Writing about the National Security Agency myths is a tough task because the rules are always changing and whole agency is shrouded in secrecy—though in the case of the latter, a good deal less than it once was, thanks in part to its empowerment after 9/11, and because of revelations by Edward Snowden. Anecdotally, when I was in high school (very pre-9/11), I wanted to write a report on the NSA, and when I asked the librarian about it, he ridiculed me, saying scornfully that the NSA was a fake spy agency on TV, and that it didn’t exist in real life. I think the NSA would have approved, but any organization that secret is bound to gather a few urban legends along the way. Here are five myths about the National Security Agency.
“The NSA doesn’t have field agents.”
Compared to the Central Intelligence Agency or the Defense Intelligence Agency, no, the NSA doesn’t have that many field agents. Most of its thirty thousand or so employees work at Ft. Meade, MD. (There are 18,000 parking spaces at its headquarters, and enough office space that four U.S. Capitols could fit inside of it.) Still, the agency does have men and women who work in the field. They belong to the NSA’s Special Collection Service, a group of signals intelligence spies who work jointly with the CIA abroad to penetrate foreign communications networks.
Because the SCS is so secretive, what, precisely they do in the field is likely a moving target. When a hard drive needs to be stolen, that assignment is probably going to go to the CIA’s National Clandestine Service. But things like plugging into embassies overseas, planting antennas to intercept communications, and using state-of-the-art technology in the field to acquire signals are almost certainly jobs for the SCS. Though techniques and procedures change, as of a few years ago, small teams called Special Collection Elements, made up of two-to-five members of the Special Collection Service and National Clandestine Service, rotated into foreign embassies and operated abroad under the guise of business persons.
“The NSA can read your email whenever it wants.”
As a matter of technology, yes, most likely. And if you encrypt your messages, it can hang onto those emails forever, or until the encryption is cracked (see below). NSA software is integrated tightly with telecommunications switches for AT&T and, most likely, other such companies. When the companies aren’t knowingly doing the integration, the NSA does the integration themselves, surreptitiously intercepting routers to targeted facilities and implanting surveillance devices and firmware.
But legally, the NSA needs a lot more than simple ability if they want to start reading your letters to grandma. Section 702 of the Foreign Intelligence Surveillance Act allows the government to surveil non-U.S. persons abroad. Each year, the Department of Justice and the Office of the Director of National Intelligence submit certifications to the Foreign Intelligence Surveillance Court stating the types of intelligence they would like to collect, and the way they will do it that is consistent with the law (i.e., here’s how we will make sure we don’t target Americans). Once the certifications are approved, the government goes to industry and compels them to assist with the surveillance. The court reviews these certifications annually.
That’s the basic legal process at work. In practice, if a non-U.S. person abroad fits the certified surveillance standard (e.g. he likes to make bombs for ISIS), and his communications are found to have foreign intelligence (e.g. he’s corresponding with ISIS about where to send the bombs), his communications can be collected.
So if he happens to email you—say he’s a fan of Game of Thrones, and you begin a robust correspondence on that series’s awful ending—then your email can only be searched in pursuit of foreign intelligence information, or, if the FBI gets involved looking for evidence of a crime. Only the attorney general can authorize the use of information collected under Section 702 in criminal proceedings against U.S. persons.
The upshot is that the NSA doesn’t just type “bomb” into SpyGoogle and start vacuuming up anyone’s emails describing Solo: A Star Wars Story. (Which was mostly a pretty good movie, but don’t get me started on The Force Awakens.) The whole thing is monitored by the court, senior analysts at the agency, and the Department of Justice.
“The NSA keeps massive amounts of information on foreigners… forever!”
Under Presidential Policy Directive 28 and its supplemental guidelines, information gathered from the bulk collection of non-U.S. person data must be related to foreign espionage, terrorism, threats to U.S. military forces, cyber warfare, and transnational criminal threats. In other words, if Cuervo Jones of Guadalajara is caught in the net, but isn’t doing evil, his communications aren’t being used against him for other purposes. Moreover, information collected can only be held for five years. If, however, Cuervo has encrypted his correspondence, that can be held indefinitely. It’s worth noting that the NSA is not allowed to collect trade secrets from foreign companies in order to give U.S. firms a competitive advantage.
“The NSA can break PGP encryption.”
Pretty Good Privacy is a popular encryption standard that uses hashing, compression, and public and private keys for encryption and authentication. (ClearanceJobs previously described how hashing works here.) As of 2014, leaked documents reveal that the NSA was unable to break PGP. A lot has changed in five years, and look, anything is possible, but not that much. As the PGP frequently asked questions document states for a PGP 128-bit encryption: “Let’s say that you had developed a special purpose chip that could try a billion keys per second. This is far beyond anything that could really be developed today. Let’s also say that you could afford to throw a billion such chips at the problem at the same time. It would still require over 10,000,000,000,000 years to try all of the possible 128 bit keys. That is something like a thousand times the age of the known universe!”
“The NSA is spying on me.”
Well… maybe. But probably not. Under Section 215 of the Foreign Intelligence Surveillance Act, the NSA is allowed to build contact chains of telecommunications metadata. Not the calls/emails/etc. themselves—but “call detail records”—information about the contact in question. This year, the NSA stated that it has ended the CDR program. In the old days of building those CDR chains, however, the agency used a method called “hops.” If I am John Terrorist and I appear on the NSA’s radar, the agency can use my call detail records to start looking at the people I call (hop one), and the people they call (hop two). So if I call 10 people, those ten people are now in the NSA’s metadata surveillance crosshairs. Moreover, the people those ten people call are now in the NSA’s web of watchers as well. If each of those people contacted ten people, you’ve now got 101 people being monitored. The NSA is limited to two hops, though previously could go out as far as three hops, which meant that one person could lead to the monitoring of 1001.
So is the NSA spying on you? Even if the agency has secretly restarted the program, it’s still highly unlikely, though if you were an Uber driver and John Terrorist called you to give you directions, it’s possible that you might be in the system. And if you hired a local landscaper to mow your lawn, he or she might be in the net as well. There is no way for you to find out, and nothing you can do if you are. But as a matter of numbers, you’re probably safe. Last year fewer than ten thousand queries of American communications stemmed from this program.
