The NSA has given itself a positive performance review, granting itself a total of eight passing grades, even in two areas it failed.
“In conducting [the] assessment, NSA identified and implemented policies, procedures, compliance safeguards, and metrics that minimize the civil liberties and privacy impact, while also enabling the Agency to demonstrate its good stewardship,” noted a report published Friday by the NSA’s Civil Liberties and Privacy Office.
As part of the review, which was mandated by Congress last year in an effort to increase accountability, the CLPO evaluated the NSA’s performance on eight metrics. Those included transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, and accountability and auditing.
Related Story: http://www.washingtonexaminer.com/article/2580609
On six of those, the CLPO found that the NSA was performing “satisfactorily.” On the dimensions of transparency and individual participation, the CLPO explained that the agency was performing satisfactorily in an abstract sense, in spite of failing to safeguard personally identifiable information in certain respects.
The principle of individual participation “states that organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII.” Organizations should additionally “provide mechanisms for appropriate access, correction, and redress regarding use of PII.”
The CLPO found the NSA was failing to satisfy that requirement for obvious reasons. “The very fact that the government suspects that a particular person is engaged in international terrorism or that a particular phone number is being used by such a person must be kept secret in the interests of national security,” the auditors stated.
“Under the circumstances,” they added, “the oversight and compliance mechanisms serve as sufficient proxies to satisfy the Principle of Individual Participation.”
The report also suggested the NSA was in violation of the transparency principle, which similarly states that organizations should be open about the manner in which PII is shared.
However, the authors said, “the government’s publication of detailed information about the new procedures and … mandatory reporting requirements” regarding more generalized datasets meant that the agency had sufficiently met the spirit of the requirement.
Congress mandated the report as part of the USA Freedom Act passed in June. The legislation was a response to concerns that the agency’s surveillance activities had become overreaching, and it ended its bulk collection of metadata effective last November. It must now ask companies to obtain such information.
That measure was enhanced by the Cybersecurity Act of 2015, passed by Congress in December. Lawmakers who oppose those changes argue that they have made too much data available to intelligence agencies. Those on the other side believe the measures are too restrictive, arguing that the NSA should have more authority to engage in surveillance without oversight.
Related Story: http://www.washingtonexaminer.com/article/2580501
In areas where the NSA is able to conduct its own oversight, Friday’s report would seem to indicate the agency will do fine regardless of which side prevails.
