NSA Has ‘No Idea’ How Many American Citizens It’s Spying On

Uploaded on 2016-06-10 in NEWS-Cybersecurity News, INTELLIGENCE--USA, FREE TO VIEW, BUSINESS-Services-Law

Lawmakers, who are being asked to approve FBI access to wiretapped data, want some basic answers first.

The National Security Agency (NSA) is watching the electronic communications of hundreds of millions people, allegedly to find foreign threats. But before Congress reauthorizes laws allowing this, it has a question:

How many Americans are caught up in the government’s digital dragnets?

The answer, says National Intelligence Director James Clapper, is that we have no idea. “We’re looking at several options right now, none of which are optimal,” said Clapper at a press briefing in Washington DC recently. Security officials argue that analyzing the dataset would mean even more intrusions upon Americans’ privacy. “Many people find that unsatisfactory, but that is a fact,” says Clapper.

Members of Congress are definitely not satisfied. Four years of prompting by US senators Ron Wyden and Mark Udall to nail down the number of Americans whose phone calls and emails are being collected has produced little. The senators, along with colleagues, wrote an exasperated letter (pdf) to Clapper stating, “We are not asking you for an exact count. Today, our request is simply for a rough estimate.”

Fueling the controversy, the NSA says it wants to start sharing raw communications data it collects with domestic law enforcement such as the FBI. That conflicts with intelligence agencies’ assertions that its programs are strictly to target foreigners. “Our employees are trained to not look for US persons,” NSA privacy and civil liberties officer Rebecca Richards told The Hill in March. “We’re not interested in those US persons. We’re trying to look away from those.”

Yet a secret 2015 court ruling (pdf) unsealed this week shows that warrantless spying has already been formally approved by the Foreign Intelligence Surveillance Courts for general criminal investigations in the US, says the Electronic Frontier Foundation. These revelations have prompted dozens of advocacy groups to write intelligence officials that they are (again) circumventing constitutional protections and “pose new threats to the privacy and civil liberties of ordinary Americans”.

The worries focus on two core programs first revealed publicly by former CIA contractor Edward Snowden: PRISM and Upstream. These vast electronic listening programs - authorized by Section 702 of the Foreign Intelligence Surveillance Act -collect, sift and deposit much of the world’s electronic telecommunications in US government databases. Nominally targeting non-US citizens, the system pulls data from hundreds of millions of people’s Internet communications, many of whom, the NSA admits, are Americans.

Each program works differently, which adds to the difficulty of figuring out how many people are being caught up in the surveillance. PRISM allows the NSA to retrieve data directly from US companies like Google, Facebook, and Microsoft through negotiated data-sharing contracts. Security analyst Ashkan Soltani mapped out how the system might work based on available information. The NSA sends a request for data; employees pull target emails, text and video chats, photographs, and other data, and then pass it along to the NSA for analysis. “Upstream” is a program that taps even more data by intercepting undersea fiber-optic cables that carry “about 80%” of the world’s traffic. This allows the US government to eavesdrop on foreign communications over US networks and detect suspicious patterns in the metadata.

Yet the political enthusiasm for this type of surveillance is waning. Last year, Congress passed the USA Freedom Act in an overwhelming bipartisan vote that halted the NSA’s bulk collection of phone metadata of US citizens, such as phone numbers, call length and time. The vote marked the first time Congress has restricted government surveillance since the September 11 attacks in 2001.

DefenseOne:

« Modern Fiction: A Novel Is Required Reading At The Pentagon
Less Than a Quarter of Businesses Are Ready To Resist A Cyberattack »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Brookings Institution

Brookings Institution

The Brookings Institution is a nonprofit public policy organization. Cyber security is covered within the various study areas.

CLUSIL

CLUSIL

CLUSIL is an association for the information security industry in Luxembourg.

Cyber Triage

Cyber Triage

Cyber Triage is an automated incident response software any company can use to investigate their network alerts.

Monegasque Digital Security Agency (AMSN) - Monaco

Monegasque Digital Security Agency (AMSN) - Monaco

AMSN is the national authority in charge of the security of information systems in Monaco.

ThirdWatch

ThirdWatch

ThirdWatch is a Data Science company with real-time automated fraud prevention solutions.

The Security Company (TSC)

The Security Company (TSC)

The Security Company is a leading provider of creative employee security awareness programmes.

QI ANXIN Technology Group

QI ANXIN Technology Group

QI ANXIN specializes in serving the cybersecurity market by offering next generation enterprise-class cybersecurity products and services to government and businesses.

Simply Hired

Simply Hired

Simply Hired is a job search engine that collects job listings from all over the web, including company career pages, job boards and niche job websites.

HackHunter

HackHunter

HackHunter’s passive sensor network continuously monitors, detects and alerts when a malicious WiFi network and/or hacking behaviour is identified.

Field Effect Software

Field Effect Software

Field Effect Software build sophisticated and integrated IT security, threat surface reduction, training and simulation capabilities for enterprises and small businesses.

DMARC360

DMARC360

DMARC360 analyzes your email traffic patterns and sources, rapidly deploys email authentication protocols and monitors your email domains with automated recommendations and incident response.

Sollensys

Sollensys

Sollensys is a leader in commercial blockchain applications. Our flagship product, The Blockchain Archive Server™ is the best defense against the devastating financial loss that ransomware causes.

Swish Data Corp.

Swish Data Corp.

Swish delivers when the problems are complex, requirements are difficult, and the mission is absolutely critical.

Nuts Technologies

Nuts Technologies

Nuts Technologies are simplifying data privacy and encryption with our innovative and novel data containers we call nuts based on our Zero Trust Data framework.

Gotham Security

Gotham Security

Gotham Security delivers high-quality penetration testing, malicious adversary simulation, compliance program development, and threat intelligence services.

ThreatNG Security

ThreatNG Security

ThreatNG is redefining external attack surface management (EASM) and digital risk protection with a platform of unmatched breadth, depth, and capabilities in thwarting technical and business threats.