A View from Ashkan Soltani
Technical, not legal, constraints determine the scope of U.S. government surveillance.
Recent revelations about the extent of surveillance by the U.S. National Security Agency come as no surprise to those with a technical background in the workings of digital communications. Dramatically expanded, highly efficient surveillance programs are predictable given the increased use of digital communication and cloud services—and America’s outdated privacy laws. Our national discussion must take into account the extent to which technology has made surveillance easier and cheaper than ever before.
The American people, maybe unknowingly, relied for years on technical and financial barriers to protect them from large-scale surveillance by the government. These implicit protections have quickly eroded in recent years as digital communication technology has spread through society and advances pioneered in the technology industry have reached intelligence agencies. As a result, we now have to replace these “natural” boundaries and revise the law to protect our privacy.
The majority of our communications are now delivered and stored by third-party services and cloud providers. The bulk of e-mails, documents, phone calls, and chats go through a handful of Internet companies such as Google, Facebook, and Skype or wireless carriers like Verizon, AT&T, and Sprint. And while it’s distributed in nature, the physical infrastructure underlying the World Wide Web relies on key chokepoints that the government can, and does, monitor. The NSA needs to establish relationships with only a few critical companies to capture the majority of the market it wants to observe. With very little effort or cost, it can observe hundreds of millions of people communicating over these services.
Each of the NSA programs recently disclosed by the media is unique in the type of data it accesses, but all of them have been made possible by the same trend: surveillance techniques have been exploding in capacity and plummeting in cost. One leaked document shows that between 2002 and 2006, it cost the NSA only about $140 million to gather phone records for 300 million Americans, operate a system that collects e-mails and other content from Internet companies such as Google, and develop new “offensive” surveillance tools for use overseas. That’s a minuscule portion of the NSA’s $10 billion annual budget.
Spying no longer requires following people or planting bugs; rather, it means filling out forms to demand access to an existing trove of information. The NSA doesn’t bear the cost of collecting or storing data and no longer has to interact with its targets. The reach of its new programs is vast, especially when compared with the closest equivalent possible just 10 years ago.
What we have learned about the NSA’s capabilities suggests it has adopted a style of programmatic, automated surveillance previously precluded by the limitations of scale, cost, and computing speed. This is a trend with a firm lower bound. Once the cost of surveillance reaches zero, we will be left with our outdated laws as the only protection. Whatever policy actions are taken to regulate surveillance in light of the recent leaks should recognize that technical barriers offer dwindling protection from unwarranted government surveillance at home and abroad.
Ashkan Soltani is an independent researcher who previously investigated online privacy issues as a staff technologist with the U.S. Federal Trade Commission.
This view was revised on August 16, 2013.