Congress blesses more NSA domestic spying

Bill lets NSA hold surveillance data 5 years, asks for a way to catch the next Ed Snowden before the truth causes even more trouble.


Congress has passed a bill ordering the U.S. intelligence community to conduct a feasibility study to find out whether a database kept up to date with the latest malware and "cyber threat indicators" would help stop either one.

The Intelligence Authorization Act for Fiscal Year 2015, as posted by GovTrack, which was passed by the House and Senate and headed today to the White House, is filled mostly with routine housekeeping issues, rule changes and requests for comprehensive updates on issues like the fight against al-Qaeda.

There are a number of provisions, however, that could be interpreted as reform, or additional Congressional efforts to add controls to the burgeoning U.S. intelligence community, though not in respect to any of the issues people have been complaining about lately.

One provision attempts to protect whistleblowers by allowing intelligence-agency employees to defend themselves against administrative charges by showing they've been the victim of reprisals following an unauthorized disclosure of non-classified information.

It also contains what is effectively a non-compete provision that requires anyone who leaves a sensitive job in U.S. intelligence to report any subsequent job that might conflict.

The parts of the act that do relate to the NSA eavesdropping scandal that touched off the most direct opposition to U.S. intelligence-gathering since the attacks of 9/11, however, don't make a lot of changes.

The only change that section makes is to say federal eavesdroppers can't hold on to recordings for more than five years.

Before the Act says anything about what to do with data collected without a warrant, it refers to the data as "incidentally acquired communications," as if it was talking about a few snippets of conversation accidentally overheard by NSA employees out for a stroll at lunchtime and noted down on Post-Its just in case it might ever be important. What "incidentally acquired communications" actually means is hundreds of terabytes of data pulled out of the air, from personal cell-phone frequencies and internet trunks and, in some cases, tapped directly from the databases and datacenter networks of ISPs, email services, Microsoft, Yahoo, Google and other places the digital lives of Americans intersect. It means so much data that even the projection of how much data it would be overflowed the NSA's giant datacenter in Bethesda, Md., and forced it to spend more than $1 billion building a giant datacenter so giant that each of the four datacenters inside would qualify all by itself as a giant datacenter. It means a covert, aggressive, unconstitutional theft of private data and conversations that some of the NSA's own reports admit are of low value for intelligence purposes and which is so offensive to people who live around the datacenter – in Utah, one of the most politically conservative and defense/intelligence-friendly states in the country – that a large minority support their state rep's attempts to pass legislation that will cut off state water and power to the listening post.

In their effort to preserve the Constitution and respond to the outrage of their constituents, Congress and the Senate passed a law allowing the NSA to keep all that data for five years, with three ways to stretch the holding period out for any given block of data – but for each method there's a price to be paid.

The first way is to say that a particular piece or bloc of information relates to a credible threat to human life. The price for that extension is that the agency has to tell Congress within 30 days that the threat exists and that data is being stored to fend off the danger.

Agencies can also retain data for more than 5 years if there's a chance they'll be sued and might need it to satisfy "technical assurance or compliance purposes." The downside? Every time they need to keep stolen data to defend themselves when they get sued for stealing data, NSA managers have to mark it down on a report and tell Congress at the end of the year.

The last extension covers any bloc of information that the head of the agency is willing to say must be held for the sake of national security.

There's a longer and more ironic price for that, though.

To claim information is vital to national security, the head of the agency has to provide Congressional intelligence committees with a certificate.

That certificate must explain how long they want to keep the data and why keeping the information is important to national security – not why that particular piece of information is vital, but all the bits of data within a bloc being considered. (A data block being something like: "Everything_America_Said_on_the_Phone_or_Internet_Sept. 11 2001_to_Dec.31 2015.ext4.")

The NSA can also stretch out the five years by getting the head of the agency responsible for holding it to decide that information is important to the national security of the United States, in which case Congress wants a report giving the reason that data is needed, length of time it might be needed, particular information that is being kept and.

And – here's the ironic part – to justify holding recordings of conversations between American citizens not suspected of a crime, inside the borders of the United States, or stolen directly from the databases of ISPs, email services or Google, Yahoo and the other content interchanges of the Internet, the agency has to report to Congress the things it is doing to ensure the privacy of Americans both at home and abroad.

The act also has some reforms built in.

Sect. 305 adds a kind of non-compete agreement that requires spies or analysts who had access to sensitive information but quit the agency for another job to check in with their former bosses any time during the next two years they take a job that could potentially conflict with their old one. Like, say, if they'd been an IT guy for the NSA in Hawaii and now work for the Russian version of Facebook.

Another attempt at reform is the section describing improvements that do the opposite of what most people mean by reform.

Within six months after the bill is signed, Sec. 308 reads, the National Counterintelligence Executive has to send Congress a report evaluating how federal agencies can use private-sector policies, tools and best practices to counter "insider threats." In this case, "insider threat" means "whistleblower," and what Congress wants to know is how to find out from your credit score whether you'll keep your mouth shut or go all Edward Snowden and force one of the big spy bosses to sneak up to Capitol Hill and explain to Congress that it should keep its nose out of the NSA's business.
