If the NSA is losing hawks like me, it’s in trouble

When the Washington Post broke the news about PRISM, a secret NSA programme that monitors online communication between suspected terrorists, I wasn’t particularly appalled. The NSA have been snooping on communication for decades and I’d expect them to still be doing so.

There was also a lot of hysteria about widespread invasion of privacy and spies at every ISP which I thought was overcooked. I wrote a piece about it for the M&G but it was never published.

I’m publishing that piece today (see below) as a sign of how badly the NSA have lost the PR battle. I am generally a national security hawk, but even I am appalled, infuriated and disgusted by the idiotic and short sighted vandalism that the NSA have perpetrated on the very foundations of the internet. If you’re not sure what I’m talking about, read this first.

PRISM - shooting the messenger Here's the unflattering truth: despite what you may have read or heard over the last week, the US government is not spying on you via your email account or your Facebook page. In fact it doesn't currently have the wherewithal to do so in any meaningful sense. Where did this panic start? On the 6th of June the Washington Post and the Guardian fired a simultaneous broadside at the US government's intelligence apparatus. They alleged that a secret programme named PRISM gave intelligence agencies in both the USA and the UK "direct access" to the systems of major internet service providers. The agencies alleged to be involved - the National Security Agency (NSA), the Federal Bureau of Investigations (FBI) and the UK's Government Communications Headquarters (GCHQ) - are accused of "tapping directly into the central servers of nine leading U.S. Internet companies" The list of companies involved in the programme is a who's who of the internet age: Google, Facebook, Yahoo!, Skype. Within hours the story had been spread, amplified and distorted around the globe, often using the very sites allegedly compromised by PRISM: "The CIA is using Facebook to spy on us!" But the facts turn out to be more complicated and less sexy than either of the newspapers who broke the story would like us to believe. Firstly, it's not at all clear that PRISM does provide any kind of "direct access" to the servers of these companies, or whether that idea is an oversimplification by the author of secret documents leaked to the newspapers. For starters every single company named immediately and categorically denied the claims, stressing that court orders are needed to obtain any data, and that the government cannot directly access their systems. Such denials are predictable when the trust of billions of customers is at stake, but these are highly regulated, publicly listed companies. They cannot simply lie to shareholders and customers without it coming back to haunt them. More telling is the fact that, within 24 hours of breaking the news, the Washington Post began secretly editing the original story, softening much of the language around the complicity of the companies. On the 10th of June it published a follow-up story, citing a "more precise description" from an NSA inspector general’s report that clarified the matter: the NSA has no direct access to servers. Another inconvenient truth revealed by the Post is the budget for the programme: $20 million per year. That sounds like an enormous amount until you consider the scale of the task. Together those companies process dozens of petabytes of data every day. That's dozens of times more data than every book ever written. It's equivalent hundreds of thousands of DVDs, every single day. In order to cope with this flood, companies like Google spend billions of dollars every year on server infrastructure. Even were the NSA able to divert all that power to their own ends, it would still be an enormous job, far larger than a paltry $20 million could ever hope to fund. How, then, does the NSA decide what to request from the companies? Via old fashioned spying, of course. It gets leads from other agencies and then applies those leads to its data sources. What all this panic and finger pointing has obscured is the truly terrifying fact that the NSA can legally (and secretly) compel internet companies to hand over data about individuals. This is thanks to the Foreign Intelligence Surveillance Act which grants the broad powers to intelligence agencies that allow programmes like PRISM to function. It's laws like this that are the "problem", not the agencies or the internet companies. There's a strong argument against governmental overreach here: the kind of spying allowed by PRISM, via direct access to servers or not, seems overly broad and invasive. But, faced with personal loss at the hands of terrorists, few people would be against such spying. Everyone enjoys the national security sausage but no one wants to hear about how it's made.

Why has the attack on encryption technology changed my position? Because snooping, however odious, is limited in its damage. It sometimes infringes rights to privacy and due process, but the ends often justify the means.

But to intentionally sabotage one of the most important shared resources the world has ever known is not only reckless, it’s idiotic. As our previous editor-in-chief Nic Dawes said to me on Twitter: