It is perhaps not surprising that an event like last Friday’s Paris attack would raise questions about why government surveillance didn’t spot such a sweeping and apparently coordinated assault in advance. But the speed with which intelligence and law enforcement professionals worked to play down their own possible shortcomings — and in some cases invoke the attacks in a play for broader powers — has caught the attention of security experts, privacy rights advocates and editorial boards.
Editors at The New York Times called this turn of events “a wretched yet predictable ritual,” singling out statements made Monday by CIA Director John Brennan as “a new and disgraceful low.” Brennan went to the press with complaints that recent “policy and legal” moves have made it harder to spot and disrupt potential terror plots.
But Brennan hasn’t been alone in making such statements in the week since the violence that killed 130 and wounded hundreds more.
Stewart Baker, former general counsel for the National Security Agency (NSA) and an assistant secretary at the Department of Homeland Security under former President George W. Bush, has taken to twitter to voice opposition to limiting government collection of metadata.
Former CIA Director James Woolsey and former Director of National Intelligence and NSA chief Mike McConnell (both of whom, now in the private sector, have business with U.S. intelligence agencies) have taken to the airwaves to advocate for more electronic surveillance. And New York City Police Commissioner Bill Bratton, in an interview Sunday on ABC’s This Week With George Stephanopoulos, said the Islamic State in Iraq and the Levant (ISIL, also known as ISIS), which claimed responsibility for the Paris attacks, has been “taking advantage of the technology that the head of the FBI has been complaining about, I’ve been complaining about.” Bratton was referencing apps that encrypt the content of electronic communications.
Much about how the Paris attackers carried out their strikes is still unknown — or at least hasn’t been made public by French authorities — but when Brennan, Bratton and others with similar views hit the media, little beyond the death toll had been established.
“Seasoned law enforcement officers and the heads of spy agencies should know better than jump to conclusions before the facts are in,” wrote Cindy Cohn, executive director of the privacy watchdog Electronic Freedom Foundation (EFF).
There is still no public information indicating that those involved obscured the content of their electronic communications with any kind of technology — what is known as “point-to-point” or “end-to-end” encryption — or that French security was denied any particular intelligence tool.
“As far as I know, there’s no evidence the French lacked some kind of surveillance authority that would have made a difference,” Jameel Jaffer, deputy legal director of the American Civil Liberties Union, told the Times this week.
The claims of those advocating for greater spy powers — or for less government or legal oversight of spy agencies — loosely coalesce around three assumptions:
1) That point-to-point encryption is a relatively new and fast-growing problem for spy agencies trying to track emerging threats.
2) That bulk collection of metadata has been useful to intelligence and law enforcement, and needs to be maintained or expanded.
3) That information revealed by Edward Snowden in 2013 prompted terror suspects to "go dark" and placed unmanageable restrictions on intelligence gathering.
Civil rights advocates and surveillance critics have questioned all three assumptions.
Encryption not the issue
Sen. Diane Feinstein, D-Calif., speaking Monday to MSNBC, didn’t spare the graphic imagery when she called for companies that make encryption applications to “help.”
“If you create a product that allows evil monsters to communicate in this way, to behead children, to strike innocents, whether it’s at a game in a stadium, in a small restaurant in Paris, take down an airliner, that’s a big problem,” she said.
Feinstein has joined fellow senator John McCain, R-Ariz., as well as officials such as Brennan and Bratton in asking for a legal requirement that encryption products come with a “back door” — a key that could, under unspecified circumstances, give authorities access to the content of encrypted, private communications.
But it isn't clear if those behind the Paris attacks used electronic encryption for their communications, and reports say there is evidence that at least some of their interactions went over common, unencrypted SMS messaging. Given the big baskets both U.S. and French surveillance use to gather telecommunications, it seems possible that such conversations were somewhere in some intelligence service’s database. Some reports point to text messages sent Friday night as the evidence that led French authorities to the apartment in Saint-Denis, north of Paris, where a Wednesday morning raid by security forces killed three and arrested eight others said to be connected to last week’s attacks.
And creating back doors is a “terrible idea,” according to Eva Galperin, global policy analyst for EFF. “Once you build a back door,” Galperin told Al Jazeera, “you rarely get to decide who gets to go through it.”
“The Chinese or the British ... or common criminal hackers will start having access to personal info,” Galperin said, adding “back doors make everyone less safe.”
And requiring commercial encryption engineers to provide a back door doesn’t mean backdoor-free encryption would no longer exist. There will always be people capable of creating encryption algorithms, and not all of them will be under the sway of the U.S. government. Software engineer David Auerbach wrote in Slate, “If secure encryption is outlawed, only outlaws will have secure encryption.”
Metadata: dubious claims
Unlike the contents of an encrypted text or email, the metadata on such communications — the who, where, when and how long — is usually visible even if intelligence gatherers don’t have the encryption key. And metadata can be a revealing and powerful tool — one that appeals to Florida governor and Republican presidential candidate Jeb Bush.
"I think we need to restore the metadata program, which was part of the Patriot Act," Bush said this week on MSNBC. "It expires in the next few months. I think that was a useful tool to keep us safe and also to protect civil liberties."
Bush is apparently referring to domestic metadata gathering the U.S. has been conducting under Sec. 215 of the Patriot Act. It is activity that has been found by the courts to violate the privacy guarantees in the Constitution, and is due to be phased out and replaced by a new program on Nov. 29 (not in “the next few months”).
Former NSA counsel Baker is also a fan. “NSA's 215 program was designed to detect a Mumbai/Paris-style attack,” he tweeted less than a day after the Paris attacks. “Maybe this is the wrong month to drop it.”
In their statements, both men tacitly acknowledge that the program, operational for more than a decade, was in place last week — and obviously it didn’t stop the killing spree in Paris (or in Mumbai in 2011, for that matter). But perhaps even more important to note, Sec. 215 only applies to communications within the United States. Far broader bulk data collection programs — ones that track communications between the U.S. and points abroad and ones that focus on regions like the Middle East — exist under different sections of the law. And those will continue mostly unabated past the end of this month.
Still, Baker wrote “detect,” not “stop” — and it is possible the surveillance done in France over the last several months contains metadata tied to the cell responsible for the shootings and bombings last week. But some say the “collect it all” approach pursued by U.S. and European spy agencies has given analysts more data then they can handle.
“They can’t find the needle in the haystack,” Galperin said. This alone, she said, demonstrates how bulk collection can make citizens less safe. But she added that there is also “a whole lot of information about whether mass surveillance is working” — and Galperin said it’s not.
“There is even a lot of criticism from inside the NSA,” she added.
It is a problem as old as modern signal intelligence. Roberta Wohlstetter, in her seminal book “Pearl Harbor: Warning and Decision,” explained a problem that would look familiar to modern analysts. In 1941, the U.S. had cracked the Japanese code and had cables that indicated an attack on the naval installation on Oahu was imminent. But Washington had seen even more traffic that they believed pointed to a strike on U.S. interests in the Philippines. When viewed through pre-existing biases about Japanese ambitions, the signal-to-noise ratio was too small — the important needle was buried under a distracting and much-too-big haystack.
No Snowden effect
The reason we now know so much about the country’s bulk data collection programs is in large part because of Snowden’s revelations. And it was this information that Brennan insisted had incited “a lot of hand-wringing over the government’s role in the effort to try to uncover these terrorists.”
That “hand-wringing” — which the Times called “sustained national outrage” — had, according to Brennan, provoked courts and legislators to hamstring intelligence gathering. Brennan and others allege that Snowden’s leaks tipped off terrorists about government surveillance, prompting them to communicate with encryption or stop using electronic communication altogether.
That logic has raised questions. As noted earlier, the data dragnet has not only proven to be ineffective — and maybe counterproductive — it also has not been meaningfully restricted in the last two years. The bulk collection that might have swept up conversations among Nov. 13 Paris plotters was fully in place on Nov. 12, and will continue to operate well into the foreseeable future.
As for the idea that would-be attackers didn’t know to worry about government surveillance before Snowden’s revelations in 2013, the record is rife with examples of others divulging surveillance programs that flagged perpetrators or suspected instigators. And the official narrative of how the U.S. eventually found Osama bin Laden is based on the premise that spy agencies had to track his couriers because the Al-Qaeda leader stayed away from electronic communications.
The human side
“The Snowden revelations weren’t significant because they told The Terrorists their communications were being monitored,” The Intercept’s Glenn Greenwald wrote on Sunday. “The revelations were significant because they told the world that the NSA and its allies were collecting everyone else’s Internet communications.”
It is a conclusion that points out the bulked-up data collection that undermines the public prognostication, warnings — and hand-wringing — of the intelligence establishment, and hints at the pre-existing biases that have hampered current surveillance efforts. In generating so much noise, intelligence agencies are burying the signal. In fixating on the need to collect everything, the security state, some argue, has fewer resources to devote to specific things.
In France, before and after the Paris attacks, intelligence experts bemoaned that they had a good idea of whom to watch, but lacked the budget and personnel necessary to watch all of them. This means physically watch, as in human intelligence — or “humint” — electronic surveillance’s labor-intensive, older sibling.
It is a shortcoming that has been lamented by U.S. security analysts, as well — a shortage of humint that has been implicated in everything from missed tips to mis-targeted drones. But human intelligence is mostly slow, expensive and often less exciting (in a geeky sort of way) than the latest electronic sleuthing tools. It also requires making choices — and with choice comes responsibility.
Responsibility for some, however, is a heavy load. For a vocal group of current and former intelligence and law enforcement officials, responsibility for the carnage in Paris is a needle desperately in need of a bigger stack of hay.