A history of NSA lies and the plan to legalize domestic spying with CISPA.

Imagine a perfectly ordinary morning. You’re staring at your computer, cup of coffee close at hand, waiting for the cobwebs to clear. Perhaps you’re Googling reviews for the latest Fast and Furious flick. Nothing catches your eye.

Bored, you remember to check Facebook. When all else fails, you can check Facebook. Immediately, as the site comes up, your eyes flick to a little red badge against the familiar blue toolbar. Like a light bulb going off in your head, you experience a slight dopamine rush—you have a new private message!

It’s an old friend from elementary school. She has just opened a coffee shop. “La Bomba Coffee: It’s the bomb!” She wants to know if you could help her publicize it by “liking” the shop’s Facebook page.

Oh.

The dopamine rush is gone, drowned out once again by the drudgery of a dull morning and a seemingly endless wait for the caffeine to kick in. Dutifully, you go to your friend’s page and click “like.”

Mundane interactions like these are the lifeblood of the Internet companies upon which we increasingly rely. We generate an enormous amount of data about ourselves simply by searching, browsing, clicking “like.” It is through these interactions that companies assemble a profile on each of us—our interests, our relationships, our desires. And in turn, they monetize this information, using it to target advertisements, or keep us engaged in their products (or both).

Most of this information we gladly hand over to companies for the convenience of things like social networks, free email, discussion groups, and cloud storage.

And then there are the Internet advertising networks which track people’s searching and browsing habits as they surf the web. For many ad networks, no information is off-limits: location, health concerns, sexual orientation—all of it is fair game, and all of it is used to show us targeted advertisements for things we’re more likely to buy.

Summed up, all of this information creates a digital reflection of who we are, a reflection of nearly all aspects of our social, professional and private lives. And all of it is beyond our direct control. When we entrust our data to Internet companies, we have to trust them to safeguard it and keep it private.

But the reality is that they can’t keep it private.

Big Brother is watching you.

The CIA called it Total Information Awareness (TIA). It was their post-9-11 plan to detect terrorist activity by engaging in an unprecedented level of mass surveillance. By aggregating and analyzing huge amounts of data from government and commercial sources, including phone records, credit card transactions, travel records, social network data, text messages, and practically any other digital communication, the CIA’s goal was to look for telltale patterns that could indicate terrorist activity.

Their plan was not very popular. In 2003, after a collective uproar over privacy concerns from citizens, civil rights advocacy organizations, academics and government officials, the plan was renamed Terrorism Information Awareness. This failed to placate critics, and the plan was officially scrapped by Congress shortly afterwards.

But unofficially, the work continued.

In the heart of San Francisco’s SoMa district, among well-appointed high rise office buildings, luxury condos, dimly-lit convenience stores, and cheap ethnic restaurants stands a monolithic concrete structure. Against the surrounding tension between grandiose prosperity and urban decay, the building asserts an almost arrogant contrast—for it is something different entirely.

“I.D.’S MUST BE WORN AT ALL TIMES AND BE COMPLETELY VISIBLE,” warns a sign within the glass of the building’s small entrance lobby.

The building has no other windows. This is a bleak place where it is never truly day, but never night. A lattice of thick concrete slabs extends monotonously to the top of its seventeen stories, casting an imposing, fortress-like presence.

This is 611 Folsom Street, AT&T’s regional Internet Exchange Point (IXP) facility. And it is here where, in 2003, technician Mark Klein discovered a secret domestic surveillance program run by the National Security Agency (NSA).

For some background: IXPs are key choke points in the Internet’s physical infrastructure, supplying connectivity between Internet service companies. If you channel former Senator Ted Stevens’ infamous statement that the Internet is “a series of tubes,” then AT&T’s Folsom Street facility is Northern California’s mother-pipe, a key junction through which nearly all of the region’s Internet data flows.

Klein uncovered evidence that within “Secure Room” 641A, the NSA was using advanced surveillance equipment capable of intercepting and capturing all data as it passed through the facility. Klein later learned from other employees that similar activities were taking place at other IXPs across the country.

“The NSA is getting everything. These are major pipes that carry not just AT&T’s customers, but everybody’s,” Klein said in a 2007 Washington Post interview.

Effectively, this meant that the NSA could have had an unrestricted wiretap on virtually all digital communication within the US. Klein went public with his discovery and was a key witness in a class action lawsuit spearheaded by the Electronic Frontier Foundation (EFF). The lawsuit alleged that AT&T and the NSA were colluding to perform illegal surveillance on American citizens. It ended abruptly in 2008, when President Bush signed the FISA Amendments Act, a law granting AT&T retroactive immunity for any involvement. After all, the surveillance program was in the interest of national security.

In his new cybersecurity book titled Black Code, Dr. Ronald Deibert of Citizen Lab notes that the NSA is formally prohibited from monitoring communications between American citizens, but that their involvement with AT&T strongly suggests that they were ignoring this prohibition.

And, just yesterday, his suspicions were confirmed when The Guardian published a leaked court order from the secretive Foreign Intelligence Surveillance Court (FISC).

According to the top secret document, FISC has authorized the NSA to harvest the phone records of millions of US citizens from Verizon. On an “ongoing, daily basis,” Verizon must produce records of phone calls “wholly within the United States, including local telephone calls.” The records must include “metadata” about the calls including telephone numbers, time and duration of calls, and possibly even location data.

“Requesting metadata ‘including location info’ on all calls by US citizens is putting a GPS tracker on every American,” tweets Dr. Matthew D. Green, Assistant Research Professor at Johns Hopkins University’s Computer Science department.

“This is called protecting America,” says Senator Dianne Feinstein, who explains that the court order is just a renewal of a program that has been in place since 2006.

Since most FISC orders are highly classified, it’s unclear whether similar orders exist for other US telecommunications providers, or to what extent the NSA has been authorized to use other forms of surveillance on US citizens. But former NSA official William Binney thinks the leaked court order is just one part of a bigger picture.

“If Verizon got one, so did everybody else,” Binney told Democracy Now.

Binney has been an outspoken critic of the Agency since quitting in 2001. In a recent RT interview, he indicated his belief that the government is not only continuing its warrantless surveillance program, but stepping it up to a whole new level.

“No digital communication is secure.”

Gathering all of this data would not come without challenges. As more people across the country and around the globe come online, the sheer volume of data flowing through the Internet is increasing exponentially.

In a 2012 Businessweek op-ed, IBM’s Dave Turek estimated that from the beginning of recorded history to 2003, humans generated roughly 5 exabytes—that’s 5 billion gigabytes—of information. By 2011 humans generated that much data every 2 days, and in 2013, he estimated, we will generate 5 exabytes of data every 10 minutes. That’s over 250 trillion gigabytes per year.

To put that in perspective, that’s the equivalent of about 7.8 trillion Apple iPods—enough, arranged lengthwise, to extend to the moon and back. To be able to record and store a dataset of this magnitude would require a massive engineering effort. And that is exactly what the NSA has set out to do.

They call it the Utah Data Center. Nestled in a valley outside of Salt Lake City, the facility’s non-descript name belies the unprecedented scope of its mission and multi-billion dollar budget.

Scheduled to be operational in fall of 2013, the Utah Data Center houses 100,000 square feet of server space on its heavily-fortified campus. With a power draw of 65 megawatts, the facility will consume more energy than a small city. And it is here that the NSA is building a computer network capable of storing quadrillions of gigabytes of data, according to estimates. That’s enough space to store all domestic digital communication for years to come.

While the full scope of the Utah Data Center’s mission is classified, the NSA insists that it will not be used to illegally eavesdrop on US citizens.

“Many unfounded allegations have been made about the planned activities of the Utah Data Center,” the Agency said in a press statement, adding, “one of the biggest misconceptions about NSA is that we are unlawfully listening in on, or reading emails of, U.S. citizens. This is simply not the case.”

But someone in the Federal Government is.

In the days and weeks following the Boston Marathon bombing, the citizens and government of the US scrambled for answers. Confused and enraged, the FBI cast a wide net, investigating virtually all of the friends and family of the Tsarnaev brothers for possible involvement.

One of their key “persons of interest” was Katherine Russell, the 24-year-old American widow of deceased suspect Tamerlan Tsarnaev.

In an interview about the investigation, former FBI counterterrorism agent Tim Clemente shocked CNN’s Erin Burnett when he nonchalantly revealed that the government could listen in on past phone conversations between Tsarnaev and Russell, or indeed any Americans.

Clemente, who seemed unfazed by the implications of what he was saying, was dragged back in the next day for follow-up questioning. When pressed for more details, he sighed, closed his eyes and flippantly reiterated his statement, adding that “all digital communications” are recorded and stored, and that “no digital communication is secure.”

More than likely, the truth behind the NSA’s statement that they perform no “unlawful” monitoring boils down to what, exactly, is lawful.

In a 2012 US Senate report, Senators Ron Wyden (D-OR) and Mark Udall (D-CO) expressed concern about a loophole in the FISA Amendments Act, the same bill that granted AT&T retroactive immunity for their alleged involvement in the NSA’s wiretapping program. Under what some have called a “secret interpretation,” the law could be used to circumvent traditional warrant protections, allowing US citizens to be monitored with no court oversight.

To date, the Bush and Obama administrations have vigorously defended the law, and many of the cases have been dismissed on technicalities. The Supreme Court has not yet ruled on its constitutionality.

But, in addition to defending their existing practices, the Federal Government has recently been pushing for even more surveillance authority.

One example is the FBI’s proposed expansion to the Communications Assistance for Law Enforcement Act (CALEA), a federal wiretapping law. Under the new regulations, online service providers would be required to comply with government wiretapping orders, allowing law enforcement officials to monitor user communications. Companies that do not, or cannot, comply with wiretap orders would be fined upwards of $25,000 per day. After 90 days, unpaid fines would double daily.

I ask Nadim Kobeissi for his opinion on the FBI’s plan. Nadim is the Special Advisor for the Open Internet Tools Project and developer of Cryptocat, a popular encrypted chat app.

“I think CALEA is a measure that is meant to intimidate proponents of Internet privacy into complying with law enforcement no matter the reason or cost,” he explains, “I think the FBI would have a better, more productive time seeking to learn from technologists, rather than attempt to prosecute their efforts.”

The FBI’s plan has drawn further criticism from the Center for Democracy and Technology (CDT), a leading group of security researchers and civil rights activists. In a statement, they point out that many software products allow the exchange of fully encrypted communication between users (Cryptocat is one such app). This makes it impossible to monitor user communication centrally. In order to comply with wiretapping orders, developers would be forced to install monitoring capabilities, or “backdoors,” in the software that runs on their users’ computers or smartphones.

Putting surveillance backdoors in communication software would create easy targets for hackers, warns the CDT, lowering “the already low barriers to successful cybersecurity attacks.” And tech-savvy individuals, they point out, will simply switch to unmonitorable software from non-US countries.

“Ironically, then, potential terrorists may easily be able to use stronger security than the US government, which is less likely to install non-US [software].”

Nadim is not intimidated by the FBI’s plan. “Cryptocat will never include any backdoors,” he states, bluntly.

“CISPA will legalize what they are already doing.”

Another, more ambitious, push from the federal intelligence and law enforcement community has been the Cyber Intelligence Sharing and Protection Act (CISPA).

This recently-defeated legislation would have allowed Internet companies and government contractors to proactively share “cyber threat information” with each other and government agencies for the stated purpose of protecting computer networks against hackers and other cyber-attacks. CISPA would have overridden all other federal and state laws, granting companies legal immunity for any authorized sharing of cyber threat information.

The bill has enraged numerous Internet freedom and civil rights advocacy groups, including the EFF, American Civil Liberties Union (ACLU), Free Press, and hacktivist group Anonymous. A common concern is that the bill is overly broad, potentially allowing for companies to share private user data with government agencies.

I asked an individual associated with Anonymous to weigh in on CISPA.

Perhaps I should explain. Anonymous is a loosely-associated collective of hackers, political activists and mischief-makers. Anons use pseudonyms and encryption software to obscure their identities online, and can often be seen at political rallies wearing iconic Guy Fawkes masks.

Anonymous has no centralized power structure: each anon has as much authority as the next, so the group can hardly be said to have a singular mission. Nevertheless, anons generally rally against oppressive actions from corporations and governments worldwide, usually through political discourse and activism. But, when sufficiently angry, tactics include hacking, distributed denial of service (DDoS) attacks and extortion.

The individual I interview is known to me only by the Twitter handle @MindDetonat0r, where he or she has been an outspoken critic of the US government’s surveillance programs. We speak via encrypted email.

Private government contractors … were hired to illegally hack and target labor organizers and dissident journalists like Glenn Greenwald; the hypocritical justice department didn’t do anything about this, rule of law in the United States is fiction. CISPA will give immunity to companies and government contractors … to target political dissidents and proletarian organizers. In other words, CISPA will legalize what they are already doing.

MindDetonat0r further believes that CISPA would make it more difficult for people to stay anonymous online, which can actually be a matter of life and death:

There are crazy people out there who kill gays, abortion doctors, etc. If contractors … or companies are immunized under CISPA and leak private information about targeted people they very well could be putting the public in danger.

I also have the opportunity to speak by telephone with Sharon Bradford Franklin, Senior Counsel at The Constitution Project (TCP), who offers a more moderate view.

“We do want the government to be able to protect us and be able to use these surveillance tools. At the same time we want them to respect people’s privacy and civil liberties. And they can do both. … These are not inconsistent goals,” she explains with the well-spoken terseness of an experienced attorney used to dealing with the press.

But she was not satisfied with the version of CISPA that passed the House, saying the “safeguards in place are not sufficient.”

One of her chief concerns was that the House rejected an amendment requiring companies to make reasonable efforts to strip out information that’s unrelated to cyber threat information, such as private user data.

Another concern was that the bill could have allowed companies to share information directly with the NSA. Ms. Franklin explained that an amendment to address this was approved at the last minute, but its wording was vague, so it was unclear whether it would have actually fixed the problem.

These concerns aren’t a moot point now that CISPA is dead. The US Senate will be introducing a competing cybersecurity bill soon.

“We don’t know what it will look like and how much we’ll have to fight that battle over again on the fight for privacy rights and civil liberties,” says Ms. Franklin.

I ask Ms. Franklin how she would explain the problem to an average person, who might not know or care about government surveillance.

“It’s easiest to envision in the video surveillance context where so many jurisdictions are now blanketed with cameras,” she explains. “The government has said that if you’re in a public place you have no reasonable expectation of privacy. And some have said, ‘Well if you’re not doing anything wrong, then you have nothing to worry about.’”

But there are plenty of things people do in their day-to-day lives, like going to AA meetings, fertility clinics, etc. that are all perfectly legal, but “nobody’s business,” she explains. Without adequate safeguards, there’s nothing to prevent government workers from going “back through the footage to compile a digital dossier of someone.”

“Nobody’s business.”

The CIA imagined a world where municipal surveillance networks, like the one Sharon Bradford Franklin described, would feed into their Total Information Awareness Office. Using facial and gait recognition software, they could automatically and accurately identify individuals from great distances.

The NSA imagined a world where they could spy on US citizens with impunity. And, to some extent, their dream has become a reality. The Foreign Intelligence Surveillance Court continues to rubber-stamp their domestic surveillance activities in secret. And soon the NSA will have a data center with the capacity to store all domestic Internet communications indefinitely.

Today, the US government is pushing for even more surveillance authority. Bills like CISPA will allow them to secretly harvest private user data from Internet companies, granting those companies legal immunity for breaking any privacy agreements with their customers.

All of this is done in the name of “national security,” but is it worth the cost?

Two days ago, Frank La Rue, the United Nations Special Rapporteur on Freedom of Expression and Opinion, released a report about government surveillance and freedom of expression. His report formalized concerns that Internet privacy activists have had for years:

The right to privacy is often understood as an essential requirement for the realization of the right to freedom of expression. Undue interference with individuals’ privacy can both directly and indirectly limit the free development and exchange of ideas. … An infringement upon one right can be both the cause and consequence of an infringement upon the other.

In Black Code, Dr. Ronald Deibert notes that, due to Internet surveillance by the Chinese government, Chinese citizens engage in self-censorship—watching carefully what they say and do online. The constant feeling of being watched, and high-profile arrests of political dissidents have led to a chilling effect on the free exchange we normally associate with the Internet.

While the situation is less extreme here in the US, the Federal Government’s existing surveillance practices have gone too far, in many cases. The government has targeted innocent US citizens and journalists, threatening our constitutional rights to privacy, free speech, and a free press. But they’re not apologizing. They’re asking for more power, and they’re asking us to trust them blindly with it.

Imagine a world where you’re just minding your own business, drinking coffee in the morning, and a long-forgotten friend sends you a Facebook message. Your friend happens to be the daughter of a non-US citizen.

“La Bomba Coffee: It’s the bomb!”

Two red flags. At some far off data center, a server clicks faintly as it logs your interaction. A command is sent out automatically. Suddenly, a whole network of computers fires to action, searching through hundreds of thousands of records spread across years of storage. Little by little, matching data is located: a phone call here, a subway trip there, a Facebook profile, emails, credit card transactions. A digital reconstruction of a human life is pieced together from an enormous set of disjointed information, all of this to answer a single question: who are you?

The report is ready minutes later.

A government worker snickers as he looks over some embarrassing photos in your email. None of your Facebook messages are particularly interesting. You’ve paid your taxes on time. Boring.

“False flag,” he mutters, closing the file.

Do you feel safer?