5 Myths About the National Security Agency – ClearanceJobs

Writing about the National Security Agency myths is a tough task because the rules are always changing and whole agency is shrouded in secrecythough in the case of the latter, a good deal less than it once was, thanks in part to its empowerment after 9/11, and because of revelations by Edward Snowden. Anecdotally, when I was in high school (very pre-9/11), I wanted to write a report on the NSA, and when I asked the librarian about it, he ridiculed me, saying scornfully that the NSA was a fake spy agency on TV, and that it didnt exist in real life. I think the NSA would have approved, but any organization that secret is bound to gather a few urban legends along the way. Here are five myths about the National Security Agency.

Compared to the Central Intelligence Agency or the Defense Intelligence Agency, no, the NSA doesnt have that many field agents. Most of its thirty thousand or so employees work at Ft. Meade, MD. (There are 18,000 parking spaces at its headquarters, and enough office space that four U.S. Capitols could fit inside of it.) Still, the agency does have men and women who work in the field. They belong to the NSAs Special Collection Service, a group of signals intelligence spies who work jointly with the CIA abroad to penetrate foreign communications networks.

Because the SCS is so secretive, what, precisely they do in the field is likely a moving target. When a hard drive needs to be stolen, that assignment is probably going to go to the CIAs National Clandestine Service. But things like plugging into embassies overseas, planting antennas to intercept communications, and using state-of-the-art technology in the field to acquire signals are almost certainly jobs for the SCS. Though techniques and procedures change, as of a few years ago, small teams called Special Collection Elements, made up of two-to-five members of the Special Collection Service and National Clandestine Service, rotated into foreign embassies and operated abroad under the guise of business persons.

As a matter of technology, yes, most likely. And if you encrypt your messages, it can hang onto those emails forever, or until the encryption is cracked (see below). NSA software is integrated tightly with telecommunications switches for AT&T and, most likely, other such companies. When the companies arent knowingly doing the integration, the NSA does the integration themselves, surreptitiously intercepting routers to targeted facilities and implanting surveillance devices and firmware.

But legally, the NSA needs a lot more than simple ability if they want to start reading your letters to grandma. Section 702 of the Foreign Intelligence Surveillance Act allows the government to surveil non-U.S. persons abroad. Each year, the Department of Justice and the Office of the Director of National Intelligence submit certifications to the Foreign Intelligence Surveillance Court stating the types of intelligence they would like to collect, and the way they will do it that is consistent with the law (i.e., heres how we will make sure we dont target Americans). Once the certifications are approved, the government goes to industry and compels them to assist with the surveillance. The court reviews these certifications annually.

Thats the basic legal process at work. In practice, if a non-U.S. person abroad fits the certified surveillance standard (e.g. he likes to make bombs for ISIS), and his communications are found to have foreign intelligence (e.g. hes corresponding with ISIS about where to send the bombs), his communications can be collected.

So if he happens to email yousay hes a fan of Game of Thrones, and you begin a robust correspondence on that seriess awful endingthen your email can only be searched in pursuit of foreign intelligence information, or, if the FBI gets involved looking for evidence of a crime. Only the attorney general can authorize the use of information collected under Section 702 in criminal proceedings against U.S. persons.

The upshot is that the NSA doesnt just type bomb into SpyGoogle and start vacuuming up anyones emails describing Solo: A Star Wars Story. (Which was mostly a pretty good movie, but dont get me started on The Force Awakens.) The whole thing is monitored by the court, senior analysts at the agency, and the Department of Justice.

Under Presidential Policy Directive 28 and its supplemental guidelines, information gathered from the bulk collection of non-U.S. person data must be related to foreign espionage, terrorism, threats to U.S. military forces, cyber warfare, and transnational criminal threats. In other words, if Cuervo Jones of Guadalajara is caught in the net, but isnt doing evil, his communications arent being used against him for other purposes. Moreover, information collected can only be held for five years. If, however, Cuervo has encrypted his correspondence, that can be held indefinitely. Its worth noting that the NSA is not allowed to collect trade secrets from foreign companies in order to give U.S. firms a competitive advantage.

Pretty Good Privacy is a popular encryption standard that uses hashing, compression, and public and private keys for encryption and authentication. (ClearanceJobs previously described how hashing works here.) As of 2014, leaked documents reveal that the NSA was unable to break PGP. A lot has changed in five years, and look, anything is possible, but not that much. As the PGP frequently asked questions document states for a PGP 128-bit encryption: Lets say that you had developed a special purpose chip that could try a billion keys per second. This is far beyond anything that could really be developed today. Lets also say that you could afford to throw a billion such chips at the problem at the same time. It would still require over 10,000,000,000,000 years to try all of the possible 128 bit keys. That is something like a thousand times the age of the known universe!

Well maybe. But probably not. Under Section 215 of the Foreign Intelligence Surveillance Act, the NSA is allowed to build contact chains of telecommunications metadata. Not the calls/emails/etc. themselvesbut call detail recordsinformation about the contact in question. This year, the NSA stated that it has ended the CDR program. In the old days of building those CDR chains, however, the agency used a method called hops. If I am John Terrorist and I appear on the NSAs radar, the agency can use my call detail records to start looking at the people I call (hop one), and the people they call (hop two). So if I call 10 people, those ten people are now in the NSAs metadata surveillance crosshairs. Moreover, the people those ten people call are now in the NSAs web of watchers as well. If each of those people contacted ten people, youve now got 101 people being monitored. The NSA is limited to two hops, though previously could go out as far as three hops, which meant that one person could lead to the monitoring of 1001.

So is the NSA spying on you? Even if the agency has secretly restarted the program, its still highly unlikely, though if you were an Uber driver and John Terrorist called you to give you directions, its possible that you might be in the system. And if you hired a local landscaper to mow your lawn, he or she might be in the net as well. There is no way for you to find out, and nothing you can do if you are. But as a matter of numbers, youre probably safe. Last year fewer than ten thousand queries of American communications stemmed from this program.

See the rest here:
5 Myths About the National Security Agency - ClearanceJobs