Restoring Data From the NSA

blog-sad-yev-text

It All Started With a Meme

I’m an avid Redditor, though my karma doesn’t show it, and around the time the NSA PRISM story broke, I started seeing this image appear in my feeds:

nsadata

I’m also the social guy at Backblaze, so I felt it was my duty to post it. After receiving many tweets like, “What’s @Backblaze going to do now that we can just rely on the NSA to keep a backup copy…,” I decided to make a funny quip about how restoring from Backblaze was much easier than from the NSA.

But how much easier is it, really? I decided to find out.

I started my quest with my personal data, to find out what information the NSA has on me, if any. To find your data with Backblaze you simply log in with a web browser. To find your data with the NSA you fill out forms. But as it turns out, simply finding out whether or not the NSA even has any of your data is the hardest part.

The Right Stuff

In order to “talk” to the NSA or other government agencies who collect or hold data, you need to fill out a Freedom of Information Act (FOIA) request. What is the FOIA? Essentially it requires the federal government to release any requested information unless the release of said information is forbidden by law or executive order. It was intended to give more transparency to the government and let people know information from within large government organizations. FOIA requires agencies to respond to requests within 20 business days after receiving the request (http://www.dhs.gov/foia-processing), which sounds fairly quick, especially for the government. FOIA is only intended for citizens to request information about other things, not themselves. For that, you need to make a Privacy Act request. Unfortunately as per the NSA website for Privacy Act requests, there is no average processing time and the requests are handled on a first-in, first-out basis. Luckily though, you can submit a Privacy Act request via the internet, email, or fax.

The First Attempt

Once I waded through all of the NSA’s websites and requirements for submitting a Privacy Act request, I sent one off via their email submission system. After about a week and a half, I got my response. Nope. The letter that the NSA sent me was well worded, and let me down gently. What it boiled down to was, they could not confirm nor deny that they had any information on me, and confirming or denying whether or not they did could potentially lead to adversaries of the United States knowing the full scope and breadth of the NSA’s ability to collect information, which they simply cannot allow.

“Therefore, your request is denied because the fact of the existence or non-existence of responsive records is a currently and properly classified matter…”

To their credit, they did give me the opportunity to appeal.

The Appeal

Appeal, I did. I was interested in seeing whether or not the first attempt was automated, and if an appeal might warrant a human review. After a month of waiting I received a letter from the NSA stating that the appeal was received and that they had it in the review process. Unfortunately they could not give me an ETA for when the appeal would go through, but they would certainly get back to me once the review of my appeal was completed. It would take a few weeks before I would hear from them again.

nsa_lots_of_appeals

Almost exactly a month later I got another letter. This one from the FOIA and Privacy Act Appeal Authority Chief of Staff stating:

“…I have concluded that the appropriate response is to continue to neither confirm nor deny the existence or nonexistence of any intelligence material on you, metadata/call-detail records on you, and/or telephone numbers provided in your request…”

They did give me the option of seeking a judicial review in the United States District Court.

nsa_court

Court? No, Thank You

I don’t think I’ll take things to the next level. After all, this started as somewhat of a joke to see if it was possible to get personal data back from the NSA. Judging by this process, obtaining any information at all from the NSA seems rather difficult, especially if you aren’t willing to go to court over the data. It also helps to know what specific data you want. Since mine was a blanket request, it’s a lot easier to deny than something very specific. Either way, the “NSA Restore Process” is taking far longer than a Backblaze restore would.

About Yev

Yev Pusin is the senior director of Marketing and sometimes Marketing chief of staff at Backblaze, which he joined in 2011. Yev has a degree in business and communications from the University of Iowa, where he developed an alliteration affinity. Yev enjoys writing in an amusing way about the "why" of things and how decisions are made, so that readers can learn and be entertained all at once. Follow Yev on: Twitter: @YevP | LinkedIn: Yev Pusin