President Obama recently addressed surveillance issues in light of the Edward Snowden leaks and fallout that has resulted since then. At the same time the president made his statement, the Department of Justice and the NSA released documents discussing the topic, justifying the programs and attempting to explain its actions as necessary for the safety of Americans.
The document starts off with a quote from President Obama, circa May of this year, stating the need to "strike a balance" between security and freedom. It then goes on to state that because of the media leaks that have surfaced, the president has ordered that "as much information as possible be made public, while mindful of the need to protect sources." Another reason, says the NSA, is to "correct inaccuracies," which it says this document is a "step" towards.
The NSA speaks at great length about its authority, which is granted by Executive Order 12333 and the FISA Act, which was enacted in 1978. While the Executive Order is extensive, it is the FISA Act that is perhaps of most interest, especially considering its extensive involvement in the areas that Americans are taking such issue with.
As we detailed in our SlashGear 101, program US-98XN, better known as PRISM, is a direct result of the Protect America Act put in place back in 2007, and the Terrorist Surveillance Program that was kicked off a bit after the 9/11 attacks. The NSA's authority to surveil foreign intelligence, however, goes directly to the Foreign Intelligence Surveillance Act, more commonly called FISA. As part of the act, excepting other laws, "the President, through the Attorney General, may authorize electronic surveillance without a court order ... to acquire foreign intelligence information for periods up to one year if ... there is no substantial likelihood that the surveillance will acquire the contents of any communication to which a United States person is a party."
To the NSA's credit, it does briefly discus this (Section 702) in its paper, but then it goes on to state that "For a variety of reasons, including technical ones, the communications of U.S. persons are sometimes incidentally acquired in targeting the foreign entities ... In those cases, minimization procedures adopted by the Attorney General in consultation with the Director of National Intelligence and approved by the [FISA] Court are used to protect the privacy of a U.S. person."
The NSA does not detail what those "minimization procedures" are, however. That information was allegedly leaked earlier this summer, however, by sources who provided documentation to The Guardian.
According to that documentation, the NSA must take "extensive steps" to verify if a target is outside the US. Any data that is nabbed on a US person must then be destroyed. It also went on to discuss the call records that the NSA has gathered, saying that such an activity is aimed at identifying which people are US citizens for purposes related to essentially weeding them out of the data pool.
The issue with pulling records on US citizen aside, the source also revealed some troubling issues: any information, according to the leaked document, can be kept by the NSA for up to 5 years, even if it does contain data about/from a US person. Furthermore, the NSA can both keep and use information on a US person if it acquires that information "inadvertently." What that essentially means is that any information the NSA pulls on a US person can be kept and used.
Beyond that, however, was info from sources that state all the "checks and balances" are performed internally - those who make decisions on whether to proceed report to superiors within the NSA, and no outside accountability is in place.
The paper released by the NSA confirms that oversight claim, at least in part, stating: "NSA has an internal oversight and compliance framework to provide assurance that NSA's activities - its people, its technology, and its operations - act consistently with the law..." It then goes on to state that the "framework" is then externally monitored by multiple organizations, among them being the FISA, AG, Congress, and National Intelligence director. Considering the nature of all these "external" organizations - and their complicity in the surveillance activities - such oversight is hardly reassuring.
All of this is rounded out by a statement that the NSA requires personnel to report what they believe to be activities outside the realm of the law, a self-reporting method it says is "part of the culture and fabric of the NSA." That, however, still misses the point - such a "culture" is an internal one, and thus of little reassurance to the American people.