The NSA Hires its First Chief Privacy Officer (CPO)

As the summer of Snowden extends into winter, news comes that the National Security Agency (NSA) has hired Rebecca Richards as its first Chief Privacy Officer.

Ms. Richards, currently deputy chief privacy officer at the Department of Homeland Security, will fill this position, which was first advertised last September after the Obama Administration announced the need for reforms in the NSA’s programs. The White House recognized a clear need to assure the public that “strong oversight and clear protections against abuse” were inherent in its data collection programs, specifically those run by the NSA.

Ms. Richards certainly has her work cut out for her, and we wish her the best as she assumes this very important role. As chief privacy officer for one of the largest “big data” endeavors in history, she will serve as the primary advisor to the NSA to ensure that “privacy and civil liberties are maintained by all of NSA’s missions, programs, policies and technologies.”

The NSA’s Data Collection and Privacy Challenge

One challenge for Richards will be dealing with NSA access to data held by certain third parties – such as commercial data brokers and telephone companies. The NSA – along with other US government agencies – is governed by the 1974 Privacy Act, which applies the Fair Information Privacy Principles (“FIPPs”) to all data collection activities by US government agencies. However, these principles do not extend to data collection by private entities.

The result, which is described in this (incredibly prescient) 2004 paper by UC Berkeley Professor Chris Hoofnagle, is that the NSA has exploited a loophole in the Privacy Act and allowed commercial data brokers to “amass troves of personal information that the government would ordinarily not be allowed to collect.”

Furthermore, such data collection is not subject to the requirements of the FIPPs, because law enforcement and intelligence agencies have special exemptions that limit access, accuracy, and correction rights when the data collection originates with certain private entities (like a commercial data broker).

Most importantly, Richards will have to find a way to curtail those NSA data collection activities that are deemed abusive under the 4th Amendment. As described in this 2007 article, quoting Chris Zoladz, the former CPO of Marriott, CPOs and other privacy professionals “get deeply involved in how information gets repurposed and reused, to make sure it’s done in a way that’s good for customers and for business.”

It’s unclear whether Richards will have the authority to make the necessary changes at the NSA to balance the public’s need for privacy (however that is eventually articulated) against the NSA’s main focus: ensuring our national security.

For instance, Richards will have to choose how transparent the NSA should be regarding its data collection programs. Providing too much information may tip off terrorists, hackers, and others; too little won’t give the public the full picture of whether the NSA’s intelligence gathering activities are abusive to the public trust.

Already, she’s heard from the nation’s chief executive – President Obama – who announced earlier this month that while some modest reforms are imminent, the NSA’s intelligence gathering programs will remain mostly intact when it comes to surveillance of US citizens.

As the President stated in his January 17th speech: “[N]othing that I have learned since indicates that our intelligence community has sought to violate the law or is cavalier about the civil liberties of their fellow citizens.”