NSA Strategy 2012-16: Outsourcing Compliance to Algorithms, and What to Do About It

Over the weekend, two new NSA documents revealed a confident NSA SIGINT strategy for the coming years and a vast increase of NSA-malware infected networks across the globe. The excellent reporting overlooked one crucial development: constitutional compliance will increasingly be outsourced to algorithms. Meaningful oversight of intelligence practises must address this, or face collateral constitutional damage.

The New York Times revealed the NSA SIGINT strategy for 2012-2016, while Dutch daily NRC [English] provided more facts about the Boundless Informant program. Both reports have been re-reported and re-tweeted extensively, so I won’t waste your precious time repeating that the NSA thinks we live in a  golden age of surveillance and reflects on mastering global communications, aggressively increasing legal authorities and how to further break encryption (probably HTTPS) – which again seems to work against dragnet surveillance. Or that the NSA has infected 50.000 networks around the world with malicious code that it can activate remotely, while seeking to expand to 85.000 networks anytime soon.

One aspect I haven’t seen in the media reports so far is highly relevant for the legislative proposals seeking to improve oversight on intelligence gathering. Consider these strategic objectives for 2012-16 [pdf]:

4.2. (U//FOUO) Build compliance into systems and tools to ensure the workforce operates within the law and without worry

5.2. (U//FOUO) Build into systems and tools, features that enable and automate end-to-end value-based assessment of SIGINT products and services

Compliance and value-assessment are to be outsourced to algorithms. For the NSA the way forward to surveillance ‘without worry’. Not for the rest of us.

The minimization procedures supposed to protect US citizens against bulk surveillance were based on a rather flakey assumption of 51% ‘foreignness’, as the NSA put it. Such algorithmic compliance probably got the go-ahead from the FISA court without proper inspection of the code, which may have resulted in mass spying on millions of Americans. The NSA held that its surveillance programs had been authorized by the Court, so why are people worrying?

Ed Felten wrote about software transparency before on this blog. That concept helps to think about the new kind of legal oversight needed for 21st century intelligence gathering. Technical experts need to inspect algorithmic compliance mechanisms, advise judges and technically vet their constitutional assessment. This is hard, and needs more thought, but a strong combination of technical and legal analysis is the only way to render oversight on intelligence practises and minimization procedures meaningful going forward.

I have argued before that surveillance based on nationality is not in the interest of Americans. Regardless of what Washington makes of that message, I haven’t seen the maxim of legal and technical oversight in any of the current legislative proposals to limit the intelligence reach of the NSA. Especially when the NSA delegates compliance to algorithms, failure to have a kind of software transparency for compliance equals near-certain collateral constitutional damage.

Leave a Reply

Your email address will not be published. Required fields are marked *