So far this week we have looked at two of the three main components of the NSA’s surveillance system: how the NSA collects raw data from fiber optic cables and uses that to build an index of “metadata” that maps nearly all communications in the country going back to 2001 and how they enlist private companies as data distilleries holding and processing the contents of our domestic data. Today we will finish looking at the functional elements of the NSA system with a look at how government agencies at home and abroad partner with the NSA, skirting all effective data protection regulations as a result.

Sharing is caring

The NSA is a single government agency. It may be the "largest, most covert, and potentially most intrusive intelligence agency ever" and it may sit at the center of the global communications network, but it is still just one agency and it has limits. They are still somewhat prohibited from directly targeting US citizens, which is the only factor limiting which domestic fiber optic cables they can tap into with splitter prisms. They also lack domestic access to the 7.25% of global internet traffic that does not pass through the US during transmission. The essential allies for overcoming these obstacles are other government agencies, both those at home and abroad.

At home the NSA cooperates directly with numerous government agencies, most importantly the CIA, FBI, and the little known National Counter Terrorism Center (NCTC). In addition to sharing expertise, connections, and personnel resources, when these agencies work together they also benefit by skirting around laws designed to control just where they can operate. The NSA’s intelligence gathering is limited by law to foreign communications. In order to collect and store the phone records of purely domestic phone calls, as we can now confirm they are doing, someone other than the NSA must do the collection. In the case of phone records, the FBI is the one actually requesting records from the phone companies. The same is true of PRISM requests for internet communications. In all cases the NSA is the one who stores and analyzes the data; the intermediary agencies are used as legal cover. The reason for this game of digital hot potato is that data that is lawfully obtained by the government becomes fair game for other parts of the government to search. So, once the FBI has obtained everyone’s phone records the NSA no longer feels that the legal prohibitions on collecting data about US citizens apply.

Making it easier for different government agencies to exchange information was one of the main reasons for creating the NCTC in 2003. Initially this information was limited. Information about US citizens who were not suspected of any crime could be included but could not be kept for longer than 180 days. Then in press release last march the Attorney General changed that from 180 days to five full years. Perhaps unsurprisingly this is the same length of time the NSA keeps such data on citizens. This one government partnership alone is a significant expansion of the NSA’s surveillance system. The NCTC brings access to all Federal databases including flight records, financial forms submitted by people seeking federally backed mortgages, the health records of people who sought treatment at Veterans Administration hospitals and many others. The only restriction on what databases the NCTC may keep is that they must be “reasonably believed” to contain “terrorism information.” With databases this large it seems reasonable to believe they contain everything.

When foreign governments cooperate in surveillance even these trivial restrictions fade away. Just as we place no restrictions on what the NSA may do with information about non-US citizens, other governments place no restrictions on what their spy agencies can do with information about US citizens. Theoretically then it would be possible for two nations to spy on each other and then exchange information, much like strangers on a train. By accident or by design, this is much what happens with the British intelligence agency GCHQ, who we help access more than 200 fiber optic cables. In return we gain access to the processed metadata they collect. Any data we wish to share with them can be done through the NCTC. The only difference between our two programs is how long we each keep data. While we keep information on our citizens for up to five years the UK government only stores information on their subjects for a maximum of 30 days.

Tomorrow we will put all these pieces into context and draw some conclusions about what these components mean for the surveillance system as a whole: Part 4 – The End.

Update July 8: We learned over the weekend more details about the GCHQ cable tapping and have now have information about how the Australian and other close international partners operate their own social monitoring stations. The geographical diversity of these partner nations means that nearly all of the undersea fiber optic cables that tie the internet together are open to unregulated monitoring by one of our partners. As other nations build their communication storage capacities to match our own this means it will be legally and architecturally possible for this small group of democratic governments to access complete records of all internet communications. As long as nations only store information about each other’s citizens, no domestic surveillance laws will be triggered. As long as the records are complete, each nation will know that any information about their own citizens they wish to access at a later date can be simply requested from a partner.