America’s Privacy Protections and Web Surveillance


By Paul Rosenzweig, The George Washington University Law School

It’s useful to think for a second and ask how Web surveillance programs protect privacy and civil liberties. Why did the program work in the first place? Couldn’t foreigners who want to avoid US interception simply avoid sending traffic through US-based servers? In theory, yes; in practice, no. Much of the world’s electronic communications pass through the United States.

Almost all communications pass through American servers. (Image: A Kisel/Shutterstock)

America’s Superior Infrastructure

Before getting on to privacy and civil liberty rights, let’s talk about our Web networks. Since the automated protocols that direct the information flows on the network tend to find the cheapest and quickest route, it turns out that a large majority of Internet traffic crosses American borders. The average network response time in North America—that is, the US and Canada—was 38 milliseconds; the next quickest, in South America, was 83 milliseconds; and in Europe, it was a slow day with an average response of 185 milliseconds.

In the world of Internet speeds, that’s a huge difference. The exact numbers, of course, vary every day, but the pattern is persistent. This infrastructure superiority is America’s home-field advantage. 

America’s infrastructure is superior to other countries. (Image: AlexLMX/Shutterstock)

It gives US intelligence analysts the opportunity to intercept the communications of foreign targets as their electronic data pass through the United States. How big an advantage is it? Nobody knows for sure. It is estimated that anywhere from 25% to 80% of global Internet traffic passes through the United States.


Privacies and Liberties Under Attack

What Congress originally authorized is a program that cannot intentionally include any US person or anyone, whether American or foreign, who is located in the United States. And it could be targeted only at the collection of foreign intelligence information—that is, information relating to a foreign country’s efforts against the United States or for counterterrorism purposes.

But that isn’t the whole story, of course, because foreign intelligence communication might be intermingled with the casual, everyday communications of US persons. One easy way to think about that is to consider when an American sends an e-mail to a foreigner who has been identified as a target for foreign intelligence collection. It’s unavoidable that information about the American, and his or her discussion, will be collected along with the information about the targeted foreign national.

This is a transcript from the video series The Surveillance State: Big Data, Freedom, and You. Watch it now, on Wondrium.

Two Types of Information Collection

Let’s distinguish between two types of collection: one under the PRISM program and the other one that is referred to as an upstream collection. The PRISM collection is actually pretty easy to understand. Say the government has information about a particular e-mail address or a particular individual known as a selector. 

PRISM sends collected data to the NSA and from there to the FBI and CIA. (Image: Carsten Reisinger/Shutterstock)

The attorney general and the director of national intelligence certify the selector as relating to a non-US person who is outside the United States and who is reasonably believed to be connected to a foreign intelligence matter. And then, a query about that selector is sent to an Internet service provider. The provider, in turn, is required to hand over to the government any communication it might have that was sent to or from the named selector. 

The National Security Agency that receives all the data collected through PRISM then makes portions of it available to the CIA and the FBI for their use. Upstream collection, by contrast, does not focus on the Internet service provider. Instead, as the name suggests, it focuses upstream within the telecommunications structure, at the backbone through which all telephone and Internet communications travel.

How Different Are PRISM and Upstream Collections?

There are a couple of differences that distinguish upstream collection from PRISM collection besides the location in the Internet architecture where the interception occurs. Most notably, for our purposes, it can involve what are termed “about” communications. “About” communications refer to selectors that occur within the content of the monitored communication, instead of, in the example of an e-mail, in the To or From line.

So if the government was using a name as a selector under the upstream collection program, they would also collect foreign intelligence-related communications in which the name appeared in the body of the communication. Say, for example, that two al-Qaeda members were communicating via e-mail, and one of them said to the other, ‘We should recruit Rosenzweig.’ That’s an example of an “about” communication. Under the PRISM program, in contrast, they would collect e-mails to or from the user name and nothing more.


How Government Protects Privacy and Civil Liberties

Given the breadth of all this, what are the privacy protections? If information about Americans is going to be collected in a program designed to monitor foreigners, what’s to keep that information from being misused? Here is a part of the answer. When information is collected about an American, whether collaterally as part of an authorized investigation or inadvertently as the result of a mistake, the government is required to minimize that information. 

When the government uses the word minimize, what it means is to limit its collection of the information; to retain it, if at all, only for a limited period of time; and to use information about Americans only in narrowly defined circumstances. It may also mean deleting the information entirely. As with the targeting procedures we talked about earlier, these minimization procedures are also approved by the FISA Court, but again, the approval is for the system of minimization, not each individual case.

So, for example, under these minimization procedures, agencies like the NSA, CIA, and FBI are not allowed to unilaterally go through the data they’ve collected. Rather, they must demonstrate a reasonable likelihood that targeting a particular item in the information collected is going to result in the development of foreign intelligence information.

Common Questions about America’s Privacy Protections and Web Surveillance

Q: Does the program authorized by Congress to collect information protect privacy?

Under a program authorized by Congress, no agency has the right to access the information of Americans or non-Americans on U.S. soil. Of course, this is not enough to protect privacy and civil liberties, because all the data is intermingled.

Q: What does minimization mean?

The minimization procedure means limiting and minimizing the collected information. This happens to protect privacy and civil liberties of the American people. The government is allowed to use the collected data only in specified conditions.

Q: What’s the advantage of the minimization procedure for privacy protection?

The minimization procedure of information aims to protect privacy and civil liberties; agencies such as the NSA and CIA are not allowed to utilize the data they have collected. These agencies must prove that targeting specific cases helps to improve foreign intelligence gathering.
