Declassified Opinion On Bulk Email Collection Details More Abuse By The NSA
from the and-yet-the-program-received-a-green-light dept
As more NSA-related documents are forced out into the public eye, the narrative contained within the court opinions is at odds with the NSA’s continuous declarations that utmost care has been taken to prevent violating the privacy of Americans.
A previous release detailed how FISC Judge Reggie Walton nearly shuttered the Section 215 program in 2009 due to widespread abuse by NSA analysts. The evidence uncovered by internal audits and the agency’s own admissions led Walton to issue this damning statement:
The minimization procedures… have been so frequently and systemically violated that it can fairly be said that this critical element of the overall BR regime has never functioned effectively.
The NSA’s bulk internet metadata program (Stellar Wind) was also suspended for several months due to numerous violations. Judge John Bates, taking over for Kollar-Kotelly (who issued the opinion granting the NSA permission to collect internet metadata on Americans by using a very generous reading of the pen register statute), makes it clear he’s wholly unimpressed with the agency’s trustworthiness.
Although the specific terms of authorization under those orders varied over time, there were important constants. Notably, each order limited the authorized acquisition to [redacted] categories of metadata. As detailed herein, the government acknowledges that NSA exceeded the scope of authorized acquisition continuously during the more than [redacted] years of acquisition under these orders.
Although all dates are redacted, the opinion does cite Judge Walton’s 2009 findings (in reference to the Section 215 program). The authorization of the email metadata collection seems to have been granted in 2005 (at least in terms of targeting Americans), suggesting that we’re looking at close to another half-decade of abuse by the agency in this program — abuse that saw this program temporarily suspended as well.
Despite these almost-concurrent (and lengthy) episodes of abuse, the government not only sought reinstatement of the program, but also an expansion.
The current application relies on this prior framework, but also seeks to expand authorization in ways that test the limits of what the applicable FISA provisions will bear. It also raises issues that are closely related to serious compliance problems that have characterized the government’s implementation of prior FISC orders.
The court points out in a footnote that the oversight it’s supposed to provide (and that its defenders constantly point to) is severely hampered by the government itself.
The government argued that “FISA prohibits the Court from engaging in any substantive review of this certification,” and that “the Court’s exclusive function” was “to verify that it contains the words required” by the statute.
The court wasn’t impressed by this argument (though it ultimately decided in favor of the government anyway), but it’s telling that the government would choose to read the Act as supportive of thwarting oversight.
Even when the government itself is presenting its case, it still can’t find a way to make the violations appear minimal.
As described by the government, the unauthorized collection resulted from failures to [redacted] in the manner required… By the government’s account, the lack of required [redacted] did not result from technical difficulty or malfunction, but rather from a failure of “those NSA officials who understood in detail the requirements of the [redacted] Opinion… to communicate those requirements effectively…”
The government assessed the violations to have been caused by “poor management, lack of involvement by compliance officials, and lack of internal verification procedures — not by bad faith.”
The scenario painted by the government is one of minimal care being taken with the dragnet’s data collection. It appears no one can be bothered to do the job right, even when entrusted with data of millions of Americans. This would be one thing if the agency was tiny and not tasked with national security. It’s quite another when the agency declares that national security trumps privacy concerns and then half-asses its way through each workday. You don’t need “bad faith” when you’ve got lousy management and zero interest in fixing the problem.
The court also notes that the surveillance programs (both the phone and internet metadata) were prone to overcollection. A few heavily-redacted paragraphs leave just enough substance to indicate the size of the problem.
Notwithstanding this and many similar prior representations, there in fact had been systemic overcollection since [redacted]…
The government later advised that this continuous overcollection acquired metadata obtained at many other types of data” and that “[v]irtually every record” generated by this program included some data that had not been authorized for collection…
The government has provided no comprehensive explanation of how so substantial an overcollection occurred, only the conclusion [lengthy redaction]… The government has said nothing about how the systemic overcollection was permitted to continue [lengthy redaction].
However, given the duration of this problem, the oversight measures ostensibly taken since [redacted] to detect overcollection, and the extraordinary fact that NSA’s end-to-end review overlooked unauthorized acquisitions that were documented in virtually every record of what was acquired, it must be added that those responsible for conducting oversight at NSA failed to do so effectively.
The conclusions are ugly but are ultimately of little consequence. The program was reinstated. There’s a long discussion about the terminology being used in these court orders (along with some talk about whether a URL is “content” or “data,” p. 32-33) and several fully-redacted pages presumably detailing the metadata the NSA is authorized to collect (p. 35-52). The government’s discussion on what is or isn’t content (according to the NSA dictionary) contains another long stretch of uninformative blackness that spans from page 57 to page 70.
When we finally arrive at the government’s request to expand the authorization of its highly-modified “pen register,” we get some indication of exactly how much more metadata the agency was looking to grab.
The current application, in comparison with prior dockets, seeks authority to acquire a much larger volume of metadata at a greatly expanded range of facilities, while also modifying — and in some ways relaxing — the rules governing the handling of metadata. In the foreseeable future, NSA does not expect to implement the full scope of the requested authorization because of processing limitations. [redacted] Response at 1. Even so, NSA projects the creation of [redacted] metadata records per day during the period of the requested order, compared with the norm under prior orders of approximately [redacted] records per day. Id. That is roughly an 11- to 24-fold increase in volume.
Despite the leap in volume and the stated misgivings about the NSA’s ability to do its job properly, the court granted both the expansion and continuation of the program. The court asked for a few minimal concessions (limited to two “hops,” RAS [reasonable articulable suspicion] searches only, an expiration date on stored data [180 days for Americans, one year for the rest of the world], additional reporting from the NSA), but other than that, allowed the bastardization of the pen register statute to sail through. About the only roadblock erected is the declaration that the previously unauthorized collections summarized early in the opinion were effectively off limits to NSA analysts, thanks to wording contained in the FISA Act itself.
We’re still in the dark as to what specifically the NSA was authorized to collect under the heading of “metadata” in this program. The information we do have has come from Snowden’s document leaks, not from the DNI’s “magnanimous” compelled response to court orders. Considering so much of this info is already out in the open, you would think the ODNI would have applied the black pen a little less heavily.
What we have learned is that the FISA courts have been delivered report after report of abuse by the NSA and have, with rare exceptions, allowed the agency to continue its collections uninterrupted. The “rubber stamp” may be able to craft 100+ page opinions filled with sincere discussions of the program’s merits and the NSA’s seeming inability to not exceed its authority, but when it’s all said and done, the court allows the collections to proceed.