At NSA, computers sometimes make the policy calls


John DeLong, the first-ever compliance director at the Pentagon’s spy agency, spends his days making sure analysts are not snooping on Americans.

U.S. law forbids the National Security Agency from intercepting communications between citizens. While privacy advocates argue that NSA databases nevertheless accumulate records on Americans, some of those systems are in fact making the call to delete that information.

“There are times when we use technology to literally make legal and policy decisions,” said DeLong, 37, a lawyer whose additional math and physics degrees likely prepared him for the multifaceted task of policing code-breakers.

With an ever-increasing number of messages to crack and data patterns to follow, agents have limited time to observe what he describes as “very specific procedures that govern their use and handling of that data.” So, machines sometimes patrol privacy.

“There are obviously some decisions that you can’t automate. You have to rely on a human for judgment. And we have lots of training” on foreign espionage authorizations, DeLong told Nextgov in an interview. “We have to make sure those authorizations pass from human to human from machine to machine very carefully.”

Those authorizations include minimization requirements, which tightly control any data obtained while targeting foreigners that identifies Americans. Other privacy measures include database audits and spot checking decisions about whom to pursue, according to intelligence officials.

A computer, for example, can be instructed to screen out certain types of information before it is passed on to the next stage of processing, DeLong explained. “In some cases, we literally have the legal and policy rules embedded in the technology such that the technology will only do those things,” he said.

Still, intelligence activities have broken the rules. As first reported by Wired in July, the Office of the Director of National Intelligence acknowledged in a letter to warrantless wiretap critic Sen. Ron Wyden, D-Ore., that “on at least one occasion” the judicial branch determined “that some collection carried out pursuant to the [law’s] minimization procedures used by the government was unreasonable under the Fourth Amendment.”

When asked whether the incident occurred on his watch, DeLong said, “Root cause is always difficult to figure out, so I’m very hesitant to answer on timing. I will say very clearly, though, when there are incidents we follow the reporting path.”

He then deferred to ODNI, which coordinates the work of the U.S. intelligence community. “The government has remedied these concerns, and the [Foreign Intelligence Surveillance Court] has continued to approve the collection as consistent with the statute and reasonable under the Fourth Amendment,” officials said in a statement.

DeLong added, “We’re nothing if we lose the confidence of the American people.”
