Monday, December 9, 2013
By DAVEED GARTENSTEIN-ROSS and KELSEY D. ATHERTON
(Continued from page 3)
RESPONSE TO TERRORISM
Just as commercial providers have responded to market incentives, the NSA has responded to the incentives provided to it in a world of growing transnational threats. The threat of a terrorist attack is real, not a chimera, and the NSA after 9/11 was charged with sifting through electronic data to shake out the dangers. To accomplish this, the agency wanted a lot of data. As Deputy Attorney General James Cole has said, "If you're looking for the needle in a haystack, you have to have the haystack." This is not to say that we should accept the NSA's programs as they are -- hard questions have been raised about its broad collection of metadata and its internal safeguards against privacy violations -- but the present debate has taken on a Manichean quality in which the NSA is often portrayed as rapacious. It is in fact aggressively pursuing the mission with which it was charged -- of trying to prevent another attack on the homeland.
The NSA also undertook its surveillance efforts at a time when privacy was shedding its old meaning due to the migration of our lives online, into an environment where -- unlike in the offline world -- we are being constantly tracked and monitored, and everything we do is remembered.
So what does privacy mean now? The answer isn't entirely clear; but what is clear is that we need to have the right kind of discussion about it. Perhaps a good place to start is asking whether lawmakers should limit commercial entities' ability to retain user data indefinitely.
There is, of course, good reason for these entities to be able to track users. User data gives them a source of revenue, and they invested in their services with the expectation that their ability to profit from these services will continue. We are not arguing that the government should constrain the ability of these companies to generate revenue, but is very old data really essential -- or even relevant -- to their business efforts? Do commercial entities really need to know what websites you visited, and who you sent instant messages to, and the location of your cell phone, eight or 10 years ago in order to understand your consumer preferences today? The government could require these entities to purge all digital user data (including messages sent, websites visited, records of individuals called, and geolocations) that is more than, say, five or seven years old if a) the user has tried to get rid of it by, for example, deleting the information; and b) there is no independent reason, such as ongoing litigation or national-security concerns, to retain it.
This would be an admittedly small step, but one in the right direction that could help kickstart a badly needed conversation on privacy. Contrary to the absolutist claims that have dominated the public debate on the issue, there is a complex balancing act at play. It involves not only liberty and security, but also commerce rights, Internet users' appetite for free and convenient services, and the desire for privacy not only from one's government but also one's neighbors. The right kind of privacy conversation would recognize this.
But given the way the surveillance debate has been proceeding so far -- focused exclusively on the government, lacking a concrete conception of what privacy means today, and framed in harsh Manichean terms -- we're unlikely to get there.
Daveed Gartenstein-Ross is a senior fellow at the Foundation for Defense of Democracies and an adjunct assistant professorin Georgetown University’s Security Studies Program. Kelsey D. Atherton is a contributing writer for Popular Science, where he focuses on defense technology issues.
– Foreign Policy