We know that the NSA has been monitoring millions of calls made in the United States. But what are they doing with that data? And how do they analyze it? Find out everything you need to know in this incredible lecture from Princeton computer science professor and government technology adviser Ed Felten.
Note: Lecture starts at 6:33 in the video below — if you click play, it should jump right to Felten's 45-minute segment.
In this lecture, given yesterday at Trustycon in San Francisco, Felten explains in clear terms how the NSA surveillance tactics work — but also, why they aren't working, and how we could improve them. What's valuable about this lecture is the fact that Felten pulls no punches. He's going to take you through some statistical analysis, and talk about some software tools that the NSA uses, so he gets a little technical. But you'll emerge with a really clear sense of what's technically possible, given what computer scientists know today about how to analyze massive quantities of network data.
Here are a few of the most interesting takeaways from his talk.
He begins by talking about how the NSA is only gathering what's called "metadata" on US citizens' phone calls. Metadata includes three basic things: who made the call, who received the call, and when (also, how long they talked). That sounds relatively innocuous, because you have no idea what the conversation was about, but Felten offers a couple of examples of how revealing metadata can be. For example, if you receive a call from a medical office appointment number, obviously you have a doctor's appointment. If you call a suicide hotline and talk to them for 45 minutes, that reveals a lot about your mental health. And of course, if you are making repeated, lengthy calls to somebody late at night, that can easily reveal a personal relationship.
Those are just a few ways that metadata reveals a lot about you, and Felten notes that when your whole network of calls is analyzed, it's easy to create a fairly accurate profile that reveals how old you are, where you work, and a lot of other things.
Felten has a great slide which lists the two things we know that the NSA does with metadata. It reads:
1. contact chaining
He notes that the second one has to do with tradecraft, or what those of us who watch a lot of bad movies would call "spy shit." Contact chaining is the practice of looking at who your contacts are — in this case, who you called over the past five years — and trying to figure out whether you're a terrorist based on them.
Felten walks you through how exactly the NSA might try to figure out whether a suspect named Bob is a terrorist. Let's say the NSA already thinks Bob has a 20 percent chance of being a terrorist, which is why they are tracking Bob. If Bob is a few hops away on the chain of a known Bad Guy, then the likelihood of him being a terrorist goes up to about 37 percent. Felten notes that this isn't really a helpful number to have gotten from contact chaining all that data. There isn't even a fifty/fifty chance that Bob is a terrorist.
So, Felten points out, we should either pull Bob in based on the information we already have about him — or we should get a subpoena to gather more specific information on him, rather than using all that data gathered by the NSA. Crucially, Felten says that contact chaining is a terrible way to determine whether Bob is innocent. Data-gathering techniques should be able to help the NSA find suspects, but they should help them eliminate suspects too. Currently, their system is terrible at detecting false positives.
It's important to note here that Felten isn't against the NSA spying on people. He just thinks that their current methods are ineffective, and needlessly violate innocent people's privacy to boot. In the next part of his talk, he describes how the NSA could be doing their spying in a much more effective, targeted manner. He also offers some suggestions about how innocent people's data could be protected while still helping the NSA in their data analysis of social networks.
Ultimately, he argues, we don't have to trade off our privacy for security. We have the technical tools that will make it possible to protect the privacy of the vast majority of US citizens, while still targeting suspects who could threaten violence.
He also recommends reading a set of recommendations that technologists have made to the government, to reform the current NSA practices, called Liberty and Security in a Changing World.