The National Security Agency’s collection of phone records and Internet data from U.S. companies provides a model for other nations, the agency’s director, General Keith Alexander, said today at a prominent computer security conference in Las Vegas.
In his most public appearance since leaked documents revealed the existence of such large-scale surveillance programs, Alexander gave new details about how access to the collected data is controlled within the NSA. Those measures, combined with oversight from Congress and the courts, provide strong protections against abuses, he said. “The assumption is that people are just out there wheeling and dealing, and nothing could be further from the truth,” said Alexander. “I think this is a standard for other countries.” Alexander gave the opening keynote at the Black Hat computer security conference.
Public and political opinion on the NSA’s activities is generally unfavorable after leaks showed how existing laws were being used to enable the collection of data on a previously unimagined scale (see “NSA Surveillance Reflects a Broader Interpretation of the Patriot Act” and “Microsoft’s Surveillance Collaboration”).
Alexander sought to alter that perception a little. Before a particular phone number can be added to a list used to search the NSA’s database of U.S. call records, he said, approval must be given by one of only 22 people inside the agency authorized to give it. Once approval is granted, only 35 analysts at the NSA are authorized to run queries, he added, noting that in 2012, only 300 phone numbers were approved for searches of the call-record database, and 12 reports to the FBI, containing fewer than 500 further numbers for investigation, resulted.
Alexander said less about how access to e-mails and other data collected from Google, Facebook, Microsoft, and other U.S. Internet companies is controlled, but he implied that similar protections are in place. The NSA has “auditing” technology that records everything people with access to the surveillance databases do, he said, so anyone acting suspiciously would be caught. “Our auditing tools would detect them and they would be found accountable, and they know that.”
Alexander mentioned several times that the relevant law allows access to the phone and Internet data troves only in pursuit of foreign intelligence. He made no mention of a leak published today by British newspaper The Guardian about a system called XKeyscore, apparently used to search e-mails and online postings collected worldwide.
Alexander’s claims seem to clash with one made by Edward Snowden, who leaked material about the two surveillance programs in June. After coming forward, Snowden said that although he was not a senior analyst, he could easily “wiretap anyone, from you or your accountant, to a federal judge or even the president, if I had a personal e-mail.”
Alexander repeatedly stated that the NSA’s surveillance efforts were motivated by the need to combat terrorism, and he said his phone and Internet data programs had “disrupted 54 terrorist activities,” 13 of them on U.S. soil.
Against that background, argued Alexander, the NSA’s surveillance programs were necessary, and weakening it in an attempt to defend civil liberties would be counterproductive. “If those attacks were successfully executed, what would that mean for our civil liberties and privacy?” he asked.
Speaking to the media after Alexander’s keynote, Jeff Moss, a hacker and founder of the Black Hat conference, welcomed the NSA director’s willingness to talk publicly and provide some new—if small—details about how the programs operate.
“Because the details of these programs are classified, we need to get as much out of this debate as possible,” while public attention is still focused on the NSA, said Moss, who is also known as the Dark Tangent. The more that can be learned about the NSA’s programs, the more likely it is that better oversights will be developed, he said: “Maybe we can come up with something technologically that can do this but doesn’t compromise privacy.”
Moss caused controversy earlier this month when he reacted to news of the NSA’s large-scale surveillance by suggesting that government workers—“feds”—stay away from the Def Con hackers conference, another event he founded, which takes place in Las Vegas immediately after Black Hat.
That means Alexander is unlikely to show at Def Con this year, despite giving the keynote in 2012 at Moss’s invitation. For that talk, Alexander eschewed the uniform he wore today, sporting a T-shirt and faded jeans as he exhorted the assembled hackers to consider working for the NSA.
Ironically enough, in that 2012 speech Alexander said that the NSA was unable to access enough data on online activity to protect against attacks on financial markets and energy infrastructure (see “NSA Boss Wants More Control Over the Net”), a claim that now appears in a different light. “We do not sit around our country and look in” to the Internet, Alexander said in that speech.