What's missing in the new NSA report?
The NSA released a required report on surveillance transparency, but many questions remain unanswered about how the spy agency is querying vast troves of telephonic metadata.
The National Security Agency Civil Liberties and Privacy Office released a congressionally-mandated transparency report on Jan. 15, detailing the implementation of the USA Freedom Act.
In the summer of 2015, President Barack Obama signed the USA FREEDOM ACT of 2015, which required the NSA to stop collecting and storing bulk telephonic metadata of U.S. citizens. With this law, telephone companies store the metadata on their customers, and NSA analysts can query the information under prescribed legal authorities.
To comply with the law, the NSA has changed the way it accesses telephonic metadata -- the information on callers, call recipients, time and place of call and more. The law was intended to promote the privacy of U.S. citizens, while giving the NSA the flexibility to obtain, analyze, and circulate information regarding international terrorist threats. The new report gives an update on the actual implementation of that program, based on the application of eight Fair Information Practice Principles.
Some experts argue that though it clarifies answers to some of the questions, it still leaves more open for debate.
"It leaves more questions than it resolves," Julian Sanchez told FCW. Sanchez, a senior fellow at the Cato Institute and an expert on surveillance and privacy issues, analyzed the report for the Just Security blog.
Sanchez noted that the bigger question is on what exactly is going on in the black box -- the NSA's architecture which describes how the agency can query telephonic metadata.
"It does leave some significant question marks about how [NSA] are determining these connections and about how this process works especially when the selectors they are giving the companies is something other than just a phone number," he said.
In the report, the agency claims that, "The government has strengthened privacy safeguards by, among other things, ending the collection of telephone metadata in bulk and having telecommunications providers, pursuant to court orders, hold and query the data."
However, it's that process that concerns Sanchez.
Under the current architecture, the first step is to get the legal internal administrative issues sorted, including court orders and such. After that, the number(s) the NSA receives is fed through their current database, which does not include the previously controversial metadata. Then they go to the carriers (if it's a cell phone number, for example) for the "one-hop" or "two-hop" numbers. ("Hops" is surveillance jargon for the degree of separation from a caller to a target. One hop refers to a number that is in direct contact with a surveillance target; two hops indicate that two numbers are connected by a common contact.)
"One-hop returns from providers are placed in NSA's holdings and become part of subsequent query requests, which are executed on periodic basis. Historical bulk data collected under Section 215 of the USA PATRIOT Act will never be included when querying internal holdings," the report states.
The report, "leaves a lot of questions open about the process by which they are determining the two numbers in contact," Sanchez said.
"NSA is not known for volunteering details," Sanchez said. "This is sort of consistent with their practice in a lot of areas where they'll talk kind of generally how they are doing things...they will not really get into any thorny questions of the other ways targeting your surveillance."