News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Section 702: Two myths, two concerns, and two final thoughts Related reading: US House subcommittee kicks off draft American Privacy Rights Act consideration

rss_feed

""

The views represented here are solely those of the author and do not represent those of the NSA or any other organization.

On March 1, I had the privilege of testifying before Congress. The House Judiciary Committee held a hearing on the reauthorization of Section 702 of the FISA Amendments Act, which expires in December of this year. The committee organized a panel of four witnesses from academia, think tanks, and the private sector; a separate, closed session included government witnesses. Of the four of us, I was the only one who’d had direct experience working with 702 authority. I was an intelligence lawyer at the National Security Agency before and after the FAA was passed and served as the head of intelligence law for NSA until 2016, when I left the agency to go into private practice.

My written testimony is publicly available and, I hope, speaks for itself, but if I had to boil it down further, I would make six points here, any of which could be a subject all their own.

Two big myths

I often run across the belief, expressed in print or in person, that Section 702 allows for bulk collection of information and that it offers no protections whatsoever for non-U.S. persons. Both of these are urban legends; neither of them is factually correct.

702 does not allow collection of bulk data.
FAA 702 collection can only be initiated when an analyst is able to articulate, and document, a specific set of facts to meet the statutory and procedural requirements for demonstrating that: 1) a specific “facility” (such as a phone number or email address) 2) is associated with a specific user 3) who is a non-U.S. person 4) who is reasonably believed to be located outside the U.S. and 5) who is likely to possess or communicate foreign intelligence information.

Although a large number of selectors have been targeted under FAA 702, each of those facilities has been tasked for collection because on an individual, particularized basis each one of them meets the criteria noted above. 

Each annual certification is accompanied by lengthy, detailed targeting and minimization procedures, which must be reviewed by the FISC. The procedural protections include both technical and administrative controls to guard against improper collection or handling of the information. They include pre- and post-targeting checks on collection; requirements for rigorous training and testing before personnel can access 702 data; and restrictions on dissemination and use of the information. 

Second, 702 does not allow indiscriminate collection of non-US-person communication.
As the independent Privacy and Civil Liberties Oversight Board noted in its comprehensive 2014 report, 702 collection may only be directed against targets who are likely to possess, communicate, or receive foreign intelligence information. The targeting rationale must include an explanation for each facility — such as a phone number or email address — which substantiates the basis for the targeting. As has been noted by a number of intelligence professionals in their public testimony, all signals intelligence collection must be tied to, and based upon, an intelligence requirement that’s been vetted through a formal interagency process.

In other words, neither the statute nor the procedures permit random, arbitrary, or pointless targeting of anyone, even if they are non-US persons located outside the U.S.

Two concerns

Why querying for U.S. persons doesn’t amount to a “back door search.” 
Because of the tailored, documented, and carefully overseen manner in which the front-end collection is carried out, it is neither unlawful nor inappropriate for analysts to query the collected information using U.S. person identifiers when there is a legitimate basis to do so. Some critics have referred to the ability to query 702 data for U.S. person information as “back door searches.”  

Although these searches carry privacy risks, those risks are held in check by current oversight mechanisms. For example, NSA analysts must obtain prior approval to run U.S. person identifier queries in FAA 702 content; there must be a basis to believe the query is reasonably likely to return foreign intelligence information; all queries are logged and reviewed after the fact by NSA; and DoJ and ODNI review every U.S. person query run at NSA and CIA, along with the documented justifications for those queries.

As an IC lawyer for many years, I know how often urgent, time-sensitive operational questions come up in the middle of the night and on weekends.

The government has a compelling national security need to carry out those searches in appropriate cases. As an IC lawyer for many years, I know how often urgent, time-sensitive operational questions come up in the middle of the night and on weekends. If analysts — who work 24 hours a day, seven days a week  had to request permission from an outside body such as the Foreign Intelligence Surveillance Court before running U.S. person queries, there is a very real risk that the government would miss the critical time window for finding and acting on essential information.

Why privacy professionals should be concerned about proposals to measure the incidentally collected U.S. person communications. 
Privacy advocates have pressed the IC to count the number of U.S. person communications that are collected incidentally  swept into surveillance when a U.S. person or person in the U.S. communicates with an intelligence target. In order to assess the privacy drawbacks to doing a count like this, it’s important to understand how it would have to work. 

In typical analytic tradecraft, analysts run queries looking for intelligence information; they review those communications; and if they find something of interest, they look to see if the communication includes identifiers  such as emails or phone numbers  that they haven’t seen before. If the communication has no intelligence value, the analyst has little reason to research the identity, nationality, or location of that identifier. 

In order to determine who the unknown identifiers belong to and where those users are in the world, the analysts would need additional information. In some cases, technical data may help assist with the location determination. But technical information generally cannot identify whether the user of an email account happens to be a U.S. person located somewhere else in the world.

To count the number of U.S. person communications that are incidentally acquired under Section 702, the IC would have to find every unknown identifier in 702 communications and then analyze each one in order to determine whether they’re being used inside or outside the U.S. and whether their users might be U.S. persons. NSA does not  nor should it  collect or maintain comprehensive directories of the communications identifiers used by U.S. persons. Without such a reference database, the count of U.S. person communications would be impossible. Yet creating a comprehensive reference database of identifiers used by people who are not of any intelligence interest would constitute a significant intrusion on privacy  and unlike many other privacy risks, there is no intelligence value or gain that could offset or justify this privacy intrusion.

In addition to the privacy impacts, searching for U.S. persons who aren’t intelligence targets would cause the IC to divert significant resources away from doing their core mission of intelligence analysis.

Finally, it is unlikely that knowing the number or percentage of U.S. persons in a particular data sample would result in increased privacy protections in the future: first, because it isn’t clear whether numbers or percentages would be constant over time or across target sets; and second, because the fundamental challenge remains an intractable one: As long as foreign intelligence targets communicate with U.S. persons, there will be some instances in which those communications are incidentally intercepted. This risk is precisely the reason why Congress required, and why the government must abide by, court-approved minimization procedures designed to protect that information.

Final thoughts 

First, 702 oversight works. 
In designing this statute, Congress wisely chose to build in oversight mechanisms involving all three branches of government.  

Four committees in Congress have oversight jurisdiction of the government’s activities under Section 702: the Senate and House Select Committees on Intelligence and the Senate and House Judiciary Committees. These committees receive all government filings, hearing transcripts, and FISC orders and opinions related to the court’s consideration of the Section 702 certifications, along with reports from agency inspectors general.

The FISC also plays a critical role in oversight of the 702 program. The government must report compliance incidents to the FISC through “13(b)” notices that describe each incident of non-compliance. It’s not uncommon for the FISC to ask the government to provide supplemental information to address any questions that the court may have regarding those incidents. In addition to this ongoing oversight function, each year, the FISC reviews the government’s annual certification package, making independent determinations about whether the proposed certifications meet the necessary standards under the law; whether the targeting and minimization procedures faithfully incorporate all of the necessary restrictions; and reviewing the compliance incidents that have taken place over the past year.

The intelligence agencies have rigorous internal oversight and compliance programs, and DoJ and ODNI detailed external oversight through joint reviews of the day-to-day implementation of intelligence activities under FAA 702. These include reviewing targeting decisions; reviewing queries; reviewing disseminations of 702 data; reporting to the FISC and to Congress every instance of non-compliance that is identified; and assessing the Intelligence Community’s implementation of appropriate remedial actions to address compliance matters, including purging of non-compliant data and recalling non-compliant disseminations.

Equally important to these external checks, the use of the FAA 702 authority takes place within a deeply rooted culture of compliance.  

As someone who, today, advises private-sector entities on cybersecurity and privacy, I’m well attuned to the fact that one of the most important factors in a successful privacy or compliance program is maintaining a culture of compliance, and setting that tone from the top. 

As someone who, today, advises private-sector entities on cybersecurity and privacy, I’m well attuned to the fact that one of the most important factors in a successful privacy or compliance program is maintaining a culture of compliance, and setting that tone from the top.

In thirteen years at NSA, I saw mistakes that resulted from human error. I also saw instances in which technical complexity led to errors that hadn’t been foreseen. All of these were reported promptly and addressed. However, I did not see people deliberately taking actions that would abuse the trust placed in them in handling this very sensitive data. In other words, my experience was entirely consistent with the PCLOB’s finding that, “Although there have been various compliance incidents over the years, many of these incidents have involved technical issues resulting from the complexity of the program, and the Board has not seen any evidence of bad faith or misconduct.”

Second: 702 intelligence works.
While at NSA, I had the opportunity to witness firsthand the critical importance of robust intelligence information in supporting U.S. troops and in detecting terrorist plans and intentions that threatened the safety of the U.S. and its allies. Many of those instances are recent and remain classified.

However, some successes have been publicly released.

As the PCLOB noted in its report, “[O]ver a quarter of the NSA’s reports concerning international terrorism include information based in whole or in part of 702 collection, and this percentage has increased every year since the statute was enacted.” These numbers are underscored by the success stories that were presented in unclassified testimony before the Senate Committee on the Judiciary in 2016.

As I testified to Congress, it’s my belief, based on my personal experience and professional judgment, that Congress drew the balance of authority and restrictions in the right place when it enacted FAA 702 in 2008 and when it reauthorized it in 2012. This year provides an important opportunity to FAA to be carefully scrutinized once again. But as Congress continues its work, it’s worth remembering that things that aren’t broke don’t need fixing. Sometimes they just need to be extended as-is.

photo credit: t--h--s DSC_0602 via photopin (license)

Author
Headshot April Doss, CIPP/E, CIPP/US IAPP Member Contributor
Tags
Government
U.S.
Privacy Law
Surveillance
2 Comments

If you want to comment on this post, you need to login.

  • comment Kimberley Laris • Mar 20, 2017 
    Your good faith observances of application use and monitoring are appreciated. However, concern remains about the opportunity for well-funded non-accountable access, manipulation, and mass copying of sensitive data via nefarious O/S admin account override. 

If the ability to effectively detect and correct abuse of powerful anonymous privileged administrator rights to large seas of data and software in a timely manner were more certain,  it would help trust levels. 

A raid on administrator employee private information has been underway to capture Admin passwords, because abused O/S Administrator accounts go undetectable in an application's audit trail, circumventing the intended application's accountability design.  

O/S administrator accounts grant what IT Security professionals call "God permissions" to applications and databases, some record O/S admin activities for monitoring (i.e., view, manipulate, or copy sensitive data for offline analysis). If nefarious override Admin activity is detected (within voluminous system activity logs), the records often prove useless because only "Admin" is recorded - not a uniquely identifiable person/device as the application would. 

In addition, someone abusing an O/S admin account can usually turn off and delete their activity before exiting a session. 

Due to the futility frustration, the widest data access role often remains unaccountable. There are exceptions to the rule, but they often require planning insight than most technologists are allotted time to research and money to implement. Then, many of those tools are not interoperable for entrenched application O/S's.  

When no one with great IT power has a non-accountable footprint like Snowden, it will be reassuring to hear.  Until then, it is reasonable to expect crime on data and software assets to escalate.
  • comment Ken Mortensen • Mar 21, 2017 
    Kimberley, 

I think you comment explains exactly what April states in "Why privacy professionals should be concerned about proposals to measure the incidentally collected U.S. person communications." If we were to require that the IC complete the integration of identity data for statistical measurement purposes, a new non-existent risk would be creating by obligating the IC to maintain identifiable information, of both US and non-US persons.

While I did not work with 702 in the day-to-day aspect of what April describes as her role, my experience at DOJ in looking at the programmatic integration of privacy and security into the collection and analytical processes was one that focused on the needed information without limiting what was needed. The concepts of "minimum necessary" and layered analytics provided administrative safeguards for privacy and the oversight discussed in the article works to ensure greater transparency in the implementation of the proper process.

To that end, I agree with April that we need to encourage Congress to let a well-designed and well-functioning law remain in operation to serve the security of this Nation and our allies.
Related Stories
Corrected text of EU AI Act released
The corrigendum of the EU Artificial Intelligence Act has been released. The document corrects and clarifies language in the act and is required before it can fully come into effect. Editor's note: Explore the IAPP AI Governance Center and subscribe to the AI Governance Dashboard. Full story...
Read More queue Save This
Related Stories
Tags
Government
U.S.
Privacy Law
Surveillance
Recent Comments