PRISM Leak: Understanding How Surveillance Works

In the backdrop of the recent National Security Agency (NSA) surveillance program leaks, Newsclick discusses with Prabir Purkayastha on how governments use telephone records and internet traffic as methods of surveillance, and how that information contributes to intelligence briefing. Questions on breach of privacy have become more or less insignificant. The most important question now is how to prevent misuse of the data that has already been collected.

Rishab Bailey (RB): Hello and welcome to Newsclick. The last few days have seen a number of stories leaked by the Guardian, the Wall Street Journal and the Washington Post about the excessive surveillance carried out by the US government. The National Security Agency using law such as The Patriot Act and FISA has been tapping both telephone conversations as well as accessing data from internet service providers. To discuss the issue, we have with us today Prabir Purkayastha from the Society for Knowledge Commons. Hi Prabir. Welcome to Newsclick. Could you please briefly run us through the contents of the exposes carried out by the Guardian and the Wall Street Journal. What methods of surveillance are actually being used by the NSA?

Prabir Purkayastha (PP): Well, the NSA has two things which they seems to have done, which is what has come up in public. One is of course, the telephone records which is what they have been called as meta data. Now, meta data means that you are not actually listening to the actual conversation, but pretty much, everything else including where you are located, what's the duration of your conversation, what time it was held, to whom you are talking to and so on. So it seems pretty much that all the information that is there which is contextual is being captured and it is captured on mass. It is really the telephone company has been asked to provide for all subscribers and it doesn't seem to be something that is exceptional. It seems to have been served on all the telecom companies. So we have to assume that the entire subscriber what is called the meta data, the data about the transaction that the subscriber does with the telephone company is being handed over to the National Security Agency, the NSA. The second part of it is, what it is called the internet traffic. Now, there has been an earlier case also where it had been, and it's still going on in the US Courts that where the AT&T's entire traffic from San Francisco, one of the switch rooms has been given or diverted using a splitter and taken to an NSA room. That meant pretty much what was called not a ware tap but a country tap. Now this seems to be related. Not to AT&T or telecom companies or those who own the ISPs but related to what are called the internet companies which are google, microsoft, yahoo, apple and so on and of course, facebook. So essentially it is being talked about that here it is not internet meta data but it is actual content - whatever you are doing that is being supplied. Interesting part is, due to, again various accounts indicate that lot of the information today which is used in the intelligence briefing of the government officials come from this kind of data and it is said, could be anything between 75-80 percent of all the intelligence briefing today is based essentially on NSA's snooping. So also it is important to realise that this internet traffic that has been tapped is of American as well as non American and a lot of it is coming really from what are called the email services. In fact, most of this seems to be coming from three, which is yahoo, microsoft and, of course, google because all three as you know, have large or extensive email services - yahoo mail, google mail and of course, the old and trusted hotmail. So this is the core of what seems to have come out. It's been pretty much what has been discussed about a long time. It is only first time now we have official confirmation, at least a court order which is the FISA order and what it is now is a power point presentation, a confidential power point presentation which says what is it that it was doing to the internet snooping, what is called the PRISM programme.

 

RB: Now speaking first about, you said they are collecting meta data which is information about a telephone call. So what exactly can this information be used for and why is it a problem that security agencies are examining this information?

PP: You see obviously the security agencies would like to know who is talking to whom, this is the key issue that they are really focusing on thereby building with other information that it has access to - may be the credit card information, may be your insurance information, your health health information. If you put all of it together you have a pretty much complete profile of the Individual. What he does, where he does it and so on..whom he calls. It also means that, lets look at it. Suppose you are a journalist and you have access to government information which you have printed. Now if I have your telephone data, that means that pretty much I can find out who is the likely leak who has given that information. So, all the protection that a journalist is supposed to have, regarding the not betraying of the source and so on, all that pretty much goes. In fact, it is interesting that this data that is being asked of, is across the county, across board. While in the AP case, this is exactly the kind of data that justice department has actually tried to seize and there was a huge hue and cry about the APs, how this kind of data is being sought for and how this is not good. Now, here it is not one news agency but it is across the board, everybody. So you can see that the extent of this is enormous. The other thing is that you can also look at, for instance, the government wants to know who the dissent is. You remember the Vietnam Times, for instance. There were blacklist mail of the people whom the government didn't like. Nixon had his own personal blacklist and so on. So here you can actually expand the list of people who are against you and then say, well, will he get a job, will he get a contract, will he get this, will he get that. You can decide pretty much how you would like to handle the individual as a state and you can also blacklist him from the industry by telling him: look, we don't like him, so don't employ him. And this is what in the 50's was the Mc Arthur period, this is what was done. Across the industry, particularly at that time the film industry, people who were blacklisted didn't get a job. So you have enormous potential for misuse, if you know who the people are who you don't like, who they are talking to. You can pretty much map what is happening; you don't need to know the content. By looking at who people are talking to, you pretty much get a clear picture of what the content of that conversation is and then, of course, you can always ask for the content of the conversation if you want any further information.

 

RB: But these programmes have been defended by various senior officials including by President Obama on the grounds that national security needs require this sort of information to be collected in today’s day and age and also that there are adequate checks and balances in the system to ensure that civil liberties are protected. What is your take on that?

PP: Well, it is clearly the cheques and balances are not working because the assumption that people have is that individuals may be targeted for security purposes but not that every citizen, every record, transactional record has been stored and then processed by what are called data mining methods. So pretty much that everybody's everything is being tracked, except that the content is not being tracked of the conversation but everything else is, was not something that the people really thought was what was being done. So people thought it was targeted. What has now appeared very clearly that this was completely across the board and thats what makes it qualitatively different. And the kind of information also is qualitatively different. It stays permanently. It's being hosted in this huge facility in Utah where all these data banks are being built. So this is in perpetuity. So what you have done in the 20s, can 25 years later, you occupy position of power; somebody can use it in order to blackmail you in different ways. You can imagine, it was said that Hover, who was an FBI director, had records of every politician in the United States and used it for a very long time to retain his powers and now you can imagine that these kinds of data banks are going to be there in perpetuity. The problem, of course, which people are not realizing is that those who are powerful think they are the ones who can surveillance the rest. But unfortunately as the Petraeus case shows that even a lowly person who has access to the data can then have run surveillance on anybody. So this is really an all pervasive intelligence security state you are building and we are coming into a scenario where at least in the United States, big brother knows all not only about US citizens but pretty much about every user of the internet and that is a big threat because while you are talking about civil liberties protection for US citizens, rest of us who use the internet, use facebook, use google, we have no protection whatsoever. And therefore, it's really also about rest of the world which is not what is coming into the civil liberties debate in the US for instance.

 

RB: You have briefly touched upon one, which I think is one of the biggest problems when we are dealing with one of these issues, in that how do you make people realize that it is an actual problem and it can effect their lives. Most people don't seem to have any problem with either putting up huge quantities of information on facebook or internet in general. And secondly, there is always a strain of thought that says that if I have done nothing wrong, I have nothing to hide. How do you deal with this sort of issue?

PP: Well you know, you are raising really a much larger technological issue as well because it is not the question of what I am putting up. It is also convenience of using a smart phone or a cell phone. The minute I have a smart phone, particularly, I run various apps on it. App applications for instance which every body uses for texting these days. Now that pretty much allows through the internet you would be tracked. Your location would be tracked and it allows the intelligence agencies of the Unites States who again are the host government to pretty much track anybody they want anywhere in the world. Same with using facebook. So the essential issue is the convenience versus what I am giving up and what's happening, the convenience of the internet to do various things willfully we are giving up therefore our anonymity if you will, our privacy if you will to these agencies and these agencies immediately are not government agencies but the telephone companies the googles, the facebooks of the world. The end result is, once it goes into say 8,10,12 companies who run the internet and if those companies are accessed by the home government, in this case the United States, it's pretty much that everything in the world is siphoned into it. Now can you prevent it. I don't think technologically it is possible to reverse that. Because you have already surrendered your anonymity and privacy to these companies in any case. So what we can do is only looking at this - how this data can or cannot be used legally against the people. Can we really protect the people against their governments. And in this case, we are looking at the US government. Let's not forget almost all governments want this data including the Indian government and in fact if you remember the Blackberry case, this was essentially the issue. The government was asking access for all sms using Blackberry. So it does appear that for instance the Government of India, Saudi Arabia, United Arab Emirates, countries who really went after...

 

RB: The difference being in that case, they wanted the possibility to access rather than access actually.

PP: What they said is you have to give us the ability to access this information. Now, once you have that possibility then what is being done is known to Blackberry and the governments and not to us. So for me, the possibility means the realisation as well. I wouldn't go into whether they succeeded or not, the potential is there, whether they exercise it or not is a different issue. I am told that essentially, that for instance, the messaging part of Blackberry not the one which uses the business way messaging part which is really much more protective. But everybody uses in the Blackberry that access has already been given to various governments in different countries. So that access is already there and this I am told is also true for a number of other similar services that are being offered. How much of it is being done in India or not, how much of it is being done in different countries could still be an issue because big companies like google and facebook can say, well you know we will give it to the US government but not to others. It is very clear that they are giving this access to the US government. But whether they are giving this access to other governments is an open question and that's what the battle is all about. To a lot of governments, the issue is the US government has this access, why should we not, becomes a matter of national interest then, in their view of the term and it is also interesting a lot of the flak that has come on for instance this major internet conference took place which was really about the telecom, the world conference for information and technology. In that case it was really about the internet; much more than telecom.

 

RB: Now, you have already spoken about the situation in India. But do you see such a broad and generic surveillance system being possible under Indian law. We recently had various newspapers talking about central monitoring system that the Indian government was planning to launch. Do you think this is possible in India?

PP: You see, at the moment we are being protected by the incompetence of the government. Let's be very clear about it. There are multiple agencies who do not talk to each other; all of them trying to build similar surveillance platforms. There is listening post if you go past towards Ghitorni from Delhi towards Gurgaon. You will see on the left, huge monitoring area being built essentially for intercepting internet traffic, no great secret. There is obviously, a lot of effort to now look at the internet, how to access it. How much you will succeed is an open quesion as I said because of the competence that we seem to have, which is relatively low. It means the ability to get really telecom companies ISPs to co-operate, tap into what they are doing and with that tapping, use really again data mining methods to store, access and collate that information. Unfortunately, lot of this information collation and tools what are called data mining tools are being sold by private companies who are, of course, interested in their commerce. In fact, it is said that Palentine is a company which has developed these data mining tools extensively and incidentally the data mining tool is called PRISM and they are now a billion dollar company and if you look at the reports that are coming its quite possible thats at least a part of the software solution that the NSS use. Now, is that tool available for Indian company to buy at a price; similar tools are available; is it also possible for Indian government to buy those tools. So it's not a question that does government of India have the ability. But do they have the money to buy these kind of tools. The argument is yes, obviously governments do have deep pockets and therefore, they have the ability to access these kinds of tools and therefore, in the long run we have or we are entering into an age where we are likely to lose privacy in this digital world that is emerging. So my issue that I am really raising is we should really look now how can we protect the citizens, given the fact that the privacy is probably not going to be there.

 

RB: So how would you actually go about protecting a citizen given that you have got states which have suddenly woken upto the fact that there is so much data that can be collated on their citizens something as you say corporates have realised for quite a while and based their revenue models around. So where does the citizen stand in all these given that the states seem to have absolved themselves of any responsibility for citizens rights.

PP: I think this is relatively uncharted territory. I mean this is not something for which there is an easy answer to. A part of the answer could be that data cannot be used in a court of law. Thus give tremendous power to black bill in hands of state. So if it is proven the state has used. You can say people who have used then should go to the jail. Now one has to really now device how misuse can be prevented but the fact that this data is out there and it can be collated, I really don't see how it is easy to prevent it because as you rightly said, all the companies, major internet companies have built their entire revenue model out of collation of this data. Now if you say collation of this data for generating ads is OK but not for any other purpose. I don't really see in the long run how that will work. So I would say that legal protection yes, political protection ultimately is the awareness of the citizens that these tools exist and how their government should not use these tools becomes a matter of politics, not just a matter of law. So I think the answer to this is that we have to then get into the realm of politics, how this misuse can be prevented and what laws can be put in place to see that misuse is punished by the government and the government officials and this use against citizens is prohibited in courts of law. These are some of the, you know, really very nebulous ideas I would present but in the long run we would also have to accept that citizen's privacy by which we practice one thing at home and do something else outside - these kinds of things are also going to disappear because it is increasingly impossible to have that kind of protection of privacy, by which you say these things are my private domain and I will not let it be made public. Like the politicians today don't have protection of privacy. The celebrities do not have protection of privacy. It is accepted that their private lives are public domain, information people have a right to it, because they are celebrities. If they come on public stage we have a right.

RB: Different standards for different public figure.

PP: So I think this is going to go and what is going to emerge is that everybody will have standards which are same which means that anything you do in private is open to the public. This is technologically what is happening. So we are entering what we shall say a world of glass houses.

 

RB: Thank you Prabir. That's all we have time for today. Do join us again. We will be covering this issue in more detail. Thank you.