A debate in the U.S. about whether the National Security Agency should end its bulk collection of U.S. telephone and business records has come down to an argument over the meaning of the word "bulk."
A year after the first leaks by former NSA contractor Edward Snowden were published, it appears that already scaled-back proposals to limit the NSA's bulk collection of U.S. telephone and business records may not even happen. And officials with President Barack Obama's administration, backing an NSA reform bill called the USA Freedom Act, have already begun to pick holes in its definitions.
An amended version of the USA Freedom Act that passed the House of Representatives in May would allow the NSA to continue to target wide groups of U.S. records, critics said, because of its expanded definition of the terms the NSA must use to define its searches.
President Barack Obama in January announced plans to end the bulk collection of U.S. phone and business records, and administration officials have said the amended version of the USA Freedom Act would accomplish that goal.
But whether Obama's plan or the bill ends bulk collection depends on the definition of "bulk." Deputy Attorney General James Cole told the Senate Intelligence Committee Thursday that the prohibition on bulk collection means the "indiscriminate" collection of U.S. records. The USA Freedom Act would allow the NSA to collect "large numbers of records," if a surveillance court judge approves the request, he said.
Somewhat contradictory, Cole said the bill would prohibit the collection of all phone records in a ZIP code. "That would be the type of indiscriminate bulk collection that this bill is designed to end," he said.
The language in the bill tells a different story, critics said.
"Senators, let us not use the phrase, 'bulk collection,' as coded jargon for existing programs or nationwide surveillance dragnets," Harley Geiger, senior counsel at the Center for Democracy and Technology, said during the Thursday hearing. "Rather, bulk collection, as any normal person would understand it, means the large-scale collection of information about individuals with no connection to a crime or investigation."
The version of the bill that passed the House would allow the NSA to target wide groups of U.S. records, critics said, because it allows an expended definition of a "specific selection term" that the NSA must use to define its searches. The amended version of the bill allows the NSA to target things "such as a person, entity, accounts, address, or device," language that would give the NSA few limits on what groups it can target, critics said.
The amended USA Freedom Act "does not end bulk collection," Geiger added. "The definition of 'specific selection term' is deliberately ambiguous and open-ended. There is nothing in the bill that would prohibit, for example, the use of [search terms] Verizon, Gmail.com or the state of Georgia as a specific selection term."
The USA Freedom Act may not even pass the Senate, however. During the hearing Thursday, several members of the Senate Intelligence Committee questioned whether they should pass even the scaled-back version of the USA Freedom Act because its limits on the NSA would endanger national security, those senators argued.
Little change in policy
The result is that, one year after Snowden's leaks, a heated debate continues about the appropriate role of government surveillance, but there has been little change in U.S. policy.
While Congress and Obama have taken measured steps toward reining in the NSA's bulk collection of U.S. phone records, the NSA continues to operate the program. Policymakers, however, have taken almost no action, beyond a general statement from Obama that foreigners should have privacy rights, to limit the NSA's surveillance programs targeting overseas electronic communications.
The lack of action in Washington is disappointing and harms the U.S. tech industry the longer nothing happens, said Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, a tech-focused think tank. The leaks about NSA spying worldwide have soured much of the rest of the world on the use of U.S. IT products, he said.
The Snowden leaks have forced a national conversation that's necessary and important, but policymakers "haven't waved the flag and said, 'what was happening before will not happen again,'" Castro said.
While some policy debates in Washington, D.C., take years to play out, speed is important in this case, as other nations look for alternatives to U.S. tech products, Castro said. "There's basically a clock on this," he said. "If you don't address this in a certain period of time, you lose out on long-term competitiveness. Every day you don't address this, you're losing out."
Castro doesn't expect the controversy over the surveillance to die down. "It's defining the brand of American tech companies as something that is both insecure and available to government surveillance," he said. "Once you're branded a certain way, it's really hard to shake."
This week, the CEOs of nine major U.S. tech vendors -- including Facebook, Google and Apple -- wrote a letter to senators, calling on them to strengthen the USA Freedom Act.
"Confidence in the Internet, both in the U.S. and internationally, has been badly damaged over the last year," the letter said. "It is time for action. As the Senate takes up this important legislation, we urge you to ensure that U.S. surveillance efforts are clearly restricted by law, proportionate to the risks, transparent, and subject to independent oversight."
Praise for Snowden
Many civil liberties advocates have praised Snowden's actions, saying the information he leaked to news organizations has ignited a much-needed debate on privacy and government surveillance.
"The revelations have an extraordinary impact on our country," said Alex Abdo, a staff attorney with the American Civil Liberties Union's National Security Project. "They've really reinvigorated our democracy. They've allowed a conversation that's been long overdue about the relationship between new technology and privacy."
While the U.S. public is still debating what the proper surveillance reforms should be, "the fact that we're having that debate is tremendously significant," Abdo said. "We're far from the end of our experience with the Snowden effect."
Even beyond a still-heated debate over government surveillance, the Snowden leaks have led to a broader public debate about privacy in the digital age, Abdo said.
"The tech industry has been jolted a bit with the realization of how much Americans trust them to be good stewards of their private data," he said. "Americans appreciate more and more just how much information both the government and private industry are capable of collecting. We now live in a world in which pervasive surveillance is possible, and, is in some circumstances, occurring."
The Snowden leaks have prompted many tech services and Web users to take action, with encrypted traffic doubling over the past year, added Amie Stepanovich, senior policy counsel with international digital rights group Access.
Major telecom and Internet companies have begun issuing surveillance transparency reports, Stepanovich noted by email.
"Given that the NSA and other governments' surveillance agencies have traditionally operated behind a curtain of secrecy, the greatest impact of the Snowden revelations may be that we are no longer operating in the dark," she said by email. "Documents made available over the past year have meant that, for the first time, civil society and the public have been able to weigh in meaningfully on the limits of how states should spy on the world's Internet users."
The debate is "moving in the right direction," Stepanovich added. "We have the support of the internet community at our backs, pushing forward toward real reform."
Don't wait for Washington
The Reset the Net campaign calls on Web users to take privacy into their own hands by downloading a package of privacy tools.
Internet services with hundreds of millions of users have pledged to use SSL and other privacy tools as part of the campaign.
Web users shouldn't wait for Washington to act on surveillance reform, said Ethan Oberman, CEO of SpiderOak, a Reset the Net supporter and provider of a privacy-focused cloud service.
"I am not sure at this stage that a lot will come out of Washington," Oberman said. "We don't have to wait for things to happen in Washington in order to act. We can start building technologies that make it so that the third-party server that's storing the data does not know what that data is."
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is email@example.com.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.