Last month, the Atlantic highlighted the fact that the NSA had ‘fessed up to the fact that its snooping operation was a lot more encompassing than it had previously admitted. Deputy Director Chris Inglis testified that the agency didn’t look “two hops” from a suspected terrorist, as it had previously said. The range was now revealed to be “two or three hops”. A hop is someone you are in contact with, say via e-mail, phone or on a social network. So if you are A, three hops is A => B => C => D. And on the Internet, according to a 2011 study, the average person is 4.7 hops removed from another particular person.
A post on Medium tries to convey the scale of this data-hauling operation. Their math isn’t right, but it’s a useful starting point:
…let’s focus a bit on what may be a suspect’s contacts. If Snowden’s allegations and some of the reporting we’ve read from major media outlets are true, the companies who provide NSA with “metadata” –in other words “who’s speaking with whom”— include Google, Facebook, Yahoo, YouTube, Skype, AOL and Apple.
An average person on Facebook has about 130 friends. Adolescents and young adults often have many more—a Pew study found that the average teen has a median 300 friends on Facebook. In addition to your Facebook friends, a “contact” could be anyone you emailed with a Gmail, Yahoo or Hotmail account or instant messaged via a Microsoft service. Add…Skype…cell phone metadata…
Let’s say that there are about another 150 people outside your Facebook friends that you might have emailed, called or otherwise have been in detectable contact with over a year. About 300 “contacts” per person sounds like a reasonable baseline. Let’s do the math from this relatively modest base…
At three hops, you have a dragnet. If we stick to our base number and calculate 300*300*300, we are looking at 27 million people. This is no longer a community, it’s a good chunk of a nation.
That’s not the right computation. The problem is you are going to have the same people showing up as duplicates due to overlapping networks. For instance, five people who have written on this blog and therefore are one hop from me are: Lambert, Nathan Tankus, Dave Dayen, Tom Ferguson, and Michael Olenick. Lambert knows all of the other four, so they’d show up in a two-hop-from-me list and therefore be duplicates. Nathan has had direct communication with Tom, so those would be duplicates by another route. Dayen and Olenick also know each other directly. And those are just the connections I’m certain of among them.
So you need to take that 27 million and divide it by a large number. I have no idea exactly how large, but I’d hazard between 10 and 100. Even if you assume 100, you still have three hops from a single person being 270,000 which is still big enough to prove the general point, that this isn’t a search process, this is an excuse for data hoovering.
And that process will put most of you in contact with a terrorist. I know I am via one channel and there are probably others. A member of the ECONNED research team who has stayed in touch with me has helped teach students in the Cambridge public school system. Two of his past students that he’s corresponded with in the last year know Boston bombing suspect Dzhokhar Tsarnaev, and at least one of them had contact with him in the last twelve months. So I am three hops from Tsarnaev, and therefore an official candidate for NSA snooping. Of course, I’m probably on the list for other reasons too, the most obvious being that Glenn Greenwald and I have corresponded occasionally (most recently, he was gracious enough to send a short thank-you message for attacking a hatchet job masquerading as a profile by the New York Times).
That’s before you get to the problem of accidental connections, such as the misdialed phone number. And a fast hangup won’t save you; in fact, fast hangups are often used as a way to signal to someone to contact that person on an agreed supposedly safe channel. So all the mistakes will be included in the NSA hop process.
There’s another aspect of the NSA’s dubious dragnet that the simple multiplication from Medium misses: some people have far more than 300 contacts. They are likely to hold important roles in society. Therefore a three-hop rule is much better at getting you people who are prominent and politically connected than it is at fishing out antisocial loners or smart terrorists who might maintain one or several public personas to conduct their normal life (assuming they have one) and use quite different channels and equipment for their nefarious plans.
In fact, a three-hop rule sounds like a clever, “legally sound” way to justify trawling out the information of influential individuals rather than those who are dangerous (at least the way the NSA professes to define dangerous). And that alone over time will have a chilling effect on communication, as people who lived under the Stasi will attest. As long as the NSA can get innumerate judges and compliant Congresscritters to buy off on enough of these not very restrictive heuristics, they are set.
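An added illustration, not part of the original post or the Medium piece: a breadth-first hop count over a small constructed contact graph, showing both the duplicate problem with the straight multiplication and the effect of one widely connected person. The ring layout, the sizes (2,000 people, 20 contacts each) and all function names are assumptions made for the example, not real contact data.

```python
from collections import deque

def ring_graph(n, k):
    """Constructed contact graph: n people on a ring, each in contact with the
    k nearest on either side, so neighbouring contact lists overlap heavily."""
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for step in range(1, k + 1):
            j = (i + step) % n
            adj[i].add(j)
            adj[j].add(i)
    return adj

def add_hub(adj, hub, stride):
    """Give one person extra contacts at every `stride`-th ring position,
    modelling a widely connected individual. Mutates and returns adj."""
    n = len(adj)
    for m in range(1, n // stride):
        j = (hub + m * stride) % n
        adj[hub].add(j)
        adj[j].add(hub)
    return adj

def within_hops(adj, seed, hops):
    """Breadth-first search: the distinct people within `hops` of seed.
    The `seen` set removes the duplicates that 300*300*300 counts repeatedly."""
    seen = {seed}
    queue = deque([(seed, 0)])
    while queue:
        node, dist = queue.popleft()
        if dist == hops:
            continue  # do not expand past the hop limit
        for contact in adj[node]:
            if contact not in seen:
                seen.add(contact)
                queue.append((contact, dist + 1))
    return seen - {seed}

def naive_estimate(contacts, hops):
    """The multiplication from the quoted post: contacts ** hops."""
    return contacts ** hops

N, K, HOPS = 2000, 10, 3  # constructed sizes: 2*K = 20 contacts per person
plain = ring_graph(N, K)
hubbed = add_hub(ring_graph(N, K), hub=5, stride=10)

if __name__ == "__main__":
    print("naive:", naive_estimate(2 * K, HOPS))
    print("plain, seed 0:", len(within_hops(plain, 0, HOPS)))
    print("hub graph, seed 0:", len(within_hops(hubbed, 0, HOPS)))
    print("hub graph, seed 1000:", len(within_hops(hubbed, 1000, HOPS)))
    print("hub graph, the hub:", len(within_hops(hubbed, 5, HOPS)))
```

Because contact is symmetric, the size of a person's three-hop set is also the number of starting points from which that person would be swept in, so comparing the hub's count with an ordinary person's shows who a hop rule catches most often.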