In a rare unprompted press statement, the NSA explained that it would halt “any upstream internet communications that are solely ‘about’ a foreign intelligence target,” restricting its surveillance to messages sent or received by foreign intelligence targets.
TechCrunch spoke with General Michael Hayden, former director of the NSA and CIA, about how the shift will be implemented and the reasoning behind the agency’s surprise decision.
TC: Will this significantly impact the quality of the NSA’s data collection on foreign targets?
Hayden: This will have an impact, I think marginal, on some foreign intelligence collection. It also reduces to zero the amount of inadvertent collection you do on Americans. We do that balancing all the time. They decided they were getting too much inadvertent collection… but you lose some legitimate collection as well.
TC: Why did the NSA have so much trouble complying with court rules?
Hayden: It’s routine due diligence, we do this all the time. I have been told there were court concerns about how much inadvertent collection was taking place. No one has blinders on, they know there’s going to be grand debate about this system. They’ve got an option here with marginal intelligence disadvantage to reduce how much it squeezes American privacy. Operational, political, legal — it all makes sense.
No one has blinders on, they know there’s going to be grand debate about this system. They’ve got an option here with marginal intelligence disadvantage to reduce how much it squeezes American privacy.
This does not affect something that will be contentious this summer. The stuff you will continue to collect, you can use a U.S. person identifier to query the data you’ve already collected. That will also be contentious.
I don’t think that’s right. The number of times you use a U.S. person query is easily retrievable. Incidental [collection] is “foreigner is in the conversation,” but there’s information to, from or about an American.
They didn’t know how much inadvertent [collection] they had unless you go back and look at every one. Wyden kept saying, how many? We said we don’t know…
TC: What does this mean for upstream data collection?
Hayden: What they’re going to do, they’ve got to have a selector for upstream to grab the email coming by and it has to be someone they believe is not an American and outside the U.S. Up until this point, they used the selector to check to see who the email was from or to, or if the selector was mentioned in the body of the email.
The problem they had was when you use the selector “about” in the body of the email, occasionally you will pick up a communication in which neither end is foreign, in which both ends are American. It’s inadvertent and it’s not authorized. When you discover it, you have to flush it from the system. Occasionally, when the foreign selector was in the body of the email and they picked up a communication, unless they looked at the email they would never know it. It would just sit in the database.
In order to go the extra mile for American privacy, they are going to give up a bit of collecting that might have been useful.
What they decided to do, and this means giving up a bit of intelligence collection, they are going to stop using the “about” selector. The only thing you’re going to intercept is a communication to or from your target. In order to go the extra mile for American privacy, they are going to give up a bit of collecting that might have been useful. What this means is they were also getting a lot of information from a foreign selector mentioned in a body of email that wasn’t “us to us.”
They are going to give up some coverage, but it’s due diligence so as not to do the inadvertent collection of communication between two Americans.
And then they’re going to go back in the database and purge all the collection that was triggered by “about,” without regard to who the communicates were.
TC: Does this mean the agency has a viable workaround that decouples “about” surveillance from upstream surveillance?
Hayden: They do. There is technology available to them that allows the selector to be applied to the “to” or “from.” You got a gajillion emails skidding by, your selector grabs the one related to the foreign target outside the US. [The] selector is just going to look at the to and from, not the content.
It isn’t objectionable except when you do it that way, when you’re grabbing some emails because of the content, occasionally you are getting emails to and from an American, [on] both ends.
It’s an operational decision. We do this all the time, balancing privacy and operational effect. [It’s] a reasonably dramatic step to preserve privacy. I think they made the operational decision.