The National Security Agency spends about $30 million a year on its privacy and civil liberties compliance programs and has several active research efforts underway focused on developing privacy-enhancing technologies, according to a new transparency report released Tuesday.
The report, NSA’s Civil Liberties and Privacy Protections for Targeted SIGINT Activities Under Executive Order 12333, is the second transparency report released by the NSA since it created the agency’s first Civil Liberties and Privacy Office in January. Although the first report focused on how the NSA carries out its mission in accordance with Section 702 of the Foreign Intelligence Surveillance Act, this latest report focuses on NSA’s signals intelligence collection authorities as defined by Executive Order 12333 and outlines the measures the agency takes to safeguard the privacy and civil liberties of U.S. citizens.
In addition to the funding that supports a compliance staff of more than 300, NSA has initiated several research and development programs that may not only help NSA’s compliance efforts but could also be transferred to the private sector, according to the report.
One of the research efforts is focused on private information retrieval. “This area has the potential to improve data security and privacy protection by cryptographically preventing unauthorized users from accessing protected data,” the report states. Researchers are also developing hardware and software security tools, including “using commercially available microprocessor technology to produce a secure and private computing environment; prototyping systems that validate authorized program execution, querying and auditing; developing tamper-proof hardware and software models; and developing secure failure techniques upon detection of adverse activity.”
NSA is also exploring research opportunities to build upon the many existing capabilities currently deployed in NSA systems for privacy protection. These efforts include tools and techniques to suppress or mask data that constitutes personal information, new cloud architectures with augmented privacy protections and tools for enhancing privacy when analyzing big data.
The report outlines specific civil liberties and privacy risks associated with NSA’s SIGINT collection activities. Specifically, the privacy office acknowledges that NSA could collect data that is not related to a specific, authorized target, and that it could erroneously mark data as collected under one authority when it was actually collected under a different authority.
“These potential errors could impact some methods used to control access to SIGINT mission data,” the report states.
To help minimize the chances of these errors occurring, the NSA uses automated tools that mark the data so the agency can identify its source and authority and apply access restrictions. It also uses automated systems that identify when it has collected data it should not have received and automatically delete that data, according to the report. The transition to newer data repositories in the intelligence community’s emerging cloud infrastructure will enable the agency to improve access controls, the report states.
Roy Snell, CEO of the Society of Corporate Compliance and Ethics, has worked with members of NSA’s compliance team and said the agency’s investment in compliance is substantial.
“NSA’s commitment to compliance both in resources and the quality of their compliance leadership is above average,” Snell told FedScoop. “Not only do they dedicate resources to compliance, they have selected an excellent team of people to lead this effort. In my opinion they have one of the strongest compliance programs of any governmental agency.”