The U.S. National Security Agency takes multiple steps to protect the privacy of the information it collects about U.S. residents under a secretive surveillance program, according to a report from the agency's privacy office.
Surveillance under presidential Executive Order 12333, which dates back to 1981, generally sets the ground rules for the NSA's overseas surveillance. It allows the agency to keep the content of U.S. citizens' communications if they are collected "incidentally" while the agency is targeting overseas communications.
But the surveillance of U.S. residents is conducted with several privacy safeguards in place, ensuring that the NSA collects the right information from the right targets and does not share the collected information inappropriately, according to the NSA Civil Liberties and Privacy Office report, released Tuesday.
NSA safeguards include privacy training for every employee, an oath of office that requires all employees to protect privacy and civil liberties and privacy oversight by six internal organizations, including the office that prepared Tuesday's report.
Consistent communication from NSA leadership on protecting privacy "has resulted in a work force that respects the law, understands the rules, complies with the rules, and is encouraged to report problems and concerns," the report said. "NSA takes several steps to ensure that each individual who joins its ranks understands from the first day on the job that civil liberties and privacy protection is a priority and a key personal responsibility."
The privacy safeguards inside the agency don't make up for a lack of "robust" judicial and congressional oversight of the program, the American Civil Liberties Union said. Oversight from both of those branches of government "are all but entirely lacking when it comes to surveillance under this order," Patrick Toomey, an ACLU staff attorney, said by email. "Rather, these rules can be changed by executive officials unilaterally and in secret, as they have been in the past."
The report doesn't address the privacy issues related to the NSA's separate bulk collection programs, "which means it leaves aside some of the NSA's most indiscriminate surveillance programs," Toomey added.
Targeted 12333 surveillance is separate from the so-called "bulk" collection programs disclosed by former NSA contractor Edward Snowden, including the NSA's collection of most U.S. telephone records and its collection of the online communications of foreigners allegedly connected to terrorism activities.
The NSA has not disclosed how many U.S. communications it has collected under its 12333 program, but a 2007 document released last month by the ACLU, obtained through a Freedom of Information Act request, describes the surveillance program as the "primary source of the NSA's foreign intelligence gathering authority."
It's "heartening" that the NSA has some privacy protections in place, but "significant concerns" remain, said Robyn Greene, policy counsel at think tank New America Foundation's Open Technology Institute.
"The report does not discuss any privacy protections that are applied to the NSA's bulk collection programs ... and it fails to address privacy protections applied to non-U.S. persons' information," she said by email.
Greene called on the NSA to "still be more transparent about the scope and privacy impacts of its targeted and bulk collection programs." The agency cannot be fully transparent about its 12333 surveillance because of national security concerns, the report said.
The NSA Civil Liberties and Privacy Office report details the privacy protection programs the agency has in place without listing any potential breaches in privacy protocols at the agency. The report lists several privacy risks in the NSA's surveillance of U.S. residents under the executive order, but then follows the risks with lists of privacy safeguards at the agency.
A potential risk in targeting people for surveillance is that the wrong people will be targeted, the report said. NSA safeguards allow only properly training employees to use the targeting system, require that a supervisor or senior analyst approve targeting requests, and require the agency to delete any information from incorrectly targeted people, the report said.
Asked why the report doesn't address whether there have been any violations of the agency's privacy protocols, an NSA spokesman said the purpose of the report was to examine the NSA's privacy practices against widely accepted fair information practice principles.
"The report makes valuable contributions to the agency's mission of enhancing transparency and contributing to the ongoing public dialogue on national security and privacy," NSA spokesman Michael Halbig said by email.
Halbig defended the NSA's 12333 surveillance by saying the agency follows the legal authority set out in the executive order and the U.S. attorney general. He declined to say how many surveillance targets the NSA has under 12333 authority.
The report doesn't address the privacy safeguards the agency has in place for foreigners targeted under 12333. In January, President Barack Obama directed U.S intelligence agencies to establish privacy protections for all information they collect, and the agency is still working on ways to apply that directive to the privacy of people living outside the U.S., the report said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is firstname.lastname@example.org.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.