The National Security Agency is the primary cryptographic and signals-intelligence agency of the United States. To spy on foreign communications, it operates data collection platforms in more than 50 countries and uses airplanes and submarines, ships and satellites, specially modified trucks, and cleverly disguised antennas. It has managed to break the cryptographic systems of most of its targets and prides itself on sending first-rate product to the president of the United States.
Inside the United States, the NSA’s collection is regulated by the Foreign Intelligence Surveillance Act, passed in 1978 to provide a legal framework for intercepting communications related to foreign intelligence or terrorism where one party is inside the United States and might be considered a “U.S. person.”
Three bits of terminology: The NSA “collects on” someone, with the preposition indicating the broad scope of the verb. Think of a rake pushing leaves into a bin. The NSA intercepts a very small percentage of the communications it collects. At the NSA, to “intercept” is to introduce to the collection process an analyst, who examines a leaf that has appeared in his or her computer bin. (An analyst could use computer software to assist here, but the basic distinction the NSA makes is that the actual interception requires intent and specificity on behalf of the interceptor.) A “U.S. person” refers to a U.S. citizen, a legal resident of the United States, or a corporation or business legally chartered inside the United States.
So the big question everyone wonders is: does the NSA read my e-mail? Based on the public statements of the former director of the National Security Agency, Justice Department attorneys, and others involved in NSA operations—as well as confidential information provided to the authors and verified independently by officials read in to the programs—here is how to tell if the NSA spies on you:
1. If you regularly call people in Afghanistan, Pakistan, or Yemen, your telephone records have probably passed through an NSA computer. Most likely, however, if you’ve been calling rug merchants or relatives, no one at the NSA knew your name. (A computer program sanitizes the actual identifying information.) Depending on the time, date, location, and contextual factors related to the call, a record may not have been created.
2. If you’ve sent an e-mail from an IP address that has been used by bad guys in the past (IP addresses can be spoofed), your e-mail’s metadata—the hidden directions that tell the Internet where to send it (that is, the To and From lines, the subject line, the length, and the type of e-mail) probably passed through a server. The chances of an analyst or a computer actually reading the content of an e-mail are very slim.
3. If you are or were a lawyer for someone formally accused of terrorism, there is a good chance that the NSA has or had—but could not or cannot access (at least not anymore)—your telephone billing records. (N.B.: A Senate Select Committee on Intelligence report notes that the FISA Amendments Act does not require material erroneously collected to be destroyed.)
4. If you work for a member of the “Defense Industrial Base” on sensitive projects and your company uses Verizon and AT&T, your e-mail has likely been screened by NSA computers for malware.
5. Before 2007, if you, as an American citizen, worked overseas in or near a war zone, there is a small chance that you were “collected on” by a civilian NSA analyst or a member of the NSA’s Central Security Service (the name given to the military service elements that make up a large part of the NSA’s workforce).
6. If you, from September 2001 to roughly April 2004, called or sent e-mail to or from regions associated with terrorism and used American Internet companies to do so, your transaction records (again, without identifying information) were likely collected by your telecommunications company and passed to the NSA. The records were then analyzed, and there is a tiny chance that a person or a computer read them or sampled them. The NSA would ask telecommunications companies for tranches of data that correlated to particular communities of interest, and then used a variety of classified and unclassified techniques to predict, based on their analysis, who was likely to be associated with terrorism. This determination required at least one additional and independent extraneous piece of evidence.
7. There is a chance that the NSA passed this data to the FBI for further investigation. There is a small chance that the FBI acted on this information.
8. If you define “collection” in the broadest sense possible, there is a good chance that if the NSA wanted to obtain your transactional information in real time and knew your direct identity (or had a rough idea of who you are), they can do so, provided that they can prove to a FISA judge within seventy-two hours that there is probable cause to believe you are a terrorist or associated with a terrorist organization.
9. If the NSA receives permission from a judge to collect on a corporation or a charity that may be associated with terrorism, and your company, which is entirely separate from the organization in question, happens to share a location with it (either because you’re in the same building or have contracted with the company to share Internet services), there is a chance that the NSA incidentally collects your work e-mail and phone calls. It is very hard for the agency to map IP addresses to their physical locations and to completely segregate parts of corporate telephone networks. When this happens, Congress and the Justice Department are notified, and an NSA internal compliance unit makes a record of the “overcollect.”
10. If any of your communications were accidentally or incidentally collected by the NSA, they probably still exist somewhere, subject to classified minimization requirements. (The main NSA signals-intelligence database is code-named PINWALE.) This is the case even after certain collection activities became illegal with the passage of the 2007 FISA Amendments Act, the governing framework for domestic collection. The act does not require the NSA to destroy the data.
11. If you are of Arab descent and attend a mosque whose imam was linked through degrees of association with Islamic charities considered to be supporters of terrorism, NSA computers probably analyzed metadata from your telephone communications and e-mail.
12. Your data might have been intercepted or collected by Russia, China, or Israel if you traveled to those countries. The FBI has quietly found and removed transmitters from several Washington, D.C.–area cell phone towers that fed all data to wire rooms at foreign embassies.
13. The chances, if you are not a criminal or a terrorist, that an analyst at the NSA listened to one of your telephone conversations or read one of your e-mail messages are infinitesimally small given the technological challenges associated with the program, not to mention the lack of manpower available to sort through your irrelevant communications. If an unintentional collection occurred (an overcollect), it would be deleted and not stored in any database.
What safeguards exist today?
From what we could figure out, only three dozen or so people inside the NSA have the authority to read the content of FISA-derived material, all of which is now subject to a warrant. Can the NSA share FISA product on U.S. persons with other countries? By law it cannot and does not. (The FBI can, and does.) What is the size of the compliance staff that monitors domestic collection? Four or five people, depending on the budget cycle. How many people outside the NSA are privy to the full details of the program? More than one thousand. How can you find out if you’ve been accidentally or incidentally surveilled? You can’t. You can sue, but the government will invoke a state secrets privilege, and judges will probably agree—even when you can prove without any secret evidence that there is probable cause to believe that you were surveilled.
The NSA’s general counsel’s office regularly reviews the “target folders”—the identities of those under surveillance—to make sure the program complied with the instruction to surveil those reasonably assumed to have connections to al-Qaeda. They do this by sampling a number of the folders at random. How do we know the program isn’t expanding right now, pushing the boundaries of legality, spying not just on suspected terrorists but on American dissidents? We don’t. But if it is, and over a thousand people are involved, how much longer can that secret last?
Adapted from Deep State: Inside the Government Secrecy Industry, by Marc Ambinder and D.B. Grady. Grady is a regular contributor to mental_floss.