NSA Report on Civil Liberties and Privacy Protections under EO 12333

In January 2014, the NSA’s Civil Liberties and Privacy Office (CLPO) was created. The CLPO was tasked with ensuring that civil liberties and privacy protection considerations are integrated into the NSA’s mission activities. Yesterday—and importantly, given the disclosures about NSA surveillance, and subsequent developments—the CLPO released its Report on Civil Liberties and Privacy Protections for Targeted SIGINT Activities under Executive Order 12333.  (The latter, as readers well know, represents the legal basis for a great many of the United States’ signals intelligence programs.) As the executive summary puts it, the report “addresses the general civil liberties and privacy protections employed by the NSA” and “documents additional procedures for targeted Signals Intelligence activities under Executive Order (E.O.) 12333.” Specifically, the report examines: 1) the NSA’s Management Activities that are applied throughout the Agency; and 2) the Mission Safeguards used in SIGINT missions conducted under E.O.12333. Significantly, the report is limited in scope: it “focuses only on U.S. person protections.” Below, I overview the report’s contents. Management Activities The first half of the report focuses on the institutional structure and controls of the NSA that relate to civil liberties and privacy protections. The report outlines four: 1) Organization and Management; 2) Policy; 3) Training and Education; and 4) Research.

• Organization and Management. The NSA’s “decentralized execution of civil liberties and privacy protections using both staff and line organizations to create policies and programs, execute procedures and oversee these protections” was commended by inspectors, as a model for other agencies to follow. The report next describes six major staff organizations in the NSA that are responsible for civil liberties and privacy: the Office of the Inspector General, the Office of General Counsel, the Office of the Director of Compliance, the Authorities Integration Group, the Associate Director for Policy and Records, and the Civil Liberties and Privacy Office.

• Policy. This section briefly reviews history of NSA privacy programs, leading up to the establishment of the CLPO. The report then ticks off a number of NSA norms relating to privacy. For instance---and unsurprisingly enough—the NSA maintains published policies and procedures that consider civil liberties and privacy as they relate to the collection, use, retention, dissemination and destruction of SIGINT mission data.

• Training and Education. NSA employees must complete training and educational programs. For example, employees complete annual training on privacy and intelligence; the NSA also has a program designed specifically for personnel performing SIGINT missions or who have access to SIGINT data. According to the report, all employees who have access to such data must complete a minimum of three of these training classes.

• Research. Privacy work at the NSA is hardly historical.  Instead there are “several ongoing research efforts within NSA[to] support enhanced civil liberties and privacy.” Take, for example, the development of Private Information Retrieval—a cryptographic approach to preventing unauthorized users from accessing protected data.

Mission Safeguards This brings us to the report’s second half, which focuses on “operational activities NSA puts in place to implement civil liberties and privacy protections such as: programs, procedures, and human-based and technical-based controls.”  In particular, this part of the document details how operational safeguards play out during the 1) Acquisition, 2) Analysis, 3) Retention, and 4) Dissemination stages of SIGINT.

• Acquisition. Constraints are imposed on the NSA’s targeting. Among other things: the system for targeting only allows properly trained individuals to use it; the targeting must be tied to one of the valid foreign intelligence requirements listed in the National Intelligence Priorities Framework; a supervisor or senior analyst must review the targeting request before collection can begin; the analyst reviews the resulting data after the selector has been targeted, so as to ensure that the data contains foreign intelligence on foreign targets; in the event an incorrect entity is targeted, all selectors associated with that entity must be removed from targeting and, if the entity is a U.S. Person, the data must be deleted from NSA systems; and the initial collection and subsequent decisions are all auditable activities.

Further collection and processing safeguards then come into play. To name four, NSA: maintains an approval process before a major new collection begins; has a documented process and automated tools for identifying situations when it receives data it should not have received, and then deletes the data; marks the data to understand the source and authority of the data so that access restrictions can be applied; and, finally, is transitioning from older repositories to more modern systems.

• Analysis. In keeping with the document’s structure, the report next catalogs the rules governing evaluation of collected signals data. We learn that supervisors must approve an analyst to work on a particular mission, and must assign additional personnel to review queries that analysts have performed in NSA SIGINT repositories. NSA also requires its analysts to document why certain queries are being performed, thus providing a degree of transparency to the post query reviewers; the agency moreover has developed job aids, so as to help analysts determine when sensitive queries are permitted or prohibited. The queries analysts have performed in NSA repositories are documented, too. Finally, NSA has extensive training and policies based on procedures that are approved by the Attorney General related to U.S. Person protections.

• Retention. Generally, “targeted SIGINT mission data collected under E.O.12333 that is enciphered is retained for up to five years unless there is a determination that continued retention is in the national security interest of the United States.” To this the report adds five more specific safeguards for retention: 1) a clear NSA policy stating the time period that SIGINT mission data may be retained in accordance with the appropriate legal authority; 2) ongoing improvements as to how the NSA marks its data to identify the source, authority, and purpose of the collection; 3) other, also ongoing improvements to mechanisms to identify, prioritize, and inventory retained data; 4) technical mechanisms to remove the data in accordance with the retention limitations of the legal authority under which it was collected; and 5) improved data loss prevention measures.

• Dissemination. Our final portion begins with the punch line: private data does occur and can be forforeign intelligence purposes. But such dissemination is subject to restrictions, which the report identifies. NSA uses software that performs limited technical checks for most reports as they are prepared and edited, for one thing; and NSA senior reporters perform quality control and legal and policy compliance reviews of reports, providing feedback and directing necessary corrections before a report can be disseminated.  NSA procedures moreover shield the identity of U.S. Persons, unless revealing their identity is required to understand or assess its importance of the foreign intelligence information; and a designated official authorizes when and how identities may be revealed, in keeping with approved procedures. The agency lastly employs source verification, in order to ensure that is reporting is based only on authorized data.

In closing, the report reemphasizes the mission statement of the CLPO: “to increase internal oversight of NSA’s civil liberties and privacy related activities and develop measures to further strengthen NSA’s privacy protections.” Noting that “part of the aim of this office is to facilitate communications between NSA and the public,” the CLPO promises that this report is only a start and that transparency is an ongoing project.