The U.S. National Security Agency's leading privacy voice wants to help bring 21st-century privacy thinking to the most scrutinized intelligence agency in the world. Since the Snowden disclosures in June of 2013, the NSA has become the poster child for over-collection both in the U.S. and abroad. But NSA Civil Liberties and Privacy Officer Rebecca Richards, CIPP/US, CIPP/G, wants to change that by bringing the agency’s civil liberties and privacy program beyond a compliance system that just checks off boxes.
To be sure, the data collection landscape has dramatically changed since the Cold War era of the NSA’s infancy. Fifty years ago, intelligence analysis focused on nation states and structured military using isolated military communication. But now, big data surveillance adversaries are smaller, more rogue targets whose communications are interspersed within the commercial sector. Plus, personal information and its value are much more mainstream today than just 25 years ago, when Social Security numbers were regularly used on school identification cards.
Speaking at Wednesday’s Privacy and Civil Liberties Oversight Board (PCLOB) hearing on “Defining Privacy,” Richards said, “We have an opportunity to bring NSA’s approach to privacy together with a broader approach” that takes into consideration people’s legitimate privacy interests. As part of this new approach, Richards said she is testing a new privacy and civil liberties assessment process that expands upon the NSA’s views to include other privacy frameworks from the private sector and non-intelligence agencies.
For example, there’s the Fair Information Practice Principles (FIPPs). “Traditionally, NSA centered on location and collection” of data, Richards said, but “FIPPs-related questions center on following the data. What's the data being collected? And how will it be used? As such, we have designed an initial standardized template, and during the next year, we’ll refine the question process to ensure we are building a repeatable, meaningful and helpful process to make sure we’re not merely checking off boxes but fundamentally weighing the risk associated with the activity to form a holistic value proposition.”
So what does this mean exactly? Richards continued, “In essence, we’re asking, should NSA conduct a given activity given its civil liberties and privacy risks.” She said the agency has now documented standard protections (such as data minimization, various access controls and other specialized tools for privacy protection) and, like many private-sector organizations, the agency will use the FIPPs “as a basis for analyzing what existing protections are in place.”
Richards also stressed the importance of blending the art and science of privacy. “Historically,” she explained, “privacy has tended to be a bit of an art form. Several of us stand around and think about how we’re going to do the analysis.” But, she conceded, big data’s complexity makes this unmanageable.
That’s where the science comes into play. “Today, the science of privacy has made notable strides that include developing technology and tools that promote privacy such as unique encryption capabilities, digital rights management and trustworthy computing,” she said. Plus, the academic world has advanced coding into privacy policies such that technology can support all of its uses.
What’s needed, she explained, is the marriage of both the liberal arts-minded art of privacy analysis with the calculated science of privacy technology. To blend the two, Richards said her office is building five sequential building blocks. One categorizes personal information to locate privacy risks. A second block will identify and categorize data uses. “If we take both of these together, it should be possible (with the third block) to develop a scientific process to assess privacy risk,” Richards said. “These three building blocks would constitute the science, then the next two would be the art” of privacy risks and impact. The fourth examines whether any other privacy impact analysis needs to be done. Finally, to round it out, the fifth block would “create a responsible use framework that keeps the collectors and users of the data accountable for how they manage data and any harm it causes.”
Time will tell if this new internal procedure will work. In the meantime, and on the same day Richards discussed these internal changes, Congress will consider NSA reform under the proposed USA FREEDOM Act. The bill is scheduled to reach the Senate floor later this month.