April 24, 2017

NSA Strategy 2012-16: Outsourcing Compliance to Algorithms, and What to Do About It

Over the weekend, two new NSA documents revealed a confident NSA SIGINT strategy for the coming years and a vast increase of NSA-malware infected networks across the globe. The excellent reporting overlooked one crucial development: constitutional compliance will increasingly be outsourced to algorithms. Meaningful oversight of intelligence practises must address this, or face collateral constitutional damage.

The New York Times revealed the NSA SIGINT strategy for 2012-2016, while Dutch daily NRC [English] provided more facts about the Boundless Informant program. Both reports have been re-reported and re-tweeted extensively, so I won’t waste your precious time repeating that the NSA thinks we live in a  golden age of surveillance and reflects on mastering global communications, aggressively increasing legal authorities and how to further break encryption (probably HTTPS) – which again seems to work against dragnet surveillance. Or that the NSA has infected 50.000 networks around the world with malicious code that it can activate remotely, while seeking to expand to 85.000 networks anytime soon.

One aspect I haven’t seen in the media reports so far is highly relevant for the legislative proposals seeking to improve oversight on intelligence gathering. Consider these strategic objectives for 2012-16 [pdf]:

4.2. (U//FOUO) Build compliance into systems and tools to ensure the workforce operates within the law and without worry

5.2. (U//FOUO) Build into systems and tools, features that enable and automate end-to-end value-based assessment of SIGINT products and services

Compliance and value-assessment are to be outsourced to algorithms. For the NSA the way forward to surveillance ‘without worry’. Not for the rest of us.

The minimization procedures supposed to protect US citizens against bulk surveillance were based on a rather flakey assumption of 51% ‘foreignness’, as the NSA put it. Such algorithmic compliance probably got the go-ahead from the FISA court without proper inspection of the code, which may have resulted in mass spying on millions of Americans. The NSA held that its surveillance programs had been authorized by the Court, so why are people worrying?

Ed Felten wrote about software transparency before on this blog. That concept helps to think about the new kind of legal oversight needed for 21st century intelligence gathering. Technical experts need to inspect algorithmic compliance mechanisms, advise judges and technically vet their constitutional assessment. This is hard, and needs more thought, but a strong combination of technical and legal analysis is the only way to render oversight on intelligence practises and minimization procedures meaningful going forward.

I have argued before that surveillance based on nationality is not in the interest of Americans. Regardless of what Washington makes of that message, I haven’t seen the maxim of legal and technical oversight in any of the current legislative proposals to limit the intelligence reach of the NSA. Especially when the NSA delegates compliance to algorithms, failure to have a kind of software transparency for compliance equals near-certain collateral constitutional damage.


  1. Martin G Smith says:

    My solution to the NSA [No Such Agency] is to put them in a position where they engender riotous [Are we still allowed to use that word?] laughter. My assessment is, in keeping with their need to collect ‘A lot of dots’ in order to complete a picture is all one needs to do is saunter between the dots and get through.

    The fact is, the Monolith in Maryland is really not all that good at what they do, using the perception of competence as their primary weapon. ‘You have to be scared of us, we’re the NSA’

    We recently dealt with another US institution with a similar affliction on the purchase of a specific piece of assessment equipment. It was on the restricted list because a unit was found in a war zone in the possession of a combatant. Turns out it had been legitimately purchased in-country from the company’s representative, two years previous. After some laughter, and no admission of error by the department in question, the restrictions were quietly lifted.

    Martin G. Smith

  2. And that is the problem Martin, they are not as good as they think they are, because implementing this task is so monumentally huge only a power monger would request it is done.

    And practically pointless, for anyone with real intentions of disturbing national security would surely use a layered proprietary system among the almost limitless ways of implementing stenography, to mention also that every subversive step they take will be counter acted at a later stage in the ever changing mathematical landscape.

    So lets just forget that its for national security reasons, they just want to police everything.
    And in that effort they are deeply undermining the integrity of data which poses a massive threat to everyone and all commercial enterprise,

    But it is not just their ability to act on information through initial confidence of its integrity as with your example that is concerning, it is the inevitable slide of when the policing becomes limitless control, the fear of their technology being used by the very people they claim to be protecting us from and the dystopian future faced by my children.

    Pen and paper is currently about the only solution to the NSA,
    Does it not seem a ludicrous violation of basic rights if they where to open every letter, copy it and thoroughly analyse it to build up a trending profile?
    Well that is exactly whats happening digitally … where did it all go wrong.