Perspective: Curbing data use is key to reining in NSA

Proposed legislation and rules focus mostly on curbing data collection activities, not on controlling use of personal data

Any effort to rein in the National Security Agency (NSA) after its widespread spy activities were revealed last summer in leaked documents must focus on more than simply limiting what personal data can be collected.

The key to maintaining some semblance of privacy for ordinary citizens is to limit how any data about them collected by the spy agency is used.

In the months since Edward Snowden began leaking to the press classified documents detailing NSA surveillance activities, there's been a flurry of calls for new restrictions on how much data can be collected and few calling for limits how any data collected can be used.

Since the classified documents were exposed in June, federal lawsuits challenging the NSA's collection of phone metadata records have been filed in New York and Washington D.C. Such lawsuits face difficulties as the U.S. Supreme Court this week declined, without explanation, to hear a similar petition filed by the Electronic Privacy Information Center.

Also, several U.S. lawmakers have proposed legislation to curtail some NSA surveillance activities while adding transparency to those that remain. For instance, a bipartisan bill dubbed the USA Freedom Act, seeks to end the agency's call records collection program and make the secret FISA courts that oversee NSA surveillance requests more accountable to the public.

Meanwhile, Google, Yahoo and others have fueled new efforts to block the NSA's apparently systematic efforts to weaken encryption standards and to harvest data by allegedly tapping their data links.

Many see such efforts as fundamental to curbing the NSA's apparently insatiable appetite for collecting data under the aegis of counter-terrorism. After all, the NSA cannot misuse data that it doesn't have.

But even if all attempts at curbing the NSA's data collection activities are successful, abundant data would still be collected with few limits on how it's used.

The NSA is currently building a massive, $1.53 billion data center near Salt Lake City that it says will be able to to store and process exabytes of data -- call records, social media interactions, Internet conversations, search related data and other information culled from around the world.

It's inconceivable that all of this data is related to potential terrorist activity.

Therefore, the most important question should be: What does the NSA do with all the data it collects?

The spy agency should be required disclose its rules for handling collected data, who it can be shared with, who can access it, how its analyzed and the processes for data deletion.

The NSA insists that multiple controls are already in place to prevent misuse of the data it collects. It generally points first to the secret FISA court an example of oversight of its activities.

NSA director Keith Alexander and James Clapper, U.S. Director of National Intelligence, both maintain that the spy agency's sole focus is on detecting and deterring national security threats. The program is not designed to snoop on innocent Americans, they say.

In a keynote address at the Black Hat security conference in July, Alexander insisted that the agency does not routinely listen in on phone calls, monitor email content or collect personal data of U.S. or foreign citizens.

Alexander said only 22 NSA officials can authorize such searches and only 35 of several thousand NSA analysts can run queries on collected data. Each query must be related to an anti-terror investigation and is fully auditable, he said.

However, such claims cannot be verified. The NSA, and other government officials, claiming national security grounds, have to date stymied attempts to obtain such details about ongoing spy programs.

Meanwhile, NSA Inspector General George Ellard earlier this year said he found at least 12 substantiated instances where NSA analysts misused data access privileges to spy on spouses, boyfriends and girlfriends. The IG's report also cited multiple violations of rules in place for handling collected data.

Though the report cited relatively few instances, and none especially serious, it does suggest that the NSA doesn't oversee the activities as closely as its leaders claim.

There's also little disclosure on how data collected by the NSA is used by other federal agencies, such as the FBI and the U.S. Department of Homeland Security.

The McClatchy newspaper company's Washington bureau reported this week that data collected by the DHS' Customs and Border Protection agency in connection with a probe of two individuals allegedly teaching others how to beat lie detector tests was shared with nearly 30 federal agencies.

The report said that some 4,900 people in the Internal Revenue Service, the NSA, the CIA, DHS and other agencies accessed the data, which included names, Social Security Numbers, addresses and professions.

Officials from multiple agencies confirmed receiving the list to determine whether any employee had obtained the documents before taking a lie detector test. Many agencies planned to retain the list for future use, the McClatchy report said.

Controlling how NSA-collected data is used should be the most important objective of lawmakers, said Fred Cate, professor of law at the Indiana University Maurer School of Law. Cate filed filed an amicus brief in support of the EPIC Supreme Court petition.

"There will almost always be a legitimate reason to collect sensitive data," said Cate. "The challenge is to ensure that data collected for one purpose is not used for other purposes."

The Supreme Court has repeatedly ruled that the Fourth Amendment applies only to collection of data, not its use, Cate noted. The high court has ruled that "even information that illegally seized by the government can be used for other purposes."

Therefore, the onus is on Congress to impose limits on data use by the NSA and other agencies, he said. Even then, Cate noted, "we apparently will have to trust that the government is following the law."

Steve Vladeck, professor of law and associate Dean for scholarship at the American University Washington College of Law is confident that some use restrictions in bills currently pending before Congress will be adopted.

"Reasonable people can disagree about whether the government should be collecting all of this data and yet still agree that there should be far greater, and harsher, constraints on when the government can actually access or otherwise utilize that data," Vladeck said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is jvijayan@computerworld.com.

Read more about cyberwarfare in Computerworld's Cyberwarfare Topic Center.

Tags privacyregulationnsaU.S. Supreme CourtGov't Legislation/RegulationNational Security Agencycyberwarfare

Show Comments