Mainly: Powerful organizations tend to abuse their power. The NSA has a history of abusing its power. And there exists no truly independent check on NSA's activities, so the public has no way to know whether anything NSA says is actually true.
He dissects my bite-sized points rather cleverly, although his argument almost always hinges on a presumed nefarious application of capabilities rather than a deliberate assessment of actual activities and actions.
Yes. But the implication, and pardon me if I am reading too much into it, is that the "surveillance state" should be dismantled and reconstructed because of what harm it could possibly do. I also want to quibble with the use of the phrase "surveillance state." Not that it doesn't exist; of course it does. But the NSA, while being the most potentially powerful agent of surveillance, actually does a very very tiny fraction of the type of surveillance on Americans that makes people like Friedersdorf and me uncomfortable. Too easily, sometimes, Friedersdorf conflates NSA activities with powers and actions that other counties in this surveillance state might actually WANT to do.
At other points, his analogies dissolve under the weight of their own assumptions.
If I send an email to a person who checks a known al Qaeda email address in Yemen, maybe I'd get my name run through a few databases. I'm Jewish by birth. Friedersdorf provides us with the hypothetical example of a Muslim who sends an email to a relative in Yemen expressing a political opinion that he believes the NSA would find controversial. In point of fact, any email from me to a known al Qaeda email has a far greater potential of being collected than a random email sent by a Muslim-American. How do I know this?
Because the potential intelligence value of knowing that Marc Ambinder is communicating with the person who checks a known al Qaeda email address is far greater than the intelligence value of making a judgment about someone's personal opinion. IF the NSA actually collected THOSE emails, THEN I would worry about the chilling effect on the American Muslim's rights to believe whatever he wants. But the assumption-upon-assumption-upon-assumption that NSA CAN easily collect that sort of email, that the agency would violate the law to do so, and that it DOES, because it somehow has a bizarre interpretation of foreign intelligence or counterterrorism value, is not reasonable. It is simply a fear.
Fundamentally, though, I worry that the gulf between the NSA and its critics may be too wide, and unnecessarily so. That is one reason I write the way I do: To try and foster a better understanding. I write not to excuse, but to try and tear away the hyperbole from what actually happens. As I've written many, many times, I am an advocate of significant reforms. I spell some of them out below.
Jennifer Gralnick, a scholar of civil liberties, sat down with DIRNSA, Gen. Keith Alexander, a few weeks ago. In her account, Alexander seems obtuse. He doesn't understand her skepticism. We do what we do. We have a history of doing this. It's always been this way. Can't you see it? Don't you see the threats? We have no interest in spying on Americans. That's totally outside our ambit.
To which her reply is:
You're not a bad man. You just don't get it.
But let's examine the government's position a little more. In essence, its argument is that NSA belongs to a different realm, a magisterium that does not really overlap with society. The fruits of its collection enable that society to function freely. The NSA would not be the NSA if the values held by civil libertarians migrated to its heart. Stanley Fish's illiberal advice to his fellow English professors rings in my ear as I hear Alexander and other government officials speak.
NSA claims that it protects civil liberties. But its definition of protection is not the same as the one used by those who aren't part of the initiate. It never has been.
In 1975, the Church Committee hearings dislodged NSA's ignominious history: At the direction of Presidents Kennedy, Johnson, and Nixon, the NSA collected information on Americans who protested the Vietnam War or who otherwise belonged to a disfavored political movement. It intercepted all telegrams exiting and entering the United States. It worked with the FBI to compile dossiers on about 75,000 Americans during the peak of the Vietnam War. At the time, any oversight of NSA was purely (and barely) limited to its budget. The agency simply refused to provide information to Congress, and Congress was extraordinarily deferential.
Flash forward to today: The intelligence community in general and NSA as a discrete entity are subject to more oversight by more people than at any time in their history. I don't just mean in raw numbers: There are inspectors general upon inspectors general, 60 cleared staff members on the intelligence, appropriations, and armed services committees, and now, an army of internal compliance officers — more than 300, according to NSA. There are also more laws, and better yet, executive orders, and an agency culture that was, until 9/11, decidedly British in its reservations about snooping on Americans.
As Joshua Foust points out here, the NSA's (yes, self-reported) compliance record is fairly remarkable given how complex the signals intelligence enterprise is. But that doesn't matter. The public, by design not possessing any understanding of signals intelligence, and never being subject to any explanation of how it works, will perceive the NSA's triumphalism as a deceitful feint.
How can we bridge this gap? For starters, quite simply, no more secret law. If the president believes he has the authority to kill American citizens overseas under certain circumstances, he must for the sake of legitimacy state that for the record. If the NSA believes it is entitled to collect the phone records of Americans in order to look for intelligence of value, it must for the sake of its own legitimacy explain why. If the NSA's authorities do diminish significantly after this debate settles down, it will be because of the executive branch's well-intended but ultimately self-defeating understanding of its own imperious policies. No more secret law.
NSA needs to try and meet Gralnick and my friend Conor halfway. This is what we do. This is how we do it. These are how we define our values. This is why we make mistakes. This is the language we use to efficiently perform our functions. It needs to be self-aware. Declassifying documents and legal opinions is a good first step, even if done for prophylactic reasons. But the agency has to get treatment for its oppositional defiant disorder. The membranes around NSA are becoming permeable.
The NSA and the activist community have entirely different conceptions of oversight and compliance. It will be tough to square the two. NSA needs to come closer to the activists, but the activists must layer their skepticism with pragmatism and context. NSA knows that it has never been subject to as much outsider oversight as it is today. The organization needs to recognize that four years' worth of a solid compliance record set against a history of absolute secrecy and significant and harmful violations is not a sufficient defense.
The vast majority of Americans are somewhat in the middle, but I'm fairly certain they'll gravitate toward the activists' worldview on these matters. So "activists" is an appropriate stand-in for "the people of the United States of America."
The activist community needs to understand the limits of independent compliance assessments. For example, when the NSA says that the vast majority of its FISA Amendments Act compliance incidents are related to foreign targets who travel to the United States, activists should understand that an NSA analyst is not going to be punished for a bad guy's decision to travel. (Indeed, the "roamer" problem is evidence that NSA's surveillance net is quite permeable.) Roaming violations are beyond the ken of accountability, simply because they are. The same goes for typographical errors. There is no "punishment" that is appropriate.
Perhaps NSA can institute an accurate typing requirement, but when the compliance violation amounts to a mistyped query, one that is discovered and reported, there is no reasonable reason to demagogue this error. The only world within which an analyst should be or could be punished for an error like this is a world that does not permit NSA to collect significant amounts of raw data, or look at government watch lists, or cross-reference a tip that, say, an American citizen goes to Yemen, communicates with a known target there, and then returns to the United States with a bomb in his underwear. Failing to distinguish between incidental and purposeful privacy violations, and making an analogy between purposeful privacy violations and other much more tangible harms, makes any sort of compromise or practical reform untenable, or unacceptable.
In part because of the work of those activists, the NSA is evolving in the right direction. We can postulate scenarios where its capabilities allow it to abuse its authorities, but on the basis of what we're seeing and hearing, and what actually happens, NSA is not abusing its authorities. It is exercising them.
Some of those authorities are exceptionally broad, spelled out by a 1981 executive order that limits Congress' ability to oversee these particular activities. So-called 12-Triple-Three incidents are more common than FISA Amendments Act violations. But Congress built into the law a regime of compliance that includes site visits, 12 reports a year, numerous hearings, Justice Department reviews, and more. NSA must comply — but only for its FISA — that is, collecting domestic or border-transiting communication — programs. E.O. 12-333 authorities spell out what NSA can do overseas to foreign targets. Since the line between domestic and foreign is not clear, a function of how the telecommunication system has evolved, Congress should write the 12-333 authorities into a law, and mandate a compliance regime that mirrors the FISA oversight.
Because Friedersdorf and Gralnick speak in generalities, I want to delve into the two specific policy objections that Sen. Ron Wyden and Sen. Mark Udall have with NSA's current practices. They believe that Section 215 of the PATRIOT Act does not by intention authorize the bulk collection of telephonic metadata. I agree. The executive branch secretly and rather unorthodoxly interpreted the provision to give it the authority to do what it was already doing. That was a mistake. And absent solid evidence that NSA can't find a better way to quickly obtain and query call records, it should dispense with the too-cute-by-halfness.
Wyden and Udall call this a deception; a willful misinterpretation of the law intended to justify a program that skirts the boundary between reasonable and unreasonable privacy in our papers. It DOES matter that NSA has it, not just what they don't do with it. I don't agree that the practice is particularly harmful, but it does not have to be harmful to be unwise.
Wyden and Udall also object to a recent policy change by NSA regarding the data it receives directly from companies — the so-called PRISM program, which makes up 90 percent of the FISA Amendments Act collection. Until recently, analysts could not use "U.S. persons identifiers" — firstname.lastname@example.org, or (202) 444-5503, or "Marc Ambinder" — to analyze PRISM data. The NSA and CIA in particular found this prohibition too onerous. What the NSA has not explained is that the universe of U.S. persons identifiers is very small. To run U.S. persons identifiers against the PRISM database, the identifier itself must be precleared by the FISA compliance office. There must be a reason why querying that identifier is capable of producing intelligence. The NSA likes to speak of identifiers as if they don't belong to real flesh-and-blood humans, but they do. And I predict that the intelligence committee will ask NSA to stop querying U.S. identifiers against the PRISM data, especially in light of the scrutiny on the agency.