Internet noise

The United States is moving ahead to allow internet providers to sell customer browsing history and related data - and the savviest internet users want to thwart the sell-off and warp the product.

There are two approaches: block your provider from viewing data or overwhelm the provider with data. 

VPNs  - or virtual private networks - block some of what the provider might see, and those with access to work or school VPNs are making a point of signing in every time they start to browse. "While VPNs are an important privacy tool, they have limitations," explains Klint Finley for Wired. "The most obvious: You need to trust your VPN provider not to track you and sell your data itself."

The second approach is directing your browser to head to all kinds of bizarre internet sites. "Yesterday, the House of Representatives voted to let internet service providers sell your browsing data on the open market," explains Emily Dreyfuss, also for Wired. "This decision angered a lot of people, including programmer Dan Schultz. After reading about the vote on Twitter at 1 AM, he turned off Zelda and coded this ghost currently opening tabs on my machine."

So I headed right for the little ghost machine that's called Internet Noise, clicked the button and watch a parade of nonsensical sites, one every few seconds: godmother soap, macrame basket, wood squeegee, silvar dollar blueberry, venom catamaran, the hyena, concrete option, porthole chest and on and on.

Nothing too incriminating there for insurers, financiers, advertisers, campaign organizers or other creeps who want to accumulate, categorize and sell our data. The terms are certainly not as incriminating as those used to research my murder mysteries - especially the two set in Afghanistan, Fear of Beauty and Allure of Deceit.  


On the bottom of  the bare bones Internet Noise page created by Schultz are five suggestions for protecting privacy: install https, donate to the Electronic Freedom Frontier, consider Tor or using a VPN, or install Privacy Badger.

And don't forget to scream at your provider. Give them a call and find out what data they are collecting. Try to opt out - but don't trust them. More articles will be coming out about which providers offer the most privacy protections - and I doubt Comcast will make the list after donating to politicians to get this legislation passed. With luck, some providers may even discover that ensuring privacy offers a big competitive edge.

The Scream in pastel, 1895, by Edvard Munch, courtesy of Wikipedia Commons. 

Privacy

At least one major telecommunications firm - the one I depend on - has changed its privacy policy to advise customers that they must comply with government requests to collect our connections and data.  The privacy policy was updated soon after a former National Security Agency contract worker exposed secret surveillance programs involving telecommunications firms.

Siobahn Gorman and Jennifer Valentino-DeVries report for the Wall Street Journal: 

"The National Security Agency - which possesses only limited legal authority to spy on U.S. citizens - has built a surveillance network that covers more Americans' Internet communications than officials have publicly disclosed, current and former officials say. The system has the capacity to reach roughly 75% of all U.S. Internet traffic in the hunt for foreign intelligence.... The programs, code-named Blarney, Fairview, Oakstar, Lithium and Stormbrew, among others, filter and gather information at major telecommunications companies. Blarney, for instance, was established with AT&T Inc., T -0.92%former officials say."

So I called AT&T today, introduced myself as a customer and asked if my data had been passed on to the NSA. My call was forwarded to the president's office and customer service.

"Customer service has no way of finding this out," responded the young man. "This is way beyond the scope of customer service." He added it was his understanding that the company was complying to "a legal request" of a government agency.  "The company has no choice but to participate and we can't share with you the level of participation."

As explained in previous blog entries, a mystery author who researches and writes about Afghanistan and terrorism and women's rights has reason to be concerned about compromised data and content. Notably, the new contract with my publisher prohibits submission of manuscripts by email and requests submission by physical disk and mail. Authors, business owners and anyone who prepares creative content can no longer trust that their trade and creative secrets are safe from government prying or abuse of unscrupulous government employees.  

The privacy policy is an eyeopener:

We may provide Personal Information to non-AT&T companies or other third parties for purposes such as:

• Responding to 911 calls and other emergencies;
• Complying with court orders and other legal process;
• To assist with identity verification, and to prevent fraud and identity theft;
• Enforcing our agreements and property rights; and
• Obtaining payment for products and services that appear on your AT&T billing statements

 The policy also points out it collects "anonymous and aggregate data" from customers on its own, separate from government surveillance requests:

• We collect some information on an anonymous basis. We also may anonymize the personal information we collect about you.
• We obtain aggregate data by combining anonymous data that meet certain criteria into groups.
• When we employ non-AT&T companies to anonymize or aggregate data on our behalf, the requirements for sharing Personal Information with non-AT&T companies apply.
• We may share aggregate or anonymous information in various formats with trusted non-AT&T entities, and may work with those entities to do research and provide products and services.

The policy also allows the company to keep "information about you in our business records while you are a customer, or until it is no longer needed for business, tax, or legal purposes." We cannot say we weren't warned, and we deserve as much for years of ignoring terms of agreement for software and services.

One contradictory aspect of the policy, though, is under the section on Customer Privacy Controls and Choices: "You can review and correct your Personal Information collected by us."  But how can we manage that if the company is prohibited from telling us what is being collected and how it is interpreted?


In calling AT&T corporate offices, the phone message responds: "Our vision is to connect people with their world and to do it better than anyone else."

AT&T: Your World Delivered. To the NSA?

Core values

The National Security Agency website includes a section on its core values, and this provides a hint of what’s gone amiss in recent weeks after a young contract worker revealed the extent and names of secret surveillance programs.

The NSA approach detailing core values is unusual, largely relying on an interview with an individual to detail an organization's core values. The interviewer is anonymous, presumably posing questions that typically would come from the public. Anyone familiar with procedures of US government offices knows that the interview was not spontaneous. Questions were carefully selected, the webpage and the interview drafted, then reviewed by dozens of employees besides Deputy Director John C. Inglis, the lead senior civilian NSA employee, and revised numerous times. So readers should bear this in mind in reading the quotations attributed to Inglis.

At any rate, the interview lists NSA's core values – law, honesty, integrity and transparency – in text and video. Inglis' responses on core values emphasize "law," and this may explain the tension  between the NSA and privacy advocates, between NSA and congressional critics like Ron Wyden of Oregon, between the NSA and former contract employee Edward Snowden.

Strict adherence to the law is by no means a guarantee of morality. "Moral integrity and responsible citizenship, understood merely as “good heartedness”, are themselves susceptible to manipulation by propaganda," explains an abstract of an essay by R. Paul posted by the Critical Thinking Community. "The human mind, whatever its conscious good will, is subject to powerful, self-deceptive, unconscious egocentricity of mind. The full development of each characteristic - critical thought, moral integrity, and responsible citizenship - in its strong sense requires and develops the others, in a parallel strong sense. The three are developed together only in an atmosphere, which encourages the intellectual virtues: intellectual courage, intellectual empathy, intellectual good faith or integrity, intellectual perseverance, intellectual fair-mindedness, and faith in reason. The intellectual virtues themselves are interdependent." 

The Inglis interview includes several references to law and adherence: 


“The word compliance has many meanings, but at the National Security Agency, we try to effect that the following way: we first hire people who understand that lawfulness is a fundamental attribute. We ensure that the people that we bring enjoy the values that we hold near and dear. We then understand what the rules are that pertain to our business, and we try to master the spirit and the mechanics of those rules, in all of the procedures that we bring to bear.”
 
“Respect for the law at NSA means that we understand both the spirit and mechanics of the law, and that we fully embody in our actions a respect for both.”
 
“….from the moment we design our systems, to employing those systems, to sorting through, sifting through what we might get from those systems, ensure that at every step of the process we worry not simply about what we've obtained, but whether we had the authority to obtain it and whether we've treated it in exactly the right way.”
 
“The oversight that's in place to make sure that the Agency does not cross the line, that it is entirely lawful in the conduct of its activities, is multifaceted and overlapping. First we ensure that we hire employees that have a respect for the law. We don't hire just anyone; we're not simply after people who have technical competence; we want to make sure we hire people who enjoy our values, who will support fully the Constitution.”
 
To his credit, Inglis touts respect for "both spirit and mechanics of the law."  But can NSA activities meet the letter of the law if most citizens, and even most legislators, are kept ignorant of what the law entails? If most employees, let alone contract workers, do not understand the exact nature of their duties before entering these positions and there is no clear, non-punitive path for discussing the most troubling aspects? Can the activities satisfy the law if attorneys and administrators search for loopholes, twisting policy interpretations in ways that weaken or circumvent original intentions?

As we know, many laws – especially those that once mandated discrimination and criminalized the people who battled that discrimination, and this history is relevant to NSA policies and profiling methods – do not stand the test of time.  In the span of less than fifty years, Martin Luther King went from being a target of FBI investigations to having the honor of a national holiday.  The government has not learned that ignorance and stubborn pushback will only spur more activism, investigative reporting and debate.

NSA officials should take note and move carefully and deliberately with their investigations, avoiding sweeping collections. In a democracy, the targets can emerge as heroes.

~~~

Information is essential for democracy. "Poor public access to information feeds corruption," suggests Laura Neuman in "Access to Information: Key to Democracy," for the Carter Center:  "Secrecy allows back-room deals to determine public spending in the interests of the few rather than the many. Lack of information impedes citizens’ ability to assess the decisions of their leaders, and even to make informed choices about the individuals they elect to serve as their representatives." Of course, security is an area where access to information is limited, but citizens have the right to set the parameters to the actions undertaken in their name and expect those parameters to be respected and enforced.

The essay goes on to suggest that "blanket exemptions – that is to say, an exemption that covers, automatically, a category or type of information – are unwelcome, often unnecessary, and risks serious abuse."

Abuse is inevitable in surveillance systems, especially when "low-level NSA workers can initiate the collection of any U.S. citizen's electronic communications on a whim." Just as one man accessed documents inappropriately and released them to the world, another employee could just as easily have used surveillance equipment to target a personal enemy or listen to conversations about secret business deals and then make investments based on the inside information. We simply do not know. But imaginations are running wild among novelists and screenwriters. 

~~~

Strict adherence to law does not necessarily coincide with morality. Morality is not blind adherence to some dogma, but rather the lifelong acquisition of a conscience, the ability to sense right from wrong and understand the nuances of intention. Often the most skilled investigators are those who decline to simply accept orders and have the ability to analyze laws, policies, cases and context. Independent judgment is required in every task of high-level security employees, as they collect data, decide which connections warrant further scrutiny, examine intentions and context, and follow up.  

Both law and morality channel individual behavior, explains Steven Shavell in his 2002 essay “Law Versus Morality as Regulators as Conduct” in American Law and Economic Review. In several sections, he addresses how information influences the application of moral versus legal rules: 

“In the application of legal rules, certain information is needed. But information can be difficult to acquire or verify, such as that concerning whether a person committed a crime and, if so, what exactly the circumstances were. The difficulty associated with substantiation of information has two disadvantageous implications. One is that errors may be made…. The other is that legal rules are sometimes designed ina less refined manner than would be desirable if more information were available…. In summary, it seems that the informational burdens associated with the application of legal rules may constitute a significant disadvantage, leading to error and to use of simpler-than-otherwise-desirable rules. Application of moral rules with internal moral sanctions does not suffer from these problems, as individuals cannot hide from what they know about themselves.”
 
“Law may enjoy advantages over morality due to the ease with which legal rules can be established, the flexible character of law, and the plausibly greater magnitude of legal sanctions over moral sanctions. Also,the presence of amoral individuals can be a factor of significance favoring law, as can be the presence of firms, for whom moral forces are likely to be relatively weak. However, morality may possess advantages over law,because moral sanctions are often applied with higher likelihood than legal ones (notably, internal moral sanctions apply with certainty), may reflect superior and more accurate information about conduct, and may involve lower costs of enforcement and of imposition.”
 

Shavell also points out that, internally or externally, "moral incentives may be diluted" within firms and organizations:

"Internal moral incentives may be less effective in the setting of the firm because decisions within firms are often made jointly by groups, or influenced by orders from above, or acted upon and influenced by subsequent decisions made below. This may serve to attenuate the sense of personal responsibility for one's acts and may reduce the sharpness of moral incentives." An organization's employees can follow orders and trust assurances from superiors that the law is being followed.

"external moral incentives have unclear force in relation to employees of firm. [Again,] responsibility within a firm is often diffused, so that there often will not be specific individuals within firms whom outsiders to firms will want to punish for wrongful behavior. Also, a firm may have an incentive to conceal the identity of responsible individuals within just so they can escape external social sanctions."


We know little about the chain of authority for Snowden, his employer Booz Allen Hamilton or the NSA. Arrangements with contractors only muddy procedures and dilute responsibility. So far, no one in power has offered a detailed, appropriate path that someone like Snowden could have taken when troubled by agency processes. He could have approached Senator Ron Wyden's office, but the most likely scenario is that Snowden would have been ignored. The public release of the surveillance programs have instigated review and revived debate over the value of contractors for public service and morality of the Patriot Act and NSA surveillance.  

Someday we might learn if Snowden even tried to approach a supervisor or government official. Of course, contracting firms are notoriously keen on ignoring individual concerns and preserving the flow of federal dollars that come their way. And while some government administrators are superb in accepting criticism, too many others are selfish, ambitious, fearful bureaucrats who take any question or criticism as a direct attack on their own judgment. Employees who dare suggest improvements or raise questions quickly learn to expect an ugly backlash.

So many whistleblowing cases might be avoided if the US Government Accountability Office conducted serious study of employee morale in federal offices, applying special scrutiny to offices and programs with high turnover rates. Emerging moral dilemmas would be identified more quickly with regular employee evaluations of office procedures and supervisors, preventing retaliation from supervisors. The US Office of Personnel Management should end immediately the irresponsible, unethical practice of supervisors conducting exit interviews for employees.

~~~

Later in NSA core-values interview, Inglis is asked, “What are the rules for retaining data on a US person?”  He focuses on “what are the rules that allow me to get that data in the first place?” He goes on to compare explicit authority with implied authority, the need for individual judgment, and the obligation to purge data that did not meet the rules around authorization: 

“Those rules are very carefully constructed; we have to have explicit authority, not implied authority, but explicit authority to go after anything in cyberspace, and therefore, if I was to target communications, I need to make sure that I can trace that authority back to an explicit law or court warrant. At that point, I have to make a decision as to whether this in fact was responsive to the explicit authority that I had; I may collect information that's incidental to that. It may have seemed to me up front that I would get information responsive to my authority, but I didn't. I have an obligation to purge that data, I have an obligation to not retain that data. So that at the end of the day, those things that I've gone after I simply didn't have the authority for, but it's the authority plus… it played out just the way I had imagined, I got exactly what I was authorized to get, and I retain only that data.”

It appears the agency retains non-content data for much longer periods than indicated in this interview, and that should end, at least according to the American Civil Liberties Union, which describes data being "dumped into something called the 'corporate store,'" for later access. In the least, Congress must ensure a firm end date on data storage. No one should be judged or investigated based on comments they made years or even months earlier if no illegal activity ensued. Citizens have a constitutional right to free speech (first amendment), and they also have a right to change their mind (fourth amendment).   

~~~

Among the more troubling aspects of the NSA debacle is a prevailing US attitude on human rights – with suggestions by even the president that expectations for privacy are reserved for US citizens. Inglis is more specific on this point than the president:  “The intelligence that we are authorized to collect, and that we report on, is intelligence that bears on foreign adversaries, foreign threats, more often than not, located therefore in foreign domains.”

Human rights are universal, and the US legislators and courts will debate and decide if privacy of ordinary phone calls and emails is such a right.

The United States stood as a beacon to the world, regarded as exceptional by global citizens, not because of its military capability or the ability to keep secrets, but because of economic opportunity, innovation, respect for openness, individualism and freedom. US citizens or foreign visitors suddenly feel the need to engage in self-censorship. Until political leaders can assure global citizens that the NSA has ended the intrusive data collection and storage efforts, internet users should click with caution.   

The Inglis interview was posted on the NSA website in 2009 and last modified in January 2013, before Edward Snowden exposed NSA programs. Photo of empty computer lab, courtesy of Shirley Ku and Wikimedia Commons.

Bias?

As the author of a mystery novel set in Afghanistan, I have often wondered if my internet wanderings have triggered alarms among analysts at the National Security Agency. And as reports emerged abut PRISM, I filed a request with the NSA’s convenient online form – inquiring about any files with my name or the title of my fourth book. 

I would not be surprised if the months of research for the novel, Fear of Beauty, set in Afghanistan, didn’t hit some nerves. The story is told from conflicting points of view of a rural and illiterate Afghan woman and an Army Ranger, with a plot focusing on extremism, varying interpretations of the Koran, weapons and war, conflict among members of a provincial reconstructions team, surveillance and more. So I headed to the National Security Agency’s web page on the Freedom of Information Act and found: “If you are seeking personal records on yourself (i.e., security, medical, personnel, applicant, etc.) or the reason why you were denied a position with this Agency, you will need to submit a PRIVACY ACT (PA) request instead of a Freedom of Information Act (FOIA) request.”

After filing a request, I stumbled on the advice from the National Security Archive for filing a FOIA request – and that advice could be a model for the National Security Agency as they go about the business of collecting and storing vast amounts of our personal phone and internet data.

The archive warns the public seeking FOIA requests that obtaining records can take a long time and be costly.   Many documents are already public available – and alternative sources should be checked first. “Overly broad requests are wasteful in time (yours, and the government’s),” the site notes. Appeals can be filed, and the public is advised to check in occasionally, but not harass the FOIA officers.  

Long delays can be expected and the site notes that “agencies that handle national security information have delays ranging from a few months to several years…. Delays are exacerbated by the fact that, for most agencies, FOIA is not an agency priority -- budget or otherwise.”

Finally, the archive advises:  "Don’t send frivolous letters or file pointless appeals; they will delay the processing of yours –and others’ – requests."  My request was not frivolous, and the NSA and our political leaders need to know that a huge range of Americans, of all ages and backgrounds, are concerned.

A response arrived in less than two weeks, notifying me the request was denied.  I won't appeal, but Congress must review these programs, and eventually much of the methods and data collections will be declassified to truly determine what works and what doesn’t. Transparency could contribute to ongoing public support of the widespread surveillance while eliminating the many questions and concerns. 

To conduct blanket sweeps on internet and phone conversations or not?  Blanket sweeps are time consuming and may not be helpful and the analysts have many alternative avenues to investigate. Opponents of gun control in the United States insist that blanket applications of background checks are ineffective – and that’s for actual weapons.  And perhaps that justifies outlawing the most lethal weapons, military-style assault rifles, just as government prohibits bombs, tanks and other military armaments. 

Of course, blanket searches of any type may eliminate some bias of targeted searches and profiling, but not the labeling and stereotyping that may go on among thousands of analysts with minimal education and training who have access to our data.

And that’s the most troubling aspect of these programs. Hundreds of thousands of contractors with questionable backgrounds seem to have access to data, with so much potential for misuse and a lack of accountability among the managers who devised this unwieldy system.

Congress needs to get straight answers on the operations of the National Security Agency – determining what kind of data should be collected, the appropriate number of analysts who need access, and the proper level of training. The House of Representatives hearing on NSA surveillance was a start.

NSA headquarters at night courtesy of the NSA and Wikimedia Commons.