July 27, 2014 | Posted in: 4th Amendment, Department of Defense, Director of National Intelligence, E.O. 12333, FISA, FISC, Intelligence, Leaks, NSA, PPD-28, Privacy, Snowden, U.S. Code Title 50

NSA Complex, Fort Meade, MD.

NSA Complex, Fort Meade, MD.

Over the last year, some media outlets have used the leaked classified material from Edward Snowden to write news stories that imply NSA has either: allegedly violated the privacy rights of ‘every American’ or exceeded its authorities.  In every one of these stories, what is usually missing is a SIGINT professional’s level of understanding on the part of the journalist, admittedly difficult to gain when SIGINT operational training is classified.

Signals intelligence, referred to as SIGINT, is both technically complex due to the nature of modern communications technologies, and legally complex, due to the heavy legal and Constitutional burdens placed on the professionals at NSA who conduct it.

These professionals spend months and oftentimes years during a career training in the operational, technical, and legal aspects of conducting SIGINT – which includes training in the protection of U.S. person privacy.

For example, a recent Washington Post article on July 11th, ‘How 160,000 intercepted communications led to our latest NSA story’; written to amplify its July 5th story ‘Non-targets far outnumber targets in NSA data collection’, states that the rules for ‘minimization’ of U.S. person information are ‘opaque’ – in fact, they are not opaque at all.

The minimization rules come in two forms, both of which are written in black and white for anyone to read, now that they have been declassified.  They are contained in the Foreign Intelligence Surveillance Court’s minimization instructions as part of its numerous court rulings, and United States Signals Intelligence Directive 18 (USSID 18).   USSIDs provide implementation guidance and direction to NSA’s civilian and military workforce, ensuring our Constitutional principles, current laws, Executive Orders, and binding court orders are implemented and enforced within the entire United States SIGINT System.  For the purposes of this blog post, we’ll focus on USSID 18.

USSID 18 is titled, “Legal Compliance and U.S. Persons Minimization Procedures”, and is fifty-two pages long.  Naturally, portions of many paragraphs are blanked out as part of the declassification process, but the direction in, and intent of USSID 18 are very clear, and I can tell you from my experience in the intelligence community that it is binding and followed by all SIGINT professionals.

Discussing all the limits USSID 18 places on SIGINT operations would take several blog posts worth of space, but we can look at one instance where USSID 18 applies in the Washington Post’s July 5th story.

The Post’s story states that, in the sample of surveillance files it reviewed, ‘NSA analysts masked, or “minimized,” more than 65,000 [references to U.S. citizens or residents], but the Post found nearly 900 additional e-mail addresses, unmasked in the files, that could be strongly linked to U.S. citizens or U.S. residents.’  This line is clearly meant to bolster the implication that U.S. person identities or identifiers incidentally collected under the legally authorized, and court monitored FISA Amendments Act (the Patriot Act) Section 702 program are not properly minimized.

If this element of the Post’s story is accurate, that translates to a 98.7% accuracy rate (based on (900 / 65,900) x 100) of minimization, as required under USSID 18 – an operational standard that many U.S. corporations would envy.  The Post didn’t word it that way, but it is example of how the professionals at NSA take protection of U.S. person privacy seriously, rather than supporting the Post’s implication that NSA treats U.S. person data in a cavalier manner.

The Post’s explanatory piece on the 11th also expresses its concern about the volume and nature of incidental collection, the Director of National Intelligence’s assertion that it is unable to estimate how many Americans are affected, and that no outside watchdog – the Congress, courts, or the President’s Privacy and Civil Liberties Oversight Board have access to the content to judge for themselves.

The reason for this is obvious to a professional.  Although the Post could traipse at will through its purported pile of 160,000 intercepts (reviewing U.S. citizen’s private information under the comforting blanket of the 1st Amendment) – the government cannot legally look through incidental collection to identify and characterize it because laws, and both executive and court orders forbid it.  Laws and orders every American citizen, including those working at NSA, must obey.

At this stage of the debate, I had hoped to see stories covering how NSA adheres to law and policy to conduct their assigned foreign intelligence mission, using background interviews with NSA’s professionals and managers in a more transparent environment. Instead, we continue to see stories from some members of the media filled with a selected set of ‘facts’ provided by a man charged with theft and violations of the espionage act, filtered through well-intended, but only partially educated journalist guesswork, resulting in implications or insinuations of impropriety or illegality.  There is more to the story than just what Mr. Snowden, or the journalists who support him, would have you believe.

I've served my country for more than 25 years as a member of the United States Air Force, both on active duty and as a civilian. I've spent my entire career as a member of the Air Force’s Intelligence, Surveillance, and Reconnaissance Agency and its predecessor organizations, the Air Intelligence Agency, the Air Force Intelligence Command, and the Electronic Security Command. I've served in various locations throughout the world during my career, including Japan & Saudi Arabia. I am a veteran of the 1991 Persian Gulf War. I also earned professional certifications from the National Security Agency as an Intelligence Analyst, and the Director of National Intelligence as an Intelligence Community Officer during my career. I have an M.S. in Computer Systems from the University of Maryland Graduate School of Management and Technology, and am a Certified Information Systems Security Professional.