I recently conducted a wide-ranging Q+A with the ACLU’s chief technologist, Chris Soghoian, on a range of topics, from the “fraudulent” nature of the recent debate over Section 215 of the Patriot Act to the dire need for more technological expertise among those tasked with overseeing the Intelligence Community in the 21st Century. Another part of our conversation was particularly relevant to those who worry that the end of bulk telephony metadata collection is the high-water mark for intelligence reform. Our topic: The lack of attention to the fact that much of the US’s massive surveillance infrastructure is used for top secret purposes only loosely related to national security. While US intelligence agencies portray themselves as using their dark talents against ne’er-do-wells, the reality is far different, argues Soghoian. He took particular issue with the NSA and its foreign partners like Britain’s GCHQ doing things like snooping on the employees of technology businesses in order to exploit their products for espionage purposes.
Below is an edited and condensed version of our conversation about some of the ways the NSA uses its powers to do much more than catch terrorists or divine the decision-making within the Kremlin walls.
JR: What are we missing and what aren’t we focused on? Where should we be looking next in terms of digital surveillance reform?
CS: I think that the bulk of what NSA does that bothers me isn’t the collection of data about terrorist suspects. It’s everything else that NSA does. The legal community has done a really bad job of checking the government on their statements that this is about terrorism. So much of what the NSA does is collecting information on foreigners that might be interesting to the government. Not that are going to help them prevent a terrorist attack, not that are communications between Vladimir Putin and the Chinese Prime Minister, but they are of some kind of national interest to the US. Whether it’s information about trade deals being done or business deals between companies. Jack Goldsmith has been very good about pointing out the hypocrisy in our accusations about China. Basically the NSA’s argument is, “We don’t do economic espionage but the Chinese do.” As long as you solely view “economic espionage” as stealing information and giving it to companies. We just steal information and use it for ourselves.
One of the things that has become apparent in the last year — looking at the breach by GCHQ of Belgacom, Belgium’s largest phone company, then looking at the story in The Intercept about the hack of Gemalto, the French/Dutch manufacturer of SIM cards — is NSA and GCHQ essentially think that any engineer who works at any company is fair game. Because they are a means to an end. The people who work at Belgacom were not terrorists, they were not pedophiles or drug dealers. Belgacom itself was not a criminal enterprise, they were a phone company. Gemalto was not a criminal enterprise and the people who worked there had children and mortgages and salaries and they went home at night to see their husbands and wives. They were regular people. And here we have a situation where this intelligence apparatus turned on innocent, law-abiding engineers. These people are systematically targeted by the IC because they have something that might be useful to the government down the road.
Normally when we think of innocent people being swept up, it’s “Oh, this is incidental collection. We were looking for the bad guys, but we accidentally got your emails.” Or “we’re trying to drop a bomb on this bad guy, but you live next door. So sorry, the bomb blast went a bit too big and we accidentally knocked down your house too. Sorry.” The targeting of engineers is not incidental. It’s intentional. We’re not accidentally sweeping in the emails of Gemalto. There are analysts typing those email addresses in and then triggering them for malware delivery. These people are the targets. And in his speech last January — a year ago January — the President basically told the world, if you’re not doing something bad the NSA doesn’t care about what you’re doing. But that’s actually not true; it’s not if you are doing something bad, it’s if you are not doing something interesting.
I think that the legal community has done a really, really bad job at allowing the government to frame this in the context of “we’re just going after bad people.” When, in fact, many of the people they are going after are interesting. And to get at those interesting people, they are willing to burn every bridge, they are willing to set fire to every house, and they are willing to hack into any server to get there. And I think when you understand how they do that, and the ends justify the means approach, I think it delegitimizes the entire regime of surveillance. I didn’t sign up for a system where the government can hack anyone they wanted to just because they might be useful. Even I think that surveillance of terrorists is a good idea, but I don’t think that the government should be able to hack into any computer in the world because it might be useful to get some information eventually to the point where they can spy on the really bad guys. And I think, when you frame it in those terms, I think a lot of what the NSA and GCHQ do becomes indefensible to the average person, and certainly to the technical community who are not happy that they themselves are now fair game.
JR: That reminds me of how one might talk with government officials on things as diverse as international climate change negotiations, and they’ll say, “Oh, we’ve got all of this information on our foreign counterparts’ negotiating stances,” and that information was provided by intelligence agencies like NSA.
CS: Well the government says that climate is a national security issue and so we want to know what everyone else is thinking. We want to have an edge. We want to be able to better argue and get what we want from the negotiations. And that’s fine, but at least be honest. At least say, well actually most of the surveillance we are doing is on people who aren’t bad guys, we just want to screw them. If you could read the emails of the guy selling you that used car, you’d probably get a better deal. And that’s really what it boils down to. We want to get the edge and we are willing to do anything to get it. And I don’t think that’s defensible or that’s something where you can say, “You know what, we are willing to set a precedent of anyone hacking anything in order to get that leg up in climate change negotiations.” And I’m someone who believes strongly in climate change. I think we should be doing something about it. But I don’t think that means that we should be hacking into any computer we want.
JR: What about rethinking how we grant these broad powers to the Intelligence Community?
CS: If the NSA only worked on terrorist stuff or was only monitoring the Chinese and the Russians, I don’t think they can justify the sheer expense of what they do. So I think all of the other stuff — all of the economic stuff and providing hacked minutes of the next climate change negotiation — I think that also gives the American government more bang for their buck for the investment in NSA. Even though it’s this thing that I think is least defensible. All those other intelligence products that the NSA can produce, they help other agencies and I think they keep it to say, well, this $10 billion dollar agency is worth it. And that ensures that their budget doesn’t get cut because it ensures that every other part of the government likes them.
JR: It’s true. They help everyone.
CS: They help everyone. Normally agencies are fighting for resources, but NSA makes every other agency’s job easier, all the agencies that they give stuff to. So you’re not going to try to have your allies’ budget cut.
JR: It sounds like the defense contractor strategy (spreading weapons manufacturing projects across the entire country to gain widespread Congressional support).
CS: Yeah, having the NSA providing intelligence to all of these other agencies is sort of like having 50 different pieces of an airplane built in 50 different states.