NSA director addresses Black Hat, says there have been “zero abuses” of data | Ars Technica

But "safeguards" against abuse are based on policy, not technology.

NSA Director General Keith Alexander.

LAS VEGAS—At the Black Hat security conference today, National Security Agency (NSA) Director Keith Alexander defended the NSA's data collection programs and described at a high level what data is collected and how it's used.

His presentation covered two programs, both revealed by Edward Snowden: telephone metadata collection and a program that collects data relating to foreign nationals from the computer industry, of which PRISM is a component. According to Alexander, the phone metadata collection, authorized under FISA section 215, was both limited and tightly controlled. The NSA collects only the time and date of a call, the phone numbers involved in a call, the duration of a call, and the service provider that captured the information. Notably, he said that names, address information, and location information were not captured. Nor was any conversation data collected, such as the contents of voice calls or text messages.

While this data was collected, Alexander said that access to the information was tightly restricted. Free-for-all queries weren't permitted. Instead, numbers had to be individually approved by one of 22 people at the NSA, and only 35 analysts within the agency were authorized to run queries on those numbers. He said that in 2012, fewer than 300 numbers were added to the list.

The NSA can send information about numbers to the FBI. The FBI can then use National Security Letters to demand name and address information from phone companies, and after showing probable cause, the agency can obtain warrants to request data.

The collection of data relating to foreigners was authorized under FISA section 702. Alexander asserted that this plan cannot target any US citizens, regardless of where they are. He also contradicted the claim made by the Guardian newspaper that the NSA has direct access to major technology companies, saying that there's no unilateral access by the US government to the servers of US companies, and that instead, the companies are legally compelled to hand over data.

Justifying all this, Alexander said that terrorists use these communications systems. After the September 11th attacks, the intelligence community was criticized by the 9/11 Commission for failing to connect the dots between fragments of information that had been collected. These programs are the intelligence community's response and have been used to disrupt 54 "terror-related activities," including 13 in the US.

Alexander gave the concrete example of the 2009 subway bombing plot by Najibullah Zazi, a plot previously linked to the PRISM program. Under the section 702 program, the NSA intercepted e-mail communications between Najibullah Zazi and a Pakistani terrorist. Zazi's phone number was then added to the list of authorized phone numbers for the section 215 scheme, and this revealed communication with another phone number. This second phone number was given to the FBI, and the FBI linked it to Adis Medunjanin, a previously unknown co-conspirator.

Alexander's demeanor was sincere throughout. Foreign intelligence saves lives, he said, and he was dismayed that the NSA's reputation was tarnished due to the incomplete information that had been revealed about its activities. He consistently said that he welcomed the discussion with the community about the trade-offs between privacy and security, but he simultaneously argued for secrecy in order to limit the information disclosed to terrorists, apparently ignoring the irony that thanks to this secrecy, any meaningful discussion is impossible anyway.

The audience reaction was mixed. There were a few heckles: Alexander's claim that "We stand for freedom" was swiftly met with a cry of "Bullshit!" from the crowd. When someone demanded that he "read the constitution," Alexander responded with "I have. You should too," which received warm applause.

But overall, his presentation did little to reassure those suspicious of government data collection efforts. Though he said that the FISA court was no mere rubber-stamping operation, the major constraint on misuse of the data was policy. The systems were "100 percent auditable" and the general claimed that there had been "Zero abuses of NSA PRISM, and that's no bullshit." Fundamentally, however, the claim was not that the NSA can't access and abuse this data—it's merely that it doesn't.
