Editor: In view of your more than 13 years in the field of data analysis, advance search technologies and data production, what is your assessment of the security surrounding the NSA’s data collection techniques in view of the Edward Snowden revelations?
Matzen: As far as the security surrounding how the NSA’s data collection was done, Edward Snowden shined a light on PRISM, a collaboration between the government and private companies that store all data for their own accounts – Google, Microsoft, Hotmail, Yahoo. The fact that the U.S. government was able to access all that information without revealing it to the public has long been debated. Congress apparently was told, but may not have understood the implications, or the extent, to which information was gathered. The real question deals with the security of the NSA’s data collection techniques. Yes, they definitely kept secret their techniques, which Snowden exposed. As for me, personally, having lived in Washington, DC for the past 10 to 15 years, none of this disclosure surprised me.
Editor: As I recall, it was very much in the news a few years back that some of the telecoms were resisting turning over their records and other information to the government.
Matzen: Yes, the news came and went. Snowden’s revelations had to do with Verizon and AT&T handing over documents to the government. The telecoms were put in a very bad spot, since they make their money on what is technically government bandwidth, which is entrusted to them. When the government comes knocking on your door, you really cannot say no when you are making billions of dollars off of a national resource. Snowden’s revelations mention the telecoms directly, pointing out that the telecoms have access to all your text messages, all your emails, all your browsing history, etc.
Should people have known about it? How did they do it? The way the NSA is building an infrastructure to store such a colossal amount of information is unlike anything else anyone has built. The NSA has built an even larger facility in Utah to house up to 12 exabytes of data. Naturally, the NSA expects to store more and more data. If there is a government agency that does not delete anything, the question becomes: who has access to the data and why?
Editor: Do you place the blame for allowing Snowden to have access to such sensitive information on the NSA’s (and earlier CIA’s) failure to perform adequate measures in his security clearance?
Matzen: It is easy to place the blame on the person who certified he should be given top-secret clearance. Getting top clearance is too easy to obtain, in my opinion. What kind of background check was made? Not everyone needs clearance to do certain NSA or government jobs. There seems to be a disconnect between a job description and what a person has access to. The government has shown laxity in giving large numbers of personnel access to so much information because it is hard to segregate the wheat from the chaff.
For what Snowden was supposed to be doing, I do not understand the reason to give him unfettered access to all that was made available to him, as well as the security of being able to move it. One would think that moving such a large amount of data off of a server could have been avoided by providing a computer that had more limited capabilities. The failure was on two fronts: the background check issue and the making available of data that was more than was required for a given position.
Editor: Do you consider there was also a failure to properly screen Bradley Manning in placing him in a pivotal position among highly classified documents in the U.S. military?
Matzen: Manning had access to more information than he needed to do his job, and he was able to remove data from systems, although it was not his responsibility to monitor the data. Information security is something these systems all seem to lack, or at the very least their security was easily circumvented.
Editor: By the NSA using the argument that it is only filtering out metadata from telephone conversations, an assertion which has been challenged, should U.S. citizens feel that their privacy has not been breached?
Matzen: No, their privacy has definitely been breached. This statement is being made for political reasons. Metadata is often more important than readable, hard data in what we do. You can have over 250 fields of metadata around a single communication. Metadata can contain the time, the date, the destination, your longitude and latitude, location of where a picture was taken that you attached, and more. You can track people with metadata. That is why the courts in e-discovery require production of the metadata along with the other data. They know it is just as important. “Oh, it’s just metadata …” is factually incorrect. In any case, your privacy has been breached. Is that a legal cause of action? It depends on what state you reside in. Different courts are interpreting it differently.
Editor: It was reported in June 2013 that the U.S. military blocked access to parts of the Guardian website related to government surveillance programs for thousands of defense personnel not only in Britain, but also in Afghanistan, the Middle East and South Asia. If this report is correct, how does this affect data transfers from nation to nation and across the world?
Matzen: The president of Brazil, Dilma Rousseff, was supposed to meet with President Obama recently, but she cancelled her trip upon learning that her own privacy had been breached. Some parties in Germany expressed a wish to cut trade ties. Many in the EU, where the sensitivities are so high, expressed political outrage. I think at the end of the day, people are going to make their political points to embarrass the U.S., but politics reacts to economics. No country is going to isolate itself in the global marketplace over this dustup. It all comes down to politics. I see it causing a lot of FUD – fear, uncertainty and doubt – generated by other countries that are trying to fine Facebook and Google for privacy violations. While those countries will not change their policies, our government is also not willing to change its policies despite the outrage overseas.
Editor: As I recall, Google was blocked from China for awhile for having intruded on China’s privacy.
Matzen: Google has been trying for a year and a half to get back into China, offering to let the Chinese build some of their routers and other devices. An Italian court fined Google a few years ago for mapping and picturing neighborhoods. The U.S. government is now incorporating these same maps into its PRISM program. They are paying millions mostly to Yahoo and Google – that’s upwards of 80 percent of PRISM – for the information. Not only do you have the government storing all this information, but the for-profit companies have it, as well. This type of big data storage can lead to predicting outcomes, such as police departments that are now predicting where crimes will occur. This raises an ethical dilemma: can you predict a crime and make an arrest before it actually occurs?
In my opinion, the recent Obama election was over before it even took place, owing to the use of big data. Assembling all that data into their systems, algorithms were targeted to certain audiences in terms of what they wished to hear and who was likely to vote. It is difficult to wrap your mind around the predictive aspects of big data, and that is a bit scary.
Editor: Is there any means by which encryption can protect documents from would-be intruders? It has been said that many efforts at trial-and-error can usually break any code.
Matzen: If somebody wants to break into your database, they probably can. Whether you have encryption or not, it does not stop PRISM and some government entities from entering software through the back door. If your password is a simple password like number-number-number-number, then trial and error can unlock it. If you use eight characters and a number – a strong password – it is not so easily broken.
Editor: Director of National Intelligence James Clapper acknowledged that Snowden may have done a public service, since a debate regarding privacy versus security is very much needed. How does the right to privacy, as perceived in parts of Europe, differ from that in the U.S.?
Matzen: In the EU, privacy is considered a fundamental human right, whereas in the United States it is not as important. South American countries are following the EU model, as well. When we collect data there, the collection has to be narrow and targeted, whereas in the U.S., often the whole content of the computer may be made available. EU privacy has gone as far as adopting an EU Data Directive, with several basic principles on how data transfers should occur. Whereas email of an employee of a U.S. company is recognized as belonging to the company if used on its equipment, the same is not true in the case of an employee of a European company. An EU employee has a personal right to that email. In Europe, you have a personal cause of action if your data is breached. In Switzerland, for example, when we collect data, the custodian can sit next to us and delete data while we are collecting it. While our litigators are uneasy about this practice, there is not much we can do.
Editor: While the FISA court overseeing the NSA has found that the NSA has overstepped its authority in certain areas, what measures have been undertaken to curb some of these abuses? Do you expect that any of the NSA’s activities will be curbed?
Matzen: No. Although, there have been arguments as to how we should change the FISA court, as was the case when one retired judge suggested that it should become an adversarial body with two sides taking opposite views. While the rule is that PRISM is only supposed to retain data for a limited time unless there is a warrant, the practice of retaining documents for much longer has been muddled without the FISA court being involved. The ardor with which the NSA is hailed as the best spying and data-gathering group gives cover to their practices. I do not feel the U.S. government is going to change anything, because Obama is able to say “we have stopped X number of attacks, and we haven’t been struck by a foreign terrorist since I’ve been in office.” Technically, people do not really understand it. Even if they did understand it, and it does violate the Fourth Amendment, Congress has shown that it does not really matter. If you stop the NSA’s accrual of data and you are attacked a year later, who is going to take responsibility for that? No one.
Editor: What is your outlook for implementation of greater controls and monitors of international e-discovery and data surveillance? Are we living in glass houses?
Matzen: In The Washington Post right after 9/11, an article that has remained with me since I read it stated that if you commute from Virginia to DC and back, you have your picture taken no less than, I believe, 43 times. While if you are not doing anything wrong, you should not care, I am still uneasy the government and private companies are able to do this, but I do not think it will change.
A friend of mine who used to work at the Department of Commerce in the Safe Harbor Group was charged with coming up with a global compromise relating to international e-discovery, since we are faced with e-discovery in many different contexts where it is not paramount. In the EU and Asia, they design rules to protect their citizens from spam, telemarketing, and having medical records revealed. France has a blocking statute. We are faced with dealing with laws from other countries that do not have litigation in mind, nor should they. For countries in international commerce, we could allow for encryption, where you collect data with a person’s consent; that might be an international solution. The Sedona Conference is trying to develop rules that might apply for onward transfer in e-discovery issues.
As for the actions of the U.S. government going forward, I do not think solving crimes after the fact is a reason to keep petabytes of data infinitely. That crosses the line between risk-reward, not to mention issues with the Constitution. Most data is captured that no one reviews; it is only scrutinized when someone is looking for predetermined phrases. Obviously you can control who has access to it, but as far as stopping data collection, I do not think that will ever happen.