 Welcome to Free Thoughts from Libertarianism.org and the Cato Institute. I'm Trevor Burrus, a research fellow at the Cato Institute Center for Constitutional Studies. Joining us today is Julian Sanchez, a senior fellow at the Cato Institute, and guest hosting for Aaron is Matthew Feeney, policy analyst here at the Cato Institute. Today's topic is the NSA and domestic surveillance. So my first question is, I guess, just to set the stage. Haven't governments been spying on us forever? Isn't that just what we do with governments? We expect them to spy on us. You know, what's – what happened before and what's new now? Sure. So spying is, of course, ancient. One of the very first and most simple secret codes is called the Caesar Shift. It's when, you know, you write a C instead of A and D instead of B because the Caesar and the ancient Roman generals used it to send coded messages. So spying is certainly as old as governments and human conflict. One of the things that's new, however, is the capability to, in effect, spy on entire populations wholesale. That is really something that is novel with the age of computers and electronic communications. It's always been possible to try and intercept particular communications or spy on particular people. But the idea that, in effect, you could have a vacuum cleaner siphoning up and, in some way, analyzing not just the communications of the entire population but massive databases about their activities. Activities in many cases that never in the past left any kind of permanent record. When you think about reading or having conversations, these are activities that used to not leave any particular trace. If you weren't following someone when they took a particular trip on the road, had a particular meeting, opened a book or a magazine, you had no way of tracking that after the fact, let alone correlating the activities of thousands or millions of people to look for patterns in those activities. So that's all quite novel. In fact, we see, I think, in some of the revelations about modern spying, something that is really, I think, new to our constitutional tradition right there in the Fourth Amendment is the idea that searches and seizures, not just for intelligence purposes and for spying, but certainly especially in criminal investigations, are particularized. You become suspicious of a particular person and then you attempt to read their mail, look through their papers. You know, maybe you break into their house and look for evidence. But the idea was that this is something you did on an individualized basis once there was some kernel of suspicion attached to that person. And what we see, I think, in the revelations about modern NSA spying, is a shift from retail to wholesale surveillance. A shift from a model where you become suspicious about a particular person and then surveil their communications to a model where you surveil the communications of entire populations in order to develop grounds for suspicion. This seems like it came at an interesting confluence of events because not only did we have the technology grow, the internet, the digital life grow, but then 9-11, not coincidentally, at the same time. So then there was both the means and the motive to do those things simultaneously. In a way, we have a kind of three-way perfect storm of a lot of different kinds of capabilities and political background facts coming into confluence at the same time. So on the one hand, we have the technological capability to analyze vast streams of data, which is relatively new. The regime for legally governing American intelligence spying has its origins in scandals of the mid-1970s, late-1960s that led to the passage of the Foreign Intelligence Surveillance Act in 1978. One of these was an illicit NSA program called Shamrock that involved mass analysis of international telegrams and looking for keywords in a way a predecessor to what's being done on a much larger scale today. Then it was quite impressive that NSA was able to analyze at the peak many thousands or hundreds of thousands of telegrams, perhaps in a single month. But we're now talking about millions of communications a day being automatically siphoned and filtered for profile matches or matches to particular targets. So one aspect of this is the ability to essentially surveil communications and mass, which is impossible for it. The other aspect or another aspect is a change in the nature of the enemy. Intelligence in particular where certainly under U.S. law in most countries has always been understood to be a domain where the rules are a bit looser than with respect to ordinary criminal investigation. There's some good reasons for that. It's more difficult basically to deal with state actors, people with the backing of foreign states who have the ability to flee the country and sophisticated intelligence tradecraft. But the nature of the enemy is no longer that you have a sort of a fixed known entity, a foreign state, who is communicating on separate facilities, secure communications channels, and so that you know who you're trying to target in a way because the enemy is these decentralized terrorist groups that are embedded in civilian populations. You have a shift in the mission along with the shift in technology. So it's not just to figure out what the enemy is doing but to detect who the enemy is. And then the third shift, not in the analytic capabilities but the technological shift to a global communications network where not just enemy communications and civilian communications are mixed on the very same network, but also borders don't matter nearly as much. The Foreign Intelligence Surveillance Act was written on the assumption that if you had pretty strict rules or stricter rules for surveillance that was carried out within the United States, you didn't have to worry that much about restricting the ability of the spy agencies to spy outside the United States because the thought was you would occasionally but relatively rarely end up picking up a lot of American communications when you were tapping a phone line in Germany or in Russia. But of course that's no longer true and the NSA folks themselves will tell you a big part of the challenge they face in the 21st century is that a communication between New York and Los Angeles for instance in the modern era might travel through Japan if it's in the middle of the day when the pipes are congested in the U.S. but everyone in Asia is asleep. The cheapest way for that communication to go might be not through the United States but through Asia. If you think about services like Google and Facebook it may be that because they're trying to serve a global user base the database of private information that you think is just on a server somewhere in Palo Alto is actually also backed up in full on backup servers in Ireland or in China with the result that as we now know under the much looser authority of Executive Order 12333 which handles surveillance outside the United States Who issued that one? So the original Executive Order 12333 was signed by Ronald Reagan in the early 1980s again as it meant to provide guidance and authority for intelligence activities not in the United States and the assumption was that really meant spying on foreigners but again as we now know in fact vast, vast amounts of surveillance including surveillance that sweeps in Americans' communications is now done by, well there's a program called Muscular for instance that involved basically tapping the data links between these huge backup servers companies like Google and Yahoo maintained overseas and when they were doing that they were effectively unrestricted by the rules that are meant to govern the acquisition of Americans' communications when they're doing it in bulk they get to say well we're not targeting any particular American we're just getting all the data and of course that includes many Americans' communications or other kinds of remotely stored files and private data and so these three factors the ability to analyze data in bulk the emergence of an enemy that blends into civilian populations and uses civilian communications networks and a global network technology that makes borders increasingly irrelevant have generated this scenario where the intelligence agencies feel this imperative to as their internal documents say collect it all and under old rules that are not really that well adapted to ensure that collecting it all doesn't mean collecting huge amounts of the private data of their own citizens. Well I think a lot of people might be wondering what the intelligence community says quite often which is well if we need to find a needle we need to look at the haystack and that the tools that they use only work with bulk collection. Number one is that true and also how effective has this been? Well so I mean in a way the answer to those are I think the same answer this is sometimes the kind of jokie response to this is this is attempting to find a needle in a haystack by gathering even more hay. Intelligence professionals themselves often refer to the problem of what they call drinking from a fire hose. Having so much data pouring in that they are unable to process it meaningfully or figure out the difference between genuine suspicious patterns and coincidental suspicious patterns because you have enough dots you can draw patterns that look like something suspicious through them. I think if we look back for example first to the 9-11 report and the findings about the causes of the intelligence failure that led to 9-11 you'll find there that the problem was not inadequate raw collection of data. The famous phrase from that report the failure to connect the dots has since I think been very badly spun and misconstrued and now we hear advocates of more surveillance power saying well you can't connect the dots unless you collect all the dots there are as many dots as you can. But as it turns out that is not really a recipe for greater efficacy the finding of the 9-11 commission was in fact that they had the data but failed to collate it not that they needed more data to collate and if you look at the track record of a lot of the bulk collection programs since then we find a not very impressive history here we had two independent panels the president's handpicked surveillance review group the privacy and civil liberties oversight board do a pretty detailed review of this bulk telephony call records program where they were sweeping up the call records at least at one point nearly all Americans domestic international communications and they found that it was essentially never useful in catching a terrorist attack or thwarting an attack that in almost every case they were merely duplicating information that they already obtained through targeted authorities which I mean shouldn't be that surprising that in fact trying to collect and sort through huge amounts of data about millions of innocent people is often just not going to be worth the investment relative to the sort of time-tested method of once you're suspicious of someone focusing your energy and your resources on analyzing their data it's a little bit harder to say with respect to some of these other intelligence programs about which we know last and which have not been subject to the same kind of searching review but if we look back to the original warrantless wiretap program under under President Bush we find that when the Inspector General's looked at the results of that they found basically the same thing that to the extent useful intelligence was obtained there it was almost always about people who were already targeted by the FBI with specific traditional warrants we find the same thing that some of the Senate reports on fusion centers which are supposed to sweep up and synthesize large amounts of data that they basically never provide any useful timely intelligence. So when someone says that this is stopping terrorist attacks or has stopped terrorist attacks that's a very at the least dubious assertion. Well certainly the programs that have been looked at the most carefully that those assertions have not held up it would be hard to say with respect to some of the others. So for example the FISA 702 program this is not metadata but the acquisition of contents. What's metadata is a term we need to define before we continue. So metadata is actually kind of a dubious term people talk sometimes as though it there's some kind of clear natural distinction between the content of a communication and the metadata in fact the distinction is much blurrier especially on the Internet but the idea here is the metadata is the data about the communication so if we have a phone call the phone number I dialed and how long the call took that kind of information that would be on your phone bill is the metadata and the content of the communication is what we actually said over the phone. But of course how you categorize these things is to some extent a matter of choice even on traditional phone networks. I call an office building and I tell the secretary I'd like to be connected to Trevor or to extension 320 or perhaps it's an automated system and I punch in 320 for the extension. Well is that the content of the call or just more metadata gets blurry and more so when you think of something like a website well I go to kato.org slash surveillance or something like that. It gives you a pretty idea of exactly what content I'm looking at it is formally metadata and with Internet communications actually there's a whole nested layer almost like a layers of an onion of content and metadata so. Your computer sends to the website the website sends back to your computer right? So those are the packets is that the right? The packets is sort of the basic unit of information flow on the Internet and you can actually make much the same analogy I did to the you know calling up an office and asking the secretary to connect you to a particular line you know a packet of data will contain so let's say I send an email to Trevor at Kato there'll be an outer layer of metadata that the ISP needs to see that Comcast for example looks at that just says this packet is going to Kato's server and then once it lands on Kato's server that packet has content that says deliver this is a mail message and please deliver it to Trevor's mailbox and so that's metadata for my mail message but the content of the kind of outer layer that just said take this to Kato and then within that of course is the contents of the actual message and there's this sense that defenders of some of these surveillance programs like to spread that metadata is somehow trivial it's not that important and in a way if you think about an individual communication maybe that sounds plausible sure I call up a particular phone number and unless I'm calling a suicide hotline or an abortion clinic or an AA number probably the information about the phone number is less revealing than what I actually say on the call but when you take that at the macro scale and you say not just one phone number or one email address but the whole pattern over the course of many days or weeks or months of my communications of what websites I visit of what I read at what times of day and in what locations and not just what I'm doing but how my patterns of behavior change over time am I staying up later do I seem disturbed am I looking at different things now or talking to different people and also the patterns relative to the entire population not just what does my metadata say but is my metadata unusual is it changing in ways that look different than a normal person's is it changing in the same way as people who become interested in radical interpretations of Islam once you have that kind of bulk database to analyze the metadata can in fact become as or more revealing than the content of the communications because in many cases it's actually much easier to analyze very quickly huge amounts of work through entire communications and from what we know about the NSA do we know that they are doing this for all of us domestically attracting this in large groups of people within the United States so exactly what kinds of data they're gathering are hard to know the we know that the telephone program which is still in effect but is sort of slated for reform was to the largest and most indiscriminate collection of data about communication that was at the prism program that's a separate so the metadata the metadata acquisition is under an authority identified with the the Patriot Act the power that was expended under section 215 of the Patriot Act in 2001 that's an authority to acquire records they're relevant to an investigation I think the idea originally was of course when you're investigating a particular entity may you think this particular charity is actually a front group to fund foreign terrorists once you're investigating this person or this corporation or this entity you would be able to get lots of documents that were relevant to the activities of whoever you were investigating or perhaps associates or people in contact with the target of your investigation so you could figure out whether this required further scrutiny the FISA court established by the foreign intelligence act allowed the NSA to effectively say everything is relevant to the investigation but because by creating this large database they can later analyze it will and and connect to the dots between lots of different people who communicate with each other they would be able to provide useful analysis for investigations that certainly not an understanding that ever before I think courts have had of what relevance means in laws like this that permit you to obtain records but that was something they were able to sell they had also sold the court a similar program now discontinued but probably being conducted under different authorities that did the same thing for international internet communications so at the very least all international emails perhaps also international web traffic and keep in mind here you probably have no idea when you're engaged in an international internet communication I mean you may if you're deliberately visiting the BBC website but maybe that website has a mirror in Atlanta Georgia and maybe again given the time of day and the facts about congestion visiting a Facebook page but in fact the cheapest path for your bits to travel is to a server in Ireland so you probably have a lot more of those international communications than you think you do but something that's always occurred to me while these revelations have come up is that even if you accept that the metadata is good for targeting or investigating terrorism and all the rest of it there have also been revelations that the American intelligence community has spied on German politicians and even spied in the Vatican conclaves I mean how is this supposedly justified given that I don't think the pope is necessarily a threat to US national security and Germany as an ally could you elaborate on that a little bit? So another I think pattern we've seen since 9-11 really is that authorities the intelligence community has wanted for a long time often for general support to their broader intelligence mission which is certainly not limited to terrorism are justified in terms of its utility for counter-terrorism which is not necessarily the primary way they're used maybe the most famous example of this are the so-called sneak and peek searches that were part of the Patriot Act these were explicit authority and the courts have always allowed these in extraordinary circumstances but this was a clearer and easier authority to enable ordinary investigators not necessarily for intelligence cases to get a search warrant that would allow them to surreptitiously break into a home or other location and only notify the homeowner much later the usual model of course is they come to the door or maybe knock down the door but they come at the time they serve it show the person that they have legal authority to search conduct the search the person can sort of monitor and make sure that they're essentially taking only what they're supposed to take and the person is in a position to complain if they do something wrong sneak and peek searches were sold as something that was necessary to avoid tipping off terrorists even though of course is a separate and completely secret physical search authority that's part of FISA the thought though was this was something that you know ordinary police needed to assist in counter-terrorism investigations and of course a few years later it became clear that almost never was this authority used for counter-terrorism investigations it was used overwhelmingly for drug and other kinds of investigations so what we need to bear in mind when we think about all the authorities that have been justified since 9-11 as necessary to fight terrorism is that very rarely are the statutory terms of these power restricted to counter-terrorism so I mentioned earlier 702 this is one of the ones that may have been more useful that may actually have been helpful in foiling terror attacks or actually gathering information about terrorists this is an authority that permits the government without a warrant it's effectively a general warrant that allows the director of national intelligence and the attorney general to issue certifications that cover broad categories of intelligence targets like foreign terror groups or foreign cyber attackers and then lets the NSA basically decide which accounts, which phone lines, which email addresses they're specifically going to subject to search and wiretapping and collection this is always discussed as a counter-terrorism tool but of course if you look at the statute it doesn't say the NSA or the government may spy on foreign terrorists it says essentially if the purpose is to gather foreign intelligence of any kind including plans about what Angela Merkel is going to do at the next round of treaty negotiations and the target is outside the United States so Angela Merkel at germany.de or whatever then NSA can be authorized to do this without further judicial approval and so we know now they have essentially many tens of thousands of targets every year and since targets including corporations that might mean many hundreds of thousands of specific accounts being spied upon and surely some of those are suspected terrorists or people involved in terrorism but that's not a requirement of the statute and we know that one of the things they do for instance is spy on foreign network administrators people who work in IT people who maintain computer networks not because they're suspected of doing anything wrong but because you never know when you might need to spy on a network that some target is using so you spy on the network administrator learn all the things they might be using as their password use that information to be able to compromise their accounts and own their entire network they don't have to be terrorists they just have to be someone who is not in the United States but the 702 program according to some accounts has numerous protections on it attorney general approval director of national intelligence approval FISA court approval which are usually topical certifications rather than individualized certifications congressional oversight committee congressional briefings congressmen can make hey if they want to make hey and there's also they have to submit I think reports every 90 days about the activity and on some accounts the error rate is incredibly low and below 1% of and they self report their errors on these things how do you respond to those levels of prophylaxis about having this be abused right so I think it's important to understand that the scale of a program like this where again they're sweeping in millions or tens of communications on a daily basis makes oversight that's meaningful quite difficult and indeed the judges on the FISA court have said and they certainly have an oversight role here they are the ones who approve the broad procedures under under which 702 surveillance operates and we're getting 702 phone and internet surveillance where there are these broads of general warrants but then the NSA itself is the entity that gets to decide who is actually spied on the FISA court is responsible for approving the procedures they say they're going to use these are the criteria we're going to expect analysts to meet before they start tapping a particular email account or IP address or phone line this is the methods that they're going to use to try and ensure that they're not tapping anyone inside the United States but the FISA court judges have acknowledged that they cannot meaningfully review the actual implementation of this program and now there are routine reviews of how this stuff is being used but there are some difficulties one is just again because of the scale of it you can only really look at a pretty tiny snapshot of what's actually being collected and used I mean the NSA itself probably never looks at most of the communications that are swept in another problem is that it really seems like the oversight is designed to catch inadvertent sort of they're not bad at catching a typo that flagged the wrong email account for surveillance it's not nearly as clear that they have a system that is well suited to catch people who understand how the system of oversight works and either as a sort of rogue analyst are deliberately circumventing those controls or the case where as historically has often happened at a fairly high level the agencies themselves decide that they want to try and circumvent oversight and I think the pattern you see pretty continually when the inspector general does poke into this or that program it's hard to say with respect to 702 specifically but a lot of these programs is that the agencies often have a very narrow idea of what kinds of violations have to be reported to the oversight entities the inspector general often sort of suggests that there are lots of incidents that really probably should have been reported that the FBI didn't think were significant enough to rise to the level of a reportable violation and frankly the fact that so much is legal that it doesn't technically count as a violation so if you have some passable foreign intelligence reason to be collecting a lot of foreign data of foreign communication streams let's say you're targeting entity like WikiLeaks or the Pirate Bay these are both examples that have been discussed the collection of lots of American communications incidentally as they call it is not a violation they understand that you're supposed to be catching basically a lot of American communications as long as you're not targeting the American and so if that's not a violation if it's not a violation of the rules to have all these communications the question of violation kind of comes down to what you're doing with it now that they've got all of our communications are these being used in a way to target or harass people or might they be used in that way in the future and that ultimately comes down to what a person does with information what is once it has entered their brain and that is a lot harder to enforce especially again when you're talking about the enormous quality of data being collected so you know an embarrassing story appears in the gossip pages about a political opponent of the president did that information come from an email the NSA intercepted from someone else well it's hard to say does the NSA even have that information well you would have no way of knowing without then going back and looking through their archives to see whether that embarrassing column matched something that was in the database you don't want to do that because that means searching for an American's information in the database which would itself be without an intelligence purpose if we look historically at the way abuses occurred in the past wiretapping of activists and civil rights leaders and anti-war activists we find that the agencies that had some sense that perhaps what they were doing was not appropriate took steps to ensure that what they were doing would not be visible to overseers so very often these activities would be routed through alternate file systems to ensure that there was no record in the central FBI database of you told me a story one time about the briefcase delivering the briefcase to the hat that's a great story one of my favorite stories involves a former congressman in the center Carl Mont who used to write Hoover, J Edgar Hoover semi-regularly asking for intelligence about political opponents or other figures that he was interested in and invariably Hoover would write back saying no the files of the FBI are confidential I cannot share this personal file with you congressmen or senator and a historian eventually became curious as to why Mont was so persistent why didn't he get the message and as he eventually interviewed Mont's former personal secretary he learned that the answer was that these letters of refusal from the bureau from Hoover would always come hand delivered by an FBI agent who would also come with a briefcase containing the file Mont had asked for open it up late on the desk say I got to take this back with me I can't give you the file but I'm happy to answer any questions you might have and you can take notes but that was Hoover though we know he was bad right so I don't think Hoover was uniquely evil human being the message we should take is that the people who are in charge of these agencies who have access to this information understand that there's oversight and also understand there are ways to avoid creating any records for the overseers to work with in fact what we now know about the abuses of the 60s and 70s under Hoover and under other agencies you know comes from a very partial bit of the historical record historians later uncovered single routing slips single pieces of paper from much larger files that had been destroyed revealing other kinds of illegal break-ins and illegal wiretaps that the congressional investigative committees had not discovered and the only evidence we have is basically something that was accidentally not destroyed suggesting a larger archive of which these slips were a part so it's just given the scale of this even more so now when you're by design collecting so much stuff at least for example in the 70s a new attorney general discovered a decades-old bug that had been planted in the offices of the Southern Christian Leadership Conference that said look if there's not actual criminal prosecution forthcoming you better shut this off you have no legitimate reason to be wiretapping these people but of course it would no longer actually be a big red flag that for instance you know Bill Clinton's emails are being sucked up when you're collecting on this scale the fact that some politically sensitive entity is being collected on doesn't necessarily tell you there's something amiss that someone is using this for an area of purpose in a way easier to come up with excuses for why you have this sensitive information and you know again I think the pattern we see over time in a lot of different programs is the FISA court is informed that the NSA is running a program is collecting data in a certain way and then two or three years later this has happened several times they learned that NSA had actually fundamentally described what was going on that they were collecting much more information that they were not observing restrictions on searching the database that the court had tried to impose in one case they said that the elaborate system of restrictions that had essentially allowed them to justify approving one of these collection programs had effectively never functioned because it had been so systematically disregarded members of congress complained sometimes humorously about how difficult it is to extract information often feels they say like a game of 20 questions and so of course you know the picture they'll get are very brief summaries of something that's working very well and very effectively but again it seems like what we see again and again is when there is greater scrutiny things the overseers weren't aware of come to light and you realize in fact what a partial picture they have I mean it does seem like senior members of the intelligence committees really believed that this telephone program this telephone metadata collection program had been somehow instrumental in thwarting dozens of terrorist plots and as soon as the surface of that claim was scratched it turned out it was of course completely false but it seems like again the senior legislator responsible for oversight genuinely believed it until there was pressure to dig deeper so I think that should be a little bit disturbing and should raise serious questions about how meaningful this oversight mechanism really is or can be well then what sort of reforms can or should we look forward to because the NSA has had a big hit to its reputation in the wake of the Snowden leaks but given the stories you've just told about oversight and well I mean frankly lack of information at the top and lack of transparency it seems to me that even if it was announced that okay there's going to be a big overhaul of the American intelligence community civil liberties will be taken more seriously I suppose the perhaps naive question might be well why trust them whenever they come out and announce these sort of things That is not a bad question you know in part one of the curses of intelligence is the academic scholarship about intelligence oversight you find this trope of fire alarm versus police patrol models and they say that basically for the most part the American intelligence community has operated on a fire alarm model meaning essentially every now and then there's a scandal either a huge intelligence failure or a huge intelligence abuse there is deep scrutiny of their operations corrections are made and then over time the energy to scrutinize falls away and I think you can understand why Matthew you said earlier congress can make hay if they discover something amiss but actually their ability to do that is pretty limited Ron Wyden can get up and say I don't think they're using their authority correctly he was obviously very upset about this bulk metadata collection program I should say phone and internet for a long time but wasn't able to say publicly exactly what he was so concerned about and more generally you know legislators have limited time and their ability to you know focus their resources energy and time on this is sort of constrained because they have to think sort of politically speaking if I fix a big problem internally to one of these agencies I don't get to put out a press release later and sort of trumpet what good I'm doing for my constituents civil liberties it makes a lot more sense to work on other areas especially areas where there are external groups and lobbyists who are willing and able to help whatever the congressman is trying to do the intelligence arena almost all the information you have is coming from inside the agencies themselves you get maybe external pressure from groups like the ACLU or the electronic frontier foundation but they rarely actually have details of what's going on or specific suggestions about how it needs to be fixed that said you know you do see that there are limits that is to say they will twist often the authorities they're given in ways that perhaps were not intended or obvious to the public in order to achieve whatever programs they think are necessary to allow them to do their jobs and serve their intelligence functions but you do see them running again up against you know legal strictures that there's no real way around and so if it's sort of clear enough what you're trying to prohibit them to do and you don't leave loopholes there's at least a sense that someone will cry foul before that gets too wildly out of hand but backing up I think what is most important in terms of limiting the ability of these systems to be used is not to think about this particular program or that particular program and what the standard to get this kind of record should be but to think in a broader sense about the creation of the architectures of surveillance that is to say to look at the way the structure is set up and ask if someone decided after an attack to ignore the rules either for a good reason in a moment of panic or out of malice or desire to abuse the system how easy would it be could you just flip a switch and turn the system to an inappropriate in a way the metadata program we just discussed is one example of what two different kinds of architectures for this might look like the president has already announced his intention to end that program in its current form which involves basically sweeping in everyone's communications data and then analysts querying particular numbers and then all the numbers associated with them are two degrees or three degrees of separation from that master database Google the entire data that Google database of all of our private effectively effectively now the alternate structure which will allow them to do much of the same kind of analysis is instead they're going to go to the FISA court serve an order on the carriers who in sort of consortium are going to work to sync up all their records so that I can get very quickly if a Verizon customer called an AT&T customer or that person called a Sprint customer I can start with one number and get the pattern of that person's communications quickly without having to go back and forth between all the carriers but still on an individualized basis where I've given the FISA court a list of phone numbers that I am suspicious of for some reason go to the carriers and say okay start giving us the feeds on these numbers and the people in contact with them and that ends up pretty quickly getting to a lot of different phone numbers that they're having their metadata swept in but the important thing to recognize about the difference between this architecture and that architecture is under the bulk architecture all the information's in house and so if you decide you want to look at the president's calling patterns or that annoying Cato Institute guys calling patterns all you need is someone who's going to punch that number in at a keyboard in house all the information is kept there and all they have to do is get around whatever internal mechanisms may be set up to raise a red flag if you're doing something weird under this alternate architecture probably all those people's call records are not already in the system so there are additional steps you'd have to get the FISA court to sign off on it get the information from the carrier have it reviewed why that particular information was coming in these are two architectures that allow much the same kind of analysis but as you can see if you wanted to turn one architecture to some inappropriate purpose like spying on your political defense or you know inconvenient activists one architecture basically allows you to do that with a flip of a switch another architecture makes it actually quite a bit more difficult to do that well some listeners might be thinking under both architectures might be thinking to themselves well I've never visited WikiLeaks I've never visited a jihadist website so I don't you know read dodgy books I've never googled how to build a bomb so I may be concerned about this if the justification for it is national security and I'm not a national security threat are you asking if you haven't done anything wrong yeah if I have to worry about this one of these weird guys at Kata yeah I mean you know in a way one answer to that is to ask about the effect of asking that question that is to say if your statement is well I don't have anything to worry about I've never googled how to build a bomb I've never looked at Islamist videos on YouTube does that affect your likelihood in the future of doing those things when you're sitting down to Google is some part of your brain going to be thinking is every American's brain in some tiny corner going to be thinking well can I Google how to build a bomb or should I go to this Islamist website maybe not because I'm an Islamist because I'm interested in reading about it is something in the back of your head wondering whether you're going to get on a list because you made a certain phone call or went to a certain website and we can look at affidavits from a whole array of civil society groups from the NRA to religious groups across the board saying that they encounter a lot of doubting reluctance from their membership now people are worried about calling let's say a gun rights organization they say well I may have a gun that's not legal and I'm not sure what to do about it but I don't certainly if this comes up want it on the record that I called for legal advice about this the other thing to note is of course that historically the point of surveillance has been to affect politics in a way that goes far beyond the particular people who are under surveillance so you think about the notorious campaign that was waged against Martin Luther King they essentially attempted to psychologically destabilize him and drive him out of public life by trying to blackmail him essentially with tapes of his extramarital liaisons obviously if Martin Luther King is removed from political public life that affects a lot of people other than Martin Luther King and his immediate family if as we've learned lots of Muslim civil society leaders people who are attorneys or public advocates or activists from the Muslim community were under surveillance or potential people who are interested in joining these communities are intimidated out of it because they're afraid that this will bring them under government scrutiny that affects the balance of political power and affects the kinds of public discussions we're able to have in a way that goes beyond the effect on the particular people who are scrutinized and again you have to sort of recognize that when data is stored over long periods of time one of the famous instances of this is that in his 20s midshipman John F. Kennedy had an affair with a German columnist who was sort of under monitoring by the FBI more than a decade later when he won the Democratic nomination on that very day the file concerning his affair with this German columnist Inge Arvad was immediately moved to J. Edgar Hoover's personal and confidential file so the question to ask is not just will am I doing something wrong today or even how does the fact of the surveillance system might be perceived as doing something wrong but who is going to define wrong in five years or 10 years and is the fact that I am reading Occupy websites today or Tea Party websites today going to be considered evidence of some kind of potential national security threat five years from now when a different president is in power but isn't it worth it on this one level today if we're weighing these costs which I think everything you just mentioned people would say this is a cost this is a cost to freedom of communication to feeling secure in your own home but police have powers that make us feel unsafe sometime and they have that for good reasons because there are people out there who want to hurt us and in the case of terrorists there are people out there with possibly nuclear weapons and it seems like a minor inconvenience to us might be worth this maximal cataclysmic event in the future right well I mean certainly I think it's true in the abstract that in order to protect people whether from terrorists or from ordinary crime police or investigators, government agents sometimes need to investigate in ways that involve some incursion on personal privacy and that yeah we have to make some trade-offs we need to for example decide that in order to catch murderers sometimes police can obtain search warrants and go into private homes of people who have not yet been convicted of anything to obtain evidence and that's a trade-off we make I think there are two mistakes to avoid though one mistake to avoid is because sometimes there's a trade-off between privacy and security assuming that every loss of privacy is an increase in security or conversely that any gain in security requires a radical diminution in privacy that of course I think is a mistake and the other is to in some sense act as though with respect to every particular invasion proposed that the entire weight of the interest in national security is on the other side of the balance I think you see the courts doing this a lot they'll say well gathering people's phone metadata is an invasion of privacy but on the other side nuclear bombs going off in New York and if every time a particular invasion of privacy is proposed what is on the other side of the ledger is a nuclear bomb going off in New York City privacy will always lose but of course it's never the case that that's actually the nuclear bomb is the alternative in every case the well-known documentary 24 has taught us this but I would suggest we think in a more sophisticated way about marginal differences in probability so we should be asking is not you know is privacy more important or is security more important what we should be asking is all right if the annual probability of an American dying a terrorist attack is one in 20 million then relative to a less intrusive and more particularized method of gathering data how much is that probability reduced at the margin by something more intrusive and what we've seen I think across the board for a lot of the programs that have been examined in detail is when it comes down to it the advantage in terms of intelligence in terms of uncovering bad actors and preventing plots gained from bulk collection over more traditional targeted collection is negligible and maybe nonexistent there may be other contexts in which that's not true and some kind of larger scale collection actually gives you a very very great advantage very significantly reduces the probability of a successful attack but we need to be I think more sophisticated about asking that question if you're taking a very small probability that you've reduced to some manageable level by targeted kinds of surveillance and then it turns out that the additional marginal reduction in that probability involves if you instead of getting 100 people's phone records get 100 million people's phone records is so small it's barely detectable 8 decimal places down you say well that is an instance where the invasion of privacy and indeed the creation of an architecture for monitoring and surveillance is again maybe also you think low probability but a larger risk on the whole than the very very tiny potential gain in security you're getting in trade. It sounds like a precautionary principle type of situation whether in the sense of multiply some probability by any infinite harm and the infinite harm always wins. The answer is always infinity right? I think there is something like that of course you don't actually have infinities in the real world but yeah I mean I think you know when you think back to I think it was Dick Cheney saying if the risk of an attack succeeding is 1% the government has to treat it as though it's a certainty that is a dangerous way of thinking although one that I think fits with our natural cognitive architecture human beings are very bad at thinking about probabilities. We are more anxious about if you think about things that you actually find yourself fretting about people do worry about getting on a plane could there be a bomb on it or is the person next to me a terrorist but of course the probability of dying that way is hugely less than the probability of dying in a car wreck on your way to pick up a pint of milk from the corner store. We overestimate risks that are very large and visible and dramatic underestimate risks that are more mundane but actually much, much more likely to do us in. So this natural tendency I think causes us to do things with respect to risks related to terrorism that we don't do in almost any other realm. I mean the precautionary principle comes from the rare environmental regulation but in fact we don't do anything like this in the environmental category. I mean if you had an environmental pollutant with a kind of average annualized risk of death on par with terrorism probably the EPA wouldn't be allowed to do anything about it. In order to find it they put a huge dragnet over the entire nation to make sure that occasionally someone doesn't use this pollutant that has this much. It's an interesting analogy. People seem to treat terrorism very differently from ordinary sorts of crime because if you took Dick Cheney's if there's 1% chance we have to treat it like 100% then if we thought of murder that way because there's a certain percentage every day some American will be murdered. Do it justify putting police officers in front of every house to make sure there are no break-ins or no assaults or anything like that. And I think Trevor pointing out 24 reminds me of CSI that the more these things get in the media you can romanticize forensics and you can romanticize war and intelligence. And how sure we are about these things. Right exactly but I think if anything these NSA revelations have demonstrated lack of transparency and oversight and maybe lack of success because I feel like if the NSA had prevented a nuclear attack or something the first thing they would have done is mention that they had done that using these systems but they haven't. So I mean is that because they really couldn't if they really hadn't and we should trust them or is there another reason? They don't want to tip their hand possibly. So one I actually don't think there are yet any terror groups that have put themselves in a position to actually detonate a serious nuclear device. Certainly not in the American moment and maybe not anywhere in part just because fissile material is sort of hard to get your hands on. I wouldn't necessarily assume that because they don't talk about specific attacks that they there aren't any for the not bad reason that yeah you don't always want to give away how exactly a plot was foiled. I mean very often for example let's say you foiled a particular terror attack because some weapon shipment didn't come through. You would much rather the group that you're spying on think that was just a stroke of bad luck or that the police investigators got lucky in checking that cargo than realizing that in fact their security has been compromised that they have a mole inside that their email accounts are being surveilled so they stop using those accounts and shift to some other harder to track means of communication. So to some extent I don't blame them for not wanting to go into detail about which attacks those are. And on the flip side you know if there are cases where an attack did fail for bad luck but you're not surveilling that particular terror so you actually want them to be paranoid that they are being surveilled and they start wasting time by going through all sorts of more elaborate means to evade surveillance they're not under. So you never want to give away too much about who is or is not under successful surveillance. That said they certainly have been willing to mention lots of particular cases and when they do mention particular cases like the Najib al-Uzazi subway bombing plot and other cases like that under scrutiny they fall apart pretty quickly so I do find it interesting that to the extent they have been willing to talk about lots of particular cases that they have successfully foiled thanks to these elaborate NSA dragnets once you have a few facts to cling to to start digging into what happened it turns out that those stories don't hold up to scrutiny. We're almost out of time but for the final question I'd like to ask about just privacy in general because libertarians like to talk about privacy maybe more than a lot of people and there's a lot of people who say it doesn't really matter to them or they don't really think about it that much or you're being too paranoid how should these lessons about the NSA make us think about privacy now and going forward with our new e-life that we're going to have anyone who's listening to this pretty much is probably going to have an e-life for the rest of their life so how should we start thinking about this and the government's relationship to privacy. I mean it's an odd fact about discussions of privacy that I think more than almost any other issue we tend to use the language of fiction and often science fiction to talk about our concerns whether it's we say well this is pretty Orwellian or wow that was Kafkaesque or you know more recently might just say well this sounds like something out of Gary Sheingart's super sad true love story which is a fantastic modern dystopian vision and I think the reason is in part that well surveillance is by its nature something that occurs below the surface something that is hard to see directly the whole point is that you're not aware of how surveillance is operating often until it's too late until it eventuates in a kind of massive privacy dystopia like East Germany under the Stasi I think the thing that's important to recognize is that we are at a sort of extraordinary technological moment when simultaneously there are capabilities to allow large scale anonymous coordination across huge spans of distance in a way that has never really been possible for hundreds of people to meet anonymously in a chat room and discuss democratization or their strange sexualities or any other topic that they would be afraid to go out in the street and discuss publicly and at the same time creates what has been called a golden age for surveillance creates an architecture for granular monitoring of enormous number of people in a way that has just historically never been possible even under the Stasi in East Germany an architecture of surveillance where in effect automated systems either private or public may know things about you that you yourself do not know can detect that you are under stress or becoming depressed from changes in your habits or schedule before you yourself detect them can spot the incipient signs of political radicalism stirring in your soul before you yourself recognize what road you're on and in the long term I think the question we need to ask is not the short term question will this or that particular surveillance program or this or that invasion of privacy make us safer from those who would do us harm in a way that makes us a sensible trade off this year or next year I think we need to ask is that when these systems are taken together and integrated as indeed they always are as they already are for these analytic purposes when you imagine a network that is able of scoop a capable of scooping up so many disparate kinds of data about so many people and aggregating them to not just know what they're reading and thinking but to predict what they will be reading and thinking that kind of power to monitor and know populations compatible with a free and democratic society could a government with access to that architecture of monitoring effectively control its own population in a way that made it almost impossible to dislodge and if the answer is that we think that they're not compatible in the long run that a government with that architecture in place could shield itself from accountability then we need to ask very carefully whether the short term security we're purchasing is worth the candle www.libertarianism.org