After having read the first half of Liberty and Security in a Changing World I was pleased to see the Review Group confirm many worries I possessed after having been introduced to the harebrained intrusion of privacy by the NSA through its bulk telephony meta-data program, including the “it’s just meta-data” justification proffered for the bulk collection. I am, however, concerned by the Review Group’s recommendation that meta-data is held instead either by private providers or by a private third party (Recommendation 5), and what this would look like in practice.
Meta-Data v Content
I was glad to see the Review Group allude to the ever shrinking distinction between meta-data and content, a distinction whose erosion causes this justification for bulk collection to collapse. I found a study finding empirically that “phone metadata is unambiguously sensitive, even in a small population and over a short time window”. It is clear that inferences from telephonic meta-data can be highly sensitive, ranging from political/religious affiliation to whether the subjects were gun-owners or abortion patients.
When we talk about meta-data on the web, the distinction becomes wafer thin. It would probably include meta-data embedded in the HTML of a web page, including a title, description, URL, site name, descriptor image, author name and/or email, and more. For search engines, it may even include the search query. In other words, get the meta-data and you’ve got the content. I haven’t quite made up my mind as to whether I care about my own data being collected and stored; at the minute I’m inclined to say that I’m not bothered unless it comes back to haunt me – but why would it? Who knows. In other words I don’t know what to make of the world or whether to trust my government. But if I did care, I now would care just as much about my meta-data as I would about the content of my communications. I therefore agree with the Review Group that the distinction between content and meta-data should be disregarded, and, if anything, the Group should have been more resolute in this suggestion.
Private Companies v The Government
My natural inclination is to trust private companies more with the bulk collection of my (meta-)data than the government. But why do I consider it to be more intrusive for the NSA or GCHQ to hold my data, rather than private companies?
For a start, the NSA retains its bulk-collection data for 5 years before purging it. Companies keep the data for as long as they are required to by law (18 months, I think), or for however long they need it in order to improve their services – presumably whichever is longer. Their purpose in collecting the data is not the collection in and of itself. An interesting aspect of the USA Freedom Act is that telecoms companies are only required to hand over the telephone records on individuals if any actually exist – they do not have to collect data that they otherwise would not. And there is probably no reason to think that our data is safer in the hands of the government than of private corporations in terms of data-breaches; both are vulnerable to cyber-attacks.
The subjective harm from not being able to trust your own government seems to be great in magnitude, and the Review Group points out that simply “[k]nowing that the government has ready access to one’s phone call records can seriously chill associational and expressive freedoms”. On the other hand, a private communication service provider which loses the trust of its customers is dealt with through the laws of demand and supply. We’ve seen a rise in companies that incorporate user privacy in their business models or mission statements as the result of the business value in championing privacy and fighting the NSA. When the WSJ juxtaposes Apple’s strong anti-decryption/back-door access sentiment with Blackberry’s more pro-government disclosure stance, there is a shift in trust for, and demand for, these companies’ products by privacy-conscious consumers (who are increasing in number). Unfortunately, what the government does behind closed doors has no requisite competitive constraint.
There is also the sense in which access to my data by the government for the purpose of investigating me individually becomes a lot easier and more efficient when it already has the data at its disposal. There are procedures in place to protect my data from being scrutinized (the “reasonable, articulable suspicion” test) even when the government holds all the data, but if it had to go through communications service providers in order to target my data individually there would be another obstacle to overcome. As we have seen data-collecting companies become increasingly transparent about their interactions with government surveillance agencies, and seen them become more litigious in the face of attempted access by law enforcement, we trust them more and more with every Business Insider headline. The increased respect and demand for privacy-championing data collectors allows the wedge between government access and private collection to grow. If a data-collecting organization gets a request that it considers to be unreasonably large in scope or otherwise unlawful/unconstitutional, it would be a fool not to litigate. Privacy advocates praise companies like Microsoft when they place themselves in contempt of court by refusing to comply with government requests. If private companies held our data, as per Recommendation 5, they too could “advertise that they don’t provide data to U.S. spy agencies” by fighting or refusing to comply with FISA orders.
Review Group’s Proposed Solution
This leads me to the solution proposed by the Review Group that the government queries the information directly from the relevant service providers after obtaining an order from the FISC, in order to “reduce the risk, both actual and perceived, of government abuse”. If I’m right that we should trust companies more with our data than we do bulk-collection by the government, any efficiency problems in querying multiple, privately held databases simultaneously and expeditiously that cannot be fixed by practice and understanding must be outweighed by the greater trust that people will have for the government (a key imbalance that the Group seeks to address), and further outweighed by the suggestion that having to obtain the data from a private corporation adds an additional layer of protection from potential abuse.
An added bonus is that, if we assume that the modern business derives great value from data-collection, and that it will collect data wherever/whenever possible when it can be monetized, the data would be stored in one place rather than two under the proposed solution (as opposed to bulk collection by both the NSA and the service provider), though this does not carry much weight with companies that do not otherwise want to collect said data.
I do not feel as though adopting the Review Group’s Plan B, viz. the collection and storing of bulk telephony meta-data by a specially designated private organization, would bring these same benefits. In fact, on the spectrum between direct NSA collection/storage and ad hoc NSA querying of individual service providers, the collection by a single corporation lies very close to the former. Harm to intellectual privacy stems from what we know or suspect actually goes on. I’m not going to trust the government any more with its data requests post-Snowden if it instead queries one single private organization. There is a sense in which the more famous the company — the more that it’s a household name and the more products of which we own and use every day — the more we learn to expect that it holds our data. The more famous the company, the more pressure, through consumers and therefore through markets, to champion privacy and maintain consumer trust. Previous authors have alluded to this distinction by saying, “You’ve heard of Google, Facebook and Apple, but have you heard of [list of data-brokers]?” Behind-the-scenes data collectors or aggregators suffer from a lack of trust, and trust is the key to the solution. So I agree with the Group’s first plan in Recommendation 5, but not with their alternative.