You do not often get to listen to a 10-hour and 31-minute speech about the bulk collection of phone company CDRs by intelligence agencies. Perhaps you never will, because you were too sleepy or had something else to do. But I did listen to it. Originally I had it on in the background whilst I was working, but it was so good that I kept listening and listening. Seriously – it was that good. Rand Paul, the Republican junior United States Senator for Kentucky, spent most of yesterday delivering a filibuster that did not really filibuster anything, in order to draw attention to a lack of debate about amendments to laws which America’s National Security Agency (NSA) were not following anyway. If you understand what I am writing about, then you will like this summary of what was said. And if not, then you should still read this very handy summary of the most interesting bits. The interesting bits were very interesting indeed, in a techy, risk-oriented kind of why. Even though it was given by a politician. I know that is hard to believe, but true, so keep reading to find out how true it is. And keep reading even if you have seen the soundbites per some TV news channel, because those political editors will not point out the most interesting techy and risk-oriented bits, like I am about to…
At 1.18pm North American Eastern Daylight Time, Paul rose to begin his speech. He started by restating his opposition to the Patriot Act, the law which the NSA used to justify bulk collection of CDRs.
There comes to a time in the history of nations when fear and complacency allow power to accumulate and liberty and privacy to suffer. That time is now. And I will not let the Patriot Act, the most un-patriotic of acts, go unchallenged.
At the very least we should debate, we should debate whether or not we are going to relinquish our rights or whether or not we are going to have a full and able debate over whether or not we can live within the constitution or whether or not we have to go around the constitution.
The bulk collection of all Americans’ phone records all of the time is a direct violation of the fourth amendment. The Second Appeals Court has ruled it illegal. The President began this program by executive order. He should immediately end it through executive order.
After the first half hour, Paul objected to the idea of warrants served on telcos with the intention to gather data en masse, instead of being specific to individuals who are suspected of a crime.
If the government wants the records from the phone company, should they be allowed to write the name Verizon and get all of the records for Verizon? I frankly think that if John Smith has his phone service with Verizon and he is a terrorist, the warrant should say John Smith and go to Verizon, but it’s an individualized warrant. I don’t think we should have generalized warrants.
Soon after, Paul noted that tech corporations were resisting government surveillance and blamed the US government for spreading malware on the internet.
They’re asking people like Facebook or demanding people like Facebook that they give them access through their source codes so the government can get in. Now, to Facebook’s credit, Facebook is fighting them and I think more companies now are standing up and trying to fight against this, but the government is going in and in a nefarious way into the code of Facebook and then inserting malware into other people’s Facebook and spreading it throughout the Internet.
After nearly an hour of speaking, Senator Paul discussed whether customers of phone companies have privacy and property rights relating to the data collected about them.
I personally think that your phone records are still partially yours in a way or that you have a privacy interest in them. This is going to become very important because your records ultimately, they probably won’t be any records in your house, they’re going to be on your phone and then your phone records are connected to the company who owns them.
Without wanting to criticize Senator Paul, he largely repeated these themes during the remaining nine-and-a-half hours of his speech. At other times, colleagues from both American parties would interrupt to ask a ‘question’. These usually were opportunities for other Senators to say they agreed with Paul, whilst allowing him a little rest. Though there was a lot of repetition, if you talk for long enough, you are bound to deliver a few good quotes. These were the best ones.
After about two hours, Senator Mike Lee (R-Utah) asked Paul: “is privacy not part of security, instead of being in conflict with it?”
A short while later, Senator Martin Heinrich (D-New Mexico) highlighted how Ed Snowden’s revelations had “ignited a necessary and long overdue conversation” about the balance between security and liberty. He went on to ask: “why on Earth would we continue with a law that the Court of Appeals for the Second Circuit has found illegal?”.
After about three hours, Paul reiterated the theme of who owns your records: “do you give up your interest in the privacy of records held by third parties?” Highlighting how legally protecting your privacy cannot be based purely on safeguarding your physical property or your home, Paul observed that we “won’t have paper records in our house in future.” A little while later, he stated: “when the phone company holds my records, they’re still partly mine.”
Paul then returned to the theme of Facebook, not just citing them as an example of legally mandated backdoors that allow surveillance agencies to gather data, but explicitly stating: “the government inserts malware on Facebook.”
The Senator also thinks in ways that are not typical for many of his colleagues. Paul linked the idea of excessive communications surveillance to racism, by arguing anti-terror laws were rarely used against terrorists, but mostly used to enforce drug laws instead. The threat of terrorism had justified a lower legal standard for surveillance, but surveillance was mostly used to prosecute criminals who are not terrorists. Hence the Patriot Act was partly why “three quarters of the people in US jails are black or brown.” He later talked about the apparent rise of ‘parallel construction’, where law enforcement agencies first discover evidence of ordinary crimes using anti-terror surveillance, but because they are not supposed to gather evidence of ordinary crimes that way, they then use the intelligence they have collected to find alternative evidence that supports a prosecution, without revealing the true source of their intelligence in court.
Senator Paul then touched on the topic of what should be done to Ed Snowden. Though he did not suggest any kind of amnesty for Snowden, he linked Snowden’s specific case to how whistleblowing should be handled in general. He noted that Snowden was not an employee of the NSA, but a contractor, and asserted: “there are not good rules for whistleblowers who are contractors… [the rules] should cover contractors too.”
Nearing the four-hour mark, Paul was helped by Senator Steve Daines (R-Montana), who talked about his work experience. “I spent 12 years in tech before being elected. I know the power of big data and the risks that arise.” Senator Daines then read out letters he had received from ordinary people. Each of them opposed the collection of Call Detail Records, often using the correct industry terminology. The arguments were chiefly that gathering the data did not accomplish the stated goal of identifying and catching terrorists.
Senator Joe Manchin (D-West Virginia) then contributed the following observation: “national security experts say… the bulk collection of data is unnecessary to national security.” Paul and Manchin then engaged in one of the few real debates of the evening. The issue was whether a law that states search warrants can only be applied to a person might still be abused if intelligence agencies interpret large corporations, like telcos, to be a legal person. Paul was worried that all the customer data of a corporation like Verizon might still be gathered using a single warrant, if that meaning of ‘person’ was not explicitly excluded.
Paul then broadened the reasons to fear surveillance. He stated that bulk record collection may “stifle freedom of speech and association” because people know from historical example that the abuse of information about how people connect to each other is “not just a theoretical risk.”
Senator Jon Tester (D-Montana) made a short and punchy contribution around the 5-hour mark. “We deserve a real debate on privacy and security.”
Paul talked about how automation changed the parameters of risk. He mentioned how “computers can analyze and hold so much information.” This was contrasted with the limited technology capability that intelligence agencies used to have. Paul talked about how, when he first read George Orwell’s 1984, he did not take the risks as seriously as he does now, because back then “we didn’t have the technology.”
Another recurring theme was how the NSA had interpreted the law to mean all CDRs were ‘relevant’ to their investigations, and how the Foreign Intelligence Surveillance Act (FISA) Courts which oversees the NSA had agreed with that interpretation. Pointing out that the CDR data was gathered first, put into a database, and only interrogated later, Paul stated that “lawlessness allows us to collect bulk records,” even though the records had “no relevance to an investigation because the investigation hasn’t started yet.”
Paul doubted whether Snowden had really revealed the true extent of communications surveillance, saying “there’s probably another dozen programs which we don’t know about.”
The need for an adversarial approach was raised, because FISA courts had failed to properly assess both sides of the necessary arguments. “No matter how patriotic people are, you can’t find the truth if only the government presents their position.”
As the six-hour mark approached, Paul then listed left-wing, right-wing, and bipartisan groups that all objected to bulk data collection. On three separate occasions he praised the work of the Electronic Frontier Foundation.
During an extended spell when no colleagues were in the chamber to give Paul a rest, the Senator concentrated on the negative impact that NSA surveillance had on US telecoms and technology businesses. He asked the rhetorical question: “do you think anybody in the world thinks we’re not looking at their stuff?” Then he observed: “everybody in the world thinks the worst about us.” Finally he concluded that a “business person in Europe wouldn’t use email” when there is a valid fear that such emails may be intercepted by the US government.
Paul expressed sympathy for the companies that were suffering as a result of the negative publicity caused by US government spying. He supported those businesses that stood up for their customers and objected to ‘backdoors’ in systems. “It’s not the company’s fault for wanting to protect their customer’s information.” He then stated that: “companies are going to be at more risk of sabotage…” if the government forces them to provide backdoors to their systems. He concluded this segment by stating: “mass surveillance harms our economy” and that “nobody in the world is going to want to buy American products.”
Starting to lose his voice, Paul sucked on sweets between reading articles from a series of lever-arch files laying on the desk in front of him. The content came from varied sources, switching between the legal opinions of Judge Andrew Napolitano and articles published in newspapers, or on websites like the Daily Beast. He expressed a concern that ‘bulk’ collection might only be replaced by ‘bulky’ collection, if there was inadequate scrutiny of proposed reforms to law, giving the hypothetical example of ‘targeted’ surveillance that ‘only’ captures the data of all Gmail users. He then alleged that the proposed US Freedom Act, a compromise designed to fix the faults of the Patriot Act, might make bulk collection worse because it would allow the NSA to obtain mobile call records as well as those for landlines.
After a long spell without assistance, Paul was finally relieved by Senator Maria Cantwell (D-Washington). She talked about her experience of opposing the plans to implement ‘clipper chips’ in the 1990’s – special chips designed by the NSA to encrypt voice comms whilst granting them backdoor access. Cantwell asked Paul what he felt about the risks posed by current NSA efforts to break encryption. Paul observed that such plans would most likely drive communications providers to deploy stronger encryption, so that even they could not find out what their customers were saying to each other.
Senator Ron Wyden (D-Oregon) made a passionate intervention, noting how he was especially troubled by the “back door search loophole” created by truly global communications. This meant it was no longer possible to split domestic from overseas traffic and thus seek to spy on one without spying on the other.
Paul returned to the theme of the damage caused to business. He cited Forrester research that US firms may lose as much as USD180bn because of the negative impact on cloud computing services caused by NSA surveillance. He stated “isn’t it sad that American companies are advertising they store data overseas” to work around the reputation damage. Paul listed examples of rapid growth by overseas firms that advertise their data storage is safe from the US government. Paul then warned that US tech companies are being treated the same way that Huawei had been treated in the USA: excluded from foreign markets because of security fears.
Approaching the eight-hour mark, Paul was noticeably slowing and starting to make an increasing number of verbal slips. Whilst repeating himself a lot, he still delivered a few new insights. For example, he observed that automation meant it was possible to gather information from CDRs that previously would have required inspection of the message content.
Whilst Paul croaked on, it came time to substitute the Senate’s official stenographer, presumably because her fingers were numb from transcribing all of Paul’s words. Paul then received some relief himself, as an increasing number of Senators helped him during his final few hours. Perhaps conscious that TV coverage was likely to rise later in the evening, and because of the buzz created by Paul’s marathon, they became increasingly passionate. For example, Senator Richard Blumenthal (D-Connecticut) said the NSA was “breaking the law” and that “the FISA court failed its most crucial test” by not throwing out arguments that all CDRs can be relevant to NSA investigations. Appearing to be genuinely angry, Blumenthal stated: “a court that should get such an important question so disastrously wrong is broken.”
Paul returned to the theme of the adverse impact of NSA surveillance on tech companies, both American and foreign-owned. He quoted Apple’s Tim Cook after saying that “some companies are pushing back on backdoors.” Paul then made explicit reference to the harm done by the NSA’s hacking of Dutch SIM manufacturer Gemalto.
Senator Wyden returned to the chamber again, this time stating he had pushed spies “to explain what they think the rules are for turning mobile phones into tracking devices.” He expressed dissatisfaction with the evasive answers he had received, and also talked of the difficulty of getting straight answers to questions about whether mobile phones had historically been used to follow the location of NSA targets.
Senator Lee also returned to the fray, complaining that FISA Court orders “tell telecoms service providers to ‘give us all your data’ and we’ll put them in our database.” Lee’s long intervention gave Paul a much-needed rest, during which Lee became increasingly dismissive of the arguments raised by political opponents. In particular, Lee was scathing about the presumption that if the NSA does not actually listen to the content of calls, then no harmful or excessive surveillance can occur. Lee fumed that: “the NSA not listening to phone calls is a straw man argument, a red herring, a lie.” If anything, automated processing of CDRs has the potential for much worse abuse because bulk data collection and analysis is “a lot less human resource intensive” than listening to phone calls.
Lee then talked about the work of the Church Committee, which had investigated abuses of intelligence following the Watergate scandal in the 1970’s. He highlighted that if technology that was new in the 1970’s had been repeatedly abused for the purpose of political espionage, we should be wary of what abuses might occur in future.
Lee continued by arguing about how the NSA had interpreted the law. He stated the NSA’s interpretation left grave potential for even worse forms of surveillance than the bulk collection of CDRs. Lee argued that the same legal interpretation could also justify collecting emails, credit card records, and details of purchases made on the internet. He then turned to the topic of the increasing pervasiveness of technology, and how this also increased the risks, saying that “calling data becomes more significant” as more people carry mobile phones all the time. He also said the NSA’s interpretation of the law would allow them to justify gathering location data from mobile phones. Lee’s spirited contribution carried Paul through the 10-hour mark, and he concluded by asserting it was “not persuasive” that if you allow a private business to have your personal data that means you should also expect the government to have access to that data.
Rejuvenated after the lengthy relief, Paul summoned more energy to cite the example of Verizon again. “I don’t know anybody called Mr. Verizon” so it cannot be constitutional to issue a court order for all Verizon’s CDRs.
In perhaps the best line of his entire speech, Paul stated: “a man’s house is his castle, but your records are now in the cloud.”
Paul returned to another theme that he had mentioned several times during the evening: that if customers sign a contract with a communications supplier that covers the topic of privacy, then there is a valid expectation that the contract can be used to legally enforce their privacy. He said this had been undermined by the government, when telling businesses that they would not be held liable for the effects of surveillance. “If you sign a privacy agreement with an internet service provider… or a phone company, that should be an expectation of privacy in court.”
Nearing the end, Senator Ted Cruz (R-Texas) arrived. Whilst Paul had nearly lost his voice at one point, Cruz compensated by shouting his respect for Paul and his opposition to bulk data gathering. Cruz also bashed the federal government for allegedly asserting a right to use mobile phones or GPS devices to track the location of individuals. However, Cruz mostly talked about how hard it was to stand and talk for so long, whilst reminiscing about previous ‘epic filibusters’.
At the 10-hour and 20-minute mark, Paul said he was going to summarize. This seemed hard to believe, given how long he had talked already, but Paul’s summary was brief. He left making the key point: “my hope is the debate today will let the American public know we’re serious about this and we want to vote on reform.”
And just before midnight, 10 hours and 31 minutes after he began, Paul relinquished the floor of the Senate.
Whatever you think of the politics, I think any neutral would be impressed by how much Senator Paul knew about this topic, and his insight into the potential risks. He was ably assisted by colleagues from both parties. I wish every risk manager working for communications providers had such a comprehensive understanding of the issues! This summary is essentially a checklist for the topic of bulk comms data surveillance.
Did the speech change anything? Possibly not. Though Paul consumed most of a day, he did not otherwise affect the Senate’s schedule or block the Patriot Act from being re-approved. However, he did leave the Senate with just two days to conduct its business, including the renewal of the Patriot Act. This might help accentuate the news coverage, and so the public pressure on politicians who oppose Paul’s views. One possible outcome is that the Patriot Act may only be renewed for a short period, whilst debate on the compromise USA Freedom Act may be delayed to a time when amendments may be brought forward and properly considered.
Irrespective of the political impact, Senator Paul has certainly shown how limp some of the ‘debate’ about surveillance has been elsewhere, not least in the UK, whose GCHQ agency was described as a willing partner to the NSA by Ed Snowden. Whether you agree with his conclusions or not, Paul identified the key risks for all parties, from government to telcos to private individuals. Senator Paul raised all the important questions about the collection and interrogation of massive amounts of communications data. Those questions deserve answers.