The Complex

Questions the NSA Chief Should Be Forced to Answer

National Security Agency chief Gen. Keith Alexander is set to testify before the House intelligence committee Tuesday on the NSA's vast operations to collect the phone and Internet records of millions of people.

Nothing overtly illegal has surfaced - at least not yet -- in the nearly two weeks since NSA's data-collection efforts were leaked to The Guardian and The Washington Post. But there are still all sorts of question marks surrounding the activities that America's digital spies are undertaking on U.S. soil. Here are seven questions we'd like the Representatives to ask tomorrow. 

  • How many times has NSA been granted permission to collect phone and Internet metadata on the entire customer base of American companies? (Or as ACLU lawyer Michelle Richardson put it in an email to Killer Apps: "How the heck did a federal judge agree that literally every phone call in America is ‘relevant' to an investigation? Is there a court opinion discussing this?")
  • The Intelligence Community collects millions of phone records under section 215 of the Patriot Act, which allows the government to ask a Foreign Intelligence Surveillance Act or FISA court to order a business to hand over customer records to federal investigators. What other bulk information does the Intelligence Community collect under section 215? Last week, Sen. Dick Durban revealed that there's been a huge spike in the amount of times U.S. government has requested authority under Section 215 of the Patriot Act to obtain phone records and possibly medical records, tax records, Internet search records and credit card records -- some 212 times last year compared to the 21 such instances in 2009. Furthermore, is it true that you only consider intelligence as being "acquired" if a querey is made about the details of metadata that 215 programs gather ? 
  • What electronic data are collected by intelligence agencies without a warrant on U.S. soil? Does the NSA have "direct access" to tech company servers under the PRISM program, as an official presentation for the system suggested? If so, describe in detail what you mean by "direct access."
  • You said that "dozens" of potential terrorist attacks against the U.S. and its allies have been thwarted by these programs. But the government has only specifically discussed one plot - and that case seemed to be cracked by old-fashioned police work. Which specific terrorist plots on U.S. soil have been foiled by Section 702 (the section of the Patriot Act that allows the government to search content of foreign electronic communications) programs like PRISM? How many have been foiled by the Section 215 surveillance that looks at business records? 
  • Even the government acknowledges that with broad electronic intelligence programs, information on U.S. citizens may be "incidentally" or accidentally collected. How many American's have had the contents of their electronic communications accidentally scooped up?
  • The government is required to minimize information collected about American citizens who are not being investigated for a connection to terrorism. What is done, specifically, with Americans' information that is accidentally collected? What are the minimization procedures and how quickly are they undertaken? 
  • Edward Snowden has claimed that as a fairly low-level contract-employee to NSA he could he could tap into virtually any American's phone call or e-mails. True or false? Who is given access to the electronic intelligence collected under these programs?

While we're at it, we'd like to ask the tech companies like Apple, how on Earth are their legal departments able to quickly analyze through the thousands of government requests to view customer data and determine how to respond? Maybe these tech company CEOs will be the next witnesses as Congress tries to untangle this vast NSA surveillance web.

National Security

Apple: We Give the Government All Kinds of Data . . . To Find Missing Kids

Apple today joined the chorus of tech firms revealing they have given the U.S. government access to data on tens of thousands of customer "accounts and devices." But the tech giant claimed that most of those data dumps have nothing to do with NSA surveillance.

Over a five-month period between December 2012 and May 2013, the California tech giant received 4,000 to 5,000 requests by U.S. law enforcement agencies to view customer involving 9,000 to 10,000 user accounts and devices, according to a statement on its website. The "most common" requests came from police investigating crimes such as robberies, "looking for missing children, trying to locate a patient with Alzheimer's disease or hoping to prevent a suicide."

Still, Apple notes that some of these cases involve "national security matters," meaning intelligence agencies like the NSA are involved.

(The businesses on the receiving end of these government requests are barred from revealing the exact details of the volume of government request, hence the relatively broad statistics provided. Google is trying to change that.)

The disclosure by Apple -- as well as by tech giants Microsoft and Facebook -- reveals just how large the government's surveillance of people's online activities is, even when limited to a small slice of the firm's clients. Apple and the other tech companies are disclosing this information in the wake of news reports that the National Security Agency had "direct access" to customer information on the firm's servers under one such program called PRISM. Keep in mind that PRISM is just one of many NSA programs aimed at collecting all sorts of electronic information, from telephone calls to sharing "digital threat signatures" with Internet service providers around the globe -- all of which is supposed to be aimed at foreign sources not at American citizens.

However, it remains unclear how much data on Americans who are not suspected of having ties to terrorists or involved in law enforcement investigations are accidentally scooped up by agencies like the NSA and what, exactly is done to "minimize" the amount of personal information about Americans that is accidentally collected by intelligence agencies.

In the nearly two weeks since news of PRISM -- the so-called "direct access" program -- emerged, the companies listed on a slideshow provided to The Guardian and The Washington Post by former NSA contractor Edward Snowden, as participating in PRISM have denied giving the government wide-ranging access to their customers' data.

However, the firms may not know they are participating in the program if it relies on data they turn over to the government under the types of law enforcement and national security requests Apple described in its statement.

"The only access [to specific user data] is a fraction of a fraction of a percent," House intelligence committee chair and staunch defender of the National Security Agency's surveillance operations Mike Rogers told reporters last week when discussing the government's access to tech firm's user data under a number of programs designed to collect information on foreign threats to the United States. (In order to access the contents of American's email, NSA is supposed to work with the FBI and request a warrant to do so from a Foreign Intelligence Surveillance Act court.)

Apple goes on to say that it's legal team conducts an evaluation of each request, and "only if appropriate, we retrieve and deliver the narrowest possible set of information to the authorities."

It's also unclear how exactly the tech giants' legal teams manage to quickly sift through the thousands of government requests pouring in to determine which are legal and which ones they should fight.

The company insists that it doesn't "retain" data on iMessage and FaceTime conversations along with customer locations, map searches and Siri queries.

"Conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them" said the statement. Apple cannot decrypt that data. Similarly, we do not store data related to customers' location, Map searches or Siri requests in any identifiable form."

Still, Apple (and therefore the government or a hacker) could, in theory, get to at least some of your "encrypted" data when you store it on Apple's servers. That's because Apple ultimately holds your encryption keys, according to some cryptography experts.

Apple's disclosure comes after Facebook revealed that it received between 9,000 and 10,000 government requests to view user data over the last six months of 2012. Those government requests sought to access information from 18,000 to 19,000 Facebook "user accounts."

Just like the request Apple received, these requests come from everyone from local sheriffs looking for missing children to "a national security official investigating a terrorist threat," according to a statement by Facebook's General Council Ted Ullyot on Friday.

Microsoft also on Friday revealed how much data has been requested by the federal, state and local government entities:

"For the six months ended December 31, 2012, Microsoft received between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders affecting between 31,000 and 32,000 consumer accounts from U.S. governmental entities," said the Seattle-based firm.

Getty Images