The startling revelations about NSA surveillance this week -- from the collection of phone records to an Internet collection program named "PRISM' -- have brought a firestorm of media attention, but there are few solid answers about how these programs operate, how our personal information is being used or indeed, how post 9-11 laws have been interpreted to permit sweeping surveillance activities.
The American people are being told that the programs are subject to a "robust legal review" and in any event, have proven useful in fighting terrorism. The message has been straightforward: Nothing to see here folks, just move on. But we should not be reduced to playing guessing games about whether and how our own government is monitoring us and how far these programs reach into our private lives.
Thomas Paine famously said, "It is error only, and not truth, that shrinks from inquiry." What we need now is inquiry, and lots of it. Just like the Church Committee that was convened after the revelations of illegal spying in the 1970s, we need a sustained investigation into the breadth of the information collected under these programs and whether the legal interpretations that support the programs are consistent with legislative intent. There are dozens of questions that deserve answers, but here are some that lawmakers, the media, and the public should be asking now:
1) What exactly is the NSA doing with the information collected under the programs disclosed this week concerning people who have nothing to do with terrorism? Are they retaining our data for broader analysis? Discarding it at a certain time? Combining it with information in other databases? Which data -- metadata or content? Exactly what minimization procedures are in place, if any, under different collection regimes to ensure this information is not retained indefinitely?
2) What is 51 percent foreign? The Washington Post has reported that NSA analysts wielding surveillance authorities that are supposed to focus on people abroad use search terms "that are designed to produce at least 51 percent confidence in a target's 'foreignness.'" How is "foreignness" determined, and by whom? Why is a 51 percent confidence interval, which no reputable scientist would accept as adequate, considered acceptable by the Administration? How much collateral data collection of information on U.S. persons does this "foreignness" test produce?
3) How is the information collected? Internet companies have said they are not providing the NSA with "direct access" to their servers. If this is true, how is the NSA obtaining PRISM data? Do the companies retain control over the content that flows to the NSA from their networks and make the decision as to what meets the criteria, or does the NSA set the parameters for the information flow and get the information directly. And if so, how?
4) How did a business records law become a prospective surveillance law? Section 215 of the Patriot Act allows the FBI to request that a court order be issued to compel disclosure of business records. What legal acrobatics turned this into authority to obtain business records that do not even exist until after the court order has been issued? Is the Administration using a stored records provision to authorize real-time surveillance? And how does a legal standard that permits collection of information relevant to an investigation to protect against terrorism become a standard that allows the government to collect phone call and other records about millions of people?
5) What will be the impact of the revelation of these programs on the U.S. cloud services business? Will people -- particularly those outside the U.S. -- entrust data to the cloud when the NSA seemingly has expansive access to it? And as data from more and more devices, from smart phones and tablets to gaming consoles and set top boxes, are stored in the cloud, will the scope of collection continue to expand?
6) How much of the information collected under PRISM and other programs is shared with foreign intelligence agencies? A UK security agency has disclosed that it has been obtaining PRISM data since 2010. Exactly what are we sharing and with whom? And with what safeguards?
The questions of course do not stop here. But without a full inquiry by Congress and an accounting not only to the American people, but also to Internet users around the world, it is fair to question whether our ability to communicate privately has come to an end.