Latest FISA Court Order Details Why NSA Didn't Get Any 702 Requests Approved Last Year
from the hint:-a-datacenter's-worth-of-noncompliance dept
The latest document dump by the Office of the Director of National Intelligence (ODNI) -- which contains several documents pried loose by an ACLU FOIA lawsuit -- explains why the NSA ran through the entirety of 2016 without an approved Section 702 request from the FISA court. The short answer is a whole lot of noncompliance. So's the long answer:
After submitting its 2016 Certifications in September 2016, the Department of Justice and ODNI learned, in October 2016, about additional information related to previously reported compliance incidents and reported that additional information to the FISC. The NSA also self-reported the information to oversight bodies, as required by law. These compliance incidents related to the NSA’s inadvertent use of U.S. person identifiers to query NSA’s “upstream” Internet collection acquired pursuant to Section 702.
Pursuant to statutory requirements, the FISC was required to complete its review of the 2016 Certifications within 30 days of submission. See 50 U.S.C. § 1881a(i)(1)(B). Thus, the FISC had until October 26, 2016, to issue an order concerning the 2016 Certifications. However, after the October 2016 report to the FISC regarding improper queries, the FISC twice extended its time to consider the 2016 Certifications – first until January 31, 2017, and then until April 28, 2017 – in order to receive additional information about the compliance incidents and the Government’s plan to address them. See April 2017 Opinion at 3-4. The previous year’s certifications remained in effect during these extension periods.
Of note here is the fact that the court allowed 2015's certifications to remain in place despite even more reports of noncompliance by the NSA. Section 702 has been steadily abused, inadvertently or deliberately, since its inception in 2008 as part of the FISA Amendments Act.
Because the court was extremely hesitant to approve new searches under this authority, the agency apparently undertook a comprehensive overhaul of the program. The end result was the shutdown of the "about" collection -- an upstream dragnet for email communications that tended to grab a bunch of US persons' communications -- ones the NSA supposedly couldn't figure out how to separate from its non-domestic data.
The latest FISC opinion [PDF] -- roughly a month old at this point -- finally gives the NSA a 702 court order it can include in its next transparency report. The opinion doesn't spend much time chastising the agency for its long-running compliance issues but at least provides more examples of how little the NSA has done to prevent internal abuse of its collections. This abuse also includes the FBI, which has access to the NSA's raw, unminimized 702 data.
Since 2011, minimization procedures have prohibited use of U.S.-person identifiers to query the results of upstream Internet collection under Section 702. The October 26, 2016 Notice informed the Court that NSA had been conducting such queries in violation of that prohibition, with much greater frequency than had previously been disclosed to the Court… The government reported that the NSA IG and OCO were conducting other reviews covering different time periods, with preliminary results suggesting that the problem was widespread during all periods under review.
At the October 26, 2016 hearing, the Court ascribed the government's failure to disclose those IG and OCO reviews at the October 4, 2016 hearing to an institutional "lack of candor" on part and emphasized that "this is a very serious Fourth Amendment issue."
Some of the compliance issues could be traced back to the NSA's querying system, which seemed built to ensure as many compliance issues as possible.
The January 3, 2017 Notice stated that "human error was the primary factor" in these incidents, but also suggested that system design issues contributed. For example, some systems that are used to query multiple datasets simultaneously required to "opt-out" of querying Section 702 upstream Internet data rather than requiring an affirmative "opt-in," which, in the Court's view, would have been more conducive to compliance.
The report also details further issues with the NSA and its data-sharing, including a heavily-redacted retelling of compliance issues at the FBI concerning dissemination of unminimized US persons' info (including to government contractors). While steps have now been put in place to prevent a recurrence, the court notes the government has routinely dragged its feet providing notice of misuse of surveillance databases.
Too often, however, the government fails to meet its obligation to provide prompt notification to the FISC when non-compliance is discovered. For example, it is unpersuasive to attribute -- even "in part" -- an eleven-month delay in submitting a preliminary notice to efforts to develop remedial steps… when the purpose of a preliminary notice is to advise the Court while investigation or remediation is still ongoing… The Court intends to monitor closely the timeliness of the government's reporting of non-compliance regarding Section 702 implementation.
And so it goes for 99 pages. Multiple compliance violations, multiple promises to do better next time by the government, and a handful of mild admonitions by the FISA judge. The most useful thing to come of this is the voluntary step the NSA took to end its "about" collection program, thus narrowing the number of incidentally-collected US persons' communications. While the court approves of this move, its approval means very little should the NSA decide to revive the program. Considering its lengthy run of compliance issues, it seems unlikely the agency will be in any hurry to defend a rollback of its rollback in a court that's heard about nothing but misuse and abuse of domestic communications for most of the last decade.
Filed Under: abuse, fisa court, fisc, nsa, section 702, surveillance
Reader Comments
"The end result"
No, the result was the claimed shutdown of the "about" collection. What evidence do we have it's actually stopped? It's much more likely we have "a whole lot of noncompliance".
[ link to this | view in thread ]
Re: "The end result"
Clarification: The about collection program. They still have the same internet firehose as always.
But anything running interference against them is good. A little bit here, a little bit there. If they have big enough internal problems that we hear about it, something is way off.
[ link to this | view in thread ]
You forgot "under this program".
Actually, that whole sentence sounds like a WH press release. Very disappointing.
[ link to this | view in thread ]
Unconstitutional
[ link to this | view in thread ]
IP Filter, guys?
I mean, they're claiming that they can't filter out which emails are domestic vs. which are foreign, right? And we already know exactly which IP addresses are allotted to American ISPs, right?
I mean, sure, an IP address is not a person, true. But it IS a location. And we know where those locations are. At least whether they're in New Jersey or New Delhi, anyway. So wouldn't a basic, simple, any-village-idiot-can-do-it-on-a-$29-router IP filter solve this problem?
And before one of you pipes up with "yeah but that might limit them and some terrorist might get through" just remember that the Section 702 program has NEVER, EVER STOPPED A SINGLE TERRORIST, EVER, PERIOD. Some of these programs can point to a small handful of successes, but 702 is the only one we know of that has literally never provided a single piece of actionable intel or led to preventing any terrorist activity, ever. Nine f**king years of violating our privacy, and they can't even show a single example of improving our security, ever, at all.
It's bad enough that we're trading privacy for security in the first place, but with 702, we aren't even getting the security! Hell, we're not even getting decent security theater out of this crap!
[ link to this | view in thread ]
Re: IP Filter, guys?
Why should they? When the courts force them to, they'll say they've started filtering. Until then, why even bother to lie?
[ link to this | view in thread ]