Recent report by Washington Post brings two equally strong feelings – one – kind of outrage diluted by number of earlier revelations about the scope of NSA surveillance program and – two – marvel that it is actually possible to store every phone call in the country (not metadata) and have the ability to rewind them whole month back and have effective search engine in place. Of course last part is somehow made up, one have to assume that there is actually some kind tool to browse such, for lack of better word, gianormous amount of data in order to bring any effectiveness to such infrastructure. However looking closer at the information, things get less sensationalistic, first of all which country are we talking about? The article lacks this crucial aspect – important to note – it is not US. It is needless to say that storing calls from Monaco, or Afghanistan (which might quite likely be the target) is much different that storing calls from France or Russia. Second while the premise looks impressive at first glance, the closer we look the things get more complex.
First of all already mentioned search engine. After all storing phone calls for given amount of time requires ‘just’ massive volumes of storage and bandwidth, but given budget of US intelligence community that is hardly a problem. The real issue is reliable voice recognition algorithm with effective noise reduction – we are talking about whole country, and if really less technologically advanced country is the target, just as much as volume of data decreases the quality decreases equally. Second, privacy concerns diminishes a bit when we realize that it is what NSA is really supposed to do – collect foreign signal intelligence. At this very moment I’m preparing conference lecture on breaking anonymity of Tor. As much of my research is dedicated to legal aspects, I’m constantly asking ‘where is the authority of the agency and what is the scope?’ or ‘who is approving this, where is the judicial control?’ and even brief look at the reality and law behind data collection forks significantly when law enforcement vs SIGINT regulation happens. The most commonly used provision included in legal authority behind foreign intelligence agencies is ‘x is being established to collect information vital to strategic/economic/security matters of the country’ (‘provides advisory on national security / cryptography’ is also used) and methods are described purposefully in very broad strokes. On the other hand law enforcement tend to be rather about precisely specifying means of collection, with limiting factors and stricter approval procedures. Not surprisingly just as soon as border created by citizenship of given state ends, all safeguards put in place surrenders to effectiveness of collection. This does not mean that revelation about MYSTIC is irrelevant, important however is context of the situation. Even before President’s Obama declaration (now officially contradicted) that US does not engage in blanket collection of data, from the content of following leaks it became apparent that US intelligence engages in anything it is physically able to do. Tailored Access Operations catalog only reinforced further this claim. What’s concerning is not the existence of the infrastructure and its use. It was just bound to happen. The real problem is, already and constantly discussed, lack of oversight. The problem remains that the same system of rubber stamping various methods of data collection does not change, while the methods became more efficient and powerful, as it could be predicted from way technology improves constantly. As I mentioned difference in legal authority between law enforcement and foreign intelligence, the dangerous phenomena currently happening is mixing of these to worlds. Most commonly it is done by using either ‘terrorism’ or ‘national security’. Influence of this line thought is not new and appeared in various ways, but without a doubt gained momentum after 9/11. The result is applying same principles that are suitable for foreign intelligence to domestic affairs, without adding sufficient safeguards in the process. Alternatively, as in case of FISC, the procedure is added however, standards of process of approval are too diluted to be sufficiently effective. Furthermore confidential nature of proceedings make appeal process and judicial control too much limited, especially in case of blanket collection – as in Clapper v. Amnesty International (often asked is whether AI would have standing after Snowden’s leaks – it seems that answer is still negative as they couldn’t prove that they are specifically targeted). As a result law that normally applies to wiretapping and surveillance is circumvented by routing specific actions through channels of different agency. There is little chance that this trend will slow down in the near future, simply because it becomes more and more convenient. Also sadly there is not much to be done through official judiciary. FISC remains example of how easy it is to set secret court with secret law and secret proceedings when needed. Taking that into consideration it seems that deployment of MYSTIC in the US is matter of time, and there is nothing surprising or particularly outraging about that.