Home inFocus Ideas for a New Congress (Winter 2015) Measuring Privacy and Security

Measuring Privacy and Security

Rachel Brand Winter 2015

When making decisions about national security surveillance programs, policymakers must consider how valuable a type of information or way of collecting information would be to national security and how much the collection program would intrude on privacy interests, and then decide whether the program would be constitutional, otherwise legal, and good policy. Over the last year and a half, how to appropriately conduct this balancing between protecting the national security and respecting individual privacy has captured the public attention. But notwithstanding intense public debate on the subject and a flurry of related legislation, two fundamental questions are both unresolved and often ignored when making specific policy decisions: What exactly is the “privacy” interest the intelligence community should protect? And how should the value of an intelligence program be measured when balancing its importance to national security with its imposition on privacy interests?

What is Privacy?

Take “privacy,” for starters. There is no settled definition of what privacy is or what privacy interest should be protected in intelligence programs. A recent hearing of the Privacy and Civil Liberties Oversight Board (of which I am a member) noted more than a dozen possible definitions. There are so many possible conceptions of privacy, ranging from freedom from the exercise of state power to freedom from embarrassment to a right to solitude, that some would say privacy is in the eye of the beholder.

Certain definitions, such as a “right to be left alone,” are so general that they are not helpful in making granular policy decisions. Other definitions cannot work in the context of clandestine intelligence programs because they depend on the consent of every individual. One common definition of privacy, for example, is the right to control information about oneself; not necessarily a right to anonymity or seclusion, but a right to decide who knows what about you and what they can do with that information. This concept cannot realistically be incorporated into intelligence programs (or law enforcement programs, for that matter) that must operate under objective, generally applicable rules.

z Tension Among Concepts of Privacy

And the various definitions that could be applied in the intelligence context may point in opposite directions when choosing among concrete policy options. The question of how to deal with so-called “incidental collection” of Americans’ communications under Section 702 of the Foreign Intelligence Surveillance Act (often referred to in the press as the “PRISM” program) illustrates this potential tension among concepts of privacy.

To boil a complex program down to a brief description, Section 702 authorizes the government to collect electronic and telephone communications of specific foreigners located outside the United States whom the government believes will communicate foreign intelligence information. Although the government may not target an American under this program, this does not mean that no American’s communications will ever be collected. For instance, if a targeted foreigner abroad communicates with an American, that communication will be collected. This is what is referred to as “incidental collection.” The incidentally collected communication will eventually age off the agency’s database at the end of a defined retention period unless an analyst reviews it earlier in the course of his work. If the analyst who reviews the communication determines that it does not contain foreign intelligence, he should delete it, but otherwise it may be kept for a longer period.

While incidental collection is inevitable and legal under the program (and may be very important if it reveals a domestic connection to a foreign terrorist plot), it raises obvious privacy concerns. Some incidentally collected communications will have foreign intelligence value that justifies keeping them in the agency’s files, but many ­— perhaps most — will not be foreign intelligence and yet will stay in a government database for some period. Examining two potential ways of addressing this problem demonstrates how a rule that could protect privacy in one respect may violate it in another. (These hypothetical options are simpler than the complex rules that actually apply in surveillance programs.)

One alternative would be to flag in the database communications to which one party is an American and require an analyst to review those communications to determine whether they contain foreign intelligence. The purpose would be to delete communications with no foreign intelligence value. Deleting the irrelevant communications would protect a privacy interest in freedom from the exercise of state power, since the government cannot use a communication against a person unless the government possesses the communication. But it would require an actual human being to read a private communication, analyze its meaning, and decide whether to retain it for a longer period, whereas that communication might never be reviewed by anyone without this requirement. This would be detrimental to a privacy interest against embarrassment or disclosure to other people of one’s personal communications.

Another option would be not to impose this special review requirement, to require deletion only if an analyst happened to review the communication in the course of business and determined that it was not foreign intelligence, and to allow unreviewed communications to be deleted at the end of the retention period. For communications that did not come to an analyst’s attention in the course of his work and eventually aged off the system, this option would be better for privacy insofar as no human being would ever review them. But it would be worse in that the agency would keep those communications for longer, increasing the potential that the government would eventually access and use that communication against the individual. A survey of public views likely would reveal a division of opinion on which of these options is preferable from a privacy perspective.

How Should the Value of Intelligence Programs Be Measured?

Just as there is no settled measure of the impact of a program on privacy interests, there is no settled measure of how valuable an intelligence program is to national security. In the counter-terrorism context, a program is obviously valuable if it uncovers information that is the key to discovering and preventing a terrorist plot. But this cannot be the only measure of the success of an intelligence program because silver bullets almost never exist. Intelligence is better thought of as a mosaic: many small pieces of information combine over time to form a picture.

The federal government did itself no favors when it responded to leaked reports of the National Security Agency’s bulk telephony metadata program by claiming that information from the program had thwarted terrorist plots. When push came to shove, the government could not produce any concrete examples to back that claim. It should have pointed out that there are many different ways of measuring success, many of which require a long-term view. For example, discovery of the existence of a terrorist of whom the government was previously unaware might enable the government to track him and decrease the odds he would be able to carry out an attack. Another measure of value would be whether a program has enabled the government to flesh out details about a known terrorist: who his collaborators are, what his sources of financing are, or — very importantly ­­­— whether he has entered the United States or plans to do so. There is also intelligence value in determining that a person is not a suspect. Especially where the government is facing a fast-developing terrorist threat, concluding that a particular suspect is not a risk will enable investigators to train their limited resources in a more fruitful direction and increase the likelihood of preventing the attack. Another metric is how often a program uncovers facts important enough to make their way into written intelligence reports that are shared with other agencies in the intelligence community or included in the President’s daily security briefing. There are surely other measures of value as well.

Incorporating these Fundamental Questions into Policymaking

Finding a good working definition of either privacy or national security value is difficult, and neither is necessarily susceptible to a one-size-fits-all solution. It may be appropriate to apply different concepts of privacy in different circumstances, and different measures of value will be relevant to different programs. The key is that decision makers should consider both of these questions in the policymaking process.

With respect to concepts of privacy, it would be a step in the right direction if policymakers simply stopped to assess the underlying privacy interests at stake before they began drafting the program’s detailed rules. Both inside the government and out, more ink is spilled and more time spent on how to implement privacy protections than on identifying what exactly is being protected. Asking the fundamental question at the outset would allow a more informed assessment of how the program ­— and various potential ways of operating it ­— would impact privacy.

With respect to intelligence value, the intelligence community should establish a process for assessing whether surveillance programs are effective, balancing a program’s effectiveness with its imposition on privacy and determining whether it should continue. The intelligence community does consider the effectiveness of its programs and sometimes shuts programs down for lack of effectiveness, as it did with the NSA’s collection of bulk email metadata. But these reviews are conducted ad hoc and often focus on whether the program is effective enough to warrant its budgetary implications rather than whether its effectiveness justifies its privacy implications. The agencies should conduct effectiveness reviews on a regular basis ­— not only at a program’s inception but periodically through its duration — and should weigh effectiveness against both resource and privacy concerns. The PCLOB has recommended that the intelligence community formalize a process for doing just that, and we are working with the agencies on implementation of that recommendation.

Rachel Brand is a Member of the Privacy and Civil Liberties Oversight Board, a federal agency charged with advising and overseeing the federal government’s counter-terrorism activities from a privacy and civil liberties perspective. The views expressed in this column are her own and do not reflect the position of the Board.