NSA exploring alternatives to holding database of domestic phone records
By Ellen Nakashima,
The National Security Agency is exploring how it could relinquish control of the massive database of domestic phone logs that has been the focus of an intense national debate, according to current and former officials briefed on the discussions.
The agency, in response to political and other pressures, is examining whether there are feasible ways for third parties such as phone companies to hold the data while allowing the agency to exploit the records, the officials said.
The intelligence community is motivated in large part by the prospect that Congress will not renew the NSA’s bulk-collection authority when the statute it is based on expires in June 2015. It is also possible that lawmakers, who are debating legislation to halt the NSA program, could act sooner.
A former senior intelligence official said he expects that the White House “will start the path of shifting it to the phone companies,” but “it’s not going to happen instantly.” Like others in this report, the former official spoke on the condition of anonymity to discuss internal deliberations.
Describing one possible scenario, a second former intelligence official said: “The phone companies would run the analytics and provide you the analysis: ‘Hey, this bad guy is talking to this bad guy.’ ”
Having the phone companies analyze the records on behalf of the government, depending on how it is done, may still raise privacy, cost and other concerns.
At the same time, current and former officials say, the intelligence community is pushing back against a number of recommendations by a White House-appointed advisory panel, including removing the cyberdefense mission from the NSA, ensuring that the agency does not stockpile certain kinds of cyberweapons and requiring judicial approval of administrative subpoenas known as national security letters.
President Obama is studying the panel’s recommendations and preparing to unveil his own set of intelligence and surveillance reforms as early as next week. Obama said last month that it was “possible” for the phone companies to hold the records, as opposed to the NSA — another idea advanced by the advisory group.
The agency database, which contains billions of domestic telephone toll records, though not call content, is a counterterrorism tool that has drawn fire from civil liberties advocates and a number of lawmakers since its revelation in June by former NSA contractor Edward Snowden.
There are many obstacles to such a shift — not least the phone companies’ stiff resistance. The companies have told the White House that they do not want to be made to hold the data on behalf of the government for periods longer than they normally would. And key senators have studied the idea, including the possibility of paying the companies to retain the data, and rejected it.
The NSA’s director, Gen. Keith Alexander, told the advisory panel, the Review Group on Intelligence and Communications Technologies, that the “NSA itself has seriously considered moving to a model in which the data are held by the private sector.” But, according to a review group member, Alexander told the group that “no one else wanted it — especially not the phone companies.” Alexander, the member said, “described it as a ‘bit of a hot potato.’ ”
White House spokeswoman Caitlin Hayden said Obama will make his remarks sometime before the State of the Union address on Jan. 28, but until then, the White House is “continuing to study” the panel’s report as well as gather input from the intelligence agencies and industry.
Overall, when Obama unveils his reform package, “it will be a pretty big speech, focused largely on reinvigorating trust and faith in the system,” said the second former intelligence official. But, the former official said, “in the end, at least from the perspective of people who think everything is broken, I think they’re going to be pretty disappointed about the results coming out of the White House. There will be change, but it is unlikely that there will be a wholesale change in how intelligence is collected and analyzed.”
While the NSA’s phone-logs database has dominated the reform debate since June, the 300-page report issued last month by the advisory panel also has spurred discussion about other issues. Many of its 46 recommendations are not controversial, national security experts say; they include ensuring that data are better secured against hackers and against unauthorized access by insiders, and ensuring that intelligence agency employees are properly cleared for access to information.
But several recommendations are meeting with resistance. For instance, the group urged Congress to amend the law so that national security letters (NSLs) can be issued only upon a finding by a judge that the government has reasonable grounds to believe that the data sought are relevant to an authorized terrorism or intelligence investigation.
Currently, NSLs can be issued by senior FBI officials in field offices, and officials warn that changing that would impede the bureau’s ability to conduct preliminary investigations. The FBI issues more than 20,000 NSLs a year for data such as phone subscriber information and telephone toll records, as well as banking and credit card records. The data do not include phone-call content, which would require a court-approved warrant.
The panel’s report said that “there is a strong argument that NSLs should not be issued by the FBI itself” and that “foreign intelligence investigations are especially likely to implicate highly sensitive and personal information and to have potentially severe consequences for the individuals under investigation.”
One senior U.S. official said that FBI reforms in recent years have put NSLs under much greater oversight and that they are “an essential national security tool” that enables the collection of certain business records only in cases involving terrorists and spies. Imposing judicial review, which is not required of similar records requests in criminal investigations, “would really slow the bureau’s ability to react quickly, early in an investigation,” the official said.
The panel also recommended that the NSA’s cyberdefense arm, the Information Assurance Directorate (IAD), be moved out of the agency and under the cyber-policy arm of the Pentagon. The group said the IAD’s defensive mission is at odds with the NSA’s offensive mission to break into foreign adversaries’ networks for intelligence purposes. Panel member Richard A. Clarke, a former White House counterterrorism and cybersecurity adviser, said that creates an “inherent tension” and that the “defensive mission will never be given the priority it needs within an offensive agency.”
But Richard C. Schaeffer Jr., the IAD’s director from 2006 to 2010, called the idea “crazy.” “It actually damages the ability to understand the threat,” Schaeffer said. “The tactics we employ on the defensive side are based on a deep understanding of how the U.S. exploits other nations’ information systems to gain access for intelligence purposes. You want the offense and the defense to work together.”
Should NSA point out holes?
Among the weapons in the NSA’s arsenal are “zero day” exploits, tools that take advantage of previously unknown vulnerabilities in software and hardware to break into a computer system. The panel recommended that U.S. policy aim to block zero-day attacks by having the NSA and other government agencies alert companies to vulnerabilities in their hardware and software. That recommendation has drawn praise from security experts such as Matt Blaze, a University of Pennsylvania computer scientist, who said it would allow software developers and vendors to patch their systems and protect consumers from attacks by others who may try to exploit the same vulnerabilities.
“This is not to say that reporting a vulnerability means that NSA can’t also exploit it against their targets, only that their overall national security role means that their first responsibility must be to work to fix it,” Blaze said.
But Schaeffer said: “You’re taking a potential weapon away from the very people we’re asking to protect the nation. Those people ought to be able to use their best technical professional judgment as to when it’s appropriate to alert industry that there’s a vulnerability.”
One idea that Obama embraced last year and that was echoed by the panel is to create the position of a public-interest advocate to represent civil liberties concerns before the Foreign Intelligence Surveillance Court, which traditionally hears only the government’s case in applications for domestic surveillance, and does so in secret. It was this court in 2006 that first authorized the NSA’s collection of phone logs.