Snowden Undermines Presidential Panel’s Defense of NSA Spying

Just when the Na­tion­al Se­cur­ity Agency looked as though it had fi­nally scored a vic­tory for its ma­ligned sur­veil­lance pro­grams, Ed­ward Snowden again crashed the party.

The fu­git­ive’s new­est leak, re­por­ted by The Wash­ing­ton Post over the week­end, claims that the vast ma­jor­ity of ac­counts scooped up in a for­eign-in­tel­li­gence pro­gram are not those of ac­tu­al over­seas tar­gets but or­din­ary In­ter­net users whose com­mu­nic­a­tions with those tar­gets are in­cid­ent­ally col­lec­ted.

The con­tents of the sur­veil­lance files — al­most half of which con­tained in­form­a­tion from U.S. cit­izens or res­id­ents — “tell stor­ies of love and heart­break, il­li­cit sexu­al li­ais­ons, men­tal-health crises, polit­ic­al and re­li­gious con­ver­sions, fin­an­cial anxi­et­ies and dis­ap­poin­ted hopes,” The Post re­ports.

While re­veal­ing on its face, Snowden’s latest rev­el­a­tion also ar­rived just days after the Pri­vacy and Civil Liber­ties Over­sight Board, an in­de­pend­ent watch­dog agency, deemed spy­ing un­der Sec­tion 702 of the For­eign In­tel­li­gence Sur­veil­lance Act leg­al and ef­fect­ive.

Sec­tion 702, amended in 2008 by Con­gress, al­lows in­tel­li­gence agen­cies to spy on the com­mu­nic­a­tions of for­eign­ers be­lieved to be liv­ing out­side the United States. It provides the leg­al au­thor­ity for an NSA pro­gram known as “PRISM,” in which the agency de­mands that Face­book, Google, and oth­er In­ter­net com­pan­ies hand over users’ com­mu­nic­a­tions. Sec­tion 702 also al­lows in­tel­li­gence agen­cies to tap in­to the In­ter­net back­bone to col­lect massive amounts of in­ter­na­tion­al com­mu­nic­a­tions, a pro­gram un­of­fi­cially known as “Up­stream.”

Wheth­er in­ten­tion­al or not, the timely Post art­icle — the cul­min­a­tion of a four-month in­vest­ig­a­tion of 160,000 email and in­stant-mes­sage con­ver­sa­tions — serves in part as a re­buke to the pri­vacy board’s con­clu­sions, civil-liber­ties groups say, and calls in­to ques­tion the com­plete­ness of its re­view, which stands in stark con­trast to the board’s crit­ic­al re­view earli­er this year of the spy­ing on do­mest­ic phone re­cords un­der Sec­tion 215 of the USA Pat­ri­ot Act.

“There def­in­itely seem to be dis­crep­an­cies” between the re­ports, said Liza Goitein, co­dir­ect­or of the Liberty and Na­tion­al Se­cur­ity Pro­gram at the Bren­nan Cen­ter for Justice. “It ap­pears that, in the Snowden doc­u­ments, that [Amer­ic­an] in­form­a­tion is col­lec­ted de­lib­er­ately in far broad­er cir­cum­stances than what the Pri­vacy and Civil Liber­ties Over­sight Board dis­cussed.”

Goitein said the pri­vacy board did not have ac­cess to large samples of in­ter­cep­ted com­mu­nic­a­tions and in­stead re­lied heav­ily on the testi­mony of NSA of­fi­cials when craft­ing its 200-page re­port. “Testi­mony is well and good, but show me the money,” she ad­ded.

That di­ver­gence of source ma­ter­i­al has res­ul­ted in sev­er­al in­con­sist­en­cies, ac­cord­ing to pri­vacy ad­voc­ates, such as the board’s in­sist­ence that NSA tar­gets are “in­di­vidu­al­ized” and cor­res­pond to something akin to an email ad­dress. The Post story, however, re­ports that the NSA has tar­geted In­ter­net Pro­tocol ad­dresses of serv­ers, which could con­ceiv­ably cor­res­pond to hun­dreds or even thou­sands of In­ter­net users.

The new Snowden leak “cer­tainly shows that the PCLOB may not have re­ceived the full story from the in­tel­li­gence com­munity,” said Mark Jay­cox, a le­gis­lat­ive ana­lyst with the Elec­tron­ic Fron­ti­er Found­a­tion. “The Wash­ing­ton Post art­icle in­tro­duces en­tirely new facts that should’ve been ad­dressed by the PCLOB and found in the PCLOB re­port.”

{{ BIZOBJ (video: 5064) }}

The board’s chair­man, Dav­id Med­ine, and Pa­tri­cia Wald, a former D.C. Cir­cuit judge ap­poin­ted by Jimmy Carter, pressed for stronger safe­guards that would re­quire in­tel­li­gence agen­cies to ob­tain a war­rant from the For­eign In­tel­li­gence Sur­veil­lance Court be­fore search­ing Amer­ic­an data col­lec­tion via 702 pro­grams.

In a state­ment ac­com­pa­ny­ing the board’s un­an­im­ous re­port, Med­ine and Wald note:

“The Sec­tion 702 pro­gram has col­lec­ted hun­dreds of mil­lions of In­ter­net com­mu­nic­a­tions. Even if only a small per­cent­age of those com­mu­nic­a­tions are to or from an Amer­ic­an, the total num­ber of Amer­ic­ans’ com­mu­nic­a­tions is likely sig­ni­fic­ant. Fur­ther­more, these com­mu­nic­a­tions, which may be main­tained for many years in gov­ern­ment data­bases in search­able form, may con­tain sens­it­ive and con­fid­en­tial mat­ters hav­ing noth­ing to do with the for­eign in­tel­li­gence pur­poses of the Sec­tion 702 pro­gram.”

In an in­ter­view with Na­tion­al Journ­al, Wald con­firmed that the board did not have ac­cess to spe­cif­ic num­bers, such as those re­por­ted in The Wash­ing­ton Post, which con­cluded that nine ac­counts of In­ter­net data are col­lec­ted in­cid­ent­ally on av­er­age for every one tar­get.

“We did not know any­thing about the per­cent­age that would be in­ter­cep­ted as non-tar­geted, or as a sub­set of that, Amer­ic­ans that were not tar­geted,” Wald said. “If true, [the Snowden leak] adds more num­bers to [our ana­lys­is].”

In May, the House passed le­gis­la­tion that would re­quire the gov­ern­ment to ob­tain a war­rant be­fore search­ing the com­mu­nic­a­tions of Amer­ic­ans’ data gathered in­cid­ent­ally un­der 702 au­thor­ity. The pri­vacy board, however, did not en­dorse any le­gis­la­tion that would close so-called back­door do­mest­ic searches. The Sen­ate Ju­di­ciary Com­mit­tee has said it will take up NSA re­form this sum­mer, and Chair­man Patrick Leahy has in­dic­ated that back­door searches may be a top area of fo­cus.

The Snowden leak ad­di­tion­ally ap­pears to con­firm what pri­vacy groups have long as­sumed: that private, sens­it­ive in­form­a­tion be­long­ing to Amer­ic­ans is be­ing col­lec­ted and kept through 702 sur­veil­lance. The batch of com­mu­nic­a­tions data ex­amined by The Post, which re­portedly in­cluded nearly 900 email ad­dresses that could be “strongly linked” to Amer­ic­ans, in­cludes pic­tures of in­fants in bathtubs and wo­men mod­el­ing linger­ie. The art­icle does not make it ex­pli­citly clear which or how many im­ages re­viewed by NSA ana­lysts be­long to Amer­ic­ans.

Dur­ing the pri­vacy board’s meet­ing last week, mul­tiple mem­bers men­tioned that they hoped its re­port would clear up mis­con­cep­tions about 702 sur­veil­lance.

“I’d like to dis­pel any no­tion that this pro­gram is likely to give the gov­ern­ment a com­plete or even a sig­ni­fic­ant pic­ture of an Amer­ic­an’s private life,” said Rachel Brand, a con­ser­vat­ive mem­ber of the five-mem­ber pan­el, dur­ing her open­ing re­marks.

But pri­vacy groups strongly pushed back on that as­ser­tion.

“The idea that in­tim­ate de­tails are not be­ing col­lec­ted “¦ is not the whole story,” said Neema Guliani, le­gis­lat­ive coun­sel with the Amer­ic­an Civil Liber­ties Uni­on. “And the Post story really speaks to that.”

Brand would not com­ment about the Post art­icle, ex­cept to say the new Snowden leak made her “con­cerned about the pri­vacy im­plic­a­tions of the NSA’s in­ab­il­ity to safe­guard this data.”

Wald ad­di­tion­ally noted that in­cid­ent­al col­lec­tion could show “a slice of life” but would likely not be able to re­veal a com­plete por­trait of an Amer­ic­an’s per­son­al life.

The Bren­nan Cen­ter’s Goitein dis­agreed with that as­sess­ment.

“There’s no reas­on why sur­veil­lance has to be com­pre­hens­ive to be ab­used,” Goitein said. “All you need is one in­crim­in­at­ing or em­bar­rass­ing piece of in­form­a­tion about a per­son to make their life dif­fi­cult.”