The New America: Little Privacy, Big Terror

1.

On June 2, 2015, after a Senate cliffhanger that featured a lengthy filibuster by Rand Paul and a resounding defeat for Senate Majority Leader Mitch McConnell, Congress enacted the USA Freedom Act. The act, whose name echoes the USA Patriot Act, does not exactly mark the restoration of freedom. But it is the first time Congress has limited intelligence powers since the terrorist attacks of September 11, 2001. The act ended, at least partially, the National Security Agency’s collection in bulk of nearly every American’s phone records. It requires the government to limit its demands for phone data and other business records to those related to specific “selectors” (for example, names, phone numbers, or addresses) suspected of terrorism.

The act also improved the Foreign Intelligence Surveillance Act court process, by requiring the appointment of lawyers with security clearances to argue for privacy in the court’s closed-door sessions, until now attended only by the government. And it increased transparency, requiring the government to report on the frequency of its demands for records, and allowing businesses to report how many times they have been approached for records. These are significant victories for privacy.

But consider what the USA Freedom Act didn’t do. It didn’t address the NSA’s practices of collecting enormous amounts of personal data on and communications of foreigners overseas, even when they are communicating with Americans. It said nothing about the NSA hacking into overseas Internet trunk lines to vacuum up indiscriminately data on millions of users, including Americans. It didn’t stop the NSA from inserting vulnerabilities into computer networks and encryption systems so that the agency can more easily conduct surveillance.

Nor did the USA Freedom Act address the increasingly common practice of police obtaining “location data” about citizens from cell phone and Internet service providers that maintain detailed records of everywhere your cell phone goes. It did not change a 1986 law that allows the government to obtain, without probable cause or a warrant, the contents of any e-mail you or your recipient have saved for more than 180 days. It did nothing to check the powers of Google, Facebook, website owners, and Internet service providers to collect, analyze, and sell data about your most private thoughts, desires, associations, and communications. And it was silent on the issue of cybersecurity, notwithstanding the increasingly common data breaches that leave all of us vulnerable to fraud, theft, and worse.

Congress also did not tackle one of Rand Paul’s other principal concerns about new technology—the use of unmanned aerial vehicles, or drones, for targeted killing. The last time Senator Paul conducted a marathon filibuster, it was about the possibility that the government might use a drone to kill a US citizen on US soil. Eventually, Attorney General Eric Holder assured the public that the Obama administration does not assert the power to do any such thing. But don’t venture overseas, because the government has used a drone to kill an American in Yemen, and insists that it was perfectly lawful to do so. In addition to a handful of US citizens, drone strikes have killed several thousand foreign citizens, in Pakistan, Yemen, and Somalia, among other places.

In one sense, Congress can hardly be faulted. Advances in technology are so swift that it’s difficult for anyone even to keep up with the latest innovations, much less to resolve how to adjust our legal regimes to the digital age. But as Justice Sonia Sotomayor put it, these developments threaten to “alter the relationship between citizen and government in a way that is inimical to democratic society.” Even more, they threaten to alter the relationship between foreign citizens and governments in ways that are inimical to fundamental human rights. The fact that we now can spy on seemingly everyone, and can kill individuals by remote control from half a world away, does not mean that we should do so. If our laws and practices are to keep pace with technology, we cannot afford to ignore the fundamental legal and policy questions the new technologies of surveillance and death pose.

2.

In Data and Goliath, Bruce Schneier, a security technologist and fellow at Harvard Law School, explores what it means to have entered the age of mass surveillance. Our data are collected in the first instance by private corporations, but are increasingly exploited, as Edward Snowden has shown, by government intelligence agencies. The NSA didn’t have to build from scratch a vast database on billions of innocent citizens the world over, Schneier explains, because private corporations had already done so. All the NSA needed was access.

Data is, according to Schneier, “the exhaust of the information age.” When we carry our cell phone, use (or have downloaded) apps on those phones, browse websites, send e-mails or texts, drive in our cars, or make purchases with a credit card, we send digital information about our whereabouts, our associations, our interests, and our needs and desires to the corporations that serve us. Because the information is digitized, it is relatively cheap to store, and can be analyzed by computers in great detail.

From even a single data source, one can learn a great deal about a person’s private life. A GPS device in your phone or car can pinpoint you to within sixteen to twenty-seven feet at any time of day or night, and can keep a record of your movements. Phone records can show whether you called a rape crisis line, an abortion provider, or Alcoholics Anonymous. The photos we upload to the cloud or social media sites are often embedded with information about the date, time, and place they were taken, and can be identified by increasingly accurate facial recognition systems.

Corporations are taking advantage of these opportunities. Defentek, a private security firm registered in Panama, sells a device that can “locate and track any phone number in the world…undetected and unknown by the network, carrier, or the target.” Amazon Kindle tracks what you read. “Facebook can predict race, personality, sexual orientation, political ideology, relationship status, and drug use on the basis of Like clicks alone.”

The US government could not possibly compel us to provide this type of information. Yet, Schneier writes, we allow private companies to have it as a routine matter:

Imagine that the US government passed a law requiring all citizens to carry a tracking device. Such a law would immediately be found unconstitutional. Yet we carry our cell phones everywhere. If the local police department required us to notify it whenever we made a new friend, the nation would rebel. Yet we notify Facebook. If the country’s spies demanded copies of all our conversations and correspondence, people would refuse. Yet we provide copies to our e-mail service providers, our cell phone companies, our social networking platforms, and our Internet service providers.

We “agree” in large part because we have no real choice. For the most part, you cannot obtain the services of the digital age without clicking through a “consent” form that authorizes the service provider to collect, analyze, and sell your data.

Schneier argues that if we are to preserve privacy, we must regulate both government and corporate use of this data. The Fourth Amendment regulates only government actors. There are some good reasons for that. Google cannot lock you up or launch a tax investigation against you. Google’s computerized monitoring of your e-mails and Web searches in order to direct particular advertising to you poses a less ominous threat than the NSA using the same tools to identify suspicious political beliefs or associations. But, Schneier maintains, we are unlikely to achieve protection from public surveillance unless we also impose some limits on private surveillance. Europe has pursued precisely this option, with a Data Protection Directive that sharply limits what corporations can do with customer data.

Benjamin Wittes and Gabriella Blum, in The Future of Violence, remind us that we face danger not only from what security agencies can do with new technology, but also from what bad guys can do. As the recent breach of digital systems at Target and the Office of Personnel Management have shown, no one is safe. A case in point: my tech-savvy son has for some time used a sophisticated password manager, LastPass, which generates unique, random passwords for its subscribers for all websites they use. Sure enough, in June, hackers breached LastPass itself, and gained access to users’ e-mail addresses and encrypted master passwords, presumably to facilitate identity theft.

The fact that so much of modern life is mediated through the Internet worries many in the national security field. They are justifiably concerned about attacks on online financial services that could have catastrophic effects on the economy, as well as about the potential manipulation of software that runs public utilities and energy grids. The more that goods and services are controlled by computers, the more vulnerable our lives are to being hacked.

The cybersecurity challenge is worrisome enough. But Wittes and Blum do not stop there. They breathlessly imagine a world in which “technologies of mass empowerment” give everyone the capacity to inflict serious harm on everyone else, from anywhere. They envision a day in which a malevolent person can, from the comfort of his living room, direct a tiny “spider drone” into the home of his enemy, where it will kill the victim in his shower, after first extracting a DNA sample and checking it against a worldwide database to ensure that it’s got the right victim. I’m not holding my breath for this futuristic variation on Psycho. Nor for the day when there are, as Wittes and Blum also imagine, “billions of people walking around with nuclear weapons in their pockets.”

Their basic point, however, is well taken, even if their imaginations occasionally run wild. Advances in technology empower not just private corporations and intelligence agencies, but individuals and groups who might do us harm, and if we are to preserve fundamental values, we need to respond to these threats as well. But in stressing this point, Wittes and Blum too quickly lose sight of the dangers from government surveillance. At one point, they disparage “privacy as sentiment.” But privacy is much more than sentiment; it is a necessary element of any humane existence and a foundation of democracy.

At other points, Wittes and Blum seem eager to define away the problem. In a typical passage, they contend that “in our new world, not only do privacy and security not generally conflict, but they are often largely the same thing.” If only it were so. But while we undoubtedly need the police to secure our privacy, it does not follow that police work does not often unjustifiably interfere with privacy. To insist that they are “often largely the same thing” is to evade the very questions that new technology compels us to ask.

For example, FBI Director James Comey has recently urged passage of a law that would give the government special access to all encrypted digital communications, in order to thwart terror and crime. But as Schneier argues in Data and Goliath, and as he and a group of the world’s leading cryptographers and computer scientists show in a paper released on June 7, 2015, one cannot give the government such access without simultaneously risking official abuse and rendering communications vulnerable to criminals.¹ We cannot simply define away the trade-offs between privacy and security.

To preserve privacy in the Internet age we need not oppose all surveillance, just as the Framers did not bar all searches. The Fourth Amendment prohibits only “unreasonable” searches and seizures. It was designed to forestall general searches—in today’s parlance, mass surveillance—and instead to require targeted searches, based on objective grounds for suspicion of criminal activity, not political opinion, associations, or a computer profile. This is not privacy as an absolute, but as a presumptive good, overridden only where there are sound reasons for doing so. But these principles, which have guided us for two centuries, call into question much of the dragnet surveillance that technology now enables, and that the NSA seems to favor.

3.

The drone is in many respects the ultimate new technology that alters the relationship between government and individuals: it empowers the state to kill by remote control from thousands of miles away. The Obama administration has deployed drones much more aggressively than its predecessor. It does so on traditional battlefields such as Afghanistan, Iraq, and Libya; in Pakistan’s border regions, parts of which likely qualify as a zone of hostilities; and in Yemen and Somalia, thousands of miles from any battlefield. Obama’s rapid escalation in drone attacks may in part reflect advances in technology. In 2001, the US military had eighty-two drones. By 2010, it had nearly eight thousand. It may have been a response to our adversaries having increasingly retreated to areas where they were less susceptible to capture. But it also signals the Obama administration’s wholesale adoption of a “kill list” approach to defeating al-Qaeda. If the top leaders could be eliminated, the thinking went, al-Qaeda would be decimated.

It hasn’t worked out that way. As Andrew Cockburn relates in Kill Chain, one former US official working in Afghanistan said, “They’d come into my province, work their way down the [kill list], but they knew and I knew that all those names on the list would be replaced in a few months.” Some in the military took to calling the process “mowing the grass,” presumably in recognition that the grass always grows back. As David Kilcullen, former counterinsurgency adviser to General David Petraeus, and Andrew Exum, a former army officer, argued in a New York Times Op-Ed in 2009, the drone program is “a tactic—or, more accurately, a piece of technology—substituting for a strategy.”²

One problem is that the much-vaunted accuracy of drones turns out to be overstated. Kill Chain opens with a chilling account of drone surveillance of two SUVs and a pickup truck that happened to be driving through the Afghan countryside in 2010 the night a US Special Operations Force dropped in to prepare for an attack. As the drone’s video feed is simultaneously monitored in Florida, Nevada, Kandahar, and Bagram Air Force Base, the contemporaneous communications, recorded in a series of text messages, make clear that no one can tell whether the three vehicles are hostile. The images just aren’t good enough to distinguish between a woman and a man, a child and an adult, a gun and a shovel. As one CIA officer admitted, “You can only see so much from 20,000 feet.”

Erring on the side of protecting the US Special Forces, the operators ordered an attack. In fact, the convoy was entirely innocent, and they ended up killing twenty-three civilians, including several women, a three-year-old, and a four-year-old. As Cockburn puts it, “everyone involved tried to clarify the ambiguity [of the hazy video images] by shaping the information to fit a predetermined pattern, in this case that of hostile Taliban.”

In another 2010 incident, the military’s target was Mohammed Amin, a Taliban leader on the kill list. It had linked him to a cell phone, and the drone was able to pinpoint the phone to a particular car, again in a caravan. When initial bombing missed the car in which the cell phone owner was driving, the drone operator directed a helicopter gunner to finish the job. He swooped in and shot the cell phone user in the head. The only problem was that they had linked the wrong cell phone. Their victim was not a Taliban leader, but an innocent man out with several family members campaigning for his nephew in the upcoming parliamentary elections.

Technology cannot eliminate human error. Still, Obama’s drone campaign has had many tactical successes, reportedly killing numerous high-level leaders in al-Qaeda, the Taliban, al- Qaeda in the Arabian Peninsula (AQAP), and other assertedly affiliated groups. Yet these tactical successes have come at considerable cost. Ann Patterson, US ambassador to Pakistan, warned in 2009 that drone operations “risk destabilizing the Pakistani state, alienating both the civilian government and military leadership, and provoking a broader governance crisis in Pakistan without finally achieving the goal.” For these reasons, Kilcullen and Exum called for a moratorium on drone strikes in Pakistan as far back as 2009. Dennis Blair, Obama’s first director of national intelligence, concurred.

General Stanley McChrystal, who commanded US Special Forces in Afghanistan from 2003 to 2008, and led the entire Afghan operation from 2009 to 2010, may have captured the problem best in a BBC interview:

There’s a perception of arrogance, there is a perception of helpless people in an area being shot at like thunderbolts from the sky by an entity that is acting as though they have omniscience and omnipotence. And you can create a tremendous amount of resentment inside populations…because of the way it appears and feels…. What seems like a panacea to the messiness of war is not that at all…. And wars are ultimately determined in the minds of populations.

Drones raise serious strategic, legal, and policy questions. Yet because of the official secrecy surrounding this program, the Obama administration has made a transparent assessment of those issues impossible. Not until the beginning of Obama’s second term did he issue a formal guidance on drones, and even then, much of it was classified. That guidance, summarized in the president’s speech at the National Defense University in 2013, authorizes strikes away from the battlefield only to eliminate individuals who pose an imminent threat to US persons, who cannot be captured, when the country in which they are found consents to the attack or is unwilling or unable to counter the threat, and where there is a “near-certainty” that no civilians will be killed or injured.

It is hard to quarrel with this as a legal standard, at least as a matter of theory. But is it being followed in practice? On that issue, the administration’s position seems to be, “trust us.” It will not even acknowledge most of its attacks, much less explain why particular individuals were targeted, or what actually happened when the bombs dropped. We are left to rely on reports from the field, and at best unofficial government accounts, which often conflict markedly.

Indeed, as ACLU attorneys Jameel Jaffer and Brett Max Kaufman noted in a blog post on Just Security, in one recent case the administration could not get its own story straight.³ On June 16, Bloomberg, relying on an unnamed government source, reported that the CIA killed Nasir al-Wuyashi, AQAP’s “general manager,” in a targeted strike “by building a methodical case on his whereabouts over months from information collected through technical means.” But later in the week, The Washington Post reported, on the basis of another unidentified administration official, that al-Wuyashi was killed in a “signature strike,” in which the targets are not identified from a kill list, but merely fit a pattern of activity that leads the military to infer that they are combatants. Which was it? And how can the administration engage in signature strikes if it purports to authorize strikes only when there is “near-certainty” that no civilians will be killed? Obama isn’t saying.

Drones are controversial for many reasons. They inflict intense anxiety on those who live under their shadow, the vast majority of whom are innocent civilians, and therefore they inspire deep resentment. They are the ultimate imperialist weapon, projecting force in other countries without risking vulnerability. Some US drone operators have resigned because of the physical and psychological stress of conducting these attacks. They are a potent symbol of American exceptionalism; as Wittes and Blum ask, would the US tolerate the Assad regime targeting Free Syrian Army members in the US on the ground that the US was unwilling to detain them?

As long as the administration defies any accountability for its actions, they will never be deemed legitimate. And it’s worse than that. The Obama administration seems to have adopted a policy on accountability most likely to incur resentment in others: the only strikes it acknowledges are those that kill Americans. In 2013, the administration admitted that four Americans had died in drone strikes. It has never offered a figure for foreign victims, which others have reported number in the thousands. And in April 2015, President Obama publicly apologized, as well he should have, that a January strike in Pakistan had killed two Western hostages, US citizen Warren Weinstein and Italian citizen Giovanni Lo Porto.

But why apologize only when we kill Western innocents? Are not Arab and Muslim innocent victims equally deserving of apologies? This practice of selective accountability is surely the worst double standard of all.

4.

A War Like No Other, a new book by Yale law professor Owen Fiss, points an important way forward. The book, a compendium of eloquent, carefully reasoned, and heartfelt essays written since September 11, sounds two themes particularly responsive to the issues presented by terror and technology. The first is the universality of constitutional and human rights. The Constitution, Fiss writes, affords all “persons,” not just citizens, due process with respect to deprivations of life, liberty, or property. It therefore protects all of the US’s drone victims, and all US-held detainees, regardless of the passport they have.

The Supreme Court has sometimes suggested, in nonbinding “dicta,” that the Constitution does not protect foreigners outside our borders. But the Court has never in fact issued such a broad ruling. On the contrary, in 2008 it extended the constitutional right of habeas corpus to foreign nationals held as enemy combatants at Guantánamo Bay. If Obama were to adhere to the principle of universality that Fiss advocates, he could not apologize only when a Westerner is killed, or acknowledge a strike only when a US citizen dies. He would have to recognize the equal dignity of all human beings.

Fiss’s second theme is one that he has pursued throughout his career as one of the nation’s leading legal scholars, namely, that courts have a unique responsibility to articulate and protect constitutional principle. This is as true in times of crisis as in peacetime, Fiss maintains. The courts’ obligation is particularly critical with respect to those who are unlikely to find protection from the American political process—such as foreign nationals. It’s no accident that the USA Freedom Act reined in only the surveillance authorities directed against US citizens, and left untouched the much more intrusive programs directed against foreigners abroad. Fiss expresses profound disappointment with the Supreme Court’s too-modest judgments concerning the war on terror, and with lower courts’ refusal even to consider the claims of the victims of torture, rendition, warrantless wiretapping, and targeted killing.

Fiss cites as a model the judgments of Aharon Barak, who as chief justice of the Israeli Supreme Court insisted that the law, and the court, had a central part to play in reviewing all aspects of Israel’s response to terror. Barak wrote landmark decisions limiting Israel’s detention policies, forbidding torture, requiring relocation of parts of the wall separating Israel from the West Bank, and insisting on strict limits and judicial accountability for targeted killing. He did so, moreover, in a country that faces the threat of terrorism on a much more frequent and intimate basis than does the US.

Fiss is right to demand more from our courts. Why, he asks, can courts review the detention of a US citizen captured on a battlefield fighting for the Taliban, but not the targeted killing of a citizen living in Yemen, far from any battle? Why, if the Israeli Supreme Court can review Israel’s every targeted killing after the fact to ensure that it conforms to the limits of law, can’t the US courts undertake a similar responsibility?

But while Fiss is right to insist on a more assertive role for the courts, the answer does not lie there entirely. In the end, the courts cannot save us from ourselves. We must insist that the US conform its actions to the principles that have long defined our nation, including the safeguards of privacy, due process, and equality. We should be skeptical of broad-based surveillance without objective suspicion, insist on clear limits on the use of our data by businesses and the government, and demand that all killing off the battlefield be subject to meaningful, individualized accountability. We must do so not only when our own rights are directly affected, as when the NSA collects our phone records, but also when the rights of others are infringed, as when the US kills without justification or conducts mass surveillance of millions of innocent foreigners. In the end, we are the repository of our nation’s most fundamental commitments, and it is we who must insist that the seduction of new technologies of surveillance and death not divert us from the values that have stood us well for so long.