True to his promise to continue disclosing NSA secrets, Edward Snowden has now revealed to the Guardian that the agency intercepted the communications of former Russian President Dmitry Medvedev and other world leaders in 2009. Not only are the leaks embarrassing for the agency, but they also present the NSA with a Catch-22: How do you defend yourself publicly while keeping a lid on classified operations? In the latest installment of Washington’s PRISM spin war, the NSA has opted for vaguely worded, highly legalistic denials and assurances — ones that are often difficult to square with what’s been reported so far about the U.S. intelligence community’s surveillance programs.
Consider the NSA’s latest fact sheet, released on Saturday, which seeks to address allegations about two different programs geared toward collecting Internet data and telephony metadata. And, oh boy, is the NSA’s public relations department trying hard to make Americans feel like they have nothing to worry about.
Let’s begin with the collection of telephony metadata. According to the Washington Post, the NSA is engaged in a large-scale effort to rake in this data — information like the origin and recipient of a call, call length, subscriber information, and the type of device used. The government has code-named this program MAINWAY.
Here’s how the NSA fact sheet describes the system: "The government does not indiscriminately sift through the telephony metadata acquired under this program…. The metadata acquired and stored under this program may be queried only when there is a reasonable suspicion, based on specific and articulated facts, that an identifier is associated with specific foreign terrorist organizations." (The emphasis is the NSA’s.)
Here’s what the NSA isn’t saying: In order to build this database, it is collecting telephone records en masse. If the government is to be believed, it only looks at the data "when there is a reasonable suspicion," but that doesn’t change the fact that your telephone records are sitting on a government server. We don’t know exactly whom the government has collected records from, but the Post revealed Sunday that the NSA has pulled records from other large telephone companies, including AT&T and Bell South.
Next, let’s look at PRISM, the scope of which is hotly disputed. The initial reports describing PRISM alleged that the program involves "direct access" to the servers of several major tech companies. This allegation has since been scaled back, and the current operating wisdom is that PRISM functions as something of a lock box. The government requests information from the companies, and they deposit the relevant information in a secure repository. Under such an arrangement, the NSA might conceivably ask for every Facebook profile in Peshawar, Pakistan — data that Facebook could then deposit in the lock box for the NSA to download.
According to the NSA fact sheet, this program "does not allow the government to target the phone calls or emails of any U.S. citizen or any other U.S. person anywhere in the world, or any person known to the in the United States. It only allows the targeting of communications of foreigners, and even then only when those communications may have foreign intelligence value." The agency further notes that "any information about U.S. persons that may be incidentally acquired" is subject to "minimization procedures."
First, when evaluating the government’s statements about PRISM, it’s crucial to note that it is dealing with Internet content, not metadata. That is, PRISM can give the NSA access to the contents of an entire email inbox. It sweeps up this data in targeted requests to companies, not in bulk as with telephone records. In its statement, the NSA emphasizes that this power is not directed at Americans, only foreigners. But implicit in this program is the fact that Americans’ communications are bound to be swept up when the government collects something like an entire email inbox. When it does so, such information is subject to "minimization procedures." This is where the NSA’s Catch-22 comes in: Since they are highly classified, the government can’t reveal what those minimization procedures entail.
Stepping back, the NSA fact sheet explains that both PRISM and MAINWAY are "subject to strict controls and oversight." In the case of MAINWAY, "only a small number of specifically trained officials may access the data; the Foreign Intelligence Surveillance Court (FISC) reviews the program every 90 days; and the data must be destroyed within 5 years." With PRISM, the Department of Justice and the director of national intelligence regularly review the program, Congress and the FISC receive semi-annual reports, and the FISC "must renew the program each year upon certification" by the attorney general and the director of national intelligence.
What this description of oversight, meant to convey that these intelligence programs are tightly controlled, omits is that the controls on the program exist entirely out of public view. Though some members of Congress are kept in the loop on the NSA’s activities, they are barred from disclosing any of that information to the public. This is why Sen. Ron Wyden, the Oregon Democrat, has been issuing apocalyptic warnings about the NSA’s activities for years without offering any detailed information to substantiate those accusations.
In other words, when President Obama’s interview on the NSA leaks airs Monday night, pay as much attention to what he omits as to what he says.