Analysis of NSA Overreach

Overreach by the US National Security Agency:  A Partial Explanation

by Elliott Morss, Morss Global Finance

US citizens and their politicians are troubled by the extent of NSA’s data collection efforts reported by Edward Snowden. It has put the National Security Agency on the defensive and has generated a heated debate on the trade-offs between personal privacy and national security.

One critical issue appears to have been completely ignored in this debate: was it just lax controls that led to the overreach or was something more fundamental at play? Something more fundamental was at play: efforts by government agencies to collect “too much information” are not new. There is a long history of these activities and an extensive literature on them going back to Machiavelli[1] and Weber[2]. Machiavelli focused on the drive for power while Weber articulated how power was exercised in the bureaucratic dynamics of large organizations.

“Secrecy in bureaucracies” is an important sub-set in these extensive writings. I quote from Arthur Schlesinger[3]:

“As societies grew more complex, government grew more powerful. The instinct of bureaucracy, as Max Weber pointed out, was to ‘increase the superiority of the professionally informed by keeping their knowledge and intentions secret’. The concept of ‘official secret’ was ‘the specific invention of bureaucracy’ and officials defended nothing so emphatically as their secrets. Involvement in foreign affairs strengthened the addiction.”

This article reviews this literature and suggests what can be done to keep government data collection in check. It draws on my past experience working with the Commission on Federal Paperwork and the book I later co-authored with Robert R. Rich, Government Information Management: A Counter-Report of the Commission on Federal Paperwork.

The NSA Mandate

Executive Order 12333, originally issued 4 December 1981, delineates the NSA’s roles and responsibilities. In part, NSA is charged to:

  • Collect (including through clandestine means), process, analyze, produce, and disseminate signals intelligence information and data for foreign intelligence and counterintelligence purposes to support national and departmental missions;
  • Act as the National Manager for National Security Systems as established in law and policy, and in this capacity be responsible to the Secretary of Defense and to the Director, National Intelligence;
  • Prescribe security regulations covering operating practices, including the transmission, handling, and distribution of signals intelligence and communications security material within and among the elements under control of the Director of the National Security Agency, and exercise the necessary supervisory control to ensure compliance with the regulations.

This Executive Order was amended on July 31, 2008 to include: “Maintain or strengthen privacy and civil liberties protections”. It is useful to compare these regulations and the reasons for them with similar government overreach leading to the Paperwork Reduction Act (PRA).

Paperwork Reduction Act (PRA)

This Act was set up to control growing and excessive information requests from the Federal Government burdening individuals and businesses. It requires that any Federal information request must be approved by the Office of Management and Budget (OMB). OMB was originally granted this authority in 1940 under the Federal Reports Act. But due to increasing complaints from the public about duplicate and lengthy federal government data collections and documentation by the Federal Paperwork Commission, Congress passed (PRA) in 1980.

OMB’s review considerations range from policy issues to statistical design and methodology. OMB pays particular attention to the practical utility of the data to the Federal government. PRA clearance is required when standardized data collection from 10 or more individuals or firms is requested. Among other things, the OMB requires an estimate of how much time it will take an individual or business to respond to the information request. The “security” agents are probably exempt from this requirement. However, PRA is intended to minimize government data collections that “burden” respondents. Recent revelations on NRA collections suggest no burden on individuals and firms: they were not even aware the data was being collected.

We turn now to the reasons for these excesses and what can be done to curb them.

Bureaucratic Dynamics

Government entities compete for power. For economic policy, the Treasury, the Federal Reserve, and the President’s Council of Economic Advisors are often at odds. For financial regulation, the Fed, Treasury, the Federal Deposit Insurance Corporation and the Security and Exchange Commission are all players. On the environment, the Environmental Protection Agency and the Energy Department are often championing different viewpoints. It goes on and on, and in this context, information is power.

And perhaps the most intense infighting occurs among the security agencies: NSA, the FBI, the CIA and the military information institutions such as the Defense Intelligence Agency. For these groups, more information means more power. And secret information is even more powerful. NSA got caught. The others did not. But you can be sure they are pushing for more information at the expense of citizen’s privacy. By the way, this competition is not unique to the US – the UK has its MI-5 and MI-6, brought to life in the great BBC series.

Information Collection Pathologies

Most security and other Federal government agencies are structured the same way with politicians at the top. Studies have shown that politicians can espouse the purposes of their institutions and defend their turf. But what it comes to articulating precisely what information they need to do their jobs well, they are not so good. They give generalized instructions to staff who are a bit more precise about what they need. But the detailed job of deciding what information to collect ends up with the agency’s information technicians. Without meaningful guidance from higher up, the technicians will do two things:

  • Identify and provide information that is readily available that “relates to” their mandate, and
  • Collect as much additional information as they can get their hands on.

The problem with this approach is that it leads to tremendous data collection efforts – real overreach and in some instances, related storage issues: when we did the paperwork book, the Defense Department had six acres of paper files stored under the Pentagon. They concluded it would be more costly to determine what they needed and what they could throw out than just leave it there.

What should happen in a non-messy world? Agencies would all have clear objectives. Policy experts would take that information and, working with their “operations” people, convert it into a precise list of data that will help them make their decisions. They would serve as the basis for their information collection and use strategies. The IRS does a pretty good job on this. It is mandated to collect taxes in accordance with Congressional wishes. They put it together in tax forms that get approved by OMB and send them out.

The Unique Challenge Facing the Security Agencies

The security agencies’ primary task is to keep citizens safe. And oh yes, the Executive Order for NSA was amended on July 31, 2008 to include: “Maintain or strengthen privacy and civil liberties protections”. But security is their number one objective. So how do they decide what are security risk, and what information do they need to identify them?

Back in the 1970s, the CIA had a large number of agents located around the world. They would infiltrate and collect “in country” information on what was going on. But overly zealous covert activities led to Church Committee hearings in the Senate and the Pike Committee hearings in the House. The result was that both bodies established permanent intelligence committees. These committees have reduced the number of US overseas agents and placed limits on what they can do. The result is the US does not know what is really going on in a number of dangerous countries.

To compensate, NSA and the other security agents are relying far more heavily on information that they can obtain without being physically in these countries. And the information revolution has provided them with very powerful tools to pick up “what is going on”. Of course, sometimes they pick up critical data from intercepts. But the massive information “sweeps” they are collecting and paying telephone and Internet companies for provides them with “connection” data they deem to be very important – who is talking to whom….

Has it gone too far? Is it too much of an invasion of privacy? Probably until the next terrorist bomb goes off in the US.


Whatever one’s view on the appropriate trade-off between privacy and security, there is no question governments will regularly try to obtain more information than they really need. In our book[4], we suggested the following steps to limit this overreach:

  • Commands;
  • Public Disclosures;
  • Public Hangings;
  • Public Awards;
  • Ombudsmen;
  • Impact Statements and Clearances;
  • Task Forces;
  • Commissions.

Whatever, government overreach efforts will continue.

[1] Niccolò Machiavelli, The Prince.

[2] Max Weber, Economy and Society.

[3] Arthur Schlesinger, Imperial Presidency.

[4] Morss, Elliott R., and Robert F. Rich. 1980. Government information management: a counter-report of the Commission on Federal Paperwork. Boulder, Colo: Westview Press.

[iframe src=”/files/ad_openx.htm” width=”600″ height=”300″ frameborder=”0″ scrolling=”no”]

[iframe src=”” width=”600″ height=”530″ frameborder=”0″ scrolling=”no”]

One reply on “Analysis of NSA Overreach”

Comments are closed.