NSA internal watchdog defends agency's privacy practices

The agency's collection of U.S. communications has privacy controls in place, a report says

The U.S. National Security Agency takes multiple steps to protect the privacy of the information it collects about U.S. residents under a secretive surveillance program, according to a report from the agency's privacy office.

Presidential Executive Order 12333, which dates back to 1981, generally sets the ground rules for the NSA's overseas surveillance. It allows the agency to keep the content of U.S. citizens' communications if they are collected "incidentally" while the agency is targeting overseas communications.

But the surveillance of U.S. residents is conducted with several privacy safeguards in place, ensuring that the NSA collects the right information from the right targets and does not share the collected information inappropriately, according to the NSA Civil Liberties and Privacy Office report, released Tuesday.

NSA safeguards include privacy training for every employee, an oath of office that requires all employees to protect privacy and civil liberties, and privacy oversight by six internal organizations, including the office that prepared Tuesday's report.

Consistent communication from NSA leadership on protecting privacy "has resulted in a work force that respects the law, understands the rules, complies with the rules, and is encouraged to report problems and concerns," the report said. "NSA takes several steps to ensure that each individual who joins its ranks understands from the first day on the job that civil liberties and privacy protection is a priority and a key personal responsibility."

The privacy safeguards inside the agency don't make up for a lack of "robust" judicial and congressional oversight of the program, the American Civil Liberties Union said. Oversight from both of those branches of government "are all but entirely lacking when it comes to surveillance under this order," Patrick Toomey, an ACLU staff attorney, said by email. "Rather, these rules can be changed by executive officials unilaterally and in secret, as they have been in the past."

The report doesn't address the privacy issues related to the NSA's separate bulk collection programs, "which means it leaves aside some of the NSA's most indiscriminate surveillance programs," Toomey added.

Targeted 12333 surveillance is separate from the so-called "bulk" collection programs disclosed by former NSA contractor Edward Snowden, including the NSA's collection of most U.S. telephone records and its collection of the online communications of foreigners allegedly connected to terrorism activities.

The NSA has not disclosed how many U.S. communications it has collected under its 12333 program, but a 2007 document released last month by the ACLU, obtained through a Freedom of Information Act request, describes the surveillance program as the "primary source of the NSA's foreign intelligence gathering authority."

It's "heartening" that the NSA has some privacy protections in place, but "significant concerns" remain, said Robyn Greene, policy counsel at think tank New America Foundation's Open Technology Institute.

"The report does not discuss any privacy protections that are applied to the NSA's bulk collection programs ... and it fails to address privacy protections applied to non-U.S. persons' information," she said by email.

Greene called on the NSA to "still be more transparent about the scope and privacy impacts of its targeted and bulk collection programs." The agency cannot be fully transparent about its 12333 surveillance because of national security concerns, the report said.

The NSA Civil Liberties and Privacy Office report details the privacy protection programs the agency has in place without listing any potential breaches in privacy protocols at the agency. The report lists several privacy risks in the NSA's surveillance of U.S. residents under the executive order, but then follows the risks with lists of privacy safeguards at the agency.

A potential risk in targeting people for surveillance is that the wrong people will be targeted, the report said. NSA safeguards allow only properly trained employees to use the targeting system, require that a supervisor or senior analyst approve targeting requests, and require the agency to delete any information from incorrectly targeted people, the report said.

Asked why the report doesn't address whether there have been any violations of the agency's privacy protocols, an NSA spokesman said the purpose of the report was to examine the NSA's privacy practices against widely accepted fair information practice principles.

"The report makes valuable contributions to the agency's mission of enhancing transparency and contributing to the ongoing public dialogue on national security and privacy," NSA spokesman Michael Halbig said by email.

Halbig defended the NSA's 12333 surveillance by saying the agency follows the legal authority set out in the executive order and by the U.S. attorney general. He declined to say how many surveillance targets the NSA has under 12333 authority.

The report doesn't address the privacy safeguards the agency has in place for foreigners targeted under 12333. In January, President Barack Obama directed U.S. intelligence agencies to establish privacy protections for all information they collect, and the agency is still working on ways to apply that directive to the privacy of people living outside the U.S., the report said.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.
