WASHINGTON – Americans are learning what electronics whizzes and hackers have known all along — that computers and smartphones, which make our lives more productive and entertaining, have at the same time ended privacy as most of us have understood it.
Every e-mail, cellphone call, transferred photo, video and voice mail, online purchase and Internet game leaves a digital trail that identifies not just sender, receiver, length of message and location but also a variety of other data that perhaps we hoped to keep secret.
Against that background, how does the U.S. intelligence community convince American citizens that it is not misusing the metadata it has access to as part of the nation’s effort to keep track of potential terrorists and prevent attacks?
One way would be by trying publicly to explain the multi-layer oversight that’s been practiced and expanded over the decades to prevent the misuse of those electronic records. Oversight is not only internal within the National Security Agency, FBI, Justice Department and Office of the Director of National Intelligence (ODNI). It also involves filing regular reports to judges on the Foreign Intelligence Surveillance Act court and responding to their inquiries. The same goes for the House and Senate intelligence and judiciary committees.
First let’s put U.S. data collection in a broader context. Does the average American know that Microsoft, Facebook and Google regularly provide customer data when requested by foreign government entities as well as by federal, state and local jurisdictions in the United States?
Last year, Microsoft provided data on customers to 50 countries in response to law enforcement requests and court orders related to the company’s online and cloud services, including its Hotmail and Outlook e-mail programs, SkyDrive, Xbox Live, Microsoft Account, Messenger and Office 365, and Skype, according to its website.
In Microsoft’s Web-posted Law Enforcement Request Report for 2012, the company recorded 75,378 law enforcement requests that “potentially impacted 137,424 accounts.” Some 11,000 requests from the U.S. were listed; they involved about 25,000 accounts. Turkey made several hundred more requests, but they related to only 14,000 accounts.
Roughly 80 percent of the requests were for what Microsoft characterized as “Subscriber/Transactional” data, meaning they did not involve actual content, just evidence that a to-and-from exchange took place. Of the 1,558 requests that Microsoft said involved subscriber content, all but 14 were from the U.S. The 14 others were sought by entities from Brazil, Canada and New Zealand.
Last week Microsoft updated that report by including for the first time U.S. national security orders. But the U.S. requested that Microsoft mix those together with law enforcement requests from all other local, state and federal agencies and only present figures for the period from July 1 to Dec. 31, 2012, so the newly added number related to national security does not stand out.
According to Microsoft, the U.S. request was “between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders affecting between 31,000 and 32,000 consumer accounts” during the six months. Based on what had been reported earlier, that would mean roughly 1,500 orders involving about 10,000 consumer accounts in the last six months.
Facebook tells users, “We may access, preserve and share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so,” adding, “This may include responding to legal requests from jurisdictions outside of the U.S. where we have a good faith belief that the response is required by law in that jurisdiction, affects users in that jurisdiction, and is consistent with internationally recognized standards.”
In short, American Internet users, beware not just your government but also your service provider. Both are cashing in on your electronic activities in one way or another. One unanswered question at this moment: Who is asking the providers — Microsoft, Google, Facebook and the others — what data they are giving to businesses and how they are overseeing the privacy protection of their own customers?
Because of the release of top-secret documents in recent days, we actually know more about the government’s multi-layered oversight system than about how private companies safeguard data.
A limited number of NSA analysts can query the accumulated metadata bases, and their computers log in when they seek clearance to do that. The data they seek must be related to a specific foreign terrorist organization. Less than 300 such queries were recorded last year for the telephonic metadata base — the one that provides the number that placed the call, the number called and the time of the call.
In the next step, when more than a number is involved, picking up a communication of an American citizen who is not a target — or data related to a person inside the U.S. — is considered a noncompliant action. Such a pickup must be reported and the data minimized either through total destruction or removal of the individual’s identification.
At least once every 60 days, the Justice Department and the ODNI conduct oversight of agencies’ activities under the FISA law. These reviews include on-site inspections by a joint Justice/ODNI team that generally includes people with operational experience.
Every six months, the attorney general and the director of national intelligence conduct an assessment and send their report to the FISA court and the House and Senate intelligence and judiciary committees. Those reports include compliance incident reports.
The Justice Department each year publicly reports the number of applications to the FISA court for electronic surveillance (1,789 last year), physical surveillances (78 last year) and searches for business records (212 last year, among which are some for metadata).
In its June 7, 2012, report on the FISA Sunsets Extension Act, the Senate Select Committee on Intelligence said “relatively few incidents of noncompliance” occurred and that “where such incidents have arisen, they have been the inadvertent result of human error or technical defect and have been promptly reported and remedied.”
Most important, the committee said, “through four years of oversight, the committee has not identified a single case in which a government official engaged in a willful effort to circumvent or violate the law.”
If there is a whistle-blower out there who can identify a case in which these records have been misused, he or she apparently has not come forward. Does that mean it hasn’t happened or will never happen? No. But that’s what oversight is all about — supplemented, of course, by an active and responsible free press.
Walter Pincus reports on intelligence, defense and foreign policy for The Washingon Post and writes the Fine Print column.