NSA shows how to really screw up a PR campaign

I kind of feel sorry for the National Security Agency. It is the U.S. government’s top spy agency. It has an important and mostly secret mission, which means it can’t fully defend itself when it has a public relations problem.

And boy, does it have a public relations problem. After leaks from former NSA contractor Edward Snowden, funneled through the U.K. Guardian and the New York Times, uncovered details about the agency’s PRISM program, the NSA suddenly became every geek’s favorite punching bag. Ordinary citizens might not care about Internet privacy, but the technorati sure do.

Last August, NSA head General Keith Alexander was the T-shirted hero of Def Con, a somewhat lawless hacker gathering in Las Vegas. He promised that the NSA doesn’t keep a file on every American, perhaps telling the literal truth but not exactly disclosing what, in a year’s time, would become widespread knowledge.

This year, he came to Black Hat — the more official, suit-wearing security conference that precedes Def Con by a few days — wearing a uniform and making a strong case for the PRISM program’s limited scope and national-security necessity. He got heckled, but he held his own.

Alexander’s appearance was one part of a three-pronged PR strategy aimed at rehabilitating the NSA by telling more of its story. The other two parts:

• The Obama administration’s Director of National Intelligence released previously classified documents that detailed the rules it says the NSA must follow in order to use data on domestic telephone calls.
• And at the same time, NSA deputy director John Inglis made an appearance in front of the Senate Judiciary Committee to defend the NSA’s plans.

But the best-laid plans of mice and men go oft astray. Just as the NSA was putting this plan into action, another revelation about the NSA hit the Guardian‘s front page. This time, it wasn’t about the tracking of phone metadata through PRISM: It concerned an NSA program called XKeyScore that can monitor pretty much anything you’re doing online, like Googling or Facebook chatting, even if you’re using a virtual private network on other forms of encryption. All this was detailed in a somewhat dated PowerPoint presentation that was published along with the story.

It seems likely that the latest PowerPoint comes from the same source as the PRISM PowerPoint: namely, Snowden. Coincidentally, Snowden received temporary asylum in Russia yesterday, permitting him to leave the international zone within the airport where he’s been holed up for about a month.

(Also coincidentally, the trial of another famous leaker, Bradley Manning, came to an end this week with a series of convictions for espionage that could result in more than 100 years of prison time. Manning’s trial is unrelated to the NSA, but he’s celebrated by many of the same advocates of government transparency and personal privacy who laud Snowden’s leaks.)

Finally, on Thursday came the story by freelance writer Michele Catalano, who detailed a visit from local law enforcement in response, she believes, to recent Google searches she and her family did for pressure cookers, backpacks, and bomb-making instructions.

While Catalano believes her Google searches were the trigger for her visit from law enforcement, and it seems like reasonable if circumstantial evidence to me, it’s important to note that there are other plausible explanations. For example, Declan McCullagh points out, she posted a stock photo of high-powered M-66 firecrackers to her public Facebook page on July 4 this year. Maybe that photo freaked someone out and they reported it to the authorities, who then decided to investigate.

Either way, it’s a disturbing thought: That something you post on Facebook or something you search for on Google could cause three SUVs to materialize in your front yard while six plainclothes police officers fan out to case the joint and ask you a few questions.

Catalano states that the police officers were polite, professional, and their search wasn’t very invasive. But then, she noted, one of them mentioned that they do about 100 such visits a week.

That adds up to more than 5,000 law enforcement visits per year — presumably just in the Long Island area where Catalano lives — many of which may be triggered by little more than your online activities.

How many thousands of investigations are joint terrorism task forces carrying out all around the country? How many people’s homes are being searched as a result of what they do online? And what, precisely, are the online behaviors that are likely to trigger those searches? The NSA answered none of these questions this week.

So yes, people are freaked out.

If the NSA started out this week attempting to control the damage and rehabilitate its reputation for patriotism and usefulness, it failed miserably. The classic advice in damage control — tell it early, tell it all, and tell it yourself — is something the NSA probably can’t do. Instead, it’s fighting a losing war against a rising tide of sentiment against it.

Today it is looking more and more like a spy agency that can’t control its own appetite for information, even if that means targeting Americans and monitoring their most basic online activities.

That’s something that a mere PR campaign can’t fix.