What About Private Sector Data Collection?

Personal information gathered by the NSA doesn't compare to the data private sector businesses collect.

By + More
A bill introduced in California would deny NSA facilities access to water and electricity from public utilities and outlaw NSA research partnerships with state universities.
A bill introduced in California would deny NSA facilities access to water and electricity from public utilities and outlaw NSA research partnerships with state universities.

We have a federal district court in Washington D.C. saying that National Security Agency's collection of bulk "telephony"-type metadata from private carriers and providers is unconstitutional and another in New York City saying it's not. While privacy advocates and the media are having a field day with this story, the basic legal issue is relatively simple: whether there is a reasonable expectation of privacy from a government search associated with the data we have given to third parties.

The disparate district court cases will likely be consolidated and will eventually be resolved by the Supreme Court, thus providing an answer to this media whipped issue-set raised by Edward Snowden's cybertheft of NSA documents.

We also have a report from a presidential advisory panel on the NSA – and a few other such policy projects are in the works – on the larger issue set of NSA operations and policies, including legal authorities and the combined executive, judicial and congressional oversight thereof. These studies have – and will – recommend a range of various policy tweaks to NSA ops, with varying effects on present practices. How many – or few – of these recommendations are adopted will no doubt be the subject of presidential decision.

[ See a collection of editorial cartoons on the NSA.]

One very positive result of the whole exercise is that – thereafter – no one in the White House or Congress will be able to say that they "didn't know" or "were not aware" of the nature and extent of NSA operations and its various collection programs, which are very much like the collection programs of many other countries, except that, in many other countries, the government owns the telecommunications network and closely monitors the substance of it with virtually no limitation or oversight such as we have had since the 1970's.

With regard to our government's accesses to telecommunications and Internet information, some history is relevant:

Recall that with the many new telecommunications companies and business models emerging in the 1980s and 1990s, our intelligence and law enforcement agencies, which had long-term relationships with ‘Ma Bell' and AT&T, had to introduce themselves to the new companies. This was sometimes frustrating.

For example, when presented with judicial warrants, many of these new companies simply didn't know what to do with them, or they lacked the technical capability to comply with the orders.

This had to be fixed; otherwise, the breakup of AT&T would have meant a failure of the nation's law enforcement and intelligence agencies to use the limited authorities theyhad. The answer to this conundrum, indirect and cumbersome as it was, came in 1994. It is called the Communications Assistance for Law Enforcement Act. CALEA basically did three things: It stated that the new telecoms had to comply with warrants and other official requests for information by law enforcement and intelligence authorities.

It set aside millions of dollars for the new telecoms so that they could build the capabilities necessary to comply with warrants and other official requests. And finally, it allowed the new firms to contract out these key responsibilities to so-called trusted third- party providers (this part was added in 2007, when the law was expanded to include broadband carriers).

[ Check out 2013: The Year in Cartoons.]

CALEA has been expanded over the years to include all broadband data, Internet and cell service providers.

As a result of our preference for private sector ownership, our government can get access to our communications data only within a carefully defined and limited statutory structure, and under comprehensive oversight by the executive, legislative and judicial branches. However, there are virtually no such limits for the private sector.

For example, our Internet providers know the exact items we have been shopping for on Amazon and will give us persistent pop up ads for these items as we use the Internet, often suggesting similar or alternative products. And, Facebook, Twitter, etc., monitor the substance of the personal traffic thereon to exploit it for commercial purposes. It's like someone listening in on your phone calls – and when you are talking about a new TV having the listener cut in to tell you to where to buy it.

[ See a collection of political cartoons on defense spending.]

In fact, if one were to list the realities and objectives of "big" private sector communications and data, it would be to:

  • Corner the information data transmission and storage market;
  • Collect as much personal/consumer information about users as possible;
  • Store as much marketable data for as long as possible;
  • Aggressively sell personal data;
  • Perfect/develop/sell the storage of data that is "perfectly secure" – i.e., unavailable to anyone, except the owner, who has the only key.

So the practical recommendation here is for a parallel look at the private information and communications sector. After all, the NSA does what it does to protect us from terrorism within carefully defined boundaries, while the private information sector does what it does to make money, and with little limitation and oversight. In fact, when one compares NSA's limited collection authorities to that of the private sector, the private sector's ability to invade our privacy is virtually unlimited.

While it's at it, Congress should also: 1) look very hard at the private information sector, and 2) establish – or require the establishment thereof – basic privacy standards and oversight mechanisms for the collection, retention and sharing of our personal data.

Daniel Gallington is the senior policy and program adviser at the George C. Marshall Institute in Arlington, Va. He served in senior national security policy positions in the Office of the Secretary of Defense, the Department of Justice, and as bipartisan general counsel for the U.S. Senate Select Committee on Intelligence.