Rebecca Richards of the U.S. National Security Agency talks about what the organization is doing to ensure the public knows how civil liberties and privacy factor into its operations.
No discussion about privacy and transparency in the digital age would be complete without engaging in a conversation about one of the largest data collection entities in the world – namely, the U.S. government. And at the center of its data collection activities is the National Security Agency (NSA), which serves both the U.S. Defense Department and the intelligence community by using technical advances and human expertise to protect the cybersecurity of the United States and to break the encrypted codes of foreign adversaries.
What may be surprising to learn is that, for an agency whose charter is to obtain information and keep government secrets, the NSA also lists protecting privacy rights among its stated goals. Established in 2014, the National Security Agency’s Office of Civil Liberties and Privacy was created to ensure that the U.S. public has a greater view into the workings of the agency and the role it plays in collecting information in the defense of the common good, as well as the privacy protections it has incorporated into its operations.
To learn more about what this office does, we spoke with Rebecca Richards, the first Director of Civil Liberties, Privacy, and Transparency at the NSA. Rebecca has held this post since February 2014, following a privacy-related career at the Department of Homeland Security, TRUSTe (an independent non-profit privacy seal program) and the U.S. Department of Commerce. Rebecca shared with us the changes that have occurred as a result of the establishment of her office, the data handling and privacy controls which govern the agency’s actions, and the steps they are taking to help build public trust in the NSA and its mission.
ANSWERS: Can you describe for us what it is that the NSA does?
REBECCA RICHARDS: The NSA has two specific missions. We have a signals intelligence mission, which really is that we use signals intelligence to produce foreign intelligence about our foreign adversaries in order to give a strategic leg up to our policymakers about what our adversaries are thinking. On the flip side of that, we have a cybersecurity mission to ensure that those adversaries aren’t able to get into our Department of Defense or National Security Systems and really ensure that we’re protecting our own technical resources.
ANSWERS: How would you characterize the changes that have occurred within the National Security Agency, now that a Civil Liberties and Privacy Office has been established?
RICHARDS: I’m always excited to talk to people about what we do here at the NSA and how our Civil Liberties, Privacy and Transparency office helps the NSA do its mission. When I started the office four years ago, I came from the Department of Homeland Security and its privacy office. When I came here, the NSA was doing a lot of work in both privacy and civil liberties, but it was in a lot of disparate places throughout the agency. By my coming in and being a direct report to the director and advising the senior leadership team, I brought it up to the forefront to make sure that we were always very consciously thinking about how we were protecting privacy and civil liberties and also thinking about how to implement more transparency so that the public has a better understanding of why America has an NSA.
The change we have seen is really one of increased transparency. I was very impressed with the privacy protections that the NSA had in place, both from a technical perspective as well as a policy perspective and training. But what the NSA didn’t have is a long history of talking about those protections or even really talking with the outside world about what the NSA did. I was struck when I was preparing to interview for this job, that I went on the NSA website at the time and couldn’t really figure out what the NSA did. A lot of what my office has done is to try and bring voice to that.
ANSWERS: What do you think is the most difficult aspect of winning over public trust as a government agency that collects information?
RICHARDS: Public trust is critical to the U.S. government and quite honestly to the NSA’s success. Transparency is really a key to building that trust. I think that’s true in a democracy no matter how we talk about it. The way that I think we’ve tried to really move the conversation forward is to make sure that there are some basic facts about what the NSA does, how we do it, how we follow the rule of law and how we have policies in place to really ensure that we’re doing that. The NSA really conducts those activities in one of the most robust legal and policy frameworks in the world for these types of activities. That’s how it should be, and what we want to really give voice to is talking about what those rules are because they don’t really impact our ability to achieve our mission. In fact, they actually help us do our mission, so that people understand what we’re doing.
I try to remove some of these myths about what the NSA is or isn’t doing. As I look at what we’ve done over the last four years, it’s a nice mixture of different ways of communicating. We’ve issued four different reports on our website on privacy protections for our major national security authorities. Our most recent one was associated with the protections when we disseminate U.S. person information.
We have hosted civil society such as the ACLU and other privacy groups actually inside our building so that they had an opportunity to talk to our leadership. It also gave us the opportunity to hear directly from them about the things that worry them, how we might improve our transparency, and the things they are thinking that maybe we didn’t think about.
We had really robust conversations, and in those conversations what I’ve found is we’ve moved away from people imagining what we’re doing, to really trying to understand what we’re actually doing. They may, and sometimes do, disagree with what that is, but I think that’s a healthy debate, and I think that debate is what makes our democracy great. That’s an important piece of what we’re doing.
In addition to hosting groups here, I participate with the office of the Director of National Intelligence in meeting with large groups of people. We talk about what it is we do and try to dispel some of the myths that people may think of when they think of the NSA.
ANSWERS: How is the NSA ensuring that it is keeping up with technological advances, civil liberties and privacy at a complementary pace?
RICHARDS: One of the things that makes working in the privacy space so exciting is that the law can’t really keep up with all the technological changes; we need to have people at the front lines really thinking about what are the privacy issues as we’re developing that technology. What we have done at the NSA is we’ve developed a civil liberties and privacy assessment process that’s embedded in what the NSA does so that we’re supporting those activities and we’re thinking about them at the very beginning of development. We try to identify those privacy considerations early, resolve them as we go through the process, and really our Civil Liberties and Privacy office is part of the process as people begin to think about new and interesting ways to do our business.
ANSWERS: What kinds of data handling controls does the NSA have in place? What assurances do citizens have that their government is managing sensitive, personal data appropriately and free from abuse?
RICHARDS: The U.S. government framework for protecting privacy is quite robust and has been since the 1970s. We have the Privacy Act of 1974 and that very specifically relates that, unlike in the private sector, we have to have the authority in order to do the collection of any particular type of data. We have to put out a notice in the Federal Register that explains what data we’re collecting, what are the purposes for that collection, how are we going to share that information outside of the agency, how are we going to retain it, how are we actually going to secure it, and then we also, in many instances, have to give access to the individual to that type of information.
We’ve had this framework in place since the 1970s. In 2002 with the passage of the E-Government Act, the Congress updated the approach. It left the Privacy Act in place, but then also created what’s called a privacy impact assessment requirement. The idea was to hit on exactly the issues that you’re seeing in the private sector related to questions such as, do you know what information you are collecting? Have you thought about how you’re handling it? Do you understand the context for that information?
One of the things I worked on extensively when I was at Homeland Security was developing how to write a privacy impact assessment to capture and ensure that we were actually building a framework for properly handling data. I would say that the government has actually been very much ahead of the private sector on this because there is so much regulation in that space for the government.
The government has to have authority to say, “This is why I’m allowed to collect this information.” We don’t just get to go out and say, “Well today I think I’m going to collect everybody’s GPS.” It doesn’t work that way. That construct has meant that within the government space you have a lot of regulations and in many cases more than you would have in the private sector. At the NSA, we have developed and shared with the outside world different ways to do tagging of data to ensure that you do understand where did you get this, what was the provenance of the data and how should it be used.
That’s some of the actual code that NSA has shared with the outside world in trying to help people do a better job in privacy. We continue to be able to do what we do because we demonstrate that we’re able to be compliant with those rules in a very specific way.
ANSWERS: With the GDPR going into enforcement, can you share your perspective on how it correlates with U.S. government privacy protections?
RICHARDS: In the GDPR, its requirement for companies to have a data protection officer built into their operations is actually very similar to how the U.S. government has set itself up for privacy. Within the federal space, I have privacy officer counterparts at various agencies such as the Director of National Intelligence, the Central Intelligence Agency, the Department of Defense, Housing and Urban Development, Health and Human Services, and the Department of Treasury.
Something that is always important to remember is that, as we think about U.S. relations with Europe, the U.S. government still operates under Presidential Policy Directive 28. This directive basically says that when we’re doing signals intelligence related to ordinary activities of non-U.S. persons (including EU citizens), we need to take into account the privacy of all persons and they should be treated with dignity and respect regardless of their nationality. What that really is saying is that we’re thinking about the privacy of not just U.S. citizens in the signals intelligence area, but also those of ordinary citizens of the world.
For additional content concerning the use of personal data in the digital age, be sure to explore the rest of our multimedia series: A new dawn for data privacy and transparency.