NSA Defenders and the Fallacy of the Effectiveness Defense

Aaron Poffenberger

Recent revelations about the NSA collecting phone records on all Verizon customers has brought defenders out of the woodwork. Rather than addressing the substantive concerns of their critics, these defenders keep pointing to the alleged successes of the program.

The Fallacy of the Effectiveness Defense

Harry Reid and others are telling us to "calm down" about the NSA surveillance. They argue it's necessary for the NSA to have these records to keep us safe. They further argue that the program has prevented terrorist attacks. In a word, the program is effective and therefore justifies itself.

What Reid et al. fail to see is that correlation doesn't imply causation. And even where causation is present, that doesn't mean the results could only be achieved by these broad excesses. These thwarted terrorist attacks may have been prevented with other practices, practices that don't compromise our civil liberties. In other words, the effectiveness of the program alone is insufficient to justify it.

Innovating Your Way to Security

The NSA's defenders are assuming (or at least their words lead one to believe) that the FBI, NSA and other organizations could have only prevented these alleged terrorist attacks with call records. But we have to also consider that in the absence of these records these organization would have had to innovate, as it were, and find other, lawful, less-intrusive ways to do their jobs.

Security can function like a market. Where resources are rare, the "cost" of data increases. When costs are high, entrepreneurs look for other ways to satisfy demand. In the case of cellphone records, the cost is (or should be) very high: it requires probably cause. If the NSA, FBI and other TLAs had been restricted by Constitutional boundaries they might have innovated and found other ways to discover terrorist plots.

Or perhaps Congress and the Executive would have had to innovate diplomatically and find ways to make peace[1] with those who have a grudge against the US.

Sometimes the Cost is too High

There is some possibility the NSAs defenders are right. Perhaps having the call records of every American is necessary to prevent some classes of terrorist attacks. The question then must be: "Is the cost too high?"

There's little doubt we could stop a lot of crimes if the police could stop anyone on the street and frisk them. Drunk driving could be nearly completely stopped if we all took public transportation. Wars could be prevented if we nuked any country that threatened the US. Each of these ludicrous ideas would be effective but we're not willing to pay the cost.

Security is about Risk Management

I work in computer security. One of the mantras we have to recite to stake holders is that security is about risk management. Yes. We can secure your computers against all abuse. We shut them down, pack them in crates and store them in a guarded warehouse. Too bad you won't be allowed to use them. That's not an answer any executive will accept.

What we have to do is analyze the risks. Mitigate the most likely and prepare to respond to the unlikely as they happen.


Terrorist attacks are rare. They're scary and make for great press but statistically speaking we're all more likely to be hurt or killed driving to work. Yes. We should prevent the likely attacks. Port and border security are important. Narrowly-focused collection of phone and financial records may be warranted. Broad surveillance of the entire country is not.


[1] I'm not suggesting appeasement or compromise. Perhaps something as simple as eliminating drone strikes and regime-change operations would be enough.