Paul Pillar

Safeguarding Privacy, Inside and Outside Government

A recent report in the New York Times, about impending new rules that would permit the National Security Agency to share more extensively with other U.S. intelligence agencies intercepted communications without first applying privacy protections, ought to be of concern to more people than just those who habitually oppose any possession by the government of such communications. It also ought to concern those who recognize the national security needs that are appropriately and necessarily served by communications intelligence. The Times report gives us only a partial glimpse of proposed new procedures that are said to be still under review, but evidently the procedures would cover not only purely foreign communications but also those that have an American end or say something about Americans. Intercepted communications that involve U.S. persons in some way have, of course, been the subject of multiple public controversies in recent years.

To understand why and how the reported new procedures are worrisome, one should bear in mind that there are two basic ways to place limits on governmental handling of intercepted communications to safeguard the public's interest in privacy. One is to limit what any government agency collects in the first place. The other is to limit what a government agency does with the material after collecting it. Public discussion of the subject has placed far greater emphasis on the first method rather than the second. That is a mistake.

The public discourse has been heavily colored by the notion that possession by a commercial corporation of data somehow constitutes less of an infringement of personal privacy than possession of the same data by a government agency. This notion is a crude sort of “government bad, private sector good” standard that takes no account of checks, controls, oversight, and what is known about the potential for abuse. If we do take account of this dimension, we ought to be more comfortable with our communications in the hands of a relevant government agency such as NSA than in the hands of a telecommunications or information technology company. The former is subject to strict legal rules, rigid compartmentation of sensitive information, well-practiced procedures for limiting the number of eyes that can see material, and oversight both by the executive branch and by Congressional committees. With a private sector company, there are no such legal restrictions or oversight, and we basically know nothing about how many people see the material and what is done with it. The most we are apt to get is vague assurance from some CEO that his or her company ought to be trusted.

A similar conclusion emerges if we take account of motives and incentives of the organizations involved, including motives that could underlie possible abuse. An intelligence agency's incentives involve serving national security interests while trying to avoid both substantive errors and any embarrassing or disruptive public flaps. There is no profit motive. With private sector corporations there is. The profit motive can motivate a company to do great things for the consumer in developing useful products and services, but it also can underlie policies and practices that run against either national security or personal privacy.

We have seen something of the conflict between profit and national security in the dust-up between Apple and the FBI over access to the contents of a cell phone used by one of the San Bernardino shooters. Apple has a business interest in presenting itself as a company that gives high priority to preserving the privacy of its customers. That interest clearly is shaping the company's posture in the case of the phone from San Bernardino, and has even driven it to make the absurd argument that having to devise some code for this phone's operating system would violate the First Amendment's guarantee of free speech. FBI director James Comey makes a valid point when he says that “corporations that sell stuff for a living” should not be the judge of where the nation should draw lines and strike balances between security and privacy.

Now here's why even someone who agrees with everything I have just written ought to worry about the sort of change described in the Times report. The two ways to limit the government's handling of intercepted communications—i.e., restricting collection and restricting how material is exploited after it is collected—are related in that the stronger that one of these two barriers is, the less formidable and cumbersome the other barrier has to be. One of the chief reasons much of the opposition to NSA's collection activities has been misplaced is to be found in the extremely restrictive rules for handling anything collected that includes as bycatch information about U.S. persons. Not further disseminating such information, even within the intelligence community, has been a sacred principle for officers at NSA. The procedures involved have been a strong and effective safeguard of the privacy of Americans. But if these procedures for handling information within the government get loosened, then the arguments of those who want to slap major new restrictions on NSA collecting useful communications get strengthened. The eventual net effect on national security may be negative.