BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

Edit Story

Leaked NSA Doc Says It Can Collect And Keep Your Encrypted Data As Long As It Takes To Crack It

This article is more than 10 years old.

If you use privacy tools, according to the apparent logic of the National Security Agency, it doesn't much matter if you're a foreigner or an American: Your communications are subject to an extra dose of surveillance.

Since 29-year-old systems administrator Edward Snowden began leaking secret documentation of the NSA's broad surveillance programs, the agency has reassured Americans that it doesn't indiscriminately collect their data without a warrant, and that what it does collect is deleted after five years. But according to a document signed by U.S. Attorney General Eric Holder and published Thursday by the Guardian, it seems the NSA is allowed to make ambiguous exceptions for a laundry list of data it gathers from Internet and phone companies. One of those exceptions applies specifically to encrypted information, allowing it to gather the data regardless of its U.S. or foreign origin and to hold it for as long as it takes to crack the data's privacy protections.

The agency can collect and indefinitely keep any information gathered for "cryptanalytic, traffic analysis, or signal exploitation purposes," according to the leaked "minimization procedures" meant to restrict NSA surveillance of Americans. "Such communications can be retained for a period sufficient to allow thorough exploitation and to permit access to data that are, or are reasonably believed likely to become, relevant to a future foreign intelligence requirement," the procedures read.

And one measure of that data's relevance to foreign intelligence? The simple fact that the data is encrypted and that the NSA wants to crack it may be enough to let the agency keep it indefinitely. "In the context of cryptanalytic effort, maintenance of technical data bases requires retention of all communications that are enciphered or reasonably believed to contain secret meaning," the criteria for the exception reads. "Sufficient duration [for retaining the data] may consist of any period of time during which encrypted material is subject to, or of use in, cryptanalysis."

That encryption exception is just one of many outlined in the document, which also allows NSA to give the FBI and other law enforcement any data from an American if it contains "significant foreign intelligence" information or information about a crime that has been or is about to be committed. Americans' data can also be held if it's "involved in the unauthorized disclosure of national security information" or necessary to "assess a communications security vulnerability." Other "inadvertently acquired" data on Americans can be retained up to five years before being deleted.

"Basically we’re in a situation where, if the NSA's filters for distinguishing between domestic and foreign information stink, it gives them carte blanche to review those communications for evidence of crimes that are unrelated to espionage and terrorism," says Kevin Bankston, a director of the Free Expression Project at the Center For Democracy and Technology. "If they don't know where you are, they assume you're not a US person. The default is that your communicatons are unprotected."

All of those exceptions seem to counter recent statements made by NSA and FBI officials who have argued that any collection of Americans' data they perform is strictly limited by the Foreign Intelligence Surveillance Act (FISA) Court, a special judiciary body assigned to oversea the National Security Agency. "We get great oversight by all branches of government," NSA director Alexander said in an on-stage interview at the Aspen Institute last year. "You know I must have been bad when I was a kid. We get supervised by the Defense Department, the Justice Department the White House, by Congress... and by the [FISA] Court. So all branches of government can see that what we're doing is correct."

But the latest leaked document bolsters a claim made by Edward Snowden, the 29-year-old Booz Allen contractor who has leaked a series of top secret NSA documents to the media after taking refuge in Hong Kong. In a live Q&A with the public Monday he argued that NSA analysts often make independent decisions about surveillance of Americans not subject to judicial review. "The reality is that...Americans’ communications are collected and viewed on a daily basis on the certification of an analyst rather than a warrant," Snowden wrote. "They excuse this as 'incidental' collection, but at the end of the day, someone at NSA still has the content of your communications."

However, the leaked document doesn't exactly paint Snowden's picture of a random NSA analyst determining who is surveilled. The guidelines do state that exceptions have to be "specifically" approved by the "Director (or Acting Director) of NSA...in writing."

Just how much actual surveillance the NSA's exception for Americans' encrypted data allows also remains unclear. The Center for Democracy and Technology's Kevin Bankston points out that a previously leaked slide from an NSA presentation makes reference to programs called FAIRVIEW and BLARNEY, which are described as "collection of communications on fiber cables and infrastructure as data flows past."

If the NSA is in fact tapping the Internet's network infrastructure, Thursday's leaked guidelines suggest it might be allowed to collect and retain all data protected with the common Web encryption Secure Sockets Layer, (SSL) used for run-of-the-mill private communications like the Web email offered by Google and Microsoft, social networking services like Twitter and Facebook, and online banking sites. "If they're tapping at the [network] switches and they take full allowance of this ability to retain data, that could mean they're storing an enormous amount of SSL traffic, including things like Gmail traffic," Bankston says.

In other words, privacy advocates may be facing a nasty Catch-22: Fail to encrypt your communications, and they're vulnerable to any eavesdropper's surveillance. But encrypt them, and they become legally subject to eavesdropping by the most powerful surveillance agency in the world.

Follow me on Twitter, and check out my new book, This Machine Kills Secrets: How WikiLeakers, Cypherpunks and Hacktivists Aim To Free The World’s Information.

Also on Forbes: