Can the NSA know what it's actually doing?

August 21, 2013, at 10:33 PM

The American public has a much better understanding of how the National Security Agency does its work, how it monitors itself, and how it interacts with the Foreign Intelligence Surveillance Court. We should avail ourselves of the opportunity to understand these issues as much as possible.

For example, the director of national intelligence tells us about the two major overcollection/underestimation problems the NSA discovered in 2009.

One involved bulk telephone records, and the other involved the now-discontinued email metadata collection program. The DNI insists that the technical complexities of the collection were such that the agency did not for some time have a clear sense of precisely how its own programs were working. At the same time, when these two major problems were identified, the NSA realized that its compliance architecture had not kept pace with "operational momentum," and began to overhaul its entire procedures and management structure. The NSA therefore did not realize it was misleading Congress and the FISA court. This makes sense.

But I do wonder: If NSA does not know what it is doing because it is so good at collecting intelligence, is it possible that the entire SIGINT architecture is somehow emergent in the sense that it is too complex to be subject to the type of oversight that a reasonable person who does not understand SIGINT would think is appropriate?

This isn't a philosophical question. If the NSA doesn't know what it's doing, or if it is not possible for NSA to know what it is doing, then should it design systems that err on the side of overcompliance? In other words, should the "bias" of its policies be to proactively screen out information even if it might include valuable foreign intelligence because NSA is probably overcollecting? Or are the American people willing to allow a certain amount of technological pipe shifting, even if it includes their communication, so long as the NSA is legitimately trying to make it work?

How eager is the National Security Agency to share its compliance problems with Congress? And how much information SHOULD it share with members of Congress who aren't members of the intelligence committees?

Consider how it described the tens of thousands of emails that flew unnoticed into NSA repositories because the agency had legitimate technical trouble dealing with "multi-communications transactions," or MCTs, under its "702" authority, a section of the FISA Amendments Act of 2008.

Remember, "702" data is made up of two different types of collection. Through its PRISM program, the NSA acquires precertified and target-vetted data sets from internet companies. Through its upstream collection, the NSA directly intercepts transiting internet traffic streams at ISP nodes throughout the United States. Each company that allows NSA access to its nodes gets a code name, like STORMBREW. The SECOND type of collection makes up only about 10 percent of what NSA collects under 702, but it is subject to much less prescreening. NSA is allowed to use what it calls "U.S. Persons Identifiers" to "query" the PRISM-collected data because that data has already been certified by the Justice Department and the Foreign Intelligence Surveillance Court as having a relevant foreign intelligence purpose. Analysts are NOT allowed to use U.S. Persons Identifiers to query the raw traffic streams. The technical problem NSA identified had to do with the agency's ability to screen out unrelated and entirely domestic traffic that it acquired directly from the fiber lines. And the court held that NSA basically ignored the U.S. persons data it KNEW was being inadvertently collected. This includes tens of thousands of emails per year, a tiny fraction of the total, but a large number nonetheless.

To Congress, the NSA said that the court denied the certifications "because of its concerns about rules governing the retention of certain non-targeted internet communications — so-called multi-communications transactions (MCTs) acquired through the NSA's upstream collections." That sounds like a minor thing. And you wouldn't know from this sentence that it took NSA a few years to figure this out, and that the court suggested that this was the third time that the NSA dramatically understated the scope of one of its major collection programs. The NSA tells Congress that the problems were quickly identified and quickly rectified, without describing what actually happened, or why. We know, of course, that the problem was a bit more significant than the NSA describes in the white paper.






Subscribe to the Week