Since media reports revealed that National Security Agency is collecting millions of Americans’ telephone records as well as data from the servers of major technology firms, there have been discussions in the public square about the relationship between the government’s efforts to protect national security and citizens’ expectations about the privacy of their personal data.
President Obama and leaders in Congress have defended these efforts, declaring that they have prevented terrorist attacks, and there is evidence of public support: A survey, by the Pew Research Center and the Washington Post, found a majority of Americans (56 percent) say the telephone tracking system “is an acceptable way for the government to investigate terrorism,” compared to 41 percent who oppose it. The American Civil Liberties Union, meanwhile, has filed suit challenging the constitutionality of the NSA phone program.
While there is much to learn about the surveillance efforts, and their relevance to the lives of individual citizens, there are also questions that business managers need to think about. The report below summarizes the issues and shares website links to media reports and other resources where you can learn more.
What do we know about the government surveillance program?
There are two components to the surveillance program initially reported by The Guardian. One component involves an order issued by the Foreign Intelligence Surveillance Court (FISC), whose proceedings are secret, to the FBI in April, which requires Verizon to give the National Security Agency (NSA) information on all phone calls in its system on a daily basis until July 19. The issuance of the court order has been confirmed by President Barack Obama and Mike Rogers (R-Mich.), chairman of the U.S. House of Representatives Intelligence Committee.
The second component is an NSA program called Prism. That program, first revealed in The Washington Post, is reportedly collecting information by tapping into the servers of Google, Apple, Microsoft, Facebook and other tech companies. If Prism is sucking information from those companies’ servers, it’s doing so without the companies’ knowledge. All the companies deny participating in any program that gives the government direct access to their servers, although all acknowledge complying with court orders compelling information from them.
Those orders include orders issued under the Foreign Intelligence Surveillance Act (FISA). FISA allows the government to collect data and communications of people rising outside the Unites States and communications between a person living in the U.S. and communicating with someone living abroad. Anyone receiving a FISA order is barred by law from talking about it. Google, however, wants to make aggregate information about the orders it has received public and has asked the U.S. Department of Justice to do so.
What kind of data is being collected?
Under the FISC order, Verizon is compelled to turn over to the NSA the phone numbers of both parties on a call, location data, time of call, call duration and unique identifiers. Actual conversations are not covered by the order.
Specifics of what information Prism is reportedly siphoning from Google and other technology companies hasn’t been identified. It’s known, however, that the companies maintain mountains of data about their users—emails, chat logs, photos, buying habits, Internet searches and such — largely used for marketing purposes.
What can that data tell analysts?
The “metadata” gathered from Verizon, although not personally identified, can actually tell investigators more than the content of the communications that produces them. If you can track who someone calls and who they called calls, you can often determine what’s going on without the voice calls themselves, Susan Landau, author of “Surveillance or Security” told The New Yorker. A pattern of calls among the executives of a company could tip off a merger or acquisition, for example, or reveal a reporter’s conversations with a whistleblower.
As anyone who has watched “The Wire” knows, analog surveillance can be a labor-intensive task. That limits its scope to individuals. With a data mining operation like Prism or the Verizon order, the NSA has the ability to snoop on the entire country.
And it doesn’t take a lot of metadata to assess social relationships. Kieran Healy, a sociology professor at Duke University at its Kean Institute for Ethics, wrote an essay on the topic using data about tavern meetings and other gatherings among residents of Boston in the 1770s. Healy demonstrated how a British investigator could have used that data and statistical techniques from today to identify Paul Revere as a person of interest.
What kinds of tools are required to get such insights?
The Guardian has posted a PowerPoint slide indicating that analysts in the Prism program are looking at “upstream” data traveling via infrastructure providers and well the data collected from the servers of technology companies to find correlations and recognize activity patterns.
While specifics about the text mining tools and algorithms are still to emerge, two things are clear: the government has been working for years with advanced analytics developers and machine learning experts to drill into reservoirs of unstructured data. And, as Bloomberg BusinessWeek points out, experts working on the Prism program benefit from the same open source communities who have been building scalable big data technologies like Hadoop and MapReduce.
These technologies are designed to run on commodity hardware and server farms. And the NSA is building a mammoth data center in Utah to support its efforts. It’s estimated that the facility can store 20 terabytes—the equivalent of all the data in the Library of Congress—a minute.
How does this work compare to what the private sector does?
Google, Facebook and other online companies collect data about their users continually, but unlike a clandestine organization like the NSA, they have a trusting relationship with their users. “There’s an assumption of trust,” Richard Stiennon, chief research analyst at IT-Harvest, says in an interview. “Their only interest in where I browse every day is to serve ads to me.”
“In exchange for my giving Google my interests,” Stiennon continues, “it gives me a great search tool and great Gmail and all the other tools they’re giving me.”
“The government can take my information and arrest me with it,” he adds. “Google can’t do that.”
What responsibilities do businesses have when the government requests such data?
Businesses served with a FISC order or FISA letter have little recourse but to comply.
What concerns should businesses have about this surveillance program?
Who has access to data your company has stored in the cloud is an important question.
As noted above, some government data requests are by law secret. But those that are not should be part of a company’s service agreement, notes Michael Overly, a partner in the information technology and outsourcing group at Foley & Lardner LLP in Los Angeles.
“Every cloud agreement should include a provision requiring the vendor to place the customer on notice when it received any legal request for production or access to the customer’s data (unless the legal request expressly precludes that notice),” Overly writes in a blog post at CSOOnline.com.
Many contracts lack such a provision, he notes, adding that “by requiring notice, the customer may elect to intervene in the legal action to limit production of its data center [and] better ensure its confidentiality.”
Note to readers: What other questions do you have?
As more information emerges about the surveillance program, we are interested to understand how it relates to managing data-driven enterprises. Share your thoughts in the comments section below and we will look for opportunities to update this article with additional information and resources.
John P. Mello Jr., is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security. Follow him on Twitter @jpmello.