Last week we heard all about how the NSA was pretending to be Facebook.  Maybe you cared, maybe you didn’t.  (If you didn’t, then you’re part of the problem, but I digress.  That’s not the story.)

What is the story, is that the NSA denied doing it.  Loyal readers are familiar with the term “statement analysis,” because we use it here quite often.  Today is another one of those days.  Let’s take a look at the NSA denial:

Recent media reports that allege NSA has infected millions of computers around the world with
malware, and that NSA is impersonating U.S. social media or other websites, are inaccurate. NSA uses
its technical capabilities only to support lawful and appropriate foreign intelligence operations, all of
which must be carried out in strict accordance with its authorities. Technical capability must be
understood within the legal, policy, and operational context within which the capability must be
employed.

NSA’s authorities require that its foreign intelligence operations support valid national security
requirements, protect the legitimate privacy interests of all persons, and be as tailored as feasible. NSA
does not use its technical capabilities to impersonate U.S. company websites. Nor does NSA target any
user of global Internet services without appropriate legal authority. Reports of indiscriminate computer
exploitation operations are simply false.

We know the cornerstone of statement analysis is that people do not lie without telling you that they’re lying.  You just need to be paying attention.  So let’s take a look at this so-called denial.

Recent media reports that allege NSA has infected millions of computers around the world with
malware, and that NSA is impersonating U.S. social media or other websites, are inaccurate.

Here’s their initial statement.  This is an interesting statement because no one accused them of actually having accomplished that, only that they were trying.  This, then, is a true statement.  They haven’t done it.  But they’re trying, and you’ll notice they don’t deny that.

NSA uses its technical capabilities only to support lawful and appropriate foreign intelligence operations, all of
which must be carried out in strict accordance with its authorities.

When you consider that NSA—and by extension, the administration—considers their operations both “lawful” and “appropriate,” suddenly this statement makes a whole lot of sense.  They’re telling you that yes, they’re doing it, and they think it’s okay.

Technical capability must be understood within the legal, policy, and operational context within which the capability must be
employed.

In other words, “it’s so advanced you wouldn’t understand it.”  It’s too complex.  There’s so much context, and you can’t be expected to understand it.

NSA’s authorities require that its foreign intelligence operations support valid national security
requirements, protect the legitimate privacy interests of all persons, and be as tailored as feasible.

Again, according to them, their surveillance net does support valid national security requirements.  Notice that word “legitimate.”  Do you have a “legitimate” privacy interest?  Not according to them, you don’t.  So here we go again, dodging the issue.  They’ll protect legitimate privacy interests…if they ever find some.

NSA does not use its technical capabilities to impersonate U.S. company websites. Nor does NSA target any
user of global Internet services without appropriate legal authority. Reports of indiscriminate computer
exploitation operations are simply false.

Without appropriate legal authority?  We already know that they have legal authority, given to them by secret courts.  The “indiscriminate computer exploitation” is also another dodge, because it’s not indiscriminate.  They know exactly who they’re targeting: conservatives, Tea Partiers, gun owners, liberty lovers.

Think I’m crazy?  Check out this article from Ryan Gallagher. He points out that the NSA’s denials mean jack squat when their own documents show them to be lying.  Gallagher shows a screenshot of an NSA document (which we cannot paste here) in which they explain exactly how the NSA “pretends to be the Facebook server and sends a response to the target.”  That’s a quote from their own document.  Gallagher goes on:

It is difficult to square the NSA secretly saying that it “pretends to be the Facebook server” while publicly claiming that it “does not use its technical capabilities to impersonate U.S. company websites.” Is the agency making a devious and unstated distinction in its denial between “websites” and “servers”? Was it deliberate that the agency used the present tense “does not” in its denial as opposed to the past tense “did not”? Has the Facebook QUANTUMHAND technique been shut down since our report? Either way, the language used in the NSA’s public statement seems highly misleading – which is why several tech writers have rightly treated it with skepticism.

The same is true of the NSA’s denial that it has not “infected millions of computers around the world with malware” as part of its hacking efforts. Our report never actually accused the NSA of having achieved that milestone. Again, we reported exactly what the NSA’s own documents say: that the NSA is working to “aggressively scale” its computer hacking missions and has built a system called TURBINE that it explicitly states will “allow the current implant network to scale to large size (millions of implants).” Only a decade ago, the number of implants deployed by the NSA was in the hundreds, according to the Snowden files. But the agency now reportedly manages a network of between 85,000 and 100,000 implants in computers systems worldwide – and, if TURBINE’s capabilities and the NSA’s own documents are anything to go by, it is intent on substantially increasing those numbers.

In other words, the NSA is engaging in denial and deception.  It’s what they do, and they’re very good at it.  The problem isn’t their method.  The problem is that they’re using their methods on the American people instead of the foreign threats they’re supposed to be focused on.

Think about that next time you log into Facebook and put up photos of your house, your life, your kids.  Think about it next time you have a personal conversation with someone that you would not want plastered on a billboard.  Think about it every single time you log in, because this time, you might not be logging into Facebook.  You might be logging into the NSA’s data collection program.