Whistleblower revelations have altered the relationship between the NSA and corporations. Domestic dragnet spying was once solely based on secret cooperation between the agency and tech companies. Today, executive orders and initiatives “encourage” private business cooperation with intelligence agencies. With partnerships now out in the open, we have an opportunity to cause the federal government to lose its grip on private companies and stymie cooperation.
Both Mark Klein, in 2006, and Edward Snowden in 2013, revealed that secret partnerships between telecoms and the NSA existed to facilitate dragnet domestic spying. For instance, investigative journalists from ProRepublica were able to pinpoint and confirm that AT&T cooperated in the FAIRVIEW program based on documents provided by Edward Snowden.
The National Security Agency’s ability to spy on vast quantities of Internet traffic passing through the United States has relied on its extraordinary, decades-long partnership with a single company: the telecom giant AT&T.” The report continues, “In fact, the secret collaboration was described by the NSA as ‘highly collaborative’ and another lauded the company’s ‘extreme willingness to help.'”
Possibly as a reaction to the cover up, the feds have changed the landscape through open cooperation with tech companies. President Obama has been writing a series of executive orders encouraging these partnerships.
It is of worth noting that executive orders (EOs) are not law, and are generally used simply to create a mechanism for executive agencies to implement and enforce duly passed congressional legislation. These surveillance EO’s go far beyond the scope of typical executive action and cross into jurisdiction of private corporations. It’s almost as if divisions of tech companies, like Room 641A, now fall within the chain of command structure under the director of the NSA. When you declare cyberspace as a battleground, nodes, cables, and hubs become essentially like occupied forts and ports by the military.
Executive Initiatives and Orders
Over the past few decades, executive orders generally empowered government agencies that are integrated into the intelligence or law enforcement sphere. But several recent executive orders create the need for a more cooperative private sector. Instead of gagging companies or individuals that aid government spying on customers and creating an adversarial relationship, these executive orders actually integrate the private sector in under DHS and the Director of National Security.
In 2013 and in 2015, President Obama issued three of these executive orders to expand information sharing. Executive Order 13691—Promoting Private Sector Cyber-Security Information Sharing, builds on both a 2013 Executive Order called Improving Critical Infrastructure Cyber-Security and another Executive Order called, Critical Infrastructure Security and Resilience.
The Improving Critical Infrastructure Cyber Security EO’s had a plainly stated goal.
“It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.”
To assure partnerships with the private sector on voluntary information sharing is a success, federal intelligence agencies “provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.” This program expanded the need for more security clearances, not for government agents, but within private organizations in targeted sectors like financial organizations and telecoms. These clearances are normally reserved for the military and military contractors.
Critical Infrastructure Security and Resilience expands partnerships and information sharing, but outside of the US.
“The Federal Government shall also engage with international partners to strengthen the security and resilience of domestic critical infrastructure and critical infrastructure located outside of the United States on which the Nation depends.”
The Promoting Private Sector Cyber-Security Information Sharing EO addresses keeping current partnerships active.
“The purpose of this order is to encourage the voluntary formation of such organizations, to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis.”
This EO creates Information Sharing and Analysis Organizations (ISAOs) within private and/or public organizations in specific “threat” sectors.
The standards shall further the goal of creating robust information sharing related to cybersecurity risks and incidents with ISAOs and among ISAOs to create deeper and broader networks of information sharing nationally, and to foster the development and adoption of automated mechanisms for the sharing of information. The standards will address the baseline capabilities that ISAOs under this order should possess and be able to demonstrate. These standards shall address, but not be limited to, contractual agreements, business processes, operating procedures, technical means, and privacy protections, such as minimization, for ISAO operation and ISAO member participation.
Along with the EOs, agencies likes the FBI have formulated initiatives set out to build partnerships with the private sector since 2012.
Expansion of Cooperation
It’s quite possible whistleblower revelations ended some of the secret cooperation between the feds and private organizations. But it also seems voluntary cooperation between the surveillance state and private companies is expanding through EOs. Regardless, it’s clear new ways of spying have evolved. Recent news reveals streaming services are now a means of tracking people down. Netflix and Spotify have been used to track individual’s location through their streaming services.
Have these partnership gone too far?
As the demand for data from the federal government increases, customers with knowledge of privacy threats are fighting back, and service providers are feeling the heat. Early this year, AT&T issued an amicus brief stating that the best mechanism to facilitate handing over their customers’ geo-location data concerning is through a warrant based on probable cause.
“As is the case with many other technology companies in different sectors of the economy, AT&T receives and responds to an enormous volume of official demands to provide information to federal, state, and local law enforcement agencies in the United States. These demands may be made through search warrants, court orders issued on demonstrations of probable cause, court orders based on showings of less than probable cause, and subpoenas. Government officials seek a range of information, including the type of personal location information at issue here. In response, AT&T complies with applicable laws, including the Stored Communications Act provisions at issue in this case, and has established a National Subpoena and Court Order Compliance Center. That Compliance Center operates on a continuous basis and is responsible for responding to and implementing judicial orders and subpoenas, employing more than 100 full-time employees. For the first six months of 2014, AT&T processed nearly 116,000 demands for various types of information from the government and private parties related to civil and criminal matters throughout the United States.”
AT&T also expressed concerns about the integrity of the different types of orders.
“Considerable legal uncertainty currently surrounds the compelled production of location information. That uncertainty threatens to undermine both law enforcement and privacy interests and creates administrative difficulties and uncertainty for parties such as AT&T that are subject to orders to compel production of that information. The arguments that follow seek to assist the Court in creating clear and categorical legal rules that accord with the technology and consumer practices related to location information and that take into account both the privacy and the law enforcement interests implicated by such information.”
The brief continues about the Third Party Doctrine
“However the scope of the Fourth Amendment’s protection is resolved, a clear and categorical rule will benefit all parties involved in the application of Section 2703(d), including the technology companies subject to orders to produce information. Whatever standard the Court ultimately determines the government must satisfy, the third party records cases may provide an unsatisfactory basis for resolving this case.Smith and Miller rested on the implications of a customer’s knowing, affirmative provision of information to a third party and involved less extensive intrusions on personal privacy.Their rationales apply poorly to how individuals interact with one another and with information using modern digital devices. In particular, nothing in those decisions contemplated, much less required, a legal regime that forces individuals to choose between maintaining their privacy and participating in the emerging social, political, and economic world facilitated by the use of today’s mobile devices or other location based services.”
While companies are swamped with a vast number of requests, the return of cyber security warnings in the partnership agreement has been anything but fulfilling. Shawn Musgrave of Muckrocks reported on how the FBI hasn’t been much of a partner.
“An audit report released last month by the Justice Department’s inspector general found that the private sector lacks confidence that the FBI will strike the appropriate balance between national security and customer privacy…One of the pillars of the initiative is to enhance information sharing and collaboration with the private sector. The audit found that the FBI particularly lags on this front.”
The article continues,
“Companies that already interface with the FBI on cyber security are frustrated with information flow, interviewers found. Bulletins from the FBI are often outdated, and sending alerts to the FBI is “akin to sending information into a black hole.”
These are the gripes from companies already within the fold of initiatives like the InfraGard network, which boasts 350 out of all Fortune 500 companies as members. The FBI struggles furthermore to attract new private sector partners, particularly in the wake of the Snowden leaks.”
The partnerships used for dragnet spying were abhorrent to whistleblowers, and continue to face backlash by the public as these partnerships try to form out in the open. The partnerships were very useful to intelligence agencies and law enforcement, but the return for promised cyber security information has been lacking.
An Open Door
The existence of open partnerships between the federal surveillance state and private organizations opens a door for everyday Americans to fight back against violations of their privacy. Businesses don’t like bad publicity. By exposing cooperation and encouraging companies to resist working with federal agencies engaged in unwarranted dragnet spying, we can throw a monkey wrench in the federal government’s goal of essentially grafting private organizations into the surveillance state. We can withhold business from companies that willingly cooperate with dragnet spying, and we can reward those that resist by utilizing their services. We can also organize boycotts of companies that refuse to respect their customers’ privacy. Americans need to demand that companies providing communication services protect their customers and resist cooperation with unwarranted spying.
OffNow also has model legislation that incentivizes companies to refuse cooperation with spying that violates the Fourth Amendment. The C.H.O.I.C.E. Act (Creating Helpful Options for Institutions, Corporations, and Enterprise) bars corporations enabling federal spying from winning state contracts. This legislation gives corporations a choice, either do business with spies, or do business with the state.
The federal government will never just stop spying on you because you demand it. You will have to take action to make the stop. For more information on how to get involved, click HERE.