The Abuses That Nearly Led To The Bulk Metadata Program Being Shut Down Aren't Considered 'Abuses' By The NSA

from the rules-are-for-the-nobodies dept

The set of minimization rules the NSA was supposed to apply to its bulk records collections was issued in 2006. As was noted here earlier, the FISA court laid down a number of limitations and restrictions in this document -- which the agency nearly immediately began violating.

The rules applying to bulk record searches is dated May 24, 2006. A footnote in Judge Walton's furious court order detailing the numerous violations indicates that the NSA began including domestic non-RAS (reasonable and articulable suspicion) numbers on its Alert List shortly thereafter. An NSA report to the FISC dated August 18, 2006 made this statement:

[R]ather than conducting daily queries of the RAS-approved foreign telephone identifier that originally contacted the domestic number, the domestic numbers were included in the alert list as, "merely a quicker and more efficient way of achieving the same result…"
While the end point may seem indistinguishable, the methods aren't and the NSA was forbidden from running searches using non-RAS domestic numbers. This points to the general tendency of the NSA and FBI to opt for the fastest route, rather than the constitutional route.

The Alert List utilized by the NSA contained a sizable number of domestic identifiers. At one point, this list of identifiers grew to nearly 30,000 numbers. Factor in the NSA's two/three-hop (depending on who you ask… and when) contact chaining, and an Alert List search could easily net the entire set of domestic numbers grabbed by the bulk records requisition.

The agency's defense of its abuse boiled down to two arguments, neither of which impressed Judge Walton.

The first claim was that the non-compliance "resulted from a belief by some personnel within the NSA that… [the] Court's restrictions… applied only to "archived data." Walton shot back that this claim "strained credulity," adding that he found it hard to imagine why the court would allow the "critical" RAS requirement to hinge on whether the data had been archived or not. He nailed the lid shut on the argument with this sentence.
Indeed, to the extent that the NSA makes the decision about where to store the incoming BR [bulk records] data and when archiving occurs, such an illogical interpretation of the Court's Orders renders compliance with the RAS requirement merely optional.
The NSA buttressed its first claim with a second one that blamed its immediate oversight, rather than the less-specific "some personnel."
The NSA also suggests that the NSA OGC's [Office of General Counsel] approval of procedures allowing the use of non-RAS-approved identifiers on the alert list to query BR metadata not yet in the NSA's "archive" was not surprising, since the procedures were similar to those used in connection with other NSA SIGINT collection activities.
Walton tore that argument down as well, stating the lack of compliance wasn't simply a "terminological misunderstanding," but a willing decision by the agency to treat all collections uniformly despite there being specific, court-ordered procedures in place to handle incoming BR data.

Further compounding the abuses of the BR data was the NSA's obfuscation of the alert process it (mis)used to search incoming collections. Walton notes that the agency "repeatedly submitted inaccurate descriptions of the alert process." The NSA, in turn, blamed these misrepresentations on a failure by "those familiar with the program" to correct inaccuracies in a report prepared by the managing attorney of the NSA's Office of the General Counsel.

Walton responded to this by pointing out two reasons why the NSA should simply be accused of lying. One, the general counsel who prepared the draft asked for recipients to "make sure" everything contained in the report was true before he sent it to the court. Secondly, Walton footnotes a transcription of proceedings before FISC judge Malcolm Howard where a redacted representative of the NSA affirms that the report is "true and accurate to the best of his knowledge or belief."

The last excuse given by the NSA for its abuse of the BR metadata is perhaps the most damning.
Finally, the NSA reports that "from a technical standpoint, there was no single person who had a complete technical understanding of the BR FISA system architecture."
This is astounding. The NSA openly admits it had no one qualified to deal with tons of metadata, much of which included details on American citizens, and yet it continued to operate the program, expand its Alert List and forge ahead using its own set of rules. At no time did it attempt to seek clarification from the court and at no time did it rein in its collection or querying efforts out of concern it might be violating the privacy of American citizens.

Instead, it did the opposite. It sought permission from the court to expand the number of analysts authorized to access the BR data. And "mistakes" continued to be made. The NSA ensured the court in it would be training the new analysts, but reports continued to filter back detailing more failures.
Despite this training, however, the NSA subsequently determined that 31 NSA analysts had queried the BR metadata during a five day period in April 2008 "without being aware they were doing so."

[F]rom May 2006 until February 18, 2009, the NSA continues to uncover examples of systemic noncompliance.
The uncomfortable truth of the matter is that the FISC judges have to rely on the NSA's narrative of how the programs are being used in order to determine whether requests can be approved. The NSA had a very nice setup, but it couldn't even keep that together. Three years of abuses almost led to the entire bulk records program being shut down by Judge Walton. He wraps up his court order with several damning paragraphs that call out the agency for its extended malfeasance.
It has finally come to light that the FISC's authorizations of this vast collection program have been premised on a flawed depiction of how the NSA uses BR metadata. This misperception… existed from the inception of its authorized collection in May 2006, buttressed by repeated inaccurate statements made in the government's submissions, despite a government-devised and Court-mandated oversight regime.

The minimization procedures… have been so frequently and systemically violated that it can fairly be said that this critical element of the overall BR regime has never functioned effectively.

[Nearly all of the call detail records collected pertain to communications of non-US persons who are not the subject of an FBI investigation… [or] are communications of US persons who are not the subject of an FBI investigation… and are data that otherwise could not be legally captured in bulk by the government.
After running down the abuses, Walton again points out how the NSA's actions have effectively turned every layer of "oversight" into a joke.
[T]he Court must rely heavily on the government to monitor this program to ensure that it continues to be justified… and that it is implemented in a manner that protects the privacy interests of US persons as required by applicable minimization procedures. To approve such a program, the Court must have every confidence that the government is doing its utmost to ensure that those responsible for implementation fully comply with the Court's orders.

The Court no longer has such confidence.
Five years later, however, the program continues. Walton's order severely limited the NSA until it got a handle on the bulk records program. Walton allowed the collections to continue but forced the NSA to run search requests through the FISC on a "case-by-case" basis.

But were these cases "abuse?" The NSA's stance has been (up until recently) that no abuse has occurred. Some NSA officials probably still believe that nothing that happened between 2006 and 2009 constitutes "abuse," at least not according to any definition it uses.

As the leaks began to filter out into the media, the NSA's defenders have stressed repeatedly that the agency has not abused the rights of Americans, or carried out illegal programs. When evidence surfaced that thousands of incidents of abuse occurred every year, it turned supporters and insiders like Sen. Feinstein ("...the committee has never identified an instance in which the NSA has intentionally abused its authority to conduct surveillance for inappropriate purposes...") and NSA Director of Compliance John Delong ("These are not willful violations, they are not malicious, these are not people trying to break the law.") into liars, or at the very least, dispensers of half-truths.

The defenders of the agency hedge in order to give thousands of apparent abuses the appearance of slight, inadvertent violations. Defending itself from accusations of abuse is about the only place the NSA seems interested in deploying any form of minimization. Feinstein hedges by stating the "committee" has never identified abusive instances (which have to be "intentional" -- an apparently subjective term). Well, considering the committee's role as the premier NSA apologist, it's hardly surprising it's never "identified" any abuse. It's really not interested in looking for any.

Delong hedges as well, using "willful" and "malicious" to make the NSA's convenient "misunderstanding" of the minimization guidelines (which, for a legal document, are surprisingly clear) appear to be privacy-violating errors rather than instances of abuse.

But the NSA does abuse its power and it does violate the privacy of Americans. Just because the analyst doesn't sit down at the desk and start searching for an ex-girlfriend's data (oh wait...), doesn't mean what happened for three straight years under Alexander's watch any less abusive.

Operating a system you don't understand to harvest data on Americans indiscriminately is a form of abuse. Attempting to get away with treating a very specifically regulated program as indistinguishable from other NSA programs not subject to strict limitations is a form of abuse. It's an abuse of the power granted by the Court. It's abuse of the rights of American citizens. But it's never considered abuse by the abusers -- who rationalize everything away as a typo or a misinterpretation or improper training or anything but what it actually is.


Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: abuses, fisc, metadata, nsa, nsa surveillance, patriot act, section 215


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 12 Sep 2013 @ 9:27am

    They kill people in the Middle East with drones based on that "harmless" metadata, if you happen to call the wrong people.

    link to this | view in chronology ]

  • identicon
    Some Guy, 12 Sep 2013 @ 9:53am

    The NSA has no incentive to obey the law because it has no accountability when it doesn't. It's that simple.

    link to this | view in chronology ]

  • icon
    Rikuo (profile), 12 Sep 2013 @ 10:03am

    I work in retail. If my register is short/over money at the end of the day, I get written up by my manager. If it happens several times, I will be let go. It doesn't matter whether it's intentional or not, I'm responsible for the money. I don't have the option of reporting to upstairs only what I want to report, or of lying.
    That is what happens if I lose the company what is, to it, a paltry sum.
    Here, in the NSA, it doesn't matter if it's intentional or not. You're not held accountable for your actions. NSA agents have the potential to wreak havoc using all the data they have access to, damage worse than what I could potentially cause to my company...and yet, they don't even get a slap on the wrist?

    link to this | view in chronology ]

    • icon
      Namel3ss (profile), 12 Sep 2013 @ 11:26am

      Re:

      Obviously it's because you're one of the little people. Laws only apply to folks like you and me. Come on, get with the program!

      link to this | view in chronology ]

  • identicon
    meh, 12 Sep 2013 @ 10:07am

    audits?

    If Snowden used used credentials of higher-ups to access massive amounts of material without any flags for these accounts being tripped... one has to think these accounts weren't subject to audits like the rank and file analysts.

    How many users aren't subject to meaningful oversight and auditing?

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Sep 2013 @ 10:12am

    when they are doing whatever it is they want to do, it's never anything bad. anyone else that does it, is breaking the law!

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Sep 2013 @ 11:28am

      Re:

      It's not that the NSA doesn't do anything bad, but that they always strive for the "least unlawful" and "least unconstitutional" solutions.

      link to this | view in chronology ]

      • icon
        Rikuo (profile), 12 Sep 2013 @ 12:13pm

        Re: Re:

        Imagine if us little people used that excuse. "Well officer, I used the least unlawful method. I only shot this guy I don't like the once. It could have been twice. Therefore, you should let me go".

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Sep 2013 @ 2:06pm

    censorship check

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Sep 2013 @ 5:40am

    tcpb

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Sep 2013 @ 7:21pm

    asdf

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.