al, and opportunity costs as well as
costs to privacy and civil liberties.
The Section 215 debate pitted a
tool (bulk surveillance over domestic phone metadata) that may be very
helpful in preventing some serious
terrorism incident against one that
may be used to harass legal protestors
of government policy—but there is no
evidence that either has happened. In
the absence of evidence, how should
value and cost be determined?
Many factors enter into any such
determination, but perhaps the most
important factor is the reality that the
determination is a strong function of
the circumstances extant at any given
time. As much as some would like it
to be otherwise, a serious national
security incident inevitably results in
greater concerns for security and lesser concerns about privacy and civil liberties. Tools that policy makers see as
providing marginal value and entailing high costs before the incident may
well be seen as providing higher value
and entailing lower costs afterward.
Does such a shift in perspective
ever result in overreaction? Certainly.
In the light of history, the internment
of U.S. citizens of Japanese origin after the Pearl Harbor attack is widely
acknowledged as being an overreaction. And the passage of the USA Freedom Act may indicate the beginnings
of a similar realization, although the
Paris attacks of November 2015 and
the San Bernardino shootings of December 2015 cast such a realization
in a different light. Time will tell how
the U.S. Congress decides to act on
all of these matters, and the voices of
computing professionals can help inform their future actions.
Herbert Lin ( email@example.com) is senior research
scholar for cyber policy and security at the Stanford
Center for International Security and Policy and research
fellow at Stanford’s Hoover Institution.
Although this Viewpoint is informed by the author’s work
on the NRC report mentioned, any differences between
statements in this Viewpoint and the NRC report should
be attributed solely to the author.
Copyright held by author.
have succeeded. Intelligence-gather-ing tools can provide value in more
indirect ways, by helping to advance
investigations and focus efforts in
ways that are sometimes more difficult to measure.”h Although the
PCLOB went on to find no evidence
the Section 215 program has made
any significant contribution to counterterrorism efforts to date, this
conclusion cannot be taken as an
indictment of all possible bulk surveillance programs, each of which
would have to be examined on its
own merits for the benefits that it
had provided or could be expected to
provide in the future.
Others have argued that bulk
surveillance results in information
overload that makes it more difficult
for analysts to find the information
they do need.i That is, they argue a
needle is more difficult to find in a
big haystack than in a smaller one.
Implicit in this argument is the
claim the needle does exist in the
haystack, and thus smarter analysis
will be more helpful than adding
more hay (information). But if the
needle is not in the haystack, only
adding more hay has even a chance
of resulting in a successful needle
discovery—and this is true despite
the undeniable fact the additional
data may place a greater burden on
analysts and may still fail in the end
to provide the necessary data. And
until the needle is found, it is difficult to decide what information will
turn out to be unnecessary before
the analysis is complete.
Bulk surveillance is also useful for
understanding events that have occurred in the past.j It can easily happen that information collected on Day
X alerts analysts to the importance of
a certain event A that occurred before
Day X. Under such circumstances, it
would only have been a matter of luck
that any targeted surveillance operating before Day X would provide information about A, because A was not
known before Day X to be important.
Finally, many policy implications
of bulk surveillance remain to be ad-
j Chapter 4 of the NRC report describes a variety
of applications for bulk surveillance.
dressed. How and to what extent, if
any, should safeguarding the privacy
of foreigners be relevant to U.S. collec-
tion of intelligence for national secu-
rity purposes? Through PPD- 28, Presi-
dent Obama granted foreigners certain
privacy rights regarding information
gathered on them through bulk sur-
veillance. Should this step be rolled
back, be the first step in treating for-
eigners and Americans alike, or be the
last step along this path?
A second issue is the scope of bulk
surveillance. As noted, Section 215
authority has been used to justify
bulk surveillance on domestic telephone metadata. But in principle,
bulk surveillance could apply to communications modalities apart from
telephone and to all kinds of data (
indeed, the line between data and metadata—perhaps well-defined in an era
of plain old telephone service—may
well be blurry with other modalities).
How far are we willing to go along
Lastly, how should the U.S. balance
the intelligence value of capabilities
provided by bulk surveillance against
its costs? As noted earlier, bulk surveillance does have some value for
the intelligence community. But as
the PCLOB noted, “an intelligence-gathering tool with significant ramifications for privacy and civil liberties cannot be regarded as justified
merely because it provides some value
in protecting the nation from terrorism” (emphasis in the original). Nor, I
might add, for other purposes as well.
If any such tool is to be used to protect
the public, the value it provides must
be sufficient to outweigh its costs,
which including financial, operation-
remain to be