Jennifer Granick on spying: ‘The more we collect, the less we know’ (Q&A)
“Spying is thriving” because little is understood about how pervasive it is.
So writes Jennifer Granick, director of civil liberties at Stanford Law School, in her new book, American Spies: Modern Surveillance, Why You Should Care, and What to Do About It. Modern technology makes spying easy, modern business models encourage trading personal information for cool features, and federal agencies have broad approval—and little resistance—to collect nearly as much information on people as possible.
Granick’s book raises the questions: In the post-9/11, post-Snowden world, how much government surveillance is too much? What lines should be drawn, if any, to protect the rights of private citizens?
“We need a comprehensive public investigation into what American spies are doing in our name, and we need far stronger regulation of surveillance activities to protect innocent people’s privacy and to guard against abuses of sensitive, personal data,” she says in her book’s introduction.
Surveillance has a chilling effect on American democracy and the freedom of speech that resides at its heart, Granick says. (And multiple studies over the past few years support this assertion.) She also argues that ongoing violations of people’s privacy eliminates space required for political evolution and creative thinking.
“The whole notion of the border search exception is for security to stop people from bringing drugs and weapons and bombs and seeds and animals and parasites into the country. Data doesn’t pose those same issues, so why should we have this expansive ability to search for data?” — Jennifer Granick
Granick and I spoke last week about surveillance, law, terrorism, and government, the intersection of which she documents in her book, which has already won the Palmer Prize for scholarship exploring the tension between civil liberties and national security in contemporary American society. What follows is an edited transcript of our conversation.
Q: Your book is remarkably comprehensive and up-to-date, except for Trump.
I’m glad, actually, that Trump wasn’t president—and that I had no inkling that he would be president—when I wrote it, because my point isn’t to say, “Look how dangerous these tools are in the hands of a dangerous person.”
My point was more: “This system we’ve set up is inadequate to protect us from even well-meaning people. Surveillance is dangerous. It’s been misused by presidents, good and bad, throughout the ages. We need to look at the system and not at the person.”
One thing I think the book articulates well is the not-always-apparent impact of surveillance on people. Even my liberal parents have asked me, “What does it matter if the government is listening in on my phone calls?”
In response to the question, “Why should I care?” I think there are two arguments. One is something Cardinal Richelieu said to King Louis XII in 1641: “If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.”
The other is a broader political view about democracy and social change and people who are advocating for an evolution. That ability to advocate is an essential part of our development. If we allow people challenging the status quo to be surveilled, we hinder their movement.
I used the example of the Civil Rights Movement in the 1960s. In modern times, it’s Black Lives Matter, or Occupy Wall Street, or the Tea Party, or the movement to interpret the Second Amendment to protect individuals’ right to guns. These movements, these fights, are all part of our democracy. They are challenging the status quo. We have to make sure there’s space for them to develop and operate.
One point you make is that modern, effective tools are enabling a resurgence of government surveillance. Where is surveillance taking us, as a society?
A lot of information collected through a foreign-intelligence lens is available to the FBI to search with no factual predicate. They can do it at the assessment stage, for which you don’t have to have probable cause or reasonable suspicion of anything. All you need is a legitimate purpose.
The FBI’s legitimate purposes include domestic security, domestic intelligence, as well as law enforcement. It’s able to work with the expansive capabilities of the foreign-intelligence agencies to do these other things. A lot of the stuff we found out about in the 1960s had started in the 1940s. I worry that we’ll find out years from now that the FBI has been using this information and its power to do things like track people involved in movements like Black Lives Matter or Occupy in ways we haven’t seen.
A news story the other day said there was a lawsuit, brought by some people who had given money to Barrett Brown’s legal defense fund, saying the Department of Justice had sent subpoenas trying to find out who the contributors were, as part of Brown’s prosecution or sentencing. Why would the identities of the people who contributed money to Brown’s legal defense matter to prosecutors?
These are signs of domestic intelligence gathering. We might just be seeing an iceberg peeping out of the water; we don’t really know what’s underneath.
You point out that the very knowledge of being surveilled can change your behavior.
People are more circumspect about what they say and do, and about whom they contact, when they are aware that they’re being watched and judged. In this way, surveillance is the most effective kind of censorship.
There are things that I worry about saying online, and I hope that my daughters will think twice about putting certain stuff online. Some of that is just being careful, but I don’t think that all of that worry is appropriate.
If I find a government policy really abhorrent, for example, I should be able to say that it’s abhorrent without worrying that Trump’s going to label me as an enemy. I don’t want to sound self-important, that Trump cares about me. But when you could get labeled as an enemy, you think twice about how vehemently you state your opinion.
What part does surveillance fatigue play in all this?
We know, as security-minded people, that technology is not necessarily going to protect you from a dedicated adversary. We’re not that good at security yet.
But security measures can protect you from opportunistic collection where you’re just getting sucked up in the dragnet. Using HTTPS, or services like Signal that encrypt your email or phone calls, can help. They can prevent you from becoming one of the fish caught up in the net.
Technology can be really effective. When Google and Yahoo started encrypting their data center transfers and email between the services, they instantly started protecting hundreds of millions of people. I think that’s awesome.
Political battles seem to preventing significant progress, though.
We’re still in the middle of the political battle. I don’t think that people should give up; apathy makes it easy for the scaremongers to win.
We have an opportunity this year to reform one of the major surveillance laws that affects American privacy, section 702 of the FISA Amendments Act. The statute says you can target foreigners overseas to gather foreign-intelligence information, a really broad thing. It’s not just national security or counterterrorism but also things like foreign affairs, the price of oil, and what France wants.
On its face, it sounds like it’s targeting foreigners, but if you target a foreigner who either has a foreign-intelligence interest or who’s talking about foreign-intelligence matters, you’re collecting information when they talk to Americans. Americans, it turns out, talk to foreigners a lot, in chat rooms, on phone calls, in instant messages, and via other means.
So the law ends up supporting the collection of quite a lot of American data. The Washington Post did an analysis of a subset of data collected under section 702 and found that nearly half of the collected information had something about Americans in it. In the words of one judge, “It has a substantial impact on American privacy.”
That law is going to expire at the end of the year, which means Congress’ hand is forced. Either the law is going to be dead, it’s going to be renewed exactly as it is, or we have an opportunity to reform it and to go to Congress and say, “This doesn’t protect our privacy enough.”
Frankly, it doesn’t protect foreigners’ privacy enough, either. We need to do better by our friends who enjoy human rights in other countries, as well.
Is reform likely, given the makeup of the current Congress?
That, honestly, is up to you and your readers. If people sit back and don’t do anything, then reform is not going to be likely, but if people stand up and are willing to call their legislators and say, “This is important to me,” then yes, it’s not just likely, it’s our best chance.
President Obama had a review group that looked at this issue and made a couple of reform recommendations that were very powerful. The Privacy and Civil Liberties Oversight Board made some reform recommendations. Civil-liberties groups are working on it too. There are a lot of great recommendations out there for how to reduce the unnecessary civil-liberties impact of this law.
How should we balance an interest in legitimately knowing what foreign powers are doing with protecting citizens’ civil liberties?
One way is to basically stop the government from spying on regular people. It should refocus on foreign powers, and agents of foreign powers. Agents of foreign powers includes terrorists, lone wolves, and foreign groups related to foreign affairs, but not regular people.
Another way is to limit the purpose of surveillance to big topics like weapons proliferation, counterterrorism, and nuclear safety.
And a third way is to focus on what happens to the information, once it’s collected.
Right now, agencies are looking into exchanges between me and a foreign-intelligence target, as well as between me and foreigners that pertain to a foreign-intelligence target. They scan the content of messages as they go across the Internet backbone, and they look for selectors.
The intelligence officials say that if I’m talking to a friend in France about a terrorist leader, they don’t collect that because they don’t do proper names, but if our messages contain the selector—maybe it’s his telephone number, maybe it’s his email address, maybe it’s a digitaL signature associated with ISIS—then they will collect the contents of that message. Once the information is ingested into the system, the FBI has access to that raw data, without Americans’ names redacted.
One proposal is to collect only when the target is a party to the conversation. Another is not to let the FBI repurpose collected information for run-of-the-mill law enforcement, nor to let it share the information with the IRS or the DEA or another agency. Use it for the important foreign-intelligence stuff, and don’t allow it to be used otherwise.
The FBI is searching through that information without a warrant. It doesn’t need probable cause or anything. It’s called the backdoor search loophole because normally, agents would have to obtain a search warrant based on probable cause to get access to this information. Instead, the FBI has backdoor access without that safeguard. So the reform proposal is to close that loophole and not let those warrantless searches happen anymore.
None of these proposals stop the U.S. government from collecting information relevant to keeping the country safe. But it’s got to be more targeted.
What role have the courts played so far in protecting privacy?
There have been signs, especially in the Supreme Court, that judges recognize that technology has changed privacy and the law must respond accordingly. Two cases really demonstrate this. I’ll paraphrase the arguments in each.
The first was United States v. Jones, in which police put a GPS tracker on this guy’s car, and tried to track him to see if he was selling drugs. The government basically said, “You don’t have any privacy in public. When you drive around on the public streets, we can follow you, and all this is a technological means of making it easier for us to follow him,” based on cases from the 1970s.
The court—all the justices—rejected it. The majority reasoning was that the government had interfered with the property interest of the car’s owner by sticking this GPS device on it.
But there was also a concurrence saying, “There’s a point where you go too far. Maybe if you followed the guy for a couple of days, that’s OK, but if you follow the person for weeks and weeks and weeks, that’s not OK. We think that this one went too far. You’ve gone overboard in terms of the duration, the quantity, the detail of the information that you can collect without first getting a warrant.”
Separately, Justice Sotomayor wrote, “We have this idea that you can collect metadata without going and getting a warrant. Maybe it’s time to get rid of that idea because the quality and the detail of information is so available, and the information is so precise, it can tell you so many intimate things about somebody. There’s a difference between what an officer could do without technology and what she can do with technology, and the Fourth Amendment has to balance that power out.”
More recently, in Riley v. California, the Court doubled down on the idea that digital technology is different from what’s come before. This was a cell phone search case.
Normally, if you’re arrested, the police can search you and look in packages that you have. They could look in my purse. If you had a cigarette pack, they can look in there. They can look in your pockets—for officer safety, but also to inventory property.
In this case, they copied the data off of the defendant’s phone and used pictures on it to try to convict him. The government said, “This is just like a cigarette pack. We’ve always been allowed to search this stuff. This is a long-standing exception to the warrant requirement, it’s just a search incident to arrest.”
The Court basically said, “No. The detail of information in a phone is categorically different. It’s nothing like a cigarette pack. That is like saying a donkey hitched to a cart is just a conveyance, like a rocket that goes to Mars. We are talking about a difference in amount that is a difference in kind.”
The government said, “It’s OK because we’ll put in place these after-the-fact procedures that’ll make sure it doesn’t get abused.” The court said, “That’s a good idea, but the founding fathers did not fight a war for after-the-fact policies.”
You see some signs of this in the appellate courts too, but these are big cases from the Supreme Court basically indicating that the digital world is different, and we’re going to start looking at these things differently than we have been.
I am actually pretty optimistic that the courts are looking for more advanced ways to understand the role that the Fourth Amendment can play in policing government power in the modern digital era. They’re not willing to just sit back and pretend like nothing’s different.
We’re seeing a tension between Fourth Amendment protections against unreasonable search and seizure, and Fifth Amendment protections against self-incrimination play out right now at the nation’s borders, especially at airports. Given that borders are historically a place where governments have more freedom to investigate and confiscate and create rules to decide whether they want to let people in, how would you like to see the current situation with restricted immigration resolved?
This is an area where I wonder how the Riley case would apply. In the Riley case, you have this historically warrant-free zone, which is search incidental to arrest, and the court said, “No you have to get a warrant because of the nature of these devices.”
It makes me wonder whether the court would think exactly the same thing in the border context. Why should Customs and Border Protection be able to search through, and copy the data on people’s laptops or phones or other devices, just because they’re coming into the country? The whole notion of the border search exception is for security to stop people from bringing drugs and weapons and bombs and seeds and animals and parasites into the country. Data doesn’t pose those same issues, so why should we have this expansive ability to search for data?
It’ll be interesting to see what happens there. It’s something that American people are really uncomfortable with. And I think we’re getting more uncomfortable with it.
People who live in these border areas are getting sick of the militarization of the border. They might stop and say, “Is this really keeping our borders safe?” It’s an opportunity to narrow or tailor what happens at the border for security back to a real security reason, as opposed to this lie that if we keep people from certain countries out, that’s going to help keep us safe.
In your book, you documented the impact of modern terrorism on the surveillance state, detailing how much of modern U.S. surveillance was developed in response to the September 11 attacks.
You can see how the modern surveillance state grew in the shadow of September 11. Knowing this gives us more context and sympathy for the people who come to this debate who are genuinely afraid of terrorism. And it sort of explains how it’s not just the doing of George W. Bush or Barack Obama or Trump. It’s part of a historical moment.
A lot of what we do in the name of stopping terrorism is scattershot—looking under the lamp for our keys because that’s where the light is. We’re not operating with a realistic sense of the scope of the risk but rather in a vacuum as to which techniques actually work.
As a country, what needs to happen for the law to catch up, to better reflect society and where it’s moving?
We still don’t have a law that says you always need a warrant to collect email content. We’re still struggling to fix that from the in Electronic Communications Privacy Act of 1986.
I am a believer in activism. Congress may not be the smartest organism, but if legislators hear not just from the national-security folks, but also from universities, from companies, and from citizens saying, “We want these people here. We as a nation benefit, for example, from having these people here,” I think that makes a difference.
If Congress hears from these constituencies saying, “This is why we need privacy. We need it to protect attorney-client privilege. We need it to protect people’s freedom. We need it for the right to read. We need it for all of these reasons,” then maybe they listen. Right now, they hear one side.
What’s the role of technologists, especially computer security and privacy experts, in influencing Congress? The unsigned Wassenaar Arrangement is an example of technologists stepping in to help guide the law to a better place.
It actually shows a great amount of leadership that we didn’t do the knee-jerk, easy thing. I think that’s a great example of how technologists organized to say, “Whoa, whoa, whoa, you totally misunderstand what’s going on here. You’re doing it all wrong.” Many companies and researchers doing important things would be basically shut down or severely hindered, if the new Wassenaar language were adopted.
This is a good example of how you can get involved in political change. People need to feel invested, though.
How do you get 3.5 million to 4 million people who care about privacy and security around the country to wear pink hats?
Step 1: elect Trump. This is an unbelievable motivator for people. If you had taken a poll six months ago, even here in liberal San Francisco, asking, “How many of you think of yourselves as activists? When’s the last time you went out to protest? How many of you think the police are interested in you, or that the government is interested in you? How many of you are worried that something bad is going to happen to you, or your friends, or your neighbors, or other people you know?” People would’ve responded, “Nope, nope, nope. I buy organic; I act locally.”
Now people across the country are out in the streets and are calling their representatives. Over a 100,000 people dialed in to listen to an oral argument in court about the immigration ban. People are activated. They’re scared. They know that they’re basically the opposition to this administration’s proposals.
I think that it’s a wake-up call for people, and that people are waking up. That’s step 1.
So step 2 is, get politically involved. Join a group. Found a group. Call your legislator. Collect evidence for court cases. Work with immigration groups, anti-poverty organizations, the ACLU, EFF, whichever organization you like. Get active. Support advocacy work in the courts, in Congress, Congress, and at the state level. I think people are doing this. The ACLU has been getting a ton of donations, as are other groups.
I see that this is the beginning of a movement bigger than privacy and security and surveillance. As I said in the beginning of our conversation, a certain amount of privacy and security is a necessary incident to all other political activism. Otherwise political movements can be torn apart, infiltrated, squashed, and killed.
One of the things that I think a lot of people who are advocating for more surveillance, not less, are saying in response to events like those of San Bernardino a year ago is, “We simply just didn’t have enough information.” Certainly that was a viewpoint Trump expressed when on the campaign trail he said we need an encryption backdoor, so we can just get in and do what we need to do to keep people safe. Feeding into that larger and larger vault of information. How would you respond to that?
There’s an idea out there that the more information we have, the better we will be at identifying terrorism before it happens. If you look at terrorist attacks that have been thwarted or have happened, it’s not that we didn’t have any information about them. In all the cases, we did have some information about it, but we didn’t really know what to do with the information we had.
In the Boston Marathon bombing, the Russians had warned us about these guys. In the underwear bomber case, his dad had called the authorities to basically say, “Something is wrong with my son.” Before 9/11, U.S. intelligence officers were tracking the planners, but because of bureaucratic inefficiency, they didn’t tell the CIA or the FBI when al-Hazmi and al-Mihdhar came into the country. We were listening conspirators talking organizers in Yemen, but we just didn’t keep track of them as they came into the country.
We had the supposed 20th hijacker in custody. It’s not that we didn’t have the information out there. We know how to collect information, but we don’t always know how to understand the information that we have.
We have this faith that if we collect it all, then we’ll know it all. The truth is, collecting it all can mean we know less because there’s so much hay in the haystack. All this noise drowns out the signal. What we really may need to do is not collect more, but collect strategically and be much more focused and more thoughtful about what information we get and feed into our systems for analysts to look at.
Otherwise, you have a million people on the terrorist identification database. If you have a million people who can’t fly or a million people who are on this list, what good is that? Many of those people aren’t a safety risk at all.
We have to be more selective and more strategic in order to be effective. Otherwise, you have situations like FBI agents bothering college students who purchase pressure cookers the weekend of the Boston Marathon. That is a waste of time.
Those people could be out there doing other important stuff that actually does make the world a better place. We’re sending them on these wild goose chases, an inherent result of over-collection. We actually know far less. The more we collect, the less we know. I guess another way of saying it is, information is not intelligence.
Speaking of information, let’s talk about another of my favorite chapters in the book, Word Games, which is about the lexicon of spying. What inspired it?
Understanding how words related to spying are abused is important. We know that these words have been used in different ways throughout time. The difficulty really comes when you read government statements, or you look at disclosures, trying to understand what they’re actually saying.
At one point, the Director of National Intelligence James Clapper said that information isn’t collected when the government gathers and stores it, but only when a human takes a look at it. In later discussions of domestic spying, officials at the National Security Agency rejected this and told us that they were using the common definition of the term “collect.” So in policy debates, we often say, “We know that when they use ‘collect’ to refer to this program, they’re using the common definition of the term.” But James Clapper’s gone. Rajesh De is not the general council of the NSA anymore. Do we still know what NSA officials mean when they say “collect” or did they secretly redefine the word again?
It’s very hard to say what the rules are because they can be changed in secret. It’s very hard to trust official representations because they may change their policy in secret.
“Target” is a word like that. It’s not defined in the statute, and people assume that the target is the person you’re monitoring, the person you’re eavesdropping, but actually the target is the thing you want to know about. You can be monitoring totally innocent, unconnected people who are just talking about the target.
The thing that really galls me is when they take a word that everybody knows the meaning of, like “collect,” and then they pretend it means something it doesn’t. That just seems malicious. It makes you paranoid.
Any other surveillance terms that were a challenge to define for the book?
“Minimize” is one of those terms. When people use the word minimize, they think it means to make less, to narrow. In the criminal context, when you are obligated to minimize, it means collect less.
For example, for a criminal wiretap, if I’m the target, and my grandma calls, you’re supposed to stop listening. In the foreign-intelligence context, the government collects everything. Then, there are minimization procedures, which are basically procedures for how the agencies can keep, use, and share the information. Some of the rules tell the agencies to get rid of stuff, like deleting irrelevant information after five years, sometimes redacting the names of Americans. But the rules also say how intelligence agencies can keep the data, analyse the unredacted information, and share it with other parts of the government.
When they say, “This information has been minimized,” you might think, “Oh, you’re only keeping the foreign intelligence stuff.” That’s not what it means at all. Figuring out exactly what those procedures are, whether the ones that are public now are still the ones that are operating—it’s very tricky. This is why Chief Justice John Roberts was right in the Riley case. The founding fathers did not fight a war for minimization procedures: They’re bullshit.
Still, after-the-fact procedures are really important to prevent abuse and to deal with the ramifications of doing collection. There are a lot of things that needed to change for the public to feel confident that the procedures are adequately serving that goal.
So you’re arguing that although we do have external oversight built into the law, it’s largely failed.
I’m a lawyer, so I want the law to do something here. We only have two choices: Congress and the courts. Looking very critically at why it has gotten this way, and what Congress has done or failed to do, and what the courts have done or failed to do, I realized that I’m diagnosing why we’ve had all these abuses. Why there’s been this misuse. Why secrecy is so bad.
The truth is, the courts share the blame with the executive branch. We have to criticize but maintain optimism at the same time.
I think that’s true of a great many things in our brave new world. How do you do that personally?
I love the United States. I love our system. I think we’re the best. I’m very patriotic. But I have to be realistic too, or else I’m going to miss stuff that I need to know. I say that I’m irrationally exuberant. There’s some cognitive dissonance there.