NSA’s Rogers Acknowledges Facial Recognition Use in Surveillance, Supports Cyber Information-Sharing Legislation
NSA Director Mike Rogers acknowledged Tuesday that the agency does use facial recognition as part of its surveillance programs. “We use facial recognition as a tool to help us understand these foreign intelligence targets,” he said during a Bloomberg Government cybersecurity event. The NSA doesn’t collect and analyze facial recognition data “on a unilateral basis against U.S. citizens,” but “in a digital age, we will encounter U.S. persons in the wilderness.” The New York Times reported Sunday that the NSA was using facial recognition technology to collect facial data from images transmitted through text messages, emails and other social media. That issue also came up at an NTIA meeting on a facial recognition code of conduct. (See separate report below in this issue.)
Rogers denied that the NSA had any access to databases containing images of U.S. citizens’ faces, including those in states’ department of motor vehicle offices. The NSA’s use of facial recognition complies with restrictions on collection of data on U.S. citizens, and the agency will “stop what we're doing” if it finds a surveillance target has a U.S. connection, Rogers said.
Congress is continuing to debate restricting the NSA’s surveillance capabilities via the USA Freedom Act (HR-3361), which passed the House in late May. That measure was in reaction to former NSA contractor Edward Snowden’s leaks about agency surveillance that began a year ago this month. Rogers said Snowden was “probably not” acting on behalf of Russia or another foreign power when he leaked information on the NSA programs, but he said Snowden “seemed fairly arrogant to me.” But those leaks have aided the U.S.’s foreign enemies and foreign governments may now hold documents Snowden took, Rogers said. Those leaks have also been seen to have impeded progress on cybersecurity legislation in the 113th Congress (CD Jan 6 p2).
The Senate Intelligence Committee is “getting close” to completing work on its bill to enhance cybersecurity information sharing between the federal government and the private sector, said committee Vice Chairman Saxby Chambliss, R-Ga. That bill, known as the Cybersecurity Information Sharing Act in a draft leaked in April (CD April 30 p19), would enhance information sharing in part by allowing for new liability protections for entities that share information with the federal government under certain circumstances. The House passed its own information-sharing bill last year -- the Cyber Intelligence Sharing and Protection Act (HR-624).
Negotiations on the Senate Intelligence bill are currently centered on what level of liability protection entities would receive and under what circumstances an entity would qualify for those protections, Chambliss said. Senate Intelligence is “counting votes” and trying to pacify privacy advocates who have said they have concerns about the bill, he said. The measure has a good chance of passing the committee and making it to the Senate floor because of the bipartisan work that’s gone into creating it, which “rings a bell” for Senate Majority Leader Harry Reid, D-Nev., Chambliss said. The Senate Intelligence bill differs from HR-624, but Chambliss said he’s confident the bills are close enough that leaders of the Senate Intelligence and House Intelligence committees can “bridge that gap quickly” in conference.
Rogers and former FBI Director Robert Mueller said separately that they support cybersecurity information-sharing legislation. As long as legislation includes liability protections for entities that share cyberthreat information with government, it will be “tremendously helpful,” said Mueller, who’s now a partner with WilmerHale. Rogers said he hopes it will not take a “traumatic event” like a “cyber 9/11” to bring cybersecurity fully into public consciousness, noting that 27 percent of Americans have experienced a personal data compromise at some point in the past two years.