NSA Has ‘No Idea’ How Many American Citizens It’s Spying On

Lawmakers, who are being asked to approve FBI access to wiretapped data, want some basic answers first.

The National Security Agency (NSA) is watching the electronic communications of hundreds of millions people, allegedly to find foreign threats. But before Congress reauthorizes laws allowing this, it has a question:

How many Americans are caught up in the government’s digital dragnets?

The answer, says National Intelligence Director James Clapper, is that we have no idea. “We’re looking at several options right now, none of which are optimal,” said Clapper at a press briefing in Washington DC recently. Security officials argue that analyzing the dataset would mean even more intrusions upon Americans’ privacy. “Many people find that unsatisfactory, but that is a fact,” says Clapper.

Members of Congress are definitely not satisfied. Four years of prompting by US senators Ron Wyden and Mark Udall to nail down the number of Americans whose phone calls and emails are being collected has produced little. The senators, along with colleagues, wrote an exasperated letter (pdf) to Clapper stating, “We are not asking you for an exact count. Today, our request is simply for a rough estimate.”

Fueling the controversy, the NSA says it wants to start sharing raw communications data it collects with domestic law enforcement such as the FBI. That conflicts with intelligence agencies’ assertions that its programs are strictly to target foreigners. “Our employees are trained to not look for US persons,” NSA privacy and civil liberties officer Rebecca Richards told The Hill in March. “We’re not interested in those US persons. We’re trying to look away from those.”

Yet a secret 2015 court ruling (pdf) unsealed this week shows that warrantless spying has already been formally approved by the Foreign Intelligence Surveillance Courts for general criminal investigations in the US, says the Electronic Frontier Foundation. These revelations have prompted dozens of advocacy groups to write intelligence officials that they are (again) circumventing constitutional protections and “pose new threats to the privacy and civil liberties of ordinary Americans”.

The worries focus on two core programs first revealed publicly by former CIA contractor Edward Snowden: PRISM and Upstream. These vast electronic listening programs - authorized by Section 702 of the Foreign Intelligence Surveillance Act -collect, sift and deposit much of the world’s electronic telecommunications in US government databases. Nominally targeting non-US citizens, the system pulls data from hundreds of millions of people’s Internet communications, many of whom, the NSA admits, are Americans.

Each program works differently, which adds to the difficulty of figuring out how many people are being caught up in the surveillance. PRISM allows the NSA to retrieve data directly from US companies like Google, Facebook, and Microsoft through negotiated data-sharing contracts. Security analyst Ashkan Soltani mapped out how the system might work based on available information. The NSA sends a request for data; employees pull target emails, text and video chats, photographs, and other data, and then pass it along to the NSA for analysis. “Upstream” is a program that taps even more data by intercepting undersea fiber-optic cables that carry “about 80%” of the world’s traffic. This allows the US government to eavesdrop on foreign communications over US networks and detect suspicious patterns in the metadata.

Yet the political enthusiasm for this type of surveillance is waning. Last year, Congress passed the USA Freedom Act in an overwhelming bipartisan vote that halted the NSA’s bulk collection of phone metadata of US citizens, such as phone numbers, call length and time. The vote marked the first time Congress has restricted government surveillance since the September 11 attacks in 2001.

DefenseOne:

« Modern Fiction: A Novel Is Required Reading At The Pentagon
Less Than a Quarter of Businesses Are Ready To Resist A Cyberattack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

RioRey

RioRey

The DDoS mitigation specialist, from single server to Enterprise wide carrier level networks the RioRey Solution provides effective immediate and easy to manage protection.

Siscon

Siscon

Siscon delivers tailor-made compliance solutions that are based on the customer's specific wishes and reality and then supplement with many years of experience in the field.

TechGuard Security

TechGuard Security

TechGuard Security was founded to address national cyber defense initiatives and US critical infrastructure security.

DirectDefense

DirectDefense

DirectDefense is an information security services and managed services provider.

Axence

Axence

Axence provides professional solutions for the comprehensive management of IT infrastructure for companies and institutions all over the world.

Caulis

Caulis

Caulis FraudAlert is a cyber security solution. It can detect fraud and identity theft based on users’ online behaviour.

Method Cyber Security

Method Cyber Security

Method offers a Cyber Security Risk Management training course for those responsible for the security of industrial automation, control and safety systems.

Anitian

Anitian

The Anitian Compliance Automation platform builds, configures, and monitors cloud environments to accelerate compliance for standards such as FedRAMP, PCI, ISO/GDPR and CJIS.

Crosspring

Crosspring

Crosspring is an incubator/accelerator for people who have the ambition to start a successful business or want to extend their existing business in the areas of FinTech, AR, VR, Cybersecurity and SaaS

Cyentia Institute

Cyentia Institute

The Cyentia Institute is a research & data science firm with a mission to advance knowledge in the cybersecurity industry.

Eaton

Eaton

Eaton provides comprehensive cybersecurity services for operational technology (OT) to help keep your operations and personnel safe.

Ministry of Information and Communications (MIC) - Vietnam

Ministry of Information and Communications (MIC) - Vietnam

The Ministry of Information & Communications of Vietnam is the policy making and regulatory body in the field of information technology and national information and and communication infrastructure.

Cyber Command - Romania

Cyber Command - Romania

Cyber Command represents the military authority responsible for the development, protection and resilience of military IT networks and services that support the Romanian Force Structure.

FTCYBER

FTCYBER

FTCYBER offers the latest technology and data recovery services to identify and extract data from computers and other digital devices.

Silobreaker

Silobreaker

Silobreaker is a SaaS platform that enables threat intelligence teams to produce high-quality and relevant intelligence at a faster pace.

Sasken Technologies

Sasken Technologies

Sasken’s Cybersecurity Services enables enterprises to develop, maintain, and take digital products to the market with security postures that empower operational excellence.