What's missing in the new NSA report?

Image from

The National Security Agency Civil Liberties and Privacy Office released a congressionally-mandated transparency report on Jan. 15, detailing the implementation of the USA Freedom Act.

In the summer of 2015, President Barack Obama signed the USA FREEDOM ACT of 2015, which required the NSA to stop collecting and storing bulk telephonic metadata of U.S. citizens. With this law, telephone companies store the metadata on their customers, and NSA analysts can query the information under prescribed legal authorities.

To comply with the law, the NSA has changed the way it accesses telephonic metadata -- the information on callers, call recipients, time and place of call and more. The law was intended to promote the privacy of U.S. citizens, while giving the NSA the flexibility to obtain, analyze, and circulate information regarding international terrorist threats. The new report gives an update on the actual implementation of that program, based on the application of eight Fair Information Practice Principles.

Some experts argue that though it clarifies answers to some of the questions, it still leaves more open for debate.

"It leaves more questions than it resolves," Julian Sanchez told FCW. Sanchez,  a senior fellow at the Cato Institute and an expert on surveillance and privacy issues, analyzed the report for the Just Security blog.  

Sanchez noted that the bigger question is on what exactly is going on in the black box -- the NSA's architecture which describes how the agency can query telephonic metadata.

"It does leave some significant question marks about how [NSA] are determining these connections and about how this process works especially when the selectors they are giving the companies is something other than just a phone number," he said.

In the report, the agency claims that, "The government has strengthened privacy safeguards by, among other things, ending the collection of telephone metadata in bulk and having telecommunications providers, pursuant to court orders, hold and query the data."

However, it's that process that concerns Sanchez.

Under the current architecture, the first step is to get the legal internal administrative issues sorted, including court orders and such. After that, the number(s) the NSA receives is fed through their current database, which does not include the previously controversial metadata. Then they go to the carriers (if it's a cell phone number, for example) for the "one-hop" or "two-hop" numbers. ("Hops" is surveillance jargon for the degree of separation from a caller to a target. One hop refers to a number that is in direct contact with a surveillance target; two hops indicate that two numbers are connected by a common contact.)

"One-hop returns from providers are placed in NSA's holdings and become part of subsequent query requests, which are executed on periodic basis. Historical bulk data collected under Section 215 of the USA PATRIOT Act will never be included when querying internal holdings," the report states.

The report, "leaves a lot of questions open about the process by which they are determining the two numbers in contact," Sanchez said.

"NSA is not known for volunteering details," Sanchez said. "This is sort of consistent with their practice in a lot of areas where they'll talk kind of generally how they are doing things...they will not really get into any thorny questions of the other ways targeting your surveillance."

About the Author

Aisha Chowdhry is a former staff writer for FCW.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.