2008 FISA Transcript Shows NSA Already Knew It Might Have An Incidental Collection Problem
from the where-'about'-means-'how-about-we-just-collect-it-all?' dept
The ODNI has released several documents in response to FOIA lawsuits (EFF, ACLU). The EFF scored 18 of these (handy zip link here) and the ACLU seven. The ACLU's batch has proven more interesting (at least initially). One document it obtained shows a tech company challenged a Section 702 surveillance order in 2014. The challenge was shut down by the FISA court, but with the exception of Yahoo's short-lived defiance, we haven't seen any other evidence of ISP resistance to internet dragnet orders.
Included in the ACLU's batch is a 2008 FISA Court transcript [PDF] that's particularly relevant to the NSA's voluntary shutdown of its "about" collection. In it, the NSA discusses its filtering and oversight procedures, which were already problematic nearly a decade ago.
There are some really interesting tidbits to be gleaned from the often heavily-redacted proceedings, including this statement, which makes it clear the NSA engaged in wholly-domestic surveillance prior to the FISA Amendments Act.
THE COURT: All right. Well, what about the non-U.S. person status, which of course is new under the FISA Amendments Act? Are you going to be changing anything in terms of focusing on that?
[REDACTED GOV'T RESPONDENT]: We already sort of do with respect to the U.S. person status is so intertwined with the location of the target [REDACTED] to the extent that in the past NSA would actually affirmatively identify targeted U.S. persons to us on the sheets, because one of the additional fields that they put in the sheets is basically a blurb, an explanation and a description of the target.
Clearly, we're not allowed to target US persons anymore, so I don't anticipate seeing any such descriptions on the sheets. But again, since the status of the person, the determination of how that is made is so intertwined with the same information upon which NSA relies to make a foreignness determination, that it would be hard for us not to identify such information as we're conducting the reviews.
Which, of course, means the NSA was allowed to target US persons and their communications previously, contradicting statements made by US officials, including President George W. Bush and Vice President Dick Cheney.
It's stated earlier in the transcript that the NSA does a few things to help minimize examination of US persons' communications. But they're not great. The NSA runs spot checks on analysts' transactions, deploys filters, and relies on self-reporting to guard against Fourth Amendment violations. It sounds like quite a bit, but the details show it's not nearly enough. To start with, the filters meant to filter out US persons' communications don't work.
COURT: The NSA minimization procedures, you're stating, 'contain a provision for allowing retention of information because of limitations on NSA's ability to filter communications.' My question I had was is the filter discussed in targeting the same filtering. I just wanted to understand that, and apparently it is. [The rest of the court's question is redacted.]
GOV'T: I think the inclusion of that provision in the minimization procedures was intended to be prophylactic in the event that the filters don't necessarily work, and NSA has represented that it's been their experience with the filters and [redacted] this provision basically captures instances where the filters may not work in every instance.
And there's a good reason why they won't work "in every instance." Further unredacted discussion reveals the NSA partially relies on an IP address blacklist to filter out US persons' communications. This is better than nothing, but still a long way from being a strong positive indicator of a target's (or incidental target's) location.
The court then asks about the limitations of the filters and… we get several fully-redacted pages as an answer.
The court also asks about the "about" collection -- where targets are discussed but the communications do not directly involve NSA targets. The judge wants to know how often this is being used rather than the more-targeted "to/from" collection and how often it results in incidental collection. Unsurprisingly, the government can't say how often this happens. This is because the NSA saw no reason to track these searches.
GOV'T: As far as the percentage number, we don't have a number for that, because as I mentioned earlier, when we [redacted] we find to's and froms and [redacted] so we don't categorize those separately to be able to count those communications as abouts.
The court then asks why it's not possible to limit the collection to to's and froms. The government's response is that collecting it all just works better for the NSA, even though it apparently possesses the technical ability to keep these collections separate.
It is technically feasible. The problem with doing so is if you end up discarding a number of communications that are truly to-froms that you should be able to collect but [redacted]...
So by trying to limit us to no abouts, then we end up cutting out those kind of communications as well, truly to-froms. So it would be -- we're not surgical enough to take that out of the equation without impacting our ability to do to-froms effectively.
And later in the discussion, there's a bit of a bombshell about the "about" collection. The NSA shut it down because it couldn't find a way to prevent incidental collection of US persons' communications. In this transcript, the government points out incidental collection is just as likely with to-from targeting.
COURT: Is it more or less likely to pick up U.S.-person information in an about than a to or from?
MR. OLSEN: I don't know the answer in practice. At least from my perspective in theory, I wouldn't see why it would be more likely than a targeted to or from collection where the target's outside the United States where there's a similar possibility that that target would be in communication with someone in the United States, with a U.S. person in the United States.
If this is true, the elimination of the "about" collection doesn't do much to curtail incidental collection. And almost a decade ago, the NSA was already making it "impossible" to comply with Congressional requests for incidental collection numbers by refusing to separate its collections, even with the FISA Court raising questions about its Fourth Amendment implications.
Filed Under: 702, domestic surveillance, foia, incidental collection, nsa, section 702, surveillance
Reader Comments
you're kind of naive
You're kind of naive, and you're young. I can remember using this joke in the late 1970's:
Do you know how to apply for a job at the NSA?
Call your grandmother and ask for an application.
I used to think that was a pretty good joke, considering that my grandmother's phone, at the time, was a party-line.
By George, I think he's got it!
So they knew about it at least in 2002, not later in 2008.
Re:
It is discussing the 2008 transcript from a particular set of FOIA requests. Not a history of the NSA. I think they generally do a huge amount of recap in articles, and I don't mind not having it every single time.
https://www.techdirt.com/articles/20110516/12185514286/federal-governments-vindictive-legal-assault-nsa-warrantless-wiretapping-whistleblowers.shtml
etc. https://www.techdirt.com/blog/?tag=thomas+drake
Also, Drake's 2002 complaints were about a project that was eventually killed as a massive failure. His continuing complaints about specific practices and general culture came to a head in public around 2011.
The NSA always knows it has a problem, because it is the problem. They see it as their job, and not a problem at all.
People were also already arguing their phone and internet communications were accessed with the help of phone companies. Earlier still were now supposedly defunct programs, long before the excuse was terrorist attacks. Where should they start every article discussing something? It would be like the opening of 2001.
Of course it "works better for the NSA"...it means less work involved. But since when did their laziness start trumping the Constitution?
The NSA has the most super computers in the world, yet can't figure out how to effectively implement a filter? If that's truly the case, then they could start by lightening their dataset to filter from by not trying to collect every bit of information on the planet.
They could ask Google
Surely someone in that vast storage house of business/personal data can run 'grep'. Well, able to do so and convey such knowledge to those with their head in the sand.
NSA: No Sand Anywhere.