It is not the fact of surveillance but its sheer scale which shocks most in the Prism affair

Ireland falls into ‘less surveilled’ category, but information is gathered here

By Karlin Lillington

Few who follow the ongoing, often vociferous international debate about the proper balance between protecting society and guarding civil rights and personal privacy will have been totally surprised last week to learn that the US government's secretive National Security Agency (NSA) and Federal Bureau of Investigation (FBI) regularly access internet and phone records.

But the sheer scale of the internet surveillance programme called Prism, allegedly involving some participation by nine of the biggest US internet companies running popular social media and services, and of a secret US court order that has allowed covert organisations to sift data from millions of US phone calls for seven years, truly shocks.

The alarm is not limited to citizens in the US. People all over the world use the services -- Facebook, Skype, Google, among others -- pinpointed in the revelations. Europeans are supposed to have specific protections for their personal data, greater than those afforded US citizens.

But how European data is managed by international companies, on computer servers that can be located “in the cloud” anywhere in the world, is not clearly understood, and remains a legal grey area. So does the level of co-operation between American and other countries’ surveillance agencies. Yesterday, parliamentary debate in the UK focused on just such questions.

What can be said definitively is that some of the more alarmist warnings and predictions made by civil rights and privacy organisations over the past decade seem to be reality, according to documents and information passed to the Guardian and Washington Post by Edward Snowden, a 29-year-old contract computer expert and former technical assistant for the CIA.

According to a secret set of NSA slides provided by Snowden, Prism is a programme that has given the NSA direct access to computer systems at Apple, Google, Microsoft, Facebook and other technology companies, with their consent.

It is claimed that the companies enabled a Drop Box-like holding place on their systems, into which they could deliver requested files and other data.

Most of the companies have denied the allegations, but in blandly general terms, stating they have only provided data that was requested within an appropriate legal framework.

According to the revelations, a data mining tool called Boundless Informant was used by the NSA to filter through massive amounts of online data, taken from these and other sources. According to one slide, the agency collected 97 billion pieces of intelligence from computers in March 2013 alone.

The phone records -- comprising all call data (but not the content of calls) made by all customers of Verizon over the past seven years -- were demanded under a blanket order based on provisions within the Foreign Intelligence Surveillance Act (FISA), which was expanded by the Patriot Act, controversial security legislation passed swiftly in the wake of the September 11, 2001 terrorist attacks.

The breadth and scope of the surveillance programmes, which have been acknowledged by the US government in the aftermath of the initial articles, have split US politicians.

Some defend tactics they insist are fully authorised under the Patriot Act.

But others are alarmed, including Democrat Mark Udall, a member of the powerful Senate Intelligence Committee, who questioned “this sort of widespread surveillance” as a shocking level of “government overreach”.

Even one of the Patriot Act’s authors and champions, ultra-conservative Republican congressman Jim Sensenbrenner, said that “seizing phone records of millions of innocent people” who use phone operator Verizon “is excessive and unAmerican”, according to the Guardian.

On Twitter, former vice president Al Gore described the level of “blanket surveillance” revealed in the documents as “obscenely outrageous”.

The Obama administration said it welcomed the opportunity now for a deeper national debate over the competing demands of privacy and security.

Yet how can a debate be held, or claims and denials from government departments and agencies, or commercial companies, be believed, when the provisions of American surveillance legislation mandate that no one who knows about such surveillance orders can reveal them, and those who are surveilled -- including, apparently, a large portion of US phone users -- cannot be told their personal data is being collected and searched through?

This makes any form of real oversight impossible, belying claims by US officials and politicians that a robust, albeit deeply secretive, system of checks and balances exists to watch the watchers, to ensure citizen rights are safeguarded and constitutional protections upheld.

But few know who these people are, what the systems of oversight might be, or what is being overseen.

And going by Snowden’s revelations, it is alarmingly easy for a broad range of people (he himself was only a contract worker) to trawl through gathered data and access classified information.

Such an opaque system also virtually eliminates any form of redress for those wrongfully targeted and spied upon -- how would a person ever know, and who would ever be allowed to testify, were a case brought? Yet so-called “false positives” are a constant problem when analysing disparate pieces of data. As anyone working in computer security knows, data mining software can easily make the wrong inferences. Trying to minimise these is a major coding challenge.

The temptation to inappropriately access gathered and stored personal data is also huge, going by regular evidence from privacy watchdogs. For example, the recent annual report of the Irish Data Protection Commissioner’s Office castigates the Department of Social Services for ongoing, unaddressed problems of unauthorised people accessing citizens’ data, even selling it on to private investigators.

Snowden says the issues of access and oversight are at the very heart of why he decided to release highly classified information to the world, an act that has destroyed life as he knows it, and could well earn him imprisonment until death, if he returns to the US.

“The government has granted itself power it is not entitled to. There is no public oversight. The result is people like myself have the latitude to go further than they are allowed to,” he told the Guardian.

We do not know clearly yet if Irish agencies or the Government knew of, and supported, these US surveillance programmes. We also know little about how Irish data is stored and used by Prism companies, many of which have a European base here.

One colour-coded map on a slide in the Prism presentation, posted online by the Guardian, shows that Ireland falls into the “less surveilled” category on Boundless Informant -- but implies online information is, nonetheless, gathered and studied.

As Irish Data Protection Commissioner Billy Hawkes told RTE yesterday, we can ask and investigate, but are ultimately reliant on what the companies (and government) say they do.

Yet governments (including ours, which requires call and some online data to be stored for several years) and companies must now be asked probing questions about personal privacy and the extent of national surveillance. Citizens must demand more transparent and accountable systems of oversight, as digital tools for data collection, storage, analysis and surveillance become increasingly powerful.

Still -- can we ever fully believe the answers we get? Or fully know the degree to which we are being watched?