Exactly one year ago today, The Guardian published a four-page court order that would become one of the year's biggest news stories. Issued by the low-profile Foreign Intelligence Surveillance Court, it required Verizon Business Network Services to hand over phone metadata, including numbers dialed and the time and duration of calls. But this wasn't a single law enforcement request — it applied to every Verizon record over a three-month period. As the world would soon learn, it was only one of many programs that went beyond spycraft and into wholesale surveillance.
A year later, we're still figuring out where, when, and how we're being watched, and how much anyone can do about it. Courts, Congress, and the White House have faced reform challenges, and companies have attempted to allay fears that their networks and services are no longer secure. Reform efforts, though, have been halting and incomplete, stymied by political stonewalling and the difficulty of reconciling the NSA's denials with the documents leaked by former contractor Edward Snowden.
The document that started it all was one of a series of orders issued to phone companies under the NSA's bulk collection program. In late 2001, the George W. Bush administration began building a program that would supposedly remedy the intelligence failures that allowed hijackers to kill thousands on September 11th. It requested and stored phone records in a government database that NSA operatives could draw from as long as they had a "reasonable" suspicion that they were tracking a foreign target. Theoretically justified by the recently passed Patriot Act, it was kept secret from the public and even parts of Congress.
After the program was revealed, President Barack Obama, some members of Congress, and intelligence community leaders spoke out in defense of it. Then-NSA head Keith Alexander argued that "fewer than 300" unique numbers had been queried in 2012, saying that the program was vital in foiling terrorist plots. These plots would fail to materialize, and an oversight board concluded that it was not only likely illegal but had limited value as a surveillance tool. While it was rarely clear that it prevented actual attacks, poor management of the phone record program apparently led to suspicionless searches of 15,000 people.
The internet and beyond
After phone record collection, the most widely discussed NSA program may be its internet surveillance system, parts of which have been reported under the names PRISM and XKeyScore. While some information is requested from companies like Google, Microsoft, and Yahoo — all of which have denied cooperating any more than necessary — some is allegedly gathered by directly tapping fiber optic cables for information. Google's cookies, designed to track users for advertising, have also allegedly become vectors for government surveillance.
It was easiest to point to surveillance programs that overstepped the privacy rights of US citizens, but Snowden's documents increasingly revealed intelligence tactics that targeted not only America's enemies, but its allies. One of the most politically damaging leaks was the revelation that the US had tapped the phones of world leaders, including German chancellor Angela Merkel, since at least 2002. European diplomats pushed for more details on allegations that the US had collected phone calls from millions of French citizens, but the director of national intelligence denied it, and the truth may be more complicated.
Far from uniquely indicting the NSA, Snowden's leaks revealed the ties between it, Britain's GCHQ, and other agencies, which could share information that they might be legally prohibited from collecting themselves. And while the very fact that the NSA spied on citizens in non-allied nations wouldn't be too surprising, the scope of this spying was: recent reports alleged that the agency was recording virtually phone call in both Afghanistan and the Bahamas.
As much as any individual country, technology itself has been a victim of NSA surveillance. After reports that the agency has attempted to make common encryption tools weaker and intercepted computer hardware to plant malware in it, US companies are attempting to rebuild trust, suffering from the same kind of mistrust that Chinese businesses like Huawei have faced abroad — though Huawei itself might have as much to fear from the NSA.
After the leaks, President Barack Obama and the intelligence community promised reform. Obama tasked a pair of boards with examining the US surveillance system, and both recommended an end to the metadata program in its existing state, though one did so in much harsher language. In January, Obama said he would end the program "as it currently exists," though he left the exact plans up in the air. He restricted operatives to searching for information within two degrees of their targets instead of three, and he temporarily required a court to approve every query, instead of offering blanket approval and review after the fact. The program itself, however, was still renewed. Later, he proposed legislation that would leave data with the phone companies and allow searches only after court approval.
Those legislative changes are being made, but the process is halting and incomplete. Members of Congress brought a plethora of bills in the wake of the revelations, but so far, only one has made it past a single house: the USA Freedom Act, which limits how the government can keep and use phone records. The bill lost the support of many reform advocates after a series of amendments removed important provisions about internet surveillance and transparency, as well as specific limits that made the phone surveillance rules harder to abuse. Senator Patrick Leahy (D-VT) plans to bring a stronger bill, which is currently reformers' best hope.
Many hope that after years of unsuccessful anti-surveillance suits, the Supreme Court will finally take notice. A handful of suits stand a chance of making it to the court, especially since there are conflicting rulings on the table. Unlike legislative solutions, these suits would only cover the legality of the metadata collection program, but they could update a vexing court decision from 1979, when a judge ruled that collecting phone metadata did not count as a "search" that could receive Fourth Amendment protection. Reformers argue that Smith v. Maryland, made based on a limited number of traces on a single phone, should not apply to comprehensive metadata programs that can reveal relationships, medical details, political and religious preferences, or even location. So far, most courts haven't agreed with this interpretation, but even supporters of the NSA's surveillance programs agree that a review of the decision could be in order.
The NSA's operations have been an open question and a potential threat for years or even decades, but we know more now than we ever have. We've had a chance to grade Obama's responses, see how new technology and the September 11th attacks shaped spying, and called for an end to the surveillance state. Online and offline protests have been going on since last summer, and today marks another: Reset the Net, meant to give people encryption tools that can protect them when laws can't. We're more cynical than we were a year ago. If we're lucky, we can keep chipping away at the laws and loopholes that got us here in the first place. If we're not, we'll fall into the same complacency that let us ignore what we all knew about US surveillance as the fear and jingoism that spurred us to act after September 11th started to fade.