3 reasonable criticisms of the NSA

July 8, 2014, at 11:03 AM
To be fair, the NSA didn't anticipate an Edward Snowden breach.

To be fair, the NSA didn't anticipate an Edward Snowden breach. Photo: (Nicolas Armer/dpa/Corbis)

I've become what's known in the business as an NSA defender or, if you please, a tool of the surveillance empire. I think the body of my writing would suggest something different, but hey — people read what they want to anyway. As I was re-reading a bunch of critical commentary about the latest story by The Washington Post, several points made by the NSA's detractors are worth highlighting because they are reasonable and quite legitimate.

1. The NSA wants to store everything it collects for a long time just in case it needs to go back and re-analyze something it missed. That's reasonable. But it's not critical. And the balance should tilt in the direction of getting rid of irrelevant communication and SIGINT as quickly as possible, especially those transactions that might contain unminimized domestic selectors — because they are unminimized domestic selectors. Give the NSA a reasonable amount of time to keep the data, then force them to purge it. Six months is reasonable. Five years isn't. And require the analyst who wants to go back into the data to recertify the foreign intelligence purpose and foreignness of the target before letting him or her do that. Subject the certifications to audits. Have Congress look at the audits.

2. Here's another point where I agree with the NSA detractors, although I disagree with what they would have us do. The NSA has done a very bad job explaining how collecting signals works, and a lot of people who write about the agency haven't taken the time to do so either. The distinction between domestic and foreign in SIGINT is necessarily malleable. (Is a chain of emails domestic if one person on the chain lives in London? Or if two-thirds live in Pakistan and one-third are U.S. citizens? What about buddy lists?)

But the NSA, repeatedly, in public, has drawn a line between "foreign" and "domestic" when no such line can possibly exist, except in individual examples that collapse the SIGINT process down to an analog, assembly-line type mechanism. The NSA did this because its critics have successfully collapsed the distance between "collect" and "analyze" in the public's mind. Collect = spy. Not to the NSA. The NSA wants the public to believe that gathering data and analyzing it are tasks so different that they obligate the NSA to apply different layers of protection and oversight to them. In order to understand the distinction, the public would have to buy the NSA's definition of "collect," which they don't. Whether they should or shouldn't, the fact that they don't makes it silly for the NSA to revert back to the foreign and domestic dichotomy.

When Americans read that their domestic communication is swept up by the NSA in the process of legal intelligence gathering, I might say, "well, yeah." But Americans have every reason to say: "But you, government, told us that it wasn't. You misled us."

3. A third point where I agree with the anti-NSAers: the NSA did not anticipate that someone like Edward Snowden would steal the data protected in its system. Given the sensitivities involved but also, or perhaps more importantly, given the legitimate privacy equities that collecting implies, the raw product should have been protected. My understanding is that the NSA draws a thick line between traffic that hasn't been evaluated or minimized and traffic that has. It requires analysts to obtain an "Exceptionally Controlled Information" sub-clearance, cover term "RAGTIME," in order to even see anything that might remotely contain domestic communication. If you're not ECI-RAGTIME cleared, you're not going to see it. But the finished product — the stuff that policy people see — is taken out of the RAGTIME box when it's been evaluated. And because of the difficulty involved in segregating domestic "selectors," a number of clingers-on will be taken out of the RAGTIME box whenever caches of "evaluated" communications are sent down the line — like, for example, to the DIA or the CIA. Too many domestic selectors escape the RAGTIME box without being minimized. And that's a problem, because that data is stored unminimized.






Subscribe to the Week