An audit conducted by the National Security Agency inspector general raises questions about the intelligence agency’s data retention policies.
The National Security Agency collects and stores a gargantuan amount of signals intelligence data in various databases and its own cloud, but a December audit by its inspector general suggests the agency’s penchant for keeping some data too long could pose civil liberties concerns.
The audit defines SIGINT data as communications or electronics intelligence or foreign instrumentation intelligence collected pursuant to the Foreign Intelligence Surveillance Act and Executive Order 12333.
“The [Office of Inspector General’s] findings reflect significant risks of noncompliance with legal and policy requirements for retention of SIGINT data,” the audit states. “These requirements include established minimization procedures for NSA SIGINT authorities, meaning that the deficiencies we identified have the potential to impact civil liberties and individual privacy.”
The audit measured the NSA’s data deletion efforts, compliance efforts and retention controls. The audit, which reviewed data deletion efforts, compliance efforts and retention controls, found the NSA’s primary content repository—called a Source System of Record, or official data source—“has retained a small percentage of a large number of SIGINT data objects beyond legal and policy retention limits.” Some of the data sampled by auditors exceeded the five-year legal retention period.
In addition, auditors found the NSA’s data retention guidance “outdated” and oversight supporting retention compliance “insufficient.” The NSA’s current data retention policy was last updated in March 2015, and auditors made a series of recommendations to help the spy agency improve its data retention policies.
In total, auditors made 11 recommendations. The NSA agreed to take action on each and has already taken action to close four of the recommendations, according to the audit.
"As required by law and agency policies, on an ongoing basis, NSA deletes data that was lawfully collected in connection with the agency's foreign signals intelligence mission, balancing privacy concerns with the need to have relevant data available for analysis in connection with national security threats," the NSA said in a public response to the audit on Twitter. "The agency's goal is for perfect compliance. In this case, the IG identified an error rate involving substantially less than one-tenth of 1% of items that should have been deleted. NSA treats this seriously and has implemented steps to further reduce the possibility of errors consistent with the OIG report."
Editor's note: This article was updated to include comments from the NSA.