It All Started With a Meme
I’m an avid Redditor, though my karma doesn’t show it, and around the time the NSA PRISM story broke, I started seeing this image appear in my feeds:
I’m also the social guy at Backblaze, so I felt it was my duty to post it. After receiving many tweets like, “What’s @Backblaze going to do now that we can just rely on the NSA to keep a backup copy…,” I decided to make a funny quip about how restoring from Backblaze was much easier than from the NSA.
But how much easier is it, really? I decided to find out.
The Right Stuff
In order to “talk” to the NSA or other government agencies who collect or hold data, you need to fill out a Freedom of Information Act (FOIA) request. What is the FOIA? Essentially it requires the federal government to release any requested information unless the release of said information is forbidden by law or executive order. It was intended to give more transparency to the government and let people know information from within large government organizations. FOIA requires agencies to respond to requests within 20 business days after receiving the request (http://www.dhs.gov/foia-processing), which sounds fairly quick, especially for the government. FOIA is only intended for citizens to request information about other things, not themselves. For that, you need to make a Privacy Act request. Unfortunately as per the NSA website for Privacy Act requests, there is no average processing time and the requests are handled on a first-in, first-out basis. Luckily though, you can submit a Privacy Act request via the internet, email, or fax.
The First Attempt
Once I waded through all of the NSA’s websites and requirements for submitting a Privacy Act request, I sent one off via their email submission system. After about a week and a half, I got my response. Nope. The letter that the NSA sent me was well worded, and let me down gently. What it boiled down to was, they could not confirm nor deny that they had any information on me, and confirming or denying whether or not they did could potentially lead to adversaries of the United States knowing the full scope and breadth of the NSA’s ability to collect information, which they simply cannot allow.
“Therefore, your request is denied because the fact of the existence or non-existence of responsive records is a currently and properly classified matter…”
To their credit, they did give me the opportunity to appeal.
The Appeal
Appeal, I did. I was interested in seeing whether or not the first attempt was automated, and if an appeal might warrant a human review. After a month of waiting I received a letter from the NSA stating that the appeal was received and that they had it in the review process. Unfortunately they could not give me an ETA for when the appeal would go through, but they would certainly get back to me once the review of my appeal was completed. It would take a few weeks before I would hear from them again.
Almost exactly a month later I got another letter. This one from the FOIA and Privacy Act Appeal Authority Chief of Staff stating:
“…I have concluded that the appropriate response is to continue to neither confirm nor deny the existence or nonexistence of any intelligence material on you, metadata/call-detail records on you, and/or telephone numbers provided in your request…”
They did give me the option of seeking a judicial review in the United States District Court.
Court? No, Thank You
I don’t think I’ll take things to the next level. After all, this started as somewhat of a joke to see if it was possible to get personal data back from the NSA. Judging by this process, obtaining any information at all from the NSA seems rather difficult, especially if you aren’t willing to go to court over the data. It also helps to know what specific data you want. Since mine was a blanket request, it’s a lot easier to deny than something very specific. Either way, the “NSA Restore Process” is taking far longer than a Backblaze restore would.
