President Obama’s pick to take over the National Security Agency, Vice Admiral Michael Rogers, told Congress that he has no serious reform agenda for the agency except in one area: public relations. The NSA’s main problem, Rogers said in his Senate confirmation hearing on Tuesday, is not the controversial stockpiling of personal data, nor the tactic of subverting encryption standards, but that the agency didn’t effectively communicate its reasons for doing so.
Rogers’ confirmation hearing for his parallel role as the military’s U.S. Cyber Command commander – the NSA post does not require Senate approval – provided a rare opportunity for lawmakers and the public to hear his opinion on privacy, which has been relatively unknown.
“I believe one of the takeaways from the situation over the last few months is that as an intelligence professional…I have to be capable of communicating in a way that highlights what we are doing and why to the greatest extent possible,” Rogers said to the Senate Armed Services Committee.
Rogers spoke only briefly on the NSA’s controversial practice of collecting bulk metadata on individuals. The Privacy and Civil Liberties Oversight Board, an independent review panel, recently found that the way the NSA was collecting metadata did not comply with Patriot Act requirements and was illegal. That suggests changes are coming in the way that the agency either stores or uses metadata; but the form those changes will take has yet to be determined.
Metadata refers to data about data. In addition to Internet data, it includes phone company records about who called whom, at what time, and the duration of the call, but doesn’t include the literal content of the conversation. In June, after former NSA contractor Edward Snowden’s disclosures, Obama defended the metadata collection practice, saying, “No one is listening to your phone calls.”
Yet consumer metadata can reveal plenty. The conversation patterns between two individuals on Facebook can predict the likelihood they will end up in a relationship. Email and communication patterns in an office setting can predict possible quitting. In business, knowing who is calling whom and when can also yield an unfair market advantage, according to experts.
“Suppose the head of Oracle calls the head of a company that Oracle is looking to acquire on a Friday. And after the phone call, both CEOs call their general counsel. That information says that a buyout is going to happen,” computer scientist Susan Landau said at a SXSW privacy panel in Austin, Texas, this week, where Snowden spoke to conferees and the NSA controversy was a hot topic.
Rogers, who currently commands the Navy’s 10th Fleet and U.S. Fleet Cyber Command, said that he supported the president’s January policy directive that proposes a review of the bulk metadata collection process in order to find ways the U.S. can more easily collect more specific data, but doesn’t call for the end of the practice. “Within one year… the [Director of National Intelligence], in coordination with the heads of relevant elements of the [intelligence community] and [Office of Science and Technology Policy], shall provide me with a report assessing the feasibility of creating software that would allow the [intelligence community] more easily to conduct targeted information acquisition rather than bulk collection.”
When asked by Sen. Ted Cruz, R-Tex., if the U.S. should continue the practice of using consumer metadata, Rogers said, “I believe we can still do this in a way that ensures the protection of our citizens while also providing us insights that generate value.”
The research firm IDC says we are likely to generate as much as 50 times as much data in the year 2020 as we do today, already on the order of 1.8 million megabytes a year. This data won’t just be limited to how we talk or stream entertainment, our primary data generating activities today, but also how we interact with the increasingly computerized world around us. Future metadata could include information on how often we use smart appliances like Internet-connected refrigerators, when we activate smart thermostats, even the functioning of Wi-Fi enabled pacemakers. All of the digital exchanges that interconnected machines create when trying to provide us with services fall under the broad category of metadata.
Obama’s January directive opens up the possibility of third parties such as telephone companies and Internet service providers maintaining metadata stockpiles, rather than the government holding all that data at not-so-secret facilities. These third parties would then give the government access to portions of that data on the basis of specific requests.
Carriers like AT&T already hold and use customer data for marketing. But relying on phone companies to maintain customer data for possible future government investigations isn’t a popular idea among technologists. Landau called the scheme “a security nightmare.” She says that although AT&T “has kept that data for decades…these days, that data is much less secure.”
Privacy advocates continue to dismiss the president’s reform efforts as lackluster, rejecting the notion of a single presidential policy directive as an effective accountability measure. “The problem with presidential directives is that the president can issue a second directive,” Cato scholar Julian Sanchez said at SXSW on Saturday.
Bulk data collection is only one of the many controversial NSA activities that the Snowden leaks have revealed. Another is the federal government’s bypassing of the encrypted security features of services like Google and Yahoo to intercept data, part of the agency’s so-called MUSCULAR program. Ironically, NSA infiltration of services like Yahoo, and Snowden’s disclosure of those vulnerabilities, have prompted Silicon Valley players to improve their encrypted firewalls.
“The advancements in crypto over the last six months have been massive,” said Matthew Prince, CEO of the company CloudFlare, at a SXSW panel.
For many in the privacy and the technology community, the MUSCULAR program represents a particularly stinging insult. One aspect of the program involved the systematic weakening of encryption standards so that the NSA could break into more networks and systems via backdoors.
“This points to a serious internal mission/goals conflict. After all, the [United States Government] is supposed to be for cybersecurity. U.S. policy regularly calls on everyone to do a better job of securing devices and networks. And yet the NSA actually weakens crypto and exploits vulnerabilities when it could be trying to get everyone to fix them,” Electronic Frontier Foundation senior staff attorney Lee Tien told Defense One.
In his confirmation hearing, Rogers mentioned Snowden by name only twice, to demur on further comment about him. The admiral did argue that Snowden’s disclosures had harmed the agency, its mission and national security.
Snowden, meanwhile, has been more actively participating in public events. He remotely attended SXSW on Monday to great fanfare. Of perhaps greater concern for U.S. lawmakers, Snowden also recently appeared before the European Parliament to offer public testimony on NSA surveillance of European targets and other sensitive activities. Snowden discussed the MUSCULAR program, though he did not mention it by name, stating that “the intentional weakening of the common security standards upon which we all rely is an action taken against the public good.” He also discussed his reasons for making his disclosures and argued for more oversight of the agency.
“Better oversight could have prevented the mistakes that brought us to this point, as could an understanding that defense is always more important than offense when it comes to matters of national intelligence.”
Rogers gave no indication in his testimony that he’s interested in additional congressional oversight.