What Will the New CPO at NSA Do, Anyway?
By Sam Pfeifle
In her current job as senior director for privacy compliance at the Department of Homeland Security (DHS)—she leaves her post tomorrow—new National Security Agency (NSA) Civil Liberties and Privacy Officer Rebecca Richards, CIPP/US, CIPP/G, has a role that’s statutorily proscribed. As with the Justice Department CPO Erika Brown Lee, CIPP/US, and the Director of National Intelligence’s CPO Alex Joel, CIPP/US, CIPP/G, the DHS privacy office was created by law and its duties are carefully laid out.
Such is not the case at the NSA, with the newly created civil liberties and privacy officer, or at any other government agency. While the Government Accountability Office recommends a privacy office for every government agency, to oversee compliance with the Privacy Act of 1974, each agency does things slightly differently.
How will Richards do things at the NSA? While she asked for some time to get up-to-speed before speaking with The Privacy Advisor, it’s possible to get some indications of the shape of the job, and what Richards will do with it, by looking at how the position has been framed and how Richards has served in the privacy office at DHS.
First, the job. Back in August of 2013, when President Barack Obama first indicated a need for the job, he expressed a need for greater transparency at the NSA. Part of that would come in the form of a new Tumblr blog; the other part would come from a new privacy and civil liberties officer: "This will give Americans and the world the ability to learn more about what our intelligence community does and what it doesn't do, how it carries out its mission and why it does so.”
Further, looking at the job description the NSA posted back in September, it’s clear this position isn’t intended to do an audit of past practices. “This new position is focused on the future,” reads the listing, “designed to directly enhance decision-making and to ensure that (civil liberties and privacy) protections continue to be baked into NSA’s future operations, technologies, tradecraft and policies.” Richards’ position is intended to liaise often with Joel, Brown Lee and with all of the other government CPOs.
Maybe most importantly for an agency that’s been embroiled in turmoil for the better part of a year, Richards also will be “responsible for broadly and, to the greatest extent possible, proactively explaining how NSA protects (civil liberties and privacy) to the internal workforce … and to the public.”
Can there really be transparency at an organization like the NSA, though?
“There can’t be complete transparency,” said Stewart Baker, a partner at Steptoe & Johnson and former general counsel at the NSA, “that would be nuts, and everybody who believes in national security understands that. It is, however, a fact that the NSA is going to have to be more transparent than they’ve been. They have to be more effective and forthcoming in dealing with the outside world, because right now, if they present a blank wall to Americans, somebody is going to come along and project their worst fears onto that blank wall. It’s better for more employees to appear in public to talk about what they can talk about and make people realize the values of the folks who work inside the NSA are really not different than the values of any other group of Americans.”
So, is Richards the person for that job?
“The NSA and the country are lucky to have her,” said Center for Democracy and Technology President and CEO Nuala O’Connor, CIPP/US, CIPP/G, who was CPO of the Department of Homeland Security and hired Richards in the first place. “She is a world-class privacy leader … I’m a huge fan. She has a tough job ahead of her, but she has combined a love of country with great practical work. She basically stood up the privacy impact assessment program and the compliance program at the Department of Homeland Security.”
Mary Ellen Callahan, CIPP/US, who followed O’Connor as CPO at DHS, agreed with that assessment. “Becky Richards has spent a decade creating the most robust privacy compliance program in the federal government,” she said. “She has been a leader on the development of Privacy by Design, and has integrated privacy in the whole lifecycle of DHS systems and programs.”
Particularly, said Callahan, Richards is detail-oriented enough to stand up a brand new office.
“She works meticulously with the program managers and creators of new programs,” she said, “and demonstrates an ardent level of diligence and devotion to privacy.”
Richards has certainly shown a dedication to the privacy industry with her work at the IAPP. She spoke at the very first IAPP Privacy and Data Security Academy back in 2003, when she was serving as director of policy and compliance at TRUSTe, and has spoken at nearly a dozen conferences and events for the IAPP since then. She was also a member of the IAPP’s inaugural Education Advisory Board, launched in 2007 to help guide the programming of the Global Privacy Summit and the IAPP’s major conferences throughout the rest of the year.
In fact, she and Callahan were both on that first Education Advisory Board. Callahan was with Hogan & Hartson at the time.
Currently, Richards serves on the IAPP’s CIPP/G Exam Development Board, helping the organization make sure that the CIPP/G certification really does reflect the work that government-focused privacy professionals are doing in the field.
The question remains, however, whether NSA leadership will take Richards seriously, regardless of her background. Will there be respect in the building for the CPO?
Baker believes undoubtedly so: “The NSA has been disturbed by this scandal in a way that it hasn’t been troubled in 40 years,” he said. “The NSA’s assumption has always been that if we stick scrupulously to the law, we can be as aggressive as necessary to gather intelligence. What’s troubling to the agency is that they did stick scrupulously to the law and they’re still being trashed, and they see that as a result of the lack of trust arising from their capabilities and a suspicion that they’re not really committed to protecting privacy. It’s a remarkably compliant place in many ways, and I think the leadership is going to know that showing respect for privacy is going to have to be a part of their culture if they’re going to restore the bipartisan respect they used to enjoy. And leadership is going to set an example there for the rest of the building.”
Read More By Sam Pfeifle:
What’s Bruce Schneier Doing at Co3?
How Baidu Wraps Privacy Into New Products
A New Handy Guide to Global DPAs
CES Buzzes With Privacy News