Cybersecurity

Snowden Undermines Presidential Panel’s Defense of NSA Spying

Andre Penner/AP

Just when the National Security Agency looked as though it had finally scored a victory for its maligned surveillance programs, Edward Snowden again crashed the party.

The fugitive's newest leak, reported by The Washington Post over the weekend, claims that the vast majority of accounts scooped up in a foreign-intelligence program are not those of actual overseas targets but ordinary Internet users whose communications with those targets are incidentally collected.

The contents of the surveillance files—almost half of which contained information from U.S. citizens or residents—"tell stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes," The Post reports.

While revealing on its face, Snowden's latest revelation also arrived just days after the Privacy and Civil Liberties Oversight Board, an independent watchdog agency, deemed spying under Section 702 of the Foreign Intelligence Surveillance Act legal and effective.

Section 702, amended in 2008 by Congress, allows intelligence agencies to spy on the communications of foreigners believed to be living outside the United States. It provides the legal authority for an NSA program known as "PRISM," in which the agency demands that Facebook, Google, and other Internet companies hand over users' communications. Section 702 also allows intelligence agencies to tap into the Internet backbone to collect massive amounts of international communications, a program unofficially known as "Upstream."

Whether intentional or not, the timely Post article—the culmination of a four-month investigation of 160,000 email and instant-message conversations—serves in part as a rebuke to the privacy board's conclusions, civil-liberties groups say, and calls into question the completeness of its review, which stands in stark contrast to the board's critical review earlier this year of the spying on domestic phone records under Section 215 of the USA Patriot Act.

"There definitely seem to be discrepancies" between the reports, said Liza Goitein, codirector of the Liberty and National Security Program at the Brennan Center for Justice. "It appears that, in the Snowden documents, that [American] information is collected deliberately in far broader circumstances than what the Privacy and Civil Liberties Oversight Board discussed."

Goitein said the privacy board did not have access to large samples of intercepted communications and instead relied heavily on the testimony of NSA officials when crafting its 200-page report. "Testimony is well and good, but show me the money," she added.

That divergence of source material has resulted in several inconsistencies, according to privacy advocates, such as the board's insistence that NSA targets are "individualized" and correspond to something akin to an email address. The Post story, however, reports that the NSA has targeted Internet Protocol addresses of servers, which could conceivably correspond to hundreds or even thousands of Internet users.

The new Snowden leak "certainly shows that the PCLOB may not have received the full story from the intelligence community," said Mark Jaycox, a legislative analyst with the Electronic Frontier Foundation. "TheWashington Post article introduces entirely new facts that should've been addressed by the PCLOB and found in the PCLOB report."

The board's chairman, David Medine, and Patricia Wald, a former D.C. Circuit judge appointed by Jimmy Carter, pressed for stronger safeguards that would require intelligence agencies to obtain a warrant from the Foreign Intelligence Surveillance Court before searching American data collection via 702 programs.

In a statement accompanying the board's unanimous report, Medine and Wald note:

"The Section 702 program has collected hundreds of millions of Internet communications. Even if only a small percentage of those communications are to or from an American, the total number of Americans' communications is likely significant. Furthermore, these communications, which may be maintained for many years in government databases in searchable form, may contain sensitive and confidential matters having nothing to do with the foreign intelligence purposes of the Section 702 program."

In an interview with National Journal, Wald confirmed that the board did not have access to specific numbers, such as those reported in The Washington Post, which concluded that nine accounts of Internet data are collected incidentally on average for every one target.

"We did not know anything about the percentage that would be intercepted as non-targeted, or as a subset of that, Americans that were not targeted," Wald said. "If true, [the Snowden leak] adds more numbers to [our analysis]."

In May, the House passed legislation that would require the government to obtain a warrant before searching the communications of Americans' data gathered incidentally under 702 authority. The privacy board, however, did not endorse any legislation that would close so-called backdoor domestic searches. The Senate Judiciary Committee has said it will take up NSA reform this summer, and Chairman Patrick Leahy has indicated that backdoor searches may be a top area of focus.

The Snowden leak additionally appears to confirm what privacy groups have long assumed: that private, sensitive information belonging to Americans is being collected and kept through 702 surveillance. The batch of communications data examined by The Post, which reportedly included nearly 900 email addresses that could be "strongly linked" to Americans, includes pictures of infants in bathtubs and women modeling lingerie. The article does not make it explicitly clear which or how many images reviewed by NSA analysts belong to Americans.

During the privacy board's meeting last week, multiple members mentioned that they hoped its report would clear up misconceptions about 702 surveillance.

"I'd like to dispel any notion that this program is likely to give the government a complete or even a significant picture of an American's private life," said Rachel Brand, a conservative member of the five-member panel, during her opening remarks.

But privacy groups strongly pushed back on that assertion.

"The idea that intimate details are not being collected … is not the whole story," said Neema Guliani, legislative counsel with the American Civil Liberties Union. "And the Post story really speaks to that."

Brand would not comment about the Post article, except to say the new Snowden leak made her "concerned about the privacy implications of the NSA's inability to safeguard this data."

Wald additionally noted that incidental collection could show "a slice of life" but would likely not be able to reveal a complete portrait of an American's personal life.

The Brennan Center's Goitein disagreed with that assessment.

"There's no reason why surveillance has to be comprehensive to be abused," Goitein said. "All you need is one incriminating or embarrassing piece of information about a person to make their life difficult."

Threatwatch Alert

Network intrusion / Stolen credentials

Catch of the Day comes clean on 2011 breach of customer data

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
// 5:05 PM ET