communications for the “right” cause.
All of that’s to say that the metadata victory is a relatively tiny one compared to all the other current programs, weaselly workarounds, and future surveillance goals of the security and intelligence worlds. But that doesn’t make it an utterly symbolic token gesture. The precedent set by this rollback not only shows there’s enough popular outrage to inspire action against undue surveillance if the right concerns are publicized and highlighted. It also gives us a sense of where decision makers are ready to draw lines about legitimate versus illegitimate surveillance. Namely, the metadata program’s closure was helped along by a presidential review that showed the program failed to lead to even one clear counterterrorism breakthrough. This suggests that so long as we can argue that a program has a low enough yield, especially relative to the infringements it places upon Americans’ liberties, we at least have a case to push back against it.
This can be of great help in opposing pushes for back doors to encrypted channels. Recent reporting on the Paris attacks suggests they were largely planned and carried out with little surveillance evasion in mind, much less the proactive use of encrypted messages. Plus, industry experts are crawling out of the woodwork to explain how creating back doors to encryption would open up all sorts of new dangers by which malicious actors, terrorist or otherwise, could use those same channels to endanger everything from e-commerce to major research and development projects. Strong arguments about the risk, limited reward, and viable alternative forms of surveillance can limit the effectiveness of post-crisis appeals to expand spying in the same willy-nilly way we’ve done in the past—as with the creation of the metadata program.
It’s not always easy to make an effective case against surveillance, especially when we don’t know the full scope of operations at work. But in a way, it’s our job to keep trying. Even though some surveillance is acceptable-to-necessary in the modern world (by most people’s reckoning), we have to recognize that there will always be an impulse within certain organizations to overreach. That makes sense because these organizations are vested with the mandate to improve security. It’s up to us to push back and define the borders to which we’re willing to let those mandates run by advocating for our own privacy and liberties. That border doesn’t get drawn and resolved through one major victory; as long as there is surveillance, terror, and pain in the world (read: forever), the push and pull between our self-advocacy and the intelligence world’s mission creep will continue. Victories like the end of the phone metadata program aren’t solutions to pat ourselves on the back over and walk away from. But they are heartening reminders that we can push back effectively, and set a precedent by which we can learn to do so more effectively in the future. They’re the fuel that can keep us going as we draw out more information about America’s surveillance ecology and react to it in the name of our rights and self-interests. And that’s something, even if it is part of an essential, never-ending struggle to achieve balance.
