Ever hear of Presidential Policy Directive (PPD) 20? Bet not. The more you’ve never heard of something, the more worried you should be.
In mid-November, The Washington Post, the first media outlet to report on the directive, noted that it “enables the military to act more aggressively to thwart cyberattacks on the nation’s web of government and private computer networks.”
The Post’s revelation came at the same time that other stories broke pointing to deepening problems with electronic privacy rights in America. The most sensational story involved the FBI’s snooping on the private e-mails of two of the nation’s leading security officers, CIA Director David Petraeus and Gen. John Allen, head of the U.S. Afghanistan war effort.
More disturbing but expected, the Supreme Court rejected the ACLU’s challenge to the National Security Agency’s (NSA) use of warrantless wiretaps. And Sen. Patrick Leahy (D-VT), chairman of the Senate Judiciary Committee, proposed the further loosening of e-mail privacy protection regulations.
These are just four examples of an increasing number of efforts among various federal entities, including the Congress and Supreme Court, to expand the power of the U.S. government to spy on American citizens. Recent initiatives by three of the lead agencies engaged in citizen surveillance – National Security Agency (NSA), Department of Homeland Security (DHS) and Defense Department’s research arm, Defense Advanced Research Projects Agency (DARPA) – outline the tightening grip of the spy state.
The ostensible rationale for the tightening of the digital security grip is to track potential foreign cyber-threats. It is, however, evident that federal agencies are increasingly surveilling the electronic lives of ordinary Americans.
These developments signal the growing erosion of personal electronic privacy. Equally troubling, little information is available as to how these agencies share among themselves the personal information they gather about ordinary citizens. Nor do Americans know how these agencies are incorporating data from third-party commercial entities, like the websites Google or Facebook and data aggregators like Acxiom or LexisNexis, into their database profiles.
In mid-October and with little fanfare, President Obama signed PPD 20. He uses PPDs to promulgate national security decisions and, since taking office, he has issued 20 directives.
According to the Congressional Research Service, “From the earliest days of the federal government, Presidents, exercising magisterial or executive power not unlike that of a monarch, from time to time have issued directives establishing new policy, decreeing the commencement or cessation of some action, or ordaining that notice be given to some declaration.”
PPDs are state secrets. PPD 20 is believed to legalize two unconstitutional programs. It may expand the power of the military and intelligence agencies to engage in cyber warfare against those deemed “cyber enemies” anywhere in the world. And it may permit federal agencies to monitor the networks of private companies, such as Google and Facebook.
For many, “NSA” means “Never Say Anything.” In keeping with its customary policy, the NSA refused to provide details about the directive. “Disclosure could reasonably be expected to cause exceptionally grave damage to the national security,” the NSA responded. “Because the document is currently and properly classified, it is exempt from disclosure.”
Efforts by civil liberties groups like the ACLU and the Electronic Privacy Information Center (EPIC) to have the Obama administration reveal the contents of PPD 20 have come to naught. EPIC filed a Freedom of Information Act (FOIA) request to find out what the directive covers.
According to EPIC attorney Amie Stepanovich, “we believe that the public hasn’t been able to involve themselves in the cybersecurity debate, and the reason they can’t involve themselves is because they don’t have the right amount of information.” In response, the NSA claims, “disclosure could reasonably be expected to cause exceptionally grave damage to the national security.”
Some media attention has focused on the NSA’s new Data Center, which is being built on a 240-acre site near Camp Williams, UT, and is expected to be completed in September 2013. It is a 1 million square foot facility, of which 10 percent is dedicated to computer systems; its projected construction cost is estimated at between $1 and $2 billion, but the true number is top secret. In keeping with its hush-hush policy, the agency says only that the facility will “strengthen and protect the nation’s cyber-security.”
The latest NSA whistleblower, William Binney, a 32-year agency veteran who quit over the agency’s failures that resulted in the 9/11 attacks, warns: “It didn’t take but probably a week or so after 9/11 that they [NSA] decided to start spying on the U.S. domestically, on all U.S. citizens they could get.” Going further, he insists that the new facility will be able to monitor everything: it “pretty much means all the communications in the world, for roughly a hundred years.”
Since 2005, the NSA has been engaged in the active warrantless surveillance of Americans. In 2008, faced with court challenges from civil liberties groups, the Congress extended the Foreign Intelligence Surveillance Act (FISA) with the FISA Amendments Act (FISAAA). Doing so, the Congress (i) retroactively extended the NSA’s ability to spy on a “suspected terrorist” without a warrant and (ii) expanded its scope of surveillance to Americans engaged in domestic conversations with foreign suspects. Whoever else is being tracked is a national security secret. Sadly, the Supreme Court just reaffirmed the NSA’s authority to spy on Americans.
PPD 20 seems to be pushing the surveillance envelope a couple of steps further. It might provide legal cover for the NSA, CIA and the military to actively engage in cyber attacks against those deemed to be a cyber threat. Potential targets include individuals, organizations and countries. The apparently joint U.S.-Israel 2010 Stuxnet virus attack on an Iranian nuclear processing facility is an example of the type of action likely covered by the directive.
According to the Post article, “The new directive is the most extensive White House effort to date to wrestle with what constitutes an ‘offensive’ and a ‘defensive’ action in the rapidly evolving world of cyberwar and cyberterrorism.”
Notions like “offensive” and “defensive,” like “enemy” and “ally,” “terrorist” and “citizen,” are oh so 20th century. The 21st century spy state is engaged in (to use a popular concept) a “360-degree” conflict. No one is above suspicion of being a potential threat. Whether an Army general sending personal e-mails or an ordinary citizen making a phone call, everyone is being watched.