The NSA Should Delete Its Trove of Data on Americans

It cannot reliably protect even its most closely guarded secrets from adversaries. There is no reason to trust it to store years of details about private citizens’ communications, too.

The NSA data center in Bluffdale, Utah, seen from a distance, with mountains in the background
The NSA data center in Bluffdale, Utah (George Frey / Reuters)

Fifteen months ago, a group called the Shadow Brokers began to taunt the National Security Agency with proof of an extraordinary breach: By unknown means, operatives had infiltrated its operations and stolen its most potent cyber weapons. Developed by the U.S. government to penetrate or attack adversaries, those weapons were then used to attack millions of innocents worldwide.

Future attacks are “all but certain,” The New York Times reported while revisiting the matter over the weekend, yet the NSA still doesn’t know exactly what was taken, or whether its defenses were breached by an outside hacker or an insider.

Some fear a mole remains inside the intelligence agency even today.

“The leaks have renewed a debate over whether the NSA should be permitted to stockpile vulnerabilities it discovers in commercial software to use for spying rather than immediately alert software makers so the holes can be plugged,” the Times wrote. “The agency claims it has shared with the industry more than 90 [percent] of flaws it has found, reserving only the most valuable for its own hackers. But if it can’t keep those from leaking, as the last year has demonstrated, the damage to businesses and ordinary computer users can be colossal.”

* * *

Software vulnerabilities aren’t the only thing that the NSA stockpiles. Four years ago, the American public learned that the agency hoovers up metadata pertaining to the private communications of most every adult in this country.

After the Edward Snowden leaks, the Obama administration insisted that the costs of collecting and storing metadata on phone calls, texts, and emails was outweighed by the benefits. Sure, the trove that the government was amassing indicated countless sensitive calls, like those to abortion clinics, suicide hotlines, and oncologists; and it could expose a person’s entire web of acquaintances.

But procedural safeguards would prevent violations of privacy, NSA defenders insisted. NSA analysts wouldn’t enjoy unfettered access to the entire haul. Rather, they would be permitted to submit discrete queries, like a phone number found in a terrorist safe house. And if their database in fact contained information on that target, they’d still be limited by a constraint that they could only look at other phone numbers within two or three “hops” of the target.

NSA critics challenged the accuracy and adequacy of the safeguards, as well as the government’s underlying presumption: that an American’s privacy wasn’t in fact impinged upon if the government merely gathered and stored information about their communications, so long as no one subsequently looked at it.

A different concern was scarcely broached: What if the U.S. government never itself abused the system it built, but failed to safeguard its contents?

The likelihood of the trove’s eventual theft strikes me as significant (and that is assuming that a foreign government or group of hackers hasn’t already gotten any of it). The NSA failed to stop Snowden from taking some of its most closely held secrets. It failed to stop the Shadow Brokers from taking some of its most closely held cyber weapons and deploying them against innocents, including Americans. Why expect it to successfully safeguard its most closely held trove of metadata?

Per the Times, “NSA employees say that with thousands of employees pouring in and out of the gates, and the ability to store a library’s worth of data in a device that can fit on a key ring, it is impossible to prevent people from walking out with secrets.”

According to the report, after the NSA’s stockpile of offensive weapons leaked, the consequences included the following:

Millions of people saw their computers shut down by ransomware, with demands for payments in digital currency to have their access restored. Tens of thousands of employees at Mondelez International, the maker of Oreo cookies, had their data completely wiped. FedEx reported that an attack on a European subsidiary had halted deliveries and cost $300 million. Hospitals in Pennsylvania, Britain, and Indonesia had to turn away patients. The attacks disrupted production at a car plant in France, an oil company in Brazil, and a chocolate factory in Tasmania, among thousands of enterprises affected worldwide. American officials had to explain to close allies—and to business leaders in the United States—how cyber weapons developed at Fort Meade in Maryland came to be used against them.

Now consider the potential costs and consequences if the NSA’s stockpile of metadata on American citizens were to be breached by hackers or stolen by an insider, and then come under the control of Russia or China or North Korea or terrorists.

Chaos-loving Russian trolls could take to Facebook, Twitter, and Reddit to post phone numbers of millions who called abortion clinics, addiction and suicide hotlines, and tip lines to anonymously report crime to the FBI or local cops. China’s government could map the business networks of American corporations expected to be in high-stakes economic competition with Chinese firms. I’ll refrain from giving terrorists specific ideas about how they might exploit such information, but I can think of several frightening ways off the top of my head.

To collect and store all this information about U.S. citizens in one place would create a vulnerability even if it was protected by bureaucrats with a good record of data security.

To keep it in the hands of the NSA, given its track record, is folly. All data the NSA retains on Americans should be erased now before it falls into the wrong hands. And Congress should pass data-retention laws that force categories of private corporations, which are often even less capable of safeguarding the data that they amass, to purge whole categories of sensitive information at regular intervals. How many breaches must we witness to give up on securing and start deleting?