Who Should Store NSA Surveillance Data

One of the recommendations by the president’s Review Group on Intelligence and Communications Technologies on reforming the National Security Agency—No. 5, if you’re counting—is that the government should not collect and store telephone metadata. Instead, a private company — either the phone companies themselves or some other third party — should store the metadata and provide it to the government only upon a court order.

This isn’t a new idea. Over the past decade, several countries have enacted mandatory data retention laws, in which companies are required to save Internet or telephony data about customers for a specified period of time, in case the government needs it for an investigation. But does it make sense? In December, Harvard Law professor Jack Goldsmith asked: “I understand the Report’s concerns about the storage of bulk meta-data by the government. But I do not understand the Report’s implicit assumption that the storage of bulk meta-data by private entities is an improvement from the perspective of privacy, or data security, or potential abuse.”

It’s a good question, and in the almost two months since the report was released, it hasn’t received enough attention. I think the proposal makes things worse in several respects.

First, the NSA is going to do a better job at database security than corporations are. I say this not because the NSA has any magic computer security powers, but because it has more experience at it and is better funded. (And, yes, that’s true even though Edward Snowden was able to copy so many of their documents.) The difference is of degree, not of kind. Both options leave the data vulnerable to insider attacks—more so in the case of a third-party data repository because there will be more insiders. And although neither will be perfect, I would trust the NSA to protect my data against unauthorized access more than I would trust a private corporation to do the same.

Second, there’s the greater risk of authorized access. This is the risk that the Review Group is most concerned about. The thought is that if the data were in private hands, and the only legal way at the data was a court order, then it would be less likely for the NSA to exceed its authority by making bulk queries on the data or accessing more of it than it is allowed to. I don’t believe that this is true. Any system that has the data outside of the NSA’s control is going to include provisions for emergency access, because … well, because the word terrorism will scare any lawmaker enough to give the NSA that capability. Already the NSA goes through whatever legal processes it and the secret FISA court have agreed to. Adding another party into this process doesn’t slow things down, provide more oversight, or in any way make it better. I don’t trust a corporate employee not to turn data over for NSA analysis any more than I trust an NSA employee.

On the corporate side, the corresponding risk is that the data will be used for all sorts of things that wouldn’t be possible otherwise. If corporations are forced by governments to hold on to customer data, they’re going to start thinking things like: “We’re already storing this personal data on all of our customers for the government. Why don’t we mine it for interesting tidbits, use it for marketing purposes, sell it to data brokers, and on and on and on?” At least the NSA isn’t going to use our personal data for large-scale individual psychological manipulation designed to separate us from as much money as possible — which is the business model of companies like Google and Facebook.

The final claimed benefit — and this one is from the president’s Review Group — is that putting the data in private hands will make us all feel better. They write: “Knowing that the government has ready access to one’s phone call records can seriously chill ‘associational and expressive freedoms,’ and knowing that the government is one flick of a switch away from such information can profoundly ‘alter the relationship between citizen and government in a way that is inimical to society.'” Those quotes within the quote are from Justice Sonia Sotomayor’s opinion in the U.S. v. Jones GPS monitoring case.

The Review Group believes that moving the data to some other organization, either the companies that generate it in the first place or some third-party data repository, fixes that problem. But is that something we really want fixed? The fact that a government has us all under constant and ubiquitous surveillance should be chilling. It should limit freedom of expression. It is inimical to society, and to the extent we hide what we’re doing from the people or do things that only pretend to fix the problem, we do ourselves a disservice.

Where does this leave us? If the corporations are storing the data already — for some business purpose — then the answer is easy: Only they should store it. If the corporations are not already storing the data, then — on balance — it’s safer for the NSA to store the data. And in many cases, the right answer is for no one to store the data. It should be deleted because keeping it makes us all less secure.

This question is much bigger than the NSA. There are going to be data — medical data, movement data, transactional data — that are both valuable to us all in aggregate and private to us individually. And in every one of those instances, we’re going to be faced with the same question: How do we extract that societal value, while at the same protecting its personal nature? This is one of the key challenges of the Information Age, and figuring out where to store the data is a major part of that challenge. There certainly isn’t going to be one solution for all instances of this problem, but learning how to weigh the costs and benefits of different solutions will be a key component to harnessing the power of big data without suffering the societal harms.

This essay originally appeared on Slate.com, with a very misleading title.

EDITED TO ADD (2/21): Commentary from Lawfare blog.

Posted on February 17, 2014 at 5:23 AM • 55 Comments