I’ve been impressed by Anil Dash’s writing on building “humane tech”. In “The Immortal Myths About Online Abuse” he challenges makers to rigorously think about the unexpected outcomes of their creations. This careful consideration of how technology affects others is seemingly absent in important silos of our local and federal governments. Why is that? The private and public sectors are being held to different standards. There should be one standard.

Part 1. Trends: How things look on the surveillance front.

The timing and prudence of having passed CISA legislation is questionable amid law enforcement’s push to expand surveillance data into the hands of more individuals.

Last year, lawmakers passed legislation to shield the private sector from liability of government’s potential misuse of bulk data on citizens acquired from companies for “cybersecurity” threats: [1],[2] that culminated in CISA, despite significant pushback from the private sector. So, the US tech sector pushed back on having legal immunity… but was given it anyway. CISA allows the information collected from companies to be used in prosecuting individuals under the Espionage Act, which has been used frequently as of late to suppress journalists and whistleblowers. The data shared between companies and the government under CISA is also exempt from Freedom of Information Act requests. Amendments were proposed to clarify the definition of “cybersecurity” and strike the FOIA exemption, but those amendments were shot down.

This not only means less pressure on the government to use bulk citizen data responsibly, it weakens tech firms’ ability to argue in court that they are harmed from such practices. [If you look at the (once-classified) transcript of a FISA case from 2008 — where Yahoo pushed back against government bulk email requests — the presiding judge makes one thing clear: Yahoo’s argument that the government’s actions financially harmed the company was tenuous and abstract. Such arguments are even harder to make now.]

The private sector has been pushing back for several years. Microsoft’s general counsel called US government surveillance an “advanced persistent threat” in 2013. As evidence of this, Microsoft has been building datacenters in Germany for the explicit reason of evading US surveillance powers, handing the proverbial keys (of some) of its own customers over to a German telecom, Deutsche Telekom.

For years Microsoft and many other companies argued in secret court battles against the surreptitious nature of the spying, and just last week Microsoft filed suit against the Department of Justice, arguing individual Americans at the very least have the right to know whether or not they’re being spied upon… at some point.

Part of Microsoft’s argument here, as I understand it, is that the company’s right to free speech is curtailed when an endless gag order silences the company. That intuitively makes sense.

On left: Press Secretary Joshua Earnest on Apple/FBI fight: “[FBI is] simply asking for something that would have an impact on this one device.” (Photo Pete Souza) On right: President Obama at SXSW on Apple/FBI fight: “it’s fetishizing our phones above every other value”. (Photo Pete Souza) That quote, intended to apply to Americans, is more aptly applied to the FBI and DoJ, but nonetheless underscores that this fight is about more than just one phone.

Free speech, a shining virtue of the United States, also came under attack when the FBI attempted to compel Apple, through a dubious court order, to write code to defeat its own products’ security… for the ostensible purpose of accessing the work phone of the San Bernardino shooter.

With James Comey and Dianne Feinstein leading the charge on different fronts, the feds continue to push to expand surveillance on US citizens further.

Now we know that the NSA shares its warrantless surveillance data of American citizens with the FBI, IRS, DEA for reasons that go far beyond anti-terrorism. In the next section, we’ll dive into the repercussions of how this data is used to prosecute Americans (“parallel construction” aka total secrecy). There could have been limitations on this sharing to anti-terror, but instead the data can be used for domestic policing purposes.

The latest push is to broaden the scope of National Security Letters. NSLs are an astounding legal mechanism brought into mainstream use after 9/11 but around since 1978, which compel companies to secretly hand over data on American citizens without a warrant. In 2006, the USA PATRIOT Improvement and Reauthorization Act allowed for judicial review of an NSL. Nonetheless, they are still issued without a warrant.

(“How can NSLs authorize spying on Americans?” You might ask. Thanks to a legal theory known as the third-party doctrine, “spying on Americans” is different from “spying on Americans through a company’s records on Americans”. Technocrats will never publicly make this distinction. But in any case, this is why NSL’s limitations are crucial — they are the all-you-can-eat buffet of bulk surveillance.)

The ramifications of the latest push (happening now) are enormous, and as PCWorld reports: companies are pushing back. An excerpt:

The companies and groups have pointed out in a letter to senators that the new provisions would expand the types of records, known as Electronic Communication Transactional Records (ECTRs), which the Federal Bureau of Investigation can obtain using the NSLs. The ECTRs would include a variety of online information, such as IP addresses, routing and transmission information, session data, a person’s browsing history, email metadata, location information, and the exact date and time a person signs in or out of a particular online account.

The FBI is demonstrating here that it knows no limit to what it thinks is fair game.

Wanting to invoke NSLs to grab a US citizen’s personal browsing history is like the FBI saying: 1) Americans should have no expectation of privacy, 2.) Americans should also not expect warrants with surveillance. This is well beyond even what FISA courts allow.

So this is how far the FBI would like to take it. Knowing how far they’d like to take it is more important than if they can, in my view.

Part 2. Impact: Problems, historical and current, with a.) domestic spying and b.) acting on bulk citizen records as a matter of general practice.

This all seems so rash, because, as we know, this country has recently emerged from a dark place, and the FBI played its own sinister role, with domestic spying as its primary instrument.

But maybe…

Maybe today’s FBI shows restraint in how it deploys its surveillance technologies. Maybe, given the tech-age we live in, police forces and intel agencies are smart with this kind of data. Maybe we, as a society are uniformly past the problems of systemic racism and other forms of discrimination, and therefore can transcend the limitations on government search and seizure set in place by the Constitution, notwithstanding the questionable legality of such programs. Maybe the use of such technologies augments, rather than hinders, the judicial process. Maybe taking the findings of bulk surveillance into the court of law brings a clearer picture to jury trials, where suspects’ guilt or innocence is to be fairly determined. Maybe we face a never-before-seen enemy, capable of destroying our society, and maybe allowing for ubiquitous surveillance helps us eradicate that enemy. Maybe this should be the generation that finally rids the country of pedophilia and maybe allowing for ubiquitous surveillance helps us eliminate that scourge. Maybe the free press in the US has the tools and support it needs to hold the government in check and educate the public. And maybe the system for whistleblowers works and gets the support it needs to hold the government in check when it oversteps.

On left: 1964 election ad spot. Communism and nuclear war was the existential threat throughout the Cold War. (Photo) On right: Several years of patient police work led to the successful assassination of Osama Bin Laden. Today, terrorism is the existential threat, providing the public story and “mandate” for the Patriot Act and every surveillance bill and classified spying program since. (Photo)

Fortunately for the sake of this conversation, the current-day FBI, Department of Justice, and NSA have shown the American people their hand (time and time again).

Over the past several years the FBI and Department of Justice, have, through anti-terrorism grants financed for local law enforcement the acquisition of cellphone-data intercepting units called Stingrays. While some restrictions have been put in place for federal usage, those restrictions don’t apply to local law enforcement.

These police forces have accepted money for this privacy-invading tech and used it against American citizens (including at public demonstrations) in complete secrecy with virtually no oversight, for years. Ostensibly an anti-terrorism tool, it has been employed for non-terrorism purposes by local police. This technology is, by its very nature, bulk surveillance, catching all cell signals within its radius of effect — and as stated above, restrictions vary by jurisdiction.

Transparency would help in situations like this. But to make matters worse, the FBI/DoJ have intervened in court cases to prevent the public (and the defense lawyers) from understanding how the evidence used in trials was discovered — going so far as to amend court records or even discard evidence rather than disclose its origins.

Can police forces be held accountable for using bulk surveillance tech when the very evidence of having used it is withheld from public scrutiny?

As we know from so many examples over recent years: all police forces are not created equal. Systemic discrimination exists, with pockets in the United States suffering to an extreme degree.

Regardless… the Department of Justice and FBI have shown a desire and willingness to enable surveillance at the local level. This practice, in their view, is not just OK but something worth undermining the judicial system in order to preserve.

In an ongoing effort fueled at the federal level: all surveillance is vigorously kept secret. Above we mentioned the underhanded tactics in court to maintain the secrecy of Stingray tech.

Just this week, the FBI sued the city of Seattle to prevent it from disclosing where the feds had deployed surveillance cameras. The program sounds like one which should be under public scrutiny, as the deployment of these technologies tends to discriminate against certain populations (jump to the Efficacy section for more on this).

(It’s also worth noting that, with or without federal grants, local police forces can source spyware technology directly from companies who supply it, out of their own pockets.)

Through a formalized process within US law enforcement called Parallel Construction, field agents and prosecution teams are expected to limit the disclosure of evidence in the discovery stage of a trial. They are expected to build their case around the original evidence without ever disclosing… the original evidence. As we venture head-first into an always-connected world, more and more evidence-gathering methods are classified: 1) computer exploits, 2) physically distributed tech like Stingrays, 3) NSA-collected information which is now to be used for domestic policing, and 4) evidence collected through National Security Letters …. phew that was a mouthful. When such evidence is included, vague jargon is used to describe the specific methodology of its acquisition — or, if that fails, the evidence is still withheld. This practice is commonplace now and indisputably muddies the judicial process for all Americans.

This is what fetishizing “catching the bad guy” looks like. Our country has, as one if its finest moments, John Adams defending a Redcoat who fired into a crowd, killing 5 Americans. How have we gone so far astray? One explanation is that law enforcement has lobbied more aggressively and relentlessly for powers than the people have lobbied to preserve them. One way you could describe this phenomenon: an advanced persistent threat.

Maybe when pitching the American people on bulk surveillance in congressional testimony, an NSA officer can use the tagline: “Welcome to the surveillance era, where defendants can’t have an expectation of knowing how evidence is brought against them.” NSA officials should also openly declare that they’ve lost control over the data they collect on Americans, since other law enforcement agencies now have routine access to it for domestic policing purposes. The surface area of access is enormous. Again, this is not a surveillance regime which can be held accountable.

FISA.

And finally, a look at a facet of the criminal justice system which has been with us for decades but barely scrutinized until the post-Snowden years, the FISA court. The Foreign Intelligence Surveillance Act of 1978 meant to allow wiretapping on phone calls made between foreigners and people within this country.

Imagine a court that was responsible for authorizing swaths of intelligence involving Americans, but also heard the very cases disputing the legal nature of its own authorizations and only held secret trials. You are imagining the FISA court.

As technology progressed with time, FISA’s scope came to include more forms of communication.

Despite a 99.97% approval rate for surveillance requests, these requests were only to include Americans who were communicating with someone outside the country. It’s important to note that researchers from Harvard and Boston University have shown it would be possible to circumvent this restriction by rerouting Internet traffic abroad.

This remains an aspect of the surveillance regime which can not be held accountable.

Civil asset forfeiture, recklessness in federal and local law enforcement.

We should also look at the restraint, or lack thereof, at an institutional level within local and federal law enforcement.

When a path of least resistance offers a way around the courts, federal and local police have shown they will take it. With National Security Letters, which don’t require a warrant to be issued, the FBI is currently pushing to make that path wider.

But with a process known as Civil Asset Forfeiture, the feds and local police routinely take overbearing action before courts are ever involved. This is an important phenomenon to cite here because 1) it’s well-documented, 2) it’s become an ingrained facet in the cultures of local and federal law enforcement, 3) it’s a lazy alternative to actual police work which keeps us safe. Last year, more was confiscated through civil asset forfeiture than was stolen by burglars in the US. Even in the cases where people were proven to be guilty of a crime: the entire premise of the practice is a slap in the face to American justice — “innocent until proven guilty”.

But there’s been an epidemic of civil asset forfeiture affecting people never even charged with a crime. The Washington Post’s 2014 reporting found:

61,998 cash seizures made on highways and elsewhere since 9/11 without search warrants or indictments through the Equitable Sharing Program, totaling more than $2.5 billion. State and local authorities kept more than $1.7 billion of that while Justice, Homeland Security and other federal agencies received $800 million. Half of the seizures were below $8,800.

Far from having limitations on how this money can be spent, one sheriff likened his department’s use of the money to buying “toys” with “pennies from heaven” (in a 2012 Columbia MS review board hearing). John Oliver did his best to make light of the subject last year. The feds temporarily halted the program late last year for unrelated reasons, but resumed it again this year. Civil asset forfeiture is a process by which you can lose everything you’ve worked for, before you even stand trial… if you ever stand trial. As John Oliver notes, the people robbed by the police often don’t have enough resources to fight back in trial.

Police forces are exploiting new technologies to make civil asset forfeiture even easier. I’ve refrained from using this term, but what the hell: this what a police state looks like. We’ve arrived. Maybe we lose sight of it because it hasn’t affected us personally yet but with civil asset forfeiture you can just look at the numbers to know there’s a problem.

Cognitive dissonance has crept over the nation, and technocrats must believe that the American people will never call their bluff.

Higher Education

As if undermining the criminal justice system weren’t enough (through suppressing the origin of evidence), in the Silk Road case, the FBI showed its willingness to coercively enlist those in higher education. Security researchers at Carnegie Mellon University had their work seized through a subpoena for the investigation. So security experts in higher education should know: as they toil to improve, through research, the state of security and privacy for the world at large, their work is under threat of forfeiture to government.

International Data Sharing

While our opaque intelligence and law enforcement agencies are determined to catch pedophiles (a just goal), they themselves store and share an unreported (we really don’t know the extent of it) number of sexually explicit images through data-sharing agreements between the NSA and the UK’s GCHQ at the very least, with probably more through other “5-Eyes” nations. It’s important to note that in the Yahoo webcam debacle linked to above: this program did not have as its mission to defeat child pornography, it was just incidentally contributing to the problem. This program went on for years, and collected millions of webcam photos indiscriminately. Here’s the link again. This fast and l̶o̶o̶s̶e̶ furious way of handling bulk surveillance data through data-sharing agreements with other nations has been going on for years without the consent or knowledge of the American people. Who knows how many other programs like this exist; I’d wager at least a few. So, while the FBI shares surveillance tech with local law enforcement, the NSA sharing bulk data with other nations.

What if the British were to misuse data on Americans? Would we know? Could we prosecute? Or would such crimes be harmless because no one would be aware of them. As crazy as it sounds, that kind of reasoning “what you don’t know can’t hurt you” has been posited by a federal judge in a secret court before. But the pernicious bit is that as surveillance data creeps into domestic policing, its use does affect us directly, but because of gag orders, parallel construction, and other classified methods, the average American can’t blame surveillance. At least in Stasi Germany you could look in your rearview mirror and see a tail. In the US, the system is carefully constructed so that you can’t (legally) show that surveillance is playing a role in your life.

Of course the method of collecting and storing doesn’t mean the people in charge are completely misguided. Surely most have good intentions, and they’ve found themselves at a point in history that has stemmed from the crazy Bush Administration years where other countries were either “with us, or with the terrorists”. But all of this can’t simply be explained away by the new reality that is terrorism. The completely opaque nature of these organizations should always be troubling to citizens: who looks at our pictures? Who’s advised on these issues? Want to ask questions? Too bad: all of these programs are classified. It’s practically impossible to even have a court of law formally recognize their existence even if the public knows about them (via the Snowden leaks in this case). Classification puts bulk surveillance outside the reach of even the law. And now the FBI wants to put it into even greater mainstream use.

Checks and Balances: whistleblowers and the free press during the Obama Administration years

At least the government has a system in place to protect whistleblowers who share their concerns. After all, they are our best defense to check the power of law enforcement and intelligence communities.

The Obama administration has used the Espionage Act more than any administration in history, has been overtly hostile toward the press, and has quietly argued against Freedom of Information Act (FOIA) reform, a vitally important part of modern-day journalism in the US. In fact, it took a FOIA lawsuit to uncover the Obama administration’s secret lobbying against it — which was sheepishly admitted to after the fact.

Reporting on US intelligence agencies is an uphill battle. Take for example law enforcement’s seizing of Associated Press telephone records in reporting on the Central Intelligence Agency. The White House’s initial claim was that it had no knowledge of the action; if true, that’s even more worrisome and speaks to the recklessness of law enforcement. In any case, it had a chilling effect on the actual reporting being done.

A reporter of the NSA and CIA (James Risen of the New York Times and LA Times) is repeatedly subpoenaed for his sources and threatened with jail time until October 2014 when Attorney General Holder said “no reporter’s going to jail as long as I’m attorney general.” This makes James Risen one of just a handful of Americans who have actually called law enforcement’s bluff on “what constitutes going too far”, and it took him to the brink.

It’s important to note here that law enforcement loves broad definitions. Some examples: NSA analysts need to be 51% sure you’re not an American to act on FISA-collected information relating to you. “Anti-terrorism” bills and grants routinely extend into non-terrorism domains. “Due process” means little given rampant civil forfeiture abuse. So what about “reporter”?

A problematic but potentially helpful federal shield law effort arose in the wake of these and other crackdowns but never passed.

An NSA data-sharing partner, GCHQ, has, according to leaked internal documents, official policies allowing for targeting the communications of lawyers and journalists.

How can investigative reporters fulfill their duty in covering the NSA if they can be spied on by intelligence agencies? It seems patently obvious that journalists fall under the umbrella of the US surveillance regime like all other citizens.

As NSA bulk surveillance programs came onto the scene in the early 2000’s, several employees decided to do something. NSA engineers William Binney, Edward Loomis, and J. Kirke Wiebe; and Diane Roark, who served on the House Intelligence Committee, filed a complaint with the DoD Inspector General. Their houses were subsequently raided by the FBI and their patriotism called into question by their friends and family. They couldn’t speak about the nature of their concerns to allay those suspicions. Thomas Drake was a high-level NSA administrator who also complained to the NSA Inspector General and DoD Inspector General and was ignored, so he went to the press, and also had his house raided.

These whistleblowers felt conflicted over bulk surveillance projects that could have included protections for US citizens, but didn’t. Despite sound reasoning behind questioning the legality of the NSA programs and despite the trepidation of NSA’s chief Hayden over such programs, the NSA lacked the gumption to 1) pause work on the programs, 2) make a case before Congress, or 3) make a case to the American people for their existence: instead acting only on President Bush’s executive order for years.

But the NSA had an opportunity to bring the case to the American people, when whistleblower Russ Tice tried to raise the issues with Congress in 2005. (Tice was fired by the NSA.) Instead, in 2006 the NSA Inspector General released a report that found “no evidence” to support Tice’s claims. That’s rich.

Lives of these whistleblowers were turned upside down because they attempted to bring the case to the American people, but the NSA denied at the time there was any case worth being made.

Enter Edward Snowden. According to documents revealed in a recent FOIA request (and Snowden’s own claims), Edward Snowden blew the whistle within the NSA, talking face-to-face with officials about his concerns. This is despite the NSA’s initial claim to the public that such questions had been limited to a single email: a claim which was explicitly made to discredit Snowden.

The beleaguered system for whistleblowing on the NSA may benefit from a comparison to a similarly broken whistleblowing system in the finance world. In the banking world, people recognized there was a problem and did something about it. With the Dodd-Frank Act, (some) whistleblowers in the banking world are rewarded with real incentives, including a % claim of damages from an SEC action or straight cash. Politicians brag about the impressive results. On the NSA side, it’s not clear how, even after an executive order was signed in 2012 to protect intelligence-community whistleblowers, a public discussion could have ever occurred about the NSA spying programs affecting Americans which were already in place. The order protects whistleblowers that report fraud, waste, and abuse but also protects the classified information, and “abuse” is a subjective term that fellow intelligence community members would responsible for judging.

Let us pause and reflect on a profound reality. Just three years ago, the average congressman had no idea about the scope of NSA spying, having to ask and receive cryptic, untruthful answers about it. Today, this same NSA-collected, privacy-stripped data is being used by the FBI for the purposes of non-terrorism related policing. I wonder if the NSA engineers who built this system knew what they were contributing to…

Efficacy of surveillance

If 1) free speech and the free press, 2) the judicial system, 3) higher education, 4) property rights, and 5) the system for whistleblowers are all under persistent attack from law enforcement, it had better be worth it.

Obama’s own 2013 panel investigation found little evidence of the effectiveness of bulk surveillance, and the rebuttal from Senator Feinstein at the time was found lacking. Other reports within US law enforcement also spoke to the lack of substantive leads generated by the programs.

A recently uncovered secret report from UK’s MI5 program shows the agency complaining about being inundated with data. The agency warned a potential “intelligence failure” may result from the deluge of bulk data.

Just this week, the US Government Accountability Office released a report that called into question the FBI’s lack of privacy protections and accuracy of its facial recognition database, which now contains over 411 million photos of Americans, including 173 million driver’s license photos.

Acting on large pools of collected data effectively and without bias is extraordinarily difficult.

The most sophisticated intel orgs in the world have trouble with false positives (where a pool of data is screened for suspicious people, erroneously catching innocent people in the process), but when local DAs/sheriffs and the judicial system itself (for sentencing guidance) try to act on bulk citizen datasets, we must fear all kinds of unintended bias.

What does a criminal look like? (I can imagine a few cops wouldn’t hesitate to answer.) Do results from bulk-data analysis carry authority because of the size of the dataset from which they were derived? (Another trick question.) Has surveillance technology itself been deployed in a fair and indiscriminate manner? Does the person making decisions based off the results of bulk-data analysis know (or acknowledge) the limitations of the analysis itself?

ProPublica did a study recently that rigorously assessed the results of sentencing-guidance software, increasingly used in courtrooms by judges. Here’s their methodology. In risk scores (that ostensibly measure the likelihood of repeat offenses) they found significant bias against black defendants when reviewing against historical data.

Experts will say that making the haystack bigger just makes it harder to find the needle. But sometimes the haystack itself only gets bigger for certain groups of Americans.

For example, as license plate reader technology comes to more local police forces across the nation, the EFF has found it’s been deployed (in the cases studied) in low-income neighborhoods more frequently than affluent ones. Not all haystacks are created equally.

More concerning is the standard practice of rolling out surveillance tech in complete secrecy. Just this week, the FBI sued the city of Seattle to prevent it from disclosing where the feds had deployed surveillance cameras. The FBI/DoJ have repeatedly intervened in court cases using obstructionist tactics to keep a lid on Stingray deployment. So, how does the EFF, ACLU, ProPublica, etc run a study on the fairness of the deployment of these technolgoies? They can’t!

Does the surveillance regime (at local and federal levels) have the capability to hold itself accountable? How many demographic statisticians are employed by local police forces? Maybe they outsource the data munging work, but that’s simply an abnegation of their public responsibility… has led to bias in other cases anyway. Is it responsible to call surveillance tech humane knowing that its deployment has been executed with blissful ignorance?

The Veil and what “Could have been”

But there’s a veil, which will always exist, that allows law enforcement to point to important threats we don’t know about. They have an incredibly important role: keeping us safe, which shouldn’t be diminished. “Not on my watch” is a fair sentiment to harbor, knowing an untold number of people wish to destroy American lives at scale. Talking about pending investigations of course could compromise real police work. That will never change.

But limitations on surveillance and police powers should exist. Increasingly they don’t.

How many times must we note that a law “could have… but didn’t (include limitations on applicability to terrorism)”, or some NSA program “could have… but didn’t (include privacy protections)”, or some technocrat “could have… but wasn’t (held responsible for lying, overreach, or negligence)”, or some whistleblower “could have… but wasn’t (protected)”, or some journalist “could have… but wasn’t (given privacy to do his or her job)”, or there “could have been… but weren’t (limitations on the use of bulk data)”?

These important questions attack problems tangential to the fight against terrorism and can’t afford to be ignored, otherwise we may enter an era of inhumane tech. Given the body of evidence the FBI, DoJ, Congress, and NSA have provided to the American people: we can say these questions have not been taken seriously.