This report analyzes privacy issues surrounding the NSA, how they appear similar to those found in other sectors, and how lessons learned in one area may potentially benefit, or at least inform, other areas in pursuit of an equitable balance between the need to know and the right to privacy.
The National Security Agency/Central Security Service of the United States, or NSA/CSS, has inserted itself into the realm of Big Data. The intent of this report is to discuss how it has done so, and to analyze the issues and impacts resulting from its actions, both on the populace at large and specifically on Big Data. The report’s main conclusions and takeaways are as follows:
- The NSA/CSS (referred to hereafter in this report simply as the NSA) now has access to detailed information about much of the electronic communication in the U.S. This includes virtually all mobile communications, virtually all online communications, whether mobile or computer-based, and some landline business communications. It includes phone and data traffic originating inside the U.S. and terminating either inside or outside the U.S. The NSA also has access to most of the credit card transactions occurring in the U.S.; and, as an addon to its 24/7 surveillance of U.S.-based mobile communications, the NSA is also tapping into the most popular mobile phone applications, including Angry Birds.
- The NSA is collecting data from these sources as a result of agreements it has specifically imposed on mobile operators and Internet infrastructure providers—through electronic “back doors” it has persuaded providers to insert in their software and systems, and through its own ability to troll communications highways and collect data at will. Providers such as Google have angrily denounced the NSA’s actions, and claim to have agreed to no such thing; but whatever the case, the end result is the same.
- The NSA claims to simply be interested in, and collecting, metadata, a term that is roughly equivalent to “data about the data.” In the case of what the NSA is claiming, this means information such as call origination and destination points, call duration, where someone accessed the Web and how much time they spent online; not the content of calls or emails. Yet, the NSA is hard at work cracking the code, so to speak, of Secure Sockets Layer (SSL), the protocol that, until now, has kept the content of online communications and transactions hidden from prying eyes. The NSA has also now set its sights on the Advanced Encryption Standard (AES), which is an encryption algorithm for securing sensitive but unclassified material by U.S. government agencies, and is being used more and more for commercial transactions. The NSA’s actions with regard to SSL and AES have “content inspection” written all over them.
- The NSA is far from the only entity that appears to be trampling on the notion of personal privacy in pursuit of information it believes it needs to achieve its ends. The private sector, too, is teeming with examples of companies obtaining personal user data through questionable means, and deploying it in even more questionable ways.
- Concepts and technologies currently in use or development, such as Harvard University’s extensive work on Differential Privacy, are predicated on the point raised in the previous bullet: threats to privacy occur in the private sector and academia as well. Differential Privacy leverages the commonalities across sectors to point
- The upshot of all of this is that, while privacy is already threatened or extinct in a growing number of places, the NSA’s actions are accelerating and expanding this phenomenon. That is already sufficiently concerning in terms of quality of life; but further, since electronic communications are the lifeblood of a great deal of commercial activity, the NSA may also begin to have a chilling effect on the U.S. economy.