Earlier today, the NSA announced its intentions to limit a surveillance technique that had a nasty side effect of sweeping up communications toand fromAmericans.
In a rare unprompted press statement, the NSA explained that it would halt any upstream internet communications that are solely about a foreign intelligence target, restrictingits surveillance to messages sent or received byforeign intelligence targets.
TechCrunch spoke with General Michael Hayden, former director of the NSA and CIA, about how the shiftwill be implementedand thereasoning behind the agencys surprise decision.
TC: Will this significantly impact the quality of the NSAs data collection on foreign targets?
Hayden: This will have an impact, I think marginal, on some foreign intelligence collection. It also reduces to zero the amount of inadvertent collection you do on Americans. We do that balancing all the time. They decided they were getting too much inadvertent collectionbut you lose some legitimate collection as well.
TC: Why did the NSA have so much trouble complying with court rules?
Hayden: Its routine due diligence, we do this all the time. I have been told there were court concerns about how much inadvertent collection was taking place. No one has blinders on, they know theres going to be grand debate about this system. Theyve got an option here with marginal intelligence disadvantage to reduce how much it squeezes American privacy. Operational, political, legal it all makes sense.
No one has blinders on, they know theres going to be grand debate about this system. Theyve got an option here with marginal intelligence disadvantage to reduce how much it squeezes American privacy.
This does not affect something that will be contentious this summer. The stuff you will continue to collect, you can use a U.S. person identifier to query the data youve already collected. That will also be contentious.
Idont think thats right. The number of times you use a U.S. person query is easily retrievable. Incidental [collection]is foreigner is in the conversation, but theres information to, from or about an American.
They didnt know how much inadvertent [collection] they had unless you go back and look at every one. Wyden kept saying, how many? We said we dont know
TC: What does this mean for upstream data collection?
Hayden: What theyre going to do, theyve got to have a selector for upstream to grab the email coming by and it has to be someone they believe is not an American and outside the U.S. Up until this point, they used the selector to check to see who the email was from or to, or if the selector was mentioned in the body of the email.
The problem they had was when you use the selector about in the body of the email, occasionally you will pick up a communication in which neither end is foreign, in which both ends are American. Its inadvertent and its not authorized. When you discover it, you have to flush it from the system. Occasionally, when the foreign selector was in the body of the email and they picked up a communication,unless they looked at the email they would never know it. Itwould just sit in the database.
In order to go the extra mile for American privacy, they are going to give up a bit of collecting that might have been useful.
What they decided to do, and this means giving up a bit of intelligence collection, they are going to stop using the about selector. The only thing youre going to intercept is a communication to or from your target. In order to go the extra mile for American privacy, they are going to give up a bit of collecting that might have been useful. What this means is they were also getting a lot of information from a foreign selector mentioned in a body of email that wasnt us to us.
They are going to give up some coverage, but its due diligence so as not to do the inadvertent collection of communication between two Americans.
And then theyre going to go back in the database and purge all the collection that was triggered by about, without regard to who the communicates were.
TC: Does this mean the agency has a viable workaround that decouples about surveillance from upstream surveillance?
Hayden: They do. There is technology available to them that allows the selector to be applied to the to or from. You got a gajillion emails skidding by, your selector grabs the one related to the foreign target outside the US. [The]selector is just going to look at the to and from, not the content.
It isnt objectionable except when you do it that way, when youre grabbing some emails because of the content, occasionally you are getting emails to and from an American, [on]both ends.
Its an operational decision. We do this all the time,balancing privacy and operational effect. [Its]a reasonably dramatic step to preserve privacy. I think they made the operational decision.