US Gov Releases First NSA Transparency Report

This morning the Director of National Intelligence (DNI) released a report detailing its use of various legal authorities in 2013 to execute surveillance, and the number of targets impacted by each method.

The move was hinted at in March of this year, when NSA Deputy Director Rick Ledgett said that the government was “actually working on a proposal right now to be transparent and to publish transparency reports in the same way the Internet companies do.” According to the report, the information that it includes was declassified four days ago.

At issue in the data is an incredibly wide definition of the word “target” for the included FISA-related data, which as defined in the document could “be an individual person, a group, or an organization composed of multiple individuals or a foreign power that possesses or is likely to communicate foreign intelligence information that the U.S. government is authorized to acquire by the above-referenced laws.”

Under FISA Orders, 1,767 orders impacted 1,144 targets. The DNI also reported 131 orders under FISA Pen Register and Trap and Trace legal authorities impacting 319 targets.

Section 702 searches, the legal authority under which the controversial PRISM program operates, reported a single order, and 89,138 targets.

Regarding Title V of FISA, under the NSA telephony metadata program, 423 selectors were approved “to be queried” in 2013. According to the government, 248 people “known or presumed U.S. persons […] were the subject of queries of information collected in bulk or who were subject to a business [text ends].”

Finally, the government detailed that it issued 19,212 National Security Letters, and made 38,832 requests for information on an annual basis.

So, what does the above tell us. Regarding the FISA figures, they seem to square with what technology companies sued to be able to disclose. Microsoft, for example, previously reported that in the first half of 2013, it received between 0 and 999 FISA orders for content that impacted between 15,000 and 15,999 accounts. In the first half of 2013, by way of another example, Google indicated that it had received between 0 and 999 FISA orders for content, impacting 9,000 to 9,999 accounts.

Do we now have a full picture of the NSA’s activities? It doesn’t appear so. Microsoft’s top lawyer, Brad Smith, recently gave a talk arguing against bulk data collection and surveillance, touching on the dissonance that Microsoft felt between the amount of information that the government was said to have, and the amount that his company was providing pursuant to legal requests:

Smith continued, indicating that Microsoft, in the aftermath of the Snowden revelations, “had a hard time reconciling [the many] public reports of government access to large amounts of data, with the relatively small amounts” that the company, and likely others like it, had in fact provided.

The answer, Smith stated, came in a report detailing that the NSA was tapping the data cables of U.S.-based companies abroad. Microsoft had to assume that if Yahoo and Google were targeted — those were the two firms cited — it was likely also a target.

So, while it’s quite nice to see the government detail the number of U.S. persons that were targeted under the NSA telephony program, there is more to the NSA’s efforts that we’re not seeing in the above.

Also note the gentle irony between the government’s bristling take on Edward Snowden — the primum movens of the recently declassified data — and the fact that the government actually released this stuff. It’s a mild endorsement of the whistleblower, and at minimum a self-effacing note that the government went too far under the cover of secrecy, for too long.

Update: I missed this earlier today, but Google responded to the NSA’s report. The technology giant pointed out the natural tension between the way that tech companies and the way the government reports data requests:

Specifically, the government has chosen to disclose an estimated number of “targets” that it has surveilled, rather than the number of “accounts” at issue. This means that where the “target” is an organization composed of many people […] By contrast, in our methodology, and that used by other companies, we each would count the number of accounts impacted by a particular surveillance request.

Google then indicates that if the government would release the number of impacted accounts, that would be another useful statistic. I’d warrant that the chance of that happening is low, to lower.

Still, it’s nice to see Google and Microsoft demanding change as they are. The two firms have combined market capitalization of just under $750 billion.