The Civil Liberties and Privacy Office, a new position created early this year at the NSA, released a review on NSA’s Signals Intelligence Activities under 12333 regarding protections of US persons. Unsurprisingly, the report reveals the absurdity of expecting the NSA to police itself and taking it at its word.
The report focuses on and basis its conclusions on a framework designed to ensure privacy and civil liberties and takes it at face value. But it does not address the discrepancies between revelations since the Snowden leaks began, nor does it go into any great detail on how the agency actually upholds the processes it claims to use.
There are four parts to the mission of the NSA’s Civil Liberties and Privacy Office (CLPO). (1) Build systematic and holistic civil liberties and privacy processes that are integrated into NSA activities. (2)Increase transparency and communications about NSA civil liberties and privacy protections for the American public, overseers and stakeholders. (3) Improve civil liberties and privacy protections by supporting research, education and training. (4)Advise NSA leaders on civil liberties and privacy issues.
In this new report, the CLPO uses the framework Fair Information Practice Principles (FIPPs) to evaluate how the NSA safeguards general civil liberties and privacy. Fair Information Practice Principles FIPP’s are broken down in eight founding parts for federal agencies to adhere to. These principles are:
- Transparency: organizations should be transparent and notify individuals regarding collection, use, dissemination, and maintenance of personally identifiable information (PII)
- Individual participation: organizations should involve the individual in the process of using PII. Seek consent for collection, use, and maintenance thereof. Organizations should also provide mechanisms for appropriate access, correction, and redress regarding use of PII.
- Purpose specifications: organizations should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose(s) for which it will be used
- Data minimizations: organizations should only collect PII that is directly relevant and necessary to accomplish the specified purose and only retain PII for as long as it is necessary to fulfill the specified purpose.
- Use limitation: Organizations should use PII solely for the purpose specified in the notice. Sharing PII should be for a purpose compatible wiht the purpose for which the PII was collected.
- Data Quality and Integrity: Organizations should, to the extent practicable, ensure that PII is accurate, relevant, timely, and complete.
- Security: Organizations should protect PII (in all media) though appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure
- Accountability and Auditing: Organizations should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with thse principles and all applicable privacy protection requirements.
Red color indicates the Civil Liberties and Privacy Office found that the NSA provides for those protections.
CLPO asserts that six of the eight principles have been upheld by the NSA. The two principles the NSA are self-excused from are transparency and individual participation due to national security, but try to uphold those principles through abstract measures.
Ironically, one of the CLPO’s missions is increasing transparency of the NSA to the public. But it later hides behind the phrase “national security” as the sole reason for not being able to complete that mission. If the NSA cannot provide transparency, the office constructed to provide transparency can’t either as reported. ” NSA cannot offer direct Transparency because that would alert foreign intelligence targets that are under surveillance.” The report further states, “Instead, NSA satisfies the Transparency principle through routine reporting to a variety of entities, including Congress, the Department of Defense (DoD), the Department of Justice (DoJ), the Office of the Director of National Intelligence (ODNI), the President’s Intelligence Advisory Board (PIAB) and the Privacy, Civil Liberties Oversight Board (PCLOB).
The report continues that, “In many cases, NSA overseers provide surrogate means for these two principles [transparency and individual participation].”
The surrogate idea is a false notion. “Overseers” the report mentions include members of Congress as representatives of the people. Last year, Glenn Greenwald reported that congressmen and women were stonewalled when trying to get access to even basic information needed to make an informed vote. This raises a number of issue
1. If the people themselves are not notified, how can they give Congress consent?
2. If Congress is a representative to the people, but unable to receive basic information, then they are therefore not notified about collection use, dissemination, and maintenance of PII.
3. This notion that the Congress is to notify the people what is being done in their name rather than the will of the people telling Congress what will be done in their name perverts the Constitution.
Reporting from DoD, DoJ, ODNI is geared primarily to informing the executive branch of how it is fulfilling the execution of laws. Agencies under the executive branch do not independently construct processes to protect privacy and civil liberties, but are expected to obey laws and through the guidance of executive orders, show how to fulfill such obligations.
If failures are seen within these reports, historically, Congress could use the power of the purse string as a reaction by the people to such reports. However, the military industrial complex has eliminated the power of Congress as an overseer of the military and intelligence agencies. With black-hole budgets, the DoD and intelligence agencies are sole instruments of the executive branch. Congress has not attempted any reform on executive orders to reform the NSA.
Unfortunately much of what we know is either from leaks or Freedom of Information Act (FOIA) requests, not agencies under the executive branch. However, the NSA is not subject to FOIA requests. Even more confusing, some reports regarding intelligence have a twisted double speak. This further muddies the notion of transparency.
The double speak is addressed in an article by the Federation of American Scientists. Steven Aftergood reports,
“A report to Congress on authorized disclosures of classified intelligence to the media — not unauthorized disclosures — is classified and is exempt from disclosure under the Freedom of Information Act, the National Security Agency said. The notion of an authorized disclosure of classified information is close to being a contradiction in terms.
If something is classified, how can its disclosure be authorized (without declassification)? And if something is disclosed by an official who is authorized to do so, how can it still be classified? And yet, it seems that there is such a thing…
So what disclosures of classified intelligence to the media were approved by government officials and reported to Congress, we asked earlier this year? The National Security Agency refuses to disclose those disclosures.”
“NSA can only offer Individual Participation in limited instances for the same reason [national security].” The report later states that through surrogate means, this is accounted for.
Direct individual participation is banned due to Section 215 under the USA Patriot Act which prohibits the person under investigation from being notified about collection of communications by a private entity like a telecom or landlord to collect information on the person in question, and therefore due to such secrecy, the person cannot contest the collection.
How does the CLPO describe how the NSA provides for the principle of individual participation through limited instances? By engaging academic community members and civil liberties and privacy advocates to identify potential additional activities to strengthen the privacy and civil liberties protections. It does not eliminate a practice, nor does it educate members on its activities. Only after the NSA is caught red-handed, can any advocate engage with the NSA on how to reform a practice. Such reforms don’t have to be accepted. Individual participation is absurdly substituted with 6-degrees of separation for individual participation. See PCLOB an overseer that recommended ending metadata collection.
Overseers like PCLOB have yet to review EO 12333, but have issued statements that the metadata collection should be ended under the Patriot Act Section 215. PCLOB has been challenged very strongly by academia and privacy advocates. No resolution has was found through this surrogate transparency board or individual participation. The PIAB has more complications. The PIAB has faced drastic reorganization. Currently just a handful of people advising the president are expected be enough to advocate privacy and civil liberties?
The report vaguely describes how the NSA specifically articulates the authority that permits the collection. “The SIGINT activities described in this section are governed by the DoD regulation and Attorney General-approved procedures. Targeting is guided by the classified guideline, the National Intelligence Priorities Framework which requires analyst to review data to ensure that it contains foreign intelligence on foreign targets; in the even an incorrect entity is targeted, all selectors associated with that entity must be removed from targeting and if the entity is a U.S. Person, the data must be deleted from NSA systems.”
This was hotly contested by Bill Binney, who warned that the NSA is going beyond what was believed to be national security. He warned that the NSA is building profiles on every person with a tool he created, including Americans. Not only that, a recent post from the Intercept stated that the NSA is committing economic espionage to maintain US supremacy in tech, science, and finance. Data is not ensured to be for just foreign intelligence purposes, but has been widened to include domestic spying and economic espionage.
“Some of the planning relates to foreign superiority in surveillance technology, but other parts are explicitly concerned with using cyber-espionage to bolster the competitive advantage of U.S. corporations. The report thus envisions a scenario in which companies from India and Russia work together to develop technological innovation, and the U.S. intelligence community then “conducts cyber operations” against “research facilities” in those countries, acquires their proprietary data, and then “assesses whether and how its findings would be useful to U.S. industry””
In the Targeting section, NSA personnel are required to be ” appropriately trained and authorized and are permitted to introduce specific terms (such as phone number or email address) into the NSA collection systems as “selection terms” for acquiring communications associated with specific foreign intelligence targets. They perform pre-targeting research, and two-person review and approval before entering any selection term into NSA’s collection systems, and conduct checks throughout the targeting process to review and validate that the acquired collection is responsive to the documented foreign intelligence need. In addition to initial approvals, selectors are reviewed by a supervisor or senior analyst on an annual basis”
In Alvaro Bedoya contribution on Just Security points out,
“If an ‘incidental’ collection of an Americans’ data is too substantial, that collection may be rendered unreasonable by that fact alone. As Judge Bates wrote in his October 2011 opinion on section 702 collection:
[T]he acquisition of non-target information is not necessarily reasonable under the Fourth Amendment simply because its collection is incidental to the purpose of the search or surveillance. […] There surely are circumstances in which incidental intrusions can be so substantial as to render a search or seizure unreasonable.”
Furthermore, if we assume that targeted collection is actually targeted, one can assume pre-targeted research found probable cause that a crime has been committed, and seizure of a person’s communications are a reasonable requirement to build a case against a person or stop a crime. If that is so, then is it unreasonable to require a warrant? The purpose of the warrant is to minimize the invasion of otherwise suspected innocent people’s lives, and focus on leads that help build a case that a crime has been committed by a specific individual.
The CLPO reports that only ” a limited number of NSA personnel who are appropirately trained and suthorized to introduce specific terms (such as a phone number or email address) into NSA collection systems as “selection terms” for acquiring communications associated with specific foreign intelligence targets.” There currently is no metric for how many analysts are employed to search based on selection terms, nor how much data is accessible per analyst.
1.4 million Americans hold a top secret security clearance. Not all work for the NSA but for other military brances and about 500,000 of that population work for contractors like Booze Allen Hamilton. How many people employed by the NSA will not been recently released. It is apparently classified. Due to Sensitive Compartmented Information, it is unlikely 100% of contractors or NSA employees would have access. However, we do not know the demand analysts needed to complete the mission. With storage facilities being built in Utah, Texas, and elsewhere contractors and NSA analysts needing access to search selectors will increase. Also, data can be retained for up to 5 years, while other obtained data will remain longer in the NSA’s servers.
We learned from the Snowden leaks, that limited collection is in direct conflict of the “Collect it all mentality“. No matter how many analysts employed, the purpose is for the NSA to be able to view it all. Much of communications collected from Americans is considered incidental.
Data Quality and Integrity and Security:
The NSA report states, “if the SIGINT data describes an individual with U.S. citizenship mentioned by name, the report may not reveal the name of the person. Rather, the phrase “named U.S. Person” will be substituted. NSA follows strict process for revealing the true identities of U.S. persons within a report only to properly cleared personnel requiring access to the information to perform his or her official duties. SIGINT reports are based on valid foreign intelligence requirements and no extraneous personal data is included in the reports. NSA policy states that personnel should not include information in reports just because it is available, and they must also complete checklists that assist in reducing likelihood that personal information is inappropriately included in a report.”
However, the Intercept reported that five Muslim Americans were being spied on by the NSA and FBI. Even though it is unclear if this collection occurred under 12333 or another authority, what is clear is that guidance specifically targeted Muslims. The Intercept does confirmed that U.S persons are identified. However, just because their identity may be blocked out, selection terms like an email are not. Emails can identify an individual if the person creating the email uses their name.
“The individuals appear on an NSA spreadsheet in the Snowden archives called “FISA recap”—short for the Foreign Intelligence Surveillance Act. Under that law, the Justice Department must convince a judge with the top-secret Foreign Intelligence Surveillance Court that there is probable cause to believe that American targets are not only agents of an international terrorist organization or other foreign power, but also “are or may be” engaged in or abetting espionage, sabotage, or terrorism. The authorizations must be renewed by the court, usually every 90 days for U.S. citizens…
Under the heading “Nationality,” the list designates 202 email addresses as belonging to “U.S. persons,” 1,782 as belonging to “non-U.S. persons,” and 5,501 as “unknown” or simply blank. The Intercept identified the five Americans placed under surveillance from their email addresses.”
Accountability and Auditing:
The report states that the authority (EO, Patriot Act, etc) of the collection must be documented. “NSA marks the data to understand the source and authority of the data so that access restrictions can be applied” However, in a Just Security piece, the NSA last year said it was impossible to calculate such a number.
“In a December 2013 Washington Post article on the use of 12333 to collect cellphone location records, the NSA demurred an attempt to estimate how many Americans were swept up in that program:
“It’s awkward for us to try to provide any specific numbers,” one intelligence official said in a telephone interview. An NSA spokeswoman who took part in the call cut in to say the agency has no way to calculate such a figure.”
If the authority is documented; how is it not possible for the NSA to calculate incidental or even targeted collection of communications? The report continues that it has “automated tools for identifying situation when it receives data is should not received and then deletes the data.” There is no report on any metrics of how many times the automated tool deletes incidental collection.
The CLPO expects Americans to take it at its word. However, with simple Internet searches, Edward Snowden’s leaks have enlightened us to the idea the government cannot be trusted. Even under it’s own framework, it fails to safeguard privacy and civil liberties. The gold standard of safeguarding civil liberties and privacy is the US Constitution. However, one cannot protect status quo of protecting the national security state and liberty at the same time.
The NSA has chosen to serve the master of secrets instead of serving liberty.