The “Oversight” over NCTC’s Not-Terrorist-Terrorist Database

Back when John Negroponte appointed him to be the Director of National Intelligence’s Civil Liberties Protection Officer, Alexander Joel admitted he had no problem with Cheney’s illegal domestic wiretap program.

When the NSA wiretapping program began, Mr. Joel wasn’t working for the intelligence office, but he says he has reviewed it and finds no problems. The classified nature of the agency’s surveillance work makes it difficult to discuss, but he suggests that fears about what the government might be doing are overblown.

“Although you might have concerns about what might potentially be going on, those potentials are not actually being realized and if you could see what was going on, you would be reassured just like everyone else,” he says.

That should trouble you, because he’s the cornerstone of oversight over the National Counterterrorism Center’s expanded ability to obtain and do pattern analysis on US person data.

The Guidelines describe such oversight to include the following:

  • Periodic spot checks overseen by CLPO to make sure database use complies with Terms and Conditions
  • Periodic reviews to determine whether ongoing use of US person data “remains appropriate”
  • Reporting (the Guidelines don’t say by whom) of any “significant failure” to comply with guidelines; such reports go to the Director of NCTC, the ODNI General Counsel, the CLPO, DOJ (it doesn’t say whom at DOJ), and the IC Inspector General; note, the Guidelines don’t require reporting to the Intelligence Oversight Board, which should get notice of significant failures
  • Annual reports from the Director of NCTC on an (admittedly worthwhile) range of metrics on performance to the Guidelines; this report goes to the CLPO, ODNI General Counsel, the IC IG, and–if she requests it–the Assistant Attorney General for National Security

There are a few reasons to be skeptical of this. First, rather than replicate the audits recently mandated under the PATRIOT Act–in which the DOJ Inspector General develops the metrics, these Guidelines have NCTC develop the metrics themselves. And they’re designed to go to the CLPO, who officially reports to the NCTC head, rather than an IG with some independence.

That is, to a large extent, this oversight consists of NCTC reporting to itself.

Also, note who doesn’t get these reports? Congress. Not even the Intelligence Committees.

One of the only mentions of Congressional Committees comes when describing permissible dissemination of US person data. NCTC can, the Guidelines say, share US person data with “a Congressional Committee to perform its lawful oversight functions, after approval by the ODNI Office of General Counsel.” If Congress has lawful oversight functions, shouldn’t they be heeded whether or not ODNI GC approves?

Then there’s the rather curious treatment of the Privacy and Civil Liberties Oversight Board–what is supposed to be an independent congressionally-approved board representing citizens’ interest in the face of government security claims.  The Guidelines say that if there’s a dispute between agencies over whether NCTC should get a database, the head of the agency objecting may appeal to the DNI, then the NSC and AG, and they, in turn, can consult the PCLOB. The Guidelines also say PCLOB “shall have access to all relevant NCTC records … that it deems relevant to its oversight of NCTC activities.”

And all that might provide an independent check on the mother-of-all-databases. Except that Obama took almost 3 years before he got around to appointing a quorum of people to PCLOB. And in the 3 months since then, the Senate Judiciary Committee hasn’t gotten around to dealing with those nominations. Thus, like the Cybersecurity plans working their way through Congress, the NCTC’s mother-of-all-databases also acknowledges that PCLOB has a legally definable oversight role (really, PCLOB’s role would have been most valuable in the last 18 months when NCTC was putting these Guidelines together). But PCLOB–and therefore its oversight function–doesn’t exist.

There are a lot of reasons this proposal, as implemented, is a bad idea: it doesn’t solve the problem it was implemented to solve (and indeed may well drown the analysts in even more data), it creates a one-stop shop for the theft of US person data.

But just as problematic is the geniuses who designed this in secret didn’t even try to build in any truly independent oversight over this massive intrusion into US person privacy.

Alexander Joel thought that if only people could see what the government was doing with its illegal wiretap program, they wouldn’t mind so much. But this vast new power grab was designed to make sure no one independent will see it, either.

Self-oversight like NCTC has designed here amounts to little more than navel gazing. And how likely will thorough navel gazing be, given that NCTC will be scrutinizing all of our belly-buttons at the same time?

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

20 replies
  1. ferd says:

    Once again, surprisingly few people are commenting on these surveillance threads. People are interested, but afraid, I’m guessing. I know I am.

  2. earlofhuntingdon says:

    With “populating the database” a prime mover, to justify the billions spent on real estate, hardware and whatnot, and the many millions spent on new software to mine and analyze the data, to look for “patterns” of past behavior and to predict future behavior, everything else seems to fall by the wayside like unlucky mustard seeds. Along with those seeds are what’s left of the Bill of Rights, the separation of powers and oversight of the executive by legislative and judicial branches.

    Who wins in that throw the baby out with the bath water scramble? The president, surely, the Pentagon, and the legion of outsourced IT analysis and “security” vendors that now connect like weak mortar the bricks of our military and intelligence communities.

    Who loses? You and I, for sure, and the visibility and accountability that make representative government work. Imagine where we would be now if William Nelson Cromwell (Sullivan & Cromwell, who helped create Panama and steal the Canal; his successor was John Foster Dulles), TR, Mark Hanna, JP Morgan, Rockefeller and their ilk had such unrestrained power.

  3. liberalrob says:

    I’m not afraid. I’m too depressed and disgusted by the whole sorry state of affairs in this country to comment.

    America, home of the free. Sweet land of liberty. Right.

    “Freedom of speech…just watch what you say” has gone from being an album title to being the law of the land.

  4. Ben Franklin says:

    @emptywheel:

    When I hear ‘my plate is full‘ I imagine morsels falling off the edge in a random manner. I understand how easy it is to lose things off the clipboard.

  5. ferd says:

    A “one nuclear incident would destroy democracy and unleash marshall law” rationale for the surveillance is strong and might take a lot of thought and work to overcome, but what’s the rationale for such seemingly sketchy oversight?

  6. emptywheel says:

    One other detail about the oversight. So Joel was appointed–no congressional oversight–by John Negroponte.

    You know–the guy who invented TIA?

  7. MadDog says:

    @ferd: @emptywheel: The absence of meaningful oversight is not a bug, but a feature.

    I think that the vast majority of Congresscritters over the last 10 years of constant GWOT fear-mongering have concluded that burying their collective heads in the sand is politically safer as a re-election or election choice than to stand up for the Constitution and our rights.

    Until masses of innocent Americans are sufficiently harmed by these TIA programs, and make politicians pay for their misdeeds, Congresscritters see no upside in rocking the GWOT Forever boat.

  8. ondelette says:

    I am going to make a pre-emptive request to bmaz that he let me say my piece on this one, please, because we’ve had a round or two, and I have no other forum at this point (I saw Jane Hamsher out someone on FDL and I have committments to people of confidentiality that cannot sustain such behavior, e.g.). I have something to say, in light of Charlie Savage’s article on this subject. His article was disturbing in two ways.

    The first is allowing someone to use the phrase “complex algorithms” and either not explain what they mean or not research and report what they mean. Either the public is sophisticated enough to understand them or they should be: Their democracy is at stake. I for one am sick and tired of people not referring to such algorithms by name. Even “pattern analysis”. That isn’t an algorithm, it’s a subject heading, so what in hell’s name does a prohibition on “pattern analysis” even mean? No lexical searches but link searches are okay? No lexical and link searches but throwing darts at the computer to find out which circuits are live is fine? Print everything out on one line so nobody will see patterns on the page?

    The second is much more disturbing: The assertion by the government that this isn’t a new encroachment because they aren’t gathering anything new.

    “There is a genuine operational need to try to get us into a position where we can make the maximum use of the information the government already has to protect people,” said Robert S. Litt, the general counsel in the office of the Director of National Intelligence,…”

    Except that the assertion made when they passed the FAA was that they could gather everything whatsoever, and they were only searching and seizing when they ran searches on it, so the argument that they already have it is kinda moot. Of course they have it, they argued that having is wasn’t a search. So now they should have to argue hard, in court, before a judge, for every new form of search that they want to do and in Congress for every new extension of their privileges to fuse data or create new minimization schemes.

    This is among the many reasons why it is necessary to protect internet persona. Just like a collection of some of the attributes of real people tied together in a specific way form a persona that has some limited rights in the form of a corporation for the purposes of doing business (we can and should argue about how many rights), a loose or even tight collection of attributes of a real person or real people tied together for a purpose on electronic media must be afforded some form of protection from searches to stop this kind of infringement, or you won’t be able to stop assaults against people who have collections of all data, or access to collections of all data (all in figurative or relative terms).

    And it really doesn’t matter that those persona are ephemeral, the damage that can be done to the real person from which they are derived is real. The NYT has recently carried stories about the chilling of Spring Break due to fears of future employer surveillance, the SF Chronicle has carried a story on job interviewees being demanded of their usernames and passwords to their email and facebook accounts, and the government right now potentially has access to an account of mine which is supposed to be protected from all governments because it has access to my phone lines and uses laser line snapshots to surveil.

    Sorry for the length, but you see the problem. It’s called a Galois connection on an admissible set. Basically an inversion of all the categories you belong to from all the stated and unstated preferences and similarities you’ve ever shown on the web. If Target can use it ad hoc to successfully find pregnant mothers and send them a congratulations card the day of their delivery without ever having them register on their site, the government can use it to link the picture of you at Occupy to your favorite candybar, too. Only they may not be trying to sell you more candybars.

  9. Ben Franklin says:

    @ondelette:

    A long thought, but well thought out. Take comfort in the fact that there are billions of bits of data out there, and it is impossible to follow them all, unless one is highly motivated. You are not a threat. Take care.

  10. Bob Schacht says:

    @ferd: “one nuclear incident would destroy democracy and unleash marshall law”

    Niggling point: The word you were looking for is *martial* law. It’s a common mistake.

    Bob in AZ

  11. emptywheel says:

    @ondelette: Thanks for the comment. In any case, I doubt bmaz will have a problem.

    I agree with you. You give NCTC the databases, and you’ve got a very different level of pattern analysis than you do if NCTC is just calling up State and asking for information.

    There are a lot more problems with it–such as that your assocaitions today may be defined as indicators of terrorism if a 2 degree of association 4 years from now is what is defined–then–as a terrorist.

    I can’t tell whether they’re doing this to cover up past failures or bc they can and need to invent more terrorists to keep the terror industry going.

  12. P J Evans says:

    @ondelette:
    Facebook came out today and said they don’t want employers demanding passwords, and would consider suing. As bad as their privacy protections are, they’re on the right side on this.

  13. ondelette says:

    @emptywheel: One doesn’t want people using things like 2 degrees of association. Recently, someone went back to the guesstimate “6 degrees of freedom” and tried to get a firmer handle on it. The new estimate for internet users is 4.3 degrees of freedom. One might add that the estimate drops again if you restrict to people from big cities. So 2 is quite high to be populating a suspicion database.

    @Ben Franklin — Acknowledged that I am not a threat. Didn’t say I was. But I do have a right to privacy, and I do have the (how do they put it in response?) moral and ethical right to be able to give my word to someone else that I will keep confidentiality and not have that word broached by someone else beyond my control.

    @P J Evans — Big of them. When you’re as so distinctly not part of the solution as Facebook is, you can hardly be considered not part of the problem. The Austrian dude that touched off the firestorm against them in Europe was a nobody. 1122 pages of data collected on him by Facebook. Data can’t be mined if it hasn’t been collected.

  14. John Iacovelli says:

    Great post. But I don’t understand the point about NCTC having only “self oversight.” The oversight is the Office of the Director of National Intelligence (ODNI), though that raises even more questions:

    1. The National Counter Terrorism Center reports to the Office of the Director of National Intelligence (ODNI).

    2. ODNI has penultimate budget responsibility (see http://www.scribillare.com/congress-deletes-two-words-in-the-national-security-act-of-1947/ ), next only to the President, for the “funding of all programs” which are part of the National Intelligence Program (NIP).

    3. The NIP is comprised of the intelligence functions of the following agencies and departments: Central Intelligence Agency, Defense Intelligence Agency, Department of Energy (Office of Intelligence and Counterintelligence), Department of Homeland Security (Office of Intelligence and Analysis), Department of State (Bureau of Intelligence and Research), Department of the Treasury (Office of Intelligence and Analysis), Drug Enforcement Administration (Office of National Security Intelligence), Federal Bureau of Investigation (National Security Branch), National Geospatial-Intelligence Agency, National Reconnaissance Office, National Security Agency/Central Security Service, Office of the Director of National Intelligence, US Air Force, US Army, US Coast Guard, US Marines, US Navy.

    4. The ODNI is charged under the Intelligence Reform and Terrorist Prevention Act (IRTPA) of 2004 with the responsibility to “Oversee the development and implementation of a program management plan for acquisition of major systems, doing so jointly with the Secretary of Defense for DoD programs, that includes cost, schedule, and performance goals and program milestone criteria.”

    This therefore is about executive branch access to any information collected about citizens, for use by ANY of the departments/agencies named in bullet #3 should the ODNI decide to share that information (plus the White House, of course). Given that oversight rests with President Obama and James Clapper (who is said to be thinking of stepping down soon; rumor has it that Petraeus will be considered as a replacement), the quality of the oversight may indeed problemmatical, but it’s not limited to the NCTC only.

  15. P J Evans says:

    @ondelette:
    Yeah, and they’re already waffling on that stand. I’m not one of their fans-and-supporters, since it’s pretty clear that they exist for the purpose of selling demographic data to businesses – and businesses use FB for advertising themselves.

Comments are closed.