In the wake of Edward Snowden’s revelations about government surveillance, Laura Poitras, director of the Oscar-winning documentary Citizenfour, and many Internet-freedom activists and security engineers have told the public to trust math—encryption—not politics or law to protect their privacy. Our track record of reining in US surveillance through the law is abysmal: To date, there are no proven instances of a law permanently removing an operational, cost-effective, productive foreign-surveillance capability on human rights or constitutional grounds.
If compelling the NSA to respect human-rights obligations is unlikely, it must be clear how much harder regulating Israel’s Unit 8200, Russia’s FSB, or the Third Department of the Chinese army’s General Staff will be. Americans—not to mention the other 95 percent of humanity—are just as vulnerable to Russian, Chinese, or Israeli surveillance as they are to the NSA’s. Even closer to home, domestic abusers, racist law enforcement, and organized crime also aim to violate individuals’ privacy. Much of what the NSA can do now will soon be in other hands. Surveillance technology, like the rest of the digital world, is often adapted for sale to the rest of us.
* * *
Surveillance gets cheaper by the day. In the 1970s, three minutes of voice traffic between New York City and London cost about $40 (adjusting for inflation) for the US government. But by 2005, the rise in Internet calling made conversations so cheap that the cost is difficult to meter—well under a penny—and the cost to monitor them has dropped fast. Intelligence budgets have grown massively over the past 40 years—Australia’s, for example, increased a shocking 600 percent—but are difficult to measure because they’re classified. But this is nothing compared to the thousandfold decrease in the cost of collecting information.
Information collected through surveillance has two useful components: the content of communication—what is said during a phone call, for example—and its context, or “metadata,” which includes time, location, and identities. While the former is what we usually think of as surveillance, it’s often less revealing. Take a sudden burst of SMS traffic between two coworkers who have never previously communicated on their personal phones, followed by a set of calls to an abortion clinic and a PayPal transfer between them six weeks later. The content of the communication adds relatively little to the story. Despite resistance from analysts worried about their careers and (much) wasted money, the past 20 years have seen the deployment of automated analysis systems on the communications metadata of most of the world in an attempt to keep up with the flood that NSA surveillance has unleashed. It’s unclear if the intelligence from these efforts is accurate or useful, but as the former director of the NSA, Gen. Michael Hayden, said in reference to the CIA’s drone program, “We kill people based on metadata.”
So, if the law has failed to protect us from giant NSA sweeps of our metadata, and these operations cost the government little, what can encryption do to help?